[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


 
                   CYBER SECURITY: U.S. VULNERABILITY
                            AND PREPAREDNESS

=======================================================================

                                HEARING

                               BEFORE THE

                          COMMITTEE ON SCIENCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 15, 2005

                               __________

                           Serial No. 109-25

                               __________

            Printed for the use of the Committee on Science


     Available via the World Wide Web: http://www.house.gov/science




                    U.S. GOVERNMENT PRINTING OFFICE
23-332                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001
                                 ______

                          COMMITTEE ON SCIENCE

             HON. SHERWOOD L. BOEHLERT, New York, Chairman
RALPH M. HALL, Texas                 BART GORDON, Tennessee
LAMAR S. SMITH, Texas                JERRY F. COSTELLO, Illinois
CURT WELDON, Pennsylvania            EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California         LYNN C. WOOLSEY, California
KEN CALVERT, California              DARLENE HOOLEY, Oregon
ROSCOE G. BARTLETT, Maryland         MARK UDALL, Colorado
VERNON J. EHLERS, Michigan           DAVID WU, Oregon
GIL GUTKNECHT, Minnesota             MICHAEL M. HONDA, California
FRANK D. LUCAS, Oklahoma             BRAD MILLER, North Carolina
JUDY BIGGERT, Illinois               LINCOLN DAVIS, Tennessee
WAYNE T. GILCHREST, Maryland         RUSS CARNAHAN, Missouri
W. TODD AKIN, Missouri               DANIEL LIPINSKI, Illinois
TIMOTHY V. JOHNSON, Illinois         SHEILA JACKSON LEE, Texas
J. RANDY FORBES, Virginia            BRAD SHERMAN, California
JO BONNER, Alabama                   BRIAN BAIRD, Washington
TOM FEENEY, Florida                  JIM MATHESON, Utah
BOB INGLIS, South Carolina           JIM COSTA, California
DAVE G. REICHERT, Washington         AL GREEN, Texas
MICHAEL E. SODREL, Indiana           CHARLIE MELANCON, Louisiana
JOHN J.H. ``JOE'' SCHWARZ, Michigan  DENNIS MOORE, Kansas
MICHAEL T. MCCAUL, Texas
VACANCY
VACANCY


                            C O N T E N T S

                           September 15, 2005

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Sherwood L. Boehlert, Chairman, 
  Committee on Science, U.S. House of Representatives............    13
    Written Statement............................................    14

Statement by Representative Bart Gordon, Minority Ranking Member, 
  Committee on Science, U.S. House of Representatives............    14
    Written Statement............................................    16

Statement by Representative W. Todd Akin, Member, Committee on 
  Science, U.S. House of Representatives.........................    19

Statement by Representative Pete Sessions of the State of Texas, 
  32nd District..................................................    20

Prepared Statement by Representative Jerry F. Costello, Member, 
  Committee on Science, U.S. House of Representatives............    17

Prepared Statement by Representative Eddie Bernice Johnson, 
  Member, Committee on Science, U.S. House of Representatives....    17

Prepared Statement by Representative Russ Carnahan, Member, 
  Committee on Science, U.S. House of Representatives............    18

                               Witnesses:

Mr. Donald ``Andy'' Purdy, Jr., Acting Director, National Cyber 
  Security Division, Department of Homeland Security
    Oral Statement...............................................    20
    Written Statement............................................    22
    Biography....................................................    30

Mr. John S. Leggate, Chief Information Officer and Group Vice 
  President, Digital & Communications Technology, BP Plc., United 
  Kingdom
    Oral Statement...............................................    31
    Written Statement............................................    33
    Biography....................................................    39
    Financial Disclosure.........................................    40

Mr. David E. Kepler, Corporate Vice President of Shared Services 
  and Chief Information Officer, The Dow Chemical Company
    Oral Statement...............................................    41
    Written Statement............................................    42
    Biography....................................................    45
    Financial Disclosure.........................................    46

Mr. Gerald S. Freese, Director of Enterprise Information 
  Security, American Electric Power
    Oral Statement...............................................    46
    Written Statement............................................    48
    Biography....................................................    50
    Financial Disclosure.........................................    51

Mr. Andrew M. Geisse, Chief Information Officer, SBC Services, 
  Inc.
    Oral Statement...............................................    51
    Written Statement............................................    53
    Biography....................................................    56
    Financial Disclosure.........................................    57

Discussion.......................................................    58

              Appendix: Answers to Post-Hearing Questions

Mr. Donald ``Andy'' Purdy, Jr., Acting Director, National Cyber 
  Security Division, Department of Homeland Security.............    80

Mr. John S. Leggate, Chief Information Officer and Group Vice 
  President, Digital & Communications Technology, BP Plc., United 
  Kingdom........................................................    91

Mr. David E. Kepler, Corporate Vice President of Shared Services 
  and Chief Information Officer, The Dow Chemical Company........    94

Mr. Gerald S. Freese, Director of Enterprise Information 
  Security, American Electric Power..............................    97

Mr. Andrew M. Geisse, Chief Information Officer, SBC Services, 
  Inc............................................................   100


          CYBER SECURITY: U.S. VULNERABILITY AND PREPAREDNESS

                              ----------                              


                      THURSDAY, SEPTEMBER 15, 2005

                  House of Representatives,
                                      Committee on Science,
                                                    Washington, DC.

    The Committee met, pursuant to call, at 10:00 a.m., in Room 
2318 of the Rayburn House Office Building, Hon. Sherwood L. 
Boehlert [Chairman of the Committee] presiding.



                            hearing charter

                          COMMITTEE ON SCIENCE

                     U.S. HOUSE OF REPRESENTATIVES

                   Cyber Security: U.S. Vulnerability

                            and Preparedness

                      thursday, september 15, 2005
                         10:00 a.m.-12:00 p.m.
                   2318 rayburn house office building

1. Purpose

    On Thursday, September 15, 2005, the House Science Committee will 
hold a hearing to examine the extent of U.S. vulnerability to cyber 
attacks on critical infrastructure such as utility systems, and what 
the Federal Government and private sector are doing, and should be 
doing, to prevent and prepare for such attacks. The hearing will also 
examine what duties should be given to the new Assistant Secretary for 
Cyber Security and Telecommunications at the Department of Homeland 
Security.

2. Witnesses

Mr. Donald ``Andy'' Purdy is Acting Director of the National Cyber 
Security Division at the Department of Homeland Security (DHS). Prior 
to joining DHS, he served as senior advisor for Information Technology 
Security and Privacy to the President's Critical Infrastructure 
Protection Board.

Mr. John Leggate is the Chief Information Officer at BP Inc. (formerly 
known as British Petroleum). In addition, he is Chairman of the Chief 
Executive Officers' Roundtable on Digital and Cyber Infrastructure 
Security at the industry organization Business Executives for National 
Security.

Mr. David Kepler is Corporate Vice President of Shared Services and 
Chief Information Officer of The Dow Chemical Company. In addition, he 
leads the Chemical Sector Cyber Security Information Sharing Forum, an 
industry association.

Mr. Gerald Freese is the Director of Enterprise Information Security at 
American Electric Power, one of the largest electric utilities in the 
United States. He has also been active in the North American Electric 
Reliability Council-coordinated development of cyber security standards 
for the energy industry.

Mr. Andrew Geisse is the Chief Information Officer of SBC Services Inc. 
(formerly Southwestern Bell Corporation), the largest 
telecommunications carrier in the United States.

3. Overarching Questions

          How do critical infrastructure sectors depend on 
        public and private information systems? What are the possible 
        consequences for these sectors of disruption or attack on their 
        information systems? What steps are being and should be taken 
        to secure these systems?

          What are the most critical responsibilities of the 
        Department of Homeland Security (DHS) in cyber security for 
        critical infrastructure sectors, and what are the most urgent 
        steps the new Assistant Secretary for Cyber Security and 
        Telecommunications should take?

          In what areas are current cyber security technical 
        solutions for critical infrastructure sectors inadequate? Where 
        is further research needed to mitigate existing and emerging 
        threats and vulnerabilities? How should federal agencies, such 
        as DHS, the National Science Foundation (NSF), the National 
        Institute of Standards and Technology (NIST), and the Defense 
        Advanced Research Projects Agency (DARPA), and academic 
        researchers work with industry to define priorities and support 
        research in these areas?

4. Issues

Is the U.S. adequately protecting critical information systems and is 
the U.S. able to detect, respond to, and recover from a cyber attacks 
on critical infrastructure?

    While industry and the Federal Government have increased their 
focus on cyber security in recent years, vulnerabilities remain, and 
many experts believe the U.S. needs to do more. An informal survey by a 
business group early this year found that in the telecommunications, 
energy, chemical, and transportations industries, executives estimated 
that 20 to 35 percent of their revenue depends directly on the 
Internet. Yet despite the crucial role of information technology, the 
vulnerabilities in information technology systems are myriad . About 10 
new entries are added each day to the National Vulnerability Database 
(maintained by the National Institute of Standards and Technology), 
which contains about 12,000 entries describing vulnerabilities in 
commonly used information technology products. (Statistics about 
attacks on critical infrastructure are hard to obtain because such 
attacks are often not reported.)

Is there are clear line of responsibility within the Federal Government 
to deal with cyber security?

    When DHS was formed in 2002, cyber security responsibilities (other 
than research and development) were assigned to the Assistant Secretary 
for Infrastructure Protection. Ever since, industry representatives 
have repeatedly expressed concern that cyber security has been a 
distant second to physical security in DHS's critical infrastructure 
protection activities and that the lack of a high-level official 
dedicated to cyber security has meant that the Department has failed to 
devote attention and resources to cyber security. In May 2005, the 
Government Accountability Office (GAO) found that DHS was having 
trouble with a number of its cyber responsibilities, including 
developing national cyber threat and vulnerability assessments and 
government/industry contingency recovery plans for cyber security, 
establishing effective partnerships with stakeholders, and achieving 
two-way information sharing with these stakeholders. (The summary of 
this report is included in Attachment A.) In response to Congressional 
and industry concerns, the Secretary of Homeland Security created in 
July the new position of Assistant Secretary for Cyber Security and 
Telecommunications to bring a higher profile to this area and high 
level attention to these problems. The position has not yet been 
filled.

Are private companies doing enough to secure their information systems? 
To what extent are they coordinating with each other and the Federal 
Government on cyber security?

    The record is mixed. For many companies, it can be difficult to 
quantify the risks associated with their dependence on information 
systems and hence difficult to justify investment in cyber security. In 
other cases, the relevant cyber security technologies may not be 
available. In many industries, companies have undertaken cyber security 
activities within industry organizations to set standards, share best 
practices, and work with information technology companies to improve 
the security of information systems and increase their cyber security 
options. (The companies testifying have generally been leaders in 
taking cyber security seriously.) In some cases, cyber security work 
has been hampered by the problems in the Federal Government described 
above. Industry groups have indicated that they do not yet trust the 
processes for sharing sensitive information related to their cyber 
security with the government and have not yet been convinced of the 
value of information and services DHS would provide in return.

What should the priorities be for federal cyber security research and 
development programs? Is funding for these programs adequate?

    Recommended areas for federal cyber security research in general 
were outlined in the recent report\1\ of the President's Information 
Technology Advisory Committee (PITAC) and include monitoring and 
detection technologies, software quality assurance processes, 
authentication techniques, mitigation and recovery technologies, and 
metrics, benchmarks, and best practices. The PITAC report recommended 
substantial increases in funding at the National Science Foundation 
(NSF), DHS, and the Defense Advanced Research Projects Agency (DARPA). 
(Currently, funding for cyber security research programs at NSF and the 
National Institute of Standards and Technology (NIST) is well below the 
levels authorized in the Cyber Security Research and Development Act.) 
The Cyber Security Industry Alliance, an association of cyber security 
software, hardware and services companies, the Internet Security 
Alliance, an association of information security users from sectors 
such as banking, insurance, and manufacturing, and the Information 
Technology Association of America, a trade association of the 
information technology industry, have all also publicly recommended 
increased federal funding for cyber security research and development.
---------------------------------------------------------------------------
    \1\ The President's Information Technology Advisory Committee 
released their report, Cyber Security: A Crisis of Prioritization, on 
March 18, 2005. It is available on line at http://www.nitrd.gov/pitac/
reports/20050301-cybersecurity/cybersecurity.pdf.

---------------------------------------------------------------------------
5. Brief Overview

          Critical infrastructure\2\ sectors include electric 
        power generation and transmission, oil and gas production and 
        distribution, communications, chemicals, food production, 
        banking and finance, transportation systems, and water 
        processing systems. These sectors are increasingly dependent on 
        information systems to administer business operations (such as 
        billing and supply chain management) and to monitor and control 
        physical operations (such as manufacturing processes and 
        distribution systems).
---------------------------------------------------------------------------
    \2\ As defined in the USA PATRIOT Act (P.L. 107-56), critical 
infrastructure is ``systems and assets, whether physical or virtual, so 
vital to the United States that the incapacity or destruction of such 
systems and assets would have a debilitating impact on security, 
national economic security, national public health and safety, or any 
combination of those matters.'' This definition is used broadly 
throughout the Federal Government.

          As reliance on information technology grows, the 
        number of ways that critical infrastructure systems can be 
        interfered with and the extent of disruption or damage that can 
        be created via such interference is also growing. In addition, 
        the potential impact of a combined physical and cyber attack on 
        a critical facility--e.g., using disruption of information 
        systems to interfere with response and recovery after an 
---------------------------------------------------------------------------
        explosion--would be severe.

          Some cyber security products and techniques (such as 
        firewalls, intrusion detection systems, and virus-protection 
        checks) can be used to safeguard many types of standard 
        information systems (e.g., protecting billing systems and 
        customer databases). However, specialized information 
        technology products are often used to manage and control 
        critical infrastructure facilities. These process control 
        systems often use customized or older hardware and software and 
        have different performance requirements and hence may require 
        specialized security solutions and strategies.

          In May 2005, GAO assessed the DHS role in cyber 
        critical infrastructure protection and found that DHS was 
        having trouble with a number of its cyber responsibilities, 
        including developing national cyber threat and vulnerability 
        assessments and government/industry contingency recovery plans 
        for cyber security (including a plan for recovering key 
        Internet functions), establishing effective partnerships with 
        stakeholders, and achieving two-way information sharing with 
        these stakeholders.

          In response to stakeholder and Congressional concerns 
        that DHS needed to make information security, particularly 
        information security for critical infrastructure sectors, a 
        higher priority, the Secretary of Homeland Security announced 
        in July 2005 that the Department would create a new position of 
        Assistant Secretary for Cyber Security and Telecommunications. 
        This new position will have responsibility for identifying and 
        assessing the vulnerability of critical telecommunications 
        infrastructure and assets, providing timely and usable threat 
        information, and leading the national response to cyber and 
        telecommunications attacks.

          In information technology systems, new 
        vulnerabilities and new threats emerge regularly and spread 
        quickly. Cyber security research programs supported by the 
        Federal Government and the private sector develop tools that 
        provide security in the current environment, as well as produce 
        the defenses against the next generation of cyber security 
        risks. Following passage of the Cyber Security Research and 
        Development Act in 2002, funding for National Science 
        Foundation programs in this area has increased; however, at the 
        same time the Defense Advanced Research Projects Agency funding 
        for unclassified research in cyber security has dropped 
        significantly. Other federal cyber security research and 
        development programs exist, particularly at DHS and at the 
        National Institute of Standards and Technology, but these are 
        relatively small.

6. Background

Critical Infrastructure Sectors and Information Security
    Critical infrastructure, as defined in the USA PATRIOT Act, is 
``systems and assets, whether physical or virtual, so vital to the 
United States that the incapacity or destruction of such systems and 
assets would have a debilitating impact on security, national economic 
security, national public health and safety, or any combination of 
those matters.'' Examples of critical infrastructure include electric 
power generation and transmission, oil and gas production and 
distribution, communications, chemicals, agriculture and food 
processing, banking and finance, transportation systems, and water 
processing systems. Because of its vital role in the U.S. security, 
economy, and quality of life, the elements of the U.S. critical 
infrastructure are a potential target for terrorists, who could use 
physical or cyber attacks to interfere with, disrupt, damage, or 
destroy important facilities and capabilities.
    Industry is increasingly dependent on information technology for 
both business operations and process controls, and many of these 
information systems directly use, or are accessible through, public 
systems (e.g., the Internet) and technologies (e.g., Wi-Fi and common 
operating systems). Yet the Internet was not designed with security in 
mind.
    Control systems (systems that run manufacturing and distribution 
facilities) raise different security issues than do the business/
administrative systems. It is harder to shut the control systems down 
to make changes in software or hardware because doing so means shutting 
down an industrial operation, such as chemical manufacturing or 
electricity generation. In addition, the control systems operate 
equipment that represents a major capital expense and that is replaced 
or upgraded less frequently than are business systems. As a result, 
security fixes to control systems often require retrofitting, rather 
than just waiting for equipment to be replaced. Finally, while business 
systems (for activities like billing) are relatively similar across 
industries, the control systems generally use specialized protocols and 
configurations specific to a particular industry. As a result, 
customized security solutions and strategies, including specialized 
testing, need to be developed.
    Industry responses to cyber vulnerability has depended on: (1) the 
type of information systems used in the sector, (2) how clear the risks 
associated with cyber attacks are, (3) what the value and return on 
investment in cyber security would be, (4) the availability of relevant 
cyber security technologies, and (5) (sometimes) what governmental 
action has been taken or is perceived as having the potential to be 
taken. For example, the financial and banking industries were very 
aggressive in adopting information security technologies, due in part 
to the fact that technologies to protect information and communications 
(the primary need in this area) have been a focus of cyber security 
development efforts for a long time because the extent of the 
vulnerability was very clear.
    In other industries, there are a variety of cyber security-focused 
activities underway. In the electric power industry, the North American 
Electric Reliability Council (an industry coordination group) recently 
developed and adopted an interim cyber security standard that outlines 
minimum requirements needed to ensure the security of electronic 
exchange of information needed to support grid reliability and market 
operations; work on a permanent standard is underway. In addition, 
Congress has focused attention on cyber security as a key element of 
ensuring electric reliability and drinking water safety. The 
Environmental Protection Agency has worked with the industry on 
understanding how their water processing facilities depend on 
information systems and what risks that creates.
    The chemical sector has developed a Chemical Sector Cyber Security 
Program, which is building on existing cooperative industry groups to 
carry out cyber security-specific activities. A sector-wide cyber 
security strategy was organized in 2002, and activities currently 
underway include work on establishing management practices, guidelines, 
and standards, on information sharing, and on encouraging accelerated 
development of improved security technologies. In addition, the 
chemical sector companies involved with the program support legislation 
that will establish national security guidelines for chemical 
facilities, require companies to conduct site vulnerability assessments 
and implement security plans, and create strong enforcement authority 
to help ensure facilities and systems are secure.
    In addition to specific cyber security activities, all critical 
infrastructure sectors have Information Sharing and Analysis Centers 
(ISACs), which provide a forum for companies to exchange, analyze and 
disseminate information about vulnerabilities, threats, and incidents 
in a trusted environment. (The establishment of ISACs was mainly a 
response to Presidential Decision Directive 63 (issued in 1998), which 
encouraged industry to form such groups. Each ISAC has a different 
structure and relationship with the government, depending on the 
specific industry's needs, history, and regulatory environment.) In 
general, discussion of cyber security issues are considered an 
important element of ISAC-based interactions, and cross-sector 
discussions of cyber security issues are coordinated by the information 
technology sector's ISAC.

Department of Homeland Security Cyber Security Activities and 
        Responsibilities
    Cyber security activities at DHS are carried out in two 
directorates: the National Cyber Security Division (NCSD), located in 
the Information Analysis and Infrastructure Protection Directorate, is 
responsible for operational cyber security; and the Science and 
Technology Directorate is responsible for cyber security research and 
development programs.

            Operational Cyber Security at DHS
    After the recently completed department-wide Second Stage Review, 
the Secretary of Homeland Security has proposed and begun to implement 
a number of organizational changes, including the creation of an 
Assistant Secretary for Cyber Security and Telecommunications position. 
This office will be responsible for identifying and assessing the 
vulnerability of critical telecommunications infrastructure and assets, 
providing timely and usable threat information, and leading the 
national response to cyber and telecommunications attacks. (To date, 
the NCSD has reported to the existing Assistant Secretary for 
Infrastructure Protection; going forward, the new Assistant Secretary 
will be parallel to this position.\3\ )
---------------------------------------------------------------------------
    \3\ The new Assistant Secretary for Cyber Security and 
Telecommunications will be Presidentially appointed, but not Senate 
confirmed. The new position was announced on July 13, 2005, but as of 
the date of this hearing an appointment had not yet been made.
---------------------------------------------------------------------------
    The responsibilities of the NCSD are defined by several documents, 
including the National Strategy to Secure Cyberspace, Homeland Security 
Presidential Directive 7 (HSPD-7) on Critical Infrastructure 
Identification, Prioritization, and Protection,\4\ the Interim National 
Infrastructure Protection Plan, and the National Response Plan. In 
FY06, $73 million was requested for NCSD, a $6 million increase from 
the level appropriated for FY05. The NCSD's mission, as defined in 
HSPD-7, includes analysis, warning, information sharing, vulnerability 
reduction, mitigation, and aiding national recovery efforts for 
critical infrastructure information systems.\5\ Currently, within these 
broad goals, three areas of particular concern and focus for NCSD in 
the area of critical infrastructure protection are (1) strategies to 
improve the resiliency of the Internet against disruption, (2) 
improving the security of control systems, and (3) improving software 
assurance (trying to move from patch management to systems that 
emphasize security as software is being developed).
---------------------------------------------------------------------------
    \4\ Homeland Security Presidential Directive 7 (HSPD-7) on Critical 
Infrastructure Identification, Prioritization, and Protection is 
available on line at http://www.whitehouse.gov/news/releases/2003/12/
20031217-5.html.
    \5\ To meet its responsibilities from HSPD-7, as well as other 
national strategies and plans, NCSD has defined for itself six core 
goals: (1) establish a National Cyber Security Response System to 
prevent, detect, respond to, and reconstitute rapidly after cyber 
incidents; (2) work with public and private sectors to reduce 
vulnerabilities and minimize the severity of cyber attacks; (3) promote 
a comprehensive national awareness program to empower American 
businesses, the general workforce, and the general population to secure 
their own parts of cyberspace; (4) foster adequate training and 
education programs to support the Nation's cyber security needs; (5) 
coordinate with the intelligence and law enforcement communities to 
identify and reduce threats to cyberspace; and (6) build a world-class 
organization that aggressively advances its cyber security mission and 
goals in partnership with its public and private stakeholders.
---------------------------------------------------------------------------
    One of the most important activities of NCSD is coordination with 
the private sector on efforts to reduce vulnerabilities and minimize 
the severity of cyber attacks. Information sharing is necessary to 
ensure awareness of vulnerabilities, and ways to mitigate 
vulnerabilities, awareness of threats and attack methods, and 
preparedness for response and recovery. Companies are expected to be a 
source of information about what problems they are experiencing and 
what solutions have been effective, while the government (primarily via 
DHS) is expected to be a source of information about threats. Both 
government and industry acknowledge that information sharing needs to 
be improved. Industry has been reluctant to share sensitive information 
incidents. In addition, it has been unclear whether DHS has developed 
the policies or attracted the expertise to ensure the confidentiality 
of sensitive information and to provide reliable analysis and feedback 
about threats and potential solutions.
    A variety of activities are underway in the NCSD to carry out its 
mission. These include the U.S. Computer Emergency Readiness Team (US-
CERT), which was established in 2003 as a partnership between DHS and 
the public and private sectors. US-CERT is responsible for analyzing 
and reducing cyber threats and vulnerabilities, disseminating cyber 
threat warning information, and coordinating incident response 
activities. Another key NCSD activity is organizing exercises to test 
preparedness and response plans for cyber attack. The next such 
exercise is scheduled for November 2005 and will include public and 
private sector participants, including companies from the energy, 
financial, and transportation sectors.

            Cyber Security Research and Development at DHS
    Research and development related to cyber security are the 
responsibility of the DHS Science and Technology Directorate. In FY06, 
$16.7 million was requested for the cyber security programs in the 
Science and Technology Directorate, a $1.3 million decrease from the 
level appropriated for FY05. Specific programs focus on improving the 
security of Internet communication protocols and developing 
technologies to enhance the cyber security of critical infrastructure 
sectors, including of process control systems. Support and coordination 
is also provided for the collection of large-scale data sets about 
network behavior that researchers can use to better understand problems 
with networks and design potential solutions. Testbeds are also a 
critical element of DHS Science and Technology Directorate cyber 
security programs. They provide support for and participate in the NSF-
funded Defense Technology Experimental Research (DETER) testbed 
(described below). They also work with the Department of Energy (at 
Sandia and Idaho National Laboratories) to support a control systems 
testbed, which is critical for design and verification of security 
technologies for control system applications. Since these systems often 
operate with real-time consequences and continuously or almost 
continuously, any security solution must be designed for the 
configuration in which the equipment and software is used and 
rigorously tested in realistic situations.

Cyber Security at Other Government Agencies and Interagency 
        Coordination
            Operational Cyber Security
    Each critical infrastructure sector is associated with a lead 
government agency. For some sectors (e.g., chemicals, transportation 
systems, information technology and telecommunications), the lead 
agency is DHS, but for many other sectors, another agency is the lead 
(e.g., the Department of Energy for the electric power and oil and gas 
sectors, the Environmental Protection Agency for water treatment 
facilities, the Department of the Treasury for banking and finance, and 
the Department of Agriculture for the food sector). However, HSPD-7, 
the 2003 Presidential Directive that designated the lead agencies, also 
clearly articulated that DHS would continue to maintain an organization 
to serve as a focal point for the security of cyberspace. For example, 
DHS, the Department of Defense (DOD), and the Department of Justice co-
chair the interagency National Cyber Response Coordination Group. In 
addition to coordinating with other agencies on the cyber security of 
critical infrastructure facilities, DHS also works with the Office of 
Management and Budget, which has significant responsibilities for the 
security of the Federal Government's information systems.

            Cyber Security Research and Development Programs
    Significant cyber security research and development programs are 
underway in a variety of federal agencies, including the National 
Science Foundation (NSF), the National Institute of Standards and 
Technology (NIST), and the Defense Advanced Research Projects Agency 
(DARPA). The programs at NSF and NIST were authorized by the Cyber 
Security Research and Development Act (P.L. 107-305).
    At NSF, cyber security research is conducted under the auspices of 
the Cyber Trust program, which supports projects designed to make 
networked computer systems more predictable, more accountable, and less 
vulnerable to attack and abuse. This program is funded at $65 million 
in FY05, and the projects supported cover a wide variety of information 
security areas. Critical infrastructure applications are included; in 
August 2005, NSF provided funding to a new center at the University of 
Illinois to perform research to support the design, construction and 
validation of a secure cyberinfrastructure for the next-generation 
electric power grid. (Both the Department of Energy and DHS have 
pledged to collaborate with NSF to fund and manage this effort.) 
Another relevant project is the Cyber Defense Technology Experimental 
Research (DETER) testbed, which provides an experimental environment in 
which government, academic, and industry cyber security researchers can 
safely analyze and measure attacks and develop attack mitigation and 
confinement strategies. (DHS also provides some funding for DETER.) 
These research and testbeds projects also have educational elements, as 
the laboratories supported by those funds become centers of expertise 
in information systems for critical infrastructure and train the 
personnel that critical infrastructure companies and information 
technology companies need to improve the security of critical 
infrastructure sector applications. In addition to its cyber security 
research programs, NSF also supports cyber security education 
activities, including scholarships and curriculum development (these 
programs received $16 million in FY05).
    At NIST, cyber security activities are centered in the Computer 
Security Division, which was funded at $19 million in FY05. The 
division's activities include developing standards, metrics, tests, 
guidelines, and validation programs related to information security and 
studying and raising awareness of information technology risks, 
vulnerabilities, and protection requirements. NIST also has specific 
responsibilities under the Federal Information Security Management Act 
of 2002 for developing standards for federal information systems 
security and supporting federal agencies' cyber security efforts. An 
example of a recent NIST cyber security project (supported by DHS) is 
the August 2005 launch of the National Vulnerability Database, which 
contains about 12,000 entries describing vulnerabilities in commonly-
used information technology products. (About 10 new entries are added 
each day.) The database integrates all publicly available U.S. 
Government vulnerability resources and is designed to provide 
references to industry resources.
    A number of other agencies, mainly in DOD, have cyber security 
research and development activities. The DOD activities focus mainly on 
specific information assurance requirements related to DOD's military 
and intelligence missions. The Department of Energy's programs are 
focused primarily on applications related to the energy and electric 
power sectors (as in the work on control systems testbeds at Department 
of Energy laboratories described above).
    All of these programs are coordinated through the National Science 
and Technology Council's (NSTC's) Interagency Working Group on Critical 
Information Infrastructure Protection Research and Development. In 
response to recommendations from the President's Information Technology 
Advisory Committee, this interagency group has recently been 
reformulated to report to both the NSTC Subcommittee on Infrastructure 
and its Subcommittee on Networking and Information Technology Research 
and Development. This group has recently begun work on defining top 
cyber security research and development needs and mapping those needs 
against current federal activities.

7. Witness Questions

Questions for Mr. Andy Purdy:

          How do critical infrastructure sectors depend on 
        public and private information systems? What are the possible 
        consequences for these sectors of disruption or attack on their 
        information systems? What steps is DHS taking to help these 
        sectors secure their systems?

          How does DHS work with the critical infrastructure 
        sectors to gather and communicate information about threats, 
        risks, and solutions related to cyber security?

          In what areas are current cyber security technical 
        solutions for critical infrastructure applications inadequate? 
        Where is further research needed to mitigate existing and 
        emerging threats and vulnerabilities? How is DHS working with 
        industry and academic researchers to define priorities for and 
        support research in these areas? How does DHS coordinate these 
        efforts within DHS and with other federal agencies, such as 
        NSF, NIST, and DARPA?

Questions for Mr. John Leggate:

          How does the energy sector depend on public and 
        private information systems? What are the possible consequences 
        for the energy sector of disruption or attack on its 
        information systems? What steps is BP taking to secure its 
        systems?

          What are the most critical responsibilities of DHS in 
        cyber security for the energy sector and what are the most 
        urgent steps the new Assistant Secretary for Cyber Security and 
        Telecommunications should take?

          In what areas are current cyber security technical 
        solutions for the energy sector inadequate? Where is further 
        research needed to mitigate existing and emerging threats and 
        vulnerabilities? How should federal agencies, such as DHS, NSF, 
        NIST, and DARPA, and academic researchers work with industry to 
        define priorities for and support research in these areas?

Questions for Mr. David Kepler:

          How does the chemical sector depend on public and 
        private information systems? What are the possible consequences 
        for the chemical sector of disruption or attack on its 
        information systems? What steps is Dow taking to secure its 
        systems?

          What are the most critical responsibilities of DHS in 
        cyber security for the chemical sector and what are the most 
        urgent steps the new Assistant Secretary for Cyber Security and 
        Telecommunications should take?

          In what areas are current cyber security technical 
        solutions for the chemical sector inadequate? Where is further 
        research needed to mitigate existing and emerging threats and 
        vulnerabilities? How should federal agencies, such as DHS, NSF, 
        NIST, and DARPA, and academic researchers work with industry to 
        define priorities for and support research in these areas?

Questions for Mr. Gerald Freese:

          How does the electric power sector depend on public 
        and private information systems? What are the possible 
        consequences for the electric power sector of disruption or 
        attack on its information systems? What steps is American 
        Electric Power taking to secure its systems?

          What are the most critical responsibilities of DHS in 
        cyber security for the electric power sector and what are the 
        most urgent steps the new Assistant Secretary for Cyber 
        Security and Telecommunications should take?

          In what areas are current cyber security technical 
        solutions for the electric power sector inadequate? Where is 
        further research needed to mitigate existing and emerging 
        threats and vulnerabilities? How should federal agencies, such 
        as DHS, NSF, NIST, and DARPA, and academic researchers work 
        with industry to define priorities for and support research in 
        these areas?

Questions for Mr. Andrew Geisse:

          How does the communications sector depend on public 
        and private information systems? What are the possible 
        consequences for the communications sector of disruption or 
        attack on its information systems? What steps is SBC taking to 
        secure its systems?

          What are the most critical responsibilities of DHS in 
        cyber security for the communications sector and what are the 
        most urgent steps the new Assistant Secretary for Cyber 
        Security and Telecommunications should take?

          In what areas are current cyber security technical 
        solutions for the communications sector inadequate? Where is 
        further research needed to mitigate existing and emerging 
        threats and vulnerabilities? How should federal agencies, such 
        as DHS, NSF, NIST, and DARPA, and academic researchers work 
        with industry to define priorities for and support research in 
        these areas?

