[Senate Hearing 109-402]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 109-402
 
     SECURING CYBERSPACE: EFFORTS TO PROTECT NATIONAL INFORMATION 
              INFRASTRUCTURES CONTINUE TO FACE CHALLENGES

=======================================================================

                                HEARING

                               before the

                FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT
                     INFORMATION, AND INTERNATIONAL
                         SECURITY SUBCOMMITTEE

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 19, 2005

                               __________


       Printed for the use of the Committee on Homeland Security
                        and Governmental Affairs



                    U.S. GOVERNMENT PRINTING OFFICE
23-163                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   SUSAN M. COLLINS, Maine, Chairman
TED STEVENS, Alaska                  JOSEPH I. LIEBERMAN, Connecticut
GEORGE V. VOINOVICH, Ohio            CARL LEVIN, Michigan
NORM COLEMAN, Minnesota              DANIEL K. AKAKA, Hawaii
TOM COBURN, Oklahoma                 THOMAS R. CARPER, Delaware
LINCOLN D. CHAFEE, Rhode Island      MARK DAYTON, Minnesota
ROBERT F. BENNETT, Utah              FRANK LAUTENBERG, New Jersey
PETE V. DOMENICI, New Mexico         MARK PRYOR, Arkansas
JOHN W. WARNER, Virginia

           Michael D. Bopp, Staff Director and Chief Counsel
   Joyce A. Rechtschaffen, Minority Staff Director and Chief Counsel
                      Trina D. Tyrer, Chief Clerk


FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL 
                         SECURITY SUBCOMMITTEE

                     TOM COBURN, Oklahoma, Chairman
TED STEVENS, Alaska                  THOMAS CARPER, Delaware
GEORGE V. VOINOVICH, Ohio            CARL LEVIN, Michigan
LINCOLN D. CHAFEE, Rhode Island      DANIEL K. AKAKA, Hawaii
ROBERT F. BENNETT, Utah              MARK DAYTON, Minnesota
PETE V. DOMENICI, New Mexico         FRANK LAUTENBERG, New Jersey
JOHN W. WARNER, Virginia             MARK PRYOR, Arkansas

                      Katy French, Staff Director
                   Sean Davis, Legislative Assistant
                 Sheila Murphy, Minority Staff Director
            John Kilvington, Minority Deputy Staff Director
                       Liz Scranton, Chief Clerk


                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Coburn...............................................     1
    Senator Carper...............................................     3
    Senator Akaka................................................     5
    Senator Collins (ex officio).................................     6

                               WITNESSES
                         Tuesday, July 19, 2005

Donald (Andy) Purdy, Jr., Acting Director, National Cyber 
  security Division, Information Analysis and Infrastructure 
  Protection Directorate, U.S. Department of Homeland Security...     6
David A. Powner, Director, Information Technology Management 
  Issues, U.S. Government Accountability Office..................     8
Paul M. Skare, Product Manager, Siemens Power Transmission and 
  Distribution, Inc., Energy Management and Automation...........    22
Thomas M. Jarrett, Secretary and Chief Information Officer, 
  Department of Technology and Information, State of Delaware....    25

                     Alphabetical List of Witnesses

Jarrett, Thomas S.:
    Testimony....................................................    25
    Prepared statement with attachments..........................   105
Powner, David A.:
    Testimony....................................................     8
    Prepared statement...........................................    46
Purdy, Donald (Andy) Jr.:
    Testimony....................................................     6
    Prepared statement...........................................    35
Skare, Paul M.:
    Testimony....................................................    22
    Prepared statement with attachments..........................    69

                                APPENDIX

Questions and responses for the Record from:
    Mr. Purdy....................................................   120
    Mr. Powner...................................................   153
    Mr. Skare....................................................   158
    Mr. Jarrett..................................................   164


                    SECURING CYBERSPACE: EFFORTS TO
                      PROTECT NATIONAL INFORMATION
                      INFRASTRUCTURES CONTINUE TO
                            FACE CHALLENGES

                              ----------                              


                         TUESDAY, JULY 19, 2005

                                     U.S. Senate,  
            Subcommittee on Federal Financial Management,  
        Government Information, and International Security,
                          of the Committee on Homeland Security and
                                            Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:05 p.m., in 
room 562, Dirksen Senate Office Building, Hon. Tom Coburn, 
Chairman of the Subcommittee, presiding.
    Present: Senators Coburn, Carper, Akaka, and Collins (ex 
officio).

              OPENING STATEMENT OF CHAIRMAN COBURN

    Senator Coburn. The Committee will come to order. This is 
the first of probably many hearings on cyber security within 
the Federal Government and I am going to have a very limited 
opening statement. Being from Oklahoma, we had some significant 
events there while I was a Member of Congress that taught us 
all a huge lesson in terms of terrorism. But there are several 
significant points associated with cyber security in America.
    First of all, the United States does not currently have a 
robust ability to detect a coordinated cyber attack on our 
critical infrastructure, nor does it have a measurable recovery 
and reconstitution plan for key mechanisms of the Internet and 
telecommunications system.
    Second, the Department of Homeland Security has not 
completed the National Infrastructure Protection Plan.
    Third, cyber attacks on control systems can be targeted 
from remote locations around the globe. We know that.
    Fourth, DHS is responsible for protecting the Nation's 
critical infrastructures. However, 85 percent of all the 
critical infrastructures are controlled by the private sector.
    And then, finally, there is a lack of stable leadership at 
the National Cyber Security Division, which has hurt its 
ability to maintain trusted relationships with the private 
sector and has hindered its ability to adequately plan and 
execute activities.
    This is the first of the hearings that we intend to hold to 
look at Internet and informational, as well as cyber security 
within this Subcommittee.
    [The prepared statement of Senator Coburn follows:]

                  PREPARED STATEMENT OF SENATOR COBURN

    On the morning of April 19, 1995, Oklahoma learned firsthand the 
horrific effects of terrorism in the homeland. The prevention of 
terrorism starts with a proactive plan with cogent, measurable goals 
and the development and empowerment of effective moral leaders to 
accomplish these goals.
    In October 2003, Chairman Adam Putnam of the House Subcommittee on 
Technology, Information Policy, Intergovernmental Relations and the 
Census, held a hearing where he clearly identified the problem, saying, 
``The nation's health, wealth, and security rely on these systems, but, 
until recently, computer security for these systems has not been a 
major focus. As a result, these systems on which we rely so heavily are 
undeniably vulnerable to cyber attack or terrorism.'' Those 
vulnerabilities still exist today, only now they are less excusable. 
More importantly, the government's plan to secure our critical 
infrastructures from a cyber threat remains vague and formative despite 
clear legislative and executive mandates.
    Since September 11, 2001, the focus of security in the United 
States has been on physical terrorist attacks. In contrast, the 
government's cyber security efforts have focused on the internet and 
networking and desktop functions we all use every day. Unfortunately, 
operational control systems, which are at the heart of our critical 
infrastructures, do not work like conventional desktop business 
computer systems. The President has spoken to this in Homeland Security 
Presidential Directive #7 (HSPD-7) and the National Strategy to Secure 
Cyberspace, emphasize that our nation's critical infrastructures 
provide services which are so vital that their incapacity or 
destruction would have a debilitating impact on the defense or economic 
security of the United States.
    Congress has also spoken through The Homeland Security Act of 2002 
which laid clear mandate on cyber security at Department of Homeland 
Security. The Act requires DHS to (1) assess our vulnerability to cyber 
attack (2) develop a plan to fix it and (3) implement that plan using 
measurable goals and milestones. In order to implement the plan the 
Department has the admittedly difficult task of engaging and securing 
action from diverse players, state and local governments, other federal 
agencies, especially key industry actors. Cyber vulnerability is 
primarily in the private sector and the Department must find a way to 
overcome the challenges there. The nature of terrorists is to attack 
private citizens as we recently saw in the horrific attack in the 
United Kingdom. There can be no excuse for not effectively engaging the 
private sector, even though it is hard. We ask no less of our food 
safety, airline security and pharmaceutical industries.
    Nobody wants to micromanage the private sector; however, American 
expects DHS to take every reasonable measure to protect us from 
terrorism. I am not convinced that threshold has been met.
    If America is to be safe from the damage of a cyber attack, we will 
need a plan, a budget tied to that plan and Congressional commitment to 
the implementation of the plan. In particular, I hope we can commit to 
the following:

    1.  The completion of the National Infrastructure Protection Plan, 
fully incorporating the cyber component with more than vague 
generalities;
    2.  A way to measure milestones in the NIPP that will be assigned 
to a named department head;
    3.  A budget line item associated with the milestones.

    To that end, I look forward to hearing from our witnesses from GAO, 
DHS, the State of Delaware, and Siemens Power Transmission & 
Distribution, Inc.

    Senator Coburn. At this time, I will yield for an opening 
statement to the----
    Senator Carper. Be careful what you say. [Laughter.]
    Senator Coburn [continuing]. Ranking Member, and my friend, 
the other ``TC'' on the Subcommittee, for his opening 
statement. Senator Carper, thank you for being here.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you, Mr. Chairman. I am happy to be 
here with you and Senator Collins and to welcome our first 
panel of witnesses and look forward to the next panel of 
witnesses, which includes an old friend from--not an old 
friend, but a good friend from Delaware, one of our leaders.
    I would just reflect back. I think some 2 weeks ago now, we 
had the devastating terrorist attacks on the London 
transportation system and it reminded us once again--especially 
those of us who live in the Northeastern corridor of the United 
States--it reminded us once again that terrorists are 
increasingly able to exploit our vulnerabilities and to cause 
an enormous amount of damage, destruction of property and 
taking of human lives.
    Since September 11, the majority of our Homeland Security 
efforts have been aimed to strengthen security of our Nation's 
physical infrastructure. A good example of that is the aviation 
industry. Some of us are hopeful it eventually will focus more 
on rail and transit and subways, too.
    Last week, the Homeland Security and Governmental Affairs 
Committee held under Senator Collins's leadership--I think it 
might have been in this room--held a hearing on protecting 
chemical facilities within the United States. The hearing 
highlighted the necessary precautionary measures that should be 
taken to protect a chemical facility from a terrorist attack.
    The importance of cyber security is oftentimes overlooked 
in discussions involving homeland security. Cyber security, 
though, plays an important role in the protection of our 
critical infrastructures. Computers and networks provide an 
increasing convenience and effectiveness for the everyday 
operation of critical infrastructures. In fact, on a critical 
infrastructure such as a railroad, combined with a cyber attack 
on the computer system of a major electric utility, it can have 
an enormous impact on the emergency response capabilities that 
are needed in times of disaster.
    It is the Committee's job, this Committee, and I think 
specifically this Subcommittee, it is our job to ensure that we 
are taking the steps that are needed to minimize the chance and 
to minimize the consequences of such an attack if it occurs.
    Again, I mention, Mr. Chairman, we have one of my friends 
and colleagues from Delaware, Tom Jarrett, not a ``TC'' but a 
``TJ,'' who is our Chief of Information. He works in the 
Governor's cabinet, heads up the Department in our State called 
the Department of Information and Technology and I am just 
delighted to hear from Tom and to see him again.
    Accompanying Secretary Jarrett, I am told, is a woman named 
Elayne Starkey, and I am looking out in the audience. I think 
she is sitting right behind--there she is. Elayne, welcome. 
When you see Tom Jarrett's lips move, hear his voice speak 
later on, you will see Elayne's lips move. When I was 
privileged to be Governor, she just did great work, helping us 
really to bring technology to bear in our law enforcement 
efforts and we will always be grateful for the great work that 
she did.
    We are going to hear from Secretary Jarrett today about a 
Department of Technology Information that is really all too 
familiar with the challenges that are facing cyber security. 
One of Delaware's critical infrastructures is our State 
computer network. It is a large target of over, listen to this, 
3,000 cyber attacks per day, little Delaware. I can't imagine 
what happens in big States like yours, but over 3,000 cyber 
attacks per day. I am not sure why that is. Maybe it is because 
we are the home of incorporation of over half-a-million 
companies, half the New York Stock Exchange, half the Fortune 
500. I am not sure what it is, but that is a lot of attacks.
    Secretary Jarrett implemented a number of cyber security 
initiatives to address the cyber risks associated with our 
State's computer network. Delaware's Department of Technology 
and Information aims to strengthen and provide proper cyber 
security through partnerships with State agencies, multi-state 
forums, and a collaborative with Microsoft Corporation. 
Secretary Jarrett meets on a routine basis with all cyber 
security stakeholders to share cyber threat and vulnerability 
information to better protect our State's network from cyber 
attacks. Delaware's cyber security initiatives are an excellent 
example, we believe, of the processes and partnerships that are 
needed to protect against cyber attacks.
    In May 2005, at the request of Senator Lieberman, our 
colleague, and several Representatives, including Chris Cox, 
Representative Davis, Representative Thornberry, Lofton, the 
Government Accountability Office released a report that was 
titled, ``The Department of Homeland Security Faces Challenges 
in Fulfilling Cyber Security Responsibilities.'' That is a 
pretty big title. The report criticized the Department of 
Homeland Security's efforts thus far in fulfilling its cyber 
security responsibilities that are established for in law and 
policy.
    To fulfill the Department's cyber security 
responsibilities, such as assessing national cyber threats and 
vulnerabilities, the Government Accountability Office 
recommends that the Department of Homeland Security improve 
organizational stability and foster better partnerships with 
the private security, much as we have done in Delaware.
    As demonstrated by Delaware's Department of Technology 
Information, partnerships provide education, the technical 
expertise, and information sharing outlet that is needed to 
effectively secure cyber assets. Proper information sharing 
between the Federal Government and the private sector is 
instrumental to protecting our Nation's critical infrastructure 
from cyber attack.
    Last week in this room, Secretary Chertoff laid out a 
reorganization plan of the Department that includes a new 
Assistant Secretary for Cyber Security and Telecommunications 
to strengthen information technology management and cyber 
security responsibilities within the Department of Homeland 
Security. As that Department sets forth in strengthening 
national cyber security initiatives and efforts, I ask that the 
Department build cyber security partnerships within the private 
sector and provide a road map of priorities and milestones of 
cyber security responsibilities and initiatives, much as we 
have done in our State and perhaps in your States, as well.
    I really do look forward to this hearing and the testimony 
from all of our witnesses concerning the challenges that we 
face along these lines and the Federal Government's role, our 
role, in protecting our Nation's critical infrastructures from 
a cyber attack. I hope that the discussion that occurs here 
today and following this hearing will lead us to real solutions 
to the challenges that we face within the Federal Government 
with respect to cyber security.
    Mr. Chairman, I thank you, and to our witnesses, welcome. 
We look forward to hearing from you. Thanks.
    Senator Coburn. Senator Akaka, I understand that you have a 
hearing that you need to chair at 2:25. The Chairman has 
graciously allowed you to go ahead of her, if you would care to 
make your opening statement.

