[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]




 
  CYBERSECURITY: A REVIEW OF PUBLIC AND PRIVATE EFFORTS TO SECURE OUR 
                    NATION'S INTERNET INFRASTRUCTURE

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 23, 2007

                               __________

                           Serial No. 110-59

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
                     http://www.oversight.house.gov


                     U.S. GOVERNMENT PRINTING OFFICE
43-198 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California               TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York             DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania      CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York         JOHN M. McHUGH, New York
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana
DANNY K. DAVIS, Illinois             TODD RUSSELL PLATTS, Pennsylvania
JOHN F. TIERNEY, Massachusetts       CHRIS CANNON, Utah
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      DARRELL E. ISSA, California
BRIAN HIGGINS, New York              KENNY MARCHANT, Texas
JOHN A. YARMUTH, Kentucky            LYNN A. WESTMORELAND, Georgia
BRUCE L. BRALEY, Iowa                PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of   VIRGINIA FOXX, North Carolina
    Columbia                         BRIAN P. BILBRAY, California
BETTY McCOLLUM, Minnesota            BILL SALI, Idaho
JIM COOPER, Tennessee                JIM JORDAN, Ohio
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

                     Phil Schiliro, Chief of Staff
                      Phil Barnett, Staff Director
                       Earley Green, Chief Clerk
                  David Marin, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York         CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky            BILL SALI, Idaho
PAUL W. HODES, New Hampshire
                      Tony Haywood, Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on October 23, 2007.................................     1
Statement of:
    Garcia, Gregory T., Assistant Secretary for Cyber Security 
      and Communications, Department of Homeland Security; 
      Gregory C. Wilshusen, Director of Information Security 
      Issues, GAO; and Daniel S. Ross, chief information officer, 
      State of Missouri..........................................     7
        Garcia, Gregory T........................................     7
        Ross, Daniel S...........................................    43
        Wilshusen, Gregory C.....................................    20
    Sabo, John T., president, Information Technology Information 
      Sharing and Analysis Center and director of Global 
      Government Relations, CA, Inc.; Larry Clinton, president, 
      Information Security Alliance; Ken Silva, chief security 
      officer and vice president for networking and information 
      security, Verisign; Catherine T. Allen, chairman and CEO, 
      the Santa Fe Group; and Kiersten Todt Coon, vice president, 
      Good Harbor Consulting.....................................    64
        Allen, Catherine T.......................................    98
        Clinton, Larry...........................................    86
        Sabo, John T.............................................    64
        Silva, Ken...............................................    78
        Todt Coon, Kiersten......................................   118
Letters, statements, etc., submitted for the record by:
    Allen, Catherine T., chairman and CEO, the Santa Fe Group, 
      prepared statement of......................................   100
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................     3
    Clinton, Larry, president, Information Security Alliance, 
      prepared statement of......................................    88
    Garcia, Gregory T., Assistant Secretary for Cyber Security 
      and Communications, Department of Homeland Security, 
      prepared statement of......................................    10
    Ross, Daniel S., chief information officer, State of 
      Missouri, prepared statement of............................    45
    Sabo, John T., president, Information Technology Information 
      Sharing and Analysis Center and director of Global 
      Government Relations, CA, Inc., prepared statement of......    66
    Silva, Ken, chief security officer and vice president for 
      networking and information security, Verisign, prepared 
      statement of...............................................    80
    Todt Coon, Kiersten, vice president, Good Harbor Consulting, 
      prepared statement of......................................   120
    Wilshusen, Gregory C., Director of Information Security 
      Issues, GAO, prepared statement of.........................    22


  CYBERSECURITY: A REVIEW OF PUBLIC AND PRIVATE EFFORTS TO SECURE OUR 
                    NATION'S INTERNET INFRASTRUCTURE

                              ----------                              


                       TUESDAY, OCTOBER 23, 2007

                  House of Representatives,
   Subcommittee on Information Policy, Census, and 
                                 National Archives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:06 a.m. in 
room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay 
(chairman of the committee) presiding.
    Present: Representatives Clay, Hodes, Yarmuth, and Turner.
    Staff present: Darryl Piggee, staff director/counsel; Jean 
Gosa, clerk; Adam C. Bordes, professional staff member; Nidia 
Salazar, staff assistant; Michelle Mitchell, legislative 
assistant, Office of Wm. Lacy Clay; Charles Phillips, minority 
counsel; Patrick Lyden, minority parliamentarian & member 
services coordinator; and Benjamin Chance, minority clerk.
    Mr. Clay. The subcommittee on Information Policy, Census, 
and National Archives will now come to order. Today's hearing 
will examine how well DHS is fulfilling its role as the leading 
Federal agency charged with coordinating response and recovery 
efforts in the event of a major Internet disruption. In 
addition, we will review the roles and responsibilities of 
private sector stakeholders in the development of Internet 
recovery plans and hear their recommendations for improving our 
current cyber security policy framework.
    Without objection the Chair and ranking minority member 
will have 5 minutes to make opening statements followed by 
opening statements not to exceed 3 minutes by any other Member 
who seeks recognition. And without objection Members and 
witnesses may have 5 legislative days to submit a written 
statement or extraneous materials for the record.
    I will begin with an opening statement and then recognize 
the ranking member. Then we will adjourn after that while we 
vote and then we will come back and take the testimony. Just be 
patient with us, please.
    Securing our Nation's economic and global interests relies 
upon having a resilient Internet infrastructure. A recently 
released study by the Business Roundtable summarized that there 
is a probability of between 10 percent and 20 percent for a 
major Internet breakdown over the next decade. At an estimated 
global cost of approximately $250 billion, an event of this 
magnitude would prove devastating to our domestic industries 
and international trading partners.
    Despite spending millions of dollars, the Department of 
Homeland Security has failed to develop an effective Internet 
recovery plan to rely upon for emergency response and recovery 
efforts.
    Furthermore, their lack of adequate progress in developing 
appropriate models for measuring the levels of risk facing each 
sector has left policymakers unable to determine which sectors 
are most vulnerable to major cyber network disruptions.
    It is my hope that today's witnesses will provide an update 
on DHS' efforts to remedy its deficiencies and provide 
recommendations for strengthening partnerships that will best 
secure our Internet infrastructure.
    That concludes my opening statement and I will recognize 
Mr. Turner of Ohio for his opening statement. Mr. Turner.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.001 through T3198.003
    
    Mr. Turner. Thank you, Chairman Clay. I want to thank you 
for holding today's hearing on Cyber Security: A Review of 
Public and Private Efforts to Secure Our Nation's Internet 
Infrastructure.
    The Internet is a key critical infrastructure asset and has 
an enormous impact on communications as well as the economy. It 
is important that this asset is protected, much like other 
critical infrastructure assets. It seems, however, that due to 
a number of factors, the Internet isn't as secure from 
catastrophic events as it could be.
    I look forward to reading the testimony from today's 
witnesses on how DHS can better prepare our Internet 
infrastructure from potential catastrophic events, such as 
national disasters and terrorist attacks.
    I am interested in how DHS plans to address the concerns 
listed in the 2006 GAO report on DHS' efforts to coordinate an 
Internet infrastructure recovery plan. And I am particularly 
interested in learning about the legal barriers that DHS faces 
in providing assistance to private sector entities which own or 
operate Internet infrastructure in the event of disaster.
    Mr. Chairman, I want to thank you again for your leadership 
and your effectiveness in the oversight of the important 
Federal policy issues of information policy. Thank you.
    Mr. Clay. Thank you, Mr. Turner. And at this time, the 
subcommittee will recess and reconvene at the conclusion of the 
three votes that we will take now on the floor. The committee 
stands in recess.
    [Recess.]
    Mr. Clay. If there are no additional opening statements, 
the subcommittee will now reconvene and we will receive 
testimony from the witnesses before us today.
    I want to start by introducing our first panel, which will 
consist of Mr. Greg Garcia, who is the Assistant Secretary for 
Cyber Security and Communications at the Department of Homeland 
Security. In his position, Mr. Garcia oversees the operations 
and strategic planning activities of the National Cyber 
Security Division, the Office of Emergency Communications and 
the National Communications System. Prior to joining DHS, he 
represented the information technology industry on Capitol 
Hill, and before that served as a staff member of the House 
Science Committee.
    We also have joining us Mr. Greg Wilshusen, who is a 
Director of Information Security Issues at GAO. He is a long 
time expert on the topic of information security and has 
testified before this panel numerous times on cyber security 
issues and Federal information security management practices.
    And to round out the panel, Mr. Dan Ross serves as the 
chief information officer for the State of Missouri. And prior 
to his appointment in 2005, Mr. Ross served under then 
Secretary of State Matt Blunt in the capacity of executive 
deputy secretary of State. He holds a bachelor's degree in 
industrial relations from Lincoln University and a master's 
degree in public administration from the University of 
Missouri.
    Welcome, Mr. Ross. We know you came further than others. 
And also welcome to the other two witnesses. And thank you all 
for appearing before today's subcommittee.
    And it is the policy of the Committee on Oversight and 
Government Reform to swear in all witnesses before they 
testify. And I would like to ask you all to stand and raise 
your right hands.
    [Witnesses sworn.]
    Mr. Clay. Thank you. You may be seated. Let the record 
reflect that the witnesses answered in the affirmative.
    Mr. Hodes, did you have an opening statement that you would 
like to offer?
    Mr. Hodes. No, I will defer.
    Mr. Clay. OK. Thank you so much. I ask that each of the 
witnesses now give a brief summary of their testimony and to 
keep the summary under 5 minutes. Your complete written 
statement will be included in the hearing.
    Mr. Garcia, we will begin with you. Before you do that, I 
know that you come today to explain how seriously DHS and the 
administration takes its cyber security responsibility. I must 
admit that it is a little disappointing that you waited until 
11:30 this morning to deliver your written testimony for 
members of the subcommittee to adequately prepare.
    With that said, you have 5 minutes to summarize your 
statement.

STATEMENTS OF GREGORY T. GARCIA, ASSISTANT SECRETARY FOR CYBER 
 SECURITY AND COMMUNICATIONS, DEPARTMENT OF HOMELAND SECURITY; 
GREGORY C. WILSHUSEN, DIRECTOR OF INFORMATION SECURITY ISSUES, 
 GAO; AND DANIEL S. ROSS, CHIEF INFORMATION OFFICER, STATE OF 
                            MISSOURI

