<html>
<title> - CYBER SECURITY: RECOVERY AND RECONSTITUTION OF CRITICAL NETWORKS</title>
<body><pre>[Senate Hearing 109-893]
[From the U.S. Government Printing Office]




                                                        S. Hrg. 109-893

    CYBER SECURITY: RECOVERY AND RECONSTITUTION OF CRITICAL NETWORKS

=======================================================================

                                HEARING

                               before the

                FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT
                     INFORMATION, AND INTERNATIONAL
                         SECURITY SUBCOMMITTEE

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION


                               __________

                             JULY 28, 2006

                               __________

        Available via http://www.access.gpo.gov/congress/senate

       Printed for the use of the Committee on Homeland Security
                        and Governmental Affairs


                               __________


                     U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2007
29-759 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001




        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   SUSAN M. COLLINS, Maine, Chairman
TED STEVENS, Alaska                  JOSEPH I. LIEBERMAN, Connecticut
GEORGE V. VOINOVICH, Ohio            CARL LEVIN, Michigan
NORM COLEMAN, Minnesota              DANIEL K. AKAKA, Hawaii
TOM COBURN, Oklahoma                 THOMAS R. CARPER, Delaware
LINCOLN D. CHAFEE, Rhode Island      MARK DAYTON, Minnesota
ROBERT F. BENNETT, Utah              FRANK LAUTENBERG, New Jersey
PETE V. DOMENICI, New Mexico         MARK PRYOR, Arkansas
JOHN W. WARNER, Virginia

           Michael D. Bopp, Staff Director and Chief Counsel
             Michael L. Alexander, Minority Staff Director
                  Trina Driessnack Tyrer, Chief Clerk


FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL
                         SECURITY SUBCOMMITTEE

                     TOM COBURN, Oklahoma, Chairman
TED STEVENS, Alaska                  THOMAS CARPER, Delaware
GEORGE V. VOINOVICH, Ohio            CARL LEVIN, Michigan
LINCOLN D. CHAFEE, Rhode Island      DANIEL K. AKAKA, Hawaii
ROBERT F. BENNETT, Utah              MARK DAYTON, Minnesota
PETE V. DOMENICI, New Mexico         FRANK LAUTENBERG, New Jersey
JOHN W. WARNER, Virginia             MARK PRYOR, Arkansas

                      Katy French, Staff Director
                 Sheila Murphy, Minority Staff Director
            John Kilvington, Minority Deputy Staff Director
                       Liz Scranton, Chief Clerk



                            C O N T E N T S

                                 ------
Opening statements:
                                                                   Page
    Senator Coburn...............................................     1

                               WITNESSES

                         Friday, July 28, 2006

George Foresman, Under Secretary for Preparedness, U.S.
  Department of Homeland Security................................     5
Richard C. Schaeffer, Jr., Director of Information Assurance,
  National Security Agency.......................................     7
Karen Evans, Administrator for Electronic Government and
  Information Technology, Office of Management and Budget........     9
Keith Rhodes, Chief Technologist and Director, Center for
  Technology and Engineering, U.S. Government Accountability
  Office.........................................................    10
Thomas E. Noonan, President and Chief Executive Officer, Internet
  Security Systems...............................................    20
Roberta A. Bienfait, Senior Vice President, Global Network
  Operations, AT&T...............................................    22
Michael A. Aisenberg, Director of Government Relations, VeriSign,
  Inc., and Vice Chair, IT Sector Coordinating Council...........    24
Karl Brondell, State Farm Insurance Companies, on behalf of the
  Business Roundtable............................................    26

                     Alphabetical List of Witnesses

Aisenberg, Michael A.:
    Testimony....................................................    24
    Prepared statement...........................................   161
Bienfait, Roberta A.:
    Testimony....................................................    22
    Prepared statement...........................................   139
Brondell, Karl:
    Testimony....................................................    26
    Prepared statement...........................................   167
Evans, Karen:
    Testimony....................................................     9
    Prepared statement with an attachment........................    53
Foresman, George:
    Testimony....................................................     5
    Prepared statement...........................................    33
Noonan, Thomas E.:
    Testimony....................................................    20
    Prepared statement...........................................   132
Rhodes, Keith:
    Testimony....................................................    10
    Prepared statement...........................................   111
Schaeffer, Richard C., Jr.:
    Testimony....................................................     7
    Prepared statement...........................................    50

                                APPENDIX

Hon. Thomas Jarrett, Secretary and CIO, Delaware Department of
  Technology and Information, prepared statement.................   174
Questions and responses for the Record from:
    Mr. Foresman.................................................   181
    Mr. Schaeffer................................................   197
    Mr. Evans....................................................   200
    Mr. Rhodes...................................................   209
    Mr. Bienfait.................................................   213
    Mr. Aisenberg................................................   223
    Mr. Brondell.................................................   226


    CYBER SECURITY: RECOVERY AND RECONSTITUTION OF CRITICAL NETWORKS

                              ----------


                         FRIDAY, JULY 28, 2006

                                     U.S. Senate,
 Subcommittee on Federal Financial Management, Government
                   Information, and International Security,
                            of the Committee on Homeland Security
                                          and Governmental Affairs,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 9:35 a.m., in
room 342, Dirksen Senate Office Building, Hon. Tom Coburn,
Chairman of the Subcommittee, presiding.
    Present: Senator Coburn.

              OPENING STATEMENT OF CHAIRMAN COBURN

    Chairman Coburn. The Subcommittee on Federal Financial
Management, Government Information, and International Security
will come to order.
    Today's hearing is titled ``Cyber Security: Recovery and
Reconstitution of Critical Networks.'' This is the second
hearing in a series we will be conducting on cyber security. It
is actually the third. We have had a high-level secured
briefing and hearing on this, as well. On July 19, 2005, this
Subcommittee held a hearing on the importance of cyber security
to our Nation's critical infrastructures. The hearing
highlighted the importance of forging a public-private, and I
will emphasize private, partnership to protect critical
infrastructure and focused on challenges facing the Department
of Homeland Security (DHS) in facilitating and leveraging such
partnerships.
    Things that we have learned through the September 11
terrorist attacks and the response to Hurricane Katrina further
emphasize these challenges. Today, despite spending millions of
dollars over the past year, DHS continues to struggle with how
to effectively form and maintain effective public-private
partnerships in support of cyber security, including how to
protect Internet infrastructure and how to recover it in the
case of a major disruption. The public-private partnership
necessary to accomplish DHS's goals in securing computer
networks continues to remain a public-private divide.
    I am grieved to note that our Nation's security from a
cyber-based attack has not improved since we were here last
year. The objective of today's hearing is to highlight
immediate steps that DHS and the private sector can take to
formalize a partnership and to ensure effective response and
recovery to major cyber network disruptions.
    Our economy and national security are reliant on the
Nation's information and communications infrastructure,
including the Internet. The Internet connects millions of
information technology systems and networks together, which, in
sum, provide e-commerce to the country and critical services
allowing the government to function. On July 19, 2005, we
learned that these computer networks can also control physical
infrastructure, such as electrical transformers, chemical
systems, and pipelines.
    DHS recently released its National Infrastructure
Protection Plan (NIPP), 3 years after its due date. This plan
highlights the importance of cyber security and the Internet to
critical infrastructure, stating that the U.S. economy and
national security are highly dependent upon the global cyber
infrastructure. But according to today's GAO report, DHS fails
to adequately plan for recovery of key Internet functions.
Moreover, the Department has not adequately prepared to
effectively coordinate public-private plans for reconstitution
from a cyber Internet disruption.
    The success of the protection efforts in the NIPP hinges on
information sharing between the Federal Government and the
private sector. However, a number of barriers exist to
information sharing. Recent incidents at the Department of
Veterans Affairs, Department of State, and a national
laboratory indicate that the government has trouble protecting
sensitive information. The government also does not have a good
record of sharing sensitive intelligence-derived threat data
with the private sector.
    GAO identified numerous challenges to development of a plan
and is here today to present the recommendations to strengthen
the Department's abilities. Government agencies and private
companies, including telecommunications companies, cable
companies, peering organizations, and major data carriers, need
clarity on what is expected of them in a crisis. Overlapping
and unclear roles and responsibilities lead to frustration and
confusion, and will hamper recovery efforts in a crisis, which
will be deeply injurious to our Nation.
    The overarching concern for the Committee is whether the
Department of Homeland Security knows what functions of
government need to be protected, how those functions interact
with State and local governments, and what is DHS's role and
responsibility in working with the private sector during a
cyber or telecommunication-based incidence of national
significance.
    The recently released DHS plan requires the use of a risk
assessment method that has been criticized as not focusing on
what really needs to be protected in the information technology
and telecommunication sectors, and focusing heavily on physical
assets. The risk assessment methodology should be reevaluated,
as it could lead to significant wasteful spending.
    While this sector has physical assets to protect,
government needs to understand that this sector is about
protecting critical functionality, not assets. The private
sector and government must work together to ensure the Nation's
critical infrastructure can function in the reliable and stable
fashion that the American public expects.
    Therefore, private industry must devise plans in
coordination with the government to ensure critical functions
do not fail or can be recovered quickly when faced with an
incident of national significance. The National Communications
System has worked under this concept for years.
    Both government and private industry admit there are
vulnerabilities in the networks that can and have been
exploited or damaged by accident or natural causes. A perfect
system cannot be built. We realize that. The difficult part of
any organization, especially government, is how does it
respond, recover, and reconstitute after an incident.
    The Homeland Security Act of 2002 and Presidential
Directives lay out a clear mandate on cyber security at the
Department of Homeland Security. They require DHS to assess our
vulnerability to a cyber attack, develop a plan to fix it, and
implement that plan using measurable goals and milestones. In
order to implement the plan, the Department has the admittedly
difficult task of engaging and securing action from diverse
players, which include State and local governments, other
Federal agencies, and especially and most importantly, key
industry actors.
    The nature of terrorists is to attack private citizens, as
we recently saw in the horrific railway attacks in India. There
can be no excuse for not effectively engaging the private
sector, even though it is hard. We ask no less of our food
safety, airline safety, and pharmaceutical industries. The
issue is lack of leadership and lack of courage.
    Nobody wants to micromanage the private sector or DHS.
However, America does expect the Department of Homeland
Security and the private sector to take every reasonable
measure to protect us from terrorism. I am not convinced that
threshold has been met.
    If America is to be safe from the damage of a cyber attack,
we will need a plan, a budget tied to that plan, and
Congressional commitment to the implementation of the plan. One
year ago, the Department announced the creation of the position
of Assistant Secretary for Cyber and Telecommunications
Security to elevate the importance of cyber critical
infrastructure protection. Today, this position remains vacant.
This vacant post was designed by the Department to lead the
Nation in buttressing our critical information technology and
telecommunications systems against threats. The Department,
working in conjunction with the private sector, needs to find
that person and set that person to the task of reforming the
plan and then implementing it. A leader can and will be found,
and I am encouraging DHS to exhaust every effort to fill this
position, ensure the proper authorities are in place to
succeed, and ensure that this person receives adequate support
from the top leadership at DHS to fulfill the mission.
    To that end, I look forward to hearing from our witnesses,
NSA, DHS, OMB, GAO, AT&T, VeriSign, and Internet Security
Systems, as well as the Business Roundtable. I welcome each of
you.
    The Department of Homeland Security's testimony came in
late last night. It is unavailable to me, the Chairman of this
Subcommittee. It will not be accepted as part of it and it is a
message to anybody else that wants to play games with the
Subcommittee. You are going to send us the information that you
want to testify about on a timely basis so we can do our job.
And this is an example of exactly what is happening at DHS on
cyber security. You can't meet the goals. You can't meet the
expectations. This Subcommittee hearing was noticed June 12--
6\1/2\ weeks ago, and for the testimony to come in last night
is unacceptable and it will not be accepted.
    Let me welcome our guests. First is the Hon. George
Foresman. He was first confirmed by the U.S. Senate on December
18, 2005. He is responsible for synchronizing national
preparedness efforts under the direction of Homeland Security
Secretary Michael Chertoff and Deputy Secretary Michael
Jackson. He previously served in the Commonwealth of Virginia
as Assistant to the Governor for the Commonwealth Preparedness
and Homeland Security Advisor, a cabinet-level position. In
this capacity, he was the principal advisor and overall
coordinator for homeland security and preparedness efforts, as
well as relations with military commands and installations
throughout the Commonwealth. He is nationally recognized in the
fields of emergency preparedness and homeland security.
    Richard Schaeffer is the Information Assurance Director at
the National Security Agency (NSA). He is responsible for the
Information Assurance Directorate at that agency. The
Directorate's mission is to provide products and services
critical to protecting our Nation's critical information and
information systems. Moreover, he is responsible for defining
and implementing the information assurance strategy to protect
the Department of Defense's global information grid and
supporting the ongoing military operations against terrorism.
    Next is the Hon. Karen Evans. She is Administrator of E-
Government and Information Technology (IT), Office of
Management and Budget. She is here as a break from her
vacation. I want to tell you how much I appreciate you doing
that. She oversees the implementation of IT throughout the
Federal Government, including advising the Director on the
performance of IT investments, overseeing the development of
enterprise architectures within and across those agencies,
directing the activities of the Chief Information Officer
Council, and overseeing the usage of E-Government funds to
support interagency partnerships and innovation. She also has
responsibilities in the areas of capital planning and
investment control, information security, privacy,
accessibility of IT for persons with disabilities, and access
to, dissemination of, and preservation of government
information.
    Next is Keith Rhodes, Chief Technologist, Government
Accountability Office (GAO). Mr. Rhodes is currently the Chief
Technologist at GAO and Director of the Center for Technology
and Engineering. He has been the senior advisor on a range of
assignments covering continuity of government and operations,
export control, computer security, privacy, e-commerce, E-
Government, voting systems, and various unconventional weapons
systems. Before joining GAO, he was supervisory scientist
leading weapons and intelligence programs at the Lawrence
Livermore National Laboratory.
    I would like to recognize each of you. Thank you for taking
the time to be here. Mr. Foresman, you are recognized for 5
minutes.

