<html>\n<title> - CYBERSECURITY: A REVIEW OF PUBLIC AND PRIVATE EFFORTS TO SECURE OUR NATION'S INTERNET INFRASTRUCTURE</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n \n  CYBERSECURITY: A REVIEW OF PUBLIC AND PRIVATE EFFORTS TO SECURE OUR \n                    NATION'S INTERNET INFRASTRUCTURE\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                  SUBCOMMITTEE ON INFORMATION POLICY,\n                     CENSUS, AND NATIONAL ARCHIVES\n\n                                 of the\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            OCTOBER 23, 2007\n\n                               __________\n\n                           Serial No. 110-59\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n                     http://www.oversight.house.gov\n\n\n                     U.S. GOVERNMENT PRINTING OFFICE\n43-198 PDF                 WASHINGTON DC:  2008\n---------------------------------------------------------------------\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001\n\n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                 HENRY A. 
WAXMAN, California, Chairman\nTOM LANTOS, California               TOM DAVIS, Virginia\nEDOLPHUS TOWNS, New York             DAN BURTON, Indiana\nPAUL E. KANJORSKI, Pennsylvania      CHRISTOPHER SHAYS, Connecticut\nCAROLYN B. MALONEY, New York         JOHN M. McHUGH, New York\nELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida\nDENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana\nDANNY K. DAVIS, Illinois             TODD RUSSELL PLATTS, Pennsylvania\nJOHN F. TIERNEY, Massachusetts       CHRIS CANNON, Utah\nWM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee\nDIANE E. WATSON, California          MICHAEL R. TURNER, Ohio\nSTEPHEN F. LYNCH, Massachusetts      DARRELL E. ISSA, California\nBRIAN HIGGINS, New York              KENNY MARCHANT, Texas\nJOHN A. YARMUTH, Kentucky            LYNN A. WESTMORELAND, Georgia\nBRUCE L. BRALEY, Iowa                PATRICK T. McHENRY, North Carolina\nELEANOR HOLMES NORTON, District of   VIRGINIA FOXX, North Carolina\n    Columbia                         BRIAN P. BILBRAY, California\nBETTY McCOLLUM, Minnesota            BILL SALI, Idaho\nJIM COOPER, Tennessee                JIM JORDAN, Ohio\nCHRIS VAN HOLLEN, Maryland\nPAUL W. HODES, New Hampshire\nCHRISTOPHER S. MURPHY, Connecticut\nJOHN P. SARBANES, Maryland\nPETER WELCH, Vermont\n\n                     Phil Schiliro, Chief of Staff\n                      Phil Barnett, Staff Director\n                       Earley Green, Chief Clerk\n                  David Marin, Minority Staff Director\n\n   Subcommittee on Information Policy, Census, and National Archives\n\n                   WM. LACY CLAY, Missouri, Chairman\nPAUL E. KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio\nCAROLYN B. MALONEY, New York         CHRIS CANNON, Utah\nJOHN A. YARMUTH, Kentucky            BILL SALI, Idaho\nPAUL W. 
HODES, New Hampshire\n                      Tony Haywood, Staff Director\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on October 23, 2007.................................     1\nStatement of:\n    Garcia, Gregory T., Assistant Secretary for Cyber Security \n      and Communications, Department of Homeland Security; \n      Gregory C. Wilshusen, Director of Information Security \n      Issues, GAO; and Daniel S. Ross, chief information officer, \n      State of Missouri..........................................     7\n        Garcia, Gregory T........................................     7\n        Ross, Daniel S...........................................    43\n        Wilshusen, Gregory C.....................................    20\n    Sabo, John T., president, Information Technology Information \n      Sharing and Analysis Center and director of Global \n      Government Relations, CA, Inc.; Larry Clinton, president, \n      Information Security Alliance; Ken Silva, chief security \n      officer and vice president for networking and information \n      security, Verisign; Catherine T. Allen, chairman and CEO, \n      the Santa Fe Group; and Kiersten Todt Coon, vice president, \n      Good Harbor Consulting.....................................    64\n        Allen, Catherine T.......................................    98\n        Clinton, Larry...........................................    86\n        Sabo, John T.............................................    64\n        Silva, Ken...............................................    78\n        Todt Coon, Kiersten......................................   118\nLetters, statements, etc., submitted for the record by:\n    Allen, Catherine T., chairman and CEO, the Santa Fe Group, \n      prepared statement of......................................   
100\n    Clay, Hon. Wm. Lacy, a Representative in Congress from the \n      State of Missouri, prepared statement of...................     3\n    Clinton, Larry, president, Information Security Alliance, \n      prepared statement of......................................    88\n    Garcia, Gregory T., Assistant Secretary for Cyber Security \n      and Communications, Department of Homeland Security, \n      prepared statement of......................................    10\n    Ross, Daniel S., chief information officer, State of \n      Missouri, prepared statement of............................    45\n    Sabo, John T., president, Information Technology Information \n      Sharing and Analysis Center and director of Global \n      Government Relations, CA, Inc., prepared statement of......    66\n    Silva, Ken, chief security officer and vice president for \n      networking and information security, Verisign, prepared \n      statement of...............................................    80\n    Todt Coon, Kiersten, vice president, Good Harbor Consulting, \n      prepared statement of......................................   120\n    Wilshusen, Gregory C., Director of Information Security \n      Issues, GAO, prepared statement of.........................    22\n\n\n  CYBERSECURITY: A REVIEW OF PUBLIC AND PRIVATE EFFORTS TO SECURE OUR \n                    NATION'S INTERNET INFRASTRUCTURE\n\n                              ----------                              \n\n\n                       TUESDAY, OCTOBER 23, 2007\n\n                  House of Representatives,\n   Subcommittee on Information Policy, Census, and \n                                 National Archives,\n              Committee on Oversight and Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10:06 a.m. in \nroom 2154, Rayburn House Office Building, Hon. Wm. 
Lacy Clay \n(chairman of the committee) presiding.\n    Present: Representatives Clay, Hodes, Yarmuth, and Turner.\n    Staff present: Darryl Piggee, staff director/counsel; Jean \nGosa, clerk; Adam C. Bordes, professional staff member; Nidia \nSalazar, staff assistant; Michelle Mitchell, legislative \nassistant, Office of Wm. Lacy Clay; Charles Phillips, minority \ncounsel; Patrick Lyden, minority parliamentarian & member \nservices coordinator; and Benjamin Chance, minority clerk.\n    Mr. Clay. The subcommittee on Information Policy, Census, \nand National Archives will now come to order. Today's hearing \nwill examine how well DHS is fulfilling its role as the leading \nFederal agency charged with coordinating response and recovery \nefforts in the event of a major Internet disruption. In \naddition, we will review the roles and responsibilities of \nprivate sector stakeholders in the development of Internet \nrecovery plans and hear their recommendations for improving our \ncurrent cyber security policy framework.\n    Without objection the Chair and ranking minority member \nwill have 5 minutes to make opening statements followed by \nopening statements not to exceed 3 minutes by any other Member \nwho seeks recognition. And without objection Members and \nwitnesses may have 5 legislative days to submit a written \nstatement or extraneous materials for the record.\n    I will begin with an opening statement and then recognize \nthe ranking member. Then we will adjourn after that while we \nvote and then we will come back and take the testimony. Just be \npatient with us, please.\n    Securing our Nation's economic and global interests relies \nupon having a resilient Internet infrastructure. A recently \nreleased study by the Business Roundtable summarized that there \nis a probability of between 10 percent and 20 percent for a \nmajor Internet breakdown over the next decade. 
At an estimated \nglobal cost of approximately $250 billion, an event of this \nmagnitude would prove devastating to our domestic industries \nand international trading partners.\n    Despite spending millions of dollars, the Department of \nHomeland Security has failed to develop an effective Internet \nrecovery plan to rely upon for emergency response and recovery \nefforts.\n    Furthermore, their lack of adequate progress in developing \nappropriate models for measuring the levels of risk facing each \nsector has left policymakers unable to determine which sectors \nare most vulnerable to major cyber network disruptions.\n    It is my hope that today's witnesses will provide an update \non DHS' efforts to remedy its deficiencies and provide \nrecommendations for strengthening partnerships that will best \nsecure our Internet infrastructure.\n    That concludes my opening statement and I will recognize \nMr. Turner of Ohio for his opening statement. Mr. Turner.\n    [The prepared statement of Hon. Wm. Lacy Clay follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3198.001\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.002\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.003\n    \n    Mr. Turner. Thank you, Chairman Clay. I want to thank you \nfor holding today's hearing on Cyber Security: A Review of \nPublic and Private Efforts to Secure Our Nation's Internet \nInfrastructure.\n    The Internet is a key critical infrastructure asset and has \nan enormous impact on communications as well as the economy. It \nis important that this asset is protected, much like other \ncritical infrastructure assets. 
It seems, however, that due to \na number of factors, the Internet isn't as secure from \ncatastrophic events as it could be.\n    I look forward to reading the testimony from today's \nwitnesses on how DHS can better prepare our Internet \ninfrastructure from potential catastrophic events, such as \nnational disasters and terrorist attacks.\n    I am interested in how DHS plans to address the concerns \nlisted in the 2006 GAO report on DHS' efforts to coordinate an \nInternet infrastructure recovery plan. And I am particularly \ninterested in learning about the legal barriers that DHS faces \nin providing assistance to private sector entities which own or \noperate Internet infrastructure in the event of disaster.\n    Mr. Chairman, I want to thank you again for your leadership \nand your effectiveness in the oversight of the important \nFederal policy issues of information policy. Thank you.\n    Mr. Clay. Thank you, Mr. Turner. And at this time, the \nsubcommittee will recess and reconvene at the conclusion of the \nthree votes that we will take now on the floor. The committee \nstands in recess.\n    [Recess.]\n    Mr. Clay. If there are no additional opening statements, \nthe subcommittee will now reconvene and we will receive \ntestimony from the witnesses before us today.\n    I want to start by introducing our first panel, which will \nconsist of Mr. Greg Garcia, who is the Assistant Secretary for \nCyber security and Communications at the Department of Homeland \nSecurity. In his position, Mr. Garcia oversees the operations \nand strategic planning activities of the National Cyber \nSecurity Division, the Office of Emergency Communications and \nthe National Communications System. Prior to joining DHS, he \nrepresented the information technology on Capitol Hill, and \nbefore that served as a staff member of the House Science \nCommittee.\n    We also have joining us Mr. Greg Wilshusen, who is a \nDirector of Information Security Issues at GAO. 
He is a long \ntime expert on the topic of information security and has \ntestified before this panel numerous times on cyber security \nissues and Federal information security management practices.\n    And to round out the panel, Mr. Dan Ross serves as the \nchief information officer for the State of Missouri. And prior \nto his appointment in 2005, Mr. Ross served under then \nSecretary of State Matt Blunt in the capacity of executive \ndeputy secretary of State. He holds a bachelor's degree in \nindustrial relations from Lincoln University and a master's \ndegree in public administration from the University of \nMissouri.\n    Welcome, Mr. Ross. We know you came further than others. \nAnd also welcome to the other two witnesses. And thank you all \nfor appearing before today's subcommittee.\n    And it is the policy of the Committee on Oversight and \nGovernment Reform to swear in all witnesses before they \ntestify. And I would like to ask you all to stand and raise \nyour right hands.\n    [Witnesses sworn.]\n    Mr. Clay. Thank you. You may be seated. Let the record \nreflect that the witnesses answered in the affirmative.\n    Mr. Hodes, did you have an opening statement that you would \nlike to offer?\n    Mr. Hodes. No, I will defer.\n    Mr. Clay. OK. Thank you so much. I ask that each of the \nwitnesses now give a brief summary of their testimony and to \nkeep the summary under 5 minutes. Your complete written \nstatement will be included in the hearing.\n    Mr. Garcia, we will begin with you. Before you do that, I \nknow that you come today to explain how seriously DHS and the \nadministration takes its cyber security responsibility. I must \nadmit that it is a little disappointing that you waited until \n11:30 this morning to deliver your written testimony for \nmembers of the subcommittee to adequately prepare.\n    With that said, you have 5 minutes to summarize your \nstatement.\n\nSTATEMENTS OF GREGORY T. 
GARCIA, ASSISTANT SECRETARY FOR CYBER \n SECURITY AND COMMUNICATIONS, DEPARTMENT OF HOMELAND SECURITY; \nGREGORY C. WILSHUSEN, DIRECTOR OF INFORMATION SECURITY ISSUES, \n GAO; AND DANIEL S. ROSS, CHIEF INFORMATION OFFICER, STATE OF \n                            MISSOURI\n\n                 STATEMENT OF GREGORY T. GARCIA\n\n    Mr. Garcia. Thank you, Mr. Chairman, and members of the \nsubcommittee. I appreciate the opportunity to discuss the \nDepartment of Homeland Security's efforts to promote the \nresilience of America's Internet infrastructure.\n    Let me just say at the outset, Mr. Chairman, that I do \napologize for the lateness of our testimony. It is more than a \nlittle disappointing to me, as well. It in no way reflects the \nseriousness with which DHS takes the mission of cyber security. \nAnd it is very much important for you, the members of the \ncommittee and the staff to have the benefit of advance reading \nof our testimony so that we can have an informed discussion. \nSo, please accept my apology for that.\n    We are endeavoring, in our process at DHS and interagency, \nto ensure that we bring testimony up to the Congress in a \ntimely fashion.\n    Mr. Clay. Thank you for that.\n    Mr. Garcia. Sir, it is fitting that you are holding this \nhearing during National Cyber Security Awareness Month. It \nhelps to raise public consciousness about the importance of \nInternet security to our economy and to our way of life.\n    Over 200 million Americans use the Internet at home and in \nthe workplace. The Internet facilitates communications, and \nsupports Government and business operations. Although the \nInternet has yielded tremendous efficiencies, organizations and \nindividuals remain vulnerable to disruptions in service and \nloss of sensitive data.\n    Both the private sector and Government play a role in \nsecuring our Internet infrastructure. 
The private sector \nbuilds, owns and operates most of the cyber infrastructure and \nensures the availability and functionality of the Internet. The \nFederal Government has the responsibility for ensuring the \ncontinued operation of essential Government functions, securing \ntheir timely restoration if they fail, and minimizing the \nimpact to the Nation.\n    As such, it is incumbent upon the Federal Government to \nhelp protect against Internet disruptions and to ensure a \ncoordinated response to incidents. I would like today to \nhighlight a few of our efforts in these areas.\n    First, we are strengthening our ability to prevent Internet \ndisruptions. Under the National Infrastructure Protection Plan \n[NIPP], the availability of the Internet and its associated \nservices is identified as a shared key resource of the \ninformation technology and communications sectors. As the \nsector's specific agency for both, we work with the sectors to \ndevelop their Sector-Specific Plans [SSP], which were released \nin May of this year.\n    The IT SSP defines six critical functions that support the \nsector's ability to produce and provide resilient products and \nservices. Of these, two critical sector functions relate \ndirectly to the Internet.\n    Similarly, the communications Sector Specific Plan \nidentifies critical architectural elements of the Internet. \nThrough implementation of their SSPs, the IT and communications \nsectors are continuing to work together to assess the risk to \nthe Internet.\n    Although the availability of the Internet is primarily the \nresponsibility of the IT and communications sectors, all \nsectors rely on the Internet. 