               OPENING STATEMENT OF SENATOR AKAKA

    Senator Akaka. Thank you very much, Chairman Coburn. Thank 
you for permitting me to do it now, and thank you, Chairman 
Collins, for letting me do this.
    Chairman Coburn, I want to compliment you on holding 
today's hearing on cyberspace. I know we both are also 
interested in agroterrorism, so these are up and coming issues, 
and I thank you so much for giving me this time.
    Computers and computer networks reside at the heart of the 
systems upon which the American people rely on on a daily 
basis. As our witnesses know, many of these systems are far too 
vulnerable to cyber attack, which would inhibit their function, 
corrupt important data, and expose private information.
    The Internet is the backbone of the U.S. economy and our 
Nation's critical infrastructures. It is the electronic roadway 
of commerce, industry, and defense. Databases stored on 
computer networks, in particular, have been an attractive 
target for criminal hackers who have breached the networks of 
several well-known companies and have stolen the personal data 
of millions of Americans. A successful attack on the computer 
systems that support our critical infrastructures would 
threaten our national security, public health, and, of course, 
our way of life.
    The former head of the National Infrastructure Protection 
Center, Ron Dick, once said, ``The thing that keeps me awake at 
night is the thought of a physical attack on the U.S. 
infrastructure combined with a cyber attack which disrupts the 
ability of the first responders to access 911 systems.'' This 
is not an exaggerated fear, as our own military realizes the 
power of cyber warfare in destroying an enemy's command and 
control.
    The Department of Homeland Security is responsible for 
protecting the key resources and critical infrastructures in 
the United States. In carrying out this role, DHS has a number 
of responsibilities established by law and Presidential 
directive. We are here today to discuss these DHS issues and 
how DHS is fulfilling those responsibilities and the specific 
challenges that the Department faces as it moves forward.
    One area that is of particular concern to me is the failure 
by DHS to complete a comprehensive cyber threat and 
vulnerability assessment. This threat assessment should be the 
foundation for the Department's risk-based approach to mission 
and priorities. A comprehensive threat assessment is needed in 
order to be certain that we are adequately protected and to 
ensure that precious Federal dollars are well spent.
    I want to thank you, Mr. Chairman, for having this hearing 
today and thank you for the time and wish you well. We look 
forward to our witnesses' testimony. Thank you.
    Senator Coburn. Thank you, Senator Akaka.
    Now, I am pleased to recognize the Chairman of the full 
Committee, Susan Collins from Maine. Thank you, Senator.

             OPENING STATEMENT OF CHAIRMAN COLLINS

    Chairman Collins. Thank you very much. Let me begin by 
thanking you, Mr. Chairman, for convening this hearing today 
and shining a spotlight on a critical infrastructure issue.
    And your timing could not be better. Just last week, 
Secretary Chertoff testified before the full Committee 
regarding his Second Stage Review recommendations for the 
Department of Homeland Security. As Senator Carper has 
mentioned, Secretary Chertoff proposes to create a new 
Assistant Secretary for Cyber Security and Telecommunications, 
a position that has long been needed.
    Clearly, Secretary Chertoff has acknowledged that cyber 
security is an issue worthy of much more attention and 
resources from within the Department. This hearing will provide 
an opportunity to explore some of the challenges that the new 
Assistant Secretary will face.
    Computers and information systems are key components that 
support the operations of critical infrastructure in our 
country, whether it is chemical facilities or oil refineries, 
dams, power systems, telecommunications, or mass transit 
systems. Increasing computer interconnectivity has improved the 
quality of daily life for Americans, but unfortunately, this 
interconnectivity has also created a weakness that can be 
exploited by our enemies in this post-September 11 world.
    I am pleased that the Department is placing more emphasis 
on this vital component of our Nation's critical infrastructure 
sectors and I look forward to working with you, Mr. Chairman, 
as well as the Department to strengthen our protections and 
defenses in this area.
    Senator Coburn. Thank you, Madam Chairman.
    Our first panel consists of two witnesses, Andy Purdy, 
Acting Director, National Cyber Security Division of the 
Department of Homeland Security, and David Powner, Director of 
IT Management at GAO.
    Mr. Purdy, your complete statement will be made a part of 
the record. If you would limit your comments to 5 minutes, I 
would appreciate it. Thank you.

  TESTIMONY OF DONALD (ANDY) PURDY, JR.,\1\ ACTING DIRECTOR, 
  NATIONAL CYBER SECURITY DIVISION, INFORMATION ANALYSIS AND 
   INFRASTRUCTURE PROTECTION DIRECTORATE, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Purdy. Thank you. Good afternoon, Chairman Coburn and 
Madam Chairman Collins. My name is Andy Purdy. I am the Acting 
Director of the National Cyber Security Division (NCSD) within 
the Department of Homeland Security. I am delighted to appear 
before you today on behalf of my colleagues to share with you 
the work of NCSD and those with whom we are partnering.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Purdy appears in the Appendix on 
page 35.
---------------------------------------------------------------------------
    In today's world, we recognize that attacks against us may 
manifest in many forms, including physical and cyber. We 
recognize the potential impact of collateral damage from any 
one attack to a variety of assets. As such, our Directorate 
takes a holistic view of critical infrastructure 
vulnerabilities and works to protect America from all threats 
by ensuring the integration of physical and cyber approaches.
    NCSD was created in June 2003 to serve as a national focal 
point for cyber security and to coordinate the implementation 
of the national strategy to secure cyberspace. Our mission is 
to work collaboratively with public, private, and international 
entities to secure cyberspace and America's cyber assets.
    To meet that mission, we have developed a set of goals with 
specific objectives for each goal and milestones, and we have 
identified two overarching priorities. One, to build a national 
cyberspace response system. Two, to implement a cyber risk 
management program for critical infrastructure protection. 
Focusing on these two priorities establishes the framework for 
securing cyberspace today and a foundation for addressing cyber 
security for the future.
    A core component of our effort to establish a national 
cyberspace response system is the US-CERT Operations Center, a 
partnership between DHS and the public and private sectors. US-
CERT provides a national coordination center that links public 
and private response capabilities to facilitate information 
sharing across all infrastructure sectors and to help protect 
and maintain the continuity of our Nation's cyber 
infrastructure.
    To assist Federal agencies in protecting their cyber 
infrastructure, we have established the Government Forum of 
Incident Response and Security Teams to facilitate interagency 
information sharing and cooperation across Federal agencies for 
readiness and response efforts.
    A key component of our response system is the Cyber Annex, 
which we created as part of the recently issued National 
Response Plan, that provides a framework for responding to 
cyber incidents. To provide a Federal approach to coordinated 
cyber incident response, we worked with the Departments of 
Defense and the Departments of Justice to form the National 
Cyber Response Coordination Group, later formalized by the 
Cyber Annex as the principal Federal interagency mechanism to 
coordinate preparation for and response to cyber incidents of 
national significance.
    Under our second priority, we are engaged in a risk 
management program to assess threats and reduce the risk to our 
critical infrastructure. For the cyber component of the 
National Infrastructure Protection Plan, DHS is the sector 
specific agency, with our Division as the lead for the 
information technology sector, and we are working with the IT 
ISAC and the newly formed Information Technology Sector 
Coordinating Council to identify critical assets, assess 
vulnerabilities, and determine protective measures.
    In addition, we are attempting to ensure that cyber is 
comprehensive throughout this national plan by providing 
guidance to the other critical infrastructure sectors in 
analyzing, identifying, and assessing and protecting their 
cyber assets and the cyber component of their physical assets. 
Within this framework, we are pursuing other priority 
vulnerability reduction effort: The Internet Disruption Working 
Group, our Control Systems Security Program, and our Software 
Assurance Program.
    We believe the recent GAO report on critical infrastructure 
has provided a fair assessment of the progress to date and we 
agree that while considerable work has been done, much work 
remains to meet the challenges in this rapidly changing area. 
With the proposed appointment of a new Assistant Secretary for 
Cyber and Telecommunications Security, we are confident that we 
will accelerate our cyber security efforts.
    Secretary Chertoff's recent release of the findings from 
his second stage review of the entire Department illustrates 
DHS's commitment to addressing leadership and organizational 
concerns that also have been raised by GAO. We are committed to 
achieving success in meeting our goals and objectives, but we 
cannot do it alone. We will continue to meet with industry 
representatives, our government counterparts at the State and 
Federal level, and academia to formulate the partnerships and 
leverage the efforts of all, including the private sector, so 
that we as a Nation are more secure in cyberspace.
    Again, thank you for the opportunity to testify before you 
today and I would be glad to answer any of your questions.
    Senator Coburn. Thank you very much, Mr. Purdy. Mr. Powner.

