[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
THE FUTURE OF CYBER AND
TELECOMMUNICATIONS SECURITY AT DHS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON ECONOMIC
SECURITY, INFRASTRUCTURE
PROTECTION, AND CYBERSECURITY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 13, 2006
__________
Serial No. 109-102
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
35-624 PDF WASHINGTON DC: 2008
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800 Fax: (202) 512-2250 Mail Stop SSOP,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Peter T. King, New York, Chairman
Don Young, Alaska
Lamar S. Smith, Texas
Curt Weldon, Pennsylvania
Christopher Shays, Connecticut
John Linder, Georgia
Mark E. Souder, Indiana
Tom Davis, Virginia
Daniel E. Lungren, California
Jim Gibbons, Nevada
Rob Simmons, Connecticut
Mike Rogers, Alabama
Stevan Pearce, New Mexico
Katherine Harris, Florida
Bobby Jindal, Louisiana
Dave G. Reichert, Washington
Michael McCaul, Texas
Charlie Dent, Pennsylvania
Ginny Brown-Waite, Florida

Bennie G. Thompson, Mississippi
Loretta Sanchez, California
Edward J. Markey, Massachusetts
Norman D. Dicks, Washington
Jane Harman, California
Peter A. DeFazio, Oregon
Nita M. Lowey, New York
Eleanor Holmes Norton, District of Columbia
Zoe Lofgren, California
Sheila Jackson-Lee, Texas
Bill Pascrell, Jr., New Jersey
Donna M. Christensen, U.S. Virgin Islands
Bob Etheridge, North Carolina
James R. Langevin, Rhode Island
Kendrick B. Meek, Florida
.........................................................
Subcommittee on Economic Security, Infrastructure Protection, and
Cybersecurity
Daniel E. Lungren, California, Chairman
Don Young, Alaska
Lamar S. Smith, Texas
John Linder, Georgia
Mark E. Souder, Indiana
Mike Rogers, Alabama
Stevan Pearce, New Mexico
Katherine Harris, Florida
Bobby Jindal, Louisiana
Peter T. King, New York (Ex Officio)

Loretta Sanchez, California
Edward J. Markey, Massachusetts
Norman D. Dicks, Washington
Peter A. DeFazio, Oregon
Zoe Lofgren, California
Sheila Jackson-Lee, Texas
James R. Langevin, Rhode Island
Bennie G. Thompson, Mississippi (Ex Officio)
C O N T E N T S
----------
Statements
The Honorable Daniel E. Lungren, a Representative in Congress From the
State of California, and Chairman, Subcommittee on Economic Security,
Infrastructure Protection, and Cybersecurity:
Oral Statement
Prepared Opening Statement
The Honorable Loretta Sanchez, a Representative in Congress From the
State of California, and Ranking Member, Subcommittee on Economic
Security, Infrastructure Protection, and Cybersecurity
The Honorable Norman D. Dicks, a Representative in Congress From the
State of Washington
The Honorable Sheila Jackson-Lee, a Representative in Congress From the
State of Texas
The Honorable Stevan Pearce, a Representative in Congress From the
State of New Mexico
The Honorable Mark E. Souder, a Representative in Congress From the
State of Indiana
Witnesses
Panel I
The Honorable George Foresman, Undersecretary for Preparedness, U.S.
Department of Homeland Security:
Oral Statement
Prepared Statement
Mr. David Powner, Director, Information Technology Management Issues,
Government Accountability Office:
Oral Statement
Prepared Statement
Panel II
Mr. David Barron, Chair, Telecommunications Sector Coordinating
Council:
Oral Statement
Prepared Statement
Mr. Guy Copeland, Chair, Information Technology Sector Coordinating
Council:
Oral Statement
Prepared Statement
Mr. Paul B. Kurtz, Executive Director, Cyber Security Industry
Alliance:
Oral Statement
Prepared Statement
Mr. William Pelgrin, Director, New York State Office of Cyber Security
and Critical Infrastructure:
Oral Statement
Prepared Statement
THE FUTURE OF CYBER AND TELECOMMUNICATIONS SECURITY
AT DHS
----------
Wednesday, September 13, 2006
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Economic Security, Infrastructure
Protection, and Cybersecurity,
Washington, DC.
The subcommittee met, pursuant to call, at 3:21 p.m., in
Room 2212, Rayburn House Office Building, Hon. Daniel Lungren
[chairman of the subcommittee] presiding.
Present: Representatives Lungren, Souder, Pearce, Sanchez,
Dicks, and Jackson-Lee.
Mr. Lungren. [Presiding.] I would like to welcome everyone
this afternoon to the Subcommittee on Economic Security,
Infrastructure Protection and Cybersecurity of the Homeland
Security Committee's hearing on the future of cyber and
telecommunications security at the Department of Homeland Security.
The security of information infrastructure has not received
the emphasis that it deserves, in spite of the fact that our
economy and our nation's preparedness is so dependent on this
technology.
Two days ago, this country commemorated the 5-year
anniversary of the worst terrorist attack on American soil. The
attacks of 9/11 not only killed thousands of American citizens,
but also targeted our way of life.
Those responsible have vowed to continue to attack our
country and our economy.
Information and communications technology are a prime
target for those intending to do us harm and a successful
terrorist attack could cause immeasurable danger and damage to
our everyday lives, for example, disrupt our electrical power
supply or disrupt our ability to respond to emergencies.
The Department of Homeland Security has been designated the
point of government contact for the critical infrastructure
owners and operators within both the information technology
sector and the telecommunications sector.
It is, therefore, incumbent upon the department to develop
an organization that can work effectively with these two
critical sectors to protect the assets under their control that
benefit the entire country.
This committee has been critical of the department's
priorities regarding cybersecurity and telecommunications in
the past and has called for the creation of an assistant
secretary for these issues to ensure their visibility within
the department.
Disappointingly, it has been over a year since the
secretary announced the creation of acting secretary for
cybersecurity and telecommunications, and, yet, the position
has not been filled.
We are concerned the department has not been as effective
as possible in ensuring the security and resiliency of our
information infrastructure or its efficient reconstitution in
the case of an incident of national significance.
We have been fortunate enough not to have suffered a
debilitating information infrastructure incident, but we cannot
rely upon good fortune alone. We must create a strong,
focused organization to ensure our cyber assets are protected
and to enable us to respond effectively to a cyber incident.
Today we will hear from Undersecretary for Preparedness
George Foresman, to whom the yet to be named assistant
secretary will report. And we look forward to hearing your
vision for the department with regard to these important
issues.
We will also hear from David Powner, with the Government
Accountability Office, who has reviewed the department's
programs and priorities for the past several years and will
present their findings and recommendations for going forward.
On our second panel, we will hear from William Pelgrin, the
director of New York State's Office of Cybersecurity and
Critical Infrastructure Coordination. He has experience in
running a government organization tasked with coordinating the
protection of information infrastructure, and will provide
important insight on how this can be done successfully.
Also, Mr. Paul Kurtz, executive director of the
Cybersecurity Industry Alliance, will provide a private sector
perspective on the department's leadership, priorities and
programs.
We will also hear from Guy Copeland, the chairman of the
Information Technology Sector Coordinating Council, and David
Barron, the chairman of the Telecommunications Sector
Coordinating Council.
Both of these gentlemen have extensive experience with
managing critical information infrastructure and dealing with
the department and they will provide private sector
expectations and priorities for the future.
I would like to thank all the witnesses for joining us
today, and I look forward to hearing everyone's testimony.
Before recognizing the ranking member, Ms. Sanchez, for any
opening statement she may wish to make, I give everybody
permission to take their coats off, because I don't know why we
decided that we need to heat the place up in September in
Washington, D.C. But someone has evidently thought that was a
good thing.
Prepared Opening Statement of the Honorable Daniel Lungren
I would like to welcome everyone this afternoon to the Subcommittee
on Economic Security, Infrastructure Protection, and Cybersecurity of
the Committee on Homeland Security's hearing on the future of cyber and
telecommunications security at the Department of Homeland Security.
The security of our information infrastructure has not received the
emphasis that it deserves, in spite of the fact that our economy and
our nation's preparedness is so dependent on this technology.
Two days ago this country commemorated the five year anniversary of
the worst terrorist attack on American soil.
The attacks of 9/11 not only killed thousands of American citizens
they also targeted our way of life. Those responsible have vowed to
continue to attack our Country, and our economy.
Information and communications technology are a prime target for
those intending to do us harm.
A successful terrorist attack could cause immeasurable damage to
our everyday lives, for example, disrupt our electrical power supply or
disrupt our ability to respond to emergencies.
The Department of Homeland Security has been designated the point
of governmental contact for the critical infrastructure owners and
operators within both the information technology sector and the
telecommunications sector.
It is therefore incumbent upon DHS to develop an organization that
can work effectively with these two critical sectors to protect the
assets under their control that benefit the entire country.
This Committee has been critical of the Department's priorities
regarding cybersecurity and telecommunications in the past and has
called for the creation of an Assistant Secretary for these issues to
ensure their visibility within the department.
It has been over a year since the Secretary announced the creation
of an Assistant Secretary for Cyber Security and Telecommunications and
yet the position has not been filled.
I am concerned that the Department has not been as effective as
possible in ensuring the security and resiliency of our information
infrastructure or its efficient reconstitution in the case of an
incident of national significance.
We have been fortunate enough not to have suffered a debilitating
information infrastructure incident, but we can not rely upon good
fortune alone; we must create a strong, focused organization to ensure
our cyber assets are protected and to enable us to respond effectively
to a cyber incident.
Today we will hear from Under Secretary for Preparedness, George
Foresman, to whom the yet to be named Assistant Secretary will report.
I look forward to hearing his vision for the Department with regard to
these important issues.
We will also hear from David Powner with the Government
Accountability Office who has reviewed the Department's programs and
priorities for the past several years and will present their findings
and recommendations for going forward.
On our second panel we will hear from William Pelgrin the Director
of New York State's Office of Cyber Security and Critical
Infrastructure Coordination. Mr. Pelgrin has experience in running a
government organization tasked with coordinating the protection of
information infrastructure and will provide important insight on how
this can be done successfully.
Also, Mr. Paul Kurtz, the Executive Director of the Cyber Security
Industry Alliance will provide a private sector perspective on the
Department's leadership, priorities and programs.
We will also hear from Guy Copeland, the chairman of the
Information Technology Sector Coordinating Council and David Barron the
chairman of the Telecommunications Sector Coordinating Council. Both of
these gentlemen have extensive experience with managing critical
information infrastructure and dealing with the Department. They will
provide private sector expectations and priorities for the future.
I would like to thank all our witnesses for joining us today.
I look forward to hearing everyone's testimony, and I now recognize
the Ranking Member, Ms. Sanchez, for any opening statement she may wish
to make.
Ms. Sanchez?
Ms. Sanchez. Thank you, Mr. Chairman. Thank you for
agreeing to hold this hearing. I think it is an incredibly
important one.
As you know, cybersecurity is a critical issue that I
believe deserves a lot more attention than this committee and
others have been paying to it, and I think it also needs a lot
more resources than we have devoted to it in the Department of
Homeland Security.
Our whole infrastructure, when you think about business
these days, relies on secure information networks, so that we
can ensure that reliable operations of water systems,
electrical grids, emergency response systems, Internet,
everything.
In addition, for many Americans, it is really a part of
their lives. This is the way we communicate. And,
unfortunately, I think that the information networks that we
have that we really rely on are really big areas for attack.
And, you know, we are not talking about maybe losing
people, but we are talking about an economic crunch that would
happen to our nation. And I am always just as concerned that
the terrorists affect us economically, because then I think
they will have won this issue of trying to come after our
lifestyle.
So I am looking forward to hearing from our witnesses.
There are a lot of issues that I am concerned with with respect
to cybersecurity. I want to find out when the assistant
secretary for cybersecurity and telecommunications is going to
be appointed.
I think the position has been open over a year now. I also
know that there are a lot of titles in this area that are still
acting and I want to find out when we are going to see more
permanent appointments of people, because I think that this is
just one little piece, but it sends a really big message.
Do we take cybersecurity seriously? And when we have acting
and empty spots, et cetera, then I think we are not devoting
the resources we need. And, lastly, do we have the right
resources for the department? And I look forward to discussing
these.
Thank you for calling this hearing, Mr. Chairman.
Mr. Lungren. I thank the gentlelady for her comments.
I might say that I know the ranking member of the full
committee and the chairman of the full committee wish they
could be here. They are on the floor right now managing time on
the bill commemorating 9/11 and the efforts of Congress
thereafter.
The chair now recognizes Mr. George Foresman, the
undersecretary for preparedness, to testify.
STATEMENT OF THE HONORABLE GEORGE FORESMAN, UNDERSECRETARY FOR
PREPAREDNESS, DEPARTMENT OF HOMELAND SECURITY
Mr. Foresman. Mr. Chairman, Ranking Member Sanchez, and
members of the subcommittee, thank you for the opportunity to
appear today to discuss cyber and telecommunications security.
Before I begin, I would very much like to acknowledge this
committee's exceptional leadership and dedication to
strengthening the cybersecurity of our nation.
Mr. Chairman, I look forward to working closely with this
committee to receive your guidance and to collaborate as we
continue the process that we have already made.
You have my written statement and I offer that for the
record.
I would like to briefly, though, highlight several points.
First, there has, in fact, been much discussion about the
department's ability to find and hire a qualified individual to
serve as the assistant secretary for cyber and
telecommunications security.
I want to be very clear. This has been and remains a top
priority for the department. We are, in fact, in the final
stages of a security review process for a candidate that we
feel is very well qualified. We look forward to announcing the
candidate with Congress very soon and I am confident that this
individual will continue to build on the progress that is being
made every day.
Second, today, the department is releasing its after action
report from our recent government, private sector, national and
international cybersecurity exercise, Cyberstorm.
This report will measurably advance refinements to
operational protocols and our coordination between the public
sector and the private sector.
Its lessons will not simply be documented. They will be
implemented.
Third, telecommunication networks and information
technology activities are both mutually dependent and
interdependent. They have, in fact, converged. By the end of
the year, we will complete our efforts to collocate together
the U.S. computer emergency readiness team and the national
coordination center for telecommunications to improve
operational coordination.
This means better coordination among all levels of
government and better coordination between government and the
private sector during threats and actual events.
Secretary Chertoff said last week, in his speech that
reflected on the 5 years since 9/11, the way to protect the
critical infrastructure is to work in partnership with federal,
state and local officials, and with the private sector folks
who actually own the things that we are trying to protect.
This collaboration is key to our approach to protecting
telecommunications and cyber infrastructure. We remain resolute
in our approach that will balance the security of the nation
against the economic security of the nation.
Last month, our cybersecurity experts worked quietly with
their counterparts at Microsoft to address critical software
vulnerability. Microsoft was competent in their partnership
with DHS and quickly brought this to our attention.
While Microsoft worked over several weeks to develop a
patch, our U.S. CERT was quietly and effectively monitoring
Internet activity to ensure the vulnerabilities were not being
exploited.
At the same time, the department was working domestically
and internationally with our private sector partners and public
sector partners to mitigate terrorist threats associated with
the British airline plot.
These two concurrent actions are just examples of many of
the day-to-day public and private sector activities taking
place in the department's preparedness efforts.
Maintaining these types of collaborations remains, as you
know, as it relates to cybersecurity and telecommunications
security, a multi-dimensional challenge. From personal
computers in homes to vast networks to control systems to the
Internet, cyber and telecommunications security presents
enormous challenges.
These challenges are obvious: prioritizing our work,
partnering for effective collaboration, balancing security and
economic considerations, and, most notably, increasing
understanding.
The other witnesses today will add clarity to these points
from varying perspectives. I think it is safe to say, however,
there is no one that will appear before you today that does not
share the belief that protecting America's cyber and
telecommunications systems is as critical to national security
as it is to citizen security.
I want to be clear, Mr. Chairman and members of the
subcommittee. Progress is being made every day. There is more
to be done.
Mr. Chairman and members of the committee, as you well
know, the security of America's cyber and telecommunications
systems does not lend itself to surrounding one building with
heavily armed police officers or simply mandating an action and
we are safe.
Simply put, there is no magic bullet.
In closing, the success of our national cyber and
telecommunications security efforts depends on unity of purpose
and continuing public/private sector collaboration. This is
serious business and we are serious about this business.
We look forward to continuing discussions with Congress on
the wide range of policy issues that we must confront together.
Thank you, and I look forward to your questions.
[The statement of Mr. Foresman follows:]
Prepared Statement of Hon. George Foresman
Good morning, Mr. Chairman and Members of the Subcommittee. Thank
you for inviting me to speak about cyber security and the recovery and
reconstitution of critical networks in the event of a catastrophic
Internet disruption.
One of the most pressing challenges facing the Department of
Homeland Security is preparing for attacks on the Internet and the
information networks supporting our critical infrastructure. Our
vision, our philosophy, and our strategy for preventing, responding to,
and recovering from cyber attacks reflect the expanding importance of
communications and the information infrastructure in all aspects of our
lives today. Policies that advance a safe and secure communications
infrastructure rely on fostering valuable relationships between the
public and private sectors, and promoting public trust and confidence.
Strong policies also project stability and strength to those who wish
us harm.
The key to continued success is partnering strategically with the
communications and information technology sectors, end-users of
Internet technologies, and other experts.
During the past several weeks our cyber security experts worked
quietly with their counterparts at Microsoft to address a critical
software vulnerability first identified to us by the Department of
State's cyber defense team. In the interim between identification of
the vulnerability and development of the solution, the Department was
closely monitoring technical indicators for indications of additional
exploitation of the vulnerability. Once a patch was available, the
Department's U.S. Computer Emergency Readiness Team (US-CERT)
coordinated an alert with Microsoft. DHS issued an alert through the
National Cyber Alert System urging the public, private industry, as
well as federal users to apply the security patch in order to protect
their systems. Overshadowed in the news media by the successful foiling
of the U.K. terror threat, this collaboration is typical of the kind of
behind-the-scenes, day-to-day public-private cyber security activity
that exemplifies the work being accomplished between the Department and
so many of our strategic partners.
These partnerships also entail strengthening cooperation across the
government institutions and, at a minimum, finding ways to cultivate
support outside of the Department where expertise clearly exists. We
are actively collaborating with 116 private firms. We are working
closely with the private sector entities established within the
National Infrastructure Protection Plan (NIPP) framework to collaborate
on risk management, including the Information Technology (IT) Sector
Coordinating Council (SCC) and the Telecommunications SCC. From an
operational perspective, we work with the Information Technology
Information Sharing and Analysis Center (IT-ISAC) and the National
Coordinating Center (NCC)/Telecommunications ISAC through various
information sharing mechanisms, including the US-CERT Portal. Our
partners, both public and private, are involved in a number of
programmatic activities that address software assurance, Internet
disruption, as well as exercises such as Cyber Storm.
In addition, there are about 400 firms that are part of the Process
Control Systems Forum, which was recently transferred from Science and
Technology Directorate to National Cyber Security Division (NCSD) and
addresses Control Systems security. There are 21 associations that we
work with on a regular basis that represent hundreds of companies,
including large enterprises and smaller companies. Whether public or
private, these partnerships must deliver real and measurable value in
light of the catastrophic damages that could occur to our national
cyber assets if we do not collaborate effectively.
Finally, we must reinforce a culture of preparedness and
increasingly shift from a reactive to a proactive stance. In sum, we
must prepare by promoting effective security strategies that evolve as
the risks evolve.
Assistant Secretary for Cyber Security and Telecommunications
Mr. Chairman, the Committee has expressed as a priority the
designation of the Assistant Secretary for Cyber Security and
Telecommunications, and has communicated interest in the Department's
plan to fill this vacancy.
Mr. Chairman, the Department shares the Committee's view on the
importance of filling the position of Assistant Secretary for Cyber
Security and Telecommunications with a qualified candidate.
Given the complexity of the portfolio, we believe it is important
to fill this position with a person of necessary talent and expertise
who understands both policy and technology issues regarding cyber
security and telecommunications and can further strengthen our national
efforts. I am personally engaged in this process and, in the interim, am
providing program direction to the talented men and women who are part
of our NCSD and National Communications System (NCS). Because of the
importance of our mission, all parties want to ensure that the
individual appointed to this position possesses the right combination
of skills, experience, and leadership necessary to succeed.
In the interim, I want to assure you, Mr. Chairman, that I am
personally overseeing strategic management objectives associated with
NCSD and specifically Internet recovery. These include, by way of
example:
Positioning the NCSD, especially the US Computer
Emergency Readiness Team (US-CERT), and the NCS so these
organizations are structured to be at the forefront of
preventing, responding to, and recovering from massive Internet
disruptions. Just as FEMA is on point for coordinating disaster
response, and the Coast Guard is on point for coordinating the
response to an oil spill, key experts like NCS and NCSD must be
capable of coordinating our response to events that target the
Internet;
Re-aligning CS&T component entities to create a
cohesive organization. The NCS and NCSD (including the US-CERT
and the NCC) must more fully synchronize their activities,
without a loss of either's core mission capabilities.
Communications convergence, threats against the communications
infrastructure, the increasing use of Voice over Internet
Protocol (VOIP) for emergency communications purposes, and
other influences demand that we merge the work of these
entities to create new and stronger synergies; and
Ensuring resources are sufficiently allocated to meet
new needs. I am personally overseeing the development of a
budget strategy that spans the next five years. This strategy
is essential for shepherding CS&T priority programs into the
next decade.
Information Sharing and Internet Recovery
Mr. Chairman, the Committee has communicated interest in the
programs within the Department that are designed to improve information
sharing regarding the recovery of the Internet.
We fully recognize the challenges inherent in our preparedness
responsibilities. As the President stated in the National Strategy to
Secure Cyberspace, it is the policy of the United States to protect
against ``the debilitating disruption of the operation of information
systems for critical infrastructures and, thereby, help to protect the
people, economy, and national security of the United States.'' The
strategy also underscores the importance of partnering with the private
sector as well as State, local, and tribal governments to effectuate
this policy.
On my fourth day as Undersecretary for Preparedness, I met with the
Business Roundtable to discuss strategic collaboration and their
Internet reconstitution study. We outlined a 120-day plan to advance
our collaboration on this important work and continue to work in tandem
with the Roundtable as they expand their efforts to focus on business
needs and issues regarding Internet recovery and reconstitution in the
coming year. The timeframes for specific actions and results will be
the topic of more discussion with the Business Roundtable in the next
several months. That effort supplements the work we are doing with the
IT-SCC and the Telecommunications SCC under the NIPP to address
Internet protection and prioritization as part of our collaborative
approach to risk management in the core sectors for the Internet.
US-CERT, NCC & the NAIRG
In addition to coordinating with the Business Roundtable, our
outreach specifically focuses on building relationships with private
industry owners and operators of the Internet and information networks.
For example, the US-Computer Emergency Readiness Team (US-CERT)
continues to develop operational relationships and processes to enhance
its ability to respond to an Internet disruption of national
significance through its work with the IT-ISAC, and with the North
American Incident Response Group (NAIRG) of industry participants. In
addition, the NCC represents a fully collaborative model as the ISAC
for the Telecommunications Sector, with both public and private
participation in its operations.
The US-CERT has deployed several programs as part of its efforts to
support cyber incident response. We expect funding in Fiscal Year 2007
to reach approximately $37 million. These funds support deployment of
multiple programs, including the Einstein Program, which tracks attacks
on federal information systems and warns stakeholders in near real-
time. Other program areas funded as part of this total include an
Internet Health Service for federal agency incident response teams, the
US-CERT's 24X7 cyber incident handling center, vulnerability
management, forensics education and support, and malicious code
analysis.
Internet Disruption Working Group (IDWG)
The NCSD and NCS have also established an Internet Disruption
Working Group (IDWG) to address the resiliency and recovery of Internet
functions in the event of a major cyber incident. With public and
private sector representatives, the IDWG's near-term objectives help to
augment the level of information sharing among government and the
private sector. The IDWG is also undertaking an information sharing
assessment to better understand the information exchange landscape
involving Internet incidents.
National Cyber Response Coordination Group (NCRCG)
The Business Roundtable report also underscores the role of the
National Cyber Response Coordination Group (NCRCG). Established in
partnership with the Department of Defense and the Department of
Justice in the National Response Plan's (NRP) Cyber Annex, the NCRCG
serves as the Federal government's principal interagency mechanism for
coordinating the federal effort to respond to and recover from cyber
incidents of national significance and includes 19 federal agencies
including the Intelligence Community. The NCSD is working with industry
to establish a private sector counterpart to the NCRCG, which would
communicate and collaborate with the Federal government NCRCG during
times of crisis.
Mr. Chairman, further detail regarding the Committee's inquiries
related to the goals, resources, and timeframes for implementation
associated with these programs is also provided in the Department's
recent letter in response to your July 5, 2006 query.
The Role of US-CERT in Internet Recovery
Mr. Chairman, the Committee has expressed concern about the role
and responsibility of the United States Computer Emergency Readiness
Team with regard to Internet reconstitution.
US-CERT is the operational component of the National Cyber Security
Division and represents a partnership between the Department and the
public and private sectors. US-CERT is charged with protecting our
nation's Internet infrastructure by coordinating defense against and
response to cyber attacks. US-CERT is responsible for:
Analyzing and reducing cyber threats and
vulnerabilities;
Disseminating cyber threat warning information; and
Coordinating incident response activities.
As indicated above, I am personally overseeing the retooling of the
US-CERT and CS&T to ensure that roles and responsibilities align with
our mission with regard to Internet recovery and the NRP.
The Role of FEMA in Internet Recovery
Mr. Chairman, the Committee has communicated interest in learning about
the role of the Federal Emergency Management Agency (FEMA) with regard
to restoration of Internet functions in the case of a major disruption
or attack.
Depending upon the nature of the disruption or attack, FEMA, under
the direction of the Secretary of Homeland Security, and advised by the
Assistant Secretary for Cyber Security and Telecommunications and other
Department officials, may be called upon to support industry and other
Federal efforts to restore connections to the Internet. FEMA's specific
responsibilities under the National Response Plan through Emergency
Support Function (ESF) #5--Emergency Management may entail providing
logistical, communications or administrative support as they would for
any other emergency or disaster for which they do not have the primary
lead role. However, FEMA would not have the lead role for Internet
restoration.
Conclusion
The National Cyber Security Division has established its mission
and priority objectives, developed a strategic plan, and undertaken
significant steps to implement its strategic plan across the programs
outlined here. Our progress to date is tangible: we have a construct
for public-private partnership; we have a track record of success in
our cyber operations; we have established relationships at various
levels to manage cyber incidents; we have built international
communities of interest to address a global problem; and we have tested
ourselves at a critical development stage and will continue to examine
our internal policies, procedures, and communications paths in future
exercises. We are building on each of these achievements to take
further steps to address Internet recovery and reconstitution as well
as to increase our overall cyber preparedness and improve our response
and recovery capabilities.
In this ever-evolving environment, we know that we must always be
attuned to new threats, new vulnerabilities, and new technologies. We
need to be flexible enough to adjust our efforts to meet these new
challenges.