Attachment A

  Critical Infrastructure Protection: Department of Homeland Security 
     Faces Challenges in Fulfilling Cyber Security Responsibilities

           Government Accountability Office Report GAO-05-434
                http://www.gao.gov/new.items/d05434.pdf

Excerpt: Results in Brief

    As the focal point for critical infrastructure protection, DHS has 
many cyber security-related roles and responsibilities that are called 
for in law and policy. These responsibilities include developing plans, 
building partnerships, and improving information sharing, as well as 
implementing activities related to the five priorities in the national 
cyberspace strategy: (1) developing and enhancing national cyber 
analysis and warning, (2) reducing cyberspace threats and 
vulnerabilities, (3) promoting awareness of and training in security 
issues, (4) securing governments' cyberspace, and (5) strengthening 
national security and international cyberspace security cooperation. To 
fulfill its cyber security role, in June 2003, DHS established the 
National Cyber Security Division to serve as a national focal point for 
addressing cyber security and coordinating the implementation of cyber 
security efforts.
    While DHS has initiated multiple efforts, it has not fully 
addressed any of the 13 key cyber security-related responsibilities 
that we identified in federal law and policy, and it has much work 
ahead in order to be able to fully address them. For example, DHS (1) 
has recently issued the Interim National Infrastructure Protection 
Plan, which includes cyber security elements; (2) operates the United 
States Computer Emergency Readiness Team to address the need for a 
national analysis and warning capability; and (3) has established 
forums to foster information sharing among federal officials with 
information security responsibilities and among various law enforcement 
entities. However, DHS has not yet developed national threat and 
vulnerability assessments or developed and exercised government and 
government/industry contingency recovery plans for cyber security, 
including a plan for recovering key Internet functions. Further, DHS 
continues to have difficulties in developing partnerships--as called 
for in federal policy--with other federal agencies, State and local 
governments, and the private sector.
    DHS faces a number of challenges that have impeded its ability to 
fulfill its cyber CIP responsibilities. Key challenges include 
achieving organizational stability; gaining organizational authority; 
overcoming hiring and contracting issues; increasing awareness about 
cyber security roles and capabilities; establishing effective 
partnerships with stakeholders (other federal agencies, State and local 
governments, and the private sector); achieving two-way information 
sharing with these stakeholders; and demonstrating the value DHS can 
provide. In its strategic plan for cyber security, DHS has identified 
steps that can begin to address these challenges. However, until it 
effectively confronts and resolves these underlying challenges, DHS 
will have difficulty achieving significant results in strengthening the 
cyber security of our nation's critical infrastructures, and our nation 
will lack the strong cyber security focal point envisioned in federal 
law and policy.
    We are making recommendations to the Secretary of Homeland Security 
to strengthen the Department's ability to implement key cyber security 
responsibilities by completing critical activities and resolving 
underlying challenges.
    DHS provided written comments on a draft of this report (see app. 
III). In brief, DHS agreed that strengthening cyber security is central 
to protecting the Nation's critical infrastructures and that much 
remains to be done. In addition, DHS concurred with our recommendation 
to engage stakeholders in prioritizing its key cyber security 
responsibilities. However, DHS did not concur with our recommendations 
to identify and prioritize initiatives to address the challenges it 
faces, or to establish performance metrics and milestones for these 
initiatives. Specifically, DHS reported that its strategic plan for 
cyber security already provides a prioritized list, performance 
measures, and milestones to guide and track its activities. The 
department sought additional clarification of these recommendations. 
While we agree with DHS that its plan identifies activities (along with 
some performance measures and milestones) that will begin to address 
the challenges, this plan does not include specific initiatives that 
would ensure that the challenges are addressed in a prioritized and 
comprehensive manner. For example, the strategic plan for cyber 
security does not include initiatives to help stabilize and build 
authority for the organization. Further, the strategic plan does not 
identify the relative priority of its initiatives and does not 
consistently identify performance measures for completing its 
initiatives.
    As DHS moves forward in identifying initiatives to address the 
underlying challenges it faces, it will be important to establish 
performance measures and milestones for fulfilling these initiatives.
    DHS officials (as well as others who were quoted in our report) 
also provided detailed technical corrections, which we have 
incorporated in this report as appropriate.
    Chairman Boehlert. The Committee will come to order.
    Before we proceed with today's hearing, the Committee must 
first dispense, very briefly, with some administrative 
business.
    I recognize Mr. Gordon to offer a request regarding 
Democratic subcommittee membership.
    Mr. Gordon. Thank you, Mr. Chairman.
    By direction of the Democratic caucus of the Science 
Committee, I ask unanimous consent to ratify the election of 
Representative Dennis Moore of Kansas to the Subcommittee on 
Research, thereby filling one of the existing Democratic 
vacancies.
    Chairman Boehlert. Without objection, so ordered.
    That concludes the Committee's organizational business.
    And we will now proceed with the hearing.
    And incidentally, I can't imagine any hearing any place on 
this Hill, including what our colleagues in the Senate are 
doing with the Roberts nomination, that exceeds the importance 
of the topic being discussed here today. And I am so 
appreciative of the witnesses who have agreed to share with us 
and enlighten us on a very important subject matter. And I want 
you to know how much we welcome your appearance, because you 
are facilitators. We learn from you. We like to think all 
Members of Congress, we are all alike. We like to think we have 
got all of the answers. We don't even know some of the 
questions. But I do know this, that cyber security is 
critically important. And what we are about today takes us 
further down the path of dealing in a responsible way with this 
very important subject.
    So I want to welcome everyone to this morning's hearing on 
cyber security, a subject that has long been the focus of the 
Science Committee.
    The Nation has been making progress in developing ways to 
fend off and respond to cyber attacks. For example, federal 
agencies have been implementing our Cyber Security Research and 
Development Act, and when I say ``our,'' I say it proudly. That 
is the result of this committee's work, albeit at funding 
levels significantly below what we would wish, and quite 
frankly, what is needed.
    Homeland Security Secretary Michael Chertoff, responding to 
calls from industry and the Congress, has created the position 
of Assistant Secretary for Cyber Security. But as our witnesses 
today will make clear, we still have a very long way to go. We 
still pay inadequate attention to cyber security research 
operations in both the government and private sector. We 
shouldn't have to wait for the cyber equivalent of Hurricane 
Katrina to realize that we are inadequately prepared to 
prevent, detect, and respond to cyber attacks. And a cyber 
attack can affect a far larger area at a single stroke than can 
any hurricane. Not only that, given the increasing reliance of 
critical infrastructures on the Internet, a cyber attack could 
result in deaths as well as in massive, massive disruption to 
our economy and daily life.
    There is another lesson we should take from Katrina beyond 
the need to prepare for real dangers that have not been 
recently experienced, and that is not to focus exclusively on 
terrorism. Cyber attacks could occur from any number of sources 
and motivations, even from error, not just from foreign or 
domestic terrorists who would do us harm.
    So our goal this morning is to help develop a cyber 
security agenda for the Federal Government, especially to 
provide assistance for the new Assistant Secretary. I never 
want to sit on a special committee set up to investigate why we 
were unprepared for a cyber attack. We know we are vulnerable. 
It is time to act.
    And I look forward to hearing from our witnesses and the 
guidance that they might give us to do just that.
    With that, I am pleased to recognize my partner, my 
colleague, my friend, Mr. Gordon from Tennessee.
    [The prepared statement of Chairman Boehlert follows:]

          Prepared Statement of Chairman Sherwood L. Boehlert

    I want to welcome everyone to this morning's hearing on cyber 
security, a subject that has long been a focus of the Science 
Committee.
    The Nation has been making progress in developing ways to fend off 
and respond to cyber attacks. For example, federal agencies have been 
implementing our Cyber Security Research and Development Act, albeit at 
funding levels significantly below what we would wish. Homeland 
Security Secretary Michael Chertoff, responding to calls from industry 
and the Congress, has created the position of Assistant Secretary for 
Cyber Security.
    But as our witnesses today will make clear, we still have a very 
long way to go. We still pay inadequate attention to cyber security 
research and operations in both the government and private sector.
    We shouldn't have to wait for the cyber equivalent of a Hurricane 
Katrina--or even and Hurricane Ophelia might serve--to realize that we 
are inadequately prepared to prevent, detect and respond to cyber 
attacks.
    And a cyber attack can affect a far larger area at a single stroke 
that can any hurricane. Not only that, given the increasing reliance of 
critical infrastructures on the Internet, a cyber attack could result 
in deaths as well as in massive disruption to the economy and daily 
life.
    There's another lesson we should take from Katrina beyond the need 
to prepare for real dangers that have not been recently experienced. 
And that is not to focus exclusively on terrorism. Cyber attacks could 
occur from any number of sources and motivations--even from error--not 
just from foreign or domestic terrorists.
    So our goal this morning is to help develop a cyber security agenda 
for the Federal Government, especially for the new Assistant Secretary. 
I never want to have to sit on a special committee set up to 
investigate why we were unprepared for a cyber attack. We know we are 
vulnerable, it's time to act.
    I look forward to hearing our witnesses' guidance on how to do just 
that.

    Mr. Gordon. Thank you, Mr. Chairman.
    As usual, I want to concur with your remarks, particularly 
in context to the urgency and the seriousness of this issue.
    Today's hearing has two important purposes: to assess the 
progress in improving the security of computer systems on which 
critical industries rely, and to explore why progress has been 
so slow.
    Networked information systems are key components of many of 
the Nation's critical infrastructures, including electrical 
power distribution, banking, finance, water supply, and 
telecommunications.
    Computer system vulnerabilities persist worldwide, and the 
initiators of random cyber attacks that plague the Internet 
remain largely unknown.
    But we know that many international terrorist groups now 
actively use computers and the Internet to communicate, and 
they are clearly capable of developing or acquiring the 
technical skills to direct a coordinated attack against 
networked computers in the United States.
    The disruptions and economic damages that could result from 
a successful cyber attack to one or more of our critical 
infrastructures could be substantial. And damage to water 
supply systems or to the chemical processing plants, for 
example, could also create life-threatening consequences.
    Following the events of 9/11, ensuring that security of 
critical infrastructure has become a national priority, but 
progress in securing the cyber infrastructure has simply been 
too slow.
    A presidential directive from the Clinton Administration, 
PDD-63, instituted policies and established a new organization 
to improve the Nation's ability to detect and respond to cyber 
attacks, including mechanisms to improve communications between 
the public and the private sectors regarding cyber security 
matters. Subsequently, the new Department of Homeland Security 
was charged to be the government's focal point for cyber 
security.
    And yet, in a report released this summer, GAO found that 
the Department of Homeland Security has not yet developed 
national cyber threat and vulnerability assessments or 
government/industry contingencies to recovery plans for cyber 
security. This is simply not good enough.
    Recent events make all too clear that inadequate recovery 
plans, either by design or execution, have dire consequences 
for the citizens' health and well being. Inaction can be an 
enemy just as lethal as terrorists.
    GAO stressed that to be successful in meeting its 
responsibilities, the Department will need to achieve 
organizational stability for cyber security activities, 
including the elevation of its function within the Department.
    In addition, GAO indicates the Department must work to 
develop effective partnerships with stakeholders, and then 
achieve two-way information sharing with those stakeholders.
    Today, we have an opportunity to hear from some of those 
stakeholders about what is being done within their industry 
sectors--to improve cyber security, where they now stand, and 
what could be done to accelerate progress.
    I am interested in hearing about their relationship to and 
interactions with the Department of Homeland Security and in 
their views on how the government can be more effective in 
achieving the overall goal of cyber security for critical 
infrastructures.
    We need to understand what the fundamental impediments are 
to securing cyberspace and to take appropriate action to 
overcome them.
    And let me just conclude by saying this. As I was reviewing 
the briefing material for this hearing, it is inevitable that 
you look at it in context to Katrina. And some might say, 
``Well, the financial services, you know, if a bank in New 
Orleans or electrical power or a telecommunication outfit has 
several pipes that burst and they are flooded, well, you know, 
at least an inconvenience, but the private sector will come in 
and, through competition, will take care of those customers.''
    But what if all of the banks, what if all of the power 
systems go out of order? Well, it goes beyond just being a 
regional concern. It becomes a national concern. It means 
heartache and distraughtness for those individuals there, but 
for the American public, it means a big bill. We are spending 
$200 billion or more to clean up the mess from Katrina.
    You know, I don't want to see, as the Chairman said, you 
know, I don't want to be here at a hearing later on saying, 
``What went wrong? And how can we improve this thing?'' I mean, 
the fact of the matter is that when the price of gas is stable, 
you know, nobody is really complaining, but when it spikes up 
and again, this is a private sector matter--but when it spikes 
up, the public says, ``Where are the bums in Washington? What 
are you doing?''
    Well, you know, we want to get in front of this. And quite 
frankly, after four years of Homeland Security working on this 
problem, we are not where we need to be, and we are not where 
we should be. I hope that this will be an impetus today to 
change that and to move that forward.
    And so with that, Mr. Chairman, I again join you in 
welcoming these witnesses. This is an important hearing, and I 
look forward to moving forward with it.
    [The prepared statement of Mr. Gordon follows:]

            Prepared Statement of Representative Bart Gordon

    Today's hearing has two important purposes: To assess progress in 
improving the security of computer systems on which critical industries 
rely and to explore why progress has been so slow.
    Networked information systems are key components of many of the 
Nation's critical infrastructures, including electric power 
distribution, banking and finance, water supply, and 
telecommunications.
    Computer system vulnerabilities persist worldwide, and the 
initiators of random cyber attacks that plague the Internet remain 
largely unknown.
    But we know that many international terrorist groups now actively 
use computers and the Internet to communicate, and they are clearly 
capable of developing or acquiring the technical skills to direct a 
coordinated attack against networked computers in the United States.
    The disruptions and economic damages that could result from a 
successful cyber attack to one or more of our critical infrastructures 
could be substantial. And damage to water supply systems or to chemical 
processing plants, for example, could also create life threatening 
consequences.
    Following the events of 9/11, ensuring the security of critical 
infrastructures has become a national priority, but progress in 
securing the cyber infrastructure has simply been too slow.
    A presidential directive from the Clinton Administration, PDD-63, 
instituted policies and established new organizations to improve the 
Nation's ability to detect and respond to cyber attacks, including 
mechanisms to improve communication between the public and private 
sectors regarding cyber security matters. Subsequently, the new 
Department of Homeland Security was charged to be the government's 
focal point for cyber security.
    And yet, in a report released this summer, GAO found that the 
Department of Homeland Security has not yet developed national cyber 
threat and vulnerability assessments or government/industry contingency 
recovery plans for cyber security. This is simply not good enough.
    Recent events make all too clear that inadequate recovery plans, 
either by design or execution, have dire consequences for the health 
and well being of our citizens. Inaction can be an enemy just as lethal 
as terrorists.
    GAO stresses that to be successful in meeting its responsibilities, 
the Department will need to achieve organizational stability for cyber 
security activities, including an elevation of this function within the 
Department.
    In addition, GAO indicates the Department must work to develop 
effective partnerships with stakeholders, and then achieve two-way 
information sharing with these stakeholders.
    Today, we have an opportunity to hear from some of the stakeholders 
about what is being done within their industry sectors to improve cyber 
security, where they now stand, and what could be done to accelerate 
progress.
    I am interested in hearing about their relationship to and 
interactions with the Department of Homeland Security and in their 
views on how the government can be more effective in achieving the 
overall goal of cyber security for critical infrastructures.
    We need to understand what the fundamental impediments are to 
securing cyber space and to take appropriate action to overcome them.
    Mr. Chairman, I want to thank you for calling this hearing, and I 
look forward to our discussion with the panel.

    [The prepared statement of Mr. Costello follows:]

         Prepared Statement of Representative Jerry F. Costello

    Good morning. I want to thank the witnesses for appearing before 
our committee to examine the current state of cyber security, how 
various critical infrastructure sectors depend on information systems, 
and what is and should be done to secure these systems. In addition, I 
am pleased today's hearing will also explore the respective roles of 
the Federal Government and private sector with respect to cyber 
security.
    Certain socio-economic activities are vital to the day-to-day 
functioning and security of the country; for example, transportation of 
goods and people, communications, banking and finance, and the supply 
and distribution of electricity and water. Domestic security and our 
ability to monitor, deter, and respond to outside acts also depend on 
some of these activities as well as other more specialized activities 
like intelligence gathering and command and control of police and 
military forces. A serious disruption in these activities and 
capabilities could have a major impact on the country's well-being.
    Even before the terrorist attacks of September 2001, concerns had 
been rising among security experts about the vulnerabilities to attack 
of computer systems and associated infrastructure. Yet, despite 
increasing attention from Federal and State governments and 
international organizations, the defense against attacks on these 
systems has appeared to be generally fragmented and varying widely in 
effectiveness. Concerns have grown that what is needed is a national 
cyber security framework--a coordinated, coherent set of public- and 
private-sector efforts required to ensure an acceptable level of cyber 
security for the Nation.
    While industry and the Federal Government have increased their 
focus on cyber security in recent years, vulnerabilities remain, 
despite passage of the Cyber Security Research and Development Act. The 
bill authorized $903 million over five years for new federal programs 
to ensure that the U.S. is better prepared to prevent and combat 
terrorist attacks on private and government computers. The legislation 
was developed following a series of post-September 11, 2001 Science 
Committee hearings on the emerging cyber terrorist threat and the lack 
of a coordinated U.S. response. Despite this legislative and 
programmatic initiative, our computer and communications networks, upon 
which the country's economic and critical infrastructures for finance, 
transportation, energy and water distribution, and health and emergency 
services depend, are still among the Nation's vulnerabilities.
    Valid concerns remain that the U.S. is still not appropriately 
organized and prepared to counter and respond to cyber security. 
Multiple federal agencies, as well as institutions of higher education 
and the private sector, have critical roles to play; yet, no enactment 
of or planning for the National Strategy has occurred and coordination 
is was lacking among agencies as they developed their research and 
development budget requests for FY 2006. The absence of a clear 
advocate for cyber security at the Department of Homeland Security, 
coupled with the multiple senior DHS cyber security officials leaving 
the department sends a clear signal to Congress that the National Cyber 
Security Division does not have enough authority to work effectively 
with the private sector. I am aware that legislation has been proposed 
to elevate the head of the cyber security office to the assistant 
secretary level to give cyber security more visibility within DHS and 
to allow higher level input to national policy decisions, and consider 
this a positive step in the right direction.
    I again thank the witnesses for being with us today and providing 
testimony to our committee.

    [The prepared statement of Ms. Johnson follows:]

       Prepared Statement of Representative Eddie Bernice Johnson

    Mr. Chairman and Ranking Member, I am pleased that the Science 
Committee is discussing our nation's cyber security today.
    I appreciate each guest being here today. You all are uniquely 
qualified to speak about how well our infrastructure and policies are 
set up to handle disruptions or attacks on critical information 
systems.
    Every year, the world relies more heavily on information 
technology. We view our banking accounts over the Internet, we apply 
for loans on-line, we even pay our bills on-line. We manage our 
prescriptions on-line, and there's not much today we DON'T do on-line.
    We hear of small- and large-scale breaches in the security of our 
on-line information. One situation that comes to mind is of a large 
bank that had to contact all of its members because sensitive financial 
information had become insecure.
    Congress needs to exert leadership in the area of cyber security. 
Our current system contains a patchwork of programs that represents 
neither an efficient nor effective coordinated federal effort.
    I am interested to hear from today's witnesses how we can improve 
our current efforts in this critical area.
    Thank you, Mr. Chairman. I yield back and reserve the balance of my 
time.

    [The prepared statement of Mr. Carnahan follows:]

           Prepared Statement of Representative Russ Carnahan

    Mr. Chairman and Mr. Ranking Member, thank you for hosting this 
hearing. Mr. Purdy, Mr. Leggate, Mr. Freese, Mr. Kepler, and Mr. 
Geisse, thank you for joining us today to discuss the future cyber 
security of our nation. I am very interested in how we can improve this 
critical infrastructure and our nation's security.
    In May 2005, the GAO released a report entitled ``Critical 
Infrastructure Protection: Challenges in Addressing Cyber Security.'' I 
hope that you will touch on some of the issues raised in this report 
and suggest potential options to ensure the security of our cyber 
infrastructure. Information sharing lapses between the public and 
private sectors is one of the most critical areas raised by the GAO 
study. It is my hope that today's hearing will help us understand 
opportunities for improvement.
    We are pleased to have you with us and I look forward to hearing 
your testimony.

    Chairman Boehlert. Thank you very much, Mr. Gordon, for 
those very well thought out and well reasoned arguments.
    Once again, as so frequently occurs on this committee, 
there is not strong disagreement. There is strength in the 
compatibility of our views as we go forward on a very important 
subject.
    Part of the problem is over at the Roberts hearing there 
are probably 200 press people. You know how this announcement 
of a hearing on cyber security is greeted outside the Committee 
room? With a muffled yawn, ``Oh, what is cyber security?'' This 
is a very important topic.
    So let me, once again, express to all of you my deep and 
personal appreciation for your willingness to be guides for 
those of us sitting on this side of the witness table.
    And Mr. Purdy, please relay to the Secretary our 
appreciation for the fact that he has announced the creation of 
the Assistant Secretary for Cyber Security position. I would 
hope that would be filled in a timely manner. I know attention 
is diverted in this critical period, in the aftermath of 
Katrina. All of the resources of the Federal Government, on the 
domestic side, are focused on that, understandably so. But that 
soon will be over. We are on the way to recovery and rebuilding 
one of the most important areas of the country.
    Now we have got to get on with the job of cyber security. 
And I will say to my friends down in the Administration, 
particularly those who have the heavy responsibility of working 
for OMB, the Office of Management and Budget, that I would 
remind them that we passed the Cyber Security Research and 
Development Act in 2002. It wasn't yesterday. It wasn't last 
month. It wasn't last year. It was 2002.
    But unfortunately, we don't control the purse strings. So 
we can determine the seriousness of the problem. We can provide 
direction in authorizing funds to address the problem in a 
comprehensive and meaningful way, but we don't control the 
purse strings. The appropriators, our colleagues on the 
Appropriations Committee, do. The people developing the budget, 
the people at OMB, do. And they better get a message from this 
hearing: this is a priority subject and it better get the 
priority attention it deserves, including within DHS and within 
the entire Executive Branch and the Legislative Branch of 
government.
    Now with that, let me introduce our panel of very 
distinguished witnesses: Mr. Donald Purdy, Acting Director, 
National Cyber Security Division, the Department of Homeland 
Security; Mr. John Leggate, Chief Information Officer and Group 
Vice President, Digital & Communications Technology, BP; Mr. 
David Kepler, Corporate Vice President of Shared Services and 
Chief Information Officer, the Dow Chemical Company; Mr. Gerald 
Freese, Director of Enterprise Information Security, American 
Electric Power.
    And for the purpose of an introduction, the Chair is 
pleased to recognize Mr. Akin.
    Mr. Akin. Thank you, Mr. Chairman.
    And I really appreciate this opportunity to introduce a 
native son of the Show Me State, Andy Geisse, the Chief 
Information Officer of SBC. Andy grew up in my hometown in St. 
Louis, earned a Bachelor's degree in economics and mathematics 
from the University of Missouri, Columbia, and an MBA from 
Washington University also in St. Louis.
    And he has had a long and illustrious career with SBC 
Communications, starting back in 1979 where he began as 
Assistant Manager in the comptroller's department of SBC's 
predecessor corporation, Southwestern Bell. He then held a 
variety of information technology, sales, and strategic 
marketing positions, including serving as the Director for 
Wireless Product Development for Southwestern Bell Mobile 
Systems, and Vice President and General Manager for 
Southwestern Bell Mobile Systems' Oklahoma and West Texas 
regions.
    In 1995, he moved to Santiago, Chile, and served as Vice 
President and Chief Executive Officer of VTR Cellular. He later 
became President of the Board of STARTEL Communications, the 
first nationwide cellular company in Chile. SBC has interests 
in both companies.
    In January of 1998, Andy moved to New York as President and 
General Manager of SBC's Cellular One upstate New York 
subsidiary. Later, he moved and became Vice President of 
Enterprise and OSS Systems for SBC and its subsidiaries located 
in California. In October of 1999, Andy was appointed Senior 
Vice President, Enterprise Software Solutions, responsible for 
cooperate-wide software solutions where he relocated again to 
San Antonio, Texas. And boy, the mileage is piling up here, 
Andy.
    SBC Communications is an important and valued corporate 
citizen of St. Louis and Missouri. It has been a distinct 
pleasure working with the fine employees of SBC to ensure the 
citizens of my District receive excellent telecommunications 
services.
    On behalf of Chairman Boehlert and other Members of this 
fine committee, welcome to Congress, Andy. Thank you.
    Chairman Boehlert. Wow. That is quite an introduction. You 
know what I learned from that? It is an experience in upstate 
New York that makes you a very valued member for this panel.
    Mr. Akin. He has got something for everybody, Mr. Chairman.
    Chairman Boehlert. Thank you very much, Mr. Akin.
    And I ask unanimous consent that our colleague, Mr. 
Sessions of Texas, be permitted to sit in on this hearing. He 
is a very valuable Member of the entire Congress and one who is 
deeply and personally interested in the matter before the 
Committee. Mr. Sessions, do you have anything you would care to 
say?
    Mr. Sessions. Mr. Chairman, thank you so much. It is good 
to be back over here. I have been gone from the Science 
Committee now for seven years.
    Mr. Chairman, one might assume, after Mr. Akin and myself, 
that it is an Andy Geisse Day in Congress, but I wanted to take 
just a moment. He has been properly introduced by the gentleman 
from Missouri. Mr. Geisse and I have known each other for 22 
years, during which time I have known Andy and his family. 
During the service that I spent some two years as Vice Chairman 
of the Cyberscience Research and Development Subcommittee for 
Homeland Security, I counted on Andy to provide information to 
me, background information that would help me to better serve 
not only this nation, but also that committee. And I am very 
happy that SBC has chosen to send Mr. Geisse up here. He is a 
dear friend, and I think he will add a lot to today's hearing.
    And I want to thank you for allowing me to sit with you and 
the Members of this committee.
    I yield back the time.
    Chairman Boehlert. Thank you very much, Mr. Sessions. I do 
appreciate it.
    Now to our witnesses. And the rule here is essentially the 
same as in most Committees. We ask that you try to summarize 
your opening statement in five minutes or thereabouts. And I am 
usually offended when I make that announcement, because we have 
very distinguished witnesses who have so much to offer and to 
ask them to capsulize their thinking in 300 seconds or less is 
sort of unrealistic. And so the Chair is not going to be 
arbitrary. You are the only--part of the only panel we will 
have before us today, and you all have so much value to add to 
our knowledge base. So I would ask that you be guided by the 
lights, not directed by the lights.
    With that, Mr. Purdy, you are first up.

 STATEMENT OF MR. DONALD ``ANDY'' PURDY, JR., ACTING DIRECTOR, 
   NATIONAL CYBER SECURITY DIVISION, DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Purdy. Good morning, Chairman Boehlert and 
distinguished Members of the Committee. My name is Andy Purdy. 
I am the Acting Director of the Department of Homeland 
Security's National Cyber Security Division.
    I am delighted to appear before you to share the work of 
NCSD and those with whom we are partnering to secure our 
national cyberspace and critical infrastructure.
    Pursuant to President Bush's Homeland Security Presidential 
Directive 7 (HSPD-7), our Infrastructure Protection Office 
developed the National Infrastructure Protection Plan (NIPP) to 
serve as a guide for addressing critical infrastructure and key 
resource protection. It sets forth a risk management framework 
for public and private sector stakeholders to work together to 
identify, prioritize, and conduct vulnerability assessments of 
critical assets and key resources in each sector. It also 
includes the identification of interdependencies of critical 
assets and key resources both within and across sectors as well 
as providing priority protective measures that owners and 
operators of such assets should undertake to secure them.
    DHS recognizes that more than 85 percent of the critical 
infrastructure is owned by the private sector and that the 
development and enhancement of public-private partnership is 
paramount to securing our nation's assets.
    As such, private sector-led sector coordinating councils 
are being established to work with their appropriate sector-
specific agency via the government coordinating councils, which 
represent the government agencies that have a role in 
protecting their respective sectors.
    Our Division was created in response to President Bush's 
National Strategy to Secure Cyberspace as a national focal 
point for cyber security. Given today's interconnected 
environment and the Department's integrated risk-based approach 
to critical infrastructure protection, our mission is to work 
collaboratively with public, private, and international 
entities to secure cyberspace and America's cyber assets. To 
meet that mission, we developed a strategic plan that is 
closely aligned with the Strategy, HSPD-7, the National 
Infrastructure Protection Plan, and the Cyber Annex to the 
National Response Plan.
    To carry out our mission and related responsibilities, we 
have identified two overarching priorities: to build an 
effective National Cyberspace Response System, and implement a 
cyber risk management program for critical infrastructure 
protection.
    A core component of our first priority is the US-CERT 
Operations Center that is a partnership between the Department 
and the public and private sectors to address cyber security 
issues. It provides a national coordination center that links 
public and private response capabilities to facilitate 
information sharing and coordinated response to help maintain 
the continuity of our nation's cyber infrastructure.
    We worked with the Department of Defense and the Department 
of Justice to form the National Cyber Response Coordination 
Group that is the principle interagency mechanism to prepare 
for and respond to cyber incidents of national significance 
that was formalized in the Cyber Annex to the National Response 
Plan.
    An important element of our response system is our ability 
to address the global nature of cyberspace. Implementation of 
our international cyber security strategy and its related 
outreach and collaboration objectives is well underway. Such 
international cooperation contributes to our overall global 
situation awareness and incident response capabilities in an 
area in which information moves at Internet speeds and 
traditional borders do not apply.
    To advance the second priority of cyber risk management, we 
have incorporated a risk management approach aligned with the 
interim NIPP into its effort to better assess the threat and 
reduce the risk to our national cyberspace. Risk management 
includes risk assessment based on threat, vulnerabilities, and 
consequences as well as efforts to reduce the risk by 
addressing vulnerabilities before an attack occurs and 
mitigating and managing the consequences of a cyber attack that 
does occur.
    Regarding reducing risk, our sector-specific 
responsibilities within the Department, among others, including 
the information technology sector, which we are the lead for, 
and the telecommunications sector, which our partner agency, 
the National Communications System, is responsible for.
    The NIPP also includes a cross-sector cyber responsibility 
for us.
    In addition to our specific responsibilities, there are 
three major components of our risk mitigation approach.
    First, we have established the Internet Disruption Working 
Group with the National Communications System to address the 
resiliency and recovery of Internet functions in the case of a 
major cyber incident. The Department of Treasury and the 
Department of Defense are also engaged, and the working group 
is acting to extend the partnership to representatives in the 
private sector as well as international stakeholders.
    Next, the interdependency between physical and cyber 
infrastructures is hardly more acute than in the use of control 
systems as integral operating components of many of our 
critical infrastructures.
    Interestingly, these control systems are implemented with 
remote access, open connectivity, and connections to open 
networks, such as corporate intranets and the Internet. These 
make critical infrastructure assets more automated, more 
productive, more efficient, more innovative, but they also may 
expose many of those physical assets to physical consequences 
from cyber-related threats.
    The third major component of our effort is the Software 
Assurance Program. Defects in software can be exploited to 
launch critical cyber attacks, and we have developed a 
comprehensive software assurance framework that addresses 
people, process, technology, and acquisition through the 
software development process.
    I hope we have the opportunity in the questions to discuss 
our cyber R&D agenda and our relationship with the Science and 
Technology Director to fund those. We are committed to 
achieving success in our goals and objectives, but we cannot do 
it alone. We will continue to work with government and the 
private sector to leverage the efforts of all so we, as a 
Nation, are more secure in cyberspace and in our critical 
infrastructures.
    Again, thank you for the opportunity to testify before you 
today, and I look forward to your questions.
    [The prepared statement of Mr. Purdy follows:]

             Prepared Statement of Donald (Andy) Purdy, Jr.

    Good morning Chairman Boehlert and distinguished Members of the 
Committee. My name is Andy Purdy, and I am the Acting Director of the 
Department of Homeland Security's National Cyber Security Division 
(NCSD). I am delighted to appear before you today to share with you the 
work of the NCSD and those with whom we are partnering to secure our 
national cyberspace and critical infrastructure. In my testimony today, 
I will provide an overview of NCSD, our operating mandates, our mission 
and goals, our priorities, and the programs in which we are engaged to 
meet those missions and goals.

DHS and Critical Infrastructure Protection

    Over the course of the past several months Secretary Chertoff 
conducted a systematic evaluation of the Department's operations. On 
July 13th, Secretary Chertoff announced his six point agenda for the 
path ahead for the Department. As part of this agenda, the Secretary 
announced several Departmental organizational changes. Among these was 
the creation of a new Preparedness Directorate which would house a 
newly created office of the Assistant Secretary for Cyber Security and 
Telecommunications. Currently, cyber security is addressed by the NCSD, 
one of four divisions in the Office of Infrastructure Protection (IP), 
located within the Information Analysis and Infrastructure Protection 
Directorate.
    In December 2003, President Bush issued Homeland Security 
Presidential Directive 7: Critical Infrastructure Identification, 
Prioritization, and Protection (HSPD-7), which established a national 
policy for federal departments and agencies to identify and prioritize 
United States critical infrastructure and key resources and to protect 
them from terrorist attacks. Among other things, HSPD-7 identified 
17\1\ critical infrastructure and key resource sectors and assigned 
responsibility for each to a Sector Specific Agency (SSA), with DHS 
serving as the overall program coordinator.
---------------------------------------------------------------------------
    \1\ The NIPP identifies the following Critical Infrastructure 
Sectors and Key Resources: Food and Agriculture; Public Health and 
Health Care; Drinking Water and Wastewater; Energy; Banking and 
Finance; National Monuments and Icons; Defense Industrial Base; 
Information Technology; Telecommunications; Chemical; Transportation 
Systems; Emergency Services; Postal and Shipping; Dams; Government 
Facilities; Commercial Facilities; Nuclear Reactors, Materials, and 
Waste.
---------------------------------------------------------------------------
    Additionally, HSPD-7 set forth how DHS should address critical 
infrastructure protection, including ``summary of activities to be 
undertaken in order to: define and prioritize, reduce the vulnerability 
of, and coordinate the protection of critical infrastructure and key 
resources.'' \2\
---------------------------------------------------------------------------
    \2\ Homeland Security Presidential Directive 7, December 17, 2003; 
http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html.
---------------------------------------------------------------------------
    To meet this mandate, IP developed the National Infrastructure 
Protection Plan (NIPP), a plan that is to serve as the guide for 
addressing critical infrastructure and key resource protection. It sets 
forth a risk management framework for public and private sector 
stakeholders to work together to identify, prioritize, and conduct 
vulnerability assessments of critical assets and key resources in each 
sector. It also includes the identification of interdependencies of 
critical assets and key resources both within and across the sectors, 
as well as providing priority protective measures that owners and 
operators of such assets should undertake to secure them. Recognizing 
that more that 85 percent of the critical infrastructure is owned and 
operated by the private sector and that the development of public-
private partnership is paramount to securing our nation's assets, 
private sector-led Sector Coordinating Councils (SCCs) are being 
established to work with their appropriate SSA via Government 
Coordinating Councils, which represent the government agencies that 
have a role in protecting the respective sectors.
    Currently, the office of Infrastructure Protection is finalizing 
the NIPP and it is expected to be released later this year. This 
finalized document will refine the public-private partnership model and 
a process for protecting our critical infrastructures from physical or 
cyber attack or natural disasters.

DHS and Cyber Security

    In June 2003, in response to the President's National Strategy to 
Secure Cyberspace and HSPD-7, the Department of Homeland Security 
created the NCSD as a national focal point for cyber security. The 
national strategy established the following five national priorities 
for securing cyberspace:





    Priority I:                         A National Cyberspace Security
                                         Response System
    Priority II:                        A National Cyberspace Security
                                         Threat and Vulnerability
                                         Reduction Program
    Priority III:                       A National Cyberspace Security
                                         Awareness and Training Program
    Priority IV:                        Securing Government's Cyberspace
    Priority V:                         National Security and
                                         International Cyberspace
                                         Security Cooperation



    Given today's interconnected environment and DHS's integrated risk-
based approach to critical infrastructure protection, NCSD's mission is 
to work collaboratively with public, private, and international 
entities to secure cyberspace and America's cyber assets. To meet that 
mission, NCSD developed a Strategic Plan that establishes a set of 
goals with specific objectives for each goal, and milestones associated 
with each objective. The Strategic Plan goals, which are closely 
aligned with the Strategy, HSPD-7, the NIPP, and the Cyber Annex to the 
National Response Plan, are as follows:

        1.  Establish a National Cyberspace Response System to prevent, 
        detect, respond to, and reconstitute rapidly after cyber 
        incidents;

        2.  Work with public and private sector representatives to 
        reduce vulnerabilities and minimize severity of cyber attacks;

        3.  Promote a comprehensive awareness plan to empower all 
        Americans to secure their own parts of cyberspace;

        4.  Foster adequate training and education programs to support 
        the Nation's cyber security needs;

        5.  Coordinate with the intelligence and law enforcement 
        communities to identify and reduce threats to cyberspace; and

        6.  Build a world class organization that aggressively advances 
        its cyber security mission and goals in partnership with its 
        public and private stakeholders.