                 STATEMENT OF GREGORY T. GARCIA

    Mr. Garcia. Thank you, Mr. Chairman, and members of the 
subcommittee. I appreciate the opportunity to discuss the 
Department of Homeland Security's efforts to promote the 
resilience of America's Internet infrastructure.
    Let me just say at the outset, Mr. Chairman, that I do 
apologize for the lateness of our testimony. It is more than a 
little disappointing to me, as well. It in no way reflects the 
seriousness with which DHS takes the mission of cyber security. 
And it is very much important for you, the members of the 
committee and the staff to have the benefit of advance reading 
of our testimony so that we can have an informed discussion. 
So, please accept my apology for that.
    We are endeavoring, in our process at DHS and interagency, 
to ensure that we bring testimony up to the Congress in a 
timely fashion.
    Mr. Clay. Thank you for that.
    Mr. Garcia. Sir, it is fitting that you are holding this 
hearing during National Cyber Security Awareness Month. It 
helps to raise public consciousness about the importance of 
Internet security to our economy and to our way of life.
    Over 200 million Americans use the Internet at home and in 
the workplace. The Internet facilitates communications, and 
supports Government and business operations. Although the 
Internet has yielded tremendous efficiencies, organizations and 
individuals remain vulnerable to disruptions in service and 
loss of sensitive data.
    Both the private sector and Government play a role in 
securing our Internet infrastructure. The private sector 
builds, owns and operates most of the cyber infrastructure and 
ensures the availability and functionality of the Internet. The 
Federal Government has the responsibility for ensuring the 
continued operation of essential Government functions, securing 
their timely restoration if they fail, and minimizing the 
impact to the Nation.
    As such, it is incumbent upon the Federal Government to 
help protect against Internet disruptions and to ensure a 
coordinated response to incidents. I would like today to 
highlight a few of our efforts in these areas.
    First, we are strengthening our ability to prevent Internet 
disruptions. Under the National Infrastructure Protection Plan 
[NIPP], the availability of the Internet and its associated 
services is identified as a shared key resource of the 
information technology and communications sectors. As the 
sector's specific agency for both, we work with the sectors to 
develop their Sector-Specific Plans [SSP], which were released 
in May of this year.
    The IT SSP defines six critical functions that support the 
sector's ability to produce and provide resilient products and 
services. Of these, two critical sector functions relate 
directly to the Internet.
    Similarly, the communications Sector Specific Plan 
identifies critical architectural elements of the Internet. 
Through implementation of their SSPs, the IT and communications 
sectors are continuing to work together to assess the risk to 
the Internet.
    Although the availability of the Internet is primarily the 
responsibility of the IT and communications sectors, all 
sectors rely on the Internet. And DHS, together with the 
Partnership for Critical Infrastructure Security [PCIS], 
established the Cross Sector Cyber Security Working Group 
[CSCSWG], comprised now of more than 90 Government and private 
sector experts from across the critical infrastructure sectors.
    This group provides a forum to assess, among other things, 
how critical sector operations could be impacted by disruptions 
and to develop appropriate mitigation strategies.
    Improving situational awareness is a critical component of 
preparedness. The U.S. Computer Emergency Readiness Team [U.S. 
CERT], within my organization, coordinates with the private 
sector and Government entities to increase situational 
awareness of network conditions.
    We developed a program called Einstein that provides 
Federal agencies with early cyber incident detection so that 
they can respond more rapidly to mitigate threats. It has 
slashed the time it takes us to gather and share critical data 
on IT security risks from days, as it used to be, to hours.
    The U.S. CERT also engages with private sector Information 
Sharing And Analysis Centers [ISACs], to share information on 
cyber threats, vulnerabilities and incidents. This includes 
collaboration with the IT-ISAC and the Multi-State ISAC to 
raise the level of cyber security readiness in each State.
    Our ability to protect against and prepare for Internet 
disruptions is further enhanced through exercises. We are 
currently planning for the Cyber Storm II Exercise in March 
2008, which will include a focus on Internet disruption and 
recovery and involve Federal, State, local, international and 
private sector entities.
    Second, we are enhancing public and private collaboration 
to ensure effective response capabilities. The National 
Response Framework [NRF], which was recently released for 
public comment, articulates how our Nation will respond to all 
hazard disasters. My office has responsibility for Emergency 
Support Function No. II [ESF-2], the Communications Annex and 
the Cyber Incident Annex. We undertook an in-depth review of 
these components, and incorporated updates to them.
    In support of the NRF, the National Cyber Response 
Coordination Group [NCRCG], serves as the primary Federal 
interagency mechanism for coordinating Cyber Incidents. 
Recently, the NCRCG addressed the denial of service attack 
against the government of Estonia. The NCRCG co-chairs convened 
to discuss the situation and determined that an operational 
response was indeed needed. And we coordinated that through the 
National Coordination Center and U.S. CERT.
    To sum, my office is now implementing a plan to co-locate 
the U.S. CERT and the NCC, the IT and Communications to further 
facilitate collaboration among IT and communications experts. 
We are working side-by-side with them to make it easier to 
obtain situational awareness, to identify threats and 
coordinate response activities.
    To conclude, both Government and the private sector are 
taking proactive measures to address Internet resilience, and 
to prepare for and respond to Internet disruptions. Government 
and business leaders must continue to ensure that sectors, 
organizations and individuals all understand their dependence 
on the Internet, the impact that a disruption could have and 
actions that can be taken to mitigate the consequences.
    Sir, thank you for your time today. I appreciate the 
opportunity to discuss this issue and will be happy to answer 
questions.
    [The prepared statement of Mr. Garcia follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.004 through T3198.013
    
    Mr. Clay. Thank you very much, Mr. Garcia. Mr. Wilshusen, 
you are next.

               STATEMENT OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Chairman Clay and members of the 
subcommittee, thank you for the opportunity to testify at 
today's hearing on public and private sector efforts to secure 
our Nation's Internet infrastructure.
    Since the early 1990's, the world community has come to 
rely on the Internet as a critical resource supporting 
commerce, education and communication. While the benefits of 
this technology have been enormous, this widespread 
interconnectivity poses significant risks to our Government's and 
Nation's computer systems and, more importantly, to the 
critical operations and infrastructures they support.
    Today, I will discuss threats and vulnerabilities of the 
Internet, DHS' efforts in facilitating recovery from Internet 
disruptions and key challenges to such efforts.
    Mr. Chairman, the Internet is vulnerable to disruptions in 
service due to threats of terrorists and other malicious 
attacks, natural disasters and technological problems or a 
combination of these things. Disruptions to Internet service 
can be caused by cyber and physical incidents, both intentional 
and unintentional. For example, over the last few years, 
fast-spreading worms and viruses, coordinated denial of service 
against key root servers, 9/11 and Hurricane Katrina have 
caused local or regional disruptions or slowdowns.
    Research organizations have pegged the annual worldwide 
costs of malicious code attacks as averaging about $14 billion 
for the 6 years ending in 2005, highlighting the importance of 
recovery planning. However, these incidents have also shown the 
Internet as a whole to be flexible and resilient. Even in severe 
circumstances, the Internet has not yet suffered a catastrophic 
failure.
    Nevertheless, it is possible that a complex attack or 
series of attacks could cause the Internet to fail or to 
undermine users' trust in the Internet, thereby reducing the 
Internet's utility.
    In a June 2006 report, we noted that DHS had begun a 
variety of initiatives to improve the Nation's ability to 
recover from Internet disruptions, including developing an 
integrated public/private plan for Internet recovery, 
establishing working groups to facilitate coordination, and 
conducting exercises in which Government and private industry 
practice responding to cyber events.
    However, these efforts were not complete, comprehensive or 
effectively coordinated. In that report, we also noted key 
challenges that impeded progress. First, it was unclear what 
Government entity was in charge, what the Government's role 
should be, and when it should get involved. For example, DHS' 
National Cyber Security Division and National Communications 
System had overlapping responsibilities. There is also a lack 
of consensus about the role DHS should play. The Government was 
pursuing the big plan approach with the NIPP and the National 
Response Plan while the private sector wanted more of a 
short-term tactical role from the Government.
    Furthermore, triggers to clarify when the Federal 
Government should be involved were unclear. Another key 
challenge is working in a legal framework that doesn't 
specifically address the Government's roles and 
responsibilities in the event of an Internet disruption. The 
Katrina recovery efforts also showed that the Stafford Act can 
create a roadblock when for-profit companies that own and 
operate critical infrastructures need Federal assistance during 
national emergencies.
    In addition, the private sector was reluctant to share 
information with DHS because it did not always see value in 
sharing information, did not necessarily trust the Government 
and viewed DHS as an organization lacking effective leadership.
    Until these challenges are addressed, DHS will have 
difficulty in achieving results in its role as a focal point in 
this area.
    In our June 2006 report, we suggested that Congress 
consider clarifying the legal framework that guides roles and 
responsibilities for Internet recovery. We also made 
recommendations to improve DHS' ability to facilitate public/
private efforts and planning for Internet disruptions. The 
Department agreed with our recommendations and since then has 
made progress in addressing many of them.
    Still work remains to be done to ensure that our Nation is 
prepared to effectively respond to a disruption of the Internet 
infrastructure.
    Mr. Chairman, this concludes my statement. I would be happy 
to answer any questions you or members of the subcommittee may 
have.
    [The prepared statement of Mr. Wilshusen follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.014 through T3198.034
    
    Mr. Clay. Thank you very much. Mr. Ross, you may proceed 
for 5 minutes.

                  STATEMENT OF DANIEL S. ROSS

    Mr. Ross. Thank you, Chairman Clay and distinguished 
members of the subcommittee. I thank you for inviting me here 
today to appear before you in both my role as Missouri State 
chief information officer, and also as a member of NASCIO, the 
National Association of State Chief Information Officers. 
NASCIO is a not-for-profit, non-partisan research and advocacy 
organization, of which I and most State CIOs are members.
    I will briefly offer my perspective on efforts to secure my 
State and our Nation's Internet infrastructure. A lapse or 
shutdown of Internet availability would disable much of State 
government, rendering it unable to communicate, to deliver 
services and collect revenue for an extended period.
    Regional conditions in Missouri illustrate some of the 
challenges natural disasters may pose. A large portion of 
eastern Missouri, including the city of St. Louis, lies in 
close proximity to the New Madrid earthquake fault. Missouri 
experienced over 200 tornadoes last year. In addition, we 
experienced ice storms, thunderstorms and flooding which 
damaged communications infrastructure.
    In addition, the sheer pervasiveness and relentlessness of 
cyber-attacks is staggering. In the past fiscal year alone, 
Missouri's network and data center experienced nearly 5.6 
million cyber-attacks. That's 29,000 per day, about 1,200 an 
hour. And in the few minutes that I am speaking with you today, 
we will experience about 100.
    The evolving nature and sophistication of cyber-attacks is 
worrisome as well. State information technology infrastructure 
is now specifically targeted by criminal elements connected to 
organized crime. In addition, they are also increasingly 
international in origin, which makes apprehension and criminal 
prosecution highly unlikely.
    What are we doing? In response to this, State CIOs are 
forging partnerships with State, Homeland Security, emergency 
management and public safety officials to plan for the 
potential of major disruptions and security breach events. We 
are also trying to secure the funding necessary to maintain our 
intrusion detection, spam filter and other technologies that 
were purchased previously with Homeland Security one-time grant 
funds.
    A current concern State CIOs face is acquiring funding to 
build security and resilience into all new IT projects and to 
hire and retain knowledgeable, trained IT staff.
    Some recommendations to fortify Internet communications 
infrastructure. First, there must be increased 
intergovernmental and private sector coordination. Business 
partners, stakeholders and all levels of government must 
coordinate actions, share best security practices, and plan for 
the potential of a major disruptive event.
    Second, continued State involvement in the National 
Infrastructure Protection Plan and Cyber Security Information 
Technology Sector Specific Plan within it is essential.
    Third, we must identify cyber vulnerabilities and fund 
their mitigation. Cyber security is not a tangible asset, and 
Federal programmatic funding rarely includes specific 
provisions for IT spending to protect Federal programs 
delivered by States. The creation of a funding pool for cyber 
security grants to specifically assist States in achieving a 
proper cyber security posture would be beneficial in raising 
the overall security level of critical IT infrastructure in the 
State government sector.
    Fourth, we must include and address Internet dependent 
critical State functions and continuity of operations and 
recovery plans.
    And finally, we have to partake of information sharing 
initiatives between NASCIO, the Multi-State Information 
Sharing and Analysis Center and Federal agencies.
    In conclusion, Mr. Chairman, technology alone will not 
solve the security challenges that States face while trying to 
protect key information technology systems and information. 
Given the wide variety of cyber-attacks and security 
vulnerabilities today, it may be only a matter of time before a 
State's information systems and assets are compromised. 
Therefore, it is imperative that an investment in human and 
technology resources be an ongoing, proactive process, and not 
a reactionary response to a security event. The well publicized 
hard costs of security breaches as well as the soft costs of 
losing citizen confidence drive the need for providing 
sufficient resources for securing Government's information and 
infrastructure assets.
    As CIO for Missouri and as a representative for NASCIO, I 
appreciate the work of this subcommittee in addressing this 
national challenge. The National Association of State Chief 
Information Officers stands ready to contribute to this 
subcommittee in a meaningful way as needed.
    Thank you for your time.
    [The prepared statement of Mr. Ross follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.035 through T3198.041
    
