[Senate Hearing 109-893]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 109-893

    CYBER SECURITY: RECOVERY AND RECONSTITUTION OF CRITICAL NETWORKS

=======================================================================

                                HEARING

                               before the

                FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT
                     INFORMATION, AND INTERNATIONAL
                         SECURITY SUBCOMMITTEE

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION


                               __________

                             JULY 28, 2006

                               __________

        Available via http://www.access.gpo.gov/congress/senate

       Printed for the use of the Committee on Homeland Security
                        and Governmental Affairs


                               __________


                     U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2007
29-759 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001




        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   SUSAN M. COLLINS, Maine, Chairman
TED STEVENS, Alaska                  JOSEPH I. LIEBERMAN, Connecticut
GEORGE V. VOINOVICH, Ohio            CARL LEVIN, Michigan
NORM COLEMAN, Minnesota              DANIEL K. AKAKA, Hawaii
TOM COBURN, Oklahoma                 THOMAS R. CARPER, Delaware
LINCOLN D. CHAFEE, Rhode Island      MARK DAYTON, Minnesota
ROBERT F. BENNETT, Utah              FRANK LAUTENBERG, New Jersey
PETE V. DOMENICI, New Mexico         MARK PRYOR, Arkansas
JOHN W. WARNER, Virginia

           Michael D. Bopp, Staff Director and Chief Counsel
             Michael L. Alexander, Minority Staff Director
                  Trina Driessnack Tyrer, Chief Clerk


FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL 
                         SECURITY SUBCOMMITTEE

                     TOM COBURN, Oklahoma, Chairman
TED STEVENS, Alaska                  THOMAS CARPER, Delaware
GEORGE V. VOINOVICH, Ohio            CARL LEVIN, Michigan
LINCOLN D. CHAFEE, Rhode Island      DANIEL K. AKAKA, Hawaii
ROBERT F. BENNETT, Utah              MARK DAYTON, Minnesota
PETE V. DOMENICI, New Mexico         FRANK LAUTENBERG, New Jersey
JOHN W. WARNER, Virginia             MARK PRYOR, Arkansas

                      Katy French, Staff Director
                 Sheila Murphy, Minority Staff Director
            John Kilvington, Minority Deputy Staff Director
                       Liz Scranton, Chief Clerk



                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Coburn...............................................     1

                               WITNESSES

                         Friday, July 28, 2006

George Foresman, Under Secretary for Preparedness, U.S. 
  Department of Homeland Security................................     5
Richard C. Schaeffer, Jr., Director of Information Assurance, 
  National Security Agency.......................................     7
Karen Evans, Administrator for Electronic Government and 
  Information Technology, Office of Management and Budget........     9
Keith Rhodes, Chief Technologist and Director, Center for 
  Technology and Engineering, U.S. Government Accountability 
  Office.........................................................    10
Thomas E. Noonan, President and Chief Executive Officer, Internet 
  Security Systems...............................................    20
Roberta A. Bienfait, Senior Vice President, Global Network 
  Operations, AT&T...............................................    22
Michael A. Aisenberg, Director of Government Relations, VeriSign, 
  Inc., and Vice Chair, IT Sector Coordinating Council...........    24
Karl Brondell, State Farm Insurance Companies, on behalf of the 
  Business Roundtable............................................    26

                     Alphabetical List of Witnesses

Aisenberg, Michael A.:
    Testimony....................................................    24
    Prepared statement...........................................   161
Bienfait, Roberta A.:
    Testimony....................................................    22
    Prepared statement...........................................   139
Brondell, Karl:
    Testimony....................................................    26
    Prepared statement...........................................   167
Evans, Karen:
    Testimony....................................................     9
    Prepared statement with an attachment........................    53
Foresman, George:
    Testimony....................................................     5
    Prepared statement...........................................    33
Noonan, Thomas E.:
    Testimony....................................................    20
    Prepared statement...........................................   132
Rhodes, Keith:
    Testimony....................................................    10
    Prepared statement...........................................   111
Schaeffer, Richard C., Jr.:
    Testimony....................................................     7
    Prepared statement...........................................    50

                                APPENDIX

Hon. Thomas Jarrett, Secretary and CIO, Delaware Department of 
  Technology and Information, prepared statement.................   174
Questions and responses for the Record from:
    Mr. Foresman.................................................   181
    Mr. Schaeffer................................................   197
    Mr. Evans....................................................   200
    Mr. Rhodes...................................................   209
    Mr. Bienfait.................................................   213
    Mr. Aisenberg................................................   223
    Mr. Brondell.................................................   226

 
    CYBER SECURITY: RECOVERY AND RECONSTITUTION OF CRITICAL NETWORKS

                              ----------                              


                         FRIDAY, JULY 28, 2006

                                     U.S. Senate,  
 Subcommittee on Federal Financial Management, Government  
                   Information, and International Security,
                            of the Committee on Homeland Security  
                                          and Governmental Affairs,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 9:35 a.m., in 
room 342, Dirksen Senate Office Building, Hon. Tom Coburn, 
Chairman of the Subcommittee, presiding.
    Present: Senator Coburn.

              OPENING STATEMENT OF CHAIRMAN COBURN

    Chairman Coburn. The Subcommittee on Federal Financial 
Management, Government Information, and International Security 
will come to order.
    Today's hearing is titled ``Cyber Security: Recovery and 
Reconstitution of Critical Networks.'' This is the second 
hearing in a series we will be conducting on cyber security. It 
is actually the third. We have had a high-level secured 
briefing and hearing on this, as well. On July 19, 2005, this 
Subcommittee held a hearing on the importance of cyber security 
to our Nation's critical infrastructures. The hearing 
highlighted the importance of forging a public-private, and I 
will emphasize private, partnership to protect critical 
infrastructure and focused on challenges facing the Department 
of Homeland Security (DHS) in facilitating and leveraging such 
partnerships.
    Things that we have learned through the September 11 
terrorist attacks and the response to Hurricane Katrina further 
emphasize these challenges. Today, despite spending millions of 
dollars over the past year, DHS continues to struggle with how 
to effectively form and maintain effective public-private 
partnerships in support of cyber security, including how to 
protect Internet infrastructure and how to recover it in the 
case of a major disruption. The public-private partnership 
necessary to accomplish DHS's goals in securing computer 
networks continues to remain a public-private divide.
    I am grieved to note that our Nation's security from a 
cyber-based attack has not improved since we were here last 
year. The objective of today's hearing is to highlight 
immediate steps that DHS and the private sector can take to 
formalize a partnership and to ensure effective response and 
recovery to major cyber network disruptions.
    Our economy and national security are reliant on the 
Nation's information and communications infrastructure, 
including the Internet. The Internet connects millions of 
information technology systems and networks together, which, in 
sum, provide e-commerce to the country and critical services 
allowing the government to function. On July 19, 2005, we 
learned that these computer networks can also control physical 
infrastructure, such as electrical transformers, chemical 
systems, and pipelines.
    DHS recently released its National Infrastructure 
Protection Plan (NIPP), 3 years after its due date. This plan 
highlights the importance of cyber security and the Internet to 
critical infrastructure, stating that the U.S. economy and 
national security are highly dependent upon the global cyber 
infrastructure. But according to today's GAO report, DHS fails 
to adequately plan for recovery of key Internet functions. 
Moreover, the Department has not adequately prepared to 
effectively coordinate public-private plans for reconstitution 
from a cyber Internet disruption.
    The success of the protection efforts in the NIPP hinges on 
information sharing between the Federal Government and the 
private sector. However, a number of barriers exist to 
information sharing. Recent incidents at the Department of 
Veterans Affairs, Department of State, and a national 
laboratory indicate that the government has trouble protecting 
sensitive information. The government also does not have a good 
record of sharing sensitive intelligence-derived threat data 
with the private sector.
    GAO identified numerous challenges to development of a plan 
and is here today to present the recommendations to strengthen 
the Department's abilities. Government agencies and private 
companies, including telecommunications companies, cable 
companies, peering organizations, and major data carriers, need 
clarity on what is expected of them in a crisis. Overlapping 
and unclear roles and responsibilities lead to frustration and 
confusion, and will hamper recovery efforts in a crisis, which 
will be deeply injurious to our Nation.
    The overarching concern for the Committee is whether the 
Department of Homeland Security knows what functions of 
government need to be protected, how those functions interact 
with State and local governments, and what is DHS's role and 
responsibility in working with the private sector during a 
cyber or telecommunication-based incidence of national 
significance.
    The recently released DHS plan requires the use of a risk 
assessment method that has been criticized as not focusing on 
what really needs to be protected in the information technology 
and telecommunication sectors, and focusing heavily on physical 
assets. The risk assessment methodology should be reevaluated, 
as it could lead to significant wasteful spending.
    While this sector has physical assets to protect, 
government needs to understand that this sector is about 
protecting critical functionality, not assets. The private 
sector and government must work together to ensure the Nation's 
critical infrastructure can function in the reliable and stable 
fashion that the American public expects.
    Therefore, private industry must devise plans in 
coordination with the government to ensure critical functions 
do not fail or can be recovered quickly when faced with an 
incident of national significance. The National Communications 
System has worked under this concept for years.
    Both government and private industry admit there are 
vulnerabilities in the networks that can and have been 
exploited or damaged by accident or natural causes. A perfect 
system cannot be built. We realize that. The difficult part of 
any organization, especially government, is how does it 
respond, recover, and reconstitute after an incident.
    The Homeland Security Act of 2002 and Presidential 
Directives lay out a clear mandate on cyber security at the 
Department of Homeland Security. They require DHS to assess our 
vulnerability to a cyber attack, develop a plan to fix it, and 
implement that plan using measurable goals and milestones. In 
order to implement the plan, the Department has the admittedly 
difficult task of engaging and securing action from diverse 
players, which include State and local governments, other 
Federal agencies, and especially and most importantly, key 
industry actors.
    The nature of terrorists is to attack private citizens, as 
we recently saw in the horrific railway attacks in India. There 
can be no excuse for not effectively engaging the private 
sector, even though it is hard. We ask no less of our food 
safety, airline safety, and pharmaceutical industries. The 
issue is lack of leadership and lack of courage.
    Nobody wants to micromanage the private sector or DHS. 
However, America does expect the Department of Homeland 
Security and the private sector to take every reasonable 
measure to protect us from terrorism. I am not convinced that 
threshold has been met.
    If America is to be safe from the damage of a cyber attack, 
we will need a plan, a budget tied to that plan, and 
Congressional commitment to the implementation of the plan. One 
year ago, the Department announced the creation of the position 
of Assistant Secretary for Cyber and Telecommunications 
Security to elevate the importance of cyber critical 
infrastructure protection. Today, this position remains vacant. 
This vacant post was designed by the Department to lead the 
Nation in buttressing our critical information technology and 
telecommunications systems against threats. The Department, 
working in conjunction with the private sector, needs to find 
that person and set that person to the task of reforming the 
plan and then implementing it. A leader can and will be found, 
and I am encouraging DHS to exhaust every effort to fill this 
position, ensure the proper authorities are in place to 
succeed, and ensure that this person receives adequate support 
from the top leadership at DHS to fulfill the mission.
    To that end, I look forward to hearing from our witnesses, 
NSA, DHS, OMB, GAO, AT&T, VeriSign, and Internet Security 
Systems, as well as the Business Roundtable. I welcome each of 
you.
    The Department of Homeland Security's testimony came in 
late last night. It is unavailable to me, the Chairman of this 
Subcommittee. It will not be accepted as part of it and it is a 
message to anybody else that wants to play games with the 
Subcommittee. You are going to send us the information that you 
want to testify about on a timely basis so we can do our job. 
And this is an example of exactly what is happening at DHS on 
cyber security. You can't meet the goals. You can't meet the 
expectations. This Subcommittee hearing was noticed June 12--
6\1/2\ weeks ago, and for the testimony to come in last night 
is unacceptable and it will not be accepted.
    Let me welcome our guests. First is the Hon. George 
Foresman. He was first confirmed by the U.S. Senate on December 
18, 2005. He is responsible for synchronizing national 
preparedness efforts under the direction of Homeland Security 
Secretary Michael Chertoff and Deputy Secretary Michael 
Jackson. He previously served in the Commonwealth of Virginia 
as Assistant to the Governor for the Commonwealth Preparedness 
and Homeland Security Advisor, a cabinet-level position. In 
this capacity, he was the principal advisor and overall 
coordinator for homeland security and preparedness efforts, as 
well as relations with military commands and installations 
throughout the Commonwealth. He is nationally recognized in the 
fields of emergency preparedness and homeland security.
    Richard Schaeffer is the Information Assurance Director at 
the National Security Agency (NSA). He is responsible for the 
Information Assurance Directorate at that agency. The 
Directorate's mission is to provide products and services 
critical to protecting our Nation's critical information and 
information systems. Moreover, he is responsible for defining 
and implementing the information assurance strategy to protect 
the Department of Defense's global information grid and 
supporting the ongoing military operations against terrorism.
    Next is the Hon. Karen Evans. She is Administrator of E-
Government and Information Technology (IT), Office of 
Management and Budget. She is here as a break from her 
vacation. I want to tell you how much I appreciate you doing 
that. She oversees the implementation of IT throughout the 
Federal Government, including advising the Director on the 
performance of IT investments, overseeing the development of 
enterprise architectures within and across those agencies, 
directing the activities of the Chief Information Officer 
Council, and overseeing the usage of E-Government funds to 
support interagency partnerships and innovation. She also has 
responsibilities in the areas of capital planning and 
investment control, information security, privacy, 
accessibility of IT for persons with disabilities, and access 
to, dissemination of, and preservation of government 
information.
    Next is Keith Rhodes, Chief Technologist, Government 
Accountability Office (GAO). Mr. Rhodes is currently the Chief 
Technologist at GAO and Director of the Center for Technology 
and Engineering. He has been the senior advisor on a range of 
assignments covering continuity of government and operations, 
export control, computer security, privacy, e-commerce, E-
Government, voting systems, and various unconventional weapons 
systems. Before joining GAO, he was supervisory scientist 
leading weapons and intelligence programs at the Lawrence 
Livermore National Laboratory.
    I would like to recognize each of you. Thank you for taking 
the time to be here. Mr. Foresman, you are recognized for 5 
minutes.