    To meet these goals, NCSD is organized into four operating branches 
to address the various aspects of the risk management structure: (1) 
U.S. Computer Emergency Readiness Team (US-CERT) Operations to manage 
the 24-7 threat watch, warning, and response capability that can 
identify emerging threats and vulnerabilities and coordinate responses 
to major cyber incidents; (2) Strategic Initiatives Branch to manage 
activities to advance cyber security in critical infrastructure 
protection, control systems security, software development, training 
and education, exercises, and standards and best practices; (3) 
Outreach and Awareness Branch to manage outreach, cyber security 
awareness, and partnership efforts to disseminate information to key 
constituencies and build collaborative actions with key stakeholders; 
and (4) Law Enforcement and Intelligence Branch to coordinate and share 
information between these communities and NCSD's other constituents in 
the private sector, public sector, academia, and others, and also to 
coordinate interagency response and mitigation of cyber security 
incidents. Together, these branches make up NCSD's framework to address 
the cyber security challenges across our key stakeholder groups and 
build communications, collaboration, and awareness to further our 
collective capabilities to detect, recognize, attribute, respond to, 
mitigate, and reconstitute after cyber attacks.

Cyber Security Priorities: Response and Risk Management

    The Strategy, HSPD-7, and the NIPP provide NCSD with a clear 
operating mission and national coordination responsibility. To carry 
out this mission and its related responsibilities, NCSD has identified 
two overarching priorities: to build an effective national cyberspace 
response system and to implement a cyber risk management program for 
critical infrastructure protection. Our focus on these two priorities 
and related programs addresses the overarching NIPP Risk Management 
methodology and establishes the framework for securing cyberspace today 
and a foundation for addressing cyber security for the future.
Priority 1--Cyber Incident Management: A National Cyberspace Response 
        System
    A core component of NCSD and our effort to establish a National 
Cyberspace Response System is the US-CERT Operations Center. US-CERT 
was established in September 2003 as a partnership between DHS and the 
public and private sectors to address cyber security issues. Building 
upon an initial partnership with the Computer Emergency Response Team 
Coordination Center (CERT/CC) in Carnegie Mellon University's Software 
Engineering Institute, US-CERT now provides a national coordination 
center that links public and private response capabilities to 
facilitate information sharing across all infrastructure sectors and to 
help protect and maintain the continuity of our nation's cyber 
infrastructure. The overarching approach to this task is to facilitate 
and implement systemic global and domestic coordination of deterrence 
from, preparation for, defense against, response to, and recovery from 
cyber incidents and attacks across the United States, as well as from 
the cyber consequences of physical attacks or natural disasters.
    US-CERT has four major programs of activity. First, US-CERT is 
DHS's 24-7-365 cyber watch, warning, and incident response center, and 
it provides coordinated response to cyber incidents, a web portal for 
secure communications with private and public sector stakeholders, 
including critical infrastructure owners and operators, a daily report, 
a public website (http://www.us-cert.gov/), and a National Cyber Alert 
System, which provides timely, actionable information to the public on 
both technical and non-technical bases. Second, US-CERT conducts 
malicious code analysis, provides malware technical support, and 
conducts cyber threat and vulnerability analysis. Third, US-CERT 
manages a situational awareness program and an Internet Health and 
Status service used by 50 government agency computer security incident 
response teams. Fourth, US-CERT manages programs for communication and 
collaboration among public agencies and key network defense service 
providers. In line with NCSD's close working relationship with NCS, US-
CERT works closely with the National Coordinating Center for 
Telecommunications (NCC) to address and mitigate cyber threats 
including response and recovery. US-CERT also maintains a presence in 
the HSOC to ensure coordination throughout DHS.
    As noted, NCSD has initiated a number of activities specifically to 
assist federal agencies in protecting their cyber infrastructure. NCSD 
established the Government Forum of Incident Response and Security 
Teams (GFIRST) to facilitate interagency information sharing and 
cooperation across federal agencies for readiness and response efforts. 
GFIRST is a group of technical and tactical practitioners of security 
response teams responsible for securing government information 
technology systems. The members work together to understand and handle 
computer security incidents and to encourage proactive and preventative 
security practices. The purpose of the GFIRST is to:

          Provide members with technical information, tools, 
        methods, assistance, and guidance;

          Coordinate proactive liaison activities and 
        analytical support;

          Further the development of quality products and 
        services for the Federal Government;

          Share specific technical details regarding incidents 
        within a trusted U.S. Government environment on a peer-to-peer 
        basis; and

          Improve incident response operations.

    GFIRST meets on a regular basis and held its first annual 
conference in April 2005 with more than 200 participants from Federal, 
State, and local governments. The conference was a major success for 
US-CERT, and GFIRST has established further lines of communications 
across organizations. The technical workshops and speakers stimulated 
many technical interchanges regarding cyber first responder activities. 
In another step forward, GFIRST held its first classified threat 
briefing with DHS Office of Information Analysis (IA), the Central 
Intelligence Agency, Department of Defense, and National Security 
Agency in June 2005.
    US-CERT utilizes a secure collaboration platform, the US-CERT 
Portal, to support cyber information sharing and collaboration among 
the GFIRST community, and other cyber and critical infrastructure 
communities, such as the ISACs. The US-CERT Portal is being integrated 
into the Homeland Security Information Network (HSIN) and bridges the 
gap between the Government Coordinating Councils, the Sector 
Coordinating Councils, ISACs, and other private critical infrastructure 
information-sharing entities.
    In addition to GFIRST, NCSD worked with the Department of Defense 
(DOD) and the Department of Justice (DOJ) to form the National Cyber 
Response Coordination Group (NCRCG) to provide a Federal Government 
approach to coordinated cyber incident response. NCSD created a Cyber 
Annex to the recently issued National Response Plan (NRP)\3\ that 
provides a framework for responding to cyber incidents of national 
significance. As such, the Cyber Annex formalized the NCRCG as the 
principal federal interagency mechanism to coordinate preparation for, 
and response to, cyber incidents of national significance. The co-
chairs of the NCRCG are DHS/NCSD, DOJ, and DOD. An additional 13 
federal agencies with a statutory responsibility for and/or specific 
capability toward cyber security, including the intelligence community, 
comprise the membership. NCSD serves as the Executive Agent and point 
of contact for the NCRCG. The NCRCG has developed a concept of 
operations (CONOPS) for national cyber incident response that will be 
examined in the National Cyber Exercise, Cyber Storm, to be conducted 
by NCSD in November 2005, with public and private sector stakeholders.
---------------------------------------------------------------------------
    \3\ http://www.dhs.gov/dhspublic/display?theme=15&content=4269
---------------------------------------------------------------------------
    The NCRCG is also reviewing capabilities of federal agencies from a 
cyber defense perspective to better leverage and coordinate the 
preparation for and response to significant cyber incidents. This 
effort will entail the following components:

          Mapping the current capabilities of government 
        agencies related to cyber defense relative to detection and 
        recognition of cyber activity of concern, attribution, response 
        and mitigation, and reconstitution;

          Identifying capabilities within the government that 
        US-CERT should leverage to maximize interagency coordination of 
        cyber defense capabilities;

          Performing a gap analysis to identify the surge 
        capabilities for possible leverage by, or collaboration with, 
        the US-CERT for cyber defense issues in order to detect 
        potentially damaging activity in cyberspace, to analyze 
        exploits and warn potential victims, to coordinate incident 
        responses, and to restore essential services that have been 
        damaged; and

          Consider establishing formal resource sharing 
        agreements with the other agencies per the cyber defense 
        coordination needs identified through the process identified 
        above.

    An important element of a National Cyberspace Response System is 
our ability to address the global nature of cyberspace. Implementation 
of NCSD's international cyber security strategy and its related 
outreach and collaboration objectives is well underway, as we 
participate in bilateral and multilateral outreach efforts and have 
established cooperative programs with key allies and countries of 
interest. Such international cooperation contributes to our overall 
global situational awareness and incident response capabilities in an 
area in which information moves at Internet speed and traditional 
borders do not apply.
    With our efforts, accomplishments, and on-going programs, NCSD has 
made significant progress in managing cyber incidents and has taken 
substantial strides toward building a National Cyberspace Response 
System. We know there is more to do, and we are enhancing and evolving 
our readiness and response programs to further our efforts and address 
this dynamic environment.

Priority 2--Cyber Risk Management: Assessing the Threat and Reducing 
        the Risk
    NCSD incorporated a risk management approach aligned with HSPD-7 
and the resulting interim NIPP into its effort to better assess the 
threat and reduce the risk to our national cyberspace. Risk management 
includes risk assessment based on threat, vulnerabilities, and 
consequences, as well as efforts to reduce the risk by addressing 
vulnerabilities before an attack occurs, and mitigating and managing 
the consequences of a cyber attack that does occur. The NIPP risk 
management framework entails work with the intelligence community, law 
enforcement, and the private sector to better understand the cyber 
threat and a collaborative partnership between the private sector and 
Federal, State, and local governments looking at people, cyber, and 
physical assets to identify and prioritize those assets, assess 
vulnerabilities, and coordinate the protection of critical 
infrastructure and key resources.
    With regard to assessing the threat, NCSD collaborates with the law 
enforcement and the intelligence communities in a number of ways. DHS 
assisted in the coordination of cyber-related issues for the ``National 
Intelligence Estimate (NIE) of Cyber Threats to the U.S. Information 
Infrastructure.'' The resulting classified document issued in February 
2004 details actors (nation states, terrorist groups, organized 
criminal groups, hackers, etc.), capabilities, and intent (where 
known). In addition, NCSD has infused cyber requirements into the 
Standing Information Needs (SINs) and Priority Information Needs (PINs) 
for the intelligence community and continues to collaborate with them 
through IA to characterize cyber threats for accuracy. Finally, the 
NCRCG includes law enforcement and intelligence agencies and has 
working groups addressing botnets and attribution issues.
    The private sector is also a resource for threat and risk related 
information, and NCSD works with its industry stakeholders to gather 
and communicate that information. The US-CERT Internet Health Service 
enables US-CERT to gather information from private sector resources 
regarding vulnerabilities, network attacks, and malicious code activity 
and provide that information to federal agencies. In addition, NCSD has 
identified preparedness and response as a key area of joint public-
private effort and is working with the critical infrastructure sectors 
to identify attack/threat scenarios against which proactive protective 
measures can be taken and response plans can be developed. And, DHS 
utilizes the ISACs and critical sector elements of the HSIN to obtain 
and share cyber security information.
    With regard to reducing the risk, DHS's SSA responsibilities under 
the NIPP include the Information Technology (IT) Sector and the 
Telecommunications Sector. Specifically, NCSD coordinates the IT 
Sector, and the National Communications System (NCS), another of the 
divisions in the IP directorate, coordinates the Telecommunications 
Sector. Reflecting the increasing convergence between these two 
communications sectors in today's market, NCSD and NCS work together 
closely to coordinate all efforts to protect the Nation's critical 
cyber systems and the telecommunications transport layer.
    The NIPP includes a cross-sector cyber responsibility for NCSD in 
addition to its IT Sector responsibility. The cross-sector 
responsibility is the collaborative effort between DHS/NCSD and the 
SSAs to ensure that deployed cyber elements have been secured in an 
appropriate and consistent manner across sectors. NCSD is responsible 
for providing cyber guidance to all sectors assisting them in 
understanding and mitigating cyber risk (including cyber infrastructure 
vulnerabilities) and in developing effective and appropriate protective 
measures. This guidance includes contributing cyber elements to the 
NIPP, reviewing the cyber aspects of the respective Sector Specific 
Plans (SSPs), and delivering cyber Critical Infrastructure Protection 
(CIP) training to SSAs to help them enhance the cyber aspects of their 
SSPs.
    To implement these two NIPP Cyber elements, NCSD works with the 
Information Technology Information Sharing and Analysis Center (IT-
ISAC) and the newly established Information Technology Sector 
Coordination Council (IT-SCC), as well as with the SSAs, ISACs and 
emerging SCCs in the other sectors.
    In addition to NCSD's specific NIPP responsibilities, there are 
three major components to our cyber risk mitigation approach: the 
Internet Disruption Working Group (IDWG), the Control Systems Security 
Program, and the Software Assurance Program.
    Protection of critical cyber assets goes hand-in-hand with 
protection of critical telecommunications assets; accordingly, NCSD and 
NCS are working closely together to collaborate on issues related to 
threats, identification of critical cyber assets, vulnerability and 
risk assessments, and development of appropriate protective measures 
that could be recommended for implementation by owners/operators. 
Within the NIPP framework, NCSD and NCS established the Internet 
Disruption Working Group (IDWG) in December 2004 to address the 
resiliency and recovery of Internet functions in case of a major cyber 
incident. The Department of Treasury and the Department of Defense are 
also engaged, and the working group is acting to extend the partnership 
to representatives from the private sector as well as international 
stakeholders. The IDWG reflects the convergence of telecommunications 
and information technology sectors in today's environment and the 
emergence of Next Generation Networks (NGN) that will compose the 
Internet of the future. An initial focus of the working group is to 
identify near-term actions related to situational awareness, 
protection, and response that government and its stakeholders can take 
to better prepare for, protect against, and mitigate nationally 
significant Internet disruptions.
    The interdependency between physical and cyber infrastructures is 
hardly more acute than in the use of control systems as integral 
operating components by many of our critical infrastructures. ``Control 
Systems'' is a generic term applied to hardware, firmware, 
communications, and software used to perform vital monitoring and 
controlling functions of sensitive processes and enable automation of 
physical systems. Specific control systems used in the various critical 
infrastructure sectors include Supervisory Control and Data Acquisition 
(SCADA) systems, Process Control Systems (PCS), and Distributed Control 
Systems (DCS).
    Examples of the critical infrastructure processes and functions 
that control systems monitor and control include energy transmission 
and distribution, pipelines, water and pumping stations, 
telecommunications, chemical processing, pharmaceutical production, 
rail and light rail, manufacturing, and food production. Increasingly, 
these control systems are implemented with remote access, open 
connectivity, and connections to open networks such as corporate 
intranets and the Internet. These sophisticated information technology 
tools are making our critical infrastructure assets more automated, 
more productive, more efficient, and more innovative, but they also may 
expose many of those physical assets to physical consequences from new, 
cyber-related threats and vulnerabilities.
    To assure immediate attention is directed to protect these systems, 
NCSD established the Control Systems Security Program to coordinate 
efforts among Federal, State, and local governments, as well as control 
system owners, operators, and vendors to improve control system 
security within and across all critical infrastructure sectors. As part 
of this Program, NCSD developed a Control Systems Strategy that 
incorporates five highly integrated goals to address the issues and 
challenges associated with control systems security. As such, our 
control systems activities support NCSD's overall efforts to address 
cyber security across critical infrastructure sectors over the long-
term, as well as the US-CERT's capability in the management, response, 
and handling of incidents, vulnerabilities, and mitigation of threat 
actions specific to critical control systems functions. NCSD also 
recognizes the significant attention being paid to PCS and SCADA 
security by various industry organizations in developing encryption 
standards, cryptography, modeling, and other tools to improve cyber 
security of control systems.
    NCSD also established the US-CERT Control Systems Security Center 
(CSSC) in partnership with Idaho National Laboratory (INL) and other 
Department of Energy National Laboratories\4\ in June 2004. The CSSC is 
involving other partners from control systems industry associations, 
universities, control systems vendors, and industry experts. Since its 
establishment, the CSSC has made considerable progress and some of its 
major accomplishments include:
---------------------------------------------------------------------------
    \4\ Idaho (INL), Pacific Northwest (PNNL), Los Alamos (LANL), 
Argonne (ANL), Sandia (SNL), Savannah River (SRNL)

          Established the US-CERT CSSC assessment and incident 
        response facility located at INL and a US-CERT Support 
---------------------------------------------------------------------------
        Operations Center for Control Systems;

          Established relationships with more than 25 potential 
        industry partners and completed several agreements that 
        established initial assessment, analysis, and vulnerability 
        reduction plans within various industry sectors;

          Created the Critical Infrastructure Cyber Consequence 
        Matrix to determine the industries of most concern, and a list 
        of specific sites from the National Asset Database where 
        Control Systems could cause a negative consequence due to 
        failure or attack;

          Created a quantitative control systems cyber risk/
        decision analysis measurement methodology; and,

          Established the Process Control System Forum (PCSF) 
        (in partnership with DHS's Science and Technology Directorate) 
        with industry, academia, and government to accelerate the 
        development of technology that will enhance the security, 
        safety, and reliability of Control Systems, including legacy 
        installations.

    At the same time that the telecommunications and financial sectors 
have increased their dependence on information systems overall for 
information flows, service provision, and financial transactions, the 
energy, chemical, nuclear, food and agriculture, transportation, and 
water sectors have become increasingly dependent on process control 
systems for their critical operations. To more fully utilize the Matrix 
for analysis on the nature of consequences of attacks on the various 
sectors for risk management purposes, more information is needed about 
how these various sectors are using process control systems and the 
subsequent interdependencies.
    Future FY05 and FY06 activities for NCSD's Control Systems Security 
Program include efforts to:

          Develop a comprehensive set of control systems 
        security assurance levels for owners and operators;

          Sponsor government/industry workshops to increase 
        awareness among control systems owners and operators of 
        potential cyber incident impacts and vulnerabilities;

          Develop, populate, and validate control systems 
        security scenario assessment tools to provide response teams a 
        web-based application to assess impacts;

          Assess a minimum of three core systems and provide 
        solutions to vulnerabilities and recommendations to protect 
        against cyber threats; and

          Develop the US-CERT CSSC web page for information 
        exchange.

    The third major component of NCSD's cyber risk management program 
is our Software Assurance Program. Software is an essential component 
of the Nation's critical infrastructure (power, water, transportation, 
financial institutions, defense industrial base, etc); however, defects 
in software can be exploited to launch cyber attacks as well as attacks 
against the critical infrastructure. NCSD developed a comprehensive 
software assurance framework that addresses people, process, 
technology, and acquisition throughout the software development 
lifecycle.
    As part of the shared responsibility approach to cyber security, 
DHS is working to achieve a broader ability to routinely develop and 
deploy trustworthy software products. As such, DHS is shifting the 
security paradigm from ``patch management'' to ``software assurance'' 
by encouraging U.S. software developers to raise the bar on software 
quality and security. In collaboration with other federal agencies, 
academia, and the private sector, we are:

          Sponsoring the development of a repository of best 
        practices and practical guidance for the software development 
        community;

          Developing a software assurance common body of 
        knowledge from which to develop curriculum for education and 
        training;

          Examining recommendations from the Networking and 
        Information Technology Research and Development (NITRD), 
        Software Design and Productivity (SDP), and High Confidence 
        Software and Systems (HCSS) coordination groups and 
        anticipating greater direct engagement with them in the future.

          Facilitating discussions with industry and academic 
        institutions through Software Assurance Forums;

          Collaborating with NIST to inventory software 
        assurance tools and measure effectiveness, identify gaps and 
        conflicts, and develop a plan to eliminate gaps and conflicts;

          Completing the DHS/Department of Defense co-sponsored 
        comprehensive review of the National Information Assurance 
        Partnership (NIAP) \5\ with the draft report to be published in 
        September 2005; and
---------------------------------------------------------------------------
    \5\ The National Information Assurance Partnership, established in 
August of 1997, is a joint effort between NIST and NSA to provide 
technical leadership in security-related information technology test 
methods and assurance techniques. NIAP uses the Common Criteria to 
evaluate and certify commercial off the shelf (COTS) products. There 
has been much discussion in past years on the effectiveness (time and 
cost) of the NIAP process. As a result, the National Strategy to Secure 
Cyberspace recommended an independent review of the program be 
conducted to make recommendations for its improvement.

          Promoting investment in applicable software assurance 
---------------------------------------------------------------------------
        research and development.

    DHS will seek to reduce risks by raising the level of trust for all 
software, minimizing vulnerabilities and understanding threats. DHS 
will collaborate with government, industry, academic institutions, and 
international allies to achieve these software assurance objectives.
    Another important cyber element of national infrastructure 
protection is the proliferation of the Internet in our society and 
daily lives. To mitigate the risks inherent in the rapidly growing user 
base and increasing usage, NCSD is engaged in a cyber security 
awareness program that leverages a variety of partners including the 
National Cyber Security Alliance, the Multi-State ISAC, and the Federal 
Trade Commission, among others, to reach out to the home user, K-12, 
small business, and higher education audiences to raise the American 
public's awareness of cyber risks and security measures.

Research and Development for Cyber Security and Critical Infrastructure 
                    Protection

    Cyber-related research and development (R&D) is vital to improving 
the resiliency of the Nation's critical infrastructures. This difficult 
strategic challenge requires a coordinated and focused effort from 
across the Federal Government, State and local governments, the private 
sector, and academia to advance the security of critical cyber systems.
    A critical area of focus for DHS is the development and deployment 
of technologies to protect the Nation's cyber infrastructure, including 
the Internet and other critical infrastructures that depend on IT 
systems for their mission. Two components within DHS share 
responsibility for cyber R&D, with the Science & Technology (S&T) 
Directorate serving as the primary agent responsible for executing 
cyber security R&D programs. NCSD has responsibility for developing 
requirements for DHS' cyber security R&D projects.
    The S&T Directorate's mission is to conduct, stimulate, and enable 
research, as well as to develop, test, evaluate, and transition 
homeland security capabilities to federal, State and local operational 
end-users. The goals of the DHS S&T Directorate's Cyber Security R&D 
program are to:

          Perform R&D aimed at improving the security of 
        existing deployed technologies and to ensure the security of 
        new emerging systems;

          Develop new and enhanced technologies for the 
        detection of, prevention of, and response to cyber attacks on 
        the Nation's critical information infrastructure; and

          Facilitate the transfer of these technologies into 
        the national infrastructure as a matter of urgency.

    NCSD supports the overall DHS R&D mission by identifying areas for 
cyber innovation and coordinating with S&T. NCSD collects, develops, 
and submits cyber security R&D requirements to provide input to the 
federal cyber security R&D community and specifically to inform the DHS 
S&T Directorate's cyber security research priorities.
    DHS S&T's Cyber Security Research and Development Center is 
currently working on several projects that support the recommendations 
of the National Strategy to Secure Cyberspace, while addressing the 
vulnerabilities of critical systems and infrastructures. The major 
areas are:

          Working with industry to develop secure routing 
        protocols for the core of the Internet.

          Development of a cyber security test bed for 
        researchers and developers.

          Establishment of a large database of anonymized data 
        collected from the Internet to support research on new cyber 
        security tools and techniques.

          Partnering with the government of Canada on a joint 
        experiment involving the handheld BlackBerry data devices for 
        secure communications between first responders.

          Funding research on understanding and countering 
        emerging Internet threats.

          Funding small business innovative research in the 
        development of new cyber security products.

          Coordination with the Institute for Information 
        Infrastructure Protection (I3P) on the development of new 
        technologies for securing SCADA systems and networks and 
        analyzing the economics of cyber security.

    To support and document cyber security R&D initiatives across the 
Federal Government, NCSD participates in the Cyber Security and 
Information Assurance Interagency Working Group (CSIA IWG), co-chaired 
by S&T and the Office of Science and Technology Policy (OSTP). 
Participants include the National Science Foundation (NSF), the Defense 
Advanced Research Projects Agency (DARPA), the National Institute of 
Standards and Technology (NIST) and many others. By reporting to both 
the Infrastructure Subcommittee and NITRD, the CSIA IWG is positioned 
to coordinate cyber security and information assurance R&D across 
agencies, while ensuring that the security of critical infrastructures 
is emphasized. The CSIA IWG is currently completing the Federal Cyber 
Security and Information Assurance R&D Plan.

Moving Forward

    In connection with the National Infrastructure Protection Plan, 
efforts are underway to assess cyber threats, reduce vulnerabilities 
and identify significant interdependencies. These efforts will be fully 
implemented as the SSAs implement their portion of the NIPP. In 
partnership with NCS and other agencies, we are working through the 
Internet Disruption Working Group to address the resiliency and 
recovery of Internet functions in the case of a major cyber incident. 
We have established a Control Systems Security Program to address core 
operating systems of critical infrastructure sectors. And, we are 
working with the government, private sector, and academia to promote 
the integrity and security of software. We continue to enhance our 
cyber incident readiness and response system, and we coordinate with 
our private sector stakeholders to provide protective guidance to our 
stakeholders through US-CERT. We are conducting a major exercise later 
this year to test the Cyber Annex to the National Response Plan. 
Through this effort, we will pull together appropriate entities in the 
Federal Government, State governments, and appropriate private sector 
stakeholders to test our capabilities and, subsequently, to improve our 
incident management process.
    We are committed to achieving success in meeting our goals and 
objectives, but we cannot do it alone. We will continue to meet with 
industry representatives, our government counterparts, academia, and 
State representatives to formulate the partnerships needed for 
productive collaboration and leverage the efforts of all, so we, as a 
nation, are more secure in cyberspace and in our critical 
infrastructures.
    Again, thank you for the opportunity to testify before you today. I 
would be happy to answer any questions you may have at this time.

               Biography for Donald A. (Andy) Purdy, Jr.

    In October 2004, Donald A. (Andy) Purdy, Jr. was appointed by 
Secretary Ridge as the Acting Director of the National Cyber Security 
Division (NCSD) for the Department of Homeland Security, within the 
Information Analysis and Infrastructure Protection (IAIP) Directorate. 
The IAIP Directorate identifies and assesses a broad range of 
intelligence information concerning threats to the people and 
communities of the United States and to protect the critical 
infrastructure systems vital to our national security, governance, 
public health and safety, economy, and national morale.
    The NCSD's mission, in cooperation with public, private, and 
international entities, is to secure cyberspace and America's cyber 
assets. The key components of this mission involve: (1) implementation 
of the National Strategy to Secure Cyberspace and the DHS Strategic 
Plan; and (2) implementation of priority protective measures to secure 
cyberspace and to reduce the cyber vulnerabilities of America's 
critical infrastructures.
    Prior to joining the Department, Mr. Purdy worked on assignment to 
the White House as Deputy to the Vice Chair and Senior Advisor for IT 
Security and Privacy to the President's Critical Infrastructure 
Protection Board (PCIPB) working on the development of the National 
Strategy to Secure Cyberspace. With the PCIPB, Purdy worked in the 
areas of cyber crime, privacy protection, government procurement and 
maintenance of more secure products and systems, security of the 
financial sector's information systems, and in promoting information 
sharing in industry sectors such as health care and finance. In April 
2003, Mr. Purdy came to the Department where he worked on the cyber 
tiger team to help design and launch the NCSD in June 2003. Following 
that he served as Acting Director until Amit Yoran was appointed 
Director in the Fall of 2003.
    Immediately prior to his assignment to the White House staff, Mr. 
Purdy served as Chief Deputy General Counsel and later as Acting 
General Counsel for the U.S. Sentencing Commission. The Sentencing 
Commission is charged with promulgating and updating the Federal 
Sentencing Guidelines for individuals and organizations, and for 
providing counsel to the Congress and others about federal sentencing 
practices and policies. At the Sentencing Commission Mr. Purdy served 
as a member of the senior management team and provided legal, 
strategic, administrative, and ethical advice to the Chair and 
Commissioners, Staff Director and Unit Chiefs.
    Mr. Purdy graduated from the College of William and Mary and the 
University of Virginia Law School. After receiving his law degree, 
Purdy served as an Assistant Attorney General in Missouri, and then as 
Senior Staff Counsel to the U.S. House of Representatives Select 
Committee on Assassinations' investigation of the assassination of 
President Kennedy. He subsequently served as an Assistant U.S. Attorney 
in Philadelphia where he concentrated on investigating and prosecuting 
white collar crime. Following his service as a federal prosecutor, Mr. 
Purdy returned to Washington, D.C. to serve as Counsel to the U.S. 
House of Representatives Committee on Standards of Official Conduct 
(Ethics).
    Mr. Purdy then moved to investigative work in network news, working 
as an Associate Producer for the NBC News magazines First Camera and 
Monitor, and then as the Producer for News and Politics for the CBS 
News broadcast NIGHTWATCH. Subsequently, while at the Sentencing 
Commission, Mr. Purdy was detailed to Capitol Hill where he worked as 
Counsel to the U.S. Senate Impeachment Trial Committee for the 
impeachment trial of then-chief federal judge Walter Nixon of 
Mississippi.
    Mr. Purdy lives in Bethesda, Maryland, with his wife Robin Fader, 
an Emmy Award winning television and commercial producer, and their 
daughter, Alexandra, who is 10 years old and has a certified black belt 
in Tae Kwon Do.

    Chairman Boehlert. Thank you very much, Mr. Purdy.
    Mr. Leggate.

STATEMENT OF MR. JOHN S. LEGGATE, CHIEF INFORMATION OFFICER AND 
 GROUP VICE PRESIDENT, DIGITAL & COMMUNICATIONS TECHNOLOGY, BP 
                      PLC., UNITED KINGDOM

    Mr. Leggate. Thank you, Mr. Chairman, and thank you, 
distinguished Members.
    My name is John Leggate. I am CIO for BP, and this morning, 
I also represent BENS, which is Business Executives for 
National Security in the U.S., a large organization whose 
interest, of course, is improving the nature of business and 
its dependency on the Internet.
    By way of context, also, BP happens to be the biggest 
provider of oil and gas in the United States. So, in fact, in 
our normal business, we take the whole issue of national 
security as a very, very fundamental part of what we do for the 
United States.
    Anyway, going on from that, this topic, as you said, Mr. 
Chairman, has actually been in our minds for some time. It has 
been around, and I think what I would like to do here is point 
to two things just to simply portray a little bit more of why 
this is so important today and a few ideas on the way forward 
above and beyond what is said here.
    Almost by stealth since the fail of the dot-com era 
companies have actually been moving towards the Net 
progressively. We have done survey work, and our most recent 
survey would say, in the energy sector, the chemicals and 
transport sector, up to 30 percent of their revenues come from 
work done on the Internet today in the United States. In a 
sense, the dependency is very clear and growing.
    And the second point, after Mr. Purdy's point, the nature 
of business automation regarding running process plants, 
refineries, and chemical plants are now moving to a place where 
they look simply like regular computers. They are not different 
systems anymore. And the capacity for these systems then to be 
impaired is quite important. In fact, with time, we see a 
bigger growth in what we call machine-to-machine information 
flow than simply humans on the Internet, per se. I mean, today, 
in the world, I think at any point in time, 200 million people 
are on the Internet with a billion possible connections going 
on.
    So moving on from that to say this is a big issue. The 
thing that I would note, it isn't simply cyber security but the 
confluence of cyber and physical security in the Internet. 
Solving the cyber issue doesn't solve the reliability or the 
vulnerability of the Internet. There are number of points in 
the world which are well disclosed where big nodes come 
together. There are critical points that you can find. If you 
choose to scan the Internet, you will see these today where it 
all comes together. And of course, it is--that becomes another 
big issue as to who is in charge. How should we secure or 
harden these particular environments?
    So another area to think about in all of this conversation 
is making sure we touch on the edges on the nature of the 
physical distribution of the Internet. Now you might say, 
``What are companies doing for themselves in the space, because 
clearly they should be self-reliant?'' And we are pretty well. 
But in a sense, what we do control, if you like, is the last 
mile, the mile into our premises. But the millions of miles of 
Internet, we have no control over and no say-so on its 
deliverability or its resilience. So all of this traffic is 
heading to a place where it is almost out of reach of the 
businesses, but because of economic pressures, efficiency, and 
almost an always-on environment which we demand nowadays, the 
job is on.
    So that broadly says that the problem is real. It is big 
and probably getting bigger with time. And the dimensions are 
not well aware with policy makers. In my job, I travel around 
most of the world, and I would say the same level of lack of 
knowledge of the dependency of real business, if you like, 
world trade is now coming to the Internet.
    Look at the United States where we have eight channels of 
principle critical national infrastructure and trace it all 
back, most of it ends up somewhere back on the Internet. So if 
you look through energy, transportation, aviation, it all 
comes, to some point, to some degree, to the Internet.
    And then to look forward more optimistically say what there 
is to do, I would offer there are two areas to think about. One 
is fixing what we have. And we have heard from Mr. Purdy 
various endeavors to do that. I would only add to his remarks 
and say what business would look at isn't simply the risk 
envelope but the consequences. Within a major corporation, as 
in BP, the number of attempts or events per day that come into 
the system is between a half million and a million attempts on 
the Internet. Of those, only a handful really matter to the 
company.
    And the issue is how do you screen out the knives on the 
Internet and get to the issues that actually ultimately take 
out business and make it quite difficult. So working with that, 
certainly businesses want to become more aligned with 
activities of the agencies to bring forward the notion of risk 
management and consequences into this conversation so that the 
money is spent wisely on the right priorities. Because you can 
imagine, you could do a ton of research across a large 
landscape and not nail the problem.
    So the question is how do you converge the issue in the 
near-term, in the course of 2006, 2007, and 2008 to put this 
into a much better state? So that is one aspect of the way 
forward.
    I think the other aspect of the way forward is really a new 
conversation, and I will call it mixed generation Internet, not 
Internet 2, which is basically in the scientific domain, but 
looking 20 years out. Most of all, of the United States to 
start a conversation that moves us to the next generation, if 
you like, of public utility, i.e., in order so business can 
progress. Already, in my travels to the Far East, countries 
like South Korea and Japan are talking of moving to IPv6, and 
so we are going to end up, at some stage, with different 
initiatives in different geographies but no one really holding 
the game plan, the overall strategic intent, or I would call 
it, technology development map, even the governments. Who gets 
to say in such a complex world?
    So from my point of view, let me summarize and say the 
issue is real. We should not be distracted into the near-term 
issues alone, but also take the position, I think, through this 
committee to discuss what is the nature of the strategic intent 
for the future that ensures world trade carries on in the way 
it is.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Leggate follows:]

                 Prepared Statement of John S. Leggate

                   BUSINESS CONCERNS FOR THE INTERNET

STATEMENT OF THE ISSUE

    The Internet is rapidly becoming the backbone of the world economy. 
This is particularly true for the United States where the use of the 
Internet underpins many aspects of the U.S. economy and national 
critical infrastructure (e.g., energy, water, transportation). Given 
this fundamental dependency on its continuous availability, the public 
Internet must be better protected, managed and controlled. In the 
longer-term, the U.S. should take a leadership role in creating the 
next generation Global Internet.