     TESTIMONY OF GEORGE FORESMAN,\1\ UNDER SECRETARY FOR
       PREPAREDNESS, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Foresman. Mr. Chairman, thank you, and thank you for
the opportunity to appear today to discuss the recovery and the
reconstitution of critical cyber networks. Congressional
discussion on this particular topic is absolutely essential and
it is critical to the success that we need to achieve as a
Nation toward strengthening our levels of preparedness.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Foresman appears in the Appendix
on page 33.
---------------------------------------------------------------------------
    Mr. Chairman, I would like to highlight several key issues
today and outline the Department's roadmap for success in
advance of a very important discussion on the security and the
protection of our cyber communications networks.
    The findings of the GAO report on the development of a
joint public-private plan for recovering critical cyber
infrastructure and the recent Business Roundtable's
recommendations for strengthening cyber preparedness both echo
the overall resounding themes that the Department of Homeland
Security is pursuing in its work to lead a national effort to
protect America's cyber assets. While these reports offer
somewhat differing recommendations on the exact steps that we
need to take, the shared national vision further reflects two
very important and sometimes overlooked issues.
    First, the risk posed to the critical cyber infrastructure
is becoming both better and more widely understood, both in the
public sector and in the private sector. Second, the importance
of mitigating these risks, whether on the individual,
corporate, or government level, is also better understood. We
know we must be ready for the cyber version of Hurricane
Katrina or the September 11 attacks.
    Mr. Chairman, let me outline for you the Department's three
strategic priorities on the cyber preparedness front. They
include, one, preparing for a large-scale cyber disaster; two,
working to forge more effective partnerships, as you noted in
your opening statement; and three, fostering a culture of
preparedness to prevent cyber incidents and mitigate damage
when disruptions do, in fact, occur.
    Our primary strategic goal as part of our overall risk
management approach is to prepare for high-consequence
incidents. These would include, for example, a widespread
disruption involving the Internet or critical communications
infrastructure, whether it originates from an attack or from a
natural disaster. The Department has established the Internet
Disruption Working Group, the IDWG, to address the resiliency
and recovery of Internet functions in the event of a major
cyber incident. The IDWG is not examining all individual risks,
but rather focusing on nationally significant Internet
disruptions in a prioritized fashion. The IDWG is developing
not only policy recommendations for cyber response, but also
operational proposals and protocols to improve the deployment
of Federal resources in the event of such an event and how to
ensure coordination with local, State, and private sector
partners of these assets.
    I am also pleased to share with you that the Department
conducted its first national cyber security exercise, Cyber
Storm, this past February, and this was the largest
multinational cross-sector cyber exercise to date and assessed
the policies and procedures associated with a cyber-related
incident of national significance. The Department will soon be
releasing a public exercise report on this effort that will
outline findings to help bolster protective measures for
potential cyber attacks. I will also note that these lessons,
like those of Hurricane Katrina and other incidents, will not
sit idle. They will be incorporated into our operations
processes under the National Response Plan and these will be
retested during Cyber Storm II in 2008, if not before.
    Cyber Storm demonstrated the close cooperation and
information sharing needs across Federal agencies, across
international boundaries, and most importantly, between the
public and the private sectors. The exercise tested for the
first time the full range of cyber-related response policy,
procedures, and communications methods required in a real-world
crisis. We know that there were successes. We also know that
there is room for improvement.
    Another significant accomplishment in preparing for a
nationally significant cyber disruption is last month's
completion, as you noted, of the National Infrastructure
Protection Plan. The NIPP sets forth a comprehensive risk
management framework and clearly defines critical
infrastructure protection roles and responsibilities for DHS,
Federal sector-specific agencies, other Federal, State, local,
tribal, and territorial agencies, as well as our private sector
security partners. The plan addresses the physical, human, and
cyber elements of the critical infrastructure issues which
cross all sectors. This release of the NIPP is an important
milestone, as it accompanies 17 sector-specific plans that will
help build a safer and more secure and more resilient America
by enhancing protection of the Nation's critical infrastructure
and key resources to include the cyber community.
    Our second strategic goal is to improve the Department's
partnership programs and practices. Homeland Security
Presidential Directive 7, the Administration's policy on
critical infrastructure protection, explicitly recognizes the
importance of partnerships, which are essential for many sound
reasons. In the cyber security arena, the Department is working
to nurture existing partnerships and establish new
relationships with three key stakeholder communities, the
private sector, Federal departments and agencies, and the
State, local, and tribal governments, as well as academia.
    Third, we must create a culture of preparedness, both to
prevent a cyber disaster and to mitigate damages if a
widespread disruption occurs. We are working every day to
influence how individual citizens, government, and the private
sector prepare for the security challenges of the coming
decade. As with our other strategic priorities, this goal
demands a focused and disciplined approach. We need
interconnected strategies and processes, not individual
actions. Just as our cyber systems are interconnected, so must
be our approach to dealing with disruptions.
    Our national cyber security efforts are rapidly maturing
and we have clear legislative and presidential direction and
private sector interest. There is no magic wand that will allow
us to do this overnight. There is, however, a growing
coalescing of effort between government and the private sector
as just two of the key entities.
    Chairman Coburn. I need for you to summarize, if you will.
    Mr. Foresman. Yes, sir, and I am finishing up. To create a
long-term culture of preparedness, we are developing clear
organizational doctrine which memorializes strategic policies,
clarifies roles and responsibilities, and defines measures of
accountability. The road ahead is critical and we are committed
to ensuring success. Thank you.
    Chairman Coburn. Thank you. Mr. Schaeffer.