     TESTIMONY OF GEORGE FORESMAN,\1\ UNDER SECRETARY FOR 
       PREPAREDNESS, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Foresman. Mr. Chairman, thank you, and thank you for 
the opportunity to appear today to discuss the recovery and the 
reconstitution of critical cyber networks. Congressional 
discussion on this particular topic is absolutely essential and 
it is critical to the success that we need to achieve as a 
Nation toward strengthening our levels of preparedness.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Foresman appears in the Appendix 
on page 33.
---------------------------------------------------------------------------
    Mr. Chairman, I would like to highlight several key issues 
today and outline the Department's roadmap for success in 
advance of a very important discussion on the security and the 
protection of our cyber communications networks.
    The findings of the GAO report on the development of a 
joint public-private plan for recovering critical cyber 
infrastructure and the recent Business Roundtable's 
recommendations for strengthening cyber preparedness both echo 
the overall resounding themes that the Department of Homeland 
Security is pursuing in its work to lead a national effort to 
protect America's cyber assets. While these reports offer 
somewhat differing recommendations on the exact steps that we 
need to take, the shared national vision further reflects two 
very important and sometimes overlooked issues.
    First, the risk posed to the critical cyber infrastructure 
is becoming both better and more widely understood, both in the 
public sector and in the private sector. Second, the importance 
of mitigating these risks, whether on the individual, 
corporate, or government level, is also better understood. We 
know we must be ready for the cyber version of Hurricane 
Katrina or the September 11 attacks.
    Mr. Chairman, let me outline for you the Department's three 
strategic priorities on the cyber preparedness front. They 
include, one, preparing for a large-scale cyber disaster; two, 
working to forge more effective partnerships, as you noted in 
your opening statement; and three, fostering a culture of 
preparedness to prevent cyber incidents and mitigate damage 
when disruptions do, in fact, occur.
    Our primary strategic goal as part of our overall risk 
management approach is to prepare for high-consequence 
incidents. These would include, for example, a widespread 
disruption involving the Internet or critical communications 
infrastructure, whether it originates from an attack or from a 
natural disaster. The Department has established the Internet 
Disruption Working Group, the IDWG, to address the resiliency 
and recovery of Internet functions in the event of a major 
cyber incident. The IDWG is not examining all individual risks, 
but rather focusing on nationally significant Internet 
disruptions in a prioritized fashion. The IDWG is developing 
not only policy recommendations for cyber response, but also 
operational proposals and protocols to improve the deployment 
of Federal resources in the event of such an event and how to 
ensure coordination with local, State, and private sector 
partners of these assets.
    I am also pleased to share with you that the Department 
conducted its first national cyber security exercise, Cyber 
Storm, this past February, and this was the largest 
multinational cross-sector cyber exercise to date and assessed 
the policies and procedures associated with a cyber-related 
incident of national significance. The Department will soon be 
releasing a public exercise report on this effort that will 
outline findings to help bolster protective measures for 
potential cyber attacks. I will also note that these lessons, 
like those of Hurricane Katrina and other incidents, will not 
sit idle. They will be incorporated into our operations 
processes under the National Response Plan and these will be 
retested during Cyber Storm II in 2008, if not before.
    Cyber Storm demonstrated the close cooperation and 
information sharing needs across Federal agencies, across 
international boundaries, and most importantly, between the 
public and the private sectors. The exercise tested for the 
first time the full range of cyber-related response policy, 
procedures, and communications methods required in a real-world 
crisis. We know that there were successes. We also know that 
there is room for improvement.
    Another significant accomplishment in preparing for a 
nationally significant cyber disruption is last month's 
completion, as you noted, of the National Infrastructure 
Protection Plan. The NIPP sets forth a comprehensive risk 
management framework and clearly defines critical 
infrastructure protection roles and responsibilities for DHS, 
Federal sector-specific agencies, other Federal, State, local, 
tribal, and territorial agencies, as well as our private sector 
security partners. The plan addresses the physical, human, and 
cyber elements of the critical infrastructure issues which 
cross all sectors. This release of the NIPP is an important 
milestone, as it accompanies 17 sector-specific plans that will 
help build a safer and more secure and more resilient America 
by enhancing protection of the Nation's critical infrastructure 
and key resources to include the cyber community.
    Our second strategic goal is to improve the Department's 
partnership programs and practices. Homeland Security 
Presidential Directive 7, the Administration's policy on 
critical infrastructure protection, explicitly recognizes the 
importance of partnerships, which are essential for many sound 
reasons. In the cyber security arena, the Department is working 
to nurture existing partnerships and establish new 
relationships with three key stakeholder communities, the 
private sector, Federal departments and agencies, and the 
State, local, and tribal governments, as well as academia.
    Third, we must create a culture of preparedness, both to 
prevent a cyber disaster and to mitigate damages if a 
widespread disruption occurs. We are working every day to 
influence how individual citizens, government, and the private 
sector prepare for the security challenges of the coming 
decade. As with our other strategic priorities, this goal 
demands a focused and disciplined approach. We need 
interconnected strategies and processes, not individual 
actions. Just as our cyber systems are interconnected, so must 
be our approach to dealing with disruptions.
    Our national cyber security efforts are rapidly maturing 
and we have clear legislative and presidential direction and 
private sector interest. There is no magic wand that will allow 
us to do this overnight. There is, however, a growing 
coalescing of effort between government and the private sector 
as just two of the key entities.
    Chairman Coburn. I need for you to summarize, if you will.
    Mr. Foresman. Yes, sir, and I am finishing up. To create a 
long-term culture of preparedness, we are developing clear 
organizational doctrine which memorializes strategic policies, 
clarifies roles and responsibilities, and defines measures of 
accountability. The road ahead is critical and we are committed 
to ensuring success. Thank you.
    Chairman Coburn. Thank you. Mr. Schaeffer.