SUMMARY OF THE ISSUE

    The growth of Internet use has been nothing short of 
extraordinary.\1\ Almost by stealth since the dot com collapse, 
governments, public bodies and large and small scale businesses have 
been transformed to operate with the Internet as a core piece of 
business infrastructure. Businesses from all over the world have found 
the Internet to be a cost effective and reliable business tool. Indeed, 
in the last few years, in addition to conventional business 
transactions, many of the controls systems (SCADA) that support 
national and public utilities are adopting the Internet as a core data 
transport method.\2\ This has resulted in businesses and societies 
becoming critically dependent on the continuous operation of the 
Internet.\3\
---------------------------------------------------------------------------
    \1\ Lazarus Research Group
    \2\ Internet Security Systems
    \3\ Jupiter Research
---------------------------------------------------------------------------
    Businesses have moved from dial-up and dedicated point to point 
leased lines to committing mission critical digital traffic to operate 
on the Internet, yet with no practical alternative to maintain business 
continuity. However, the Internet is mostly run by groups of diverse 
academic and non-profit organizations which operate via loose 
consensus. Many governments have apparently not yet fully grasped that 
national and international economies and their citizens are now 
dependent on this network of networks--i.e., the global communications 
backbone.
    In its current operation the Internet has well known physical and 
logical security weaknesses both nationally and globally. What is not 
truly known is the potential business impact of these weaknesses on the 
U.S. and the world economy. Continued operation is presumed, but is in 
no way guaranteed. This is compounded by the poor understanding of 
dependency/interdependencies between companies and critical 
infrastructures supporting nations/regions.
    Global competition has driven the need for ever increasing levels 
of productivity and innovation from businesses and this has driven the 
demand for cheaper and more ubiquitous communications. The nature of 
the architecture of the Internet has allowed it to carry an ever 
increasing variety of services, with ever decreasing costs. These 
forces are driving applications, services and business processes from 
every sector onto the Internet. Businesses that fail to exploit these 
cost and performance advantages are at a competitive disadvantage.
    Today, at moment there are some 200 million individuals active on 
the Internet. By the end of 2005, at least one billion people will have 
access to its enormous resources.\4\ Also there are as many automated 
systems--including SCADA systems, CCTV, pipelines, electricity grids, 
e-mail servers, inventory systems and medical monitoring devices. These 
systems often communicate over the Internet without human intervention. 
This machine-to-machine communication is growing dramatically and could 
supplant interactive use by people in a few years.\5\
---------------------------------------------------------------------------
    \4\ Meta Research
    \5\ ZDNet Research
---------------------------------------------------------------------------
    In 2004, $6.9 trillion of the $55.6 trillion of worldwide trade was 
directly transacted over the Internet.\6\ Of the remaining trade there 
was a significant proportion that relied on supporting activity using 
the Internet for communication--including specification queries, 
logistics and links between internal processes within companies. Even 
financial institutions use the Internet for many routine electronic 
funds transfers.\7\ Significantly, in 2004 and in the U.S. alone, 14.8 
million high tech jobs relied directly on the Internet.\8\
---------------------------------------------------------------------------
    \6\ Forrester Research, Inc.
    \7\ Forrester Research, Inc.
    \8\ University of Texas-Austin
---------------------------------------------------------------------------
    In the past there have been attempts to address the issues of 
security, operational stability and reliability but with limited 
success. For example, work conducted by the President's Commission on 
Critical Infrastructure Protection (PCCIP) nearly ten years ago, raised 
vulnerabilities that are apparently yet to be addressed.\9\ It set a 
goal of a reliable, interconnected, and secure information system 
infrastructure by the year 2003. Is the context and sense of urgency 
different today?
---------------------------------------------------------------------------
    \9\ PCCIP Report 1997
---------------------------------------------------------------------------
    This paper explains why the context is now so very different. In 
the '80s and early '90s companies were not using the Internet in 
anything like the same way or to the same scale as they do today. 
Private networks were the common means of communication. The companies 
providing Internet infrastructure were justified in treating identified 
weaknesses as rather academic and with little economic importance.
    However, things have changed and in ways that often only businesses 
directly using the Internet can articulate.\10\ Companies can, and do, 
take security measures to protect the systems they run and the services 
directly under their immediate control. But they can do little, to 
protect the external network infrastructure on which they rely or even 
engage in a meaningful dialogue about fundamental performance 
expectations. Previous work in evaluating risks to the Internet has 
almost entirely focused around a dialogue between supply-side 
telecommunications/IT companies and government.\11\ We therefore only 
have half the picture, knowledge of interdependency between supply and 
demand-side for Internet services clearly needs to be shared.
---------------------------------------------------------------------------
    \10\ See Appendix.
    \11\ National Security Technology Advisory Committee (NSTAC) and 
the National Infrastructure Assurance Council (NIAC).
---------------------------------------------------------------------------
    Even more troubling is that many demand-side organizations do not 
realise how dependent they are on the Internet. Corporations have 
become linked to the Internet in ways that are not always easily 
discerned. For example, a major corporation that depends on a third 
party's logistical services may be surprised to learn that their 
supplier communicates internal orders and status using the Internet, or 
that an electric utility they depend upon has moved its process control 
network to run over the Internet.
    These cascading dependencies all too quickly create `domino 
effects' that are not obvious to the corporate customer or to the 
policy-maker. They are usually only discovered during unplanned outages 
when capabilities begin to degrade or fail in unexpected ways, or are 
discovered during widely-based crisis management exercises. Businesses 
and governments can plan for expected failures. But even the best 
prepared organizations and corporations may be woefully inadequate in 
responding to complex, low probability, high impact failures. If a 
large scale Internet outage or significant reduction in performance 
were to occur, the unexpected effects on whole sets of industries, 
utilities and enterprise could have surprisingly large economic and 
societal impacts.
    Whether the failure of the Internet arises through error, a worm-
writers experiment, or more directed physical or cyber attacks, 
vulnerabilities exist and this is a real and present risk. Recent 
reports about ``Cyber attack'' attempts being developed and the posting 
of hacker tools with directions on some of the extremist's websites may 
be warning signs.

BROADER CONTEXT

    It is worth recalling that the Internet was set up as a government 
sponsored project, with the U.S. Government as the primary customer and 
`anchor tenant.' Its creation was a bold and dramatic step-out that 
went on to evolve into a remarkable resource that has significantly 
exceeded the wildest imaginings of its creators. As a result it is 
being used far beyond anything envisaged in the original designs.
    Since its creation, the Internet has developed rapidly in scale, 
but its technical design has progressed more through steady incremental 
evolution than through any step change. The ``grass roots'' and 
academically-based standards setting process of the Internet 
Engineering Taskforce (IETF) has had great success. However, the down-
side of this consensus approach is that entity wide coordination and 
alignment is difficult to achieve and step changes are difficult to 
implement. Internet standards setters are a community of interest and 
as such they share interests, but they do not share goals and 
timescales in the way that a project with a clear mandate does.\12\
---------------------------------------------------------------------------
    \12\ Drawn from I-space theory. Max Boisot, INSEAD.
---------------------------------------------------------------------------
    This diversity of interest has been compounded by the loss of the 
primary customer, i.e., the U.S. Government, driving operational 
performance requirements, since they have started to use alternative 
infrastructures for extra critical services. Instead of a single 
`anchor tenant,' the Internet now has countless customers drawn from 
many governments, corporations and individual users and is thus driven 
by a very diverse range of agendas, without a clear priority setting 
process. This will further slow change and adaptation to the new and 
emerging context of Internet use.
    The question we need to ask is whether incremental change will be 
sufficient to address the current physical and digital integrity 
weaknesses. The current deficiencies on the Internet may well be filled 
by tactical repairs, but the potential gap of predictable demand for 
high volume traffic with high quality services and the intractable 
vulnerabilities will require a more radical approach. Arguably the 
risks we are seeing, illustrated by spreading worms and viruses and 
underlying common mode weaknesses in technologies and physical 
infrastructure are systemic and systematic in nature.\13\ Systemic and 
systematic risks can only be addressed through coordinated rather than 
isolated action. A fact well illustrated by other complex systems such 
as vaccination statistics and epidemiology in the medical world and in 
the risk management intervention required in national and global 
banking systems.\14\ Many of these risks have no geographic or country 
boundaries--impact and influence is global.
---------------------------------------------------------------------------
    \13\ Illustrated by work from the Cooperative Association for 
Internet Data Analysis (www.caida.org).
    \14\ Drawn from standard epidemiology texts and banking risk texts 
and the opinions of banking regulators.
---------------------------------------------------------------------------
    The widespread globalization of the Internet also introduces a 
further development complexity. Scores of countries now have 
fundamental interests in its evolution and some are even orchestrating 
local step-changes in technology.\15\ However, no country has yet felt 
able to propose fundamental change on a global basis. Within the U.S., 
the Internet is seen in many quarters as the starting point for the 
National Information Infrastructure (NII). Around the world, there is 
growing recognition that the set of NIIs (assuming each country commits 
to developing one) should be compatible with each other in an--as yet--
undefined way. Who should take the lead in ensuring this compatibility? 
There is clearly an important role for government leadership in framing 
this strategic agenda--with strong collaboration with commerce and 
business.
---------------------------------------------------------------------------
    \15\ For example, the broad introduction of IPv6 in Korea and 
Japan.
---------------------------------------------------------------------------
    In practice, the technical scope of the Internet already goes 
beyond that defined as ``Internet services.'' Ultimately, the 
communication pathways must enter the user's machine/other digital 
devices, pass through layers of software and end up in applications 
programs. The computer industry, along with the many vendors of 
computer-related equipment, must play a role in determining how this 
aspect of the Internet will evolve and therefore form part of the 
supply-side. A key to the success of the Internet is to ensure that the 
interested parties have an equitable way of participating in its 
evolution, including participation in its evolving standards process 
and technology roadmap. A proper role for governments would be to 
oversee this process to make sure that it meets the wide spectrum of 
public and industry needs.
    Yet further complexity and dependency is being introduced by a new 
breed of service providers who are offering services that will continue 
to supplant alternative networks. Telephony (through Voice Over IP), 
television, radio and almost all forms of communication are migrating 
to the Internet or including the Internet as a key component in the 
communication path.

CONCLUSIONS ON CURRENT POSITION

          There are no clear accountabilities or guarantees for 
        the continuity of operation of the Internet. Even weaknesses 
        known about for some time have not yet been addressed.

          A significant and growing proportion of the world 
        economy is dependent on the Internet.

          The Internet is currently subject to technical and 
        geopolitical risk and therefore not only the U.S. economy, but 
        economies worldwide, are at risk.

          The U.S. Government itself is no longer fully 
        dependent on the Internet, as it has alternative networks at 
        its disposal for critical services. Thus the Internet has moved 
        from having a single `anchor tenant' to a diverse community of 
        stakeholders without a voice in the operational performance 
        expectations of the current Internet.

          New technologies and emergent Internet uses, such as 
        Voice Over IP and widespread control system connectivity, are 
        increasing dependency and compounding the risk.

OPTIONS ON THE WAY FORWARD

    We would consider a two-pronged approach, to address both the 
immediate risk and the strategic opportunity:

1. Short-Term

    To address immediate concerns a series of in-depth and as necessary 
classified studies, workshops and truly cross-sectoral exercises should 
be held to allow businesses (that deliver critical aspects of national 
infrastructure--e.g., energy, transportation and financial) and 
governments to share critical information under the Protected Critical 
Infrastructure Information (PCII) Program. The goal of this work would 
be to map the business reliance upon the Internet against known areas 
of risk and develop a priority plan to focus actions that are necessary 
for increasing its robustness and integrity.
    The work could start with the scope of the U.S. economy in a global 
context. Interdependency should then dictate that it be extended in the 
first instance to other countries from the G8 and EU.

2. Medium-Term

    There is a need to create the next generation Internet in a form 
that would be able to handle the emerging demands of business, civil 
societies and governments. This would include the technical design 
necessary to meet physical and logical diversity and resilience. In 
addition, the program should include the development of a Global 
Internet Management Framework that addresses broad policies and 
standards, clarity of operational accountabilities, and technology 
roadmaps. The goal should be to assure the performance and digital 
integrity of the new Global Internet, in terms of resilience to 
physical and cyber-security risks, supplier commercial failure, and 
broader geopolitical risks.
    We believe the U.S. should take a leading role in this proposed 
global initiative.
    Thank you for the opportunity to express the views of the business 
community. I look forward to continuing our conversation as our CEO 
roundtable at BENS (Business Executives for National Security) 
progresses. We look forward to contributing to the actions that we 
propose.

APPENDIX

                       Business Criticality Data

    Having recognized the potential for serious negative impact on the 
U.S. critical national infrastructure in the event of a significant 
interruption of Internet service, a group of concerned business people 
carried out an informal survey of key sector companies in early 2005. 
The graph below shows the findings from that survey, indicating the 
level of dependency these sectors have on the Internet.



                     Biography for John S. Leggate
    As CIO of BP, John Leggate is responsible for the development of 
BP's digital capability--its related systems, technology, business 
processes and business opportunities--across the company's global 
operations, Exploration and Production, Refining and Marketing and 
Trading.
    John was elected a Fellow of the Royal Academy of Engineering in 
July 2005. He was also honored as Commander, The Most Excellent Order 
of the British Empire (CBE) by the Queen in her 2004 New Year's Honour 
List. This is in recognition of an outstanding contribution and 
leadership of the international digital technology agenda.
    A chartered engineer, a graduate of Glasgow University and a Fellow 
of the IEE, began his career in marine consultancy and nuclear energy 
before joining BP Exploration in 1979. During the 1980-90s he held 
posts of increasing responsibility in the management and operating of 
BP's North Sea oil and gas assets.
    In 1998, he was appointed President of BP's Azerbaijan 
International Operating Company, in which capacity he was tasked to 
manage BP's interests in the unfolding geopolitical and economic debate 
that centered on crude oil export routes from the Caspian Sea.
    John has a particular interest in leadership, the management of 
high-performance teams and organizational change.
    He is married with two children, lives in London and travels widely 
on behalf of the company.



    Chairman Boehlert. Thank you very much, Mr. Leggate.
    Mr. Kepler.

 STATEMENT OF MR. DAVID E. KEPLER, CORPORATE VICE PRESIDENT OF 
SHARED SERVICES AND CHIEF INFORMATION OFFICER, THE DOW CHEMICAL 
                            COMPANY

    Mr. Kepler. Thank you, Chairman Boehlert and Ranking Member 
Gordon, for allowing me to share my thoughts on this important 
topic.
    Mr. Chairman, before I begin, our thoughts and prayers go 
out to the millions of Americans, including many of our 7,000 
employees, on the Gulf Coast who have lost so much from 
Hurricane Katrina.
    The importance of information infrastructure for 
communications and emergency response in a national crisis has 
never been more apparent.
    I am Dave Kepler, Corporate Vice President of Shared 
Services and Chief Information Officer of the Dow Chemical 
Company, the world's largest chemical and plastics producer.
    I am also here as Chairman of the Executive Board of our 
Industry Cyber Security Program. Our mission is to understand, 
prior-itize, and coordinate our efforts to address cyber 
security risks.
    Today, I would like to discuss the role of information 
technology in our sector, describe the cyber security threats 
we face, and highlight what is being done to address these 
threats. I will also suggest areas where I think government can 
help.
    With $109 billion in exports, the chemical industry is the 
largest exporter in the U.S. economy. We employ one million 
Americans and are one of the largest private industry investors 
in research and development. Our products help keep the water 
we drink safe, increase productivity of agriculture, enable 
medical innovations, and are essential to homeland defense and 
the war on terror.
    It is in our nation's interest to have a competitive 
chemical industry. Information technology is key in maintaining 
that competitiveness. At Dow, information technology is fully 
integrated into all aspects of our business, and advanced 
technology is used to secure our facilities. We rely on the 
automation and integration of our processes to drive 
productivity, quality, and safety.
    The Internet is a valuable communications tool essential to 
public safety and emergency response. For example, when all of 
the phone service was disrupted from the hurricane, Dow was 
able to use the Internet and Internet-based phones to 
communicate with our people in the region.
    In 2004, chemical industry executives conducted an industry 
vulnerability assessment. We concluded that, unlike an attack 
on other critical infrastructures, a security breach from cyber 
would not cause cascading impact across the chemical industry. 
However, we believe the highest concern for our industry is the 
potential of a combined physical and cyber attack.
    There are three specific areas for concern in the chemical 
industry.
    One, using information on shipments, product inventory, or 
sites to construct a physical attack. That is why Dow has set 
in place practices, policies, and technologies to protect 
critical plant systems and corporate networks.
    Two, using false identity to acquire chemicals for improper 
use. Our company counters this threat by pre-identifying and 
verifying customers.
    Three, gaining inappropriate access to systems to cause 
isolated disruptions. At Dow, operating practices and 
authentication technologies are continuously being upgraded to 
restrict access based on roles and clearances.
    Our company has conducted a comprehensive cyber security 
risk analysis, and we have used the Sandia National Lab's 
methodology for assessing vulnerabilities for our sites and 
manufacturing facilities. Dow has developed a cyber security 
management plan, and we continue to test and upgrade our plans 
in all areas of security.
    But we cannot address cyber security threats alone. 
Security of the communications and Internet infrastructure is 
beyond any one sector's control. Protecting these vital assets 
from a significant attack, whether physical, cyber, or a 
combination, is of utmost importance.
    So what role does government play?
    The Department of Homeland Security must contend with the 
real threat of attacks by people, organizations, or nations 
intent on causing significant disruptions to our economy and 
way of life. Protecting communications in the event of a 
national emergency must be a priority along with threat 
monitoring and modeling, authentication methods and information 
protection. We must understand how to prevent attacks, what is 
needed to defend against attacks, and how to recover 
infrastructure from a catastrophic failure. Department of 
Homeland Security resources and R&D efforts must be dedicated 
to the big picture.
    In closing, we are encouraged by the Department's work to 
provide--the work with the private sector to reduce 
vulnerabilities and minimize the severity of cyber attacks. But 
more needs to be done to share and protect relevant information 
across all sectors and government. Government crisis management 
and disaster recovery plans must include industry 
participation, coordinated emergency response, and ongoing 
monitoring, and managed recovery efforts with government and 
industry together are critical.
    Thank you, and I will be happy to answer any questions at 
the end.
    [The prepared statement of Mr. Kepler follows:]

                 Prepared Statement of David E. Kepler

    Thank you Chairman Boehlert and Ranking Member Gordon for allowing 
me to share my thoughts on this important topic.
    Mr. Chairman, before I begin, our thoughts and prayers go out to 
the millions of Americans, including many of our 7,000 employees on the 
gulf coast who have lost so much from Hurricane Katrina.
    Our number one priority is the safety and well-being of our 
employees and the communities impacted by this disaster. We are 
committed to safely returning our facilities to full operation and 
contributing to the recovery efforts. The importance of information 
infrastructure for communications and emergency response in a national 
crisis has never been more apparent.
    I'm Dave Kepler, Corporate Vice President of Shared Services and 
Chief Information Officer of The Dow Chemical Company. Dow is the 
world's largest chemical and plastics producer with annual sales of 
over $40 billion serving customers in markets such as: food, 
transportation, health and medicine, personal and home care, and 
building and construction.
    I am also here as the Chairman of the Executive Board of the 
Chemical Sector Cyber Security Program. This effort was established in 
2002 to coordinate the sector's activity and to align with the U.S. 
Government's National Strategy to Secure Cyberspace. The program's 
mission is to understand the risks we face as a sector and coordinate 
and prioritize our efforts to reduce those risks. Leadership for this 
program is provided by the chemical industry's leading CIOs, and 
leverages expertise from existing organizations: chemical trade 
associations, the Chemical Industry Data Exchange, and the Chemical 
Sector Information Sharing and Analysis Center.
    The five strategic elements of the program are:

          Broad support and participation throughout the sector

          Engagement with government to ensure effective 
        measures to secure cyberspace

          Identification and reduction of infrastructure 
        vulnerabilities to guard against cyber attacks and speed 
        recovery from incidents

          Establishment of management practices and guidance to 
        support overall sector cyber security

          Ongoing coordination with technology providers, 
        government and academia to accelerate development of improved, 
        cost-effective solutions.

    The program produced comprehensive cyber security guidance which 
was built into the Responsible Care Security Code in 2004. 
Implementation of the Responsible Care Security Code is mandatory for 
all members of the American Chemistry Council and has also been adopted 
by the Synthetic Organic Chemical Manufacturers Association.
    Our sector continues to work closely with the Department of 
Homeland Security, standards bodies such as the National Institute of 
Standards and Technology (NIST) and industry organizations such as 
Instrumentation Systems and Automation (ISA) to share the latest best 
practices and to develop new standards to defend against cyber attacks.
    Today, I would like to discuss the role of information technology 
in our sector, describe the cyber security threats we face and 
highlight what is being done to address these threats. I will also 
suggest areas where the government can help.
    Let me begin by outlining the importance of our sector to our 
nation's economic well-being and security--enabling 25 percent of our 
nation's GDP. With $109 billion dollars in exports, the chemical 
industry is the largest exporter in the U.S. economy. We employ one 
million Americans and are one of the largest private industry investors 
in research and development. Our industry makes modern life possible, 
from plastics to pharmaceuticals, from cars to clothing. Our products 
help keep the water we drink safe, increase productivity of 
agriculture, and enable medical innovations that prevent and treat 
disease. Our industry is also essential to homeland defense and the war 
on terror--making products that go into bullet-resistant vests, night 
vision goggles and stealth aircraft.
    Our industry's safety culture and history of cooperative voluntary 
initiatives, partnerships with local, State and Federal Government 
agencies, and strong support for research and development, position us 
well to address new security challenges. For example, the industry 
joined forces to develop the American Chemistry Council's Responsible 
Care Security Code--building upon long-standing industry safety and 
emergency response programs.
    All aspects of security are integrated into the Security Code 
including physical plant security, transportation security, as well as 
cyber security. Implementation of the Responsible Care Security Code is 
mandatory for all American Chemistry Council members leading to over $2 
billion in investments to improve security and preparedness across our 
industry.
    Cyber security has been on our radar screen long before the tragic 
events of 9/11. At Dow, for example, we have had policies and practices 
in place for securing our information assets for many years. These 
cover the use of the Internet, integration of systems, and automation 
of manufacturing control. The emergence of a significant terrorist 
threat with the events of 9/11 added urgency and focus to our efforts. 
It was this event that prompted the establishment of the Chemical 
Sector Cyber Security program.
    It's in our national interest to have a competitive chemical 
industry, and information technology is key in maintaining that 
competitiveness. At Dow, information technology is fully integrated 
into all aspects of our business--research and development, 
manufacturing, accounting, logistics and sales to name just a few. We 
also use information technology to interact with government agencies 
and to report our regulatory compliance. Advanced technology is also 
being leveraged to secure our facilities and the distribution of our 
products. We rely on automation and integration of our processes to 
drive productivity, quality, and safety.
    At Dow, approximately 15 percent of our orders are via the 
Internet, and nearly all of our customers use the Internet to learn 
about our products, track orders, and get technical support. The 
Internet is also a valuable communications tool--essential to public 
safety and emergency response. For example, in the aftermath of Katrina 
when all phone service was disrupted, Dow was able to use Internet 
based phones to communicate with our facilities in the region.
    In 2004, chemical company executives conducted an industry-level 
vulnerability assessment to determine the potential impact of cyber 
security threats. We concluded that, unlike an attack on other critical 
infrastructures, a cyber security breach would not cause cascading 
impact across the chemical industry.
    We believe the higher concern for our industry is the potential of 
a combined physical and cyber attack or the criminal use of illegally 
obtained information.
    There are three specific areas of concern for the chemical 
industry:

        1.  Using information on shipments, product inventory, or sites 
        to construct a physical attack. That's why Dow has set in place 
        policies, practices and technologies to protect the linkage of 
        critical plant systems with corporate networks.

        2.  Using false identity to acquire chemicals for improper use. 
        Our company counters this threat by pre-identifying and 
        verifying our customers before electronic orders.

        3.  Gaining inappropriate access to systems to cause isolated 
        disruptions. At Dow, operating practices and authentication 
        technology is continuously being upgraded to restrict what 
        people can do based on roles and clearances.

    For obvious reasons, I cannot get into all we do to protect 
ourselves, but here are some additional steps that Dow has taken to 
combat these threats.
    Addressing people, process and technology, we have:

          Developed a company-wide cyber security management 
        plan that includes incident management and business continuity.

          Completed a comprehensive cyber security risk 
        analysis based on the ISO information security standard, ISO/
        IEC 17799.

          Used the U.S. Government Sandia National Labs 
        methodology for assessing vulnerability of our sites and 
        manufacturing facilities--including a review of physical, 
        process, and cyber vulnerabilities.

    We continue to test and upgrade our plans in all areas of security.
    Although much has been done within the chemical sector, we cannot 
address cyber security threats alone. Security of the Nation's 
telecommunications and Internet infrastructure is beyond any one 
sector's control. Protecting the Nation's critical communication and 
information infrastructure from a significant attack, whether physical, 
cyber, or combined, is of the utmost importance.
    So, what role should the government play? While there are many 
issues impacting secure computing today such as random hacking and the 
e-mail virus of the day, the Department of Homeland Security must 
contend with the real threat of attacks by people, organizations or 
nations--intent on causing significant disruption to our economy and 
way of life. Targeted attacks that could have a major economic or 
social impact must be the priority as well as protecting our 
communications capability in the event of a national emergency.
    Department of Homeland Security resources and research and 
development efforts should be dedicated to addressing these `big 
picture' threats to benefit all sectors and improve our national 
security. Threat monitoring and modeling, better methods for 
authenticating identity, and information protection should be research 
priorities. Efforts should include understanding how to prevent 
attacks, what resources and tools are needed to defend against attacks, 
and what it would take to reconstitute our information technology 
infrastructure in the event of a catastrophic failure.
    We are encouraged by the Department's work with the public and 
private sectors to reduce vulnerabilities and minimize the severity of 
cyber attacks. But, more needs to be done around the sharing and 
protection of relevant information across all critical sectors and 
government. Finally, government crisis management and disaster recovery 
plans must include industry participation. As witnessed in the 
aftermath of Katrina--coordinated emergency response, ongoing 
monitoring, and managed recovery efforts with government and industry 
are critical.
    We believe continued and expanded cooperation between our critical 
sector, the Department of Homeland Security and other government 
agencies as well as information technology providers is vital to reduce 
vulnerabilities and enhance preparedness.
    Any efforts to improve cyber security must:

          Start and end with the commitment to be a risk-based, 
        outcome-focused program. DHS must focus on the real threat of 
        criminal attacks by people, organizations or nations.

          Recognize that cyber security is an integral part of 
        overall security, and build upon the work to date of the 
        chemical sector security programs such as the Responsible Care 
        Security Code and the Chemical Sector Cyber Security Program.

          Recognize the high degree of integration of the 
        chemical sector with other critical infrastructure sectors, as 
        well as the importance of our industry to our homeland defense 
        and economic security.

    In closing, we are committed to ensuring the security of our 
company and to taking a leadership role in improving overall security 
across our industry. Information sharing and continued cooperation 
between our sector and the Department of Homeland Security is critical. 
Above all else, efforts must be focused on those threats of greatest 
impact and concern to our national security, while addressing the 
unique needs of each sector.
    Thank you and I'd be happy to answer any questions.

                     Biography for David E. Kepler

    D.E. (Dave) Kepler is Corporate Vice President of Shared Services 
and Chief Information Officer (CIO) of The Dow Chemical Company. In 
this capacity, Kepler has global responsibility for Customer Service, 
Information Systems, Purchasing, Six Sigma, Supply Chain and Work 
Process Improvement. He is also a member of the Office of the Chief 
Executive (OCE).
    Kepler joined Dow in 1975 in the Western Division Computer and 
Process Systems group. After progressive Commercial and Information 
Systems roles throughout the United States, Canada and the Pacific, he 
was named Director of Chemicals and Plastics Information Systems in 
1993. In 1995, Kepler assumed additional responsibility as Director of 
Global Information Systems Applications. He was appointed Vice 
President and CIO in February 1998, and in 2000, assumed the role of 
Corporate Vice President of eBusiness. In 2002, Kepler undertook 
commercial responsibility for the Advanced Electronic Materials 
business and further expanded his role the following year, adding 
responsibility for Global Purchasing and Supply Chain. Kepler assumed 
his most recent role in January 2004.
    Kepler serves on the Board of Directors of the U.S. Chamber of 
Commerce. He is a member of the American Chemical Society and the 
American Institute of Chemical Engineers. In addition, he leads the 
Executive Committee of the Chemical Sector Cyber Security Program. 
Locally, Kepler serves on the Board of Directors for the Midland 
Community Cancer Services and Alden B. Dow Museum of Science and Art. 
He was the 2004 United Way of Midland County Campaign Chair.
    Kepler received a Bachelor's degree in chemical engineering from 
the University of California at Berkeley.



    Chairman Boehlert. Thank you very much, Mr. Kepler.
    Mr. Freese.