    TESTIMONY OF DAVID A. POWNER,\1\ DIRECTOR, INFORMATION 
 TECHNOLOGY MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Mr. Powner. Dr. Coburn, Chairman Collins, and Ranking 
Member Carper, we appreciate the opportunity to testify on the 
Department of Homeland Security's efforts associated with 
securing our Nation's infrastructures from cyber security 
threats.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Powner appears in the Appendix on 
page 46.
---------------------------------------------------------------------------
    Recent attacks and threats have underscored the need to 
effectively manage and bolster the cyber security of our 
Nation's critical infrastructures. For example, criminal 
groups, foreign intelligence services, and terrorists are 
threats to our Nation's computers and networks. Regarding 
recent attacks in March of this year, hackers gained access to 
the electric industry's control systems.
    To address these threats, Federal law and policy calls for 
critical infrastructure protection activities and establishes 
DHS as our Nation's focal point. It also designates other 
agencies to coordinate with key sectors, including energy, 
banking and finance, transportation, and telecommunications.
    This afternoon, I will summarize four points, as requested. 
First, DHS has many responsibilities called for in law and 
policy. Second, although progress has been made in each area, 
much work remains ahead. Third, DHS faces many challenges in 
fulfilling these responsibilities. And fourth, Several 
recommendations remain outstanding that, if effectively 
prioritized and addressed, could greatly improve our Nation's 
cyber security posture.
    Expanding on each of these, first, we recently reported 
that based on Federal law and policy, DHS's 13 key cyber 
security responsibilities that include developing a national 
plan, enhancing public and private information sharing of cyber 
threats, vulnerabilities, and attacks, conducting a National 
Threat Assessment, facilitating vulnerability assessments, and 
coordinating incident response and recovery efforts if, in 
fact, an attack occurs. Although DHS has initiated efforts that 
begin to address each of these 13 responsibilities, the extent 
of progress varies and more work remains on each.
    For example, its Computer Emergency Response Team, referred 
to as the US-CERT, issues warnings on vulnerabilities and 
coordinates responses to cyber attacks. However, our Nation 
still lacks a National Threat Assessment, sector vulnerability 
assessments, a mature analysis and warning capability, and key 
recovery plans, including plans for recovering the Internet.
    DHS faces many challenges in building its credibility as a 
stable, authoritative, and capable organization that can 
fulfill its cyber critical infrastructure responsibilities. 
These include achieving organizational stability and authority. 
Over the past year, multiple DHS cyber security executives have 
left the Department. Establishing the Assistant Secretary for 
Cyber may help. However, leveraging this new authority and 
recruiting top talent to fill it remains a challenge.
    Another challenge is establishing effective partnerships 
and information sharing arrangements with other government 
entities and the private sector. During our most recent review, 
representatives from the banking and finance sector told us 
that the level of trust is not sufficient to have productive 
information sharing.
    In addition, DHS needs to demonstrate value, meaning that 
it needs to provide useful and timely information on such items 
as threats and analytical products to key stakeholders.
    Over the last several years, we have made a series of 
recommendations to enhance the cyber security of critical 
infrastructure that demand immediate attention, including 
conducting important threat and vulnerability assessments, 
developing a strategic analysis and warning capability to 
identify potential attacks, developing a strategy to protect 
infrastructure control systems, and developing recovery plans 
to respond to attacks. We also recommended that DHS prioritize 
its critical activities and closely monitor progress with 
appropriate performance measures.
    In summary, Mr. Chairman, DHS has made progress in 
planning, in coordinating efforts to enhance cyber security, 
but much more needs to be done, including conducting threat and 
vulnerability assessments, bolstering our cyber analytical 
capabilities, aggressively pursuing threat and vulnerability 
reduction efforts, and developing recovery plans.
    Our testimony today lays out a comprehensive road map for 
what remains to be accomplished in each area. Until DHS 
addresses its many challenges and more fully completes critical 
activities, it cannot function as the cyber security focal 
point intended in Federal law and policy, resulting in 
increased risk that large portions of our national 
infrastructure are unprepared to effectively manage cyber 
security attacks.
    This concludes my statement. I would be pleased to respond 
to any questions you have at this time.
    Senator Coburn. Thank you, Mr. Powner.
    I have numerous questions. I will not ask them all at the 
hearing, but I would like for each of you to agree to answer in 
written form the questions that we will submit for the record 
and do that on a fairly timely basis, if you would not mind. 
That will spare you some time.
    Mr. Purdy, when is it anticipated that the National 
Infrastructure Protection Plan will be completed?
    Mr. Purdy. Well, Acting Under Secretary Robert Stefan has 
told the Hill that he expects to have a version of the plan in 
pretty good order by the end of the summer, so we don't have a 
precise date on that.
    Senator Coburn. Will the reorganization, the stage two 
review, move that later?
    Mr. Purdy. Oh, I don't expect so. No, sir.
    Senator Coburn. If you don't care to comment on this, it is 
fine, but will this protection plan be beefed up with 
milestones that are linked to the budget line items and the 
department heads that are carrying that out?
    Mr. Purdy. I am not sure that the plan that is in existence 
at the end of the summer will have that, but that is 
anticipated to be part of the plan as it rolls forward, 
including the specific sector plans that have to be developed 
in partnership between the government and the private sector, 
yes.
    Senator Coburn. It seems that some industry sectors are 
more mature with regards to securing their cyber assets than 
others. I think that is a true statement. That is probably true 
throughout the residential cyber areas, as well. It seems that 
the title of the new Assistant Secretary for Cyber Security and 
Telecommunications would indicate that some critical 
infrastructures have more security needs than others, like the 
electric, chemical, telecommunication industries. Which sectors 
are more technologically mature and could be used as examples 
for sectors that are less mature when building guidance with 
which to self-regulate?
    Mr. Purdy. Well, until we do a complete assessment by 
sector, it is difficult to give a quantitative approach to 
that. I certainly believe that the telecommunications and 
finance sectors are among the most robust.
    Senator Coburn. We did have the penetration of some of the 
power companies' data. It kind of scares you when ``24'' is 
doing this ahead of the cyber crooks. As this NIPP plan comes 
up, one of the questions I think a lot of people are wondering, 
why is it taking so long to do that? Why is it taking so long 
to have a National Infrastructure Protection Plan?
    Mr. Purdy. Well, I think it is a very difficult task. But 
on some of the specific items you mentioned, we have 
accelerated the prioritization of three major areas that we 
believe, although part of the National Infrastructure 
Protection Plan framework, deserve accelerated efforts. Those 
are our Internet Disruption Working Group that we co-chair with 
National Communication Systems, and Department of Treasury and 
others are members of that. So that is a high-priority effort, 
to identify the assets, the interdependencies, the protective 
measures, the response and the recovery, building on the ESF-
II, which as you know has evolved from telecommunications to 
communications generally. So that piece of it is fairly robust 
and that group will work to accelerate that and respond to some 
of the specific areas in the GAO report.
    In addition, our control systems effort is a very robust 
effort that we brought over from our Protective Security 
Division in May 2004. We had the strategic plan. We had our 
goals. We have a tremendous partnership with the Department of 
Energy, with the Idaho National Lab and other labs.
    And finally, our Software Assurance Program is also very 
robust, building on a key partnership with the Department of 
Defense, co-founding the National Infrastructure--the NIAP 
review in terms of the acquisition piece.
    So we think those three priority efforts are not being held 
up by any time frame of the National Infrastructure Protection 
Plan and we believe those are the priorities, and so they are 
very important to us.
    Senator Coburn. So your testimony is, sometime after the 
first of the year, we ought to have this plan intact, the NIPP 
plan?
    Mr. Purdy. Actually, if I said that, I didn't mean to say 
that.
    Senator Coburn. You said, by the end of this summer, we are 
going to have the structure of it, is that right?
    Mr. Purdy. We are going to have a plan that is in pretty 
good shape. It is not going to be the final draft of it, yes.
    Senator Coburn. But sometime after the first of the year, 
we should be able to expect that moving forward? I know you are 
implementing sections of that even before you have the NIPP 
plan, but for cyber security, where are we within that?
    Mr. Purdy. Well, cyber security, we are moving forward in 
the work with the emerging Sector Coordinating Council, as you 
know, the private sector group, and the Government Coordinating 
Council. In fact, I think the organizations of one of your 
witnesses, NASCIO is a member of the Government Coordinating 
Council of the IT sector. And so we are working to build the 
framework for the sector-specific plan and the cyber guidance 
that will go to all the critical infrastructures. So that is 
moving ahead, and I certainly expect that the cyber piece will 
be ready well before the first of the year.
    Senator Coburn. Now, you have an Internet Disruption 
Working Group.
    Mr. Purdy. Yes.
    Senator Coburn. Would you mind providing the Subcommittee a 
list of the achievements of that group, where you started and 
where you are now? One of the things that Mr. Powner said that 
really bothers me is that some of the limitation is because 
there is a lack of a level of trust. Those were his words just 
a moment ago. Do you perceive that is real? Is it founded on 
real actions? In other words, do they perceive a threatened 
loss of some technologic advance or proprietary information by 
working with you as we try to do this?
    Mr. Purdy. Well, I think we are moving ahead very 
successfully in trying to facilitate information sharing with 
the private sector. As you may know, our secure portal, our US-
CERT portal that involves approximately 200,000 government and 
private sector folks, we are working to integrate into the 
Homeland Security Information Network. In addition, we are very 
excited by our partnership with the IT ISAC and the eight other 
ISACs that supply them cyber information so that we can 
incorporate that flow among those nine ISACs with the 
government into the HSIN structure.
    In addition, the private sector is standing up an 
information sharing group and we will be sending some members 
to it to try to facilitate the exchange of value and 
incorporation of private sector input into the articulation of 
a threat. So the information can be shared among groups and 
move out in a way that efficiently gets to folks in a timely 
fashion. So we think that is very substantial progress.
    In addition, we are reaching out to the private sector to 
convene some meetings that will be in the early fall to bring 
in the incident response teams from major private sector 
entities from across the country to engage in training and 
moving forward to really target the information sharing, 
building on the existing information sharing of US-CERT and the 
efforts in information sharing from the ISACs that I just 
mentioned.
    Senator Coburn. Are those web portals that you mentioned 
100 percent secure?
    Mr. Purdy. Well, we believe they are secure. I am not sure 
that there is a standard in current technology to say that 
something is 100 percent secure.
    Senator Carper. I want to back up if we could just a little 
bit and take a somewhat different approach. I don't care who 
leads off, but talk to us about the nature of the threat that 
we face. Talk to us about where the threat is coming from. Talk 
with us about whether the threat is rising, and if so, in what 
respect.
    And you have touched on this a little bit, Mr. Purdy, but I 
mentioned in my remarks about our folks that were here from 
Delaware who will testify shortly, how we partner with the 
private sector, and I just want to hear your thoughts about 
those kinds of partnerships.
    Mr. Purdy. The cyber assessment of threat was completed in 
the form of the National Intelligence Estimate for Cyber that 
we partnered with the intelligence and the law enforcement 
community on. Subsequent to that--and there are classified and 
unclassified versions of the NIE for cyber--subsequent to that, 
we have worked through our Information Analysis Division to 
provide intelligence collection requirements to the 
intelligence community for cyber, and those include information 
that would provide indicators of attacks against critical 
infrastructure, including control systems.
    Senator Carper. What kind of control systems are we talking 
about?
    Mr. Purdy. Across the critical infrastructure.
    Senator Carper. Just give me some examples.
    Mr. Purdy. Well, we have them in power, in chemical, in 
water. There are some in telecommunications. There are some in 
the finance industry. Most of the critical infrastructure 
sectors, pipelines, have control systems, and that is why it is 
one of the major priorities in our effort and in our funding.
    Senator Carper. Is it fair to say that those different 