I would like to thank the Subcommittee for its time today, and I
appreciate this opportunity to bring further transparency to these
important cyber security priorities.
Mr. Lungren. Thank you very much, Mr. Foresman, for your
testimony.
The chair will now recognize Mr. David Powner, the director
of information technology management issues at the Government
Accountability Office, to testify.
And, again, the full text of your comments will be in the
record, and we would ask you to summarize for 5 minutes.
STATEMENT OF DAVID POWNER, DIRECTOR, INFORMATION TECHNOLOGY
MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Powner. Thank you, Chairman Lungren, Ranking Member
Sanchez, and members of the subcommittee. We appreciate the
opportunity to testify on the Department of Homeland Security's
efforts associated with securing our nation's critical
infrastructures from cybersecurity threats.
Recent attacks and threats have underscored the need to
effectively manage and bolster cybersecurity of our nation's
critical infrastructures. For example, criminal groups, foreign
intelligence services, and terrorists are threats to our
nation's computers and networks.
To address these threats, federal law and policy calls for
critical infrastructure protection activities and establishes
DHS as our nation's focal point. It also designates other
agencies to coordinate with key sectors, including energy,
banking and finance, and telecommunications.
This afternoon, as requested, I will summarize three key
points. First, DHS has many responsibilities called for in law
and policy that remain unfulfilled. Second, many challenges
confront the department, including organizational stability and
leadership. And, third, I will highlight our key
recommendations to improve our nation's cybersecurity posture.
Expanding on each of these. Last year, we reported to you,
Mr. Chairman, that based on federal law and policy, DHS has 13
key cybersecurity responsibilities that include developing a
national plan, enhancing public-private information sharing of
cyber threats, vulnerabilities and attacks, conducting a
national cyber threat assessment, facilitating vulnerability
assessments, and coordinating incident response and recovery
efforts, if, in fact, attacks occur.
Although DHS has initiated efforts that begin to address
each of its responsibilities, the extent of progress varies and
more work remains on each.
For example, its computer emergency response team, referred
to as the U.S. CERT, issues warnings about vulnerabilities and
coordinates responsibilities for cyber attacks. However, our
nation still lacks a national threat assessment, sector
vulnerability assessments, a mature analysis of warning
capability, and key recovery plans, including a plan for
recovering Internet functions.
Despite federal policy requiring DHS to develop an
integrated public-private Internet recovery plan, to date, no
such plan exists. Such a plan is important because the Internet
has been targeted and attacked and private sector companies,
who own the majority of the Internet infrastructure, deal with
cyber and physical disruptions on a regular basis.
Several recent cyber attacks highlight the importance of
having robust Internet recovery plans, including a 2002
coordinated denial of service attack that targeted all 13
Internet root servers.
DHS faces a number of challenges in building its
credibility as a stable, authoritative and capable organization
that can fulfill its cyber critical infrastructure
responsibilities.
These include achieving organizational stability and
authority. Filling the assistant secretary for cyber and
telecommunications position is critical. However, leveraging
this new authority will remain a challenge.
Another challenge is establishing effective partnerships
and information sharing arrangements with other government
entities and the private sector.
During our most recent interviews, representatives from
various sectors told us that the level of trust is not
sufficient to have productive information sharing.
In addition, DHS needs to demonstrate value, meaning that
it needs to provide useful and timely information on such items
as threats and analytical products to key stakeholders.
Regarding challenges that have impeded Internet recovery
progress, it is unclear what government entity is in charge,
what the government's role should be, and when they should get
involved.
Over the last several years, we have made a series of
recommendations to enhance the cybersecurity of critical
infrastructures that demand immediate attention, including
conducting important threat and vulnerability assessments,
developing a strategic analysis and warning capability for
identifying potential threats, developing a strategy to protect
infrastructure control systems, and developing recovery plans
to respond to attacks, including a plan for Internet
reconstitution.
In summary, Mr. Chairman, DHS has made progress in planning
and coordinating efforts to enhance cybersecurity, but much
more needs to be done, including conducting threat
vulnerability assessments, bolstering our analytical
capabilities, aggressively pursuing threat and vulnerability
reduction efforts, and developing recovery plans.
Our testimony today lays out a comprehensive roadmap of key
recommendations to help DHS tackle its many responsibilities.
Until DHS addresses its many challenges and more fully
completes critical activities, it cannot function as the
cybersecurity focal point intended in federal law and policy,
resulting in increased risks that large portions of our
national infrastructure will be unprepared to effectively
manage cybersecurity attacks.
This concludes my statement. I would be pleased to respond
to any questions.
[The statement of Mr. Powner follows:]
Mr. Lungren. Thank you very much for your testimony, from
both of you.
If I knew how to work this thing, I would work it, too.
Anyway, I will try and keep myself to 5 minutes.
Mr. Foresman. Mr. Chairman, we do have a bunch of technical
experts in the room.
[Laughter.]
Mr. Lungren. I know that. I just don't know which button to
push. I am sure it will work out.
Thank you very much for your testimony. I will give myself
the first 5 minutes to ask you these questions.
Mr. Foresman, in your testimony, you acknowledge--and in
the letter that I received from the secretary, dated September
12, that I received, I guess, today or last evening, in
response to my letter of July 5--you acknowledge the importance
of cybersecurity.
Yet, this position has remained vacant for such a long
period of time. From the outside looking in, that would suggest
that you don't have that really at the top of your priority
list or you don't think it is important to fill it, because in
the letter that I received, you indicate that, ``Hey, we are
still doing these things. It hasn't stopped us or slowed us
down from doing it.''
Why hasn't that attention been given to this?
Mr. Foresman. Mr. Chairman, let me address it with two
points.
First, this has been the most top priority position since I
came into office in January, and we have been through a number
of candidates, candidates who have withdrawn from the IT
industry, who found divestment of their businesses unattainable
in the timeframes we needed to get them on board.
We have had individuals that have gone through the security
review process and, for a variety of reasons, have not been
able to continue on. But we feel confident in the candidate
that we do have.
Part of this comes down to the fact that one person is
absolutely critical, but not indispensable any more than you,
Mr. Chairman. If your director of constituent services leaves
your office, it doesn't mean you quit doing constituent
services.
We have been continuing to move forward with this, but we
weren't going to simply hire someone in order to fill the
position. We wanted to get a top quality candidate, get a top
quality individual.
We believe that we are at that point. We felt like we were
at that point several times before, but we are much further
through the process this time.
Mr. Lungren. Mr. Powner, based on your work, it appears
that DHS has not fully addressed any of its 13 key
cybersecurity responsibilities. Of the 13 key responsibilities,
which, from your review, should be the highest priority for
DHS?
Mr. Powner. Clearly, within those areas of responsibility,
there are some core areas that should be focused on. We look at
threat assessment as being one. Vulnerability assessments and
reduction activities in that area would be another key one. The
third one would be bolstering their analytical capability.
One of the issues in building credibility with the private
sector is what does the government have that is of value to the
private sector infrastructure owners. And if we had more robust
analytical capability, where we were ahead of attacks, and I
know the department is trying to pursue that with some of their
projects, like Einstein and other things that are ongoing.
But if we offered that to the private sector, they would be
more willing to participate and share information with the
government.
Mr. Lungren. How much, if any, of the reluctance to
participate--you say their lack of trust, I think is the word
that you used--is the result of us not building into our
legislation and our regulations protections against liability?
That is, if I am on the outside looking in, the government
comes to me and says, ``We would like you to share information
with us with respect to the state of your cybersecurity,'' you
may be reluctant because you may be looking at a lawsuit down
the line if you are exposed as not having done everything that
needs to be done, based on analysis done by the department.
Do you have any sense of that?
Mr. Powner. Well, we clearly hear that from some of the
infrastructure owners that that is one reason why they do not
provide any information.
The second reason is, you know, they provide information,
but what do they get back in return? If you don't get something
in return, you are less willing to provide that.
Although I will say, in all fairness to the department,
they recently issued a rule which is associated with how
critical infrastructure information is shared and there is
greater clarity in terms of how that information is handled and
protected on the government side.
So that was clearly a step in the right direction that
recently occurred.
Mr. Lungren. Mr. Foresman, there is criticism, obviously,
that you have not fully addressed any of the 13 key
cybersecurity responsibilities.
What would you say in response to that, number one? And,
number two, how do you prioritize among those 13 in terms of
what you need to do at the department?
Mr. Foresman. Mr. Chairman, what I would say is we very
much acknowledge the great work that the Government
Accountability Office continues to do on a wide range of fronts
and the recommendations that Mr. Powner has brought forward are
ones that will help us chart the road ahead.
But to the second piece of it, in terms of prioritization,
this is not simply unilateral action on the part of the
Department of Homeland Security.
One of the reasons why we have a wide range of
constituencies involved in this process, public sector and
private sector, sector coordinating council, just being one of
many examples, as we are working through the national
infrastructure protection plan in the IT sector, is so that we
can bring the private sector stakeholders to the table with
government and in an environment of collaboration to make a
mutual determination about where the priorities are, because if
we in the department were to have a priority that was different
than, say, the Office of Management and Budget at the federal
level or the state of New York at the state level or Microsoft
at the corporate level, we are not going to be headed in the
same direction.
So this is not the easiest environment in the world,
because it is not a regulated environment. It shouldn't be a
regulated environment. And we have got to create a mutually
shared vision and gain a wide range of consensus.
And, clearly, one of the things that we know is that there
are market factors that can be brought into play that will
incentivize. You mentioned liability, just being one of many.
Mr. Lungren. My time, I believe, has expired. When we come
back, I want to ask you about the three top priorities
specifically.
The gentlelady?
Ms. Sanchez. Thank you, gentlemen, for being before us.
You know, it is not just a lack of this assistant secretary
that you have been unable to fill for the last year. I mean,
the GAO noted, in its last report, in 2005, that there were
various people who had left the department and that there
really is no leadership going on.
And my question is how can you say that because you haven't
filled that position, you--I mean, there seems to be no
leadership in this area.
In fact, I think your report noted that some of the
industry groups you had spoken to said that the lack of these
positions being filled really noted a lack of leadership from
that department.
Is that not true?
Mr. Foresman. Yes, that is true. What we heard from certain
infrastructure owners was the lack of leadership was sending a
message that it was not an administration priority.
Ms. Sanchez. So is it an administration priority?
Mr. Foresman. Ms. Sanchez, it is, in fact, an
administration priority. When Secretary Chertoff went through
the second stage review and we created this position, we did it
in response to a desire on the part of the industry and a
desire on the part of Congress, as well as the federal
executive branch, to have greater collaboration and
coordination.
And I acknowledge and I am the first one to acknowledge
that this has been a tough process to get this position filled.
And, Congresswoman, I want to say it is not for wont of
trying. We have been working exceptionally hard and, as you
know, the department--it is hard to recruit, frankly, because
there is great criticism of the department on many fronts.
And many of the folks who have the IT background are making
very substantial salaries in the private sector and you have to
make a sacrifice to come into government and it has been
difficult to find individuals willing to make the sacrifice.
Ms. Sanchez. I think a lot of us make a sacrifice to come
into the government.
Mr. Dicks. Would you yield just for one question?
On that very point, do you have an acting assistant
secretary? We have acting secretaries all over the government.
Is there an acting assistant secretary?
Mr. Foresman. Congressman, there is. And we had Bob
Stephan, who was our assistant secretary for infrastructure
protection, was dual hatted, carrying the responsibilities of
doing infrastructure protection, also overseeing the efforts of
our cybersecurity and our national communications systems
activities.
Recently, we interjected the deputy undersecretary for
preparedness, Rob Zitz, who works for me, to provide for the
day-to-day management and oversight, in collaboration with the
national cybersecurity division and the national communications
system, simply because of the fact that we are going through
trying to get the national infrastructure protection plan done,
get all the sector coordination plans done.
And Bob was doing yeoman's work with both hats on, but we
have added an additional person in there to help make sure that
the folks in both of these shops have the tools, the resources
and the guidance necessary to be successful.
Mr. Dicks. Thank you.
Ms. Sanchez. Certainly, Mr. Dicks.
So you are telling me that he was--did you officially do
that? Because we never got word that you did this. You titled
him with the acting secretary position?
Mr. Foresman. We did not. What I am saying to you is--
Ms. Sanchez. You just said you were going to give it all
over to him to do.
Mr. Foresman. No, ma'am. What we have said is that Mr. Zitz
has the responsibility for ensuring day-to-day oversight and
coordination efforts between the national cybersecurity
division, as well as the national communications system.
Ms. Sanchez. Okay, I think the question that Mr. Dicks had
was did you have an acting assistant secretary for
cybersecurity and telecommunications.
Mr. Foresman. We did and that is Mr. Stephan.
Ms. Sanchez. So he is doing both secretary positions.
Mr. Foresman. He is doing both secretary positions. And,
Congresswoman, he is on paper today doing the cybersecurity and
the communications system in the context that Bob was working
phenomenal hours, trying to do both jobs, and we added a second
person in to provide day-to-day direction and oversight.
Ms. Sanchez. Well, this is such an important job. I mean, I
can't imagine that someone is going to have a real full-time
job and then take this job on.
And you can really sit there with a straight face and tell
me that he was doing both jobs.
Mr. Foresman. Congresswoman, my--
Ms. Sanchez. That is like saying I am a congresswoman and
Mr. Lungren's district doesn't have a congressperson,
therefore, I am going to be the acting one. I mean, it is two
jobs you just can't do together.
Mr. Foresman. Well, Congresswoman, let me just offer this.
In the context of providing advice and counsel to the men and
women of both of these shops, providing strategic direction and
leadership, we have plenty of folks who are available and are
doing that on a day-to-day basis.
Ms. Sanchez. Did you have a comment?
Mr. Lungren. Well, if the gentlelady would yield for a
second.
Mr. Foresman, could you tell us when you do anticipate
filling this position?
Mr. Foresman. Congressman, as you know, the individual who
will fill this position will have access to some of the most
highly classified data that is available. They are going
through the security clearance process.
The way I would best characterize it is in terms of where
one would normally expect them to be in the security clearance
review process. They are way beyond that point, which shows
that we are making getting the security clearance done a
highest priority.
Mr. Lungren. So is the answer that the only thing holding
this up is the finalization of the security clearance?
Mr. Foresman. That is correct.
Ms. Sanchez. I want to talk about compensation for a
minute, because we had the whole issue of Andy Purdy and being
paid from different pots.
Do you think that you have adequate protections in place to
deal with potential conflicts of interest that arise when the
IPA contractors oversee business arrangements between the
government and their home employer?
Mr. Foresman. Congresswoman, we do, but beyond that step,
as you know, the department used a large number of IPAs in the
early days to get the department up and running.
We made a very deliberate decision and in consultation with
the secretary and the deputy secretary, when I came on board,
we are moving as many of the current IPA positions to full-time
federal employee positions, recognizing that we are
transitioning from what one would reasonably say is the startup
point of the department, where IPAs were a necessity, to the
point of where we need to convert these to full-time federal
employees.
Ms. Sanchez. So how many IPAs would you estimate are still
around? And I am assuming what you are telling me is that you
are moving them from however many you might have right now to a
net of zero.
You don't really want IPAs hanging around in the
department?
Mr. Foresman. No, Congresswoman, I wouldn't say that we are
going to do it at 100 percent. There is going to be a
necessity for IPAs particularly in selected expertise areas,
high science areas.
But for the vast majority of positions that were IPA
before, we are taking a very hard look at this and, frankly, we
want to make sure that we had these as full-time federal
employees, not subject to the provisions of some of the
limitations that, frankly, are placed on IPAs, because they
don't fit into that full-time federal employee status.
Ms. Sanchez. Thank you, Mr. Chairman.
Mr. Lungren. The time of the gentlelady has expired.
The gentleman from the state of Washington is recognized
for 5 minutes.
Mr. Dicks. Well, thank you.
You have got this person that you signed a 2-year contract
with, Andy Purdy, is that correct?
Mr. Foresman. That is correct.
Mr. Dicks. And 2 years to serve as acting director of the
national cybersecurity division.
Mr. Foresman. That is correct.
Mr. Dicks. In a time when enduring leadership over the
federal government's effort in this arena is vital, why would
the department sign a two-year contract that expressly provides
for an interim director?
Mr. Foresman. Congressman, I will have to offer that that
occurred before my arrival, but what I will say is that upon my
arrival, upon my assumption of the duties and the
responsibilities, we have looked at our IPA activities and I
want to convert these over to FTE, full-time federal employee
positions, and we are in the process of doing that.
Mr. Dicks. Now, we know that the preparedness directorate
also uses IPAs, as was mentioned. A recent news article
revealed that acting NCSD director Andy Purdy receives a
$277,000 salary, mostly paid by the department, all while
overseeing a multi-million dollar budget for this home
institution of Carnegie Mellon.
Does the preparedness directorate have adequate protections
in place to deal with potential conflicts of interest?
Mr. Foresman. Congressman, as you know, this issue did come
up in the public, in the press over the course of the last
several months, and we went and did an exhaustive review of it.
When Andy came on board, he was subjected to the same
ethics requirements that the rest of the federal employees are
subjected to. We have a series of checks and balances.
We have separate business functions from those who oversee
program activities. And we do feel like it was adequate.
Mr. Dicks. The Cybersecurity Alliance has called for
increased funding of cybersecurity efforts within the
department. Yet, the administration lowered the budget by
several hundred thousand dollars this year and the Senate
Homeland Appropriations Committee recommended a decrease of
almost $10 million for the budget request for 2007.
Why is cybersecurity having such a hard time obtaining
proper funding from the administration and from the majority
party in the Senate?
Mr. Foresman. Congressman, I think I would articulate it
like this. We shouldn't measure our success or failure with
cybersecurity efforts in dollars spent, but rather in the
ability to leverage the resources.
As a for instance, one of the things that the GAO report
mentions in terms of the analytical ability--Mr. Chairman, this
goes to one of your three top priorities--is enhancing our
analytical ability.
Part of that hinges on leveraging better the intelligence
community. And I will tell you, Congressman, that as we look
across the spectrum of things that we are doing on our
cybersecurity efforts, we are trying to break down the
stovepipes inside the department so that we don't have, if you
will, two activities doing the same function.
The Secret Service does elements of cyber training. Their
cybersecurity division is involved in cyber training. And we
are looking to achieve efficiencies where we can merge
activities and get more bang for the buck.
So I would not articulate that dollars spent is a clear
indicator of whether we are being successful or not with our
cybersecurity efforts.
Mr. Dicks. Well, Mr. Powner, you are the GAO fellow, right?
Mr. Powner. Correct.
Mr. Dicks. I missed your presentation, but you guys have
done studies over the last several years and it is still your
impression that we are not making very much progress in terms
of getting this area moving forward.
Mr. Powner. Well, if you look comprehensively at the whole
plan for tackling the cyber critical infrastructure protection
arena, we can go back to 1996, with Presidential Directive 63.
We haven't made much progress.
We put a lot of plans--
Ms. Sanchez. May I ask a question related to that?
Mr. Dicks. Let him finish his answer. Then I will yield to
you.
Mr. Powner. I mean, we put resources and there are always
plans in place, but we need to get off of putting plans in
place and actually get down to implementation.
We are going to get sector-specific plans, hopefully, at
the end of the year, that are tied to the national
infrastructure protection plan. Hopefully, those plans move us
beyond another plan, but more into vulnerability assessments,
efforts to protect our infrastructure, efforts to reduce the
vulnerabilities that are out there, and, also, to put in place
recovery plans.
We don't have those things, if you look at--individual
companies do, yes, but if you look at sector by sector and what
is called for in law and policy, we do not have those.
Mr. Dicks. I yield.
Ms. Sanchez. Do you think they have a vision? I mean, with
nobody at the top really under this and with so many people
having come in and been cyber czar, as I call them, I think the
fifth person now.
I mean, do the people that work in this area and does the
department really have a vision about what they are supposed to
be doing or do you find them struggling?
Mr. Powner. Clearly, they are struggling, in aspects. But
in terms of a vision, there is a national infrastructure
protection plan that has a lot of the right pieces in place. It
calls for the right things, to engage the right parties.
Now, what we need to do is to engage those parties and move
forward on the implementation phase. So I would say the
national infrastructure protection plan, a lot of the aspects
of that plan are pretty good, but now the challenge becomes in
implementing it and it is tough to implement it when you have
this history of not necessarily having the strongest
relationship with various sectors in the private sector who own
the majority of the infrastructure.
It is a huge challenge.
Ms. Sanchez. Thank you, Mr. Dicks.
Mr. Dicks. Let me ask you these. We spent a lot of money in
the Department of Defense looking at cybersecurity from a
Defense Department perspective. I serve on Defense
Appropriations. Has DHS benefited at all from the work that was
done at the DOD?
Mr. Powner. A couple comments. I think, clearly, we could
leverage other aspects of the federal government where we have
made progress. DOD, if you look at their defense cybersecurity
lab, if you look at their joint task force, they have got many
areas that look at cyber initiatives.
And I think the department has acknowledged that trying to
link up and leverage those aspects within the Department of
Defense and build a partnership in those areas is needed.
Mr. Dicks. Mr. Chairman, just one quick, last, brief
question.
Mr. Lungren. Sure, go right ahead.
Mr. Dicks. Thank you.
Mr. Foresman, did the DHS ethics officer approve the Purdy
arrangement?
Mr. Foresman. Congressman, I believe he did, but let me
confirm that and provide you a written response.
Mr. Dicks. Get us a response. And if there was a letter
written at the time, we would like to have that, if that would
be all right with the chairman.
Mr. Lungren. That would be fine.
Mr. Dicks. I think we need to be able to see a copy of what
was sent at the time.
Does the GAO know anything about that?
Mr. Powner. No, sir.
Mr. Dicks. Thank you. Thank you, Mr. Chairman.
Mr. Lungren. The gentleman's time has expired.
The gentleman from Indiana is recognized for 5 minutes.
Mr. Souder. I appreciate your testimony and the
unbelievable complexity of the challenge.
I had kind of a side question, but I wonder how it is
extending the front that you have to defend.
I know in the GAO testimony, you have about how to protect
government computers and there is a reference also to the
university names that were stolen and others.
But in the Veterans' Administration, where we, in effect,
had most of our veterans', a high percentage of our veterans'
names appeared to have been stolen in a random burglary,
because it went home and the computer went home, and, at one
point, it looked like we might have even compromised home
addresses and our active servicemen, meaning that they would be
vulnerable.
How does the whole experience of contracting out, not only
in the government arena, but in the private arena--are you
looking at how to build--I understand the veterans' department
is trying to work additional firewalls in.
How are we going to handle this without, in effect, pulling
everything back inside a few walls? This is like making our
entire system vulnerable at its weakest link, which is at home.
It is vulnerable to random robberies, penetrations of some kid
hacker on his dad's computer.
Mr. Foresman. Congressman, let me start and maybe Mr.
Powner may have additional comments. This actually very much
underscores the complexity of probably among our greatest
vulnerabilities is not on our networks, as I think some of your
next panels of witnesses will talk about, but in the context of
the computer sitting on the desk at home or in the small
business office somewhere.
And, you know, this becomes the same challenge that we have
when we talk about how do we prepare America for emergencies
and disasters of any kind and part of this comes back to
citizen education.
You know, October is national cybersecurity awareness month
and just as much as we want the average citizen to know that
they need to check their smoke detector batteries in October,
we also want our citizens to know that you can't buy the
computer, you can't load the software on it, and you can't say,
``Okay, I am good forever on until I get the next computer.''
And it requires maintenance, it requires work, and this is
one of the areas where I think strong collaboration between the
public sector and the private sector, constant messaging is
going to be absolutely critical.
Mr. Powner. Just to second that, when you look at security
as a whole, it is only as good as your weakest link.
We do a lot of work not only looking at cyber critical
infrastructure, but looking at individual agencies and
departments. We have a lab internally that we attempt to break
into systems and networks in federal departments and agencies
and we are almost always successful.
But there are simple things, like when you are not
successful, we will call the Department of Homeland Security
and say, ``We are working for Mr. Foresman and he forgot his
password and can you give it to us.'' And you know what? We
usually get it.
So it is those type of things, too, and it makes it very
difficult, because you have got this huge technological
component that you have to secure, but it is also relying on
the individuals and the people, too.
And educating everyone and having that whole picture in
place is very difficult with many of these departments.
Mr. Souder. Well, thank you for scaring me even more. Mr.
Chairman, I want to point out, I have blue and gold on.
Mr. Lungren. That is very good. I am just painting my
office blue and gold, after the victory against Penn State, I
guess it was. Now it is Michigan, the next one coming up.
The gentlelady from the great state of Texas is recognized
for 5 minutes.
Ms. Jackson-Lee. Well, you know, I am stuck in orange and
we are struggling, but we are going to make it.
Mr. Lungren. I wasn't going to say a thing.
Ms. Jackson-Lee. But thank you very much, Mr. Chairman, to
the ranking member.
I am going to use a part of my time to try to articulate
some of the piquing frustration. As I do that, Mr. Foresman, I
do want to acknowledge that you are a superb professional. We
thank you for your service.
We thank Mr. Powner, as well, and the GAO is certainly one
of our frequent witnesses throughout the Congress.
But I notice that this room is particularly tranquil and
very well appointed and would give us a sense of calm. Here is
my frustration.
We are not living in a calm arena. Day to day, we are
noting the use of technology, levels of sophistication by Al
Qaida, certainly the new sophisticated creative uses of mere
liquids that would create havoc in the nation's and the world's
skies, and, of course, as my colleague mentioned, the ludicrous
incident or accident of a missing laptop and thousands upon
thousands of veterans' personal information.
I just had a hearing yesterday on the National Security
Agency and, of course, the issues dealing with warrantless
searches, which speaks to corporations who are now either
engaged or not engaged in providing data, issues of data
mining.
These are major issues and I guess as I look at this
structure that you have, I am a little--we call it unready, a
great deal of discomfort.
Mr. Purdy may be a very fine professional himself, but I am
listening to Mr. Powner, who said he is completely blank on
this arrangement.
My concern would be attention span and the ability to run a
multi-conglomerate, whatever responsibility Mr. Purdy has,
whether or not he has put it in trust, I am not sure, and this
very important responsibility.
I do hear you saying that there is a process going and
someone is being embedded as we speak.
But I think the message I want you to take back to
Secretary Chertoff, and we had great hopes and dreams for
homeland security, we still do, we wouldn't be here, committed,
as you heard, that there has to be a certain energy, a certain
sense of urgency, a certain sense of panic, that we wouldn't
have to see one area after another be vacant, be with acting or
interim.
And we are all sort of facing those uphill obstacles. You
are not the personnel director, of course, but I think it is
important to note that the idea of staffing is crucial.
So maybe you can give me a sense of who is working under
Mr. Purdy. What kind of shop do we have there? Vision has never
been--it is good planning, but it has never been answers to
terrorism, because we can visioning for a long time and subject
the American people to a major, if you will, terrorist attack.