    TESTIMONY OF RICHARD C. SCHAEFFER, JR.,\1\ DIRECTOR OF
        INFORMATION ASSURANCE, NATIONAL SECURITY AGENCY

    Mr. Schaeffer. Good morning, Mr. Chairman.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Schaeffer appears in the Appendix
on page 50.
---------------------------------------------------------------------------
    Chairman Coburn. Good morning.
    Mr. Schaeffer. I appreciate the opportunity to be here
today to talk briefly about the NSA's information assurance
mission and its relationship to the work of the Department of
Homeland Security and others concerned with helping operators
of crucial information systems prepare for and recover from
hostile acts or other disruptive events.
    The NSA's information assurance mission focuses on
protecting what National Security Directive 42 defines as
national security information systems, systems that handle
classified information or are otherwise critical to military or
intelligence activities.
    Historically, most of our work has been sponsored by and
tailored for the Department of Defense. Today, national
security systems very often rely on commercial products or
infrastructure or interconnect with systems that do. This
creates significant common ground between defense and broader
U.S. Government and homeland security needs. More and more, we
find that protecting national security systems demands teaming
with public and private institutions to raise the information
assurance level of products and services more broadly. If done
correctly, this is a win-win situation that benefits the whole
spectrum of information technology users, from warfighters and
policy makers to Federal, State, local governments and
operators of critical infrastructure and major arteries of
commerce.
    This convergence of interests has been underway for some
time and we can already point to several examples of the kind
of fruitful collaboration it inspires. For instance, the NSA
and the National Institute of Standards and Technology have
been working together for several years to characterize cyber
vulnerabilities, threats and countermeasures to provide
practical cryptographic and cyber security guidance to both IT
suppliers and consumers.
    Among other things, we have compiled and published security
checklists that harden computers against a variety of threats.
We have shaped and promoted standards that enable information
about computer vulnerabilities to be more easily cataloged and
exchanged, and ultimately, the vulnerabilities themselves to be
automatically patched. And we have begun studying how to extend
our joint vulnerability management effort to directly support
compliance programs, such as those associated with the Federal
Information Security Management Act. All of this is
unclassified and advances of cyber security in general, from
national security and other government networks to critical
infrastructure and other commercial and private systems.
    The NSA partners similarly with the Department of Homeland
Security. In 2004, DHS joined the NSA in sponsoring the
National Centers of Academic Excellence Program to foster
training and education programs to support the Nation's cyber
security needs and increase the efficiency of other Federal
cyber security programs. The NSA has supplied trained personnel
and other technical support to the U.S. Computer Emergency
Readiness Team, and we routinely alert one another to possible
or emerging hostile cyber threats. In fact, DHS has just named
an integree to work in the NSA-Central Security Service Threat
Operations Center, which has as one of its missions to monitor
the operations of the global network in real time to identify
network-based threats to DOD and intelligence community
networks.
    NSA and DHS cooperate on investigations and forensic
analysis of cyber events and malicious software, and together,
we look for and mitigate the vulnerabilities in various
technologies that would render them susceptible to similar
attacks. We each bring to these efforts complementary
experience, insight, and expertise based on the different
problem sets and user communities on which we concentrate, and
we each then carry back to those communities the dividends of
our combined wisdom and resources.
    With regard to post-incident response, the NSA supplies
technical personnel, advice, and equipment to support an
efficient response and recovery to disasters. The NSA has
worked with the DHS Infrastructure Protection Division to plan
for interoperable communications systems needed to support
response and recovery. We did this for Hurricane Katrina and do
it for other disasters, as well.
    When it comes to reconstructing networks, however, beyond
just communications systems, bringing in replacement technology
may be the easy part. The real challenge is knowing what to
reconstruct. That means maintaining an up-to-date understanding
of what set of data, functions, and connections available to
what set of users qualify as critical.
    Looking forward, NSA and DHS interests will continue to
merge and the opportunities needed for shared network and
mutual support will continue to grow.
    Finally, beyond technical convergence, in the post-
September 11 world, the NSA and DHS are bound together by the
need to provide for communications across once unbridgeable
chasms of classification and practice, from the President all
the way to first responders and the owners and operators of
critical infrastructure. As a starting point, the NSA and NIST
have established a suite of unclassified algorithms that can be
implemented in commercial off-the-shelf offerings as well as
specialized high-end government equipment. This sets the stage
for interoperable encryption and message authentication and is
an important step, although just one step in the broader effort
to ensure that the Nation can recognize and respond to
impending emergencies or their aftermath.
    Once again, thank you, Mr. Chairman, for giving me the
opportunity to appear before you today and for your leadership
in this area.
    Chairman Coburn. Thank you, Mr. Schaeffer.
    Next, Ms. Evans, just a side note. Thanks for all your help
on our Government Accountability and Transparency Act. It
passed the Committee unanimously yesterday.

   TESTIMONY OF KAREN EVANS,\1\ ADMINISTRATOR FOR ELECTRONIC
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND
                             BUDGET