critical infrastructures are under attack on a daily basis, 
weekly basis, monthly basis, or some never under attack?
    And if so, where are the attacks coming from? What is the 
source of those attacks?
    Mr. Purdy. The National Intelligence Estimate for Cyber 
identified some particular Nation States that are the source of 
particular kinds of attacks. There are attacks that are rampant 
throughout cyberspace. Within minutes, as you probably know, 
when you hook up a new computer, you can see different levels 
of attack. Obviously, we are more focused, particularly focused 
on attacks against major critical infrastructure, attacks, 
whether successful or otherwise, targeted against control 
systems, for example, and that is a major effort for us.
    Working with the Process Control System Forum, hundreds of 
private sector owners and operators that we are partnering with 
with DOE to try to make sure we build access to the information 
and provide protective guidance, such as we issued last week, 
Control Systems Information Bulletin for guidance to the 
control systems owners and operators to help raise the bar in 
terms of those efforts.
    A lot of the activity, the malicious activity in cyberspace 
right now, as you know, is targeted toward financial gain. The 
use and exploitation of vulnerabilities, the use of trojans and 
worms, there was an ABC news report last night on the use of 
keystroke loggers, the malicious code put on people's computers 
that log the personal identifying information, much of which is 
related to phishing and spam and identity theft. It is a major 
problem to our e-commerce in general, our financial community 
in particular, even though I think they are one of the most 
robust sectors in terms of financial security.
    And so we are working with Treasury. We met with the FBIC, 
that is the governmental group, 2 weeks ago to try to 
accelerate the information sharing in the financial sector, and 
we are also monitoring the black market in those malicious 
tools, because there is a black market in those tools.
    We are concerned and trying to help raise the bar because 
of the potential ability to use those vulnerabilities, to use 
those exploits to launch targeted, sophisticated attacks 
against our critical infrastructure, and that is why one of the 
priorities that I reference in my written testimony is trying 
to engage more effectively with the private sector on the 
priority areas that we need to focus on, and the one that we 
are suggesting to them is the identification of the major cyber 
attack scenarios, the serious cyber attack scenarios that we 
need to identify so we can mitigate, prevent, we can have our 
responses, in some cases automate it, and we can have the 
reconstitution in place to bring the systems back up and 
running.
    Senator Carper. Give us an example, if you will, of what 
you called a serious attack scenario.
    Mr. Purdy. Well, we would consider an effort that appears 
to be attempting to access the control mechanism of a control 
system, say in a waste treatment plant. We would consider that 
a serious attack because of the ability to change either the 
manipulation of the activity that it is manipulating and/or the 
monitoring that could be used to hide if there was a change or 
a problem. It might affect the sensors' ability to check that 
out.
    More serious situations that you see referenced in last 
Friday's alert about e-mail trojans that we put out is the 
exfiltration of data. We are very concerned about--which is 
basically stealing data from government and the private sector. 
We believe that is a very significant issue that we are 
addressing.
    You asked a question in terms of some of the activities 
with the private sector. We are working closely, as I said, 
with the Process Control Systems Forum. We have had discussions 
with Siemens, one of the companies that will be testifying 
later, on some activities in the control systems area and 
trying to use some of the test beds where we can test the real 
world activities and capabilities that folks are using and test 
them in terms of their vulnerability to cyber attack and what 
kind of measures can be used to help protect them.
    So that kind of real world activity--and frankly, some of 
the activities are not very visible. One of the key things 
about being a focal point for cyber security is we get 
classified information, we get law enforcement sensitive 
information, we get information from the CERT community and 
from others, and what we try to do is provide real protective 
measures.
    So, for example, there was an attack not too long ago 
against a private provider that affected a Federal Government 
customer, and so what we did, when we understood the----
    Senator Carper. Say that again. There was an attack from--
--
    Mr. Purdy. There was an attack against a private sector 
provider and there was a government account on that system, so 
we took that information and identified, working with the 
company, working with law enforcement, identified what we 
thought was the zone of danger in that situation in terms of 
the other Federal entities that had access to the same servers 
in separate accounts. So we had a conference call with about 15 
Federal agencies that had not been attacked yet, but to make 
sure they knew and had specific information they needed so that 
they could act on it.
    Then we issued what is called a Federal Information Notice. 
That goes to 1,400 Federal agencies. A little less sensitive 
information, but still, evidence that nonetheless could be used 
by folks to protect themselves. And finally, a general alert 
that goes more broadly so that folks could know what to do to 
secure their systems.
    But we don't publicize those kinds of activities. Now, when 
there is, for example, an attack against a major State that we 
had to fly a team in to help, we don't publicize that 
information. We work with law enforcement, the intelligence 
community to try to bring value, and I share the point from my 
colleague from GAO that we want to provide value, and as part 
of this information effort, trying to figure out how to get the 
value to the private sector and our government partners and our 
State partners in a way that really is important is something 
that is very important to us and it builds that trust that you 
need for people to share, that if you don't go to the press and 
if you don't publicize these things and you provide real value, 
that kind of synergy is going to help us all.
    Senator Carper. Thanks very much.
    Senator Coburn. Just a couple other questions. Part of your 
statement was a major priority funding on control systems. Can 
you elaborate on that for me?
    Mr. Purdy. Yes. Our budget for fiscal year 2005 is in the 
high $70s of millions. The control systems funding is $11 
million in 2005. The President's budget, which calls for 
approximately $88 million for us in 2006, includes between $15 
and $16 million for control systems. So it is a major effort 
for us.
    Senator Coburn. One other question. Did your Department 
send a representative to the DOE road mapping exercise?
    Mr. Purdy. I don't know offhand.
    Senator Coburn. You have got some staff shaking their heads 
yes. Did DOE send a representative to DHS's framework meeting 
in Salt Lake City today? I get ``yes,'' too. All right. Thank 
you.
    One of the things that----
    Senator Carper. Mr. Chairman, how do we know that just 
wasn't members of the audience shaking their heads? [Laughter.]
    Mr. Purdy. Yes. I am told that the answer to those 
questions was yes. I do know that NASCIO, for example, has 
participated in some of our meetings, building for our national 
cyber exercise, Cyber Storm, in November, and that kind of 
outreach is obviously fundamental to the success of these 
efforts.
    Senator Coburn. One other question for you and then a 
couple more for Mr. Powner. GAO has pointed out that DHS's 
efforts to promote a trusted two-way communication information 
sharing have been found lacking by the private sector and some 
other Federal agencies. In fact, your testimony reflects that 
the National Cyber Security Division's second priority is cyber 
risk management, or assessing the threat and reducing the risk. 
However, you state, with regard to assessing the risk, NCSD 
collaborates with law enforcement intelligence communities in a 
number of ways.
    My concern is, is your role law enforcement or is it cyber 
security and prevention, and with a prevention plan? Which is 
it? Which hat do you all wear?
    Mr. Purdy. We are about the business of critical 
infrastructure protection, and what we have found in our 
discussions with the major executive agencies, law enforcement 
agencies, is when there is law enforcement information about an 
attack, for example, against the control systems, my 
discussions, for example, with the Assistant Director of the 
FBI for Cyber was, if you get information in the field about 
something which is obviously a crime, when there is a 
successful penetration of a control system or even a targeted 
attack against a control system, we would appreciate it very 
much if we would get that information so that we can work the 
critical infrastructure protection so we can understand what is 
involved, what is the vulnerability being exploited, so we can 
share the information, not referring to it in its law 
enforcement sensitive way, but we can give guidance out.
    In addition, we have had situations where law enforcement 
finds out that there is an attack. We get information about, 
for example, the source IP addresses of the apparent source of 
the attack. We work with the intelligence community to have 
them work the international piece to see if they can trace it 
back to see what is involved. So it really is critical 
infrastructure protection, but we have to share that 
information with law enforcement intelligence and the CERTs to 
make sure we can all do our jobs better.
    Senator Coburn. But do you then share that with the private 
sector so that they can enable themselves?
    Mr. Purdy. And that is what I am saying that we do in terms 
of the information bulletins and the alerts that we send out. 
And as we build our portal into the Homeland Security 
Information Network, we are going to be able to improve our 
real-time information sharing, and the best example of that is 
bringing those nine ISACs in that our information will go into 
that mix and theirs, as well, and we will share that much more 
quickly.
    Senator Coburn. Mr. Powner, just share with us your view of 
how serious the threat is to us in terms of our cyber security.
    Mr. Powner. Well, years ago, if you looked at the situation 
here, we were more focused on hackers who were attempting to 
break into systems for the sheer challenge or for bragging 
rights. I agree with Mr. Purdy's analysis. We have organized 
crime groups that are focused on monetary gains from using 
cyber tools. We have foreign intelligence services that are 
using cyber tools for espionage activities. I think the real 
question out there is where are the terrorist cells in terms of 
their cyber capabilities. If these folks have the capabilities 
that we are aware of right now, where are the terrorists?
    I think Senator Akaka put it nicely when he mentioned some 
of the FBI's concerns, which date back many years, looking at 
what is referred to as swarming attacks, combined attacks where 
it is not just a cyber attack, but if you have a physical 
attack where you disrupt the response capabilities via some of 
the cyber tools, you could then have a very serious situation 
at hand. So it is real and that threat is growing.
    Senator Coburn. Your report was fairly critical of the 
efforts that are ongoing, and DHS in the response letter to you 
all states that it has a strategic plan with milestones and 
performance measures. Where are they insufficient and why are 
they insufficient?
    Mr. Powner. There is a strategic plan. There is the 
National Infrastructure Protection Plan. Some of those plans 
lack milestones. Some of those plans lack key activities. We 
made recommendations in areas where we saw some weaknesses in 
their plans. You look at the National Cyber Threat Assessment, 
vulnerability assessments by sector, and also response plans, 
not only response plans for the individual sectors, but also 
when you start looking at combined plans where we have multiple 
sectors that play in a certain arena.
    Probably the best example is if you look at the Internet. 
If we had a major disruption in the Internet today, the 
question is, who is in charge of leading that effort to 
reconstitute the Internet?
    Senator Coburn. Who is?
    Mr. Purdy. Multiple players, I think, is the answer today. 
NCSD would play a role. The National Communication System----
    Senator Coburn. Let me ask Mr. Purdy that. Who is 
responsible for putting it back together?
    Mr. Purdy. Well, the Secretary of DHS is the incident 
manager for all incidents in the country. The National Cyber 
Response Coordination Group that we co-chair helps provide 
input to the Secretary and provides input to the Interagency 
Incident Management Group. With NCS, National Communication 
System, as part of that effort, we would coordinate the efforts 
across the Federal Government for reconstitution in partnership 
with the private sector.
    Senator Coburn. Two last questions for Mr. Powner. DHS is 
going to move from $11 to $18 million, I believe that was Mr. 
Purdy's testimony, in 2006, on cyber security.
    Mr. Purdy. Eleven to between $15 and $16 million.
    Senator Coburn. Eleven to $15 and $16 million out of $70 to 
$88 million. Is there a problem with priority or is there a 
problem with funding, in your assessment, as you look at what 
is going on?
    Mr. Powner. Clearly, there is an issue with priority and 
there is also an issue with delivery on the budget that is 
currently allocated. As we pointed out in several areas in our 
report, there is a situation here where we need to take 
additional steps--there have been steps in each of the areas 
that we looked at but there needs to be further steps.
    One good example is the National Threat Assessment. In 
working with the other intelligence organizations, if you look 
at the FBI Cyber Crime Division and other organizations across 
the Federal Government, there is a lot of information out there 
that exists today on the situation associated with the national 
