<html>
<title>CYBERSECURITY: PROTECTING AMERICA'S CRITICAL INFRASTRUCTURE, ECONOMY, AND CONSUMERS</title>
<body><pre>[House Hearing, 109 Congress]
[From the U.S. Government Printing Office]



       CYBERSECURITY: PROTECTING AMERICA'S CRITICAL INFRASTRUCTURE,

                           ECONOMY, AND CONSUMERS


                                 HEARING

                                BEFORE THE

           SUBCOMMITTEE ON TELECOMMUNICATIONS AND THE INTERNET

                                OF THE

                     COMMITTEE ON ENERGY AND COMMERCE

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                            SECOND SESSION


                          SEPTEMBER 13, 2006

                          Serial No. 109-137

      Printed for the use of the Committee on Energy and Commerce



Available via the World Wide Web:  http://www.access.gpo.gov/congress/house



                    U.S. GOVERNMENT PRINTING OFFICE

31-464 PDF                  WASHINGTON : 2007
------------------------------------------------------------------
For sale by Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax:  (202) 512-2250. Mail:  Stop SSOP,
Washington, DC 20402-0001



                     COMMITTEE ON ENERGY AND COMMERCE

JOE BARTON, Texas, Chairman
RALPH M. HALL, Texas
MICHAEL BILIRAKIS, Florida
  Vice Chairman
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
NATHAN DEAL, Georgia
ED WHITFIELD, Kentucky
CHARLIE NORWOOD, Georgia
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES W. "CHIP" PICKERING, Mississippi
  Vice Chairman
VITO FOSSELLA, New York
ROY BLUNT, Missouri
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
C.L. "BUTCH" OTTER, Idaho
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
JOHN D. DINGELL, Michigan
  Ranking Member
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, JR., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
ALBERT R. WYNN, Maryland
GENE GREEN, Texas
TED STRICKLAND, Ohio
DIANA DEGETTE, Colorado
LOIS CAPPS, California
MIKE DOYLE, Pennsylvania
TOM ALLEN, Maine
JIM DAVIS, Florida
JAN SCHAKOWSKY, Illinois
HILDA L. SOLIS, California
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas


BUD ALBRIGHT, Staff Director
DAVID CAVICKE, General Counsel
REID P. F. STUNTZ, Minority Staff Director and Chief Counsel


SUBCOMMITTEE ON TELECOMMUNICATIONS AND THE INTERNET
FRED UPTON, Michigan, Chairman
MICHAEL BILIRAKIS, Florida
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
ED WHITFIELD, Kentucky
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
CHARLES W. "CHIP" PICKERING, Mississippi
VITO FOSSELLA, New York
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
JOHN SULLIVAN, Oklahoma
MARSHA BLACKBURN, Tennessee
JOE BARTON, Texas
  (EX OFFICIO)
EDWARD J. MARKEY, Massachusetts
  Ranking Member
ELIOT L. ENGEL, New York
ALBERT R. WYNN, Maryland
MIKE DOYLE, Pennsylvania
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, JR., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
JOHN D. DINGELL, Michigan
  (EX OFFICIO)


CONTENTS


Testimony of:

Powner, David A., Director, Information Technology Management
Issues, U.S. Government Accountability Office
Foresman, Hon. George W., Undersecretary for Preparedness, U.S.
Department of Homeland Security
Moran, Kenneth P., Director, Office of Homeland Security, Enforcement
Bureau, Federal Communications Commission
Weafer, Vincent, Senior Director, Symantec Security Response,
Symantec Corporation
Kurtz, Paul B., Executive Director, Cyber Security Industry Alliance
Clinton, Larry, Chief Operating Officer, Internet Security Alliance

Additional material submitted for the record:

Kenney, Jeannine, Senior Policy Analyst, Consumers Union, submission
for the record
Powner, David A., Director, Information Technology Management
Issues, U.S. Government Accountability Office, response for the
record
Weafer, Vincent, Senior Director, Symantec Security Response,
Symantec Corporation, response for the record
Kurtz, Paul B., Executive Director, Cyber Security Industry Alliance,
response for the record
Clinton, Larry, Chief Operating Officer, Internet Security Alliance,
response for the record
Foresman, Hon. George W., Undersecretary for Preparedness, U.S.
Department of Homeland Security, response for the record


CYBERSECURITY: PROTECTING AMERICA'S CRITICAL INFRASTRUCTURE, ECONOMY,
AND CONSUMERS


WEDNESDAY, SEPTEMBER 13, 2006

HOUSE OF REPRESENTATIVES,
COMMITTEE ON ENERGY AND COMMERCE,
SUBCOMMITTEE ON TELECOMMUNICATIONS AND THE INTERNET,
Washington, DC.



    The subcommittee met, pursuant to notice, at 10:05 a.m., in
Room 2123 of the Rayburn House Office Building, Hon. Fred Upton
(Chairman) presiding.
    Members present:  Representatives Upton, Stearns, Shimkus,
Bass, Walden, Terry, Blackburn, Barton (ex officio), Markey,
Gonzalez, Inslee, Eshoo, and Dingell (ex officio).
    Staff present:  Kelly Cole, Counsel; Howard Waltzman, Chief
Counsel for Telecommunications and the Internet; Jaylen Jensen,
Senior Legislative Analyst; Anh Nguyen, Legislative Clerk; and
Johanna Shelton, Minority Counsel.
    MR. UPTON.  Good morning.  I would like to welcome our
witnesses today, as well as welcome back our subcommittee members.
Today's hearing is about cybersecurity and what our Government and
the private sector are doing to prevent and mitigate attacks on
our Internet infrastructure.
    I liken cybersecurity and the threat to our Internet
infrastructure to what we've seen occur on the Gulf Coast.  For
years we were worried that the levees in New Orleans were not strong
enough to withstand a Category 5 hurricane.  When Hurricane Katrina
blew through the Gulf Coast, the eventuality that we all knew
was a possibility became a reality: We saw the levees break; we
saw the devastation that such a storm could wreak.
    Similarly, we know that our Internet infrastructure is
subject to attack every day.  The unfortunate reality is that there
will come a day when this country experiences a debilitating
Internet disruption.
    The question we face now is: will we be ready?  The lesson
that we have learned from Hurricane Katrina is that we must be
ready.
That is why we are here today.
    Normally, these types of hearings are held after a major
incident, but thankfully, we are in a position to improve
our current system, to examine what steps are being taken, and what
steps are needed to further fortify the Information Superhighway.
    Today's hearing will examine the steps being taken in the
public and private sectors to make us ready.  We will hear the
disappointing report from the GAO that we are not quite prepared
for such an attack.  I hope that today's hearing will help to
improve our readiness and to increase the coordination among
government agencies, as well as among government and private
sector entities to protect our Internet infrastructure from a
major disruption.
    I thank the witnesses for appearing today.  I look forward
to their testimony.  I particularly appreciate their ability to send
up the testimony last night so that I could see it before I went
home.
    [The prepared statement of Hon. Fred Upton follows:]

PREPARED STATEMENT OF THE HON. FRED UPTON, CHAIRMAN, SUBCOMMITTEE
ON TELECOMMUNICATIONS AND THE INTERNET

    Good Morning.  I would like to welcome our witnesses today
as well as welcome back our subcommittee Members.
    Today's hearing is about cybersecurity, and what our
government and the private sector are doing to prevent and mitigate
attacks on our Internet infrastructure.
    I liken cybersecurity and the threat to our Internet
infrastructure to what we've seen occur on the Gulf Coast.  For
years we worried that the levees in New Orleans were not strong
enough to withstand a Category 5 hurricane.  Then Hurricane Katrina
blew through the Gulf Coast, and the eventuality that we all knew
was a possibility became a reality: we saw the levees break, and we
saw the devastation that such a storm could wreak.
    Similarly, we know that our Internet infrastructure is
subject to attack every day.
The unfortunate reality is that there
will come a day when this country experiences a debilitating
Internet disruption.
    The question we face now is: will we be ready?  The lesson
we've learned from Hurricane Katrina is that we must be ready.
    That is why we are here today.  Normally, these types of
hearings are held after a major incident.  But thankfully, we are
in a position to improve our current system, to examine what steps
are being taken and what steps are needed to further fortify the
information superhighway.
    Today's hearing will examine the steps being taken in the
public and private sectors to make us ready.  We will hear the
disappointing report from the GAO that we are not quite prepared
for such an attack.  I hope that today's hearing will help to
improve our readiness and to increase the coordination among
government agencies as well as among government and private
sector entities to protect our Internet infrastructure from a
major disruption.
    I thank the witnesses for appearing today and I look
forward to their testimony.

    MR. UPTON.  With that, I will yield to the Ranking Member
of the subcommittee, the gentleman from Massachusetts, Mr. Markey.
    MR. MARKEY.  Thank you, Mr. Chairman, very much.  I want
to commend you for calling this hearing this morning on
cybersecurity.
    This subcommittee has a long history on cybersecurity.  We
held a hearing, in this subcommittee, for instance, in 1993 where
we demonstrated in this room cyber attacks on the United States
Navy Pacific fleet command, on NASA's mission control, and on the
Kremlin.  We knew in 1993, well before we enacted the
Telecommunications Act, that individuals would use the Internet
for nefarious purposes.
Today, we revisit the issue, knowing
that the Internet is even more prevalent than ever, and that more
individuals, businesses, and critical infrastructure, public
safety, hospitals, and government agencies rely upon it.
    Unquestionably, a major disruption of the Internet can
invoke dire consequences in an emergency.  In addition, successful
cyber attacks can cause harm to individuals when security is
compromised in a way that leads to identity theft, fraud, or
extortion.  American consumers pay dearly for such compromises
to their privacy and security each year.  So-called bot networks,
where computers are essentially hijacked by Internet-based software
implanted in your computer without your consent, are used as vehicles
for spam and fraud and denial of service attacks.  These acts,
along with computer virus attacks, have negative financial impacts
across the country that are estimated in the billions of dollars.
    The Federal Communications Commission plays a vital role
in preparing and responding to cyber attacks because of its
responsibility over our Nation's telecommunications infrastructure.
The Network Reliability and Interoperability Council, for example,
was convened by the FCC in response to this subcommittee's inquiry
into the massive Bell Atlantic telephone outage in 1991, which was
caused by software glitches in digital switching systems.  That
council is tasked with helping to prevent Internet disruptions
from occurring, and has developed a list of best practices for
Internet disaster recovery in emergency situations.
    The Department of Homeland Security is tasked with the
lead responsibility for facilitating response and recovery efforts
surrounding major Internet disruptions.
The Government
Accountability Office report from June of this year concluded that
although the Department of Homeland Security has begun several
initiatives addressing cybersecurity and Internet security, these
efforts are neither complete nor are they comprehensive.  As a
member of the Homeland Security Committee since its establishment
3 years ago, I remain concerned about the Department's lack of
significant progress in the area of cybersecurity.
    Obviously, many are concerned about cyber threats from
al Qaeda.  Certainly, cyber terrorism is something that is likely
to be in al Qaeda's playbook, and we should be vigilant against
such threats.  Yet, beyond the daily threats to cybersecurity from
hackers and spammers attempting to profit from fraud, the present
threat appears to be from China.  Numerous published reports
highlight how China is actively probing our Internet-based
infrastructure.  Last year, the Washington Post, for example,
highlighted how websites in China are being used heavily to target
computer networks in the Defense Department and other U.S.
agencies.
    So based on the GAO's report, we clearly are still without
an adequate plan for cybersecurity, and we need to do a better job
preparing ourselves, not just for future threats, but for present
practices from those who may target Americans for fraud or
terrorism.
    This is a timely hearing, and again, I want to commend
Chairman Upton for holding this hearing, and thank our witnesses
for their time and efforts.
    MR. UPTON.  I now recognize for an opening statement the
Chairman of the full committee, Mr. Barton from Texas.
    CHAIRMAN BARTON.  Thank you, Chairman Upton, for holding
this hearing.
    Following the anniversary of September 11, 2001, today's
hearing takes on added importance.  Cybersecurity is both a timely
issue and an important issue to consider.
Following the
events of 9/11, we learned a great deal about our country's
vulnerabilities.  As a result, there have been ongoing, systemic
reviews surrounding our Nation's critical infrastructure, most of
which fall within the jurisdiction of this committee.  Just as we
have taken steps to protect our electricity and drinking water,
it is also important to ensure that our information systems,
telecommunications networks, and Internet infrastructure are
protected from those that wish to do us harm.
    In light of the public and private reliance on the
Internet for commerce, communications, and education, I have
requested the Government Accountability Office to complete a
report on our preparedness for a major Internet disruption.
Although, thankfully, we have never seen a catastrophic Internet
disruption, such an event is not out of the realm of possibility.
The conclusion of the GAO is that recovering from a major
Internet disruption would be very difficult.  Roles of
responsibility among government agencies are not fully defined,
and coordination among the vast numbers of affected entities,
both public and private, is not occurring on a satisfactory
scale, according to the GAO.
    Imagine our country without a functioning Internet, even
for a little bit.  Most of us have lived to adulthood without
the Internet, but it is now a big part of our daily lives.  Some
people probably think they are exempt from the impact of the
Internet, but you would almost have to live in a cave to be truly
unaffected.  You benefit if you have a job, see a doctor, drive
a car, or eat a meal, and the list goes on and on.  Jobs, growth,
and opportunity in America without an Internet would not
disappear, but they would be dramatically tougher to achieve.
Life, business, and the economy would not tumble into a new Dark
Age, but it would be a dimmer and poorer life for all of us.
That is exactly the outcome envisioned by a man who does live
in a cave, Osama bin Laden.
    Protecting our Internet is not simply a goal this country
should aim to meet.  This is an imperative that the United States
must achieve.  I am anxious to hear from the Department of
Homeland Security what steps are being pursued to remedy the
problems described by the GAO report.  Also, I am interested in
hearing from the private industry witnesses about what they see
as the most critical issues and how they believe that we can best
resolve them.
    I want to thank you, Chairman Upton.  I would like to point
out that Chairman Stearns's subcommittee also has some jurisdiction
in this area, but I thank both of you for addressing this very
important issue.
    With that, I yield back.
    [The prepared statement of Hon. Joe Barton follows:]

PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON
ENERGY AND COMMERCE

    Thank you, Chairman Upton, for holding this hearing.  Just
following the five-year anniversary of September 11th, today's
hearing on cybersecurity is both timely and important.
    Following the events of September 11th, we learned a great
deal about our country's vulnerabilities.  As a result, there have
been ongoing, systematic reviews surrounding our nation's
critical infrastructure, most of which fall within the jurisdiction
of this Committee.  Just as we have to take steps to protect our
electricity and drinking water, it is also vitally important to
ensure that our information systems, telecommunications networks,
and Internet infrastructure are protected from those who wish to
do us harm.
    In light of the public and private reliance on the Internet
for commerce, communications, and education, I requested the
Government Accountability Office to complete a report on our
preparedness for a major Internet disruption.
Although this
country has, thankfully, never seen a catastrophic Internet
disruption, such an event is not out of the realm of possibility.
The conclusion of the GAO is that recovering from a major Internet
disruption would be difficult.  Roles of responsibility among
government agencies are not fully defined, and coordination among
the vast number of affected entities, both public and private,
is not occurring on a satisfactory scale.
    Imagine America without a functioning Internet, even for
a little while.  Most of us lived to adulthood without the Internet,
but it is now an unnoticed part of our lives.  Some people probably
think they're exempt from the impact of the Internet, but you'd
have to live in a cave to be truly unaffected.  You benefit if you
have a job, see a doctor, drive a car or eat a meal, and the list
goes on and on.  Jobs, growth and opportunity in America without
an Internet would not disappear, but they'd be dramatically
tougher to achieve.  Life, business and the economy would not
tumble into a new Dark Age, but it would be a dimmer and poorer
one for all of us.  That is exactly the outcome envisioned for
us by a man who does live in a cave.
    Protecting our Internet infrastructure is not simply a goal
this country should aim to meet.  This is an imperative that the
United States must achieve.  I am anxious to hear from the
Department of Homeland Security what steps are being pursued to
remedy the problems described by GAO.  Also, I am interested in
hearing from our private industry witnesses about what they see
as the most critical issues and how they believe we can best
resolve them.
    Thank you again, Chairman Upton.  I look forward to hearing
from our witnesses.

    MR. UPTON.  I recognize the Ranking Member of the full
committee, Mr. Dingell from the great State of Michigan.
    MR. DINGELL.  Mr. Chairman, we are from a great State.
Thank you for those kind words.
    First of all, Mr. Chairman, thank you for holding this
hearing, and I commend you for making cybersecurity a priority for
this subcommittee.
    Cyber attacks against our Nation's information infrastructure
grow in sophistication and in number every day.  A failure by the
Government to plan for physical and cyber damage to the Internet
could be devastating to both our national security and our economic
stability.
    Cyber criminals are attacking online operations and
infrastructure thousands of times a day, with increasingly targeted
and malicious attacks.  Moving beyond these notorious wide scale
attacks of the past, these perpetrators seem bent on more calculated
invasions designed to access and misuse corporate, personal, or
government information.  With a significant and growing level of
our Nation's economic activity occurring over networked connections,
a major physical or cyber breakdown of the Internet could wreak
havoc on our economy.  But a loss of the public's trust in the
digital economy would likewise ripple across every industry and
severely damage the Nation's overall economic health.
    Given the range of threats and vulnerabilities, this hearing
provides an excellent opportunity to understand on a broad level
what is being done to secure cyberspace.  How well prepared are the
Government and the private sector to respond to and to recover from
a major Internet disruption and from other cyber threats, and what
is it that we should do about these problems?
    The public sector is a holder of great responsibilities,
but the private sector is at the forefront in the defense against
cyber attacks, and it is vital that corporate management
appropriately invests in cybersecurity.  Do corporations, large
and small, have the necessary commitment, information, and tools
to protect against cyber intrusions and restore systems that have
been compromised?
The information technology sector is deploying
tools to help businesses and consumers manage cyber risks, but
they need a lot of help, and this is one of the places the
Government comes in.  The Federal government must take a leading
role in working with the private sector to secure cyberspace.
    What steps has the Government, particularly the Department
of Homeland Security, DHS, taken in regard to protecting against
and recovering from a major cyber incident, whether from cyber
warfare or from a natural disaster?  Is cybersecurity receiving
the proper level of attention within the Department, or is there
more that can and should be done?
    The Government Accountability Office reports that the role
of the Government in planning for Internet recovery remains
unclear.  According to GAO, years after its formation, DHS is
falling short on its efforts to secure cyberspace.  GAO's recent
report on Internet recovery provides a list of items upon which
the Department must focus its attention.  Curiously, more than
a year after announcing, with more than a little fanfare, the
creation of an Assistant Secretary for Cybersecurity and
Telecommunications, that DHS position, along with others,
remains vacant.  This is a noticeable and a lengthy absence of
cybersecurity leadership, and it conveys a clear lack of
appreciation for our Nation's real and mounting cyber threats.
    The American people should not have to wait for a massive
cyber disaster to bring the necessary level of government attention
to cyber risks.  Companies on the front lines are clamoring for
more leadership from the Government in securing cyberspace.
Perhaps this is because the private sector knows full well that
the costs of inaction in preparing for and recovering from a
cyber disaster could be catastrophic to our national and economic
security.
    Mr. Chairman, this hearing is a very important one.
Let us
hope that it helps us get some answers, but let us also hope that
it enables us to jog the Government into a more vigorous effort at
addressing these problems, and perhaps filling an empty appointment
or two at DHS.
    Thank you.
    MR. UPTON.  Mr. Terry.
    MR. TERRY.  Thank you, Mr. Chairman, for holding this
hearing.  I would just like to associate myself with all of the
remarks that have been made from this kiosk, and I yield back.
    MR. UPTON.  Especially the remarks about the great State of
Michigan, we are glad to have--
    MR. TERRY.  With that exception.
    MR. UPTON.  Mr. Stearns.
    MR. STEARNS.  Thank you, Mr. Chairman.  Obviously, all of us
are glad that you are holding this hearing.  As Mr. Barton pointed
out, my Subcommittee on Commerce, Consumer Protection, and Trade
has had seven hearings on privacy, and we have dealt a lot with
data security, and we are also concerned with cybersecurity.
    As the Government and private sector become more reliant on
widespread interconnectivity, protecting both the public and
private computer systems and the critical operations and
infrastructure they support is more critical than ever before.
    Although the Bush Administration and the Department of Homeland
Security, DHS, have begun a variety of initiatives to protect the
Internet infrastructure, obviously, much work needs to be done.
According to a recently released GAO report, the efforts by DHS
to fulfill its responsibilities for developing an integrated
public-private plan for Internet recovery are neither complete
nor comprehensive.  DHS has developed a high level plan for
infrastructure protection and incident response, but the components
of these plans addressing Internet infrastructure are not yet
complete.
    DHS has started initiatives to improve response, such as
working groups to facilitate coordination and exercises in which
government and private industry practice responding to cyber events,
but GAO notes that progress on these initiatives has been limited and
they often lack timeframes for completion.
    My colleagues, much of the United States' critical
infrastructure is potentially vulnerable to cyber attacks.
Industrial control computer systems involved in this infrastructure
are specific points of vulnerability, as cybersecurity for these
systems has not been previously perceived as a very high priority.
Many international terrorist groups now actively use computers
and the Internet to communicate, and several may develop or
acquire the necessary technical skills to eventually direct a
coordinated attack against computers in the United States.  A
cyber attack intended to harm the U.S. economy would likely
target computers that operate the civilian critical
infrastructure and our government agencies.
    While there is no published evidence that terrorist
organizations are currently planning a coordinated attack against
computers, computer system vulnerabilities persist worldwide and
initiators of the random cyber attacks that plague computers on the
Internet remain largely unknown today.  Reports from security
organizations show that random attacks are now increasingly
implemented through the use of automated tools called bots that
direct large numbers of these compromised computers to launch
attacks through the Internet as swarms.  The growing trend towards
the use of more automated attack tools has also overwhelmed some
of the current methodologies used for tracking Internet cyber
attacks.
    The potential consequences of this are critical, and range
from temporary loss of service to catastrophic infrastructure
failure affecting multiple States for an extended duration.
The
consequences of attack could vary widely.  In addition, DOD has
also observed that the number of attempted intrusions into military
networks has gradually increased.
    Mr. Chairman, this uncertainty highlights the necessity of
this hearing and I thank you for holding it.  I look forward to
hearing from our witnesses.
    MR. UPTON.  Mr. Shimkus.
    MR. SHIMKUS.  Thank you, Mr. Chairman.
    I will just be brief and say thank you to the panelists for
coming.  I thank the Chairman for asking for the report in 2005.
    In July, we suffered some pretty horrific storms in the
St. Louis metropolitan area.  Over three-quarters of a million
people were without power for many days.  My home was without power
for 5 days.  I think that allowed the public to understand how
connected we are through the computer, through Internet, through
electricity, and the like.  The public really needs to think what
we can do collectively.  And I think what these storms showed the
public in the St. Louis metropolitan area is what they had to do
themselves to prepare.  That is really the same message that we
talked about in Katrina and other major disasters.  What are the
individual citizens doing to help protect themselves in the case
of attacks?  This is cybersecurity, but we do rely more and more
on technology, and the public needs to be prepared to--how to do
their own work, and that is what I will be asking about later on.
    Thank you, Mr. Chairman.  I yield back.
    MR. UPTON.  Thank you.  That concludes the opening
statements by the members of the subcommittee.
    [Additional statement submitted for the record follows:]