And DHS, together with the \nPartnership for Critical Infrastructure Security [PCIS], \nestablished the Cross Sector Cyber Security Working Group \n[CSCSWG], comprised now of more than 90 Government and private \nsector experts from across the critical infrastructure sectors.\n    This group provides a forum to assess, among other things, \nhow critical sector operations could be impacted by disruptions \nand to develop appropriate mitigation strategies.\n    Improving situational awareness is a critical component of \npreparedness. The U.S. Computer Emergency Readiness Team [U.S. \nCERT], within my organization, coordinates with the private \nsector and Government entities to increase situational \nawareness of network conditions.\n    We developed a program called Einstein that provides \nFederal agencies with early cyber incident detection so that \nthey can respond more rapidly to mitigate threats. It has \nslashed the time it takes us to gather and share critical data \non IT security risks from days, as it used to be, to hours.\n    The U.S. CERT also engages with private sector Information \nSharing And Analysis Centers [ISACs], to share information on \ncyber threats, vulnerabilities and incidents. This includes \ncollaboration with the IT-ISAC and the Multi-State ISAC to \nraise the level of cyber security readiness in each State.\n    Our ability to protect against and prepare for Internet \ndisruptions is further enhanced through exercises. We are \ncurrently planning for the Cyber Storm II Exercise in March \n2008, which will include a focus on Internet disruption and \nrecovery and involve Federal, State, local, international and \nprivate sector entities.\n    Second, we are enhancing public and private collaboration \nto ensure effective response capabilities. The National \nResponse Framework [NRF], which was recently released for \npublic comment, articulates how our Nation will respond to all \nhazard disasters. 
My office has responsibility for Emergency \nSupport Function No. II [ESF-2], the Communications Annex and \nthe Cyber Incident Annex. We undertook an in-depth review of \nthese components, and incorporated updates to them.\n    In support of the NRF, the National Cyber Response \nCoordination Group [NCRCG], serves as the primary Federal \ninteragency mechanism for coordinating Cyber Incidents. \nRecently, the NCRCG addressed the denial of service attack \nagainst the government of Estonia. The NCRCG co-chairs convened \nto discuss the situation and determined that an operational \nresponse was indeed needed. And we coordinated that through the \nNational Coordination Center and U.S. CERT.\n    To sum, my office is now implementing a plan to co-locate \nthe U.S. CERT and the NCC, the IT and Communications to further \nfacilitate collaboration among IT and communications experts. \nWe are working side-by-side with them to make it easier to \nobtain situational awareness, to identify threats and \ncoordinate response activities.\n    To conclude, both Government and the private sector are \ntaking proactive measures to address Internet resilience, and \nto prepare for and respond to Internet disruptions. Government \nand business leaders must continue to ensure that sectors, \norganizations and individuals all understand their dependence \non the Internet, the impact that a disruption could have and \nactions that can be taken to mitigate the consequences.\n    Sir, thank you for your time today. I appreciate the \nopportunity to discuss this issue and will be happy to answer \nquestions.\n    [The prepared statement of Mr. 
Garcia follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3198.004\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.005\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.006\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.007\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.008\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.009\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.010\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.011\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.012\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.013\n    \n    Mr. Clay. Thank you very much, Mr. Garcia. Mr. Wilshusen, \nyou are next.\n\n               STATEMENT OF GREGORY C. WILSHUSEN\n\n    Mr. Wilshusen. Chairman Clay and members of the \nsubcommittee, thank you for the opportunity to testify at \ntoday's hearing on public and private sector efforts to secure \nour Nation's Internet infrastructure.\n    Since the early 1990's, the world community has come to \nrely on the Internet as a critical resource supporting \ncommerce, education and communication. While the benefits of \nthis technology have been enormous, this widespread inter-\nconnectivity poses significant risks to our Government's and \nNation's computer systems and, more importantly, to the \ncritical operations and infrastructures they support.\n    Today, I will discuss threats and vulnerabilities of the \nInternet, DHS' efforts in facilitating recovery from Internet \ndisruptions and key challenges to such efforts.\n    Mr. Chairman, the Internet is vulnerable to disruptions in \nservice due to threats of terrorists and other malicious \nattacks, natural disasters and technological problems or a \ncombination of these things. Disruptions to Internet service \ncan be caused by cyber and physical incidents, both intentional \nand unintentional. 
For example, over the last few years, fast-\nspreading worms and viruses, coordinated denial of service \nagainst key root servers, 9/11 and Hurricane Katrina have \ncaused local or regional disruptions or slowdowns.\n    Research organizations have pegged the annual worldwide \ncosts of malicious code attacks as averaging about $14 billion \nfor the 6 years ending in 2005, highlighting the importance of \nrecovery planning. However, these incidents have also shown the \nInternet as a whole to be flexible and resilient. Even in severe \ncircumstances, the Internet has not yet suffered a catastrophic \nfailure.\n    Nevertheless, it is possible that a complex attack or \nseries of attacks could cause the Internet to fail or to \nundermine users' trust in the Internet, thereby reducing the \nInternet's utility.\n    In a June 2006 report, we noted that DHS had begun a \nvariety of initiatives to improve the Nation's ability to \nrecover from Internet disruptions, including developing an \nintegrated public/private plan for Internet recovery, \nestablishing working groups to facilitate coordination, and \nconducting exercises in which Government and private industry \npractice responding to cyber events.\n    However, these efforts were not complete, comprehensive or \neffectively coordinated. In that report, we also noted key \nchallenges that impeded progress. First, it was unclear what \nGovernment entity was in charge, what the Government's role \nshould be, and when it should get involved. For example, DHS' \nNational Cyber Security Division and National Communications \nSystem had overlapping responsibilities. There is also a lack \nof consensus about the role DHS should play. The Government was \npursuing the big plan approach with the NIPP and the National \nResponse Plan while the private sector wanted more of a \nshort-term tactical role from the Government.\n    Furthermore, triggers to clarify when the Federal \nGovernment should be involved were unclear. 
Another key \nchallenge is working in a legal framework that doesn't \nspecifically address the Government's roles and \nresponsibilities in the event of an Internet disruption. The \nKatrina recovery efforts also showed that the Stafford Act can \ncreate a roadblock when for-profit companies that own and \noperate critical infrastructures need Federal assistance during \nnational emergencies.\n    In addition, the private sector was reluctant to share \ninformation with DHS because it did not always see value in \nsharing information, did not necessarily trust the Government \nand viewed DHS as an organization lacking effective leadership.\n    Until these challenges are addressed, DHS will have \ndifficulty in achieving results in its role as a focal point in \nthis area.\n    In our June 2006 report, we suggested that Congress \nconsider clarifying the legal framework that guides roles and \nresponsibilities for Internet recovery. We also made \nrecommendations to improve DHS' ability to facilitate public/\nprivate efforts and planning for Internet disruptions. The \nDepartment agreed with our recommendations and since then has \nmade progress in addressing many of them.\n    Still work remains to be done to ensure that our Nation is \nprepared to effectively respond to a disruption of the Internet \ninfrastructure.\n    Mr. Chairman, this concludes my statement. I would be happy \nto answer any questions you or members of the subcommittee may \nhave.\n    [The prepared statement of Mr. 
Wilshusen follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3198.014\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.015\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.016\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.017\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.018\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.019\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.020\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.021\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.022\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.023\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.024\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.025\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.026\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.027\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.028\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.029\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.030\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.031\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.032\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.033\n    \n    [GRAPHIC] [TIFF OMITTED] T3198.034\n    \n    Mr. Clay. Thank you very much. Mr. Ross, you may proceed \nfor 5 minutes.\n\n                  STATEMENT OF DANIEL S. ROSS\n\n    Mr. Ross. Thank you, Chairman Clay and distinguished \nmembers of the subcommittee. I thank you for inviting me here \ntoday to appear before you in both my role as Missouri State \nchief information officer, and also as a member of NASCIO, the \nNational Association of State Chief Information Officers. \nNASCIO is a not-for-profit, non-partisan research and advocacy \norganization, of which I and most State CIOs are members.\n    I will briefly offer my perspective on efforts to secure my \nState and our Nation's Internet infrastructure. A lapse or \nshutdown of Internet availability would disable much of State \ngovernment, rendering it unable to communicate, to deliver \nservices and collect revenue for an extended period.\n    Regional conditions in Missouri illustrate some of the \nchallenges natural disasters may pose. 
A large portion of \neastern Missouri, including the city of St. Louis, lies in \nclose proximity to the New Madrid earthquake fault. Missouri \nexperienced over 200 tornadoes last year. In addition, we \nexperienced ice storms, thunderstorms and flooding which \ndamaged communications infrastructure.\n    In addition, the sheer pervasiveness and relentlessness of \ncyber-attacks is staggering. In the past fiscal year alone, \nMissouri's network and data center experienced nearly 5.6 \nmillion cyber-attacks. That's 29,000 per day, about 1,200 an \nhour. And in the few minutes that I am speaking with you today, \nwe will experience about 100.\n    The evolving nature and sophistication of cyber-attacks is \nworrisome as well. State information technology infrastructure \nis now specifically targeted by criminal elements connected to \norganized crime. In addition, they are also increasingly \ninternational in origin, which makes apprehension and criminal \nprosecution highly unlikely.\n    What are we doing? In response to this, State CIOs are \nforging partnerships with State, Homeland Security, emergency \nmanagement and public safety officials to plan for the \npotential of major disruptions and security breach events. We \nare also trying to secure the funding necessary to maintain our \nintrusion detection, spam filter and other technologies that \nwere purchased previously with Homeland Security one-time grant \nfunds.\n    A current concern State CIOs face is acquiring funding to \nbuild security and resilience into all new IT projects and to \nhire and retain knowledgeable, trained IT staff.\n    Some recommendations to fortify Internet communications \ninfrastructure. First, there must be increased \nintergovernmental and private sector coordination. 
Business \npartners, stakeholders and all levels of government must \ncoordinate actions, share best security practices, and plan for \nthe potential of a major disruptive event.\n    Second, continued State involvement in the National \nInfrastructure Protection Plan and Cyber Security Information \nTechnology Sector Specific Plan within it is essential.\n    Third, we must identify cyber vulnerabilities and fund \ntheir mitigation. Cyber security is not a tangible asset, and \nFederal programmatic funding rarely includes specific \nprovisions for IT spending to protect Federal programs \ndelivered by States. The creation of a funding pool for cyber \nsecurity grants to specifically assist States in achieving a \nproper cyber security posture would be beneficial in raising \nthe overall security level of critical IT infrastructure in the \nState government sector.\n    Fourth, we must include and address Internet-dependent \ncritical State functions and continuity of operations and \nrecovery plans.\n    And finally, we have to partake of information sharing \ninitiatives between NASCIO, the Multi-State Information \nSharing and Analysis Center and Federal agencies.\n    In conclusion, Mr. Chairman, technology alone will not \nsolve the security challenges that States face while trying to \nprotect key information technology systems and information. \nGiven the wide variety of cyber-attacks and security \nvulnerabilities today, it may be only a matter of time before a \nState's information systems and assets are compromised. \nTherefore, it is imperative that an investment in human and \ntechnology resources be an ongoing, proactive process, and not \na reactionary response to a security event. 
The well publicized \nhard costs of security breaches as well as the soft costs of \nlosing citizen confidence drive the need for providing \nsufficient resources for securing Government's information and \ninfrastructure assets.\n    As CIO for Missouri and as a representative for NASCIO, I \nappreciate the work of this subcommittee in addressing this \nnational challenge. The National Association of State Chief \nInformation Officers stands ready to contribute to this \nsubcommittee in a meaningful way as needed.\n    Thank you for your time.\n    [The prepared statement of Mr. Ross follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3198.035-T3198.041\n    \n    Mr. Clay. Thank you so much for your testimony, Mr. Ross.\n    We will start the first round of questions and the \ngentleman from New Hampshire is recognized for 5 minutes. Mr. \nHodes.\n    Mr. Hodes. Thank you, Mr. Chairman. And thank you for \nholding this very, very important hearing. Given the \nInformation Age that we are living in, there probably is \nnothing that is more important these days in some way to the \nsecurity of this Nation than the issues that we are discussing \ntoday. As the use of the Internet and cyberspace blossoms, it \nis becoming ever more important to us.\n    Mr. Garcia, I noted with appreciation your sense of regret \nthat your testimony wasn't supplied earlier to us, and I take \nit that you will be able to take steps in the future so that when \nyou come back before us, we will have enough time to review \nyour testimony.\n    Mr. Garcia. Absolutely, sir. We do strive to give you the \nbest quality product we can, as well, which may account for \nsome of the delay and the review process.\n    Mr. Hodes. 
I appreciate that. Prior to your appointment, \nMr. Garcia, the previous Director of the NCSD, Andy Purdy, was \nhobbled because there were conflict of interest questions due \nto his continued employment with his original employer, \nCarnegie Mellon University, which was involved with several \nDHS, cyber-related projects at the time. My understanding is \nthat he was actually drawing a salary while working also for \nthe NCSD, which created real problems, as you can imagine.\n    And it is my understanding that currently, a significant \namount of the work that is being undertaken by NCSD is being \ncarried out by other contractors. Private contractors, \nincluding Booz-Allen. As a member of the Oversight and \nGovernment Reform Committee, we have been exercising oversight \nin a number of areas where the Government is making significant \nuse of private contractors, most notably in the news in \nconnection with the war in Iraq and the flap that has developed \naround Blackwater.\n    And I understand the role of contractors in assisting \nagencies with program administration, but I also understand \nthat contractors aren't supposed to play any role in inherently \ngovernmental or policy-focused activities. We recognized that \nas a potential conflict with Mr. Purdy, and we remain concerned \nthat there may continue to be conflicts at the NCSD. And I note \nin your testimony, at pages--especially at 4 and 6, where you \ntalk about the collaboration that exists in the public/private \npartnership that is ongoing.\n    So, there are relationships here, which while important are \nfraught with potential problems. Can you tell us how many full-\ntime governmental employees there are within NCSD, NCS, and the \nother DHS units under your authority?\n    Mr. Garcia. Sir, I don't have the exact number. We have \napproximately 100 individuals in NCSD and NCS, and about that \nnumber in contractors. So we do rely on contractors. 