threat. If we put out, as one example, a National Threat 
Assessment that the Department agreed to update annually and to 
provide information on an as-needed basis throughout the area, 
I think that would go a long ways into building credibility and 
adding value, where the private sector would clearly view them 
as a partner in this.
    So I think when you look at the current budget, and I think 
folks up on the Hill--we have had many discussions with them--
would like to see more value coming out of the budgets that are 
currently allocated today.
    Senator Coburn. So this threat assessment would be one way 
to engage the private sector. What are other ways that DHS 
could engage the private sector?
    Mr. Powner. One other way, I think if you go back to the 
Internet reconstitution, I think Mr. Purdy talked about or 
mentioned that NCSD would take a leadership role. There are 
many folks in the private sector, when you are looking at 
Internet service providers and telecommunication companies, 
energy companies, they also would play a major role in that, 
and if the NCSD, as one example, put together some initial 
plans, I think the working group that Mr. Purdy mentioned is a 
step in the right direction, but there needs to be further 
progress in putting in place response plans that are 
comprehensive, where the private sector views the Federal 
Government as a partner.
    Senator Coburn. Is there a backup hardware infrastructure 
in place now if, in fact, the Internet--they would successfully 
challenge and shut it down, without reprogramming it and 
everything else, is there a backup infrastructure with which 
that could be reassembled quickly on a short-term basis? Do 
either one of you want to answer that?
    Mr. Purdy. Well, I think ESF-II, the communications plan 
for recovery, is a very robust effort and the 
telecommunications backbone is the foundation for the Internet. 
We have done a lot of modeling work in terms of potential 
disruptions of the Internet and what it would take to carry it 
out for a long period of time. So I think we are in pretty good 
shape on that.
    I do echo the point that in terms of the priorities, we 
want to partner more effectively with the private sector on the 
recovery piece, on the response piece and the information 
sharing and threat piece. We recognize and we support those 
conclusions and we are working hard to do that.
    Senator Coburn. Have you sent a letter to them saying, how 
can we do that? Has DHS gone to the private sector and said, 
how can we partner with you better?
    Mr. Purdy. We had two large meetings with the private 
sector over the last 2 weeks. We had a meeting with the 
representatives of the Sector Coordinating Council yesterday. 
We will be meeting within DHS after July 26 to lay out how we 
are going to move forward to engage. We have had meetings with 
our lawyers to figure out how we can comply with the Federal 
Advisory Committee Act, to have private sector folks actually 
tasked on a working group or a task force.
    So we expect to have some concrete progress in setting up 
those groups, and for each of those groups, identifying 
milestones and metrics, because the metrics piece is the other 
big piece that we are moving forward on with our internal and 
external metrics, and we want the private sector involved with 
us. So it is not just performance, it is cyber security 
preparedness, metrics that folks can follow over time to see 
where we stand, and that is going to help impact the whole 
National Infrastructure Protection Plan cyber piece.
    Senator Coburn. Senator Carper.
    Senator Carper. Just a couple more, if I could. I think I 
will direct these to Mr. Powner, if I may. I am going to read 
you something that was prepared in my briefing papers here.
    Cyber attacks are launched for monetary gain, for 
intelligence information, or for the thrill of a challenge. The 
most commonly used cyber attacks are viruses and worms that are 
transmitted through the networks and systems to disrupt 
computer files and programs.
    Go back to the first part. Cyber attacks are launched for 
monetary gain, for intelligence information, or for the thrill 
of a challenge. In the work that you have done, the study that 
you have--the time you have invested in this, which of those 
three, monetary gain, intelligence information, or the thrill 
of a challenge, seem to predominate?
    Mr. Powner. We don't have specific numbers on that, Ranking 
Member Carper, but I would say that the monetary gain, when you 
look at some of the surveys that are done by some of the 
institutions out there that track this on an annual basis, for 
monetary gain, those numbers continue to grow year to year. The 
hacking community, I think they are always going to attempt to 
hack for the thrill of hacking. The underground community is 
strong and vibrant. But clearly, when you look for monetary 
gain, also if you look at recently with online fraud and 
identity theft, that is also a growing area where there is 
great concern with security vulnerabilities.
    Senator Carper. I don't know if it was a football coach 
from someplace in Oklahoma, Oklahoma State University, OSU, or 
the other OSU, Ohio State University, but one said that----
    Senator Coburn. I happen to be an alum of both.
    Senator Carper. I know. I am an alumni of Ohio State. 
Somehow, I got on the list from Oregon State University. They 
send me solicitations for money, so I hear from a lot of OSUs.
    But one of them once said that the best defense is a good 
offense. It sounds to me like we play a lot of defense, trying 
to fend off these cyber attacks. Talk to us about the offense 
that we are playing, as well. I will start with you, Mr. 
Powner, and then I will go back over to Mr. Purdy.
    Mr. Powner. Ranking Member Carper, I think if you look at 
our offensive capabilities, it is probably best if we talked 
about that in a closed setting.
    Senator Carper. All right. Should we ask our guests to 
leave? I am just kidding. We won't do it here.
    Mr. Purdy>
    Mr. Purdy. Let me say the piece of it that I can respond 
to, because the point is well taken, we are attempting, and I 
say in my written testimony, to leverage the capabilities of 
the Federal Government from a cyber defense perspective. That 
is situation awareness. That is the ability to attribute the 
source of attacks, the ability to coordinate and prepare for 
responding to specific attacks and the reconstitution piece. So 
we are mapping those capabilities across the Federal Government 
and we are going to identify of those capabilities what do we 
need to tie into US-CERT?
    And third, when there is a cyber incident of national 
significance, we want to in advance identify the surge 
capacities and resources that we need brought to bear so we 
have the full resources of the Federal Government coordinated 
in partnership with the ISPs and the telecommunications 
providers, as well. And if you have a good defense, you don't 
have to respond to other alternatives. We would prefer to try 
to make ourselves as safe as possible, dealing with the threat 
as was discussed, but we need to reduce the vulnerabilities 
because too often, we are not going to know the specific threat 
information as to who is going to attack us. So we need to 
prioritize the vulnerabilities under the risk management 
framework of the Secretary to help mitigate the risks that we 
face.
    Senator Carper. Sometimes when folks commit crime for 
monetary gain, they do so because they feel that--there is a 
risk-benefit situation here. People are willing to take a risk 
and in return they feel they get a certain potential payoff or 
a benefit from it.
    When it comes to folks that are doing this for monetary 
gain, I don't know how likely it is that they feel they are 
going to get caught, prosecuted, go to jail, be fined. Talk to 
us a little bit about the likelihood that the folks who are 
doing this for monetary gain are going to be punished and 
whether or not the punishment is commensurate with the crime.
    Mr. Purdy. Who are you directing the question to?
    Senator Carper. Either one of you. Let me start with Mr. 
Powner.
    Mr. Powner. Would you repeat that, please?
    Senator Carper. I sure will. What I am trying to find out 
is, somebody is out there. They are going to commit one of 
these crimes, one of these cyber attacks for money, for 
monetary gain, and they are thinking through, does this really 
make sense? Am I going to get something that is worth taking 
the risk to commit this crime? How likely is it that we are 
going to catch them, and if we do, is it fair to say that the 
punishment, the level of punishment, is enough to make them 
think twice about committing the crime?
    Mr. Powner. A couple comments. One is GAO does not have 
specific numbers on that, but a lot of these activities go 
undetected to begin with. So if you start there and say that 
there are a large number of these attacks that we do not 
detect, then I think the chances are high that, in fact, they 
will not get caught because they may not even be detected. 
Consistent with Andy's comments, I think that is why we are 
trying to reduce our vulnerabilities, increase our intrusion 
detection capabilities so that, in fact, we can detect more on 
a going forward basis.
    Senator Carper. Same question. Mr. Purdy, what I am trying 
to get at is sometimes when criminals are contemplating a 
crime, they actually think about, well, what if I get caught? 
If I get caught, what is likelyhood that I will be convicted. 
If I am convicted, do I go to jail or pay a fine? Is it worth 
it? And what I am trying to get at is how likely is it that we 
are going to catch these guys and is the punishment 
commensurate with the crime.
    Mr. Purdy. Well, most of those questions, I would prefer to 
defer to the Department of Justice. They really have the 
responsibility in that area.
    The point that Mr. Powner referenced, though, in terms of 
the seriousness with which we view the criminal activity that 
is occurring in cyberspace and the difficulty of attributing 
the source of some of the largest attacks we have ever seen, 
that is all the more reason why we want to focus on reducing 
the vulnerabilities and working with law enforcement and in the 
R&D space to try to do a better job of figuring out who is 
doing these things to us, because obviously in the dynamic of 
if you don't think you are going to get caught, it doesn't 
matter what the punishment is.
    Senator Carper. The last question I want to ask is to go 
back to Mr. Powner. I think it was the May 2005 report called 
``Department of Homeland Security Faces Challenges in 
Fulfilling Cyber Security Responsibilities.'' GAO identified, I 
think you called it a road map of 13 key responsibilities that 
were established, both in law and in policy. And my question of 
you would be, what priorities--and I think the Chairman 
actually mentioned this before--what priorities, and if you are 
GAO, should the Department focus on first?
    Mr. Powner. First of all, that was our recommendation, that 
you take these 13 areas and that they prioritize. But one thing 
that you could--that could help with the prioritization, I 
think Mr. Purdy has clearly mentioned a number of their 
priorities, priority areas on a going-forward basis with 
building trust relationships and tackling the threat and 
vulnerability reduction. There are certain areas that the 
government, and in particular NCSD, controls more than others.
    So if you compared threat assessment to vulnerability 
assessment, vulnerability assessment, they can facilitate the 
vulnerability assessments, but that really has to be done by 
the infrastructure owners of the private sector, for the most 
part. Threat assessment, they control most of that. So in terms 
of the priorities, there are perhaps some quicker hits with 
areas that the government controls more than the private 
sector. So that could be a factor in their prioritization 
efforts.
    Senator Carper. All right. Gentlemen, thank you.
    Senator Coburn. Thank you very much. Thank you for your 
testimony.
    We will now have panel two. Our first witness will be Paul 
Skare. He is the Product Manager of SCADA, Substation 
Automation Products for Siemens Power Transmission and 
Distribution, Energy and Management Automation Division.
    With us, also, I will let Senator Carper introduce Thomas 
Jarrett.
    Senator Carper. Thank you, Mr. Chairman.
    I am going to ask Mr. Jarrett when he speaks to just take a 
moment and introduce the members of his team that are with us 
here today.
    I would just say, because I already talked a good bit about 
Tom earlier in my opening comments and I appreciate the 
opportunity to introduce him here today. I was fortunate to 
serve as Governor for 8 years and one of our real challenges in 
State Government was to put together at the cabinet level an 
agency that could help us take our information systems really 
into the 21st Century, and we struggled with that. We actually 
had an overall sort of top-to-bottom review of State Government 
in, I want to say, 1993. We looked at our Information Services 
Agency, OIS, and tried to determine how we should change it, 
how we could make it better and to enable us to better serve 
the folks in our State. I am never convinced we got it quite 
right.
    I think one of the very good things that has been done 
under the administration of my successor is, I think they have 
pretty much gotten it right. Part of getting it right is really 
having the right person to lead that effort, and in Tom 
Jarrett, I think we have that person.
    He brings us to today the perspective of one who has worked 
in the private sector in these areas, one who has provided 
great leadership, not just for our State, but I think for 
others who do his work, his job, his counterparts in other 
States across the country, and I am really proud of him and the 
agency and the men and women that he leads.
    I thank you for the chance to say those nice words about 
him.
    Senator Coburn. I am struck by the fact that we lost 75 
percent of the people that are here, and I am just wondering if 
all those worked for GAO and DHS, and if they did, no wonder we 
are not getting where we need to be.
    Senator Carper. They are doing the security for the two 
witnesses.
    Senator Coburn. Thank you both for coming. Mr. Skare, if 
you would.