PREPARED STATEMENT OF THE HON. ANNA G. ESHOO, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA

    Thank you, Mr. Chairman, and thanks to the witnesses for
joining us today.
    As a member of the House Intelligence Committee, I take very
seriously the range of threats to our country from terrorists and
other enemies, including threats to our basic infrastructure
including our telecommunications networks and the Internet.
    In the 21st Century, no part of our national infrastructure
is more important than our technological infrastructure and
communications networks.
    Former Cybersecurity Czar Richard Clarke once described the
potential for a telecom disaster as an "electronic Pearl Harbor."
CRS has estimated a cyber attack could produce an economic blow
exceeding $200 billion.
    This is undoubtedly a shared responsibility of government,
the telecommunications industry, businesses, and consumers, and
critical gaps in security remain unaddressed at every level.
    I'm increasingly concerned that cybersecurity is not
receiving the attention it requires from the federal government.
    In the wake of 9/11, the Administration has slowly
diminished responsibility for and visibility of cybersecurity
matters at the federal level.  Instead, they have focused almost
exclusively on threats to air safety and border security.  These
are critical threats to our national security but they are not the
only ones.  We must attend to all critical sectors, including
cybersecurity.
    The position of cyber security czar once resided at the
White House and reported directly to the President, but after
Richard Clarke's resignation in 2003, the position was relegated
to a mid-level position in the Department of Homeland Security.
    In July 2005, after significant pressure from Congress and
the private sector, DHS Secretary Chertoff announced the creation
of an Assistant Secretary for Cyber Security and
Telecommunications.  The Assistant Secretary would have the
authority to set policy and develop public-private partnerships
with industry to improve national cybersecurity.
\n\tBut in the year since the position was announced, the \nAdministration has yet to even nominate someone to fill it. \n\tClearly, we cannot expect national leadership in \ncybersecurity without an individual to lead the effort.  I hope \nthe President will act soon to appoint someone to assume this \nvital function. \n\tI also believe much of the responsibility for America\'s \ncybersecurity lies with the private sector and individual citizens. \n\tMany of the most potent viruses and worms that afflict our \ncomputer networks are able to do so only because the vast majority \nof personal computers are not secure, thus becoming the unwitting \ndistribution network for destructive programs. \n\tBusinesses and individuals must be vigilant in maintaining \nappropriate security on their networks and personal computers, and \nutilize sound security practices. \n\tThe federal government should play a leadership role in \npromoting effective security standards and practices and assisting \nprivate and public institutions in reaching out to individual users \nto protect themselves from cyber attacks. \n\tData security legislation unanimously endorsed by this \nCommittee would provide significant government leadership in \nendorsing and promoting robust security systems and standards, and \nI hope the House will consider our bill before Congress adjourns. \n\tWe have to do better than react to an "electronic Pearl \nHarbor."  I look forward to working with my colleagues to make sure \nthat we do everything we can to protect our nation\'s vital computer \nand communications networks. \n\n\tMR. UPTON.  At this point, we will hear the testimony by \nour distinguished panel.  We are joined by Mr. David Powner, the \nDirector of Information Technology Management Issues from the \nUnited States Government Accountability Office; Mr. George Foresman, \nUnder Secretary for Preparedness of the United States Department of \nHomeland Security; Mr. 
Ken Moran, Director of the Office of Homeland \nSecurity of the Enforcement Bureau of the FCC; Mr. Vincent Weafer, \nSenior Director of Symantec Corporation from California; Mr. Paul \nKurtz, Executive Director of Cybersecurity Industry Alliance; and \nMr. Larry Clinton, CEO of Internet Security Alliance. \n\tGentlemen, your testimony is made part of the record in \nits entirety.  We would like you to take not more than 5 minutes to \nsummarize it, at which point we will have questions from members of \nthe panel. \n\tMr. Powner, we will start with you.  Welcome. \n\nSTATEMENTS OF DAVID A. POWNER, DIRECTOR, INFORMATION TECHNOLOGY \nMANAGEMENT ISSUES, U. S. GOVERNMENT ACCOUNTABILITY OFFICE; HON. \nGEORGE W. FORESMAN, UNDER SECRETARY FOR PREPAREDNESS, U. S. \nDEPARTMENT OF HOMELAND SECURITY; KENNETH P. MORAN, DIRECTOR, \nOFFICE OF HOMELAND SECURITY, ENFORCEMENT BUREAU, FEDERAL \nCOMMUNICATIONS COMMISSION; VINCENT WEAFER, SENIOR DIRECTOR, \nSYMANTEC SECURITY RESPONSE, SYMANTEC CORPORATION; PAUL B. KURTZ,\n EXECUTIVE DIRECTOR, CYBERSECURITY INDUSTRY ALLIANCE; AND LARRY \nCLINTON, CHIEF OPERATING OFFICER, INTERNET SECURITY ALLIANCE \n\n\tMR. POWNER.  Chairman Upton, Ranking Member Markey, Chairman \nBarton, and members of the subcommittee, we appreciate the \nopportunity to testify on our Internet Reconstitution Report that \nwe recently completed at your request.  \n\tFederal law and policy call for critical infrastructure \nprotection activities and establish DHS as our Nation\'s focal \npoint.  Among its many responsibilities is to work with the private \nsector to develop an integrated public/private Internet recovery \nplan.  To date, no such plan exists.  Today, at your request, I \nwill briefly discuss the growing threats to the Internet, where \nour Nation is in its efforts to develop this plan, and \nrecommendations to both DHS and the Congress to facilitate public \nand private efforts to recover the Internet when major disruptions \noccur. \n\tFirst, threats.  
Criminal groups, foreign intelligence \nservices, hackers, and terrorists are threats to our Nation\'s \ncomputers and networks.  A recent intelligence report on global \ntrends forecasts that terrorists may develop capabilities to \nconduct both cyber and physical attacks against infrastructure \nmodes, including the Internet.  In fact, the Internet has been \ntargeted and attacked, and private sector companies who own the \nmajority of the Internet infrastructure deal with cyber and \nphysical disruptions on a regular basis.  For example, viruses \nand worms are often used to launch denial of service attacks \nthat result in traffic being slowed or stopped.  Several recent \ncyber attacks highlight the importance of having robust Internet \nrecovery plans, including a 2002 coordinated denial of service \nattack that targeted all 13 Internet route servers.  \n\tFor most of these attacks, the Government did not have a \nrole in recovering the Internet; however, recent physical attacks \nlike 9/11 and Katrina highlight the need for public/private \ncoordination associated with Internet recovery. \n\tDHS has begun a variety of initiatives to fulfill its \nresponsibility for developing an integrated public/private plan, \nbut these efforts are not yet complete or comprehensive.  \nSpecifically, DHS has developed high level plans for infrastructure \nprotection and national disaster response, but components of \nthese plans that are to address Internet recovery are incomplete \nand inadequate.  In addition, the National Response Plan cyber \nannex does not reflect the National Cyber Response coordination \ngroup\'s current operating procedures.  DHS has started a variety \nof initiatives to tackle this problem, including working groups \nto facilitate response, and exercises to practice recovery \nefforts; however, these efforts are immature and the relationships \namong groups like the Internet disruption working group and others \nare not evident. 
\n\tRegarding the challenges that have impeded progress, first, \nit is unclear what government entity is in charge, what the \nGovernment\'s role should be, and when it should get involved.  \nExpanding on each of these: DHS\'s National Cybersecurity Division \nand the National Communications System have overlapping \nresponsibilities.  In addition, there is lack of consensus about \nthe role that DHS should play.  The Government is pursuing large \nscale plans with the NIPP and the National Response Plan, while \nthe private sector wants more of an assist or tactical role from \nthe Government that our report lays out in detail.  Finally, \ntriggers that clarify when the Federal government should get \ninvolved are unclear. \n\tSecond, our Nation is working in a legal framework that \ndoesn\'t specifically address the Government\'s role and \nresponsibilities in the event of an Internet disruption.  In \naddition, the Katrina recovery efforts showed that the Stafford \nAct can create a roadblock when for-profit companies that own and \noperate critical infrastructure need Federal assistance during \nnational emergencies. \n\tThird, the private sector is reluctant to share information \nwith DHS because it does not see value in sharing, does not \nnecessarily trust the Government, and views DHS as an organization \nlacking effective leadership.  \n\tTo address these inadequacies, my statement includes nine \nspecific recommendations to DHS, including determining who should \nbe in charge, given the convergence of voice and data \ncommunications, developing a plan that is consistent with what \nthe private sector infrastructure owners need during a time of \ncrisis, and incorporating lessons learned from incidents and \nexercises. \n\tIn summary, Chairman Upton, exercises to date in a recently \nissued report by the Business Roundtable found that both the \nGovernment and the private sector are poorly prepared to effectively \nrespond to cyber events.  
Although DHS has various initiatives \nunderway, these need to be better coordinated and driven to \nclosure.  Until this happens, the credibility of the Department \nwill not be where it needs to be to build effective public/private \nrelationships needed to effectively respond to major Internet \ndisruptions. \n\tThis concludes my statement.  I would be pleased to respond \nto any questions. \n\t[The prepared statement of David A. Powner follows:] \n\nPREPARED STATEMENT OF DAVID A. POWNER, DIRECTOR, INFORMATION \nTECHNOLOGY MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY \nOFFICE \n\n\tMR. UPTON.  Thank you. \n\tMr. Foresman.\n\tMR. FORESMAN.  Mr. Chairman, Ranking Member Markey, and \nmembers of the subcommittee, thank you for the opportunity to appear \ntoday to discuss cyber and telecommunication security.  You have \nmy written statement and I offer it for the record. \n\tI would like to briefly highlight several points. \n\tFirst, there has been much discussion about the Department\'s \nability to find and hire a qualified individual to serve as the \nAssistant Secretary for Cyber and Telecommunications Security.  I \nwant to be very clear.  This has been and remains a top priority \nfor the Department.  We are in the final stages of a security \nprocess review for a candidate that we feel is very well qualified.  \nWe look forward to announcing the candidate with Congress very soon. \nI am confident this individual will continue to build on the progress \nthat is being made every day in our cyber and telecommunications \nsecurity efforts. \n\tSecond, today, the Department is releasing its After Action \nreport from our recent government private sector national and \ninternational cybersecurity exercise, Cyber Storm.  This report \nwill measurably advance refinements to operational protocols.  Its \nlessons will not simply be documented, they will be implemented. 
\n\tThird, telecommunication networks and information technology \nactivities are both mutually dependent and interdependent, and they \nhave converged.  By the end of this year, we will complete our \nefforts to collocate the U.S. Computer Emergency Readiness \nTeam and the National Coordination Center for Telecommunications to \nimprove operational coordination.  This means better coordination \namong all levels of government, and better and stronger relationships \nbetween government and the private sector during threats and actual \nevents.  \n\tSecretary Chertoff said last week in his speech that reflected \non five years since 9/11 that the way to protect the critical \ninfrastructure is "in partnership with Federal, State, and local \nofficials, and with the private sector folks who actually own the \nthings that we are trying to protect."  This collaboration is key \nto our approach to protecting telecommunications and the Nation\'s \ncyber infrastructures.  \n\tLast month, our cybersecurity experts worked quietly with \ntheir counterparts at Microsoft to address a critical software \nvulnerability.  Microsoft was competent in their partnership with \nDHS and quickly brought the vulnerability to our attention.  While \nMicrosoft worked over several weeks to develop a patch, our US-CERT \nwas quietly and effectively monitoring Internet activity to \nensure the vulnerabilities were not being exploited.  At the same \ntime, the Department was working domestically and internationally \nand with our private sector partners to mitigate terrorist threats \nassociated with the British airline plot.  These concurrent actions \nare two of many examples of the day-to-day public/private sector \nactivity taking place in the Department\'s preparedness efforts. \n\tMaintaining these types of collaborations remains, as you \nknow, a multi-dimensional challenge.  
From personal computers in \nhomes, to vast networks, to control systems, to the Internet, \ncyber and telecommunications security presents enormous challenges. \n These challenges are obvious: prioritizing our work, partnering \nfor effective collaboration, balancing security and economic \nconsiderations, and most notably, increasing the understanding. \n\tThe other witnesses today will add clarity to these points \nfrom varying perspectives, but I think it is safe to say there is \nno one before you today that does not share the belief that \nprotecting America\'s cyber and telecommunications systems is as \ncritical to national security as it is to citizens\' security.  I \nwant to be clear.  Progress is being made every day, and there is \nmore to be done.  Mr. Chairman and members of the committee, as \nyou well know, the security of America\'s cyber and \ntelecommunications systems do not lend themselves to surrounding \none building with heavily armed police officers or simply mandating \nan action and we will be safe.  Simply put, there is no magic bullet. \n\tThe success of our national cyber and telecommunications \nsecurity efforts depends on unity of purpose and continuing \npublic/private sector collaboration.  This is serious business and \nwe at the Department are serious about the business.  We look \nforward to continuing discussions with this committee, with the \nCongress on the wide range of policy issues that we must confront \ntogether if we are going to measurably advance our efforts to \nsecure the Nation\'s cyber assets and its telecommunications \nassets. \n\tThank you, and I look forward to your questions. \n\t[The prepared statement of Hon. George W. Foresman \nfollows:] \n\nPREPARED STATEMENT OF THE HON. GEORGE W. FORESMAN, UNDER SECRETARY \nOF PREPAREDNESS, U.S. DEPARTMENT OF HOMELAND SECURITY \n\n\tGood morning, Mr. Chairman and Members of the Subcommittee.  
\nThank you for inviting me to speak about cyber security and the \nrecovery and reconstitution of critical networks. \n\tOur Nation\'s communications and information infrastructure \nwill support profound improvements in the security of our homeland \nin the next 20 years.  States, communities, and our private sector \npartners are already finding innovative ways to prevent terrorism \nand protect critical infrastructure by leveraging information \ntechnology.  As I outline further below, the Federal government \nis similarly deploying innovative programs that significantly raise \nthe level of preparedness in this critical area. \n\tOur vision and philosophy for the future build upon \naccomplishments of the past several years - critical infrastructure \nbusinesses, home users, and government at all levels have a greater \nunderstanding of the threat posed by malicious software. The \ncommunications and information technology sectors have deployed new \ntools to help these constituents manage cyber risks. \n\tHowever, at the core of our vision and philosophy is a strong \nbelief that the Department of Homeland Security (DHS) must \nincreasingly guard against more virulent attacks and cyber \ndisruptions - whether caused by a terrorist attack or natural \ndisaster. We must prevent cyber incidents of national significance. \n\tIn this testimony, I will outline three strategic goals to \nexecute this vision, and examples of current and future programs \n that will move us forward to these objectives. \n\n\nAssistant Secretary for Cyber Security and Telecommunications \n\tAs a preliminary matter, allow me to outline the steps the \nDepartment is currently taking while working with the White House to \nactively pursue qualified candidates for the post of Assistant \nSecretary for Cyber Security and Telecommunications.  
I am \npersonally engaged in the process of selecting the new Assistant \nSecretary and, in the interim, am providing program direction \npending the post being filled permanently.  Because of the \nimportance of this mission, all parties want to ensure that the \nindividual appointed to this position possesses the right \ncombination of skills, experience, and leadership necessary to \nsucceed.  \n\tTo supplement my own personal involvement in strategy, the \nAssistant Secretary for Infrastructure Protection has been serving \nas the Acting Assistant Secretary for Cyber Security and \nTelecommunications.  As such, he has been actively engaged in \noverseeing operational programs, program reviews, governance \nstructure, and has participated in government/industry forums to \nfurther the advancement of this important new office as well as \nthe strategic goals that I will outline shortly. \n\tRegardless of when this position is filled, the mission \nof the Department of Homeland Security (DHS), the National Cyber \nSecurity Division (NCSD), and the National Communications System \n(NCS) remain clear. The absence of a permanent Assistant Secretary \nfor Cyber Security and Telecommunication has not had an impact on \nNCSD\'s or NCS\'s critically important work.  \n\nStrategic Vision and Philosophy \n\tOur vision and philosophy for cyber security and recovery \nreflects the expanding importance of our communications and \ninformation infrastructure in all walks of life.  As you know, a \nfailure to consider and deploy effective strategies could adversely \naffect homeland and national security, public health and welfare, \nand our economic security.  Policies that advance a safe and \nsecure communications infrastructure promote public trust and \nconfidence, project stability to those who wish us harm, and \nfoster valuable relationships between the public and private \nsectors. \n\tWe fully recognize the challenges inherent in our \npreparedness responsibilities.  
We are faced with difficult \nchoices and options.  We must think about risks to the \ncommunications and information infrastructure in new and creative \nways.  We must prioritize resources, and make hard decisions where \nresources are limited. \n\tWe must also continue to partner strategically with the \ncommunications and information technology sectors as well as other \nexperts outside of the Federal government.  As we focus on the \npotential for catastrophic cyber disasters, our partnerships are \nbecoming more diverse and sophisticated, reflecting the different \ntechnology, business, and policy decisions that must be made.  \nThese partnerships also entail strengthening cooperation across the \ngovernment and, at a minimum, finding ways to cultivate support \noutside of the Department where expertise clearly exists.  Whether \npublic or private, the partnerships must deliver real and measurable \nvalue in light of the catastrophic damages that can occur in the \nabsence of smart collaboration.  \n\tFinally, we must reinforce a culture of preparedness and \nincreasingly shift from a reactive to a proactive stance.  In sum, \nwe must prepare by promoting effective security strategies that \nevolve as the threat evolves.  \n\nThree Strategic Goals \n\tIn responding to these challenges, the Preparedness \nDirectorate is executing three strategic priorities.  (1) We are \npreparing for a cyber incident of national significance; (2) we are \nworking to forge more effective partnerships; and (3) we are working \nto foster a culture of preparedness to prevent cyber incidents \nand mitigate damage when disruptions occur. \n\n First, we must prepare for a large scale cyber disaster. \n\tOur primary strategic goal is to prepare for high-consequence \nincidents. These would include, for example, a widespread disruption \ninvolving the Internet or critical communications infrastructure, \nwhether from an attack or natural disaster. 
\n\tNow, as the Department matures we are preparing for large \nscale cyber disasters. Our strategic intentions are ambitious and \nwill require resolution of multiple impediments, such as: \n Identifying incidents and providing early warning;  \n Deploying Federal assets and services more efficiently to mitigate \ndamages where disruptions occur; \n Responding to the speed of attacks and disruptions, which will \nrequire new technologies and skill sets in our workforce; and \n Maximizing the use of tools that promote and integrate privacy \nprotections as well as real-time security needs. \n\n\tThe Preparedness Directorate has several important programs \nalready underway to prepare for a cyber incident of national \nsignificance.  The Office of Cyber Security and Telecommunications \nhas established an Internet Disruption Working Group (IDWG) to \naddress the resiliency and recovery of Internet functions in the \nevent of a major cyber incident.  The IDWG is not examining all \nrisks, but is focusing on and identifying measures that government \nand its stakeholders can take to protect against nationally \nsignificant Internet disruptions.    \n\tThese proposed measures may yield heightened expectations, \nroles, and responsibilities for the United States Computer Emergency \nReadiness Team (US-CERT). \n\n Second, we must continue to forge more effective partnership \narrangements.  \n Our second strategic goal is to improve the Department\'s \npartnership programs and practices.  Homeland Security Presidential \nDirective 7, the Administration\'s policy on critical \ninfrastructure protection, explicitly   recognizes the importance \nof partnerships, which are essential for many sound reasons.  
In \nthe cyber security arena, the Department is working to nurture \nexisting partnerships and establish new relationships with three \nkey stakeholder communities: (1) the private sector; (2) Federal \ndepartments and agencies and State, local, and tribal governments; \nand (3) academia.\n\tPrivate Sector Partnerships.  Industry owns, operates, and \ncontrols the bulk of the communications and information \ninfrastructure, so collaborating with industry to prepare for and \nrespond to catastrophic cyber disasters is a strategic priority.  \n\tIn "The Federal Response to Hurricane Katrina: Lessons \nLearned," the White House pinpointed specific problems experienced \nby infrastructure owners in restoring communications services.  \nThe report additionally described interdependencies between the \ncritical infrastructure sectors, such as energy and transportation, \nthat impact restoration of communications services. Our vision for \nthe future, and emphasis on close collaboration with the private \nsector, follows directly from these lessons learned. \n\tIn our partnerships, the government must deliver real \nvalue to our private sector partners, who are clearly committed \nto a collaborative approach.  Smart, effective partnerships demand \nthat we: \n Understand how the private sector will prepare for and respond to \ncyber disasters - and where the government can complement industry \npractices; \n Leverage state of the art technologies to improve preparedness and \nresponse and sustain privacy protections; \n Promote pools of knowledge and subject matter expertise for \nreconstituting communications and information infrastructure; and \n Ensure close coordination of Preparedness Directorate functions, \nsuch as those provided by NCSD and NCS. \n\tGovernment Partnerships.  The Department is similarly committed to \nenhancing partnership arrangements across the Federal government and \nwith State, local, and tribal governments.  
We will continue to \nexplore innovative ways to leverage skill sets outside of the \nDepartment as part of our strategy for cyber-preparedness and \nresponse. We currently partner with the Multi-State Information Sharing \nand Analysis Center (MS-ISAC), as well as key operational \ninformation technology and communications officials in the states, \nand we are strengthening those partnerships for recovery and \nreconstitution efforts. \n\tPartnerships with Academia.  The Department is serious \nabout partnering aggressively with experts in academia. To date, \nthe Department has included academia in partnership discussions; \nhowever, in order to lay a foundation for more effective cyber \nresponse capability, we must seek guidance from academia on a range \nof more complex problems.  As an example, we expect to learn more \nfrom academia on such matters as challenges with insurance and \nrisk transfer for the critical infrastructure sectors as well as \nbusiness case arguments for catastrophic preparedness. These areas \npromote public and private sector collaboration.   \n\nThird, we must create a culture of preparedness - both to prevent a \ncyber disaster and to mitigate damages if widespread disruptions \noccur. \n\tOur third and final strategic goal seeks to influence how we \nprepare for security challenges in the coming decade. As with our \nother strategic priorities, this goal demands a focused and \ndisciplined approach in several areas. At a minimum, we are \nstructuring programs to: \n  Clearly outline preparedness organizations, relationships, and \nexpectations:  One of the Preparedness Directorate\'s strategic \npriorities is to clearly set forth all aspects of "doctrine" in \naccordance with legislative and Presidential direction. To create a \nlong-term culture of preparedness, we are developing clear \norganizational doctrine, which memorializes strategic policies, \nclarifies roles and responsibilities, and defines measures of \naccountability. 
\n Promote a shared way of life that measurably improves preparedness \nfor a catastrophic cyber disaster: Finally, we are focusing our \nenergies on cyber-preparedness. Our programs in the coming years \nwill seek to inculcate to change behavior as we continue to leverage \nour government partners to help continue efforts in these other \nareas.   Awareness and education in the past decade have focused \non large segments of the population, including home users and \nstudents in K-12. We hope to develop additional awareness programs \nthat look more carefully at catastrophic cyber risk and continue to \nleverage our government partners to help advance our efforts in \nthese other areas.  \n\nOrganizational Framework  \n\tThe three strategic goals outlined above will require clear \n organizational directions and programs. \n\tHSPD-7 directs the Department to establish an organization \ndedicated to cyber security.  The Preparedness Directorate\'s \nNational Cyber Security Division (NCSD) has been that organization \nsince it was created in June 2003.  Since its inception, the NCSD \nhas taken on the broad mandate of HSPD-7 and those provided in the \nPresident\'s National Strategy to Secure Cyberspace, in its mission \nto work collaboratively with private, public and international \nentities to secure cyberspace and America\'s cyber assets. \n\tThe NCSD is just one of the valuable preparedness resources \nwithin the Department. As part of the Preparedness Directorate, the \nNCSD works closely with the Office of the Manager of the National \nCommunications System (NCS), which addresses national security and \nemergency preparedness (NS/EP) telecommunications.  These two \nentities comprise what is now the Office of Cyber Security and \nTelecommunications. 
The Office of Cyber Security and \nTelecommunications works closely with the Office of Infrastructure \nProtection to ensure that the ever increasing interconnected nature \nof physical and cyber security is integrated throughout our \noverall preparedness efforts. \n\tThe National Communications System consists of 23 Federal \ndepartments and agencies with assets, resources, requirements \nand/or regulatory authority regarding national security and \nemergency preparedness (NS/EP) communications.  Established \npursuant to Executive Order 12472, the community is administered \nby DHS as Executive Agent and Manager and it supports the Executive \nOffice of the President (the National Security Council, the Homeland \nSecurity Council, the Director of the Office of Science and \nTechnology Policy and the Director of the Office of Management and \nBudget) in the coordination of the planning for and provision of \nnational security and emergency preparedness communications for \nthe Federal government under all circumstances, including crisis \nor emergency, attack, recovery and reconstitution. \n\tExecutive Order 12472 also mandates inclusion of an \nindustry component, the National Coordinating Center (NCC) for \nTelecommunications, or NCC Watch, a joint industry/Government body \noperating a 24 hour, 7-day a week watch center to coordinate NS/EP \ncommunications activities.  The NCC Watch has a unique relationship \nwith members of the private telecommunications sector in the \nCommunications Information Sharing and Analysis Center (ISAC).  \nThe Communications ISAC provides an opportunity for private sector \nindustry to partner with government to exchange information and \ncoordinate restoration of communications assets and services \nduring emergencies.  In this role, the NCC Watch communicates \ndaily and shares a web-portal with NCSD (US-CERT) on cyber related \nissues.    
\n\tTo meet its mission, the NCSD is focused on leading a cyber \nrisk management program, and building and enhancing the National \nCyberspace Response System.  To address these priorities, the NCSD \nis engaged in a public-private partnership which is incorporated \ninto all of NCSD\'s programs.  This is especially critical since \nthe vast majority of our national assets and critical infrastructure \nare owned and operated by the private sector.   \n\nNational Cyber Risk Management Program \n\tThe National Cyber Risk Management Program reflects the \nDepartment\'s overall strategic approach that is focused on risk \nmanagement, as outlined in the National Infrastructure Protection \nPlan (NIPP).  The NIPP incorporates the Department\'s overall risk \nmanagement framework to assess and reduce our cyber risk, and \nimprove our planning for response, recovery, and reconstitution \nof our critical networks.  \n The Department released the NIPP on June 30 of this year after \nconsultation with industry.  The NIPP formalizes the collaboration \nbetween government and industry through the Sector Partnership Model \nwith Sector Coordinating Councils (SCC) and Government Coordinating \nCouncils (GCC) working together to address risk by analyzing \nconsequences, vulnerabilities, and threats.  \n* The NIPP provides a unifying structure for protection of the \nNation\'s 17 critical infrastructure and key resources (CI/KR) \nsectors designated in HSPD-7, including the Information Technology \nSector and the Internet.  The NIPP calls upon each sector to develop \na Sector Specific Plan based on the risk management framework.  DHS \nis the Sector Specific Agency (SSA) responsible for both the \nInformation Technology Sector and the Communications Sector, and \nassists other sectors with the cyber elements of their \ninfrastructure.  The NCSD works closely with the IT Sector \nCoordinating Council, which was formally launched in January of \nthis year.  
The IT-SCC and IT-GCC are working together on the IT \nSector Specific Plan, which will be completed at the end of the \nyear.  \n In order to accomplish the risk management objectives of the NIPP, \nwe have been working closely with the private sector to build the \nframework required.  To facilitate the development of this \npartnership, the Department has established the Critical \nInfrastructure Partnership Advisory Council (CIPAC). The CIPAC \ncomprises representatives from each of the critical infrastructure \nand key resources (CI/KR), sectors, SCCs, and GCCs, and provides a \nmechanism for the information exchange and collaboration between \nindustry and government that is so crucial to understanding the \nrisk we face. The Council also prioritizes the protective \nmeasures that need to be taken to reduce that risk. \n\n\tAs we develop the IT Sector Specific Plan and deepen our \ncollective understanding of the cyber risks in other sectors, we \nare building the foundation for the development of a national cyber \nrisk assessment.  Working with our government and private sector \npartners, we are taking steps, such as developing attack scenarios \nand conducting red cell workshops and exercises, to identify what \nwe are most concerned about in cyberspace, and then using that \ninformation to build our response and mitigation plans.  As part \nof our risk management efforts, we have three priority mitigation \nprograms. \n\tFirst, as discussed above, the Office of Cyber Security \nand Telecommunications has established an IDWG to address the \nresiliency and recovery of Internet functions in the event of a \nmajor cyber incident.  The IDWG is working with government, private \nsector, academic and international security experts to examine \nrisks, improve preparedness and situational awareness, and identify \nmeasures that we can take to protect against nationally significant \nInternet disruptions.  
The IDWG conducted a tabletop exercise in
June to examine the kinds of scenarios that would have significant
impact on the Internet, understand when information exchange between
the public and private sector is mutually beneficial, and to
determine what roles and responsibilities industry and government
should assume in responding to and recovering from such disruptions.

	Second, the NCSD is collaborating with the national
laboratories for its Control Systems Security Program to bring
together government, industry, and academia to address the threats
and vulnerabilities of the process control systems that remotely
operate and control access to many of our critical infrastructure
assets and systems.  To support the Program, NCSD has established a
US-CERT Control Systems Security Center, which is an assessment and
incident response facility located at Idaho National Laboratory.
The Department also partners with the industry sectors that utilize
process control systems in their operations through the Process
Control Systems Forum, or "PCSF".  The PCSF met recently in San
Diego and furthered its work to accelerate the security of control
systems, provide a venue for sharing perspectives on cross-sector
security issues, and facilitate solution-driven collaborative
workshops.

	The third risk mitigation effort is NCSD's Software
Assurance Program that seeks to reduce software vulnerabilities,
minimize exploitation, and address ways to improve the routine
development of trustworthy software products and tools to analyze
systems for hidden vulnerabilities. In collaboration with
industry, academia, and government partners, the Department's
approach to addressing software assurance identifies the following
as keys to success:
* People - education and training for developers and users
* Processes - practical guidelines and best practices for the
development of secure software
* Technology - tools for evaluating software vulnerabilities and
quality
* Acquisition - specifications and guidelines for acquisition and
outsourcing
	To further its efforts, the Software Assurance Program holds
semi-annual Software Assurance Forums with other Federal agencies,
industry, academia, and international entities to facilitate
ongoing collaboration and progress. As part of the program, NCSD has
launched "Build Security In" to raise awareness and foster
collaborative efforts.
	The Office of Management and Budget (OMB) has recently
designated NCSD as the Managing Agency for the Information Systems
Security Line of Business.  As part of NCSD's work with the Federal
government, NCSD is currently working to establish a Program
Management Office for this government-wide initiative which has
an overarching goal of improving the effectiveness and consistency
of systems security across the Federal enterprise.  This effort will
reduce costs through consolidation and standardization of resources.
DHS will be working closely with partner agencies in overseeing
the implementation of information systems security products and
services.

	In order to reduce our collective cyber risk we need to raise
awareness of cyber security vulnerabilities and understand what we
must do as individuals to create a collective, shared secure cyber
infrastructure.
	NCSD's awareness program leverages partnerships with the
Multi-State Information Sharing and Analysis Center (MS-ISAC) and
the National Cyber Security Alliance (NCSA), as well as our own
National Cyber Alert System to reach state and local governments,
small businesses, home users, and K-12 and higher education
audiences. October is National Cyber Security Awareness Month.
In October 2005, together with our state government and industry
partners, we reached millions of Americans with a public service
announcement, a satellite media tour on how to avoid identity
theft in cyberspace, a national cyber awareness webcast for fourth
and fifth graders, and many other activities.  We look forward to
making this year's campaign even more successful.
	Cyber space is borderless, and as such, managing cyber risk
needs to take into account international activities.  NCSD has an
international affairs program that seeks to address cyber security
globally through cooperation and collaborative action toward
building and leveraging the relationships needed to prevent, protect
against, respond to and recover from cyber incidents and reduce
overall cyber risk.

National Cyberspace Security Response System
	There are three elements to the National Cyberspace Security
Response System: the U.S. Computer Emergency Readiness Team
Operations, or "US-CERT Ops"; the National Cyber Response
Coordination Group, or "NCRCG"; and our regional preparedness and
recovery efforts.

	The first key element, US-CERT, was established in 2003
as a partnership between the Department and the public and private
sectors to protect the nation's critical infrastructure and
coordinate defense against and responses to cyber attacks.  The
US-CERT public website, http://www.us-cert.gov, the secure portal
for stakeholders, and the National Cyber Security Alert System,
provide timely, actionable information to technical and
non-technical users.  We encourage each of you to sign up for
the US-CERT cyber alerts by going to http://www.us-cert.gov.
	NCSD/US-CERT has an Operations component, which manages
many aspects of the Cyberspace Security Response System, including
situational awareness, incident handling and response, malicious
code analysis, and strategic operations.  Under Federal Information
Security Management Act guidelines, OMB requires all Federal
civilian agencies to notify US-CERT of any data breaches,
unauthorized access, or suspicious activity, including the loss
of personally identifiable information within one hour of discovery.
	US-CERT maintains a 24x7 secure Watch center; acts as a
trusted third party to assist in the responsible disclosure of
vulnerabilities; develops and participates in regional, national,
and international level exercises; supports forensic investigations
with recursive analysis on artifacts; provides malware (software
that is designed to infiltrate or damage a computer system, without
the owner knowing) analytic and recovery support for government
agencies; coordinates Federal programs of computer emergency
response teams and Chief Information Security Officer peer groups
for sharing cyber incident information, best practices, and other
cyber security information; and, collaborates with national and
international computer security incident response teams both in
the US and abroad.
US-CERT's efforts in these and additional
areas build our cyber situational awareness capabilities that allow
us to prepare for and defend against cyber attacks, while also
enhancing our ability to respond to the attacks.
	US-CERT has established the Government Forum of Incident
First Response Teams (GFIRST), a community of Federal agency
incident response teams, which comprises the government's critical
group of cyber first responders.  GFIRST meets regularly, and we
have hosted two GFIRST conferences to enhance information sharing
and collaborative efforts to secure government cyberspace.
US-CERT provides an Internet Health Service tool to GFIRST members
through the US-CERT secure portal.  IHS is a web-based application
that provides members with access to several commercially available
Internet and security products for use in building their situational
awareness capabilities through the monitoring of their respective
networks and the overall health of the Internet.  In addition, as
part of our Situational Awareness Program, US-CERT also leverages
information technology for the automated sharing of critical
information across the Federal government and analysis of traffic
patterns and behavior.
	US-CERT has developed a set of informational resources
that it provides to our public and private sector stakeholders,
including alerts, vulnerability notices, current activity
reports, Federal Information Notices provided to the GFIRST
community and Critical Infrastructure Information Notices provided
to the private sector Information Sharing and Analysis Centers.
In addition, US-CERT runs the National Cyber Alert System and the
public website referenced above, which provide cyber security tips,
guidance, and other resource materials to technical and
non-technical audiences.

	The second key element of the National Cyberspace Security
Response System is the National Cyber Response Coordination Group,
or "NCRCG".  NCSD co-chairs the NCRCG with its counterparts in the
Department of Justice and the Department of Defense.  The NCRCG
includes 13 agencies with responsibility for and capabilities in
cyber security matters and works to coordinate national response
activities to incidents of national significance. The NCRCG meets
monthly to prepare for cyber issues through tabletop exercises and
working groups.
	In addition to the IDWG's efforts and US-CERT Operations
incident handling and analysis functions, the NRP's Emergency
Support Function 2 (ESF-2) for Communications, led by NCS, is a
critical component of advanced planning and ensuring coordinated
recovery efforts.  When ESF-2 is activated, the Manager of the
NCS ensures appropriate NS/EP communications support to operations
conducted under the NRP.  As part of ESF-2, NCSD works closely
with NCS on preparing for recovery and reconstitution of
critical communications networks and services.  In preparation for
this year's hurricane season, we have held ESF-2 training and
exercise sessions with participation by many Federal agencies and
organizations.  We have created and published an ESF-2 Operational
Plan and a Standard Operating Plan for ESF-2 supporting agencies
to enhance understanding across the spectrum of public and private
sector entities that participate in recovery and reconstitution
efforts.  We have hired two Regional Communications Coordinators
for Federal Regions IV and VI communications pre-planning with
state emergency planners.  The NCS has also created more analytical
tools for predictive and post-impact analysis.

	One of the critical parts of ESF-2 is a management function
to coordinate and facilitate the handling of private sector
donations for recovery and reconstitution efforts in the immediate
aftermath of a disaster such as Hurricane Katrina.  We are working
with our private sector stakeholders and state and local government
partners to establish a set of requirements for such donations in
order to match those needs with the products and services
available.
	The third key element of the National Cyberspace Security
Response System is our regional preparedness and recovery efforts.
Our regional efforts have greatly improved DHS's ability to
incorporate the work of our government and private sector
stakeholders at both the state and local levels.  The Pacific
Northwest Economic Region and the Gulf Coast Region are
increasingly coordinating their efforts as a result of exercises
held in the respective regions, and we are working with them to
continue their preparedness planning for both cyber security
events, and manmade or natural disasters that have a cyber
impact.  In addition, we are working with our industry stakeholders
in the IT-SCC and the IT Information Sharing and Analysis Center to
develop plans for industry assistance in the event of an
incident that requires surge support to recover and reconstitute
critical IT systems.  These efforts depend greatly on our
partnerships with the full spectrum of affected industries,
state and local government stakeholders, and the emergency
response community.

Recent Success Stories
	I would like to take this opportunity to highlight two
recent success stories in our comprehensive cyber security
efforts.  First, we conducted the first National Cyber Exercise
organized and sponsored by the Federal government.
Conducted in
February 2006, "Cyber Storm" was the largest multinational,
cross-sector cyber exercise to date and assessed policies and
procedures associated with a cyber-related incident of national
significance, as outlined in the National Response Plan's Cyber
Annex.  The exercise tested, for the first time, the full range
of cyber-related response policy, procedures, and communications
methods required in a real world crisis.
	Cyber Storm exercised the responses of over 100 public and
private agencies, associations, and corporations in over 60
locations and five countries.  It achieved collaboration in crisis
response at operational, policy, and public affairs levels,
including participation of more than 30 private sector corporations
and associations in the planning, executing, and after action
analysis of a federally funded and congressionally mandated
emergency response exercise. As mentioned earlier, Cyber Storm
exercised the NCRCG as the principal Federal mechanism for
coordinating the national response to a cyber incident of national
significance. Cyber Storm demonstrated the close cooperation and
information sharing needs across Federal agencies, across
boundaries, and between the public and private sectors.
	First, the exercise reinforced the importance of defining
roles and responsibilities, processes and procedures and having
strong communications and coordination among the cyber community.
In addition, it highlighted the importance of coordinating and
integrating incident communications and public affairs outreach.
Unlike a physical, self-announcing incident, a set of cyber attacks
such as those imagined in the Cyber Storm scenario is not
immediately apparent, either in occurrence or attribution.
The
correlation of multiple incidents proved challenging for our
players, and only further demonstrated the importance of
public-private relationships and the need to provide on-going
training activities, discussions, and exercises to further build
those relationships to strengthen our collective response to a
cyber incident.
	A second accomplishment falls in the international arena.
At the end of June, we successfully hosted here in Washington
the second multilateral conference on the development of an
International Watch and Warning Network, or "IWWN", among 15
countries in the Americas, Europe, and Asia Pacific.  The country
participants included representatives from their government
critical information infrastructure protection organizations,
their computer security incident response teams, and their law
enforcement agencies with responsibility for cyber crime. The
IWWN was established in 2004 to foster international
collaboration on addressing cyber threats, attacks, and
vulnerabilities.  The June conference established a clear path
forward for the IWWN community to enhance global cyber
situational awareness and incident response capabilities and
marked the launch of a secure Internet portal to facilitate
ongoing international information sharing as well as coordination
during cyber incidents.