We are all sort of sitting on edge because we know that
just by the nature of this heinous business now that is going
on the world, that we are certainly as vulnerable as the next.
We are trying to secure this nation, but we have a lot of
gaping holes.
So tell me what staffing you have and what are you
practically doing as it relates to cybersecurity, because you
have got an interim person?
And, Mr. Powner, in my closing moment, would you then take
it to the next level of what are the Achilles heels as we are
presently structured? The interim person, maybe some of your
questions not being answered, in a world of cybersecurity.
And I yield to you, Mr. Foresman.
Mr. Foresman. Congresswoman, thank you for the question.
And let me also, to the context of what Congressman Dicks asked
about, I did get a note from staff and the ethics officer did
review the arrangement before Mr. Purdy came on board. So it
did go through the ethics review process, but we will provide
any additional clarity that you wish.
I would generally break four primary functions in the
national cybersecurity division and some of the most talented
men and women and very dedicated men and women, and I would
invite all of you all to come out to the U.S. CERT center out
in Northern Virginia and see what they do every day to monitor
what is going on across the Internet, to identify and look for
vulnerabilities.
Ms. Jackson-Lee. Do you know the numbers of your staff, how
many are out there?
Mr. Foresman. I can get you an approximate. Congresswoman,
I don't know off--
Ms. Jackson-Lee. But is every spot filled?
Mr. Foresman. I believe that they are close, because we are
making sure vacancies--
Ms. Jackson-Lee. You are making headway.
Mr. Foresman. Minimizing vacancies. But there are four
primary buckets. One is kind of the detection and monitoring.
That is the U.S. CERT folks. That is the operational piece,
knowing what is going on, having a place that the federal
interagency and the private sector can reach into 24/7 to be
able to do it.
The second category is those efforts that are targeted
towards raising education and awareness across the university
sector and that type of activity.
The third area is what is traditionally the planning,
getting the private sector and the public sector folks in the
room together and making sure that we know how we are going to
respond to a threat, we know how we are going to respond to an
actual event, we know how we are going to implement recovery.
And those are the folks who had the hard time of
translating the idea for greater cooperation.
Ms. Jackson-Lee. And your team is engaged in information
sharing. You are part of the component that deals with the
information sharing component. I assume that you look at
information.
Are you the gatherers or are you providing information out?
Mr. Foresman. Well, it is both. It is really both being--
Ms. Jackson-Lee. You are functioning in two ways. You feel
confident that you are functioning now with your staff.
Mr. Foresman. We are functioning, but, Congresswoman, I am
not going to mislead you or this committee. We got our high
track activity, which is a collaborative activity that is
responsible for getting intelligence information out to the
private sector and getting it back in and feeding it into the
intelligence community.
We have got the work of the U.S. CERT. We have got our
national operations center, the national coordination center
for telecommunications. They are closer and better tied than
they were a year ago. They are closer and much better tied than
they were 4 years ago or 3 years ago, when the department was
stood up.
But we still have more work to do and we need to make sure
it is a seamless operation. One of the things I said earlier in
my testimony was we are going to put the telecommunications
coordinating group that is there 24/7 right next to the
information technology, the cybersecurity group that is there
24/7, because the telecommunications infrastructure and our
information technology infrastructure are inextricably related
and we want to make sure that those folks are sitting next to
each other when things go on so that they can share that
information back and forth.
Ms. Jackson-Lee. Mr. Chairman, if you will indulge me, so
that Mr. Powner could respond, please.
Thank you. Thank you, Mr. Foresman.
Mr. Powner. Congresswoman, clearly, there are--getting at
the human capital issue within the department there, clearly,
there are many capable men and women within the national
cybersecurity division. Many of them are sitting in this room
today. We just need more of them.
In terms of leadership, though, there is a leadership void.
We need a permanent leader not only for the department
internally, but because of the interaction with the private
sector, the state and local governments.
So we clearly need that. This isn't the only department
that has struggled with getting capable folks on board. I do
work in many areas across the federal government. IRS is an
example.
They had a huge human capital issue there, not being able
to deliver. I can say today, looking at them over a number of
years, they have one of the better IT organizations when it
comes to their modernization efforts.
They still have hiccups, but how did they do that? They got
critical position pay, where they paid folks above the SES
salary cap. So there are things you could do and you could
pursue.
It is not perfect, because it is still difficult to compete
with the private sector salaries, but there are things you
could do and you could pursue and there are some good examples
out there in other federal departments that we could move
forward on.
Ms. Jackson-Lee. Thank you.
To you, Mr. Chairman, I would just say those of us who live
beyond the beltway, I would really like to give an SOS e-mail
to our friends here in Washington to start going out and
recruiting across the country, whether it is Texas or
California or Washington state.
We have got to be able to find good people and good people
are out there and there must be some recruiting blindness, but
we need to start reaching out to our own constituents, because
they are out there and they know this business.
And I yield back. Thank you.
Mr. Lungren. I thank the gentlelady. We will do a second
round with this panel before we go to the second panel.
Mr. Foresman, you were going to tell me what the three top
priorities are regarding cybersecurity responsibilities? You
gave us one, which is enhancing analytical abilities.
What would the other two be?
Mr. Foresman. Congressman, clearly, it is the ability to
effect the coordination between the agencies of the federal
government with our state and local partners and between
government and the private sector, just the basic operational
coordination.
And then the second one is information sharing. As Mr.
Powner pointed out, there has got to be a tangible benefit to
the private sector and this is not just limited to the
information technology sector. This is across all of our
critical, whether we are talking about ports in transportation
systems or our IT systems.
What is the value added for the private sector to share
information with government and, conversely, government has got
to--it has got to be a two-way street.
Mr. Lungren. I mean, part of this hearing is, obviously,
beating up on you, because the department hasn't done as much
as it needs to do in this area. But, look, I am going to
confess, the Congress hasn't either.
If there is one area that we probably lag behind in terms
of the array of vulnerabilities we have, in my judgment, more
than anything else, it is probably cybersecurity.
But we will keep sending these letters to you and we will
still keep prodding you to do these things.
Mr. Dicks. Mr. Chairman, didn't we have a national commission
on cybersecurity? That, I thought, did an outstanding effort. I
mean, this issue has been out there.
Mr. Lungren. I am not saying the issue hasn't been out
there. What I am suggesting is, I mean, as I look at the
Congress, I am not sure that we have done what we need to do.
Mr. Dicks. In terms of oversight?
Mr. Lungren. In terms of oversight, in terms of prodding
the department. I just want to let you know we are going to be
doing a much stronger job on that. We are going to be inviting
you to come up here more often.
We are going to be sending letters out. We are going to
make inquiries. We need to get moving on this.
This is not as visible as a physical piece of critical
infrastructure, yet it is as important, if not more important,
because it is embedded in and underlies so much of what we do.
And in that regard, I would ask you about the SCADA
systems, the control systems that we have. They are so
critical, as they provide a link between the cyber world and
the physical world. These need to be a top priority.
Does the department have a specific plan to work with
various critical infrastructure sectors to protect their
control systems, to actually get it done? As Mr. Powner said,
we have done a lot of studies, a lot of planning.
Are we actually doing it?
Mr. Foresman. Congressman, three quick points on that.
First, we are looking, as we are doing all of the sector plans,
whether it is the chemical sector or the dam sector, all of
these other ones that have SCADA systems that we are concerned
about.
We have got a cyber component that is built in as they go
about doing their sector coordination. The sector coordinating
councils develop their sector-specific plans and then part of
this is having them say what is the best practice, what is the
acceptable standard that we are promoting and pushing within a
particular sector and having that implemented.
The second piece is training and education and I think you
and this committee undoubtedly understand the SCADA issues as
well as any group out there and there is a growing need to
educate.
As a matter of fact, here at the end of the month, there is
a session that we are going to be teaching out in Las Vegas in
conjunction with a conference, where we are going to focus
exclusively on the SCADA issues and protection and prevention
measures associated with it.
And then the third part of it is there is a business issue
here. You know, if you think about SCADA systems, the control
systems back pre-'92-'93, when we saw the major proliferation
of information technology, the older systems tend not to be as
reliant on the Internet as those that are built into the
current systems.
And a lot of this is we have to make the business case to
corporate America that protection of their SCADA systems goes
back to what you talked about earlier, the liability issue.
What is the acceptable national standard by which someone will
be judged as it relates to the protection of SCADA systems?
And, frankly, I think that market-driven incentives rather
than overt, heavy-handed regulation is going to get us there,
but there is a liability issue for corporate America and we
need to make sure that we articulate that.
Mr. Lungren. And one of the things we have to do, from our
standpoint, working with your department, is to ensure that we
know that the landscape is out there. How can we get the
information from the various sectors dealing with their own
cybersecurity?
How are we going to develop the trust such that they will
give us that information, so that we can utilize it, so that we
can make a better judgment here in the Congress as to what
makes sense from a legislative standpoint as opposed to what
makes sense from a regulatory standpoint as opposed to what
makes sense from an incentive standpoint as opposed to what
makes sense from the risk management experts, which is the
insurance industry?
If we don't have that information, we may be heavy-handed
on the regulatory side or the statutory side only because we
don't have that information.
So we have to build a relationship of trust with the
private sector so that they will feel free to share that
information with us, feel free to share it with you.
That is not an easy thing to do, even with the question of
liability. But beyond that, do they trust us to have the
competence to be able to deal with the information they give
us?
So I am looking at this not to point fingers at people. I
am looking at this to solve a problem. And when we are given
the responsibility in this committee and this subcommittee of
dealing with critical infrastructure, it seems to me, if we
don't look at cybersecurity as a part of that, we are not doing
our job.
And we are like a non-modern governmental entity trying to
deal with a modern world. It just isn't going to work.
So we will be pressing and working hard and we will do this
on a bipartisan basis, because I know the concern is shared by
both Democrats and Republicans.
All right, if I can get this working again, I will start it
off for another 5 minutes for my ranking member, the gentlelady
from California.
Ms. Sanchez. Thank you, Mr. Chairman. I just want to say
that one of the reasons that we may have not been paying as
much attention lately to cybersecurity is, as you will recall,
when we first started the Homeland Security Committee, we had
an actual subcommittee that dealt with cybersecurity.
And then the reorg that happened in the last 2 years, this
was put under the jurisdiction of this subcommittee, which, as
you know, has an extensive portfolio and trying to get through
TSA and ports and everything else.
I guess this may be the second hearing that we have had on
cybersecurity in the 2 years.
So it is important to get done. I just don't know how we
also will find the time. It is always a difficult thing to do.
And there are some good things that have come out of the
directorate. As you know, when we have been in the markup
sessions, I have tried to put more money into some of the
programs that I think have been done well.
So for me, it is more of understanding that we have had
this revolving door at the top and the frustration of not being
able to fill it and the idea of the people, the rest of the
people in the agency having less direction than they probably
need to get things done.
So that is why we are so, I think, concerned to see this
issue of filling the slots with competent people who want to
stay around, which we see in a lot of the different areas of
homeland security. It is a major problem. And the morale issues
and the pay issues and everything that go with it.
And just, you know, developing something new, it takes a
special kind of person. A lot of people can follow, but it is
hard to lead. So we really need to fill those leadership
positions.
The GAO said that progress to date on initiatives to
improve the nation's ability to recover from Internet
disruption, that the progress had been limited and that other
initiatives lacked timeframes for completion, and, also, that
the relationships between these initiatives are not evident.
Can you tell me what efforts must be made by the department
to achieve the kinds of relationships that need to exist for
these initiatives to work? Again, the ones that deal with
working groups to facilitate coordination and exercises in
which government and the private industry practice responding to
cyber events.
Mr. Foresman. Congresswoman, I think there are three really
big issues here. One is clear deliverable timelines and I will
tell you, this is an issue--you noted correctly that the
department continues to go through growing pains, but we have
gotten through that first visceral reaction of getting the
department up and running.
And we do need to take a collective deep breath and look at
all of the things that we are doing and make sure and make sure
what we are doing is still what we need to be doing this time
next week, but that we are putting specific deliverable
timelines on these.
And I think part of this, and I talked to Mr. Powner ahead
of time, when we get the new assistant secretary on board, I
would like to sit down with the GAO and amalgamate all of the
recommendations across the cyber front and develop a matrix.
I am not going to say we are going to do them all, but
there is a lot of great work that has gone in there. There is a
lot of great work that is coming out of the sector coordinating
councils.
One of the advantages is we are working with the business
sector. They don't do well if we don't have clear, definitive
end products that we are looking for and timelines. So they are
helping to push us. That is the first thing.
The second piece of it really comes down to the issue of
trust that we have talked about. And I want to be clear, when
we talk about trust, these types of public-private sector
relationships, even going back to PDD-63 in the 1990s
timeframe, and 67, this is new. Government has always been a
regulator and private sector has always been a regulatee.
So we are talking about new relationships here. The PCII
rule, the protecting critical infrastructure information, the
tool that this Congress gave to the department, a very
important tool, we have taken, we have implemented just here in
the last several months, and it provides an additional layer of
competence to the private sector that key information that they
provide to us is not going to end up out in the public domain,
particularly where we are talking about proprietary
information, because you know one bad piece of information
affects stock prices and we understand that.
So I am anxious to see how the PCII rule, married together
with our ongoing relationships, provides tangible benefits as
we go forward.
And then the third piece of it is I think it is going to
come back to as we define and continue to work with Congress on
this issue, we have got a national strategy on securing
cyberspace. That is the high level document.
As Mr. Powner said, we have got the national infrastructure
protection plan, the next level down. We have got the sector
coordination plans that are being put--the sector-specific
plans that are being put together.
But we have got to get down into the implementation level
and that is what normally would come next in the cycle. That is
what is normally going to come next in the cycle, but I will
tell you I don't want to be up here 6 months from now telling
you all we haven't made progress.
I would like to be able to appear before this subcommittee
and say here are the 15 or 20 things--or, actually, I would
like to have the assistant secretary appear before you all and
say here are the 15 or 20 things that have gotten done in the
last 6 months and, by the way, here are the 15 or 20 things
that the private sector agrees with us that we are going to do
in the next 6 months.
Ms. Sanchez. Mr. Powner, do you have anything you might
want to enlighten us on that?
Mr. Powner. Just one comment about the whole trust issue.
There is a lot of discussion about building trust and I think
naming the secretary position, that will be great going
forward.
But we don't build trust through individuals or because we
are competent or a good person in this position. You are going
to build trust with the private sector because the government
is going to have something that is of value to them.
And right now we need to grow the capability in the
government to offer something that is of value. That is
ultimately how you are going to build trust.
I have spent some time in the telecommunications sector
and, I will tell you, when I was there, we didn't share a lot
with the government, because the ultimate question was what
benefit is that to our company.
If we are interested in stock prices, when we have someone
we wanted prosecuted because they were in our central office,
that is when we wanted the government assistance, because they
could help us.
The key question is building trust. I think we go back to
that analytical capability and some of the key items that are
called for, called for in policy and in law. If we start
tackling some of those key priorities, we can build trust.
It is difficult, but I think there are some things that are
in place that we can march forward with.
Ms. Sanchez. Thank you.
Mr. Lungren. Thank you.
The gentleman from Indiana is recognized for 5 minutes.
Mr. Souder. First, I wanted to say something about the
Cybersecurity Subcommittee here. That is, first, I want to
thank the speaker for giving us any flexibility at all to do
cybersecurity.
The Energy and Commerce Committee has been trying to muscle
this committee and we need to push back. In every session of
Congress, we need to work to make sure jurisdiction for
homeland security stays under this committee.
It is a wonder that we have had any jurisdiction, given how
hard they went after our committee on that.
Mr. Lungren. If the gentleman would yield on that.
One of the points I have been trying to make is if
cybersecurity is not part and parcel of critical
infrastructure, I don't know what is. And I didn't come back
here to have fights with other committees, but we need to do
our job and we cannot do our job in terms of critical
infrastructure protection if we do not involve ourselves in a
major way in terms of cybersecurity.
Mr. Souder. There are members of Congress in both political
parties that would love to see the death of this committee and
we need to fight.
Ms. Sanchez. Will the gentleman yield for one second?
When I was talking about the history of this, what I meant
is it is so critical. I mean, it warranted its own subcommittee
before. It is very important.
Mr. Souder. Because my concern was that we weren't going to
have any jurisdiction whatsoever, because that was why we
initially eliminated the cybersecurity, because we had that.
Energy and Commerce tried to make a move to exclude us from
having any jurisdiction and the chairman and the committee and
the subcommittee chairman here has put some cybersecurity in,
because we are all in agreement here what we need to do is make
sure that this committee--because if you don't have
cybersecurity, everything else falls apart.
As the chairman just said, we are acting like we are in the
dark ages here. This is where they are talking the stories that
you have in here on the worms and what can happen at nuclear
power plants, what happens if our electrical grid shuts down,
the internal security of the United States.
There are lots of things that people just assume are
protected. I felt the most scaring, eye-opening hearing--it
wasn't a hearing--a briefing that I had was with the
cybersecurity subcommittee under this, when we first created
homeland security, and we had the guy who had originally been
the attacker of our systems and now the defender of our Defense
Department systems.
I just can't see anything other than that repeated,
firewalls with incredible strength to seal off different parts,
we are never going to be able to protect everything, is, in my
book, the number one thing that has to be done.
How that can be done on the Internet, surely, we have to
have the ability to cut this off, much like if the bird flu
hits, how you are going to have to do segmentation of society
like we did in 1916 with the flu epidemic.
You have to be able to isolate this stuff more rapidly than
we are doing.
But I had a couple other particular questions. I would be
interested if you agree that that is the biggest challenge, is
how to wall it off when we get hit.
But one is clearly staffing and you are competing in an
industry that pays incredible amounts of money, trying to keep
people long term, divest stocks that they have, it is a huge
challenge.
Have you been looking at innovative payroll type things,
that if somebody stays a period longer, they get a bonus? In
other words, tier the pay somewhat on how long they are there.
Should we be looking at personnel things that change?
Because this is not a typical department. And I don't see, in
the future, that there is going to be less demand for people
with high skill cybersecurity and we don't want to have
basically the people who couldn't quite cut it out in the
rating field trying to defend us from the people who want to
attack us, because there is incredible amounts of money to be
made by attacking a system.
And a second part of this is that as I was alluding to
earlier and you correctly said, the weakest part of the system
is our vulnerability.
As we look at contracting out, as companies diversify and
you have all these different modes of operation, are we looking
at requiring different security systems for the level of the
vulnerability of the site that you are at and putting in
requirements and penalties if you fail to do that?
In other words, yes, we need cooperation. I am a free
market businessperson who wants to see cooperation. But there
are certain things that the society assumes are happening.
And the question is how do we put in certain safeguards,
because now it isn't just your business, you can endanger
everybody in the United States because you got sloppy.
What are we doing in putting in standards that if you are
going to have access that can get you into one of these
networks, particularly if we are a little uncertain of our
wall, to do that?
Mr. Foresman. Congressman, let me maybe give three points,
and I don't know whether Mr. Powner might want to add
something, as well.
But I would also suggest that your next panel, I think,
could address that same question and give some good clarity to
it.
The first part, in terms of filling this position, I have
looked at every innovative human resource opportunity that we
can and there is nobody in the city of Washington who wants
this position filled more than the undersecretary for
preparedness at the Department of Homeland Security, for a
whole bunch of reasons.
But to one of the things that Congresswoman Sanchez said,
we made it very clear that whoever was going to sign up with
this was going to sign up for the long term, because we didn't
need a revolving door and that would have been the worst thing
for industry.
So we put some strong parameters on it. Please come serve
the nation and, oh, by the way, you have got to be here for the
long haul, and that did scare some people off, in addition to
the things you have mentioned.
But we are restricted by law in certain categories, but we
have tried to be innovative.
To the second point, I think I would very much offer to you
that industry has shown tremendous progress at developing, if
you will, acceptable standards and practices, but they are not
universally adopted across all industries.
So part of this is going to be the ongoing dialogue and
discussion with the private sector about how do we get
universal compliance. Is it going to be through market-driven
incentives, through insurance? Is it going to be through
regulation?
We don't know the answer to that, but I will offer to you
that I have met very few folks in the technology community that
don't understand the vulnerabilities. But as one person said at
a session this morning, you have got to compare the bottom line
and the needs of the moment.
And these are tough decisions and I think we may need to
provide some structural policy incentives to make it all
happen, but ultimately, the same that we develop the Internet
through innovation, we probably need to develop increased
security through innovation.
Mr. Lungren. The time of the gentleman has expired.
The gentleman from Washington is recognized for 5 minutes.
Mr. Dicks. Thank you, Mr. Chairman.
I want to go back to this question about Andy Purdy. As we
understand, as I said, he earns $245,000, roughly, a year. The
secretary of homeland security makes $175,000, but he is also
on loan from the school to the government, which is paying
nearly all his salary. Is that correct?
Mr. Foresman. Congressman, I will need to go back and--
Mr. Dicks. He is here today. He is here in the audience.
Mr. Foresman. I understand that. But in terms of the
contractual relationship, I would like to provide you a written
response to that so that we are very clear.
But on the first part of it, let me also acknowledge that
when we talk about compensation packages, we have to remember
that what my base salary is in the federal government, on top
of it, there is a 33-34 percent package on top of it.
Mr. Dicks. Right.
Mr. Foresman. So I think part of it is looking at this in
terms of the total compensation, but I am more than happy to
provide a detailed written response to you.
Mr. Dicks. Now, as of January 2006, the national
cybersecurity division had 27 government employees out of 40
full-time equivalent positions assigned. These 27 employees
make up only 27 percent of the total workforce, with the
remaining 73 percent being provided through contracts with one
or more of 10 different private sector organizations, such as
Booz Allen Hamilton and SRA International, Inc.
In addition, NCSD has contracts with Carnegie Mellon
University totaling $19 million, which is one-fifth of the
unit's total budget.
Now, that appears to me to be a very questionable practice.
How can you have a person who is running the division and being
paid by Carnegie Mellon also giving contracts to them of $19
million? I don't understand that.
Mr. Foresman. Congressman, three points on that. First,
when I assumed this position in January, we did have a large
number of unfilled positions, as well as a lot of contractors,
IPAs and contract support.
We made a very deliberate policy decision in the
department. That was the way to get the department up and
running back when Congress created it.
But as we move forward, we are trying to transition as many
positions as possible into full-time federal employee
positions. That process continues to take time, but we have
made hiring and filling vacant positions and transitioning as
many from contract status to permanent status a priority.
In terms of Mr. Purdy and the relationship with Carnegie
Mellon, we do have checks and balances in place. His ability to
obligate funds is not sole and exclusive in the context of not
having checks and balances.
And, in fact, what I will--
Mr. Dicks. What are the checks and balances?
Mr. Foresman. Well, there are a variety of checks and
balances. You have to go through the business review process,
through a procurement process.
And what I would like to do is describe those for you and
for the committee in exact detail, because, Congressman, if I
attempted to do it, I am going to miss an important part and
that is going to create an incorrect picture and I want to
paint the correct picture of what--
Mr. Dicks. Well, the picture isn't real pretty, as far as I
am concerned. This doesn't look right to me.
Has he recused himself from making any decisions about
Carnegie Mellon?
Mr. Foresman. Congressman, I believe in the context of his
ethics agreement, he is, but, again, let me--
Mr. Dicks. He is right here. Why can't you let him testify?
Mr. Foresman. But, Congressman, he is not the witness and
what I would prefer to do is to make sure that we get you a
factual and accurate answer, please.
Mr. Dicks. Well, Mr. Chairman, I think the gentleman is
here in the audience, I think we ought to have him testify.
Mr. Lungren. Well, the problem is he was not requested to
testify. We did not notify that he was going to be asked to
testify.
Mr. Dicks. Well, the administration's witnesses bring up
people with them all the time, in all the hearings I have ever
been in. If the person is there and can answer the question, I
think the question ought to be answered.
Mr. Lungren. I don't want to avoid this, but that is not
the procedure we follow in this subcommittee. We notice people.
They are given an opportunity to know they are going to testify
and if it is appropriate--
Mr. Dicks. How long is it going to take to get an answer to
this question?
Mr. Lungren. Mr. Foresman, could you get an answer to us in
written form within the week?
Mr. Foresman. Yes, sir. Well, what day of the week is it,
Congressman, Wednesday?
Mr. Lungren. Yes.
Mr. Foresman. I think Friday is reasonable, yes, sir.
Mr. Lungren. And we will make that a part of the record, as
well.
Ms. Sanchez. Will the gentleman yield?
Mr. Dicks. I yield.
Ms. Sanchez. I don't think it is going to be very
difficult. I mean, this issue has been in the newspaper for
about 6 months, almost day in and out in some of them. And I
would imagine, Mr. Secretary, that you have this all written
out already, because you have probably had to explain this over
and over.
It is just that our committee hasn't really gotten the real
explanation.
Mr. Foresman. Well, Congresswoman, I want to make sure that
this committee, in terms of your oversight and responsibilities
for our department and this particular area, that you get the
information you need to do the job that you need to do.
So we will put posthaste on this when we get back to our
offices today.
Mr. Lungren. So we will get that by Friday and we will make
it a part of the record.
Mr. Dicks. Thank you, Mr. Chairman. I appreciate that.
Mr. Lungren. The gentleman's time--
Mr. Dicks. Well, let me just ask one final question.
Mr. Lungren. The only thing I just want to mention is Mr.
Pearce hasn't asked any questions yet and we have a second
panel coming up.
Mr. Dicks. Okay, that is fine. Thank you.
Mr. Lungren. Thank you.
Mr. Pearce is recognized for 5 minutes.
Mr. Pearce. Thank you, Mr. Chairman.
Mr. Powner, over the course of time, GAO has issued you all
some findings, recommendations to strengthen your ability to
implement the cybersecurity and I just wonder which of the
recommendations are considered a priority and where we stand on
implementing those.
Mr. Powner. My written statement today lays out
recommendations in five broad areas and there are 25 specific
recommendations in that statement. I would say the priority
areas are in four key areas, threat assessments, vulnerability
assessments and reduction efforts, bolstering analysis and
warning capabilities, and putting in place recovery plans.
Mr. Pearce. Mr. Foresman, the business roundtable report
issued suggested that too many organizations, both public and
private, had overlapping responsibilities in managing the
Internet reconstitution.
Do you have any comment about their comment?
Mr. Foresman. Congressman, one of the first meetings I took
when I became the undersecretary was 2 or 3 days after I
arrived in Washington on the job, was to sit down with the
business roundtable and specifically to talk through a number
of these issues.
You know, it is hard for any of us to assess whether there
are too many or too few, but I think the one thing that is
clear from the GAO report, one thing that is clear from our
Cyberstorm exercise is we need to have clarity and
coordination, increased clarity and increased coordination of
roles and responsibilities.
We are far better than we were a year ago. There is still
more work to be done. But, you know, I wouldn't assess whether
we need more or fewer, but believe they need to be well
coordinated.
Mr. Pearce. Now, as I listened to Mr. Powner discuss the
threat and vulnerability assessments, I wonder where we stand
on accomplishing those.
