b"<html>\n<title>SECURING CYBERSPACE: EFFORTS TO PROTECT NATIONAL INFORMATION INFRASTRUCTURES CONTINUE TO FACE CHALLENGES</title>\n<body><pre>[Senate Hearing 109-402]\n[From the U.S. Government Printing Office]\n\n\n\n                                                        S. Hrg. 109-402\n \n     SECURING CYBERSPACE: EFFORTS TO PROTECT NATIONAL INFORMATION \n              INFRASTRUCTURES CONTINUE TO FACE CHALLENGES\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT\n                     INFORMATION, AND INTERNATIONAL\n                         SECURITY SUBCOMMITTEE\n\n                                 of the\n\n                              COMMITTEE ON\n                         HOMELAND SECURITY AND\n                          GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 19, 2005\n\n                               __________\n\n\n       Printed for the use of the Committee on Homeland Security\n                        and Governmental Affairs\n\n\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n23-163                      WASHINGTON : 2006\n_____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n                   SUSAN M. COLLINS, Maine, Chairman\nTED STEVENS, Alaska                  JOSEPH I. LIEBERMAN, Connecticut\nGEORGE V. 
VOINOVICH, Ohio            CARL LEVIN, Michigan\nNORM COLEMAN, Minnesota              DANIEL K. AKAKA, Hawaii\nTOM COBURN, Oklahoma                 THOMAS R. CARPER, Delaware\nLINCOLN D. CHAFEE, Rhode Island      MARK DAYTON, Minnesota\nROBERT F. BENNETT, Utah              FRANK LAUTENBERG, New Jersey\nPETE V. DOMENICI, New Mexico         MARK PRYOR, Arkansas\nJOHN W. WARNER, Virginia\n\n           Michael D. Bopp, Staff Director and Chief Counsel\n   Joyce A. Rechtschaffen, Minority Staff Director and Chief Counsel\n                      Trina D. Tyrer, Chief Clerk\n\n\nFEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL \n                         SECURITY SUBCOMMITTEE\n\n                     TOM COBURN, Oklahoma, Chairman\nTED STEVENS, Alaska                  THOMAS CARPER, Delaware\nGEORGE V. VOINOVICH, Ohio            CARL LEVIN, Michigan\nLINCOLN D. CHAFEE, Rhode Island      DANIEL K. AKAKA, Hawaii\nROBERT F. BENNETT, Utah              MARK DAYTON, Minnesota\nPETE V. DOMENICI, New Mexico         FRANK LAUTENBERG, New Jersey\nJOHN W. WARNER, Virginia             MARK PRYOR, Arkansas\n\n                      Katy French, Staff Director\n                   Sean Davis, Legislative Assistant\n                 Sheila Murphy, Minority Staff Director\n            John Kilvington, Minority Deputy Staff Director\n                       Liz Scranton, Chief Clerk\n\n\n                            C O N T E N T S\n\n                                 ------                                \nOpening statements:\n    Senator Coburn\n    Senator Carper\n    Senator Akaka\n    Senator Collins (ex officio)
\n\n                               WITNESSES\n                         Tuesday, July 19, 2005\n\nDonald (Andy) Purdy, Jr., Acting Director, National Cyber \n  security Division, Information Analysis and Infrastructure \n  Protection Directorate, U.S. Department of Homeland Security\nDavid A. Powner, Director, Information Technology Management \n  Issues, U.S. Government Accountability Office\nPaul M. Skare, Product Manager, Siemens Power Transmission and \n  Distribution, Inc., Energy Management and Automation\nThomas M. Jarrett, Secretary and Chief Information Officer, \n  Department of Technology and Information, State of Delaware\n\n                     Alphabetical List of Witnesses\n\nJarrett, Thomas S.:\n    Testimony\n    Prepared statement with attachments\nPowner, David A.:\n    Testimony\n    Prepared statement\nPurdy, Donald (Andy) Jr.:\n    Testimony\n    Prepared statement\nSkare, Paul M.:\n    Testimony\n    Prepared statement with attachments\n\n                                APPENDIX\n\nQuestions and responses for the Record from:\n    Mr. Purdy\n    Mr. Powner\n    Mr. Skare\n    Mr. Jarrett
\n\n\n                    SECURING CYBERSPACE: EFFORTS TO\n                      PROTECT NATIONAL INFORMATION\n                      INFRASTRUCTURES CONTINUE TO\n                            FACE CHALLENGES\n\n                              ----------                              \n\n\n                         TUESDAY, JULY 19, 2005\n\n                                     U.S. Senate,  \n            Subcommittee on Federal Financial Management,  \n        Government Information, and International Security,\n                          of the Committee on Homeland Security and\n                                            Governmental Affairs,  \n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 2:05 p.m., in \nroom 562, Dirksen Senate Office Building, Hon. Tom Coburn, \nChairman of the Subcommittee, presiding.\n    Present: Senators Coburn, Carper, Akaka, and Collins (ex \nofficio).\n\n              OPENING STATEMENT OF CHAIRMAN COBURN\n\n    Senator Coburn. The Committee will come to order. This is \nthe first of probably many hearings on cyber security within \nthe Federal Government and I am going to have a very limited \nopening statement. Being from Oklahoma, we had some significant \nevents there while I was a Member of Congress that taught us \nall a huge lesson in terms of terrorism. But there are several \nsignificant points associated with cyber security in America.\n    First of all, the United States does not currently have a \nrobust ability to detect a coordinated cyber attack on our \ncritical infrastructure, nor does it have a measurable recovery \nand reconstitution plan for key mechanisms of the Internet and \ntelecommunications system.\n    Second, the Department of Homeland Security has not \ncompleted the National Infrastructure Protection Plan.\n    Third, cyber attacks on control systems can be targeted \nfrom remote locations around the globe. 
We know that.\n    Fourth, DHS is responsible for protecting the Nation's \ncritical infrastructures. However, 85 percent of all the \ncritical infrastructures are controlled by the private sector.\n    And then, finally, there is a lack of stable leadership at \nthe National Cyber Security Division, which has hurt its \nability to maintain trusted relationships with the private \nsector and has hindered its ability to adequately plan and \nexecute activities.\n    This is the first of the hearings that we intend to hold to \nlook at Internet and informational, as well as cyber security \nwithin this Subcommittee.\n    [The prepared statement of Senator Coburn follows:]\n\n                  PREPARED STATEMENT OF SENATOR COBURN\n\n    On the morning of April 19, 1995, Oklahoma learned firsthand the \nhorrific effects of terrorism in the homeland. The prevention of \nterrorism starts with a proactive plan with cogent, measurable goals \nand the development and empowerment of effective moral leaders to \naccomplish these goals.\n    In October 2003, Chairman Adam Putnam of the House Subcommittee on \nTechnology, Information Policy, Intergovernmental Relations and the \nCensus, held a hearing where he clearly identified the problem, saying, \n``The nation's health, wealth, and security rely on these systems, but, \nuntil recently, computer security for these systems has not been a \nmajor focus. As a result, these systems on which we rely so heavily are \nundeniably vulnerable to cyber attack or terrorism.'' Those \nvulnerabilities still exist today, only now they are less excusable. \nMore importantly, the government's plan to secure our critical \ninfrastructures from a cyber threat remains vague and formative despite \nclear legislative and executive mandates.\n    Since September 11, 2001, the focus of security in the United \nStates has been on physical terrorist attacks. 
In contrast, the \ngovernment's cyber security efforts have focused on the internet and \nnetworking and desktop functions we all use every day. Unfortunately, \noperational control systems, which are at the heart of our critical \ninfrastructures, do not work like conventional desktop business \ncomputer systems. The President has spoken to this in Homeland Security \nPresidential Directive #7 (HSPD-7) and the National Strategy to Secure \nCyberspace, which emphasize that our nation's critical infrastructures \nprovide services which are so vital that their incapacity or \ndestruction would have a debilitating impact on the defense or economic \nsecurity of the United States.\n    Congress has also spoken through The Homeland Security Act of 2002 \nwhich laid a clear mandate on cyber security at the Department of Homeland \nSecurity. The Act requires DHS to (1) assess our vulnerability to cyber \nattack (2) develop a plan to fix it and (3) implement that plan using \nmeasurable goals and milestones. In order to implement the plan the \nDepartment has the admittedly difficult task of engaging and securing \naction from diverse players, state and local governments, other federal \nagencies, especially key industry actors. Cyber vulnerability is \nprimarily in the private sector and the Department must find a way to \novercome the challenges there. The nature of terrorists is to attack \nprivate citizens as we recently saw in the horrific attack in the \nUnited Kingdom. There can be no excuse for not effectively engaging the \nprivate sector, even though it is hard. We ask no less of our food \nsafety, airline security and pharmaceutical industries.\n    Nobody wants to micromanage the private sector; however, America \nexpects DHS to take every reasonable measure to protect us from \nterrorism. 
I am not convinced that threshold has been met.\n    If America is to be safe from the damage of a cyber attack, we will \nneed a plan, a budget tied to that plan and Congressional commitment to \nthe implementation of the plan. In particular, I hope we can commit to \nthe following:\n\n    1.  The completion of the National Infrastructure Protection Plan, \nfully incorporating the cyber component with more than vague \ngeneralities;\n    2.  A way to measure milestones in the NIPP that will be assigned \nto a named department head;\n    3.  A budget line item associated with the milestones.\n\n    To that end, I look forward to hearing from our witnesses from GAO, \nDHS, the State of Delaware, and Siemens Power Transmission & \nDistribution, Inc.\n\n    Senator Coburn. At this time, I will yield for an opening \nstatement to the----\n    Senator Carper. Be careful what you say. [Laughter.]\n    Senator Coburn [continuing]. Ranking Member, and my friend, \nthe other ``TC'' on the Subcommittee, for his opening \nstatement. Senator Carper, thank you for being here.\n\n              OPENING STATEMENT OF SENATOR CARPER\n\n    Senator Carper. Thank you, Mr. Chairman. I am happy to be \nhere with you and Senator Collins and to welcome our first \npanel of witnesses and look forward to the next panel of \nwitnesses, which includes an old friend from--not an old \nfriend, but a good friend from Delaware, one of our leaders.\n    I would just reflect back. 
I think some 2 weeks ago now, we \nhad the devastating terrorist attacks on the London \ntransportation system and it reminded us once again--especially \nthose of us who live in the Northeastern corridor of the United \nStates--it reminded us once again that terrorists are \nincreasingly able to exploit our vulnerabilities and to cause \nan enormous amount of damage, destruction of property and \ntaking of human lives.\n    Since September 11, the majority of our Homeland Security \nefforts have been aimed to strengthen security of our Nation's \nphysical infrastructure. A good example of that is the aviation \nindustry. Some of us are hopeful it eventually will focus more \non rail and transit and subways, too.\n    Last week, the Homeland Security and Governmental Affairs \nCommittee held under Senator Collins's leadership--I think it \nmight have been in this room--held a hearing on protecting \nchemical facilities within the United States. The hearing \nhighlighted the necessary precautionary measures that should be \ntaken to protect a chemical facility from a terrorist attack.\n    The importance of cyber security is oftentimes overlooked \nin discussions involving homeland security. Cyber security, \nthough, plays an important role in the protection of our \ncritical infrastructures. Computers and networks provide an \nincreasing convenience and effectiveness for the everyday \noperation of critical infrastructures. In fact, on a critical \ninfrastructure such as a railroad, combined with a cyber attack \non the computer system of a major electric utility, it can have \nan enormous impact on the emergency response capabilities that \nare needed in times of disaster.\n    It is the Committee's job, this Committee, and I think \nspecifically this Subcommittee, it is our job to ensure that we \nare taking the steps that are needed to minimize the chance and \nto minimize the consequences of such an attack if it occurs.\n    Again, I mention, Mr. 