    TESTIMONY OF RICHARD C. SCHAEFFER, JR.,\1\ DIRECTOR OF 
        INFORMATION ASSURANCE, NATIONAL SECURITY AGENCY

    Mr. Schaeffer. Good morning, Mr. Chairman.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Schaeffer appears in the Appendix 
on page 50.
---------------------------------------------------------------------------
    Chairman Coburn. Good morning.
    Mr. Schaeffer. I appreciate the opportunity to be here 
today to talk briefly about the NSA's information assurance 
mission and its relationship to the work of the Department of 
Homeland Security and others concerned with helping operators 
of crucial information systems prepare for and recover from 
hostile acts or other disruptive events.
    The NSA's information assurance mission focuses on 
protecting what National Security Directive 42 defines as 
national security information systems, systems that handle 
classified information or are otherwise critical to military or 
intelligence activities.
    Historically, most of our work has been sponsored by and 
tailored for the Department of Defense. Today, national 
security systems very often rely on commercial products or 
infrastructure or interconnect with systems that do. This 
creates significant common ground between defense and broader 
U.S. Government and homeland security needs. More and more, we 
find that protecting national security systems demands teaming 
with public and private institutions to raise the information 
assurance level of products and services more broadly. If done 
correctly, this is a win-win situation that benefits the whole 
spectrum of information technology users, from warfighters and 
policy makers to Federal, State, local governments and 
operators of critical infrastructure and major arteries of 
commerce.
    This convergence of interests has been underway for some 
time and we can already point to several examples of the kind 
of fruitful collaboration it inspires. For instance, the NSA 
and the National Institute of Standards and Technology have 
been working together for several years to characterize cyber 
vulnerabilities, threats and countermeasures to provide 
practical cryptographic and cyber security guidance to both IT 
suppliers and consumers.
    Among other things, we have compiled and published security 
checklists that harden computers against a variety of threats. 
We have shaped and promoted standards that enable information 
about computer vulnerabilities to be more easily cataloged and 
exchanged, and ultimately, the vulnerabilities themselves to be 
automatically patched. And we have begun studying how to extend 
our joint vulnerability management effort to directly support 
compliance programs, such as those associated with the Federal 
Information Security Management Act. All of this is 
unclassified and advances of cyber security in general, from 
national security and other government networks to critical 
infrastructure and other commercial and private systems.
    The NSA partners similarly with the Department of Homeland 
Security. In 2004, DHS joined the NSA in sponsoring the 
National Centers of Academic Excellence Program to foster 
training and education programs to support the Nation's cyber 
security needs and increase the efficiency of other Federal 
cyber security programs. The NSA has supplied trained personnel 
and other technical support to the U.S. Computer Emergency 
Readiness Team, and we routinely alert one another to possible 
or emerging hostile cyber threats. In fact, DHS has just named 
an integree to work in the NSA-Central Security Service Threat 
Operations Center, which has as one of its missions to monitor 
the operations of the global network in real time to identify 
network-based threats to DOD and intelligence community 
networks.
    NSA and DHS cooperate on investigations and forensic 
analysis of cyber events and malicious software, and together, 
we look for and mitigate the vulnerabilities in various 
technologies that would render them susceptible to similar 
attacks. We each bring to these efforts complementary 
experience, insight, and expertise based on the different 
problem sets and user communities on which we concentrate, and 
we each then carry back to those communities the dividends of 
our combined wisdom and resources.
    With regard to post-incident response, the NSA supplies 
technical personnel, advice, and equipment to support an 
efficient response and recovery to disasters. The NSA has 
worked with the DHS Infrastructure Protection Division to plan 
for interoperable communications systems needed to support 
response and recovery. We did this for Hurricane Katrina and do 
it for other disasters, as well.
    When it comes to reconstructing networks, however, beyond 
just communications systems, bringing in replacement technology 
may be the easy part. The real challenge is knowing what to 
reconstruct. That means maintaining an up-to-date understanding 
of what set of data, functions, and connections available to 
what set of users qualify as critical.
    Looking forward, NSA and DHS interests will continue to 
merge and the opportunities needed for shared network and 
mutual support will continue to grow.
    Finally, beyond technical convergence, in the post-
September 11 world, the NSA and DHS are bound together by the 
need to provide for communications across once unbridgeable 
chasms of classification and practice, from the President all 
the way to first responders and the owners and operators of 
critical infrastructure. As a starting point, the NSA and NIST 
have established a suite of unclassified algorithms that can be 
implemented in commercial off-the-shelf offerings as well as 
specialized high-end government equipment. This sets the stage 
for interoperable encryption and message authentication and is 
an important step, although just one step in the broader effort 
to ensure that the Nation can recognize and respond to 
impending emergencies or their aftermath.
    Once again, thank you, Mr. Chairman, for giving me the 
opportunity to appear before you today and for your leadership 
in this area.
    Chairman Coburn. Thank you, Mr. Schaeffer.
    Next, Ms. Evans, just a side note. Thanks for all your help 
on our Government Accountability and Transparency Act. It 
passed the Committee unanimously yesterday.

   TESTIMONY OF KAREN EVANS,\1\ ADMINISTRATOR FOR ELECTRONIC 
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND 
                             BUDGET

    Ms. Evans. Congratulations. Good morning, Mr. Chairman, and 
thank you for inviting me to speak about ``Cyber Security: 
Recovery and Reconstitution of Critical Networks.'' My 
testimony today will focus on OMB's activities to improve 
security and resilience of the Federal Government's cyber 
critical assets.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Evans with an attachment appears 
in the Appendix on page 53.
---------------------------------------------------------------------------
    Last year, the Director of OMB issued a regulation on 
maintaining telecommunication services during a crisis or an 
emergency. The regulation required each agency to review its 
telecommunications capability in the context of planning for 
contingencies and continuity of operation situations. OMB also 
asked each agency to confirm that they were complying with 
directives issued by the National Communications System (NCS), 
and guidance issued by the Federal Emergency Management Agency 
(FEMA).
    In August 2005, all large agencies submitted reports on the 
status of their telecommunications services. OMB and the NCS 
analysis revealed the need for additional guidance to the 
agencies regarding the use of redundant and physically separate 
telecommunications service entry points into buildings and the 
use of physically diverse local network facilities.
    In October 2005, the NCS hosted a Route Diversity Forum for 
representatives from over 70 Federal agencies. In addition, the 
NCS developed a Route Diversity Methodology, enabling agencies 
to self-assess their own facilities.
    When an agency initiates new telecommunications 
procurements, the agency must determine the appropriate level 
of availability, performance, and restoration that is required. 
The General Service Administration's upcoming Networx 
procurement will specify telecommunications infrastructure 
security requirements to protect contract network services, 
infrastructures, and information processing resources against 
cyber and physical threats, attacks, or system failures. The 
Networx program will ensure that telecommunications 
capabilities are continuously ready to meet the needs of the 
Federal agencies during national emergencies.
    On December 17, 2003, the President signed Homeland 
Security Presidential Directive 7, ``Critical Infrastructure 
Identification, Prioritization, and Protection.'' This 
directive established the national policy for Federal 
departments and agencies to identify and prioritize U.S. 
critical infrastructure and to protect it from terrorist 
attacks. OMB worked with the Department of Homeland Security to 
evaluate the protection plans. We have provided each agency 
with a written response explaining our approval, our 
disapproval of the agency's cyber security plan, and 
highlighting areas where improvements were needed.
    Additionally, each year, agency CIOs, chief information 
officers, and program officials conduct IT security reviews for 
systems that support their programs. As part of their 
evaluations, agencies are asked to categorize their information 
systems into high, moderate, and low impact and document the 
security controls implemented for each.
    Last, the National Cyber Response Coordination Group is the 
principal Federal interagency mechanism to coordinate the 
preparation for and response to cyber incidences of national 
significance. OMB is a member of the group, along with other 
agencies having a statutory role in cyber security, cyber 
crime, or protection of critical infrastructure. During a cyber 
incident, the member agencies would integrate their 
capabilities in order to assess the scope and severity of the 
incident, govern response and remediation efforts, and advise 
senior policy makers. The group would also use their 
established relationships with the private sector and State and 
local governments to help manage the cyber crisis and develop 
recovery strategies.
    In conclusion, each agency is responsible for ensuring the 
continued availability of its mission-essential services. 
Strategic improvements in security and continuity of operations 
planning can make it more difficult for attacks to succeed and 
can lessen the impact of attacks when they occur. The 
Administration will continue to work with the agencies, 
Congress, and GAO to ensure appropriate risk-based and cost-
effective IT security programs, policies, procedures are put in 
place to protect the Federal Government's critical cyber 
infrastructure.
    I would be happy to take any questions, sir, that you may 
have.
    Chairman Coburn. Thank you, Ms. Evans. Mr. Rhodes.

TESTIMONY OF KEITH RHODES,\1\ CHIEF TECHNOLOGIST AND DIRECTOR, 
    CENTER FOR TECHNOLOGY AND ENGINEERING, U.S. GOVERNMENT 
                     ACCOUNTABILITY OFFICE