Mr. Foresman. That is, Congressman, actually one of the
things that will come out of the work of the sector
coordinating council in developing the IT sector-specific plan,
as we will do across all of the sectors.
Part of that will be the engagement of the public sector,
the private sector, leveraging a wide array of U.S. government
resources to do that vulnerability assessment, so that we
understand what is it that we are trying to protect and how do
we prioritize towards doing that.
And to that end, one thing I will just mention, Mr.
Chairman, it may be worthwhile in the early part of January for
us to come up and brief you on what is, in fact, in those
sectors, what each of the sectors have come up with.
And the vulnerability analysis on the IT sector is one that
I'm most anxious to receive.
Mr. Pearce. Thank you, Mr. Chairman. I see my time is about
expired.
Mr. Lungren. Does the gentlelady from Texas wish to
participate in the second round?
Ms. Jackson-Lee. Very briefly, Mr. Chairman, thank you.
I think I want to go back to my point of frustration,
because we face daily challenges. And I want to ask or at least
emphasize why I use the term frustration. It is because we have
noted over the last couple of weeks the administration, and I
will yield to their higher moral responsibility which has
caused them to utilize the extensive media that they have
done, meaning the president has been making speeches almost
every day, every other day, on the war on terror, which means
that, I guess, there is a sense of urgency.
Of his public pronouncements, I don't see the equating of
those public pronouncements with the agency that has the
responsibility to carry forth those policies. So I find that
particularly frustrating.
And I want to go to Mr. Powner. And you went rather
quickly, excuse me for being redundant in asking the question,
but I would like to hear those four points again. That was
asked by the distinguished gentleman from New Mexico.
Then I would like you to categorize where we are, because
those points that you enumerated were the key element of our
line of homeland security defense, whether we are dealing with
cybersecurity or we are talking about border patrol or
protecting the borders.
And you have made, I guess, a limited assessment, but let
me hear those again and, if you would, walk us through, so that
we are awake, where we are in that, because that is my--again,
I am using this word frustration--the urgency of getting this
department back--not back, but on its feet in numerous areas,
and we are now talking about cybersecurity, infrastructure of
that.
And any number of incidences over the last couple of weeks
show us that that is crucial. That is crucial.
Again, you gave us four points. Could you just--
Mr. Powner. And, clearly, there are multiple ways to
prioritize and I make these four comments because this is
really the heart and soul of information security, whether it
is our critical infrastructure or federal agencies or private
sector organization security. But it starts with threat,
understanding the threat.
Clearly, there has been a lot of work on threat. We have
the U.S. CERT and there are many aspects within the department
that work on threats. So it is not devoid of threat
information. I think Mr. Foresman mentioned the threat needs to
be bolstered through greater intelligence information. That is
one area that could greatly be improved.
I think when you look at the requirement, it calls for a
national threat assessment. I don't think we have seen that
yet.
Ms. Jackson-Lee. No, we have been talking about that for 3
years. But I will let you skip on. I got the gist of that one.
Mr. Powner. So that is threat. The second one is
vulnerability assessments. Mr. Foresman referred to the sector-
specific plans that come out.
I would imagine that some of those plans may get at
vulnerability assessments. Some of those plans likely may call
for vulnerability assessments. Hopefully, we get vulnerability
assessments within those plans at the end of the year.
The third area is looking at analysis and warning
capability.
Ms. Jackson-Lee. Analysis.
Mr. Powner. And warning capability. And this is a point
that I mentioned earlier, where the U.S. CERT, there is certain
analysis and warning capability that currently exists, where we
provide information on--more of it is after-the-fact type of
vulnerabilities and incidents.
We need to get more on the front end with our analytical
capabilities, where we get precursors to attacks. And I think
the department acknowledges that and is working on that.
The fourth area then is recovery plans. We just completed a
large review focusing on this, not only do the individual
sectors need a recovery plan, and that is called for, but if
you take the Internet, an Internet recovery plan is called for
in national policy.
That doesn't exist to date. That is very important that we
work in the government with the private sector in recovering
the Internet, if, in fact, there is a large-scale outage. And I
think some of those lessons learned from Katrina and 9/11
really drove that home.
Now, that wasn't a cyber event, but in terms of the
partnering and working together to restore some things, there
were many lessons learned from that.
Ms. Jackson-Lee. Many lessons, many lessons. Mr. Chairman,
I would, in conclusion--thank you very much, Mr. Powner--say
that it is time for Secretary Chertoff to come again before
this committee, the full committee, because I think there are
some large vulnerabilities.
The idea that a threat assessment still may not be complete
is one that I think should disturb this committee, Republicans
and Democrats alike.
So I thank you, Mr. Powner and Mr. Foresman, for your
testimony and your service.
I yield back.
Mr. Lungren. I thank the gentlelady. And I want to thank
both witnesses for their testimony and responses to our
questions.
Mr. Foresman, I know you are a busy individual, but perhaps
you or some members of your staff could stay around to listen
to what the other panel has to say, as we try to build that
trust further.
Again, thank both of you for appearing. We appreciate it.
The chair would now like to call the second panel. Mr.
William Pelgrin, Mr. Paul Kurtz, Mr. Guy Copeland, Mr. David
Barron.
We have someone to the rescue who is going to try and bring
the heat down a little bit here.
I thank the four of you for being with us. I introduced the
individuals briefly beforehand and we would now ask the panel,
again, gentlemen, your prepared testimony will be made a part
of the record in its entirety, and we would ask you to please
summarize your testimony.
And we will go from my left to right or your right to left,
starting with Mr. William Pelgrin, director of the New York
State Office of Cybersecurity and Critical Infrastructure
Coordination.
STATEMENT OF WILLIAM PELGRIN, DIRECTOR, NEW YORK STATE OFFICE
OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE
Mr. Pelgrin. Good afternoon, Chairman Lungren, Ranking
Member Sanchez, and distinguished members of the subcommittee.
I am William Pelgrin, the director of New York State's Office
of Cybersecurity and chair of the multi-state Information
Sharing and Analysis Center.
I am honored to represent New York state and the multi-
state ISAC to discuss our efforts to be more vigilant, prepared
and resilient regarding cybersecurity.
Two days ago, we marked the fifth anniversary of the tragic
event of September 11. Since 2001, much has been implemented to
improve our nation's security posture. I am very proud of what
has been accomplished in cybersecurity at both the New York
state and multi-state levels.
Our achievements could not have been done without the
support at the highest levels. In New York, Governor Pataki has
been a true champion on these issues. And I would also like to
thank Undersecretary Foresman. His leadership and support of
our efforts are very much appreciated. It has been a great
partnership with DHS and one that I believe has made a
difference.
But we cannot be complacent. We need to stay one step ahead
of those who wish to do us harm. More than ever, we must
continue to make significant progress in our fight against
cyber threats.
It is critical that we learn from the past in order to
improve the future. It is not about how good we are, but about
how good we can be. Cybersecurity is more about the management
of technology. The best technology in the world, if it is not
managed properly, can leave us vulnerable.
Our successes have been driven by the following guiding
principles. It is not about one person or entity, it is about
the collective effort. It can't be territorial. We have got to
work together across sectors and geographic boundaries.
Trust must be earned. It is not a right. We have worked
hard to earn trust. The culture must change. Implementing sound
cybersecurity practices must be as second nature as buckling a
seatbelt. This can only be done through education and
awareness.
We must be deliverable oriented. The time to talk is over.
It is the time to do.
My approach has been threefold. First, we wanted to make
sure that New York state is strategically aligned to meet the
emerging threats. My office was created in order to have an
entity with a single focus, dedicated to addressing the highly
specialized need of cybersecurity, one that wouldn't be
diverted to other competing priorities.
Second, we recognized early on that we could not do this
alone. So we focus on developing strong collaboration with
others, true partnerships. We established the New York state
public-private cybersecurity workgroup in 2002 to foster
sharing across sector borders and to build important trust
relationships.
The workgroup comprises high level executives from the
public and private sectors, representing critical industries,
including telecommunications, financial, utilities, chemical,
health and food.
Third, we recognize that the traditional geographic borders
are irrelevant when dealing with cybersecurity issues. So there
was a need for strong partnerships with other states and local
governments across the nation, as well as with our federal and
international partners.
The multi-state ISAC was created in 2003 and I am pleased
to say that all 50 states and D.C. are members. The mission of
the MSISAC, consistent with the objectives of the national
strategy to secure cyberspace, is to provide a common mechanism
for raising the level of cybersecurity readiness and response
in each state and with local governments.
This voluntary and collaborative effort provides a
central resource for gathering information on cyber threats and
events, providing two-way sharing of information between and
among states, and with local governments, as well as with the
federal government.
A key component of the MSISAC is our 7-by-24 cybersecurity
center. This center provides cybersecurity monitoring for
analysis of intrusions and other anomalous cyber activities for
all the members of the multi-state ISAC.
The center works very closely with U.S. CERT, other cyber
researchers, security vendors, and the ISPs. In addition, we
have deployed equipment that provides real-time monitoring of
network traffic, specifically to two states, one in New York
and, most recently, Alaska.
Many other states and local governments have expressed an
interest in being part of this service. The concept is that the
collective view is more valuable and informative than a
singular view.
Another key initiative is our cybersecurity alert map,
which allows each state to identify and display its current
cybersecurity status and contact information. I am pleased that
all 50 states and D.C. have adopted this common cyber alert
protocol.
What a tremendous step forward in facilitating information
sharing and situational awareness.
We have a number of other initiatives focused on helping
local governments address cybersecurity. They are facing the
same issues that the states are. However, many of them don't
have the necessary resources or expertise for the cyber
challenges that they face.
For example, when we issued a cybersecurity advisory
recommending patching vulnerable systems, I received a call
from a town supervisor, telling me, ``Will, I don't understand
what you mean by patching. When I hear the word, I look for
duct tape.''
To aid local governments, we have established a local
government cybersecurity committee, with representatives from
towns, counties, cities, schools and state governments. The
committee has developed a roadmap for addressing the
cybersecurity needs of local governments.
In partnership with DHS, we have completed our first major
deliverable, the first national cybersecurity guide for
localities. It is called ``Just Get Started,'' and I do have
copies for the chairman and members of the committee, as well.
The goal of the guide was to keep it short, easy to read,
like a magazine, that there would be periodic installments.
In closing, I have briefly highlighted for you some of our
major accomplishments. The key guiding principle that has been
instrumental in these efforts is collaboration. We must ensure
that all stakeholders are at the table. We also need to realize
that you can't get from A to Z overnight. You have to
prioritize and move strategically.
I appreciate the opportunity to testify today and thank
you, Chairman Lungren and the members of the subcommittee, for
your strong leadership and attention to this important matter
of cybersecurity.
Thank you.
[The statement of Mr. Pelgrin follows:]
Prepared Statement of William F. Pelgrin
Good Afternoon Chairman Lungren, Ranking Member Sanchez, and
distinguished Members of the Subcommittee on Economic Security,
Infrastructure Protection, and Cyber Security. I am William Pelgrin,
the Director of New York State Office of Cyber Security and Critical
Infrastructure Coordination and Chair of the Multi-State Information
Sharing and Analysis Center (Multi-State ISAC).
I am honored to represent New York State and the Multi-State ISAC
to discuss the challenges, successes and lessons learned in our efforts
to address cyber security.
It is time for plain speaking--we must be open to sharing
information. We must learn from the past to improve the future. Cyber
security must be everyone's responsibility. I have adopted this mantra
as a call to action.
Two days ago, we commemorated the 5th anniversary of the tragic
events of September 11. Since 2001, much has been implemented to
improve our nation's security posture. I am very proud of what has been
accomplished in cyber security at both the New York State and Multi-
State levels to assist in this effort to be more vigilant, prepared and
resilient. But we cannot be complacent; we still have a long way to go.
Why Must We Be So Concerned?
- Cyber terrorism or human error can both have
devastating consequences;
- Cyber attacks can originate from anywhere;
- The technology to launch such cyber attacks is
relatively inexpensive and widely available; and
- Sophisticated computer expertise is no longer
necessary to launch attacks.
My testimony today will describe our approach to address these
issues and how we are working to improve the cyber security posture not
only of New York State but of all the states and local governments in
our nation. This could not have been done without the strong leadership
of Governor Pataki, who has been a true champion of these issues.
Since it is the start that stops most of us, we took the approach
of ``let's just get started'' using the ``build it as you go'' and
``best effort'' rules to move forward as quickly as possible.
The time to talk is over--it is the time for action.
For many it is very difficult to fully grasp the cyber challenges
and threats that we face today. My method is to make it real and
tangible in order to provide clarity and understanding of these issues.
None of us is as smart as all of us. Therefore, collaboration,
cooperation and communication are the cornerstones of our approach. We
can't do this alone. Our partnership with U.S. Department of Homeland
Security has been a positive example of what can be accomplished when
we truly work together toward a common goal.
Cyber security is more about management than technology. The best
technology in the world, if not managed properly, with appropriate
policies and procedures, will leave us vulnerable. We all must become
champions for good cyber security practices and set an example for
others to follow.
I would like to start off by describing my philosophy. I believe
these guiding principles are major factors for our successes in New
York, as well as with the Multi-State.
- First and foremost, it is not about one person or
entity; it is about the collective effort.
- It is about moving in a common direction.
- Trust must be earned; it is not a right. We work hard
to earn that trust.
- We have a willingness to share as much as possible
without concern for what would or would not be shared with us.
Over time, sharing is becoming two-way.
- The culture must change. Implementing sound cyber
security practices must be as second nature as buckling a
seatbelt.
- We continually strive to eliminate traditional
bureaucratic impediments.
- We have created a safe haven in order to facilitate
true collaboration and sharing.
The remainder of this testimony will describe how we addressed our
challenges.
First, we needed to strategically realign our focus to meet the
emerging threats.
Creation of the New York State Office of Cyber Security and Critical
Infrastructure Coordination
The New York State Office of Cyber Security and Critical
Infrastructure Coordination (CSCIC) was established in September 2002
by Governor George E. Pataki in order to have an entity with a single
focus dedicated to addressing the highly specialized needs of cyber
security and critical infrastructure coordination.
The Office is responsible for leading and coordinating New York
State's efforts regarding cyber readiness and resilience; expanding the
capabilities of the State's cyber incident response team; monitoring
the State's networks for malicious cyber activities; coordinating the
process by which State critical infrastructure data is collected and
maintained; as well as leading and coordinating geographic information
technologies.
Second, we focused on developing strong collaboration with the
private sector.
NYS Public/Private Sector Cyber Security Workgroup
Because more than 85% of critical infrastructure is owned or
controlled by the private sector, we immediately saw the need to create
true partnerships. New York State actively engaged the private sector
in addressing the State's cyber security and critical infrastructure
needs.
Our NYS Public/Private Sector Cyber Security Workgroup comprises
private sector high-level executives and public sector commissioners to
represent critical industry sectors, including telecommunications,
financial and economic, utilities, public safety, chemical, health,
food and education/awareness. For example, for the Telecommunications
Sector, we have as co-chair from the private sector, the Vice President
and Chief Cyber Security Officer for AT&T, and for the public sector,
the Chair of the NYS Public Service Commission.
The Workgroup is examining the current state of cyber readiness
throughout the entities within each sector, working to identify and
assess vulnerabilities and identify mitigation strategies.
The Workgroup has published two reports: Cyber Security: Protecting
New York State's Critical Infrastructure details the on-going efforts
in New York State to address cyber security readiness and response, in
both the public and the private sectors; and The Best Practice
Guidelines for Cyber Security Awareness which includes a number of
useful tips and practical advice, along with links to additional
information for all New Yorkers on how to become more ``cyber security
aware.''
The Workgroup has expanded its participation to include all major
entities within the sectors. These entities work closely with the
established sector chairs and New York State to more fully engage those
critical entities to share information and build important
communication relationships.
The Workgroup meets monthly via conference call with each sector
and meets together as a full group in person periodically. The
participation in this Workgroup has been tremendous, and the
information sharing relationship with the private sector serves to
better prepare and protect New York State. This mutual information
sharing arrangement is an important component in helping to ensure the
readiness and resilience of New York State's critical infrastructure
assets--both public and private. We are truly breaking down the
traditional barriers that have prevented the public and private sectors
from communicating. This Workgroup is important not only to New York,
but the nation as well.
We are also working collaboratively on the national level with the
private sector, through the National ISAC Council. The Council
represents the critical industry sectors and focuses on advancing the
physical and cyber security of the critical infrastructures of North
America. I'm honored to have been elected to serve as Vice Chair of the
ISAC Council. This is another great example of strong relationships
between the public and private sectors.
Third, we recognized that traditional geographic borders are
irrelevant when dealing with cyber security issues, so the need was
clear for strong partnerships with other states and local governments
across the nation.
Multi-State Information Sharing and Analysis Center (Multi-State ISAC)
The Multi-State ISAC is a voluntary and collaborative organization.
I am pleased to say that we have 50 states and the District of Columbia
as members, and we are actively pursuing local governments and
territories. The mission of the Multi-State ISAC, consistent with the
objectives of the National Strategy to Secure Cyberspace, is to provide
a common mechanism for raising the level of cyber security readiness
and response in each state and with local governments. The MS-ISAC
provides a central resource for gathering information on cyber threats
to critical infrastructure from the states and providing two-way
sharing of information between and among the states and with local
government.
The U.S. Department of Homeland Security has officially recognized
the Multi-State ISAC as the national ISAC for the states and local
governments to help coordinate cyber readiness and response.
Major Objectives of the Multi-State ISAC
to provide two-way sharing of information on cyber
critical infrastructure incidents and threats
to provide a process for gathering and disseminating
information on cyber and physical threats to cyber critical
infrastructures
to share security incident information among critical
industry sectors
to focus on the cyber and physical vigilance,
readiness, and resilience of our country's cyber critical
infrastructure assets
to promote awareness of the interdependencies between
cyber and physical critical infrastructure as well as between
and among the different sectors
to ensure that all necessary parties are vested
partners in this effort
to work collaboratively with the public and private
sectors to foster communication and coordination
to coordinate training and awareness
The following major initiatives reflect the successes we've
accomplished at both the New York State level and the Multi-State ISAC
level.
7x24 Cyber Security Center
One of the key components in addressing our cyber security needs is
the establishment of a 7x24 cyber security center. This Center provides
cyber security monitoring for and analysis of intrusions and other
anomalous cyber activity for New York State agencies and public
universities, as well as the members of the Multi-State ISAC. The State
has deployed Intrusion Detection/Prevention Systems (IDS/IPS) for the
State agencies. Since the inception of the IDS/IPS program in May 2003,
more than 17 billion log entries have been analyzed. Currently we also
provide intrusion prevention monitoring for the State of Alaska, and
several other states are actively engaging the MS-ISAC in considering
similar arrangements.
The Center monitors cyber intelligence activity at a State,
national and global level. It works closely with US-CERT, cyber
researchers, security vendors and ISPs. The Center distributes cyber
security advisories and alerts to all New York State agencies, to
members of the private sector through its Public/Private Sector
Workgroup and to other States and local governments through the Multi-
State ISAC. New York State also posts cyber alerts and advisories on
its public website: www.cscic.state.ny.us, and the Multi-State ISAC
through its public website: www.msisac.org.
The Center monitors State and local government websites for web
page defacements and affected entities are notified. In 2005, 1,169
defacements were reported out to state and local governments.
Incident Response Team
New York State has an incident response team to respond to cyber
incidents. A mandatory incident policy has been issued to all state
agencies, which outlines what must be reported and how. The goal of
this policy is to ensure that a state entity recovers from an incident
in a timely and secure manner and to minimize impact. Reporting
incidents to a central group promotes collaboration and information
sharing with other sites that may be experiencing similar
problems.
The Multi-State ISAC Members also report incidents to the Multi-
State ISAC. The Multi-State ISAC serves as the liaison between the
states and US CERT for cyber incident reporting.
Multi-State ISAC Secure Portal and Cyber Security Alert Map
The Multi-State ISAC uses the US-CERT portal as its secure portal.
The Multi-State ISAC's compartment on this portal serves as a central
repository for Multi-State ISAC members to utilize as a secure
mechanism in sharing important, secure and vital information among the
states. The portal allows for secure emailing and includes a library so
that Multi-State ISAC members can readily share information and
documents, such as statewide policies, procedures, and white papers.
One of the most unique features on the Multi-State ISAC secure
portal is an alert map application that the Multi-State ISAC developed.
This is a map of the nation, in which each state displays its current
cyber security alert level, along with contact information for the
Multi-State ISAC Members. The Multi-State ISAC members have adopted this
common Cyber Alert Indicator Protocol process; thus, when any Multi-
State ISAC member state is at a ``Guarded'' level for cyber, for
example, all of the other Multi-State ISAC Members will know the
specific criteria used to arrive at that level.
State ISACs on the Secure Portal
A major step in fostering the strong relationships between and
among state and local governments is the build-out of the secure portal
so that each MS-ISAC Member state will have its own section of the
portal in which to communicate securely, share documents, and display
alert level status. This pilot is currently underway with five states.
These individual state ``ISACs'' will include representatives from
state agencies, counties, cities and other municipalities and
educational institutions and will provide the following benefits to
members:
direct access to cyber security threat information
from the State
access to security awareness materials, including
computer-based training modules
access to security policy templates
access to security-related solutions
periodic meetings, teleconferences and webcasts to
promote peer networking and information sharing
This initiative is focusing on building strong relationships
between and among the state and local government entities to best
ensure our cyber readiness.
To view examples of the alert map and the individual state ISAC
sections of the portal, please refer to Appendix A.
Local Government Committee
Local governments face the same cyber security issues. However, many of
them can be at a disadvantage in addressing the issues due to lack of
resources and expertise. We are cognizant of the need for local
government involvement and want local government as vested partners as
we move forward.
To that end, I've established a Local Government Cyber Security
Committee (Committee), with representatives from towns, counties,
cities, and schools and state government. The Committee, established in
May 2005, has been meeting monthly to develop a roadmap for addressing
the cyber security needs of local governments. The Committee is focused
on ascertaining the issues, building communication channels, and
identifying mitigation strategies.
The Committee's goal was to develop a document that provides a non-
technical resource to executives and managers to help them better
understand the importance of cyber security and what they need to know
about the issues.
The Committee has produced one of its first priority projects: the
Local Government Information Security: Getting Started Guide. This is a
brief, practical reference intended for entities that may not have the
technology or information security expertise of other entities and
therefore need a basic ``how to get started'' resource for addressing
information security challenges.
This Guide is a joint effort with the U.S. Department of Homeland
Security's National Cyber Security Division.
The Getting Started guide covers the following topics:
Introduction to Information Security
Why is Information Security Important
What is an Unprotected Computer
What is a Cyber Incident
Top Ten Things that must be done
Glossary of information security terms
Daily/weekly/monthly/annual checklist for the
designated information security individual(s)
Future volumes of the Guide will include appendices that expand on
the topics presented in the first volume, providing more detail about
the steps necessary to secure the information which the citizens have
entrusted to local governments. The appendices will be distributed in
installments periodically over the year and will contain non-technical,
plain language descriptions with specific action steps, along with
references for further information.
We are also working on compiling a national database of contact
information for local government representatives so that we can
communicate more effectively and share information, including cyber
alerts and advisories, future appendices of the Guides and other
relevant information.
National Webcast Initiative
The MS-ISAC, in cooperation with the U.S. Department of Homeland
Security, through its National Cyber Security Division, has launched a
partnership to deliver a series of national webcasts which examine
critical and timely cyber security issues.
Embracing the concept that ``cyber security is everyone's
responsibility,'' these webcasts are available to a broad audience to
help raise awareness and knowledge levels. The webcasts provide
practical information and advice that users can apply immediately. All
sessions are recorded and archived for viewing via the MS-ISAC public
website.
Thousands of individuals from across the country and around the
world participate in the webcasts.
One of the highlights of the webcast program is the national
webcast held in October as part of National Cyber Security Awareness
Month. This webcast is focused on how to keep our children safe online
and features an interactive play for 4th and 5th grade age levels. The
session will be broadcast live via the Internet and satellite and will
be rebroadcast several times throughout the day to maximize viewing in
each time zone. Last October, more than 5,000 teachers, parents,
students and others participated in that broadcast and we look forward
to another successful event this October 4!
To view a listing of all webcasts conducted through the National
Webcast Initiative, please refer to Appendix B.
Partnership with U.S. Department of Homeland Security, National Cyber
Security Division
As highlighted in this testimony, the Multi-State ISAC has a strong
partnership with the National Cyber Security Division (NCSD) and its
operational arm, the US-CERT. Through this partnership, we work
together on many initiatives including sharing and analyzing
information regarding cyber threats and events, conducting national
webcasts, publishing cyber security awareness materials, conducting
cyber exercises, as well as National Cyber Security Awareness Month
activities. These initiatives help further the goal of improving our
nation's cyber security posture.
Training and Awareness Activities
In New York, we have a number of ongoing training and awareness
activities including:
Annual Statewide Cyber Security Conference. We just
held our ninth annual Cyber Security Conference. This
Conference is free of charge to government employees.
Consistent with our motto that ``Cyber Security is everyone's
responsibility,'' the scope of the Conference has expanded over
the years to where we now provide multiple tracks covering a
wide spectrum of cyber security issues, including technical,
legal, auditing, academia, business managers and local
government. This is the largest free government conference of
its type in the country.
Annual Kids Safe Online Conference. We are sponsoring
our second annual Kids Safe Online Conference next month. Our
target audience includes parents, educators, law enforcement
officers as well as kids. The subject is not only what are the
dangers for children online, but what are the solutions. This
Conference is free to the public.
Information Security Officers (ISOs). New York was the
first state to appoint a statewide Information Security Officer
and I believe the first to require each agency to appoint an
information security officer. The agency ISOs have a dotted
line reporting relationship with my Office. We hold monthly
meetings with the ISOs where we focus on current issues and
training opportunities. Agency ISOs are required to have
twenty-four hours a year of continuing professional education.
We also sponsor statewide cyber security training for ISOs and
technical staff. For example, we are currently sponsoring a
seven-week online course for information security professionals
to increase their skills.
Technical Staff. We are sponsoring training on secure
coding for application developers. In the past, we provided a
12 week course designed to increase the cyber security
knowledge of technical staff and prepare staff to sit for the
CISSP (Certificated Information Security Systems Professional)
Exam. This training was video taped and made available to state
and local governments on a national level.
Senior Staff. Once a year, we provide a half-day
awareness session for agency heads and their senior staff. The
focus is to keep them informed of cyber security issues and to
ensure they have the requisite knowledge to address them. It's
also important to employ unique and creative solutions to
increase awareness and education. We need to make it real. One
of the approaches I took was to demonstrate to agency
commissioners what is really meant when a computer is hacked.
By having them see first-hand what could happen, it increased
their awareness of the importance of cyber security.
End Users. We developed a toolkit for State agencies,
along the same line as the toolkit developed for the Multi-
State ISAC. This includes calendars, mouse pads and posters,
all with the cyber security message. We also produced a cyber
security video that is used for training new employees at State
agencies, as well as local governments. This was also made
available to state and local governments on a national level.