It gives \nus the resilience we need to respond to urgent initiatives. It \nenables us to surge and to pull back our resources as \nnecessary.\n    Mr. Hodes. And when you say 100 contractors, do you mean \n100 employees who are the employees of contractors, or 100 \nseparate different companies?\n    Mr. Garcia. I can give you that exact number--I can get \nback with you on that specifically.\n    Mr. Hodes. I would appreciate having the documents that \nreflect that. And Mr. Chairman, if I may, request that the \nrecord stay open long enough to have that information \nsubmitted.\n    Mr. Clay. Without objection, the gentleman will do \neverything to get us those records.\n    Mr. Garcia. Absolutely.\n    Mr. Hodes. Off the top of your head, who are the largest \ncontracting entities who are supplying these contractors to \nthose agencies of which you spoke?\n    Mr. Garcia. The most number of contractors from any one \norganization, I cannot be certain on that answer, likely to be \nBooz-Allen.\n    Mr. Hodes. And what is your sense of the size of Booz-\nAllen's commitment in terms of a percentage of that number of \napproximately 100 who are working?\n    Mr. Garcia. I can get that for you, as well.\n    Mr. Hodes. You don't have any sense today?\n    Mr. Garcia. Not an accurate sense for you. No, sir.\n    Mr. Hodes. And what are the roles and responsibilities of \nthose contractors at your agency, versus the responsibilities \nof the Government employees?\n    Mr. Garcia. None of the contractors are in managerial \npositions. So, they serve in a support role for all of our \nactivities.\n    Mr. Hodes. And who is supervising them? And who is \nresponsible for their day-to-day activities? Is it the \nemployees at your agency, or is it the providing companies?\n    Mr. Garcia. The Government employees under my organization \nare responsible for supervising the activities that the \ncontractors support.\n    Mr. Hodes. 
May I continue with one further question, Mr. \nChairman? I see my time is up.\n    Mr. Clay. The gentleman is recognized for 2 additional \nminutes.\n    Mr. Hodes. Thank you. Now, Mr. Garcia, I take it you would \nagree that conflict of interest policies are critical to \nensuring the integrity of the work done for the Government?\n    Mr. Garcia. Yes, sir.\n    Mr. Hodes. And are there written conflict of interest \npolicies in place at the agencies you supervise to ensure that \nthose coming to work for your division remain free from \ndecisions that may potentially impact former employers or \nclients? And I am talking about both full-time employees as \nwell as consultants working under your direction.\n    Mr. Garcia. Yes, sir. I believe there is. And I can get \nback with you on that and supply that with you.\n    Mr. Hodes. Similarly, Mr. Chairman, I would ask that the \nrecord be held open to accept that submission.\n    Mr. Clay. Without objection, and we would appreciate it if \nwe could have it in 5 legislative days.\n    Mr. Hodes. Thank you, Mr. Chairman. And just one final \nquick question. As a former lobbyist for the Information \nTechnology Association of America, how have you yourself made \nsure that you are remaining free from any conflicts concerning \nissues of importance to your former employer?\n    Mr. Garcia. My mission, Congressman, is in total support \nfor the Department of Homeland Security and to the Nation that \nwe protect. My former employer was a trade association, and my \nformer employer was also the U.S. Congress. So, my mission is \nquite clear and that is to promote the security and resiliency \nand the availability of the Nation's communications and \ninformation infrastructure.\n    Mr. Hodes. I understand that is what your mission is, and \nwhat have you done with your former employer to make sure that \nyou yourself have taken the proper steps to ensure there is no \nconflict of interest?\n    Mr. Garcia. 
We work with them. I have no conflict of \ninterest with my former employer. We work with them as we do \nwith any other major trade association in information \ntechnology as a major partner of the Department of Homeland \nSecurity. We cannot do our work without partnership from \nindustry, from IT, from communications, from financial \nservices. But they are but one of many, many stakeholders and \nplayers in this process. And I am focused squarely on our \nmission.\n    Mr. Hodes. Thank you. Thank you, Mr. Chairman.\n    Mr. Clay. Thank you, Mr. Hodes. Mr. Yarmuth of Kentucky, 5 \nminutes.\n    Mr. Yarmuth. Thank you, Mr. Chairman. When I listened to \nthe testimony, it kind of reminds me of the now infamous words \nof Secretary Rumsfeld when he said, ``There are things we know \nwe know, and things we know we don't know, and things we don't \nknow that we don't know.''\n    It sounds to me like there are a lot of things about the \nthreats facing the Internet that we know, and threats that we \ndon't know that we know, and we don't know that we don't know. \nAnd anyone can attack this problem. Is our biggest problem in \nthis area threats that we don't even know exist, or are we \nstill at the point where we don't know to combat the threats we \nknow about?\n    Mr. Garcia. I think it is a matter of both, Congressman. We \nover the past couple of years, I believe, have made tremendous \nprogress in terms of understanding the threats facing the \nInternet infrastructure. Our visibility into the Internet \ninfrastructure is increasing.\n    For example, my U.S. CERT collects incident reports from \nprivate sector and Government entities. Last year, we received \n37,000 reports. The year before that, 24,000 reports. Is that \nbecause the incidents are increasing or is it because the \nreporting is increasing? It is probably a little bit of both.\n    But the threat is still there. So much is happening under \nthe radar. 
There are so many attacks and probes happening \nacross our networks that we are not seeing. And so, a big part \nof my mission is to work with the owners and operators of those \ninfrastructures, whether it is IT or communications or \nfinancial services, transportation, electricity, to build \nawareness. And to build investment in the systems and the \nprocess that will raise the level of visibility into what is \nhappening in our networks so that we can take the steps to \nmitigate them.\n    Mr. Yarmuth. Is that ultimately the measure of whether you \nare successful or not? Whether the incidents that you know \nabout are reported to you are declining? Or is there some other \nmetric that you can come up with to allow you and us to know \nwhether we are actually making progress?\n    Mr. Garcia. Yes, sir. We have many metrics, and none of \nthem taken by themselves is going to be sufficient. Increasing \nthe number of incident reports. That is a measure of success. \nThat means people are paying attention and they are reporting \nit. They are sharing sensitive information.\n    The amount of investment is also a measure of success, the \ninvestment in cyber security and information technology is \nincreasing. We are looking at the number of students going into \ninformation security as a curriculum pursuit in universities.\n    So, there are many measures, but we still are not going to \nbe able to measure all the attacks that are happening without \nour seeing them. The threat is constantly evolving. The \nadversaries are very sophisticated. And we have to evolve with \nthem.\n    It is an ongoing technological chess match, if you will, \nexcept that there is no check mate. So, this is going to be \nongoing. And we can take one measure at a time, and measure our \nsuccess and hope that we don't take any steps back.\n    Mr. Yarmuth. 
I am curious also, and this may not even be \nrelated to--well, it relates to a certain extent, to the \nultimate goal of the hearing. But the issue of motivation. Is \nthere any way to gauge whether these--what percentage of the \nattacks are motivated by people who just want to see if they \ncan figure it out? Kind of intellectual curiosity or whether \nthey actually have evil motives, if you will. Evil intent.\n    Mr. Garcia. I will let Mr. Wilshusen elaborate, but I think \nwhat we--and indeed Mr. Ross, since he is also on the front \nlines--but we do see a variety of motives. It used to be that \nhacking, as it were, was very much a joy ride exercise. \nTeenagers seeing what they can get away with. Motivations \nrelated to ``hacktivists''--those relating to political motives, \nas perhaps what we saw in Estonia.\n    But the adversaries are becoming more sophisticated and \nmore focused on very specific targets. And that includes the \ndesire for information, whether it is from companies or from \ngovernments. It includes the pursuit of money through cyber \ncrime, through financial services networks or through identity \ntheft.\n    So, they are becoming very sophisticated and very targeted \nwith multiple intents.\n    Mr. Yarmuth. Mr. Wilshusen.\n    Mr. Wilshusen. Yes. And I would just like to add, too--I \nagree with everything that Mr. Garcia just mentioned regarding \nthe threats--is that there are criminal activities and criminal \nelements out there that do have a financial motivation.\n    In addition, there are also foreign nation-states that also \nhave an interest in obtaining intelligence information about \ntheir potential adversaries, including, of course, the United \nStates.\n    I would also like to point out, too, that the threat is \nevolving and indeed the vulnerabilities are also increasing. 
\nJust to give you a statistic, the National Vulnerability \nDatabase has identified over 26,000 software flaws or \nmisconfigurations that could be exploited to provide an avenue for \nsomeone to gain unauthorized access. That total, according to \nthe National Vulnerability Database, is increasing by 16 every \nday. The vulnerabilities are legion. The threats are adaptive, \nand they are constantly evolving, and it is quite a challenge \nto be able to protect computer systems against that.\n    Mr. Clay. Thank you.\n    Mr. Yarmuth. Thank you, Mr. Chairman.\n    Mr. Clay. Thank you, Mr. Yarmuth. Mr. Wilshusen, since the \noriginal GAO Report on Internet Infrastructure and Recovery \nPlans came out last year, can you identify the areas in which \nDHS has demonstrated significant progress? How about the areas \nin which progress is lagging or that have been just totally \nignored?\n    Mr. Wilshusen. Yes, sir. Well, as Mr. Garcia mentioned in \nhis opening remarks, some of the areas for progress included \nthat DHS released its Sector Specific Plans for the IT and \nCommunications Sectors. It also developed and revised its \nNational Response Plan or framework to assure and make sure \nthat it addresses cyber incidents that require Federal \nresponse.\n    In addition, DHS has also led these private/public \nexercises, Cyber Tempest, Cyber Storm, that examine response \nand coordination mechanisms to simulated cyber events. These \nexercises add value. And the after action reports provide \nuseful information on lessons learned during those exercises. \nOf course, the next step though is taking those lessons learned \nand actually implementing them into the plans.\n    Now, some areas where DHS is lagging, if you will, is that \nit has not yet developed a private/public plan for Internet \nrecovery. 
Nor has it set a date when that plan would be \ncompleted.\n    In addition, DHS also disbanded the Internet Disruption \nWorking Group, and it is not clear exactly how well that \ngroup's functions and responsibilities will be addressed by \nother groups that DHS is working with.\n    And one other thing. As Mr. Garcia mentioned, there are a \nnumber of working groups addressing this area of Internet \nrecovery. However, the interrelationship among these groups is \nnot certain.\n    Mr. Clay. Have there been appropriate triggers established \nto determine what type of Internet disruption would merit a \nGovernment response?\n    Mr. Wilshusen. Well, there have been efforts, I believe. A \ncouple of the working groups have looked at those triggers, but \nas of now, the specific triggers have not yet been fully \ndeveloped or implemented.\n    I might also want to point out, too, that one of the key \naspects in order to make these triggers work is to make sure \nthere is an effective analysis and warning capability. And DHS \ndoes have, for example, U.S. CERT, and as Mr. Garcia mentioned \nearlier, the use of the Einstein network monitoring tool, which \ncan help provide information supporting those triggers. But \nEinstein has not yet been implemented across the Government.\n    Mr. Clay. Thank you for that. As part of GAO's review of \nDHS' Internet recovery responsibilities, it cited a lack of DHS \nleadership and stability throughout its management ranks. Has \nthis improved since the report was released last year?\n    Mr. Wilshusen. Well, one area where it has improved is \nindeed the appointment of Mr. 
Garcia as the Assistant Secretary \nfor Office of Cyber Security and Communications, and the \nAssistant Secretary has spelled out some key priorities for the \nDepartment, including preparing and deterring attacks, \nresponding to cyber-attacks of potentially national importance \nor significance, and also building awareness among the various \ndifferent stakeholders in cyber security.\n    However, DHS continues to be hampered by its inability to \nretain key officials in the cyber security area. For example, \nthe Director of the National Cyber Security Division has \nrecently left, as have other key officials related to cyber \nsecurity control systems and officials responsible for cyber-\nrelated exercises.\n    Mr. Clay. Thank you so much for that. Mr. Ross, as the CIO \nfrom Missouri, has your office sought to prioritize the State \nnetworks and critical infrastructures that are most critical in \nan emergency incident? And if so, how was it done?\n    Mr. Ross. Yes, sir. We are always looking to find that \nsingle point of failure, which if taken out, will take the \nwhole system down. You know, we have identified the essential \nfunctions Government has to do, which is communicate, pay \npeople, pay bills, buy things, provide medical services, direct \npeople in emergencies and so, in working with the Department of \nHomeland Security, the State Department of Homeland Security, \nthe State emergency management folks, we are putting together a \nplan to do that.\n    Now, in my own shop and the IT folks, we have identified \nvulnerabilities in the State network and we are working to \npatch those. 
We have recently signed a contract with AT&T to \nmanage the State-wide network to give us that resiliency and \nthat disaster recovery ability because of their large network \nand their redundancy.\n    So, that in combination with State assets--which do include \n1,700 miles of fibers that the Highway Department owns, that we \nleverage for them--all come together to give us a resilient \nbackbone to keep running in times of emergency.\n    We are not there yet because we have just signed the \nagreement with AT&T and are moving into that relationship with \nthem. But I look forward to that. That will provide not only \nthe tremendous wide highway to operate on, but also the back-up \nand disaster recovery we have been after.\n    Mr. Clay. Thank you. What are the greatest strengths and \nweaknesses of the Multi-State ISAC? Are its activities related \nto information sharing and threat analysis of cyber incidents \nproviding you with adequate information for decisionmaking?\n    Mr. Ross. Mr. Chairman, Missouri is one of the two founding \nStates in that organization. We are extremely active in that. \nOne of my security officers is co-chair of the Legislative \nCommittee and another member of his team is on an Operations \nCommittee, I believe.\n    So, we are actively engaged with them, in contact with them \nnearly every day. Phone calls and then certainly when an event \nor a vulnerability is identified, that network fires up very \nquickly. So, we depend on and use them very heavily.\n    Mr. Clay. OK. Thank you for that. Mr. Hodes, did you have a \nsecond round of questioning? Please proceed for 5 minutes.\n    Mr. Hodes. Thank you, Mr. Chairman. Mr. Wilshusen, I am \nlooking through the statement you provided, your testimony \nhere. 