    Mr. Clay. Thank you so much for your testimony, Mr. Ross.
    We will start the first round of questions and the 
gentleman from New Hampshire is recognized for 5 minutes. Mr. 
Hodes.
    Mr. Hodes. Thank you, Mr. Chairman. And thank you for 
holding this very, very important hearing. Given the 
Information Age that we are living in, there probably is 
nothing that is more important these days in some way to the 
security of this Nation than the issues that we are discussing 
today. As the use of the Internet and cyberspace blossoms, it 
is becoming ever more important to us.
    Mr. Garcia, I noted with appreciation your sense of regret 
that your testimony wasn't supplied earlier to us, and I take 
it that you will be able to take steps in the future so that when 
you come back before us, we will have enough time to review 
your testimony.
    Mr. Garcia. Absolutely, sir. We do strive to give you the 
best quality product we can, as well, which may account for 
some of the delay and the review process.
    Mr. Hodes. I appreciate that. Prior to your appointment, 
Mr. Garcia, the previous Director of the NCSD, Andy Purdy, was 
hobbled because there were conflict of interest questions due 
to his continued employment with his original employer, 
Carnegie Mellon University, which was involved with several 
DHS, cyber-related projects at the time. My understanding is 
that he was actually drawing a salary while working also for 
the NCSD, which created real problems, as you can imagine.
    And it is my understanding that currently, a significant 
amount of the work that is being undertaken by NCSD is being 
carried out by other contractors. Private contractors, 
including Booz-Allen. As a member of the Oversight and 
Government Reform Committee, we have been exercising oversight 
in a number of areas where the Government is making significant 
use of private contractors, most notably in the news in 
connection with the war in Iraq and the flap that has developed 
around Blackwater.
    And I understand the role of contractors in assisting 
agencies with program administration, but I also understand 
that contractors aren't supposed to play any role in inherently 
governmental or policy-focused activities. We recognized that 
as a potential conflict with Mr. Purdy, and we remain concerned 
that there may continue to be conflicts at the NCSD. And I note 
in your testimony, at pages--especially at 4 and 6, where you 
talk about the collaboration that exists in the public/private 
partnership that is ongoing.
    So, there are relationships here, which while important are 
fraught with potential problems. Can you tell us how many full-
time governmental employees there are within NCSD, NCS, and the 
other DHS units under your authority?
    Mr. Garcia. Sir, I don't have the exact number. We have 
approximately 100 individuals in NCSD and NCS, and about that 
number in contractors. So we do rely on contractors. It gives 
us the resilience we need to respond to urgent initiatives. It 
enables us to surge and to pull back our resources as 
necessary.
    Mr. Hodes. And when you say 100 contractors, do you mean 
100 employees who are the employees of contractors, or 100 
separate different companies?
    Mr. Garcia. I can give you that exact number--I can get 
back with you on that specifically.
    Mr. Hodes. I would appreciate having the documents that 
reflect that. And Mr. Chairman, if I may, request that the 
record stay open long enough to have that information 
submitted.
    Mr. Clay. Without objection, the gentleman will do 
everything to get us those records.
    Mr. Garcia. Absolutely.
    Mr. Hodes. Off the top of your head, who are the largest 
contracting entities who are supplying these contractors to 
those agencies of which you spoke?
    Mr. Garcia. The most number of contractors from any one 
organization, I cannot be certain on that answer, likely to be 
Booz-Allen.
    Mr. Hodes. And what is your sense of the size of Booz-
Allen's commitment in terms of a percentage of that number of 
approximately 100 who are working?
    Mr. Garcia. I can get that for you, as well.
    Mr. Hodes. You don't have any sense today?
    Mr. Garcia. Not an accurate sense for you. No, sir.
    Mr. Hodes. And what are the roles and responsibilities of 
those contractors at your agency, versus the responsibilities 
of the Government employees?
    Mr. Garcia. None of the contractors are in managerial 
positions. So, they serve in a support role for all of our 
activities.
    Mr. Hodes. And who is supervising them? And who is 
responsible for their day-to-day activities? Is it the 
employees at your agency, or is it the providing companies?
    Mr. Garcia. The Government employees under my organization 
are responsible for supervising the activities that the 
contractors support.
    Mr. Hodes. May I continue with one further question, Mr. 
Chairman? I see my time is up.
    Mr. Clay. The gentleman is recognized for 2 additional 
minutes.
    Mr. Hodes. Thank you. Now, Mr. Garcia, I take it you would 
agree that conflict of interest policies are critical to 
ensuring the integrity of the work done for the Government?
    Mr. Garcia. Yes, sir.
    Mr. Hodes. And are there written conflict of interest 
policies in place at the agencies you supervise to ensure that 
those coming to work for your division remain free from 
decisions that may potentially impact former employers or 
clients? And I am talking about both full-time employees as 
well as consultants working under your direction.
    Mr. Garcia. Yes, sir. I believe there are. And I can get 
back with you on that and supply that to you.
    Mr. Hodes. Similarly, Mr. Chairman, I would ask that the 
record be held open to accept that submission.
    Mr. Clay. Without objection, and we would appreciate it if 
we could have it in 5 legislative days.
    Mr. Hodes. Thank you, Mr. Chairman. And just one final 
quick question. As a former lobbyist for the Information 
Technology Association of America, how have you yourself made 
sure that you are remaining free from any conflicts concerning 
issues of importance to your former employer?
    Mr. Garcia. My mission, Congressman, is in total support 
for the Department of Homeland Security and to the Nation that 
we protect. My former employer was a trade association, and my 
former employer was also the U.S. Congress. So, my mission is 
quite clear and that is to promote the security and resiliency 
and the availability of the Nation's communications and 
information infrastructure.
    Mr. Hodes. I understand that is what your mission is, and 
what have you done with your former employer to make sure that 
you yourself have taken the proper steps to ensure there is no 
conflict of interest?
    Mr. Garcia. We work with them. I have no conflict of 
interest with my former employer. We work with them as we do 
with any other major trade association in information 
technology as a major partner of the Department of Homeland 
Security. We cannot do our work without partnership from 
industry, from IT, from communications, from financial 
services. But they are but one of many, many stakeholders and 
players in this process. And I am focused squarely on our 
mission.
    Mr. Hodes. Thank you. Thank you, Mr. Chairman.
    Mr. Clay. Thank you, Mr. Hodes. Mr. Yarmuth of Kentucky, 5 
minutes.
    Mr. Yarmuth. Thank you, Mr. Chairman. When I listened to 
the testimony, it kind of reminds me of the now infamous words 
of Secretary Rumsfeld when he said, ``There are things we know 
we know, and things we know we don't know, and things we don't 
know that we don't know.''
    It sounds to me like there are a lot of things about the 
threats facing the Internet that we know, and threats that we 
don't know that we know, and we don't know that we don't know. 
And anyone can attack this problem. Is our biggest problem in 
this area threats that we don't even know exist, or are we 
still at the point where we don't know how to combat the threats we 
know about?
    Mr. Garcia. I think it is a matter of both, Congressman. We 
over the past couple of years, I believe, have made tremendous 
progress in terms of understanding the threats facing the 
Internet infrastructure. Our visibility into the Internet 
infrastructure is increasing.
    For example, my U.S. CERT collects incident reports from 
private sector and Government entities. Last year, we received 
37,000 reports. The year before that, 24,000 reports. Is that 
because the incidents are increasing or is it because the 
reporting is increasing? It is probably a little bit of both.
    But the threat is still there. So much is happening under 
the radar. There are so many attacks and probes happening 
across our networks that we are not seeing. And so, a big part 
of my mission is to work with the owners and operators of those 
infrastructures, whether it is IT or communications or 
financial services, transportation, electricity, to build 
awareness. And to build investment in the systems and the 
process that will raise the level of visibility into what is 
happening in our networks so that we can take the steps to 
mitigate them.
    Mr. Yarmuth. Is that ultimately the measure of whether you 
are successful or not? Whether the incidents that you know 
about are reported to you are declining? Or is there some other 
metric that you can come up with to allow you and us to know 
whether we are actually making progress?
    Mr. Garcia. Yes, sir. We have many metrics, and none of 
them taken by themselves is going to be sufficient. Increasing 
the number of incident reports. That is a measure of success. 
That means people are paying attention and they are reporting 
it. They are sharing sensitive information.
    The amount of investment is also a measure of success, the 
investment in cyber security and information technology is 
increasing. We are looking at the number of students going into 
information security as a curriculum pursuit in universities.
    So, there are many measures, but we still are not going to 
be able to measure all the attacks that are happening without 
our seeing them. The threat is constantly evolving. The 
adversaries are very sophisticated. And we have to evolve with 
them.
    It is an ongoing technological chess match, if you will, 
except that there is no check mate. So, this is going to be 
ongoing. And we can take one measure at a time, and measure our 
success and hope that we don't take any steps back.
    Mr. Yarmuth. I am curious also, and this may not even be 
related to--well, it relates to a certain extent, to the 
ultimate goal of the hearing. But the issue of motivation. Is 
there any way to gauge whether these--what percentage of the 
attacks are motivated by people who just want to see if they 
can figure it out? Kind of intellectual curiosity or whether 
they actually have evil motives, if you will. Evil intent.
    Mr. Garcia. I will let Mr. Wilshusen elaborate, but I think 
what we--and indeed Mr. Ross, since he is also on the front 
lines--but we do see a variety of motives. It used to be that 
hacking, as it were, was very much a joy ride exercise. 
Teenagers seeing what they can get away with. Motivations 
related to ``hacktivists''--those relating to political motives, 
as perhaps what we saw in Estonia.
    But the adversaries are becoming more sophisticated and 
more focused on very specific targets. And that includes the 
desire for information, whether it is from companies or from 
governments. It includes the pursuit of money through cyber 
crime, through financial services networks or through identity 
theft.
    So, they are becoming very sophisticated and very targeted 
with multiple intents.
    Mr. Yarmuth. Mr. Wilshusen.
    Mr. Wilshusen. Yes. And I would just like to add, too--I 
agree with everything that Mr. Garcia just mentioned regarding 
the threats--is that there are criminal activities and criminal 
elements out there that do have a financial motivation.
    In addition, there are also foreign nation-states that also 
have an interest in obtaining intelligence information about 
their potential adversaries, including, of course, the United 
States.
    I would also like to point out, too, that the threat is 
evolving and indeed the vulnerabilities are also increasing. 
Just to give you a statistic, the National Vulnerability 
Database has identified over 26,000 software flaws or 
misconfigurations that could be exploited to provide an avenue for 
someone to gain unauthorized access. That total, according to 
the National Vulnerability Database, is increasing by 16 every 
day. The vulnerabilities are legion. The threats are adaptive, 
and they are constantly evolving, and it is quite a challenge 
to be able to protect computer systems against that.
    Mr. Clay. Thank you.
    Mr. Yarmuth. Thank you, Mr. Chairman.
    Mr. Clay. Thank you, Mr. Yarmuth. Mr. Wilshusen, since the 
original GAO Report on Internet Infrastructure and Recovery 
Plans came out last year, can you identify the areas in which 
DHS has demonstrated significant progress? How about the areas 
in which progress is lagging or that have been just totally 
ignored?
    Mr. Wilshusen. Yes, sir. Well, as Mr. Garcia mentioned in 
his opening remarks, some of the areas for progress included 
that DHS released its Sector Specific Plans for the IT and 
Communications Sectors. It also developed and revised its 
National Response Plan or framework to assure and make sure 
that it addresses cyber incidents that require Federal 
response.
    In addition, DHS has also led these private/public 
exercises, Cyber Tempest, Cyber Storm, that examine response 
and coordination mechanisms to simulated cyber events. These 
exercises add value. And the after action reports provide 
useful information on lessons learned during those exercises. 
Of course, the next step though is taking those lessons learned 
and actually implementing them into the plans.
    Now, some areas where DHS is lagging, if you will, is that 
it has not yet developed a private/public plan for Internet 
recovery. Nor has it set a date when that plan would be 
completed.
    In addition, DHS also disbanded the Internet Disruption 
Working Group, and it is not clear exactly how well that 
group's functions and responsibilities will be addressed by 
other groups that DHS is working with.
    And one other thing. As Mr. Garcia mentioned, there are a 
number of working groups addressing this area of Internet 
recovery. However, the interrelationship among these groups is 
not certain.
    Mr. Clay. Have there been appropriate triggers established 
to determine what type of Internet disruption would merit a 
Government response?
    Mr. Wilshusen. Well, there have been efforts, I believe. A 
couple of the working groups have looked at those triggers, but 
as of now, the specific triggers have not yet been fully 
developed or implemented.
    I might also want to point out, too, that one of the key 
aspects in order to make these triggers work is to make sure 
there is an effective analysis and warning capability. And DHS 
does have, for example, U.S. CERT, and as Mr. Garcia mentioned 
earlier, the use of the Einstein network monitoring tool, which 
can help provide information supporting those triggers. But 
Einstein has not yet been implemented across the Government.
    Mr. Clay. Thank you for that. As part of GAO's review of 
DHS' Internet recovery responsibilities, it cited a lack of DHS 
leadership and stability throughout its management ranks. Has 
this improved since the report was released last year?
    Mr. Wilshusen. Well, one area where it has improved is 
indeed the appointment of Mr. Garcia as the Assistant Secretary 
for Office of Cyber Security and Communications, and the 
Assistant Secretary has spelled out some key priorities for the 
Department, including preparing and deterring attacks, 
responding to cyber-attacks of potentially national importance 
or significance, and also building awareness among the various 
different stakeholders in cyber security.
    However, DHS continues to be hampered by its inability to 
retain key officials in the cyber security area. For example, 
the Director of the National Cyber Security Division has 
recently left, as have other key officials related to cyber 
security control systems and officials responsible for cyber-
related exercises.
    Mr. Clay. Thank you so much for that. Mr. Ross, as the CIO 
from Missouri, has your office sought to prioritize the State 
networks and critical infrastructures that are most critical in 
an emergency incident? And if so, how was it done?
    Mr. Ross. Yes, sir. We are always looking to find that 
single point of failure, which if taken out, will take the 
whole system down. You know, we have identified the essential 
functions Government has to do, which is communicate, pay 
people, pay bills, buy things, provide medical services, direct 
people in emergencies and so, in working with the Department of 
Homeland Security, the State Department of Homeland Security, 
the State emergency management folks, we are putting together a 
plan to do that.
    Now, in my own shop and the IT folks, we have identified 
vulnerabilities in the State network and we are working to 
patch those. We have recently signed a contract with AT&T to 
manage the State-wide network to give us that resiliency and 
that disaster recovery ability because of their large network 
and their redundancy.
    So, that in combination with State assets--which do include 
1,700 miles of fibers that the Highway Department owns, that we 
leverage for them--all come together to give us a resilient 
backbone to keep running in times of emergency.
    We are not there yet because we have just signed the 
agreement with AT&T and are moving into that relationship with 
them. But I look forward to that. That will provide not only 
the tremendous wide highway to operate on, but also the back-up 
and disaster recovery we have been after.
    Mr. Clay. Thank you. What are the greatest strengths and 
weaknesses of the Multi-State ISAC? Are its activities related 
to information sharing and threat analysis of cyber incidents 
providing you with adequate information for decisionmaking?
    Mr. Ross. Mr. Chairman, Missouri is one of the two founding 
States in that organization. We are extremely active in that. 
One of my security officers is co-chair of the Legislative 
Committee and another member of his team is on an Operations 
Committee, I believe.
    So, we are actively engaged with them, in contact with them 