In addition, we conducted a ``phishing exercise'' with several
state agencies to assess the current state of cyber awareness
and identify where further education is necessary.
Cyber Exercises. We sponsor and participate in
periodic cyber security exercises to test our plans, policies,
practices and procedures.
In our role as Coordinator of the Multi-State Information Sharing
and Analysis Center, we work with states to develop, share and
collaborate on training and awareness activities including:
Proclamations: In 2005, thirty-six Multi-State ISAC
members reported that proclamations were issued by their
respective governors proclaiming October 2005 as Cyber Security
Awareness month. This is an increase of twenty-four from the
previous year. This demonstrates the increasing awareness of
cyber security issues at the state level. A copy of our 2005
Cyber Security Month After-Action Report is attached.
Tool Kits. We develop an annual tool kit for the
states to use to promote Cyber Security Awareness. This
includes posters, calendars, mouse pads and new for 2006 is the
development of Public Service Announcements that are customized
for each state.
Cyber Exercise. In partnership with U.S. Department of
Homeland Security, we coordinate Multi-State (state and local
government) participation in regional and national exercises to
test our plans, policies, practices and processes in responding
to a cyber event. We need to ensure that we have the capability
to provide prompt and accurate situational awareness reports at
the state and national level.
Technical Training. We coordinate state participation
of state and local governments in national training programs
sponsored by the federal government. We also negotiate some
volume discounts for states to participate in training provided
by the private sector.
End User. We are just completing the development of a
Computer Based Training Program that will be made available to
state and local governments nationally. This is a tutorial
which educates end users on the basics of information security
and what their responsibilities are to safeguard our government
information systems. We publish a monthly Cyber Security
Newsletter for end users. The newsletter focuses on one cyber
security issue each month that is relevant for end users/home
users. The newsletter is distributed to the states and local
government which then push it out to the end users.
For a summary of the MS-ISAC Accomplishments, please refer to
Appendix C.
Funding for the Multi-State ISAC
We very much appreciate the fiscal support from the Department of
Homeland Security for the Multi-State ISAC. The current funding level
of one million dollars a year amounts to twenty thousand dollars per
state. While we have worked hard to leverage this available funding,
more meaningful, long lasting change would be possible if more funding
was available. Our ability to help raise the awareness and preparedness
of states and local governments (for example, intrusion prevention
monitoring and correlation of data) to help improve their cyber
security posture is constrained due to the limited fiscal resources.
I appreciate the opportunity to testify today. Thank you Chairman
Lungren and Members of this Subcommittee for your strong leadership and
attention to this important matter.
Appendix A
[GRAPHICS 35624.002 through 35624.012 OMITTED: alert map and individual
state ISAC portal screenshots]
Appendix B--National Webcast Initiative Topics and Description
August 16, 2006
Instant Messaging
The broadcast presentation raised awareness on instant messaging
(IM) and how IM is being used today as a source of communication
online--both at home and at work. While IM can be a convenient and
quick way to chat with others or collaborate on business matters, there
are security concerns that we must understand and address. This webcast
provided attendees with accurate and up-to-date information so that
each of us can take the necessary steps to help protect ourselves
online.
June 28, 2006
Remote Access
The broadcast presentation raised awareness on popular secure
remote access solutions in terms of business use cases, high level
deployment scenarios, and security and operational considerations.
April 13, 2006
Voice-Over IP: How secure is your network infrastructure for handling
VoIP?
VoIP is growing in popularity. Two-thirds of the world's 2,000
largest companies will be using VoIP systems in 2006 and by 2009, 27
million Americans will use Internet phones at home. The presentation
raised awareness on network security issues and challenges that arise
in today's network world.
February 16, 2006
Identity Theft: The crime that keeps on taking!
The February 16th broadcast presentation focused on what ID Theft
is, how to protect yourself, and what to do if you think you may have
become a victim. The presenters walked through a variety of scenarios
to help explain these concepts and provided specific advice on what
steps to take.
December 15, 2005
Cyber Security Tips During the Holiday Season
The broadcast included such topics as online shopping transactions
and the need to secure your private information online; understanding
how to properly check your security settings on the new computer you
just received as a gift; and what to look for when visiting legitimate
web sites.
October 20, 2005
Protecting Our Children on the Internet
The National Webcast on Protecting Our Children on the Internet
consisted of a play entitled Cyber Smart in Cyber Space geared toward
the 4th and 5th grade age levels in which actors performed a cyber
security-related skit interacting with the children. The play used
content from CyberSmart!, an organization dedicated to teaching secure,
responsible and effective Internet and computer use, and acted out with
members of the Plays for Living organization, a nonprofit organization
that utilizes live theater dramas to depict the real-life challenges
and stresses many people face on a daily basis at work, at home and in
the community.
July 20, 2005
Wireless Security
The webcast provided a non-technical presentation on Wireless
Security. The webcast applied to all computer users--whether you are
using your wireless-enabled laptop at the local coffee house or running
a network that hosts sensitive customer data, you need to understand
the issues and how to use wireless technology safely. Attendees walked
away with a better understanding of the diversity of wireless devices
that are used today, the security that can be applied behind the
wireless network, and solutions of how you can be more secure.
May 18, 2005
Botnets
The webcast provided a non-technical presentation on BotNets.
BotNets are becoming a significant problem across the Internet and are
increasing at an alarming rate. They are a growing source for staging
denial of service attacks, identity theft, phishing attacks and SPAM
mail relay services. Please visit the archived presentation and learn
about how to defend against BotNets, what to do when your machine has
been compromised, and how to respond when your machine has been
controlled by BotNets.
March 16, 2005
Are You Secure? . . . Are You Sure?
Vulnerability Management
The webcast provided a ``low/medium technical'' discussion about
what each of us should do on a daily basis to be more secure. The
volume of malicious cyber activity continues on an upward curve. The
sophistication of hacker tools continues to grow while the expertise
required to deploy them is decreasing. Phishing schemes are becoming
increasingly difficult to discern from legitimate email. Botnets are
increasing at an alarming rate. These facts require that your
information systems are as secure as possible and that you have
appropriate measures in place to decrease your vulnerability to these
cyber threats.
February 9, 2005
Adware/Spyware:
How to Protect Yourself from Today's Most Dangerous Spyware Threats
The webcast provided a non-technical discussion about what each of us
should do on a daily basis to be more secure. This session focused on
an in-depth analysis of today's most egregious spyware/adware programs.
October 19, 2004
Are YOU the Weakest Link?
The webcast provided a non-technical discussion about what each of
us should do on a daily basis to be more secure. This session focused
on the human elements of cyber security, which are just as important,
if not more so, than the technical elements, and included examples of
the various types of scams and pitfalls we need to watch out for, and
how to protect ourselves.
August 26, 2004
Performing a Cyber Security Risk Assessment:
Why? When? and How?
The webcast focused on the steps organizations should take in
addressing risk and provided timely and practical advice that can be
applied immediately.
June 22, 2004
Cyber Security: The Three Things You Should Have Done Yesterday and The
Three Things You Should Do Today
The webcast included discussion of the biggest challenges to
security, what you should have already been doing in your organization
to address those challenges, and what you must do today.
Appendix C--Highlights of MS-ISAC Accomplishments
establishment of a 24 x 7 operations center
distribution of cyber security advisories and
bulletins
cyber incident response assistance to MS-ISAC Members
monthly Member conference calls
annual meetings of the Members
two MS-ISAC websites--a public and a secure website
participation in cyber exercises, including the
national Live Wire and Cyber Storm exercises
development and adoption of common cyber alert level
protocols
development of draft cyber incident reporting
protocols
support and promotion of National Cyber Security
Awareness Month
MS-ISAC Deliverables for 2005 National Cyber Awareness
Month:
36 MS-ISAC Members (35 States and the District
of Columbia) signed proclamations recognizing
Awareness Month;
Cyber Security Toolkits were developed and
distributed to all 50 States and the District
of Columbia;
PSAs for Governors were distributed;
National Webcast was conducted with more than
5,000 registrants from across the country.
Awareness Month materials available at:
http://www.cscic.state.ny.us/msisac/ncsa/oct05/index.htm
development and execution of legal NDA for the Members
to sign
development and adoption of the MS-ISAC Business Plan
development and adoption of the MS-ISAC Charter
development and adoption of MS-ISAC Member
Representative Guidelines
development and adoption of ISAC Council
Representation Guidelines
development and adoption of MS-ISAC Contact
Administration Guidelines
establishment of the MS-ISAC Nominating Committee
issuance of white papers
served as chair for the state and local section of the
``Awareness and Outreach'' Task Force of the NCSP--the Task
Force issued a report detailing specific action items to be
taken to increase end user cyber security awareness
collaboration with all necessary parties
Mr. Lungren. Thank you very much.
Now, we will hear from Mr. Paul Kurtz, the executive
director of the Cybersecurity Industry Alliance.
STATEMENT OF PAUL B. KURTZ, EXECUTIVE DIRECTOR, CYBER SECURITY
INDUSTRY ALLIANCE
Mr. Kurtz. Mr. Chairman and other members of the committee,
thank you very much for asking me here today.
Cyber systems are our newest and most pervasive
infrastructure. They drive and organize every facet of our
collective and individual lives from national and economic
security to personal health and wellbeing.
And, yet, we do not have a strategic national capability to
assess how well the most critical systems are protected and what
the consequences are if they fail. There is little strategic
direction or leadership from the federal government in the area
of information security.
Ensuring resiliency and integrity of our information
infrastructure and protecting the privacy of our citizens
should be a higher priority for the government. We must move
beyond philosophy and statements of aspiration to defining
priorities and programs.
CSIA believes the government has a responsibility to lead,
set priorities and coordinate and facilitate protection and
response.
Let me be clear. This is not a call for regulation or
intervention. This is a call for leadership.
So if I could, I am going to depart from my prepared notes
and list six recommendations for consideration for DHS.
Number one, lead, lead, lead. Number two, prevention and
mitigation programs. In this area, I would highlight two key
important points. R&D, Doug Bond, who is the head of
cybersecurity R&D at DHS is doing a fantastic job, but he is
lost in a bureaucratic morass. Doug's work needs to be
recognized. It needs to be funded appropriately.
Second, in this area, we need to investigate incentives
specifically facilitating the growth of insurance.
The third area that I would highlight would be establish an
active early warning program that embraces the private sector.
Currently, the IT-ISAC is being held at arm's distance by the
Department of Homeland Security. It should be more fully
embraced and its work should be recognized.
Fourth, we need to establish command and control procedures
for when the balloon goes up, and it will go up. That means two
key questions. A, what is the process for determining an
incident of national significance? What agencies are involved
inside the government? Who is involved in the private sector,
as well?
Secondly, what are the implications of that decision?
Legally, what does it mean for government? What does it mean
for the private sector? A cyber incident of national
significance, that language is drawn from the national response
plan that has been prepared by DHS.
The fifth recommendation is ensure we have resilient
communications in place to execute command and control when a
crisis surfaces. So imagine when we have a problem, we are
going to grab that phone or we are going to use the computer,
but think of the phone in an IT environment.
Will it work when the very infrastructure is under attack?
So we need to ensure we have resilient communications in place.
The sixth recommendation is to establish a national
information assurance policy, which enshrines basically the five
recommendations that I outlined before.
The protection of the information infrastructure goes
beyond DHS. Clearly, the president has established that DHS has
the lead in coordination. But when the balloon goes up and when
we have problems, DOD will be involved, the FTC will be
involved, and multiple other agencies will be involved at the
same time.
And with that, I will close and I will take questions
later.
Thank you.
[The statement of Mr. Kurtz follows:]
Prepared Statement of Paul B. Kurtz
Introduction
Chairman Lungren, Ranking Member Sanchez and members of the
Subcommittee, thank you for the opportunity to testify today before the
House Subcommittee on Economic Security, Infrastructure Protection, and
Cybersecurity. My name is Paul Kurtz and I am Executive Director of the
Cyber Security Industry Alliance (CSIA).
CSIA is the only advocacy group dedicated to ensuring the privacy,
reliability and integrity of information systems through public policy,
technology, education and awareness. The organization is led by CEOs
from the world's top security providers who offer the technical
expertise, depth and focus needed to encourage a better understanding
of security issues. It is our belief that a comprehensive approach to
ensuring the security and resilience of information systems is
fundamental to global protection, national security and economic
stability.
Before joining CSIA, I served at the White House on the National
Security Council and Homeland Security Council. On the NSC, I served as
Director of Counterterrorism and Senior Director of the Office of
Cyberspace Security. On the HSC, I was Special Assistant to the
President and Senior Director for Critical Infrastructure Protection.
My testimony will address four themes for consideration by Congress
on refining the role of the Department of Homeland Security as it
relates to national cyber security:
Inadequate attention
Lack of leadership
No plan to prevent or minimize a major cyber disaster
No plan for working with the private sector to recover
from a cyber disaster
Cyber Security is Receiving Inadequate Attention from DHS
Last week in his updated national strategy for counterterrorism,
President George W. Bush declared that ``America is safer but we are
not yet safe.'' The reality of physical terror occurring in the United
States of America has riveted our attention since the attacks on
September 11, 2001. Prevention of any physical incident of horror has
since been priority one.
The President's reminder for vigilance clearly applies to threats
against our physical well-being, but his admonition must also apply to
the threats against cyber security. To some the idea of terrorists or
hackers breaking into computers may sound like an abstract threat,
especially when compared to the shock of a suicide bomber killing
innocent people and destroying property. However, a successful massive
cyber attack could trigger grave harm for many Americans if it knocked
out communications and information systems for emergency response,
energy, transportation, and other critical resources that depend on IT.
The nation experienced such vivid fallout from a regionalized natural
disaster last year in the aftermath of Hurricane Katrina--imagine this
disaster on a national scale.
Since 9/11, responsibility for coordinating federal efforts on
national safety shifted to the Department of Homeland Security. DHS has
predictably reacted to a myriad of security challenges by focusing
first on immediate physical threats. This focus is understandable, but
it has also impeded progress toward stronger national cyber security.
As a result, the United States remains unprepared to defend itself
against a massive cyber attack or to systematically recover and
reconstitute information systems after a successful attack.
My testimony will describe what DHS is and is not doing with
respect to national cyber security, plus the need for DHS to specify
how it and the private sector would coordinate actions if a massive
cyber attack were to occur. By realistically refining the Department's
role in national cyber security, DHS can escalate cyber security
efforts in concert with efforts to prevent physical terror in America.
There is no leadership at DHS for national cyber security
Despite publication of more than 750 pages of strategies,
directives and response plans, leadership in the U.S. government on
cyber security is clearly absent. The practical significance of lack of
leadership means the nation is not ready for a major disruption to our
information infrastructure.
National coordination of cyber security is the purview of the
Department of Homeland Security, and its related leadership position is
Assistant Secretary for Cyber Security and Telecommunications. This new
position was established in July 2005 by Secretary Chertoff
specifically to elevate the importance of cyber security in relation to
DHS's main focus on physical security. Unfortunately, fourteen months
later, the Assistant Secretary position is unfilled, which reflects the
low priority DHS still has toward cyber security. No one is in charge
to lead efforts to protect information infrastructure against cyber
attacks or to lead response and recovery.
Another consequence of this leadership vacuum at DHS is an unclear,
uncoordinated strategy for cyber security. The agency has pushed plenty
of paper on the topic but people responsible for securing information
technology in government, public and the private sector would be hard
pressed to identify the top DHS priorities.
The threats to information security are real. Digital systems
underpin vital infrastructure throughout the nation and a major
disruption to, or widespread lack of confidence in these systems could
have a devastating effect on our citizens, our economy and security.
The real need is for concrete action guided by a few key national
priorities understood by those who must ensure cyber security. DHS
needs to immediately fill the position for Assistant Secretary for
Cyber Security and Telecommunications to crystallize a few key
priorities, and develop programs that support and achieve those
priorities.
An important role for the new Assistant Secretary will be ensuring
that priorities for cyber security reflect the fact that all critical
functions of all industry sectors rely on IT and telecommunications.
Coordination and leadership should be the primary concern for DHS.
Lastly, DHS and the White House can take steps to consolidate
multiple presidential-level advisory bodies in the area of IT and
telecommunications. For example, we have NSTAC and NIAC that clearly
have overlapping responsibilities and areas of inquiry. These should be
combined to ensure that presidential advice and recommendations are
made holistically, looking across key critical infrastructures, and not
in separate silos.
DHS needs to specify steps to prevent and/or minimize a massive cyber
attack or telecommunications disaster
DHS documents such as the National Response Plan and the National
Infrastructure Protection Plan attempt to not omit any unconsidered
detail. Virtually no agency, program or initiative is left unmentioned
in sweeping surveys of the cyber security landscape. The downside to
this ocean of detail is that every point seems equally important. Lack
of prioritization makes it difficult for organizations to take
practical coordinated action to secure their information systems.
CSIA believes this lack of prioritization dilutes the Department's
limited resources and makes it less effective in preparing the nation
against a massive attack. DHS should articulate a smaller set of
priorities focused on preventing and/or minimizing the likelihood or
severity of a massive cyber attack or telecommunications disaster.
Creating cyber security for critical systems entails using a
combination of technological solutions and best practices for IT. With
regard to cyber security technology, its successful use is linked to
understanding vulnerabilities of operating systems, applications,
networks, and literally thousands of protocols that enable modern IT.
Acquiring this knowledge is a moving target due to the complex
interdependencies of these technologies and their continuous evolution.
There are 4 major areas of logical activity that DHS should
crystallize programs around:
Risk Management--identification and classification of
Critical Infrastructure
Research & Development--solutions to identify, prevent
and recover from attacks
Incentives--encourage problems to be resolved, not
postponed
Insurance--ensures continuing US financial viability
after a cyber loss
Risk Management
An important starting place is for DHS to encourage organizations
to pursue cyber security as they would manage other types of risks. In
evaluating the nation's IT resources, DHS should help identify the most
critical interdependencies and urge organizations to concentrate on
protecting those systems first. One positive effort underway is the
partnership between DHS and the private sector in developing a
protection plan for the IT infrastructure. Under the plan, the private
sector is identifying common risk-management processes and techniques.
However, this effort is lacking senior-level attention at DHS.
Research & Development
DHS could play a major national role by funding cyber security
research and development (R&D) in the private sector. Instead, more
than 98 percent of last year's $1.039 billion science and technology
budget of DHS went to R&D on weapons of mass destruction. Less than 2%
($18 million) was for cyber security, and of that only about $1.5
million was for basic research.\1\
---------------------------------------------------------------------------
\1\ See CSIA Policy Briefing, ``Federal Funding for Cyber Security
R&D'' (July 2005).
---------------------------------------------------------------------------
We understand the concern about threats to physical security, but
CSIA believes DHS has inadvertently placed the nation in the way of
another harmful vector by virtually ignoring R&D on cyber security.
Where DHS has spent money on cyber security R&D there has been some
success. Over the past 18 months, the Department's Science and
Technology (S&T) Directorate has participated in a technology
demonstration project with the Oil and Gas sector. The project,
entitled LOGIIC--Linking the Oil and Gas Industry to Improve
Cybersecurity--is a public-private partnership between DHS, several
companies from the oil and gas sector, process control system (PCS) and
information security technology vendors, and the National Labs. This
project is aimed at reducing vulnerabilities in process control
environments used in the oil and gas sector by establishing a framework
for assessing risks, evaluating new technologies, integrating these new
technologies into a test environment, and demonstrating commercial
event detection and correlation technologies that can significantly
enhance situational awareness on PCS networks used in refineries and
other large industrial facilities.
There is strong historical precedent for federally funding R&D for
emerging technologies of national significance. The Internet is the
most famous example, beginning with seed money in 1962 from the
Defense Advanced Research Projects Agency (DARPA). The Internet is
now a vital global infrastructure almost entirely owned and operated by
the private sector. Other examples of federal funding for R&D that
resulted in important innovations for cyber security include firewalls,
intrusion detection systems, fault tolerant networks, open operating
systems, cryptography and advanced authentication. CSIA urges DHS to
shift a larger portion of its R&D budget to programs that will bolster
national cyber security.
Incentives
The time-tested government practice of offering incentives for
private investment is another avenue worthy of examination by DHS. By
offering incentives such as tax credits for implementation of security
solutions, the federal government could dramatically accelerate
adoption of measures to shore up national cyber security--just as it
has done to spur other initiatives deemed as important for the country
by Congress. The key is to develop very carefully-crafted incentives
targeted at high priority systems such as certain SCADA systems and
Internet security protocols. Many SCADA systems operate on unsupported
application platforms and must be moved to a virtual ``sandbox'' to
remediate immediate and urgent security threats.
Insurance
On a related non-technical note, insurance is a practical way for
organizations to recover from catastrophic loss. Private insurance
policies, however, do not usually provide ``cyber risk coverage'' due
to the newness of this concept and lack of data enabling insurers to
establish actuarial loss tables and a viable premium structure. To be
effective, premiums for cyber attack coverage would have to include
natural risk management incentives for organizations to balance the
cost of premiums against the cost of taking preventative measures for
security. CSIA believes DHS, in partnership with the Department of
Commerce, should sponsor research into viable uses of private-sector
insurance coverage for cyber attacks.
DHS has not specified how it will work with the private sector to respond
to a cyber incident of national significance
The other major yet unarticulated priority for DHS is describing
how it will work with the private sector to respond to and recover from
a massive failure of information technology systems--whether from a
cyber attack or a natural disaster. This issue is important because
it's the private sector--not DHS--that owns and operates information
technology systems for most of the nation's critical infrastructure.
The unanswered question affecting all is: What is a suitable role for
DHS as well as other key federal agencies, including DoD and the FCC in
facilitating recovery and reconstitution from a cyber incident of
national importance?
DHS is well aware that the private sector ``runs the show,'' which
may account for its encouragement of public-private partnerships. I am
sure that everyone involved with the multitude of DHS-sponsored public-
private partnerships participates with the best of intentions, but
there is a lack of clarity in what this work is accomplishing. The
Government Accounting Office recently reported that progress on those
initiatives is limited, some lack time frames for completion, and
relationships between these initiatives are unclear.\2\
---------------------------------------------------------------------------
\2\ ``Challenges in Developing a Public/Private Recovery Plan,''
GAO-06-863T (July 28, 2006).
---------------------------------------------------------------------------
Consequently, DHS needs to articulate a chain-of-command for each
step of recovery and reconstitution. For example, the DHS's U.S.
Computer Emergency Readiness Team (US-CERT) may be aware of a network
attack, but the North American Network Operators Group (NANOG) is the
operational forum for backbone/enterprise networking. Considerations
for this type of situation include:
Which entity should be in charge of coordinating the
actual work of recovery and reconstitution?
What, if any, related legal authority is possessed by
DHS and the federal government?
What obligations do private sector entities have to
obey directives from DHS?
Who would resolve conflicting demands for scarce cyber
resources?
What enforcement power does DHS have in the process of
helping the nation recover from a cyber disaster?
In this context, I would note that DHS in February sponsored
``Cyber Storm,'' a large-scale exercise focused on some of these
questions. CSIA and its members supported the exercise but some six
months after the event, DHS's after action report containing lessons
learned has not been shared with key owners and operators in the
private sector.
In addition to chain-of-command, DHS needs to articulate an
emergency communications system that works even when standard
telecommunications and Internet connectivity are disrupted. Emergency
communications entail more than simply establishing a resilient
mechanism allowing people to talk. It also requires advance
identification of the right people from appropriate organizations who
speak the ``same language'' for establishing rapid recovery and
reconstitution of national systems.
These are but a few of the details that must be articulated and
agreed upon in advance if the nation is to truly prepare for recovery
and reconstitution from a cyber disaster. Ostensibly, DHS would have a
leading role in planning.
These issues should be answered in the DHS's 400-plus page National
Response Plan. Unfortunately, the plan does not articulate clear
answers on how federal agencies work with each other, with other
government entities, or with the private sector in responding to a
national disaster. Instead of one coordinator, there are at least six:
Homeland Security Operations Center, National Response Coordination
Center, Regional Response Coordination Center, Interagency Incident
Management Group, Joint Field Office, and Principal Federal Official.
The National Response Plan's discussion of cyber security is contained
in the ``Cyber Incident Annex.'' The Annex mentions many other federal
departments and agencies with ``coordinating'' responsibility for cyber
incident response, including Defense, Homeland Security, Justice,
State, the Intelligence Community, Office of Science and Technology
Policy, Office of Management and Budget, and State, Local, and Tribal
Governments. The agency tasked with maintaining the National Response
Plan is FEMA.
As I draw toward the end of my testimony, I wish to comment on one
other topic that also requires close coordination of the government and
private sector--namely, the need for a cyber early warning system that
provides the nation with situational awareness of attacks. DHS has
sponsored some mechanisms toward this end, such as US-CERT, and
Information Sharing and Analysis Centers (ISACs) that share some cyber
alert data from the private sector with the federal government. As
noted by the Business Roundtable, however, the nation lacks formal
``trip wires'' that provide rapid, clear indication that an attack is
under way.\3\ This mechanism would be akin to NOAA's National Hurricane
Center, which usually can provide a day or so of advance notice before
a dangerous storm lands ashore. Cyber attacks often provide far less
notice to prepare and react. DHS should lead the establishment of an
efficient national cyber warning system because the private sector is
most likely to first detect an attack, and data correlation and follow
through coordination closely involves the government.
---------------------------------------------------------------------------
\3\ Business Roundtable, ``Essential Steps to Strengthen America's
Cyber Terrorism Preparedness'' (June 2006); see also Section 15 of
Homeland Security Presidential Directive 5, ``Management of Domestic
Incidents'' (Feb. 28, 2003), and the National Strategy to Secure
Cyberspace (Feb. 2003).
Summary of Recommendations
In summary, CSIA offers the following recommendations for the
Subcommittee's consideration:
Increase Attention to Cyber Security. DHS has inadvertently exposed
the nation to another vector of attack by providing inadequate
attention to cyber security. The Department should carefully assess its
priorities to achieve more balance by shifting some attention from an
almost exclusive focus on physical security.
Appoint a Leader. There is no leader at DHS who is solely
responsible for cyber security. DHS should swiftly fill the open
position of Assistant Secretary for Cyber Security and
Telecommunications to close the leadership vacuum.
Plan to Prevent or Minimize a Major Cyber Disaster. DHS is too
preoccupied with appearing to be in control of every detail related to
cyber security. DHS should shift this energy to articulating a smaller
set of priorities focused on preventing and/or minimizing the
likelihood or severity of a massive cyber attack or telecommunications
disaster.
Plan to Work with the Private Sector to Recover from a Major
Disaster. The existing DHS ``plan'' for recovery cites more than a
dozen federal departments and agencies with ``coordinating''
responsibility--not including state, local and tribal governments. DHS
needs to clearly articulate a chain-of-command between government and
the private sector for recovery from a major cyber disaster.
With that, I appreciate the opportunity to testify today and am
pleased to answer your questions.