    Ms. Evans. Congratulations. Good morning, Mr. Chairman, and
thank you for inviting me to speak about ``Cyber Security:
Recovery and Reconstitution of Critical Networks.'' My
testimony today will focus on OMB's activities to improve
security and resilience of the Federal Government's cyber
critical assets.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Evans with an attachment appears
in the Appendix on page 53.
---------------------------------------------------------------------------
    Last year, the Director of OMB issued a regulation on
maintaining telecommunication services during a crisis or an
emergency. The regulation required each agency to review its
telecommunications capability in the context of planning for
contingencies and continuity of operation situations. OMB also
asked each agency to confirm that they were complying with
directives issued by the National Communications System (NCS),
and guidance issued by the Federal Emergency Management Agency
(FEMA).
    In August 2005, all large agencies submitted reports on the
status of their telecommunications services. OMB and the NCS
analysis revealed the need for additional guidance to the
agencies regarding the use of redundant and physically separate
telecommunications service entry points into buildings and the
use of physically diverse local network facilities.
    In October 2005, the NCS hosted a Route Diversity Forum for
representatives from over 70 Federal agencies. In addition, the
NCS developed a Route Diversity Methodology, enabling agencies
to self-assess their own facilities.
    When an agency initiates new telecommunications
procurements, the agency must determine the appropriate level
of availability, performance, and restoration that is required.
\nThe General Services Administration's upcoming Networx \nprocurement will specify telecommunications infrastructure \nsecurity requirements to protect contract network services, \ninfrastructures, and information processing resources against \ncyber and physical threats, attacks, or system failures. The \nNetworx program will ensure that telecommunications \ncapabilities are continuously ready to meet the needs of the \nFederal agencies during national emergencies.\n    On December 17, 2003, the President signed Homeland \nSecurity Presidential Directive 7, ``Critical Infrastructure \nIdentification, Prioritization, and Protection.'' This \ndirective established the national policy for Federal \ndepartments and agencies to identify and prioritize U.S. \ncritical infrastructure and to protect it from terrorist \nattacks. OMB worked with the Department of Homeland Security to \nevaluate the protection plans. We have provided each agency \nwith a written response explaining our approval, our \ndisapproval of the agency's cyber security plan, and \nhighlighting areas where improvements were needed.\n    Additionally, each year, agency CIOs, chief information \nofficers, and program officials conduct IT security reviews for \nsystems that support their programs. As part of their \nevaluations, agencies are asked to categorize their information \nsystems into high, moderate, and low impact and document the \nsecurity controls implemented for each.\n    Last, the National Cyber Response Coordination Group is the \nprincipal Federal interagency mechanism to coordinate the \npreparation for and response to cyber incidences of national \nsignificance. OMB is a member of the group, along with other \nagencies having a statutory role in cyber security, cyber \ncrime, or protection of critical infrastructure. 
During a cyber \nincident, the member agencies would integrate their \ncapabilities in order to assess the scope and severity of the \nincident, govern response and remediation efforts, and advise \nsenior policy makers. The group would also use their \nestablished relationships with the private sector and State and \nlocal governments to help manage the cyber crisis and develop \nrecovery strategies.\n    In conclusion, each agency is responsible for ensuring the \ncontinued availability of its mission-essential services. \nStrategic improvements in security and continuity of operations \nplanning can make it more difficult for attacks to succeed and \ncan lessen the impact of attacks when they occur. The \nAdministration will continue to work with the agencies, \nCongress, and GAO to ensure appropriate risk-based and cost-\neffective IT security programs, policies, procedures are put in \nplace to protect the Federal Government's critical cyber \ninfrastructure.\n    I would be happy to take any questions, sir, that you may \nhave.\n    Chairman Coburn. Thank you, Ms. Evans. Mr. Rhodes.\n\nTESTIMONY OF KEITH RHODES,\\1\\ CHIEF TECHNOLOGIST AND DIRECTOR, \n    CENTER FOR TECHNOLOGY AND ENGINEERING, U.S. GOVERNMENT \n                     ACCOUNTABILITY OFFICE\n\n    Mr. Rhodes. Thank you, Mr. Chairman. We appreciate the \nopportunity to testify on our Internet reconstitution report \nbeing released today that we completed at your request.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Rhodes appears in the Appendix on \npage 111.\n---------------------------------------------------------------------------\n    Last summer when GAO testified before your Subcommittee, we \ndiscussed the work that remained for DHS to fulfil its cyber \nsecurity responsibilities in 13 key areas, including developing \na plan for recovering the Internet when it is disrupted. 
\nDespite Federal policy requiring DHS to develop this integrated \npublic-private plan, to date, no such plan exists.\n    Today, at your request, we will briefly discuss the growing \nthreats to the Internet, where our Nation is in its efforts to \ndevelop this plan, and recommendations to both DHS and the \nCongress to facilitate public and private efforts to recover \nthe Internet when major disruptions occur.\n    First, threats. Criminal groups, foreign intelligence \nservices, hackers, and terrorists are all threats to our \nNation's computers and networks. A recent intelligence report \non global trends forecasts that terrorists may develop \ncapabilities to conduct both cyber and physical attacks against \ninfrastructure nodes, including the Internet. In fact, the \nInternet itself has been targeted and attacked and private \ncompanies who own the majority of the Internet infrastructure \ndeal with cyber and physical disruptions on a regular basis.\n    For example, viruses and worms are often used to launch \n``denial of service'' attacks that result in traffic being \nslowed or stopped. Several recent cyber attacks highlight the \nimportance of having robust Internet recovery plans, including \na 2002 coordinated denial of service attack that targeted all \n13 Internet route servers.\n    For most of these attacks, the government did not have a \nrole in recovering the Internet, but recent physical attacks \nlike the terrorist attacks of September 11, 2001, and Hurricane \nKatrina, highlight the need for public-private coordination \nassociated with Internet recovery. 
DHS has begun a variety of \ninitiatives to fulfill its responsibility for developing an \nintegrated public-private plan, but these efforts are not yet \ncomplete nor are they comprehensive.\n    Specifically, DHS has developed high-level plans for \ninfrastructure protection and national disaster response, but \ncomponents of these plans that are to address Internet recovery \nare incomplete and inadequate. For example, the National \nResponse Plan Cyber Annex does not reflect the National Cyber \nResponse Coordination Group's current operating procedures. DHS \nhas started a variety of initiatives to tackle this problem, \nincluding working groups to facilitate response and exercises \nto practice recovery efforts. However, these efforts are \nimmature and the relationships among groups like the Internet \nDisruption Working Group and others are not evident.\n    Regarding challenges that have impeded progress, first, it \nis unclear what government entity is in charge, what the \ngovernment's role should be, and when it should get involved. \nExpanding on each of these, DHS National Cyber Security \nDivision and the National Communications System have \noverlapping responsibilities. In addition, there is a lack of \nconsensus about the role DHS should play. The government is \npursuing the grandiose plan approach with the NIPP and the \nNational Response Plan, while the private sector wants more of \nan assist or tactical role from the government that our report \nlays out in detail. And triggers that clarify when the Federal \nGovernment should be involved are unclear.\n    Second, our Nation is working in a legal framework that \ndoesn't specifically address the government's roles and \nresponsibilities in the event of an Internet disruption. 
In \naddition, the Hurricane Katrina recovery effort showed that the \nStafford Act can create a roadblock when for-profit companies \nthat own and operate critical infrastructures need Federal \nassistance during national emergencies.\n    Third, the private sector is reluctant to share information \nwith DHS because it does not always see value in sharing, does \nnot necessarily trust the government, and views DHS as an \norganization lacking effective leadership.\n    To address these inadequacies, our statement includes nine \nspecific recommendations for DHS, including determining who \nshould be in charge given the convergence of voice and data \ncommunications, developing a plan that is consistent with what \nthe private sector infrastructure owners need during a time of \ncrisis, and incorporating lessons learned from incidences and \nexercises.\n    In addition, the Congress should consider clarifying the \nlegal framework that guides roles and responsibilities for \nInternet recovery.\n    In summary, Dr. Coburn, exercises to date and a recently \nissued report by the Business Roundtable found that both the \ngovernment and private sector are poorly prepared to \neffectively respond to cyber events. Although DHS has various \ninitiatives underway, these need to be better coordinated and \ndriven to closure. Until that happens, the credibility of the \nDepartment will not be where it needs to be to build effective \npublic-private relationships needed to effectively respond to \nmajor Internet disruptions.\n    This concludes our statement. Thank you, Mr. Chairman, and \nwe are prepared to answer any questions the Subcommittee may \nhave.\n    Chairman Coburn. Thank you very much.\n    Mr. Foresman, your response to Mr. Rhodes' report?\n    Mr. Foresman. Mr. Chairman, let me offer two responses. 
\nOne, as we have gone through that report, we clearly agree that \nthe road ahead, whether we are talking about GAO or the private \nsector, we agree on the road ahead.\n    I would, however, not agree with him in terms of the \nperception that he might leave in the relationship with the \nprivate sector. My fourth day on the job back in January, one \nof the first groups I met with in this particular case was the \nBusiness Roundtable and one of the key issues we talked about \nwere cyber security, the concern about reconstitution and \nrecovery of the Internet, and I think that as you said in your \nstatement, Mr. Chairman, this is not easy and there are a lot \nof folks who have said, well, it is not where it should be, and \nI would agree. But we need to have definitive milestones. We \nneed to have definitive deliverables.\n    But I will tell you, sir, just as your comment to us that \nwe need to work closely with the private sector, getting \nagreement across the various elements in the private sector, \nwhether it is the information technology sector or the \ntelecommunications sector, this is not easy. We are not in a \nposition to force them. We are coalescing the road ahead.\n    So I would agree that we share the vision. I think his \nassessment in terms of progress is much bleaker than what is \nthe actual progress to date.\n    Chairman Coburn. Why would the private sector be reluctant \nto give DHS information on this?\n    Mr. Foresman. Mr. Chairman, I think there are three things. \nThere are those elements of the private sector that are \nreluctant to give us information and there are those elements \nof the private sector that are not reluctant to give us \ninformation. A conversation with a handful of people does not, \nI think, effectively reflect the private sector as a whole \nbecause the private sector is rapidly big.\n    But as you know, there are a couple of issues here. 
One, \nthere is the concern of our private sector partners out there, \nthe proprietary nature of the information that they have in a \nbusiness competitive environment. They want further and \nstronger assurances that proprietary information is not going \nto be shared with competitors.\n    The second issue, and frankly is a legitimate issue, is \ngovernment and the private sector have typically operated in a \nregulator-regulatee relationship over the past 20 or 25 years. \nWhen we talk about the IT community, it is not, if you will, \nregulated by government, and clearly there are the \ninstitutional----\n    Chairman Coburn. Thank goodness.\n    Mr. Foresman. Yes, sir, and clearly, the institutional \nbarriers to getting beyond a 25- or a 50-year culture to get \ninto a collaborative partnership is not a culture that you \nchange overnight. And so I think it is part policy, it is part \nculture, but we are seeing more and more every day as we \ncollaborate with the private sector. As our US-CERT, for \ninstance, gets specific information provided to us through a \nvariety of sources, such as the NSA, we rapidly get that \ninformation out to the private sector and they rapidly come \nback to us with information. So it sometimes comes down to who \ndid you talk to last and what is it that they said to you?\n    Chairman Coburn. Well, the group that I talked to last were \nthe ISPs and the telecommunications companies, and I would tell \nyou in that meeting, uniformly, there was no trust of DHS with \nany of their proprietary data, and that was in a classified \nbriefing I had 3 months ago. How do you establish the \nleadership role and the trust that allows the private sector to \ndo what they know how to do that you don't know how to do?\n    Mr. Foresman. Well, Mr. Chairman, this comes down to the \ncontinued interaction. As Ms. 