The Road Ahead
	As we further develop our programs and leverage our recent
successes, there are some efforts we need to undertake in the near
term with our industry and agency partners to better prepare
ourselves to respond to, and recover from, cyber incidents.
These
efforts include, but are not limited to:
* Further integration of the cyber security and telecommunications
efforts in the Department and with industry to reflect increasing
convergence in the sectors;
* Clearer articulation of roles and responsibilities in the
public-private partnership for information sharing and incident
response through coordinated concept of operations and standard
operating procedures;
* Development of the IT Sector Specific Plan in the NIPP risk
management framework;
* Development of a national cyber risk assessment based upon the
cross sector cyber component of the NIPP risk management framework;
* Share aggregated situational awareness across the civilian
agencies, the military, the international community, and the private
sector; and
* Further collaboration between US-CERT Operations and the Department
of Defense's Joint Task Force-Global Network Operations to leverage
our respective expertise and capabilities toward common cyber
security objectives.

	These action plans have defined benchmarks and milestones to
drive and track our progress in each of these areas.

Conclusion
	The National Cyber Security Division has established its
mission and priority objectives, developed a strategic plan, and
undertaken significant steps to implement its strategic plan across
the programs outlined here.  In this ever-evolving environment, we
know that the target will shift to accommodate new threats, new
vulnerabilities, and new technologies.  We need to be flexible enough
to adjust our efforts to meet these new challenges.

	Our progress to date is tangible: we have a construct for
public-private partnership; we have a track record of success in our
cyber operations; we have established relationships at various
levels to manage cyber incidents; we have built international
communities of interest to address a global problem; and we have
tested ourselves at a critical development stage and will continue
to examine our internal policies, procedures, and communications
paths in future exercises.  We are building on each of these
achievements to take further steps to increase our cyber
preparedness and improve our response and recovery capabilities.
	I would like to thank the Subcommittee for its time today
and I appreciate this opportunity to bring further transparency
to these important cyber security priorities.

	MR. UPTON.  Mr. Moran.
	MR. MORAN.  Thank you.  Good morning, Chairman Upton,
Mr. Markey, and distinguished members of the subcommittee.  My name
is Ken Moran.  I serve as the Director of the Federal
Communications Commission's Office of Homeland Security.  In that
role, I am responsible for coordinating the Commission's policies
and activities with respect to homeland security and emergency
preparedness.
	The importance of effective communications cannot be
overstated, especially during emergencies.  The attacks of
September 11 and the unprecedented devastation caused by Hurricane
Katrina remind us to be prepared for both natural and manmade
disasters.  Effective response to a disaster, regardless of its
cause or lack of advanced notice, is tied to the ability of first
responders and command and control authorities and the public to
communicate.  Immediate, secure, and reliable communications are
needed across all platforms.
	Today, I am testifying about the Network Reliability
and Interoperability Council, known as the NRIC, a Federal advisory
committee chartered by the Commission.
I will also share some of
the lessons the Commission learned from its experiences in dealing
with Hurricanes Katrina, Rita, and Wilma.
	This subcommittee's attention to cybersecurity issues comes
at an important time in the development of broadband and IP-based
networks.  Communications traffic is increasingly migrating to
these high speed packet based technologies.  With the rollout of
these technologies, we are seeing a network security environment
very different from that of the public switched telephone network, or
PSTN.  Unlike the PSTN, Internet based communications systems
are decentralized and far more open.  As a result, they present
new and difficult challenges in order to deliver the expected high
level of reliability and security.
	The Network Reliability and Interoperability Council
examines ways to improve and strengthen the Nation's critical
communications networks.  NRIC members agree on best practices
through a process of consensus and adopt solutions that are field
tested.  In recent years, NRIC subject matter experts contributed
thousands of hours in study and dialog that resulted in the
identification of best practices that address business continuity,
physical security, and public safety communications.  In fact, over
200 best practices address cybersecurity issues.  The Commission
is actively promoting both the awareness and the implementation of
these best practices.
	Last fall, Hurricane Katrina caused an enormous amount of
damage to the communications infrastructure.  The Commission
chartered an independent committee called the Katrina Panel to
analyze the impact that Katrina had on critical infrastructure, to
examine the overall recovery effort, and to recommend ways for
improvement.  In June of this year, the Katrina Panel completed
its work and produced a report with a number of important
recommendations.
The Commission subsequently released a notice
seeking comment on these recommendations.  Here are a few.
	The Federal Government should encourage and work with each
communications sector to develop and publicize readiness checklists.
State and local authorities should keep a reserve supply of
communications equipment, including IP gateways, for quick
restoration of communications functionality.  The FCC should serve
as the single point of contact within the Federal Government for
communications data collection.  The FCC should work with the
Department of Homeland Security and the Congress to improve the
credentialing processes and have critical infrastructure providers
treated as emergency responders under the Stafford Act.
	In large measure, the functioning of the Internet is
dependent on communications networks that carry packet-based
information through both wired and wireless systems.  These
communication networks support e-commerce measured in billions of
dollars per year.  They enable many new communications applications,
including the use of voice over the Internet, and they help first
responders use IP solutions for interoperability.
	The Commission is actively engaged in promoting the
development of new technologies to ensure that robust, reliable,
and readily restorable communications networks exist to lead our
Nation into the future.
	I would be pleased to answer your questions.  Thank you.
	[The prepared statement of Kenneth P. Moran follows:]

PREPARED STATEMENT OF KENNETH P. MORAN, DIRECTOR, OFFICE OF HOMELAND
SECURITY, ENFORCEMENT BUREAU, FEDERAL COMMUNICATIONS COMMISSION

	MR. UPTON.  Mr. Weafer.
	MR. WEAFER.  Mr. Chairman, Ranking Member Markey,
distinguished members of the subcommittee, thank you for inviting me
here today to testify about protecting our Nation's critical
infrastructure from cyber attacks.
My name is Vince Weafer and
I'm the Senior Director of Symantec Corporation.
	I commend the committee for bringing attention to this
critical issue of the threat of potential cyber attacks against our
Nation's information infrastructure.  I would like to provide you
with the current assessment of the vulnerabilities of our Nation's
critical infrastructure and share with you some insights of how
cyber crime is undermining consumer trust and confidence in using
the Internet for commerce.
	Before I turn to the substance of my testimony, I would
like to provide some background on Symantec.  We are a local leader
in information security.  Symantec provides solutions that assure
security, availability, and integrity to our customer's
information.  Headquartered in Cupertino, California, Symantec
employs over 15,000 professionals and has operations in over 40
countries.
	I am responsible for Symantec's Security Response global
research teams, whose research provides rapid response to the latest
Internet security attacks.  Our global intelligence network consists
of over 40,000 sensors monitoring the computer activity in over 180
countries.  We operate four security operation centers worldwide,
in the United States, here in Alexandria, England, Germany, and
Australia.  Each provides preemptive managed protection to
potential cyber threats 24/7.  In short, if there is a class of
threat on the Internet, Symantec knows about it.
	The important message regarding our Nation's cybersecurity
landscape is that threats in our critical infrastructure are
absolutely real, and without a doubt growing in intensity and
volume.  The question is not if or when, but when will we be
attacked; how severe will that attack be?
	Today's cyber threat landscape has changed.  Internet
attacks these days are not the large scale fast-moving virus or worm
pandemics that we saw with frequency just a couple of years ago.

Consider this:  from 2002 to 2004, there were almost 100 medium to
high severity attacks.  Last year, there were only six, and this
year, there have been none.
	What happened?
	Well, we have certainly made significant headway in
containing these sorts of threats, but the very nature of the risk we
face has also changed.  Cyber crime is now the dominating security
threat we are seeing today.  In the past, cyber attacks were largely
designed to destroy data and gain notoriety, but today's attacks
are increasingly designed to silently steal information for profit
or advantage.  Fraud, intelligence gathering, and gaining access to
vulnerable systems are the motivation behind today's attacks.
	How do many of these threats arrive in the consumer's
computer?  A lot do so through botnets, programs that provide
attackers unauthorized and secret control of the computer.  Botnets
are the engines that drive most of the criminal activity we see
today, as their use distributes spam, phishing, malicious code,
as well as storage for illegal material.  Many of these botnets are
created on systems owned by home users, small businesses, and even
some large corporations.
	Symantec releases a biannual Internet security threat
report, or ISTR, which includes a worldwide analysis of Internet
attacks, which review known threats, vulnerabilities, and security
risks.  The findings consistently reveal a strong growth in
cyber crime software built for the purpose of committing online
scams, stealing information, bots, keystroke loggers, spyware,
adware, and Trojan horses.
	Attackers are not focusing just on GAN systems, but the
exploitable web browsers and also on the weaknesses of Web servers
and Web applications themselves.  Bots are contributing to the rise
in cyber crime threats in the United States, having the highest
percentage of bot command and control servers in the world.
There
has been an increase in modular malicious code, which initially
possesses limited functionality, but is designed to update itself
with new, more damaging capabilities.
	With all of these threats and vulnerabilities that exist
on today's Internet, it is difficult to quantify the economic impact
of cyber crime, but according to the cyber crime costs about $47
billion to U.S. businesses last year.  A report by the Congressional
Research Service also found that cyber attack targeted firms suffer
a stock price decrease of about 1 to 5 percent in the days after
attack, which translates into shareholder loss of between $50 and
$200 million.
	Over the past year, more than 53 million records of
Americans' private, personal information, an average of over 142,000
times per day, have been hacked into, lost, stolen, or otherwise
compromised from digital databases.  The cost of these breaches is
astounding.  According to the Federal Trade Commission, identity
thefts cost businesses annually $48 billion, and last year,
consumers lost $680 million.  But more damaging than loss of money
is a loss of trust and confidence by consumers in the Internet.
That is why we can't risk losing the public's trust in online
commerce, but we are.  According to a survey conducted by the
Conference Board, 41 percent are purchasing less online because
of security concerns, and a survey by the Cybersecurity Alliance
found that 32 percent of respondents strongly believe their
financial information gets stolen.
	Congress can help fight cyber crime and cyber terrorism by
investing in cyber safety education and awareness, increasing funding
for cyber R&D, passing a strong national data breach law, extending
international cyber crime law enforcement efforts, and requiring an
Internet reconstitution plan for the U.S. government.
	I would be happy to elaborate on these points and any
questions the committee may have.  Thank you.

	[The prepared statement of Vincent Weafer follows:]

PREPARED STATEMENT OF VINCENT WEAFER, SENIOR DIRECTOR, SYMANTEC
SECURITY RESPONSE, SYMANTEC CORPORATION

Summary of Points for Vincent Weafer Testimony

* It's vitally important that we pay attention to the threats to our
nation's security including the clear and present danger of
potential cyber attacks against our nation's information
infrastructure.
* An attack against the U.S. that combines both cyber and physical
elements could be particularly devastating.  The threats to our
critical infrastructure are absolutely real and, without a doubt,
growing.
* Cybercrime is the dominant security threat we're seeing today and
there's been a marked increase in the use of "crimeware," or
software used to conduct cybercrime.
* Cybercrime is undermining consumer trust which in turn is eroding
the public's confidence in performing commerce over the Internet.
There are economic consequences that cyber attacks are having on
the U.S. economy.
* The cyber threat landscape has changed.  In the past, cyber
attacks were largely designed to destroy data or gain notoriety, but
today's attacks are increasingly designed to silently steal data
for profit or advantage, without leaving behind the system damage
that would be noticeable.
* Symantec's most recent Internet Security Threat Report (ISTR) found
that the last 6 months have seen growth in attack trends, bot
infections, denial of service attacks, malicious code such as Trojans
and phishing attacks.
* Symantec's ISTR found that attackers are moving away from large,
multiple purpose attacks against traditional security devices such
as firewalls and routers. Instead, they are focusing their efforts
on smaller regional businesses using a combination of employee and
end user desktops and Web applications to steal corporate,
personal, financial, or confidential information.

* Programs that provide attackers with unauthorized control of a
computer, known as bots, also contribute to the rise in cybercrime
threats. Symantec identified an average daily total of 57,717
active bot network computers per day or a total of 4,696,903
distinct active bot network computers over the six month period.
In the first six months of 2006, the United States had the highest
percentage of bot command-and-control servers with 42% of the
worldwide total.  As a result of this, fifty-eight percent of all
spam detected worldwide originated in the United States.
* If we fail to create a trusted digital environment, we won't just
slow the growth of e-business, but of all business.  And this is
the real hidden threat today - not some massive cyber attack, but
the loss of consumer confidence in the digital world.
* It is difficult to quantify the economic impact of cyber crime but
according to the FBI's 2005 Cyber Crime Survey cyber crime costs
about $67 billion to U.S. firms over the last year.
* The cost of these breaches, in terms of time and money, is
astounding.  According to the Federal Trade Commission identity
theft costs businesses $48 billion annually, and last year cost
consumers $680 million in losses.  On top of that, identity theft
victims collectively spent almost 300 million hours trying to
repair damage.
* In this country, we need one, national data-breach law.  The
business community must join together with Congress to push for
comprehensive privacy legislation.

Overview
	Chairman Upton, Ranking Member Markey, distinguished members
of the Subcommittee: Thank you for inviting me here today to testify
about protecting our nation's critical infrastructure and the
opportunity to provide you with an overview of the current cyber
threat landscape.  My name is Vincent Weafer and I am the Senior
Director of Security Response for Symantec Corporation.
\n\tI\'d like to begin by commending the Subcommittee for \nbringing attention to this critical issue.  It\'s vitally important \nthat we pay attention to the threats to our nation\'s security \nincluding the clear and present danger of potential cyber attacks \nagainst our nation\'s information infrastructure.  \n\tOur society\'s increasing dependence on computers means that \nthe disruption of our networks whether due to nation-states, \nterrorists, criminals, or simply pranksters could seriously impair \npublic safety, national security, economic prosperity and, more \ngenerally, our way of life. An attack against the information \ntechnology backbone of one of our nation\'s so-called critical \ninfrastructures such as communications services, energy, financial \nservices, manufacturing, water, transportation, health care, and \nemergency services could disrupt Americans physical and economic \nwell-being and have a worldwide impact. An attack against the \nU.S. that combines both cyber and physical elements could be \nparticularly devastating, such as a physical attack against a \nbuilding combined with disruption of the telecommunications \ninfrastructure needed to provide emergency services to the \nphysically affected area. \n\tAccordingly, I would like to devote my testimony today to \ntwo issues.  I would first like to provide this Subcommittee with \nSymantec\'s updated assessment of our nation\'s cyber security \nlandscape and discuss the vulnerabilities of the U.S. \ninformation infrastructure to cyber attacks.  \n\tSecond, I\'d like to discuss the considerable negative impact \nthat cybercrime is having on undermining consumer trust which in \nturn is eroding the publics\' confidence in performing commerce \nover the Internet. Finally, I will discuss the economic consequences \nthat cyber attacks are having on the U.S. economy. 

Background on Symantec
        Before I turn to the main substance of my testimony, I would
like to provide you background on Symantec Corporation.  Symantec is
the global leader in information security.  We provide solutions to
help individuals and enterprises assure the security, availability
and integrity of their information.  Symantec's Norton brand of
products is the worldwide leader in consumer security and problem
solving solutions.  Headquartered in Cupertino, California,
Symantec employs over 15,000 professionals and has operations in
more than 40 countries.
        I am responsible for the Symantec Security Response global
research teams.  My mission is to advance the research into the new
Internet security threats and to provide the most trusted and rapid
response to today's complex threats, security risks and cyber
attacks.  Symantec Security Response protects a variety of
businesses, consumers and government agencies from the latest
security threats.  Symantec Security Response consists of dedicated
intrusion experts, security engineers, virus hunters, and global
technical support teams that provide our customers with
comprehensive, global, 24x7 Internet security expertise to guard
against today's complex Internet threats.
        Symantec gathers our research from our "Global Intelligence
Network" which consists of more than 40,000 sensors monitoring
activity on computers in more than 180 countries.  We gather data
from over 120 million computer systems that use Symantec's anti-virus
products and probe over 2 million decoy email accounts.  Symantec
also operates 4 cyber Security Operations Centers spread across the
globe - including Alexandria, Virginia; London, England; Munich,
Germany; and Sydney, Australia - each dedicated to relentlessly
searching the Internet for potential cyber threats 24 hours a day,
365 days a year to provide managed, pre-emptive protection for our
customers.  If there is a class of threat on the Internet, Symantec
knows about it.

State of the Nation's Cyber Security Landscape
        As the company representative of the security technology
industry on this morning's panel, I want to stress an important
message about our nation's cyber security landscape:  First, the
threats to our critical infrastructure are absolutely real and,
without a doubt, growing.  The question is not if or even when
we'll be attacked but how severe the attack will be.
        Today, I stand before you to say that the threat has
changed.
        The main risks to information these days are not the
large-scale, fast-moving virus or worm pandemic type attacks that
we saw with frequency just a couple years ago. Consider this: from
2002 to 2004, there were almost 100 medium-to-high risk attacks.
Last year, there were only six and so far in 2006, there have
been none.
        What happened?
        We've made significant headway in containing and repelling
these sorts of threats. And an equally big part is that the very
nature of the risks we face has changed.  In the past, cyber
attacks were largely designed to destroy data or gain notoriety,
but today's attacks are increasingly designed to silently steal
data for profit or advantage, without leaving behind the system
damage that would be noticeable to a user.
        Fraud, intelligence gathering and gaining access to
vulnerable systems are the motivation behind many of today's
attacks. The attackers are not interested in notoriety. They're
interested in flying below the radar, using lower profile, more
targeted attacks, attacks that propagate at a slower rate in order
to avoid detection and thereby increase the likelihood of
successful compromise.  Instead of exploiting vulnerabilities
in servers, as traditional attacks often did, these threats tend
to exploit vulnerabilities in client-side applications that require
a degree of user interaction, such as word processing and
spreadsheet programs. A number of these have been zero-day
vulnerabilities. These types of threats also attempt to escape
detection in order to remain on host systems for longer periods
so that they can steal information or provide remote access.
They're increasingly interested in and capable of perpetrating silent,
highly-targeted attacks to steal sensitive personal, financial,
and operational information using data mining techniques to
identify the victims and improve the effectiveness of the
attack.
        Cybercrime is the dominating security threat we're seeing
today and there's been a marked increase in the use of "crimeware".
Crimeware is software built with the purpose of committing online
scams and stealing information; it includes (but is not limited to)
bots, keystroke loggers, spyware, backdoors, and Trojan horses or
software used to conduct cybercrime.
        Symantec just compiled the latest cyber threat data for our
tenth Internet Security Threat Report, or ISTR, which is widely
acknowledged to be the most comprehensive analysis of security
activity for today's information economy.  The Report includes an
analysis of network based attacks on the Internet with a review
of known threats, vulnerabilities, and highlights of malicious
code and additional security risks.  Symantec has provided this
Report semi-annually since 2002.
        The ISTR also offers security best practices for consumers
and businesses to help them protect against current and emerging
cyber crime threats.  Symantec's ISTR found that the last 6 months
have seen growth in attack trends, bot infections, denial of service
attacks, malicious code such as Trojans and phishing attacks.
        Symantec's ISTR found that attackers are moving away from
large, multiple purpose attacks against traditional security
devices such as firewalls and routers. Instead, they are focusing
their efforts on regional targets, desktops and Web applications
that may allow an attacker to steal corporate, personal,
financial, or confidential information; this information could
then be used for additional criminal activity.  Attackers are
focusing not just on the end users' systems via exploitable
browser vulnerabilities, but also on weaknesses in the web
servers and web applications. They can use that weakness to drop
malicious code such as a keyboard logger onto a user's system,
when the unwitting and unprotected user browses or 'drives by'
the compromised Web site. This attack impacts both the end user's
privacy, as well as the brand name of the company whose Web
presence has been compromised.
        Programs that provide attackers with unauthorized control
of a computer, known as bots, also contribute to the rise in
cybercrime threats. Symantec's March 2006 Internet Security Threat
Report identified an average of 9,163 infected computers each
day - bot networks are being increasingly used for criminal activities
such as DoS-based extortion attempts.  We believe we will see a
continuing growth trend in the area of botnet infected computers.
During that period, the United States had a very high percentage
of the bot command-and-control servers worldwide.  Symantec expects
this trend to continue.
        Botnets are the engine that drives most of the criminal
activity, as they get used to distribute spam, phishing messages
and malicious code, as well as storage for illegal material. Many of
these botnets are created on systems owned by home users, small
businesses and even some large corporations.
        Symantec estimates that the measurement above is only
capturing a portion of global activity and that the actual infection
numbers are likely to be much higher. In our March 2006 Internet
Security Threat Report Symantec identified an average of 1,402 DoS
attacks per day - a 51 percent increase over the previous reporting
period. Our Reports consistently show that the United States was
the target of the most DoS attacks, accounting for over half of
the worldwide total.
        We believe that this growth trend will continue as attackers
leverage an increasing number of Web-based application and browser
vulnerabilities.
        In Symantec's March 2006 ISTR, we saw attacks directed at
Web application technologies increase - 69 percent of the
vulnerabilities reported to Symantec affected Web application
technologies, a 15 percent increase over the previous reporting
period.  The new report does see a significant number of attacks
targeted.  We found that Web application technologies, which rely
on a browser for their user interface, present an easier target for
attackers due to their availability over commonly allowed protocols
such as HTTP.
        Symantec has also consistently seen an increase in modular
malicious code, which initially possesses limited functionality but
is designed to update itself with new, more damaging capabilities.
Modular malicious threats often expose confidential information
that can then be used in identity theft, credit card fraud, or
other criminal financial activities.  According to our March 2006
ISTR, malicious code that could reveal confidential information
rose from 74 percent of the top 50 malicious code samples last
reporting period to 80 percent this period - an increase of 6
percentage points. Symantec expects this growth to continue to
increase in future reporting periods.
        These criminals are targeting all sorts of organizations.
By leveraging the vast number of new vulnerabilities, the
potential introduction of entirely new and more destructive forms
of malicious code and cyber attack tools represents a
substantial future risk. Our law enforcement, military and
national security agencies face an even more sophisticated threat
with all of these new vulnerabilities, zero day attacks and highly
targeted attacks.
        Right now, more than 20 nations possess dedicated computer
attack programs - and that number doesn't include terrorist
organizations.1 Cyber warfare is a part of their war plans.
        Indeed, in the first half of 2004, DoD experienced more
than 150 hostile intrusion attempts per day. In the first half of
2005, that number was up to more than 500 a day.2
        More specifically, cybercriminals could attack our computer
systems in a variety of ways, causing serious consequences
including: (1) compromising the integrity of data, such as deleting
records of financial institutions; (2) breaching the confidentiality
of data, such as obtaining information from power and energy plants
which can then be used to plan a physical attack; and (3) acting
as weapons of mass disruption to take down key Internet nodes
whose failure would then lead to a cascading effect, meaning
wide-ranging disruption of other parts of our critical
infrastructures, or more likely impacting our ability to respond
to a physical event.

The Economic Impact of Cyber Attacks and the Undermining of U.S.
Consumer Confidence in Using the Internet for Commerce
        Unless a trusted relationship exists between businesses and
consumers, the risks associated with online transactions will
become unacceptable.  So, the expectations are high.  And, the
stakes are enormous.
        Across industries, companies have built into their business
models the efficiencies of these new digital technologies - such as
real-time tracking of packages and online commerce.
The continued
expansion of the digital lifestyle is already built into almost
every company's assumptions for growth - and underpins the
assumptions for the global economy.
        Think about what would happen if banks were forced to stop
all online banking and go back to the days of long lines at teller
windows.  The costs would be enormous.  Today, it costs a
bank $10 when a consumer originates a loan online.  That cost
jumps to more than $200 when the loan is originated through a
branch office.
        We can't go back to the old way of doing business - and,
that's why creating confidence in the digital world is everybody's
job.  For the individual company, failure to protect their
customers' information will result in customers simply taking
their business someplace else, to someone they can trust.  And
they won't necessarily turn to the company around the corner.  In
the global economy, security can be a competitive advantage - or
disadvantage.  If consumers can't trust businesses from our
country, they'll look all over the world for the ones they believe
they can trust.  In such a world, security guarantees are very
likely to trump the comfort of the local brand.
        If we fail to create a trusted digital environment, we won't
just slow the growth of e-business, but of all business.  We won't
just hurt the digital economy, but the economy as a whole.  And
this is the real hidden threat today - not some massive cyber
attack, but the loss of consumer confidence in the digital world.
        The IT industry has made huge strides these past few years,
and from the evidence at hand we've made significant headway in
controlling large-scale, fast-moving viruses and worms.  The broad
adoption of best security practices and defense-in-depth
strategies, deployment of firewall, antivirus, and intrusion
detection software and the progress operating system vendors have
made in improving the security of their operating system platforms
have made this possible.  Mitigating the large scale virus and worm
challenge is a major accomplishment but those are yesterday's
problems.
        Today we face a bigger challenge.  As vendors and
enterprises have adapted to the changing threat environment, this
has resulted in more targeted malicious code and targeted attacks
aimed at client-side applications, such as Web browsers, email
clients, and other applications. These applications are used to
communicate over networks and interact with Web-based services
and applications and Web sites. Today's threats are silent and
highly targeted.  They take advantage of the naiveté and
inexperience of many online users.  For example, attackers set
up fake Web sites with relative ease and dupe people into offering
up financial information or making a donation to a bogus charity.
And of course, there are the large scale data breaches - some
innocent, some inside jobs, and some the work of skilled
criminals - that have made identity theft a growing threat to the
digital lifestyle.
        For six consecutive years, identity theft has topped the
annual list of consumer complaints collected by the Federal Trade
Commission.  Over the past year more than 52 million records of
Americans' private personal information - an average of 142,000
per day - have been hacked into, lost, stolen or otherwise
compromised from digital databases.
        The cost of these breaches, in terms of time and money, is
astounding.  According to the Federal Trade Commission, identity
theft costs businesses $48 billion annually, and last year cost
consumers $680 million in losses.  On top of that, identity theft
victims collectively spent almost 300 million hours trying to repair
damage.
        It is difficult to quantify the economic impact of cyber
crime but according to the FBI's 2005 Cyber Crime Survey cyber crime
costs about $67 billion to U.S. firms over the last year.  A Report
by the Congressional Research Service found that investigations
into the stock price impact of cyber-attacks show the identified
target firms suffer losses of 1%-5% in the days after an attack.
For the average New York Stock Exchange corporation, price drops
of these magnitudes translate into shareholder losses of between
$50 million and $200 million.
        But more damaging than the loss of money is the loss of
trust and confidence by consumers in the Internet economy which so
many of our nation's businesses depend upon.  We can't risk losing
the public's confidence in online e-commerce but consumers are
beginning to rethink doing business on the Internet.
        In the first six months of 2006, the home user sector was
the most highly targeted sector, accounting for 86% of all targeted
attacks.  According to a survey of more than 10,000 households
conducted by the Conference Board, 41 percent are purchasing less
online because of security concerns.  And according to a survey
by the Cyber Security Industry Alliance, 32 percent of respondents
strongly believe that their financial information may get stolen
online.
        We can't allow this trust to continue to erode.  We can't
continue to lose the public's confidence and expect to continue the
robust digital lifestyle that we've come to enjoy.  Trust,
ultimately, is the foundation of the online world.
        But we have a long way to go in educating consumers.
For
example, a study by Small Business Technology Institute (SBTI)
entitled "Small Business Information Security Readiness" reveals
a real lack of appreciation of the true economic impact of
information security incidents and a lack of knowledge of cyber
threats.  Additionally, they find a lack of forward planning and
matching investment required to maintain the security necessary
to protect small businesses.  Shockingly, this study found that
over 74 percent of small businesses perform no information
security planning whatsoever. Such a lack of knowledge and
awareness is inhibiting the wide adoption of adequate information
security protection.

Recommendations
        Let me now discuss some actions that we believe Congress can
take to improve our cyber security.

I. Awareness and Education
        Educating our consumers, our small businesses, the operators
of the critical infrastructure and all levels of government on the
importance of protecting our systems is essential. We need a broad
awareness campaign that reaches out to all users of the Internet.
        The growing use of always-on broadband connections by home
users and small businesses represents a significant amount of
computing power, which left unprotected can be taken over and used
as zombie machines to damage our networks and hinder the
commerce and services that flow through them.
        At the least, these home users should deploy a minimum
protection of firewall and anti-virus technology. The remote or
wireless-connected worker is also becoming more prevalent and can
unknowingly open up a corporate network to potential vulnerabilities
and attack through unprotected connections.
        Enterprises and government agencies should engage their
employees in security awareness programs to ensure better protection
of their systems, whether it's reminding them not to post their
passwords on a yellow sticky pad on their computer, or enacting
corporate best practices to change those passwords on a regular
basis, making them difficult to break.
        In an effort to better educate consumers, Symantec will
participate in the October National Cyber Security Awareness Month
initiative organized by the National Cyber Security Alliance (NCSA).
As a founding sponsor of the NCSA, Symantec will also support the
NCSA's national public service announcement campaign to promote
online security among individuals, small businesses and schools.
        The NCSA is a non-profit, public-private partnership
consisting of businesses, consumer groups, government agencies and
educational institutions dedicated to raising the awareness of
cyber security issues and best practices. The NCSA provides tools
and resources to empower home users, small business, and schools
to stay safe online. More information about the organization and
the October National Cyber Security Awareness Month can be found
at www.staysafeonline.info.
        At the enterprise and organizational level, the issue of
IT security has for too long been an administrator or a CIO issue.
This needs to change. Cyber security needs the attention of the
CEO and the boardroom. Only then can we institute the necessary
cultural change and focus enough attention and resources to truly
address this issue.  We urge the Committee to provide much needed
resources to the agencies under its jurisdiction such as the
Federal Trade Commission, the Department of Commerce and the
Federal Communications Commission to promote cyber education to
help better inform consumers of cyber threats.

II. Cyber Crime
        We need to realize that protecting the Internet is really a
global issue, one that requires better international cooperation.
First, we need better resources for law enforcement to work on
computer forensics, and we need cooperation from industry to
assist prosecutors in building cases. Second, the ratification of
the Council of Europe's cyber crime treaty is a good starting point
but now that this framework is in place we need additional resources
for international cybercrime enforcement, training funds and a
single point of contact in the U.S. to coordinate such efforts.
Third, industry should reach across borders when appropriate, to
share information on best practices, threats and vulnerabilities,
in order to gain a measure of early warning of potential attacks.
Finally, there should be a single point of contact in government so
that those leaders can communicate at a peer level in times of major
cyber attack.

III. Research and Development
        Today, industry and government tend to look at the more
immediate threats to our cyber infrastructure, rather than a holistic
view encompassing threats of today and tomorrow. It is a view that
needs to change. As mentioned earlier, flash threats may be on us in
the near future and we must be more proactive in our cyber security
practices, focusing on behavior blocking and better patch management,
including the use of fast, safe and non-disruptive patching. Given
the shrinking time from discovery to exploit, we should engage in
projects like real-time vulnerability scanning, management and
patching, and we must do it together in partnership; industry,
government and academia alike.  The Federal Government must focus
on funding cybersecurity R&D to meet the constantly evolving threats
that face our nation's critical infrastructure.  And the Government
must also lead by example, securing its own systems through the use
of reasonable security practices.