   STATEMENT OF MR. GERALD S. FREESE, DIRECTOR OF ENTERPRISE 
         INFORMATION SECURITY, AMERICAN ELECTRIC POWER

    Mr. Freese. Mr. Chairman and distinguished Members of this 
committee, thank you for the opportunity to appear before you 
today.
    My name is Gerry Freese, Director of Enterprise Information 
Security at American Electric Power. I am also here 
representing the North American Electrical Reliability Council 
in Princeton, New Jersey.
    AEP is the largest provider of electricity in the country 
with over five million customers in 11 states, and I am 
responsible for information security for all corporate and 
operational systems and networks, including those used in the 
operation of the bulk power system.
    Before I address the three questions posed to the 
presenters, I would like to preface my remarks.
    In the aftermath of Hurricane Katrina, we have seen the 
suffering and the unprecedented devastation in Louisiana and 
Mississippi. We have seen the confusion and chaos when 
essential services were no longer functioning. We have seen how 
critical infrastructure can be destabilized and destroyed when 
links are broken in its complex chain of multiple 
interdependencies. Whether the cause is a natural disaster or a 
terrorist attack, the impact on people and the economy is 
horrendous.
    Critical infrastructure industries, by virtue of their 
interdependencies, have a responsibility to work across all 
sectors, and this includes the Federal Government, to mitigate 
risk, ensure service continuity and an expeditious recovery in 
the event of a natural or manmade disaster.
    This hearing is timely in its intent to explore means to 
expand the cooperation and collaboration between the private 
and public critical infrastructure sectors.
    Now for responses to the three questions.
    For the first question, the electricity sector has, in many 
cases, developed its own telecommunications network for 
conducting electricity operations, but it is steadily becoming 
more reliant on public networks. The electric sector uses these 
public networks for many functions with the net result that its 
interfaces with the telecommunications sector have become more 
numerous and complex. Both sectors are working together to 
better understand their levels of operational integration and 
in ways the vulnerability in either of these sectors impacts 
the other.
    Because of these complex and critical interdependencies, it 
is fairly clear that serious damage or disruption of 
telecommunications could seriously undermine the operation and 
reliability of the electricity infrastructure. Accordingly, the 
electric sector has taken some decisive steps to secure the 
cyber and physical resources and will continue to invest in 
comprehensive and effective security measures. We have interim 
cyber security standards in place right now and are working 
diligently to move through the approval process for a 
permanent, more expansive critical infrastructure protection 
standard.
    The final product will strengthen cyber security across the 
electric sector and lay the groundwork for greater 
collaboration between industry and government.
    In response to the second question, the electric industry 
views government entities, such as DHS and DOE, as partners in 
sector cyber security. In fact, we have worked extensively with 
DHS, DOE representatives, the National Labs, and others to try 
and identify areas of focus for good security and determine 
means to carry out what we all see as primary responsibilities 
for national security.
    We believe the office of the Assistant Secretary for Cyber 
Security and Telecommunications should focus on several 
specific areas covering private and public sector cooperation. 
These areas center on greater awareness of critical 
infrastructure interdependencies, information sharing between 
government and the private sector, and true, non-prescriptive 
partnerships. I would be happy to elaborate on those three 
points in the question-and-answer period, if it is possible.
    As to the third question regarding possible research and 
development opportunities, the electric sector is interested in 
continuing to work closely with DOE on the work being done at 
the Idaho National Lab. We believe it holds great promise as 
one of the best and most efficient means of stimulating 
research and developing technical solutions to the present 
cyber security problems. DOE and DHS have provided leadership 
and support on this initiative, and the electricity industry is 
committed to its success.
    Regarding inadequacies of the electric sector security 
solution, the present electric infrastructure has been built 
over many years and various types of process control systems 
produced by a diverse set of vendors. These legacy systems are 
a large part of the reason that new technology security 
solutions cannot be more widely deployed across the industry.
    The long-term solution to this is to begin a process of 
rebuilding the old infrastructure with the ultimate goal of 
replacing it with next-generation equipment and technology. The 
new infrastructure would be based on greater levels of security 
and reliability with enhanced design recognition of the 
interdependencies between the electric and telecommunications 
sectors.
    Work is already underway in this area. The 
Telecommunications and Electric Power Interdependencies Task 
Force is exploring the next generation of public networks and 
how the electricity sector will be able to use these networks 
of the future through the employment of more sophisticated 
encryption technology and other security measures.
    Cyber security is evolving rapidly, and all of us working 
in the discipline are tirelessly seeking more effective 
solutions for protecting our critical assets and systems. We 
appreciate your interest in this topic and welcome your 
assistance in helping us to ensure our critical infrastructures 
are protected, secure, and reliable.
    Thank you for your attention.
    [The prepared statement of Mr. Freese follows:]

                 Prepared Statement of Gerald S. Freese

    Mr. Chairman and distinguished Members of this committee, thank you 
for the opportunity to appear before you today. My name is Gerry 
Freese. I am the Director of Enterprise Information Security for the 
American Electric Power Company in Columbus, Ohio. AEP is the largest 
supplier of electricity in the country, with over five million 
customers in 11 states. I am responsible for information security for 
all of AEP's corporate and operational systems and networks, including 
those used for the operation of the bulk electric system.
    My reason for being here today is to talk about the cyber security 
needs and activities of the entire electricity sector, one of North 
America's most critical infrastructures. During my career, I have 
worked with numerous industry-wide committees addressing the growing 
need for increased security for information and cyber systems. This 
need is underscored by the sheer expanse and diversity of the 
electricity sector, which is made up of large and small entities, 
publicly, privately, and government owned and operated. Through 
industry groups and as individual companies, we have always placed 
great emphasis and the highest priority on the need to protect our 
information systems and effectively secure the data residing on them.
    Before I address the three questions posed to the presenters by the 
Committee, I want to make two points.
    First, our industry has long-term and positive working 
relationships with federal agencies, including the Department of 
Homeland Security (DHS) and the Department of Energy (DOE). We value 
these relationships and want to work collaboratively to improve them 
even further. The recent recognition from DOE and DHS of the 
Electricity Sector Coordinating Council (ESCC) is a positive step. We 
firmly believe the relationships between federal agencies and the 
industry are working well because both the electricity sector and the 
federal agencies recognize the value in jointly addressing issues. Both 
the industry and government recognize the difficulties posed by 
prescriptive mandates and overly rigid rules and regulations that 
stifle creative solutions to problems.
    Second, our industry continues to have concerns about the security 
of information after it is provided to the government. The electric 
infrastructure is one of the most critical infrastructures servicing 
the Nation and allowing us to maintain our way of life. Certain 
technical, architectural and operational aspects and details must be 
kept secure so they will not be inadvertently disclosed to those who 
would try to disrupt or destroy our social, political or economic 
fabric. We believe the Critical Infrastructure Information (CII) 
approach meets most of the needs for critical information protection 
but have been frustrated by an evident lack of progress in fully 
implementing this important safeguard.
    I will now respond to the three questions posed by the committee. 
In response to the first question, the electricity sector has, in many 
cases, built its own telecommunications networks but is steadily 
becoming more reliant on public networks as well. The electricity 
sector uses the public networks for many functions including customer 
service and information exchange via the Internet. It also uses the 
Internet and the public networks for a limited amount of telemonitoring 
of the electrical system, although this varies by individual electric 
company. The interdependencies between the telecommunications sector 
and the electricity sector are numerous and complex. Because of these 
complex and critical interdependencies, serious damage or disruption of 
the telecommunications infrastructure would seriously undermine the 
operation and operability of the electricity infrastructure. Both 
sectors are working together to better understand their criticality and 
the ways that vulnerabilities in either of these sectors impacts the 
other.
    Securing the extensive, distributed and critical electric power 
infrastructure is a huge responsibility that the electricity industry 
takes very seriously. We have already taken decisive steps to secure 
our cyber and physical resources and will continue to invest in 
comprehensive and effective security measures. We have interim cyber 
security standards in place and are working diligently to move through 
the approval process a permanent, more expansive Critical 
Infrastructure Protection (CIP) standard. The permanent standard will 
strengthen cyber security across the electricity sector and lay the 
groundwork for greater collaboration between the industry and 
government.
    In response to the second question, DHS can assist the electricity 
sector in cyber security by continuing its support of security 
activities like Carnegie Mellon's Computer Emergency Readiness team. 
DHS also has been very supportive of other information sharing 
activities, which adds value to our industry's security initiatives. 
Another more recent example is the Process Control Security Forum. This 
group is made up of several key industry sectors that use process 
control systems and includes government representatives, academics, and 
vendors. The forum is working to develop design guidelines for the next 
generation of more secure control systems and is looking at what can be 
done to improve existing systems. As the forum continues to make 
progress, the possibility of seed money from DHS should be considered 
to stimulate the implementation of the ideas and concepts developed.
    Another way that DHS can assist the electricity sector is by 
helping coordinate research initiatives taking place in cyber security. 
Many of the most prestigious institutions in America are engaged in 
research and development in this area. The missing element that hinders 
real progress is an overall coordination plan to avoid competition for 
funding and duplication of effort. The coordination should extend 
beyond the borders of the United States because a number of other 
countries such as Australia, Canada, Great Britain, and Japan have also 
made cyber security a top priority.
    The third question focused on current inadequacies in security and 
possible research and development opportunities. The electricity 
industry is interested in continuing to work closely with DOE on the 
work being done at the Idaho National Laboratory. We believe it holds 
great promise as one of the best and most efficient means of 
stimulating research and developing technical solutions to the present 
shortfalls in cyber security. DOE and DHS have provided leadership and 
support on this initiative and the electricity industry is committed to 
its success. Again, DHS should coordinate this work with other projects 
in this topic, both domestically and internationally.
    The present electric infrastructure has been built over many years 
with various types of process control systems produced by a large 
number of vendors. The long-term solution to present inadequacies is to 
build out the old infrastructure with the next generation of 
technologies and equipment. The new infrastructure will be based on 
greater levels of security and reliability, enhanced design, and 
recognition of the interdependencies between the electricity sector and 
the communications sector. Very interesting work is already taking 
place in this area. The Telecommunications and Electric Power 
Interdependencies Task Force is exploring the next generation of public 
networks and how the electricity sector will be able to use these 
networks of the future through the employment of more sophisticated 
encryption and other security measures.
    The cyber security arena is evolving rapidly and all of us working 
in the field find it to be an exciting and stimulating professional 
challenge. Operational and security technologies are changing quickly. 
We appreciate your interest in the topic and welcome your assistance in 
helping us to ensure that our critical infrastructures are protected 
and secure well in the future. Thank you for your attention.

                     Biography for Gerald S. Freese

    Gerald Freese is the Managing Director of Enterprise Information 
Security at American Electric Power. He is responsible for defining, 
developing and executing all information security programs to 
effectively protect AEP data and systems, including critical digital 
control systems. He is responsible for regulatory compliance and 
critical infrastructure protection for cyber security, and has been 
instrumental in the development of cyber security standards for the 
energy industry. Gerald Freese is a recognized security and 
infrastructure protection expert who brings a powerful combination of 
leadership, domain experience, technological vision and strategy 
development to American Electric Power. He is the company's primary 
data security architect, and a strong proponent of industry and 
government partnerships for critical infrastructure protection.
    Prior to accepting a position at American Electric Power, Mr. 
Freese was the Director of Security Intelligence at Vigilinx, Inc., 
where he developed an early warning and data analysis process to 
identify computer-based threats and attack profiles. He has authored in 
depth analytical papers on cyber-activities relative to geopolitical 
threat environments and has testified before congress on critical 
infrastructure interdependencies and control system security. Mr. 
Freese is a retired naval Cryptologic Officer with extensive experience 
in computer security and information warfare. He has held other 
leadership positions in the information technology industry with Perot 
Systems and General Dynamics Advanced Information Systems.
    Mr. Freese is a Certified Information Systems Security Professional 
(CISSP). He holds a Bachelor's degree from State University of New York 
(Albany), and a Master's degree in Information and Telecommunications 
Systems from Johns Hopkins University in Baltimore, Maryland.




    Chairman Boehlert. Thank you very much.
    Mr. Geisse. After that wonderful introduction by Mr. Akin, 
I want to make sure we hear you.

 STATEMENT OF MR. ANDREW M. GEISSE, CHIEF INFORMATION OFFICER, 
                       SBC SERVICES, INC.

    Mr. Geisse. It doesn't go against my five minutes, does it?
    Okay. Thank you, Chairman Boehlert, Ranking Member Gordon, 
other Members of the Committee. And I would like to thank 
Congressmen Akin and Sessions for that unexpected and kind 
introduction.
    I am pleased to represent SBC Communications on this panel 
focused on cyber security within critical industries.
    SBC has a long history of providing reliable communication 
services. We provide voice and data communication services as a 
local exchange carrier in 13 states. We also provide services 
nationally as a long distance provider, data services provider, 
and Internet services. We have a national wireless presence 
with BellSouth in Cingular Wireless, and we recognize the 
importance of our nation's critical communications 
infrastructure and the role that it plays for the security of 
the United States and its citizens. Integrity and reliability 
of our networks have been cornerstones of the communications 
industry.
    At SBC, we implement both physical and cyber security 
measures that protect both our customer-serving networks as 
well as our internal information systems networks. Physical 
security measures include things like guard services, card key 
IDs, visible badge policies, video monitoring, and in special 
cases, biometric type security.
    Information security, though, begins with the employee, and 
it begins as being part of our code of business conduct that 
every employee has to read and sign off on each year. We 
segment our internal network connections from our external 
network connections using various security technologies to 
ensure the integrity of our networks. We keep our internal core 
business network separate from the general employee network, 
and we use virus protection software, of course, on all of our 
PCs as well as our e-mail servers.
    Proactive vulnerability scanning is a key part of our 
strategy, and it is something that we do on a daily basis. SBC 
maintains close ties to government agencies responsible for 
national security. We work closely with them on a daily basis 
to receive and share security-related information. Examples are 
the National Security Telecommunications Advisory Council, the 
National Coordinating Center Telecom Information Sharing and 
Analysis Center, Infragard, and the National Security 
Information Exchange.
    Continued government focus on security standards and 
collaborative support organizations is seen positively by SBC; 
providing research assistance, grants, and funds to focus the 
information technology industry to work towards security 
standards and best practices is absolutely necessary. It is 
important that the government provides to the critical 
industries that are part of our infrastructure the best 
practices that they learn from their own cyber security 
agencies.
    Society in the 21st century is rapidly changing with 
increasing reliance on information technologies. Users expect 
that they be mobile and that they have access to the Internet 
and e-mail wherever they are. Providing secure services in the 
environment becomes increasingly important and challenging. 
Federal programs could help educate and assist consumers to 
understand their roles and responsibilities in a connected 
world.
    As recognized by the Department of Homeland Security, the 
Nation is dependent on the critical infrastructure of 
communications, banking and finance, power, food, health, 
information technology, and others. A disruption to any 
component of those affects the whole infrastructure. Securing 
against disruptions of any component is a best interest of all 
of us.
    The communication industry is also increasingly dependent 
on application and information technology vendors to ensure the 
products they provide are of the highest quality and integrity. 
Software and hardware that does not meet industry standards or 
best practices require additional efforts and expense to meet 
its expected function. Vendors that provide software or 
hardware with security vulnerabilities that must be continually 
monitored, reviewed, patched drain on a company's resources and 
a liability to companies that must ensure the integrity of 
their own systems, data, and services.
    As a result, cyber security must become a priority in the 
creation of new information technologies. To date, security 
components are often an afterthought. I mean, you can look at 
cellular and Wi-fi when they first came out in the ability to 
intercept calls, clone phones, and data snooping where they 
could occur.
    Internet protocol-based services wrestle constantly with 
the need to traverse the same network paths where unscrupulous 
persons may have the ability to interfere, impede, or intrude 
on the service itself. IP-based services must find new ways to 
protect the content of each packet that is carried and 
delivered in the shared Internet world. SBC is committed to 
work with the information industry to help build the next 
generation of Internet-based voice and video and data services 
securely.
    Mr. Chairman and Members of the Committee, your assistance 
to focus industry attention on cyber security is greatly 
appreciated. We encourage the Department of Homeland Security 
to continue to support research grants and assistance that 
focus on national cyber security, to support industry 
organizations and government agencies that create security 
standards and best practices, to continue to provide early 
warnings of security events through various government 
agencies, and to make sure that the government-identified 
security best practices are shared with our private, critical 
infrastructure industries.
    I would like to add that you make sure that our laws carry 
serious penalties for cyber security issues and that the 
instigators are prosecuted to the full extent of the law. It 
must become a major crime. It is no longer just kids playing 
with computers. It is a real threat and the attacks are 
serious.
    Thank you for the opportunity to appear here today. The 
work you are doing is critical to our future as a nation. Cyber 
terrorism is a real threat, and we must stay diligent.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Geisse follows:]

                 Prepared Statement of Andrew M. Geisse

    Thank you, Chairman Boehlert, Ranking Member Gordon and Members of 
the Committee.
    I am pleased to represent SBC Communications on this panel focused 
on cyber security within our nation's critical industries.
    SBC has a long history of providing reliable communication 
services. SBC provides voice and data communications services as a 
local exchange carrier within thirteen states and nationally with long 
distance, data and Internet services. We also have a national wireless 
presence in Cingular Wireless in a partnership with BellSouth. We 
recognize the importance of our nation's critical communication 
infrastructure and the role it plays for the protection of the United 
States and its citizens. Integrity and reliability of our networks have 
been historic cornerstones of the communications industry.
    As society becomes more and more dependent on information 
technology, cyber security must be a priority to protect the services 
provided by those same resources.

How does the communications sector depend on public and private 
information systems?

    SBC well understands the strong connection between communications 
security and information technology, or what is commonly referred to as 
cyber security.
    Behind the networks that move voice and data, are many 
applications, private networks, and computing resources. These 
resources support the operations, administration, maintenance, and 
provisioning services of our telecommunications infrastructure. These 
information systems and networks provide SBC and other carriers the 
ability to manage this complex industry supporting the dial tone and 
Internet connections that we have all come to expect as a part of our 
daily lives. Securing these cyber resources to ensure the integrity and 
availability of communications networks is a role that SBC takes 
seriously, as part of its corporate culture.
    SBC uses many vendor products within its information technology 
infrastructure. In that regard, SBC is dependent on vendor product 
development in the private sector and delivery of private sector 
services and materials to support the information technology services 
of the infrastructure. In this manner, SBC relies on vendors to 
incorporate cyber security best practices, standard interfaces, and 
administrative tools within their products. SBC is also reliant on 
vendors to ensure their software products can be patched easily to 
prevent existence of long-term vulnerabilities.
    In support of the private sector, SBC provides managed security 
services as a product offering. These types of services include: risk 
reviews and analysis, firewall installation and monitoring, and 
firewall and intrusion prevention/detection reseller for other vendor 
products.
    For the consumer space, SBC's Internet Services organization 
through our relationship with Yahoo! provides security tools to our 
Internet Services customers as part of their Internet experience. In 
this manner, SBC supports cyber security to the consumer so they can 
better protect their home information technologies, which in turn 
provides less problems to the shared Internet space.
    Other areas where SBC has focused on consumer cyber security is as 
a founding member of the Internet NOC Hotline, which connects key U.S. 
and International ISPs. SBC is also a founding member of the Global 
Infrastructure Alliance for Internet Security.
    An area where SBC would recommend government focus is on the 
education of the consumers regarding cyber security matters. End users 
must recognize they are part of the interconnected world. When end-
users do not understand how virus and worm propagation can impact their 
home PCs, the result is a negative effect at the Internet level. This 
impact is caused through a variety of malicious activities, including, 
SPAM e-mails and bot-networks. Educational awareness programs should 
advise users on anti-virus protection and identity theft protection.

What steps is SBC taking to secure its systems?

    At SBC, we implement physical and cyber security measures that 
protect both our customer-serving network facilities and our internal 
information services. Physical security measures include guard 
services, card key technologies, visible badge policies, video 
monitoring, and, in special cases, bio-metric technologies.
    Information security begins with a cyber security policy that is 
part of our Corporate Code of Business Conduct. We segment our internal 
network connections from external networks using various security 
technologies to ensure the integrity of our network. We keep our 
internal core business networks separate from the general employee 
network. Virus protection software is deployed as standard on desktops 
and e-mail servers. Pro-active vulnerability scanning is performed 
constantly to identify potential areas of risk.
    SBC maintains close ties to government agencies responsible for 
national security. We work closely with them on a daily basis to 
receive and share security related information. Examples are the 
National Security Telecommunications Advisory Council (NSTAC), National 
Coordinating Center Telecom Information Sharing and Analysis Center 
(NCC Telecom ISAC), Infragard, and the National Security Information 
Exchange (NSIE).
    Internally, SBC has several organizations dedicated to the security 
of our assets. Organizations such as our National Security/Emergency 
Preparedness organization, our Asset Protection organization, and our 
Corporate Information Security organization, work to protect our 
customers information and services, our employees, and our internal 
networks and data on a daily basis.
    Our SBC Labs business unit works closely with technology vendors, 
academic communities, and government standards organizations, to 
partner and share information on new technologies. Cyber security 
standards are always a priority in future service and technology 
development and a focus of our internal auditing organization as well 
as external security audits.
    Continued Government focus on security standards and collaborative 
support organizations is seen positively by SBC. Providing research 
assistance, grants, and funds to focus the information technology 
industry to work towards security standards and best practices is 
necessary. It is important that the Government provides to the critical 
infrastructure industries the learnings and best practices that its 
cyber security agencies learn.
    Legislation should not always be necessary to bring industry 
attention to technical priorities. However, providing research 
assistance, grants, and funds to focus the information technology 
industry to work towards security standards and best practices is 
necessary.

What are the possible consequences for the communication sector of 
disruption or attack on information systems?

    Society in the 21st century is rapidly changing with increasing 
reliance on information technologies. Users' expectations are that they 
be mobile and have instant access to the Internet and their e-mail. 
Providing secure services in this environment becomes increasingly 
important and challenging. Federal programs could help educate and 
assist consumers to understand their roles and responsibilities in a 
connected world.
    To illustrate: Consider how often people stop for gas and use a 
payment card at the pumps for convenience. The payment card 
transactions must be carried efficiently, reliably, and securely across 
communications networks. This is to ensure the gas vendor, the payment 
card vendor, and the customer are all satisfied that the transaction 
occurred to everyone's expectation.
    The networks, the applications, and the information systems that 
are necessary to complete transactions of this nature are part of our 
society on a daily basis. Cyber security is necessary to ensure the 
integrity of those transactions. Disruptions within the communications 
sector can impact these, and other, daily activities.
    Consider the impact of disrupted or unreliable communications to 
everyday needs, including how patients obtain collaborative health care 
between multiple providers and locations. Communications plays ever 
increasing importance to health industries, emergency first responders, 
911 services, law enforcement, banking, power, and other parts of our 
society that serve critical functions.
    With the growing use of wireless technologies, we must recognize 
that those wireless systems still rely on an underlying physical 
transport, use of back-end systems and applications that may 
interconnect with other carriers. As we have recently witnessed in New 
Orleans and the Gulf Coast, if the supporting infrastructure is 
disrupted, communication fails. A cyber disruption could cause similar 
impacts as a physical disruption.
    While we recognize that other critical infrastructure industries 
are reliant on the communications industry to provide the network and 
communication services, we also recognize that we, as an industry, are 
reliant on those other industries. We require industries such as 
electricity and gas, banking and finance, health, and government, to 
also function securely and without disruption to ensure the integrity 
of our communications infrastructure.
    As recognized by the Department of Homeland Security, the Nation is 
dependent on the critical infrastructure of communications, banking and 
finance, power, food, health, information technology and others. A 
disruption to any component affects the whole infrastructure. Securing 
against disruptions to any component is in the best interest of all.

In what areas are current cyber security technical solutions for the 
communications sector inadequate? Where is further research needed to 
mitigate existing and emerging threats and vulnerabilities?

    The communications industry is also increasingly dependent on 
application and information technology vendors to ensure the products 
they provide are of the highest quality and integrity. Software and 
hardware that does not meet industry security best practices and 
standards require additional efforts and expense to meet its expected 
function. Vendors that provide software or hardware with security 
vulnerabilities that must constantly be monitored, reviewed, and 
patched, are a drain on a company's resources and a liability to 
companies that must ensure the integrity of their systems, data, and 
services.
    SBC works diligently with software vendors that provide the 
foundation of the information technology infrastructure to ensure 
necessary software security patches are installed to protect our 
complex environment. Continued focus from the Federal Government on 
industry standards for secure information technology products is 
appreciated and desired. This will help to ensure that better security 
and quality is an objective of the software, network and computer 
hardware industries.
    NIST (National Institute of Standards and Technology) is one 
example of a collaborative organization that has been helpful in 
promoting information security requirements through its various 
research and standards efforts. We, as a business, look to leverage 
those standards as potential baselines in our efforts and are glad to 
see vendors meet such useful guidelines.

How should federal agencies, such as DHS, the National Science 
Foundation, the National Institute of Standards and Technology, and the 
Defense Advanced Research Projects Agency, and the academic researchers 
work with industry to define priorities for and support research in 
these areas?

    Cyber security must become a priority in the creation of new 
information technologies. To date, security components for information 
technologies often appeared to be an afterthought. Examples of this can 
be seen in early versions of cellular and Wi-Fi technologies, where 
calls could be intercepted, cell phones cloned, and data snooping could 
occur.
    Internet Protocol (IP) based services wrestle constantly with the 
need to traverse the same network paths where unscrupulous persons may 
have the ability to interfere, impede, or intrude on the service 
itself. IP based services must find new ways to protect the content of 
each packet that is carried and delivered in this shared Internet 
world.
    We have all seen that virus and worm attacks have risen over the 
past several years. Research focus on how to prevent the distribution 
of malicious content through virus, worms, and e-mail should be a high 
priority for all industries that use the Internet for communications 
and business. The ability to detect and remove unwanted data content 
and attacks as it progresses through the network is more desirable than 
expecting each end device to have the same ability to protect itself 
from its neighbors on the networks.
    Admittedly, security requirements interfere with convenience of the 
product or service offered. However, we need cyber security and 
software development standards that insist new technologies embrace 
security as part of their evolution and development. In this way, 
society as a whole benefits through improved assurance of integrity, 
reliability, service, and subsequent reduced resource costs to support 
those services.
    SBC is committed to work with the information industry to build the 
next generation of Internet-based voice, video and data communications, 
securely.

What are the most critical responsibilities of the Department of 
Homeland Security (DHS) in cyber security for the communications sector 
and what are the most urgent steps the new Assistant Secretary for 
Cyber Security and Telecommunications should take?

    Mr. Chairman and Members of the Committee, your assistance to focus 
industry attention on cyber security is greatly appreciated. We 
encourage the Department of Homeland Security to continue:

          to support research grants and assistance that focus 
        on National cyber security,

          to support industry organizations and government 
        agencies that create security standards and best practices,

          to continue to provide early warnings of security 
        events, through various government agencies,

          and to make sure the security best practices that 
        various critical government agencies develop are shared with 
        our critical infrastructure industries.

    I would like to add that you should make sure our laws carry 
serious penalties for cyber security issues and that the instigators 
are prosecuted to the full extent of the law. It must become a major 
crime. It is no longer just kids playing with computers. The attacks 
are serious.
    Thank you for the opportunity to appear before you today. The work 
you are doing is critical to our future as a nation. Cyber terrorism is 
a real threat and we must stay diligent.

                     Biography for Andrew M. Geisse

    Andy Geisse, Chief Information Officer, is responsible for 
Information Technology, Payroll and Billing Operations for SBC 
Communications, Inc. and its subsidiaries. He was appointed to this 
position in October 2004 and is located in San Antonio, Texas.
    Andy began his telecommunications career in 1979 with Southwestern 
Bell Telephone Company as Assistant Manager for the comptrollers 
department. He then held a variety of information technology, sales, 
and strategic marketing positions for Southwestern Bell and SBC 
Communications Inc. Andy served as Executive Director, Wireless Product 
Development for Southwestern Bell Mobile Systems and Vice President and 
General Manager for Southwestern Bell Mobile Systems' Oklahoma and West 
Texas regions.
    In 1995, he moved to Santiago, Chile, and served as Vice President 
and Chief Executive Officer of VTR Cellular. He later became President 
of the Board of STARTEL Communications, the first nationwide cellular 
company in Chile. SBC had interests in both companies.
    In January 1998, Andy moved to New York, as President and General 
Manager of SBC's Cellular One upstate New York subsidiary. Later that 
year, he became Vice President Enterprise and OSS Systems for SBC and 
its subsidiaries, located in San Ramon, California. In October 1999 
Andy was appointed Senior Vice President, Enterprise Software 
Solutions, responsible for corporate-wide software solutions.
    Andy grew up in Minneapolis, Minnesota, and St. Louis, Missouri. He 
earned a Bachelor's degree in Economics and Mathematics from the 
University of Missouri-Columbia and a M.B.A. from Washington University 
in St. Louis. He and his wife, Jane, have four children.