Evans identified and as other \nfolks have identified, we have got a number of working groups \nwhere we have got government and the private sector sitting \nside by side, developing sector-specific plans, for instance, \nunder the National Infrastructure Protection Plan, and trust is \nnot a function of me coming into the room and sitting with our \nprivate sector partners and saying, trust me. We have to prove \nit.\n    This is the benefit of these joint planning activities. As \nmuch as we would like them to be done in immediacy overnight, \nthey are not. But just as it is taking time to develop those \nplans, one of the important byproducts is that we are raising \ntrust every day when we put these people in the room together.\n    Chairman Coburn. I will be submitting some questions to you \nseparate from that. I would hope that we could get a timely \nresponse.\n    Mr. Foresman. Mr. Chairman, I will ensure that you get a \ntimely response and I will acknowledge that we were remiss in \nnot hitting the deadline on getting our testimony to you. I \naccept full responsibility and I will give you my personal \nassurance that we will correct those issues in the future.\n    But I also want to underscore, by no means were we trying \nto not get information to you. This is a critically important \narea. This Subcommittee is one of the few committees across the \nCongress that has shown a continuing interest in this area. It \nis not an easily understood area, and frankly, this level and \nmore of this type of dialogue is going to be absolutely \ncritical to our success.\n    Chairman Coburn. Mr. Schaeffer, at NSA, tell me about your \nrelationship with the private sector and trust and relationship \nand information sharing and how have you developed that and how \ndo you utilize that. Have you emphasized recovery more than \nphysical asset protection?\n    Mr. Schaeffer. 
Well, sir, I think our relationship with \nindustry or the private sector is on a number of levels. \nClearly, there are, as I mentioned in my testimony and others \ndid, as well, the dependence upon the private sector to deliver \nthe technology, the capabilities that we need within the \nnational security community, and quite frankly, across the \nentire Nation, is dependent upon the reliability, the security \nof that technology. So we have a very deep relationship with \nthe private sector in establishing on a one-on-one basis the \navailability of vulnerability information of the products that \nthey provide, assisting them in increasing the overall security \nor assurance of those products, and then we also work with the \ninfrastructure providers themselves to understand the \nvulnerabilities within those environments and help them address \nthe situation, the improvements that can be made in that \nenvironment.\n    Most of our relationships that are strong come from a one-\non-one basis with the agency. We participate. We collaborate \nwith industry associations and do that in a very open and, I \nthink, positive way. But I think as Mr. Foresman outlined, it \nis a situation that takes a tremendous amount of work with \nindividual companies, then with industry or association groups, \nand then in larger forums to build the trust and confidence \nthat information that is exchanged with the government, and in \nthis case NSA, receives the appropriate level of protection. It \nis something that we work on every day. 
It takes that sort of \nattention and commitment.\n    And we have seen actually tremendous progress over the last \nseveral years as the community at large, the public-private \ncommunity, has come to better understand the risks associated \nwith operating in this highly networked environment and the \nneed for close collaboration amongst public-private enterprises \nto better understand the vulnerabilities and ways of mitigating \nthem.\n    I think we are an example of where it has worked because we \nhave developed the trust and confidence over a long period of \ntime with companies, trade groups, industry associations, and \nso forth, and I see promise in what DHS is leading, in what DHS \nis participating in, and quite frankly, what I see the entire \nIT industry participating in. We are just at the bottom of a \nvery steep hill.\n    Chairman Coburn. Has NSA's main focus been on \nfunctionality?\n    Mr. Schaeffer. No, sir. NSA's main focus has been on the \nassurance of the functionality that is provided in the devices, \nso----\n    Chairman Coburn. That is what I mean. But the goal is \nfunction. The ultimate goal for security is to maintain \nfunction, or to recover function.\n    Mr. Schaeffer. Yes, sir. That is correct.\n    Chairman Coburn. All right. Mr. Rhodes, you mentioned the \nworking groups aren't communicating. We don't have cross-\nreference. You also mentioned a role that is more grandiose \nrather than recovery. Talk for a minute, if you would, about \nthe working groups that have been established and what you see \nthat needs to be changed there so that we accomplish this goal \nof protecting and recovering functionality.\n    Mr. Rhodes. The big struggle with the working groups seems \nto be that there are a lack of roles and responsibilities and \nclear lines of authority. There seems to be a not clear \ndefinition of how the working groups relate to one another----\n    Chairman Coburn. 
In other words, they could come up with a \nreally appropriate plan, but have no authority to get that plan \nimplemented?\n    Mr. Rhodes. And no milestones. Your original point about \nbudget against effect, a recommendation with money, a \nrecommendation with schedule, not just--they can come up with \nthat, but then what is their schedule? What is their time line? \nWhat is their relationship? That is the main struggle we see.\n    Also, working groups without authority. What purpose do \nthey serve? If they don't--if no one has the hammer, if no one \nhas the authority to get anyone to do anything, then it is just \nanother group that meets to meet instead of meeting to get \nsomething done. As you say, they could have very fine \nrecommendations, but where do they go from there?\n    Chairman Coburn. OK. One last question for you, the comment \non the Stafford Act. I don't believe we have gotten anything, \nand I may be wrong, from the Administration on modifying the \nStafford Act so that we can help the telecommunications \nindustry and the Internet industry to recover by assisting them \nwith either protection or transportation or security as they \nbring these systems back up. Would you agree that is something \nthat we ought to hear from the Administration? And we may have, \nI am just not aware of it.\n    Mr. Rhodes. We haven't seen anything, either, but when you \nlook at the tactical needs, the tactical view that private \nindustry takes, they are talking about just those things--fuel, \naccess, transportation. They are not talking about, tell me how \nto bring the Internet back up. They are saying, let me get into \nthe disaster area with my business credential or some emergency \ncredential issued by the U.S. Government so I can go to the \nlocation to do the job that the government can't.\n    Chairman Coburn. And modify the law so that the government \nassets----\n    Mr. Rhodes. And modify the law----\n    Chairman Coburn [continuing]. 
And assist that effort.\n    Mr. Rhodes. Absolutely. I mean, what we hear from private--\nand it is not just relative to the Internet, it is whether we \nare talking to the chemical industry or we are talking to gas \nand oil or we are talking about the power grid or folks like \nthat, they are all saying, let me do my job. I am not the enemy \nbecause I am for profit.\n    Chairman Coburn. Yes.\n    Mr. Rhodes. I am the infrastructure. Let me go into the \narea I am supposed to in order to fix it.\n    Chairman Coburn. Right. Which we saw lots of problems with \nduring Hurricane Katrina.\n    Mr. Rhodes. Absolutely, and saw it during September 11, \n2001, also.\n    Chairman Coburn. All right. Ms. Evans, not long ago, the \nFederal Government's critical infrastructure protection \ncoordination efforts were run out of the White House and some \nin private sector viewed this, and I think probably still do, \nas a higher Administration priority than it is now. Should \nthese initiatives remain within DHS or should we consider the \nprior model?\n    Ms. Evans. The model that we have right now is in place as \na follow-on from the Homeland Security Act as well as the \nPresident's HSPD-7, which clearly outlines that the Secretary \nof Homeland Security has the responsibilities for these \nactivities. This does not mean that the Administration does not \nview this as a priority, because oversight activities still \noccur out of the White House and the Executive Office of the \nPresident, with the Office of Management and Budget, myself, as \nwell as the Homeland Security Council. So the Administration is \nvery much committed to this and continues to have cyber \nsecurity reconstitution, continuity of operations, as a \npriority.\n    I do think that the model that we have in place right now \nis an effective model and can work, because the actual work and \nexecution happens in the agencies. The President holds the \nSecretary accountable for these actions. 
The President holds \nhim accountable for getting these plans in place with clear \nmilestones. This clearly has been talked about, and to achieve \nthe results.\n    We, in the White House, do not do the actual execution. The \nwork is done out in the agencies. And so it doesn't diminish \nthat the Administration doesn't view this as a priority by \nhaving a person clearly responsible for the execution of these \nactivities at a department level.\n    Chairman Coburn. Any of you can respond to this if you \nwant. It just seems to me that 75 percent of this is private \nsector. Why wouldn't the Administration's view say, OK, you are \nthe guys that know all this. You are the guys who are \nresponsible for it. Your bottom line depends on it staying up \nand working. Why don't you go tell us what you think we ought \nto do rather than us tell you what we think you ought to do? \nWhy shouldn't the debate be, private industry, come tell us \nwhat to do. Why shouldn't the organizational framework be, let \nus listen to them and then let us create the framework based on \nwhat they suggest we ought to do rather than top-down? Why not \nprivate industry up?\n    Mr. Foresman. Mr. Chairman, if I might, that is exactly \nwhat we are doing, and that is why we have the National \nInfrastructure Protection Plan. That is why we have the \ndevelopment through the sector coordinating councils. The role \nof the Federal Government is not to tell the private sector \nwhat to do. It is to create the environment to provide for a \nnational approach, and what I mean by that is the Federal \nGovernment is uniquely positioned to bring together the \nelements of local government, State government, tribal and \nterritorial, the private sector partners, because this is a \nhomeland security issue. 
It is a national security issue.\n    So our job is to get all of the players around the table \nand to go through and get the best and the brightest in the \nroom to say, what is it that we, as a Nation, need to be doing, \nbecause this is not a Federal issue. It is clearly a national \nissue.\n    Chairman Coburn. Do you think that is happening right now?\n    Mr. Foresman. Senator, I don't think it is happening to the \ndegree that it should, and I think, as all of the folks have \npointed out, this continues to be a growth effort, a growing \neffort on the part of this Nation in the post-September 11 era. \nWhen I was vice chairing the Gilmore Commission prior to \nSeptember 11, we raised the whole issue of critical \ninfrastructure protection and the fact that a significant \namount of work needed to be done. I don't think we have reached \nthe optimal level of private sector direction and input into \nit, but at the end of the day, I don't think we were going to \nstart--we are not going to start at the perfect position. This \nis very much a learning process for everyone, Federal, State, \nlocal, public sector, and private sector.\n    Chairman Coburn. Well, the private sector is being attacked \nall the time now and they are responding, both in terms of \nphysical assets and software and encryption and everything \nelse. They are doing the things because they are seeing the \nattacks anyway. It just seems to me we have got it backwards. \nWe ought to have the private sector come together and say, here \nis how we think you ought to mobilize State and local \ngovernments. Here is how we think you ought to set up the \nstructure to best maintain this. Here is how we think you \nassure protection.\n    What would happen to this economy if you had a 4-week \ndisruption, interruption of the Internet? 
We would be on our \nback, and everybody knows that, and yet the urgency to make \nsure that can't happen, or if it did happen to recover quickly, \nI don't see anywhere except in the private sector.\n    Mr. Foresman. Mr. Chairman, I would respectfully disagree \nin this context. We are aware of a variety of things we \nobviously cannot get into in an open hearing----\n    Chairman Coburn. I understand that.\n    Mr. Foresman [continuing]. But we are aware of a \nsignificant number of things that have occurred in recent time \nthat the private sector was not aware of had government not \nmade them aware of it. So we are doing our part to give them \nthe information. They, in turn, are assessing the situation, \nbringing recommended solution sets back to us, implementing \nsolution sets in the broadest of terms, and so our role wasn't \nto go to them and say, here is the problem. Here is what we \nwant you to do to fix it. We made them aware of the problem. We \nknow that they are the owners and the providers of a lot of the \ncritical IT backbone. They assessed it. They took steps. And \nthis happens hundreds, if not thousands, of times every month. \nI would very much underscore that US-CERT, as just one example, \nthere is daily ongoing dialogue between Federal agencies and \nthe private sector, not in the context of here is what you have \nto do, but here is the problem and please come back to us.\n    Now, I will tell you that there are going to be times that \nthe private sector is going to assess the risk differently than \nwe do in government and then they are forced to make a business \ndecision about whether they are going to invest the time and \neffort into it to address it. So this is all part of the trust \nprocess that we can get to an equal common ground.\n    Chairman Coburn. Fair enough. One last question for Ms. \nEvans, and I will have questions for each of you. 