    Mr. Rhodes. Thank you, Mr. Chairman. We appreciate the 
opportunity to testify on our Internet reconstitution report 
being released today that we completed at your request.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Rhodes appears in the Appendix on 
page 111.
---------------------------------------------------------------------------
    Last summer when GAO testified before your Subcommittee, we 
discussed the work that remained for DHS to fulfil its cyber 
security responsibilities in 13 key areas, including developing 
a plan for recovering the Internet when it is disrupted. 
Despite Federal policy requiring DHS to develop this integrated 
public-private plan, to date, no such plan exists.
    Today, at your request, we will briefly discuss the growing 
threats to the Internet, where our Nation is in its efforts to 
develop this plan, and recommendations to both DHS and the 
Congress to facilitate public and private efforts to recover 
the Internet when major disruptions occur.
    First, threats. Criminal groups, foreign intelligence 
services, hackers, and terrorists are all threats to our 
Nation's computers and networks. A recent intelligence report 
on global trends forecasts that terrorists may develop 
capabilities to conduct both cyber and physical attacks against 
infrastructure nodes, including the Internet. In fact, the 
Internet itself has been targeted and attacked and private 
companies who own the majority of the Internet infrastructure 
deal with cyber and physical disruptions on a regular basis.
    For example, viruses and worms are often used to launch 
``denial of service'' attacks that result in traffic being 
slowed or stopped. Several recent cyber attacks highlight the 
importance of having robust Internet recovery plans, including 
a 2002 coordinated denial of service attack that targeted all 
13 Internet route servers.
    For most of these attacks, the government did not have a 
role in recovering the Internet, but recent physical attacks 
like the terrorist attacks of September 11, 2001, and Hurricane 
Katrina, highlight the need for public-private coordination 
associated with Internet recovery. DHS has begun a variety of 
initiatives to fulfill its responsibility for developing an 
integrated public-private plan, but these efforts are not yet 
complete nor are they comprehensive.
    Specifically, DHS has developed high-level plans for 
infrastructure protection and national disaster response, but 
components of these plans that are to address Internet recovery 
are incomplete and inadequate. For example, the National 
Response Plan Cyber Annex does not reflect the National Cyber 
Response Coordination Group's current operating procedures. DHS 
has started a variety of initiatives to tackle this problem, 
including working groups to facilitate response and exercises 
to practice recovery efforts. However, these efforts are 
immature and the relationships among groups like the Internet 
Disruption Working Group and others are not evident.
    Regarding challenges that have impeded progress, first, it 
is unclear what government entity is in charge, what the 
government's role should be, and when it should get involved. 
Expanding on each of these, DHS National Cyber Security 
Division and the National Communications System have 
overlapping responsibilities. In addition, there is a lack of 
consensus about the role DHS should play. The government is 
pursuing the grandiose plan approach with the NIPP and the 
National Response Plan, while the private sector wants more of 
an assist or tactical role from the government that our report 
lays out in detail. And triggers that clarify when the Federal 
Government should be involved are unclear.
    Second, our Nation is working in a legal framework that 
doesn't specifically address the government's roles and 
responsibilities in the event of an Internet disruption. In 
addition, the Hurricane Katrina recovery effort showed that the 
Stafford Act can create a roadblock when for-profit companies 
that own and operate critical infrastructures need Federal 
assistance during national emergencies.
    Third, the private sector is reluctant to share information 
with DHS because it does not always see value in sharing, does 
not necessarily trust the government, and views DHS as an 
organization lacking effective leadership.
    To address these inadequacies, our statement includes nine 
specific recommendations for DHS, including determining who 
should be in charge given the convergence of voice and data 
communications, developing a plan that is consistent with what 
the private sector infrastructure owners need during a time of 
crisis, and incorporating lessons learned from incidences and 
exercises.
    In addition, the Congress should consider clarifying the 
legal framework that guides roles and responsibilities for 
Internet recovery.
    In summary, Dr. Coburn, exercises to date and a recently 
issued report by the Business Roundtable found that both the 
government and private sector are poorly prepared to 
effectively respond to cyber events. Although DHS has various 
initiatives underway, these need to be better coordinated and 
driven to closure. Until that happens, the credibility of the 
Department will not be where it needs to be to build effective 
public-private relationships needed to effectively respond to 
major Internet disruptions.
    This concludes our statement. Thank you, Mr. Chairman, and 
we are prepared to answer any questions the Subcommittee may 
have.
    Chairman Coburn. Thank you very much.
    Mr. Foresman, your response to Mr. Rhodes' report?
    Mr. Foresman. Mr. Chairman, let me offer two responses. 
One, as we have gone through that report, we clearly agree that 
the road ahead, whether we are talking about GAO or the private 
sector, we agree on the road ahead.
    I would, however, not agree with him in terms of the 
perception that he might leave in the relationship with the 
private sector. My fourth day on the job back in January, one 
of the first groups I met with in this particular case was the 
Business Roundtable and one of the key issues we talked about 
were cyber security, the concern about reconstitution and 
recovery of the Internet, and I think that as you said in your 
statement, Mr. Chairman, this is not easy and there are a lot 
of folks who have said, well, it is not where it should be, and 
I would agree. But we need to have definitive milestones. We 
need to have definitive deliverables.
    But I will tell you, sir, just as your comment to us that 
we need to work closely with the private sector, getting 
agreement across the various elements in the private sector, 
whether it is the information technology sector or the 
telecommunications sector, this is not easy. We are not in a 
position to force them. We are coalescing the road ahead.
    So I would agree that we share the vision. I think his 
assessment in terms of progress is much bleaker than what is 
the actual progress to date.
    Chairman Coburn. Why would the private sector be reluctant 
to give DHS information on this?
    Mr. Foresman. Mr. Chairman, I think there are three things. 
There are those elements of the private sector that are 
reluctant to give us information and there are those elements 
of the private sector that are not reluctant to give us 
information. A conversation with a handful of people does not, 
I think, effectively reflect the private sector as a whole 
because the private sector is rapidly big.
    But as you know, there are a couple of issues here. One, 
there is the concern of our private sector partners out there, 
the proprietary nature of the information that they have in a 
business competitive environment. They want further and 
stronger assurances that proprietary information is not going 
to be shared with competitors.
    The second issue, and frankly is a legitimate issue, is 
government and the private sector have typically operated in a 
regulator-regulatee relationship over the past 20 or 25 years. 
When we talk about the IT community, it is not, if you will, 
regulated by government, and clearly there are the 
institutional----
    Chairman Coburn. Thank goodness.
    Mr. Foresman. Yes, sir, and clearly, the institutional 
barriers to getting beyond a 25- or a 50-year culture to get 
into a collaborative partnership is not a culture that you 
change overnight. And so I think it is part policy, it is part 
culture, but we are seeing more and more every day as we 
collaborate with the private sector. As our US-CERT, for 
instance, gets specific information provided to us through a 
variety of sources, such as the NSA, we rapidly get that 
information out to the private sector and they rapidly come 
back to us with information. So it sometimes comes down to who 
did you talk to last and what is it that they said to you?
    Chairman Coburn. Well, the group that I talked to last were 
the ISPs and the telecommunications companies, and I would tell 
you in that meeting, uniformly, there was no trust of DHS with 
any of their proprietary data, and that was in a classified 
briefing I had 3 months ago. How do you establish the 
leadership role and the trust that allows the private sector to 
do what they know how to do that you don't know how to do?
    Mr. Foresman. Well, Mr. Chairman, this comes down to the 
continued interaction. As Ms. Evans identified and as other 
folks have identified, we have got a number of working groups 
where we have got government and the private sector sitting 
side by side, developing sector-specific plans, for instance, 
under the National Infrastructure Protection Plan, and trust is 
not a function of me coming into the room and sitting with our 
private sector partners and saying, trust me. We have to prove 
it.
    This is the benefit of these joint planning activities. As 
much as we would like them to be done in immediacy overnight, 
they are not. But just as it is taking time to develop those 
plans, one of the important byproducts is that we are raising 
trust every day when we put these people in the room together.
    Chairman Coburn. I will be submitting some questions to you 
separate from that. I would hope that we could get a timely 
response.
    Mr. Foresman. Mr. Chairman, I will ensure that you get a 
timely response and I will acknowledge that we were remiss in 
not hitting the deadline on getting our testimony to you. I 
accept full responsibility and I will give you my personal 
assurance that we will correct those issues in the future.
    But I also want to underscore, by no means were we trying 
to not get information to you. This is a critically important 
area. This Subcommittee is one of the few committees across the 
Congress that has shown a continuing interest in this area. It 
is not an easily understood area, and frankly, this level and 
more of this type of dialogue is going to be absolutely 
critical to our success.
    Chairman Coburn. Mr. Schaeffer, at NSA, tell me about your 
relationship with the private sector and trust and relationship 
and information sharing and how have you developed that and how 
do you utilize that. Have you emphasized recovery more than 
physical asset protection?
    Mr. Schaeffer. Well, sir, I think our relationship with 
industry or the private sector is on a number of levels. 
Clearly, there are, as I mentioned in my testimony and others 
did, as well, the dependence upon the private sector to deliver 
the technology, the capabilities that we need within the 
national security community, and quite frankly, across the 
entire Nation, is dependent upon the reliability, the security 
of that technology. So we have a very deep relationship with 
the private sector in establishing on a one-on-one basis the 
availability of vulnerability information of the products that 
they provide, assisting them in increasing the overall security 
or assurance of those products, and then we also work with the 
infrastructure providers themselves to understand the 
vulnerabilities within those environments and help them address 
the situation, the improvements that can be made in that 
environment.
    Most of our relationships that are strong come from a one-
on-one basis with the agency. We participate. We collaborate 
with industry associations and do that in a very open and, I 
think, positive way. But I think as Mr. Foresman outlined, it 
is a situation that takes a tremendous amount of work with 
individual companies, then with industry or association groups, 
and then in larger forums to build the trust and confidence 
that information that is exchanged with the government, and in 
this case NSA, receives the appropriate level of protection. It 
is something that we work on every day. It takes that sort of 
attention and commitment.
    And we have seen actually tremendous progress over the last 
several years as the community at large, the public-private 
community, has come to better understand the risks associated 
with operating in this highly networked environment and the 
need for close collaboration amongst public-private enterprises 
to better understand the vulnerabilities and ways of mitigating 
them.
    I think we are an example of where it has worked because we 
have developed the trust and confidence over a long period of 
time with companies, trade groups, industry associations, and 
so forth, and I see promise in what DHS is leading, in what DHS 
is participating in, and quite frankly, what I see the entire 
IT industry participating in. We are just at the bottom of a 
very steep hill.
    Chairman Coburn. Has NSA's main focus been on 
functionality?
    Mr. Schaeffer. No, sir. NSA's main focus has been on the 
assurance of the functionality that is provided in the devices, 
so----
    Chairman Coburn. That is what I mean. But the goal is 
function. The ultimate goal for security is to maintain 
function, or to recover function.
    Mr. Schaeffer. Yes, sir. That is correct.
    Chairman Coburn. All right. Mr. Rhodes, you mentioned the 
working groups aren't communicating. We don't have cross-
reference. You also mentioned a role that is more grandiose 
rather than recovery. Talk for a minute, if you would, about 
the working groups that have been established and what you see 
that needs to be changed there so that we accomplish this goal 
of protecting and recovering functionality.
    Mr. Rhodes. The big struggle with the working groups seems 
to be that there are a lack of roles and responsibilities and 
clear lines of authority. There seems to be a not clear 
definition of how the working groups relate to one another----
    Chairman Coburn. In other words, they could come up with a 
really appropriate plan, but have no authority to get that plan 
implemented?
    Mr. Rhodes. And no milestones. Your original point about 
budget against effect, a recommendation with money, a 
recommendation with schedule, not just--they can come up with 
that, but then what is their schedule? What is their time line? 
What is their relationship? That is the main struggle we see.
    Also, working groups without authority. What purpose do 
they serve? If they don't--if no one has the hammer, if no one 
has the authority to get anyone to do anything, then it is just 