                               Discussion

    Chairman Boehlert. Thank you very much, and thank all of 
you.
    You know, one of the dangers of a hearing dealing with a 
sensitive subject like this is that we provide fire for tabloid 
trash. And I darn sure don't want to go to my supermarket 
checkout counter next week, and I do the grocery shopping 
incidentally, and read a headline that says, you know, 
``Science Committee Warns Cyber Katrina Imminent.''
    Now having said that, and taking that risk, using DHS's own 
color-coding system, I would say the threat is, at a minimum, 
at best, yellow, and perhaps even orange.
    My question to all of you is do you think collectively, 
one, the private sector gets it and understands the full 
dimensions and implications, and two, the government 
understands the full dimensions and potential implications?
    Let me ask each of you. Mr. Geisse?
    Mr. Geisse. Yes, Chairman Boehlert.
    I believe the private sector understands it is critical, 
and I also do believe the government does as well.
    But I think it is sometimes an afterthought in the sense 
that it is more of a technology issue and it is not only a 
technology issue. It is truly a part of our critical 
infrastructure and something that we have to be focused on as a 
country.
    Chairman Boehlert. Mr. Freese.
    Mr. Freese. I think both the government and the private 
sector understand the issues. I see some basic fundamental 
problems, though, in addressing these issues as a combined 
force. Just as I referred to in my comments, information 
sharing with DHS has got to be extremely frustrating for them. 
They ask for information on critical infrastructure assets. We 
can't provide that, because there is no way that they can 
protect that information. It stalls the whole process.
    Chairman Boehlert. So it is very necessary for the 
government and the private sector to cooperate, but you don't 
have the confidence----
    Mr. Freese. Absolutely.
    Chairman Boehlert.--that the information you share, and 
that is very important information to determine vulnerability 
and response capability. You are concerned about providing 
that, because you are concerned about the security of sharing 
proprietary information--all right.
    Mr. Freese. That is correct, Mr. Chairman.
    And that has been going on for a couple of years now.
    Chairman Boehlert. Well, we are going to change it.
    Mr. Kepler.
    Mr. Kepler. Yes, I think industry has put the time into 
this thing and understands the risks-based approach. The 
concern I would have is that there is a lot of problems in 
cyber security and are we focused on getting the right 
solutions for the major issues so at the end you can work on 
everything and not be effective in anything. And I think we 
really have to be focused on the major, national impacts as a 
first wave of fixing things.
    Chairman Boehlert. Mr. Leggate.
    Mr. Leggate. I would say, in my experience, that most 
boards get it. Most boards who run serious companies understand 
their dependency, in this age, on this whole digital 
environment. So that, I think, is done.
    Whether small businesses understand the services that they 
need for everyday transactions, I am not sure about that.
    On the government level, I would say in the United States, 
maybe--who understand entirely departmentally the issue. Where 
the challenge comes, I think, is to put this into practical 
action in a timely way and to then set a set of priorities 
become of--almost a national plan to do things very quickly in 
a focused way, not across a whole landscape, but just nail the 
big issues. And to me, that is where the gap is.
    Chairman Boehlert. Yes. And let me ask, and one of the 
lessons learned from Katrina is diffused responsibility. 
Everybody's responsibility tends to be no one's responsibility. 
Where would you suggest the focal point should be? I am 
encouraged, as I hope you are, that the Secretary has announced 
the creation of an Assistant Secretary for Cyber Security and 
Telecommunications. Would that be the focal point? I mean, 
there is somebody that has to be sort of at the center of 
coordinating all of these activities. You can't have 14 people 
the center of coordination, because they don't coordinate 
amongst themselves.
    Where would you suggest that be?
    Mr. Leggate.
    Mr. Leggate. Well, I would separate the notion of 
coordination from accountability. So coordination is a fine 
thing to do, and done well is good. But where do we look for 
the ultimate accountability for the service level we get from 
the Internet? To whom do we look of that? And so I think big 
steps to go forward to improve coordination, but I do think at 
some level we must actually break through into accountabilities 
that isn't visible today.
    Chairman Boehlert. Mr. Kepler.
    Mr. Kepler. Yes. I think information technology is 
pervasive, so the idea that you would have a focused effort on 
cyber security, we think, is exactly correct. But to John 
Leggate's point is that when you think about emergency 
response, you think about physical securing of critical 
infrastructure. Those also have Internet impacts. So the--you 
can't separate all of these things in the Departments and have 
them link together. You have to have coordination but then 
recognition that these bodies really have to work together to 
come with--come up with common capabilities to, you know, 
defend, protect, and respond.
    Chairman Boehlert. Mr. Freese.
    Mr. Freese. I agree. I think the coordination, I think, 
should lie at that new position's role. But again, and I may 
sound like a broken record here, but if there is going to be a 
coordination point, there has to be representation, and strong 
representation, from the private sector to assist in that 
coordination, because I have seen too many times in the past, 
it looks like a good thing to do from an overall perspective, 
but it is not focused to where it really needs to be.
    Chairman Boehlert. Mr. Geisse.
    Mr. Geisse. Well, I think you brought up a good point, Mr. 
Chairman. I think we have lots of agencies focused on cyber 
security, but we don't have a single, real focal point. And 
maybe by the Department of Homeland Security setting this up, 
it should help do that.
    Chairman Boehlert. So I would take it that your reaction is 
the same as mine: the welcoming of the announcement by the 
Secretary that we are going to have a new Assistant Secretary 
for Cyber Security and Telecommunications, the sooner the 
better.
    Mr. Geisse. Yes, sir.
    Chairman Boehlert. But that is progress. We are moving in 
the right direction.
    The red light is on for me. And I have got to practice what 
I preach, so I have got to shut up and now recognize Mr. 
Gordon.
    Mr. Gordon. Thank you, Mr. Chairman.
    And because we do have that red light, in all due respect, 
I would like for you to try to be crisp in your answers. And 
let me tell you, I want to ask each of our industry sector 
representatives to tell me what they think about how vulnerable 
your sector might be to a serious, focused, cyber attack; what 
could be the consequences of that attack for your industry; and 
what role would you suggest for Homeland Security or other 
parts of the Federal Government in trying to help you develop a 
plan and also more preferably, avoid that, and then if there is 
something that happens, the recovery?
    And while you are thinking about that, let me quickly ask a 
question for Mr. Purdy.
    Mr. Purdy, I recognize you are just recently been appointed 
the Acting Director of the agency, and so all of the either 
omissions or, probably more likely, the low priority that the 
agency has placed toward cyber security over the last four 
years can't be laid at your feet. But it seems like your 
testimony mostly was a litany of things you want to do or you 
are starting to do and that, really, the only plans are really 
just a framework document. This is concurred by the General 
Accounting Office, which had a report this summer that said the 
DHS has not yet developed national cyber threat and 
vulnerability assessments or government industry contingency 
recovery plans for cyber security. And so my really simple 
question is, when do you estimate these assessments and 
recovery plans will be in place?
    Mr. Purdy. Well, attempting to comply with your request 
that we be succinct, let me say that I am proud to associate 
myself with the activity of the Department of Homeland Security 
since it was set up. I worked on the National Strategy to 
Secure Cyberspace on the White House staff and then came over 
to the Department to help set up this agency, and I have been 
Acting Director since October of last year.
    We have made tremendous progress in building our watching 
warning capability----
    Mr. Gordon. Yes, and I don't mean to be disrespectful, but 
I said one simple question. When do you estimate that these 
assessments and recovery plans will be in place?
    Mr. Purdy. We have a couple different levels. The 
fundamental response to attacks is the ESF-2, is the 
communications piece, which is we have a close partnership with 
NCS and NCSD, that is in place. It is operational. There is a 
long history of the communications----
    Mr. Gordon. Was it in place when the General Accounting 
Office did their report this summer?
    Mr. Purdy. Yes, it was.
    Mr. Gordon. Well, they didn't seem to think it was in 
place.
    Mr. Purdy. Well, reading the entire GAO report, there is a 
recognition of tremendous progress we have made----
    Mr. Gordon. Recently.
    Mr. Purdy.--in a number of places.
    Mr. Gordon. Right. Recently.
    Mr. Purdy. And the ESF-2 is a long-standing product of a 
public/private partnership with the private sector that has 
stood the test of time, and we are proud to be associated with 
that. The actual assessment of risk is part of the National 
Infrastructure Protection Plan. The base plan will be out later 
this year, and each individual sector is working on 
developing----
    Mr. Gordon. You said the base plan. That will still just be 
the framework?
    Mr. Purdy. Yeah, the federal plan, the more detailed 
guidance of----
    Mr. Gordon. But again, I just had a very simple question. 
When do you estimate these assessments and recovery plans will 
be in place?
    Mr. Purdy. There are two different elements. There is the 
assessment and there is recovery.
    Mr. Gordon. Okay.
    Mr. Purdy. The National Infrastructure Protection Plan is 
part of the assessment. We are also, within the Information 
Analysis and Infrastructure Protection Division, doing a risk 
assessment of cyber that is one of the priority efforts to fuse 
intelligence, to map the threat against the risk. So that is 
going to be ready very soon. The National Infrastructure 
Protection Plan, the risk assessment piece, will be early next 
year as to when that part of the assessment is completed.
    Mr. Gordon. Right. Thank you. I just didn't want to take 
time from these other folks.
    Now, if you could, I would like to hear about your sectors.
    Mr. Leggate. Okay. Let me speak for that.
    I answer your question in--although it is a simple 
question, in two ways.
    The first one is today, 2005, I will take a point in time 
in 2007 or 2008. So given we are still in the process of 
migration from private networks to the Internet, the 
consequences would be moderate in the near-term, because we 
haven't fully migrated to the new way. I would suggest to you 
that by 2007 and 2008, this is the tipping point when most the 
business will run that way. And at that point, I would suggest, 
it might be catastrophic.
    Mr. Gordon. And is there a role for the United States 
Federal Government to play in helping you avoid catastrophe or 
to recover from it if it did occur?
    Mr. Leggate. I think, absolutely, going back to the 
Chairman's remarks about setting up a new post within the 
Department, I think the issue is to make progress and retain 
focus to put things in place in the near time frame rather than 
taking five or six years to move to a better place.
    Mr. Kepler. Yes, if you take the first point, which is what 
I do believe is a major risk or consequence here, if 
communications, both voice and the Internet, is the key 
vulnerability in my mind and risk. If communication stops, 
commerce stops. And if communications isn't there, you can't 
recover. So really, looking at a major catastrophic failure in 
communications is really the real critical issue, in my mind, 
around cyber security. And so when you approach that, what are 
the major risk areas for that to happen we will have to 
address, and not only recover and response, but part of 
addressing with risk is containment and mitigation. So when we 
have those risks, we do see parts of the infrastructure fail, 
but we can't have it cascade and completely fail. So how do you 
contain those failures is something that we need to work on, 
and that needs to be collectively done between the government 
and industry to model those threats and to come up with 
response positions.
    Mr. Freese. From the electric sector, it measures very well 
with what he is saying. The telecommunications infrastructure 
and the electric infrastructure are very closely matched. A 
problem with telecommunications will impact the electric 
control systems, in most cases. If I look at it strictly from 
an electric company--or electric sector perspective, we are 
vulnerable to an undetermined extent based on the number of 
utilities that are in the country and the number--the amount of 
information that is shared even between utilities is very 
scarce. I can say if we have network security in place, if we 
have our communications security in place, we are all right. 
But I don't know how many of the companies are in that 
situation. I would say the government can assist with that by, 
as I mentioned, keeping the R&D programs with the Idaho 
National Lab, Pacific Northwest National Lab, Sandia in place, 
and working on cyber solutions that we need now. I mean, 
research and development for long-term solutions is great, but 
we have some pressing issues now.
    Mr. Geisse. I guess I would add, for the communications 
industry, it is very similar to the other industries with one 
exception. We keep our network, general purpose type network 
for our customers, independent and separate of the Internet 
network to try to prevent that sort of issue to begin with.
    And I think you also asked what do we do about it if that 
happens, we have a very focused effort, something that we 
constantly test and for disaster recovery. If we have a 
disaster like that, how do we bring up a duplicate, for 
example, network operations center. We have duplication 
throughout our network to prevent it.
    I think the government can help in a lot of ways. One is 
hearings like this that put some focus on it are important. I 
think doing R&D and research is important. But I also think, 
from my own perspective, there are reasons for these attacks, 
and you need to start treating them just like you are treating 
terrorists and other things and actually go after them and 
prevent it before it happens.
    Mr. Gordon. Thank you very much.
    Chairman Boehlert. Thank you very much.
    The gentleman's time has expired.
    And before I turn to the eloquent Mr. Akin, just let me 
point out the private sector. All of your affiliations have 
active lobbying efforts on Capitol Hill. And my experience with 
lobbyists; they are very valuable assets. They provide 
additional information to us, and hopefully we listen to both 
sides of the story, but that you have got to attach a higher 
priority to lobbying the Congress, our colleagues outside this 
committee, who don't really understand the full dimensions of 
this yet to, when you call on the Members, advocate for more 
R&D, for example, into cyber security, for better coordination, 
for more attention.
    And so please carry that back to your hired guns, so to 
speak. And I use that as a positive not a pejorative. But you 
have got to focus on the importance of this subject. And 
tomorrow's papers will come out. The evening news will come 
out. Then this won't even be mentioned anyplace, because, as I 
say, in most quarters it is greeted with a muffled yawn, and 
yet we know, you know in your sharing with us, how important 
this is and the potential impact it could have on our entire 
economy.
    So with that, let me turn to the always eloquent Mr. Akin.
    Mr. Akin. Thank you, Mr. Chairman.
    I will try not to be too long in my eloquence here. I just 
had a couple of quick questions.
    And let me explain where I am coming from. I am also 
serving on the Armed Services Committee, and one of the things 
that the House is doing is trying to do a complete analysis of 
where we are relative to defense and all. So my questions are 
more directed toward a situation where somebody, even a major 
nation state, might try to precipitate some coordinated attack 
in this area.
    So my first question is kind of a simple one. After 
September 11, cell phones and phones became pretty much 
inoperative. Was that because of the volume of traffic?
    Mr. Geisse. I guess I will answer that one, Congressman 
Akin.
    Are you talking about specifically in New York?
    Mr. Akin. Well, actually, here in DC, cell phones were 
useless. You couldn't get a call or anything.
    Mr. Geisse. I am not familiar with that, but my guess I 
mean, the reality is of how those networks are designed, there 
is a limited amount of frequency that you get from the Federal 
Government for those networks, and as a result, a limited 
number of calls you can do at any one time. And I imagine the 
call volumes were way high that day.
    Mr. Akin. So consequently, that would jam everything up?
    Mr. Geisse. Well, I am sure there is a certain amount of 
calls that would get through. But one of the things that we do 
that you may not be aware of is for the Federal Government, in 
an emergency like that, we reserve a certain amount of the 
network for them, from a priority perspective for calls.
    Mr. Akin. Okay. Now let us say that we are talking about 
more this organized sort of attack type of situation. First of 
all, just simply how vulnerable are we? And second of all, what 
are some of the first things that you would do to try to 
protect against that?
    Mr. Geisse. As part of the co-chairs of the National Cyber 
Response Coordination Group in Department of Defense, and their 
representatives include those from the Office of the Secretary 
and the Joint Task Force on Global Network Operations, we have 
been doing tabletop exercises among the membership at the 
National Defense University to make sure we have the 
communication paths and processes in place to make sure we have 
a coordinated government response to such attacks.
    Mr. Akin. Anybody else want to take a shot at that?
    Mr. Kepler. I would just say that when you get prepared for 
the scenario you are talking about, you have to worry about 
diversity before you start, so we would look at cell phones, 
land lines, priority lines, multiple carriers, Internet 
communications, so the whole concept, I think in this 
environment, is diversity so you can respond over whatever 
happens to be up at the time. That is the key point in my mind.
    Mr. Akin. So you are saying have enough backup kinds of 
systems that are going different ways that you could run things 
a different direction?
    Mr. Kepler. It is hard in scenario planning to target an 
exact backup. That is why I think diversification of different 
types of routing, circuitry, different methods, whether that is 
satellite or whatever, are pretty key, because then you would 
have to take out different types of infrastructure, which is a 
challenge.
    Mr. Geisse. I would like to add one thing, Congressman 
Akin.
    I know of at least one situation that is public, it was in 
the private sector, where a cyber attack was used specifically 
to gather information from a competitor, so they put out a 
virus that basically the company didn't even know was there, 
collected data, transmitted it back. And so I think that type 
of attack that you bring up is very possible, and I think part 
of it is we have to start getting proactive. We can't keep 
sitting back and preventing after we see the worm, after we see 
the virus. We have to start getting and creating technologies 
that go out and prevent it before it ever happens.
    Mr. Akin. Right. So now some of what we have got is going 
to be software-related types of attacks. Some are going to be 
just simple hardware things like, you know, an electromagnetic 
pulse or something that is just simply blowing up a 
communications hub or something, right? And so what you are 
saying is a diversity of ways of moving information is probably 
your best--and you are saying that we are making some progress 
in that regard or that we still have--what is your--what would 
you say would be our level of vulnerability? Could you just hit 
the system in a couple of places and shut the country down or 
would it be pretty hard to just pick several things to do?
    Mr. Freese. From the communications perspective, as it 
applies to electricity, you could shut down various areas and 
regions. I don't think you could shut down the entire country. 
That is a--that is kind of a misconception. You could take out 
a significant region of power and communications, however.
    Mr. Akin. From an electric grid point of view?
    Mr. Freese. From an electric and a communications point of 
view.
    Mr. Akin. Yeah.
    Mr. Freese. I don't think you would have an entire country 
down from a telecommunications perspective from a localized 
attack against a certain region.
    Mr. Akin. Again----
    Mr. Gordon. Would the gentleman yield? Ask him how long. He 
is going to be down for how long?
    Mr. Akin. Go ahead. Yeah.
    Mr. Gordon. If you would. I mean, you say we would be down, 
but for what period of time?
    Mr. Freese. Well, that depends on a lot of different 
things. It depends on what you have for backup communications.
    Mr. Gordon. Are we talking minutes, hours, or days, or 
weeks?
    Mr. Freese. I would say, in some cases, hours, some cases, 
days. He would be better to tell you how long it would take 
telecommunications to come back up.
    Mr. Akin. Yes. You can go ahead and respond.
    Mr. Gordon. Thank you.
    Mr. Geisse. Yes, sir.
    From a communications perspective on a cyber attack, the 
way we do our networks, it wouldn't affect the communications 
network itself, because we keep it independent. But what it 
does impact is the systems we use to monitor it, to provision 
it, to make sure that we can keep the network up. And that is 
why it is still extremely critical. And I think that Mr. 
Leggate made a point earlier on that as the future goes on, and 
more and more things run on the Internet itself, we more and 
more vulnerable versus the separate networks that we have 
today.
    Mr. Akin. So to some degree, the lack of sophistication, if 
you will, or the duplication, is giving us a lot more 
protection than we would have in the future? That is a point 
several of you have made then.
    Yes. Well, I think my time has expired, and I don't want to 
be excessively eloquent, so----
    Chairman Boehlert. Well, all right. Fine. We will permit 
you to be excessively eloquent.
    But Mr. Purdy, you had your hand up.
    Mr. Purdy. Yes. I just wanted to mention that in a major 
situation, we have the critical infrastructure warning 
information network that is a survivable network connecting our 
Department with various critical sectors in the country, 
including electricity, information technology, and 
telecommunications, State Homeland Security Advisors, sector-
specific agencies, and resources in each critical 
infrastructure, and we are building out that network to greater 
connectivity over time.
    Chairman Boehlert. When the warning is issued, hopefully 
the message is not only heard but heeded. I would point out 
that one of the agencies under the jurisdiction of this 
committee is NOAA, which is the parent agency for the National 
Weather Service, and if you are looking for bright lights in 
the aftermath of Katrina, one of the bright lights is that the 
National Weather Service, on five o'clock, on the Friday 
preceding the Monday morning when Katrina actually hit land, 
the National Weather Service put out an alert, a weather alert 
that a category four or five hurricane was due to hit within 72 
hours. That went to every emergency responder, every state 
capitol, every major city, but some people didn't pay much 
attention.
    Mr. Honda.
    Mr. Honda. Thank you, Mr. Chairman, and I appreciate this 
opportunity.
    There are two arenas I would like to just bring up, and it 
has been touched upon a little bit. But one is, I represent 
Silicon Valley, and in our valley, we house the backup data and 
even the primary data of many businesses. Perhaps some of yours 
are housed there. And maintaining both the integrity of and the 
appropriate access to this data is essential for normal 
operations. But in the event of not only a cyber attack, you 
have made some comments in that arena and physical attack, but 
coupled physical and cyber. I am not sure that that was 
discussed very fully. And also a response on how we would be 
responding to a natural disaster. And I bring that up, because 
my valley is situated between the San Andreas Fault and the 
Hayward Fault. And I am not sure that that kind of an incident 
or occurrence has been thought of. And given Katrina, I think 
that natural disasters we found that sometimes it creates a lot 
of unintended consequences that we have to anticipate.
    The other question is the information sharing and exchange, 
that has always been something I have been concerned about 
since 9/11. And in terms of cyber security and information 
exchange, where are we in the Department of Homeland Security 
in that effort? And I would like to know what the private 
sector feels that we are, and what grade would you give the 
Department of Homeland Security at this point in time? And then 
I suspect that we are going to have a new Assistant Secretary 
of Cyber Security. What advice would you give that person at 
this point in time relative to information sharing?
    Thank you, Mr. Chairman.
    Mr. Kepler. Let me try to answer maybe a couple from my 
view.
    The one point you made, if you think of weather systems, we 
are getting a lot better at modeling hurricanes. If you think 
of earthquakes, we are getting better, but not nearly to the 
sophistication. To other external threats, we don't have the 
same type of modeling and predictive capabilities. So part of 
the response is getting that predictive capability. So we 
really need to think about that as we go forward and look at 
strengthening that. That is one of my----
    Mr. Honda. Does our--do we have a redundant system that 
will accommodate all of those three areas?
    Mr. Kepler. Well, there are just a couple of areas we are 
talking about. One is the prediction so you can become better 
prepared in stages. You go closer like you would. Another 
activity is to have diversification of your infrastructure and 
recovery protocols, so most major companies are positioned to 
have recovery plans, crisis management plans in place. We have 
corporate crisis management plans since the late '80s. When 9/
11 occurred, we actually invoked that. We weren't majorly 
impacted, to one of the other points earlier, some of the small 
businesses and structures that may not have that level of 
sophistication.
    I think it is also a challenge in terms of information 
sharing, which is critical in protecting and responding. The 
private sector is bound between antitrust laws and Freedom of 
Information issues and sharing information. That, to me, is a 
critical issue that we still need to balance on. So while you 
are trying to address this thing, we can actually be non-
compliant with other laws. So how we really focus on that 
information sharing is really a critical aspect of it.
    Mr. Honda. Thank you.
    Mr. Freese. I would like to add something about the natural 
disasters response you were talking about.
    Even during Katrina, there was some extensive physical 
damage to the electric infrastructure, to the communications 
infrastructure, and several others. Okay. And that is going to 
happen regardless of what type of natural disaster you have 
got. So what your main concern is, at that point, is making 
sure that those problems don't cascade outside of the 
immediately affected area. And I think it was true testimony to 
everybody's professionalism down there that the electric sector 
maintained power around the area. There were no cascading 
failures. Communications was set up via the Internet and 
temporary communications, so there are ways to do this. But I 
don't see a really good way around the physical damage, 
physical destruction of the infrastructure. That is very 
difficult to have a backup to outside of the affected area.
    Mr. Honda. And in the affected area, was there a 
replacement system that took place of the current power, no pun 
intended, not electrical power, because people were afraid----
    Mr. Freese. No.
    Mr. Honda.--of electrocution?
    Mr. Freese. No, there was not. There were substations that 
were damaged and put out of service. There were lines down. 
That type of physical damage just takes time to repair. Now 
there are ways of bringing temporary transformers in, those 
types of--getting the lines back up, temporary lines run, but 
that, of course, takes time and effort and significant funding.
    Mr. Honda. Would wireless and satellite connections replace 
that loss of----
    Mr. Freese. From the communications perspective, yes.
    Mr. Geisse. Yes. For example, in Hurricane Katrina, one of 
the first things we did is send down--we call them ``cellular 
on wheels.'' They are basically cell sites that are built into 
a truck. We sent over 300 of those down there immediately for--
so that we could set up cellular service in Katrina.
    Mr. Honda. Was that private sector strategy or was that 
something----
    Mr. Geisse. Private sector strategy.
    Mr. Honda. And is that something that we should look at in 
terms of the government's side?
    Mr. Geisse. Well, I guess here is my answer because I think 
your question is, as I understand, and it is well founded. I 
mean, you know, we have had many disasters in California from 
the fires down in LA to the mudslides to our own issues with 
flooding and weather. And we have response units within our 
company to go out and handle those types of situations so that 
we can get service up and repaired as quickly as possible. And 
it is not as simple as just dropping in a second system, 
because really, in many cases, like, for example, the fires 
down there, we had burned up wires that we had to go in and 
replace and put up and running and working. I think what the 
government can help on this, and I think it has been brought up 
here several times, is start focusing this as a major issue and 
that we are all prepared, as different industries, to work 
together in a real disaster.
    Mr. Freese. If I may just finish up with one thing about 
the information exchange in DHS. As I mentioned earlier, that 
has been a problem for the last few years, and I am not sure 
that I understand exactly why, because DHS has a PCII program 
developed and in place. This was essentially going to let 
private industry present information to the government that 
would be protected and would not be disclosed without the 
private industry's permission. I am not sure where that stands 
right now. If Mr. Purdy could give me an update on that 
program, I would appreciate it.
    Chairman Boehlert. Mr. Purdy, and then we will go. Mr. 
Honda's time is expired. We are generous.
    Mr. Purdy. Yes, the PCII program, which has been operating 
under an interim rule since the time it went into effect, will 
be subject to a final rule. It is under current consideration 
by the DHS General Counsel, Phil Perry. We expect that revised 
rule to come out momentarily. But in the meantime, we are 
trying to facilitate information sharing, building on some key 
legacy organizations, such as the NCC ISACs, the NCC generally, 
but we have leveraged the source of information across the 
federal agencies, so we get better information now, and now we 
can share it. Plus, we have enhanced the information we get 
from the intelligence and the law enforcement folks, and we can 
put out targeted bulletins to the technical or non-technical 
sector, to government or the private sector, that we don't 
associate with the source of the information. So we can get 
sensitive law enforcement-sensitive information, classified 
information that we can turn into actionable guidance. In 
addition, we are building a North American Incident Response 
Group of private sector folks. We met last week in Silicon 
Valley with a number of companies out there. We have a meeting 
that is ongoing right now in Arlington with a number of 
companies. We are trying to build that capability. The ISACs, 
we met with the ISAC council with the Assistant Secretary 
earlier this week. The sharing of information with the ISACs is 
a fundamentally important thing.
    In addition, there has been a robust sharing among ISACs 
that is centered by the IT ISAC. We have our US-CERT secure 
portal that has 2,000 private and governmental folks involved 
in sharing information in a secure environment. We are going to 
tie in that IT ISAC information sharing, because we believe it 
is a combination of building trust, giving value, because we 
have a major private sector retreat next week that the private 
sector is hosting. We want to share what we know, what of that 
do they want, and let us accelerate the mechanisms for getting 
that information. Because folks, if they go to the effort or 
decide whether to go to the effort to share information, it is 
important to protect it, but it is also important for them to 
think somebody cares about it, somebody uses it, and we provide 
value back to the private sector. And we are committed to do 
that.
    Chairman Boehlert. Thank you very much, Mr. Purdy.
    The Chair recognizes Dr. Bartlett.
    Mr. Bartlett. Thank you very much.
    Mr. Leggate, in your written testimony, you note that 
businesses and governments can plan for expected failures. But 
even the best prepared organizations and corporations may be 
woefully inadequate in responding to complex, low-probability, 
high-impact failures. If a large-scale Internet outage or 
significant reduction in performance would occur, the 
unexpected effects on whole sets of industries, utilities, and 
enterprise could have surprisingly large economic and social 
impacts. For the few moments that we have, I would like to 
engage you in a discussion of the ultimate low-probability, 
high-impact failure, and that is a nuclear EMP attack on our 
country.
    For several years, I have been concerned with this, and I 
got legislation about three years ago to set up an EMP 
Commission which acted for two years, chaired by Dr. Bill 
Graham, Rumsfeld's deputy in his emerging ballistic missile 
threat commission. They have now issued their report. Senator 
John Kyl has, in the last few weeks, had a piece in the 
Washington Post reflecting his concern for this. Newt Gingrich 
and his colleague, Bill Forstchen, have written a fascinating 
novel, which will be out next summer. I encourage you to read 
that. It is called ``One Second After.'' They have done very 
good research. It is quite accurate. Because even the level of 
concern may be classified, I will only tell you that within the 
Pentagon now, there is a growing concern for a nuclear EMP 
attack.
    The Russian generals can tell us things that I maybe cannot 
tell you, because they would be classified, but the Russian 
generals tell us that they have developed a nuclear EMP weapon 
that will produce 200 kilovolts per meter, that a large weapon 
detonated 300 miles high over the center of our country, Iowa 
or Nebraska, would blanket the whole country, and at its 
margins, would be 100 kilovolts per meter. The Russian generals 
tell us that the 200 kilovolts per meter is several times the 
level to which we tested. I cannot tell you to which we tested. 
I think that is classified, but the Russian generals say that 
that is several times the level to which we tested. And at the 
margins, it is probably a couple of times to the level at which 
we tested.
    My question is what are we doing to prepare for an EMP 
attack? The Commission, by the way, noted that this is one of a 
few incidents that could, you know, and I am going to put their 
caution in the common vernacular, it could end life as we know 
it. What preparations are we making for this low-probability, 
high-impact probability?
    And I would like to ask Mr. Freese, if a failure of the 
power systems resulted in the loss of our major transformers, 
how long would it take to get a new one, and where would you go 
to get a new one?
    Mr. Freese. Okay. We have multiple sizes of transformers. 
Some of them are readily available in spare parts.
    Mr. Bartlett. But isn't it true, sir, that the larger ones 
that we don't even make in this country----
    Mr. Freese. Yes, sir. I----
    Mr. Bartlett.--it would take you maybe 18 months to get 
one----
    Mr. Freese. Yes, sir.
    Mr. Bartlett.--ordered from overseas?
    Mr. Freese. I was going to mention that at the----
    Mr. Bartlett. That is correct?
    Mr. Freese. There are some major transformers that are not 
made in this country, made in Europe and in Asia, and it would 
take up to 18 months to get one sent over to the United States. 
That is one at costs of several million dollars. And we, 
frankly, don't have a lot of those spare parts laying around.
    Mr. Bartlett. But you do have a few spare transformers?
    Mr. Freese. Yes.
    Mr. Bartlett. They are in the field?
    Mr. Freese. Yes.
    Mr. Bartlett. They are beside the transformer that if it 
went out, you couldn't serve your customers. But an EMP attack 
would take out both of them, would it not?
    Mr. Freese. Yes, sir, it would.
    Mr. Bartlett. I hope that my colleague, Dr. Ehlers, has an 
opportunity to pursue this, because already our yellow light is 
on.
    But I want to ask each of you the level of concern in your 
discipline about EMP attack and what you are doing.
    Let me start with Mr. Purdy. What is your level of concern, 
sir, and what are you doing about it?
    Mr. Purdy. Well, this issue is concerned in the larger 
context of the full potential threats to the telecommunications 
infrastructure. The Department of Homeland Security is working 
with the Department of Defense and Central Intelligence Agency 
to ongoing assess the developments of the kinds of technology 
you are talking about to consider the full range of these kinds 
of threats against various sectors, including the use of EMP 
and telecommunications electromagnetic disruptive effects.
    Mr. Bartlett. Sir, when will you, because our time is very 
short, when will you be able to tell us of our level of 
vulnerability and your recommendations for what we do about it? 
Just tell us when you will be able to tell us that.
    Mr. Purdy. Well, we already made recommendations and 
mitigative measures have been taken to enhance the equipment 
providing greater protection in the event of an EMP threat.
    Mr. Bartlett. My red light is on. Let me just make one 
observation and ask if this is not correct.
    We have SCADA systems and we have computers embedded in 
those, and it is my understanding that we may not even know who 
made those computers. And if we know, they may no longer be 
available, there are so many of those that it would be 
impossible to harden them, and that unless we are going to 
replace all of those SCADA systems, we are going to remain 
vulnerable to a pretty broad scale shutdown of our 
infrastructure in the event of an EMP attack. That is correct?
    Mr. Freese. Well, sir, I mentioned it earlier that our 
electric infrastructure is made up of a lot of legacy systems 
that don't support new technological security protections and 
it will take, probably, a new generation of infrastructure to 
completely eradicate those from the system. Right now, we are 
working with obsolete equipment in a lot of cases.
    Mr. Bartlett. I know my red light is on, Mr. Chairman. I 
just want to note that although not one in 100 of our citizens 
may know about nuclear EMP attack, I will assure you, sir, that 
every one of our potential enemies knows all about it, and it 
is in their open literature.
    Thank you very much.
    Mr. Akin. [Presiding] Thank you, Mr. Bartlett.
    Mr. Miller.
    Mr. Miller. Thank you, Mr. Chairman.
    The 9/11 Commission said that private sector preparedness 
for terrorism attack now must be regarded as part of the cost 
of doing business, certainly for critical industries and any 
kind of critical infrastructure. And you can no longer--no 
industry that is part of our critical infrastructure can ever 
claim again that a nuclear--that a, excuse me, terrorist attack 
is not foreseeable. It must be foreseeable. Do all of you agree 
with that?
    Yes, sir.
    Mr. Leggate. I would say the point you come to is the range 
of scenarios that companies use to do their testing of their 
systems that, in a sense, prior to 9/11, we wouldn't have 
conceived----
    Mr. Miller. Right.
    Mr. Leggate.--events of this kind. But what we have to do 
is learn from 9/11, learn from the tsunami----
    Mr. Miller. Right.
    Mr. Leggate.--New Orleans, and also from the bombing in 
London, for example, which we have been involved in managing. 
So each one creates a new set of situations, and then 
companies, and I would make a plug for this, really have to 
really run these scenarios hard and find out, I would call it 
the disconnected pieces, the things that you wouldn't have 
predicted that show up. And it also applies at the national 
level as well. So there is enormous value in running these 
scenarios. Then to find out the things that do fail well ahead 
of time.
    And number two, prepare your management teams, either at 
the country level or the corporate level, to respond 
effectively during difficult situations.
    Mr. Miller. Okay. Yes, I agree with you. You can't just 
respond to the things that have already happened. Be prepared 
for things that we know can happen, because they have happened. 
We really do need smart people lying awake at three o'clock in 
the morning trying to figure out what could happen next and how 
to be prepared for that.
    The 9/11 Commission also said that we needed to develop 
standards for preparedness in the private sector that does 
provide for business continuity and mitigation, redundancy, and 
that those kind of commonly understood standards, they praised 
the standards developed by the American National Standards 
Institute, ANSI, should become the standard of care for 
purposes of legal liability. Is there anything like that in the 
cyber field? Is there any kind of standard of care that is the 
industry standard that is well understood this is what you do 
to be prepared against a cyber attack?
    Yes, sir.
    Mr. Freese. Yes, sir. In the electric sector, we have the 
North American Electric Reliability Council, twelve hundred 
cyber security standards. These have been in place for almost 
two years, and they provide a very, very solid best practices 
approach to securing critical security systems and other 
critical systems against cyber attack. It extends into business 
continuity, disaster recovery, personnel issues, background 
checks, network security, transmission security, and 
communications security. So these are in place right now.
    Mr. Miller. Okay. And Mr. Purdy, does the Homeland Security 
Department embrace the finding of the 9/11 Commission that 
there should be legal liability for the failure to prepare up 
to the standard of care in industry?
    Mr. Purdy. We have not taken a position on whether there 
should be liability in that instance. What we are finding is 
that the interpretation of the Sarbanes-Oxley statute, 
requiring that the CEOs and Boards of Directors exercise due 
care in their risk mitigation processes has led the CEOs to 
fashion their risk mitigation strategies based on best 
practices. NIST provides very substantial guidance on best 
practices for information systems. The FISMA standards for 
federal systems provides similar guidance, and we are working 
with NIST on additional guidance along those areas.
    Mr. Miller. Okay. The usual legal liability is for the 
damages that would be foreseeable from a failure to abide by 
the legal standard of care. Mr. Freese, for instance, in the 
energy area in the electric grid, what would be the foreseeable 
loss from a cyber terror attack that was foreseeable, should 
have been foreseeable, and that the failure to abide by 
industry standards had led to it?
    Mr. Freese. Please rephrase the question for me.
    Mr. Miller. Okay. I will admit that was a little garbled. I 
will try that again.
    What is a foreseeable loss, not just to a power company, 
but from all of those who do business with it who depend upon 
it for their power from a cyber security attack?
    Mr. Freese. Well, it is going to be very significant. From 
the electric sector, it is one of the primary critical 
infrastructures in the country. There is virtually nothing that 
doesn't use electricity. Businesses, the military, everything 
uses electricity. If you have a major cyber attack that takes 
out an entire region of the country, everyone is going to be 
impacted within that region. I mean, there is--there are some 
backup generators. There are backup power supplies, but 
essentially, a lot of companies are going to take major losses, 
financial losses, if there is a major outage that lasts any 
period of time.
    Mr. Akin. The gentleman's time has expired.
    Mrs. Biggert.
    Ms. Biggert. Thank you, Mr. Chairman.
    Mr. Kepler and Mr. Freese, you both mentioned your work 
with the National Laboratories on your critical infrastructure 
protection efforts. Could you give us a little more detail 
about your work with the Labs? And have they been helpful?
    Mr. Kepler. Yes, I would be happy to do that.
    To link the two discussions up here, from an American 
Chemistry Council point of view, we have a concept called 
``Responsible Care'' that we expect our members to subscribe 
to. In that is a certain set of management practices of how you 
approach all aspects of stewardship in your industry, including 
security. And in that is embedded cyber security. With that, 
these are management practices, and you need to establish 
standards of how you do that in compliance. You don't want to 
subscribe to exact solutions, because this is such a dynamic 
area. So we have worked with organizations that have been 
outlined, as well as international standards organizations, and 
tried to build those in. For example, in plant vulnerability, 
assessments and design is a great example. Just the corporate 
management systems for how you put in place corporate 
governance of security, including cyber security as well.
    Ms. Biggert. Mr. Freese.
    Mr. Freese. We have worked significantly with the Idaho 
National Lab and Pacific Northwest National Lab on SCADA, 
specifically. We are looking at encryption technologies, 
encryption of control signals to prevent interception or 
injection. We are looking at secure authentication. And this 
is, again, this is trying to secure the current systems we have 
now prior to any long-term R&D coming into fruition. There is a 
SCADA testbed at the Idaho National Lab that is extremely 
valuable. It can be used to solve a lot of problems with 
information security, especially if it is coordinated with 
the--they also have an energy infrastructure set up at Idaho 
National Lab that has got end-to-end--well, for an example of 
infrastructure for telecommunications and electricity, you can 
do end-to-end testing, and you don't have to bother with piece 
meal solutions. You can go and do an entire range of trial and 
error. And I think those programs are extremely valuable, and 
they are not made enough use of right now. And I think we 
should expand the use of those, particularly in the SCADA 
testbed. There is a lot of equipment that is used commonly by 
many, many companies, and those would apply particularly well 
to that particular test environment.
    Ms. Biggert. Thank you.
    And Mr. Purdy, you know, the Labs do have expertise in both 
computers and the networks and the critical infrastructure 
protections. To what extent is your Division working with the 
National Labs and the U.S. research universities?
    Mr. Purdy. One of the highest priority programs for NCSD is 
our Control Systems Security Program. We funded it at over $11 
million in 2005, and the President's budget proposes over $15 
million in 2006. At the heart of that is our work with the 
Idaho National Lab and the partnership with the other Labs and 
partnership with the Department of Energy on their area of 
responsibility, and the Science and Technology Directorate. So 
that is a hugely significant area that we are working in close 
partnership, not only with the Labs, but the key private sector 
folks. We helped form, for example, the Process Control Systems 
Forum, which is made up of hundreds of owners and operators. In 
addition, NIST has an Advisory Group of owners and operators. 
We are working with DOE to build the network of the control 
systems owners and operators so that we get the shared 
information on attacks and failures and that we can have a 
continuous loop, but it has R&D aspects, incident response 
aspects, and there are short- and long-term benefits to this 
program.
    Ms. Biggert. Thank you.
    And then time for one more question to Mr. Freese again.
    One aspect of cyber security is making sure that the 
Internet and other information networks are up and running. And 
isn't electricity critical to keeping the information networks, 
like the Internet, operational? So if so, then cyber security 
is critical to your core business of energy production and 
distribution. But your core business also is critical to the 
cyber security of other sectors of the economy and the Nation 
as a whole. Is the energy sector giving equal attention to 
cyber security and the protection of critical energy 
infrastructure? Is one more important than the other or are 
they the same? It seems like we have got the chicken and the 
egg, which is going to be----
    Mr. Freese. Yeah, it is kind of a chicken and the egg 
situation. But I believe sincerely that the energy sector is 
extremely aware of their responsibilities to the rest of the 
country to provide communications, the Internet, all of those 
things. We are--we have formed major industry groups to look at 
security within the industry itself across the sector, physical 
and cyber security, physical primarily to protect the cyber 
assets. And we take that very seriously. And we understand that 
there are these interdependencies that we are a primary part of 
in a lot of areas in a lot of critical infrastructure sectors.
    Ms. Biggert. Okay. Thank you.
    My time has expired.
    Mr. Akin. Ms. Johnson.
    Ms. Johnson. Thank you very much, Mr. Chairman.
    I ask unanimous consent to submit my entire statement to 
the record and welcome this esteemed panel. And let me 
apologize for having to----
    Mr. Akin. Without objection, that will be entered in the 
record.
    Ms. Johnson. Thank you.
    I apologize for having to dash out and come back.
    And Mr. Geisse, welcome. I know two of your colleagues, 
John Mumford, whom I served in the Texas Senate with on the 
Finance Committee, and Mr. Whitacre that I have known for 20 
some years. So welcome to this committee.
    I have some questions that I am asking anyone to answer. 
And maybe you have already answered, and if you have, just tell 
me, and I apologize for asking again.
    But what is known about the vulnerabilities of different 
sectors of the economy that rely on networked information 
systems, and to what extent can the seriousness of the threat 
be quantified or prioritized?
    Go ahead.
    Mr. Purdy. The National Infrastructure Advisory Council, a 
Presidential Advisory Group, made up of private sector 
individuals, has done an assessment of the risk and threat to 
the different critical infrastructure sectors and the 
dependency of those sectors on each other. That is not 
available for public dissemination. We are using that as part 
of our process of identifying the cyber risk assessment as part 
of our fusion of the intelligence vulnerability and 
consequences information and in our work on developing 
scenarios that I talked about in my testimony so that we can 
understand what is necessary to mitigate the possibility of 
those vulnerabilities being exploited, how are we going to 
respond to those, and how are we going to reconstitute. And we 
look forward to that being a strong public/private partnership.
    Ms. Johnson. Thank you.
    Anyone else?
    Thank you very much.
    Is the government sponsoring enough R&D in an effort to aid 
the public sector with cyber security?
    Yes.
    Mr. Purdy. Let me answer the question this way.
    The Federal Government, under HSPD-7, has coordinated, 
under the leadership of the Office of Science and Technology 
Policy, the President's Science Advisor, and the Science and 
Technology Directorate. They will be issuing a national cyber 
R&D plan in the very near future which will serve the benefit 
of scoping out what needs to be done. They also had an 
interagency group to identify and track what is happening and 
what needs to be happening in cyber security. It is my hope 
that as the articulation of what needs to be done and the 
specific requirements are laid out, then those who feel that 
the priorities aren't the right priorities or feel that the 
resources aren't the right ones, then, perhaps, can suggest 
where the extra emphasis and resources need to be placed.
    Ms. Johnson. Do I have a little bit more time for another 
question? I guess----
    Mr. Akin. The gentlelady does have a minute and 43 seconds.
    Ms. Johnson. Okay. Thank you.
    There are two aspects of cyber security that I have concern 
about, because of my constituency and because of Homeland 
Security. One is that I have not met a person who is not 
suspicious of all of their business being available through the 
networks. And I would like some comment on that on just how 
secure that is, and two, for terrorist attacks.
    So I invite anyone to comment to see what we need to do or 
what is the risk or what is real and what is imagined.
    Mr. Kepler. On the second part, I think when you look at 
the access to terrorism, this is a critical issue in terms of 
the amount of information we want to provide in this country 
versus how that information could be used against us. And 
certainly, I mean, that is one of the public policy things that 
needs to be addressed. What we want to do is be able to have an 
open environment between the right people to make sure we can 
assess threat. The challenge is once you start to look at those 
vulnerabilities and make them public, they provide information 
to our enemies as well. And the challenge we have is some 
things that may not be related to terrorism directly can be 
used as information to create attacks. And I think we have to 
spend a lot of time on public policy and on research to figure 
out how to segment those two issues and keep them balanced.
    Ms. Johnson. Are you doing any kind of PR to allay the 
fears of Americans who think that telephone companies and 
everybody else snoop into their business by computer and 
Internet?
    Mr. Geisse. Telephone companies snooping?
    Ms. Johnson. Anything wired, people think they can listen 
to their conversations, get into their private business, look 
at where they shop, all of that.
    Mr. Geisse. Well, I think, you know, I will answer your 
question in that your concern about terrorist attack, your 
concern about information being available on the Internet are 
real issues, and they are issues that industry has to 
constantly be looking at to protect our customers' information, 
which, for example, we do in the phone company religiously. I 
mean, we take it very, very serious, our customer information 
and protecting it, and are constantly looking for ways to 
prevent attacks on that information.
    Ms. Johnson. Thank you.
    Would anybody else like to comment or do you think you are 
saved by the bell?
    Mr. Akin. The gentlelady's----
    Ms. Johnson. My time is up.
    Mr. Akin.--time is----
    Ms. Johnson. Thank you very much.
    Mr. Akin.--expired, and we have a vote on the House Floor, 
but if Dr. Ehlers can go quickly, we can get that in, I think.
    Mr. Ehlers. I thank you, Mr. Chairman.
    I will try to be pretty rapid.
    First of all, to respond to my colleague who just asked the 
question about telephone companies snooping. I grew up in 
southwest Minnesota, a very small town, hand crank telephone on 
the wall, a switchboard sitting downtown with an operator, and 
I can tell you, she knew more about the business of everyone in 
the town than anyone else did. So I suspect there is 
considerably less snooping by telephone companies by 
electronics than there was back then. But it is certainly a 
worthwhile question to ask.
    I would like to, first of all, just sitting here trying to 
put this all in perspective, it seems to me that most of the 
discussion has been about cyber security in the sense of 
software, and that is, of course, a major concern. It is a 
concern both in terms of industrial espionage, as it is called, 
certainly a concern in terms of national security. But then 
there is also the hardware factor, which was brought up by my 
colleague from Maryland. And since we are both scientists, 
maybe we have good reason for both worrying about the same 
thing, namely the hardware security.
    We have known about nuclear EMP for a long time. And I 
happen to be a nuclear physicist and worked at Livermore for 
one summer, years ago. And I never worried that much about it, 
because, frankly, I thought mutually assured destruction was 
pretty clear policy in that there is no benefit in any country 
to set off a nuclear weapon far above another country knowing 
that they, in turn, would have their systems destroyed. I do 
worry about it much, much more now, and I think Dr. Bartlett's 
fear is well founded in the sense that if you don't have a 
country that can be counterattacked, and if your goal is to 
disable your opponent as much as possible and to cause grief 
and pain and terror, the EMP is a very good way to do it, if 
you can manage to get the weapon and the launch vehicle. And I 
think it is something we have to take very seriously. Mr. 
Freese, I think you were a little optimistic in saying it would 
only affect certain areas of the country, but it depends, 
again, on the size of the weapon. We are not hardening our 
equipment.
    And I was struck by a phrase that Mr. Kepler offered 
earlier that when communication stops, commerce stops. And I 
would even extend that beyond that. When commerce stops, then 
life is endangered and perhaps life stops, because with the 
proliferation, and I have been worrying about this for about 10 
years now. I never worried about it too much until the 
proliferation of the Internet, but today, so much commerce is 
done over the Internet. But also, the proliferation of 
microprocessors and automobiles and everywhere else. And an EMP 
would not only affect communications but also transportation. 
How many of us would be able to drive our car after an EMP had 
wiped out the processors? And there are some 250, typically, 
microprocessors in the average American automobile today. How 
would trucks be able to deliver a product? How would people get 
food and water? I mean, this is really a doomsday scenario.
    And Mr. Purdy, I hope that you and others are worrying a 
great deal about this, because what we really need in place is 
an infrastructure that, at least in an emergency basis, would 
replace the infrastructure that we are becoming so dependent on 
through our use of microprocessors, Internet, and so forth.
    And I would like to give any of you time to react to my 
comments. Maybe I am off base, and if so, I would like to hear 
that. But if you could, briefly make a comment.
    Mr. Kepler.
    Mr. Kepler. Yes, Congressman.
    I think one of the key issues as we talk about industry and 
government relationship is understanding the roles and 
responsibilities. It is probably not practical for companies to 
go address that problem. That requires government from that 
type of level, and that is my broader point is these major 
issues need to be led by government in terms of how we address 
in the sectors need to support. There are things the sectors 
need to do, but there are things the government needs to do in 
that environment.
    Mr. Ehlers. If I may just interject. It seems to me your 
role, however, is to try to harden your facilities so that you 
can continue to operate.
    Mr. Kepler. Absolutely, and that is why we need 
diversification and structure. One point that has been brought 
up is the idea that the older technology can't be replaced, and 
that is true, but also the older technology is less vulnerable 
to the newer threats. So it is a real delicate balance in terms 
of putting this new technology in, because it is actually more 
vulnerable because of its complexity and size. So that is why I 
think we have got to be really careful of just putting 
technical solutions in and not having the broad policy 
understandings and risk balancing here.
    Mr. Ehlers. That is precisely the point, and the policy has 
to come from the Federal Government, but also the industry has 
to be aware of the need to harden their facilities as much as 
they can so at least emergency services can continue.
    Mr. Kepler. We agree with that.
    Mr. Ehlers. Mr. Purdy, do you have a comment?
    Mr. Purdy. I will have to defer to National Communication 
Systems on your follow-up question.
    Mr. Ehlers. Any other comments?
    I think everyone is eager to go vote, and I am as popular 
as a skunk at the tea party at this point, so I will defer to 
the Chairman and yield back.
    Mr. Akin. No, you are very popular, Dr. Ehlers.
    And--but your time has expired.
    And now all of our time is expired, because we have got to 
go vote.
    We will leave the record open for five days for Members to 
submit additional written questions for the witnesses.
    And I want to thank the witnesses for your time and your 
testimony. You are experts in your fields, and you have added 
to our understanding, and we thank you.
    And the Committee stands adjourned.
    [Whereupon, at 12:00 p.m., the Committee was adjourned.]