Chairman, we have one of my friends \nand colleagues from Delaware, Tom Jarrett, not a ``TC'' but a \n``TJ,'' who is our Chief of Information. He works in the \nGovernor's cabinet, heads up the Department in our State called \nthe Department of Information and Technology and I am just \ndelighted to hear from Tom and to see him again.\n    Accompanying Secretary Jarrett, I am told, is a woman named \nElayne Starkey, and I am looking out in the audience. I think \nshe is sitting right behind--there she is. Elayne, welcome. \nWhen you see Tom Jarrett's lips move, hear his voice speak \nlater on, you will see Elayne's lips move. When I was \nprivileged to be Governor, she just did great work, helping us \nreally to bring technology to bear in our law enforcement \nefforts and we will always be grateful for the great work that \nshe did.\n    We are going to hear from Secretary Jarrett today about a \nDepartment of Technology Information that is really all too \nfamiliar with the challenges that are facing cyber security. \nOne of Delaware's critical infrastructures is our State \ncomputer network. It is a large target of over, listen to this, \n3,000 cyber attacks per day, little Delaware. I can't imagine \nwhat happens in big States like yours, but over 3,000 cyber \nattacks per day. I am not sure why that is. Maybe it is because \nwe are the home of incorporation of over half-a-million \ncompanies, half the New York Stock Exchange, half the Fortune \n500. I am not sure what it is, but that is a lot of attacks.\n    Secretary Jarrett implemented a number of cyber security \ninitiatives to address the cyber risks associated with our \nState's computer network. Delaware's Department of Technology \nand Information aims to strengthen and provide proper cyber \nsecurity through partnerships with State agencies, multi-state \nforums, and a collaborative with Microsoft Corporation. 
\nSecretary Jarrett meets on a routine basis with all cyber \nsecurity stakeholders to share cyber threat and vulnerability \ninformation to better protect our State's network from cyber \nattacks. Delaware's cyber security initiatives are an excellent \nexample, we believe, of the processes and partnerships that are \nneeded to protect against cyber attacks.\n    In May 2005, at the request of Senator Lieberman, our \ncolleague, and several Representatives, including Chris Cox, \nRepresentative Davis, Representative Thornberry, Lofton, the \nGovernment Accountability Office released a report that was \ntitled, ``The Department of Homeland Security Faces Challenges \nin Fulfilling Cyber Security Responsibilities.'' That is a \npretty big title. The report criticized the Department of \nHomeland Security's efforts thus far in fulfilling its cyber \nsecurity responsibilities that are established for in law and \npolicy.\n    To fulfill the Department's cyber security \nresponsibilities, such as assessing national cyber threats and \nvulnerabilities, the Government Accountability Office \nrecommends that the Department of Homeland Security improve \norganizational stability and foster better partnerships with \nthe private security, much as we have done in Delaware.\n    As demonstrated by Delaware's Department of Technology \nInformation, partnerships provide education, the technical \nexpertise, and information sharing outlet that is needed to \neffectively secure cyber assets. Proper information sharing \nbetween the Federal Government and the private sector is \ninstrumental to protecting our Nation's critical infrastructure \nfrom cyber attack.\n    Last week in this room, Secretary Chertoff laid out a \nreorganization plan of the Department that includes a new \nAssistant Secretary for Cyber Security and Telecommunications \nto strengthen information technology management and cyber \nsecurity responsibilities within the Department of Homeland \nSecurity. 
As that Department sets forth in strengthening \nnational cyber security initiatives and efforts, I ask that the \nDepartment build cyber security partnerships within the private \nsector and provide a road map of priorities and milestones of \ncyber security responsibilities and initiatives, much as we \nhave done in our State and perhaps in your States, as well.\n    I really do look forward to this hearing and the testimony \nfrom all of our witnesses concerning the challenges that we \nface along these lines and the Federal Government's role, our \nrole, in protecting our Nation's critical infrastructures from \na cyber attack. I hope that the discussion that occurs here \ntoday and following this hearing will lead us to real solutions \nto the challenges that we face within the Federal Government \nwith respect to cyber security.\n    Mr. Chairman, I thank you, and to our witnesses, welcome. \nWe look forward to hearing from you. Thanks.\n    Senator Coburn. Senator Akaka, I understand that you have a \nhearing that you need to chair at 2:25. The Chairman has \ngraciously allowed you to go ahead of her, if you would care to \nmake your opening statement.\n\n               OPENING STATEMENT OF SENATOR AKAKA\n\n    Senator Akaka. Thank you very much, Chairman Coburn. Thank \nyou for permitting me to do it now, and thank you, Chairman \nCollins, for letting me do this.\n    Chairman Coburn, I want to compliment you on holding \ntoday's hearing on cyberspace. I know we both are also \ninterested in agroterrorism, so these are up and coming issues, \nand I thank you so much for giving me this time.\n    Computers and computer networks reside at the heart of the \nsystems upon which the American people rely on a daily \nbasis. As our witnesses know, many of these systems are far too \nvulnerable to cyber attack, which would inhibit their function, \ncorrupt important data, and expose private information.\n    The Internet is the backbone of the U.S. 
economy and our \nNation's critical infrastructures. It is the electronic roadway \nof commerce, industry, and defense. Databases stored on \ncomputer networks, in particular, have been an attractive \ntarget for criminal hackers who have breached the networks of \nseveral well-known companies and have stolen the personal data \nof millions of Americans. A successful attack on the computer \nsystems that support our critical infrastructures would \nthreaten our national security, public health, and, of course, \nour way of life.\n    The former head of the National Infrastructure Protection \nCenter, Ron Dick, once said, ``The thing that keeps me awake at \nnight is the thought of a physical attack on the U.S. \ninfrastructure combined with a cyber attack which disrupts the \nability of the first responders to access 911 systems.'' This \nis not an exaggerated fear, as our own military realizes the \npower of cyber warfare in destroying an enemy's command and \ncontrol.\n    The Department of Homeland Security is responsible for \nprotecting the key resources and critical infrastructures in \nthe United States. In carrying out this role, DHS has a number \nof responsibilities established by law and Presidential \ndirective. We are here today to discuss these DHS issues and \nhow DHS is fulfilling those responsibilities and the specific \nchallenges that the Department faces as it moves forward.\n    One area that is of particular concern to me is the failure \nby DHS to complete a comprehensive cyber threat and \nvulnerability assessment. This threat assessment should be the \nfoundation for the Department's risk-based approach to mission \nand priorities. A comprehensive threat assessment is needed in \norder to be certain that we are adequately protected and to \nensure that precious Federal dollars are well spent.\n    I want to thank you, Mr. Chairman, for having this hearing \ntoday and thank you for the time and wish you well. 
We look \nforward to our witnesses' testimony. Thank you.\n    Senator Coburn. Thank you, Senator Akaka.\n    Now, I am pleased to recognize the Chairman of the full \nCommittee, Susan Collins from Maine. Thank you, Senator.\n\n             OPENING STATEMENT OF CHAIRMAN COLLINS\n\n    Chairman Collins. Thank you very much. Let me begin by \nthanking you, Mr. Chairman, for convening this hearing today \nand shining a spotlight on a critical infrastructure issue.\n    And your timing could not be better. Just last week, \nSecretary Chertoff testified before the full Committee \nregarding his Second Stage Review recommendations for the \nDepartment of Homeland Security. As Senator Carper has \nmentioned, Secretary Chertoff proposes to create a new \nAssistant Secretary for Cyber Security and Telecommunications, \na position that has long been needed.\n    Clearly, Secretary Chertoff has acknowledged that cyber \nsecurity is an issue worthy of much more attention and \nresources from within the Department. This hearing will provide \nan opportunity to explore some of the challenges that the new \nAssistant Secretary will face.\n    Computers and information systems are key components that \nsupport the operations of critical infrastructure in our \ncountry, whether it is chemical facilities or oil refineries, \ndams, power systems, telecommunications, or mass transit \nsystems. Increasing computer interconnectivity has improved the \nquality of daily life for Americans, but unfortunately, this \ninterconnectivity has also created a weakness that can be \nexploited by our enemies in this post-September 11 world.\n    I am pleased that the Department is placing more emphasis \non this vital component of our Nation's critical infrastructure \nsectors and I look forward to working with you, Mr. Chairman, \nas well as the Department to strengthen our protections and \ndefenses in this area.\n    Senator Coburn. 
Thank you, Madam Chairman.\n    Our first panel consists of two witnesses, Andy Purdy, \nActing Director, National Cyber Security Division of the \nDepartment of Homeland Security, and David Powner, Director of \nIT Management at GAO.\n    Mr. Purdy, your complete statement will be made a part of \nthe record. If you would limit your comments to 5 minutes, I \nwould appreciate it. Thank you.\n\n  TESTIMONY OF DONALD (ANDY) PURDY, JR.,\\1\\ ACTING DIRECTOR, \n  NATIONAL CYBER SECURITY DIVISION, INFORMATION ANALYSIS AND \n   INFRASTRUCTURE PROTECTION DIRECTORATE, U.S. DEPARTMENT OF \n                       HOMELAND SECURITY\n\n    Mr. Purdy. Thank you. Good afternoon, Chairman Coburn and \nMadam Chairman Collins. My name is Andy Purdy. I am the Acting \nDirector of the National Cyber Security Division (NCSD) within \nthe Department of Homeland Security. I am delighted to appear \nbefore you today on behalf of my colleagues to share with you \nthe work of NCSD and those with whom we are partnering.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Purdy appears in the Appendix on \npage 35.\n---------------------------------------------------------------------------\n    In today's world, we recognize that attacks against us may \nmanifest in many forms, including physical and cyber. We \nrecognize the potential impact of collateral damage from any \none attack to a variety of assets. As such, our Directorate \ntakes a holistic view of critical infrastructure \nvulnerabilities and works to protect America from all threats \nby ensuring the integration of physical and cyber approaches.\n    NCSD was created in June 2003 to serve as a national focal \npoint for cyber security and to coordinate the implementation \nof the national strategy to secure cyberspace. 
Our mission is \nto work collaboratively with public, private, and international \nentities to secure cyberspace and America's cyber assets.\n    To meet that mission, we have developed a set of goals with \nspecific objectives for each goal and milestones, and we have \nidentified two overarching priorities. One, to build a national \ncyberspace response system. Two, to implement a cyber risk \nmanagement program for critical infrastructure protection. \nFocusing on these two priorities establishes the framework for \nsecuring cyberspace today and a foundation for addressing cyber \nsecurity for the future.\n    A core component of our effort to establish a national \ncyberspace response system is the US-CERT Operations Center, a \npartnership between DHS and the public and private sectors. US-\nCERT provides a national coordination center that links public \nand private response capabilities to facilitate information \nsharing across all infrastructure sectors and to help protect \nand maintain the continuity of our Nation's cyber \ninfrastructure.\n    To assist Federal agencies in protecting their cyber \ninfrastructure, we have established the Government Forum of \nIncident Response and Security Teams to facilitate interagency \ninformation sharing and cooperation across Federal agencies for \nreadiness and response efforts.\n    A key component of our response system is the Cyber Annex, \nwhich we created as part of the recently issued National \nResponse Plan, that provides a framework for responding to \ncyber incidents. 