another group that meets to meet instead of meeting to get 
something done. As you say, they could have very fine 
recommendations, but where do they go from there?
    Chairman Coburn. OK. One last question for you, the comment 
on the Stafford Act. I don't believe we have gotten anything, 
and I may be wrong, from the Administration on modifying the 
Stafford Act so that we can help the telecommunications 
industry and the Internet industry to recover by assisting them 
with either protection or transportation or security as they 
bring these systems back up. Would you agree that is something 
that we ought to hear from the Administration? And we may have, 
I am just not aware of it.
    Mr. Rhodes. We haven't seen anything, either, but when you 
look at the tactical needs, the tactical view that private 
industry takes, they are talking about just those things--fuel, 
access, transportation. They are not talking about, tell me how 
to bring the Internet back up. They are saying, let me get into 
the disaster area with my business credential or some emergency 
credential issued by the U.S. Government so I can go to the 
location to do the job that the government can't.
    Chairman Coburn. And modify the law so that the government 
assets----
    Mr. Rhodes. And modify the law----
    Chairman Coburn [continuing]. And assist that effort.
    Mr. Rhodes. Absolutely. I mean, what we hear from private--
and it is not just relative to the Internet, it is whether we 
are talking to the chemical industry or we are talking to gas 
and oil or we are talking about the power grid or folks like 
that, they are all saying, let me do my job. I am not the enemy 
because I am for profit.
    Chairman Coburn. Yes.
    Mr. Rhodes. I am the infrastructure. Let me go into the 
area I am supposed to in order to fix it.
    Chairman Coburn. Right. Which we saw lots of problems with 
during Hurricane Katrina.
    Mr. Rhodes. Absolutely, and saw it during September 11, 
2001, also.
    Chairman Coburn. All right. Ms. Evans, not long ago, the 
Federal Government's critical infrastructure protection 
coordination efforts were run out of the White House and some 
in private sector viewed this, and I think probably still do, 
as a higher Administration priority than it is now. Should 
these initiatives remain within DHS or should we consider the 
prior model?
    Ms. Evans. The model that we have right now is in place as 
a follow-on from the Homeland Security Act as well as the 
President's HSPD-7, which clearly outlines that the Secretary 
of Homeland Security has the responsibilities for these 
activities. This does not mean that the Administration does not 
view this as a priority, because oversight activities still 
occur out of the White House and the Executive Office of the 
President, with the Office of Management and Budget, myself, as 
well as the Homeland Security Council. So the Administration is 
very much committed to this and continues to have cyber 
security reconstitution, continuity of operations, as a 
priority.
    I do think that the model that we have in place right now 
is an effective model and can work, because the actual work and 
execution happens in the agencies. The President holds the 
Secretary accountable for these actions. The President holds 
him accountable for getting these plans in place with clear 
milestones. This clearly has been talked about, and to achieve 
the results.
    We, in the White House, do not do the actual execution. The 
work is done out in the agencies. And so it doesn't diminish 
that the Administration doesn't view this as a priority by 
having a person clearly responsible for the execution of these 
activities at a department level.
    Chairman Coburn. Any of you can respond to this if you 
want. It just seems to me that 75 percent of this is private 
sector. Why wouldn't the Administration's view say, OK, you are 
the guys that know all this. You are the guys who are 
responsible for it. Your bottom line depends on it staying up 
and working. Why don't you go tell us what you think we ought 
to do rather than us tell you what we think you ought to do? 
Why shouldn't the debate be, private industry, come tell us 
what to do. Why shouldn't the organizational framework be, let 
us listen to them and then let us create the framework based on 
what they suggest we ought to do rather than top-down? Why not 
private industry up?
    Mr. Foresman. Mr. Chairman, if I might, that is exactly 
what we are doing, and that is why we have the National 
Infrastructure Protection Plan. That is why we have the 
development through the sector coordinating councils. The role 
of the Federal Government is not to tell the private sector 
what to do. It is to create the environment to provide for a 
national approach, and what I mean by that is the Federal 
Government is uniquely positioned to bring together the 
elements of local government, State government, tribal and 
territorial, the private sector partners, because this is a 
homeland security issue. It is a national security issue.
    So our job is to get all of the players around the table 
and to go through and get the best and the brightest in the 
room to say, what is it that we, as a Nation, need to be doing, 
because this is not a Federal issue. It is clearly a national 
issue.
    Chairman Coburn. Do you think that is happening right now?
    Mr. Foresman. Senator, I don't think it is happening to the 
degree that it should, and I think, as all of the folks have 
pointed out, this continues to be a growth effort, a growing 
effort on the part of this Nation in the post-September 11 era. 
When I was vice chairing the Gilmore Commission prior to 
September 11, we raised the whole issue of critical 
infrastructure protection and the fact that a significant 
amount of work needed to be done. I don't think we have reached 
the optimal level of private sector direction and input into 
it, but at the end of the day, I don't think we were going to 
start--we are not going to start at the perfect position. This 
is very much a learning process for everyone, Federal, State, 
local, public sector, and private sector.
    Chairman Coburn. Well, the private sector is being attacked 
all the time now and they are responding, both in terms of 
physical assets and software and encryption and everything 
else. They are doing the things because they are seeing the 
attacks anyway. It just seems to me we have got it backwards. 
We ought to have the private sector come together and say, here 
is how we think you ought to mobilize State and local 
governments. Here is how we think you ought to set up the 
structure to best maintain this. Here is how we think you 
assure protection.
    What would happen to this economy if you had a 4-week 
disruption, interruption of the Internet? We would be on our 
back, and everybody knows that, and yet the urgency to make 
sure that can't happen, or if it did happen to recover quickly, 
I don't see anywhere except in the private sector.
    Mr. Foresman. Mr. Chairman, I would respectfully disagree 
in this context. We are aware of a variety of things we 
obviously cannot get into in an open hearing----
    Chairman Coburn. I understand that.
    Mr. Foresman [continuing]. But we are aware of a 
significant number of things that have occurred in recent time 
that the private sector was not aware of had government not 
made them aware of it. So we are doing our part to give them 
the information. They, in turn, are assessing the situation, 
bringing recommended solution sets back to us, implementing 
solution sets in the broadest of terms, and so our role wasn't 
to go to them and say, here is the problem. Here is what we 
want you to do to fix it. We made them aware of the problem. We 
know that they are the owners and the providers of a lot of the 
critical IT backbone. They assessed it. They took steps. And 
this happens hundreds, if not thousands, of times every month. 
I would very much underscore that US-CERT, as just one example, 
there is daily ongoing dialogue between Federal agencies and 
the private sector, not in the context of here is what you have 
to do, but here is the problem and please come back to us.
    Now, I will tell you that there are going to be times that 
the private sector is going to assess the risk differently than 
we do in government and then they are forced to make a business 
decision about whether they are going to invest the time and 
effort into it to address it. So this is all part of the trust 
process that we can get to an equal common ground.
    Chairman Coburn. Fair enough. One last question for Ms. 
Evans, and I will have questions for each of you. I also would 
like for you to have staff stick around here to hear our other 
panelists because routinely I see Administration witnesses 
leave before those that have a different position and 
constructive criticism can be heard.
    Ms. Evans, do you have enough staff to handle the cyber 
security of critical infrastructure and Federal information 
security management?
    Ms. Evans. My answer would be yes, sir, that I do. We have 
subject matter experts for each of the areas that I am 
responsible for and the way that we manage within OMB is that 
we have portfolios of agencies and we work very closely with 
all parts of OMB so that we are managing the issues across the 
board as they affect each of the agencies. So it isn't just my 
staff, but it is the entire resources that are available within 
OMB because we take a portfolio approach to this.
    There is one thing that I would like to follow up on, Mr. 
Foresman's comment, and this is what the government is doing as 
a whole, at least from a Federal perspective. We do view it as 
we are buying services, because we don't own the 
infrastructure. There are activities that we have done and that 
we are continuing to do. In my written testimony, I have 
included the information security line of business.
    But as you know, we spend $65 billion on information 
technology, so in the course of that spending, we make it very 
clear what the services are that we need, what the risk is 
associated with the services and the information we need to 
protect, and as Mr. Foresman said, then it is up to industry to 
offer us the solutions back, and the way that we structure 
those procurements is not to tell them, we want you to do X, Y, 
and Z, but to really frame, this is the service, this is the 
recovery level, this is the level of risk that we are willing 
to accept. Here is the type of protection that we think we need 
to have. And then we do look to private industry to give us the 
solutions that can best service those needs, because as you 
have said, sir, it is about the functionality and the mission 
critical nature of the services that we provide that we need to 
have that reliability.
    Chairman Coburn. I would like you to repeat that number so 
everybody can hear what you spend annually on IT.
    Ms. Evans. Sixty-five billion dollars.
    Chairman Coburn. This Subcommittee will have a hearing on 
whether or not that is spent properly or not. I can tell you, 
from the Defense Travel System, you certainly haven't spent the 
money properly. So we will be looking at that.
    Ms. Evans. Well, we are looking forward to it, yes, sir. 
[Laughter.]
    Chairman Coburn. Sixty-five billion dollars is a lot of IT.
    Thank you. You will each receive questions. Thank you for 
the report from GAO. I thank each of you for your service to 
our country and I would dismiss this panel and ask our next 
panel to come forward.
    I am going to start introducing our witnesses while they 
are being seated. Thomas Noonan is Chairman, President, and 
Chief Executive Officer for Internet Security Systems (ISS). He 
is responsible for the overall strategic direction, growth, and 
management of the company. Under his leadership, ISS revenues 
soared from start-up in 1994 to nearly $330 million in its 
first decade. The company has grown to more than 1,200 
employees with operations in 26 countries. In 2002, President 
Bush appointed Mr. Noonan to serve on the National 
Infrastructure Advisory Council, a homeland defense initiative 
that protects information systems that are critical to the 
Nation's infrastructure. He currently chairs the NIAC 
Evaluation Enhancement of Information Sharing and Analysis 
Working Group.
    Robin Bienfait, Senior Vice President, Global Network 
Operations, AT&T, welcome. She is the first woman in company 
history to be responsible for AT&T's global network, including 
local, data, and voice network worldwide. I pay them a lot of 
money every month. In addition, she leads teams that manage 
network security and global network disaster recovery. And 
additionally, she previously led AT&T's international and 
domestic core network operations and technical support division 
and has held a variety of other technical and leadership 
positions of increasing responsibility since joining AT&T in 
1985. She is a graduate of the Georgia Institute of Technology 
with a Master's degree in management of technology. She also 
holds a Bachelor's degree in engineering from Central Missouri 
State University and an Associate in Business degree from 
Maryland University, European Division.
    Michael Aisenberg, Director of Government Relations for 
VeriSign, serves as the company's principal liaison with the 
Administration and Federal agencies, including the Departments 
of Homeland Security, Defense, State, and Justice. He manages a 
portfolio of policy issues, including global infrastructure 
security, digital signatures, e-health, intellectual property 
and government procurement on behalf of the world's leading 
Internet trust and identity provider. He is the Vice Chairman 
and Chair-Elect of the Information Technology Sector 
Coordinating Council. In 2004, he was elected Chairman of the 
ITAA's Information Security Committee. He leads VeriSign's 
participation in the President's National Security 
Telecommunications Advisory Committee. He holds a B.A. from the 
University of Pennsylvania, a J.D. from the University of Maine 
Law School. He attended Georgetown University Law Center in 
1975 and 1976, and upon graduation served 5 years as an 
attorney advisory and legislative counsel at the FCC.
    Karl Brondell, Strategic Consultant State Farm Insurance 
Companies, representing the Business Roundtable here today. He 
is a CPCU, a strategic consultant in the Strategic Resources 
Department of State Farm Insurance Company. He is the past 
Chairman of the Board of Directors for the Insurance Placement 
Facilities of Pennsylvania and Delaware. He is a member of the 
national CPCU International Insurance Section Committee and an 
at-large Board of Director for Villanova University's Executive 
MBIA Alumni Association. He received a Bachelor's degree from 
Benedictine College, Acheson, Kansas. I, by the way, have 
visited there. He has a Master's degree from Villanova 
University in Villanova, Pennsylvania. He earned the Charter 
Property and Casualty Underwriter Designation and holds an 
Associate in Claims certificate and a certificate for general 
insurance.
    Welcome to you all. We will start with you, Mr. Noonan.