And I note on pages 9 and 10, in dealing with the \nquestions of the existing laws and regulations and their \napplication to Internet recovery, some issues arise.\n    You point out, for instance, that the Stafford Act \nauthorizes Federal assistance to States, local governments, \nnot-for-profits, in the event of a major disaster or emergency, \nbut doesn't apply to for-profits.\n    Do you see a revision of that as necessary, desirable? \nSomething else, is it absolutely required? Would it provide an \nincentive for some kind of conduct on the part of for-profits, \nwhich has been problematic up until now? Would you comment? \nThanks.\n    Mr. Wilshusen. Yes, I would be glad to. During this review \nthat we conducted last year, we did a number of case studies \nover key Internet cyber events. One of them had to do, of \ncourse, with Hurricane Katrina. And it was during that event \nwhere key infrastructure owners needed to gain access to the \nresources or to their facilities and have the ability to have \nbasic food, water and other necessities in order to more \nquickly restore service operations--their service capabilities.\n    However, the Federal Government was not able to help them \nor to provide the short-term tactical support that was needed \nin order for them to actually gain access to their facilities. \nAnd so, part of that was due to the Stafford Act, because the \nFederal Government cannot provide assistance to these for-\nprofit organizations.\n    Mr. Hodes. So, had the Federal Government been able to \nprovide that short term tactical assistance, the response of \nthose for-profits in coordinating the effort to recover, would \nhave been much quicker?\n    Mr. Wilshusen. And would have been enhanced. Yes, sir.\n    Mr. Hodes. 
Turning to the Communications Act of 1934, there \nis an implicit suggestion in your written statement that it needs \nto be revised to address the new threats, the new concerns, \nthat the cyber infrastructure has created since 1934 and \nwhatever amendments there have been. Am I correct that you see \nthat as something that Congress needs to look at?\n    Mr. Wilshusen. Yes, because we see that as a Communications \nAct that does not address specifically the Internet and \ncertainly not the roles and responsibilities for Internet \nrecovery from disruptions or major disruptions.\n    Mr. Hodes. Thank you. Mr. Garcia, it was recently reported \nthat one vendor, a major DHS IT vendor, Unisys, had been \nconcealing a number of significant cyber security incidents and \nattacks on Department systems, including many that apparently \nexposed the entire DHS enterprise to significant cyber-threats. \nCould you explain your role in responding to the incidents as \nthey were reported to DHS leadership?\n    Mr. Garcia. Sir, that particular issue, we have a \nseparation of responsibilities. The Office of Cyber Security \nand Communications is responsible for a national outreach on \ncyber security policy and implementation, whereas the \nprotection of the DHS network itself, that responsibility \nresides within the Office of the Chief Information Officer \n[CIO]. So, neither I nor my office was directly involved in \nthat particular issue.\n    Mr. Hodes. So, it is not your job?\n    Mr. Garcia. That is correct.\n    Mr. Hodes. Did you coordinate at all with the Chief \nInformation Officer on what happened?\n    Mr. Garcia. Yes. So our role within the U.S. 
CERT is in \nfact, to treat the DHS networks as we do all of our Federal \nagency customers, if you will, particularly through our \noutreach and information sharing in the Einstein program, we \nwork to try to help agencies see what is happening on their \nnetworks and to exchange information with them and ultimately \nto correlate activities to find trends that are happening \nacross the Federal network. And that goes with the CIO's office \nas well.\n    So, we are in close contact with the Office of the CIO as \nincidents happen, in the DHS networks or any other Federal \nagency network.\n    Mr. Hodes. So, I am assuming that because it is an agency \nwith which you are involved and that you must be in touch with \nthe CIO about these kinds of incidents, what happened to \nUnisys? What was done? Were they sanctioned? And what steps \nwere taken by the CIO to prevent these kinds of incidents from \nhappening in the future?\n    Mr. Garcia. I certainly would defer to the CIO to answer \nthose questions for you, as I was not directly involved in \nthat.\n    Mr. Hodes. May I just followup for one quick moment?\n    Mr. Clay. Please. Go ahead.\n    Mr. Hodes. Did you have any conversations with the CIO \nabout what was going on with this breach by Unisys and how it \nwas being handled and what effect it would have on the agencies \nthat you do deal with?\n    Mr. Garcia. Our U.S. CERT facility was in contact with his \noffice, and I can get back with you as to exactly what the \ninteraction was. I personally was not involved. That also deals \nwith a contracting matter with the CIO's contract with Unisys.\n    Mr. Hodes. So, to the extent there are any documents within \nyour purview, control, constructive control, or custody, I \nwould like you to provide to this body any and all documents \nreflecting any interaction, discussion or contact you or your \nagency, or anybody in it had with the CIO about the response to \nUnisys over this breach. 
Will you provide that to us?\n    Mr. Garcia. Certainly.\n    Mr. Hodes. Mr. Chairman, I request that the record stay \nopen so that those documents may be provided.\n    Mr. Clay. Without objection, for 5 legislative days.\n    Mr. Hodes. Thank you, sir. Thank you, Mr. Garcia.\n    Mr. Clay. Mr. Yarmuth.\n    Mr. Yarmuth. Just one followup question. And this is mostly \nfor my own understanding. I would like to try again to clarify \nthe difference between for-profit and the not-for-profit world. \nAnd also, the difference between the infrastructure world and \nthe software world, because presumably most of the software out \nthere is produced by for-profit companies and you have a \nsecurity aspect of the software and a security aspect of the \ninfrastructure. I am just curious as to where you draw the line \nas to where the Government's interest and responsibility begins \nand where it ends.\n    Mr. Garcia. If I understand your question, the way we look \nat it is that 85 percent to 90 percent of the critical \ninfrastructure is owned by the private sector. So, they are \nmanaging the networks and the private sector is developing the \nhardware that runs on and runs those networks. It is our job to \ncoordinate with those who are owning and operating and those \nwho are using those systems to ensure that we have a proactive \nway of dealing with attacks and vulnerabilities as we find \nthem.\n    Mr. Yarmuth. What I am trying to understand is the difference \nbetween the relevance of for-profit and not-for-profit where \nthe Stafford Act issues arise.\n    Mr. Garcia. I am not exactly sure of the answer to that \nquestion, sir.\n    Mr. Yarmuth. OK. Well, I am not sure that I know enough to \nask any more. Thank you.\n    Mr. Clay. OK. The gentleman yields back. Mr. Garcia, Mr. \nWilshusen pointed out that one of the issues that your \nDepartment has is retaining key officials in cyber security. \nWhat do you think is the solution to the revolving door there? 
\nWhat are the main issues and why do you lose so many key \npeople?\n    Mr. Garcia. Thank you, sir. I honestly would not \ncharacterize it as a revolving door. In fact, some of our more \nrecent departures were strictly for personal reasons. Two major \nstaff wanted to relocate closer to family across country and \nsouth of here. And to be honest, the DHS environment and our \nmission is a very high intensity one, and very fast paced and \nlong hours. And given that, we make every effort to first \nrecruit the best talent we can and then to retain them, and to \nreward them, and to make their experiences and their challenges \nmeaningful.\n    So, we are acutely aware of the need to have the best \ntalent we can and we are actively filling those posts that have \nbeen vacated.\n    Mr. Clay. Are many leaving for private corporate cyber \nsecurity positions?\n    Mr. Garcia. I am not sure exactly where they went. Probably \nto the private sector, but more toward a different way of life, \ncloser to family.\n    Mr. Clay. I see. Let me go another direction. According to \nGAO's 2006 Report on Internet Infrastructure, one of the \nsignificant obstacles facing DHS is the conflicting or \noverlapping roles of the National Cyber Security Division and \nthe National Communications System, which seems to have \nundefined and conflicting roles in response to a major Internet \ndisruption or cyber-attack. As the person in charge of both the \nNCSD and NCS, can you explain to us how the roles and \nresponsibilities of both units are distinct or different?\n    Mr. Garcia. Absolutely. Very good question. The National \nCyber Security Division is responsible for the security of the \ninformation infrastructure. 
The National Communications System \nis responsible for ensuring that the Government, that the \nNation, has the ability to communicate in times of national \nemergency.\n    So you think of the NCS and communications as the pipe, the \ntelecommunications pipe, and the NCSD as dealing with the \nsoftware and the technology that controls the operations of \nthose pipes and sends information through those pipes. So, NCSD \nand NCS have very complementary roles. Certainly not \nconflicting. Sometimes overlapping, but overlapping for the \nbetter.\n    My role is to try to bring those--by the way, NCS is a 40 \nyear old organization, and NCSD is a 4-year old organization. \nSo they have much different histories, but they work very \nclosely together. For example, in the Estonia distributed \ndenial-of-service attacks, NCS and NCSD worked very closely.\n    Second, I am working to bring together, to co-locate the \nU.S. CERT operations with the NCS operations, which is called \nthe NCC, the National Coordinating Center for \nTelecommunications, that is a 24/7 watch operation as well, \nthat serves the communications infrastructure involving \ncommunications companies and Government employees.\n    So, we are bringing them together so that the IT and \nCommunications can have a more synthesized view of what is \nhappening on our information and communications \ninfrastructures.\n    Mr. Clay. Let me ask you, as voice and data transmission \nnetworks continue to converge, wouldn't combining NCSD and NCS \nprove to be more efficient for agency operations?\n    Mr. Garcia. I think certainly a good number of the \nfunctions have already converged. That when we look at the \nconvergence of communications from the traditional circuit \nswitch to packet switch technology, security is going to equal \navailability, and availability is going to equal security. 
So \nwe can't bifurcate those functions.\n    There are unique and distinct functions within the National \nCommunications System and NCSD that may remain unique, but by \nand large, you are absolutely right, Mr. Chairman, functionally \nNCS and NCSD will over time converge.\n    Mr. Clay. Thank you for that response. It is my \nunderstanding that NCSD recently released a draft of what it \ncalled the Information Technology Security Central Body of \nKnowledge, competency and functional, A Framework for IT \nSecurity and Workforce Development. Isn't this the type of work \nusually undertaken by the private standards-setting community, \nsuch as the ISO standards organization? How is this work unique \nto what has already been developed by the standards community?\n    Mr. Garcia. Very good question, and I thank you for that. \nYes, the Essential Body of Knowledge [EBK], is our attempt to \nbring together actually a number of those security skills, \ntraining skills standards that have been put out by a number of \ndifferent organizations and really find the common elements \namong all of those. What we can do is provide as a reference \nfor academia, for the practitioners, a synthesized set of work \nforce skills and training standards to develop curricula or to \ndevelop training within the enterprise.\n    So, in no way is it intended to supplant the other private \nsector-developed security standards. It is instead intended to \nsort of de-conflict among those and provide a much higher level \nreference for those who are trying to distinguish between one \nor the other type of standard that they ought to be using. So \nwe are quite enthusiastic about it.\n    Mr. Clay. OK. Thank you. Mr. Wilshusen or Mr. Ross, do you \nhave anything else to add?\n    Mr. Ross. Thank you, Mr. Chairman. I might go back to a \nprevious point that Mr. Yarmuth mentioned. And that is the \nevolving nature of threats. 
We are always having to--what we
see in Missouri is, we will see low-level threats. Low-level
probes of our data center and our network. We will see hundreds
of thousands of these low-level threats and probes but little
variations on each other, and then at the end of that period,
we will see a heavy strike on our data center in an attempt to
bring down servers or communication equipment and the like.
    And to get to your other point, Representative, it is not
teenagers hacking anymore. It is coming from other countries.
Our forensic tools can track it down to continents and to
countries, and it is coming from all over the world. But it is
very focused. States have extremely valuable information.
Financial information, health information, driver's license,
Social Security number-type information and they are after
that.
    A recent example I heard a presentation about. If you can
just get hold of a CD copy of all the freshmen coming into the
University of Missouri, either the law school or the finance
school or accounting or the like, that is probably worth $2,000
going in. Then years down the road, when it is actually--when
they are income-producing people, that information is extremely
valuable, and that is when they use it. So that type of
information is what people are after.
    Mr. Clay. Do you ever make any successful apprehensions?
    Mr. Ross. Outside the country? No. Inside the country, we
do.
    Mr. Clay. OK. Mr. Wilshusen, anything to add?
    Mr. Wilshusen. No.
    Mr. Clay. No? Thank you. I want to thank the entire panel
for their testimony and answering questions. This panel is
dismissed. Thank you.
    As soon as this panel is up, we would like the second panel
to come forward to be sworn in.
    Thank you.
On our second panel, we have a distinguished
group of individuals who are highly qualified to address the
issues associated with cyber security and Internet architecture
from a variety of important perspectives.
    Mr. John T. Sabo is the current president of the
Information Technology Information Sharing and Analysis Center
[IT-ISAC], as well as the director of Global Government
Relations for CA, Inc. In addition to IT-ISAC, Mr. Sabo
represents CA in a number of security and privacy-focused
industry organizations and is an appointed member of the U.S.
Department of Homeland Security Data Privacy and Integrity
Advisory Committee. Welcome.
    Mr. Larry Clinton is the president of the Information
Security Alliance, which has over 500 corporate members on four
continents representing virtually every major segment of the
economy. Mr. Clinton is a member of several boards and advisory
committees, including the National Partnership for Cyber
security, the Internet Education Foundation and the Advisory
Board of the U.S. Congressional Internet Caucus, the IT Sector
Coordinating Council and the DHS Critical Infrastructure
Protection Advisory Council.
    Prior to coming to IS Alliance, he was a vice president at
the U.S. Telecom Association, served as a legislative director,
in the House of Representatives. Welcome back, Mr. Clinton.
    Mr. Ken Silva is the chief security officer of VeriSign.
VeriSign's chief security officer and VP for Networking and
Information Security. He oversees the mission critical
infrastructure for all network security and production IT
services for VeriSign. He also serves on several boards and
advisory committees, including Information Technology,
Information Sharing and Analysis Center. He is the chairman of
the board of the Internet Security Alliance. Thank you for
being here.
    Ms. Catherine T.
Allen is the chairman and CEO of the Santa
Fe Group, a strategic consulting firm specializing in
technology and innovation issues facing the critical
infrastructure. Ms. Allen has long been recognized as a leading
expert on technology issues facing the financial services
sector and other critical infrastructure industry. Prior to her
current position with Santa Fe, she served as the founding CEO
of BITS, a technology-focused consortium led by the CEOs and
CIOs of our Nation's top 100 financial institutions. She is a
graduate of the University of Missouri, where she also received
an honorary Doctorate of Humane Letters in 2005.
Congratulations and welcome.
    Ms. Kiersten Todt Coon is a VP of Good Harbor Consulting,
where she focuses her efforts on developing risk management
solutions for IT infrastructure and homeland security clients.
Prior to joining Good Harbor, Ms. Todt Coon worked as a policy
advisor to several senior Government and private sector
leaders, including the Governor of California and former VP Al
Gore. She also served as a professional staff member on the
U.S. Senate Committee on Governmental Affairs, where she was
responsible for drafting the Science and Technology
Infrastructure Protection and Emergency Preparedness
Directorate section of the Homeland Security Act of 2002. A
graduate of both Princeton and Kennedy School of Government at
Harvard, Ms. Todt Coon currently serves as a term member of the
Council on Foreign Relations.
    I welcome all of you. It is the policy of the committee to
swear in all witnesses before you testify. And I would like to
ask you to stand, please, and raise your right hands.
    [Witnesses sworn.]
    Mr. Clay. Thank you. Let the record reflect that all of the
witnesses answered in the affirmative. You may be seated. And
we will start with Mr. Sabo to begin his testimony. And you
have 5 minutes, and we like summaries.