To provide a Federal approach to coordinated \ncyber incident response, we worked with the Departments of \nDefense and the Departments of Justice to form the National \nCyber Response Coordination Group, later formalized by the \nCyber Annex as the principal Federal interagency mechanism to \ncoordinate preparation for and response to cyber incidents of \nnational significance.\n    Under our second priority, we are engaged in a risk \nmanagement program to assess threats and reduce the risk to our \ncritical infrastructure. For the cyber component of the \nNational Infrastructure Protection Plan, DHS is the sector \nspecific agency, with our Division as the lead for the \ninformation technology sector, and we are working with the IT \nISAC and the newly formed Information Technology Sector \nCoordinating Council to identify critical assets, assess \nvulnerabilities, and determine protective measures.\n    In addition, we are attempting to ensure that cyber is \ncomprehensive throughout this national plan by providing \nguidance to the other critical infrastructure sectors in \nanalyzing, identifying, and assessing and protecting their \ncyber assets and the cyber component of their physical assets. \nWithin this framework, we are pursuing other priority \nvulnerability reduction efforts: The Internet Disruption Working \nGroup, our Control Systems Security Program, and our Software \nAssurance Program.\n    We believe the recent GAO report on critical infrastructure \nhas provided a fair assessment of the progress to date and we \nagree that while considerable work has been done, much work \nremains to meet the challenges in this rapidly changing area. 
\nWith the proposed appointment of a new Assistant Secretary for \nCyber and Telecommunications Security, we are confident that we \nwill accelerate our cyber security efforts.\n    Secretary Chertoff's recent release of the findings from \nhis second stage review of the entire Department illustrates \nDHS's commitment to addressing leadership and organizational \nconcerns that also have been raised by GAO. We are committed to \nachieving success in meeting our goals and objectives, but we \ncannot do it alone. We will continue to meet with industry \nrepresentatives, our government counterparts at the State and \nFederal level, and academia to formulate the partnerships and \nleverage the efforts of all, including the private sector, so \nthat we as a Nation are more secure in cyberspace.\n    Again, thank you for the opportunity to testify before you \ntoday and I would be glad to answer any of your questions.\n    Senator Coburn. Thank you very much, Mr. Purdy. Mr. Powner.\n\n    TESTIMONY OF DAVID A. POWNER,\\1\\ DIRECTOR, INFORMATION \n TECHNOLOGY MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY \n                             OFFICE\n\n    Mr. Powner. Dr. Coburn, Chairman Collins, and Ranking \nMember Carper, we appreciate the opportunity to testify on the \nDepartment of Homeland Security's efforts associated with \nsecuring our Nation's infrastructures from cyber security \nthreats.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Powner appears in the Appendix on \npage 46.\n---------------------------------------------------------------------------\n    Recent attacks and threats have underscored the need to \neffectively manage and bolster the cyber security of our \nNation's critical infrastructures. For example, criminal \ngroups, foreign intelligence services, and terrorists are \nthreats to our Nation's computers and networks. 
Regarding \nrecent attacks in March of this year, hackers gained access to \nthe electric industry's control systems.\n    To address these threats, Federal law and policy calls for \ncritical infrastructure protection activities and establishes \nDHS as our Nation's focal point. It also designates other \nagencies to coordinate with key sectors, including energy, \nbanking and finance, transportation, and telecommunications.\n    This afternoon, I will summarize four points, as requested. \nFirst, DHS has many responsibilities called for in law and \npolicy. Second, although progress has been made in each area, \nmuch work remains ahead. Third, DHS faces many challenges in \nfulfilling these responsibilities. And fourth, several \nrecommendations remain outstanding that, if effectively \nprioritized and addressed, could greatly improve our Nation's \ncyber security posture.\n    Expanding on each of these, first, we recently reported \nthat based on Federal law and policy, DHS's 13 key cyber \nsecurity responsibilities that include developing a national \nplan, enhancing public and private information sharing of cyber \nthreats, vulnerabilities, and attacks, conducting a National \nThreat Assessment, facilitating vulnerability assessments, and \ncoordinating incident response and recovery efforts if, in \nfact, an attack occurs. Although DHS has initiated efforts that \nbegin to address each of these 13 responsibilities, the extent \nof progress varies and more work remains on each.\n    For example, its Computer Emergency Response Team, referred \nto as the US-CERT, issues warnings on vulnerabilities and \ncoordinates responses to cyber attacks. 
However, our Nation \nstill lacks a National Threat Assessment, sector vulnerability \nassessments, a mature analysis and warning capability, and key \nrecovery plans, including plans for recovering the Internet.\n    DHS faces many challenges in building its credibility as a \nstable, authoritative, and capable organization that can \nfulfill its cyber critical infrastructure responsibilities. \nThese include achieving organizational stability and authority. \nOver the past year, multiple DHS cyber security executives have \nleft the Department. Establishing the Assistant Secretary for \nCyber may help. However, leveraging this new authority and \nrecruiting top talent to fill it remains a challenge.\n    Another challenge is establishing effective partnerships \nand information sharing arrangements with other government \nentities and the private sector. During our most recent review, \nrepresentatives from the banking and finance sector told us \nthat the level of trust is not sufficient to have productive \ninformation sharing.\n    In addition, DHS needs to demonstrate value, meaning that \nit needs to provide useful and timely information on such items \nas threats and analytical products to key stakeholders.\n    Over the last several years, we have made a series of \nrecommendations to enhance the cyber security of critical \ninfrastructure that demand immediate attention, including \nconducting important threat and vulnerability assessments, \ndeveloping a strategic analysis and warning capability to \nidentify potential attacks, developing a strategy to protect \ninfrastructure control systems, and developing recovery plans \nto respond to attacks. We also recommended that DHS prioritize \nits critical activities and closely monitor progress with \nappropriate performance measures.\n    In summary, Mr. 
Chairman, DHS has made progress in \nplanning, in coordinating efforts to enhance cyber security, \nbut much more needs to be done, including conducting threat and \nvulnerability assessments, bolstering our cyber analytical \ncapabilities, aggressively pursuing threat and vulnerability \nreduction efforts, and developing recovery plans.\n    Our testimony today lays out a comprehensive road map for \nwhat remains to be accomplished in each area. Until DHS \naddresses its many challenges and more fully completes critical \nactivities, it cannot function as the cyber security focal \npoint intended in Federal law and policy, resulting in \nincreased risk that large portions of our national \ninfrastructure are unprepared to effectively manage cyber \nsecurity attacks.\n    This concludes my statement. I would be pleased to respond \nto any questions you have at this time.\n    Senator Coburn. Thank you, Mr. Powner.\n    I have numerous questions. I will not ask them all at the \nhearing, but I would like for each of you to agree to answer in \nwritten form the questions that we will submit for the record \nand do that on a fairly timely basis, if you would not mind. \nThat will spare you some time.\n    Mr. Purdy, when is it anticipated that the National \nInfrastructure Protection Plan will be completed?\n    Mr. Purdy. Well, Acting Under Secretary Robert Stefan has \ntold the Hill that he expects to have a version of the plan in \npretty good order by the end of the summer, so we don't have a \nprecise date on that.\n    Senator Coburn. Will the reorganization, the stage two \nreview, move that later?\n    Mr. Purdy. Oh, I don't expect so. No, sir.\n    Senator Coburn. If you don't care to comment on this, it is \nfine, but will this protection plan be beefed up with \nmilestones that are linked to the budget line items and the \ndepartment heads that are carrying that out?\n    Mr. Purdy. 
I am not sure that the plan that is in existence \nat the end of the summer will have that, but that is \nanticipated to be part of the plan as it rolls forward, \nincluding the specific sector plans that have to be developed \nin partnership between the government and the private sector, \nyes.\n    Senator Coburn. It seems that some industry sectors are \nmore mature with regards to securing their cyber assets than \nothers. I think that is a true statement. That is probably true \nthroughout the residential cyber areas, as well. It seems that \nthe title of the new Assistant Secretary for Cyber Security and \nTelecommunications would indicate that some critical \ninfrastructures have more security needs than others, like the \nelectric, chemical, telecommunication industries. Which sectors \nare more technologically mature and could be used as examples \nfor sectors that are less mature when building guidance with \nwhich to self-regulate?\n    Mr. Purdy. Well, until we do a complete assessment by \nsector, it is difficult to give a quantitative approach to \nthat. I certainly believe that the telecommunications and \nfinance sectors are among the most robust.\n    Senator Coburn. We did have the penetration of some of the \npower companies' data. It kind of scares you when ``24'' is \ndoing this ahead of the cyber crooks. As this NIPP plan comes \nup, one of the questions I think a lot of people are wondering, \nwhy is it taking so long to do that? Why is it taking so long \nto have a National Infrastructure Protection Plan?\n    Mr. Purdy. Well, I think it is a very difficult task. But \non some of the specific items you mentioned, we have \naccelerated the prioritization of three major areas that we \nbelieve, although part of the National Infrastructure \nProtection Plan framework, deserve accelerated efforts. 
Those \nare our Internet Disruption Working Group that we co-chair with \nNational Communication Systems, and Department of Treasury and \nothers are members of that. So that is a high-priority effort, \nto identify the assets, the interdependencies, the protective \nmeasures, the response and the recovery, building on the ESF-\nII, which as you know has evolved from telecommunications to \ncommunications generally. So that piece of it is fairly robust \nand that group will work to accelerate that and respond to some \nof the specific areas in the GAO report.\n    In addition, our control systems effort is a very robust \neffort that we brought over from our Protective Security \nDivision in May 2004. We had the strategic plan. We had our \ngoals. We have a tremendous partnership with the Department of \nEnergy, with the Idaho National Lab and other labs.\n    And finally, our Software Assurance Program is also very \nrobust, building on a key partnership with the Department of \nDefense, co-founding the National Infrastructure--the NIAP \nreview in terms of the acquisition piece.\n    So we think those three priority efforts are not being held \nup by any time frame of the National Infrastructure Protection \nPlan and we believe those are the priorities, and so they are \nvery important to us.\n    Senator Coburn. So your testimony is, sometime after the \nfirst of the year, we ought to have this plan intact, the NIPP \nplan?\n    Mr. Purdy. Actually, if I said that, I didn't mean to say \nthat.\n    Senator Coburn. You said, by the end of this summer, we are \ngoing to have the structure of it, is that right?\n    Mr. Purdy. We are going to have a plan that is in pretty \ngood shape. It is not going to be the final draft of it, yes.\n    Senator Coburn. But sometime after the first of the year, \nwe should be able to expect that moving forward? 
I know you are \nimplementing sections of that even before you have the NIPP \nplan, but for cyber security, where are we within that?\n    Mr. Purdy. Well, cyber security, we are moving forward in \nthe work with the emerging Sector Coordinating Council, as you \nknow, the private sector group, and the Government Coordinating \nCouncil. In fact, I think the organizations of one of your \nwitnesses, NASCIO is a member of the Government Coordinating \nCouncil of the IT sector. And so we are working to build the \nframework for the sector-specific plan and the cyber guidance \nthat will go to all the critical infrastructures. So that is \nmoving ahead, and I certainly expect that the cyber piece will \nbe ready well before the first of the year.\n    Senator Coburn. Now, you have an Internet Disruption \nWorking Group.\n    Mr. Purdy. Yes.\n    Senator Coburn. Would you mind providing the Subcommittee a \nlist of the achievements of that group, where you started and \nwhere you are now? One of the things that Mr. Powner said that \nreally bothers me is that some of the limitation is because \nthere is a lack of a level of trust. Those were his words just \na moment ago. Do you perceive that is real? Is it founded on \nreal actions? In other words, do they perceive a threatened \nloss of some technologic advance or proprietary information by \nworking with you as we try to do this?\n    Mr. Purdy. Well, I think we are moving ahead very \nsuccessfully in trying to facilitate information sharing with \nthe private sector. As you may know, our secure portal, our US-\nCERT portal that involves approximately 200,000 government and \nprivate sector folks, we are working to integrate into the \nHomeland Security Information Network. 