I also would \nlike for you to have staff stick around here to hear our other \npanelists because routinely I see Administration witnesses \nleave before those that have a different position and \nconstructive criticism can be heard.\n    Ms. Evans, do you have enough staff to handle the cyber \nsecurity of critical infrastructure and Federal information \nsecurity management?\n    Ms. Evans. My answer would be yes, sir, that I do. We have \nsubject matter experts for each of the areas that I am \nresponsible for and the way that we manage within OMB is that \nwe have portfolios of agencies and we work very closely with \nall parts of OMB so that we are managing the issues across the \nboard as they affect each of the agencies. So it isn't just my \nstaff, but it is the entire resources that are available within \nOMB because we take a portfolio approach to this.\n    There is one thing that I would like to follow up on, Mr. \nForesman's comment, and this is what the government is doing as \na whole, at least from a Federal perspective. We do view it as \nwe are buying services, because we don't own the \ninfrastructure. There are activities that we have done and that \nwe are continuing to do. In my written testimony, I have \nincluded the information security line of business.\n    But as you know, we spend $65 billion on information \ntechnology, so in the course of that spending, we make it very \nclear what the services are that we need, what the risk is \nassociated with the services and the information we need to \nprotect, and as Mr. Foresman said, then it is up to industry to \noffer us the solutions back, and the way that we structure \nthose procurements is not to tell them, we want you to do X, Y, \nand Z, but to really frame, this is the service, this is the \nrecovery level, this is the level of risk that we are willing \nto accept. Here is the type of protection that we think we need \nto have. 
And then we do look to private industry to give us the \nsolutions that can best service those needs, because as you \nhave said, sir, it is about the functionality and the mission \ncritical nature of the services that we provide that we need to \nhave that reliability.\n    Chairman Coburn. I would like you to repeat that number so \neverybody can hear what you spend annually on IT.\n    Ms. Evans. Sixty-five billion dollars.\n    Chairman Coburn. This Subcommittee will have a hearing on \nwhether or not that is spent properly or not. I can tell you, \nfrom the Defense Travel System, you certainly haven't spent the \nmoney properly. So we will be looking at that.\n    Ms. Evans. Well, we are looking forward to it, yes, sir. \n[Laughter.]\n    Chairman Coburn. Sixty-five billion dollars is a lot of IT.\n    Thank you. You will each receive questions. Thank you for \nthe report from GAO. I thank each of you for your service to \nour country and I would dismiss this panel and ask our next \npanel to come forward.\n    I am going to start introducing our witnesses while they \nare being seated. Thomas Noonan is Chairman, President, and \nChief Executive Officer for Internet Security Systems (ISS). He \nis responsible for the overall strategic direction, growth, and \nmanagement of the company. Under his leadership, ISS revenues \nsoared from start-up in 1994 to nearly $330 million in its \nfirst decade. The company has grown to more than 1,200 \nemployees with operations in 26 countries. In 2002, President \nBush appointed Mr. Noonan to serve on the National \nInfrastructure Advisory Council, a homeland defense initiative \nthat protects information systems that are critical to the \nNation's infrastructure. He currently chairs the NIAC \nEvaluation Enhancement of Information Sharing and Analysis \nWorking Group.\n    Robin Bienfait, Senior Vice President, Global Network \nOperations, AT&T, welcome. 
She is the first woman in company \nhistory to be responsible for AT&T's global network, including \nlocal, data, and voice network worldwide. I pay them a lot of \nmoney every month. In addition, she leads teams that manage \nnetwork security and global network disaster recovery. And \nadditionally, she previously led AT&T's international and \ndomestic core network operations and technical support division \nand has held a variety of other technical and leadership \npositions of increasing responsibility since joining AT&T in \n1985. She is a graduate of the Georgia Institute of Technology \nwith a Master's degree in management of technology. She also \nholds a Bachelor's degree in engineering from Central Missouri \nState University and an Associate in Business degree from \nMaryland University, European Division.\n    Michael Aisenberg, Director of Government Relations for \nVeriSign, serves as the company's principal liaison with the \nAdministration and Federal agencies, including the Departments \nof Homeland Security, Defense, State, and Justice. He manages a \nportfolio of policy issues, including global infrastructure \nsecurity, digital signatures, e-health, intellectual property \nand government procurement on behalf of the world's leading \nInternet trust and identity provider. He is the Vice Chairman \nand Chair-Elect of the Information Technology Sector \nCoordinating Council. In 2004, he was elected Chairman of the \nITAA's Information Security Committee. He leads VeriSign's \nparticipation in the President's National Security \nTelecommunications Advisory Committee. He holds a B.A. from the \nUniversity of Pennsylvania, a J.D. from the University of Maine \nLaw School. 
He attended Georgetown University Law Center in \n1975 and 1976, and upon graduation served 5 years as an \nattorney advisor and legislative counsel at the FCC.\n    Karl Brondell, Strategic Consultant, State Farm Insurance \nCompanies, representing the Business Roundtable here today. He \nis a CPCU, a strategic consultant in the Strategic Resources \nDepartment of State Farm Insurance Company. He is the past \nChairman of the Board of Directors for the Insurance Placement \nFacilities of Pennsylvania and Delaware. He is a member of the \nnational CPCU International Insurance Section Committee and an \nat-large Board of Director for Villanova University's Executive \nMBIA Alumni Association. He received a Bachelor's degree from \nBenedictine College, Atchison, Kansas. I, by the way, have \nvisited there. He has a Master's degree from Villanova \nUniversity in Villanova, Pennsylvania. He earned the Charter \nProperty and Casualty Underwriter Designation and holds an \nAssociate in Claims certificate and a certificate for general \ninsurance.\n    Welcome to you all. We will start with you, Mr. Noonan.\n\nTESTIMONY OF THOMAS E. NOONAN,\\1\\ PRESIDENT AND CHIEF EXECUTIVE \n               OFFICER, INTERNET SECURITY SYSTEMS\n\n    Mr. Noonan. Mr. Chairman, thank you for the opportunity to \nappear before you today. My name is Tom Noonan. I am President \nand Chief Executive Officer of Internet Security Systems. We \nare a leading provider of preemptive cyber security \ntechnologies for large-scale enterprises, and I represent the \ntechnology industry today.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. 
Noonan appears in the Appendix on \npage 132.\n---------------------------------------------------------------------------\n    We operate five cyber security centers around the world, \ntwo in the United States, the rest in Asia through Tokyo, \nAustralia, Brussels, and a partner operation in Latin America. \nWe protect our customers by monitoring the Internet for cyber \nthreats 24 hours a day, 365 days a year, providing preemptive \nprotection for customers. This is critical preemption before \nreconstitution, obviously. We utilize that security \nintelligence, technology, and expertise to preempt the strikes \nthat would cripple critical networks and stay ahead of the \nthreats.\n    I want to stress three important messages about our \nNation's security landscape this morning, and this comes from \nmy 13 years in this industry as one of the founders of this \ncompany and a person that has been working to advocate better \nsecurity practices in both the private and public sector.\n    First, threats to the critical infrastructure are real, and \nwithout a doubt, they are growing. The question is not if but \nwhen. The explosive growth of new Internet technologies, from \nwireless to voice-over Internet telephony, has engendered new \nthreats that are far outpacing the security responses of many \nprivate and governmental users.\n    Second, the intelligence protocols and technologies \nnecessary to protect against emerging cyber threats are, by and \nlarge, robust and widely available. In other words, we have the \ntools at our disposal today to safeguard our critical \ninfrastructure.\n    And finally, despite our knowledge of these threats and our \noverall ability to protect ourselves, we as a Nation are not \ndoing nearly enough to preempt the types of attacks that could \ndebilitate our critical network infrastructure. 
Leadership is \ndesperately needed at the Federal level, not to replicate \nexisting private sector efforts but rather to extend the impact \nof those efforts by encouraging the private sector to \ncollectively increase in cooperation with the government.\n    This means five things for me this morning. First, \nappointing an Assistant Secretary of Homeland Security for \nCyber Security and Telecommunications who will help secure the \nFederal Government's own networks as well as those of the \nbroader economy.\n    Second, clearly delineating and hardening the roles and \nresponsibilities of many public-private entities working today \nto secure cyberspace.\n    Three, ensuring that the Federal Government makes use of \nexisting industry resources to gather and analyze data on cyber \nsecurity threats and methods.\n    Four, creating a national plan to restore connectivity on a \nprioritized basis.\n    And five, providing sustained Federal funding--that $65 \nbillion sounds like a lot, but sustained Federal funding and \nactive Congressional oversight to ensure that the Department of \nHomeland Security is getting the job done for this country.\n    I think we know cyber threats are serious and they are \ngrowing in sophistication. The rules of criminal hacking today \nare no longer shaped by teenage malfeasants, but by \nconfederated crime operations that are driven by the economics \nof opportunity, incentive, and risk, just like traditional \ntheft, burglary, and extortion.\n    I think it is this professionalization of cyber crime that \nis unsettling for many reasons, not the least of which are \nindications that those who would seek to do harm to our Nation \nhave been working to improve their technological abilities. 
\nParticularly unsettling is not just the threat to privacy \ninformation, which we read about in the newspaper, or our e-\ncommerce applications, but more importantly to the very control \nnetworks of the automated systems that control and regulate our \nNation's industrial systems, like SCADA. Control systems are \nnow Internet-connected and they are susceptible to major \nattacks. Under contract with customers, ISS has conducted real \nworld penetration tests with large power plants and others to \nshow that they are at risk.\n    Put simply, Mr. Chairman, the fact that our Nation's \ncritical infrastructure has yet to fall victim to a significant \nand coordinated cyber attack does not mean that it can't \nhappen. Emerging technologies coupled with an exponential \nincrease in the use of new applications on the Internet have \nopened many new avenues to attack and keeping up with this \nlarge increase in vulnerabilities is a daunting task. It is \nonly complicated by the shrinking window that we are seeing \nbetween the time a vulnerability is disclosed and the time that \nit is exploited by criminal interests.\n    I think there is good news, Mr. Chairman. Our Nation \nalready has the technological capabilities to protect the \ncritical infrastructure. Private industry is operating \npositively against many of the requirements associated with \ntechnology, vulnerability, discussion, etc. But what is missing \nis genuine leadership on the part of the Federal Government. \nWe, as a Nation, can protect our critical infrastructure, and \nin fact, we already are, but that requires also Federal \nleadership.\n    I think your role here boils down to two things. 
The first \none is minding the store, and I know that Secretary Chertoff \nand the Department of Homeland Security are working around the \nclock to protect the Nation, but we need to be able to talk to \nthe person who is minding the store and that is the Assistant \nSecretary.\n    Second, it is difficult for the Federal Government to \npreach strong cyber security practices across our economy when \nthe Federal networks themselves are so woefully unprotected. \nWhile steps have been taken in recent years to improve agency \nsecurity practices through FISMA, most Federal agencies are \nstill getting failing marks when it comes to securing their \nnetworks.\n    When it comes to strengthening Federal leadership, I just \nwant to reiterate these five points in closing. Appointment of \nthe Assistant Secretary for Cyber Security and \nTelecommunications. The job has been open for over a year.\n    Two, a clear delineation and hardening of the roles and \nresponsibilities of these countless public-private entities.\n    Three, ensuring that the Federal Government makes full use \nof existing industry resources. We are absolutely willing and \nable to participate as a private sector.\n    Four, we need to develop the national plan to restore \nconnectivity on a prioritized basis.\n    And five, sustained Federal funding.\n    So there is no silver bullet here, Mr. Chairman. Securing \nour Nation's infrastructure from cyber attack requires a \nheightened degree of public-private coordination and I think it \nis a challenge but it is one we are up to. We are pleased at \nISS to be partnering with you and I thank you for the \nopportunity to participate this morning.\n    Chairman Coburn. Thank you. Ms. Bienfait.\n\n  TESTIMONY OF ROBERTA A. BIENFAIT,\\1\\ SENIOR VICE PRESIDENT, \n                GLOBAL NETWORK OPERATIONS, AT&T\n\n    Ms. Bienfait. Good morning, Mr. 
Chairman.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. Bienfait appears in the Appendix \non page 139.\n---------------------------------------------------------------------------\n    Chairman Coburn. Good morning.\n    Ms. Bienfait. My name is Robin Bienfait and I am Senior \nVice President of AT&T's Global Network Operations. I want to \nthank you for allowing me to share with you what we have done \nand what we are generally doing to ensure the reliability and \nrestorability of AT&T network services. We are committed to a \nstrong public-private partnership and we hope our experience is \nhelpful.\n    We believe there are keys to network security and disaster \nrecovery and I will focus on the following areas: The strength \nof the public-private partnership; the lessons learned, \nespecially from Hurricane Katrina and the 2003 Midwest and \nNortheast power outages; and a series of policy \nrecommendations.\n    Our country relies on cyber and physical infrastructure \nthat is provided by a very close partnership among all the \nproviders and users of this infrastructure. Each partner, both \nin the public and private sector, has a responsibility to keep \ntheir part of the infrastructure working. They also each have a \nresponsibility to be able to recover or restore their piece of \nthe infrastructure.\n    At AT&T, our goal is to have a network where failures are \nprevented or identified and corrected before they affect our \ncustomers. Since 1991, we have invested more than $300 million \nin our mobile network disaster recovery infrastructure and \ncapabilities. We have also invested $200 million in a system \nthat proactively monitors and manages the networks of some of \nour largest customers.\n    We have more than 500 fully loaded emergency communication \nvehicles that we can quickly deploy to respond to any disaster \nanywhere in the United States. 