TESTIMONY OF THOMAS E. NOONAN,\1\ PRESIDENT AND CHIEF EXECUTIVE 
               OFFICER, INTERNET SECURITY SYSTEMS

    Mr. Noonan. Mr. Chairman, thank you for the opportunity to 
appear before you today. My name is Tom Noonan. I am President 
and Chief Executive Officer of Internet Security Systems. We 
are a leading provider of preemptive cyber security 
technologies for large-scale enterprises, and I represent the 
technology industry today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Noonan appears in the Appendix on 
page 132.
---------------------------------------------------------------------------
    We operate five cyber security centers around the world, 
two in the United States, the rest in Asia through Tokyo, 
Australia, Brussels, and a partner operation in Latin America. 
We protect our customers by monitoring the Internet for cyber 
threats 24 hours a day, 365 days a year, providing preemptive 
protection for customers. This is critical preemption before 
reconstitution, obviously. We utilize that security 
intelligence, technology, and expertise to preempt the strikes 
that would cripple critical networks and stay ahead of the 
threats.
    I want to stress three important messages about our 
Nation's security landscape this morning, and this comes from 
my 13 years in this industry as one of the founders of this 
company and a person that has been working to advocate better 
security practices in both the private and public sector.
    First, threats to the critical infrastructure are real, and 
without a doubt, they are growing. The question is not if but 
when. The explosive growth of new Internet technologies, from 
wireless to voice-over Internet telephony, has engendered new 
threats that are far outpacing the security responses of many 
private and governmental users.
    Second, the intelligence protocols and technologies 
necessary to protect against emerging cyber threats are, by and 
large, robust and widely available. In other words, we have the 
tools at our disposal today to safeguard our critical 
infrastructure.
    And finally, despite our knowledge of these threats and our 
overall ability to protect ourselves, we as a Nation are not 
doing nearly enough to preempt the types of attacks that could 
debilitate our critical network infrastructure. Leadership is 
desperately needed at the Federal level, not to replicate 
existing private sector efforts but rather to extend the impact 
of those efforts by encouraging the private sector to 
collectively increase in cooperation with the government.
    This means five things for me this morning. First, 
appointing an Assistant Secretary of Homeland Security for 
Cyber Security and Telecommunications who will help secure the 
Federal Government's own networks as well as those of the 
broader economy.
    Second, clearly delineating and hardening the roles and 
responsibilities of many public-private entities working today 
to secure cyberspace.
    Three, ensuring that the Federal Government makes use of 
existing industry resources to gather and analyze data on cyber 
security threats and methods.
    Four, creating a national plan to restore connectivity on a 
prioritized basis.
    And five, providing sustained Federal funding--that $65 
billion sounds like a lot, but sustained Federal funding and 
active Congressional oversight to ensure that the Department of 
Homeland Security is getting the job done for this country.
    I think we know cyber threats are serious and they are 
growing in sophistication. The rules of criminal hacking today 
are no longer shaped by teenage malfeasants, but by 
confederated crime operations that are driven by the economics 
of opportunity, incentive, and risk, just like traditional 
theft, burglary, and extortion.
    I think it is this professionalization of cyber crime that 
is unsettling for many reasons, not the least of which are 
indications that those who would seek to do harm to our Nation 
have been working to improve their technological abilities. 
Particularly unsettling is not just the threat to privacy 
information, which we read about in the newspaper, or our e-
commerce applications, but more importantly to the very control 
networks of the automated systems that control and regulate our 
Nation's industrial systems, like SCADA. Control systems are 
now Internet-connected and they are susceptible to major 
attacks. Under contract with customers, ISS has conducted real 
world penetration tests with large power plants and others to 
show that they are at risk.
    Put simply, Mr. Chairman, the fact that our Nation's 
critical infrastructure has yet to fall victim to a significant 
and coordinated cyber attack does not mean that it can't 
happen. Emerging technologies coupled with an exponential 
increase in the use of new applications on the Internet have 
opened many new avenues to attack and keeping up with this 
large increase in vulnerabilities is a daunting task. It is 
only complicated by the shrinking window that we are seeing 
between the time a vulnerability is disclosed and the time that 
it is exploited by criminal interests.
    I think there is good news, Mr. Chairman. Our Nation 
already has the technological capabilities to protect the 
critical infrastructure. Private industry is operating 
positively against many of the requirements associated with 
technology, vulnerability, discussion, etc. But what is missing 
is genuine leadership on the part of the Federal Government. 
We, as a Nation, can protect our critical infrastructure, and 
in fact, we already are, but that requires also Federal 
leadership.
    I think your role here boils down to two things. The first 
one is minding the store, and I know that Secretary Chertoff 
and the Department of Homeland Security are working around the 
clock to protect the Nation, but we need to be able to talk to 
the person who is minding the store and that is the Assistant 
Secretary.
    Second, it is difficult for the Federal Government to 
preach strong cyber security practices across our economy when 
the Federal networks themselves are so woefully unprotected. 
While steps have been taken in recent years to improve agency 
security practices through FISMA, most Federal agencies are 
still getting failing marks when it comes to securing their 
networks.
    When it comes to strengthening Federal leadership, I just 
want to reiterate these five points in closing. Appointment of 
the Assistant Secretary for Cyber Security and 
Telecommunications. The job has been open for over a year.
    Two, a clear delineation and hardening of the roles and 
responsibilities of these countless public-private entities.
    Three, ensuring that the Federal Government makes full use 
of existing industry resources. We are absolutely willing and 
able to participate as a private sector.
    Four, we need to develop the national plan to restore 
connectivity on a prioritized basis.
    And five, sustained Federal funding.
    So there is no silver bullet here, Mr. Chairman. Securing 
our Nation's infrastructure from cyber attack requires a 
heightened degree of public-private coordination and I think it 
is a challenge but it is one we are up to. We are pleased at 
ISS to be partnering with you and I thank you for the 
opportunity to participate this morning.
    Chairman Coburn. Thank you. Ms. Bienfait.

  TESTIMONY OF ROBERTA A. BIENFAIT,\1\ SENIOR VICE PRESIDENT, 
                GLOBAL NETWORK OPERATIONS, AT&T

    Ms. Bienfait. Good morning, Mr. Chairman.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Bienfait appears in the Appendix 
on page 139.
---------------------------------------------------------------------------
    Chairman Coburn. Good morning.
    Ms. Bienfait. My name is Robin Bienfait and I am Senior 
Vice President of AT&T's Global Network Operations. I want to 
thank you for allowing me to share with you what we have done 
and what we are generally doing to ensure the reliability and 
restorability of AT&T network services. We are committed to a 
strong public-private partnership and we hope our experience is 
helpful.
    We believe there are keys to network security and disaster 
recovery and I will focus on the following areas: The strength 
of the public-private partnership; the lessons learned, 
especially from Hurricane Katrina and the 2003 Midwest and 
Northeast power outages; and a series of policy 
recommendations.
    Our country relies on cyber and physical infrastructure 
that is provided by a very close partnership among all the 
providers and users of this infrastructure. Each partner, both 
in the public and private sector, has a responsibility to keep 
their part of the infrastructure working. They also each have a 
responsibility to be able to recover or restore their piece of 
the infrastructure.
    At AT&T, our goal is to have a network where failures are 
prevented or identified and corrected before they affect our 
customers. Since 1991, we have invested more than $300 million 
in our mobile network disaster recovery infrastructure and 
capabilities. We have also invested $200 million in a system 
that proactively monitors and manages the networks of some of 
our largest customers.
    We have more than 500 fully loaded emergency communication 
vehicles that we can quickly deploy to respond to any disaster 
anywhere in the United States. We have the basic building 
blocks of our network infrastructure installed in 150 
technology trailers and it is ready to roll at a moment's 
notice.
    I would like to draw on the examples of Hurricane Katrina 
and the 2003 blackouts to illustrate our approach to response 
and restoration efforts and to show you how our incident 
command structure makes every minute count.
    For Hurricane Katrina, we followed our prescribed command 
and control approach to a tee. AT&T began moving equipment and 
teams from around the country toward the Gulf States in the 
days before the storm made landfall. The first team restored 
AT&T service to its prior levels, a second team maintained and 
monitored AT&T's facilities so as to prevent new issues from 
arising, and a third team came in to help others.
    AT&T worked around the clock to respond to this crisis and 
safeguard its network and support the efforts to respond to the 
disaster. AT&T was also able to direct its effort to benefit 
its customers, other telecommunication competitors and their 
customers, first responders, and evacuees, as needed. AT&T also 
helped to provide relief to those directly affected by the 
hurricane and flooding and assistance to charitable relief 
efforts.
    Thanks to these efforts and the intense dedication of the 
employees involved, AT&T's network remained essentially intact. 
We were able to carry at least 95 percent of all calls in the 
Gulf Coast area that came to our network. Of the five percent 
of our capacity in the area that was initially lost, we 
restored half of that capacity within a couple of hours.
    Related to the blackouts, as you know, in 2003, large 
portions of the Midwest, Northeast, and Ontario, Canada, 
experienced an electrical power blackout affecting 50 million 
people. Power was not restored for 4 days in some parts of the 
United States. Because of the reliability and redundancy that 
we designed and built into our network infrastructure, Internet 
traffic, data services, and voice calls flowed across our 
network without interruption.
    These and other experiences have reinforced lessons that we 
must incorporate in future planning and are the basis of our 
following policy recommendations. More detailed recommendations 
are available in my written testimony.
    Establish and practice disaster recovery processes in 
anticipation of emergencies. Communication resources can be 
brought where needed very quickly, but it is essential that 
those clear lines of command and control at all times are there 
to direct those resources effectively and to the area of 
greatest need. A single agency must be identified, funded, 
empowered to act as a national cyber incident commander for any 
required cyber infrastructure recovery and reconstitution 
efforts.
    Coordinate restoration and recovery efforts. Everyone 
available should be participating and there needs to be 
coordination so the efforts are not duplicated or in conflict 
with one another. Logistical information, such as what roads 
are closed and what medical precautions are needed, must be 
readily available. Moreover, a recommendation we made after 
September 11 still has not been widely implemented. Companies 
such as AT&T that are crucial to the response to disasters 
should have special credentials designed for employees and 
accredited in advance in order to assess disaster areas.
    Minimize the amount of regulation and data reporting 
requirements during a disaster and maximize the amount of 
coordination and cooperation between public and private sector.
    Interoperability and spectrum availability. A crisis on the 
scale we saw in the Gulf Coast and smaller challenges, as well, 
demand a well-coordinated information and communications 
delivery system. We must resolve the spectrums needed and 
highlighted by the 9/11 Commission.
    Consider subsidizing some of the emergency preparation by 
infrastructure companies. The government is likely to call on 
such capabilities in use or would otherwise need to duplicate 
resources ineffectively.
    We can never anticipate every contingency in an emergency, 
nor can we assure a foolproof communications network all the 
time under all circumstances. Nonetheless, at AT&T, we have 
done much to ensure reliability and restorability of 
communication networks, and together as an industry and as a 
Nation, we can do more. I thank you for holding this hearing to 
advance this important discussion.
    Chairman Coburn. Thank you, Ms. Bienfait. Mr. Aisenberg