In addition, we are very \nexcited by our partnership with the IT ISAC and the eight other \nISACs that supply them cyber information so that we can \nincorporate that flow among those nine ISACs with the \ngovernment into the HSIN structure.\n    In addition, the private sector is standing up an \ninformation sharing group and we will be sending some members \nto it to try to facilitate the exchange of value and \nincorporation of private sector input into the articulation of \na threat. So the information can be shared among groups and \nmove out in a way that efficiently gets to folks in a timely \nfashion. So we think that is very substantial progress.\n    In addition, we are reaching out to the private sector to \nconvene some meetings that will be in the early fall to bring \nin the incident response teams from major private sector \nentities from across the country to engage in training and \nmoving forward to really target the information sharing, \nbuilding on the existing information sharing of US-CERT and the \nefforts in information sharing from the ISACs that I just \nmentioned.\n    Senator Coburn. Are those web portals that you mentioned \n100 percent secure?\n    Mr. Purdy. Well, we believe they are secure. I am not sure \nthat there is a standard in current technology to say that \nsomething is 100 percent secure.\n    Senator Carper. I want to back up if we could just a little \nbit and take a somewhat different approach. I don't care who \nleads off, but talk to us about the nature of the threat that \nwe face. Talk to us about where the threat is coming from. Talk \nwith us about whether the threat is rising, and if so, in what \nrespect.\n    And you have touched on this a little bit, Mr. Purdy, but I \nmentioned in my remarks about our folks that were here from \nDelaware who will testify shortly, how we partner with the \nprivate sector, and I just want to hear your thoughts about \nthose kinds of partnerships.\n    Mr. Purdy. 
The cyber assessment of threat was completed in \nthe form of the National Intelligence Estimate for Cyber that \nwe partnered with the intelligence and the law enforcement \ncommunity on. Subsequent to that--and there are classified and \nunclassified versions of the NIE for cyber--subsequent to that, \nwe have worked through our Information Analysis Division to \nprovide intelligence collection requirements to the \nintelligence community for cyber, and those include information \nthat would provide indicators of attacks against critical \ninfrastructure, including control systems.\n    Senator Carper. What kind of control systems are we talking \nabout?\n    Mr. Purdy. Across the critical infrastructure.\n    Senator Carper. Just give me some examples.\n    Mr. Purdy. Well, we have them in power, in chemical, in \nwater. There are some in telecommunications. There are some in \nthe finance industry. Most of the critical infrastructure \nsectors, pipelines, have control systems, and that is why it is \none of the major priorities in our effort and in our funding.\n    Senator Carper. Is it fair to say that those different \ncritical infrastructures are under attack on a daily basis, \nweekly basis, monthly basis, or some never under attack?\n    And if so, where are the attacks coming from? What is the \nsource of those attacks?\n    Mr. Purdy. The National Intelligence Estimate for Cyber \nidentified some particular Nation States that are the source of \nparticular kinds of attacks. There are attacks that are rampant \nthroughout cyberspace. Within minutes, as you probably know, \nwhen you hook up a new computer, you can see different levels \nof attack. 
Obviously, we are more focused, particularly focused \non attacks against major critical infrastructure, attacks, \nwhether successful or otherwise, targeted against control \nsystems, for example, and that is a major effort for us.\n    Working with the Process Control System Forum, hundreds of \nprivate sector owners and operators that we are partnering with \nDOE to try to make sure we build access to the information \nand provide protective guidance, such as we issued last week, \nControl Systems Information Bulletin for guidance to the \ncontrol systems owners and operators to help raise the bar in \nterms of those efforts.\n    A lot of the activity, the malicious activity in cyberspace \nright now, as you know, is targeted toward financial gain. The \nuse and exploitation of vulnerabilities, the use of trojans and \nworms, there was an ABC news report last night on the use of \nkeystroke loggers, the malicious code put on people's computers \nthat log the personal identifying information, much of which is \nrelated to phishing and spam and identity theft. It is a major \nproblem to our e-commerce in general, our financial community \nin particular, even though I think they are one of the most \nrobust sectors in terms of financial security.\n    And so we are working with Treasury. 
We met with the FBIC, \nthat is the governmental group, 2 weeks ago to try to \naccelerate the information sharing in the financial sector, and \nwe are also monitoring the black market in those malicious \ntools, because there is a black market in those tools.\n    We are concerned and trying to help raise the bar because \nof the potential ability to use those vulnerabilities, to use \nthose exploits to launch targeted, sophisticated attacks \nagainst our critical infrastructure, and that is why one of the \npriorities that I reference in my written testimony is trying \nto engage more effectively with the private sector on the \npriority areas that we need to focus on, and the one that we \nare suggesting to them is the identification of the major cyber \nattack scenarios, the serious cyber attack scenarios that we \nneed to identify so we can mitigate, prevent, we can have our \nresponses, in some cases automate it, and we can have the \nreconstitution in place to bring the systems back up and \nrunning.\n    Senator Carper. Give us an example, if you will, of what \nyou called a serious attack scenario.\n    Mr. Purdy. Well, we would consider an effort that appears \nto be attempting to access the control mechanism of a control \nsystem, say in a waste treatment plant. We would consider that \na serious attack because of the ability to change either the \nmanipulation of the activity that it is manipulating and/or the \nmonitoring that could be used to hide if there was a change or \na problem. It might affect the sensors' ability to check that \nout.\n    More serious situations that you see referenced in last \nFriday's alert about e-mail trojans that we put out is the \nexfiltration of data. We are very concerned about--which is \nbasically stealing data from government and the private sector. \nWe believe that is a very significant issue that we are \naddressing.\n    You asked a question in terms of some of the activities \nwith the private sector. 
We are working closely, as I said, \nwith the Process Control Systems Forum. We have had discussions \nwith Siemens, one of the companies that will be testifying \nlater, on some activities in the control systems area and \ntrying to use some of the test beds where we can test the real \nworld activities and capabilities that folks are using and test \nthem in terms of their vulnerability to cyber attack and what \nkind of measures can be used to help protect them.\n    So that kind of real world activity--and frankly, some of \nthe activities are not very visible. One of the key things \nabout being a focal point for cyber security is we get \nclassified information, we get law enforcement sensitive \ninformation, we get information from the CERT community and \nfrom others, and what we try to do is provide real protective \nmeasures.\n    So, for example, there was an attack not too long ago \nagainst a private provider that affected a Federal Government \ncustomer, and so what we did, when we understood the----\n    Senator Carper. Say that again. There was an attack from--\n--\n    Mr. Purdy. There was an attack against a private sector \nprovider and there was a government account on that system, so \nwe took that information and identified, working with the \ncompany, working with law enforcement, identified what we \nthought was the zone of danger in that situation in terms of \nthe other Federal entities that had access to the same servers \nin separate accounts. So we had a conference call with about 15 \nFederal agencies that had not been attacked yet, but to make \nsure they knew and had specific information they needed so that \nthey could act on it.\n    Then we issued what is called a Federal Information Notice. \nThat goes to 1,400 Federal agencies. A little less sensitive \ninformation, but still, evidence that nonetheless could be used \nby folks to protect themselves. 
And finally, a general alert \nthat goes more broadly so that folks could know what to do to \nsecure their systems.\n    But we don't publicize those kinds of activities. Now, when \nthere is, for example, an attack against a major State that we \nhad to fly a team in to help, we don't publicize that \ninformation. We work with law enforcement, the intelligence \ncommunity to try to bring value, and I share the point from my \ncolleague from GAO that we want to provide value, and as part \nof this information effort, trying to figure out how to get the \nvalue to the private sector and our government partners and our \nState partners in a way that really is important is something \nthat is very important to us and it builds that trust that you \nneed for people to share, that if you don't go to the press and \nif you don't publicize these things and you provide real value, \nthat kind of synergy is going to help us all.\n    Senator Carper. Thanks very much.\n    Senator Coburn. Just a couple other questions. Part of your \nstatement was a major priority funding on control systems. Can \nyou elaborate on that for me?\n    Mr. Purdy. Yes. Our budget for fiscal year 2005 is in the \nhigh $70s of millions. The control systems funding is $11 \nmillion in 2005. The President's budget, which calls for \napproximately $88 million for us in 2006, includes between $15 \nand $16 million for control systems. So it is a major effort \nfor us.\n    Senator Coburn. One other question. Did your Department \nsend a representative to the DOE road mapping exercise?\n    Mr. Purdy. I don't know offhand.\n    Senator Coburn. You have got some staff shaking their heads \nyes. Did DOE send a representative to DHS's framework meeting \nin Salt Lake City today? I get ``yes,'' too. All right. Thank \nyou.\n    One of the things that----\n    Senator Carper. Mr. Chairman, how do we know that just \nwasn't members of the audience shaking their heads? [Laughter.]\n    Mr. Purdy. Yes. 
I am told that the answer to those \nquestions was yes. I do know that NASCIO, for example, has \nparticipated in some of our meetings, building for our national \ncyber exercise, Cyber Storm, in November, and that kind of \noutreach is obviously fundamental to the success of these \nefforts.\n    Senator Coburn. One other question for you and then a \ncouple more for Mr. Powner. GAO has pointed out that DHS's \nefforts to promote a trusted two-way communication information \nsharing have been found lacking by the private sector and some \nother Federal agencies. In fact, your testimony reflects that \nthe National Cyber Security Division's second priority is cyber \nrisk management, or assessing the threat and reducing the risk. \nHowever, you state, with regard to assessing the risk, NCSD \ncollaborates with law enforcement intelligence communities in a \nnumber of ways.\n    My concern is, is your role law enforcement or is it cyber \nsecurity and prevention, and with a prevention plan? Which is \nit? Which hat do you all wear?\n    Mr. Purdy. 
We are about the business of critical \ninfrastructure protection, and what we have found in our \ndiscussions with the major executive agencies, law enforcement \nagencies, is when there is law enforcement information about an \nattack, for example, against the control systems, my \ndiscussions, for example, with the Assistant Director of the \nFBI for Cyber was, if you get information in the field about \nsomething which is obviously a crime, when there is a \nsuccessful penetration of a control system or even a targeted \nattack against a control system, we would appreciate it very \nmuch if we would get that information so that we can work the \ncritical infrastructure protection so we can understand what is \ninvolved, what is the vulnerability being exploited, so we can \nshare the information, not referring to it in its law \nenforcement sensitive way, but we can give guidance out.\n    In addition, we have had situations where law enforcement \nfinds out that there is an attack. We get information about, \nfor example, the source IP addresses of the apparent source of \nthe attack. We work with the intelligence community to have \nthem work the international piece to see if they can trace it \nback to see what is involved. So it really is critical \ninfrastructure protection, but we have to share that \ninformation with law enforcement intelligence and the CERTs to \nmake sure we can all do our jobs better.\n    Senator Coburn. But do you then share that with the private \nsector so that they can enable themselves?\n    Mr. Purdy. And that is what I am saying that we do in terms \nof the information bulletins and the alerts that we send out. 
\nAnd as we build our portal into the Homeland Security \nInformation Network, we are going to be able to improve our \nreal-time information sharing, and the best example of that is \nbringing those nine ISACs in that our information will go into \nthat mix and theirs, as well, and we will share that much more \nquickly.\n    Senator Coburn. Mr. Powner, just share with us your view of \nhow serious the threat is to us in terms of our cyber security.\n    Mr. Powner. Well, years ago, if you looked at the situation \nhere, we were more focused on hackers who were attempting to \nbreak into systems for the sheer challenge or for bragging \nrights. I agree with Mr. Purdy's analysis. We have organized \ncrime groups that are focused on monetary gains from using \ncyber tools. We have foreign intelligence services that are \nusing cyber tools for espionage activities. I think the real \nquestion out there is where are the terrorist cells in terms of \ntheir cyber capabilities. If these folks have the capabilities \nthat we are aware of right now, where are the terrorists?\n    I think Senator Akaka put it nicely when he mentioned some \nof the FBI's concerns, which date back many years, looking at \nwhat is referred to as swarming attacks, combined attacks where \nit is not just a cyber attack, but if you have a physical \nattack where you disrupt the response capabilities via some of \nthe cyber tools, you could then have a very serious situation \nat hand. So it is real and that threat is growing.\n    Senator Coburn. Your report was fairly critical of the \nefforts that are ongoing, and DHS in the response letter to you \nall states that it has a strategic plan with milestones and \nperformance measures. Where are they insufficient and why are \nthey insufficient?\n    Mr. Powner. There is a strategic plan. There is the \nNational Infrastructure Protection Plan. Some of those plans \nlack milestones. Some of those plans lack key activities. 