We have the basic building \nblocks of our network infrastructure installed in 150 \ntechnology trailers and it is ready to roll at a moment's \nnotice.\n    I would like to draw on the examples of Hurricane Katrina \nand the 2003 blackouts to illustrate our approach to response \nand restoration efforts and to show you how our incident \ncommand structure makes every minute count.\n    For Hurricane Katrina, we followed our prescribed command \nand control approach to a tee. AT&T began moving equipment and \nteams from around the country toward the Gulf States in the \ndays before the storm made landfall. The first team restored \nAT&T service to its prior levels, a second team maintained and \nmonitored AT&T's facilities so as to prevent new issues from \narising, and a third team came in to help others.\n    AT&T worked around the clock to respond to this crisis and \nsafeguard its network and support the efforts to respond to the \ndisaster. AT&T was also able to direct its effort to benefit \nits customers, other telecommunication competitors and their \ncustomers, first responders, and evacuees, as needed. AT&T also \nhelped to provide relief to those directly affected by the \nhurricane and flooding and assistance to charitable relief \nefforts.\n    Thanks to these efforts and the intense dedication of the \nemployees involved, AT&T's network remained essentially intact. \nWe were able to carry at least 95 percent of all calls in the \nGulf Coast area that came to our network. Of the five percent \nof our capacity in the area that was initially lost, we \nrestored half of that capacity within a couple of hours.\n    Related to the blackouts, as you know, in 2003, large \nportions of the Midwest, Northeast, and Ontario, Canada, \nexperienced an electrical power blackout affecting 50 million \npeople. Power was not restored for 4 days in some parts of the \nUnited States. 
Because of the reliability and redundancy that \nwe designed and built into our network infrastructure, Internet \ntraffic, data services, and voice calls flowed across our \nnetwork without interruption.\n    These and other experiences have reinforced lessons that we \nmust incorporate in future planning and are the basis of our \nfollowing policy recommendations. More detailed recommendations \nare available in my written testimony.\n    Establish and practice disaster recovery processes in \nanticipation of emergencies. Communication resources can be \nbrought where needed very quickly, but it is essential that \nthose clear lines of command and control at all times are there \nto direct those resources effectively and to the area of \ngreatest need. A single agency must be identified, funded, \nempowered to act as a national cyber incident commander for any \nrequired cyber infrastructure recovery and reconstitution \nefforts.\n    Coordinate restoration and recovery efforts. Everyone \navailable should be participating and there needs to be \ncoordination so the efforts are not duplicated or in conflict \nwith one another. Logistical information, such as what roads \nare closed and what medical precautions are needed, must be \nreadily available. Moreover, a recommendation we made after \nSeptember 11 still has not been widely implemented. Companies \nsuch as AT&T that are crucial to the response to disasters \nshould have special credentials designed for employees and \naccredited in advance in order to assess disaster areas.\n    Minimize the amount of regulation and data reporting \nrequirements during a disaster and maximize the amount of \ncoordination and cooperation between public and private sector.\n    Interoperability and spectrum availability. A crisis on the \nscale we saw in the Gulf Coast and smaller challenges, as well, \ndemand a well-coordinated information and communications \ndelivery system. 
We must resolve the spectrums needed and \nhighlighted by the 9/11 Commission.\n    Consider subsidizing some of the emergency preparation by \ninfrastructure companies. The government is likely to call on \nsuch capabilities in use or would otherwise need to duplicate \nresources ineffectively.\n    We can never anticipate every contingency in an emergency, \nnor can we assure a foolproof communications network all the \ntime under all circumstances. Nonetheless, at AT&T, we have \ndone much to ensure reliability and restorability of \ncommunication networks, and together as an industry and as a \nNation, we can do more. I thank you for holding this hearing to \nadvance this important discussion.\n    Chairman Coburn. Thank you, Ms. Bienfait. Mr. Aisenberg.\n\n TESTIMONY OF MICHAEL A. AISENBERG,\\1\\ DIRECTOR OF GOVERNMENT \n     RELATIONS, VERISIGN, INC., AND VICE CHAIR, IT SECTOR \n                      COORDINATING COUNCIL\n\n    Mr. Aisenberg. Thank you, Mr. Chairman. Thank you for the \nopportunity to appear before the Subcommittee today.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Aisenberg appears in the Appendix \non page 161.\n---------------------------------------------------------------------------\n    VeriSign's 4,600 employees operate intelligent \ninfrastructures that enable and protect billions of \ninteractions every day across the world's voice and data \nnetworks. 
I, too, have three key points I would like to make \ntoday.\n    First, those who make policy in the United States must \nunderstand the economic value and critical interdependencies we \nhave developed on our information networks.\n    Second, we must understand and accommodate to the global \nnature of both our information networks and the attacks that \nare being continually mounted against them.\n    Third, largely owned and operated by the private sector, \nour network security and ability to withstand and recover from \nthe continuing attacks against them depends on effective \npartnership between government and we, the industry stewards.\n    Americans must keep a clear focus on the critical economic \nand national security role which our information networks have \ncome to fulfill. In less than two decades, the industrial \nnations have evolved an irreversible dependency and \ninterdependency by our banking, finance, transportation, health \ncare, education, power, manufacturing, and government service \nsectors on the networks managed by the companies, mostly \nAmerican, which make up the ICT sector.\n    Each day, $3 trillion pass over secure Federal financial \nnetworks. If these electronic transactions do not have Internet \nsites, such as NYSE.net, BankofAmerica.com, and Treasury.gov, \navailable, secure, and running, the U.S. economy begins to \ngrind to a halt at the rate of $130 billion per hour.\n    As you have noted, Mr. Chairman, cyber security is indeed a \nresponsibility which we all share and in which we all have a \nstake. We must recognize that information networks are global, \nincreasingly managed by interests beyond U.S. control, but at \nthe same time subjected to threats and attacked by actors from \naround the world. The role of an effective government cyber \nsecurity function and government-industry partnership is \ncentral to the BRT report's critical conclusion. 
America needs \na much improved cyber security activity, not just in DHS, but \nacross government and industry interests.\n    But while its conclusions are consistent with others from \nindustry, the BRT report's suggestions about the extent and \neffectiveness of industry engagement with DHS are, I believe, \nout of touch with important progress being made in public-\nprivate collaboration in the last 18 months. There have been \nmany, and there are increasingly significant collaborative \nengagements between the cyber industry and DHS, some of which \nwere outlined by Secretary Foresman.\n    In 2005, commented engagement with industry began to be \nregularly sought by new DHS leadership. Involvement in DHS \npolicy processes from their beginning rather than at the end \nbegan to be practiced. Examples include the national cyber \nsecurity exercise Cyber Storm, concluded in February of this \nyear, DHS's Internet Disruption Working Group, the IDWG, the \ngovernment Security Operations Community, GFirst, the just-\nreleased NIPP process, and the ongoing sector-specific plans \njust under development.\n    Mr. Chairman, my sector colleagues and I have found these \nactivities valuable and a marked departure from what we \nexperienced prior to 2005. This steady improvement and \nexpansion of industry involvement with DHS cyber and network \nsecurity activities must continue.\n    But while these milestones and improvement in the \nrelationship between cyber sector industry interests and the \nNCSD and NCC staff are important and significant, they are not \na solution, but a beginning.\n    Mr. Chairman, we are at least twice as good in our \ncooperation as we have been, but we are not half as good as we \nneed to be. Indeed, many of us believe that notwithstanding \nthese improved public and private engagements, the operational \nposture is still fraught with risk. 
If a September 11-type \nattack were to take down the NYSE today, I doubt the Exchange \ncould restore its network-dependent functions in the same 4 \ndays it did in 2001, and indeed, perhaps not in 4 weeks, and \nthe principal reason for this is DHS, or rather the \nbureaucratic impediments, many of which have already been \ndiscussed this morning, to the kind of action that the private \nsector was able to engage in in 2001 and was thwarted at during \nHurricane Katrina.\n    We need to act without delay to ensure that our networks \nand critical dependent sectors are resilient enough to \nwithstand the daily attacks being mounted against them. And as \nthe GAO is reporting today, they must be supported by the \nappropriate tools from government as well as industry to assure \nthe ability to recover with minimum collateral impact on our \neconomy and security.\n    To conclude, Mr. Chairman, going forward, several steps are \nnecessary. First, DHS's modest cyber security budget must be \ninsulated from the continuing reprogramming and budgetary cuts \nnow underway.\n    Second, a cyber security leader with credibility in \nindustry must be identified and appointed as DHS's permanent \nAssistant Secretary for Cyber Security and Telecommunications \nwithout further delay.\n    Third, critical R&D projects to improve key network \nsecurity protocols must be funded and launched or relaunched.\n    Mr. Chairman, if we do these things, we will not guarantee \nthat our adversaries will stop attacking our critical cyber \nassets, but we will improve the likelihood that we will \ncontinue to successfully withstand those attacks and retain the \navailability of these infrastructures on which we are now so \ndependent. Thank you, Mr. Chairman.\n    Chairman Coburn. Thank you, Mr. Aisenberg. Mr. Brondell.\n\nTESTIMONY OF KARL BRONDELL,\\1\\ STATE FARM INSURANCE COMPANIES, \n              ON BEHALF OF THE BUSINESS ROUNDTABLE\n\n    Mr. Brondell. Thank you, Mr. Chairman. 
I am honored for \nthis opportunity to testify today on Internet recovery on \nbehalf of the Business Roundtable.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Brondell appears in the Appendix \non page 167.\n---------------------------------------------------------------------------\n    Following the attacks of September 11, Roundtable CEOs \nformed the Security Task Force to address ways the private \nsector can improve the security of its employees, facilities, \ncommunities, and our Nation. The Roundtable believes that the \nbusiness community must be a partner with government in \ndisaster preparedness and response. The Roundtable commends the \nSubcommittee and its members for their continued interest in \nimproving procedures and preparedness to ensure recovery of the \nInternet following a major disruption. Hardening the Internet \nand strengthening cyber security is one of the priorities of \nour Security Task Force.\n    More than a year ago, the Roundtable began work on an \ninitiative to assess the public and private sector plans and \nprocedures for Internet recovery following a cyber catastrophe. \nWe have just produced and delivered a report, ``Essential Steps \nto Strengthen America's Cyber Terrorism Preparedness,'' which \nfinds that the United States is ill-prepared for a cyber \ncatastrophe, with significant ambiguities in public and private \nsector responses that would be needed to restore and recover \nthe Internet following a disaster.\n    As the Subcommittee knows, the Internet and the cyber \ninfrastructure serve as a critical backbone for the Nation's \neconomy and its uninterrupted use is a crucial issue for our \nnational and homeland security. 
But our analysis has exposed \nsignificant weaknesses that could paralyze the economy \nfollowing a massive disruption.\n    Despite progress having been made over the past decades on \ntechnical and IT issues, there are other issues that have not \nreceived the same attention. The Roundtable's report identifies \nthree significant gaps in our Nation's response plans to \nrestore the Internet.\n    First, we found the United States lacks an early warning \nsystem to identify potential Internet attacks or determine if \nthe disruptions are spreading rapidly across critical systems.\n    Second, public and private organizations that would oversee \nrestoration and recovery of the Internet have unclear or \noverlapping responsibilities, resulting in too many \ninstitutions with too little interaction and coordination.\n    Finally, existing organizations and institutions charged \nwith the Internet recovery have insufficient resources and \nsupport.\n    Collectively, these gaps mean that the United States is not \nsufficiently prepared for a major attack. If our Nation is hit \nby a cyber catastrophe that wipes out large parts of the \nInternet, there is no coordinated public-private plan in place \nto restart and restore it.\n    Let me make another point. Although there is no agreement \namong experts about the likelihood of a widescale cyber \ndisaster, they do agree that the risks and the potential \noutcomes are serious enough to mandate careful planning and \npreparation.\n    In my remaining time, let me talk briefly about our \nrecommendations for government and business to consider. We \nbelieve it is important to understand that response and \nrecovery to a cyber disaster will be different from natural \ndisasters when the Federal Government has the leading role. \nIndustry must undertake principal responsibility following an \nincident for reconstituting the communications infrastructure \nand the Internet. 