nearly every day. Phone calls and then certainly when an event 
or a vulnerability is identified, that network fires up very 
quickly. So, we depend on and use them very heavily.
    Mr. Clay. OK. Thank you for that. Mr. Hodes, did you have a 
second round of questioning? Please proceed for 5 minutes.
    Mr. Hodes. Thank you, Mr. Chairman. Mr. Wilshusen, I am 
looking through the statement you provided, your testimony 
here. And I note on pages 9 and 10, in dealing with the 
questions of the existing laws and regulations and their 
application to Internet recovery, some issues arise.
    You point out, for instance, that the Stafford Act 
authorizes Federal assistance to States, local governments, 
not-for-profits, in the event of a major disaster or emergency, 
but doesn't apply to for-profits.
    Do you see a revision of that as necessary, desirable? 
Something else, is it absolutely required? Would it provide an 
incentive for some kind of conduct on the part of for-profits, 
which has been problematic up until now? Would you comment? 
Thanks.
    Mr. Wilshusen. Yes, I would be glad to. During this review 
that we conducted last year, we did a number of case studies 
over key Internet cyber events. One of them had to do, of 
course, with Hurricane Katrina. And it was during that event 
where key infrastructure owners needed to gain access to the 
resources or to their facilities and have the ability to have 
basic food, water and other necessities in order to more 
quickly restore service operations--their service capabilities.
    However, the Federal Government was not able to help them 
or to provide the short-term tactical support that was needed 
in order for them to actually gain access to their facilities. 
And so, part of that was due to the Stafford Act, because the 
Federal Government cannot provide assistance to these for-
profit organizations.
    Mr. Hodes. So, had the Federal Government been able to 
provide that short term tactical assistance, the response of 
those for-profits in coordinating the effort to recover, would 
have been much quicker?
    Mr. Wilshusen. And would have been enhanced. Yes, sir.
    Mr. Hodes. Turning to the Communications Act of 1934, there 
is an implicit suggestion in your written statement that it needs 
to be revised to address the new threats, the new concerns, 
that the cyber infrastructure has created since 1934 and 
whatever amendments there have been. Am I correct that you see 
that as something that Congress needs to look at?
    Mr. Wilshusen. Yes, because we see that as a Communications 
Act that does not address specifically the Internet and 
certainly not the roles and responsibilities for Internet 
recovery from disruptions or major disruptions.
    Mr. Hodes. Thank you. Mr. Garcia, it was recently reported 
that one vendor, a major DHS IT vendor, Unisys, had been 
concealing a number of significant cyber security incidents and 
attacks on Department systems, including many that apparently 
exposed the entire DHS enterprise to significant cyber-threats. 
Could you explain your role in responding to the incidents as 
they were reported to DHS leadership?
    Mr. Garcia. Sir, that particular issue, we have a 
separation of responsibilities. The Office of Cyber Security 
and Communications is responsible for a national outreach on 
cyber security policy and implementation, whereas the 
protection of the DHS network itself, that responsibility 
resides within the Office of the Chief Information Officer 
[CIO]. So, neither I nor my office was directly involved in 
that particular issue.
    Mr. Hodes. So, it is not your job?
    Mr. Garcia. That is correct.
    Mr. Hodes. Did you coordinate at all with the Chief 
Information Officer on what happened?
    Mr. Garcia. Yes. So our role within the U.S. CERT is in 
fact, to treat the DHS networks as we do all of our Federal 
agency customers, if you will, particularly through our 
outreach and information sharing in the Einstein program, we 
work to try to help agencies see what is happening on their 
networks and to exchange information with them and ultimately 
to correlate activities to find trends that are happening 
across the Federal network. And that goes with the CIO's office 
as well.
    So, we are in close contact with the Office of the CIO as 
incidents happen, in the DHS networks or any other Federal 
agency network.
    Mr. Hodes. So, I am assuming that because it is an agency 
with which you are involved and that you must be in touch with 
the CIO about these kinds of incidents, what happened to 
Unisys? What was done? Were they sanctioned? And what steps 
were taken by the CIO to prevent these kinds of incidents from 
happening in the future?
    Mr. Garcia. I certainly would defer to the CIO to answer 
those questions for you, as I was not directly involved in 
that.
    Mr. Hodes. May I just followup for one quick moment?
    Mr. Clay. Please. Go ahead.
    Mr. Hodes. Did you have any conversations with the CIO 
about what was going on with this breach by Unisys and how it 
was being handled and what effect it would have on the agencies 
that you do deal with?
    Mr. Garcia. Our U.S. CERT facility was in contact with his 
office, and I can get back with you as to exactly what the 
interaction was. I personally was not involved. That also deals 
with a contracting matter with the CIO's contract with Unisys.
    Mr. Hodes. So, to the extent there are any documents within 
your purview, control, constructive control, or custody, I 
would like you to provide to this body any and all documents 
reflecting any interaction, discussion or contact you or your 
agency, or anybody in it had with the CIO about the response to 
Unisys over this breach. Will you provide that to us?
    Mr. Garcia. Certainly.
    Mr. Hodes. Mr. Chairman, I request that the record stay 
open so that those documents may be provided.
    Mr. Clay. Without objection, for 5 legislative days.
    Mr. Hodes. Thank you, sir. Thank you, Mr. Garcia.
    Mr. Clay. Mr. Yarmuth.
    Mr. Yarmuth. Just one followup question. And this is mostly 
for my own understanding. I would like to try again to clarify 
the difference between for-profit and the not-for-profit world. 
And also, the difference between the infrastructure world and 
the software world, because presumably most of the software out 
there is produced by for-profit companies and you have a 
security aspect of the software and a security aspect of the 
infrastructure. I am just curious as to where you draw the line 
as to where the Government's interest and responsibility begins 
and where it ends.
    Mr. Garcia. If I understand your question, the way we look 
at it is that 85 percent to 90 percent of the critical 
infrastructure is owned by the private sector. So, they are 
managing the networks and the private sector is developing the 
hardware that runs on and runs those networks. It is our job to 
coordinate with those who are owning and operating and those 
who are using those systems to ensure that we have a proactive 
way of dealing with attacks and vulnerabilities as we find 
them.
    Mr. Yarmuth. What I am trying to understand is the difference 
between the relevance of for-profit and not-for-profit where 
the Stafford Act issues arise.
    Mr. Garcia. I am not exactly sure of the answer to that 
question, sir.
    Mr. Yarmuth. OK. Well, I am not sure that I know enough to 
ask any more. Thank you.
    Mr. Clay. OK. The gentleman yields back. Mr. Garcia, Mr. 
Wilshusen pointed out that one of the issues that your 
Department has is retaining key officials in cyber security. 
What do you think is the solution to the revolving door there? 
What are the main issues and why do you lose so many key 
people?
    Mr. Garcia. Thank you, sir. I honestly would not 
characterize it as a revolving door. In fact, some of our more 
recent departures were strictly for personal reasons. Two major 
staff wanted to relocate closer to family across country and 
south of here. And to be honest, the DHS environment and our 
mission is a very high intensity one, and very fast paced and 
long hours. And given that, we make every effort to first 
recruit the best talent we can and then to retain them, and to 
reward them, and to make their experiences and their challenges 
meaningful.
    So, we are acutely aware of the need to have the best 
talent we can and we are actively filling those posts that have 
been vacated.
    Mr. Clay. Are many leaving for private corporate cyber 
security positions?
    Mr. Garcia. I am not sure exactly where they went. Probably 
to the private sector, but more toward a different way of life, 
closer to family.
    Mr. Clay. I see. Let me go another direction. According to 
GAO's 2006 Report on Internet Infrastructure, one of the 
significant obstacles facing DHS is the conflicting or 
overlapping roles of the National Cyber Security Division and 
the National Communications System, which seems to have 
undefined and conflicting roles in response to a major Internet 
disruption or cyber-attack. As the person in charge of both the 
NCSD and NCS, can you explain to us how the roles and 
responsibilities of both units are distinct or different?
    Mr. Garcia. Absolutely. Very good question. The National 
Cyber Security Division is responsible for the security of the 
information infrastructure. The National Communications System 
is responsible for ensuring that the Government, that the 
Nation, has the ability to communicate in times of national 
emergency.
    So you think of the NCS and communications as the pipe, the 
telecommunications pipe, and the NCSD as dealing with the 
software and the technology that controls the operations of 
those pipes and sends information through those pipes. So, NCSD 
and NCS have very complementary roles. Certainly not 
conflicting. Sometimes overlapping, but overlapping for the 
better.
    My role is to try to bring those--by the way, NCS is a 
40-year-old organization, and NCSD is a 4-year-old organization. 
So they have much different histories, but they work very 
closely together. For example, in the Estonia distributed 
denial-of-service attacks, NCS and NCSD worked very closely.
    Second, I am working to bring together, to co-locate the 
U.S. CERT operations with the NCS operations, which is called 
the NCC, the National Coordinating Center for 
Telecommunications, that is a 24/7 watch operation as well, 
that serves the communications infrastructure involving 
communications companies and Government employees.
    So, we are bringing them together so that the IT and 
Communications can have a more synthesized view of what is 
happening on our information and communications 
infrastructures.
    Mr. Clay. Let me ask you, as voice and data transmission 
networks continue to converge, wouldn't combining NCSD and NCS 
prove to be more efficient for agency operations?
    Mr. Garcia. I think certainly a good number of the 
functions have already converged. That when we look at the 
convergence of communications from the traditional circuit 
switch to packet switch technology, security is going to equal 
availability, and availability is going to equal security. So 
we can't bifurcate those functions.
    There are unique and distinct functions within the National 
Communications System and NCSD that may remain unique, but by 
and large, you are absolutely right, Mr. Chairman, functionally 
NCS and NCSD will over time converge.
    Mr. Clay. Thank you for that response. It is my 
understanding that NCSD recently released a draft of what it 
called the Information Technology Security Central Body of 
Knowledge, competency and functional, A Framework for IT 
Security and Workforce Development. Isn't this the type of work 
usually undertaken by the private standards-setting community, 
such as the ISO standards organization? How is this work unique 
to what has already been developed by the standards community?
    Mr. Garcia. Very good question, and I thank you for that. 
Yes, the Essential Body of Knowledge [EBK], is our attempt to 
bring together actually a number of those security skills, 
training skills standards that have been put out by a number of 
different organizations and really find the common elements 
among all of those. What we can do is provide as a reference 
for academia, for the practitioners, a synthesized set of work 
force skills and training standards to develop curricula or to 
develop training within the enterprise.
    So, in no way is it intended to supplant the other private 
sector-developed security standards. It is instead intended to 
sort of de-conflict among those and provide a much higher level 
reference for those who are trying to distinguish between one 
or the other type of standard that they ought to be using. So 
we are quite enthusiastic about it.
    Mr. Clay. OK. Thank you. Mr. Wilshusen or Mr. Ross, do you 
have anything else to add?
    Mr. Ross. Thank you, Mr. Chairman. I might go back to a 
previous point that Mr. Yarmuth mentioned. And that is the 
evolving nature of threats. We are always having to--what we 
see in Missouri is, we will see low-level threats. Low-level 
probes of our data center and our network. We will see hundreds 
of thousands of these low-level threats and probes but little 
variations on each other, and then at the end of that period, 
we will see a heavy strike on our data center in an attempt to 
bring down servers or communication equipment and the like.
    And to get to your other point, Representative, it is not 
teenagers hacking anymore. It is coming from other countries. 
Our forensic tools can track it down to continents and to 
countries, and it is coming from all over the world. But it is 
very focused. States have extremely valuable information. 
Financial information, health information, driver's license, 
Social Security number-type information and they are after 
that.
    A recent example I heard a presentation about. If you can 
just get hold of a CD copy of all the freshmen coming into the 
University of Missouri, either the law school or the finance 
school or accounting or the like, that is probably worth $2,000 
going in. Then years down the road, when it is actually--when 
they are income-producing people, that information is extremely 
valuable, and that is when they use it. So that type of 
information is what people are after.
    Mr. Clay. Do you ever make any successful apprehensions?
    Mr. Ross. Outside the country? No. Inside the country, we 
do.
    Mr. Clay. OK. Mr. Wilshusen, anything to add?
    Mr. Wilshusen. No.
    Mr. Clay. No? Thank you. I want to thank the entire panel 
for their testimony and answering questions. This panel is 
dismissed. Thank you.
    As soon as this panel is up, we would like the second panel 
to come forward to be sworn in.
    Thank you. On our second panel, we have a distinguished 
group of individuals who are highly qualified to address the 
issues associated with cyber security and Internet architecture 
from a variety of important perspectives.
    Mr. John T. Sabo is the current president of the 
Information Technology Information Sharing and Analysis Center 
[IT-ISAC], as well as the director of Global Government 
Relations for CA, Inc. In addition to IT-ISAC, Mr. Sabo 
represents CA in a number of security and privacy-focused 
industry organizations and is an appointed member of the U.S. 
Department of Homeland Security Data Privacy and Integrity 
Advisory Committee. Welcome.
    Mr. Larry Clinton is the president of the Information 
Security Alliance, which has over 500 corporate members on four 
continents representing virtually every major segment of the 
economy. Mr. Clinton is a member of several boards and advisory 
committees, including the National Partnership for Cyber 
security, the Internet Education Foundation and the Advisory 
Board of the U.S. Congressional Internet Caucus, the IT Sector 
Coordinating Council and the DHS Critical Infrastructure 
Protection Advisory Council.
    Prior to coming to IS Alliance, he was a vice president at 
the U.S. Telecom Association and served as a legislative 
director in the House of Representatives. Welcome back, Mr. 
Clinton.
    Mr. Ken Silva is VeriSign's chief security officer and VP 
for Networking and Information Security. He oversees the 
mission critical infrastructure for all network security and 
production IT services for VeriSign. He also serves on several 
boards and advisory committees, including the Information 
Technology Information Sharing and Analysis Center. He is the 
chairman of the board of the Internet Security Alliance. Thank 
you for being here.
    Ms. Catherine T. Allen is the chairman and CEO of the Santa 
Fe Group, a strategic consulting firm specializing in 
technology and innovation issues facing the critical 
infrastructure. Ms. Allen has long been recognized as a leading 
expert on technology issues facing the financial services 
sector and other critical infrastructure industries. Prior to her 
current position with Santa Fe, she served as the founding CEO 
of BITS, a technology-focused consortium led by the CEOs and 
CIOs of our Nation's top 100 financial institutions. She is a 
graduate of the University of Missouri, where she also received 
an honorary Doctorate of Humane Letters in 2005. 
Congratulations and welcome.
    Ms. Kiersten Todt Coon is a VP of Good Harbor Consulting, 
where she focuses her efforts on developing risk management 
solutions for IT infrastructure and homeland security clients. 
Prior to joining Good Harbor, Ms. Todt Coon worked as a policy 
advisor to several senior Government and private sector 
leaders, including the Governor of California and former VP Al 
Gore. She also served as a professional staff member on the 
U.S. Senate Committee on Governmental Affairs, where she was 
responsible for drafting the Science and Technology 
Infrastructure Protection and Emergency Preparedness 
Directorate section of the Homeland Security Act of 2002. A 
graduate of both Princeton and the Kennedy School of Government at 
Harvard, Ms. Todt Coon currently serves as a term member of the 
Council on Foreign Relations.
    I welcome all of you. It is the policy of the committee to 
swear in all witnesses before you testify. And I would like to 
ask you to stand, please, and raise your right hands.
    [Witnesses sworn.]
    Mr. Clay. Thank you. Let the record reflect that all of the 
witnesses answered in the affirmative. You may be seated. And 
we will start with Mr. Sabo to begin his testimony. And you 
have 5 minutes, and we like summaries.