We \nmade recommendations in areas where we saw some weaknesses in \ntheir plans. You look at the National Cyber Threat Assessment, \nvulnerability assessments by sector, and also response plans, \nnot only response plans for the individual sectors, but also \nwhen you start looking at combined plans where we have multiple \nsectors that play in a certain arena.\n    Probably the best example is if you look at the Internet. \nIf we had a major disruption in the Internet today, the \nquestion is, who is in charge of leading that effort to \nreconstitute the Internet?\n    Senator Coburn. Who is?\n    Mr. Purdy. Multiple players, I think, is the answer today. \nNCSD would play a role. The National Communication System----\n    Senator Coburn. Let me ask Mr. Purdy that. Who is \nresponsible for putting it back together?\n    Mr. Purdy. Well, the Secretary of DHS is the incident \nmanager for all incidents in the country. The National Cyber \nResponse Coordination Group that we co-chair helps provide \ninput to the Secretary and provides input to the Interagency \nIncident Management Group. With NCS, National Communication \nSystem, as part of that effort, we would coordinate the efforts \nacross the Federal Government for reconstitution in partnership \nwith the private sector.\n    Senator Coburn. Two last questions for Mr. Powner. DHS is \ngoing to move from $11 to $18 million, I believe that was Mr. \nPurdy's testimony, in 2006, on cyber security.\n    Mr. Purdy. Eleven to between $15 and $16 million.\n    Senator Coburn. Eleven to $15 and $16 million out of $70 to \n$88 million. Is there a problem with priority or is there a \nproblem with funding, in your assessment, as you look at what \nis going on?\n    Mr. Powner. Clearly, there is an issue with priority and \nthere is also an issue with delivery on the budget that is \ncurrently allocated. 
As we pointed out in several areas in our \nreport, there is a situation here where we need to take \nadditional steps--there have been steps in each of the areas \nthat we looked at but there needs to be further steps.\n    One good example is the National Threat Assessment. In \nworking with the other intelligence organizations, if you look \nat the FBI Cyber Crime Division and other organizations across \nthe Federal Government, there is a lot of information out there \nthat exists today on the situation associated with the national \nthreat. If we put out, as one example, a National Threat \nAssessment that the Department agreed to update annually and to \nprovide information on an as-needed basis throughout the area, \nI think that would go a long ways into building credibility and \nadding value, where the private sector would clearly view them \nas a partner in this.\n    So I think when you look at the current budget, and I think \nfolks up on the Hill--we have had many discussions with them--\nwould like to see more value coming out of the budgets that are \ncurrently allocated today.\n    Senator Coburn. So this threat assessment would be one way \nto engage the private sector. What are other ways that DHS \ncould engage the private sector?\n    Mr. Powner. One other way, I think if you go back to the \nInternet reconstitution, I think Mr. Purdy talked about or \nmentioned that NCSD would take a leadership role. There are \nmany folks in the private sector, when you are looking at \nInternet service providers and telecommunication companies, \nenergy companies, they also would play a major role in that, \nand if the NCSD, as one example, put together some initial \nplans, I think the working group that Mr. Purdy mentioned is a \nstep in the right direction, but there needs to be further \nprogress in putting in place response plans that are \ncomprehensive, where the private sector views the Federal \nGovernment as a partner.\n    Senator Coburn. 
Is there a backup hardware infrastructure \nin place now if, in fact, the Internet--they would successfully \nchallenge and shut it down, without reprogramming it and \neverything else, is there a backup infrastructure with which \nthat could be reassembled quickly on a short-term basis? Do \neither one of you want to answer that?\n    Mr. Purdy. Well, I think ESF-II, the communications plan \nfor recovery, is a very robust effort and the \ntelecommunications backbone is the foundation for the Internet. \nWe have done a lot of modeling work in terms of potential \ndisruptions of the Internet and what it would take to carry it \nout for a long period of time. So I think we are in pretty good \nshape on that.\n    I do echo the point that in terms of the priorities, we \nwant to partner more effectively with the private sector on the \nrecovery piece, on the response piece and the information \nsharing and threat piece. We recognize and we support those \nconclusions and we are working hard to do that.\n    Senator Coburn. Have you sent a letter to them saying, how \ncan we do that? Has DHS gone to the private sector and said, \nhow can we partner with you better?\n    Mr. Purdy. We had two large meetings with the private \nsector over the last 2 weeks. We had a meeting with the \nrepresentatives of the Sector Coordinating Council yesterday. \nWe will be meeting within DHS after July 26 to lay out how we \nare going to move forward to engage. We have had meetings with \nour lawyers to figure out how we can comply with the Federal \nAdvisory Committee Act, to have private sector folks actually \ntasked on a working group or a task force.\n    So we expect to have some concrete progress in setting up \nthose groups, and for each of those groups, identifying \nmilestones and metrics, because the metrics piece is the other \nbig piece that we are moving forward on with our internal and \nexternal metrics, and we want the private sector involved with \nus. 
So it is not just performance, it is cyber security \npreparedness, metrics that folks can follow over time to see \nwhere we stand, and that is going to help impact the whole \nNational Infrastructure Protection Plan cyber piece.\n    Senator Coburn. Senator Carper.\n    Senator Carper. Just a couple more, if I could. I think I \nwill direct these to Mr. Powner, if I may. I am going to read \nyou something that was prepared in my briefing papers here.\n    Cyber attacks are launched for monetary gain, for \nintelligence information, or for the thrill of a challenge. The \nmost commonly used cyber attacks are viruses and worms that are \ntransmitted through the networks and systems to disrupt \ncomputer files and programs.\n    Go back to the first part. Cyber attacks are launched for \nmonetary gain, for intelligence information, or for the thrill \nof a challenge. In the work that you have done, the study that \nyou have--the time you have invested in this, which of those \nthree, monetary gain, intelligence information, or the thrill \nof a challenge, seem to predominate?\n    Mr. Powner. We don't have specific numbers on that, Ranking \nMember Carper, but I would say that the monetary gain, when you \nlook at some of the surveys that are done by some of the \ninstitutions out there that track this on an annual basis, for \nmonetary gain, those numbers continue to grow year to year. The \nhacking community, I think they are always going to attempt to \nhack for the thrill of hacking. The underground community is \nstrong and vibrant. But clearly, when you look for monetary \ngain, also if you look at recently with online fraud and \nidentity theft, that is also a growing area where there is \ngreat concern with security vulnerabilities.\n    Senator Carper. I don't know if it was a football coach \nfrom someplace in Oklahoma, Oklahoma State University, OSU, or \nthe other OSU, Ohio State University, but one said that----\n    Senator Coburn. 
I happen to be an alum of both.\n    Senator Carper. I know. I am an alumni of Ohio State. \nSomehow, I got on the list from Oregon State University. They \nsend me solicitations for money, so I hear from a lot of OSUs.\n    But one of them once said that the best defense is a good \noffense. It sounds to me like we play a lot of defense, trying \nto fend off these cyber attacks. Talk to us about the offense \nthat we are playing, as well. I will start with you, Mr. \nPowner, and then I will go back over to Mr. Purdy.\n    Mr. Powner. Ranking Member Carper, I think if you look at \nour offensive capabilities, it is probably best if we talked \nabout that in a closed setting.\n    Senator Carper. All right. Should we ask our guests to \nleave? I am just kidding. We won't do it here.\n    Mr. Purdy?\n    Mr. Purdy. Let me say the piece of it that I can respond \nto, because the point is well taken, we are attempting, and I \nsay in my written testimony, to leverage the capabilities of \nthe Federal Government from a cyber defense perspective. That \nis situation awareness. That is the ability to attribute the \nsource of attacks, the ability to coordinate and prepare for \nresponding to specific attacks and the reconstitution piece. So \nwe are mapping those capabilities across the Federal Government \nand we are going to identify of those capabilities what do we \nneed to tie into US-CERT?\n    And third, when there is a cyber incident of national \nsignificance, we want to in advance identify the surge \ncapacities and resources that we need brought to bear so we \nhave the full resources of the Federal Government coordinated \nin partnership with the ISPs and the telecommunications \nproviders, as well. And if you have a good defense, you don't \nhave to respond to other alternatives. 
We would prefer to try \nto make ourselves as safe as possible, dealing with the threat \nas was discussed, but we need to reduce the vulnerabilities \nbecause too often, we are not going to know the specific threat \ninformation as to who is going to attack us. So we need to \nprioritize the vulnerabilities under the risk management \nframework of the Secretary to help mitigate the risks that we \nface.\n    Senator Carper. Sometimes when folks commit crime for \nmonetary gain, they do so because they feel that--there is a \nrisk-benefit situation here. People are willing to take a risk \nand in return they feel they get a certain potential payoff or \na benefit from it.\n    When it comes to folks that are doing this for monetary \ngain, I don't know how likely it is that they feel they are \ngoing to get caught, prosecuted, go to jail, be fined. Talk to \nus a little bit about the likelihood that the folks who are \ndoing this for monetary gain are going to be punished and \nwhether or not the punishment is commensurate with the crime.\n    Mr. Purdy. Who are you directing the question to?\n    Senator Carper. Either one of you. Let me start with Mr. \nPowner.\n    Mr. Powner. Would you repeat that, please?\n    Senator Carper. I sure will. What I am trying to find out \nis, somebody is out there. They are going to commit one of \nthese crimes, one of these cyber attacks for money, for \nmonetary gain, and they are thinking through, does this really \nmake sense? Am I going to get something that is worth taking \nthe risk to commit this crime? How likely is it that we are \ngoing to catch them, and if we do, is it fair to say that the \npunishment, the level of punishment, is enough to make them \nthink twice about committing the crime?\n    Mr. Powner. A couple comments. One is GAO does not have \nspecific numbers on that, but a lot of these activities go \nundetected to begin with. 
So if you start there and say that \nthere are a large number of these attacks that we do not \ndetect, then I think the chances are high that, in fact, they \nwill not get caught because they may not even be detected. \nConsistent with Andy's comments, I think that is why we are \ntrying to reduce our vulnerabilities, increase our intrusion \ndetection capabilities so that, in fact, we can detect more on \na going forward basis.\n    Senator Carper. Same question. Mr. Purdy, what I am trying \nto get at is sometimes when criminals are contemplating a \ncrime, they actually think about, well, what if I get caught? \nIf I get caught, what is likelihood that I will be convicted. \nIf I am convicted, do I go to jail or pay a fine? Is it worth \nit? And what I am trying to get at is how likely is it that we \nare going to catch these guys and is the punishment \ncommensurate with the crime.\n    Mr. Purdy. Well, most of those questions, I would prefer to \ndefer to the Department of Justice. They really have the \nresponsibility in that area.\n    The point that Mr. Powner referenced, though, in terms of \nthe seriousness with which we view the criminal activity that \nis occurring in cyberspace and the difficulty of attributing \nthe source of some of the largest attacks we have ever seen, \nthat is all the more reason why we want to focus on reducing \nthe vulnerabilities and working with law enforcement and in the \nR&D space to try to do a better job of figuring out who is \ndoing these things to us, because obviously in the dynamic of \nif you don't think you are going to get caught, it doesn't \nmatter what the punishment is.\n    Senator Carper. The last question I want to ask is to go \nback to Mr. Powner. 