Kurtz testimony before House Subcommittee on Economic Security,
Infrastructure Protection, and Cybersecurity 9/13/2006
Mr. Lungren. Thank you very much for your testimony. I was
trying to write as fast as I could, since you departed from
your prepared text.
[Laughter.]
Mr. Kurtz. It is all in the written statement. I will put
this together and send it.
Mr. Lungren. The chair recognizes Mr. Guy Copeland, the
chairman of the Information Technology Sector Coordination
Council.
STATEMENT OF GUY COPELAND, CHAIR, INFORMATION TECHNOLOGY SECTOR
COORDINATING COUNCIL
Mr. Copeland. Mr. Chairman, distinguished members of the
subcommittee, thank you for inviting me here today.
As chairman of the Information Technology Sector
Coordinating Council, I commend you for your attention to cyber
and telecommunications security. I am also a vice president at
Computer Sciences Corporation, but I am offering my personal
reflections here today.
Five years ago this week, we suffered a devastating
terrorist attack. 9/11 did not include a cyber attack
component, but it reaffirmed how dependent we are on
information technology and communications.
As an IT sector witness, I am focusing on our sector, but I
also acknowledge the efforts of so many others who are
dedicated to our common cause in their respective sectors.
The IT Sector Coordinating Council formally began in
January 2006, with over 30 founding members. It is broadly
representative of the sector and works with DHS, our sector-
specific agency, the national cybersecurity division, or NCSD,
and other organizations, in developing strategies and policies
for critical infrastructure protection, collaborations,
analysis and information sharing.
The IT sector's 5-year-old information sharing and analysis
center, or ITISAC, is recognized and endorsed by the IT Sector
Coordinating Council as our lead for the sector.
Under Secretary Foresman, Assistant Secretary Stephan, and
Mr. Purdy have all worked tirelessly to include us in
initiatives that affect the private sector. During and since
its formation, the IT Sector Coordinating Council actively
engaged with government colleagues in the update of the national
infrastructure protection plan, the NIPP, and we have formed a
joint effort with them to draft the IT sector-specific plan.
Secretary Chertoff has proposed the establishment of an
assistant secretary position, as you have discussed earlier. We
stand ready to work with the new assistant secretary. We have
not been on hold awaiting this appointment, but it is very
important to us.
Recognizing the importance of IT and communications, Under
Secretary Foresman, as he stated earlier, has recently directed
his deputy undersecretary, Robert Zitz, to provide day-to-day
oversight of the NCSD and the national communications system,
which together constitute the cybersecurity and
telecommunications organization.
I have some observations and suggestions. Trusted
partnership is a key priority. DHS leadership has made huge
strides to improving partnership, but still appears to be
hampered by the application of laws and regulations rightly
intended for the protection of a procurement or regulatory
relationship, but not for the operational partnership that
homeland security needs.
Adequate operational preparedness and timely response
require physical collocation and daily interaction. DHS should
build on its over 20 years experience of the national
coordinating center for telecommunications, the NCC, add
representatives from the IT sector and the other time critical
or sometimes we call them the millisecond sectors, and resident
members should represent the core group of each sector. That
is, the most important entities for crisis response.
Ultimately, this should become the national crisis
coordination center.
Since its establishment, the NCC has been collocated in the
defense information systems agency headquarters, with the DOD's
joint task force for global network operations. Current plans
call for the NCC to relocate with the DHS U.S. CERT, as you
heard earlier today.
Instead, DOD, DISA and DHS should consider collocating all
of them, the U.S. CERT, the NCC, the JTFGNO, and perhaps other
important elements. That will allow for maximum interaction
leading to enhanced efficiency and value for both government
and industry, for both homeland and national security missions.
Ultimately, the collocation facility could be a part of the
national crisis coordination center.
Mr. Chairman, subcommittee members, Congress can help. In
my written testimony, there are more details, but here,
briefly, are a few recommendations.
Examine the collocation of those three entities, the NCC,
the CERT and the JTFGNO, and other appropriate ones, to add
better value. Examine the national crisis coordination center
concept. Work with DHS and the IT Sector Coordinating Council
and the Telecommunications Sector Coordinating Council to agree
on cybersecurity priorities and ensure that DHS has the
resources to implement them.
Create a better environment for the critical infrastructure
protection partnership. Consider forming a bipartisan House
caucus for cybersecurity for IT and communications, to help you
all understand the issues and complexities better.
Encourage broader industry participation in critical
infrastructure protection through membership in the sector
coordinating councils and the ISACs.
Mr. Chairman, thank you again for inviting me to appear
today.
[The statement of Mr. Copeland follows:]
Prepared Statement of Guy L. Copeland
Mr. Chairman, distinguished members of the Subcommittee, thank you
for inviting me to testify before you this afternoon. On behalf of the
members of the Information Technology Sector Coordinating Council, I
commend you for your continuing attention to Cyber and
Telecommunications Security.
Five years ago this week, we suffered the most devastating,
terrorist attack in the history of our nation. The deliberate, horribly
evil assaults on that day did not include a cyber attack. But they
immediately reaffirmed how dependent we are on our information
technology and communications sectors to respond quickly and
effectively in any emergency and to recover and reconstitute normal
societal functions. Subsequent analysis also showed that the
technologies of these two sectors are equally crucial to prevention and
preparedness at all levels.
A little over a year ago now, Katrina painfully reminded us that
natural emergencies can be devastating. The scale of Katrina's impact
and the response required was unprecedented. Once again though,
communications and information technology were essential to response,
recovery and reconstitution. Lessons learned have since been folded
into the preparedness posture and emergency plans of the critical
institutions, both industry and government.
My testimony today is based, in part, on my experiences and
observations on how we have reacted to these and other tragedies. I've
formed these observations, in part, based on my experience as Chairman
of the Information Technology Sector Coordinating Council (IT SCC) and
the immediate past President of the Information Technology Information
Sharing and Analysis Center (IT-ISAC). Additionally, I am drawing on my
experience as Vice President of Information Infrastructure Advisory
Programs at Computer Sciences Corporation (CSC). However, I must
emphasize that I am not speaking on behalf of CSC, the IT SCC or the
IT-ISAC. I am offering my personal reflections, previously shared with
key leaders in each organization.
We--both the Private Sector and Government--have been building an
increasingly strong partnership, starting long before DHS was created.
The level and sophistication of activities and initiatives has grown
tremendously during that period. As the Information Technology sector
witness today, I am focusing my comments in that sector. But I am
equally proud of the efforts of my friends, colleagues and others who
are equally dedicated to our common cause in their respective sectors.
Many companies--large and small--are among our best citizens in terms
of their selfless contributions.
IT SCC
In January 2005, while then serving as the President of the
Information Technology Information Sharing and Analysis Center (IT-
ISAC), I briefed a joint industry and government group on an initial
proposal to begin an effort in the IT sector to consider the formation
of the IT Sector Coordinating Council (IT SCC). Working with Mr. Harris
Miller, President of ITAA, the leadership of the IT-ISAC and other
sector leaders and with the facilitation assistance of Meridian
Institute provided by DHS, we developed the necessary formation
documents through 2005. In November 2005, we announced the interim IT
SCC and in January 2006, the formal charter, first slate of officers
and the executive committee were approved by over thirty founding
members.
As with SCCs representing electricity, financial services,
telecommunications, water, transportation, and others, the IT-SCC was
organized to serve as a central point of coordination, collaboration
and information sharing among the many members of the sector, and with
the Federal agency(ies) responsible for interacting with a given
private sector on critical infrastructure protection. The Department of
Homeland Security--specifically the National Cyber Security Division
(NCSD)--is the designated Sector Specific Agency responsible for
collaborating with the IT sector.
In January, the IT-SCC completed its formation procedures, ratified
its operating charter, and elected its leadership. With Harris's
departure from ITAA, Greg Garcia, ITAA's Vice President for Information
Security, was elected to the SCC's Executive Committee, as the
Secretary. I was elected Chairman; Michael Aisenberg of VeriSign, Vice
Chairman; and Larry Clinton of the Internet Security Alliance,
Treasurer.
During and since its formation, the leadership and members of the
IT SCC have been actively engaged in collaborative partnership with
their government colleagues. We were invited to participate fully in
the update of the National Infrastructure Protection Plan (NIPP) and
our plans committee, under the leadership of Paul Kurtz of the Cyber
Security Industry Alliance and John Lindquist of EWA, has formed a
joint writing effort with our government colleagues, led by Cheri
McGuire of the NCSD at DHS, to draft the IT Sector Specific Plan (SSP)
which will in a few months be completed, staffed with our respective IT
SCC and IT Government Coordinating Council membership, and approved as
an annex to the NIPP. This joint effort exemplifies a marked
improvement in the partnership as compared to the earliest days of DHS.
The leadership on both sides should be commended for the strides that
have been made.
IT sector leadership has been pleased with the relationships we
have developed with the current leadership within DHS. In particular,
Under Secretary for Preparedness, the Honorable George Foresman;
Assistant Secretary for Infrastructure Protection, Mr. Robert Stephan,
and Acting Director of the National Cyber Security Division, Mr. Donald
``Andy'' Purdy, have all worked tirelessly to include us in initiatives
that affect the private sector. They have provided encouragement and
support. They have been open to consideration of our recommendations.
They have included us in the development of key documents such as the
recent National Infrastructure Protection Plan (NIPP). Recognizing the
importance of cyber security and communications, Undersecretary Foresman
has recently directed his Deputy Under Secretary, Robert Zitz, to
provide day-to-day oversight of the NCSD and the National
Communications System, which together constitute the new Cyber Security
and Telecommunications organization. Our leadership has met with Mr.
Zitz and we are impressed with how quickly he has picked up the reins
and the approaches he is espousing. In short, they are trying as hard
as anyone can--within current government restrictions on private sector
relationships--to develop, nurture and grow a valuable and essential
partnership for critical infrastructure protection.
There are many challenges remaining for us to address and new ones
are sure to arise. We look forward to meeting those challenges with
them and with their successors.
IT-ISAC and the ISAC Council
PDD 63 called for industry establishment of Information Sharing and
Analysis Centers (ISACs). The Information Technology (IT) sector
coordinator, Mr. Harris Miller, President of the Information Technology
Association of America (ITAA) and other sector leaders began developing
the necessary charter documents and reaching out to potential members.
On January 16, 2001, in a press conference held at the Department of
Commerce, 19 founding members formally announced the IT-ISAC. The
mission of the IT-ISAC is to provide
Trusted and confidential reporting, exchange and
analysis of sensitive cyber and physical information concerning
incidents, threats, attacks, vulnerabilities, solutions,
countermeasures, and best security practices.
A trusted mechanism enabling the systematic and
confidential exchange of member information with strong and
enforceable legal protections.
Leadership visibility for IT-ISAC members with public
and private enterprises on cyber security processes and
information sharing issues.
A sampling of the value of IT-ISAC membership includes:
Access to Sensitive Threat, Vulnerability and
Analytical Products
Collaboration in a Trusted Forum--vetted, trusted and
confidential
Anonymity for Members--within industry and to
government
Access to Cross Sector and Government Information,
Contacts and Tools
Emergency Response Coordination, Operational
Practices, and Exercises
In July 2001, the IT-ISAC went operational through a 24/7
operations center manned by their contract with Internet Security
Systems. July 2001 also found them helping coordinate the response to a
new form of malicious software, Code Red. On September 11, 2001, they
helped to support the response activities and a few days later helped
to coordinate the response to another cyber threat, NIMDA.
In 2002, the IT-ISAC established formal information sharing
memoranda of understanding (MOUs) with the Financial Services,
Electricity and Communications ISACs. In 2003, it helped to establish
the ISAC Council, an informal, voluntary, cross-sector body, consisting
of the leadership of the active sector ISACs. Mr. John Sabo, the
current IT-ISAC President, is also the current Chairman of the ISAC
Council. 2003 also saw the IT-ISAC start daily cross-sector cyber
security collaboration calls for all ISACs and government agencies
(including DHS) which adhere to the MOU information sharing agreements.
Since then the IT-ISAC has continued to mature and expand its
capabilities. In 2005, they hired a full time Executive Director, Mr.
Scott Algeier. In addition to the daily cyber calls, they host twice
weekly cyber technical calls which can dive deeply into technical
issues and analysis, for example, those associated with emerging
exploits or newly released patches. And they have recently added a
weekly physical issues call which supports cross-sector sharing of
information regarding physical incidents, vulnerabilities and related
matters.
Throughout 2005, IT-ISAC leadership was at the forefront of efforts
to form an IT Sector Coordinating Council (IT SCC). SCCs were
requested of the critical infrastructures by DHS and Homeland Security
Presidential Directive 7 (HSPD 7) and further detailed in the National
Partnership Model of the President's National Infrastructure Advisory
Council (NIAC). SCCs are intended to be broadly representative of their
sector and to work with DHS, Sector Specific Agencies (SSAs) and other
organizations in developing strategies and policies for critical
infrastructure protection. In January 2006, the IT SCC was formalized
and in May it recognized the IT-ISAC as the sector's official
operational information sharing mechanism.
``For operations, analysis and information sharing, the
Information Technology Information Sharing and Analysis Center
(IT-ISAC) is recognized and endorsed by the Information
Technology Sector Coordinating Council (IT SCC) as our lead for
the IT sector. The IT-ISAC has served since 2001 and will
continue to serve as the main vehicle for communicating
information about threats, vulnerabilities and incidents,
especially through its Operations Center on a 24/7/365 basis.
It is also our main vehicle for information analysis.''
IT SCC Chair and Vice Chair Letter to Asst. Sec. Robert
Stephan dated 5/26/06
Looking to the Future
Assistant Secretary for Cyber Security and Telecommunications
In his Second Stage Review, Secretary Michael Chertoff proposed the
establishment of an Assistant Secretary position for cyber security and
telecommunications to ``centralize the coordination of the efforts to
protect the technological infrastructure.'' \1\
---------------------------------------------------------------------------
\1\ ``Statement of Secretary Michael Chertoff, U.S. Department of
Homeland Security, Before the United States Senate Committee on
Commerce, Science, and Transportation.'' July 19, 2005.
---------------------------------------------------------------------------
The IT Sector Coordinating Council, the IT-ISAC, and the other
bodies I have briefly described, stand ready to welcome and work with
the new Assistant Secretary from the moment he or she is announced. We
have no doubts that it is in the interests of all of us to partner with
him or her to address our common security concerns which cannot be
addressed by each of us alone.
Even before announcement by DHS of this Assistant Secretary
position, the IT Sector leadership had long advocated a senior Cyber
Security executive (IT and Communications) for long term leadership,
visibility, making the case for resources, and giving the issue area
stature commensurate with the growing risks as IT and Communications
become ever more critical to so many of our most important societal
functions. The ideal appointee to this new position
must be credible to both government and industry,
must be open to new ideas and recognize the value of
experienced input,
must be a strong leader who can build and maintain
trusted partnerships, and
must convey and get support for a vision of success
and a path to achieve it.
In addition, he or she will need the commitment of DHS and
Administration leadership to succeed. That commitment must strive to
ensure the new Assistant Secretary is
empowered and supported with the resources to succeed,
supported by positive, ``can-do'' legal advisers
willing to break new ground for the close, trusted
relationships required for critical infrastructure protection,
unhampered to readily and effectively partner and
communicate with the private sector, including
unhampered by administrative and bureaucratic
trivia,
unhampered by excessive diversion from
priorities, and
unhampered by well meaning but inappropriately
applied restrictions.
Prioritize and Focus
The new Assistant Secretary must avoid and be protected from
chasing the issue of the day or week. To avoid that trap, he or she
must ensure that lower priorities are handled as and where needed in
the organization but focus his or her attention and that of senior
management and oversight on the main priorities.
Congress can help empower the new Assistant Secretary by helping to
set the right priorities, ensuring resources to achieve them, removing
inappropriate and hampering restrictions and providing oversight to the
priorities while avoiding diversion of time and attention to minor
items.
Trusted Partnership
Trusted partnership is a key, critical priority. For critical
infrastructure protection, the directly involved key personnel from
Government and industry must develop into a well trained, close knit
team. The current leadership at DHS has made huge strides toward improving
partnership but still appears to be hampered by perhaps conservative
interpretation and application of laws and regulations rightly intended
for protection of a procurement or regulatory relationship, not the
national security partnership that Homeland Security needs. Our sectors
are complex, evolutionary and robust. Regulation and mandates cannot
achieve the intelligent preparedness and response capabilities that
thoughtful, voluntary partnership and teamwork can achieve. The best
partnership and teamwork is fostered through physical co-location and
daily interaction in planning, training and executing--just as in any
successful sports team or military unit.
Physical Co-Location for Crisis Coordination--Build on the NCC
A top priority for continuing preparedness and timely response must
be physical co-location and frequent daily interaction of
representatives of all key players--industry and government--for crisis
response management. Ultimately, we execute well that which we develop
thoughtfully and practice carefully, learning and improving as we go.
Writing a plan for winning isn't enough. I suggest that DHS build on
the 20+ years experience with the NCC. Continue to strengthen NCC
interoperation with other key 24/7 operations such as those operated by
ISACs. Add representatives from other, time-critical (``millisecond'')
sectors. Add others in time, with core group representation (i.e.,
representation from the most important organizations for response in
the sector or entity.)
National Crisis Coordination Center
The concept of a jointly (industry and government) manned, National
Crisis Coordination Center has been around for at least a few years
now. In 2004, the Early Warning Task Force begun as one of the National
Cyber Security Summit task forces, recommended \2\ creation of a
national crisis Coordination Center to:
---------------------------------------------------------------------------
\2\ National Early Warning Task Force Recommendation, A NATIONAL
CRISIS COORDINATION CENTER, National Cyber Security Partnership, March
2004
House government, industry and academic security
experts, both physical and cyber, to bridge the cultural
barriers that have hampered a true partnership in
counterterrorism and cyber security
Jointly prepare, exercise, evaluate and update
National Joint Crisis Response plans to prevent, detect and
respond
Operate joint watch centers
Conduct joint exercises at the national level to train
and test the plans
Conduct joint field training at the regional level to
train and further test the plans
Respond jointly to traditional natural events, as well
as malicious events
Proactively share intelligence--both national security
and law enforcement
Include a secure, compartmented intelligence facility
staffed equally with government and private sector
representatives, as well as appropriate state, local and other
representation
Proactively address priority remediation of systemic
vulnerabilities in national level infrastructures
In March 2006, the NSTAC's Next Generation Networks Report
recommended a Joint Coordination Center.\3\
---------------------------------------------------------------------------
\3\ Next Generation Networks Task Force Report, NSTAC, March 28,
2006.
---------------------------------------------------------------------------
A joint coordination center for industry and Government should
be established. This would be a cross-sector industry/
Government facility with a round-the-clock watch, and would be
brought up to full strength during emergencies. Such a center
would improve communications between industry and Government as
well as among industry members, and would incorporate and be
modeled on the NCC.
The center should be a Government-funded, appropriately
equipped facility, manned jointly by experts from all key
sectors. In a fully converged NGN environment, everything will
be interconnected and interdependent to a greater degree, and
thus means of coordinating among all key sectors must exist.
Physically collocated, joint manning is vital to achieve the
high level of interpersonal trust needed for sharing sensitive
specific information and to achieve the level of mutual
credibility required in a fast-paced decision-oriented
environment. It should provide the full set of planning,
collaboration, and decision-making tools for those experts to
work, whether together as a whole or in focused subgroups.
Industry is at times hesitant to share information with the
Government because it is unsure of how the information will be
used, and Government-to-industry information sharing should
also be improved.\4\ DHS has a vision for how HSOC will
function to improve information sharing; however, the HSOC's
current operational interface to the private sector [the
National Infrastructure Coordination Center (NICC)] is nascent
and needs further development. An environment of trust must be
established. A joint operations center could play a key role in
fostering that environment and in enhancing HSOC operations. In
addition, appropriately cleared industry experts collocated in
a joint coordination center with their Government counterparts
could assist the Homeland Infrastructure Threat and Risk
Analysis Center (HITRAC), the DHS intelligence analysis arm, in
performing its analytical and reporting functions, helping to
ensure that HITRAC products are more complete, credible and
useful.
---------------------------------------------------------------------------
\4\ Both these observations were confirmed at the August 2005 NGN
Incident Response Subject Matter Experts meetings. See Appendix D of
the Next Generation Networks Task Force Report, NSTAC, March 28, 2006.
---------------------------------------------------------------------------
The Inspector General at DHS has also stated, ``If the partnership
between the federal government and private sector is to be successful,
another key requirement is establishing a permanent physical location
or forum so that critical and non-critical sectors can interface with
one another and their federal counterparts. This is essential to
developing and maintaining long-term collaborative relationships.''\5\
---------------------------------------------------------------------------
\5\ A Review of the Top Officials 3 Exercise, DHS OIG Report OIG-
06-07, p. 24 (Nov. 2005).
NCC Relocation--an Immediate Concern
Since its establishment, the National Coordinating Center for
Telecommunications (NCC) has been housed in the Defense Information
Systems Agency (DISA) headquarters facility. That location was natural
because the same facility housed the National Communication System
(NCS) which served as the support Secretariat for the NSTAC and also
was assigned responsibility for the jointly manned NCC. That location
turned out to be invaluable for trusted, sensitive information sharing.
It also housed or came to house DISA's Global Network Operations and
Security Center (GNOSC) and its subordinate Defense Department computer
emergency response team (CERT), and the Department of Defense Joint
Task Force--Global Network Operations (JTF-GNO). The synergy and
trusted interaction between and among these entities has become
important to all participants for both national security and emergency
response purposes. Unfortunately, current plans call for relocating the
NCC to co-locate it with the US-CERT operated by DHS.
We should strongly consider the wisdom of separating the NCC from
the DoD entities with which it is located. Instead we should encourage
the leadership of the DoD, DISA and DHS to consider an approach that
could strengthen the value for all: co-locate the US-CERT and other
NCSD operational response elements with the NCC and their counterpart
DoD elements. While each has a different mission and set of customers,
they are all ultimately looking at overlapping sets of data and similar
problem sets. Co-location will allow for greater interaction and
synergy, leading to enhanced efficiency and value for all their
``customers.''
Because the Base Realignment and Closure process is expected to
relocate DISA in a few years, part of the examination of the value for
the nation in achieving multi-organization co-location will have to be
an examination of facility alternatives. But that should not deter us
from at least exploring the potential benefits that could be achieved
for the nation and both our national and homeland security. Ultimately,
the co-location facility could be part of the National Crisis
Coordination Center which I have already described.
My industry colleagues and I would be happy to participate in such
an examination.
Congress Can Help
Support Examination of NCC Co-location and Expansion to a National
Crisis Coordination Center
Look at co-location of the NCC, the US-CERT, the JTF-GNO and other
existing similar entities for advantages to their missions, their
``customers'' and the nation. Similarly, examine the National Crisis
Coordination Center (NCCC) concept in detail and strongly support its
implementation if it holds up to your scrutiny as many of us expect it
will. Be sure to include international liaison in the NCCC. Many of our
allies are even more closely intertwined with us in the Cyber world
than in the physical world. But in both, the interdependencies can be
enormous. In particular, with Canada, many of our key critical
infrastructures and dependencies are mutually shared across our common
border.
Focus on Priorities
Use your oversight and appropriations powers to work with DHS and
the private sector in the establishment of Cyber Security priorities.
Then follow-up to ensure DHS has the necessary resources to implement
those priorities.
Create a Better Environment
Congress can create a better environment for homeland security
partnership, helping us achieve a tight knit, superbly prepared,
professional team with high morale, and a commitment to each other to
succeed. The current environment for government and industry
interaction is designed rightly to prevent fraud and abuse in
procurement or regulatory matters or other areas where an unscrupulous
actor might try to further a personal or organizational agenda,
contrary to the public good. In many ways, those rules implicitly
require Government personnel to maintain an ``arms length,'' almost
adversary relationship. At the very least, they implicitly impugn
motives before the fact. But Homeland Security partnerships must be
close, trusted, and non-public. Could the Washington Redskins or any
professional team succeed if their members were not allowed to get
together to plan and train out of sight of their opponents when needed?
We cannot do away with protection against fraud and abuse. But the
close teamwork and rapid response requirements of Homeland Security and
Critical Infrastructure Protection demand high levels of interpersonal
trust that can only be developed through frequent interaction,
including informal, relationship building interaction. To accomplish
this and still protect against fraud and abuse, I believe that we will
need to replace the rigid rules and bureaucratically slow exception
handling processes with alternative systems that provide strong,
independent oversight to detect, report, halt and punish fraud and
abuse but encourage true partnership, trusted relationships and team
building, treating all participants as if they are members of the same
organization/team, operating under the same code of ethics but free to
form trusted and close relationships.
Examine Innovative Ways to Encourage Private Sector Active
Participation
Congress might be able to help encourage even more private sector
participation in critical infrastructure protection through private
sector bodies such as the SCCs and ISACs. Here are a few examples which
might be worth exploring.
Value Proposition
Congress and the DHS should work with SCCs, ISACs and other private
sector institutions to develop a compelling value proposition with
industry to further improve our working relationship for critical
infrastructure protection and expand improved cyber security behavior.
Not doing so is contrary to our national and homeland security
interest. Many companies and other private sector institutions
understand this. But many still do not. We need to make the value
proposition compelling so that the vast majority--and all the critical
ones--understand and pro-actively participate.
Congressional and Executive Support for SCCs and ISACs
Carefully examine the positive role that DHS and Administration
executive leadership could and should play in encouraging sector
members to participate in their respective SCCs and ISACs. Private
sector leaders responded to previous Government requests and have
expended significant resources to create the partnership model
organizations requested. But when it comes to encouraging sector
members to join those bodies and actively participate in them,
Government executives have been strangely absent or quiet for the most
part. Also, in some cases they have reached out through other
organizations not formed for these specific purposes. The net effect of
their silence or misaimed outreach is contrary to the very goals they
envisioned achieving when they asked the private sector to form ISACs
and SCCs.
Simply put, they should always turn first to the organizations they
asked us to form to fit their model for working with them. And they
should not be shy about encouraging sector members to join those
organizations (ISACs and SCCs), even to the extent of expressing
unhappiness with important sector ``core'' players who fail to do so.
If there are any rules in place that impede such demonstrable support,
they should be revisited swiftly and decisively.
Technical and Operational Support
The ultimate goal of our partnership model is to create an
infrastructure environment that is intended to deter attacks as much as
feasible and operationally prepared to respond, recover and
reconstitute to any attack or emergency as rapidly and effectively as
feasible. Operational preparedness and success will depend ultimately
on a partnership that is focused on operations even more than on
policy. The recommendations I have made for a jointly manned, National
Crisis Coordination Center (NCCC) will help significantly to shift to
an operational focus. But it will also take working out and testing our
individual and collective Concepts of Operations (CONOPS), constantly
improving them so our operational metrics continually improve. The best
solutions may call for cross sector or even government to industry
provisioning of technical and operational support. For example, DHS
support to operational ISACs might be appropriate. Operational
readiness and improvement should be one of our highest priorities.