 TESTIMONY OF MICHAEL A. AISENBERG,\1\ DIRECTOR OF GOVERNMENT 
     RELATIONS, VERISIGN, INC., AND VICE CHAIR, IT SECTOR 
                      COORDINATING COUNCIL

    Mr. Aisenberg. Thank you, Mr. Chairman. Thank you for the 
opportunity to appear before the Subcommittee today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Aisenberg appears in the Appendix 
on page 161.
---------------------------------------------------------------------------
    VeriSign's 4,600 employees operate intelligent 
infrastructures that enable and protect billions of 
interactions every day across the world's voice and data 
networks. I, too, have three key points I would like to make 
today.
    First, those who make policy in the United States must 
understand the economic value and critical interdependencies we 
have developed on our information networks.
    Second, we must understand and accommodate to the global 
nature of both our information networks and the attacks that 
are being continually mounted against them.
    Third, largely owned and operated by the private sector, 
our network security and ability to withstand and recover from 
the continuing attacks against them depends on effective 
partnership between government and we, the industry stewards.
    Americans must keep a clear focus on the critical economic 
and national security role which our information networks have 
come to fulfill. In less than two decades, the industrial 
nations have evolved an irreversible dependency and 
interdependency by our banking, finance, transportation, health 
care, education, power, manufacturing, and government service 
sectors on the networks managed by the companies, mostly 
American, which make up the ICT sector.
    Each day, $3 trillion pass over secure Federal financial 
networks. If these electronic transactions do not have Internet 
sites, such as NYSE.net, BankofAmerica.com, and Treasury.gov, 
available, secure, and running, the U.S. economy begins to 
grind to a halt at the rate of $130 billion per hour.
    As you have noted, Mr. Chairman, cyber security is indeed a 
responsibility which we all share and in which we all have a 
stake. We must recognize that information networks are global, 
increasingly managed by interests beyond U.S. control, but at 
the same time subjected to threats and attacked by actors from 
around the world. The role of an effective government cyber 
security function and government-industry partnership is 
central to the BRT report's critical conclusion. America needs 
a much improved cyber security activity, not just in DHS, but 
across government and industry interests.
    But while its conclusions are consistent with others from 
industry, the BRT report's suggestions about the extent and 
effectiveness of industry engagement with DHS are, I believe, 
out of touch with important progress being made in public-
private collaboration in the last 18 months. There have been 
many, and there are increasingly significant collaborative 
engagements between the cyber industry and DHS, some of which 
were outlined by Secretary Foresman.
    In 2005, commented engagement with industry began to be 
regularly sought by new DHS leadership. Involvement in DHS 
policy processes from their beginning rather than at the end 
began to be practiced. Examples include the national cyber 
security exercise Cyber Storm, concluded in February of this 
year, DHS's Internet Disruption Working Group, the IDWG, the 
government Security Operations Community, GFirst, the just-
released NIPP process, and the ongoing sector-specific plans 
just under development.
    Mr. Chairman, my sector colleagues and I have found these 
activities valuable and a marked departure from what we 
experienced prior to 2005. This steady improvement and 
expansion of industry involvement with DHS cyber and network 
security activities must continue.
    But while these milestones and improvement in the 
relationship between cyber sector industry interests and the 
NCSD and NCC staff are important and significant, they are not 
a solution, but a beginning.
    Mr. Chairman, we are at least twice as good in our 
cooperation as we have been, but we are not half as good as we 
need to be. Indeed, many of us believe that notwithstanding 
these improved public and private engagements, the operational 
posture is still fraught with risk. If a September 11-type 
attack were to take down the NYSE today, I doubt the Exchange 
could restore its network-dependent functions in the same 4 
days it did in 2001, and indeed, perhaps not in 4 weeks, and 
the principal reason for this is DHS, or rather the 
bureaucratic impediments, many of which have already been 
discussed this morning, to the kind of action that the private 
sector was able to engage in in 2001 and was thwarted at during 
Hurricane Katrina.
    We need to act without delay to ensure that our networks 
and critical dependent sectors are resilient enough to 
withstand the daily attacks being mounted against them. And as 
the GAO is reporting today, they must be supported by the 
appropriate tools from government as well as industry to assure 
the ability to recover with minimum collateral impact on our 
economy and security.
    To conclude, Mr. Chairman, going forward, several steps are 
necessary. First, DHS's modest cyber security budget must be 
insulated from the continuing reprogramming and budgetary cuts 
now underway.
    Second, a cyber security leader with credibility in 
industry must be identified and appointed as DHS's permanent 
Assistant Secretary for Cyber Security and Telecommunications 
without further delay.
    Third, critical R&D projects to improve key network 
security protocols must be funded and launched or relaunched.
    Mr. Chairman, if we do these things, we will not guarantee 
that our adversaries will stop attacking our critical cyber 
assets, but we will improve the likelihood that we will 
continue to successfully withstand those attacks and retain the 
availability of these infrastructures on which we are now so 
dependent. Thank you, Mr. Chairman.
    Chairman Coburn. Thank you, Mr. Aisenberg. Mr. Brondell.