I think it was the May 2005 report called \n``Department of Homeland Security Faces Challenges in \nFulfilling Cyber Security Responsibilities.'' GAO identified, I \nthink you called it a road map of 13 key responsibilities that \nwere established, both in law and in policy. And my question of \nyou would be, what priorities--and I think the Chairman \nactually mentioned this before--what priorities, and if you are \nGAO, should the Department focus on first?\n    Mr. Powner. First of all, that was our recommendation, that \nyou take these 13 areas and that they prioritize. But one thing \nthat you could--that could help with the prioritization, I \nthink Mr. Purdy has clearly mentioned a number of their \npriorities, priority areas on a going-forward basis with \nbuilding trust relationships and tackling the threat and \nvulnerability reduction. There are certain areas that the \ngovernment, and in particular NCSD, controls more than others.\n    So if you compared threat assessment to vulnerability \nassessment, vulnerability assessment, they can facilitate the \nvulnerability assessments, but that really has to be done by \nthe infrastructure owners of the private sector, for the most \npart. Threat assessment, they control most of that. So in terms \nof the priorities, there are perhaps some quicker hits with \nareas that the government controls more than the private \nsector. So that could be a factor in their prioritization \nefforts.\n    Senator Carper. All right. Gentlemen, thank you.\n    Senator Coburn. Thank you very much. Thank you for your \ntestimony.\n    We will now have panel two. Our first witness will be Paul \nSkare. He is the Product Manager of SCADA, Substation \nAutomation Products for Siemens Power Transmission and \nDistribution, Energy and Management Automation Division.\n    With us, also, I will let Senator Carper introduce Thomas \nJarrett.\n    Senator Carper. Thank you, Mr. Chairman.\n    I am going to ask Mr. 
Jarrett when he speaks to just take a \nmoment and introduce the members of his team that are with us \nhere today.\n    I would just say, because I already talked a good bit about \nTom earlier in my opening comments and I appreciate the \nopportunity to introduce him here today. I was fortunate to \nserve as Governor for 8 years and one of our real challenges in \nState Government was to put together at the cabinet level an \nagency that could help us take our information systems really \ninto the 21st Century, and we struggled with that. We actually \nhad an overall sort of top-to-bottom review of State Government \nin, I want to say, 1993. We looked at our Information Services \nAgency, OIS, and tried to determine how we should change it, \nhow we could make it better and to enable us to better serve \nthe folks in our State. I am never convinced we got it quite \nright.\n    I think one of the very good things that has been done \nunder the administration of my successor is, I think they have \npretty much gotten it right. Part of getting it right is really \nhaving the right person to lead that effort, and in Tom \nJarrett, I think we have that person.\n    He brings us to today the perspective of one who has worked \nin the private sector in these areas, one who has provided \ngreat leadership, not just for our State, but I think for \nothers who do his work, his job, his counterparts in other \nStates across the country, and I am really proud of him and the \nagency and the men and women that he leads.\n    I thank you for the chance to say those nice words about \nhim.\n    Senator Coburn. I am struck by the fact that we lost 75 \npercent of the people that are here, and I am just wondering if \nall those worked for GAO and DHS, and if they did, no wonder we \nare not getting where we need to be.\n    Senator Carper. They are doing the security for the two \nwitnesses.\n    Senator Coburn. Thank you both for coming. Mr. 
Skare, if \nyou would.\n\n TESTIMONY OF PAUL M. SKARE,\\1\\ PRODUCT MANAGER, SIEMENS POWER \n  TRANSMISSION AND DISTRIBUTION, INC., ENERGY MANAGEMENT AND \n                           AUTOMATION\n\n    Mr. Skare. Good afternoon, Chairman Coburn, Senator Carper. \nI am Paul Skare, the Product Manager at Siemens Power \nTransmission and Distribution. My role is, as we said, managing \nmany of the products that we are talking about here. I am also \ninvolved in many standards groups relating to SCADA, or \nSupervisory Control and Data Acquisitions Systems.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Skare with attachments appears in \nthe Appendix on page 69.\n---------------------------------------------------------------------------\n    Siemens is a very large company in this product space and \nwe operate in over 190 countries worldwide. In the United \nStates, we have over 70,000 employees and we have operations in \nall 50 States.\n    In energy management and automation, we provide software \nand technologies for the energy market, and these SCADA systems \nare systems that collect data from all the remote places, the \nsubstations, the power plants and other expensive pieces of \npower equipment, bring them to a central location, and do \nanalysis on this data and turn this data into information so \nthat the operators can then make the right, appropriate actions \nto correct problems in the field. Obviously, this is a key \npoint for power reliability. 
Adding more smart applications to \nthese SCADA systems allows you to then do even more detailed \nanalysis and really look at preventing--proactive approaches to \npreventing blackouts and things.\n    My testimony today is focusing on identifying some of the \npotential security vulnerabilities of a SCADA system, some of \nthe activities related to this, and some recommendations to \nbetter protect these systems.\n    While our customers primarily use these systems in the \nelectric sector, many also use the same basic technology for \ngas, water, and transportation. With some background on this \ninformation, I have prepared some appendices that can be \nsubmitted into the public record to help the----\n    Senator Coburn. Without objection, they will be. Thank you.\n    Mr. Skare. And I would like to say that in the last few \nyears, I have seen industry and government working better \ntogether. What is really noticeable is that a lot of this type \nof discussion has moved away from the art, or the world called \nart into a more firm science approach to the issues, and it \nhelps spread awareness and get everyone to speak the same \nlanguage.\n    But nonetheless, some of the SCADA vulnerabilities that are \nissues to look at are obviously remote access. 
Anytime you have \nremote access to make it easier to access these devices \nremotely, it is going to present a vulnerability or the \npotential for a vulnerability.\n    Network configurations, the way that you would remotely \naccess these things, of course is very important, to make sure \nthat they are secured, and any minor misconfiguration can \ncreate a vulnerability.\n    Disgruntled employees, whether they are current employees \nor ex-employees, are a big factor, whether they are mad and \nthey go immediately and do something they still have access to, \nor whether they have just been terminated but they still have \naccess privileges to the system will allow them to go out and \ndo a malicious act.\n    The discussion earlier about security holes and patches and \nviruses, worms and so on, is going to be always an issue for \nthis industry because of our high reliance on commercial off-\nthe-shelf technology. Our systems are based on all the standard \ncomputers that are available on the market.\n    Communications should be encrypted. This means if you are \nusing a wide-area network approach, you should have a public-\nprivate key infrastructure with encryption and authentication \nto make sure the data is private and can't be hacked into. You \nshould also make sure that for a lot of these remote devices \nyou are talking to, that you have valid encryption and \nauthentication in place for those, as well.\n    One of the things that we have talked about in the previous \ntestimonies today is incident reporting, really. How do you \nknow how bad it is when it is unclear how you measure? What are \nthe real incidents? Are you getting a false positive on an \nattack report? Are the companies that use these systems, are \nthey reporting actual incidents to anybody? Certainly as a \nSCADA vendor, most of our customers do not want this \ninformation public. 
They don't want to tell us, and they would \nprefer not to tell anyone because of the potential harm the \npublicity could bring.\n    So some of the challenges for these SCADA systems is making \nsure that all user activity is audited by the individual doing \nthe activity, making sure that there is upgrade kits for older \nsystems to make them secure without having to replace the whole \nsystem, making sure all the third-party products involved in \nthese systems are also set up for security and the latest patch \nis built into those. Again, making sure that we have the secure \ncommunications, both over WANs and over slower dial-up-type \naccess.\n    And finally, making sure that a lot of the low, weak \ndevices that you are talking to have the ability to have \nencryption between them so that when you are talking from a \ncontrol center out to an RTU or a remote device that is \nbringing the data in, even if it is a really old one, that you \ncan still get a secure communications and not have concerns \nfrom that regard.\n    Some of the recommendations that will help achieve securing \nthese systems is making sure that business processes are \naligned with security in mind. Now, NERC has done a lot to \ncreate some security policy where it is sent to foster \nrequirements for security policies, but not necessarily--with \nthe energy bill now, the enforcement becomes a possibility for \nNERC to be able to address these issues. 
Today, the enforcement \nis only a voluntary enforcement, and so for a utility to have a \nsecurity manager and a security awareness program and making \nsure there are no little yellow sticky notes with user names \nand passwords laying around is an important aspect of security.\n    Types of SCADA systems also have some challenges on the \ndifferent types of security because an electric SCADA system \nwill be processing information every one or two seconds, \npulling that information in and doing analysis on it, while \nsomething on a gas pipeline system might only need to pull that \ndata in once every 10 minutes. So a gas pipeline system can \nhave a higher level of encryption and still get its data in \ntime, but for an electric power system, when you are talking \nabout collecting data at perhaps once every second, you can't \nblock the access of the data by having so much encryption that \nit slows down the availability of the data.\n    So with that regard, one of the recommendations is to \nfoster some research into that area so that for these low-\npowered devices, that includes some of the wireless devices \nthat are out there now, too, because more and more, you are \nseeing sensors connected into the system through a wireless \nconnection before they come upstream to the control center, and \nright now, there is a need for research in the security of \nthese wireless communications.\n    Another recommendation is to have a secure way of reporting \nboth the threats and the incidents in these systems. So, for \nexample, whether someone has a threat available, it is not \nnecessarily accurate that everyone is aware of that threat, and \nalso, if a utility is faced with an attack or a security \nincident, there is no mandate that says they have to report \nthat to anyone. 
And if there was a way for these incidents to \nbe shared along with the vendors that make these systems, it \nwould allow us to more rapidly respond to fixes for these \nincidents.\n    Another issue is incentives for the utilities when they \nsecure their systems. If there was an approach that would \nensure that the culture at these utilities had the mindset of \nsecuring their systems in a way to help their cost recovery on \nthose through either tax incentives or some such mechanism, \nwould be helpful, I think, for the electric utilities.\n    Federal and State cooperation, it is not just the people we \nhave talked about today, but each State Public Utility \nCommission is also involved in the operation of these electric \nutilities and the cooperation and perhaps public outreach in \nthese areas with the Public Utility Commissions would be of \nbenefit.\n    And then there is also non-jurisdictional utilities also \ncould be useful to be brought into the fold with the security \ndiscussion.\n    Another recommendation is Department of Homeland Security \nand Department of Energy have some similar programs and it \nwould be useful, I think, to have them perhaps a little more \ncoordinated or merged together.\n    We heard earlier today about the Control System Security \nand Test Center, and there is also the National SCADA Testbed, \nboth out at Idaho National Laboratory. And while Siemens has a \nsystem out there, I think that it would be useful to have these \nprograms combined and have a longer-term funding approach for \nthem so that you can see that as these vendor systems get out \nthere and the vendors produce fixes and patches for them, that \nover time, you can verify that these systems are really getting \nsecured. But this is not a one-year type of approach. This is a \nmulti-year activity.\n    The other thing that would be useful is if the different \nnational laboratories were a little bit more in sync and didn't \nappear to be competing. 
For example, Idaho National Lab, Sandia \nNational Lab, Pacific Northwest National Lab and Oak Ridge, \nwhich all have some relevance to this subject, in fact, three \nof them do have a partnership for the National SCADA Testbed, \nbut in overall, there has still in the past been some confusion \nas to who is taking what role in this activity.\n    The various management changes and reorganizations have had \nan impact, also, on making sure you know who you are talking to \nin order to accomplish various tasks in this arena.\n    Senator Coburn. Let me get you to summarize, if you would.\n    Mr. Skare. OK. Absolutely. The final point is that a risk-\nbased approach is, I think, the most effective approach to \nthese issues.\n    Finally, I would like to say that Siemens is very \nsupportive of these activities and will continue to be made \navailable and to assist and to work in the area to secure the \nNation's critical infrastructure. Thank you.\n    Senator Coburn. Secretary Jarrett.\n\n    TESTIMONY OF THOMAS M. JARRETT,\\1\\ SECRETARY AND CHIEF \nINFORMATION OFFICER, DEPARTMENT OF TECHNOLOGY AND INFORMATION, \n                       STATE OF DELAWARE\n\n    Mr. Jarrett. Thank you. At Senator Carper's request, first, \nI will introduce the folks that came along with me. First is \nElayne Starkey, the Chief Technology Officer for the \nDepartment; Michele Ackles, who is my Deputy in the Department; \nand I would also like to introduce Shay Stautz, who is here \nwith me from NASCIO, so I am glad that they joined me today.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Jarrett with attachments appears \nin the Appendix on page 105.\n---------------------------------------------------------------------------\n    Thank you for inviting me to appear before you today. 