Congressional Charters
Examine the Potential Value of a Congressional Charter for
established SCCs and ISACs. If a National Crisis Coordination Center is
supported, consider a Congressional Charter for it as well.
Congressional Charters would give Congress enhanced visibility into
their functioning and would allow for periodic GAO audit. They would
also help many SCCs and ISACs recruit the broad membership and
participation they need from their sectors.
Procurement
Consider using procurement in DHS, or even government-wide, as a
carrot for greater private sector participation and proactive,
operational commitments.
Congressional Awareness and Education
Finally, to help prepare you for the increasingly complex issues of
the Cyber Security Age, I suggest you consider forming a bipartisan
House caucus for cyber security (IT and communications) to provide a
forum for educating staff and members on the relevant issues.
Attachment
Summary of a few Key Cyber Security and Telecommunications Partnerships
and Key Initiatives
NSTAC
President Ronald Reagan created the National Security
Telecommunications Advisory Committee (NSTAC) by Executive Order 12382
in September 1982. Composed of up to 30 industry chief executives
representing many of the major communications and network service
providers and information technology, finance, and aerospace companies,
the NSTAC provides industry-based advice and expertise to the President
on issues and problems related to implementing national security and
emergency preparedness (NS/EP) communications policy. Since its
inception, the NSTAC has addressed a wide range of policy and technical
issues regarding communications, information systems, information
assurance, critical infrastructure protection, and other NS/EP
communications concerns.
NS/EP communications enable the Government to make an immediate and
coordinated response to all emergencies, whether caused by a natural
disaster, such as a hurricane, an act of domestic terrorism, such as
the Oklahoma City bombing and the September 11th attacks, a man-made
disaster, or a cyber attack. NS/EP communications allow the President
and other senior Administration officials to be continually accessible,
even under stressed conditions.
The NSTAC has addressed numerous issues in the past 24 years. A few
examples illustrate NSTAC's capabilities to address NS/EP
communications issues in today's environment: the establishment of the
National Coordinating Center for Telecommunications (NCC); the
implementation of the Government and NSTAC Network Security Information
Exchange (NSIE) process; the Telecommunications Service Priority (TSP)
program; Government Emergency Telecommunications Service (GETS) and
Wireless Priority Service (WPS); and the examination of the NS/EP
implications of Internet technologies and the vulnerabilities of
converged networks. These accomplishments are briefly described below.
NCC--From ``NSTAC Report to the President on the National Coordinating
Center,'' May 10, 2006
The NCC was established to fulfill a critical need for a national
coordinating mechanism to organize and manage the initiation and
restoration of NS/EP communications services. This need was identified
at the dawn of the divestiture of AT&T and the height of the Cold War.
As Government increasingly relied on commercial communications services
and no longer had a single point of contact (POC) for the industry,
Government needed a joint industry and Government-staffed organization
to coordinate emergency requests. The NCC became operational on January
3, 1984.
The National Coordinating Center (NCC) has been the hub for
coordinating the initiation and restoration of national security and
emergency preparedness (NS/EP) communications services for more than 20
years--supporting four administrations and evolving as threats and
national priorities have shifted. Following the September 11, 2001,
terrorist attacks, the NCC proved its value to the Nation as it
supported the restoration of communications in the New York and
Washington, D.C., areas. The NCC has also repeatedly shown its strength
during hurricane recovery efforts, including Hurricane Katrina.
. . .the NSTAC recommended designating the NCC as the Information
Sharing and Analysis Center (ISAC) for telecommunications in 1999.
With the establishment of the Department of Homeland Security
(DHS) and the transfer of the National Communications System (NCS) to
the new department in 2003, the NCC also has made the transition to
DHS.
The primary mission of the NCC throughout its history has been to
coordinate the restoration and provisioning of communications services
for NS/EP users during natural disasters, armed conflicts, and
terrorist attacks. Significant events such as the Hinsdale, Illinois,
central office fire, the Oklahoma terrorist bombing, the events of
September 11, 2001, and Hurricane Katrina have proved the value of this
partnership. During a crisis, Government personnel communicate NS/EP
requirement priorities to industry, and industry representatives assist
the Government in developing situational awareness by providing
restoration status information. Having the representatives in one
location ensures a smoother restoration effort. The NCC's all-hazards
response depends on the flexible application of NCS resources, such as
its priority service programs (e.g., Government Emergency
Telecommunications Service, Wireless Priority Service, and
Telecommunications Service Priority [TSP] Program).
During day-to-day operations, NCC members work on plans and share
information on vulnerabilities and threats to the telecom
infrastructure. Planning activities include developing lessons learned
following events, creating comprehensive service restoration plans,
planning for continuity of operations (COOP)/continuity of Government
(COG) activities, and participating in exercise planning. In addition,
the NCC works with international emergency response partners, including
the North Atlantic Treaty Organization (NATO), International
Telecommunication Union (ITU), and Canada, on crisis communications and
mutual assistance.
In 2000, the NCC was designated the ISAC for telecommunications per
the guidance in the 1998 Presidential Decision Directive 63 (PDD-63),
Protecting America's Critical Infrastructures, which encouraged the
private sector to establish ISACs to ``serve as the mechanism for
gathering, analyzing, appropriately sanitizing and disseminating
private sector information.'' As part of the ISAC mission, the NCC
collects and shares information about threats, vulnerabilities,
intrusions, and anomalies from the communications industry, Government,
and other sources. Analysis on information is performed with the goal
of averting or mitigating impact on the communications infrastructure.
The NCC has historically been an operational element and as such
does not fall under provisions of the Federal Advisory Committee Act
(FACA). A June 1, 1983, letter to the NCS from Assistant Attorney
General William F. Baxter discussed issues of incident management and
information sharing for the proposed National Coordinating Mechanism
(NCM) (which became the NCC) and noted that such an organization posed
no significant antitrust problems.
. . .Since the transition to DHS, the NCC has been involved in
additional critical infrastructure protection (CIP) activities. As part
of the implementation of Homeland Security Presidential Directive
(HSPD) 7, DHS is tasked with identifying, prioritizing, and protecting
the Nation's critical infrastructure. Through the NCC, the NCS often
coordinates data calls on the identification of assets, coordinates
planning for national special security events (NSSE), and provides
impact analyses. In the future, NCC industry members may be asked to
further assist in the risk assessment process as detailed in the
sector's Sector-Specific Plan.
NSIE--From ``GUIDE TO UNDERSTANDING THE NATIONAL COORDINATING CENTER
FOR TELECOMMUNICATIONS AND THE NETWORK SECURITY INFORMATION
EXCHANGES,'' PREPARED BY THE OFFICE OF THE MANAGER, NATIONAL
COMMUNICATIONS SYSTEM, MARCH 2001
In April 1990, the Chairman of the National Security Council's
(NSC) Policy Coordinating Committee--National Security
Telecommunications and Information Systems requested the
Manager, NCS, identify what action should be taken by
Government and industry to protect critical national security
telecommunications from the ``hacker'' threat. . . .In response
to the NSC tasking, the Manager, NCS and the NSTAC established
separate, but closely coordinated, NSIEs. In May 1991, the NSIE
charters were finalized, and Government departments and
agencies and NSTAC companies designated their NSIE
representatives, chairmen, and vice-chairmen. The first joint
meeting of the Government and NSTAC NSIEs was held in June
1991.
The Government and NSTAC NSIEs meet jointly approximately every two
months. The NSIEs provide a working forum to identify issues involving
penetration or manipulation of software and databases affecting NS/EP
telecommunications. The NSIEs share information with the objectives of:
Learning more about intrusions into and
vulnerabilities affecting the PN
Developing recommendations for reducing network
security vulnerabilities
Assessing network risks affecting network
assurance
Acquiring threat and threat mitigation
information
Providing expertise to the NSTAC on which to
base network security recommendations to the President.
The success of the NSIEs is based in large part on the
establishment of trusted interpersonal relationships. Participants--
government and industry--must hold requisite security clearances and
sign individual non-disclosure agreements. The organizations sending
participants to the NSIEs must also sign organizational non-disclosure
agreements.
TSP--From NCS Web site
Telecommunications Service Priority (TSP) provides service
vendors with a Federal Communications Commission (FCC) mandate
for prioritizing service requests by identifying those services
critical to NS/EP. A telecommunications service with a TSP
assignment is assured of receiving full attention by the
service vendor before a non-TSP service.
From briefing ``NCS Roles During the Attack on America,''
Deputy Manager, NCS, August 9, 2002
Nearly 40,000 TSP circuits enrolled by NCS prior to 9/11
tragedy
TSP vital in accelerating the opening of Wall Street on
9/17
Major coordination in restoration of
telecommunications for Broad Street switches--
major role to restore stock and bond markets
NCS supported nearly 600 provisioning requests
following 11 Sep 01
46 organizations (incl. FBI, FEMA, FRB, Port
Authority, DoD)
GETS--From NCS Web site
Implemented in the early 1990's, Government Emergency
Telecommunications Service (GETS) is an emergency phone service
provided by the National Communications System (NCS) in the
Information Analysis and Infrastructure Protection Division of
the Department of Homeland Security. GETS supports federal,
state, local, tribal, industry, and non-governmental
organization (NGO) personnel in performing their National
Security and Emergency Preparedness (NS/EP) missions. GETS
provides emergency access and priority processing in the local
and long distance segments of the Public Switched Telephone
Network (PSTN). It is intended to be used in an emergency or
crisis situation when the PSTN is congested and the probability
of completing a call over normal or other alternate
telecommunication means has significantly decreased.
From briefing ``NCS Roles During the Attack on America,''
Deputy Manager, NCS, August 9, 2002
The AT&T long distance network carried a record 431 million
call attempts on Sept. 11, 101 million more than the previous
high-traffic day.
Massive congestion in WTC & Pentagon areas
Over 10,000 GETS calls in WTC/Pentagon areas
Over 95% completion rate--Highest calling in
first 48 hours
GETS PIN Cards:
Over 1,500 key personnel made GETS calls
Over 20,000 GETS PIN cards issued following
events of September 11th
WPS--From NCS Web site
Wireless Priority Service (WPS) is the wireless complement to
GETS. In the early 1990's, the OMNCS initiated efforts based on
NSTAC recommendations, to develop and implement a nationwide
cellular priority access capability in support of national
security and emergency preparedness (NS/EP) telecommunications
and pursued a number of activities to improve cellular call
completion during times of network congestion. Subsequently, as
a result of a petition filed by the NCS in October 1995, the
FCC released a Second Report and Order [FCC-00-242, July 13,
2000] (R&O) on wireless Priority Access Service (PAS). The R&O
offers Federal liability relief for NS/EP wireless carriers if
the service is implemented in accordance with uniform operating
procedures. The FCC made PAS voluntary, found it to be in the
public interest, and defined five priority levels for NS/EP
wireless calls.
Wireless network congestion was widespread on September 11,
2001. With wireless traffic demand estimated at up to 10 times
normal in the affected areas and double nationwide, the need
for wireless priority service became a critical and urgent
National requirement. In response, the National Security
Council requested that the NCS deploy a nationwide priority
access queuing system for wireless networks.
From briefing ``NCS Roles During the Attack on America,''
Deputy Manager, NCS, August 9, 2002:
Verizon Wireless experienced a 50 to 100 percent
increase nationwide. Wireless networks remained near
saturation in NY through September 28th.
Cingular Wireless' attempted calls ballooned by 400
percent in Washington and 1000 percent in its N.J.
Switching Center.
PDD 63 and Sector Coordinators
Presidential Decision Directive 63 (PDD 63) was released in May
1998. It ordered the development of sector-specific critical
infrastructure protection plans and established the role of private
industry sector coordinators. The Information & Communications Sector,
as then designated under PDD 63, had four organizations sharing the
sector coordinator role: the Cellular Telecommunications and Internet
Association (CTIA); the Information Technology Association of America
(ITAA); the Telecommunications Industry Association (TIA); and the
United States Telecom Association (USTA).
Important early contributions of the Sector coordinators included
developing internal sector awareness
organizing voluntary sector participation in
planning
leading the way in the formation of
Information Sharing and Analysis Centers for
Information Technology and Telecommunications
developing the I&C Sector National Strategy Input
for Critical Infrastructure and Cyberspace Security, May
2002
PCIS
The Partnership for Critical Infrastructure Security (PCIS)
consists generally of the leadership (usually the Chairs) of the
organized Sector Coordinating Councils for the various critical
infrastructures. The PCIS coordinates cross sector critical
infrastructure protection interests and initiatives within the private
sector and with the Government under the partnership model described
within the National Infrastructure Protection Plan.
NCSP (Santa Clara Dec 03 Summit, TFs, reports, Wye I, Wye II)
The National Cyber Security Partnership (NCSP) combines
representatives from government, industry and academia working
together to harden the nation's cyber defenses. The partnership
provides a forum, structure and common agenda for
interdisciplinary, cross-industry information exchange with
government. Lead organizations of the partnership are: the
Business Software Alliance, Information Technology Association
of America, TechNet and the U.S. Chamber of Commerce. The
public-private partnership was formed during the National Cyber
Security Summit on December 3, 2003, in Santa Clara,
California, which aimed to gather cyber security experts across
disciplines to embark on a work program to develop
recommendations for implementing key challenges posed in the
2003 National Strategy to Secure Cyberspace. The partnership
established five task forces comprised of cyber security
experts from industry, academia and government. Each task force
was led by two or more co-chairs. The NCSP-sponsoring trade
associations act as secretariats in managing task force work
flow and logistics. The task forces included:
Awareness for Home Users and Small Businesses
Cyber Security Early Warning
Corporate Governance
Security Across the Software Development Life Cycle
Technical Standards and Common Criteria
The resulting task force recommendations in 2004 were provided to
DHS. Many are still valid and valuable.
In follow-up to the National Cyber Security Summit and the reports
of the task forces, DHS' National Cyber Security Division hosted a
government and private sector exchange at the Wye River Conference
Center in Maryland in January 2005. A second follow-up exchange (``Wye
II'') was hosted by the NCSP in Annapolis, MD, in September 2005. Many
of the original Summit Task Forces' Recommendations continue to be
brought up as potentially valuable.
CIPAC--extracted from DHS sources
In March 2006, the Department of Homeland Security established the
Critical Infrastructure Partnership Advisory Council (CIPAC) to
facilitate effective coordination between Federal infrastructure
protection programs with the infrastructure protection activities of
the private sector and of state, local, territorial and tribal
governments.
The CIPAC represents a partnership between government and critical
infrastructure/key resource (CI/KR) owners and operators and provides a
forum in which they can engage in a broad spectrum of activities to
support and coordinate critical infrastructure protection.
CIPAC membership will encompass CI/KR owner/operator institutions
and their designated trade or equivalent organizations that are
identified as members of existing Sector Coordinating Councils (SCCs).
It also includes representatives from Federal, state, local and
tribal governmental entities identified as members of existing
Government Coordinating Councils (GCCs) for each sector.
IDWG--extracted from DHS sources
The Internet Disruption Working Group (IDWG) is a DHS-hosted,
informal gathering of industry and government Internet technical
operation experts who collaboratively explore vulnerability issues and
identify recommended actions to address them. The IDWG is beginning to
establish important, trusted interpersonal relationships amongst
government and industry technical experts. The IDWG was established by
NCSD in partnership with the National Communications System (NCS), in
response to security concerns surrounding the growing dependency of
critical infrastructures and national security and emergency
preparedness users on the Internet for communications, operational
functions, and essential services.
The IDWG's near-term objectives are to improve the resiliency and
recovery of Internet functions in the event of a cyber-related incident
of national significance; work with both government and private sector
stakeholders to identify and prioritize protective measures necessary
to prevent and respond to major Internet disruptions; and assess the
operational dependencies of critical infrastructure sectors on the
Internet. The 2005 IDWG Forum identified specific areas for action by
both government and private sector stakeholders, including risk
assessments, information sharing, protective measures, research and
development, and Internet development issues. The IDWG is engaging with
both public and private stakeholders to address these action items. The
IDWG also plans to hold future forums and tabletop exercises, including
an IDWG Tabletop Exercise, on June 15, 2006, to maintain both a pulse
of the issues and an understanding of existing capabilities.
Mr. Lungren. Thank you very much for your testimony.
Now, we would hear from Mr. David Barron, the chairman of
the Telecommunications Sector Coordination Council.
STATEMENT OF DAVID M. BARRON, CHAIR, TELECOMMUNICATIONS SECTOR
COORDINATING COUNCIL
Mr. Barron. Good afternoon, Mr. Chairman and fellow members
of the subcommittee. It is an honor and a pleasure to be here
with you today and I thank you for the opportunity to discuss
this very important topic, the future of cybersecurity and
telecommunications.
I am David Barron. I am assistant vice president for
federal relations and national security for BellSouth, here in
our Washington Office, but I am appearing today as the chair of
the Communications Sector Coordinating Council. My testimony
reflects my personal views as the chair of the council and not
the views of BellSouth.
Sector-specific planning and coordination are addressed to
private sector and government coordinating councils that are
established for each sector through the national infrastructure
protection plan.
Sector coordinating councils are comprised of private
sector entities, representatives. Government coordinating
councils are comprised of representatives from government
agencies, state, local and tribal entities.
Established in 2005, the Communications Sector Coordinating
Council has over 25 owners and operators and associations
represented on the council today and we anticipate adding new
members, as we continue to broaden our membership.
While Homeland Security Presidential Directive 7 defined
our sector as telecommunications, we in the industry feel that
communications is a more representative title and that
represents our diverse membership more accurately.
Our membership today includes wire line, wireless,
satellite, equipment manufacturers and Internet service
providers, among others. We are also actively trying to expand
the membership to include cable telephony, emergency service
providers, and broadcasters, so that the Communications Sector
Coordinating Council truly represents the breadth of this
dynamic sector.
One of the sectors we call, as Guy said, the millisecond
sector because of the nature of how our sector works.
The Communications Sector Coordinating Council is currently
engaged in a wide variety of activities not only with our
government colleagues, but also with the Department of Homeland
Security, as well as other sector coordinating councils on a
number of initiatives the foremost of which, and you have heard
about it today, is the creation of the sector-specific plan.
We are well into that and we are anxious to get that
project finished as soon as possible.
In addition to the sector-specific plan, the Communications
Sector Coordinating Council is engaged in several other
important activities and I think the point is, as Guy said, we
are not on hold. We are working every day to ensure the best
security we can for the nation.
These other activities include pandemic flu planning,
national coordinating center, regional coordination concepts,
post-Katrina issues, such as access, credentialing and
emergency responder status as it relates to the Stafford Act,
emergency wireless protocols, and many other activities.
Finally, the world of communications often has considerable
interaction and interdependencies with information technology,
another critical infrastructure identified through HSPD-7. As
such, the Communications Sector Coordinating Council has
established a close working relationship with the Information
Technology Sector Coordinating Council on issues of mutual
concern.
In September, the Communications and Information Technology
Councils will be holding the first ever joint meeting with all
four councils present, both communications, IT and the
government counterparts, to discuss cross-sector issues, such
as the creation of sector-specific plans that are complementary
and support of each other.
With the support of Under Secretary Foresman, the assistant
secretary for infrastructure protection, Bob Stephan, has
overseen many of these initiatives while in the acting
assistant secretary for cybersecurity and telecommunications
position and while serving as the manager of the National
Communications System, known as the NCS.
We are pleased with the progress that has been made, but
the industry would welcome additional focus brought to bear by
a dedicated assistant secretary for cybersecurity and
telecommunications.
Obviously, we should view all critical infrastructures and
key resources defined in HSPD-7 as critically important to the
nation. However, communications and information technology are
unique in that they underlie and support all the other sectors.
Each of the other sectors depends upon computer systems,
voice networks, broadband systems, wireless networks, and
countless other structures and services provided by the
communications and IT communities. Those sectors are equally
critical in support of the nation's homeland security mission.
While DHS has been very helpful and responsive in many of
these matters, there are areas in which the private sector
would specifically like to see continued progress and
improvement.
First, while the current team of leadership at DHS has done
a good job working with the sector, the position of assistant
secretary for cybersecurity and telecommunications remains
vacant. As I stated earlier in my testimony, Assistant
Secretary Stephan has done an admirable job in working with the
communications and IT sectors, but a dedicated assistant
secretary could dramatically strengthen this critical public-
private partnership.
Second, a clear definition of the mission needs to be
established. What does cybersecurity and telecommunications
really mean as it relates to national security, homeland
security and emergency preparedness? In other words, what is
the problem we are trying to solve?
There is such a wide range of threats and vulnerabilities
that a clear vision of the problem tied to priorities is
essential.
Third, DHS needs to clearly define roles and
responsibilities for all of those involved in this process, and
this comes back to the understanding of the problem and a clear
strategy based on risk assessment and priorities. By clarifying
who is in charge of what, more will be accomplished in an
efficient and effective manner.
Finally, and I think very importantly, DHS should recognize
that the private sector is willing and fully committed to this
partnership. If this framework is truly intended to be a
partnership, then more emphasis needs to be placed on ensuring
there is a trusted relationship between the public and private
sectors, which is in the best interest of the nation's
security.
For example, the national coordinating center for
communications, the NCC, is a model to follow for the
partnership that is mandated by the future. In the NCC,
government and industry sit together every day to prepare for
and to respond to events that threaten the nation's
communications networks.
The NCC has had a long history of success. I think this
model could and should be expanded to include other
infrastructure, like information technology and electric power.
As I close, I would like to, again, thank the subcommittee
for the opportunity to speak today and for your support on
these efforts. The partnership framework is incredibly valuable
and continues to serve as a conduit for unprecedented
cooperation and collaboration between government and private
industry.
There is room for improvement, to be sure, but the
suggestions I have presented here today are intended to further
strengthen those valued interactions and ensure we jointly
continue to take steps to secure our homeland.
Thank you, sir.
[The statement of Mr. Barron follows:]
Prepared Statement of David M. Barron
Good Afternoon Mr. Chairman and fellow members of the committee. It
is an honor to appear before you today and I thank you for the
opportunity to discuss this very important topic, the future of cyber
security and telecommunications.
I am David Barron, Assistant Vice President for Federal Relations/
National Security with BellSouth Corporation here in our Washington
office, but I am appearing today as the Chair of the Communications
Sector Coordinating Council (CSCC). My testimony reflects my personal
views as Chairman of the CSCC and not the views of BellSouth.
Let me begin by giving you a brief background on the Sector
Partnership Model and the Communications SCC in particular. Homeland
Security Presidential Directive 7 (HSPD-7) established the basis for a
national coordinated approach to critical infrastructure protection,
including the development of the National Infrastructure Protection
Plan (NIPP) as well as the Sector Partnership Model. The NIPP defines
the organizational structure that provides the framework for
coordination of Critical Infrastructure and Key Resources (CI/KR)
protection efforts at all levels of government, as well as within and
across sectors.
Sector-specific planning and coordination are addressed through
private sector and government coordinating councils that are
established for each sector. Sector Coordinating Councils (SCCs) are
comprised of private sector representatives. Government Coordinating
Councils (GCCs) are comprised of representatives of the Sector-Specific
Agencies, other Federal departments and agencies, and state, local, and
tribal governments.
Established in 2005, the Communications Sector Coordinating Council
has over 25 owner/operators and associations represented on the Council
and we anticipate adding new members as we continue to broaden our
membership. While HSPD-7 defined our sector as ``Telecommunications'',
we in the industry feel that ``Communications'' is a more encompassing
title that represents our diverse membership. Our membership today
includes wireline, wireless, satellite, equipment manufacturers, and
internet service providers among others. We are also actively trying to
expand the membership to include cable telephony, emergency service
providers and broadcasters so that our Communications Sector
Coordinating Council truly represents the breadth of this dynamic
sector; one of the sectors we call the ``millisecond'' sector due to
the nature of how our sector works.
The CSCC is currently engaged in a wide variety of activities not
only with our Communications Government Coordinating Council
counterparts, but also with the Department of Homeland Security as well
as other Sector Coordinating Councils on a number of initiatives,
foremost of which is the creation of our Sector Specific Plan.
The NIPP base plan is supported by several Sector Specific Plans
(SSPs) that provide further detail on how the critical infrastructure
and key resources protection mission of each sector will be carried
out. In late August the Communications SCC and GCC held a joint meeting
in Washington, D.C. to coordinate on several issues, the most prominent
of which is the development of the Sector-Specific Plan (SSP) as I
mentioned before. The CSCC and GCC have been actively collaborating on
a draft of the Communications SSP, with both Councils providing input
and comments throughout the process. This effort is continuing and we
are on track to submit the Communications SSP by the end of the year to
DHS.
In addition to the SSP, the Communications SCC is engaged in
several other important activities, including Pandemic Flu planning,
National Coordinating Center (NCC) regional coordination, post-Katrina
issues such as access, credentialing, and emergency responder status
related to the Stafford Act, emergency wireless protocols, and many
other activities.
Finally, the world of Communications often has considerable
interaction and interdependencies with Information Technology (another
critical infrastructure established by HSPD-7). As such, the
Communications SCC has established a close relationship with the
Information Technology SCC to work on issues of mutual concern. In
September the Communications and Information Technology SCCs and GCCs
will be holding the first ever Joint meeting, with all four councils
present, to discuss cross-sector issues such as the creation of Sector
Specific Plans that are complementary and supportive of each other.
With the support of Under Secretary Foresman, Assistant Secretary
for Infrastructure Protection Bob Stephan has overseen many of these
initiatives while in the Acting Assistant Secretary for Cyber Security
and Telecommunications position and while serving as the Manager of the
National Communications System (NCS). We are pleased with the progress
that has been made. But the industry would welcome the additional focus
brought to bear by a dedicated Assistant Secretary for Cyber Security
and Telecommunications.
Obviously, we should view all the critical infrastructures and key
resources defined in HSPD-7 as critically important to the nation.
However, Communications and Information Technology are unique in that
they underlie and support all of the other sectors. Each of the other
sectors depends upon computer systems, voice networks, broadband
systems, wireless networks, and countless other structures and services
provided by the Communications and IT communities. As a result,
Congress has mandated and DHS has begun implementing strategies and
procedures to ensure specific emphasis on these valuable cross-sector
interdependencies. For example, the National Infrastructure Protection
Plan and the supporting Sector Plans are working very specifically to
address this convergence of Communications and Information Technology
into what is referred to as the Next Generation Networks. As this work
continues, there must be a balanced approach when looking at Cyber
Security and Telecommunications. Both sectors are equally critical in
support of the Nation's Homeland Security mission.
While DHS has been very helpful and responsive in many of these
matters, there are areas in which the private sector would specifically
like to see continued progress and improvement. First, while the
current team of leadership at DHS, including Under Secretary Foresman,
Deputy Under Secretary Robert Zitz, and Assistant Secretary Stephan,
have done an excellent job, the position of Assistant Secretary for
Cyber Security and Telecommunications remains vacant. As I stated
earlier in my testimony, Assistant Secretary Stephan has done an
admirable job in working with the Communications and Information
Technology community but a dedicated Assistant Secretary could
dramatically strengthen this critical public/private partnership.