 TESTIMONY OF PAUL M. SKARE,\1\ PRODUCT MANAGER, SIEMENS POWER 
  TRANSMISSION AND DISTRIBUTION, INC., ENERGY MANAGEMENT AND 
                           AUTOMATION

    Mr. Skare. Good afternoon, Chairman Coburn, Senator Carper. 
I am Paul Skare, the Product Manager at Siemens Power 
Transmission and Distribution. My role is, as we said, managing 
many of the products that we are talking about here. I am also 
involved in many standards groups relating to SCADA, or 
Supervisory Control and Data Acquisitions Systems.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Skare with attachments appears in 
the Appendix on page 69.
---------------------------------------------------------------------------
    Siemens is a very large company in this product space and 
we operate in over 190 countries worldwide. In the United 
States, we have over 70,000 employees and we have operations in 
all 50 States.
    In energy management and automation, we provide software 
and technologies for the energy market, and these SCADA systems 
are systems that collect data from all the remote places, the 
substations, the power plants and other expensive pieces of 
power equipment, bring them to a central location, and do 
analysis on this data and turn this data into information so 
that the operators can then make the right, appropriate actions 
to correct problems in the field. Obviously, this is a key 
point for power reliability. Adding more smart applications to 
these SCADA systems allows you to then do even more detailed 
analysis and really look at preventing--proactive approaches to 
preventing blackouts and things.
    My testimony today is focusing on identifying some of the 
potential security vulnerabilities of a SCADA system, some of 
the activities related to this, and some recommendations to 
better protect these systems.
    While our customers primarily use these systems in the 
electric sector, many also use the same basic technology for 
gas, water, and transportation. With some background on this 
information, I have prepared some appendices that can be 
submitted into the public record to help the----
    Senator Coburn. Without objection, they will be. Thank you.
    Mr. Skare. And I would like to say that in the last few 
years, I have seen industry and government working better 
together. What is really noticeable is that a lot of this type 
of discussion has moved away from the art, or the world called 
art into a more firm science approach to the issues. and it 
helps spread awareness and get everyone to speak the same 
language.
    But nonetheless, some of the SCADA vulnerabilities that are 
issues to look at are obviously remote access. Anytime you have 
remote access to make it easier to access these devices 
remotely, it is going to present a vulnerability or the 
potential for a vulnerability.
    Network configurations, the way that you would remotely 
access these things, of course is very important, to make sure 
that they are secured, and any minor misconfiguration can 
create a vulnerability.
    Disgruntled employees, whether they are current employees 
or ex-employees, are a big factor, whether they are mad and 
they go immediately and do something they still have access to, 
or whether they have just been terminated but they still have 
access privileges to the system will allow them to go out and 
do a malicious act.
    The discussion earlier about security holes and patches and 
viruses, worms and so on, is going to be always an issue for 
this industry because of our high reliance on commercial off-
the-shelf technology. Our systems are based on all the standard 
computers that are available on the market.
    Communications should be encrypted. This means if you are 
using a wide-area network approach, you should have a public-
private key infrastructure with encryption and authentication 
to make sure the data is private and can't be hacked into. You 
should also make sure that for a lot of these remote devices 
you are talking to, that you have valid encryption and 
authentication in place for those, as well.
    One of the things that we have talked about in the previous 
testimonies today is incident reporting, really. How do you 
know how bad it is when it is unclear how you measure? What are 
the real incidents? Are you getting a false positive on an 
attack report? Are the companies that use these systems, are 
they reporting actual incidents to anybody? Certainly as a 
SCADA vendor, most of our customers do not want this 
information public. They don't want to tell us, and they would 
prefer not to tell anyone because of the potential harm the 
publicity could bring.
    So some of the challenges for these SCADA systems is making 
sure that all user activity is audited by the individual doing 
the activity, making sure that there is upgrade kits for older 
systems to make them secure without having to replace the whole 
system, making sure all the third-party products involved in 
these systems are also set up for security and the latest patch 
is built into those. Again, making sure that we have the secure 
communications, both over WANs and over slower dial-up-type 
access.
    And finally, making sure that a lot of the low, weak 
devices that you are talking to have the ability to have 
encryption between them so that when you are talking from a 
control center out to an RTU or a remote device that is 
bringing the data in, even if it is a really old one, that you 
can still get a secure communications and not have concerns 
from that regard.
    Some of the recommendations that will help achieve securing 
these systems is making sure that business processes are 
aligned with security in mind. Now, NERC has done a lot to 
create some security policy where it is sent to foster 
requirements for security policies, but not necessarily--with 
the energy bill now, the enforcement becomes a possibility for 
NERC to be able to address these issues. Today, the enforcement 
is only a voluntary enforcement, and so for a utility to have a 
security manager and a security awareness program and making 
sure there are no little yellow sticky notes with user names 
and passwords laying around is an important aspect of security.
    Types of SCADA systems also have some challenges on the 
different types of security because an electric SCADA system 
will be processing information every one or two seconds, 
pulling that information in and doing analysis on it, while 
something on a gas pipeline system might only need to pull that 
data in once every 10 minutes. So a gas pipeline system can 
have a higher level of encryption and still get its data in 
time, but for an electric power system, when you are talking 
about collecting data at perhaps once every second, you can't 
block the access of the data by having so much encryption that 
it slows down the availability of the data.
    So with that regard, one of the recommendations is to 
foster some research into that area so that for these low-
powered devices, that includes some of the wireless devices 
that are out there now, too, because more and more, you are 
seeing sensors connected into the system through a wireless 
connection before they come upstream to the control center, and 
right now, there is a need for research in the security of 
these wireless communications.
    Another recommendation is to have a secure way of reporting 
both the threats and the incidents in these systems. So, for 
example, whether someone has a threat available, it is not 
necessarily accurate that everyone is aware of that threat, and 
also, if a utility is faced with an attack or a security 
incident, there is no mandate that says they have to report 
that to anyone. And if there was a way for these incidents to 
be shared along with the vendors that make these systems, it 
would allow us to more rapidly respond to fixes for these 
incidents.
    Another issue is incentives for the utilities when they 
secure their systems. If there was an approach that would 
ensure that the culture at these utilities had the mindset of 
securing their systems in a way to help their cost recovery on 
those through either tax incentives or some such mechanism, 
would be helpful, I think, for the electric utilities.
    Federal and State cooperation, it is not just the people we 
have talked about today, but each State Public Utility 
Commission is also involved in the operation of these electric 
utilities and the cooperation and perhaps public outreach in 
these areas with the Public Utility Commissions would be of 
benefit.
    And then there is also non-jurisdictional utilities also 
could be useful to be brought into the fold with the security 
discussion.
    Another recommendation is Department of Homeland Security 
and Department of Energy have some similar programs and it 
would be useful, I think, to have them perhaps a little more 
coordinated or merged together.
    We heard earlier today about the Control System Security 
and Test Center, and there is also the National SCADA Testbed, 
both out at Idaho National Laboratory. And while Siemens has a 
system out there, I think that it would be useful to have these 
programs combined and have a longer-term funding approach for 
them so that you can see that as these vendor systems get out 
there and the vendors produce fixes and patches for them, that 
over time, you can verify that these systems are really getting 
secured. But this is not a one-year type of approach. This is a 
multi-year activity.
    The other thing that would be useful is if the different 
national laboratories were a little bit more in sync and didn't 
appear to be competing. For example, Idaho National Lab, Sandia 
National Lab, specific Northwest National Lab and Oakridge, 
which all have some relevance to this subject, in fact, three 
of them do have a partnership for the National SCADA Testbed, 
but in overall, there has still in the past been some confusion 
as to who is taking what role in this activity.
    The various management changes and reorganizations have had 
an impact, also, on making sure you know who you are talking to 
in order to accomplish various tasks in this arena.
    Senator Coburn. Let me get you to summarize, if you would.
    Mr. Skare. OK. Absolutely. The final point is that a risk-
based approach is, I think, the most effective approach to 
these issues.
    Finally, I would like to say that Siemens is very 
supportive of these activities and will continue to be made 
available and to assist and to work in the area to secure the 
Nation's critical infrastructure. Thank you.
    Senator Coburn. Secretary Jarrett.