IV. Clearly Defined Internet Response and Reconstitution Policy
        The federal government needs a clearly defined Internet
response and reconstitution policy for all agencies and departments.
Public and private organizations that would oversee recovery of
the Internet have unclear or overlapping responsibilities, resulting
in too many institutions with too little interaction and
coordination. Also, existing organizations and institutions charged
with Internet recovery should have sufficient resources and
support. For example, little of the National Cyber Security
Division (NCSD)'s funding is targeted for support of cyber
recovery.

V. Secure Digital Control Systems for Physical Infrastructure
        Our nation relies on a digitally controlled utility and
commercial infrastructure such as the electrical transmission
grid, oil and natural gas, water, waste water, chemicals,
telecommunications, transportation, banking and finance - and
many critical manufacturing processes.  Remote control of
distributed critical infrastructure occurs with Supervisory
Control and Data Acquisition (SCADA) systems.  These systems are
designed to be open and interoperable; but their increasing use
of the Internet for communications makes them vulnerable to cyber
attack.  Such attacks could have devastating consequences such
as endangering public health and safety, according to the
Government Accounting Office.  We urge Congress to pass legislation
to form a task force of key government agencies, appropriate
regulators, experts in the cyber security field, and representatives
from utilities and suppliers to meet and recommend concrete actions
to improve the security of control systems supporting critical
infrastructure.

VI. Direct a Federal Agency to Track Costs Associated with Cyber
Attacks
        No one in the field is satisfied with our present ability to
measure the costs and probabilities of cyber attacks.  There are no
standard methodologies for the cost measurement, and study of the
frequency of attacks is hindered by the reluctance of organizations
to make public their experiences with security breaches.  The lack
of a methodology or measurement program also prohibits knowing
how much national efforts to improve cyber security are working.
We urge Congress to pass legislation directing the federal
government to work with private industry on a methodology to
measure the true cost of cyber attacks, and to track those
associated costs as part of ongoing national economic assessment.

VII. Pass a National Data Breach Law and Consider Comprehensive
Privacy Reform
        The business community must join together with Congress to
push for comprehensive privacy legislation.  Some governments have
already stepped to the plate.  However, up until now, the U.S.
government has been reactive - dealing with important parts of
the issue on a piecemeal basis.  Currently, U.S. privacy
regulations focus on sensitive areas such as financial and health
information and protecting children online.  It's an approach
that, ultimately, will result in a number of different confusing
regulations.  In light of the growth of identity theft and the
rise of invasive threats like spyware, we need a comprehensive
response that ensures that information is protected at every step
along the way.
        In this country, we need one, national data-breach law.
Instead of the quilt of state laws, we need one federal law that
protects all consumers from data breaches and requires businesses
to put in place some type of reasonable security measures.  We
urge Congress to pass a national data breach law this year that
would require notification of affected consumers and would provide
tough enforcement policies.
\n\nConclusions\n\tIn closing, let me issue this challenge to industry, \ngovernment and the individual users: We must take cyber security \nmore seriously and we must do it together. \n\tThe increasing prevalence of blended threats and the \npotential for even more fast-spreading and damaging exploits is a \nserious threat to our nation\'s information infrastructure and the \neconomic benefits that we derive from it. We need strong \nleadership from industry and government to promote awareness and \neducation on cyber security, more resources for law enforcement to \ninvestigate and prosecute cyber criminals, strong research and \ndevelopment partnerships to tackle the challenges of future threats \nto the Internet, and more vigilance from business and governments \nby putting resources and support behind a proactive IT security \nprogram. \n\tBut most importantly we all as individual users of the \nInternet need to do our part, to protect cyber space. Experience \nshows that effective implementations of security solutions cost \nin the range of 6-8% of overall IT budgets. Few corporations \noutside of the finance sector, or government departments, have \nallocated such levels of funding to this critical need. It is time \nthat we put our resources to work to minimize the risk of a \nserious disruption of our national cyber infrastructure. \n\tThank you and I look forward to your questions.\n\n\tMR. UPTON.  Mr. Kurtz.\n\tMR. KURTZ.  Thank you, Mr. Chairman and other members of \nthe committee.  It is a pleasure to be here this morning.  \n\tYou have asked me to comment on a very broad topic: to look \nat the importance of cybersecurity, not just as it relates to our \ncritical infrastructures, but across America\'s economy and for all \nconsumers. \n\tCyber systems are our newest and most pervasive \ninfrastructure.  
They drive and organize every facet of our \ncollective and individual lives, from national and economic \nsecurity to personal health and well-being.  And yet, we do not \nhave a strategic national capability to assess how well most \ncritical systems are protected and what the consequences are if \nthey fail.  There is little strategic direction or leadership \nfrom the Federal government in the area of information security.  \nInsuring the resiliency and integrity of our information \ninfrastructure and protecting the privacy of our citizens should \nbe a higher priority for the Government.  We must move beyond \nphilosophy and statements of aspiration to defining priorities \nin programs. \n\tCSI believes that the Government has a responsibility to \nlead, set priorities, coordinate, and facilitate protection \nresponse.  Let me be clear.  This is not a call for regulation \nand intervention.  This is a call for leadership.  It is myopic \nto assume that DHS has exclusive government responsibility for \nthe entire continuum of security across the information \ninfrastructure and for all threats. \n\tWhen we think about the potential impact of cyber threats \nand attacks on our overall economy, for consumers as a whole we \nmust acknowledge that we have a strategic national interest in \ncybersecurity and that a much broader review of cybersecurity is \nrequired and extended beyond DHS. \n\tWe face various forms of cyber attacks every day, and \nwithin businesses.  Every day, thousands of citizens have their \nsensitive personal information compromised through data breaches, \nphishing campaigns, Internet fraud, and other cyber crimes.  As \na result, consumers do not have confidence that they should in \nthe Internet.  A major cyber disruption could prevent companies \nfrom operating critical systems, possibly for sustained periods \nof time.  
This means the planes may not fly, goods and services
may not be distributed, power and gas may not be available, and
all this would potentially have a devastating impact on our
economy and national security.
    In preparing for how to respond to a significant cyber
event, the critical unanswered question is what is a suitable role
for the Government, including DHS, DOD, and FCC, in facilitating
recovery and reconstitution from an incident of national
significance?  The Federal government must engage in a serious
inquiry of the following questions.  What is an incident of
national significance and what is the process for determining such
an event?  What are its ramifications?  What obligations do the
private sector entities have to obey a DHS directive or another
entity's directive?  Who would resolve conflicting demands for
scarce cyber resources, such as bandwidth?  What authorities should
DHS, DOD, and FCC have to help the Nation recover from cyber
attacks?  We must take a holistic view.  The United States needs a
strategic national information assurance policy.
    We have a chart over to your right that you might take a
look at.  What I have tried to do here is identify a cycle, if
you will, for preparing for and responding to cyber attacks or cyber
difficulties.  It is an overly simplistic chart.  I will say
that right up front, you know.  You could add Department of
Energy and Treasury, but the point here is that several agencies
have a role and responsibility in this process, and it would be
helpful if the White House would assert a greater level of
coordination and support for these activities as well.  This
problem clearly extends beyond DHS.  DHS has significant issues
that it is trying to resolve, and it would help if the White
House would step in and ensure a greater level of coordination.
    DHS, working with other agents, needs to articulate a
chain of command for recovery and reconstitution.
In addition,
DHS needs to articulate an emergency communications system that
works, even when standard communications interconnectivity is
disrupted.  Emergency communications entail more than simply
establishing a resilient mechanism for allowing people to talk;
it requires advance identification of the right people being
able to use the right language to talk, and I will note that Under
Secretary Foresman's report that was released today talks about
some of these issues.
    A summary of our recommendations: consider the need for a
government-wide strategic national information assurance policy;
increase attention to cybersecurity; appoint a leader.  Everybody
has talked about the need for an Assistant Secretary for Cyber
and Telecommunications.  I don't need to dwell on that more.  Plan
to prevent or minimize a cyber attack of major significance.  Plan
to work with the private sector to recover from a major disaster.
And I have to urge the Congress to take the step and pass a national
bill to secure sensitive, personal information.
    Thank you.
    [The prepared statement of Paul B. Kurtz follows:]

PREPARED STATEMENT OF PAUL B. KURTZ, EXECUTIVE DIRECTOR, CYBER
SECURITY INDUSTRY ALLIANCE

Introduction:
    Chairman Upton, Congressman Markey and Members of the
Subcommittee, thank you for the opportunity to testify today.  My
name is Paul Kurtz and I am Executive Director of the Cyber Security
Industry Alliance (CSIA).
    CSIA is the only advocacy group dedicated to ensuring the
privacy, reliability and integrity of information systems through
public policy, technology, education and awareness.  The
organization is led by CEOs from the world's top security providers
who offer the technical expertise, depth and focus needed to
encourage a better understanding of security issues.
It is our
belief that a comprehensive approach to ensuring the security and
resilience of information systems is fundamental to global
protection, national security and economic stability.
    Before joining CSIA, I served at the White House on the
National Security Council and Homeland Security Council.  On the
NSC, I served as Director of Counterterrorism and Senior Director
of the Office of Cyberspace Security.  On the HSC, I was Special
Assistant to the President and Senior Director for Critical
Infrastructure Protection.
    You have asked me to comment on a very broad topic - to
look at the importance of cyber security not just as it relates
to our critical infrastructures, but across America's economy and
for all consumers.  Later today I will testify before the House
Homeland Security Committee on a narrow but important piece of
your much broader inquiry - cyber security and recovery of our
critical infrastructure - so I particularly appreciate the chance
to begin that dialogue at the 50,000 foot level you posit.
    Right now no one in government is really looking at the
macro-level.  The fact is that cyber systems are our newest and
most pervasive infrastructure.  They drive and organize every facet
of our collective and individual lives from national and economic
security to personal health and well-being - and yet we do not
have a strategic national capability to assess how well the most
critical systems are protected, and what the consequences are if
they fail.  Currently, there is little strategic direction or
leadership from the federal government in the area of information
security.  Ensuring the resiliency and integrity of our
information infrastructure and protecting the privacy of our
citizens should be higher on the priority list for our government.
CSIA believes the government has a responsibility to lead, set
priorities, and coordinate and facilitate protection and response.

DHS has a central role in protecting critical cyber infrastructure
from massive attack, but government must consider economic
consequences and impact to our citizens in a more comprehensive and
systematic way.
    Clearly DHS has a vital and central role - HSPD 7 designates
the Department of Homeland Security as a focal point for
infrastructure protection, including cyber security.  [We'll get
to how well, or poorly, they are doing in just a moment.]  But it
is myopic to assume DHS has exclusive government responsibility for
the entire continuum of security across all information
infrastructures, and for all threats.  DHS should, indeed must, be
accountable for coordinating the protection of our most critical
infrastructures from serious attack or devastation.  But when we
think about the potential impacts of cyber threats and attacks on
our overall economy, or for consumers as a whole, we must
acknowledge that we have a strategic national interest in cyber
security that is much broader than the mandate of DHS or the
immediate challenges it faces.  We face various forms of cyber
attacks and efforts to exploit faulty software code every day.
Businesses routinely fight against unauthorized intrusions, whether
for sport, industrial espionage, or more nefarious reasons.
Companies incur significant costs to keep up with ever-more
sophisticated efforts to compromise their systems; ultimately,
we all bear these costs.  And every day, thousands of citizens
have their sensitive personal information compromised through data
breaches, phishing campaigns, Internet fraud and other cyber
crimes.  As a result, consumers do not have trust and confidence
in online services and e-commerce, with significant economic results
for many industries.
    The truth is that a major cyber disruption could prevent
companies from operating critical systems, possibly for sustained
periods of time.
This means that planes may not fly, goods and
services may not be distributed, power and gas may not be
available, and all of this would have a potentially devastating
impact on our economy and our citizens.
    Most importantly, DHS must consider and articulate how it
will work with the private sector to respond to and recover from a
massive failure of information technology systems - whether from a
cyber attack or a natural disaster.  In preparing for how to
respond to a significant cyber event, the unanswered question
affecting all is:  What is a suitable role for DHS as well as
other key federal agencies, including DoD and the FCC, in
facilitating recovery and reconstitution from a cyber "incident
of national significance"?   The Federal government must engage
in a serious inquiry of the following questions:
* What is an "incident of national significance" and what is the
process for determining such an event and its legal significance?
* What obligations do private sector entities have to obey
directives from DHS, or other agencies?
* Who would resolve conflicting demands for scarce cyber
resources?
* What enforcement power do DHS, DOD, and the FCC have to help the
nation recover from a cyber disaster?

    These are tough questions, and raise complex policy issues
which extend beyond DHS.

We must take a holistic view - the United States needs a Strategic
National Information Assurance Policy
    The bottom line is that protecting our cyber infrastructure
is not just DHS's problem.  In large measure, because our cyber
infrastructure is almost exclusively owned and operated by the
private sector, the front line defense is the investment made by
infrastructure providers on behalf of their customers.  But, in
addition to DHS, many key departments and agencies have key roles
in protecting our cyber infrastructure:
* The Department of Commerce has a key role.
The Department of
Commerce advocates for technological innovation and has
responsibility to develop and promote measurements, standards,
and technology to enhance productivity, trade, and the quality of
life. This includes conducting research to advance the U.S.
technology infrastructure and supporting the development of
technologies for broad national benefit.[1]  The Under Secretary for
Technology Administration has the lead in developing and promoting
information security standards and in leading research and
development efforts to enhance privacy and security.  There is much
more Commerce could do.  For example, Commerce currently does not
measure consumer or business confidence in the information
infrastructure or the costs of attacks or disruptions.   Commerce,
in partnership with DHS, could support increased adoption of
insurance.   Currently, many insurance companies are reluctant to
enter this market because of a lack of actuarial data.
* The Federal Trade Commission has a key role.   The FTC's
Enforcement Division conducts a wide variety of law enforcement
activities to protect consumers online, including: (1) ensuring
compliance with administrative and federal court orders entered in
consumer protection cases; (2) conducting investigations and
prosecuting civil actions to stop fraudulent, unfair or deceptive
marketing and advertising practices; and (3) enforcing consumer
protection laws, rules, and guidelines.[2]
* The U.S. Department of Justice has a key role.  The Computer
Crime and Intellectual Property Section (CCIPS) within DOJ's
Criminal Division is responsible for combating computer and
intellectual property crimes worldwide. CCIPS' Computer Crime
Initiative is a comprehensive program designed to combat
electronic penetrations, data thefts, and cyber attacks on
critical information systems.
CCIPS prevents, investigates, and
prosecutes computer crimes by working with other government
agencies, the private sector, academic institutions, and foreign
counterparts.[3]
* The Federal Communications Commission has a key role.  Charged
with regulating interstate and international communications, the
FCC has established the following objectives:
  * To evaluate and strengthen measures for protecting the Nation's
communications infrastructure.
  * To facilitate rapid restoration of the U.S. communications
infrastructure and facilities after disruption by a threat or attack.
  * To develop policies that promote access to effective communications
services by public safety, public health, and other emergency and
defense personnel in emergency situations.[4]
* The Department of Defense has a key role.  DoD gives highest
priority to securing its national security systems. The Defense
Information Systems Agency (DISA) provides a seamless, secure and
reliable web of communications networks, computers, software,
databases, applications, and other capabilities to meet the
information processing and transport needs of DoD. DISA also
ensures the integration and interoperability of command and
control, communications, computers and intelligence systems.[5]
* The Office of Management and Budget has a key role.  The government
has a critical need to ensure critical Federal IT systems are
resilient; after all, our citizens rely on our government not to
let them down.  Under the Federal Information Security Management
Act (FISMA), OMB is responsible for developing and overseeing
the implementation of government-wide policies, principles, and
standards, as well as providing guidance for the federal
government's information technology security program.[6]
* White House Coordination.
The President's staff must ensure
seamless coordination across Federal agencies and ensure sufficient
attention and fiscal resources are allocated to the issue.
* Congress has a key role.   Congress must exercise its traditional
role.   This Committee, for example, has worked hard to enact
effective legislation to protect sensitive personal information;
Congress should act before the end of the session to pass data
security legislation.

A graphical depiction of this discussion is noted below:

    Clearly, as a nation we have a strategic national interest
in making sure that we understand the risks across all our cyber
infrastructures and who is accountable for their resilience to
attack. We urge policy makers to consider the need for a strategic
national information assurance policy, developed in consultation
with industry, operating across all of government.    The policy
would address many of the questions I have posed.


DHS needs to specify steps to prevent and/or minimize a massive
cyber attack or telecommunications disaster
    My remaining testimony will reflect on DHS's effectiveness
to date, because the bottom line is that cyber security is
receiving inadequate attention from DHS.  Of particular urgency is
the need for DHS to specify how it and the private sector would
coordinate actions if a massive cyber attack were to occur.
    Last week in his updated national strategy for
counterterrorism, President Bush declared that "America is safer
but we are not yet safe."  The reality of physical terror occurring
in the United States has riveted our attention since the attacks on
September 11, 2001.  Prevention of any physical incident of horror
has since been priority one.
    The President's reminder for vigilance clearly applies to
threats against our physical well-being, but his admonition should
also apply to cyber security.
Since 9/11, responsibility for
coordinating federal efforts on national safety shifted to the
Department of Homeland Security.  DHS has predictably reacted to a
myriad of security challenges by focusing first on immediate
physical threats and natural disasters.  This focus is
understandable, but it has also impeded progress toward stronger
national cyber security.  As a result, the United States remains
unprepared to defend itself against a massive cyber disruption or
to systematically recover and reconstitute information systems
after such an event.  However, by realistically refining the
Department's role in national cyber security, DHS can escalate cyber
security efforts along with efforts to prevent physical terror in
America.
    National coordination of cyber security is the purview of
the Department of Homeland Security, and its related leadership
position is Assistant Secretary for Cyber Security and
Telecommunications.  This new position was established in July
2005 by Secretary Chertoff specifically to elevate the importance
of cyber security in relation to DHS's main focus on physical
security.  Unfortunately, fourteen months later, the Assistant
Secretary position is unfilled, which reflects the low priority
DHS still has toward cyber security.  No one is in charge to lead
efforts to protect information infrastructure against cyber attacks
or to lead response and recovery.
    For example, currently members of the IT sector are working
with DHS on a sector specific plan as required under HSPD-7 and the
National Infrastructure Protection Plan.  While we have made
progress, there has been little to no senior-level attention to the
plan at DHS, as well as several other agencies.  The plan seeks to
hammer out many of the questions I posited earlier.

DHS has not specified how it will work with the private sector to
respond to a cyber incident of national significance
    The Cyber Incident Annex of the National Response Plan,
published January 6, 2005, states that the federal government
plays a significant role in managing intergovernmental (federal,
state, local and tribal), and, where appropriate, public and
private coordination in response to cyber incidents of national
significance.  DHS is well aware that the private sector "runs
the show," which may account for its encouragement of
public-private partnerships.  However, the Government Accounting
Office recently reported that progress on those initiatives is
limited, some lack time frames for completion, and relationships
between these initiatives are unclear.[7]
    Consequently, DHS needs to articulate a chain-of-command for
each step of recovery and reconstitution.  For example, the DHS's
U.S. Computer Emergency Readiness Team (US-CERT) may be aware of a
network attack, but the North American Network Operators Group
(NANOG) is the operational forum for backbone/enterprise
networking.
    In addition to chain-of-command, DHS needs to articulate an
emergency communications system that works even when standard
telecommunications and Internet connectivity are disrupted.
Emergency communications entail more than simply establishing a
resilient mechanism allowing people to talk.  It also requires
advance identification of the right people from appropriate
organizations who speak the "same language" for establishing
rapid recovery and reconstitution of national systems.
    These are but a few of the details that must be articulated
and agreed upon in advance if the nation is to truly prepare for
recovery and reconstitution from a cyber disaster.  Ostensibly,
DHS would have a leading role in planning.
    These issues should be answered in the DHS's 400-plus page
National Response Plan.
Unfortunately, the plan does not
articulate clear answers on how federal agencies work with each
other, with other government entities, or with the private sector
in responding to a national disaster.  Instead of one coordinator,
there are at least six: Homeland Security Operations Center,
National Response Coordination Center, Regional Response
Coordination Center, Interagency Incident Management Group, Joint
Field Office, and Principal Federal Official.  The National Response
Plan's discussion of cyber security is contained in the "Cyber
Incident Annex."  The Annex mentions many other federal departments
and agencies with "coordinating" responsibility for cyber incident
response, including Defense, Homeland Security, Justice, State,
the Intelligence Community, Office of Science and Technology Policy,
Office of Management and Budget, and State, Local, and Tribal
Governments.  The agency tasked with maintaining the National
Response Plan is FEMA.
    As I draw toward the end of my testimony, I wish to comment
on one other topic that also requires close coordination of the
government and private sector - namely, the need for a cyber early
warning system that provides the nation with situational awareness
of attacks.  DHS has sponsored some mechanisms toward this end,
such as US-CERT, and Information Sharing and Analysis Centers
(ISACs) that share some cyber alert data from the private sector
with the federal government.  As noted by the Business Roundtable,
however, the nation lacks formal "trip wires" that provide rapid,
clear indication that an attack is under way.[8]  This mechanism
would be akin to NOAA's National Hurricane Center, which usually
can provide a day or so of advance notice before a dangerous storm
lands ashore.  Cyber attacks provide far less notice to prepare
and react.
DHS should lead the establishment of an efficient
national cyber warning system because the private sector is most
likely to first detect an attack, and data correlation and
follow-through coordination closely involve the government.

Summary of Recommendations
    In summary, CSIA offers the following recommendations for
the Subcommittee's consideration:
    Consider the need for a government-wide strategic national
information assurance policy.  Cyber security is too important to be
left to piecemeal and bifurcated approaches. There needs to be more
active engagement by the White House to lead in developing a
coherent national information assurance policy across all agencies.
    Urge Congress to enact comprehensive data security
legislation this year.  Sensitive personal information should be
protected whether it is being held by a commercial enterprise,
non-profit organization or government entity.  Millions of Americans
are looking to the government for help in safeguarding their
personal information.
    Increase Attention to Cyber Security.  DHS has inadvertently
exposed the nation to another vector of attack by providing
inadequate attention to cyber security.  The Department should
reassess its priorities and shift some attention from an almost
exclusive focus on physical security.
    Appoint a Leader.  There is no leadership at DHS in terms of
a person who is solely responsible for cyber security.  DHS should
swiftly fill the open position of Assistant Secretary for Cyber
Security and Telecommunications to close the leadership vacuum.
    Plan to Prevent or Minimize a Major Cyber Disaster.  DHS
should shift this energy to articulating a smaller set of priorities
focused on preventing and/or minimizing the likelihood or severity
of a massive cyber attack or telecommunications disaster.
    Plan to Work with the Private Sector to Recover from a Major
Disaster.
The existing DHS "plan" for recovery cites more than a
dozen federal departments and agencies with "coordinating"
responsibility - not including state, local and tribal governments.
DHS needs to clearly articulate a chain-of-command between
government and the private sector for recovery from a major cyber
disaster.
    With that, I appreciate the opportunity to testify today
and am pleased to answer your questions.

    MR. UPTON.  Mr. Clinton.
    MR. CLINTON.  Thank you, Mr. Chairman.
    The Internet Security Alliance represents about 500 companies
operating worldwide from almost every sector.  We basically represent
the major industrial users of the Internet.
    My remarks today will focus on three messages.
    First, the threat to this Nation's and the world's economic
infrastructure from cyber attack is real and growing.  Second, not
enough is being done either by government or by industry to secure
cyberspace.  We can't manage the 21st Century technology solely
based on regulatory models designed 2 centuries ago.  While
regulation has its place, new, more creative models built on market
incentives must be built.  Third, there are concrete steps that can
be taken both by industry and by government to create this new model.
    Let me start with some core facts.  Today, there are more
than one billion Internet users.  That is a 300 percent increase
since 2000.  The growth in applications has increased nearly 2,000
percent in that time.  Twenty-five percent of America's economic
value, $3 trillion a day, moves over the connections on the
Internet.  The main protocols to protect that data are 30 years
old and contain multiple well-known security flaws.  The
Congressional Research Service estimated the economic impact of
cyber attacks to business is about $226 billion.  In the first
half of '06, banks' financial losses from cyber attacks were up
450 percent since 2005.
In addition, international terrorists
are also becoming increasingly sophisticated in their use of
the Net.  A terrorist can sit at a computer and create havoc
worldwide.  They don't need a bomb or explosives to cripple a
sector or shut down a power grid.
    To address these issues, we have to broaden our thinking
about Internet security governance.  The Internet is
international, interactive, constantly changing, and constantly
under attack.  The national strategy to secure cyberspace,
published in 2002, stated correctly that regulation in this space
would be effective and possibly counterproductive.  Even if
Congress enacted a lightened statute, it would only have reach to
our national borders.  Even if some agency wrote a brilliant
regulation, it is likely to be outdated before it gets through
the process and could stunt innovation.  But we can't sit idly
by and do nothing, either.  The best mechanism to ensure
sustainable defense is to interject market incentives to
motivate the corporations who own and operate the vast majority
of the Internet to adopt best practices.
    One of the untold stories of Internet security is that
we already know a good deal about how to address these issues.
Studies show that approximately 25 percent of companies who do
currently follow best practices are still intact, but the
resulting financial loss, down time, disruption, et cetera
is greatly minimized.  While many have suggested, hopefully,
that a positive return on investment would stimulate enough
voluntary action, this has not been the case.  Recent research
indicates that most companies still do not see security as a
core value driver.  Various private sector entities are
already doing a great deal to address these problems, some of
which are detailed in my written statement.
We are doing
research, creating best practices, providing incentives,
coordinating with standard-setting bodies, reaching out to
educate the corporate investment communities.
    But the reason you asked us here today was to discuss
what the Government's role would be, and more specifically, how
we can work together.  Acting through a range of coalition
activities known as the Corporate Information Security Working
Group, the National Cybersecurity Partnership, the WYE II
Coalition, et cetera, we have developed an outline of a
market-based incentive program to bridge the gap between a pure
voluntary and regulatory approach.  Six weeks ago the National
Infrastructure Protection Plan officially embraced the idea of
developing a market incentive program by stating, and I quote,
"The success of a public/private partnership depends on
articulating the benefits of participating to the private sector."
There is a clear national security and homeland security interest
in ensuring collective protection of our Nation's critical
infrastructure.  Government can engage industry to go beyond the
efforts already justified by their corporate business needs by
creating an environment that supports incentives for companies to
voluntarily adopt widely accepted security practices.
    Now, we move to the hard question: Exactly how do we do
this?  Fortunately, there exist a number of paths, most with
Congressional precedent, that may provide incentives that are in
the national interest.  Among these paths: Congress can tie
incentives such as civil liability safe harbors, such as those
provided in the Safety Act, or provide procurement credits for
companies who demonstrate compliance with generated best practices.
Congress can stimulate the stunted cyber insurance market by
temporarily insuring the risk of a massive cyber hurricane until the
market is sufficiently large to take the risk themselves.
Congress
can create industry, government, and university consortia, similar
to the Symantec model we developed in the 1980's to address our
computer chip problem.  Congress can use tax incentives to
motivate corporations, particularly small ones, to adopt best
practices.  Congress can create awards programs, such as the
Baldrige Program, to make security a market differentiator, just
as we did quality a while ago.
    My written testimony provides numerous other examples of
private sector programs already underway, many without any Federal
buy-in.
    The bottom line is this, Mr. Chairman.  We have a major
security problem revolving around the Internet.  If we attempt to
use the traditional regulatory method to address it, we will be
unsuccessful.  The Federal government, in cooperation with the
private sector, can create an effective and sustainable security
system with market incentives.
    Thank you, Mr. Chairman.
    [The prepared statement of Larry Clinton follows:]

PREPARED STATEMENT OF LARRY CLINTON, CHIEF OPERATING OFFICER,
INTERNET SECURITY ALLIANCE

    Good Morning, I am Larry Clinton, Chief Operating Officer of
the Internet Security Alliance. I also sit on the Board of the
National Cyber Security Partnership, and both the IT and
Telecommunications Sector Coordinating Councils. In addition, I
chair the NCSP Committee on Incentives for Improved Corporate
Security. I want to thank Chairman Upton for having this hearing
and inviting me to participate on behalf of the Internet Security
Alliance.
    The ISAlliance represents about 500 companies operating
on 4 continents who are primarily major corporate users of Internet
services.  Our diverse membership includes companies from a wide
variety of economic sectors including financial services, IT and
Telecommunications, entertainment, manufacturing, food services,
defense, business consulting and security services.
Companies such
as American International Group, Mellon Financial Corporation,
Northrop Grumman, Visa, Verizon, Verisign, NAM, Sony, Tata
Consulting, Raytheon, Nortel and Ceridian, among many others.
Companies join ISAlliance because we believe we must work across
corporate and national borders, and engage both security providers
and users in order to improve cyber security in a comprehensive
fashion. Our goal is to improve cyber security across the nation
and the globe through education, training and the creation of
market-based incentives for action.
    My remarks today will focus on three main messages I would
like to leave with the Committee today.
    First, the threat to this nation's and the world's economic
infrastructure from the risk of cyber-attack is real.  It is not
science fiction.  It is not theoretical. It is happening today and
in all likelihood will get worse.
    Second, regrettably not enough is being done, either by
government or industry, to secure cyber space.  We continue down
this path at great peril.  If we are to address the threats we face
in the Internet security space, we must broaden our thinking
considerably.  We cannot manage what is, essentially, the first
21st century technology solely using regulatory models designed
two centuries ago. A new, more creative, model built on market
incentives and creative solutions must be developed and added to
the mix.
    Third, fortunately, there are concrete steps that can be
taken both by industry and government to create this new model.
Some of these steps have already begun, but we need to pick up
the pace of activity considerably.

CYBER THREATS ARE SIGNIFICANT AND GROWING
    It was not that long ago that popular myth held that cyber
attacks were largely propagated by some Matthew Broderick type
High School student playing "war games" with the Pentagon computer
system to prove how smart he was.
If that ever was the case, it is
no longer.  Now the most likely perpetrators are
agents of foreign countries, organized criminal syndicates or
highly educated and trained cyber-terrorists.
	Here are some core facts:

The dot-com bust gave the illusion that Internet growth slowed down,
but in fact it has grown at remarkable rates. At the height of the
dot-com boom in 2000, for example, roughly 250 million people used
the Internet. Today, according to Internet World Stats, more than 1
billion users worldwide rely on the Internet, a 300 percent increase
since 2000.

The explosion of Internet-enabled devices and applications - text
messaging, music downloads, VoIP, Blackberries and device-to-device
communications - has created exponential growth in Internet traffic
far surpassing the increase in users. While users have increased
300 percent since 2000, the volume of traffic on .com and .net has
increased 1,900 percent in that same period.

This very growth of Internet users, broadband capacity and number
of Internet-enabled devices has created an opportunity for hackers,
organized criminals and even more serious terrorists to attack our
networks.  Some do so for technical trophies, some for political
objectives, but today, most bad behavior on the Internet is done
for financial gain.

In fact, the very devices and increased bandwidth that make the
Internet more robust and user friendly are being deployed to
compromise the Internet. Now that computers are always-on, they
are easily accessible to hackers and other abusers to hijack.
And the increased bandwidth and computing power available
literally gives hackers more ammunition to utilize against the
infrastructure.

In October 2002, the Internet community got a wake-up call when
the 13 DNS root servers, which serve as the heart of the Internet
addressing system, came under heavy denial of service (DoS) attack.