I \nappear in two capacities, first representing the great State of \nDelaware as Secretary of Delaware's Technology and Information \nAgency, and second, as the current President of the National \nAssociation of State Chief Information Officers, or NASCIO.\n    First, I would like to thank Chairman Coburn and a special \nthanks to Delaware's Senator Tom Carper for inviting me to \nspeak with you today. As Delaware's CIO in charge of all State \nGovernment information and communications technology, my \nhighest priority is cyber security.\n    The security of Delaware's information technology system is \ncritical to the well-being of our State as a whole, not just \nthe business of the State, but also its economy. Further, from \na Federal perspective, Delaware's information system is key to \nproviding Federal services to our citizens and supports \nhomeland security efforts.\n    In the most simple of terms, keeping those who would wish \nto do us harm out of our network and systems is the primary \nchallenge of IP security staff in Delaware and across the \nNation. Delaware's State network may be small in comparison to \nsome other States, yet we are responsible for over 130,000 \nusers, representing all three branches of government, including \nour law enforcement, first responder, and educational \ncommunities.\n    We have recently deployed new software that permits us to \ncheck network events on a daily basis and we fend off nearly \n3,000 daily attempts at entering our network. I would like to \nrepeat that, nearly 3,000 attempts a day to invade our network. \nAs you will see in the documentation that I have attached to my \nstatement, these numbers are not out of line with what other \nStates are seeing.\n    Because of our extreme diligence, we have not had a \nsignificant intrusion into our network. Keeping those that \nwould wish to do us harm out of our network requires multiple \nlayers of protection. 
While it is rarely a terrorist in the \ntraditional sense of the word that threatens the State network, \nwe do not focus specifically on who is trying to infiltrate our \nnetwork. Rather, our goal is to keep all those with bad \nintentions from entering our system.\n    Without lapsing into too many technical terms, we deploy a \nnumber of different hardware and software products to protect \nour networks. We scan, scan, and scan again all traffic coming \ninto the network. We search for viruses, spam, spyware, and \nother recognized problems.\n    Delaware is proactive in establishing collaborative \npartnerships at the Federal and local level. We have a working \nrelationship with the FBI, who performs vulnerability audits \nand scans for us. We collaborate with the private sector, as \nwell. Delaware was the first State to become part of an \nextensive security cooperation program that Microsoft has \nestablished.\n    During times of heightened security alerts, like that \nresulting from the recent terror incidents in London, we also \nraise the bar on cyber security. We increase our vigilance and \nour monitoring because we are well aware that a virus that \nbegins in Asia can propagate to the United States in a matter \nof a few short hours. In a very short period of time, it is \npossible for a system that has been not hardened or properly \nmaintained to be completely overrun.\n    Now, what does the future hold? Unfortunately, I have to \nstate that I believe that threats to cyber security will only \nincrease and we will face continuing attacks and attempts on \nmultiple fronts. State IT officials must continually adjust how \nand what is filtered, blocked, and monitored. New threats \nappear almost daily and they can, in a matter of seconds, \nrender services we have all come to depend upon, like e-mail \nand web browsing, completely unusable. 
In the worst case \nscenario, without proper protection, an attack could \npotentially cripple or completely shut down an entire State \nGovernment.\n    While we must understand that all critical infrastructure \nis the same by its very nature, critical, whether it is a \nroadway system or an information network, infrastructure is \nabout moving people and information and a State's network \ninfrastructure is equally as important as its highways, \nelectric power grid, or mass transit system.\n    I will conclude my remarks with a few words about what \nNASCIO is doing. NASCIO is working with the States to get a \ncomprehensive picture of the challenge that cyber security \nrepresents. We have produced a series of snapshots into what a \nfew States are doing. Let me share just a few experiences from \nmy CIO colleagues.\n    Michigan reports that nearly 32 percent of its incoming e-\nmail carries viruses, while Montana reports a rise from 93 \nattempted virus infections in 1997 to nearly 45 million in \n2005. Kansas blocked 600,000 intrusion attempts over a 3- to 4-\nhour time period during one recent attack.\n    Protecting critical IT infrastructure does not come \ncheaply. We estimate that my Department spends $5 million \nannually, or 15 percent of my annual budget, on cyber security. \nA recent Statewide assessment in North Carolina revealed that \napproximately $50 million was needed to implement a statewide \nsecurity plan.\n    NASCIO believes that the Federal Government and the States \nmust increase collaboration in facing these threats which we \nshare in common. NASCIO applauds last Wednesday's announcement \nby Secretary Chertoff that he will create an Assistant \nSecretary for Cyber Security within the reorganized Department. \nNASCIO supported the calls for such a position and has endorsed \npast legislative efforts seeking to create the position. In \nfact, State CIOs have made addressing deficiencies in public \nsector cyber security their No. 
1 item on our Federal agenda. \nWe believe that the creation of a higher-profile position for \ncyber security within DHS is an important statement to the \nNation as a whole.\n    Having provided you with this background, NASCIO comes \nprepared to offer the Subcommittee one substantive step that it \ncan take forward toward improving intergovernmental cyber \nsecurity. NASCIO has provided Subcommittee staff with language \nthat encourages the Secretary to have DHS revise the existing \nstrategy and assessment process to include requiring a cyber \nsecurity preparedness plan from each State and each State's \nCIO. We feel that closing the cyber security planning gap in \nthe near term, and especially before the next round of grant \nmaking gets underway, is the single most important issue facing \nour sector today.\n    Finally, NASCIO points out that information systems in \ngeneral are the only part of the Nation's critical \ninfrastructure that is under attack everywhere, all the time, \nand these attacks are inflicting millions of dollars in damage. \nCyber attacks, even those without terroristic intent, could \ndisrupt government's operations in general or homeland security \nmission critical systems specifically. It is our duty to secure \nthese systems from all types of threats, regardless of the \nintent behind them, and as soon as possible.\n    As the CIO for the State of Delaware and the President of \nNASCIO, I appreciate the work that the Subcommittee is doing in \nconfronting this national challenge. Thank you.\n    Senator Coburn. Thank you, Mr. Jarrett.\n    Senator Carper has to leave and I am going to defer to him \nfor the first set of questions.\n    Senator Carper. Thank you very much, sir.\n    Again, to our witnesses, thanks a lot for coming and for \nreally excellent testimony in ways that even I could almost \nunderstand. Sometimes when we have people testify on these \nsubjects, I am not sure I understand the words. As Mrs. 
\nEinstein used to say, Albert Einstein's wife, ``Mrs. Einstein, \ndo you understand what your husband is saying or talking \nabout?'' And she said, ``I understand the words, but not the \nsentences.'' I think for your testimony, for the most part, I \nunderstood not only the words but, in many cases, the \nsentences.\n    I want to return to a question I asked the last panel and \nnever got the answer I was looking for. I raised the issue of a \nfootball coach who is looking for ways to provide a good \noffense, and not just a good defense. We had a big middleweight \nchampionship fight out in, I think it was Las Vegas, this past \nweekend. A guy who defended his title, I think 20 times, was \nunsuccessful in title defense No. 21.\n    Senator Coburn. Fighting is not good for you.\n    Senator Carper. That is what I have heard, at least \nfighting against those guys wouldn't be good for us. But as I \nlistened to this testimony, I am reminded of a boxing match, \nmaybe even a football game, where one side is on defense the \nwhole time and you never get the ball to go on offense. I am \nreminded of a fight where you have got one guy is permitted to \nthrow all the punches and the other guy just basically has to \ntake them. Am I misreading this? Are there ways that we can \nfight back effectively? It seems that all we do is play \ndefense, and I think we are pretty good at it, it sounds like \nwe are very good at it, but I like to play offense, too. Are \nwe? Should we be?\n    Mr. Jarrett. Well, I would say from a State perspective, I \nthink we are beginning that process. We have spent considerable \ndollars over the last several years building a very strong \ndefense. But the real issue here is more in trying to identify \nthe people that are actually trying to get into our networks, \nthey hide themselves very effectively. 
So you need to have the \nresources and the money to then go after them, and I happen to \nbe a believer that we should be going after them, but they are \nvery difficult to find. In our case, as quickly as we make \nchanges to our system, we see changes that have already \ncountered those changes. So very definitely, I would hope that \nwe will begin to take a much more offensive approach, but it is \nvery difficult.\n    Mr. Skare. I think that we have a very large installed \nknowledge now with intrusion detection systems, but now the \nlatest thing that is coming along is intrusion prevention \nsystems. So what it is, it is trying to take a look at the \nknown signatures of some of these attacks and try and prevent \nthem as they are happening, or the so-called zero day defense \nthat is really happening. And when you combine that with a \ndefense in depth approach to your control system, you have a \nmuch better chance of really trying to proactively stop them as \nit happens, although I would say that there is still a long \nways to go there.\n    But, for example, when you look at some of these control \nsystems, they use quite common standardized protocols so that \nall the different systems can talk to each other and these are \nmostly publicly available, so we are taking a look at how do \nyou scan real time these data communications and prevent things \nfrom happening real time.\n    Senator Carper. All right. A question, if I could, this \nwould be for Secretary Jarrett. I believe in your testimony, I \nthink I heard you say that some 15 percent of your Department's \nbudget is just for cyber security initiatives. Last week, \nSecretary Chertoff said, I believe in this hearing room, not \nonly the establishment of the Assistant Secretary for Cyber \nSecurity and Telecommunications, but he talked about dedicating \nsome Federal resources to help the efforts across the board. 
\nLet me just ask, what additional resources do you believe that \nthe Federal Government, if any, should allocate, if any, for \ncyber security initiatives?\n    Mr. Jarrett. Well, I think there are two pieces of that. I \nhave read some of the numbers as far as dollars that they are \ntalking about appropriating to that. When I compare them in \ndirect comparison to what I spend, my comment would be that I \ndon't think it is enough. So I would hope that the \nappropriations that they are going to put towards cyber \nsecurity would be much larger than what I, at least from what I \nhave currently seen.\n    Senator Carper. It would also be great if, whether the \nallocations are huge or large or moderate, it would be great if \nthey were doing something that sort of complemented what you \nwere doing with this data, not necessarily duplicate or \nreplicate.\n    Mr. Jarrett. And that was going to really be my second \nthought, which is I heard the comments and what was honestly \nstriking to me was the fact that though there was a lot of talk \nabout connections between agencies and all that, there was no \nmention of connection really to the States. And I would argue \nthat the States are really the first line of defense when it \ncomes to, whether it is first responders and those kinds of \nthings. We are kind of out front on a lot of areas, working in \nthe area of cyber security. So we would like to work much more \neffectively with them in the future. I think that would be a \ntremendous approach if we could finally, or at least \nultimately, reach that point.\n    Senator Carper. One other thought, Mr. Chairman, comes to \nmind. I think it was Lincoln who used to say, the role of \nGovernment is to do for people what they cannot do for \nthemselves. 