TESTIMONY OF KARL BRONDELL,\1\ STATE FARM INSURANCE COMPANIES, 
              ON BEHALF OF THE BUSINESS ROUNDTABLE

    Mr. Brondell. Thank you, Mr. Chairman. I am honored for 
this opportunity to testify today on Internet recovery on 
behalf of the Business Roundtable.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Brondell appears in the Appendix 
on page 167.
---------------------------------------------------------------------------
    Following the attacks of September 11, Roundtable CEOs 
formed the Security Task Force to address ways the private 
sector can improve the security of its employees, facilities, 
communities, and our Nation. The Roundtable believes that the 
business community must be a partner with government in 
disaster preparedness and response. The Roundtable commends the 
Subcommittee and its members for their continued interest in 
improving procedures and preparedness to ensure recovery of the 
Internet following a major disruption. Hardening the Internet 
and strengthening cyber security is one of the priorities of 
our Security Task Force.
    More than a year ago, the Roundtable began work on an 
initiative to assess the public and private sector plans and 
procedures for Internet recovery following a cyber catastrophe. 
We have just produced and delivered a report, ``Essential Steps 
to Strengthen America's Cyber Terrorism Preparedness,'' which 
finds that the United States is ill-prepared for a cyber 
catastrophe, with significant ambiguities in public and private 
sector responses that would be needed to restore and recover 
the Internet following a disaster.
    As the Subcommittee knows, the Internet and the cyber 
infrastructure serve as a critical backbone for the Nation's 
economy and its uninterrupted use is a crucial issue for our 
national and homeland security. But our analysis has exposed 
significant weaknesses that could paralyze the economy 
following a massive disruption.
    Despite progress having been made over the past decades on 
technical and IT issues, there are other issues that have not 
received the same attention. The Roundtable's report identifies 
three significant gaps in our Nation's response plans to 
restore the Internet.
    First, we found the United States lacks an early warning 
system to identify potential Internet attacks or determine if 
the disruptions are spreading rapidly across critical systems.
    Second, public and private organizations that would oversee 
restoration and recovery of the Internet have unclear or 
overlapping responsibilities, resulting in too many 
institutions with too little interaction and coordination.
    Finally, existing organizations and institutions charged 
with the Internet recovery have insufficient resources and 
support.
    Collectively, these gaps mean that the United States is not 
sufficiently prepared for a major attack. If our Nation is hit 
by a cyber catastrophe that wipes out large parts of the 
Internet, there is no coordinated public-private plan in place 
to restart and restore it.
    Let me make another point. Although there is no agreement 
among experts about the likelihood of a widescale cyber 
disaster, they do agree that the risks and the potential 
outcomes are serious enough to mandate careful planning and 
preparation.
    In my remaining time, let me talk briefly about our 
recommendations for government and business to consider. We 
believe it is important to understand that response and 
recovery to a cyber disaster will be different from natural 
disasters when the Federal Government has the leading role. 
Industry must undertake principal responsibility following an 
incident for reconstituting the communications infrastructure 
and the Internet. We believe that business and government must 
take action, individually and collectively, to address these 
issues.
    Let us start with the government. The Roundtable calls on 
the Federal Government to establish clear roles and 
responsibilities, to fund long-term programs, and ensure that 
national response plans treat major Internet disruptions as 
serious national problems.
    Regarding the private sector, our report urges companies to 
designate a point person for cyber recovery, update their 
strategic plans, and set priorities to prepare for a widespread 
Internet outage and its impact on the movement of goods and 
services.
    When it comes to protecting our Nation, neither the 
government nor business can do it alone. We feel the best 
security solutions will come from a public-private partnership 
that identifies and acts on ways to improve collaboration. Let 
me discuss a few of the collaboration recommendations.
    First, since the first 24 hours often determine the overall 
success of recovery efforts, we must focus more attention on 
coordinating initial efforts to identify when an Internet 
attack or disruption is occurring.
    Second, we recommend the creation of a federally-funded 
panel of experts from business, government, and academia who 
would assist in developing plans for restoring Internet 
services in the event of a massive disruption.
    Finally, we believe the Department of Homeland Security, 
together with business, should conduct large-scale cyber 
emergency exercises with lessons learned integrated into 
programs and procedures.
    Without change, our Nation will continue to use ad hoc and 
incomplete tools for managing our critical risk to the Internet 
and to our Nation's economy and its security.
    Up to this point, I have outlined for the Subcommittee the 
basis for our observations and some of the recommendations to 
consider. Now I would like to spend a moment telling you about 
the Roundtable's plans to find solutions to the gaps that we 
have identified.
    First, let me say that we are confident that our member 
companies are able to manage most disruptions that affect 
Internet operations. For this reason, the Roundtable will focus 
its efforts on those large-scale events that no single company 
is positioned to manage absent widespread cross-industry and 
government collaboration.
    As an extension of our previous work, the Roundtable will 
examine the processes, protocols, and practices across the 
private sector before, during, and after a disruptive event. We 
will assess which institutions respond, how early warnings are 
established, and how companies access information and service 
critical disruptions and emergency situations. We believe this 
will provide a foundation for meaningful improvements in our 
Nation's ability to protect and restore the Internet as well as 
clarify specific, meaningful, and actionable decisions that 
will lead to well-coordinated public and private response and 
reconstitution processes.
    In conclusion, let me again thank the Chairman for the 
opportunity to present the Business Roundtable's report on 
cyber preparedness and to discuss our recommendations for 
improvements. Roundtable CEOs believe strongly that we need a 
national response to this challenge, not separate business and 
government responses, and that means better collaboration. I 
assure you, America's CEOs and our companies are committed to 
do their part. Thank you.
    Chairman Coburn. Thank you.
    One of the things I take from you all is leadership is 
important, and the fact that we don't have the position filled 
is significant. You know, that is a real problem in our Nation 
today and I don't know what the cause of it is. Some people 
say, well, the salaries aren't high enough. But for us to 
secure our future, we are going to have to make individual 
sacrifice and that means somebody out of private industry needs 
to come up and fulfill this role. When they are trying to 
recruit and nobody wants to do it because they are not willing 
to sacrifice a little bit of earnings for 3 or 4 years and make 
a commitment to make a difference to our country, we are losing 
the very essence of what it means to be Americans.
    So it is pretty hard to hire somebody into a Federal 
Government agency into a position that is going to mean their 
salary is going to be cut in half if there is no patriotic 
thought that you can make a contribution to our country. Each 
of you have raised that. Do any one of you all want to 
volunteer for that position? [Laughter.]
    Mr. Noonan. I know someone that does, sir.
    Chairman Coburn. Well, the man that probably is involved in 
that decision is sitting behind you. I hope you will 
communicate that with Secretary Foresman.
    Mr. Noonan. I certainly will.
    Chairman Coburn. I appreciate him being here.
    Just quickly, I am going to have several questions and I 
can't get them all through to you, so I am going to submit them 
in writing.
    What do you think about the GAO's report? Mr. Brondell has 
just made a recommendation, we have got all these working 
groups. Here is what you all think we ought to do. We have got 
working groups, yet we basically have nobody in charge. What 
would happen tomorrow if a major event happened? We don't have 
the coordination across government to the private sector to 
establish that. So how do we respond? How do we take your 
recommendation, Mr. Brondell, versus the problem? We have got 
working groups. We have got people that are involved in it. How 
do we get it off dead center and make something happen?
    Mr. Brondell. First of all, we do applaud that the efforts 
are moving in the right direction. As you heard earlier this 
morning, it is a long road that we are going to have to pull, 
but as we look at a collaborative approach, we do agree and 
have suggested that we do need some focal point within the 
government that private sector can rely upon. We support the 
addition of the position. We hope that it gets filled quickly 
and goes through the administrative process to be in place.
    But to your question of what we would do today if it 
happened, industry would continue to respond as it has in the 
past and overcome the hurdles based on the experience from past 
smaller incidents. But the lacking of collaboration, it could 
damage the overall economy with a long delay.
    Chairman Coburn. Mr. Aisenberg.
    Mr. Aisenberg. Senator, we see a steady stream of insults 
against the network on a daily basis. VeriSign routinely repels 
1,000 or more attacks against the naming infrastructure, the 
DNS, every day. Major events happen with greater frequency than 
makes us happy, but we are successful in repelling those now, 
by and large. But every day, the sophistication in those 
attacks grows. The sources of them becomes more diverse and the 
risks inherent, therefore, becomes more severe.
    So you are absolutely right. We need a more coordinated 
approach. We cannot guarantee, no one can guarantee that an 
attack will not at some point be successful, and I agree, the 
ability to reconstitute and recover from a serious attack at 
the moment is not as good as we need it to be, and I could not 
predict how severe or how long a major attack that took down 
the naming system or fundamental other aspects of the Internet 
could persist and impact the economy. Our best defense is the 
aggressive investment that the infrastructure stewards make in 
massive overhead, massive engineering, constant exercising, 
constant testing of the security, and vigilance, and a little 
bit of good luck.
    Chairman Coburn. Is there an early warning system out there 
now?
    Mr. Aisenberg. It depends on what you mean by early 
warning.
    Ms. Bienfait. Not one that you would actually, as we would 
do with a hurricane in an emergency scenario, we see a 
hurricane coming and we have got a way to give an early 
warning----
    Chairman Coburn. No, I mean is there a communication 
network where, whether it is NSA or whoever is experiencing it, 
all of the sudden, this is a major attack and time is of the 
essence and everybody knows it is happening in one area so they 
can prepare if their area is about to get hit. Is that out 
there now?
    Ms. Bienfait. Not across----
    Chairman Coburn. Is there an early warning system so that 
there is communication to all the players that something is 
happening. You need to know about it. Here is what we see. You 
might be next. Is that happening now?
    Ms. Bienfait. We have something internal to ourselves that 
we can actually see the signatures and the knocking of all the 
hacking attacks against our network----
    Chairman Coburn. That is your network?
    Ms. Bienfait. That is my network. But we are only doing 
this in our own domain. We are not doing a lot across 
companies, across collaboration----
    Chairman Coburn. Is there something that prevents you 
legally from being able to communicate that with the rest of 
the service providers?
    Ms. Bienfait. Nothing at this point in time, other than us 
getting a trusted environment where we could actually do pre-
planning ahead of time so that we know what that information 
might look like. We are doing some of that right now, trying to 
put best practices together, but there is not anything formal 
to the point that we know how to pull up a security alert and 
actually say, hey, the collaboration of the different units, I 
am going to shut down this part of my network or I am going to 
open up that part of my network so that this work can flow 
through.
    Chairman Coburn. And you would all agree that is needed?
    Ms. Bienfait. I think it is necessary.
    Chairman Coburn. It is needed, and one of the reasons it is 
not is because there is not a position of leadership and trust 
which you can work through?
    Ms. Bienfait. You really have to have a very trusted 
environment. It is essential----
    Chairman Coburn. Otherwise you expose proprietary 
information.
    Ms. Bienfait. Exactly. And we are working through that, it 
is just not moving fast enough.
    Chairman Coburn. OK.
    Mr. Aisenberg. Senator, another aspect of that is that what 
we call the millisecond sectors--electric power, 
communications, IT--frequently see insults only after they are 
actually mounted. Unlike intelligence gathering around physical 
attacks where you hear a tip from one individual and you can 
grow your investigative technique, very often when the attacks 
are mounted against the Internet or the communications or power 
networks, you don't see the attacks until they are already at 
their zero moment and are massively engaging the 
infrastructure.
    Chairman Coburn. But, in fact, we know that is a 
possibility, so we can design to prevent that if we have the 
structure in place to communicate it, cross-communicate it 
without the sharing of proprietary data that would put somebody 
at a competitive disadvantage. I mean, that is possible. 
Everybody would agree with that, right?
    Mr. Noonan. Right. There is already a foundation in place, 
sir, but it is not broadly available cross-industry, cross-
sector, cross-agency and government. There are multiple early 
warning activities that are operating at various levels of 
efficacy. These include the ISAC, the Information Sharing and 
Analysis Centers that are established as part of the IT, or as 
part of the Sector Coordinating Councils. They are not fully 
operating cross-functionally today, but they are a foundation 
that has been being built for many years. There are issues, but 
we are making progress there.
    I think the early warning vulnerability disclosure activity 
that is underway has actually moved this industry along in a 
number of years. If we know where our vulnerabilities are, 
there is a pretty good chance that is where the attacks are 
going to be. Whether they are malicious and disruptive or 
whether they are quiet and compromising, they are typically 
getting through our vulnerabilities.
    There, I think we have made progress. However, as an 
industry, or both a public and private sector perspective, we 
don't have the equivalent of turn on CNN and get the hurricane 
early warning system. We simply don't have that.
    Chairman Coburn. Are there any other comments from any of 
you all on the GAO report?
    [No response.]
    Chairman Coburn. I don't know if the silence is because--I 
won't say that. I will just let it go with that.
    None of you would disagree with the fact that there could 
be somebody in a position that could maintain the trust of the 
providers and the service companies and the Internet industry 
and work for government and maintain the integrity that is 
required for us to solve these problems. Would you agree with 
that?
    Ms. Bienfait. I would agree with that.
    Mr. Noonan. I would agree.
    Chairman Coburn. So one of the real issues for us to move 
things offline is to fill the position with somebody that has 
the competency, character, and trust of the industry and the 
government and can put the impetus behind moving forward. If 
this hearing does anything with that, we will have accomplished 
something.
    I want to thank each of you for being here. This is a 
difficult problem we face, but it is also, besides difficult, 
it is critical. Our country can't take many more hits. This is 
one that is preventable, provided we do the right thing. It is 
at least, if not preventable, recoverable if we do the right 
thing.
    I would hope that we will continue to have good 
communications. We will have other hearings on this. We are 
going to move. There is going to be an Assistant Secretary, I 
promise you. Even if we have to raise the salary for the 
position, there is going to be one because it is just too 
important.
    We will be submitting some questions to you. I would hope 
that you would return those to us within 2 weeks.
    I thank you for your service, and the hearing is adjourned.
    [Whereupon, at 11:12 a.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

[GRAPHIC] [TIFF OMITTED] 

                                 