In these attacks, the hackers send countless bogus inquiries to
domain-name servers, which are computers that direct Internet
traffic. By sending phony website requests to these servers, they
overload and disable them, making websites unavailable.

The most alarming of attacks occurred in early January 2006, when
a hacker systematically disabled over 1,500 websites using hijacked
PCs. In these attacks, the hacker didn't directly attack the
domain-name servers. Instead, they sent their traffic to a
legitimate server with a DNS query and a forged source address.

Twenty-five percent of America's economic value ---up to 3 trillion
dollars a day--- moves over network connections each day. The main
protocol used to protect this data is over 30 years old and has
multiple well-known security flaws. There are now more electronic
financial transactions each day than there are paper checks written.

If the Internet were to go down for just a few hours, we would
lose hundreds of millions of dollars of economic activity. If it went
down for several days, U.S. economic activity would be severely
curtailed; payrolls would not be met, securities transactions not
cleared; invoices not paid.

In 2004 the Congressional Research Service estimated that the
economic impact of cyber attacks on business grew to $226 billion.
In truth, we don't know the precise amount of the economic losses
because there is a tremendous disincentive to disclose this
information.  But we do know it's huge and growing.

In August 2006 the SANS Institute claimed that banks' financial
losses caused by cyber attacks were up 450% from the first half of
2005.

August 2006 was the worst month in history for data breach
notifications according to SANS. Consumers Union tells us that
although about 98% of bank robbers get caught, only 1 in a thousand
identity thefts are prosecuted.
One of the main reasons is again
that the internet infrastructure itself makes tracing these thieves very
difficult.

There has been a massive increase in cyber crime from organized
groups in Eastern Europe and Asia.

This is the on-going chronic cyber security problem we face day in
and day out.
	However, the threat is not just from criminals.
International terrorists are becoming increasingly sophisticated in
their use of the global net, creating a threat potentially more
dangerous than physical explosives.  Of course, for some time now,
terrorists have used the net for fund raising, communication and
recruitment activities.  However, there is growing testimony from
the intelligence community that they are pursuing methods to inflict
a deadly combination of electronic breakdown and serious physical
injury either using cyber means alone or in combination with
physical explosives.
	Former CIA Director George Tenet has said the Internet
represents the "Achilles heel" of our financial stability and
physical security. Former CIA Director Gates has warned that
cyber-terrorism could be the most devastating weapon of mass
destruction yet.
	In April of 2002, then Homeland Security Director Tom Ridge
probably said it best: "Terrorists can sit at one computer connected
to one network and can create worldwide havoc.  [They] don't
necessarily need a bomb or explosives to cripple a sector of the
economy, or shut down a power grid."
	A recent Google search on the term "cyber-terrorism" found
over 900,000 entries.
	According to the Insurance Information Institute, 2005 was
the most costly on record for the insurance industry, with insured
losses from Hurricane Katrina alone at $40.6 billion and total
catastrophe losses for the year from 24 disasters totaling
$61.2 billion.  We have but to watch the news to see vividly the
misery and destruction caused to New Orleans and the surrounding
areas.

	Now, imagine a hurricane with intelligence.  One that learns
and grows more destructive with each year.  Imagine a hurricane
that methodically, intentionally, with malice born of a lifetime of
anger, plans and executes a destructive force to precisely hit the
very fabric of our economy and daily life.  That is a
cyber-terrorism attack.
	However, those of us who operate major information systems
know that we must worry not just about that cyber-hurricane of the
future but about the smaller attacks we are under every day---thousands
of times a day.
	Thus, it is our job in industry to work with you in
government to address not just the large scale, massive, attack
scenarios but also to address the chronic cyber security problems
we face.
	To do this, we must broaden our approach.

WE NEED TO BROADEN OUR THINKING ABOUT INTERNET SECURITY GOVERNANCE
	When I say we need to broaden our thinking about the
Internet, I mean that we need to do at least three things.
	First, we need to realize that the Internet is unlike
anything we have dealt with before.
It transmits phone calls but it is not a phone line.
It makes copies but it is not a Xerox machine.
It houses books but it is not a library.
It broadcasts images but it is not a TV station.
It's critical to our national defense, but it is not a military
installation.
It's all these things and much, much more.

The Internet is international, interactive, constantly changing
and constantly under attack.
Consequently, it will require a security system unlike anything we
have designed before.
It's not even really an "It." It's actually lots of "Its" all
knitted together. Some public, some private --all transmitting
information across corporate and national borders without stopping
to pay tolls or check regional sensitivities.

The regulatory model we have traditionally used to govern business
has not changed much since we created it to deal with the
breakthrough technology of 2 centuries ago---the railroad.
To manage the railroad, Congress decided to create an expert
agency, the ICC, to pass specific regulations.  The ICC begat the
rest of the alphabet soup, the FCC, the SEC and the FTC.  And that
system has worked arguably well in most instances.
But that system, whatever its advantages, will not work with
Internet security. Even if Congress were to enact an enlightened
statute, it would not reach beyond our national borders and hence
would not be comprehensive enough.  Even if some agency wrote a
brilliant regulation, it is likely to be outdated before it went
through the process, a process that can be further delayed with
court challenges.
	And that assumes, unrealistically, that the political
process inherent in a government regulation system doesn't
compromise, simplify and "dumb-down" the eventual regulations so
that we end up with a standard which offends no one, where everyone
can attest that they met the new federal regulations, but everyone
knows the system is not really working.
	That is not to say that regulation doesn't have its place,
especially with traditionally regulated industries.  It is to say
that regulation, standing alone, will not be sufficient.
	We must, together, develop a mechanism to assure an
effective and sustainable system of security that will accommodate
the global breadth of the Internet and still result in a dynamic
and constantly improving system of mutual security.
	We, the Internet Security Alliance, contend that the best
mechanism to assure an adequate and sustainable defense system is
to inject the market with a combination of motivations.

	We need to have corporations, who own and operate the vast
majority of the Internet, perceive that it is in their own self-interest
to continually improve not only their own security, but
that of everyone else with whom they interact.
	Sadly, this is not the case now.
	A range of studies have demonstrated that corporations, for
various reasons, tend to regard security and resilience, including
cyber security, as a cost center to be minimized.
	Moreover, the enlightened companies will do what they
perceive is appropriate to assure the cyber defense within their
corporate borders; however, the Internet is a shared infrastructure.
	We need to develop a system that assures comprehensive
security---and nothing motivates the private sector like market
incentives.
	Psychologists tell us that punishment as the sole means of
behavioral modification doesn't effectively work past the age of
two.   Rather, the best course of action is the use of the carrot,
sometimes alone and sometimes in combination with an already in
place and existing stick.

THE ROLE OF INSURANCE
	Numerous private and governmental documents have encouraged
the use of cyber-insurance and the creation of a robust
cyber-insurance market.  There is little wonder about this.
Insurance can:
(1)	motivate best practices by modifying the availability and
affordability of insurance based on the degree of implementation of
such best practices,
(2)	spread the financial costs of a cyber-attack, especially a
massive cyber-attack, among society, creating an efficient funding
mechanism in the event of a "digital Pearl Harbor", and
(3)	be a primary distribution channel for risk management
information on preventing and mitigating cyber-risks given the
historic view of the insurance industry as the "risk management
experts".


Given that a robust insurance market is necessary to achieve
these essential public goods, the question is how best to achieve
such a market.  While the primary burden is on the insurance sector
itself to make this happen, left purely on its own, the industry
will move "too little, too late".  One main reason for this is that
the lack of historical loss information makes the creation of
standard actuarial tables impossible, leaving carriers to
"guesstimate" correct rates, something most carriers do not want
to do. Thus, the market is currently estimated to be less than
$200 million in premium with only a handful of carriers willing to
issue policies.
	Fortunately, there are concrete steps, some easy and some
hard, that can be taken by the insurance industry and government
to achieve the goal of a sustainable and robust insurance system
for the inevitable cyber-hurricane.

THERE ARE CONCRETE STEPS THAT WE CAN TAKE TO DEVELOP A SUSTAINABLE
MODEL OF INTERNET SECURITY

A. What We Are Doing
	The mantra of the Internet Security Alliance is that since
the Internet is largely owned and operated by the private sector,
it is up to the private sector to provide Internet security.
	Consistent with that policy, the Internet Security
Alliance has executed and supported a wide range of activities
within the private sector to improve security.
INFORMATION SHARING
	ISAlliance was founded in April 2004---5 months before the
tragedy of 9/11 placed an increased emphasis on security because,
even then, we realized the need for advanced information sharing.
We established one of the first and most sophisticated information
sharing operations in conjunction with our partners at Carnegie
Mellon University's CERT/cc.  This became the model used by DHS,
which eventually took over that function from us with the creation
of US-CERT.


BEST PRACTICE DEVELOPMENT
	One of the under-reported stories of Internet security is
that we actually know how to solve many of these problems.  Best
Practices in various areas of Internet security have been developed
in the private sector and research has empirically demonstrated
that these Best Practices work: though corporations who follow
them invariably still get attacked, they can better withstand
and manage the attacks, suffering little if any down time or
financial loss.
	ISAlliance has been a leader in the development of best
practices, and has published a continuing series of works that
communicate those best practices to the full range of large, small,
and medium size enterprises.
	Unfortunately, so far, only a minority of corporations
follow these best practices.

WORKING WITH THE INSURANCE INDUSTRY
	AIG insurance has, in conjunction with ISAlliance, attempted
to stimulate wider adoption of these best practices by offering
credits on cyber insurance for corporations who comply with them.
Working closely with the ISAlliance technical team and Carnegie
Mellon University, AIG developed the first cyber-insurance
certification tool to be used in conjunction with ISAlliance's
Best Practice Guides.  This tool permits companies to show that
they are meeting the standards of the Best Practice Guides and
are entitled to insurance credits where permitted by law.

SMALL COMPANIES
	In 2004 the private sector, in conjunction with DHS, held
the first national Cyber Summit. The very first recommendation to
come out of that summit was that something had to be done to bring
more small companies into the perimeter of a secure cyber space.
	The ISAlliance was asked to create a program specifically to
address the needs of smaller companies.
In the past two years we
have developed a separate set of best practices for them, developed
a self assessment tool to assess these needs, offered private
incentives such as lower insurance rates for compliant companies
and created an innovative mechanism for small companies to
participate in our information sharing and educational programs.
Since the cyber summit, the ISAlliance has increased its reach
into the small company community by several hundred new companies.

REACHING OUT TO THE INVESTMENT COMMUNITY
	Next month we, along with several coalition partners such
as the Council on Competitiveness and BITS, will be holding a major
event at NASDAQ.  The purpose of that event is to reach out to the
investment community, who we believe have been undervaluing
corporate investment in security and business resilience. Based
on recent research we hope to convince the investment community
that companies who do invest in business resiliency projects are
indeed better investments.  That is, companies that invest in
cyber security are not dumping money into an economic black hole.
Rather, an investment in cyber security not only makes a company
more resilient but also produces a positive return on investment.
Clearly, if we can make this case strongly it would have a major
impact on increasing the market incentive for improved security.

REVIEWING CORPORATE STRUCTURES
	In addition, based on a series of recent studies, we believe
that in many corporations there is insufficient integration among
CSOs, CIOs and Risk Managers, leading to less commitment from the
COO, CEO and Boards of Directors for security and resiliency
investments. As a result, we are engaged in a program to get this
message out and achieve results in improved corporate governance.


ADDRESSING PARTNERSHIP AND OUT-SOURCING SECURITY ISSUES THROUGH
MODEL CONTRACTS
	Companies who participate in organizations like the Internet
Security Alliance are often also among those "best practices"
companies who are actually doing a very good job of assuring the
security of their own cyber systems.  However, with a shared
infrastructure like the Internet you are only as secure as the
company with whom you are interacting.  Hence, we needed to develop
a market system to expand the state-of-the-art procedures we follow
to all our partners including those who are based off-shore.  The
mechanism we chose was commercial agreements, recognizing that the
agreement was an inherent part of setting up shared
infrastructure.  We developed a set of model contract terms and
conditions which provide contract trading partners with a market
mechanism that assures that both sides are following the necessary
procedures to assure each other's compliance, while at the same
time cutting legal costs.
	Our work in this model contract project was endorsed by
the Information Systems Security Association, an international
professional association of over 10,000 information security
professionals.

COORDINATING WITH RECOGNIZED STANDARD SETTING BODIES
	As a next step within the Model Contracts Project,
ISAlliance is collaborating with the American National Standards
Institute (ANSI).  We have agreed to work cooperatively to take
the adopted standards for information security programs and
develop contract language that embraces these standards.  We are
also hoping to broaden this effort to embrace international
standards, and are working with internationally based partner
corporations to incorporate legal requirements in other
countries.

INTEGRATION OF MULTI-FACETED SECURITY ISSUES
	It is a misnomer that cyber security is a technical problem.

While it obviously has many technical aspects, maintaining cyber
security has technical, legal, business operational and public
policy dimensions.  Unfortunately, many organizations are
ill-equipped to address these issues in an integrated fashion,
leading to uncoordinated and inefficient security programs.
In cooperation with our partners at Carnegie Mellon University
CyLab, ISAlliance is developing integration programs including
legal/technical and business analysis coordinated with web-based
education and training to improve our members' performance in
their own management of cyber security as part of the business
agenda.

ADDRESSING THE INSIDER THREAT
	Many of the breakdowns in cyberspace (including the recent
highly publicized personal security breaches on the part of agencies
of the federal government) have been the function of personnel
misconduct rather than technology failures. DHS Chief for Cyber
Security research, Scott Borg, has reported that the single
biggest vulnerability in industry is the lack of adherence of
senior corporate personnel to cyber security policies and best
practices.  ISAlliance in conjunction with CMU and the US Secret
Service has developed a separate set of best practices for
addressing insider threats.  This is coupled with web-based
training which is also made available to Congressional and
government personnel at no charge.

COOPERATION WITH INDUSTRY AND GOVERNMENT COALITIONS
	The ISAlliance contributes both time and resources to support
a range of voluntary industry and government coalitions such as
the Information Technology Sector Specific Council, the
Telecommunications Sector Specific Council, The National Cyber
Security Partnership, and US-CERT.

B. What Government Can Do
BACKGROUND
	As I have already outlined, the private sector must take a
leadership role in assuring the security of cyber space.
Many
organizations, including ISAlliance, its members, and the many
coalition partners we have referred to above are doing a great
deal.
	But, the current level of effort is not enough.
	Research indicates that by following already
identified best practices companies can make substantial progress
toward mitigating the effect of cyber attacks. However, current
research also suggests only about 1/4 of corporations adhere to
them.
	The biggest obstacle is cost, weighed against perceived
value.
	The National Strategy to Secure Cyberspace, published almost
exactly 4 years ago, correctly concluded that reliance upon
government regulation in this domain was not the proper course of
action.  Given the ever changing nature of the Internet, it would
be largely ineffective and most likely counterproductive for
American industry.
	Yet, we have also maintained, since our comments filed in
the development of that document, that there was a missing link
in the strategy.  While regulation would likely be ineffective,
largely for the reasons detailed above, a pure voluntary program
would also likely fail.
	Although many have hopefully suggested that there would be
a positive return on investment to cyber security spending, it has
not so far been demonstrated effectively in most corporate board
rooms.
	Since the publication of the National Strategy, the
ISAlliance has campaigned for the development of an incentive
program to assure an effective and sustainable program of cyber
infrastructure protection.
	The road has been a long one, involving substantial
dialogue and productive analysis of the alternatives available.
Here are several notable activities to which the ISAlliance has
contributed.


CISWG
	In 2004, the then Chairman of the House Information
Policy Subcommittee on Government Reform appointed a group of
45 industry executives to present a program that would take a
deregulatory approach to cyber security.  I was honored to serve
as co-chair (along with ISAlliance COO Larry Clinton) of the
Incentives Committee.  We issued a series of fairly detailed
reports covering issues such as best practices, educational
outreach, and incentives.

WYE II
	In 2005, the National Cyber Security Partnership engaged
with DHS and 13 federal agencies in a series of off-site meetings
built on DHS's own conference on cyber security held in December
of 2004 at Wye River. The Wye II program also recommended an
incentive program built on and extending the work done by CISWG.

NIPP and the SECTOR COORDINATING COUNCILS
	In 2006, as part of the process in developing the National
Infrastructure Protection Plan (NIPP), DHS requested that each sector
form a Coordinating Council to help provide input on and
eventually implementation of the Sector Specific plans that are
expected to grow out of the NIPP.
	As with the CISWG reports and the WYE II reports, both the
IT and Communications Sector Coordinating Councils provided almost
identical comments to DHS suggesting that the NIPP include the need
to develop a value proposition and market incentives to improve and
sustain cyber security.

NIPP ESTABLISHES THE NATIONAL SECURITY LINK FOR ESTABLISHING A
VALUE PROPOSITION FOR INDUSTRY INCLUDING INCENTIVES
	The NIPP was published on June 30, 2006.  It embraces the
notion that as a matter of national security and homeland security
a value proposition for industry must be developed including the
creation of economic incentives.

	"The public private partnership called for in the NIPP
provides for the foundation for effective CI/KR protection...The
success of the partnership depends on articulating mutual benefits
to government and private sector partners.  While articulating the
value proposition to the government typically is clear, it is often
difficult to articulate the direct benefits of participation for
the private sector...In assessing the value proposition for the
private sector there is a clear national security and homeland
security interest in ensuring the collective protection of the
Nation's CI/KR. Government can engage industry to go beyond
efforts already justified by their corporate business needs to
assist in broad-scale CI/KR protection through activities such
as:...
	Creating an environment that supports incentives for
companies to voluntarily adopt widely accepted sound security
practices" (NIPP page 9)
	ISAlliance wants to thank and congratulate DHS Assistant
Secretary for Infrastructure Protection Bob Stephan and Acting
Cyber Security Director Andy Purdy and their staff for making
this paradigm-shifting assessment and including it in the
National Infrastructure Protection Plan.

NOW IT'S TIME FOR CONGRESS
	It is now time to move from the general notion of
recognizing the national security need to develop a value
proposition for industry for improved security to the much
harder question, "how exactly do we do it?"
	The ISAlliance does not come to the Committee today with
legislative language to be introduced.  That is premature today,
but it may not be in a few months. What we do come to you with today
is specific legislative ideas which, once agreed to, will then
be translated into suggested legislative language.

	Congress should continue the process you have started
today and hold hearings on the various ideas we have identified
for creating an incentive-based security model so that we can
address the issue with the attention that the national security
perspective suggests.
	What I can provide for the members today is a fairly
specific list of suggestions that have been developed through the
CISWG, WYE II and NIPP comment processes I have discussed.  In
brief we can identify numerous paths, most with Congressional
precedent, for Congressional action to provide incentives that
are in the national interest.  These are all appropriate for
adaptation and application in the cyber security space.
	Among the alternatives we believe are appropriate for
Congressional review are:
1. Congress can tie incentives such as civil liability safe harbors
or procurement credits to companies who can demonstrate compliance
with market generated best practices for cyber security. As I
previously noted, research has demonstrated that a substantial
minority of corporations currently follow industry generated
cyber best practices which yield empirical success. The problem
is motivating more companies to adopt these procedures. In the
last Congress Chairman Putnam of the Information Policy
Subcommittee of Government Reform created the Corporate Information
Security Working Group. The Incentives Committee of that group
proposed a system through which this can be accomplished.
2. Congress can stimulate the stunted cyber insurance market.
Cyber insurance can help achieve social goals by managing government
risk in a cyber hurricane while providing a mechanism to maximize
corporate security behavior that is dynamic enough to address the
fast changing and international characteristics of cyberspace.
This can be done by:
a.
Having government serve as an insurer of last resort to stimulate
the market (Precedent: Terrorism Risk Insurance Act of 2002).
b. Establishing a revolving fund reinsurance system funded by taxes on
insurance products (Precedent: Federal Aviation Act 1958).
c. Requiring government contractors to purchase cyber insurance.
(Precedent: Federal Acquisition Regulations)
d. Promoting cyber security information sharing allowing for the
creation of better actuarial tables resulting in lower premium
costs, increased competition and broader coverage. (Precedent:
The Year 2000 Information Readiness Disclosure Act of 1998)
3. The Congress can create an industry/government/university
consortium to stimulate the needed research, development and
adoption of security protocols. This will enable government,
academia and industry to work together to replace today's security
poor Internet protocols with security rich protocols. Congress
followed a similar model (SEMATECH) in the late 1980s to address
the computer chip gap.
4. The Congress can use tax incentives to motivate corporations to
adopt security practices beyond those already justified by their
own corporate needs but conducive to the national and Homeland
Security needs cited in the National Infrastructure Protection Plan
(NIPP July 2006). (Precedent: IRS Code 26 U.S.C; IRS Code 26
U.S.C.832 (e); Energy Policy Act 2005).
5.  The Government can create awards programs to highlight the
contributions of corporations and senior executives who have gone
beyond their own corporate interests and expended resources. In the
1980s when industry believed that "Quality" was a luxury they could
not afford, the federal government initiated the "Baldrige Awards"
for quality which eventually became a sought-after market
differentiator for corporations.
6. The government can support private sector initiatives to use
market forces to enhance cyber security.
As noted, the ISAlliance,
in conjunction with the ISSA and ANSI, is developing a series of
publications of model contract language that enable traditional
and emerging standards of security within commercial agreements,
utilizing the market power of business alliances as a means to
expand security.  The ISAlliance in conjunction with BITS and the
Council on Competitiveness is sponsoring a series of studies and
forums educating the investment community as to the business
benefits of security/resiliency and the corporate organizational
reforms needed to expand this concept.  All this is simultaneously
in the public's national security interest. DHS, the Department of
Commerce and other federal agencies should identify, promote and
support these programs aggressively as a cost-effective mechanism;
doing so serves to expand their culture of security message.

	I would like to thank the committee again for allowing
ISAlliance to testify today and I would be happy to answer any
questions the Committee may have.