    TESTIMONY OF THOMAS M. JARRETT,\1\ SECRETARY AND CHIEF 
INFORMATION OFFICER, DEPARTMENT OF TECHNOLOGY AND INFORMATION, 
                       STATE OF DELAWARE

    Mr. Jarrett. Thank you. At Senator Carper's request, first, 
I will introduce the folks that came along with me. First is 
Elayne Starkey, the Chief Technology Officer for the 
Department; Michele Ackles, who is my Deputy in the Department; 
and I would also like to introduce Shay Stautz, who is here 
with me from NASCIO, so I am glad that they joined me today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Jarrett with attachments appears 
in the Appendix on page 105.
---------------------------------------------------------------------------
    Thank you for inviting me to appear before you today. I 
appear in two capacities, first representing the great State of 
Delaware as Secretary of Delaware's Technology and Information 
Agency, and second, as the current President of the National 
Association of State Chief Information Officers, or NASCIO.
    First, I would like to thank Chairman Coburn and a special 
thanks to Delaware's Senator Tom Carper for inviting me to 
speak with you today. As Delaware's CIO in charge of all State 
Government information and communications technology, my 
highest priority is cyber security.
    The security of Delaware's information technology system is 
critical to the well-being of our State as a whole, not just 
the business of the State, but also its economy. Further, from 
a Federal perspective, Delaware's information system is key to 
providing Federal services to our citizens and supports 
homeland security efforts.
    In the most simple of terms, keeping those who would wish 
to do us harm out of our network and systems is the primary 
challenge of IP security staff in Delaware and across the 
Nation. Delaware's State network may be small in comparison to 
some other States, yet we are responsible for over 130,000 
users, representing all three branches of government, including 
our law enforcement, first responder, and educational 
communities.
    We have recently deployed new software that permits us to 
check network events on a daily basis and we fend off nearly 
3,000 daily attempts at entering our network. I would like to 
repeat that, nearly 3,000 attempts a day to invade our network. 
As you will see in the documentation that I have attached to my 
statement, these numbers are not out of line with what other 
States are seeing.
    Because of our extreme diligence, we have not had a 
significant intrusion into our network. Keeping those that 
would wish to do us harm out of our network requires multiple 
layers of protection. While it is rarely a terrorist in the 
traditional sense of the word that threatens the State network, 
we do not focus specifically on who is trying to infiltrate our 
network. Rather, our goal is to keep all those with bad 
intentions from entering our system.
    Without lapsing into too many technical terms, we deploy a 
number of different hardware and software products to protect 
our networks. We scan, scan, and scan again all traffic coming 
into the network. We search for viruses, spam, spyware, and 
other recognized problems.
    Delaware is proactive in establishing collaborative 
partnerships at the Federal and local level. We have a working 
relationship with the FBI, who performs vulnerability audits 
and scans for us. We collaborate with the private sector, as 
well. Delaware was the first State to become part of an 
extensive security cooperation program that Microsoft has 
established.
    During times of heightened security alerts, like that 
resulting from the recent terror incidents in London, we also 
raise the bar on cyber security. We increase our vigilance and 
our monitoring because we are well aware that a virus that 
begins in Asia can propagate to the United States in a matter 
of a few short hours. In a very short period of time, it is 
possible for a system that has been not hardened or properly 
maintained to be completely overrun.
    Now, what does the future hold? Unfortunately, I have to 
state that I believe that threats to cyber security will only 
increase and we will face continuing attacks and attempts on 
multiple fronts. State IT officials must continually adjust how 
and what is filtered, blocked, and monitored. New threats 
appear almost daily and they can, in a matter of seconds, 
render services we have all come to depend upon, like e-mail 
and web browsing, completely unusable. In the worst case 
scenario, without proper protection, an attack could 
potentially cripple or completely shut down an entire State 
Government.
    While we must understand that all critical infrastructure 
is the same by its very nature, critical, whether it is a 
roadway system or an information network, infrastructure is 
about moving people and information and a State's network 
infrastructure is equally as important as its highways, 
electric power grid, or mass transit system.
    I will conclude my remarks with a few words about what 
NASCIO is doing. NASCIO is working with the States to get a 
comprehensive picture of the challenge that cyber security 
represents. We have produced a series of snapshots into what a 
few States are doing. Let me share just a few experiences from 
my CIO colleagues.
    Michigan reports that nearly 32 percent of its incoming e-
mail carries viruses, while Montana reports a rise from 93 
attempted virus infections in 1997 to nearly 45 million in 
2005. Kansas blocked 600,000 intrusion attempts over a 3- to 4-
hour time period during one recent attack.
    Protecting critical IT infrastructure does not come 
cheaply. We estimate that my Department spends $5 million 
annually, or 15 percent of my annual budget, on cyber security. 
A recent Statewide assessment in North Carolina revealed that 
approximately $50 million was needed to implement a statewide 
security plan.
    NASCIO believes that the Federal Government and the States 
must increase collaboration in facing these threats which we 
share in common. NASCIO applauds last Wednesday's announcement 
by Secretary Chertoff that he will create an Assistant 
Secretary for Cyber Security within the reorganized Department. 
NASCIO supported the calls for such a position and has endorsed 
past legislative efforts seeking to create the position. In 
fact, State CIOs have made addressing deficiencies in public 
sector cyber security their No. 1 item on our Federal agenda. 
We believe that the creation of a higher-profile position for 
cyber security within DHS is an important statement to the 
Nation as a whole.
    Having provided you with this background, NASCIO comes 
prepared to offer the Subcommittee one substantive step that it 
can take forward toward improving intergovernmental cyber 
security. NASCIO has provided Subcommittee staff with language 
that encourages the Secretary to have DHS revise the existing 
strategy and assessment process to include requiring a cyber 
security preparedness plan from each State and each State's 
CIO. We feel that closing the cyber security planning gap in 
the near term, and especially before the next round of grant 
making gets underway, is the single most important issue facing 
our sector today.
    Finally, NASCIO points out that information systems in 
general are the only part of the Nation's critical 
infrastructure that is under attack everywhere, all the time, 
and these attacks are inflicting millions of dollars in damage. 
Cyber attacks, even those without terroristic intent, could 
disrupt government's operations in general or homeland security 
mission critical systems specifically. It is our duty to secure 
these systems from all types of threats, regardless of the 
intent behind them, and as soon as possible.
    As the CIO for the State of Delaware and the President of 
NASCIO, I appreciate the work that the Subcommittee is doing in 
confronting this national challenge. Thank you.
    Senator Coburn. Thank you, Mr. Jarrett.
    Senator Carper has to leave and I am going to defer to him 
for the first set of questions.
    Senator Carper. Thank you very much, sir.
    Again, to our witnesses, thanks a lot for coming and for 
really excellent testimony in ways that even I could almost 
understand. Sometimes when we have people testify on these 
subjects, I am not sure I understand the words. As Mrs. 
Einstein used to say, Albert Einstein's wife, ``Mrs. Einstein, 
do you understand what your husband is saying or talking 
about?'' And she said, ``I understand the words, but not the 
sentences.'' I think for your testimony, for the most part, I 
understood not only the words but, in many cases, the 
sentences.
    I want to return to a question I asked the last panel and 
never got the answer I was looking for. I raised the issue of a 
football coach who is looking for ways to provide a good 
offense, and not just a good defense. We had a big middleweight 
championship fight out in, I think it was Las Vegas, this past 
weekend. A guy who defended his title, I think 20 times, was 
unsuccessful in title defense No. 21.
    Senator Coburn. Fighting is not good for you.
    Senator Carper. That is what I have heard, at least 
fighting against those guys wouldn't be good for us. But as I 
listened to this testimony, I am reminded of a boxing match, 
maybe even a football game, where one side is on defense the 
whole time and you never get the ball to go on offense. I am 
reminded of a fight where you have got one guy is permitted to 
throw all the punches and the other guy just basically has to 
take them. Am I misreading this? Are there ways that we can 
fight back effectively? It seems that all we do is play 
defense, and I think we are pretty good at it, it sounds like 
we are very good at it, but I like to play offense, too. Are 
we? Should we be?
    Mr. Jarrett. Well, I would say from a State perspective, I 
think we are beginning that process. We have spent considerable 
dollars over the last several years building a very strong 
defense. But the real issue here is more in trying to identify 
the people that are actually trying to get into our networks, 
they hide themselves very effectively. So you need to have the 
resources and the money to then go after them, and I happen to 
be a believer that we should be going after them, but they are 
very difficult to find. In our case, as quickly as we make 
changes to our system, we see changes that have already 
countered those changes. So very definitely, I would hope that 
we will begin to take a much more offensive approach, but it is 
very difficult.
    Mr. Skare. I think that we have a very large installed 
knowledge now with intrusion detection systems, but now the 
latest thing that is coming along is intrusion prevention 
systems. So what it is, it is trying to take a look at the 
known signatures of some of these attacks and try and prevent 
them as they are happening, or the so-called zero day defense 
that is really happening. And when you combine that with a 
defense in depth approach to your control system, you have a 
much better chance of really trying to proactively stop them as 
it happens, although I would say that there is still a long 
ways to go there.
    But, for example, when you look at some of these control 
systems, they use quite common standardized protocols so that 
all the different systems can talk to each other and these are 
mostly publicly available, so we are taking a look at how do 
you scan real time these data communications and prevent things 
from happening real time.
    Senator Carper. All right. A question, if I could, this 
would be for Secretary Jarrett. I believe in your testimony, I 
think I heard you say that some 15 percent of your Department's 
budget is just for cyber security initiatives. Last week, 
Secretary Chertoff said, I believe in this hearing room, not 
only the establishment of the Assistant Secretary for Cyber 
Security and Telecommunications, but he talked about dedicating 
some Federal resources to help the efforts across the board. 
Let me just ask, what additional resources do you believe that 
the Federal Government, if any, should allocate, if any, for 
cyber security initiatives?
    Mr. Jarrett. Well, I think there are two pieces of that. I 
have read some of the numbers as far as dollars that they are 
talking about appropriating to that. When I compare them in 
direct comparison to what I spend, my comment would be that I 
don't think it is enough. So I would hope that the 
appropriations that they are going to put towards cyber 
security would be much larger than what I, at least from what I 
have currently seen.
    Senator Carper. It would also be great if, whether the 
allocations are huge or large or moderate, it would be great if 
they were doing something that sort of complemented what you 
were doing with this data, not necessarily duplicate or 
replicate.
    Mr. Jarrett. And that was going to really be my second 
thought, which is I heard the comments and what was honestly 
striking to me was the fact that though there was a lot of talk 
about connections between agencies and all that, there was no 
mention of connection really to the States. And I would argue 
that the States are really the first line of defense when it 
comes to, whether it is first responders and those kinds of 
things. We are kind of out front on a lot of areas, working in 
the area of cyber security. So we would like to work much more 
effectively with them in the future. I think that would be a 
tremendous approach if we could finally, or at least 
ultimately, reach that point.
    Senator Carper. One other thought, Mr. Chairman, comes to 
mind. I think it was Lincoln who used to say, the role of 
Government is to do for people what they cannot do for 
themselves. Maybe a reasonable role for the Federal Government 
here, for the Department of Homeland Security, is to do for 
States what you cannot do for yourselves, or for the private 
sector, for that matter.
    One last question, if I could, for Secretary Jarrett. I 
believe your first task, as I recall, as Secretary was to 
transform Delaware's Office of Information systems to this 
Department of Technology and Information. You hand picked and 
hired an entirely new organization that is built on a market-
based compensation plan where individuals are compensated based 
on their performance within the Department. You also did away 
with many middle management positions. You enabled employees to 
be more connected with the end result.
    I would just ask what suggestions you might have, really 
for the Department of Homeland Security, for our Federal 
agency, for your big brother, if you will--that probably has 
the wrong connotations--but for Homeland Security in finding 
and retaining the most highly qualified individuals to protect 
our Nation's critical infrastructure.
    Mr. Jarrett. I have a pretty basic thought about that and 
it comes down to the most basic thing, which is pay. One of the 
key approaches that Delaware took was to be able to pay our 
people within the Department what the market, and what they 
would literally get in the market if they were to go outside of 
working in State Government. We found that to be very 
effective, because in the end, if you are going to be effective 
in managing, working these kinds of issues, then you have to 
have very good people, and if they are going to be accountable, 
then you have to be willing to pay them, or otherwise very 
likely they either won't come to you in the first place, or if 
they do, they won't remain very long.
    So we have found that our pay structure has been probably 
one of our greatest assets because it has allowed us to hire 
very excellent people who are more than willing to stay because 
we are very competitive.
    Senator Carper. Great. Mr. Chairman, thanks for letting me 
lead off here. And again to Secretary Jarrett, it is great to 
see you.
    Mr. Jarrett. Thank you.
    Senator Carper. Thank you for you and your team, who are 
representative of the great work you are doing on behalf of our 
State and for, I think, the wonderful example you are providing 
to a few other States. Congratulations. He is not only 
Secretary, Mr. Secretary, but he is also Mr. President of his 
national organization. It is not ever day we get to do that. 
Thank you both.
    Senator Coburn. The Senator from Delaware, are you 
proposing waiving government parameters limiting the ability to 
increase pay and pay for performance in Homeland Security? That 
is something our President has been trying to do here for some 
period of time.
    Senator Carper. When we have a private conversation with 
our earlier panel on the matters they couldn't discuss, let us 
bring that one up, too.
    Senator Coburn. OK. Good answer. [Laughter.]
    Senator Coburn. Mr. Skare, here is how my staff assesses 
you. He is a world class operational control systems technology 
expert. He works for one of the world's largest manufacturers 
and leaders in control systems. So I want to ask you very 
frankly, do you have a good working relationship with DHS? Are 
they communicating the way they should with you? Are you 
allowed to get information that is helpful to you when you 
should, and do you feel comfortable sharing information with 
them?
    Mr. Skare. Well, that is a very good question. I think that 
there has been some changes in management. I originally was 
contacted and had been working with Mike Lombard in the 
Department of Homeland Security, and then that had shifted over 
to David Sanders. I think as some of the activities go on--for 
example, the DHS did invite me to the road map meeting we had 
last week in Baltimore, and I think that it was a very good 
meeting for sharing ideas with the DHS people.
    My experience with DHS is that they are very focused on 
moving quickly. But as far as sharing any detailed information, 
I do not have any specific threats shared with me of any sort.
    Senator Coburn. So, in other words, there may be a threat 
to one of the systems that you are looking at that they know 
about that you don't know that could maybe enhance your ability 
to do the job better as a vendor for those items, yet you are 
not seeing the feedback loop coming on that.
    Mr. Skare. That is right. I have seen no feedback in that 
area.
    Senator Coburn. Is that not something that we want to 
happen?
    Mr. Skare. I believe it is. I know that I actually had this 
discussion with one of the DHS people last week and we 
discussed if it meant that we should get security clearance, or 
maybe there is a new type of clearance that could be created, a 
trusted type of information sharing line that could go on. But 
the discussion was still an ongoing discussion.
    Senator Coburn. Well, if 85 percent of our cyber is in 
private hands, we are going to have to talk to the private 
sector. That would mean 15 percent is in the State and Federal 
hands and other entities. We are going to have to communicate, 
and I was most concerned about GAO's testimony as this lack of 
confidence, because if there is not confidence with DHS, then 
you as a spokesman or lead individual for your company are 
going to be somewhat hesitant to share with them information. 
And so if we can't get past the--it is kind of like marriage. 
If you can't get past the trust deal, you never get anywhere. 
So if we can't get there, this can build and this can grow if 
we have a working relationship. I am concerned.
    Have you noticed anything, Secretary Jarrett, in terms of 
your ability to relate and a level playing field and 
informational exchange that you could offer us?
    Mr. Jarrett. We have found that the information exchange 
has been very difficult. That is why we have built strong 
relationships with most of our business partners. I can tell 
you that most of the threat data that we get today, we get from 
those business partners and through US-CERT, but not directly 
from the Department.
    Senator Coburn. Through the US-CERT?
    Mr. Jarrett. Right.
    Senator Coburn. OK. And did either of you gentlemen happen 
to see the article yesterday in the Wall Street Journal where 
they talked about the trojans? I thought it was a very 
informative article for the public because it is us and our 
personal computers that are being used to scam everything else 
in the world and used to, what do they call it, bot----
    Mr. Jarrett. Bots and zombies and----
    Senator Coburn. Yes. I would also note that DHS is not in 
here anymore for them to hear your testimony, which is 
concerning for me, because that is one of the areas, we are 
sponsoring this, we have 15 people from DHS attend a hearing, 
but when they are through testifying, then they are not here to 
hear what the rest of the panel says so we don't get the 
information. So that says you don't build trust if you can't 
communicate, and if you aren't going to listen, you are never 
going to be able to communicate. So I am somewhat critical of 
that.
    Mr. Jarrett, does your office have regular contact with the 
National Cyber Security Division at DHS?
    Mr. Jarrett. We do not. We do on a kind of hit-or-miss 
basis. We do a lot of things. We are members of the MS ISAC, 
which is the 50-State group that has come together, but not 
directly with them.
    Senator Coburn. Did I hear you right a moment ago that you 
thought there should be a requirement for each State to have a 
preparedness plan?
    Mr. Jarrett. A cyber security preparedness plan, 
absolutely.
    Senator Coburn. And should that be contingent on their DHS 
grant?
    Mr. Jarrett. I think it should be tied directly to the 
grant process. What has been difficult in the current grant 
process is that little of that money is going towards cyber-
related issues. I can tell you, in the 3 years that monies have 
come out in my State, I just for the first time got a small 
amount of those dollars for some cyber work that we are doing. 
It has been driven toward other directions, and though I 
understand that and respect that, I think that we need to also 
understand that the cyber aspect of this is absolutely 
critical.
    All of our systems and everything that--I run all of the 
systems for all the first responders, the State police, 
everyone, so during time of greatest need, if my systems go 
down, they literally have no access to any of the information 
that they will require.
    Senator Coburn. And you already answered this somewhat, but 
I want to ask you again, and I find it strange. Fifteen to $16 
million of this next year's budget for DHS, and you are going 
to spend $5 million, and you say to set a State up, it is going 
to take $50 million just in programming the structure and 
observations and diligence. I am kind of appalled that that is 
the priority. Are you?
    Mr. Jarrett. I am concerned about the priority, absolutely. 
I mean, we are very happy to see that they have established the 
Assistant Secretary for Cyber Security. That is something that 
we have pushed for for a long time. But with it must come the 
right funding to be able to do the job correctly and the amount 
of money, at least that I have seen, concerns me.
    Senator Coburn. How are you all at the State of Delaware 
informed of a fast-moving cyber threat? How do you find out, 
other than your own observation and blocking and monitoring 
technique?
    Mr. Jarrett. Two primary ways today, neither of which are 
the Department. One is through the MS ISAC structure that was 
created about 2 years ago----
    Senator Coburn. Is that fast? Do you get that on a real 
time basis?
    Mr. Jarrett. We get that on a real time basis. It has 
become a very dynamic group. We meet once a month, and so we 
have built a structure within the States that allow us to share 
information on a very rapid basis.
    We also get it from our vendors through our cooperative 
program with companies like Microsoft and Oracle and others. 
And all of my key security folks are obviously also connected 
to the US-CERT process, as well.
    Senator Coburn. Is that timely, the US-CERT process, or 
does it come hours or days after the fact?
    Mr. Jarrett. We are actually finding the US-CERT process to 
be quite timely----
    Senator Coburn. Good.
    Mr. Jarrett. So we have been very pleased with that at this 
point. Timeliness, obviously, in our business, is absolutely 
critical, given the fact that we are talking about threats 
that--we are not talking about days, we are talking about 
minutes and hours.
    Senator Coburn. And going back to your testimony, Mr. 
Skare, if you are talking about a power generation facility and 
they are monitoring sequentially, there is not the technology 
for encoding or encrypting instantaneously that information so 
that you can stay on a real time basis without putting that 
facility at risk?
    Mr. Skare. There are ways to do that for network 
connections, although a lot of the standards are still lacking 
in approval from an approval perspective, and many utilities 
are reluctant to roll out technologies like that until they 
have been standard and approved.
    Senator Coburn. And who holds that approval?
    Mr. Skare. It depends. In this case, there is international 
approval as well as U.S. approaches. In the international 
arena, it is the International Electrotechnical Commission. On 
the U.S. side, the standard that most U.S. utilities are going 
to be looking toward is one set by NERC.
    Senator Coburn. OK. I can't help but think about the 
television show ``24'' and how closely you were involved in 
that. Part of our risk--there has been $60 billion spent by the 
U.S. Government on IT in this last year, $60 billion by the 
Federal Government. That is a big sum of money. And yet it 
doesn't seem that we are a whole lot more secure. We may be 
faster and we may be moving information around, but the more IT 
we have, the more risk we have if it is vulnerable.
    What is the budget for the State of Delaware on IT? Do you 
have any idea?
    Mr. Jarrett. Well, about $300 million.
    Senator Coburn. A year?
    Mr. Jarrett. A year.
    Senator Coburn. And that is both hardware and software, the 
whole----
    Mr. Jarrett. That is everything.
    Senator Coburn. That is the whole thing. All right.
    Mr. Skare, you talked about business process. What 
motivates, or what would motivate a company to make an 
investment in cyber security to protect their critical 
infrastructures, those that have not?
    Mr. Skare. I think those that have not, any type of 
business case where you can show them where the loss or the 
damage to their business due to such an incident would result 
in a negative impact on their business. For example, if an 
attack took down a particular substation and those customers 
were without power for a certain amount of time, you would have 
not only the lost revenue due to the power outage, but you 
would also have then the damage to the reputation. And 
quantifying those in terms of a business case would go a long 
way to help.
    Senator Coburn. And so you all are seeing more that your 
business is good, is that correct?
    Mr. Skare. Interestingly enough, common sense might dictate 
that after a major event, such as the blackout in 2000, it 
would spur investment in these areas. However, there was a 
certain amount of reluctance to spend purely so that it wasn't 
seen as a reaction or as a sign of weakness. So it is kind of a 
balancing act.
    Senator Coburn. I want to thank both of you for your 
testimony and for staying as long as we have. I appreciate you 
coming and giving this information.
    We may submit some questions to you in writing. We very 
much appreciate if you would be timely in your response to 
those.
    Thank you very much for attending. The meeting is 
adjourned.
    [Whereupon, at 3:44 p.m., the Subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