 STATEMENTS OF JOHN T.
SABO, PRESIDENT, INFORMATION TECHNOLOGY
INFORMATION SHARING AND ANALYSIS CENTER AND DIRECTOR OF GLOBAL
   GOVERNMENT RELATIONS, CA, INC.; LARRY CLINTON, PRESIDENT,
   INFORMATION SECURITY ALLIANCE; KEN SILVA, CHIEF SECURITY
   OFFICER AND VICE PRESIDENT FOR NETWORKING AND INFORMATION
 SECURITY, VERISIGN; CATHERINE T. ALLEN, CHAIRMAN AND CEO, THE
 SANTA FE GROUP; AND KIERSTEN TODT COON, VICE PRESIDENT, GOOD
                       HARBOR CONSULTING

                   STATEMENT OF JOHN T. SABO

    Mr. Sabo. Mr. Chairman, and members of the subcommittee. I
am John Sabo, director of Global Government Relations for CA.
It is one of the world's largest software companies. More
importantly for this hearing, I am a board member and president
of the Information Technology Information Sharing and Analysis
Center [IT-ISAC]. I am also a member of the separate IT Sector
Coordinating Council, and I chair the ISAC Council, which is
composed of 13 ISACs addressing cross-sector information
sharing issues.
    I want to thank you and the subcommittee for the
opportunity to share our views on public/private sector
responsibilities with respect to preventing and addressing
Internet disruptions.
    The IT-ISAC is a not-for-profit organization. We were
founded in 2001. We fund an operation center. We monitor and
address threats, vulnerabilities and attacks on the IT
infrastructure and we have processes in place allowing us to
address these issues collectively across the member companies
when issues rise to a level requiring joint analysis or action.
    The IT Sector Coordinating Council and DHS formally
recognize the IT-ISAC as the operational, information sharing
mechanism for our sector.
The IT-ISAC is financed entirely by
member companies through our membership dues and represents a
significant by leading companies in the IT sector who have
stepped to the call for industry action.
    The GAO and the Business Roundtable have released reports,
both of which have been referenced, expressing significant
concerns about the ability of the Nation to respond and recover
from a significant Internet failure.
    Despite the fact that the Internet has to date proven
resilient, these reports reinforce the imperative to plan for
events that exceed our current understanding of threats.
History often proves us wrong and surprises us with the
unthinkable. The IT sector strategy to address these challenges
is outlined in the IT Sector specific plan and at the heart of
this plan is the need to protect key IT sector functions. And
this is a very distinct concept from the physical asset focus
of many other sectors. We are looking at IT functions.
    The plan identifies in great detail a number of areas that
need to be strengthened and in the statement we have addressed
a number of them. I only touch on two here.
    The first includes a number of steps that Government can
take to enhance the public/private operational capability.
    Leveraging the expertise of the IT-ISAC and other fully
functional ISACs instead of turning to policy councils for
operational purposes.
    Stabilizing U.S. CERT and providing it with adequate
funding in scale with its overall national mission, defining
and clarifying the relationship among the U.S.
CERT and other
DHS analytical and operational components and programs.
    Programmatically encouraging companies to join ISACs as a
best practice, something which the Roundtable did in its
report.
    Supporting the cross-sector operational information sharing
projects initiated by the ISAC Council, with equal energy and
level of resources with which DHS supports policy and planning
initiatives. Providing regular classified briefings to ISAC
operational experts and not just to sector policy
representatives.
    And finally, in this area, organizing more effectively in
response to the growing convergence between traditional IT and
telecommunications. And we welcome the physical co-location of
the U.S. CERT and the NCC watch that Assistant Secretary Garcia
mentioned, and in fact appreciate his invitation for the IT-
ISAC to have representation.
    [The prepared statement of Mr. Sabo follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.042 through T3198.053

    Mr. Clay. I am going to ask each remaining witness to
summarize, if they can, in less than 5 minutes, their opening
statements. We are going to try to get in all opening
statements before we recess again.
    Thank you, Mr. Sabo. Mr. Silva.