We believe that business and government must \ntake action, individually and collectively, to address these \nissues.\n    Let us start with the government. The Roundtable calls on \nthe Federal Government to establish clear roles and \nresponsibilities, to fund long-term programs, and ensure that \nnational response plans treat major Internet disruptions as \nserious national problems.\n    Regarding the private sector, our report urges companies to \ndesignate a point person for cyber recovery, update their \nstrategic plans, and set priorities to prepare for a widespread \nInternet outage and its impact on the movement of goods and \nservices.\n    When it comes to protecting our Nation, neither the \ngovernment nor business can do it alone. We feel the best \nsecurity solutions will come from a public-private partnership \nthat identifies and acts on ways to improve collaboration. Let \nme discuss a few of the collaboration recommendations.\n    First, since the first 24 hours often determine the overall \nsuccess of recovery efforts, we must focus more attention on \ncoordinating initial efforts to identify when an Internet \nattack or disruption is occurring.\n    Second, we recommend the creation of a federally-funded \npanel of experts from business, government, and academia who \nwould assist in developing plans for restoring Internet \nservices in the event of a massive disruption.\n    Finally, we believe the Department of Homeland Security, \ntogether with business, should conduct large-scale cyber \nemergency exercises with lessons learned integrated into \nprograms and procedures.\n    Without change, our Nation will continue to use ad hoc and \nincomplete tools for managing our critical risk to the Internet \nand to our Nation's economy and its security.\n    Up to this point, I have outlined for the Subcommittee the \nbasis for our observations and some of the recommendations to \nconsider. 
Now I would like to spend a moment telling you about \nthe Roundtable's plans to find solutions to the gaps that we \nhave identified.\n    First, let me say that we are confident that our member \ncompanies are able to manage most disruptions that affect \nInternet operations. For this reason, the Roundtable will focus \nits efforts on those large-scale events that no single company \nis positioned to manage absent widespread cross-industry and \ngovernment collaboration.\n    As an extension of our previous work, the Roundtable will \nexamine the processes, protocols, and practices across the \nprivate sector before, during, and after a disruptive event. We \nwill assess which institutions respond, how early warnings are \nestablished, and how companies access information and service \ncritical disruptions and emergency situations. We believe this \nwill provide a foundation for meaningful improvements in our \nNation's ability to protect and restore the Internet as well as \nclarify specific, meaningful, and actionable decisions that \nwill lead to well-coordinated public and private response and \nreconstitution processes.\n    In conclusion, let me again thank the Chairman for the \nopportunity to present the Business Roundtable's report on \ncyber preparedness and to discuss our recommendations for \nimprovements. Roundtable CEOs believe strongly that we need a \nnational response to this challenge, not separate business and \ngovernment responses, and that means better collaboration. I \nassure you, America's CEOs and our companies are committed to \ndo their part. Thank you.\n    Chairman Coburn. Thank you.\n    One of the things I take from you all is leadership is \nimportant, and the fact that we don't have the position filled \nis significant. You know, that is a real problem in our Nation \ntoday and I don't know what the cause of it is. Some people \nsay, well, the salaries aren't high enough. 
But for us to \nsecure our future, we are going to have to make individual \nsacrifice and that means somebody out of private industry needs \nto come up and fulfill this role. When they are trying to \nrecruit and nobody wants to do it because they are not willing \nto sacrifice a little bit of earnings for 3 or 4 years and make \na commitment to make a difference to our country, we are losing \nthe very essence of what it means to be Americans.\n    So it is pretty hard to hire somebody into a Federal \nGovernment agency into a position that is going to mean their \nsalary is going to be cut in half if there is no patriotic \nthought that you can make a contribution to our country. Each \nof you have raised that. Do any one of you all want to \nvolunteer for that position? [Laughter.]\n    Mr. Noonan. I know someone that does, sir.\n    Chairman Coburn. Well, the man that probably is involved in \nthat decision is sitting behind you. I hope you will \ncommunicate that with Secretary Foresman.\n    Mr. Noonan. I certainly will.\n    Chairman Coburn. I appreciate him being here.\n    Just quickly, I am going to have several questions and I \ncan't get them all through to you, so I am going to submit them \nin writing.\n    What do you think about the GAO's report? Mr. Brondell has \njust made a recommendation, we have got all these working \ngroups. Here is what you all think we ought to do. We have got \nworking groups, yet we basically have nobody in charge. What \nwould happen tomorrow if a major event happened? We don't have \nthe coordination across government to the private sector to \nestablish that. So how do we respond? How do we take your \nrecommendation, Mr. Brondell, versus the problem? We have got \nworking groups. We have got people that are involved in it. How \ndo we get it off dead center and make something happen?\n    Mr. Brondell. First of all, we do applaud that the efforts \nare moving in the right direction. 
As you heard earlier this \nmorning, it is a long road that we are going to have to pull, \nbut as we look at a collaborative approach, we do agree and \nhave suggested that we do need some focal point within the \ngovernment that private sector can rely upon. We support the \naddition of the position. We hope that it gets filled quickly \nand goes through the administrative process to be in place.\n    But to your question of what we would do today if it \nhappened, industry would continue to respond as it has in the \npast and overcome the hurdles based on the experience from past \nsmaller incidents. But the lacking of collaboration, it could \ndamage the overall economy with a long delay.\n    Chairman Coburn. Mr. Aisenberg.\n    Mr. Aisenberg. Senator, we see a steady stream of insults \nagainst the network on a daily basis. VeriSign routinely repels \n1,000 or more attacks against the naming infrastructure, the \nDNS, every day. Major events happen with greater frequency than \nmakes us happy, but we are successful in repelling those now, \nby and large. But every day, the sophistication in those \nattacks grows. The sources of them become more diverse and the \nrisks inherent, therefore, become more severe.\n    So you are absolutely right. We need a more coordinated \napproach. We cannot guarantee, no one can guarantee that an \nattack will not at some point be successful, and I agree, the \nability to reconstitute and recover from a serious attack at \nthe moment is not as good as we need it to be, and I could not \npredict how severe or how long a major attack that took down \nthe naming system or fundamental other aspects of the Internet \ncould persist and impact the economy. Our best defense is the \naggressive investment that the infrastructure stewards make in \nmassive overhead, massive engineering, constant exercising, \nconstant testing of the security, and vigilance, and a little \nbit of good luck.\n    Chairman Coburn. 
Is there an early warning system out there \nnow?\n    Mr. Aisenberg. It depends on what you mean by early \nwarning.\n    Ms. Bienfait. Not one that you would actually, as we would \ndo with a hurricane in an emergency scenario, we see a \nhurricane coming and we have got a way to give an early \nwarning----\n    Chairman Coburn. No, I mean is there a communication \nnetwork where, whether it is NSA or whoever is experiencing it, \nall of the sudden, this is a major attack and time is of the \nessence and everybody knows it is happening in one area so they \ncan prepare if their area is about to get hit. Is that out \nthere now?\n    Ms. Bienfait. Not across----\n    Chairman Coburn. Is there an early warning system so that \nthere is communication to all the players that something is \nhappening. You need to know about it. Here is what we see. You \nmight be next. Is that happening now?\n    Ms. Bienfait. We have something internal to ourselves that \nwe can actually see the signatures and the knocking of all the \nhacking attacks against our network----\n    Chairman Coburn. That is your network?\n    Ms. Bienfait. That is my network. But we are only doing \nthis in our own domain. We are not doing a lot across \ncompanies, across collaboration----\n    Chairman Coburn. Is there something that prevents you \nlegally from being able to communicate that with the rest of \nthe service providers?\n    Ms. Bienfait. Nothing at this point in time, other than us \ngetting a trusted environment where we could actually do pre-\nplanning ahead of time so that we know what that information \nmight look like. 
We are doing some of that right now, trying to \nput best practices together, but there is not anything formal \nto the point that we know how to pull up a security alert and \nactually say, hey, the collaboration of the different units, I \nam going to shut down this part of my network or I am going to \nopen up that part of my network so that this work can flow \nthrough.\n    Chairman Coburn. And you would all agree that is needed?\n    Ms. Bienfait. I think it is necessary.\n    Chairman Coburn. It is needed, and one of the reasons it is \nnot is because there is not a position of leadership and trust \nwhich you can work through?\n    Ms. Bienfait. You really have to have a very trusted \nenvironment. It is essential----\n    Chairman Coburn. Otherwise you expose proprietary \ninformation.\n    Ms. Bienfait. Exactly. And we are working through that, it \nis just not moving fast enough.\n    Chairman Coburn. OK.\n    Mr. Aisenberg. Senator, another aspect of that is that what \nwe call the millisecond sectors--electric power, \ncommunications, IT--frequently see insults only after they are \nactually mounted. Unlike intelligence gathering around physical \nattacks where you hear a tip from one individual and you can \ngrow your investigative technique, very often when the attacks \nare mounted against the Internet or the communications or power \nnetworks, you don't see the attacks until they are already at \ntheir zero moment and are massively engaging the \ninfrastructure.\n    Chairman Coburn. But, in fact, we know that is a \npossibility, so we can design to prevent that if we have the \nstructure in place to communicate it, cross-communicate it \nwithout the sharing of proprietary data that would put somebody \nat a competitive disadvantage. I mean, that is possible. \nEverybody would agree with that, right?\n    Mr. Noonan. Right. 
There is already a foundation in place, \nsir, but it is not broadly available cross-industry, cross-\nsector, cross-agency and government. There are multiple early \nwarning activities that are operating at various levels of \nefficacy. These include the ISAC, the Information Sharing and \nAnalysis Centers that are established as part of the IT, or as \npart of the Sector Coordinating Councils. They are not fully \noperating cross-functionally today, but they are a foundation \nthat has been being built for many years. There are issues, but \nwe are making progress there.\n    I think the early warning vulnerability disclosure activity \nthat is underway has actually moved this industry along in a \nnumber of years. If we know where our vulnerabilities are, \nthere is a pretty good chance that is where the attacks are \ngoing to be. Whether they are malicious and disruptive or \nwhether they are quiet and compromising, they are typically \ngetting through our vulnerabilities.\n    There, I think we have made progress. However, as an \nindustry, or both a public and private sector perspective, we \ndon't have the equivalent of turn on CNN and get the hurricane \nearly warning system. We simply don't have that.\n    Chairman Coburn. Are there any other comments from any of \nyou all on the GAO report?\n    [No response.]\n    Chairman Coburn. I don't know if the silence is because--I \nwon't say that. I will just let it go with that.\n    None of you would disagree with the fact that there could \nbe somebody in a position that could maintain the trust of the \nproviders and the service companies and the Internet industry \nand work for government and maintain the integrity that is \nrequired for us to solve these problems. Would you agree with \nthat?\n    Ms. Bienfait. I would agree with that.\n    Mr. Noonan. I would agree.\n    Chairman Coburn. 
So one of the real issues for us to move \nthings offline is to fill the position with somebody that has \nthe competency, character, and trust of the industry and the \ngovernment and can put the impetus behind moving forward. If \nthis hearing does anything with that, we will have accomplished \nsomething.\n    I want to thank each of you for being here. This is a \ndifficult problem we face, but it is also, besides difficult, \nit is critical. Our country can't take many more hits. This is \none that is preventable, provided we do the right thing. It is \nat least, if not preventable, recoverable if we do the right \nthing.\n    I would hope that we will continue to have good \ncommunications. We will have other hearings on this. We are \ngoing to move. There is going to be an Assistant Secretary, I \npromise you. Even if we have to raise the salary for the \nposition, there is going to be one because it is just too \nimportant.\n    We will be submitting some questions to you. I would hope \nthat you would return those to us within 2 weeks.\n    I thank you for your service, and the hearing is adjourned.\n    [Whereupon, at 11:12 a.m., the Subcommittee was adjourned.]\n\n                            A P P E N D I X\n\n                              ----------                              \n\n[GRAPHIC] [TIFF OMITTED] \n\n                                 <all>\n</pre></body></html>\n"