 STATEMENTS OF JOHN T. SABO, PRESIDENT, INFORMATION TECHNOLOGY 
INFORMATION SHARING AND ANALYSIS CENTER AND DIRECTOR OF GLOBAL 
   GOVERNMENT RELATIONS, CA, INC.; LARRY CLINTON, PRESIDENT, 
   INFORMATION SECURITY ALLIANCE; KEN SILVA, CHIEF SECURITY 
   OFFICER AND VICE PRESIDENT FOR NETWORKING AND INFORMATION 
 SECURITY, VERISIGN; CATHERINE T. ALLEN, CHAIRMAN AND CEO, THE 
 SANTA FE GROUP; AND KIERSTEN TODT COON, VICE PRESIDENT, GOOD 
                       HARBOR CONSULTING

                   STATEMENT OF JOHN T. SABO

    Mr. Sabo. Mr. Chairman and members of the subcommittee, I 
am John Sabo, director of Global Government Relations for CA. 
It is one of the world's largest software companies. More 
importantly for this hearing, I am a board member and president 
of the Information Technology Information Sharing and Analysis 
Center [IT-ISAC]. I am also a member of the separate IT Sector 
Coordinating Council, and I chair the ISAC Council, which is 
composed of 13 ISACs addressing cross-sector information 
sharing issues.
    I want to thank you and the subcommittee for the 
opportunity to share our views on public/private sector 
responsibilities with respect to preventing and addressing 
Internet disruptions.
    The IT-ISAC is a not-for-profit organization. We were 
founded in 2001. We fund an operation center. We monitor and 
address threats, vulnerabilities and attacks on the IT 
infrastructure and we have processes in place allowing us to 
address these issues collectively across the member companies 
when issues rise to a level requiring joint analysis or action.
    The IT Sector Coordinating Council and DHS formally 
recognize the IT-ISAC as the operational information sharing 
mechanism for our sector. The IT-ISAC is financed entirely by 
member companies through our membership dues and represents a 
significant by leading companies in the IT sector who have 
stepped up to the call for industry action.
    The GAO and the Business Roundtable have released reports, 
both of which have been referenced, expressing significant 
concerns about the ability of the Nation to respond and recover 
from a significant Internet failure.
    Despite the fact that the Internet has to date proven 
resilient, these reports reinforce the imperative to plan for 
events that exceed our current understanding of threats. 
History often proves us wrong and surprises us with the 
unthinkable. The IT sector strategy to address these challenges 
is outlined in the IT Sector specific plan and at the heart of 
this plan is the need to protect key IT sector functions. And 
this is a very distinct concept from the physical asset focus 
of many other sectors. We are looking at IT functions.
    The plan identifies in great detail a number of areas that 
need to be strengthened and in the statement we have addressed 
a number of them. I only touch on two here.
    The first includes a number of steps that Government can 
take to enhance the public/private operational capability.
    Leveraging the expertise of the IT-ISAC and other fully 
functional ISACs instead of turning to policy councils for 
operational purposes.
    Stabilizing U.S. CERT and providing it with adequate 
funding in scale with its overall national mission, defining 
and clarifying the relationship among the U.S. CERT and other 
DHS analytical and operational components and programs.
    Programmatically encouraging companies to join ISACs as a 
best practice, something which the Roundtable did in its 
report.
    Supporting the cross-sector operational information sharing 
projects initiated by the ISAC Council, with equal energy and 
level of resources with which DHS supports policy and planning 
initiatives. Providing regular classified briefings to ISAC 
operational experts and not just to sector policy 
representatives.
    And finally, in this area, organizing more effectively in 
response to the growing convergence between traditional IT and 
telecommunications. And we welcome the physical co-location of 
the U.S. CERT and the NCC watch that Assistant Secretary Garcia 
mentioned, and in fact appreciate his invitation for the IT-
ISAC to have representation.
    [The prepared statement of Mr. Sabo follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.042 through T3198.053

    Mr. Clay. I am going to ask each remaining witness to 
summarize, if they can, in less than 5 minutes, their opening 
statements. We are going to try to get in all opening 
statements before we recess again.
    Thank you, Mr. Sabo. Mr. Silva.

                     STATEMENT OF KEN SILVA

    Mr. Silva. Thank you, Mr. Chairman. I want to commend and 
thank you for holding this hearing. It is difficult to 
overstate the importance of amplifying and expanding our 
national focus on cyber security.
    Richard Clarke famously warned of the potential of a 
digital Pearl Harbor in which critical components of the 
Nation's increasingly vital electronic infrastructure would be 
brought down by a coordinated electronic attack.
    Since he expressed his concern, nothing really much has 
changed to make this any less dire. If anything, the threat 
grows greater every day. In fact, it has already happened to 
the country of Estonia earlier this year.
    None of us in Government or the private sector can sit 
still on electronic security. Our defenses must always remain 
two steps ahead of potential holes and exploits. If we fail to 
maintain that focus and let it deteriorate, we will be holding 
a very different sort of hearing in the near future, one in 
which we are all called upon to answer the hard question about 
what happened and what could we have done to have prevented it.
    I have been asked to offer a perspective on the efforts 
VeriSign and the Internet industry are taking to ensure that 
such a calamity never occurs. Make no mistake, it would be a 
major catastrophe for the Internet to experience such a 
significant failure.
    Approximately 25 percent of America's economic value moves 
over network connections each day. And it is not just our 
economy that would suffer. Government agencies at every level 
rely on the Internet. Imagine today's Congress trying to 
operate without e-mail or any other network services.
    What could cause such a failure? There are a couple of 
potential scenarios. The first is that we in the Internet 
community simply fail to expand the Internet infrastructure 
enough to meet the mounting demands placed upon it. The second 
potential for failure is that we fall short in adequate 
protection of our critical resources against a host of 
increasingly sophisticated cyber-attacks being directed against 
it.
    Internet crimes are increasingly conducted by sophisticated 
international crime syndicates that reap huge profits by 
targeting the network and its users. Even more frightening is 
the rise of cyber-attackers backed by governments and other 
deep-pocketed enemies of the United States.
    Today's attacks can cause damage 100 times more extensive 
than the attacks just a year ago. This is why investment in the 
infrastructure is so critical. Simply put, if we wait for usage 
to outpace the development or for sophisticated attacks to 
overwhelm our stagnant defenses, we are already too late.
    We learned the cost of complacency as a country when we 
watched the damage done by Hurricane Katrina. By the time 
Katrina hit the Gulf Coast, it was too late to strengthen its 
levees. We should not have to learn that lesson more than once. 
Critical resources should be reinforced long before there is a 
threat to their well-being.
    The Internet continues to grow at dramatic rates, which 
means the infrastructure must scale to meet that demand. No one 
can take security and stability of these networks for granted; 
not VeriSign, not the ISPs or other private sector players, and 
certainly not the Government.
    As the operator of the dot-com and dot-net domain 
registries, as well as a steward for 2 of the 13 root servers, 
VeriSign understands what is at stake. Over the last 8 years, 
VeriSign has operated its infrastructure with 100 percent in 
up-time. In other words, the systems that ensure the Internet's 
core infrastructure remain functional have never gone down. 
VeriSign's primary computers that handle the dot-com and dot-
net traffic are now capable of handling 10,000 times the number of 
queries that they could handle in 2000.
    And while the dot-com and dot-net systems currently process 
more than 30 billion queries a day, we will need to build a 
network infrastructure that can support 10 to 100 times that 
level of volume in the next few years.
    That is why earlier this year, VeriSign announced a global 
initiative called Project Titan to expand and diversify its 
Internet infrastructure to those levels by 2010. These upgrades 
are vital to managing the surge in Internet interactions and 
protecting against cyber-attacks.
    VeriSign is well on its way to meeting its goals under 
Project Titan and is already considering how to address this 
set of challenges.
    Thank you.
    [The prepared statement of Mr. Silva follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.054 through T3198.059

    Mr. Clay. Thank you.