                     STATEMENT OF KEN SILVA

    Mr. Silva. Thank you, Mr. Chairman. I want to commend and
thank you for holding this hearing.
It is difficult to
overstate the importance of amplifying and expanding our
national focus on cyber security.
    Richard Clarke famously warned of the potential of a
digital Pearl Harbor in which critical components of the
Nation's increasingly vital electronic infrastructure would be
brought down by a coordinated electronic attack.
    Since he expressed his concern, nothing really much has
changed to make this any less dire. If anything, the threat
grows greater every day. In fact, it has already happened to
the country of Estonia earlier this year.
    None of us in Government or the private sector can sit
still on electronic security. Our defenses must always remain
two steps ahead of potential holes and exploits. If we fail to
maintain that focus and let it deteriorate, we will be holding
a very different sort of hearing in the near future, one in
which we are all called upon to answer the hard question about
what happened and what could we have done to have prevented it.
    I have been asked to offer a perspective on the efforts
VeriSign and the Internet industry are taking to ensure that
such a calamity never occurs. Make no mistake, it would be a
major catastrophe for the Internet to experience such a
significant failure.
    Approximately 25 percent of America's economic value moves
over network connections each day. And it is not just our
economy that would suffer. Government agencies at every level
rely on the Internet. Imagine today's Congress trying to
operate without e-mail or any other network services.
    What could cause such a failure? There are a couple of
potential scenarios. The first is that we in the Internet
community simply fail to expand the Internet infrastructure
enough to meet the mounting demands placed upon it.
The second
potential for failure is that we fall short in adequate
protection of our critical resources against a host of
increasingly sophisticated cyber-attacks being directed against
it.
    Internet crimes are increasingly conducted by sophisticated
international crime syndicates that reap huge profits by
targeting the network and its users. Even more frightening is
the rise of cyber-attackers backed by governments and other
deep-pocketed enemies of the United States.
    Today's attacks can cause damage 100 times more extensive
than the attacks just a year ago. This is why investment in the
infrastructure is so critical. Simply put, if we wait for usage
to outpace the development or for sophisticated attacks to
overwhelm our stagnant defenses, we are already too late.
    We learned the cost of complacency as a country when we
watched the damage done by Hurricane Katrina. By the time
Katrina hit the Gulf Coast, it was too late to strengthen its
levees. We should not have to learn that lesson more than once.
Critical resources should be reinforced long before there is a
threat to their well-being.
    The Internet continues to grow at dramatic rates, which
means the infrastructure must scale to meet that demand. No one
can take security and stability of these networks for granted;
not VeriSign, not the ISPs or other private sector players, and
certainly not the Government.
    As the operator of the dot-com and dot-net domain
registries, as well as a steward for 2 of the 13 root servers,
VeriSign understands what is at stake. Over the last 8 years,
VeriSign has operated its infrastructure with 100 percent
up-time. In other words, the systems that ensure Internet's
core infrastructure remain functional have never gone down.
VeriSign's primary computers that handle the dot-com and dot-
net traffic are now capable of handling 10,000 times the number of
queries that they could handle in 2000.
    And while the dot-com and dot-net systems currently process
more than 30 billion queries a day, we will need to build a
network infrastructure that can support 10 to 100 times that
level of volume in the next few years.
    That is why earlier this year, VeriSign announced a global
initiative called Project Titan to expand and diversify its
Internet infrastructure to those levels by 2010. These upgrades
are vital to managing the surge in Internet interactions and
protecting against cyber-attacks.
    VeriSign is well on its way to meeting its goals under
Project Titan and is already considering how to address this
set of challenges.
    Thank you.
    [The prepared statement of Mr. Silva follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.054 through T3198.059

    Mr. Clay. Thank you.

                   STATEMENT OF LARRY CLINTON

    Mr. Clinton. I want to congratulate you, Mr. Chairman, on
holding this hearing of the Government Reform Committee,
because Government reform is clearly what is necessary.
    The June 2, 2006 GAO Report got it exactly right. The
problem is the inherent characteristics of the Internet. The
Internet is unlike anything we have ever dealt with before. It
is international, it is interactive, it is constantly on the
attack. Consequently, it will require a security system unlike
anything we have ever designed before.
    We can't simply cut and paste previous government systems
and put them into Internet security. Even if Congress enacted a
brilliant statute, it would only go to our national borders.
Even if a regulator came up with a brilliant solution, it would
be outdated before you could put it into effect.
    Fortunately, we need other things to attack the Internet.
The committee has expressed some interest in the instance of
Katrina, saying that we should model ourselves on that. There
are major differences between cyber-attack and Katrina.
Katrina, we could see it coming. Literally. From hundreds of
miles away. The adequate analogy to Katrina is that the problem
with Katrina wasn't the event itself. The problem with Katrina
was that the systems weren't in place to properly handle the
event.
    Now, fortunately, we actually know a good deal about how to
mitigate and manage a number of issues dealing with cyber
security. The largest study ever conducted in this field found
that the best practices group, people who follow the
industry-recognized best practices, were able to have fewer incidents,
less downtime, less financial loss.
    What we need to do is find a way to get more people to
follow the best practices that industry is already following.
Industry is also not waiting for government to get its act
together. Industry is aggressively moving forward with new
products and services because, as it has already been pointed
out, the problem has morphed.
    We are no longer looking at these well publicized instances
like Blaster and Love Bug that were designed to get publicity.
Instead, what we are dealing with now are carefully targeted
designer malware that can sit on a system for an extended
period of time, cause tremendous damage and we don't even know
it is there.
    Fortunately, we are developing new systems to attack this.
But there is a role for the government.
And the role for the
government was pointed out in that 2006 GAO Report, where they
pointed out that in the private sector, competitors were
working together to deal with these incidents when they see
that there is a direct business relationship benefit to that.
And the NIPP, the National Infrastructure Protection Plan, also
pointed out--and this is the one thing that I choose to read
for you, Mr. Chairman:

        That the public private partnership called for in the NIPP
        provides for the foundation for effective critical
        infrastructure protection. The success of the partnership
        depends on articulating the mutual benefits to government and
        the private sector partners. While articulating the value to
        the proposition for the government is typically clear, it is
        often difficult to articulate the direct benefits to the
        private sector. In assessing the value proposition for the
        private sector, there is a clear national security interest and
        homeland security interest in ensuring that the collective
        protection of the critical infrastructure goes beyond that of
        the business unit.
        Government can engage industry to go beyond
        efforts already justified by their corporate business needs and
        assist in a broad-scale critical infrastructure protection by
        creating an environment that supports incentives for companies
        to voluntarily adopt widely held best practices.

    And I conclude my presentation by listing for you 10 steps
that I would suggest that the committee consider for roles that
the Government can embrace, which are not your traditional
regulatory role, but are things like leading by example, using
your market power instead of your regulatory power; supporting
research and development that is not going to be undertaken by
industry; using the market incentives that you have
traditionally used in other areas; address the lack of cyber
insurance; raise your aim in terms of awareness to focus on
senior executives rather than individuals; adopt a coherent
strategy for dealing with the private sector, something
discussed before; clarify the roles and procedures for crisis
management; and rethink your approach to information sharing.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Clinton follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.060 through T3198.069

    Mr. Clay. Thank you so much, Mr. Clinton. The committee
will now recess for the duration of these votes on the floor.
They tell me it will be about half an hour. I am sorry. The
committee stands in recess.
    [Recess.]
    Mr. Clay. The committee will come to order. Ms.
Allen.

                STATEMENT OF CATHERINE T. ALLEN

    Ms. Allen. Thank you, Chairman Clay and members of the
subcommittee and committee for the opportunity to submit
testimony before you today on private and public sector efforts
to secure our Nation's Internet infrastructure.
    The Santa Fe Group does a lot of work for the industry and
still for BITS. I am actually going to go directly to the
recommendations because of the time.
    And what I am suggesting is that the financial services
industry has done a great deal to strengthen business
continuity, planning and coordinate prior to and during times
of crisis. We have business continuity plans which are
constantly updated. We refine and test them, and this is a
regulatory requirement, and part of our risk management
process.
    Most financial institutions, in fact, all that are deemed
mission critical are required by our regulators to have
recovery operations in place and back-up in a very narrow
timeframe. And this requires telecommunications, it requires
power and it requires dependency upon IT. If any of those are
not working, we cannot meet our regulatory requirements.
    I would be the first to tell you that we have a long way to
go as an industry, but there is much of what we do that we
believe could be copied or modeled for other critical
infrastructure industries.
    We have a very successful FS-ISAC, Financial Services ISAC,
and FSSCC, a coordinating council for critical infrastructure
protection.
We work very closely with our regulators through
the FBIIC and with the Department of Treasury in coordinating
on everything from Katrina to the power outage after 9/11.
    Most recently, we ran a pandemic exercise which included a
component that looked at if the Internet was down and we had
many people working from home, what would that mean.
    And I would say that the two most important things that we
have done related to Internet recovery are the work that we did
on business critical telecommunications services, where we
developed best practices, not only for the financial sector but
for the telecom sector, upon which we are extremely dependent,
to make sure that they had the diversity and redundancy that we
needed.
    We also finished a business critical access to power. We
did this with the power industry, again to look at best
practices for alternative power if there was disruption in any
of the IT industry.
    Last, we worked in managing third-party service providers.
Much of the Internet is dependent upon third parties, many of
whom are located in India and China and other places. So,
looking at how we manage those. Those are all models for other
industries.
    The recommendations that I have are, recognize that other
industries may need to share the same level of responsibility
and liability that we do as an industry, and to look at some of
our regulatory requirements might not be a bad idea. Second, we
maintain rapid and reliable communications, and that means
diverse communications.
    I personally had a number of our CIOs from the financial
sector in Detroit when we had the power outage, we were all
using our Blackberries, which were the only thing that still
worked, because the cell phones ran out and there was no power.
But that is how we communicated with our regulators, and we
were able to make sure that it wasn't a terrorist event, that
it was in fact a power outage.
But we needed to have
alternative channels.
    Recognize the critical infrastructures that are dependent
upon software and operating systems. The IT industry is the
backbone for telecommunications, for power, for the user groups
like financial services and chemical, and if they are down or
disrupted, we are down.
    So, it is critically important to focus on the Internet,
the software and operating systems that access the Internet
because that is the backbone of both economic and
communications-wise for us.
    We encourage our regulatory agencies and others to look at
the software vendors. Similar to what our regulators look at,
third-party service providers, to make sure that they are
delivering safe and sound practices and security practices
within those vendors.
    Encourage collaboration and coordination among critical
infrastructures and the government agencies to enhance the
diversity and resiliency of the telecommunications
infrastructure. The NCC, the NCS, used to be an outstanding
organization. We did a lot of our early work with them. They
were gutted. They have no budget to be able to do the kind of
work that we need for them to do.
    Invest in the power grid because of its critical and
cascading impact on other industries and other critical
infrastructures.
    And when I talk about invest, I think there are incentives
that Congress can put in place to have these other industries
make sure that they maintain a resiliency.
    Improve the coordination procedures across all critical
infrastructures and with the Federal, State and local
governments, I don't believe it is working, and I think there
is much that we need to do, when we do have a major event.
    And last, encourage law enforcement to prosecute cyber
criminals.
And in particular, on a global basis, because much
of the problems we have are not criminals in the United States,
they are criminals in the Ukraine or in Asia or in other
countries that are attacking our systems here today.
    I thank you, Chairman Clay and Members, for this
opportunity to testify on ensuring Internet resiliency and
security in light of the increased cyber-attacks. It is a
daunting task, but it is critically important to do so.
    Thank you.
    [The prepared statement of Ms. Allen follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.070 through T3198.087

    Mr. Clay. Thank you so much, Ms. Allen, for your testimony.
Ms. Todt Coon, you may proceed.