	MR. UPTON.  Thank you all for your testimony.  It seems as
though we have our work cut out for us.  I am glad that my Chairman
is here, because that means if we do all the things that you
explain, Mr. Clinton, that we would have jurisdiction over all the
other committees, and I think we would welcome that here.
	MR. CLINTON.  Know your audience, Mr. Chairman.
	MR. UPTON.  Mr. Foresman, how long has this vacancy been in
terms of the Assistant Secretary at DHS?
	MR. FORESMAN.  Mr. Chairman, as you know, Secretary
Chertoff now announced last July the second stage review and the
creation of the Preparedness Director and the creation of this new
position that was officially established on October the 1st, so
since that period of time.
	MR. UPTON.  So almost a year?
	MR. FORESMAN.  That is correct.
	MR. UPTON.  And I am pleased to hear that you are getting
close.
Is this a position that has to be confirmed by the Senate? \n\tMR. FORESMAN.  No, sir, it does not. \n\tMR. UPTON.  Good.  That may be the best news we have this \nmorning. \n\tI would like, as you go back this morning, to just underscore \nthe need to see that this position is filled as quickly as we can, \nso that we can, in fact, have a high profile leadership spot willing \nto tackle this and to be able to work with the other agencies that \nare out there. \n\tMr. Weafer, we appreciated your testimony.  I would be very \ninterested in the difference or the changes in the attacks from \nperhaps this year to previous years.  You talked a little bit about \na rapid response.  Obviously, the impact of what would happen to the \neconomy, but I am interested how these attacks change as \nparticularly the private sector has prepared themselves for it.  \nWhat has been the next stage?  What has been the evolution? \n\tMR. WEAFER.  Well, the good news is we do believe a lot of \npeople have listened to some of the best practices defense in depth, \nwhich is why some of the pandemic, the local events have died down.  \nHowever, they have been replaced by a level of intensity in volume \nthat we have not seen since a long time for us.  We are seeing this \ndriven by fraud, cyber crime, people trying to invade personal \nprivacy.  Largely, it is also driven by the use of broadband \nconnectivity and home users, bringing work home, having data \nleakage from there. \n\tMR. UPTON.  Do a lot of these attacks originate from \noverseas? \n\tMR. WEAFER.  Actually, we find that most of the attacks \noriginate within the U.S., attacking victims inside the U.S.  Of \ncourse, cyber crime is very international.  The people controlling \nthose machines could be sitting over in Europe or South America, \nor anywhere around the world.  So it is a very international \nproblem. \n\tMR. UPTON.  Mr. 
Powner, you indicated in your testimony, you \nsaid that the Internet recovery was by far incomplete.  We had real \nthreats.  You painted a pretty bleak picture.  Do you see that we \nare making some progress?  What are the most critical things that \nwe can do in the coming months? \n\tMR. POWNER.  Well, clearly there is some progress with some \nof the plans and working groups that are being put in place within \nthe Department, but--and I think some of the panel members mentioned \nwe need to move beyond plans and some of the initial stages. \n\tOne of the key things that we learned in our study for \nyou, Mr. Chairman, is that what the private sector wants during \na time of crisis isn\'t exactly where we are right now within the \nDepartment of Homeland Security with their planning efforts.  They \nwant items like what we learned in Katrina: help with logistics, \nhelp with prioritization, backup communications.  Those types of \nthings aren\'t being discussed.  We are talking about these great \nlarge-scale plans, and we need to get together on the same page on \nthis to have a plan that would be helpful to the private sector \ninfrastructure owners. \n\tMR. UPTON.  I know that you studied the Business Roundtable \nreport that was put out.  Did you find that it helped you interface \nat all in terms of your report that you made? \n\tMR. POWNER.  The Business Roundtable report was very \nconsistent with the number of findings that we had, and a number \nof those recommendations were quite consistent.  We obviously \nweren\'t as critical as the private sector, because we couldn\'t look \nat that.  \n\tWhen you look at that report, and I think some of our panel \nmembers mentioned today, it is clear there is room for improvement \non the private sector side of things also.  There was one \nrecommendation in that report, though, that talked about another \ngroup being formed.  
I think we need to stop forming groups and we \nneed to hold the current groups accountable.  We have enough groups \nthat are looking at this.  Let us just get some accountability here \nand get the job done. \n\tMR. UPTON.  That leads, actually, to my next question to \nMr. Kurtz, who said we needed more of a role by the White House and \nothers that try and take a leadership role.  Now, Mr. Kurtz, \nI don\'t know all of your background, but I know that you once \nworked at the White House.  Is that correct? \n\tMR. KURTZ.  Correct.  In the early part of the first term \nof the Bush Administration, President Bush spent a great deal of \ntime looking at putting together a national strategy to secure \ncyberspace.  It came out in February \'03.  It is actually a good \ndocument.  The problem is since that strategy was issued in \nFebruary of \'03, we have actually been running in place.  \nWe--keep in mind-- \n\tMR. UPTON.  Do you think that once an assistant secretary \nis named, that that will be a big help? \n\tMR. KURTZ.  I think it will help.  One of the issues that \nI am trying to point out in the testimony is that DHS, under \nHomeland Security directive Presidential 7 and under the National \nStrategy, clearly have a lead coordinating role in putting together \nour national strategy to secure cyberspace.  But what we need to \nunderstand is that while DHS has that leading role, there are \nmultiple other agencies involved in this process, in particular, \nwhen we talk about an issue that is important to this committee \nwhen it comes to recovery and reconstitution issues.  You know, \nagencies like the FCC have a role.  Agencies like DOD have a role. \nThe classic example is Hurricane Katrina.  At the end of the day \nwhen the problems were so significant with Hurricane Katrina, the \nPresident ultimately turned to DOD for their assistance. \n\tSo what would happen in an event of a large-scale cyber \ndisaster?  What is the chain of command?  
Who is calling the \nshots?  And at the end of the day, you may not have a situation \nwhere the Internet is, if you will, dark, that there is a \nblackout.  In fact, I think that would be a pretty extreme case.  \nBut what you may have is a situation where you have very limited \nbandwidth or certain sectors cannot connect with each other.  That \nmeans real decisions about priority need to be made.  What traffic \ngets through?  What traffic gets stopped?  Likewise, can FedEx or \nUPS deliver their packages by the way--they base all their \noperations on the Internet.  \n\tA lot of these key questions require resolution, and that is \nwhy we are arguing for a national information assurance policy to \nput in place a directive across agencies, so we have a firm \nunderstanding of roles and responsibility and who is doing what in \nthe event of a crisis. \n\tMR. UPTON.  My time is expired. \n\tMr. Gonzalez. \n\tMR. GONZALEZ.  Thank you very much, Mr. Chairman. \n\tThe first thing I want to do is read from Mr. Clinton\'s \nsubmitted written testimony.  I don\'t think you covered it, \nMr. Clinton, but I really liked it, and I think it tells the \nAmerican people exactly what we are talking about.  It says "First \nwe need to realize that the Internet is unlike anything we have \never dealt with before.  It transmits phone calls, but it is not \na phone line.  It makes copies, but it is not a Xerox machine.  \nIt houses books, but it is not a library.  It broadcasts images, \nbut it is not a TV station.  It is critical to our national \ndefense, but it is not a military installation.  It is all these \nthings and much, much more."  It seems that what I am hearing is \nthat we have got a piecemeal way of addressing many of these \ndifferent uses and such, and we really need something that is \nholistic.  I just really enjoyed reading what is a very \nthoughtful written statement. \n\tIt appears that we are talking about a couple of things, \nof course.  
One is prevention.  Obviously, we need to prevent the \ndisruption of this incredible system that we have in the United \nStates.  The other thing is what do we do to respond once we have \nthe disruption or the attack or whatever.  And yet, we don\'t seem \nto be coordinated or getting a handle on what the problem really \nis.  We haven\'t even figured out where the agencies--we are not \neven staffing them timely.  It seems so overwhelming, and I don\'t \nmean to sound defeatist, but if we took the totality of your \ntestimony today, we would have to admit that Congress is not really \nmeeting its challenge effectively or timely.  I am part of that \nCongress. \n\tThe first thing that comes to mind is the lack of \ncooperation between government and the private sector, more so on \nthe private sector.  In fact, I think Mr. Powner indicated that \nthere is somewhat--I guess they guard jealously what they may \nsense is proprietary in nature, the edge, or whatever it is.  \n\tI want to break down the players in this scheme when we talk \nabout the Internet.  We have networks, AT&T, cable, and so on, \nright?  We have ISPs, the Internet service providers, and we have \nthe content aggregators, the search engines, the Googles.  Everybody \nthat goes out there--and this is all part of a communication system. \n It seems to me, Mr. Powner, that the private sector really is \nlooking to the Government when there is disruption to make sure \nthat it is minimal and will not interfere or interrupt or disrupt \nthe doing of business, yet, they don\'t see that it is a two-way \nstreet, that they have to be making their contribution to make sure \nthat we prevent and that we are able to respond.  Am I correct in \nthat particular assumption? \n\tMR. POWNER.  I think when you look at a potential \nlarge-scale disruption, it is very clear that we need to work \ncollectively on it.  
So the private sector, the owners of the \nInternet components, telecom companies, the route server operators, \nall those folks clearly are in charge of recovery. \n\tWhat can the Federal government do to assist?  That is \nreally the question, because the private sector is ultimately in \ncharge.  They know their equipment, they deal with minor disruptions \non a daily, weekly basis.  They know how to respond to things.  \nBut when it becomes at a certain scale, when does the Government \nget involved?  That is unclear.  What is their role on involvement?  \nThat is really what needs to be defined moving forward. \n\tMR. GONZALEZ.  The other thing that we touched on is, of \ncourse, the information security and the security of the systems \nthemselves, and the fact that we have many in the private sector \nin users that don\'t take that into account at all.  Again, \nMr. Powner, I think you heard Mr. Clinton and others saying \nthat--and I am going to go back, I guess, to Mr. Clinton\'s \ntestimony, if I can find it quickly, about trying old methods \nin an environment that doesn\'t work anymore.  A regulatory scheme, \nmaybe, and I know that someone indicated that maybe this will be a \nconflict of philosophies.  This is from Mr. Clinton\'s testimony.  \n"We cannot manage what is essentially the 21st Century technology \nsolely using regulatory models designed 2 centuries ago.  A new, \nmore creative model built on market incentives and creative \nsolutions must be developed and added to the mix." \n\tMr. Powner, in your research and what you have done, do you \nagree that there has to be maybe a totally different way of \napproaching and getting these parties together and involved? \n\tMR. POWNER.  Mr. Gonzalez, that is an excellent point, \nlooking at market incentives.  
I have been involved in critical \ninfrastructure since the mid-\'90s when Presidential Directive \nDecision 63 was initially signed, left the Government for a while, \nworked for a major telecommunications company, and since have come \nback.  So I have been on both sides of the fence. \n\tFrankly, we haven\'t been successful from the mid-\'90s on \nhaving an approach to secure our critical infrastructures.  We have \nhad a lot of good starts.  We have progressed certain ways.  We \nhave taken some steps backwards.  But when you look at how we \nidentify threats, whether we are working collectively in \npublic/private partnerships, we have had mixed success dating \nback to the mid-\'90s.  So I think looking at some new approaches, \nI think that we ought to keep our eyes open and consider those \nideas. \n\tMR. GONZALEZ.  Okay.  I sure do thank you, and my time \nis up. \n\tMR. UPTON.  Mr. Shimkus. \n\tMR. SHIMKUS.  Thank you, Mr. Chairman.  A great debate, \ngreat hearing, an important one, as you all have noted. \n\tIn listening and trying to get a handle on where we are \nat and where we need to go, I am struck by this whole debate on \nwho is supposed to do what, when, where, and how, and that is what \nwe are trying to get focused.  Hopefully getting an assistant \nsecretary will at least bring some coordination and focus and \nleadership.  It is really all a definition of leadership and \ngetting people to move and setting the tone and going forward. \n\tThe private sector has a--especially those who are highly \ninvested in data issues--I mean, they have a compelling financial \nreason to secure their data and to harden it.  Isn\'t that correct?  \nAnyone want to--let us start with Mr. Kurtz, and then we will go \nto Mr. Clinton. \n\tMR. KURTZ.  Yeah, I would agree, and this goes back to the \npoint that Mr. Gonzalez said.  I would actually disagree with you \nin part about where the private sector is on this.  I can answer \nboth at the same time. 
\n\tThe private sector, over the past several years, and Larry \ncan add to this as well, over a decade, at least, has spent a great \ndeal of time working to try to protect the critical infrastructure \nand working to shore up the critical information infrastructure in \nlarge part, for their own reasons.  The energy and oil has to flow \nthrough the pipelines, over the power lines.  The banking systems \nneed to work; the health systems need to work.  They all need to \ndo that for their own reasons, and I think in fact a great deal \nof progress has been made along the way.  I would also note that \nthere are several organizations, the National Cybersecurity \nPartnership, organizations that have been set up at the behalf \nof the Department of Homeland Security, like the IT Sector \nCoordination Council, that have been stood up to address issues \nwith regard to cybersecurity.  \n\tWe are, if you will, Larry and I are a piece of a much \nlarger set of people, both in Washington and across the country, \nthat are working on IT security issues on behalf of the private \nsector.  I think the key issue that we are at today, if I may, \nis looking for more government leadership to work with the \nprivate sector to solve some of those key questions that I \noutlined in my testimony.  What happens when the balloon goes \nup?  What happens when we really have a problem?  The private \nsector, for its own part, wants and needs to ensure the critical \ninformation infrastructure, but there will be problems, so what \nhappens when that happens?  Who is in charge, who is supposed \nto do what?  That is what we are looking for. \n\tMR. SHIMKUS.  Thank you.  \n\tLet me stop you.  I am going to interject, and then I am \ngoing to allow Mr. Clinton to respond also, because for us, large \nversus small, what do you define?  
What is large breach, and then \nif--based upon testimony, if there is--the other question I am \ngoing to throw out eventually will be do you believe that whatever \nis defined as a large disruption, will all communications go dark, \nor will there be a reduced bandwidth?  And if there is a reduced \nbandwidth, then I agree definitely that there needs to be some--in \nfact, we already do it.  I pulled out of my wallet this Government \nEmergency Telecommunications Service little phone--fortunately, I \nhave never had to use it, and sometimes I forget it is even here, \nbut someone is going to allow me in a degraded environment for \ntelecommunications, if I have to call back to Washington then I \nhopefully will get some expedited service because of this. \n\tSo we are already doing this at the national level in one \narena of communications.  So really, the debate is bandwidth, what \nthe prioritization or what would go through and how it would go \nthrough.  \n\tMr. Clinton, why don\'t you add, subtract, or delete. \n\tMR. CLINTON.  Maybe I can just extend. \n\tMR. SHIMKUS.  Good. \n\tMR. CLINTON.  First of all, let me thank Mr. Gonzalez and \nrefer partly to, Mr. Shimkus, with respect to a point that Paul made \nthat I, too, think that probably the record for the private sector, \nin the instance of a major disruption, is actually very good, \nincluding the sharing of information and bypassing some of the \nconcerns that they would have on a normal instance.  I think it \nis real important that we segment the problem here.  You have the \nconcern about the major, the big one, the Hurricane Katrina, and \nthen you have the hurricanes of all the other sorts that we also \nface every day.  So it is two different things. \n\tWith respect to the big one, people--just like they did \non 9/11, bypassed their normal concerns.  They just get in and they \ndo what they need to do, and that has been the case.  But you are \ncorrect sir, Mr. 
Shimkus, that what we need is a unifying motivator \nto get people to do the right thing all the time so that when the \nbig one hits--if I can use the Chairman\'s metaphor a little bit, \nthe levees are higher already.  And what we are arguing for is \nthat sort of resilience needs to be put into the system, and \nfrankly, the private sector, just like the Federal government, \nand perhaps even the Congress, needs to readjust because we are \ndealing with something very, very different. \n\tYou are right.  There is a compelling interest for companies \nto defend their systems, but frankly, the research indicates that \ncorporations are not currently valuing that responsibility as \nhighly as they probably should.  \n\tWe are having a big event next month, up at NASDAQ, where \nwe are going out to the investment community and saying you guys \nare not properly valuing the investments on security and resiliency \nthat the companies are making, so you are providing a disincentive \nto do this.  So we have to find a way to get the market incentive \nmoving so that the levees are built and people better appreciate \nthat.  If we can do that, when the big one hits we won\'t have to \nworry about bypassing our normal concerns and sharing information \nwe would otherwise normally--would be in position.  So that is what \nwe need to do, and that is going to require reorganization at DHS, \nthe White House, in corporate America--and we can go into that in \ngreater detail if you like, and perhaps even in the Congress, \nbecause it is difficult to deal with you guys. \n\tMR. SHIMKUS.  I got elected in 1996, took office in \'97.  \nWe had this big disaster coming in the future, which now seems \npretty minimal, which was Y2K.  
There was a financial aspect of the \nprivate sector to get their act in order so that come the change \nover of the clock that there wouldn\'t be--how many people on \nDecember 31, 1999, as they welcomed in the new year, were kind of \nlooking at the lights to see if the lights would continue to be on?  \n\tAnd so it is good to have leadership, is it good that we \nfill this position so that we can have communication.  We started \ntalking about how you prioritize, and we appreciate your \ntestimony.  Hopefully, this will lead us forward in ensuring that we \nare ready to define minor versus major and that--we know we live in \na dangerous world, and we just have to do--we don\'t want to be sitting \non the sidelines and say we didn\'t act. \n\tSo thank you, Mr. Chairman.  My time is expired. \n\tMR. UPTON.  Ms. Eshoo. \n\tMS. ESHOO.  Thank you, Mr. Chairman, for holding this \nimportant hearing on an issue that I think has really, for the most \npart, been overlooked.  It is too important to overlook.  As a member \nof the House Intelligence Committee, I take very seriously the range \nof threats to our country, from terrorists and other enemies, \nincluding threats to our basic infrastructure, which includes our \ntelecommunications network and the Internet.  If you spend any time \nwith the NSA, you know that this is not only the most valued of infrastructures, but how it serves our national security.  So this \nhearing is really important, not only to identify how we can \ncooperate with one another, but also really to put, I think, the \nAdministration\'s feet to the fire on this, in plain English. \n\tWe have gone without a cybersecurity czar for far too \nlong.  I heard some testimony that an application and its approval \nis in the works, but make no mistake about it--to have gone this \nlong without any attention to this and without having someone \ndirect this part of the orchestra, I think is dangerous for our \ncountry, in plain English.  
I am not one to try to hype up fear \nand all of that, but simply put, we have placed ourselves in a \nreal ditch here by not having the Administration name someone. \n\tI remember when Richard Clark, former cybersecurity czar, \ndescribed the potential for a telecom disaster as an electronic \nPearl Harbor.  And whether he is there or not, I think his words \nshould be taken seriously here.  \n\tSo I have a couple questions.  Why has it taken so long \nto fill this position? \n\tMR. FORESMAN.  Congresswoman, let me make two points first.  \nThis is not-- \n\tMS. ESHOO.  I mean, there hasn\'t even been a permanent \ndirector, so this is just like having erased something very \nimportant on the blackboard.  We are just operating without-- \n\tMR. FORESMAN.  Congresswoman--\n\tMS. ESHOO.  --anyone there.\n\tMR. FORESMAN.  --I would strenuously object to that \ncharacterization. \n\tMS. ESHOO.  Well, who has been in charge? \n\tMR. FORESMAN.  I have been in charge since January. \n\tMS. ESHOO.  January of this year? \n\tMR. FORESMAN.  January of this year.  And let me offer that \nthe success or failure of efforts in the Nation\'s cybersecurity \nefforts does not rest with one position in one agency or \norganization. \n\tWhen you look at the challenge that we have gone through, \nand I am sure you are aware, Congresswoman, that to get an-- \n\tMS. ESHOO.  Do you wear any other hat, or you are full-time \nas cybersecurity czar? \n\tMR. FORESMAN.  Congresswoman, as I think you know, I am the \nUnder Secretary of Preparedness.  I have a number of areas of \nresponsibility, of which cybersecurity is-- \n\tMS. ESHOO.  What percentage of your time do you spend \non cybersecurity? \n\tMR. FORESMAN.  Approximately 25 percent of my personal time, \nand I have a deputy who is assigned to it 75 percent of his time. \n\tMS. ESHOO.  And who is that deputy, is he or she here? \n\tMR. FORESMAN.  
No, ma\'am, but I will make the point that \nAndy Purdy, who has been our Acting Director of the National \nCybersecurity Division, Andy has done an exceptional job and \nCongresswoman, I understand the importance of getting this position \nfilled, but I want to be very clear with you.  This was the number \none personnel priority that I had on my plate when I walked into \nthis position.  We have been through numerous candidates, \nCongresswoman, and we have had a wide variety of candidates who, \nfor a variety of reasons, have not made it through the process.  \nWe have had a number who started into the process and decided \nthat the vestiture of their businesses, many of them were owners \nof firms in the IP community-- \n\tMS. ESHOO.  Does that fit with other timelines in terms \nof hiring people?  \n\tMR. FORESMAN.  It doesn\'t, and I think it points to the \nunique nature, just as all of the panelists have talked about, \n with dealing with IT issues.  The sector is unique-- \n\tMS. ESHOO.  I want to get to another point, and I have 33 \nseconds to do that. \n\tGiven the many vulnerabilities which exist as a result of \nusers and businesses with inadequate security or vulnerable \nnetworks, what are you identifying that should establish an \nenvironment where users and the private sector do what is \nappropriate to really fill this gap to protect our \ntelecommunications infrastructure?  That is what we are here \nfor.  We need to identify that.  I am still not pleased with \nyour answer.  I mean, if, in fact, we are on this big search \nfor a cybersecurity czar and you are saying that you have spent \n25 percent of your time, we have someone that is really able \nthat spends 75 percent of their time, but they are not even here \nto testify about it, that says to me that we have a problem.  \nYou may not agree, but I think that we do. 
\n\tSo given the responsibility that you say is 100 percent \ncovered, where is the plan to pull industry, businesses, private \nsector, and the Government together?  Because as far as I can see, \nwe don\'t have a plan, and that is equally as disturbing. \n\tMR. FORESMAN.  Congresswoman, no, we have action.  We have \na Sector Coordinating Council that is working across the IT sector \nto-- \n\tMS. ESHOO.  We don\'t have any standards or anything that \nhas been pulled together.  We heard that in testimony here today. \n\tMR. FORESMAN.  Absolutely, Congresswoman, and that is why \nwe have this group working to develop those standards.  This is \nnot something the Federal government is going to mandate on \nindustry.  I think you heard all of the panelists from the private \nsector note that, and we are providing the leadership to get the \nplayers in the room to have the discussion to adopt the best \npractices. \n\tMS. ESHOO.  I think that we can lead in this area.  I think \nthat we have to lead, and you know, you used the word mandate.  I \nthink that we can create something where people buy into it without \nforcing something on them.  But I think unless we do take a \nleadership position, it is not going to happen. \n\tMr. Clinton, you wanted to say something? \n\tMR. CLINTON.  Yeah.  Congresswoman, what I wanted to try to \ndo is offer an example of where we are working together.  Under the \nNational Infrastructure Protection Plan, there is a requirement for \neach individual sector to prepare its own infrastructure protection \nplan, and I happen to be working on the IT sector-specific plan, \nworking in partnership with some of the folks at the Department of \nHomeland Security.  We are making progress and we are seeking to \nmake that, if you will, a joint plan.  In other words-- \n\tMS. ESHOO.  Who has bought into it? \n\tMR. CLINTON.  Right now, it is very much at the working \nlevel.  
In other words, we have individuals within the private \nsector who are working on that plan in draft form.  We are working \nwith our counterparts at DHS.  Now, if I were to offer some \ncriticism here, and I think I have to, I wish there were more \nsenior level involvement in the preparation of that plan, not \nonly DHS, frankly, but other agencies as well, because there \nare critical policy questions that need to be addressed. \n\tBut I don\'t want to leave the impression that nothing \nis happening between the private sector and the Department of \nHomeland Security and other agencies.  There are things \nhappening.  It is more leadership and attention to the problem \nthat would be very useful and critical. \n\tMR. UPTON.  The gentlelady\'s time is expired. \n\tMS. ESHOO.  Can I have Mr. Clinton give an answer to the \ncommittee?  I think he wanted-- \n\tMR. UPTON.  Very briefly. \n\tMR. CLINTON.  Well, very briefly, I worked with Paul on \nthe infrastructure protection plan, the sector-specific plan, \nand we are working very hard.  I am very hopeful about that. \n\tThe comment that I wanted to make, however, dealt with \nthe issue of whether or not we don\'t have any standards.  That \nis--I would beg to differ.  I don\'t think that is actually--we \nhave got a whole lot of stuff already out there: the NRIC \nstandards, the best practices are really good.  The ANSI has \njust come up with a new set of standards.  The private sector \nis well along.  As I documented in my testimony, companies that \nfollow these things are really doing a pretty good job.  If we \ncould get everybody to do this, and there we need motivation.  \nSome of this we can do on the private sector side.  We have a \n program to establish model contract language so that the good \nactors, when they engage in contracts with the others, will put \ninto their contract that you have to comply with these ANSI \nstandards, for example.  
So there is a whole lot of creative stuff that we can do.

We have to do a whole lot more on our side, absolutely, and so does DHS, but we also are really trying to establish an environment of working together. That is something that is tough but we are working on it.

MS. ESHOO. Thank you.

MR. UPTON. Mr. Stearns.

MR. STEARNS. Thank you, Mr. Chairman.

Under Secretary Foresman, let me just sort of follow up a little bit. Ms. Eshoo had been talking about the Department of Homeland Security sponsored exercises such as a cyber storm. Have you found that both the Government and the private industry are unprepared to respond to a major Internet disruption? Can you specifically tell us how bad the situation is and what is being done to fix it?

MR. MORAN. Congressman, it is difficult to put a quantifiable measure on where we are, but let me offer a couple--

MR. STEARNS. Don't give me vague and general.

MR. MORAN. I am not going to give you vague and general answers.

As a number of the panelists have said, we have got to have a clear appreciation of the roles and responsibilities of the private sector versus the Department of Homeland Security, and that was identified. And as we go through the update of the National Response Plan, we will do those clarifications.

MR. STEARNS. Well, on a 1 through 10 scale, it says here that you found that both government and private industries are unprepared to respond. Ten being they are very prepared, and 1 being they are not prepared. On a 1 through 10 scale, how unprepared are they to respond to a major Internet disruption?

MR. MORAN. Congressman, with all due respect, I am not going to put a measure on it because it would be unfair to the industry, it would be unfair to government to put a scope or a scale on here when as we have evolved through the development of our infrastructure protection efforts in this Nation, whether you are talking about--

MR. STEARNS. I don't want you to--just give me general language. I would like to get--since the report said government and private industry are unprepared, are they very unprepared or not prepared? In your opinion, how bad are they unprepared? Is this significant?

MR. MORAN. Congressman, let me leave it at this. I would offer that we are moderately well-prepared, and there is more work to be done.

MR. STEARNS. And what should be done to fix it?

MR. MORAN. Well, Congressman, clearly the big thing is there is a wide range of ongoing discussions, planning activities, the exercise activities, the training activities, but I think one of the critical things that Larry Clinton raised in his testimony is that there are a number of policy issues that need to be addressed so that we drive this from a market incentive standpoint. There are certain areas of the critical infrastructure where regulation is appropriate--

MR. STEARNS. Okay.

MR. MORAN. --there are others--

MR. STEARNS. I will just move from there.

Mr. Powner, how would legislative changes improve the ability of the Department of Homeland Security to develop Internet recovery plans? This is your chance to tee off and give the straight scoop here that--

MR. POWNER. I think that two areas could move the ball forward in a large way. Hopefully with the assistant secretary position being filled soon, there will be greater clarity between the roles of the National Communication System and the National Cybersecurity Division. Right now, those roles and responsibilities--

MR. STEARNS. So you would want legislative overlap language for that?

MR. POWNER. Well, the question is if they can't figure it out soon, perhaps you could help them.

MR. STEARNS. Okay.

MR. POWNER. Okay? So I think that is the first one.

MR. STEARNS. That is a nice way to put it.

MR. POWNER. So that is the first point. The second point is when you look at the Stafford Act and the lessons learned from Katrina, there were private companies that needed assistance, and they were denied. When we have a major disaster, that should not be the case. We ought to have waivers around some of those things during national emergencies where private companies can be assisted by the Federal government.

MR. STEARNS. Mr. Clinton, what percentage of the United States companies are simply implementing best practices when it comes to protecting the IT infrastructure?

MR. CLINTON. Well, the last part makes it a little bit tougher for me, because the statistic I was just going to quote you goes beyond just the IT infrastructure. Well, the answer I would give you, sir, is that the research that I have seen, which is done by PricewaterhouseCoopers, indicates about 25 percent of corporations are currently following what we would identify as best practices.

MR. STEARNS. So 80 percent, then, are not doing it?

MR. CLINTON. In various degrees, yes, it is about 80 percent.

MR. STEARNS. And is there--within that 80 percent, can you break out in terms of groups? Can you be more specific who those 80 percent are?

MR. CLINTON. Yes, although the degree to which I can do it off the top of my head is--

MR. STEARNS. I don't want to put you to too much trouble. If you could name a couple names that would be helpful.

MR. CLINTON. Well frankly, Mr. Stearns, probably most of the companies that appear before this subcommittee are probably doing a pretty good job. I mean, the major providers, et cetera. It is when we get particularly into the small business environment it becomes really--

MR. STEARNS. But 80 percent is a pretty big number, so is it possible you could give me some examples who are in that 80 percent categories?

MR. CLINTON. Well, we have a major problem with small business overall.

The first recommendation that came out of the National Cybersecurity Summit, which was held a couple years ago, was to reach out to small businesses and--

MR. STEARNS. Under 5 million, under 100 million, what--

MR. CLINTON. Under 50 million is--

MR. STEARNS. Under 250, so that is a lot of companies.

MR. CLINTON. That is a lot of companies, sir. And we did research on that to figure out why this was going on, and to really cut to the chase, we found that all the small companies that we dealt with, in a series of focus groups held nationwide, had one thing in common. Every small company wanted one thing: to become a big company. And so the economic difficulties, the costs involved, were really the major barriers. So what we have attempted to do is develop a cost efficient way to deliver services to these companies, and we have expanded our reach by several hundred.

So there are efforts that need to be made here. We need more best practices; we have to refine the best practices that are previously established so that they are more applicable to the small companies. They have different needs than larger companies. We have to find ways that we can fund a delivery system that would be far more cost effective for them, develop assessment tools, all of which we have done. So we are doing outreach, but sir, I am absolutely with you. My testimony says a lot more needs to be done. We have to find incentives to get these people more into the boat, and we would love to work with you on that.

MR. STEARNS. Thank you, Mr. Chairman.

MR. UPTON. Mr. Inslee.

MR. INSLEE. Thank you. There is a lot to be concerned about here, and I want to ask some of you gentlemen about excuses for inaction.

We have this blatant failure to have leadership for not filling the Assistant Secretary of Cybersecurity post at DHS. The GAO has found that that has retarded any significant advances on cybersecurity. That is on the Administration's side.

On the Congress's side, the House has failed to pass two meaningful pieces of legislation, the Data Accountability and Trust Act, H.R. 4127. We passed that unanimously on our committee on March 29, 2006. This is supposed to be the big security month in the House, but as far as we know, it is not scheduled for House action. That, of course, would set national standards on how data brokers handle personal information. That hasn't passed. The Prevention of Fraudulent Access to Phone Records Act, H.R. 4943, that passed unanimously--I'm not sure it was unanimously--out of this committee on March 16, 2006. That hasn't passed the House of Representatives yet.

So we have supposedly the big security month in the Republican Administration, Republican House. We don't have a leadership post for cybersecurity for the Nation. It has been empty for a year. We have two major bills, one involving pretext calling--by the way, we know this is not an abstract problem. We see at Hewlett Packard the situation where somebody in management basically hired a firm to do pretext calling to violate the privacy rights of the Board members of this corporation to get their phone records. This is going on in the major board rooms of a major Fortune 500 company. This is not an abstract problem. It is happening. And yet, we don't have the House passing either one of these bills to date. I think that is a concern.

So I guess I will ask Mr. Foresman, is there any excuse for either of these failures?

MR. FORESMAN. Congressman, let me first say with regard to what Congress has or has not done, I am not in a position to exercise any level of judgment on that. On the second piece with regard to the cybersecurity post, I would offer to you progress has been made. The absence of an individual in that particular post has not stopped us from moving forward. Earlier, I had talked about the fact that we had a very collaborative relationship with Microsoft just a couple of weeks ago to deal with the vulnerability issue.

So if it were the fact that we had a difficult time finding a candidate to fill this position, had we been in neutral the entire time, I think there would be grave concern, but I think we have been in overdrive the entire time, and as all the individuals have said here today, we need to keep the pedal to the metal and continue our efforts forward.

MR. INSLEE. Well, it is great on a ship that the people in the boiler room are doing a good job and the navigator is doing as good a job as he can; without a captain you just don't get the motivation to move an agency. And sitting here, I don't think there is any excuse for that. I don't think there is any excuse for us not passing these two bills, either, that are consensus products.

So I think constituents of any party ought to be dissatisfied with both the Administration and the House today, and I would hope this hearing, which I am glad we are having, I thank the Chair for having this hearing, will motivate all parties to move with dispatch to get these jobs done.

Thank you.

MR. UPTON. Mr. Walden.

MR. WALDEN. Thank you very much, Mr. Chairman. I appreciate the work of the GAO to give us some guidance, and the testimony of our panelists today.

I want to ask the gentleman from Symantec, is it Weafer?

MR. WEAFER. Weafer.

MR. WALDEN. Weafer. What sort of changes have you seen in the cyber threats over the last couple of years? I mean, we are all subject to them. I get this garbage on my Blackberry, at home and everywhere else, and I realize that is junk mail, but in terms of the threat, what are you seeing?

MR. WEAFER. Well, I think we have seen a very big change from the late '90s, which were very much driven by the teenagers, the cyber vandals, the attention; today they are very much driven by criminalization and commercialization.

The criminalization are the ones we have talked about, the phishers, the spammers, the people that are out there. The commercialization is people like adware companies, bad actors, the people who are trying to exploit vulnerabilities, take over websites. They are trying to get sludge onto your machine. So it is the intensity in volume and the absence of high profile events that is something of concern to us in terms of creating awareness for users.

We hear this from home users, we hear this from CEOs of companies, which is the problem has been solved because I don't see it on the news anymore, and we are seeing the opposite. We are seeing the intensity of the volumes actually increase over the last couple of years.

MR. INSLEE. And as you see that intensity increase, what sort of damage are you seeing to these systems?

MR. WEAFER. Well, today it is very focused on loss of confidential, personal information: Social Security numbers, personal information stolen from data leakage from corporations. That seems to be where most of the money is concentrated on. That is where most of the attacks are. Certainly, there is a lot of concern about critical infrastructure, not just on today's technology, but as we move into the next generation technologies like smart phones, mobile technologies, there is a lot of concern going forward about how prepared are we with those technologies, which is why one of the recommendations is certainly R&D into some of these new technologies to secure them.

MR. INSLEE. And as you look at what is coming out of the Federal government, I mean, we have heard a lot about the lack of an appointment to the head of this Department and all, how important is that?

MR. WEAFER. We think it is critical. I think, to echo many of the comments made here today, which is we have identified many of the policies, we have identified some of the key players, we just need to implement and get many of these ideas moving.

MR. INSLEE. All right.

Mr. Moran, what kind of security issues should we take into consideration as we migrate from sort of the traditional phone service to Internet-based services and communications?

MR. MORAN. Well, the newer systems, the new Internet-based systems, they are much more open systems. The old systems were closed systems where you had trusted a few people, trusted people, you knew them. They were the ones that had access to like the signaling operations so the networks were easier to maintain the integrity of the networks. The new systems are much more open. The channels that handle the data are the same channels that handle the controls in many cases. This produces a lot of challenges, and it means that anyone who is a part of the system, if they want to maintain secure systems, they have to take a lot of steps to make sure that they are not being sloppy with how their networks are and whether--not being sloppy, but people into those systems that shouldn't be in.
Through the NRIC process, we posed some of those questions to NRIC and we have gotten a number of best practices on how to be more secure in those things to make sure that your system will not be so vulnerable.

MR. INSLEE. All right.

Mr. Kurtz, I guess one of the issues that has always intrigued and yet troubled me with how we deal with the Internet is its international scope. We can have people in place and policies coming out of the United States government. How do you control it when a lot of this stuff is offshore? What do you recommend? How do we get at that issue?

MR. KURTZ. Well, there is an important milestone just passed before the summer recess when the Senate ratified the Council of Europe's Convention on Cyber Crime, which puts in place that common infrastructure for investigating and prosecuting cyber criminals. That was a very important step.

The next step now is to, if you will, take the show on the road and ensure that other countries around the world adopt that same convention, put in place the laws in order to investigate and prosecute cyber criminals. It also requires the United States to reach out, in particular, to key allies and friends, to develop relationships relating to infrastructure protection, information infrastructure protection. In other words, if we have a major problem in Europe or in Asia with regard to a critical data link or multiple links at the same time, we are obviously going to need to know who is who on the other side so we can have those kind of relationships in place, getting into a broader exercise environment.

I will note that Cyber Storm, if you will, was international in nature. They had some other countries participating, but we need to broaden that scope.

MR. INSLEE. But doesn't it just take one outlier, I mean, one safe harbor, if you will, from international law where they can drive it all through servers and--

MR. KURTZ. Well, it depends on ultimately what you want to do at the end of the day. If you are, in fact, talking about cyber crime, yes, if you want to have somebody who wants to go after people's sensitive personal information, it can be just one outlier. But if you are talking about a concerted cyber attack, that takes more resources, more planning capabilities on the outside and on the inside, in other words, an insider threat capability as well. It takes a little bit more, but it is very difficult with the Internet because I can, if you will, spoof that I am sitting in China or I am sitting in Iran, when I am really somewhere in Iowa. It makes it difficult.

MR. UPTON. Mrs. Blackburn.

MRS. BLACKBURN. Thank you, Mr. Chairman. I thank all of you for being with us today and bringing the information that you have. Listening to you, I tell you, we have--in this committee and in Oversight and Investigations, we have talked quite a bit about looking at the new economy, the electronic commerce needs for drawing some bright lines distinguishing what is large businesses and small businesses. Mr. Kurtz, listening to you it sounds like there again that needs to be a consideration, how we deal with the businesses and the type of business that it is, and then looking into folding that into the laws in the government and their responsibility.

Secretary Foresman, let me come to you first. We talked a lot about what is not done. I have looked at your testimony, and you lay out broad platitudes and goals that are there, and I will tell you quite frankly, reading it, it reminded me a little bit about the hearing that we did in New Orleans post-Katrina on the implosion of healthcare. And as we talked with them about what their emergency preparedness was, we found out that they had a strategy, a plan on paper. What they did not ever do was put in place an implementation plan. So sometimes, we can look at goals, we can look at what a vision is, but that is not going to get things in place to deal with recovery of information or putting a cyber structure back in place, should we have an attack.

So for the record, why don't you articulate the steps that you all have taken, the things that you do have in process.

MR. FORESMAN. Congresswoman, what I propose is to bring back a comprehensive list of those things and how they fit together in terms of implementers, but I am 110 percent with you. The Secretary and I have talked in the context of cybersecurity. The necessity of first defining the goals and doing that in collaboration with industry in a way that balances security and the national economy--

MRS. BLACKBURN. Okay. If I may interrupt you--

MR. FORESMAN. And then, Congresswoman, if I just might say, we are going to put tangible timelines on all of these things as we move forward. As you saw in the testimony, we are updating the National Response Plan. The sector plan is due by December 31 at the latest, earlier if possible. We are just not going to simply throw them out there without specific deliverable timelines.

MRS. BLACKBURN. So you can give this committee assurance that there are some tangible items that you all--some milestones that you have reached, some things that you have in place that we can point to, and when our constituents say, you know, post-Katrina, there was not communication in Southern Mississippi. What are you looking at if we have a disaster that takes down everything again? You can say when it comes to Internet and to our cyber infrastructure, we have some deliverables that have been reached and we can document that and show you.
MR. FORESMAN. Congresswoman, we will bring that and document it and provide it to you.

MRS. BLACKBURN. Okay, thank you. I appreciate that.

Mr. Kurtz, back to some of your comments, and kind of taking up where Mr. Walden had left off, do you think that the Federal government is capable of putting in place a recovery structure? Do you think that this is something that needs to be done by the private sector and the stakeholders necessarily for helping put that in place for the government? Do you think government has the ability to move quickly enough to address it?

MR. KURTZ. I certainly think the Government has the ability to lead those efforts. If I can go back to the 1980s and 1990s when the national communication system was set up with the divestiture of AT&T, a group of companies came together, the telecom firms came together to work with DOD and the rest of the interagency on telecom issues. If you will, the Government built the field and they all came. I think we really can do the same thing with this situation as well.

MRS. BLACKBURN. Okay.

MR. KURTZ. We can expand the pool to include the IT infrastructure folks, as well as other key infrastructure providers, the finance and energy folks as well.