[GRAPHIC] [TIFF OMITTED] T3163.001

[GRAPHIC] [TIFF OMITTED] T3163.002

[GRAPHIC] [TIFF OMITTED] T3163.003

[GRAPHIC] [TIFF OMITTED] T3163.004

[GRAPHIC] [TIFF OMITTED] T3163.005

[GRAPHIC] [TIFF OMITTED] T3163.006

[GRAPHIC] [TIFF OMITTED] T3163.007

[GRAPHIC] [TIFF OMITTED] T3163.008

[GRAPHIC] [TIFF OMITTED] T3163.009

[GRAPHIC] [TIFF OMITTED] T3163.010

[GRAPHIC] [TIFF OMITTED] T3163.011

[GRAPHIC] [TIFF OMITTED] T3163.012

[GRAPHIC] [TIFF OMITTED] T3163.013

[GRAPHIC] [TIFF OMITTED] T3163.014

[GRAPHIC] [TIFF OMITTED] T3163.015

[GRAPHIC] [TIFF OMITTED] T3163.016

[GRAPHIC] [TIFF OMITTED] T3163.017

[GRAPHIC] [TIFF OMITTED] T3163.018

[GRAPHIC] [TIFF OMITTED] T3163.019

[GRAPHIC] [TIFF OMITTED] T3163.020

[GRAPHIC] [TIFF OMITTED] T3163.021

[GRAPHIC] [TIFF OMITTED] T3163.022

[GRAPHIC] [TIFF OMITTED] T3163.023

[GRAPHIC] [TIFF OMITTED] T3163.024

[GRAPHIC] [TIFF OMITTED] T3163.025

[GRAPHIC] [TIFF OMITTED] T3163.026

[GRAPHIC] [TIFF OMITTED] T3163.027

[GRAPHIC] [TIFF OMITTED] T3163.028

[GRAPHIC] [TIFF OMITTED] T3163.029

[GRAPHIC] [TIFF OMITTED] T3163.030

[GRAPHIC] [TIFF OMITTED] T3163.031

[GRAPHIC] [TIFF OMITTED] T3163.032

[GRAPHIC] [TIFF OMITTED] T3163.033

[GRAPHIC] [TIFF OMITTED] T3163.034

[GRAPHIC] [TIFF OMITTED] T3163.035

[GRAPHIC] [TIFF OMITTED] T3163.036

[GRAPHIC] [TIFF OMITTED] T3163.037

[GRAPHIC] [TIFF OMITTED] T3163.038

[GRAPHIC] [TIFF OMITTED] T3163.039

[GRAPHIC] [TIFF OMITTED] T3163.040

[GRAPHIC] [TIFF OMITTED] T3163.041

[GRAPHIC] [TIFF OMITTED] T3163.042

[GRAPHIC] [TIFF OMITTED] T3163.043

[GRAPHIC] [TIFF OMITTED] T3163.044

[GRAPHIC] [TIFF OMITTED] T3163.045

[GRAPHIC] [TIFF OMITTED] T3163.046

[GRAPHIC] [TIFF OMITTED] T3163.047

[GRAPHIC] [TIFF OMITTED] T3163.048

[GRAPHIC] [TIFF OMITTED] T3163.049

[GRAPHIC] [TIFF OMITTED] T3163.050

[GRAPHIC] [TIFF OMITTED] T3163.051

[GRAPHIC] [TIFF OMITTED] T3163.052

[GRAPHIC] [TIFF OMITTED] T3163.053

[GRAPHIC] [TIFF OMITTED] T3163.054

[GRAPHIC] [TIFF OMITTED] T3163.055

[GRAPHIC] [TIFF OMITTED] T3163.056

[GRAPHIC] [TIFF OMITTED] T3163.057

[GRAPHIC] [TIFF OMITTED] T3163.058

[GRAPHIC] [TIFF OMITTED] T3163.059

[GRAPHIC] [TIFF OMITTED] T3163.060

[GRAPHIC] [TIFF OMITTED] T3163.061

[GRAPHIC] [TIFF OMITTED] T3163.062

[GRAPHIC] [TIFF OMITTED] T3163.063

[GRAPHIC] [TIFF OMITTED] T3163.064

[GRAPHIC] [TIFF OMITTED] T3163.065

[GRAPHIC] [TIFF OMITTED] T3163.066

[GRAPHIC] [TIFF OMITTED] T3163.067

[GRAPHIC] [TIFF OMITTED] T3163.068

[GRAPHIC] [TIFF OMITTED] T3163.069

[GRAPHIC] [TIFF OMITTED] T3163.070

[GRAPHIC] [TIFF OMITTED] T3163.071

[GRAPHIC] [TIFF OMITTED] T3163.072

[GRAPHIC] [TIFF OMITTED] T3163.073

[GRAPHIC] [TIFF OMITTED] T3163.074

[GRAPHIC] [TIFF OMITTED] T3163.075

[GRAPHIC] [TIFF OMITTED] T3163.076

[GRAPHIC] [TIFF OMITTED] T3163.077

[GRAPHIC] [TIFF OMITTED] T3163.078

[GRAPHIC] [TIFF OMITTED] T3163.079

[GRAPHIC] [TIFF OMITTED] T3163.080

[GRAPHIC] [TIFF OMITTED] T3163.081

[GRAPHIC] [TIFF OMITTED] T3163.082

[GRAPHIC] [TIFF OMITTED] T3163.083

[GRAPHIC] [TIFF OMITTED] T3163.084

[GRAPHIC] [TIFF OMITTED] T3163.085

[GRAPHIC] [TIFF OMITTED] T3163.086

[GRAPHIC] [TIFF OMITTED] T3163.087

[GRAPHIC] [TIFF OMITTED] T3163.088

[GRAPHIC] [TIFF OMITTED] T3163.089

[GRAPHIC] [TIFF OMITTED] T3163.090

[GRAPHIC] [TIFF OMITTED] T3163.091

[GRAPHIC] [TIFF OMITTED] T3163.092

[GRAPHIC] [TIFF OMITTED] T3163.093

[GRAPHIC] [TIFF OMITTED] T3163.094

[GRAPHIC] [TIFF OMITTED] T3163.095

[GRAPHIC] [TIFF OMITTED] T3163.096

[GRAPHIC] [TIFF OMITTED] T3163.097

[GRAPHIC] [TIFF OMITTED] T3163.098

[GRAPHIC] [TIFF OMITTED] T3163.099

[GRAPHIC] [TIFF OMITTED] T3163.100

[GRAPHIC] [TIFF OMITTED] T3163.101

[GRAPHIC] [TIFF OMITTED] T3163.102

[GRAPHIC] [TIFF OMITTED] T3163.103

[GRAPHIC] [TIFF OMITTED] T3163.104

[GRAPHIC] [TIFF OMITTED] T3163.105

[GRAPHIC] [TIFF OMITTED] T3163.106

[GRAPHIC] [TIFF OMITTED] T3163.107

[GRAPHIC] [TIFF OMITTED] T3163.108

[GRAPHIC] [TIFF OMITTED] T3163.109

[GRAPHIC] [TIFF OMITTED] T3163.110

[GRAPHIC] [TIFF OMITTED] T3163.111

[GRAPHIC] [TIFF OMITTED] T3163.112

[GRAPHIC] [TIFF OMITTED] T3163.113

[GRAPHIC] [TIFF OMITTED] T3163.114

[GRAPHIC] [TIFF OMITTED] T3163.115

[GRAPHIC] [TIFF OMITTED] T3163.116

[GRAPHIC] [TIFF OMITTED] T3163.117

[GRAPHIC] [TIFF OMITTED] T3163.118

[GRAPHIC] [TIFF OMITTED] T3163.119

[GRAPHIC] [TIFF OMITTED] T3163.120

[GRAPHIC] [TIFF OMITTED] T3163.121

[GRAPHIC] [TIFF OMITTED] T3163.122

[GRAPHIC] [TIFF OMITTED] T3163.123

[GRAPHIC] [TIFF OMITTED] T3163.124

[GRAPHIC] [TIFF OMITTED] T3163.125

[GRAPHIC] [TIFF OMITTED] T3163.126

[GRAPHIC] [TIFF OMITTED] T3163.127

[GRAPHIC] [TIFF OMITTED] T3163.128

[GRAPHIC] [TIFF OMITTED] T3163.129

[GRAPHIC] [TIFF OMITTED] T3163.130

[GRAPHIC] [TIFF OMITTED] T3163.131

[GRAPHIC] [TIFF OMITTED] T3163.132

                                 