                   STATEMENT OF LARRY CLINTON

    Mr. Clinton. I want to congratulate you, Mr. Chairman, on 
holding this hearing of the Government Reform Committee, 
because Government reform is clearly what is necessary.
    The June 2, 2006 GAO Report got it exactly right. The 
problem is the inherent characteristics of the Internet. The 
Internet is unlike anything we have ever dealt with before. It 
is international, it is interactive, it is constantly on the 
attack. Consequently, it will require a security system unlike 
anything we have ever designed before.
    We can't simply cut and paste previous government systems 
and put them into Internet security. Even if Congress enacted a 
brilliant statute, it would only go to our national borders. 
Even if a regulator came up with a brilliant solution, it would 
be outdated before you could put it into effect.
    Fortunately, we need other things to attack the Internet. 
The committee has expressed some interest in the instance of 
Katrina, saying that we should model ourselves on that. There 
are major differences between cyber-attack and Katrina. 
Katrina, we could see it coming. Literally. From hundreds of 
miles away. The adequate analogy to Katrina is that the problem 
with Katrina wasn't the event itself. The problem with Katrina 
was that the systems weren't in place to properly handle the 
event.
    Now, fortunately, we actually know a good deal about how to 
mitigate and manage a number of issues dealing with cyber 
security. The largest study ever conducted in this field found 
that the best practices group, people who follow 
industry-recognized best practices, were able to have fewer incidents, 
less downtime, less financial loss.
    What we need to do is find a way to get more people to 
follow the best practices that industry is already following. 
Industry is also not waiting for government to get its act 
together. Industry is aggressively moving forward with new 
products and services because, as it has already been pointed 
out, the problem has morphed.
    We are no longer looking at these well publicized instances 
like Blaster and Love Bug that were designed to get publicity. 
Instead, what we are dealing with now are carefully targeted 
designer malware that can sit on a system for an extended 
period of time, cause tremendous damage and we don't even know 
it is there.
    Fortunately, we are developing new systems to attack this. 
But there is a role for the government. And the role for the 
government was pointed out in that 2006 GAO Report, where they 
pointed out that in the private sector, competitors were 
working together to deal with these incidents when they see 
that there is a direct business relationship benefit to that. 
And the NIPP, the National Infrastructure Protection Plan, also 
pointed out--and this is the one thing that I choose to read 
for you, Mr. Chairman:

        That the public private partnership called for in the NIPP 
        provides for the foundation for effective critical 
        infrastructure protection. The success of the partnership 
        depends on articulating the mutual benefits to government and 
        the private sector partners. While articulating the value to 
        the proposition for the government is typically clear, it is 
        often difficult to articulate the direct benefits to the 
        private sector. In assessing the value proposition for the 
        private sector, there is a clear national security interest and 
        homeland security interest in ensuring that the collective 
        protection of the critical infrastructure goes beyond that of 
        the business unit. Government can engage industry to go beyond 
        efforts already justified by their corporate business needs and 
        assists in a broad-scale critical infrastructure protection by 
        creating an environment that supports incentives for companies 
        to voluntarily adopt widely held best practices.

    And I conclude my presentation by listing for you 10 steps 
that I would suggest that the committee consider for roles that 
the Government can embrace, which are not your traditional 
regulatory role, but are things like leading by example, using 
your market power instead of your regulatory power; supporting 
research and development that is not going to be undertaken by 
industry; using the market incentives that you have 
traditionally used in other areas; address the lack of cyber 
insurance; raise your aim in terms of awareness to focus on 
senior executives rather than individuals; adopt a coherent 
strategy for dealing with the private sector, something 
discussed before; clarify the roles and procedures for crisis 
management; and rethink your approach to information sharing.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Clinton follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.060 through T3198.069

    Mr. Clay. Thank you so much, Mr. Clinton. The committee 
will now recess for the duration of these votes on the floor. 
They tell me it will be about half an hour. I am sorry. The 
committee stands in recess.
    [Recess.]
    Mr. Clay. The committee will come to order. Ms. Allen.

                STATEMENT OF CATHERINE T. ALLEN

    Ms. Allen. Thank you, Chairman Clay and members of the 
subcommittee and committee for the opportunity to submit 
testimony before you today on private and public sector efforts 
to secure our Nation's Internet infrastructure.
    The Santa Fe Group does a lot of work for the industry and 
still for BITS. I am actually going to go directly to the 
recommendations because of the time.
    And what I am suggesting is that the financial services 
industry has done a great deal to strengthen business 
continuity planning and coordination prior to and during times 
of crisis. We have business continuity plans which are 
constantly updated. We refine and test them, and this is a 
regulatory requirement, and part of our risk management 
process.
    Most financial institutions, in fact, all that are deemed 
mission critical are required by our regulators to have 
recovery operations in place and back-up in a very narrow 
timeframe. And this requires telecommunications, it requires 
power and it requires dependency upon IT. If any of those are 
not working, we cannot meet our regulatory requirements.
    I would be the first to tell you that we have a long way to 
go as an industry, but there is much of what we do that we 
believe could be copied or modeled for other critical 
infrastructure industries.
    We have a very successful FS-ISAC, Financial Services ISAC, 
and FSSCC, a coordinating council for critical infrastructure 
protection. We work very closely with our regulators through 
the FBIIC and with the Department of Treasury in coordinating 
on everything from Katrina to the power outage after 9/11.
    Most recently, we ran a pandemic exercise which included a 
component that looked at if the Internet was down and we had 
many people working from home, what would that mean.
    And I would say that the two most important things that we 
have done related to Internet recovery are the work that we did 
on business critical telecommunications services, where we 
developed best practices, not only for the financial sector but 
for the telecom sector, upon which we are extremely dependent, 
to make sure that they had the diversity and redundancy that we 
needed.
    We also finished a business critical access to power. We 
did this with the power industry, again to look at best 
practices for alternative power if there was disruption in any 
of the IT industry.
    Last, we worked in managing third-party service providers. 
Much of the Internet is dependent upon third parties, many of 
whom are located in India and China and other places. So, 
looking at how we manage those. Those are all models for other 
industries.
    The recommendations that I have are, recognize that other 
industries may need to share the same level of responsibility 
and liability that we do as an industry, and to look at some of 
our regulatory requirements might not be a bad idea. Second, we 
maintain rapid and reliable communications, and that means 
diverse communications.
    I personally had a number of our CIOs from the financial 
sector in Detroit when we had the power outage; we were all 
using our Blackberries, which were the only thing that still 
worked, because the cell phones ran out and there was no power. 
But that is how we communicated with our regulators, and we 
were able to make sure that it wasn't a terrorist event, that 
it was in fact a power outage. But we needed to have 
alternative channels.
    Recognize the critical infrastructures that are dependent 
upon software and operating systems. The IT industry is the 
backbone for telecommunications, for power, for the user groups 
like financial services and chemical, and if they are down or 
disrupted, we are down.
    So, it is critically important to focus on the Internet, 
the software and operating systems that access the Internet 
because that is the backbone of both economic and 
communications-wise for us.
    We encourage our regulatory agencies and others to look at 
the software vendors. Similar to what our regulators look at, 
third-party service providers, to make sure that they are 
delivering safe and sound practices and security practices 
within those vendors.
    Encourage collaboration and coordination among critical 
infrastructures and the government agencies to enhance the 
diversity and resiliency of the telecommunications 
infrastructure. The NCC, the NCS, used to be an outstanding 
organization. We did a lot of our early work with them. They 
were gutted. They have no budget to be able to do the kind of 
work that we need for them to do.
    Invest in the power grid because of its critical and 
cascading impact on other industries and other critical 
infrastructures.
    And when I talk about invest, I think there are incentives 
that Congress can put in place to have these other industries 
make sure that they maintain a resiliency.
    Improve the coordination procedures across all critical 
infrastructures and with the Federal, State and local 
governments. I don't believe it is working, and I think there 
is much that we need to do, when we do have a major event.
    And last, encourage law enforcement to prosecute cyber 
criminals. And in particular, on a global basis, because much 
of the problems we have are not criminals in the United States, 
they are criminals in the Ukraine or in Asia or in other 
countries that are attacking our systems here today.
    I thank you, Chairman Clay and Members, for this 
opportunity to testify on ensuring Internet resiliency and 
security in light of the increased cyber-attacks. It is a 
daunting task, but it is critically important to do so.
    Thank you.
    [The prepared statement of Ms. Allen follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.070 through T3198.087

    Mr. Clay. Thank you so much, Ms. Allen, for your testimony. 
Ms. Todt Coon, you may proceed.