                               Appendix:

                              ----------                              


                   Answers to Post-Hearing Questions

Responses by Donald ``Andy'' Purdy, Jr., Acting Director, National 
        Cyber Security Division, Department of Homeland Security

Questions submitted by Chairman Sherwood L. Boehlert

Q1.  Measuring Cyber Security

Q1a.  How do you measure national cyber security?

A1a. National cyber security is a rapidly changing area in which a 
dynamic market drives the continuous emergence of new technologies and 
an evolving threat environment. As a result, measuring national cyber 
security is an important but challenging goal.
    Organizations, including all levels of industry, government, and 
academia, do not necessarily have total network cognizance, which 
prevents them from being able to measure their own level of security. 
To create an assessment of national cyber security, an entity would 
require accurate reporting from all organizations that rely on cyber 
systems on their own individual networks. Until all organizations 
achieve this, it will be very difficult to measure national cyber 
security.
    NCSD is working toward achieving greater situational awareness 
through efforts with: federal agencies, such as federal agency network 
monitoring; the private sector through interaction with Information 
Sharing and Analysis Center (ISACs); and, international partners 
through the international Computer Emergency Response Team 
collaboration. Enhanced situational awareness will help to provide a 
better estimation of the state of cyber security and identify methods 
of measuring changes and improvement.
    In addition, NCSD's responsibilities under the National 
Infrastructure Protection Plan (NIPP) for the IT Sector and cyber 
guidance across the critical infrastructures, will involve working with 
key governmental entities and the private sector to complete a sector 
specific plan that when implemented will help to create a national 
assessment of cyber risk, together with the prioritization of cyber 
risk mitigation measures. Several critical infrastructure cyber 
measures and metrics will be tracked across each sector based on the 
Sample Cyber Measures and Metrics being developed for the NIPP.
    The Counter-intelligence community also supports these efforts from 
the perspective of cyber espionage threat assessments. Foreign 
intelligence services are increasingly using cyber espionage as a means 
for collecting sensitive information. We are developing methodologies 
for identifying their cyber capabilities and for assessing, in more 
precise form, the damage to national security that might be caused by 
various cyber intrusion incidents.

Q1b.  How do you determine if the Nation's level of cyber vulnerability 
is being reduced?

A1b. In order to determine whether the Nation's level of cyber 
vulnerability is being reduced, NCSD undertakes a risk management 
approach that includes measuring threat, vulnerability, and 
consequences.
    There are a number of DHS initiatives underway that examine cyber-
related vulnerabilities in addition to physical risk and vulnerability 
assessments. In coordination with the private sector, DHS is 
identifying cyber vulnerability assessment best practices. This effort 
began with an evaluation of various methodologies in use throughout the 
public and private sectors. In addition, NCSD is working closely with 
other DHS components to ensure that cyber aspects of threat, 
consequence, and vulnerability analysis are consistently and 
appropriately included in risk methodology efforts. These efforts 
include the Risk Analysis and Management for Critical Asset Protection 
(RAMCAP), the Vulnerability Identification Self Assessment Tool, 
Comprehensive Reviews, and Site Assistance Visits.
    NCSD is sponsoring several exercise initiatives that will enhance 
U.S. preparedness in the event of a cyber incident and improve 
communication, coordination, and procedures between DHS, other 
government agencies, the public and private sectors, and with select 
foreign partners. In February 2006, NCSD will conduct the National 
Cyber Exercise: Cyber Storm, which will test federal response to a 
cyber-related incident of national significance; examine state, federal 
and international intra-governmental coordination; and emphasize 
public/private cooperation and communications using the energy, 
information technology, telecommunications and transportation sectors. 
In addition to Cyber Storm, NCSD has also coordinated extensively with 
and supported the creation of two regional partnerships in the Gulf 
Coast and the Pacific Northwest consisting of public and private sector 
entities. In each of these regions, NCSD has facilitated a tabletop 
exercise designed to raise awareness of infrastructure 
interdependencies and to identify ways to improve regional 
preparedness. Collaboration with State/local government and private 
sector companies has been instrumental in the success of our regional 
efforts in the Gulf Coast and Pacific Northwest. Through direct 
interaction and collaboration during exercises in these regions, NCSD 
has developed significant partnerships with the public and private 
sectors to better prepare for and become more capable of preventing, 
responding to, and recovering from a major cyber incident.
    Cyber exercises provide the environment to develop, coordinate, 
rehearse, and refine key processes; integrate infrastructure protection 
activities within other national-level plans; establish mechanisms for 
coordination and information exchange; and identify interdependencies, 
overlaps, and gaps so that all the critical infrastructure stakeholders 
at every level are better prepared for and more capable of preventing, 
responding to, and recovering from a major cyber incident, thereby 
reducing exposure to cyber vulnerabilities.

Q1c.  How do you decide what is ``secure enough''?

A1c. Determining a sufficient level of security is variable depending 
on the specific needs of an organization and the specific assets 
involved, their risk tolerance, and the availability of resources. By 
following established set standards such as International Organization 
for Standardization (ISO) 17799, an international security standard 
that includes a comprehensive set of controls comprising best practices 
in information security, as well as conducting risk assessments, 
entities may determine their ideal security level. This determination 
must be based upon the results of a risk assessment in which government 
and the private sector respectively, can reasonably decide what level 
of risk is acceptable or what areas need improvement and additional 
effort. Entities will make the determination regarding whether or not 
improvements and additional effort are necessary, based on availability 
of resources concerning their risk assessments and acceptable levels of 
risk.

Q1d.  Are government mandates needed to increase the Nation's progress 
on securing information systems and to get to ``secure enough''?

A1d. Government mandates would likely not increase the Nation's 
progress on securing systems to reach a state of ``secure enough.'' 
This is largely due to the fact that a state of ``secure enough'' will 
differ for each entity utilizing information systems and the fact that 
it would be very difficult to formulate a mandate that enhances 
security in a way that can evolve with the dynamic security and 
technology environment. Each operating environment is different and 
each entity, public or private, must determine what is needed to 
continue their individual critical operations based on their distinct 
environment. These case-specific needs will evolve over time.
    A comprehensive awareness program to include the promotion of a 
risk management approach, as well as accepted best practices and 
standards, is a more effective tool for enhancing cyber security and 
achieving a greater state of security. Under the NIPP framework, 
metrics are being developed to improve the measurement of cyber 
security across critical infrastructure sectors.

Q2.  Information Sharing

Q2a.  What information would Department of Homeland Security (DHS) find 
most helpful to receive from critical infrastructure and information 
technology companies? What do you, or would you, do with this 
information, and how would you protect sensitive information?

A2a. Industry information can allow NCSD (in partnership with other 
government entities and the private sector) to identify critical assets 
and interdependencies, vulnerabilities, and problematic cyber incidents 
and activity, assess cyber risk and prioritize measures to reduce 
vulnerabilities and cyber risk, generally, and minimize the severity of 
cyber attacks by timely warnings and by increased awareness and 
outreach efforts to improve the cyber security of critical 
infrastructures. DHS has established mechanisms, such as the Protected 
Critical Infrastructure Information program (PCII), to encourage 
industry to submit proprietary/sensitive information that will be 
protected and exempt from public disclosure as determined by the PCII 
program. In addition, entities may securely submit information through 
the United States Computer Emergency Readiness Team (US-CERT) secure 
website.
    Industry and government can provide many forms of information that 
are beneficial to NCSD. First, identification of cyber points of 
contact within organizations allows the US-CERT to disseminate 
information on cyber threats and vulnerabilities to the appropriate 
parties. Second, industry reporting of any cyber incidents (e.g., 
worms, viruses, attacks, etc.) to the US-CERT provides NCSD the ability 
to enhance cyber situational awareness across all sectors as well as to 
provide alerts and warnings back to the public. In addition, of 
particular importance from the private sector is information about 
major impacts that affect critical infrastructure operations.
    Third, the sharing of vulnerability assessment information with 
NCSD, including methodologies used, consequences of loss, and 
interdependencies, can assist NCSD in the identification of multi-
sector cyber vulnerabilities and in collecting best practices that can 
be shared across sectors. Information on the cyber vulnerabilities the 
private sector is most concerned about, tactics that might be used to 
exploit these vulnerabilities, or the likelihood from their perspective 
that these vulnerabilities could be exploited, will assist NCSD in 
determining the state of cyber security for the IT Sector and the 
Nation. Fourth, it is important for NCSD to receive information on 
current protective measures, business continuity plans, and current 
levels of resources applied to cyber security. Insight into this 
information can enable NCSD to work even more effectively with industry 
to address vulnerabilities and further enhance protective measures. 
Fifth, NCSD is working with critical infrastructure owners and 
operators, vendors, and other security partners to promote control 
systems security. Information on control system architectures, 
protective measures, metrics, and research and development will further 
enhance NCSD's situational awareness and understanding of the state of 
control systems security and the ability to provide protective measures 
that are relevant and meaningful to the industry.

Q2b.  Are you currently receiving the information you need? What are 
the principal barriers to information sharing? Are changes in 
legislation or regulations needed to overcome these barriers?

A2b. While NCSD does receive information from various stakeholders, we 
believe that we can improve upon our current level of analysis with 
more information. We continue to encourage companies, government 
agencies, and others to share information as described above.
    Perhaps the greatest barrier to private sector information sharing 
with the government is concern about the possible release of shared 
information to the public, either unintentionally or by legal statute, 
such as the Freedom of Information Act (FOIA). There is a concern that 
the release of shared information by either means could potentially 
lead to the exploitation of any disclosed vulnerabilities by malicious 
actors, cause damage to corporate reputation, and/or result in legal 
consequences.
    DHS, through the PCII program office, is pursuing ways to make the 
resulting program as effective as possible in furthering information 
sharing between the public and private sectors by providing industry 
protections and assurances through statutory exemption categories, as 
afforded by Congress.

Q3.  Response to Cyber Attacks

Q3a.  If the information systems of a critical infrastructure company 
were attacked today, is the U.S. prepared to detect the attack and 
repel it or repair the systems quickly?

A3a. Approximately eighty-five percent of the information 
infrastructure is owned and operated by the private sector; 
consequently, the majority of response activities reside with the 
private sector. In the case of attack on private sector infrastructure, 
NCSD's role includes providing support to the private sector in the 
form of warnings, incident response coordination, technical support, 
and coordination with law-enforcement as warranted. In addition, NCSD's 
US-CERT provides a national coordination center that links public and 
private response capabilities to facilitate information sharing across 
all infrastructure sectors and to help protect and maintain the 
continuity of our nation's cyber infrastructure. US-CERT serves as a 
24x7x365 cyber watch, warning, and incident response center, and 
provides coordinated response to cyber incidents, a web portal for 
secure communications with private and public sector stakeholders, a 
daily report, a public website (http://www.us-cert.gov/), and a 
National Cyber Alert System, which provides timely, actionable 
information to the public on both technical and non-technical bases. 
US-CERT also conducts malicious code analysis, provides malware 
technical support, and conducts cyber threat and vulnerability 
analysis. US-CERT works to advance relationships with infrastructure 
owners and operators to confirm attacks and enhance coordinated 
response activities.
    In addition, if the attack rises to the level of a cyber incident 
of national significance, the National Cyber Response Coordination 
Group (NCRCG) will help to coordinate the federal response, including 
law enforcement and the intelligence community, with that of the 
private sector. NCSD co-chairs the NCRCG with the Department of Justice 
and the Department of Defense. An additional thirteen federal agencies 
with a statutory responsibility for and/or specific capability toward 
cyber security, including the intelligence community, are members. NCSD 
serves as the Executive Agent and point of contact for the NCRCG. As 
directed by Homeland Security Presidential Directives 5 and 8, NCSD 
helped to create a Cyber Annex to the National Response Plan (NRP)\1\ 
that provides a framework for responding to cyber incidents of national 
significance. The Cyber Annex establishes the NCRCG as the principal 
Federal Government cyber response body.
---------------------------------------------------------------------------
    \1\ http://www.dhs.gov/dhspublicldisplay?theme=15&content=4269
---------------------------------------------------------------------------
    The government is prepared to respond to major cyber incidents in 
coordination with the private sector and is working to formalize 
incident response coordination by ensuring that standard operating 
procedures work in unison. NCSD is also working to facilitate, enhance, 
and ensure public-private coordination during major cyber incidents.

Q3b.  What about if it were an attack on the Internet?

A3b. As stated above, because approximately 85 percent of the 
information infrastructure is owned and operated by private industry, 
the majority of mitigation and restoration activity is borne by private 
industry. In this regard, NCSD's US-CERT is enhancing relationships 
with Internet owners, operators, and other associated industries to 
aide in incident coordination and communications with all players to 
facilitate rapid response to a significant cyber event or incident. 
Specifically, the US-CERT maintains regular communications with the 
Information Technology Information Sharing and Analysis Center (ISAC) 
and the Telecommunications ISAC. Additionally, US-CERT has established 
relationships with the Financial and Multi-State ISACs and is well 
coordinated with the ISAC Council that includes ISACs from other 
critical infrastructures. US-CERT is prepared to reach out and alert 
those within the ISAC communities and affected infrastructure sectors 
when necessary.
    A large-scale attack on the infrastructure of the Internet may 
constitute a cyber incident of national significance that would 
activate the NCRCG. The NCRCG is also building a more robust 
partnership with the IT sector, with Internet Service Providers, and 
through NCSD's responsibilities for the cyber component of the National 
Infrastructure Protection Plan (NIPP) to enable a collaborative, 
coordinated approach to attack mitigation and recovery.
    The NCSD also co-chairs the Internet Disruption Working Group 
(IDWG) with the National Communications Systems (NCS). The IDWG was 
established by the NCSD and NCS to form a strategic partnership with 
other key government agencies. Its focus is to identify and detail 
actions that can be taken in the near-term to enhance Internet 
resilience. An initial goal of the IDWG was to reach out to private 
sector stakeholders. A one-day IDWG Forum was conducted on November 29, 
2005 as an initial undertaking to bring subject matter experts together 
around a common concern: Internet disruption and hardening with a focus 
on gathering feedback on the most likely risk scenarios facing the 
Internet infrastructure today. Emphasis was placed on discussing 
immediate near-term needs and requirements for industry-government 
coordination in preparation for or during an Internet disruption of 
national significance. The IDWG will analyze outcome data from the 
forum to develop near-term action plans for risk preparedness, 
vulnerability mitigation, and response and reconstitution. Information 
will be provided to the NCS, NCRCG and the US-CERT for consideration as 
input to the update of the NRP/ESF-2 which is the overarching National 
plan for communications recovery/reconstitution activities. Near-term 
action plans are scheduled to be completed by the end of the 2nd 
quarter, FY06.

Q3c.  What role can and should DHS and other public and private 
organizations play in these response activities?

A3c. Although the private sector owns and operates such a large part of 
the information infrastructure, and that infrastructure represents a 
critical national asset, response activities reside with both the 
private sector and the government. DHS's role is to ensure the 
coordination and effectiveness of government preparedness and response 
efforts in partnership with the private sector.
    US-CERT is the operational arm for DHS's coordinated cyber 
preparedness and response and collaborates with affected parties to 
assist with rapid response. US-CERT also builds situational awareness, 
provides malicious code and vulnerability analysis, disseminates timely 
alerts and warnings, participates in exercises, develops and refines 
standard operating procedures, and provides training.
    As discussed above, the Cyber Annex to the National Response Plan 
(NRP), which provides a framework for responding to cyber incidents of 
national significance, establishes the NCRCG as the principal Federal 
Government response body. The NCRCG will engage the applicable private 
sector entities to ensure both the feasibility and comprehensiveness of 
the mitigation and recovery strategy.

Q3d.  What are the barriers to DHS, companies, or other organizations 
providing a quick, effective, and coordinated response?

A3d. NCSD views the current challenges to include clearly defined roles 
and responsibilities for response activities. Delineating roles and 
responsibilities between the public and private sectors with regard to 
response is well underway. The US-CERT Concept of Operations (CONOPS) 
provides federal agency reporting and coordination, while the NCRCG 
CONOPS provides response to a cyber incident of national significance. 
US-CERT and NCRCG continue to refine draft Standard Operating 
Procedures (SOPS) to ensure systemization and coordination of response 
actions. Also, as stated above, NCSD is working to facilitate, enhance, 
and ensure public-private coordination during major cyber incidents.
    NCSD's Cyber Storm exercise seeks to test whether in the event of 
an incident, the public and private sectors are prepared to act in a 
coordinated fashion. By examining homeland security cyber response and 
recovery mechanisms, NCSD can evaluate the existing resources and 
procedures to recommend improvements to information sharing, processes, 
and policies for a more coordinated and robust national cyber incident 
preparedness and response. Specifically, Cyber Storm will provide the 
opportunity for the lead agencies in the Federal Government to examine 
their SOPS and CONOPS in a controlled environment and make revisions 
based on the outcome of the exercise.

Q4.  Cyber Security R&D

Q4a.  What are the biggest technology gaps, or areas where research and 
development (R&D) are most needed, that you see in trying to protect 
information systems across critical infrastructure sectors?

A4a. For cyber security research and development (R&D) within the 
Department of Homeland Security, the Science and Technology (S&T) 
Directorate coordinates with the National Cyber Security Division 
(NCSD). NCSD collects, develops, and submits cyber security R&D 
requirements to provide input for the S&T Directorate's cyber security 
research priorities and to the federal cyber security R&D community. 
The most significant technology gaps where R&D is needed to protect 
information systems across critical infrastructure sectors fall into 
three categories: (1) technologies that are applicable to standard 
network-based information systems, [the Department of Homeland 
Security's (DHS) Science and Technology (S&T) Directorate is addressing 
some of these through existing and planned programs within the Cyber 
Security portfolio]; (2) technologies that are applicable to 
distributed control systems [the S&T Directorate is addressing these 
issues through existing programs within the Critical Infrastructure 
portfolio--see Q02935]; and (3) technologies that are relevant when 
enterprise information systems are directly connected to distributed 
control systems.
    Technologies needing further R&D related to distributed control 
systems are:

        --  Efficient, intelligent, cross-domain intrusion detection 
        systems

        --  Effective authentication and authorization technologies

        --  Methods for testing and verification of solutions to 
        retrofit existing systems

        --  Automated security assessments

        --  Efficient, low-cost encryption technologies

        --  Improved technologies for non-intrusive testing methods for 
        secondary (supervisory) instrumentation systems.

    Improved technologies needing further R&D related to enterprise 
systems connected to distributed control systems, but are not currently 
commercially available are:

        --  System-wide intrusion detection and prevention systems

        --  Intelligent firewalls

        --  Multi-level security systems

        --  High-level auditing and reporting systems

    The Federal Plan for Cyber Security and Information Assurance 
Research and Development (CSIA R&D Plan) marks the Federal Government's 
first step toward developing an agenda for the R&D listed above. The 
Plan responds to significant drivers for improved federal cyber 
security and information assurance R&D arising from current federal 
priorities, as outlined in the 2005 report of the President's 
Information Technology Advisory Committee (PITAC) and, additionally, 
the following documents: the OSTP/OMB Memorandum on Interagency R&D 
Priorities for FY 2007; Cyber Security: A Crisis of Prioritization, the 
2003 National Strategy to Secure Cyberspace; and the 2002 Cyber 
Security Research and Development Act (Public Law 107-305). The purpose 
of the Plan is to provide baseline information and an initial technical 
framework for a coordinated multi-agency R&D effort in cyber security 
and information assurance. The Plan was developed by the Cyber Security 
and Information Assurance Interagency Working Group (CSIA IWG) of the 
National Science and Technology Council (NSTC). The CSIA R&D Plan has 
been coordinated, and is consistent with the National Critical 
Infrastructure Protection Research and Development Plan, developed by 
OSTP and the S&T Directorate.
    The CSIA IWG was established by the Subcommittee on Infrastructure 
and the Subcommittee on Networking and Information Technology Research 
and Development (NITRD). The purpose of the IWG is to coordinate 
policy, programs, and budgets for cyber security and information 
assurance (CSIA) R&D. This includes identifying and integrating 
requirements, conducting joint program planning, and developing joint 
strategies for the CSIA R&D programs conducted by agency members of the 
Subcommittees. For the purposes of this document, CSIA includes 
fundamental and applied R&D, technology development and engineering, 
demonstrations, testing and evaluation, and education and training; and 
``agencies'' refers to federal departments, agencies, directorates, 
institutes, and other organizational entities.
    The following federal agencies are represented on the IWG:

          Department of Commerce:

                --  National Institute of Standards and Technology

          Department of Defense:

                --  Office of the Deputy Under Secretary of Defense for 
                Science & Technology

                --  Defense Information Systems Agency

                --  Defense Advanced Research Projects Agency

                --  Departments of the Air Force, Army, and Navy

                --  National Security Agency

                --  Technical Support Working Group (joint with 
                Department of State)

          Department of Energy

          Department of Health and Human Services:

                --  National Institutes of Health

          Department of Homeland Security:

                --  National Communications System

                --  National Cyber Security Division

                --  Science and Technology Directorate

          Department of Justice

          Department of State

          Department of Transportation:

                --  Federal Aviation Administration

          Department of the Treasury

          Central Intelligence Agency

          Environmental Protection Agency

          National Aeronautics and Space Administration

          National Science Foundation

Q4b.  What federal R&D programs exist in these areas and what are their 
funding levels?

A4b. We refer you to the Federal Plan for Cyber Security and 
Information Assurance Research and Development (CSIA R&D Plan) for a 
consolidated list of R&D programs in the areas listed above, broken out 
by federal agency. The Plan also includes detailed funding information 
for each of the programs.
    The federal agency funding information gathered during the CSIA 
Plan process was pre-decisional and of varying granularity; it was 
collected only to provide a preliminary indication of federal agency 
spending emphases in cyber security and information assurance. Thus, 
the baseline findings derived from this information should be viewed as 
useful in the aggregate, but not a comprehensive source of detailed 
investment data.
    DHS's S&T Directorate and the Office of Science and Technology 
Policy (OSTP) prepare an annual Critical Infrastructure Protection 
(CIP) R&D Plan, as mandated by Homeland Security Presidential Directive 
(HSPD)-7. The first of these plans is available to the public. It 
specifically addresses and combines ongoing R&D activities and future 
goals for both cyber and physical domains. This plan has been 
thoroughly coordinated across multiple federal agencies and includes 
input from the private sector, academia, and the national laboratories 
through a series of facilitated technical workshops. The plan was 
developed under the auspices of the Infrastructure Subcommittee of the 
National Science and Technology Council (NSTC), overseen by OSTP. The 
subcommittee further acts as an integrating mechanism for input and 
planning efforts conducted by two interagency working groups, one 
focused on physical security and one focused on cyber security, that 
report to the Subcommittee.
    Within the DHS S&T Directorate, the CIP and Cyber Security 
portfolios have several programs linking cyber security research to 
critical infrastructure protection:

          Process Control System Forum (PCSF)--This forum was 
        established this year to accelerate the development of 
        technology that will enhance the security, safety, and 
        reliability of process control system (PCS) and supervisory 
        control and data acquisition (SCADA) systems. The Forum 
        provides a united venue for industry and government (including 
        DHS's S&T Directorate, DHS's National Cyber Security Division, 
        and other partners) to work together in evaluating, specifying, 
        developing, refining, and testing new technologies. The S&T 
        Directorate has expended $1.5M in FY 2004, and obligated 
        another $1.5M in FY 2005. In FY 2006, it is anticipated that an 
        additional $750K will be used to fund PCSF.

          Control System Security Test Center (CSSTC)--In 
        collaboration with the Department of Energy (DOE) and its 
        resources and testing facilities, this program focuses on 
        developing procedures for enumerating the vulnerability of 
        process control systems to cyber attack and finding solutions 
        to correct these weaknesses. This is intended to be a close 
        private/public partnership effort with the critical 
        infrastructure industries that use and manufacture process 
        control systems. The CSSTC is run out of the National Cyber 
        Security Division; funding does not come from the Science and 
        Technology Directorate.

          Linking the Oil & Gas Industry to Improve Cyber-
        Security (LOGIC)--This public-private partnership is aimed at 
        reducing vulnerabilities in process control environments used 
        in the oil and gas sector by establishing a framework for 
        assessing risks, evaluating new technologies, and providing an 
        environment for collaborative cyber-security projects. 
        Currently in planning stages, this effort brings together 
        government and private sector stakeholders to identify a 
        working model for leveraging the collective resources of the 
        oil and gas sector, government agencies, and national 
        laboratories to improve process control system security. In FY 
        2006, the S&T Directorate intends to fund LOGIC and $500K.

          Small Business Innovative Research (SBIR) Awards--In 
        FY 2004, 13 Phase I SBIR projects were awarded in the area of 
        process control system security. In FY 2005, Phase II SBIRs 
        were awarded to a subset of the Phase I performers, on the 
        following topics:

                --  Advanced Security for SCADA Systems;

                --  Protection of SCADA Systems Using Physics Based 
                Authentication and Location Awareness;

                --  Improved Security Information Management for SCADA 
                Systems;

                --  A Robust Secure Management System for SCADA/EMS 
                Operations; and

                --  A Toolkit for Next Generation Electric Power SCADA 
                Security Protection and Research.

    In SBIRs for SCADA/Process Control Security, the S&T Directorate 
has committed/obligated approximately $3.75M for the Phase II efforts.

Questions submitted by Representative Bart Gordon

Q1.  Earlier this year, GAO reported to Congress (GAO-05-827T) that the 
Department of Homeland Security ``has not yet developed national cyber 
threat and vulnerability assessments or government/industry contingency 
recovery plans for cyber security, including a plan for recovering key 
Internet functions.''

Q1a.  What is the current status of progress toward developing national 
cyber threat and vulnerability assessments, and by what date or dates 
do you estimate such assessments will be completed?

A1a. As part of NCSD's participation in the development of the National 
Infrastructure Protection Plan (NIPP), the NIPP Base Plan discusses 
cyber security and the cross-sector cyber element of critical 
infrastructure and key resources protection across all 17 critical 
infrastructure sectors. It also highlights cyber security concerns in 
an appendix that provides additional details on processes, procedures, 
and mechanisms needed to achieve NIPP goals and the supporting 
objectives for cyber security. The cyber security appendix specifies 
cyber responsibilities for security partners, processes and initiatives 
to reduce cyber risk, and milestones and metrics to measure progress on 
enhancing the Nation's protection of cyber infrastructure.
    The draft NIPP Base Plan was released for final review and comment 
on November 2, 2005 and addresses the federal, State, territorial, 
tribal, local, and private sector roles and responsibilities for 
critical infrastructure protection. It will be completed in early 2006. 
The 17 critical infrastructure and key resource (CI/KR) Sector-Specific 
Plans (SSPs) will further detail risk reduction strategies related to 
their respective critical cyber infrastructure. The SSPs will be 
completed in 180 days after the publication of the NIPP Base Plan.
    In addition to physical risk and vulnerability assessments, there 
are a number of DHS initiatives underway that examine cyber-related 
vulnerabilities. DHS, in coordination with the private sector, is 
identifying cyber vulnerability assessment best practices. This effort 
began with an evaluation of various methodologies from across public 
and private sectors. NCSD is also working closely with other DHS 
components to ensure that cyber aspects of threat, consequence, and 
vulnerability analysis are consistently and appropriately included in 
risk methodology efforts. These efforts include the Risk Analysis and 
Management for Critical Asset Protection (RAMCAP), the Vulnerability 
Identification Self Assessment Tool, Comprehensive Reviews, and Site 
Assistance Visits. To achieve this objective, NCSD will:

        1)  Support the development of cyber components of RAMCAP.

        2)  Complete its evaluation of public and private sector 
        vulnerability assessment methodologies and document best 
        practices in Q1FY06 for integration into other efforts;

        3)  Integrate cyber issues and best practices into DHS risk 
        management and vulnerability assessment methods and tools 
        through ongoing and continued collaboration and coordination 
        with DHS entities as methods and tools are implemented; and

        4)  enhance understanding of the impact of cyber attacks by 
        analyzing the consequences (i.e., economic, human, physical) of 
        cyber attacks on critical infrastructure sectors by Q3FY06.