I do think it is doable. It is really leadership and sorting out roles and responsibilities in the event of a crisis that is important.

MRS. BLACKBURN. Okay. Mr. Moran, you mentioned the 200 best practices in your testimony that your work had led to, over 200 best practices. So what do you do with that list? Are you actively communicating that or do--

MR. MORAN. Yes, the best practices have been developed. They are actually posted on the NRIC website. But we have an outreach program. We get out to parties who we think need to hear the message. The ones who were involved in NRIC development, they obviously know them, they voted on them, they know what they are. They are very attuned to it. But for example, we get out to--a lot of the FCC focus is on the telecom networks, so one of the things we do, we try to get out to the State telephone associations and we get out and make some presentations about the best practices, why they are important. We try to make the point, by the way, that there are costs to implement best practices, but the risks and the costs of not implementing the best practices and having networks go down, lost revenues among other things, we try to point out that there is a lot of risk and a lot of costs associated with not implementing best practices.

So we get out there. We also get out at national conventions and conferences to get the word out on the best practices. So we think it is extremely important for everyone to know about them who the best practices would be relevant to, and we try to make that happen.

MRS. BLACKBURN. And I would assume that post-Katrina you have some lessons learned that are also included in that?

MR. MORAN. Absolutely, yes.

MRS. BLACKBURN. Thank you, Mr. Chairman.

MR. UPTON. Thank you.

Mr. Gonzalez.

MR. GONZALEZ. Thank you very much, Mr. Chairman, for indulging me on this last question. I just didn't want to leave this untreated, because I think we touched on it, but to make sure that we are comprehensive.

We have touched on the role of the major player, of course, government, and then the major players in the Internet, and I think we have identified those as the individuals that come--representatives that testified before our committee, Mr. Chairman. We barely touched on the other, though, and that is going to be small business and consumer. And so this question is more directed to Mr. Weafer, right? Mr. Weafer, your testimony cites a study by the Small Business Technology Institute, small business information security readiness, and I quote "Shockingly, this study found that over 74 percent of small businesses perform no information security planning whatsoever." That is the first point. Now, let us get into the consumer, and I think small business more consumer than anything else. "The growing use of always-on broadband connections by home users and small businesses represents a significant amount of computing power, which left unprotected can be taken over and used as zombie machines to damage our networks and hinder the commerce and services that flow through them."

So on those two points, where are we today in addressing those particular groups that are essential, obviously, if it is going to be comprehensive, and again, what should we be doing if, in fact, you disagree with the progress that we are making at the present time?

MR. WEAFER. Well, I think just a couple of things you need to do. One is increasing awareness and education, particularly for the home user level. I think it is a danger for the home users that they think that the problem is solved through one magic pill. That is not the case. As we have moved from dial-up connections to broadband connections, we have opened up our computers to not only more processing power, but more threats coming in: network attacks, phishing attacks, spam attacks. I think in many cases people are unaware of the dangers they are opening up.

Every country we look at, as it goes to broadband, we see a complementary increase in the number of cyber attacks originating from within that country. So it is not just a U.S. concept, we actually see it around the world.
So getting people to understand it is a defense in depth, getting them to understand it is about updating security patches, best practices, social awareness in terms of what parts of the Internet--don't go down the dark alleys of the Internet, what they are downloading on the machine, reading the user agreements, these are part of the education awareness.

Secondly, the infrastructure itself, we need to make sure we are protecting them as much as we can. Some of this can be done at the telecommunications or the ISP layer, which is protecting them from spam, viruses, and things coming down that pipe towards them. We do recognize a special place the home users have, because, of course, many of us are also remote workers. So if we bring home our work, we are also exposing our company's data as part of this. So this is another reason why we really need to focus on this group and try to get them the incentive as well as the awareness to try and improve security.

MR. UPTON. Thank you, Mr. Gonzalez.

Well, this concludes our hearing. We appreciate your thoughtful remarks and your testimony, as well as in your statements. I must tell you that this subcommittee is going to stay on top of this issue. Mr. Foresman, again, if you could take that message back that we are looking forward to working with an assistant secretary, as we know that this is a potential real problem that will cause just enormous damages if it is not dealt with correctly.

Thank you and have a good day.

[Whereupon, at 11:58 a.m., the subcommittee was adjourned.]

SUBMISSION FOR THE RECORD OF JEANNINE KENNEY, SENIOR POLICY ANALYST, CONSUMERS UNION

RESPONSE FOR THE RECORD OF DAVID A. POWNER, DIRECTOR, INFORMATION TECHNOLOGY MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

RESPONSE FOR THE RECORD OF VINCENT WEAFER, SENIOR DIRECTOR, SYMANTEC SECURITY RESPONSE, SYMANTEC CORPORATION

1. What are the risks and benefits of private companies sharing information with the Department of Homeland Security (DHS)?

Information sharing among government agencies and the private sector has emerged as one of the most critical challenges of the post-9/11 era. A key element of this challenge is that while the federal government is expected to keep the U.S. secure, the overwhelming majority (85 to 90 percent) of the nation's critical infrastructure is owned by the private sector.

In structuring its strategy for securing the national critical infrastructure, the Department of Homeland Security (DHS) has been designated as the lead agency and is charged with finding ways to improve information sharing while the IT systems that control the critical infrastructure -- such as telecommunications networks, the electrical power grid, oil pipelines, and water treatment plants -- remain protected from physical and cyberthreats.

In early 2005, the Government Accountability Office (GAO) published a report that criticized the DHS for not doing enough to reach out to the private sector. The report asserted that many organizations responsible for the nation's critical infrastructure "are either unaware of key areas of cybersecurity risks or unprepared to effectively address cyber emergencies. Further, DHS continues to have difficulties in developing partnerships -- as called for in federal policy -- with other federal agencies, state and local governments, and (the) private sector." Without effective partnerships with the private sector, the government's mission to secure our nation's infrastructure will not be successful.

While information sharing is necessary for critical infrastructure protection, it may also leave participants more vulnerable to attacks. In order to effectively protect the infrastructure, government agencies and private firms must work together to determine what kinds of information should be shared and why, develop the appropriate information sharing mechanisms (such as further development of the IT-ISAC and IT-SCC for the IT Sector), ensure that the public sector shares as much timely information as possible, and make the intelligence more actionable for all parties. Most of the information the private sector has received in the past has been old information or is not enough information to take any specific actions. We have seen some improvement recently in this area. The advent of the Protected Critical Infrastructure Information (PCII) program is also a positive step toward protecting sensitive information and only sharing it with appropriate parties. However, there are still some questions that remain about the PCII program, including how the information which is submitted will be protected and to what extent a company can control the information once submitted.

Before the government can expect the private sector to fully cooperate and share valuable IT information and assets, the government should be able to demonstrate a secure, resilient infrastructure of its own. The most recent FISMA scores signal that many agencies still have a lot more to do in the area of IT security. By combining the right technologies, processes, and policies, agencies can dramatically reduce the risk of unexpected disruptions, increase their ability to maintain continuity of normal business operations, protect highly sensitive information, and tightly align IT to changing operational goals.

2. What improvements could DHS make in building its working relationships with private sector information technology and communications companies and major industrial users of the Internet?
The Department of Homeland Security should streamline communication with private firms holding a stake in the nation's critical infrastructure sectors. In addition, DHS should expedite recommendations provided by private sector representatives serving on the National Infrastructure Assurance Council (NIAC).

Symantec's Chairman and CEO, John W. Thompson, was appointed in 2002 to the National Infrastructure Assurance Council (NIAC) by U.S. President George W. Bush. The NIAC was established by the President to provide advice on the security of information systems for critical infrastructure supporting key sectors of the national economy, including banking and finance, transportation, energy, manufacturing, and emergency government services.

During the summer of 2005, the NIAC established a Sector Partnership Model Working Group from a DHS-requested study and provided recommendations on its structure, function and implementation.

In October 2005, the Working Group presented its initial report and findings to the NIAC, affirming the structure of the partnership model presented in the National Infrastructure Protection Plan (NIPP), and recommending key operating principles, including that the partnership be considered a collaboration of equals between the government and the private sector. The approach includes sector-based and cross-sector partnerships.

We believe that DHS should implement a "sector partnership model" in which leaders from the private sector and government counterparts that do similar work would share information about sector-specific topics. Unlike formal governmental advisory committees that involve private sector voices, these groups of leaders would be self-organized bodies and remain independent of government control.
\n\tSymantec recommends that DHS should also continue to work \nwith private industry to discuss the key challenges the Department \nfaces that impede the private sector\'s willingness to share \nsensitive information.  Some of these key challenges for DHS \ninclude:  \ndefining specific government needs for critical infrastructure \ninformation, \ndetermining how the information will be used, \nassuring the private sector that the information will be protected \nand who will be authorized to have access to the information, and \ndemonstrating to critical infrastructure owners the benefits of \nsharing the information. \n\n\tIf DHS were able to surmount these challenges, it and other \ngovernment users may begin to overcome the lack of trust that \ncritical infrastructure owners have in the government\'s ability to \nuse and protect their sensitive information. \n\tFinally, Symantec has made numerous recommendations over the \nlast several years related to information sharing functions that \nhave been transferred to DHS. One significant area concerns the \nfederal government\'s CIP efforts, which is focused on the sharing \nof information on incidents, threats, and vulnerabilities, and the \nproviding of warnings related to critical infrastructures both \nwithin the federal government and between the federal government \nand state and local governments and the private sector. 
Although \nimprovements have been made, further efforts are needed by DHS in \ncoordination with the private sector to address the following \ncritical CIP challenges: \n developing a comprehensive and coordinated national plan to \nfacilitate CIP information sharing  that clearly delineates the \nroles and responsibilities of federal and nonfederal CIP entities, \ndefines interim objectives and milestones, sets timeframes for \nachieving objectives, and establishes performance measures; \n developing fully productive information sharing relationships \nwithin the federal government and between the federal government \nand state and local governments and the private sector; \n improving the federal government\'s capabilities to analyze \nincident, threat, and vulnerability information obtained from \nnumerous sources and share appropriate, timely, useful warnings \nand other information concerning both cyber and physical threats \nto federal entities, state and local governments, and the private \nsector; and \n providing appropriate incentives for non-federal entities to increase information sharing with the federal government and enhance other CIP \nefforts. \n\n\tThe success of homeland security also relies on establishing \neffective systems and processes to facilitate information sharing \namong and between government entities and the private sector. The \nISAC\'s have identified critical success factors and other key \nmanagement issues that DHS should consider as it establishes \nsystems and processes to facilitate information sharing among and \nbetween government entities and the private sector. \n\tThese success factors include establishing trust \nrelationships with a wide variety of federal and non-federal \nentities that may be in a position to provide potentially useful \ninformation and advice on vulnerabilities and incidents. 
As part of \nits information technology management, DHS should continue to \ndevelop and implement enterprise architecture to integrate the \nmany existing systems and processes required to support its mission \nand to guide the department\'s investments in new systems to \neffectively support homeland security in the coming years. Other \nkey management issues include ensuring that sensitive information \nis secured, developing secure communications networks, integrating \nstaff from different organizations, and ensuring that the \ndepartment has properly skilled staff. \n\n3. Describe (a) the involvement of private sector firms in the \ndevelopment of the National Infrastructure Protection Plan and your \nviews on the efforts to develop this plan; and (b) the involvement \nof private sector firms in the ongoing development of the \nIT/Communications Sector specific plan in response to NIPP and \nyour view of the process by which the sector-specific plan is being \ndeveloped. \n\n\t(A.) As the focal point for critical infrastructure \nprotection, DHS has many cybersecurity and other IT-related \nresponsibilities that are called for in law and policy. In 2005 and \n2006, DHS initiated efforts to address these responsibilities, but \nmuch more remains to be done.  \n\tOn June 30, pursuant to Homeland Security Presidential \nDirective 7, the Department of Homeland Security (DHS) released a \nfinal National Infrastructure Protection Plan (NIPP).  The final \nNIPP builds on the framework established in both the interim and \ndraft versions of the NIPP, issued in February 2005 and November \n2005 respectively. Symantec believes that DHS has made significant \nprogress on these responsibilities with the June 2006 release of \nthe National Infrastructure Protection Plan; however, supplemental \nsector-specific plans have not yet been finalized. \n\tPrivate sector firms were allowed little time to review and \ncomment on the finalized version of the NIPP.  
Many \nIT/Communications sector specific firms had hoped to be consulted \nearlier by DHS to participate in the drafting process for the NIPP \nup front as opposed to being asked to comment on a DHS completed \ndocument without prior industry consultation. \n\tSymantec is encouraged that the final NIPP includes more \nreferences to the IT Sector.  However, we believe the plan needs to \ngo one step further by addressing avenues for merging physical and \ncyber protection. Reconciling the two won\'t be an easy task, but \nthat is what the 17 sector-specific councils are charged with doing \nin 180 days; that\'s the deadline for preparing individual \ninfrastructure protection plans for the telecommunications, IT, \nfinancial service, chemical and other industries \ndesignated "critical" by the DHS. These plans will be based on the \nNIPP and sanctioned and released by DHS, but issued as guidance, \nmeaning compliance by companies will be voluntary. The key part \nof each of those sector specific plans will be a risk assessment \nof the possibility of a cyber or physical attack and an estimation \nof its effects. \n\tSymantec believes that it will be most difficult for \nsecurity professionals in each industry to merge those two risk \nassessments, especially given the lack of specificity in the NIPP. \nThere is a complex web of issues which have not been dealt with \nin the NIPP. For example, a dam -- and most physical assets -- are \nbuilt to certain specifications in order to resist threats, such \nas a storm, of a specified magnitude. If the dam breaks, the \nresult can typically be predicted. But if a vulnerability in an \noperating system is exploited, the asset, i.e. the computer, is \nnot damaged. Rather, there is a loss of functionality throughout \na network, the extent of which cannot be predicted in advance. 
\nSymantec is concerned that the sector-specific plans will confine \nnetwork security to the backseat as concern over dams, rivers, \nbuildings and other physical assets drives each plan. The NIPP \nfocuses more directly on protection of physical assets and still \nneeds greater emphasis on cybersecurity.  Symantec recommends \ngreater inclusion of cyber security in the NIPP.  We have \nidentified several clear and present cyber security threats to \nU.S. critical infrastructure which exist from many sources. \n\t(B.) Symantec is a member of the Information Technology \nSector Coordinating Council (IT-SCC) which was established on \nJanuary 27, 2006 for the purposes of bringing together \ncompanies, associations, and other key IT sector participants \non a regular basis to coordinate strategic activities and \ncommunicate broad sector member views associated with \ninfrastructure protection, response and recovery that are broadly \nrelevant to the IT Sector.  \n\tThe IT-SCC was formed, in part, to support the "Sector \nPartnership Model" developed by DHS and endorsed by the NIAC.  \nSymantec remains closely engaged with DHS, specifically the National \nCyber Security Division (NCSD) as our lead Sector Agency, in CIP \npolicy development and coordination.  For operational information \nsharing issues, the IT-ISAC will take leadership, with the support \nof the IT SCC.  The IT sector envisions a secure, resilient, and \nprotected global information infrastructure that can rapidly \nrestore services if affected by an emergency or crisis, ensuring \nthe continued and efficient function of information technologies, \ninfrastructures and services for people, governments, and \nbusinesses worldwide. \n\tSymantec and other Council members are working in \npartnership with DHS in developing risk-based, private-sector-driven \ncritical infrastructure protection (CIP) initiatives.  
\nSpecifically, the IT SCC is working with the NCSD to develop a \nnew understanding of IT assets that is function based, as opposed \nto the traditional physical structure conception of assets.  The \nIT SCC has developed a Plans Working Group to coordinate the IT \nSCC\'s input to the government\'s National Infrastructure \nProtection Plan (NIPP) and co-development of the IT Sector Specific \nPlan (SSP). \n\tAdditionally, the IT-SCC is looking to build more robust \ninformation sharing between DHS and the private sector.  As such, \nthe IT SCC has asked DHS to use the powers granted to it in Section \n871 of the Homeland Security Act and develop a FACA exempt structure \nto more easily share information.  The April 2006 announcement by \nDHS of the formation of the Critical Infrastructure Protection \nAdvisory Committee (CIPAC) responds to that need, and the IT-SCC \nis working with DHS to refine architecture and operation of that \ncommittee.  Additionally, the IT-ISAC continues to engage DHS on \noperational information sharing. \n\tSymantec has been pleased with our participation in the IT \nSCC and the process to collaboratively work together with other \nindustry players on an IT sector specific plan. \n\n4. What factors make private/public working groups more/less \neffective in planning for or responding to major Internet \ndisruptions? \n\n\tThe Internet and its communications infrastructure serve \nas the backbone of information exchange that is vital to our \nnation\'s security and our economy. Yet many feel the United States \nis not sufficiently prepared for a major attack, software incident \nor natural disaster that would lead to disruption of large parts \nof the Internet. Despite a series of efforts in recent years to \naddress this issue, some gaps still exist in the response plans \nof the U.S. government and the private sector for reconstituting \nthe Internet in the event of an unprecedented massive Internet \ndisruption. 
\n\tThe primary factor that can make private/public working \ngroups ineffective in planning for or responding to major Internet \ndisruptions is that there are currently no well-coordinated \nprocesses, roles, or responsibilities in place that \nwould integrate the disparate plans of industry and government \nto restore Internet functioning when recovering from a major \ncyber attack. Some of the recent government exercises demonstrate \nthat there is much to improve on from both sides.  \n\tAccording to the GAO, DHS has so far failed to establish \na comprehensive plan for responding to cyberthreats against \ncritical infrastructure. Criminal groups, foreign intelligence \nservices and terrorists all have the ability to launch disruptive \nphysical and cyberattacks. While the DHS developed high-level \nplans for infrastructure protection, components that address \nInternet recovery are "incomplete." In addition, while the DHS has \nbegun working with private industry on processes for jointly \nresponding to cyberattacks, the initiatives are "immature" and \nlack deadlines for completion. \n\tAlso hampering the department\'s efforts to establish a \nrecovery plan is a lack of agreement over what the agency\'s role \nshould be when a disruption does occur and when it should get \ninvolved. In addition, the private sector has been reluctant to \nshare information with the DHS because "it doesn\'t currently see \na value in sharing" and lacks trust in the leadership. \n\tA July 2005 GAO report stated that the government is \nnot prepared to effectively coordinate public and private-sector \nplans for recovering from a major Internet attack. "Until these \nchallenges are addressed, DHS will have difficulty achieving \nresults in its role as a focal point for helping the Internet to \nrecover from a major disruption," the report noted. 
\n\tThat said, there are definite benefits to having \nprivate/public working groups in planning for or responding to \nmajor Internet disruptions.  Specifically, by working together, \nstronger trust relationships can be built, processes can be developed \nand streamlined, roles can be identified, and actionable information \ncan be shared to better protect our nation\'s infrastructure. \n\tSymantec encourages more comprehensive exercises by DHS \nsuch as the Cyber Storm Exercise involving simulated cyberattacks \nagainst the nation\'s critical infrastructure that were conducted \nin February. Cyber Storm was conducted by the DHS\'s NCSD on \nFeb. 6-10. More than 110 public, private and international \norganizations took part in the exercise, which simulated a \ncyberattack directed at critical infrastructure. Among the key \nfindings in the report is the need for a well-established chain \nof command in a time of crisis, the importance of information \nsharing across government and industry sectors and a better \nability to correlate incident information across the two groups.  \nThere was some negative press regarding this exercise, but the \nimportant thing to remember is that exercises are conducted \nspecifically to find the problem areas or gaps and fix them before \nthe next exercise or real-life event occurs. \n\tSymantec looks forward to continuing important work with \nprivate industry, Congress and the Administration to better \nenhance our nation\'s preparedness for a major Internet disruption \nor physical attack.  As I noted in my testimony to the Committee, \nI firmly believe that it\'s not a question of "if", but "when".  \nThank you. \n\nRESPONSE FOR THE RECORD OF PAUL B. 
KURTZ, EXECUTIVE DIRECTOR, CYBER \nSECURITY INDUSTRY ALLIANCE \n\nCSIA\'s responses to follow-up questions from the September 13, 2006 \nhearing, "Cybersecurity: Protecting America\'s Critical \nInfrastructure, Economy, and Consumers," House Committee on \nEnergy and Commerce, Subcommittee on Telecommunications and the \nInternet. \n\n1. What are the risks and benefits of private companies sharing \ninformation with the Department of Homeland Security (DHS)? \n\n\tPrivate sector companies and organizations have invested \nenormous financial and human resources into developing proactive and \neffective partnerships with government to protect our valuable \ncritical information infrastructure. Despite significant progress, \nbarriers remain, and more needs to be done to improve the quality \nof information sharing partnerships between government and \nindustry. \n\tRisks: Private sector companies and the government have \nidentified a number of risks and barriers with respect to sharing \ninformation with DHS or other federal entities.  The \nU.S. Government Accountability Office released a report in \nApril, 2006 that identified the following items as key challenges \nthat impede the private sector\'s willingness to share sensitive \ninformation: \n- defining specific government needs for critical infrastructure \ninformation; \n- determining how the information will be used; \n- assuring the private sector that the information will be protected \nand who will be authorized to have access to the information; and \n- demonstrating to critical infrastructure owners the benefits of \nsharing the information. \n\n\tSeparately, the National Cyber Security Partnership\'s Working \nGroup on Information Sharing identified additional barriers that \nrequire improvement: \n- Industry is brought into the process once government consensus is \nachieved, which makes meaningful change or input difficult. 
\n- Government consensus on major initiatives developed prior to \nsubstantial industry input creates resistance when presented to \nindustry, on both substantive and partnership grounds. \n- Every process that DHS develops to collect information \n(i.e., HSIN, US-CERT) should be done with industry partnership to \nensure that both industry and government will have something to \ngain out of sharing information and thus an incentive to share. \n- Outdated clearance requirements do not fit new-era information \nsharing requirements.  A new, enhanced partnership with the private \nsector requires a new information classification system. \n\n\tBoth of these lists identify fundamental problems with the \nexisting information-sharing process that require clarity of purpose \non the part of DHS, and inclusion of the private sector on program \nplanning and implementation.  In order to establish functional and \neffective information-sharing partnerships, DHS and other \ngovernment agencies need to establish trust among organizations and \ncreate "true" partnerships. \n\nEstablishing Trust \n\tDHS operates under the premise that once information or \ndata is provided, it is then "owned" by DHS and can be used as DHS \nsees fit.  This impedes trust and eliminates any incentive by \nindustry for information sharing.  Unfortunately, the Final Rule \nregarding procedures for Handling Critical Infrastructure \nInformation issued by DHS this September (implementing the \nCritical Information Infrastructure Act of 2002) provides no \nfurther clarity for industry.  Industry needs a clear understanding \nof what information they are being asked to provide, why they are \nbeing asked for it, and how it will be used.  They have concerns \nwith sharing sensitive proprietary information, and industry needs \nassurance that this information, when shared, will be protected.  \nConversely, DHS needs to reciprocate by providing industry with \ncritical information in a timely manner. 
\n\nEstablishing a "true" partnership \n\tThere are many barriers to establishing a "true" partnership. \nDHS must ensure the partnership reflects all relevant parties and \nsector-specific entities.  Senior leadership buy-in and support from \nboth DHS and industry are critical in establishing this "true" \npartnership.  Finally, the information sharing partnership must \nbe voluntary and built on trust; each member must be personally \nresponsible for their trusted behavior. \n\tBenefits: There are several businesses and organizations \nwith the tools, resources and expertise that can provide \ninvaluable information DHS may not otherwise have access to, or the \nability to produce.  Likewise, DHS and other government agencies \nhave their own internal organizations, plus previously established \npublic-private partnerships that have made strides in information \nsharing and program and policy development. \n\tPrivate sector organizations can gather data on threats and \nmalicious Internet activity and present this information to DHS and \nother government agencies in order to raise awareness and encourage \naction.  McAfee\'s AVERT Labs, for example, has developed a general \nranking system that indicates the severity of known global threats \nand how they impact the Internet, business operations, and home \nusers\' systems.  Their 100 researchers in 14 countries continuously \nmonitor the latest threats and provide remediation.  Internet \nSecurity Systems\' (ISS) X-Force Threat Analysis Service (XFTAS) \nprovides real-time threat information from ISS\' international \nnetwork of Security Operations Centers and delivers customized \ninformation about potential threats to networks. \n\tLikewise, Symantec Corporation releases a semi-annual \nInternet Security Threat Report, or ISTR, which is a comprehensive \nanalysis of security activity in today\'s information economy.  
It \noffers an overview of threat activity over a six-month period and \nis based on data collected from more than 40,000 sensors deployed \nin over 180 countries in addition to a database covering more than \n18,000 vulnerabilities affecting over 30,000 technologies from \nmore than 4,000 vendors.  The Report includes an analysis of \nnetwork-based attacks on the Internet with a review of known \nthreats, vulnerabilities, malicious code and other security \nrisks.  It also offers security best practices for consumers and \nbusinesses in order to help them protect themselves against \ncurrent and emerging cyber threats.  The underlying data \nassociated with such reports can help guide the government and \nCongress toward addressing the problem. \n\tPresidential Decision Directive 63 (PDD63), Homeland \nSecurity Presidential Directive (HSPD-7) and Executive Order \n13231 (EO 13231) helped promote the idea of a concentrated \neffort regarding the sharing of various sector issues leading \nto unified and strengthened industry sector entities.  The \nIT-ISAC, or Information Sharing and Analysis Center, is a \nnon-profit organization, providing users with real-time \ninformation about urgent alerts, security news, vulnerabilities, \nviruses and other Internet threats, thus providing a coherent \npicture of the current health of the Internet to IT-ISAC members.  \nThe purpose of the IT-ISAC is also to provide a forum for sharing \nthreat related information, and ways to protect against those \nthreats. Members can submit vulnerability, virus and general \nnotifications for distribution. 
\n\tBelow is a description of other public-private \npartnerships, organizations and committees that generate \nstrategies, programs, and best practices, where sharing critical \ncyber information data with the federal government has certainly \nbeen a benefit: \n\tCERT-CC: a center of Internet security expertise, located \nat the Software Engineering Institute, a federally funded research \nand development center operated by Carnegie Mellon University; it \nstudies Internet security vulnerabilities, researches long-term \nchanges in networked systems, and develops information and training \nto help improve security. \n\tNational Security Telecommunications Advisory Committee \n(NSTAC): created by President Ronald Reagan in September 1982; it \nis composed of up to 30 industry chief executives representing \nthe major communications and network service providers and \ninformation technology, finance, and aerospace companies, and \nprovides industry-based advice and expertise to the President on \nissues and problems related to implementing national security \nand emergency preparedness (NS/EP) communications policy. \n\tNational Infrastructure Advisory Council (NIAC): an advisory \ncommittee within DHS that is composed of a maximum of 30 members, \nappointed by the President from private industry, academia, and \nstate and local government; they provide the President through \nthe Secretary of the Department of Homeland Security with advice \non the security of the critical infrastructure sectors and their \ninformation systems. \n\tNorth American Network Operators Group (NANOG): an \neducational and operational forum for the coordination and \ndissemination of technical information related to backbone/enterprise \nnetworking technologies and operational practices. 
\n\tNational Cyber-Forensics and Training Alliance (NCFTA): \nprovides a neutral collaborative venue where critical confidential \ninformation about cyber incidents can be shared discreetly, and \nwhere resources can be shared among industry, academia and law \nenforcement. \n\tNational Cyber Security Alliance (NCSA): a non-profit, \npublic-private partnership that offers resources for cyber security \nawareness and education for home user, small business, and \neducation audiences.  NCSA sponsors include the DHS, the Federal \nTrade Commission, and many private-sector corporations and \norganizations. NCSA provides tools and resources to empower home \nusers, small businesses, and schools, colleges, and universities \nto stay safe online. \n\tNational Cyber Security Partnership (NCSP): led by the \nBusiness Software Alliance (BSA), the Information Technology \nAssociation of America (ITAA), TechNet, and the U.S. Chamber of \nCommerce; a voluntary public-private partnership with academicians, \nCEOs, federal government agencies and industry experts tasked to \ndevelop shared strategies and programs to better secure and \nenhance America\'s critical information infrastructure. \n\n2. What improvements could DHS make in building its working \nrelationships with private sector information technology and \ncommunications companies and major industrial users of the \nInternet? \n\n\tSince the establishment of DHS, there has been a tension \nregarding what entity - public or private - is responsible for the \nprotection of the critical information infrastructure.  DHS has \njurisdiction over these matters; however, industry generally owns \nand operates the critical infrastructure. Unfortunately, this \ntension interferes with producing a constructive \nindustry-government partnership. 
\n\tBoth DHS and industry can take steps to improve this \npartnership: \n\nDelineation of Roles and Responsibilities \n\tClear, defined roles for DHS/Federal agencies and industry \nmust be established regarding situational awareness and early \nwarning, emergency communications, continuity of operations \nplanning, reconstitution, and resiliency.  As Paul Kurtz, the \nExecutive Director of CSIA, stated in his testimony, currently \nthere is little strategic direction or leadership from the \nfederal government in the area of information security.  CSIA \nbelieves the government has a responsibility to lead, set \npriorities, and coordinate and facilitate protection and \nresponse. \n\tDHS must consider and articulate how it will work with the \nprivate sector to respond to and recover from a massive failure of \ninformation technology systems - whether from a cyber attack or a \nnatural disaster.  In preparing to respond to a significant cyber \nevent, the question that should be asked is: What is a suitable \nrole for DHS as well as other key federal agencies, including DoD \nand the FCC, in facilitating recovery and reconstitution from a \ncyber "incident of national significance"?  The existing DHS \n"plan" for recovery cites more than a dozen federal departments \nand agencies with "coordinating" responsibility - not including \nstate, local and tribal governments.  DHS needs to articulate a \nchain-of-command for each step of recovery and reconstitution.  \nFor example, the DHS\'s U.S. Computer Emergency Readiness Team \n(US-CERT) may be aware of a network attack, but the North American \nNetwork Operators Group (NANOG), as the operational forum for \nbackbone/enterprise networking, will play the key technical role in \nactually mitigating and recovering from a cyber attack. 
\n\tIn the event of a natural disaster, a terrorist attack, or a \nfailure of any kind of our critical infrastructure, both the \nprivate and public sector need to have timely access to \nsituational information; they need to communicate with one another \nin order to assess and remedy the situation, and oversee COOP, \nreconstitution and recovery efforts.  Having distinct \nresponsibilities identified and carried out in practice scenarios \nwill result in stronger public-private working relationships, \nproper planning, and effective response. \n\nIdentification of Specific Needs for Information Sharing \n\tAccording to the aforementioned GAO report, DHS has not \nexplicitly identified or defined specific needs, nor has it \nexplained how the information submitted to the Critical \nInfrastructure Information (CII) Program Office will be utilized.  \nGAO also recognized that the information that has already been \nsubmitted to the Program Office has not been utilized to issue \nadvisories, alerts or warnings.  GAO recommends that DHS define \nthe CII needs of the department and other agencies, specify how \nthat information will be used, assure the information will be \nprotected, and demonstrate the benefit of information sharing. \n\nEarly and Substantive Engagement/Reciprocity of Information-Sharing \n\tDHS should coordinate with the private sector prior to \ndeveloping plans or activities designed to protect critical \ninfrastructures in order to get a better understanding of the \nsector-specific characteristics and operational realities.  Too \noften, the government develops a plan which fails to reflect \nunique sector needs and requirements, and the government later \ntries to sell the plan to the private sector.  Likewise, the \nprivate sector needs to provide expertise, time and resources to \nidentify CIP issues, and provide guidance on sector-specific \nissues associated with infrastructure protection and response \nplanning. 
\n\nDevelop and Endorse Cyber Security Best Practices \n\tThe private sector needs to coordinate across infrastructure \nsectors, national borders, and industries to develop cyber security \nbest practices that are realistic, responsive, adaptable, and \nforward-looking.  The government should then encourage and endorse \nprivate sector cyber security best practices.  It is important, \nhowever, that these best practices are viewed as advisory, flexible \nenough to accommodate differences in risks, and not be \nprescriptive. \n\n3. Describe (a) the involvement of private sector firms in the \ndevelopment of the National Infrastructure Protection Plan and your \nviews of the efforts to develop this plan; and (b) the involvement \nof private sector firms in the ongoing development of the \nIT/Communications Sector Specific Plan in response to NIPP and your \nviews of the process by which the sector specific plan is being \ndeveloped. \n\n\tThe National Infrastructure Protection Plan (NIPP) provides \na basic flexible framework to translate the needs of both the \ngovernment and private sector into planning activities to enhance \nnational and economic security.  The IT-Sector-Specific Plan (SSP) \nprovides a unique vehicle for articulating common goals for \npartnering to accomplish specific objectives.  \n\tThe private sector and government security partners over the \npast six months have jointly engaged to develop an Information \nTechnology (IT) Sector Specific Plan (SSP) as required under the \nNIPP.  While we have made good progress, the IT Sector Coordinating \nCouncil (SCC), the IT Government Coordinating Council (GCC), and \nthe National Cyber Security Division (NCSD) have identified three \nsets of issues that require resolution to ensure effective \nimplementation of the IT SSP. \n\nI.    
Managing Risk \n\tThere are at least three issues requiring resolution between \ngovernment and the IT sector: (a) designation of critical \nfunctions, (b) risk assessment and mitigation, and (c) the resources \nnecessary to identify and protect critical functions.  \n\t(a)  Critical Functions: Under the NIPP, each sector is \nrequired to identify critical infrastructure assets.  Given the \ndynamic nature of the information infrastructure, government and \nprivate sector partners jointly agreed to focus on critical \nfunctions associated with the IT infrastructure.  \n\t(b) Risk Assessments:  Implementing the IT Sector risk \nassessment approach outlined in the SSP and mitigating \nvulnerabilities in an effective and efficient manner requires \nclarity on process.  Owners and operators of the IT infrastructure \ntoday engage in risk assessments based on widely accepted standards \nand best practices in order to ensure uninterrupted service to \ncustomers in both the public and private sector, and significant \ncorporate resources are dedicated to performing risk assessments \non a regular basis.  In most cases, current best practices would \nbe sufficient for identifying the critical functions outlined \nabove.  In some cases, risk mitigation may exceed what is required \nto serve customers, especially in the case of low probability \ncatastrophic losses.  In such instances, the private sector needs \nclarity on how such assessments are performed, how conclusions can \nbe protected from public disclosure, and how any recommendations \nfor mitigation shall be adjudicated.  \n\t(c)  Resources:   In the instances identified above in (b), \nthe IT sector needs clarity on who shall pay for additional risk \nassessments and any subsequent mitigation if deemed necessary. \n\nII.  
Cyber Incidents of National Significance (CINS) \n\tThere are three related issues associated with Cyber Incidents \nof National Significance: (a) there are no clear criteria for \ndesignating a CINS; (b) there is no clear protocol for reaching such \na decision; and (c) there is no clarity on such a declaration\'s legal \nor policy significance.  The third issue is most critical as owners \nand operators in the private sector need to understand the meaning \nand potential liability if such a declaration is issued.  The \nissues related to CINS are very important.  The Business Roundtable \nissued a June report ("Essential Steps Toward Strengthening America\'s \nCyber Terrorism Preparedness") highlighting the importance of this \nissue.  Specific programs have not been implemented by DHS which need \nto be.  Congress should ask DHS about its programs via oversight \nhearings. \n\t(a)  Criteria for Designating a Cyber Incident of National Significance:  The National Response Plan (NRP) defines incidents of \nnational significance and the NRP\'s Cyber Incident Annex describes at \na high level what may constitute a CINS.  \n\t(b)  CINS Protocol:  There is no protocol for determining a \ndeclaration for a disruption of the Internet or communications \ninfrastructure sufficient to cause catastrophic risk to public \nhealth and safety.  Such a protocol should include consultation \nwith the White House and appropriate federal agencies as well as \nthe leadership of the IT and/or Communications Sector Coordinating \nCouncils and other potentially affected sectors.  \n\t(c)  Implications of Declaring a CINS:  There is no clear \nunderstanding of the policy or legal authority of a CINS declaration \nfor the IT sector.  \n\nIII.   
Response, Recovery and Reconstitution \n\t(a)  Recovery and Reconstitution:  Policies and procedures are \nneeded to clarify the roles and responsibilities of both government \nand the private sector in response, recovery, and reconstitution in the \nevent a CINS is declared.  DHS leadership should facilitate efforts to \ncreate these policies and procedures. \n\t(b)  Ensuring Robust Response: The capability to respond and \nrecover from a CINS is critical to promoting the resiliency of \ncritical infrastructure sectors.  An all-hazards operational response \nand recovery capability that brings government and the private sector \ntogether to coordinate activities involving events (whether potential \nor actual CINS) is needed.  Existing operational capabilities for \nprevention, detection, response, and recovery (e.g., US-CERT) need \nadditional resources to ensure that necessary enhancements are \nmade.  In addition, new capabilities are needed to ensure \neffective communication and reconstitution of data, services, and \nnetworks. \n\n4. What factors make private/public working groups more or less \neffective in planning for or responding to major Internet disruptions? \n\n\tMany of the impediments (described in our answer to Question \n#1) have made public/private working groups less effective.  DHS has \nconsistently prepared plans and reports without first seeking industry \ninput; trust has not effectively been established between the public \nand private sector; proper roles and responsibilities have not been \ndelineated; and manageable, pointed plans for next steps have not \nbeen carried out or implemented.  Ineffective partnerships result in \nineffective planning and response. \n\tAs the GAO report noted, creating a trusted environment for \ninformation sharing among the private sector will lead to stronger and \nmore organized working groups.  
Currently, the lack of defined
specific needs of DHS, the uncertainty of what information is needed,
how it will be used, and who or what entities will have access to
it all prevent proper, trusted information sharing.  And without
proper, trusted information sharing, neither the government nor the
private sector has the proper tools, ideas, or strategies that
will lead to effective planning for or response to major Internet
disruptions.
    Congress' Role:  Congress can oversee the progress of breaking
down these boundaries and minimizing these risks by holding
oversight hearings, and requesting progress reports from both DHS
and from established public-private working groups.  Specifically,
Congress should request updates from DHS and industry to report on
progress toward achieving top objectives such as:

- Increase Leadership: The assistant secretary for cyber security
and telecommunications should crystallize and take steps toward
achieving key priorities
- Sponsor Prevention and Mitigation Programs: DHS should establish
programs that aim to prevent or minimize a major cyber disruption,
such as greater focus on research and development (R&D) and viable
uses of private-sector insurance coverage for cyber attacks
- Establish an Early Warning System: There are similar warning
mechanisms in place, such as the Information Sharing and Analysis
Centers (ISACs), but we still lack a federally-supported, formal
system that provides rapid and clear indication that an attack is
underway and alerts all key stakeholders. DHS should support the
ISACs and ensure that a more holistic system is put into place.
- Institute Command and Control Procedures: DHS should work with
industry to establish a clear "chain of command" in the case of
massive failure of information technology systems, either due to
a cyber attack or natural disaster.
There are critical questions
to be answered such as: what defines an incident of national
significance? which government agencies should be involved? which
private sector entities? what is the legal significance of such a
declaration?
- Articulate an Emergency Communications System: DHS should ensure
that we have a resilient communications system in place to execute
command and control in the case of a major cyber disruption. Such a
system will need to work even when telecommunications and Internet
connectivity are unavailable. This requires processes and protocols
to communicate reliably and effectively and advance identification
of the key stakeholders who need access to the emergency
communications systems in order to perform their recovery and
reconstitution duties.
- Create a National Information Assurance Policy: A national policy
is needed that outlines the key roles that relevant government
agencies should play in the protection of our cyber infrastructure.
While the establishment of a national information assurance policy
is not solely the responsibility of DHS, it has a critical role to
play in its development and implementation and its support of such
a government-wide policy is needed.


RESPONSE FOR THE RECORD OF LARRY CLINTON, CHIEF OPERATING OFFICER,
INTERNET SECURITY ALLIANCE

ANSWERS TO QUESTIONS RAISED BY THE HONORABLE JOHN DINGELL AT THE
HEARING ON "CYBER SECURITY PROTECTING AMERICA'S CRITICAL
INFRASTRUCTURE, ECONOMY AND CONSUMERS" SEPTEMBER 13, 2006. SUBMITTED
BY LARRY CLINTON, CHIEF OPERATING OFFICER OF THE INTERNET SECURITY
ALLIANCE

1. What are the risks and benefits of the private sector sharing
information with the Department of Homeland Security?

    As was the case after 9/11 and after Hurricane Katrina, industry will
generally sweep aside long-standing concerns and provide whatever
assistance the government needs, information or otherwise, in times
of crisis.
    I doubt this will ever change.
    However, cyber security is more than crisis management. It
is an ongoing fight fueled by thousands of attacks on the system
every day. A reliable and sustainable system of defense must be
established.
    Industry has often remarked, through a variety of fora, that
information sharing with the government is critical to the maintenance
of the Internet in cases of Cyber Incidents of National Significance
(CINS).
    Industry needs prompt, reliable and actionable information
about significant impending threats as well as an ongoing flow of
information to address the steady stream of threats and incidents
that occur every day.
    Moreover, industry and government need to share information
on a regular basis to address the thousands of attacks the Internet
experiences every day.  It is also these chronic attacks, not just
the prospect of an acute CINS, which drive the need for a reliable
exchange of information between the government and industry.
    For the relationship between industry and government to
operate in the most efficient manner, cyber defense requires a far
greater degree of trust.
    Much of the risk industry perceives in sharing information
with DHS has to do with uncertainty:
    What is a CINS, specifically?
    What are the roles and responsibilities to share information
(as well as other tasks) between industry and government in case of
a CINS, specifically?
    How can industry be sure that information it provides the
government will not be misused?
    Why are so many government requests placed on such short
timelines? And why so often are there no clear explanations as to
what the information requested will be used for, even post facto?
    The lack of trust in the current relationship between
government and industry is the prime impediment to more efficient
and effective information sharing.


2. What changes could DHS make in building its working relationships
with private sector information technology and communications
companies and major industrial users of the Internet?

    First, it should be noted that there is general consensus
within the IT and Communications communities that there has been
substantial progress made in improving the relationship between DHS
and these sectors over the past year and a half.
    The Internet Security Alliance, in conjunction with the
National Cyber Security Partnership, organized an off-site meeting
with DHS and numerous other government agencies in the fall of 2005
(called "Wye II") which highlighted a wide variety of issues that
needed to be addressed along these lines.
    Many of these issues have been, at least initially,
addressed.
    In particular, DHS has demonstrated willingness to bring the
private sector into its planning process at a far earlier time
period than previously.
    In addition, DHS has shown some willingness to actually
develop plans in conjunction with the private sector rather than
developing its own plan and putting it out for comment. The latter
process often resulted in little more than lip service.
    These attitude changes have led to improvements in the
recently published NIPP and appear at this stage to be evident in
the drafting of the Sector Specific Plans as well.
    However, the "Wye II" process also produced a list of items
that could still be addressed more comprehensively.
Among the
recommendations to come out of the Wye II process are those quoted
below:
- The partnership's objectives must be clearly defined and embody
common goals
- Institutionalized processes are important to provide lasting
benefits
- The partnership needs to be an evolving relationship
- The partnership needs champions and institutional support
- Working members of the partnership should interact frequently
- The partnership should build on existing organizations and
mechanisms first; while people may come and go, the institution
remains
- Legal and liability issues can be powerful tools that may align the
interests of the partners; legal issues can be points upon which
cohesion can be built


3. Describe (a) the involvement of private sector firms in the
development of the National Infrastructure Protection Plan and your
views on the effort to develop this plan and (b) the involvement
of firms in the ongoing development of the IT Sector Specific Plan
in response to the NIPP and your views on the process by which the
sector specific plan is being developed.

    As stated above, the NIPP process was generally seen as a
major step forward in the development of a real partnership between
the government and the IT and Communications sectors.
    In addition to the process improvements I have already
referred to, there were some substantial policy directions
articulated that are very promising.
    One principal example is the NIPP's articulation of the
need to develop a value proposition for industry as part of the
NIPP.
    Clearly, companies will do what they perceive in their own
corporate interest to protect their information systems. And as
stated above, they have proven willing to go the extra mile(s)
needed in time of crisis.
    But cyberspace is a shared space, and there are likely gaps
between what the government feels it needs to defend it and what is
automatically done via convenient corporate self-interest.
    It is vital to identify any such gaps and provide a value
proposition for industry to fill them in, because they are, by
definition, beyond what they will do in their own corporate
interest.  The NIPP's recognition of and commitment to developing
this value proposition is a critical element in developing the
sort of partnership that will create an effective and sustainable
cyber defense.
    As to the Sector Specific Plans, apart from some of the
process improvements, there remain substantial issues that are
still being addressed (we are just over the halfway mark in the
process at this writing).
    In general, there are still a number of key issues that
lack definition. The required delineation of roles and
responsibilities is currently lacking. The question of resources
has not been directly addressed and there has not been ample time
to fully integrate the wide range of companies into the process,
which attempts to deal with extremely complicated problems.
    These and other issues have been commented on in the
current developmental drafts and we can only hope there will be
acceptable progress by the Congressionally imposed
deadline---which may have been overly optimistic in light of the
difficulty of the task.
    After all, the important thing is to get these plans right
in terms of effectiveness, sustainability and real world practicality.


4. What factors make private/public working groups more or less
effective in planning for or responding to major Internet disruptions?

    There are many factors that relate to the effectiveness of
these efforts but the most important are:
A) The tendency to try to do too much and force a "regulatory fix"
of the problem; and
B) The lack of resources devoted to planning efforts; and
C) Needed basic research is not funded.
D) In point of fact, we already know a great deal about good cyber
defense.  Large independent studies tell us that the corporations
that engage in best security management (not necessarily technical)
practices have great success in preventing, mitigating and
recovering from attacks. If the IT SSP would simply start with
encouraging the 75% of US corporations who do not currently follow
these practices to do so (probably by reaching out directly to
senior executives) real progress in overall cyber defense could be
made rather quickly. Instead, we have a plethora of random programs
and consultant driven grand schemes geared toward regulatory
solutions that cannot possibly work.
E) Almost all of the private sector efforts in cyber security
that I am familiar with are being done by a small cadre of
volunteers from the private sector.  There is virtually no money
available for the sort of planning and practice that would engender
long term cyber security, probably because such efforts are not
glitzy enough.  But clearly more priority driven funding is required.
F) The core protocols upon which the Internet is based are 30 years
old.  They were never designed with the current environment in mind
and they are in need of a heavy lift of R&D. This is not something
the private sector is ever going to do. It will require a government
effort in cooperation with industry and academia similar to the
SemaTech program of the 1980s.


RESPONSE FOR THE RECORD OF THE HON. GEORGE W. FORESMAN, UNDER
SECRETARY OF PREPAREDNESS, U.S. DEPARTMENT OF HOMELAND SECURITY

Questions from Representative John Dingell

1. After more than a year since announcing the position, I was pleased
to see the appointment of a new Assistant Secretary for Cybersecurity
shortly after our Committee's hearing.
Please describe how this new position will elevate the matter of
cybersecurity and differ from the Acting Director position of the
past two years.  Specifically:

- What new resources, budget, and staff will the Assistant Secretary
have, and how does that compare to the Acting Director's prior
resources, budget, and staff?

    Response:  The Department of Homeland Security (DHS) is very
pleased that Mr. Greg Garcia has been appointed the Assistant
Secretary for Cyber Security and Telecommunications (CS&T).  The
position of Assistant Secretary reflects the importance of cyber
security and communications to our homeland security and to the
Department.  Assistant Secretary Garcia comes to the Department
with significant expertise and has the ability to focus resources
for cyber security and communications in a manner that is
consistent with our risk-based approach to homeland security.
    In addition to the existing position of Director and
Deputy Director of the National Cyber Security Division (NCSD),
the staffing for the Assistant Secretary will include the
following new positions: Deputy Assistant Secretary for CS&T,
Chief of Staff, and an executive assistant.  DHS is working
expeditiously to fill these positions.
    With respect to CS&T budget and resources, the Assistant
Secretary will continue to leverage and expand collaborative
efforts with cyber security and communications stakeholders and
will be working under the President's Budget for Fiscal Year
2007.  Additional needs will, of course, be evaluated as part
of ongoing budget development.


- What new authorities does the Assistant Secretary have, and how
does that compare to the Acting Director's prior authorities?

    Response:  The Assistant Secretary for CS&T occupies an
elevated tier within the DHS organizational structure and reports
directly to the Under Secretary for Preparedness, whereas the
Acting Director reported to the Acting Assistant Secretary for
Cyber Security and Telecommunications. The Assistant Secretary
will continue to operate under the National Strategy to Secure
Cyberspace, Homeland Security Presidential Directive 7, and the
National Infrastructure Protection Plan. In addition, the
Assistant Secretary has both a mandate for integrating cyber
security related to national security and emergency preparedness
(NS/EP), as well as communications needs for Federal, State, local
and tribal governments and private industry, including mandates
outlined in Executive Order 12472.  Moreover, with the recent
enactment of the DHS Appropriations Act for Fiscal Year 2007,
the Assistant Secretary will also be responsible for the new
Office of Emergency Communications established in Subtitle D of
the Act.


- What new levels of access to senior decision makers within the
Department will the Assistant Secretary have, and how does that
compare to the Acting Director's prior level?

    Response:  The Assistant Secretary joins the DHS senior
leadership participating in high level Departmental decisions.  He
reports to the Under Secretary for Preparedness.  Previously, the
Acting Director of NCSD reported to the Acting Assistant Secretary
for Cyber Security and Telecommunications, who in turn reported
to the Under Secretary for Preparedness. One of my key
responsibilities is to enable effective discussion and
decision-making on key issues.  As such I will ensure Mr. Garcia
is both actively and intimately engaged.


- What new programs, initiatives, or operations will the Assistant
Secretary be launching that were not contemplated or designed
under the Acting Director?
Will any programs or initiatives that
the Acting Director was administering be discontinued under the
Assistant Secretary?

    Response:  The Assistant Secretary has responsibility for
NCSD, the National Communications System (NCS), and the new Office
of Emergency Communications. The Assistant Secretary is currently
conducting program reviews within CS&T. Once the Assistant
Secretary has had an opportunity to fully evaluate the depth and
breadth of existing programs, initiatives, and operations, he
will make programmatic adjustments as necessary.  We will, of
course, engage Congress as appropriate in these actions.


2. Following the release of the National Infrastructure Protection
Plan (NIPP), the Department is charged with assuring that each of
the critical infrastructure sectors develops a sector-specific
plan.

- What, specifically, are these plans supposed to yield?  For
example, will they be emergency blueprints?  Will they be overall
strategic plans as to how corporations should organize and perform
ongoing security operations?

    Response:  The release of the final NIPP Base Plan
formalized a framework for assessing and addressing the risk to
our national critical infrastructure in a public/private
partnership.  The implementation of the NIPP and the accompanying
17 Sector Specific Plans (SSPs) will help build a safer, more
secure, and more resilient America by enhancing protection of
the Nation's Critical Infrastructure and Key Resources (CI/KR).
    Based on guidance from DHS, SSPs are developed jointly
by Sector-Specific Agencies (SSAs) in close collaboration with
Sector Coordinating Councils (SCCs), Government Coordinating
Councils (GCCs), and others, including State, local and tribal
homeland security partners with key interests or expertise
appropriate to the sector.
The SSPs provide the means by which
the NIPP is implemented across all sectors and each SSP is
tailored to address the unique characteristics and risk
landscapes of the 17 CI/KR sectors.
    The objective of the SSP is to outline each sector's
unique implementation of the NIPP risk management framework.
It will also provide a statement of security goals and objectives
and identify initiatives to meet these goals.  Lastly, it will
identify resource needs and performance metrics for ensuring
that the goals can be met, which will be sustained by an ongoing
process for coordinated private and public sector planning.
    The SSPs are intended for long-term enhancement of CI/KR
protection including proactive identification and management of
risks.  While enhancement of CI/KR protection may improve emergency
response capabilities of all security partners, the SSPs are not
emergency blueprints. Rather, the SSPs describe each sector's
unique implementation of the NIPP risk management framework,
provide jointly developed public and private sector security
goals and objectives; identify and align initiatives to meet
these goals; and create an ongoing process for coordinated private
and public sector planning.
    The SSPs are strategic policy and planning documents that
may include suggestions of best practices for security partners,
but their primary purpose is to establish the framework for
public and private partners to work together and align their
respective efforts to protect the Nation's CI/KR.


- My understanding is that the Department is attempting to engage
the private sector in the development of these plans.  What is the
specific degree of private sector participation in the
IT/Communications Sector specific plan?

    Response:  The SSPs for both the Information Technology (IT)
and Communications Sectors are currently under development with
significant private sector participation.
Within the NIPP construct,
DHS is the Sector Specific Agency (SSA) responsible for both the
IT and Communications Sectors.  The SSA responsibility for the
IT Sector is handled by NCSD within CS&T, which works closely
with the IT-Sector Coordinating Council (IT-SCC).  The SSA
responsibility for the Communications Sector is handled by NCS
within CS&T, which works closely with the Communications Sector
Coordinating Council (CSCC).  Through these partnership
arrangements, the Department is fostering robust working
relationships with the private sector toward the development of
SSPs.
    DHS/NCSD has engaged the private sector in every aspect
of the plan.  There are approximately 7 working groups made up of
SCC and GCC members engaged in identifying the basic principles and
ideas for each chapter of the plan.  Each of these working groups
meets about once a week to review comments and propose changes.
The draft plan has been reviewed by the GCC and a large part of
the SCC multiple times within the last two months.
    The IT SCC was formally launched in January 2006 and is
comprised of over thirty members from across the sector, including
hardware, software, IT system and service providers.  For the IT
SSP, NCSD has been working closely with the IT SCC on the
development of the plan.  In anticipation of the final release of
the NIPP Base Plan, the IT SCC and IT GCC held a joint meeting in
May to develop a process for co-writing the IT SSP.  A writing
team was established, consisting of members from the IT GCC and
IT SCC to ensure overall coordination of the IT SSP.  This team
developed a consensus outline for the IT SSP based on the SSP
Guidance and then divided into working groups with members from
both the IT GCC and IT SCC to collaboratively write each chapter
of the plan.
The writing team meets on a monthly basis to review
and incorporate the chapter working groups' products into
iterative drafts of the IT SSP.  The collaborative and iterative
process has ensured a coordinated plan with broad participation
from both the public and private sectors.
    DHS/NCS has historically engaged with the private sector
on many plans and initiatives.  Its Sector Specific Plan has been
compiled from NCS' work and vetted to the private sector multiple
times as a draft.  The private sector is engaging with NCS
on methodologies and processes for the plan.
    For the Communications SSP, the NCS initiated a series of
meetings with the Communications Sector to coordinate NIPP
activities and draft the Communications SSP in 2004.  Working
closely with DHS, the CSCC was established in May 2005 to work
with the NCS on matters related to the NIPP, including: the
identification of communication critical infrastructure and
resources; critical infrastructure protection (CIP) policy issues;
and drafting a sector specific plan. In addition, the CSCC seeks to
foster and facilitate the coordination of sector-wide policy
related activities and initiatives designed to improve both physical
and cyber security of communication critical infrastructure.  The
CSCC is made up of communication owners and operators, and is led
by an executive committee of corporate senior executives from
wireline companies, wireless companies and the Telecommunications
Industry Association.


3. The NIPP generally takes the laudable perspective of dealing
with the largest needs first, but seems to be less clear when it
begins to consider "awareness."

- Describe the Department's vision of "awareness" efforts, and how
the Department plans to engage senior network operators in
specific cybersecurity initiatives.

    Response:  The Department's vision is to improve situational
awareness of the IT sector within normal operations and during
significant threats and disruptions, intentional or unintentional
incidents, crippling attacks (cyber or physical) against IT Sector
infrastructure, technological emergencies and/or failures, and
Presidentially declared disasters.  In order to realize this
mission, the IT sector and the government need to collaborate,
develop, and share appropriate threat and vulnerability
information more efficiently.  When completed, the SSP will
establish the mechanisms through which the Department can engage
all stakeholders regarding cyber security initiatives.  HITRAC
has also just announced a program to hire private sector
critical infrastructure experts to collaborate with DHS
Intelligence and Infrastructure Protection analysts on the
Department's sector assessments and related products.
    The NIPP addresses the importance of awareness towards
its overall goal of building a safer, more secure, and more
resilient America by enhancing the protection of the Nation's
CI/KR and strengthening national preparedness.  As such, the NIPP
Base Plan highlights the need to build national awareness to
support CI/KR protection, related protection investments, and
associated protection activities by ensuring a focused
understanding of the threat environment.
    With respect to cyber security, the Department's vision
of "awareness" efforts is based on Priority III of the National
Strategy to Secure Cyberspace, "A National Cyberspace Security
Awareness and Training Program".  The Strategy calls for
promoting a comprehensive national awareness program to empower
all Americans, including the business community, the general
workforce, and the general population, to secure their own
parts of cyberspace.
NCSD maintains an Outreach and Awareness
program that includes working with stakeholders to raise the
cyber security awareness of the general public.  NCSD works with
the National Cyber Security Alliance (NCSA) to reach home users,
small businesses, and all levels of students.  NCSD also works
with the Multi-State ISAC (MS-ISAC) to enhance cyber security
awareness among state information security professionals and the
general public.  In collaboration with NCSA and the MS-ISAC, NCSD
promotes the annual National Cyber Security Awareness Month,
which occurs each October.  This year, the National Cyber Security
Awareness Month initiatives included all fifty states and promoted
cyber security awareness to approximately 75 million Americans
through TV, radio, print, web and other media.  Key programs
also included Congressional outreach, educational webcasts for
4th and 5th graders, and a Small Business Workshop Series.
    With respect to engaging senior network operators in
specific cyber security initiatives, the Department engages in
a number of activities.  For example, the United States Computer
Emergency Readiness Team (US-CERT) established the Government
Forum of Incident Response and Security Teams (GFIRST), which
makes up the government's critical group of cyber first
responders.  GFIRST meets regularly, and DHS has hosted two
GFIRST conferences to enhance information sharing and collaborative
efforts to secure government cyberspace.  With respect to the
private sector, US-CERT has established working relationships
with a number of groups representing network operators, including
the Information Technology Information Sharing and Analysis Center
(IT-ISAC), the North American Incident Response Group, and the
North American Network Operators' Group (NANOG).

- In terms of spending priorities, how much money is the Department
devoting to reaching out to the senior executives who control much
of our Nation's IT/communications infrastructure?

    Response:  The overall budget for NCSD is $92,000,000, and
the budget for NCS is $143,272,000.  Outreach and collaboration
with the private sector is a key component of nearly all cyber
security and communications programs and related activities.
Significant examples include the following:
    The NCSD coordinates with the IT-Sector Coordinating Council
(IT-SCC) and IT-ISAC.  In each of its program areas, as a lead
for the IT Sector, NCSD's activities involve senior executives
on control systems security, software assurance, and Internet
disruption.
    Similarly, NCS engages senior executives in the
Communications Sector through the Communications Sector Coordinating
Council (CSCC), the National Coordinating Center for Communications
(NCC), and the Communications Information Sharing and Analysis
Center (ISAC).
    The NCS serves as the executive secretariat for the
President's National Security Telecommunications Advisory Committee
(NSTAC).  The NSTAC, made up of up to 30 Chief Executive Officers
(CEOs) and other senior executives in the Communications Sector,
provides advice to the President on communications matters.  DHS
works closely with the NSTAC on a wide range of NS/EP, CIP, and
response and recovery issues.


4. The NIPP encourages the private sector to implement
recommendations in the National Strategy to Secure Cyber Space.
At our hearing, witnesses from the private sector indicated that
a series of incentive programs would be critical to create the
necessary effect, and the Government Accountability Office
supported these comments.  Does the Department recommend any
specific measures to develop the sort of incentive plans alluded
to in the NIPP?

    Response:  DHS recognizes that the private sector makes
cyber security risk management decisions based on the return on
investment, including ensuring business continuity.  Market-based
incentives for cyber security investments include protection of
intellectual capital, security influenced procurement, market
differentiation, and public confidence.
    The private sector acknowledges that there must be a
collaborative approach with the Federal Government to secure
cyberspace.  DHS is committed to working closely with the private
sector to ensure that this partnership increases overall
preparedness.  The NIPP value proposition is based on sharing
the responsibility of cyber security with industry and State
and local governments, and DHS believes that this cooperation
will help encourage all parties to take the proper steps to
secure cyber assets.  As CI/KR protection efforts mature, DHS
will examine specific incentive programs tailored to each
sector to encourage private sector participation in CI/KR
protection.

5. GAO reports that the private sector has expressed concerns
about the Department's ability to execute its plans and is
reluctant to share information with the Department.  Does the
Department recommend any steps that can be taken to improve its
working relationships with private sector information
technology and communications companies?

    Response:  The Department relies heavily on its engagement
with the private sector and has taken a number of steps to improve
its working relationships with the private sector in general,
specifically with information technology and communications
companies.
    The Department has taken significant measures to provide for
a more conducive information sharing environment, including
establishing and improving the Protected Critical Infrastructure
Information (PCII) Program and, importantly, establishing the Critical
Infrastructure Partnership Advisory Council (CIPAC) to provide for
the public-private collaboration for the NIPP framework.  The
CIPAC encompasses all seventeen critical infrastructure sectors
and facilitates the information sharing and collaborative
environment needed to implement the NIPP.
    In addition to these measures, the Department continues to
build its working relationships with information technology and
communications companies through collaboration with the IT-SCC and
CSCC.  Furthermore, NCSD/US-CERT and NCS/NCC strive to provide the
analysis and information aggregation functions that enable timely
and actionable dissemination of information to the private sector,
including the IT-ISAC and the Communications ISAC.  The continued
enhancement of the information sharing process through
collaboration between the Department and the private sector helps
to build a working partnership which allows critical information
to flow efficiently between all stakeholders.


1  "Information Battleground," Air Force Magazine, http://www.afa.org/magazine/Dec2005/1205info.asp.
2  "Information Battleground," Air Force Magazine, http://www.afa.org/magazine/Dec2005/1205info.asp.
1  http://www.technology.gov/Index.html
2  http://www.ftc.gov/bcp/bcpenf.htm
3  http://www.justice.gov/criminal/cybercrime/ccips.html
4  www.fcc.gov/homeland
5  http://www.disa.mil/main/about/missman.html
6  http://www.whitehouse.gov/omb/egov/
7  "Challenges in Developing a Public/Private Recovery Plan,"
GAO-06-863T (July 28, 2006).
8  Business Roundtable, "Essential Steps to Strengthen America's
Cyber Terrorism Preparedness" (June 2006); see also Section 15
of Homeland Security Presidential Directive 5, "Management of
Domestic Incidents" (Feb. 28, 2003), and the National
Strategy to Secure Cyberspace (Feb. 2003).
</pre></body></html>