Second, a clear definition of the mission needs to be established.
What does Cyber Security and Telecommunications really mean as it
relates to National Security, Homeland Security and Emergency
Preparedness? In other words, what is the problem that we are trying to
solve? There is such a wide range of threats and vulnerabilities that a
clear vision of the problem tied to priorities is essential.
Third, DHS needs to clearly define roles and responsibilities for
all of those involved in this process. Again, this comes back to the
understanding of the problem and a clear strategy based on risk
assessment and priorities. By clarifying who is in charge of what, more
will be accomplished in an efficient and effective manner.
Finally, DHS should recognize that the private sector is willing
and fully committed to this partnership. If this framework is truly
intended to be a partnership, then more emphasis needs to be placed on
ensuring there is a trusted relationship between the public and private
sectors, which is in the best interest of our Nation's security. For
example, the National Coordinating Center for Communications--the NCC--
is a model to follow for the partnership that is mandated by the
future. In the NCC, government and industry sit together every day to
prepare for and to respond to events that threaten the Nation's
communications networks. The NCC has had a long history of success and
I think this model could and should be expanded to include other
infrastructures like Information Technology/Cyber and Electric Power.
The continued health and evolution of the partnership depends not only
on private sector participation, but DHS's recognition of the value of
that partnership with a commitment to work more closely with industry.
As I close, I would like to again thank Congress for the
opportunity to speak today and for their support in these efforts. The
partnership framework is incredibly valuable and continues to serve as
a conduit for unprecedented cooperation and collaboration between
government and private industry. There is room for improvement to be
sure, but the suggestions I have presented here today are intended to
further strengthen these valued interactions and ensure we jointly
continue to take steps to secure our homeland.
Thank You.
Mr. Lungren. Thank you all for your testimony.
We will go to a round of questioning. We promised that we
would get you out of here no later than 6:00. So we will see
how long that takes us with the members who are here.
Let me begin the questioning by asking you, Mr. Pelgrin,
how would you describe the overall priority that the federal
government has placed on cyber-related critical infrastructure
protection?
Mr. Pelgrin. I believe that they have put a high priority
on it. I think that they definitely need to fill the assistant
secretary position. But I know that even the undersecretary,
that when he was in Virginia, was actually one of our multi-
state ISAC members.
So he, from early on, believed very much in cybersecurity.
So from my experience, from the governmental experience, from
the state and local government, the support that we have
received, the direction, the cooperation with the federal
government has been excellent.
I think there is always room to improve. I think that there
is always a need, both on a state and local government side, to
move this forward. I am a big believer that this is to build it
as you go and it really is a time to make sure that we have
very strict deliverables and get those deliverables executed.
So from a priority perspective, I think that that badly, by
not having the assistant secretary position filled, taints all
the good work that they are doing and they are doing a lot of
good work.
Mr. Lungren. Mr. Kurtz, of the six points that you have
made, the first, I noted, was lead, lead, lead.
Is that a suggestion that the department is not leading at
the present time?
Mr. Kurtz. It would be a suggestion that they are not
leading.
Mr. Lungren. Are they compromised not leading because of
the absence of a leadership position being filled?
Mr. Kurtz. I think so. Certainly, the assistant secretary
of cybersecurity and telecommunications will provide some
leadership. It is not a panacea, though. I think we have to go
higher up the line in the department, as well, to ensure that
they are paying attention to the issue at the most senior
levels.
I commend Under Secretary Foresman for spending the time
today to address this issue up here on the Hill. He was at a
committee meeting earlier today, and it is very good to see him
here.
Mr. Lungren. And I got a deliverable. I got a letter from
the secretary answering my questions, from my letter of July 5.
Maybe we ought to have these meetings more often.
Mr. Kurtz. If I can, I think it is symptomatic of across
the federal government. We have, if you will, a reluctance
among senior officials to engage on cyber and I think one of
the real reasons is it is not visual. You can't see it, you
can't touch it, you can't feel it.
When you go into a cyber?
Mr. Lungren. You can't show it to your constituents.
Mr. Kurtz. You can't show it to your constituents, as well.
You go into a cyber NOC and you look at it and, quite
frankly, it can be pretty boring. But this logical system, this
nervous system that we depend upon controls every facet of our
lives.
And just because we can't see it and taste it and smell it
doesn't mean we shouldn't be paying attention to it.
Mr. Lungren. Mr. Kurtz, who is further along, in your
estimate, the private sector or the federal government, in
terms of cybersecurity?
Mr. Kurtz. I think there are elements of the private sector
that are quite far along. I would highlight the banking and
finance industry. The banking and finance industry has brought
incredible sophistication to this space.
Can they do better? Sure. I think the energy, the oil and
gas sector is getting more serious about this. I think Doug
Bond's program, Doug at least was behind a little bit ago, the
logic program that they are doing on working on SCADA control
systems and improving the security is a fantastic program and
it is a partner program.
So there is work under way in that area. Frankly, I think
the other sectors, many of the other sectors have a long way to
go.
Mr. Lungren. I mean, if we are going to have a team in
this, you look at the football analogy, you have got to have
both the offense and the defense and the special teams all
working together.
I look at this as a partnership opportunity and obligation,
private sector-public sector, in part, because 85-90 percent of
the critical infrastructure is owned not by the government, but
by the private sector.
I would assume that if we have got the cyber world involved
in critical infrastructure, that we would have that same sort
of percentage. So we have got to be firming up both sides.
And to Mr. Copeland and Mr. Barron, thank you for your
testimony and thank you for the work that you are doing. You
are doing double-duty, too. I mean, you are doing the work for
your companies and you are also doing the work in these
coordinating councils.
A general question to the two of you and then maybe if we
get time for a second round, I can go into more specifics.
How well is the concept of the coordinating councils
working? You are putting a lot of effort into it. Obviously,
you think it is worthwhile, because you are both still doing
it.
You are getting the cooperation of not only your companies,
but like companies. But is government listening? Is government
really acting as a partner with you in these coordinating
councils?
Do you feel that your time is well spent? And has the
experience been such that it is encouraging to have other
companies become involved and commit their people to the time
that is necessary to actually make a contribution?
Mr. Copeland. Mr. Chairman, as a general observation, of
course, our sector coordinating councils are just getting
started. So the answer is it remains to be seen how they will
survive in the long run, but I am very excited about how they
are starting out.
The intention was that they would provide broad
representation for their sectors to work with their government
counterparts, to attack a variety of issues, many of which you
have heard discussed here today.
I have to say, even as we were going through our formative
process, we were already working with our government
colleagues, doing, for example, detailed word-by-word reviews
on the national infrastructure protection plan.
So we had that kind of interaction with them. The writing
team that we have formed and which Paul co-chairs for us, that
is working on the sector-specific plan, is made up of both
industry and government representatives. So I am very positive
on that.
Is there room for progress? Yes. I am very concerned that
we need to quickly move on to reaching out across the country
to the many different, some very key players who need to become
aware of the sector coordinating council and become involved in
it, as well.
When I spoke to the recommendation of encouragement and
looking to our government colleagues, both the executive branch
and Congress, for that kind of encouragement, you can do some
of that when you are back in your districts and you are talking
to executives.
You can build some of that encouragement, where
appropriate, into legislation, where there might be an
opportunity. I would like to see more of the senior executives
in both the executive branch and Congress sending letters to
the senior executives in the private sector, saying, ``Look,
this is an important activity. It will ultimately bring value
to your company, help provide general protection to you,
protect you in the mission or business services that you offer
to your clients, and it will help the nation.''
And even beyond that, because the whole issue of
information security and cybersecurity is inextricably
intertwined with many of our closest allies, but most
particularly with our Canadian allies because of the border
that we share and the way that our infrastructures happen to be
built and intertwined very, very closely.
So it is going to have international impact, as well, for
them to participate.
I have watched with pleasure as some motivating factors
have crept into things that are extremely useful. So, for
example, the federal financial institutions examination council
has now built into their guidelines for examining information
security and financial institutions a requirement that whoever
provides their information technology and communications must
be participating in an ISAC, and that could be the company
itself or it could be an outsourced company like mine that may
provide those kind of services to them.
So that is positive reinforcement for joining those
institutions and working together to solve these common
problems.
Mr. Lungren. Thank you.
Mr. Barron?
Mr. Barron. Thank you, Mr. Chairman. I think the sector
coordinating council concept is working very well.
Telecommunications and communications, in general, has a
longstanding history with the government through the national
communications system and the NCC. We have been partners with
them for well over 20 years and there is a close relationship
there.
It has performed very well, 9/11, Katrina, I mean, we have
been there and we have had a lot of success in the face of
disasters. So I think that relationship and that partnership
is, without question, there through the NCS.
The key is, I think, trying to turn the sector-specific
plans from something that you are required to do to something
that you want to do and we are making progress there and
bringing in what I call, Mr. Chairman, nontraditional players
into the Communications Sector Coordinating Council, cable
telephony, those kind of folks who haven't traditionally been
involved, but they are very critical players, are now getting
engaged and we are very pleased with that, and think the NCS
and the DHS folks are helping us with that.
So I think the partnership is working.
Mr. Lungren. Thank you very much.
The gentleman from Washington is recognized.
Mr. Dicks. Thank you.
Mr. Kurtz, when did you serve on the White House staff?
Mr. Kurtz. I joined the White House staff in 1999, before
the millennium, at the very end of the Clinton administration
and stayed on into early 2004 in the Bush administration.
Mr. Dicks. Are there people at the White House doing the
kind of work today that you were doing at that time?
Mr. Kurtz. Not on a full-time basis.
Mr. Dicks. Part-time?
Mr. Kurtz. Yes. Certainly, there are people there within
the National Security Council, Homeland Security Council and
the Office of Technology and Policy who are spending some time
on this issue.
Mr. Dicks. You described a little bit the--but flesh out
why you think this has been downplayed in this administration.
Why are they not taking this as seriously as the previous
administration did? Obviously, you had the millennium, the 2000
thing, which was a big factor and had everybody's attention on
it.
Mr. Kurtz. My own personal view is the Clinton
administration, toward the end of the Clinton administration,
they were, in fact, paying attention to this, because that is
when we started to see the problems surface. The massive denial
of service attacks in 2000 prompted an event with the
president.
However, President Bush, when he first started off, one of
the first briefings he took was on cybersecurity. When I was on
staff there, it was one of the very first briefings he had and
he stood up the critical infrastructure protection board,
which, in turn, produced the national strategy to secure
cybersecurity in 2003.
I think after that strategy was issued, that is when we had
the change. Under the strategy, the vast majority of the work
was to go over to the Department of Homeland Security. I
believe that decision made good sense, because we were standing
up the department at that time.
However, the department had massive issues on its hands and
in my written testimony we talk about the preoccupation, and
understandable preoccupation with the physical threats, threats
to kill people, blow up buildings. That is understandable.
However, several years down the line, it is hard to defend
that and especially in the context that we have increased
threats and increased vulnerabilities and more dependency on
this information infrastructure.
I also think the intervening events for the department have
been, obviously, Hurricane Katrina. Katrina took a lot of
energy out of the department. Really, though, quite frankly, I
am out of excuses. The time is now to have higher level
attention within the federal government to this issue.
And I would argue, and I talked about this a little bit
this morning, that DHS needs to assert more leadership, but I
would also argue that the White House needs to step up more.
Mr. Dicks. When you say leadership, what do you mean by
that? When I look at it, either you are talking about
resources, as an appropriator, or you are talking about
regulation or you are talking about bringing together people to
work together to try to understand each other's problems and to
convince each of these sectors that they have got to do
something themselves to protect their own cybersecurity.
Mr. Kurtz. I would argue, in a sense, all four of those
issues that you mentioned, with the caveat around the third
one, regulation.
By leadership, I mean--
Mr. Dicks. I know you are afraid of regulation, because of
your clients.
Mr. Kurtz. But leadership, I mean--
Mr. Dicks. If you don't get the job done, and this goes
back all the way back to the first days of the ICC and
railroads. I mean, you know, at some point, the government has
to step in and say you have got to do it.
Mr. Kurtz. But by leadership, I mean a senior individual
who is consistently focused on a problem. One of the reasons
why we have the national strategy to secure cyberspace, and I
still think it has good standing in the private sector, is we
had a very senior individual push that through.
Mr. Lungren. How about an assistant secretary for
cybersecurity and telecommunications?
Mr. Kurtz. I think it certainly helps, but I do argue that
we need to have more senior involvement on a regular basis by
others within the department and other agencies, as well.
I think as far as resources, yes, resources, though, follow
leadership when you can establish the priorities and programs
that we need to pursue. Regulation in a limited degree, when we
know we have had market failure, and there is an opportunity
before the Congress now to pass legislation to secure sensitive
personal information.
There are multiple bills under consideration up here and I
do think that is an important step forward that ought to be
paid attention to.
Mr. Dicks. Privacy, obviously, is a very important issue.
But, again, you think maybe having somebody else at the White
House staff who is on the National Security Council and
Homeland Security Council.
Mr. Kurtz. The decision to move it over to the Department
of Homeland Security was correct and stands true today.
Mr. Dicks. But it was correct that they picked up the ball
and did something with it, but so far they haven't done that.
Mr. Kurtz. Let me give a practical example. As we develop
the IT sector-specific plan, we have been working very closely
with our colleagues on a working level at the Department of
Homeland Security. In fact, we have quite a good relationship.
But what is absent is that we don't have other agencies at
a more senior level participating and only within the last week
or so have we gotten people at the White House to, if you will,
tune in more to this problem.
The reason why, I think, is that there are some very
complex policy questions that need to be resolved that cross
jurisdictions, that cross agencies. An example, in Hurricane
Katrina, ultimately, the president turned to the Department of
Defense to help us in the response to Hurricane Katrina.
If we have a massive disruption in the information
infrastructure, DHS is going to play a lead coordinating role,
but you can be darn sure that DOD is going to care and the FCC
is going to care. And what would happen in that instance is you
would have probably not a total Internet blackout, but you
would probably have very limited bandwidth available, which
means information going across the Internet would need to be
prioritized.
All right, so who is first? Does DOD take precedence? Does
the financial community take precedence? Obviously, in the
context of a larger scale disaster, first responders,
hospitals, medical institutions, we haven't come close to
making those decisions.
That is why I argue that we have to have more senior level
input into this process. An assistant secretary can certainly
help queue up those issues for more senior people to ultimately
make those decisions. That is where the assistant secretary is
critical, as he or she can work across federal agencies to
queue up these decisions.
Mr. Dicks. Thank you, Mr. Chairman.
Mr. Lungren. The time of the gentleman has expired.
And the gentleman from Indiana is recognized for 5 minutes.
Mr. Souder. I thought that was a very interesting
discussion, because we keep hearing leadership without
specifics. But you put a finger on that it is cross-
jurisdictional, because, in effect, if the secretary of
homeland security and the Department of Defense are in an
argument, what kind of official, short of the president or vice
president, is going to be able to referee that.
There isn't going to be a national security advisor or a
lower level staff and you have got, arguably, the two biggest
agencies in jurisdictional tussles.
Let me come back to a variation of the question I asked
earlier, and the answer was there is government enforcement and
there is private sector enforcement and insurance was
mentioned.
I was kind of trying to make a list in my head. What would
be the government incentives to fix this? And, basically, other
than altruism and a desire to help the American system, which
is important and I am not arguing isn't a motivation, but it
basically comes down to fear of loss of your job and career
ruining.
In the private sector, the incentives are somewhat
different. Has there been any court case that has established a
liability of, if you haven't plugged a certain hole on
cybersecurity, that you can have a massive fee on your firm?
Mr. Kurtz. The most obvious example that comes to my mind
is the FTC, the Federal Trade Commission's actions over the
past year and a half, where, in three cases, there were three
retailers, separate events--well, two retailers and a data
broker who did not take adequate steps to secure sensitive
personal information.
Those entities involved knew that they had problems and
didn't attend to them. And in one case in particular, the FTC
levied a $14 million fine.
There have been subsequent cases and I think all of them
have been less than $14 million. That is a relatively new
development.
Mr. Souder. Because that will certainly affect insurance
rates on everyone and the question is how to fairly disburse
that, then, because your weakest links are going to be driving
up the insurance rates on those who are actually investing,
because the catastrophic costs drive up costs.
You also have potential loss of sales to any company that
basically gets penetrated, because people say this isn't a safe
place, or a financial institution. If it is others, you have
the potential restoring costs to that, which the federal
government would have, too, if we had damages in a facility
that we run.
We also have the absolute wiping out of a brand name, in
the sense of your company could be destroyed. There are
multiple private sector things.
Why do you think, with all those pressures on the private
sector, that the private sector, particularly given these kind
of cases, isn't ramping up at a faster rate?
At the federal government, we react to problems. We need to
be better at preempting. Certainly, Katrina and 9/11, voters
want to know that they have every single bag--I mean, in this
committee we debate this--want to have every single bag checked
multiple times and this and that we put so much money in there
that we are not dealing with cybersecurity.
We have X amount of money. That is risk assessment, ramping
up, and the general public is reacting off of what happened in
the past, to ramp up that and we are missing some bigger risks.
Part of my question would be, as the private sector,
clearly, has multiple risks here, why aren't they ramping up
more? Is it that the guys at the margin who aren't making as
much money and don't have the ability to do the costs are the
ones not ramping up?
Mr. Kurtz. I think that that last point is an important
point. I think there are elements in the private sector, as I
said earlier, that are taking this issue seriously, because if
they experience a loss, it has a real impact on their business,
their customers, their market share.
Mr. Souder. Can I ask you? Because my time is about--let me
ask you, then. Given the assumption that you are saying, that
if you have the ability, you understand the risk and you are
doing it.
If it is the group--if our weakest link destroys our
biggest link, in other words, you get into our electrical grid,
whether it is in Canada or the United States, you are wrecked.
If the weakest link, unless we have these firewalls that shut
you off you are going to wreck everybody else around you.
If the financial market incentive isn't there for our
weakest link, do we have a choice, other than the regulatory
side?
Mr. Kurtz. I think, first of all, we need to pursue those
incentives. I don't think we are at the point yet where we can
say that the market has failed for all those industries who
haven't necessarily taken it seriously.
Mr. Souder. Are there tax incentive type things that we
could do to accelerate that?
Mr. Kurtz. I am certainly not going to say no to the idea
of a tax incentive. I think we ought to explore that. But I
think the insurance market is something interesting, because
the reason why the insurance community, as I understand it, the
reason why the insurance community cannot write as much
insurance in this space as they would like is that there are,
if you will, no common standards that they can base risk upon.
In other words, if I know X firm has done the following 10
things, that I have a reasonable understanding that a lot of
other firms are going to follow, as well, and I can have that
certified in some manner, self-certification or third-party
certification, then I am going to feel, as an insurance person,
and I have no background in this area, though, I would feel, as
an insurance person, it is a better risk. I could write
insurance in that area.
The problem is we don't really have that nexus now in the
federal government between places like the Department of
Commerce and the Department of Homeland Security to look at
these issues.
If I can, the fascinating detail, I think, is currently,
despite our dependence upon the information infrastructure, we
have no federal agency today that is tracking the costs of
cyber attacks. We have no one at the Department of Commerce, no
one who is, if you will--we have all sorts of statistics as to
how well our economy is doing, how our labor force is doing,
how productive we are.
But when it comes down to understanding the costs of cyber
attacks, the cost of disruptions, and, granted, it is a
difficult problem to solve, no one is tracking that today.
Mr. Souder. Mr. Chairman, I would like to say, too, that in
the GAO testimony, some of these things are out there, but they
are usually way back in the reports or they do not put this
clearly, but there is information in here about the slammer
worm taking a nuclear power plant down, their security
monitoring system, for 5 hours.
Somebody did a movie on that. I mean, our whole nuclear
policy is based on that Jane Fonda movie. One movie and all of
a sudden cybersecurity changes. Similar, that in here about?
Mr. Lungren. Are you suggesting Hollywood can make
cybersecurity sexy?
Mr. Souder. Yes. And TV, in other words, when you look at
the--if your airline flights are canceled, your automatic
teller machine failed, and network outages, if people knew what
actually happened, it is scary.
And part of the problem, the way we respond is that, hey,
we run every 2 years, the Constitution made us basically
weather vanes and somebody has got to be blowing the weather.
And part of the problem we have in homeland security is we
are charging around that way and cybersecurity has to become--
the danger has to become more sexy to the general public.
Mr. Lungren. I thank the gentleman for his comments.
And now I would recognize someone who I would never call a
weather vane, the gentlelady from Houston.
Ms. Jackson-Lee. I will take that in the spirit that it is
offered and I will wonder about the spirit.
Mr. Kurtz. He meant it as a compliment, I think.
Mr. Lungren. I meant an independent thinker is what I
meant.
Ms. Jackson-Lee. I said I would take it as such.
I am going to go with Mr. Souder's passion and continue at
his level, which is where I stopped off, which is this sense of
urgency that is not gripping some of the segments of homeland
security as I think it deserves.
And so I am going to go back to you, Mr. Kurtz, and then
Mr. Pelgrin, because as we look at the tragedy of terrorist
acts, we know that Washington is certainly a target, but so are
our notable areas of high risk, from New York to California.
And, of course, I happen to be a high risk proponent, but I
do believe it is important to translate information so that all
of the homeland can be secure.
But I have a simple question on time. You have laid out the
obstacles, Mr. Kurtz, and Undersecretary Mr. Foresman, in a
February 2006 press conference on cybersecurity or Cyberstorm,
about the role of the department in the event of an attack, at
the time, he said, ``The key thing that you bring to the table
is coordination. We will bring the ability to leverage multiple
people towards a common goal, towards a common solution, in
order to deal with the problem so that it is not a haphazard
approach.''
Well meaning, but the question is if you had to give an
answer when the American people could feel comfortable that our
cybersecurity is--the term under control is not accurate, but
under extreme or very vibrant oversight, and our infrastructure
is in place and we have leveraged, when do you think that would
be?
Mr. Pelgrin. I guess my response, from a DHS perspective,
when we have an early warning system in place, a solid early
warning system program in place that embraces the private
sector.
Secondly, an emergency communications system that allows us
to communicate when the very infrastructure we are seeking to
protect is under attack.
Ms. Jackson-Lee. Would you want that emergency system to be
seamless, meaning that it would go across the nation, as
opposed to saying all of New York would talk to each other?
Mr. Kurtz. Among critical owners and operators across the
nation. In other words, key government entities, key folks
within the private sector.
And then the third key area would be recovery and
reconstitution issues. In other words, you have to accept that
you have to plan as though there will be successful attacks. So
what happens when that happens? How do you reconstitute the
Internet? How do you reconstitute major protocols that may have
been broken out there? We need to think through those.
Once we have those questions solved, we can accept that
there are always going to be attacks. The nature of the beast
is we are always going to have bad guys out there and always
going to have people coming after us. But if we have a system
in place to protect and respond, then we will be in a much
better spot.
And, hopefully, along the way, we will have more resilient
networks being developed through R&D.
Ms. Jackson-Lee. Well, we think of Hurricane Katrina when
we think of recovery. But for those of us who went to New York
during 9/11 and went specifically to Wall Street, which was not
hit, per se, but, obviously, was shut down, if, for example, an
attack was on that system, the question is what is the timing
of recovery.
What preparedness do we have? Because that system is
obviously interwoven into the cybersecurity, if you will,
superhighway, using an old term. And what is the recovery? I
don't know if any of us know that.
Some of these things, I am sort of doubtful of discussing
them publicly, but I think we have some real issues here and I
guess I didn't hear a timeframe, but the fact that you have
given me three elements would suggest that these three elements
are not yet there.
Mr. Kurtz. No, they are not yet there. But in the case of
the banking and finance industry, it is probably worthwhile for
you to have a discussion with them, because they are very
advanced in that area and they learned a lot from 9/11 and they
have got some very sophisticated programs in place, which are
worth learning about.
Ms. Jackson-Lee. And the only question, I would say, is
they are probably sophisticated, but are they complete and what
more can they do and what more can we do to help them. I think
that is the real question.
Mr. Pelgrin, the whole issue is to be able to communicate
with state and local officials. Are we there yet, particularly
on this aspect of security?
Mr. Pelgrin. I don't think we are there yet and it has to
do a lot with still awareness and education and dollars and
resources at the state and local government level.
I think we have made huge progress from when we started in
2003. The multi-state ISAC, we meet every month with all the
states. We share information on an interactive call every
month.
But trying to get that message out to local governments is
a true challenge. We are working diligently on doing that and
actually we have a pilot with five states, New York being one
of those states, in which we are expanding the multi-state into
local governments by allowing each state to have a state ISAC,
which allows them to communicate.
Ms. Jackson-Lee. What states are they? What are the five
states?
Mr. Pelgrin. It is Florida, New York, Wisconsin, Michigan,
and I am blocking on the fifth and I will have to get back to
you on the fifth. Congresswoman, I will get back to you on the
fifth one. Michigan. If I didn't say Michigan, it is Michigan.
It is an opportunity to reach them. But you need to put it
in context from a local government perspective. When a local
government official is a town supervisor who is part-time and
they are working out of their home part-time and that computer
that they are using is also, by the way, used by their kids at
night, think about the challenges and what type of information is
contained on it.
We had one town clerk who said when we talked about the
importance of erasing media in an appropriate way, from
destruction of the media to wiping it clean to ensure that data
is protected, the comment initially was, ``I don't understand
why we are talking about this, because we want to produce one
of our supplements on how to do that.''
And she said, ``When my computer dies, I just toss it
out.'' Well, that information doesn't get deleted just because
that computer died on her. So it is critical that we reach all
of these individuals, education and awareness at the earliest
of ages.
And one of the things I would recommend, Undersecretary
Foresman mentioned it, but October is cybersecurity awareness
month, it would be wonderful if Congress embraced that. We
actually have our toolkit that we are providing you.
We have five packages of toolkits for you. That deals with
everything from calendars for kids to adults, mouse pads,
anything we can do to bring this message home that they have to
take basic precautions.
I am not sure if it was Guy or David who said that the
weakest link is just one link that you have to be concerned
with.
Ms. Jackson-Lee. Mr. Chairman, thank you. It is not just
the town supervisor's computer that is thrown away. I can tell
you that large cities, having come out of local government, do
likewise and I am not sure whether they are now more informed
about cleaning those, the terminology ``cleaning,'' with
quotes, but to eliminate the data on those thrown away computers
and/or the donated computers that are subsequently donated to
schools.
I think there is certainly a large question of data
preservation and/or particularly if we connect on some of these
very secure matters.
I yield back. Thank you very much.
Mr. Lungren. I thank the gentlelady for yielding. I thank
the witnesses for your valuable testimony today and members for
their questions.
Members of the committee may have some additional questions
for the witnesses and we would ask you to respond to those in
writing. The hearing record will be open for 10 days.
Thank you once again for your participation. It was very,
very helpful.
Without objection, the committee stands adjourned.
[Whereupon, at 5:44 p.m., the subcommittee was adjourned.]