                STATEMENT OF KIERSTEN TODT COON

    Ms. Todt Coon. Good afternoon, Chairman Clay, and thank you 
for the opportunity to testify. As was mentioned in the 
introductions, I am currently a vice president at Good Harbor, 
and of particular relevance to this hearing, served on the 
Senate Committee on Homeland Security and Government Affairs, 
and worked on the Directorate part of the DHS legislation on 
Internet Protection and Emergency Preparedness.
    In the interests of time, I will move pretty quickly to my 
recommendations.
    As the National Strategy to Secure Cyberspace correctly 
stated, cyberspace is the nervous system supporting our 
Nation's critical infrastructure. Yet, despite our recognition 
of this, little has been done and there are several reasons for 
this, including authority and ownership issues, both in the 
public and private sectors.
    Our Internet infrastructure is vulnerable for several 
reasons, and I will tackle two of them regarding infrastructure 
and looking at response capabilities. Regarding infrastructure 
in our end systems, there are two classes of end systems. There 
are home users and enterprise. Access to the servers usually by 
these enterprise users is critical in a time of crisis. If the 
end systems are compromised, then key response personnel will 
not be able to access the information they need to respond to 
an event.
    The current challenge with which we are faced is that all 
information, both critical and non-critical, is transmitted 
over our information networks and treated equally. For example, 
if this Nation is confronted with a pandemic like the avian 
flu, our information networks as they currently exist will 
experience disruptions and outages that will paralyze us and 
prevent us from executing an effective emergency response.
    The second area of weakness I will discuss in this brief 
statement is response capabilities. Our response capability is 
critical because obviously we are not able to guard 
successfully against all threats. We don't have a back-up 
system at this time that can be activated in the event of a 
widespread Internet failure. And we have not developed 
scenarios for potential attacks on our Internet infrastructure.
    Experts disagree on the magnitude of risks and what needs 
to be done. And what is important is that we routinely use this 
lack of consensus as an excuse for inaction. Until we reach 
agreement on these issues, we will not be able to prepare for 
imminent attacks.
    So I offer today the following recommendations. The 
Internet was designed for the purpose of openly sharing 
information. The question then with which we are posed is how 
do we impose the secure exchange of information on top of an 
open sharing environment.
    We should create a three-tiered system that allows our 
networks to identify and prioritize in the following order. 
First, critical communications supporting government 
operations, business and first responders. Second, routine 
business information, and third, non-critical information. In a 
time of crisis, we must be able to ensure that critical 
information is being delivered with priority speed and that it 
is not encumbered by non-critical information being sent 
simultaneously.
    We must also develop back-up systems and conduct scenario 
planning. If we experience a life cycle attack, we would need 
to have the ability to reboot the Internet. We should have 
reserve network protocols and we should maintain back-up 
parallel systems that can replace the active systems and bring 
up the critical portion of the Internet in the time of crisis.
    And we should develop a playbook for scenario planning. And 
I assert that this is different than exercise. Scenario 
planning is different than exercises. Scenario planning would 
push us to identify and conceive possible responses to a 
serious attack. We need to think through how appropriate 
players in both the public and private sectors will respond and 
we need to examine our current authority and ownership issues 
within both the government and the private sectors.
    I now submit to you a final recommendation. One of the 
first steps we need to take in preparing ourselves for an 
information infrastructure failure is to set risk standards. 
However, we can't set risk standards if we don't know what the 
risk is.
    I commend this committee on its work with FISMA because I 
think FISMA has done a good job with defining cyber security. I 
also propose a National Cyber Risk Assessment to be conducted 
by a blue ribbon commission of experts who would be responsible 
for defining the risks that exist. The only way we can begin to 
adequately prepare ourselves is to commit to possible 
scenarios. The assessment would inform the scenarios and enable 
us to assign ownership and controls. The Office of Management 
and Budget should provide the resources, the direction and the 
oversight and leadership for this assessment.
    In conclusion, experts and observers postulate that we do 
not have to be worried about hackers taking down the Internet 
because hackers would not intentionally bury their playground. 
But our greatest risk does not come from hackers. It comes, as 
was mentioned before, from foreign governments that can ably 
and quietly use the Internet infrastructure for espionage and 
other nefarious purposes.
    The threat is particularly strong from governments that have 
developed their own internal Internets, such as China, and 
would therefore not be severely affected by a worldwide 
disruption.
    Recent events have demonstrated that these scenarios are 
not possibilities, but realities. Our national security, the 
health and well-being of the community, and the daily 
functioning of our society depend on the security and 
resiliency of our infrastructure.
    We have a responsibility to define the Internet 
infrastructure risk that exists and to plan for that risk 
appropriately. And we have a responsibility to act. I assert 
that we must act now.
    Thank you for the opportunity to testify before you today.
    [The prepared statement of Ms. Todt Coon follows:]