Maybe a reasonable role for the Federal Government \nhere, for the Department of Homeland Security, is to do for \nStates what you cannot do for yourselves, or for the private \nsector, for that matter.\n    One last question, if I could, for Secretary Jarrett. I \nbelieve your first task, as I recall, as Secretary was to \ntransform Delaware's Office of Information systems to this \nDepartment of Technology and Information. You hand picked and \nhired an entirely new organization that is built on a market-\nbased compensation plan where individuals are compensated based \non their performance within the Department. You also did away \nwith many middle management positions. You enabled employees to \nbe more connected with the end result.\n    I would just ask what suggestions you might have, really \nfor the Department of Homeland Security, for our Federal \nagency, for your big brother, if you will--that probably has \nthe wrong connotations--but for Homeland Security in finding \nand retaining the most highly qualified individuals to protect \nour Nation's critical infrastructure.\n    Mr. Jarrett. I have a pretty basic thought about that and \nit comes down to the most basic thing, which is pay. One of the \nkey approaches that Delaware took was to be able to pay our \npeople within the Department what the market, and what they \nwould literally get in the market if they were to go outside of \nworking in State Government. 
We found that to be very \neffective, because in the end, if you are going to be effective \nin managing, working these kinds of issues, then you have to \nhave very good people, and if they are going to be accountable, \nthen you have to be willing to pay them, or otherwise very \nlikely they either won't come to you in the first place, or if \nthey do, they won't remain very long.\n    So we have found that our pay structure has been probably \none of our greatest assets because it has allowed us to hire \nvery excellent people who are more than willing to stay because \nwe are very competitive.\n    Senator Carper. Great. Mr. Chairman, thanks for letting me \nlead off here. And again to Secretary Jarrett, it is great to \nsee you.\n    Mr. Jarrett. Thank you.\n    Senator Carper. Thank you for you and your team, who are \nrepresentative of the great work you are doing on behalf of our \nState and for, I think, the wonderful example you are providing \nto a few other States. Congratulations. He is not only \nSecretary, Mr. Secretary, but he is also Mr. President of his \nnational organization. It is not every day we get to do that. \nThank you both.\n    Senator Coburn. The Senator from Delaware, are you \nproposing waiving government parameters limiting the ability to \nincrease pay and pay for performance in Homeland Security? That \nis something our President has been trying to do here for some \nperiod of time.\n    Senator Carper. When we have a private conversation with \nour earlier panel on the matters they couldn't discuss, let us \nbring that one up, too.\n    Senator Coburn. OK. Good answer. [Laughter.]\n    Senator Coburn. Mr. Skare, here is how my staff assesses \nyou. He is a world class operational control systems technology \nexpert. He works for one of the world's largest manufacturers \nand leaders in control systems. So I want to ask you very \nfrankly, do you have a good working relationship with DHS? 
Are \nthey communicating the way they should with you? Are you \nallowed to get information that is helpful to you when you \nshould, and do you feel comfortable sharing information with \nthem?\n    Mr. Skare. Well, that is a very good question. I think that \nthere has been some changes in management. I originally was \ncontacted and had been working with Mike Lombard in the \nDepartment of Homeland Security, and then that had shifted over \nto David Sanders. I think as some of the activities go on--for \nexample, the DHS did invite me to the road map meeting we had \nlast week in Baltimore, and I think that it was a very good \nmeeting for sharing ideas with the DHS people.\n    My experience with DHS is that they are very focused on \nmoving quickly. But as far as sharing any detailed information, \nI do not have any specific threats shared with me of any sort.\n    Senator Coburn. So, in other words, there may be a threat \nto one of the systems that you are looking at that they know \nabout that you don't know that could maybe enhance your ability \nto do the job better as a vendor for those items, yet you are \nnot seeing the feedback loop coming on that.\n    Mr. Skare. That is right. I have seen no feedback in that \narea.\n    Senator Coburn. Is that not something that we want to \nhappen?\n    Mr. Skare. I believe it is. I know that I actually had this \ndiscussion with one of the DHS people last week and we \ndiscussed if it meant that we should get security clearance, or \nmaybe there is a new type of clearance that could be created, a \ntrusted type of information sharing line that could go on. But \nthe discussion was still an ongoing discussion.\n    Senator Coburn. Well, if 85 percent of our cyber is in \nprivate hands, we are going to have to talk to the private \nsector. That would mean 15 percent is in the State and Federal \nhands and other entities. 
We are going to have to communicate, \nand I was most concerned about GAO's testimony as this lack of \nconfidence, because if there is not confidence with DHS, then \nyou as a spokesman or lead individual for your company are \ngoing to be somewhat hesitant to share with them information. \nAnd so if we can't get past the--it is kind of like marriage. \nIf you can't get past the trust deal, you never get anywhere. \nSo if we can't get there, this can build and this can grow if \nwe have a working relationship. I am concerned.\n    Have you noticed anything, Secretary Jarrett, in terms of \nyour ability to relate and a level playing field and \ninformational exchange that you could offer us?\n    Mr. Jarrett. We have found that the information exchange \nhas been very difficult. That is why we have built strong \nrelationships with most of our business partners. I can tell \nyou that most of the threat data that we get today, we get from \nthose business partners and through US-CERT, but not directly \nfrom the Department.\n    Senator Coburn. Through the US-CERT?\n    Mr. Jarrett. Right.\n    Senator Coburn. OK. And did either of you gentlemen happen \nto see the article yesterday in the Wall Street Journal where \nthey talked about the trojans? I thought it was a very \ninformative article for the public because it is us and our \npersonal computers that are being used to scam everything else \nin the world and used to, what do they call it, bot----\n    Mr. Jarrett. Bots and zombies and----\n    Senator Coburn. Yes. I would also note that DHS is not in \nhere anymore for them to hear your testimony, which is \nconcerning for me, because that is one of the areas, we are \nsponsoring this, we have 15 people from DHS attend a hearing, \nbut when they are through testifying, then they are not here to \nhear what the rest of the panel says so we don't get the \ninformation. 
So that says you don't build trust if you can't \ncommunicate, and if you aren't going to listen, you are never \ngoing to be able to communicate. So I am somewhat critical of \nthat.\n    Mr. Jarrett, does your office have regular contact with the \nNational Cyber Security Division at DHS?\n    Mr. Jarrett. We do not. We do on a kind of hit-or-miss \nbasis. We do a lot of things. We are members of the MS ISAC, \nwhich is the 50-State group that has come together, but not \ndirectly with them.\n    Senator Coburn. Did I hear you right a moment ago that you \nthought there should be a requirement for each State to have a \npreparedness plan?\n    Mr. Jarrett. A cyber security preparedness plan, \nabsolutely.\n    Senator Coburn. And should that be contingent on their DHS \ngrant?\n    Mr. Jarrett. I think it should be tied directly to the \ngrant process. What has been difficult in the current grant \nprocess is that little of that money is going towards cyber-\nrelated issues. I can tell you, in the 3 years that monies have \ncome out in my State, I just for the first time got a small \namount of those dollars for some cyber work that we are doing. \nIt has been driven toward other directions, and though I \nunderstand that and respect that, I think that we need to also \nunderstand that the cyber aspect of this is absolutely \ncritical.\n    All of our systems and everything that--I run all of the \nsystems for all the first responders, the State police, \neveryone, so during time of greatest need, if my systems go \ndown, they literally have no access to any of the information \nthat they will require.\n    Senator Coburn. And you already answered this somewhat, but \nI want to ask you again, and I find it strange. Fifteen to $16 \nmillion of this next year's budget for DHS, and you are going \nto spend $5 million, and you say to set a State up, it is going \nto take $50 million just in programming the structure and \nobservations and diligence. 
I am kind of appalled that that is \nthe priority. Are you?\n    Mr. Jarrett. I am concerned about the priority, absolutely. \nI mean, we are very happy to see that they have established the \nAssistant Secretary for Cyber Security. That is something that \nwe have pushed for for a long time. But with it must come the \nright funding to be able to do the job correctly and the amount \nof money, at least that I have seen, concerns me.\n    Senator Coburn. How are you all at the State of Delaware \ninformed of a fast-moving cyber threat? How do you find out, \nother than your own observation and blocking and monitoring \ntechnique?\n    Mr. Jarrett. Two primary ways today, neither of which are \nthe Department. One is through the MS ISAC structure that was \ncreated about 2 years ago----\n    Senator Coburn. Is that fast? Do you get that on a real \ntime basis?\n    Mr. Jarrett. We get that on a real time basis. It has \nbecome a very dynamic group. We meet once a month, and so we \nhave built a structure within the States that allow us to share \ninformation on a very rapid basis.\n    We also get it from our vendors through our cooperative \nprogram with companies like Microsoft and Oracle and others. \nAnd all of my key security folks are obviously also connected \nto the US-CERT process, as well.\n    Senator Coburn. Is that timely, the US-CERT process, or \ndoes it come hours or days after the fact?\n    Mr. Jarrett. We are actually finding the US-CERT process to \nbe quite timely----\n    Senator Coburn. Good.\n    Mr. Jarrett. So we have been very pleased with that at this \npoint. Timeliness, obviously, in our business, is absolutely \ncritical, given the fact that we are talking about threats \nthat--we are not talking about days, we are talking about \nminutes and hours.\n    Senator Coburn. And going back to your testimony, Mr. 
\nSkare, if you are talking about a power generation facility and \nthey are monitoring sequentially, there is not the technology \nfor encoding or encrypting instantaneously that information so \nthat you can stay on a real time basis without putting that \nfacility at risk?\n    Mr. Skare. There are ways to do that for network \nconnections, although a lot of the standards are still lacking \nin approval from an approval perspective, and many utilities \nare reluctant to roll out technologies like that until they \nhave been standard and approved.\n    Senator Coburn. And who holds that approval?\n    Mr. Skare. It depends. In this case, there is international \napproval as well as U.S. approaches. In the international \narena, it is the International Electrotechnical Commission. On \nthe U.S. side, the standard that most U.S. utilities are going \nto be looking toward is one set by NERC.\n    Senator Coburn. OK. I can't help but think about the \ntelevision show ``24'' and how closely you were involved in \nthat. Part of our risk--there has been $60 billion spent by the \nU.S. Government on IT in this last year, $60 billion by the \nFederal Government. That is a big sum of money. And yet it \ndoesn't seem that we are a whole lot more secure. We may be \nfaster and we may be moving information around, but the more IT \nwe have, the more risk we have if it is vulnerable.\n    What is the budget for the State of Delaware on IT? Do you \nhave any idea?\n    Mr. Jarrett. Well, about $300 million.\n    Senator Coburn. A year?\n    Mr. Jarrett. A year.\n    Senator Coburn. And that is both hardware and software, the \nwhole----\n    Mr. Jarrett. That is everything.\n    Senator Coburn. That is the whole thing. All right.\n    Mr. Skare, you talked about business process. What \nmotivates, or what would motivate a company to make an \ninvestment in cyber security to protect their critical \ninfrastructures, those that have not?\n    Mr. Skare. 
I think those that have not, any type of \nbusiness case where you can show them where the loss or the \ndamage to their business due to such an incident would result \nin a negative impact on their business. For example, if an \nattack took down a particular substation and those customers \nwere without power for a certain amount of time, you would have \nnot only the lost revenue due to the power outage, but you \nwould also have then the damage to the reputation. And \nquantifying those in terms of a business case would go a long \nway to help.\n    Senator Coburn. And so you all are seeing more that your \nbusiness is good, is that correct?\n    Mr. Skare. Interestingly enough, common sense might dictate \nthat after a major event, such as the blackout in 2000, it \nwould spur investment in these areas. However, there was a \ncertain amount of reluctance to spend purely so that it wasn't \nseen as a reaction or as a sign of weakness. So it is kind of a \nbalancing act.\n    Senator Coburn. I want to thank both of you for your \ntestimony and for staying as long as we have. I appreciate you \ncoming and giving this information.\n    We may submit some questions to you in writing. We very \nmuch appreciate if you would be timely in your response to \nthose.\n    Thank you very much for attending. 
The meeting is \nadjourned.\n    [Whereupon, at 3:44 p.m., the Subcommittee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n[GRAPHIC] [TIFF OMITTED] T3163.001 through T3163.132\n\n                                 <all>\n</pre></body></html>\n"