    In addition, NCSD's US-CERT Control Systems Security Program and 
the US-CERT Control Systems Security Center (CSSC) work to reduce 
control system vulnerabilities in our critical infrastructure. The 
Control Systems Security Program coordinates efforts among Federal, 
State, and local governments, as well as control system owners, 
operators, and vendors to improve control system security within and 
across all critical infrastructure sectors by reducing cyber security 
vulnerabilities and risk. The US-CERT CSSC coordinates control system 
incident management, provides timely situational awareness information, 
and manages control system vulnerability and threat reduction 
activities. The US-CERT CSSC brings together government, industry, and 
academia to reduce vulnerabilities, respond to threats, and foster 
public/private collaboration. NCSD and the Control Systems Security 
Program are also working with other DHS components to ensure that 
control systems security is integrated into risk and vulnerability 
assessment methodologies and tools designed for use across multiple 
sectors.
    Further, to reduce control system vulnerabilities in our critical 
infrastructure, CSSC developed a draft cyber security protection 
framework for identifying control systems security protection measures 
and comparing them against existing security standards. The framework 
provides a systematic methodology for assessing the cyber security 
posture of control systems. It is designed to reduce the burden on 
owners and operators by providing them with a means to select 
protective measures that apply to their specific architecture and 
operating environment and reduce their respective risk.
    As part of this framework, the CSSC also has capabilities at Idaho 
National Laboratory to perform vulnerability assessments of control 
systems. The CSSC is working with commercial vendors and Department of 
Energy (DOE) to complete assessments of three different control systems 
to identify cyber vulnerabilities, reverse engineer exploits, and 
provide solutions to secure vendor systems. A code-based analysis has 
also been conducted in cooperation with a vendor/manufacturer to 
identify possible vulnerabilities and recommendations to secure the 
system.
    The cyber security protection framework also leverages best 
practices from industry for securing control systems against cyber 
attacks and organizes them so the control systems community can 
identify specific solutions to their security vulnerabilities. As part 
of the framework, implementation tools, such as a ``self-assessment 
tool,'' have also been developed to allow owners and operators of 
industrial control systems to perform on-site self-assessments against 
a database of categorized security requirements.
    In addition, NCSD's Law Enforcement/Intelligence Branch has 
multiple efforts underway in this area. For example, the Law 
Enforcement/Intelligence Branch, in collaboration with the Homeland 
Infrastructure Threat and Risk Assessment Center, (HITRAC), has created 
a draft Domestic Cyber Risk Estimate to evaluate the threats emanating 
from inside the U.S., to complement international threat assessments 
completed by the intelligence community. HITRAC is comprised of subject 
matter experts from the Office of Infrastructure Protection and the 
Office of Intelligence and Analysis.

Q1b.  What is the current status of progress toward developing 
government/industry contingency recovery plans for cyber security, 
including a plan for recovering key Internet functions, and by what 
date or dates do you estimate such recovery plans will be completed?

A1b. DHS is confronting this security challenge through the work of the 
Internet Disruption Working Group (IDWG), a partnership between the 
NCSD and the National Communications System (NCS). To initiate the 
substantive work of IDWG, the NCSD conducted a one-day IDWG Forum with 
major public sector partners and subject matter experts in late 
November 2005. Participants at the Forum will work to continue to 
collaboratively work in identifying actions that can be taken in the 
near-term to better protect against, respond to, and reconstitute 
following an Internet disruption. Topics discussed included: risk 
scenarios; path forward/near-term protective measures; key Internet 
infrastructure components; path forward/near-term response; scope of 
disruption analysis (or ``thresholds''); and path forward/near-term 
response.
    The IDWG will analyze outcome data to develop near-term action 
plans for risk preparedness, situational awareness, vulnerability 
mitigation, and response and reconstitution. Information will be 
provided to the NCS, NCRCG, and the US-CERT for consideration as input 
to the update of the National Response Plan (NRP)/Emergency Support 
Function (ESF) #2, which is the overarching National plan for 
communications recovery/reconstitution activities. Near-term action 
plans are scheduled to be completed by the end of the 2nd quarter, 
FY06. Action plans will be composed detailing near-term steps for 
industry and government to increase Internet resiliency.
    In addition, the Emergency Support Function #2, Communications, is 
one of fifteen emergency support functions (ESF) maintained by the 
Federal Emergency Management Agency (FEMA) as part of the Federal 
Response Plan (FRP). The National Communications System (NCS) is 
responsible for ESF #2, which ensures the federal telecommunications 
support to federal, State and local response efforts following a 
Presidentially declared major disaster, emergency or extraordinary 
situation under the FRP. Because the Internet backbone is telecom-
based, NCS's expertise will help to promote the survivability of the 
Internet and recovery after disruption. NCSD and NCS have agreed to 
explore the need for possible recommendations to revise ESF-2 to ensure 
that cyber is appropriately accounted for (with SOPs as appropriate).

Q2.  The Critical Infrastructure Information (CII) program, which is 
authorized by the statute creating the Department of Homeland Security 
(DHS), is intended to protect cyber security related information 
provided voluntarily to DHS by the private sector. In response to a 
question at the hearing, you indicated that DHS has interim rules in 
place for instituting the CII program.

Q2a.  What is the current status of the CII program and by what date do 
you estimate that the final rule for its implementation will be in 
place?

A2a. The Department has synthesized the comments received and has 
reviewed the operating experience with the program to date. The item 
has a very high priority; however, DHS is committed to making sure that 
the rule and the Program work effectively for the Department and 
critical infrastructure owners/operators, and thus, the draft document 
has been undergoing further refinement. In the meantime, based on its 
operating experience, the PCII Program Office has already been 
implementing changes in its operating procedures to respond to some of 
the issues raised in the comments to make PCII more flexible/useful for 
submitters. The editing process is nearing completion. Before going to 
the Federal Register, the Rule must be submitted to OMB for interagency 
coordination. The Department is committed to working to resolve any 
issues that may arise there as quickly as possible. The rule will be 
published as a Final Rule and DHS will continue to work with submitters 
and government users to address implementation issues as they arise.
    In addition to these efforts toward a Final Rule, approximately a 
year ago, DHS' PCII Office implemented a way for companies to sign up 
to submit protected critical infrastructure information to NCSD on a 
recurring basis through the secure US-CERT Portal. Since then, NCSD has 
been working toward a mechanism to enable companies to submit protected 
information on an episodic basis, rather than having to pre-enroll. 
This mechanism is scheduled to be implemented in early 2006. 
Additionally, the Department has been working to establish a pilot with 
the NCSD/US-CERT submissions to allow the submitter to request limited 
dissemination of their information. This effort is expected to be 
active in early 2006 as well.

Q2b.  What are the principal concerns of the private sector thus far 
regarding implementation of the CII program, and how is DHS responding 
to these concerns?

A2b. One of the main concerns frequently expressed by the private 
sector with respect to the PCII Program is dissemination of information 
shared by the private sector. Several organizations have stated that 
they would contemplate sharing cyber related information with NCSD if 
dissemination of their information were limited to only NCSD. As a 
result, NCSD has begun working with the PCII Program Office in 
`piloting' the capability for an entity to submit CII information 
directly to NCSD and request that information be limited in its 
dissemination to only NCSD. We expect this pilot effort, consistent 
with the interim final rule, to be operational shortly.

Q3.  In his testimony, Mr. Freese indicated that the Process Control 
Security Forum is doing good work in developing design guidelines for 
the next generation of more secure control systems, and he suggested 
the need for support from DHS for seed money to support the 
implementation of ideas and concepts developed by the Forum.

     What is your view of the value of the Process Control Security 
Forum, and what is your response to Mr. Freese's suggestion?

A3. The Process Control Systems Forum (PCSF) is an industry lead group 
comprised of many interest and working groups with the focus of 
securing legacy and next generation control systems. The PCSF is 
sponsored by the Department of Homeland Security's Science & Technology 
(S&T) Directorate. The NCSD co-chairs the PCSF and supports the PCSF in 
their mission to accelerate the design, development, and deployment of 
more secure control and legacy systems currently embedded with our 
nation's critical infrastructure. The NCSD Control Systems Security 
Program's (CSSP) goal is to reduce the risk from a cyber attack to 
control systems associated with our nation's critical infrastructure. 
The NCSD CSSP provides recommendations for areas of research and 
development (R&D) to the S&T Directorate as gaps and vulnerabilities 
are identified in control system cyber security.
    NCSD's CSSP is an active participant within the PCSF. The CSSP 
leads several interest groups within the PCSF in order to inform and 
receive comments on CSSP initiatives, such as the Control Systems 
Security Framework and Self-Assessment tool and control systems 
security focused standards. The value of the PSCF is its ability to 
reach out to representatives of the critical infrastructure sectors, 
such as chemical, water, energy, and telecommunications, which utilize 
Process Control Systems (PCS) and Supervisory Control and Data 
Acquisition (SCADA). The NCSD actively engages with the PSCF to reach 
vendors and asset owners as part of its outreach efforts. More 
recently, for example, the NCSD CSSP published the Hurricane Katrina 
Control Systems Assistance Informational Paper, which provided guidance 
for rebuilding and securely restarting control systems. The paper is 
available on the PCSF website, as well as the NCSD US-CERT website.

Question submitted by Representative Eddie Bernice Johnson

Q1.  I understand that the Secretary of Homeland Security created the 
new position of Assistant Secretary of Cyber Security and 
Telecommunications. Why has this position not yet been filled, and when 
will it be filled?

A1. As with other key leadership positions, the Assistant Secretary for 
Cyber Security and Telecommunications position requires a unique skill 
set of managerial and substantive expertise and we are in the process 
of reviewing the qualifications of several candidates. The Department 
will move forward with the process of identifying a suitable nominee as 
quickly as possible.
                   Answers to Post-Hearing Questions
Responses by John S. Leggate, Chief Information Officer and Group Vice 
        President, Digital & Communications Technology, BP Plc., United 
        Kingdom

Questions submitted by Chairman Sherwood L. Boehlert

Q1.  Measuring Cyber Security

Q1a.  How do you measure your company's cyber security?

A1a. We assess our capability to manage security vs. the risk, assessed 
through a combination of assessment of threats against the company, the 
potential weaknesses in systems and processes and the impact that such 
exposures could have.

Q1b.  How do determine if your company's level of cyber vulnerability 
is being reduced?

A1b. The assessment approach stated above measures risk reduction 
activities such as device patching and the relevance of such actions.

Q1c.  How do you decide what is ``secure enough''?

A1c. The impact assessment, measuring financial and non-financial 
impact (such as safety, environment, effect on society, regulatory 
compliance and reputation) determines whether something matters to the 
company. The likelihood of the event, assessed by threat intelligence 
and effectiveness of controls determines how much action needs to be 
taken.

Q1d.  Are there specific metrics you use in evaluating the cyber 
security of your company?

A1d. We use specific metrics relating to the effectiveness of 
particular controls or the trend of threats. We have a scale used for 
assessing impact for the most significant risks. (Broader concepts such 
as value at risk have as yet proved illusory in the case of operational 
risks).

Q1e.  How should the Department of Homeland Security (DHS) determine if 
the Nation is making progress?

A1e. Firstly, through risk assessment of security--what is at risk and 
how well is it protected, the capabilities deployed, measured in the 
form of skilled people, deployed security technologies and processes. 
Secondly through the number of security events being reported.

Q1f.  Are government mandates needed to increase the progress and get 
to ``secure enough''?

A1f. The government should always avoid mandating specifics, as true 
knowledge of the most appropriate control always exists within the 
sector (no matter which sector). However, government should mandate 
processes and actions that ensure that cross-sector risks are 
identified and picked up and that sectors measure themselves against 
their own standards.
Business Case for Cyber Security

Q1g.  Within your company, how do you make the business case for the 
costs associated with more secure information technology products? What 
can the Federal Government do to help you make this case and make 
investment in cyber security more attractive?

A1g. The security requirements for information technology products are 
generally little more than the basics of good integrity, i.e., no 
vulnerabilities. The addition of simple security measures like 
frrewalls and anti-virus and next generation protection of data is just 
good business. No special action is required outside normal good 
business practice. The government need take no additional action.

Q2.  Information Sharing

Q2a.  What information would you find most helpful to receive from the 
government (especially DHS) or from other companies when you are making 
decisions related to what cyber security you need. When responding to 
an attack or an incident?

A2a. Threat information about new risks and problems being encountered 
in near real-time.

Q2b.  What information have you been asked for by DHS that you feel 
uncomfortable providing and why?

A2b. Detail of security events and known vulnerabilities. We have no 
assurances as to the protection of our information, who has access to 
it and how it will be used. Additionally we are concerned that there 
will be demands put on the individuals dealing with the incident that 
are no in the best interest of our company.

Q2c.  What are the principal barriers to information sharing: Are 
changes in the legislation or regulations needed to overcome these 
barriers?

A2c. Simple trust between one person and another. It takes time to 
build and needs processes to bed in before it works. Changes in process 
such as a move from ISACs to central DHS actions was a backward step in 
this fragile trust model. Government funding to help the information 
sharing infrastructure is invaluable in getting over the lead time 
between starting and seeing value (which is a barrier for company 
funding).

Q3.  Responding to Cyber attacks

Q3a.  If the information systems of a critical infrastructure company 
were attacked today, is the U.S. prepared to detect the attack and 
repel it or repair the systems quickly?

A3a. It depends on the industry, the nature of the attack and the 
company itself. Response would range from excellent to poor. As a whole 
the U.S. Government would probably not be of much help in helping 
critical infrastructure companies; however, the company themselves may 
be prepared to handle the majority of attacks.

Q3b.  What about if it were an attack on the Internet?

A3b. There is no coordinated response to an Internet attack. Recovery 
would be by adhoc action and if unlucky could be catastrophic if the 
impact spread across sectors. Lots of very good technical people work 
on an adhoc basis but there is NO strategic plan or coordinated effort.

Q3c.  What role can and should DHS and other public and private 
organizations play in these response activities?

A3c. DHS itself can do little in the response, this has to be done by 
the companies that own the infrastructure itself. DHS can help best in 
analysis, preparedness and planning.

Q3d.  What are the barriers to DHS, companies or other organizations 
providing a quick, effective and coordinated response?

A3d. Poor planning and lack of understanding of interdependencies and 
weak points but most of all TRUST. DHS has done little to foster trust 
with the critical infrastructure companies.

Q4.  International Cyber Security

Q4a.  In your experience working with multiple Federal Governments on 
cyber security, what notable differences exist between the approach of 
the U.S. and that of other countries?

A4a. The U.S. approach is paradoxical, there seems to be good funding 
in total but this is not integrated into a focused program. The lack of 
continuity and lack of seniority in the cyber security part of DHS has 
led to fragmentation of the program with many activities being started 
but few big wins to point at. Cyber Security has taken a back seat 
especially in R&D--DHS S&T is only spending about $15 million on cyber 
security.

Q4b.  Are other countries supporting activities that the U.S. should be 
doing too?

A4b. Delivery of specifics such as practical solutions from funded 
research, novel cyber-intelligence, and user-led security solutions 
fora have all been seen to add great value in the programs of some 
other countries.

Q5.  What is the Department of Homeland Security doing to foster 
private sector efforts in cyber security and what could the agency do 
that it is not doing now?

A5. The ISACs presented a great opportunity for private sector 
engagement, but DHS has programmatically eliminated independent ISACs. 
The initiatives should be given focus and direction to have specific 
rather than generic work programs.

Q6.  Are effective practices procedures and technologies now available 
to guard against the adverse impacts of cyberspace vulnerabilities?

A6. As we digitize more and more we need to have a significant 
improvement in software engineering to create systems of adequate 
integrity. This philosophy is still not present in the IT industry.

Q7.  Are there shortcomings for particular critical infrastructure 
areas?

A7. As traditional process control technologies such as SCADA/DCS 
continue to integrate with Commercial Off The Shelf IT systems we see 
vulnerabilities and threats being introduced into environments that 
cannot be changed to deal with them. A new class of co-existing 
security protection is required to address legacy systems until such 
time as new, built-secure technologies can take their place.
                   Answers to Post-Hearing Questions
Responses by David E. Kepler, Corporate Vice President of Shared 
        Services and Chief Information Officer, The Dow Chemical 
        Company

Questions submitted by Chairman Sherwood L. Boehlert

Q1.  Measuring Cyber security

          How do you measure your company's cyber security?

          How do determine if your company's level of cyber 
        vulnerability is being reduced?

          How do you decide what is ``secure enough''?

          Are there specific metrics you use in evaluating the 
        cyber security of your company?

          How should the Department of Homeland Security (DHS) 
        determine if the Nation is making progress?

          Are government mandates needed to increase the 
        progress and get to ``secure enough''?

A1. Dow Chemical has a disciplined process to manage risk and address 
cyber security in our company. The metrics established in this 
framework allow us to analyze our effectiveness against priorities, 
understand internal support for addressing these priorities, and 
identify strengths and areas for improvement in our efforts. This 
framework also provides a valuable mechanism to compare our own 
priorities and self-assessments against those of peer companies. Our 
processes are based on industry standards and best practices.
    Today's world requires us to maintain constant vigilance and effort 
to ensure our security. There is no foreseeable point where we as a 
company can declare we are ``secure enough.'' We must continue to 
assess our risk and vulnerabilities applying the necessary investments, 
resources and management systems to effectively manage risk and 
mitigate vulnerabilities on an on-going basis.
    The Department of Homeland Security (DHS) cannot be everything to 
everyone. Instead, it is in our national interest for DHS to place a 
priority and focus on cyber threats of significant consequence that 
could interrupt our nation's critical information and communications 
infrastructure or cause significant disruption to our economy. DHS 
should be measured by how well they plan, defend, and respond to such 
threats of national consequence.

Q2.  Business Case for Cyber Security

     Within your company, how do you make the business case for the 
costs associated with more secure information technology products? What 
can the Federal Government do to help you make this case and make 
investment in cyber security more attractive?

A2. Information systems are critical to Dow Chemical's business 
operations and are integral to the competitive advantage of our 
company. Ensuring the reliability and security of our systems, 
processes, and information is of the utmost importance. The business 
case for cyber security is very simple for us. If our critical 
information systems or manufacturing control systems are compromised, 
our ability to conduct business is compromised. Investments are based 
on impact to our current operations and stakeholders, not for benefit 
return.

Q3.  Information Sharing

          What information would you find most helpful to 
        receive from the government (especially DHS) or from other 
        companies when you are making decisions related to what cyber 
        security you need. When responding to an attack or an incident?

          What information have you been asked for by DHS that 
        you feel uncomfortable providing and why?

          What are the principal barriers to information 
        sharing: Are changes in the legislation or regulations needed 
        to overcome these barriers?

A3. DHS should strive to provide specific information regarding pending 
threats, likely attacks, and recommended response plans where possible. 
Although understanding this is not always feasible, it is necessary to 
have an ongoing, two-way dialogue with critical infrastructure sectors 
on the current threat environment, likely trends, and potential 
mitigation options.
    We believe DHS has established programs, such as PCII, and 
continues to revise theses programs as necessary to enable the 
effective sharing of information from the private sector to DHS. 
However, we believe DHS and the private sector communications need to 
be protected in both directions to enable dialogue on highly sensitive 
areas. PCII only protects information we submit, it does not promote 
reverse sharing. An additional concern is the growing number of 
requests from federal agencies outside DHS and State agencies for 
security and proprietary sensitive information that could otherwise be 
protected as PCII. If requested under broad authority granted by 
various laws and statutes, the information would be considered 
``independently obtained,'' and would not be protected under existing 
DHS programs.
    Further, even programs within DHS, such as protection of SSI, are 
not consistent with PCII and do not offer equivalent protections. 
Efforts must be taken to harmonize the protection of information within 
DHS and across all governmental agencies to ensure that critical 
security information is not compromised and that development of 
important security information and sharing of such information is 
encouraged. We believe that DHS should be empowered as the central 
agency responsible for the protection of security sensitive and 
proprietary sensitive information. Redundant requests from other 
agencies should be limited, and if information sharing is required 
across federal, state and local agencies, it must have the same level 
of protections provided by PCII.

Q4.  Responding to Cyber attacks

          If the information systems of a critical 
        infrastructure company were attacked today, is the U.S. 
        prepared to detect the attack and repel it or repair the 
        systems quickly?

          What about if it were an attack on the Internet?

          What role can and should DHS and other public and 
        private organizations play in these response activities?

          What are the barriers to DHS, companies or other 
        organizations providing a quick, effective and coordinated 
        response?

A4. The U.S. must be prepared to address high consequence cyber attacks 
to our nation's critical information and communications infrastructure. 
Research and development efforts need to be focused on how best to 
anticipate and model, detect, defend, and respond to significant 
interruptions to the Internet and communications infrastructure. More 
needs to be done to focus attention on these high risk concerns--
ensuring adequate planning, resources, and management structure are in 
place to respond to these high-risk scenarios. Less engagement in 
security and reliability solutions is needed as this is being addressed 
by marketplace forces.

Questions submitted by Representative Eddie Bernice Johnson

Q1.  What is the Department of Homeland Security doing to foster 
greater private sector efforts in cyber security and what could the 
agency do that it is not doing now?

A1. DHS is currently initiating a number of projects they believe will 
increase cyber security in the private sector. However, these efforts 
are not well coordinated with the private sector and appear to lack 
coordination within the agency itself. A chartered engagement with the 
Chemical Sector's Security Program is needed to understand and address 
the highest areas of risk to our country as it relates to the chemical 
sector.

Q2.  Are effective practices, procedures, and technologies now 
available to guard against the adverse impacts of cyberspace 
vulnerabilities? Are there shortcomings for particular critical 
infrastructure areas?

A2. Speaking for the chemical industry, we have established the 
Chemical Sector Cyber Security Program to create guidance and reference 
procedures as well as best practices across our industry. For over 
three years, this program has actively engaged to educate large and 
small chemical companies and to build guidance into industry programs 
such as the Responsible Care Security Code.
    Although technology is improving, the current approach of releasing 
software and infrastructure with security vulnerabilities that requires 
patching later must be addressed. Information technology providers must 
more thoroughly test their products for existing security threats and 
apply necessary protections against anticipated future threats. The 
market appears to be working--incenting companies to provide much more 
secure software and systems. However, if this trend does not continue, 
government intervention may be needed to ensure information technology 
is fully developed and secured before being released into the 
marketplace. Companies have the financial capability to address this, 
and government sponsored R&D should not be required.
                   Answers to Post-Hearing Questions
Responses by Gerald S. Freese, Director of Enterprise Information 
        Security, American Electric Power

Questions submitted by Chairman Sherwood L. Boehlert

Q1.  Measuring Cyber Security

Q1a.  How do you measure your company's cyber security?

A1a. Measurement is most effective against a backdrop consisting of a 
security policy and standards. Measurement is accomplished in several 
ways, depending on the intended focus:

          Compliance with internal security standards--measured 
        against metrics derived from self-imposed security requirements 
        (based on business drivers and best practices).

          Compliance with regulatory requirements--measured 
        against externally generated security mandates (Sarbanes Oxley, 
        HIPAA, FERC, GLB, etc.).

          Penetration testing--Tests technical security 
        architecture for vulnerabilities. Provides multiple levels of 
        security gap determinations and direction for remediation.

Q1b.  How do you determine if your company's level of cyber 
vulnerability is being reduced?

A1b. Using periodic scanning of networks, servers and workstation for 
known vulnerabilities; ongoing compliance checks determine levels of 
compliance with standards. Compliance checks rely on the use of 
technical and process metrics developed through best practices or 
regulatory requirements.

Q1c.  How do you decide what is secure enough?

A1c. ``Secure enough'' is determined through analysis of several 
variables; these are risk to business systems, regulatory requirements 
and the level of security implemented in the technical architecture.

Q1d.  How should DHS determine if the Nation is making progress?

A1d. DHS must continue to work toward comprehensive information sharing 
with critical infrastructure industries. The NIPP is an excellent start 
toward greater cooperation but the PCII program needs to be fully 
implemented and socialized to be effective.

Q1e.  Are government mandates needed to increase the progress and get 
to ``secure enough?''

A1e. Critical infrastructure industries do not want government mandates 
to increase security. Unfortunately, there is no way for the government 
to effectively help protect critical infrastructure if its components 
do not have some consistency in the level of risk-based protection they 
have in place. I feel that at some point in the future, government will 
step in and establish federal requirements. Hopefully they will do it 
with full industry collaboration.

Q2.  Business Case for Cyber Security

Q2a.  Within your company, how do you make the business case for the 
costs associated with more secure information technology products?

A2a. In several ways: Regulatory or legislative requirements; Risk 
identification and mitigation; Cultivating strong executive support for 
CI protection.

Q2b.  What can the Federal Government do to help make this case?

A2b. The government can provide more pertinent, substantiated threat 
information. They can also design financial assistance for selected 
protective measures. These would have to be accomplished with extensive 
collaboration with the private sector.

Q3.  Information Sharing

Q3a.  What information would you find most helpful to receive from the 
government (especially DHS) or from other companies when you are making 
decisions related to what cyber security you need? When responding to 
an attack or an incident?

A3a. In question two, we discussed that there is a need for more 
pertinent and substantiated threat information from the government. 
When responding to an attack or incident, government sources, outside 
of some law enforcement liaison, will probably be less timely than 
commercial enterprises specializing in early warning and incident 
response measures. Attacks or exploits, however, are threats come to 
fruition. Initial government involvement in early warning and threat 
analysis would go a long way toward better prevention or deflection of 
these exploits.

Q3b.  What information have you been asked for by DHS that you feel 
uncomfortable providing? Why? What are the barriers to information 
sharing? Are changes in legislation or regulations needed to overcome 
these barriers?

A3b. On numerous occasions, federal and State DHS authorities have 
asked us for information on our critical assets and on the protective 
measures (physical and cyber) surrounding them. Without the PCII 
program in place, we are very reluctant to provide that data, and have 
repeatedly declined their requests. We cannot be sure under the current 
situation of only partial implementation of the PCII program who will 
have access to that data. Once PCII is fully established and 
implemented, we will revisit information sharing and support the 
effort. We are committed to doing all we can to help the government 
protect our nation's critical infrastructure.

Q4.  Responding to Cyber Attacks

Q4a.  If the information systems of a critical infrastructure company 
were attacked today, is the U.S. prepared to detect the attack and reel 
it or repair the systems quickly?

A4a. While there are many companies that have successfully repelled one 
or more major cyber attacks, many more have not and a good number could 
not. Those that have the security technology and mature incident 
response programs are usually well equipped to handle both directed and 
general cyber attacks. Those that have few technical solutions in place 
or that have poorly defined incident response procedures are often 
victims of even the most well-known and preventable threats. So the 
answer to this question must be qualified with an ``it depends on who 
is attacked'' caveat. Overall as a country I believe we are not well 
equipped to repel such attacks.

Q4b.  What about if the attack were on the Internet?

A4b. If attacks are recognized quickly (very likely) and there are 
preventive measures already in place and properly configured, responses 
after a major Internet attack can probably effectively thwart 
attackers. These measures range from network and system processes to 
equipment/communication redundancy.

Q4c.  What role can and should DHS and other public and private 
organizations play in these response activities?

A4c. DHS should be providing the most up to date threat data available, 
along with analysis of potential and actual cyber threats. In addition, 
they should provide awareness information to companies that is 
substantive, citing examples of attacks, providing recommended 
solutions and adding real value to the knowledge base. To make this 
more meaningful, DHS might want to make this a collaborative effort 
with commercial companies that already have a large critical 
infrastructure customer base.

Q4d.  What are the barriers to DHS companies or other organizations 
providing a quick, effective and coordinated response?

A4d. I can't speak for other companies, but regarding DHS, it needs to 
staff its ranks with true cyber security experts and be willing to pay 
the costs of their expertise. This does not mean hiring the standard 
group of government contractors. It means recruiting individuals from 
the commercial world that have industry credibility, can offer real 
knowledge and experience and feel that protecting critical 
infrastructure is a vital mission for our national security.

Q4e.  What is DHS doing to foster greater private sector efforts in 
cyber security, and what could the agency do that it is not doing now?

A4e. DHS seems to be addressing most of the right areas as evidenced by 
the NIPP draft. They are also increasing involvement in industry 
groups, making sure their message is being effectively communicating. 
What they could add is accurate threat data and greater awareness of 
the impact that cyber attacks can have on the infrastructure and 
economy.

Q4f.  Are effective practices, procedures and technologies now 
available to guard against the adverse impacts of cyberspace 
vulnerabilities? Are there shortcomings for particular critical 
infrastructure areas?

A4f. Currently there are effective practices, procedures and 
technologies available. And they will keep improving. The problem is 
that these are not used consistently across all infrastructure 
organizations. Unfortunately, with cyber security we're still only as 
strong as our weakest link.
                   Answers to Post-Hearing Questions
Responses by Andrew M. Geisse, Chief Information Officer, SBC Services, 
        Inc.

Questions submitted by Chairman Sherwood L. Boehlert

Q1.  Measuring Cyber Security

     How do you measure your company's cyber security? How do you 
determine if your company's level of cyber vulnerability is being 
reduced? How do you decide what is ``secure enough''? Are there 
specific metrics you use in evaluating the cyber security of your 
company? How should the Department of Homeland Security (DHS) determine 
if the Nation is making progress? Are government mandates needed to 
increase the progress to get to ``secure enough''?

A1. There is no single metric or measurement that suffices to describe 
a company's cyber security readiness. SBC proactively determines the 
cyber security readiness of its environment through the use of internal 
and external audit reviews, secure system management compliance, 
application security compliance, routine scans to identify 
vulnerabilities, and periodic component review within the 
infrastructure. In addition, an annual assessment of deployed security 
solutions is conducted based upon new or changing requirements and 
conditions. SBC also has a team of IT Security professionals dedicated 
to the protection of its internal cyber resources. A key metric for SBC 
is the number of attempted and investigated intrusions within the 
environment and the corrective actions taken to address them.
    As a way to measure private companies' progress towards cyber 
security, the Department of Homeland Security could use publicly 
reported information, such as annual Sarbanes-Oxley disclosure reports.
    Government mandates should not be necessary. The DHS could focus on 
cyber security best practices and standards. Also helpful would be 
tools so companies could measure their compliance towards those best 
practices.

Q2.  Business Case for Cyber Security

     Within your company, how do you make the business case for the 
costs associated with more secure information technology products? What 
can the Federal Government do to help you make this case and make 
investment in cyber security more attractive?

A2. SBC well understands the need for cyber security, within the 
company infrastructure and as a service we can provide to users of our 
data products. Business cases to support cyber security preparedness to 
protect internal cyber resources must clearly define the risks to the 
business, the security tools needed and processes required, and then 
should be evaluated based on needs of the business. Most often, 
business cases supporting cyber security are developed because of new 
business opportunities, changing cyber technologies, new identified 
vulnerabilities, growth of our environment, or new legislative 
requirements.
    Awareness of cyber security to the public can show a positive 
impact to businesses that help support cyber infrastructure (i.e., 
Internet). The more people understand virus protection, anti-spam 
tools, identity theft protection, and phishing risks, the better the 
Internet-connected community and services can perform on their behalf. 
Government education programs that could also be used within businesses 
would help defray internal education costs.

Q3.  Information Sharing

Q3a.  What information would you find most helpful to receive from the 
government (especially DHS) or from other companies when you are making 
decisions related to what cyber security you need? When responding to 
an attack or incident?

A3a. SBC would find it helpful if information from the DHS includes: 
current cyber vulnerabilities, attack methods, and attack sources. The 
most current information helps us prepare strategies to deal with new 
sources of attack and new methods of attack. The same can be said when 
responding to an incident. Understanding how an attack may occur and 
from where allows SBC to better prepare defenses that could block 
specific protocols or specific IP addresses.

Q3b.  What information have you been asked for by DHS that you feel 
uncomfortable providing? Why?

A3b. Information that SBC has been asked to share that has made us 
uncomfortable includes items that we consider private within the 
company and restricted to only employees with a need to know. Examples 
include our private address spaces, server specifics (numbers, types, 
versions, and locations), vendors used and security infrastructure 
components. Typically, we are uncomfortable with sharing information 
that could be used to allow specific, targeted attacks against SBC. We 
also have an expectation from and an obligation to our customers to 
keep their information private and secure. Release of customer 
information to law enforcement should always follow the same strict 
protocol as any other subpoenaed information.

Q3c.  What are the principal barriers to information sharing? Are 
changes in legislation or regulations needed to overcome these 
barriers?

A3c. It has been our experience that the principal barriers to 
information sharing between companies are; competition within an 
industry, potential negative public perception if cyber security 
intrusions occur, and the FOIA or other disclosure acts requiring 
federal agencies to disclose meeting proceedings or information 
provided.

Q4.  Responding to Cyber Attacks

     If the information systems of a critical infrastructure company 
were attacked today, is the U.S. prepared to detect the attack and 
repel it or repair the systems quickly? What about if it were an attack 
on the Internet? What role can and should DHS and other public and 
private organizations play in these response activities? What are the 
barriers to DHS, companies, or other organizations providing a quick 
and effective and coordinated response?

A4. I believe most large companies, especially those within the 
critical infrastructure, understand cyber security is a part of doing 
business within our Internet-connected world, today, and have taken 
precautionary measures to detect and protect against attacks.
    The Internet itself is constantly attacked. The Internet, by 
definition, is a network of networks, and, as such, Internet service 
providers have an ability to segment portions of the network to prevent 
rampant abuse, if necessary.
    Communications is the chief barrier to DHS' ability to coordinate a 
rapid and coordinated response to Internet problems. To provide a 
coordinated response, the DHS needs the ability to contact key Internet 
providers to focus on the immediate attack. This is not unlike the 
telecommunications requirement to have a National Security Emergency 
Preparedness (NSEP) organization which focuses on national telco 
events.

Questions submitted by Representative Eddie Bernice Johnson

Q1.  What is the Department of Homeland Security doing to foster 
greater private sector efforts in cyber security, and what could the 
agency do that it is not doing now?

A1. SBC maintains close ties to government agencies responsible for 
national security. We work closely with them on a daily basis to 
receive and share security related information. The DHS is encouraged 
to continue to support the efforts of the following: the National 
Security Telecommunications Advisory Council (NSTAC), National 
Coordinating Center Telecom Information Sharing and Analysis Center 
(NCC Telecom ISAC), FBI's Infragard, and the National Security 
Information Exchange (NSIE).
    DHS support of public awareness and education programs focused on 
cyber security would be a pro-active effort to help companies and the 
public be more aware of cyber security and the role they play to 
protect themselves.

Q2.  Are effective practices, procedures, and technologies now 
available to guard against the adverse impacts of cyberspace 
vulnerabilities? Are there shortcomings for particular critical 
infrastructure areas?

A2. SBC utilizes security technologies and practices to guard against 
adverse cyber security vulnerabilities. We believe security tools and 
practices exist for industries to protect themselves. Our challenge is 
addressing new vulnerabilities as they appear. This requires 
technologies and processes to continuously react to the ever-changing 
environment. Consumers and industry must continue to hold vendors 
accountable and to focus their efforts on providing products and tools 
to meet cyber security best practices. Vendors need to recognize that 
cyber security is an administrative intensive effort and tools are 
needed to relieve this pressure.