                STATEMENT OF KIERSTEN TODT COON

    Ms. Todt Coon. Good afternoon, Chairman Clay, and thank you
for the opportunity to testify.
As was mentioned in the
introductions, I am currently a vice president at Good Harbor,
and of particular relevance to this hearing, served on the
Senate Committee on Homeland Security and Government Affairs,
and worked on the Directorate part of the DHS legislation on
Internet Protection and Emergency Preparedness.
    In the interests of time, I will move pretty quickly to my
recommendations.
    As the National Strategy to Secure Cyberspace correctly
stated, cyberspace is the nervous system supporting our
Nation's critical infrastructure. Yet, despite our recognition
of this, little has been done and there are several reasons for
this, including authority and ownership issues, both in the
public and private sectors.
    Our Internet infrastructure is vulnerable for several
reasons, and I will tackle two of them regarding infrastructure
and looking at response capabilities. Regarding infrastructure
in our end systems, there are two classes of end systems. There
are home users and enterprise. Access to the servers usually by
these enterprise users is critical in a time of crisis. If the
end systems are compromised, then key response personnel will
not be able to access the information they need to respond to
an event.
    The current challenge with which we are faced is that all
information, both critical and non-critical, is transmitted
over our information networks and treated equally. For example,
if this Nation is confronted with a pandemic like the avian
flu, our information networks as they currently exist will
experience disruptions and outages that will paralyze us and
prevent us from executing an effective emergency response.
    The second area of weakness I will discuss in this brief
statement is response capabilities. Our response capability is
critical because obviously we are not able to guard
successfully against all threats.
We don't have a back-up
system at this time that can be activated in the event of a
widespread Internet failure. And we have not developed
scenarios for potential attacks on our Internet infrastructure.
    Experts disagree on the magnitude of risks and what needs
to be done. And what is important is that we routinely use this
lack of consensus as an excuse for inaction. Until we reach
agreement on these issues, we will not be able to prepare for
imminent attacks.
    So I offer today the following recommendations. The
Internet was designed for the purpose of openly sharing
information. The question then with which we are posed is how
do we impose the secure exchange of information on top of an
open sharing environment.
    We should create a three-tiered system that allows our
networks to identify and prioritize in the following order.
First, critical communications supporting government
operations, business and first responders. Second, routine
business information, and third, non-critical information. In a
time of crisis, we must be able to ensure that critical
information is being delivered with priority speed and that it
is not encumbered by non-critical information being sent
simultaneously.
    We must also develop back-up systems and conduct scenario
planning. If we experience a life cycle attack, we would need
to have the ability to reboot the Internet. We should have
reserve network protocols and we should maintain back-up
parallel systems that can replace the active systems and bring
up the critical portion of the Internet in the time of crisis.
    And we should develop a playbook for scenario planning. And
I assert that this is different than exercise. Scenario
planning is different than exercises. Scenario planning would
push us to identify and conceive possible responses to a
serious attack.
We need to think through how appropriate \nplayers in both the public and private sectors will respond and \nwe need to examine our current authority and ownership issues \nwithin both the government and the private sectors.\n    I now submit to you a final recommendation. One of the \nfirst steps we need to take in preparing ourselves for an \ninformation infrastructure failure is to set risk standards. \nHowever, we can't set risk standards if we don't know what the \nrisk is.\n    I commend this committee on its work with FSMA because I \nthink FSMA has done a good job with defining cyber security. I \nalso propose a National Cyber Risk Assessment to be conducted \nby a blue ribbon commission of experts who would be responsible \nfor defining the risks that exist. The only way we can begin to \nadequately prepare ourselves is to commit to possible \nscenarios. The assessment would inform the scenarios and enable \nus to assign ownership and controls. The Office of Management \nand Budget should provide the resources, the direction and the \noversight and leadership for this assessment.\n    In conclusion, experts and observers postulate that we do \nnot have to be worried about hackers taking down the Internet \nbecause hackers would not intentionally bury their playground. \nBut our greatest risk does not come from hackers. It comes, as \nwas mentioned before, from foreign governments that can ably \nand quietly use the Internet infrastructure for espionage and \nother nefarious purposes.\n    The threat is particularly strong from governments that have \ndeveloped their own internal Internets, such as China, and \nwould therefore not be severely affected by a worldwide \ndisruption.\n    Recent events have demonstrated that these scenarios are \nnot possibilities, but realities. 
Our national security, the \nhealth and well-being of the community, and the daily \nfunctioning of our society depend on the security and \nresiliency of our infrastructure.\n    We have a responsibility to define the Internet \ninfrastructure risk that exists and to plan for that risk \nappropriately. And we have a responsibility to act. I assert \nthat we must act now.\n    Thank you for the opportunity to testify before you today.\n    [The prepared statement of Ms. Todt Coon follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T3198.088 through T3198.095\n    \n    Mr. Clay. Thank you very much. I will ask the panel several \nquestions, and I would love to hear responses from the entire \npanel. We will just start at this end of the table with Ms. \nTodt Coon, and go down the line.\n    The first issue is, regardless of which sector of the \neconomy we focus on, all of them have significant levels of \ndependence on the Internet for their operations. It seems, \nhowever, that we spend more time focusing on the risk of 17 \ndifferent sectors, as opposed to the broad risk associated with \nthe disruption of a key critical asset, such as the Internet.\n    First, should we begin to move away from establishing \nlevels of risk for each specific sector, and move toward \nestablishing risk models according to specific assets or \ncritical functions, such as telecom, Internet or infrastructure \nresiliency or the security of our power transmission assets?\n    Ms. Todt Coon, let's begin with you.\n    Ms. Todt Coon. Thank you. 
That is an excellent question, \nand it is obviously a question that we are confronted with in \nlooking at how we have organized our sectors.\n    I think some would assert at this point that the sector \nmodel is sophisticated in a way that is almost too \nsophisticated for us to manage right now, because the reality \nof how we are handling the sector issue is that it is stalling \nus and preventing us from making the progress that we could on \ninformation infrastructure protection.\n    I would reference a report that was recently released by \nthe Business Roundtable which talks about public/private \npartnerships. And it talks about the fact that the private \nsector incorrectly believes that government is developing \nresponse plans and that the Government believes that the \nindustry structures will have their recovery response plans.\n    We recognize that both the public and the private sector \nhave a role but neither is adequately prepared.\n    Having said that, I would like to reference, I think, a \nmodel within the private sector and its coordination with the \npublic sector that has worked effectively. And that is the \nFBIIC model, which Ms. Allen has referenced. It is the \nFinancial and Banking Information Infrastructure Committee.\n    Post 9/11, the financial sector was obviously concerned \nabout the anticipation of what could happen to our banking and \nfinancial markets. Through the committee, the Fed reached out \nto 11 financial institutions--reached out to the banking \nindustry, and said we are going to talk to 11 institutions, we \nare not going to tell you who they are. Obviously if we talk to \nyou, you will know you are one of them. And if not, you are \nnot.\n    And they worked with these institutions to create a \nsecurity and resiliency plan. And Ms. Allen, I am sure, can \ntalk to this in greater detail. 
But what this collaboration \nreflected was the clarity of Government purpose, and it also \nreflected industry working within a Government strategy.\n    And one of the reasons why I think this was effective, was \nthat the Government was able to leverage its institutional \nknowledge. The way that we have currently organized with DHS is \nthat we have split the ownership roles across different \nagencies and entities, both on the cyber side, but we see it \nwith energy and with other structures.\n    And what I would propose is that we look at how the \nGovernment can institute this integrated approach to industry \nprotection in a more collaborative way that doesn't silo this \nprotection issue.\n    Mr. Clay. Thank you for that response.\n    Ms. Allen.\n    Ms. Allen. I agree with everything you just said, and I \nwould add to it, you can't boil the ocean. And I would pick \nfive infrastructure groups to first coordinate and use that as \na model for the others. And that is, the IT, the Internet, the \ntelecom and the power, because they are absolutely \ninterdependent.\n    Then I would add financial services, because if that is \ndown, then you are going to have a major problem with the \neconomy and the confidence of the people. Last, first \nresponders, so that you are taking care of the first \nresponders.\n    If you could look at integrated programs across those five \ngroups, with the Government, that would be the starting point. \nAnd I think the FBIIC model, that the financial sector \ndeveloped is the right model.\n    Mr. Clay. Should it all be Homeland Security's \nresponsibility? [Laughter.]\n    Well, maybe Ms. Todt Coon should answer that. You helped \ndesign----\n    Ms. Todt Coon. Well, I don't have a lot of confidence. \nLet's just say that there have been many, many attempts to have \nthis happen under DHS and it has been very difficult for it to \nbe effective. So I think it is really going to take absolute \nadministrative support. 
I am in support of a blue ribbon \ncommission and then maybe DHS responds back to and does \nwhatever this commission says it needs to do.\n    But I don't think that it is going to come the way that we \nhave it structured now.\n    Mr. Clay. All right. Mr. Clinton.\n    Mr. Clinton. Mr. Chairman, I think that is a very \nthoughtful question. And I have been trying to listen to my \ncolleagues to get a good answer for it, while I have been \nthinking of it myself.\n    Here is my off-the-cuff view on it. First of all, we at the \nInternet Security Alliance have never embraced the sector \nmodel. The Internet Security Alliance is built on an entirely \ndifferent model. We are a cross-sectoral organization. We have \nthe defense sector, IT, banks, Coca-Cola, food service. Only \nbecause when you are dealing with the Internet, it is all ones \nand zeroes.\n    So we all have the same problem, although, at a sub-\nstructural level, there are individual sector orientations \nwithin. So, the sector model, I think, was entirely the wrong \nway to go, fundamentally. And when I say we ought to rethink \nthings, that is one of the places where I would suggest we \nbegin.\n    The second question, and this kind of gets to your followup \nquestion a little bit, has to do--when you say, what should we \nbe doing. That is a really critical question. Who is the ``we'' \nyou are talking about, sir? I think it is appropriate for you \nto be thinking, well, should this be DHS? And my answer is no, \nit shouldn't be DHS. It can't be DHS. If we try to shove this \ninto DHS, even if we hire Catherine Allen to run DHS, I am \nstill not sure that they are going to be able to do it. They \nare a U.S. Federal Government institution trying to deal with \nan inherently international infrastructure that is owned and \noperated 95 percent by the private sector.\n    Trying to get this done through DHS or the Internet \nCommission on Wonderfulness is not going to work. 
We have to \nunderstand that we are dealing with an entirely different \nmodel. We have to find a way to work together with the private \nsector. The private sector is constantly--the major players, \nanyway--are constantly doing risk assessments. They are \nconstantly upgrading their systems.\n    As I said in my testimony, they are not waiting for DHS. \nAnd we work cooperatively with DHS. I am not going to bash DHS. \nBut the system is being run by the private sector. That is \nnever going to change. We have to find a way that Government \nunderstands its role. And its role is not to manage, to \ndictate, to be the parent here. Their role is to be a major \nuser who works with all the other major users.\n    Now, obviously they have a separate role in terms of \nnational defense that we could deal with differently. But my \nsuggestion would be that the way to go about this is to harden \nthe entire system. Not to identify what the one particular risk \nis because that is a static moment in time.\n    This past week we had a major conference at ISA where we \nlooked at securing the IT supply chain. Talk about a major \nproblem. There is nothing that is not in the IT system that is \nnot researched, resourced, developed, assembled, whatever, \nsomeplace. And some of the places this stuff is made can be a \nlittle bit scary.\n    How do we secure the supply chain? And we looked at all the \nrisks. And we said this is the area where we have the greatest \nvulnerability. We looked at it for a minute, and we said, well, \nas soon as we established that as the major risk vector, the \nguys who are attacking this aren't stupid. Move it over to \nhere.\n    So the risks don't stay static. We need a full systems \nsolution that is sustainable on a long term basis and that is \nwhy we argued for a system of market incentives. 
We have to \nmake the owners and operators realize that it is in their self-\ninterest to continually upgrade and build-out the system, \nincluding the Federal Government's, and that is, we think, the \nanswer to the approach that you are suggesting.\n    Mr. Clay. Thank you for that response.\n    Mr. Silva.\n    Mr. Silva. I think that you have brought up a couple of \ninteresting questions here, and I thank you for the opportunity \nto respond to them.\n    It is interesting, when you really think about throughout \ntime, we have kind of decided that we would handle this in a \nsector-specific way and that's just sort of how it worked \nitself out. In fact, the ISACs themselves were created as \nsector-specific to a large degree.\n    And there are problems that are sector-specific. For \ninstance, financial institutions have a more interesting set of \nthreats unrelated to the infrastructure itself, but more around \nIT security and around the practices of being online for a bank \nor other financial institutions.\n    But there are a lot of overlapping infrastructures, and \nthose infrastructures certainly include the Internet itself, \nwhich all by itself is very insecure. I mean, the Internet \nitself doesn't offer any security. It really doesn't. Most of \nthe security is handled either through appliances or through \nthe applications themselves. But the Internet itself was \ndesigned to be an open system with really zero security \nmeasures to it at all.\n    So I think that we need to look at the Internet \ninfrastructure and its resilience and whatever security \nmechanisms we need to put in place to make sure that it \ncontinues to stay up, and the international aspect of it needs \nto be something that is looked at commonly across all of the \nsectors.\n    Now you did ask what we should be doing and, as Mr. Clinton \npointed out, what we should be doing is dependent upon who \n``we'' is. 