    [GRAPHIC] [TIFF OMITTED] T3198.088 through T3198.095
    
    Mr. Clay. Thank you very much. I will ask the panel several 
questions, and I would love to hear responses from the entire 
panel. We will just start at this end of the table with Ms. 
Todt Coon, and go down the line.
    The first issue is, regardless of which sector of the 
economy we focus on, all of them have significant levels of 
dependence on the Internet for their operations. It seems, 
however, that we spend more time focusing on the risk of 17 
different sectors, as opposed to the broad risk associated with 
the disruption of a key critical asset, such as the Internet.
    First, should we begin to move away from establishing 
levels of risk for each specific sector, and move toward 
establishing risk models according to specific assets or 
critical functions, such as telecom, Internet or infrastructure 
resiliency or the security of our power transmission assets?
    Ms. Todt Coon, let's begin with you.
    Ms. Todt Coon. Thank you. That is an excellent question, 
and it is obviously a question that we are confronted with in 
looking at how we have organized our sectors.
    I think some would assert at this point that the sector 
model is sophisticated in a way that is almost too 
sophisticated for us to manage right now, because the reality 
of how we are handling the sector issue is that it is stalling 
us and preventing us from making the progress that we could on 
information infrastructure protection.
    I would reference a report that was recently released by 
the Business Roundtable which talks about public/private 
partnerships. And it talks about the fact that the private 
sector incorrectly believes that government is developing 
response plans and that the Government believes that the 
industry structures will have their recovery response plans.
    We recognize that both the public and the private sector 
have a role but neither is adequately prepared.
    Having said that, I would like to reference, I think, a 
model within the private sector and its coordination with the 
public sector that has worked effectively. And that is the 
FBIIC model, which Ms. Allen has referenced. It is the 
Financial and Banking Information Infrastructure Committee.
    Post 9/11, the financial sector was obviously concerned 
about the anticipation of what could happen to our banking and 
financial markets. Through the committee, the Fed reached out 
to 11 financial institutions--reached out to the banking 
industry, and said we are going to talk to 11 institutions, we 
are not going to tell you who they are. Obviously if we talk to 
you, you will know you are one of them. And if not, you are 
not.
    And they worked with these institutions to create a 
security and resiliency plan. And Ms. Allen, I am sure, can 
talk to this in greater detail. But what this collaboration 
reflected was the clarity of Government purpose, and it also 
reflected industry working within a Government strategy.
    And one of the reasons why I think this was effective, was 
that the Government was able to leverage its institutional 
knowledge. The way that we have currently organized with DHS is 
that we have split the ownership roles across different 
agencies and entities, both on the cyber side, but we see it 
with energy and with other structures.
    And what I would propose is that we look at how the 
Government can institute this integrated approach to industry 
protection in a more collaborative way that doesn't silo this 
protection issue.
    Mr. Clay. Thank you for that response.
    Ms. Allen.
    Ms. Allen. I agree with everything you just said, and I 
would add to it, you can't boil the ocean. And I would pick 
five infrastructure groups to first coordinate and use that as 
a model for the others. And that is, the IT, the Internet, the 
telecom and the power, because they are absolutely 
interdependent.
    Then I would add financial services, because if that is 
down, then you are going to have a major problem with the 
economy and the confidence of the people. Last, first 
responders, so that you are taking care of the first 
responders.
    If you could look at integrated programs across those five 
groups, with the Government, that would be the starting point. 
And I think the FBIIC model, that the financial sector 
developed is the right model.
    Mr. Clay. Should it all be Homeland Security's 
responsibility? [Laughter.]
    Well, maybe Ms. Todt Coon should answer that. You helped 
design----
    Ms. Todt Coon. Well, I don't have a lot of confidence. 
Let's just say that there have been many, many attempts to have 
this happen under DHS and it has been very difficult for it to 
be effective. So I think it is really going to take absolute 
administrative support. I am in support of a blue ribbon 
commission and then maybe DHS responds back to and does 
whatever this commission says it needs to do.
    But I don't think that it is going to come the way that we 
have it structured now.
    Mr. Clay. All right. Mr. Clinton.
    Mr. Clinton. Mr. Chairman, I think that is a very 
thoughtful question. And I have been trying to listen to my 
colleagues to get a good answer for it, while I have been 
thinking of it myself.
    Here is my off-the-cuff view on it. First of all, we at the 
Internet Security Alliance have never embraced the sector 
model. The Internet Security Alliance is built on an entirely 
different model. We are a cross-sectoral organization. We have 
the defense sector, IT, banks, Coca-Cola, food service. Only 
because when you are dealing with the Internet, it is all ones 
and zeroes.
    So we all have the same problem, although, at a sub-
structural level, there are individual sector orientations 
within. So, the sector model, I think, was entirely the wrong 
way to go, fundamentally. And when I say we ought to rethink 
things, that is one of the places where I would suggest we 
begin.
    The second question, and this kind of gets to your followup 
question a little bit, has to do--when you say, what should we 
be doing. That is a really critical question. Who is the ``we'' 
you are talking about, sir? I think it is appropriate for you 
to be thinking, well, should this be DHS? And my answer is no, 
it shouldn't be DHS. It can't be DHS. If we try to shove this 
into DHS, even if we hire Catherine Allen to run DHS, I am 
still not sure that they are going to be able to do it. They 
are a U.S. Federal Government institution trying to deal with 
an inherently international infrastructure that is owned and 
operated 95 percent by the private sector.
    Trying to get this done through DHS or the Internet 
Commission on Wonderfulness is not going to work. We have to 
understand that we are dealing with an entirely different 
model. We have to find a way to work together with the private 
sector. The private sector is constantly--the major players, 
anyway--are constantly doing risk assessments. They are 
constantly upgrading their systems.
    As I said in my testimony, they are not waiting for DHS. 
And we work cooperatively with DHS. I am not going to bash DHS. 
But the system is being run by the private sector. That is 
never going to change. We have to find a way that Government 
understands its role. And its role is not to manage, to 
dictate, to be the parent here. Their role is to be a major 
user who works with all the other major users.
    Now, obviously they have a separate role in terms of 
national defense that we could deal with differently. But my 
suggestion would be that the way to go about this is to harden 
the entire system. Not to identify what the one particular risk 
is because that is a static moment in time.
    This past week we had a major conference at ISA where we 
looked at securing the IT supply chain. Talk about a major 
problem. There is nothing that is not in the IT system that is 
not researched, resourced, developed, assembled, whatever, 
someplace. And some of the places this stuff is made can be a 
little bit scary.
    How do we secure the supply chain? And we looked at all the 
risks. And we said this is the area where we have the greatest 
vulnerability. We looked at it for a minute, and we said, well, 
as soon as we established that as the major risk vector, the 
guys who are attacking this aren't stupid. Move it over to 
here.
    So the risks don't stay static. We need a full systems 
solution that is sustainable on a long term basis and that is 
why we argued for a system of market incentives. We have to 
make the owners and operators realize that it is in their self-
interest to continually upgrade and build-out the system, 
including the Federal Government's, and that is, we think, the 
answer to the approach that you are suggesting.
    Mr. Clay. Thank you for that response.
    Mr. Silva.
    Mr. Silva. I think that you have brought up a couple of 
interesting questions here, and I thank you for the opportunity 
to respond to them.
    It is interesting, when you really think about throughout 
time, we have kind of decided that we would handle this in a 
sector-specific way and that's just sort of how it worked 
itself out. In fact, the ISACs themselves were created as 
sector-specific to a large degree.
    And there are problems that are sector-specific. For 
instance, financial institutions have a more interesting set of 
threats unrelated to the infrastructure itself, but more around 
IT security and around the practices of being online for a bank 
or other financial institutions.
    But there are a lot of overlapping infrastructures, and 
those infrastructures certainly include the Internet itself, 
which all by itself is very insecure. I mean, the Internet 
itself doesn't offer any security. It really doesn't. Most of 
the security is handled either through appliances or through 
the applications themselves. But the Internet itself was 
designed to be an open system with really zero security 
measures to it at all.
    So I think that we need to look at the Internet 
infrastructure and its resilience and whatever security 
mechanisms we need to put in place to make sure that it 
continues to stay up, and the international aspect of it needs 
to be something that is looked at commonly across all of the 
sectors.
    Now you did ask what we should be doing and, as Mr. Clinton 
pointed out, what we should be doing is dependent upon who 
``we'' is. Since the private sector is responsible for most of 
the infrastructure on the Internet, it is incumbent upon the 
private sector to take action.
    I think if we beg for too much regulation from the 
Government, we will get exactly what we asked for, and I don't 
think that would be a pleasant situation, either.
    But as Mr. Clinton pointed out, incentives are probably the 
best tactical step that could be taken with long term effects 
that I think would be positive. Unfortunately, when we look at 
building out the infrastructure, say, for the next generation 
of the Internet protocol--which by the way that next generation 
of Internet protocol was developed a decade ago, and still has 
yet to be implemented literally. IP Version 6 has been pretty 
much standardized for a number of years and is the best 
technology yet to come, still.
    But there is no incentive for telecommunications providers 
or Internet service providers to deploy it. There aren't any 
customers and it is a chicken and egg kind of thing. There is a 
more secure, more robust protocol, and some would argue that it 
is not necessarily more secure and I might be one of them. But 
it hasn't been deployed because there are no customers for it. 
There are no customers for it because it doesn't exist.
    The Federal Government is a big enough customer that if 
they demanded it as part of their infrastructure, and their 
infrastructure build-out and used their market influence, their 
buying power, then those kinds of protocols and those kinds of 
enhancements would be made, if demanded by the Government as 
part of the procurement process.
    Thank you.
    Mr. Clay. Thank you for that response.
    Mr. Sabo.
    Mr. Sabo. Well, summing up after that, or coming to a 
conclusion, a couple of things I would say with respect to the 
basic question.
    There are risk assessments that can be applied generally to 
what we see as the infrastructure. And some of that work is 
happening now. The IT-ISAC and the Sector Coordinating Council, 
in fact, have work groups of industry experts attempting to 
look at the key functionality provided by the infrastructure 
and the sub-functionality, and attempt to build a risk 
assessment methodology that actually might make some sense.
    If you do a static risk assessment, although I respect the 
idea of bringing in experts and assembling for many months, we 
have had many of those studies. You can look at the literature 
and you can see a number of recommendations made by 
academicians and by industry experts that are sitting on the 
shelves because the Internet and the infrastructure are very 
dynamic. And, as Mr. Silva pointed out in his statement, a 
number of threats to the infrastructure are not on the 
infrastructure, it is on the applications that ride on the 
infrastructure and that impact the utility of the 
infrastructure.
    In the financial sector, a number of attacks are based on 
social engineering. And those attacks open up and expose 
vulnerabilities, the vector of an attack that can be used much 
later to go after the infrastructure.
    In a way, we have a very organic Internet infrastructure. 
The components of it, such as software itself or a domain name 
service resolution or some of the other pieces of it, are all 
components which lead to the vulnerabilities which actors can 
use when they decide to make an attack.
    So a couple of things. One is, work needs to happen cross-
sector and I agree with that, and it is actually starting, but 
it has not really moved far enough along. Work also has to 
happen by the users of the infrastructure, and that is, the 
major sectors and the major corporations and companies in the 
sector. And to some degree that is addressed by the type of 
regulatory environment in which financial services operates. It 
is not addressed in many other environments and yet the work 
needs to be done.
    So I think it really is a combination of both looking at 
the risks associated with the use of the network 
infrastructure, for example, by control systems, the use of the 
infrastructure by the major corporations, but also by the 
industry that writes the hardware/software and operates 
resolution services and security services for the 
infrastructure.
    You can't look at it, I think, as one simple solution. You 
have to recognize how complex the beast is, and you have to 
let, actually encourage, which was the purpose of my testimony 
for the ISAC, that where industry is stepping forward to 
address these issues, Government's best role is to foster and 
encourage through appropriate incentives. And not all monetary 
incentives. They could be incentives such as saying we 
encourage you and we will support some of these activities, to 
move forward with that.
    And I think to conclude, the Roundtable Report is an eye-
opener. Because what the Business Roundtable found in its 
report is that we are increasingly and fundamentally and 
almost totally becoming dependent on this IT infrastructure 
which is network based. And in that interdependence, we are 
losing our capacity to go backward. We are losing our ability 
to go back to older systems. We are losing our ability to fall 
back to paper systems. Therefore it is imperative for us as a 
Nation to take the steps to do what you just said; do an active 
risk assessment, put in the types of controls we need, do some 
of the strategic work that is academically based, but have a 
proactive operational plan to move forward.
    If all we are going to do is write more papers, do more 
commissions, do more studies, we are going to hopelessly fall 
behind. And so I think being active, looking at the uniqueness 
of each sector, what the companies are doing, what the 
practices are, as well as looking cross-sector at some of the 
functions, is a combination way to go.
    And then from a congressional perspective, avoiding 
regulation but perhaps looking to measures and to saying to us 
who are in these sectors, what are some performance measures 
that you are using to evaluate your effectiveness. What steps 
are you taking. What outcomes are you offering.
    And to me that would be the most effective short-term 
approach.
    Mr. Clay. Thank you for that response. One more question 
for the panel. Is the extension of the Federal Terrorism 
Reinsurance Backstop program an adequate model for Government 
to provide economic security to the private sector in the event 
of a major Internet disruption? Do we have effective risk 
models to determine the cost and potential exposure to the 
Government for covering this type of incident? We will start 
with Ms. Todt Coon.
    Ms. Todt Coon. I would go back to--I appreciate the 
comments of the panelists, but I continue to assert that we 
have not defined the risk in a way that allows us to create a 
model, in response to your question. By not having this 
accountability and by not defining this risk, we are being 
stalled with inaction.
    And while there has been action in different components, as 
we cited earlier--I think what the financial sector has done is 
exemplary and noteworthy--as a whole, we have not made the 
progress on these issues that we are looking to do.
    And I think at the end of the day, in looking at what the 
public and the private sectors have done, as we cited earlier, 
looking up multiple post-Katrina reports, we recognize that 
neither the public nor the private sector can respond 
individually. They need to work together. And Katrina showed us 
that the ways in which they work together currently aren't 
working properly.
    And so I would encourage us to look at legislation, like 
the Stafford Act, to revise to include for-profit companies and 
also look at the Defense Production Act, which if leveraged 
correctly by DHS could support the work that they are doing. 
And I think that legislation exists out there within which we 
need to work. And that we also need to be assigning the 
ownership and responsibility in a more clear way that allows 
those entities responsible for this to act accordingly.
    Mr. Clay. Thank you for that. And, Ms. Allen, the Terrorism 
Reinsurance Backstop program, is it an adequate model?
    Ms. Allen. It is not adequate. I think it is a good thing, 
but it is not adequate. Again, I agree that there is not an 
appropriate risk model. We don't yet understand the cross-
sector impact. I think there are other incentives, including 
insurance, the ratings agencies, tax incentives, Government 
procurement, that might be more effective in the short run.
    And that is my answer.
    Mr. Clay. Mr. Clinton.
    Mr. Clinton. I think I would agree that it is a useful 
model, but some important differences have to be realized. 
First of all, cyber insurance is a very different animal than 
traditional insurance. The cyber insurance market has not taken 
off at all. It has been stagnant for 5 or 6 years, about 20 
percent of companies have cyber insurance. And there are things 
that the Government can do to help in that area.
    So, if you are talking about cyber, the model is probably 
worth looking at, but there are other things that need to be 
done. And my colleagues are exactly right with regard to you 
can't assess the risk.
    Let me quickly tell you what the core problem is with cyber 
and then in my written testimony I go into a little bit more 
depth on insurance. I won't bore you with that now.
    But the problem with cyber insurance, it is available. But 
the problem is, nobody buys it. And the reason nobody buys it 
is because it costs too much money. And the reason it costs too 
much money is because since there isn't adequate actuarial 
tables, the businesses that run the cyber insurance naturally 
set the risk at maximum and therefore the prices are at 
maximum.
    The Federal Government could do a tremendous service by 
coming in and working with us so that we get the data 
appropriate so that we could set actuarial tables which would 
bring more providers into the market. Currently one company, 
AIG, has 85 percent of the market. That is not a good thing.
    If we got more providers into the market by providing them 
with the data, which I expect the Government does actually have, 
that would then lower the cost. By lowering the cost, now more 
providers will get in. That will increasingly lower the cost, 
which has two major benefits.
    First of all, if you have a cyber Katrina right now, there 
is virtually nobody covered. Which means the insurer of last 
resort is going to be the Federal Government. The Federal 
Government is going to be stuck with a bill for billions and 
billions and billions of dollars. It is going to be worse than 
Katrina because at least there was some insurance down there. 
There isn't in a cyber Katrina.
    Second, once we have insurance available and being 
purchased broadly throughout the market place, insurance can 
be, in addition to other incentives, and I would endorse 
Cathy's comments in that regard, but insurance can be a 
tremendous incentive.
    We use insurance all the time to motivate pro-social 
behavior. Good driving behavior, good health behavior. My 
daughter is desperate to get really good grades because it is 
going to lower the insurance on her car. This can drive better 
behavior. And what I have argued in my testimony is, the way to 
have a fully resilient, consistent, consistently up-growing 
system is to have market incentives. Insurance is a great one. 
So that people will constantly want to adopt the best 
practices, get the lower insurance rate and the industry and 
the Government is therefore covered if we have a major event.
    So, it is a good model, but there are a variety of things 
that we have to do to make it work, particularly in the cyber 
arena.
    Mr. Clay. Thank you for that response.
    Mr. Silva.
    Mr. Silva. Thank you. I don't know that that level of 
assistance is necessarily everything that we need. And there has been a 
lot of discussion about how difficult it is to assess the risk. 
And I don't know about assessing the risk because I think each 
individual element of this could assess what they believe is a 
risk and then somehow we could wrap that up. It is difficult to 
assess now.
    What is even harder to assess is what the level of damage 
is going to be. And it will be more than we can even imagine 
sitting at this table. We couldn't have imagined the damage 
that happened during Katrina and when we sat and tried to plan 
for that ahead of time.
    But the damage that would have happened from even shutting 
down the Internet for a couple of hours in the middle of a 
trading day or the middle of a business would be catastrophic. 
It would be huge. And if something so serious occurred that we 
had to reboot the Internet, so to speak, it would be a 
significant amount before that recovery would actually take 
place. There are so many different players.
    But one of the things that I worry about, in addition to 
those attacks that come from a terrorist act, if you will, or 
some malicious behavior, are those sorts of things that might 
create a self-inflicted wound. In our zeal to try to improve 
the Internet, in many cases, we make it more complicated and in 
fact create new and additional risk that we should think 
through a lot more carefully before we do it.
    One example of that is internationalized domain names. 
There are proposals to create internationalized domain names in 
order to let countries create domain names, the name of Web 
sites, if you will, in Cyrillic or Arabic, etc. The problem is 
that because of a lack of careful action and careful planning 
on this, other countries are on their own racing out to create 
another Internet, if you will, that uses the Internet we are 
used to, but works in a completely different way.
    So the rules and regulations that we would create and the 
policies that we would create as industry sectors and as 
governments wouldn't apply to these people. Therefore, we have 
to take corrective action for whatever the weakest link is 
going to be, and carefully think through some of these 
improvements that we think are improvements, and make sure that 
they are not actually creating more complexity and more 
confusion for users and more confusion for the people who have 
to assess threats and damage.
    Mr. Clay. Thank you for that response.
    Mr. Sabo.
    Mr. Sabo. I think an approach to this is to give a chance 
to the mechanisms that have not been given a chance to work. It 
is a complex environment. We have never been in a situation 
where millions of individuals scattered around the whole United 
States, or for that matter, the world, could literally have an 
impact on a national economy.
    We have never been in a situation where people living--and 
it has been rare--but if you think of a physical event and the 
insurance for terrorism, it might be very applicable to that. 
But we are dealing with a much different animal.
    Mr. Clay. Mr. Sabo, let me interrupt you. Are we too 
dependent on the Internet as a society? As a world? Mr. Clinton 
is saying there is no going back. There is no way to go back to 
the paper or anything else. Does that make us too dependent on 
the Internet?
    Mr. Sabo. We are dependent on it. And it is increasingly 
so. And we can't stop that because the nature of us as human 
beings, the nature of the capitalist society and the 
development of many uses of information and new technologies, 
simply can't be arrested without some dramatic shift back to a 
society of almost the Stone Age. You can't do it.
    Having said that, and knowing the complexity that we do, my 
suggestion is that we give an opportunity for measures to begin 
working slowly to address different aspects of this. So one 
aspect is Internet resilience and some of the things that Ken 
is talking about.
    Another aspect is expectations of companies as noted in the 
Business Roundtable to take steps, good steps, to deal with 
business continuity practices. Another example would be looking 
to industry through the ISACs and so on, to address 
vulnerabilities.
    And by putting this together in combination, you have some 
opportunity to see progress against a set of measures. But if 
you just look at it in terms of--particularly with the 
Internet, as Ken said, a catastrophe so huge that in cyber 
terms it would be the equivalent of a national state of 
emergency that might continue for weeks or months.
    What is that? How can you insure against it? Insurance 
might be good to, say, I have a breach issue and I am insured 
against the risk associated with that. But how do you insure 
against the loss of a whole infrastructure for the whole 
economy?
    So I would say an approach is let each of the measures that 
are best suited for this tier of protection be given a chance 
to operate and be given a chance to demonstrate effectiveness.
    Mr. Clay. Thank you so much for that response. Let me thank 
the panel for their responses and their expertise in this area. 
I am certain that this will not be the last hearing.
    But as you have heard, the bells have rung, and without 
objection, this committee is adjourned.
    Thank you.
    [Whereupon, at 5:50 p.m., the subcommittee was adjourned.]