Since the private sector is responsible for most of \nthe infrastructure on the Internet, it is incumbent upon the \nprivate sector to take action.\n    I think if we beg for too much regulation from the \nGovernment, we will get exactly what we asked for, and I don't \nthink that would be a pleasant situation, either.\n    But as Mr. Clinton pointed out, incentives are probably the \nbest tactical step that could be taken with long term effects \nthat I think would be positive. Unfortunately, when we look at \nbuilding out the infrastructure, say, for the next generation \nof the Internet protocol--which by the way that next generation \nof Internet protocol was developed a decade ago, and still has \nyet to be implemented literally. IP Version 6 has been pretty \nmuch standardized for a number of years and is the best \ntechnology yet to come, still.\n    But there is no incentive for telecommunications providers \nor Internet service providers to deploy it. There aren't any \ncustomers and it is a chicken and egg kind of thing. There is \nmore secure, more robust protocol, and some would argue that it \nis not necessarily more secure and I might be one of them. But \nit hasn't been deployed because there are no customers for it. \nThere are no customers for it because it doesn't exist.\n    The Federal Government is a big enough customer that if \nthey demanded it as part of their infrastructure, and their \ninfrastructure build-out and used their market influence, their \nbuying power, then those kinds of protocols and those kinds of \nenhancements would be made, if demanded by the Government as \npart of the procurement process.\n    Thank you.\n    Mr. Clay. Thank you for that response.\n    Mr. Sabo.\n    Mr. Sabo. Well, summing up after that, or coming to a \nconclusion, a couple of things I would say with respect to the \nbasic question.\n    There are risk assessments that can be applied generally to \nwhat we see as the infrastructure. 
And some of that work is \nhappening now. The IT-ISAC and the Sector Coordinating Council, \nin fact, have work groups of industry experts attempting to \nlook at the key functionality provided by the infrastructure \nand the sub-functionality, and attempt to build a risk \nassessment methodology that actually might make some sense.\n    If you do a static risk assessment, although I respect the \nidea of bringing in experts and assembling for many months, we \nhave had many of those studies. You can look at the literature \nand you can see a number of recommendations made by \nacademicians and by industry experts that are sitting on the \nshelves because the Internet and the infrastructure are very \ndynamic. And, as Mr. Silva pointed out in his statement, a \nnumber of threats to the infrastructure are not on the \ninfrastructure, it is on the applications that ride on the \ninfrastructure and that impact the utility of the \ninfrastructure.\n    In the financial sector, a number of attacks are based on \nsocial engineering. And those attacks open up and expose \nvulnerabilities, the vector of an attack that can be used much \nlater to go after the infrastructure.\n    In a way, we have a very organic Internet infrastructure. \nThe components of it, such as software itself or a domain name \nservice resolution or some of the other pieces of it, are all \ncomponents which lead to the vulnerabilities which actors can \nuse when they decide to make an attack.\n    So a couple of things. One is, work needs to happen cross-\nsector and I agree with that, and it is actually starting, but \nit has not really moved far enough along. Work also has to \nhappen by the users of the infrastructure, and that is, the \nmajor sectors and the major corporations and companies in the \nsector. And to some degree that is addressed by the type of \nregulatory environment in which financial services operates. 
It \nis not addressed in many other environments and yet the work \nneeds to be done.\n    So I think it really is a combination of both looking at \nthe risks associated with the use of the network \ninfrastructure, for example, by control systems, the use of the \ninfrastructure by the major corporations, but also by the \nindustry that writes the hardware/software and operates \nresolution services and security services for the \ninfrastructure.\n    You can't look at it, I think, as one simple solution. You \nhave to recognize how complex the beast is, and you have to \nlet, actually encourage, which was the purpose of my testimony \nfor the ISAC, that where industry is stepping forward to \naddress these issues, Government's best role is to foster and \nencourage through appropriate incentives. And not all monetary \nincentives. They could be incentives such as saying we \nencourage you and we will support some of these activities, to \nmove forward with that.\n    And I think to conclude, the Roundtable Report is an eye-\nopener. Because what the Business Roundtable found in its \nreport says that we are increasingly and fundamentally and \nalmost totally becoming dependent on this IT infrastructure \nwhich is network based. And in that interdependence, we are \nlosing our capacity to go backward. We are losing our ability \nto go back to older systems. We are losing our ability to fall \nback to paper systems. Therefore it is imperative for us as a \nNation to take the steps to do what you just said; do an active \nrisk assessment, put in the types of controls we need, do some \nof the strategic work that is academically based, but have a \nproactive operational plan to move forward.\n    If all we are going to do is write more papers, do more \ncommissions, do more studies, we are going to hopelessly fall \nbehind. 
And so I think being active, looking at the uniqueness \nof each sector, what the companies are doing, what the \npractices are, as well as looking cross-sector at some of the \nfunctions, is a combination way to go.\n    And then from a congressional perspective, avoiding \nregulation but perhaps looking to measures and to saying to us \nwho are in these sectors, what are some performance measures \nthat you are using to evaluate your effectiveness. What steps \nare you taking. What outcomes are you offering.\n    And to me that would be the most effective short-term \napproach.\n    Mr. Clay. Thank you for that response. One more question \nfor the panel. Is the extension of the Federal Terrorism \nReinsurance Backstop program an adequate model for Government \nto provide economic security to the private sector in the event \nof a major Internet disruption? Do we have effective risk \nmodels to determine the cost and potential exposure to the \nGovernment for covering this type of incident? We will start \nwith Ms. Todt Coon.\n    Ms. Todt Coon. I would go back to--I appreciate the \ncomments of the panelists, but I continue to assert that we \nhave not defined the risk in a way that allows us to create a \nmodel, in response to your question. By not having this \naccountability and by not defining this risk, we are being \nstalled with inaction.\n    And while there has been action in different components, as \nwe cited earlier--I think what the financial sector has done is \nexemplary and noteworthy--as a whole, we have not made the \nprogress on these issues that we are looking to do.\n    And I think at the end of the day, in looking at what the \npublic and the private sectors have done, as we cited earlier, \nlooking up multiple post-Katrina reports, we recognize that \nneither the public nor the private sector can respond \nindividually. They need to work together. 
And Katrina showed us \nthat the ways in which they work together currently aren't \nworking properly.\n    And so I would encourage us to look at legislation, like \nthe Stafford Act, to revise to include for-profit companies and \nalso look at the Defense Production Act, which if leveraged \ncorrectly by DHS could support the work that they are doing. \nAnd I think that legislation exists out there within which we \nneed to work. And that we also need to be assigning the \nownership and responsibility in a more clear way that allows \nthose entities responsible for this to act accordingly.\n    Mr. Clay. Thank you for that. And, Ms. Allen, the Terrorism \nReinsurance Backstop program, is it an adequate model?\n    Ms. Allen. It is not adequate. I think it is a good thing, \nbut it is not adequate. Again, I agree that there is not an \nappropriate risk model. We don't yet understand the cross-\nsector impact. I think there are other incentives, including \ninsurance, the ratings agencies, tax incentives, Government \nprocurement, that might be more effective in the short run.\n    And that is my answer.\n    Mr. Clay. Mr. Clinton.\n    Mr. Clinton. I think I would agree that it is a useful \nmodel, but some important differences have to be realized. \nFirst of all, cyber insurance is a very different animal than \ntraditional insurance. The cyber insurance market has not taken \noff at all. It has been stagnant for 5 or 6 years, about 20 \npercent of companies have cyber insurance. And there are things \nthat the Government can do to help in that area.\n    So, if you are talking about cyber, the model is probably \nworth looking at, but there are other things that need to be \ndone. And my colleagues are exactly right with regard to you \ncan't assess the risk.\n    Let me quickly tell you what the core problem is with cyber \nand then in my written testimony I go into a little bit more \ndepth on insurance. 
I won't bore you with that now.\n    But the problem with cyber insurance, it is available. But \nthe problem is, nobody buys it. And the reason nobody buys it \nis because it costs too much money. And the reason it costs too \nmuch money is because since there aren't adequate actuarial \ntables, the businesses that run the cyber insurance naturally \nset the risk at maximum and therefore the prices are at \nmaximum.\n    The Federal Government could do a tremendous service by \ncoming in and working with us so that we get the data \nappropriate so that we could set actuarial tables which would \nbring more providers into the market. Currently one company, \nAIG, has 85 percent of the market. That is not a good thing.\n    If we got more providers into the market by providing them \nwith the data, which I expect the Government does actually have, \nthat would then lower the cost. By lowering the cost, now more \nproviders will get in. That will increasingly lower the cost, \nwhich has two major benefits.\n    First of all, if you have a cyber Katrina right now, there \nis virtually nobody covered. Which means the insurer of last \nresort is going to be the Federal Government. The Federal \nGovernment is going to be stuck with a billions and billions \nand billions of dollars bill. It is going to be worse than \nKatrina because at least there was some insurance down there. \nThere isn't in a cyber Katrina.\n    Second, once we have insurance available and being \npurchased broadly throughout the market place, insurance can \nbe, in addition to other incentives, and I would endorse \nCathy's comments in that regard, but insurance can be a \ntremendous incentive.\n    We use insurance all the time to motivate pro-social \nbehavior. Good driving behavior, good health behavior. My \ndaughter is desperate to get really good grades because it is \ngoing to lower the insurance on her car. This can drive better \nbehavior. 
And what I have argued in my testimony is, the way to \nhave a fully resilient, consistent, consistently up-growing \nsystem is to have market incentives. Insurance is a great one. \nSo that people will constantly want to adopt the best \npractices, get the lower insurance rate and the industry and \nthe Government is therefore covered if we have a major event.\n    So, it is a good model, but there are a variety of things \nthat we have to do to make it work, particularly in the cyber \narena.\n    Mr. Clay. Thank you for that response.\n    Mr. Silva.\n    Mr. Silva. Thank you. I don't know that level of assistance \nis necessarily everything that we need. And there has been a \nlot of discussion about how difficult it is to assess the risk. \nAnd I don't know about assessing the risk because I think each \nindividual element of this could assess what they believe is a \nrisk and then somehow we could wrap that up. It is difficult to \nassess now.\n    What is even harder to assess is what the level of damage \nis going to be. And it will be more than we can even imagine \nsitting at this table. We couldn't have imagined the damage \nthat happened during Katrina and when we sat and tried to plan \nfor that ahead of time.\n    But the damage that would have happened from even shutting \ndown the Internet for a couple of hours in the middle of a \ntrading day or the middle of a business would be catastrophic. \nIt would be huge. And if something so serious occurred that we \nhad to reboot the Internet, so to speak, it would be a \nsignificant amount before that recovery would actually take \nplace. There are so many different players.\n    But one of the things that I worry about, in addition to \nthose attacks that come from a terrorist act, if you will, or \nsome malicious behavior, are those sorts of things that might \ncreate a self-inflicted wound. 
In our zeal to try to improve \nthe Internet, in many cases, we make it more complicated and in \nfact create new and additional risk that we should think \nthrough a lot more carefully before we do it.\n    One example of that is internationalized domain names. \nThere are proposals to create internationalized domain names in \norder to let countries create domain names, the name of Web \nsites, if you will, in Cyrillic or Arabic, etc. The problem is \nthat because of a lack of careful action and careful planning \non this, other countries are on their own racing out to create \nanother Internet, if you will, that uses the Internet we are \nused to, but works in a completely different way.\n    So the rules and regulations that we would create and the \npolicies that we would create as industry sectors and as \ngovernments wouldn't apply to these people. Therefore, we have \nto take corrective action for whatever the weakest link is \ngoing to be, and carefully think through some of these \nimprovements that we think are improvements, and make sure that \nthey are not actually creating more complexity and more \nconfusion for users and more confusion for the people who have \nto assess threats and damage.\n    Mr. Clay. Thank you for that response.\n    Mr. Sabo.\n    Mr. Sabo. I think an approach to this is to give a chance \nto the mechanisms that have not been given a chance to work. It \nis a complex environment. We have never been in a situation \nwhere millions of individuals scattered around the whole United \nStates, or for that matter, the world, could literally have an \nimpact on a national economy.\n    We have never been in a situation where people living--and \nit has been rare--but if you think of a physical event and the \ninsurance for terrorism, it might be very applicable to that. \nBut we are dealing with a much different animal.\n    Mr. Clay. Mr. Sabo, let me interrupt you. Are we too \ndependent on the Internet as a society? As a world? Mr. 
Clinton \nis saying there is no going back. There is no way to go back to \nthe paper or anything else. Does that make us too dependent on \nthe Internet?\n    Mr. Sabo. We are dependent on it. And it is increasingly \nso. And we can't stop that because the nature of us as human \nbeings, the nature of the capitalist society and the \ndevelopment of many uses of information and new technologies, \nsimply can't be arrested without some dramatic shift back to a \nsociety of almost the Stone Age. You can't do it.\n    Having said that, and knowing the complexity that we do, my \nsuggestion is that we give an opportunity for measures to begin \nworking slowly to address different aspects of this. So one \naspect is Internet resilience and some of the things that Ken \nis talking about.\n    Another aspect is expectations of companies as noted in the \nBusiness Roundtable to take steps, good steps, to deal with \nbusiness continuity practices. Another example would be looking \nto industry through the ISACs and so on, to address \nvulnerabilities.\n    And by putting this together in combination, you have some \nopportunity to see progress against a set of measures. But if \nyou just look at it in terms of--particularly with the \nInternet, as Ken said, a catastrophe so huge that in cyber \nterms it would be the equivalent of a national state of \nemergency that might continue for weeks or months.\n    What is that? How can you insure against it? Insurance \nmight be good to, say, I have a breach issue and I am insured \nagainst the risk associated with that. But how do you insure \nagainst the loss of a whole infrastructure for the whole \neconomy?\n    So I would say an approach is let each of the measures that \nare best suited for this tier of protection be given a chance \nto operate and be given a chance to demonstrate effectiveness.\n    Mr. Clay. Thank you so much for that response. Let me thank \nthe panel for their responses and their expertise in this area. 
\nI am certain that this will not be the last hearing.\n    But as you have heard, the bells have rung, and without \nobjection, this committee is adjourned.\n    Thank you.\n    [Whereupon, at 5:50 p.m., the subcommittee was adjourned.]\n\n                                 <all>\n\n</pre></body></html>\n"