[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
CYBER INSECURITY: HACKERS
ARE PENETRATING FEDERAL SYSTEMS
AND CRITICAL INFRASTRUCTURE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON EMERGING
THREATS, CYBERSECURITY AND
SCIENCE AND TECHNOLOGY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
__________
APRIL 19, 2007
__________
Serial No. 110-26
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
43-562 PDF WASHINGTON : 2009
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
BENNIE G. THOMPSON, Mississippi, Chairman
LORETTA SANCHEZ, California
EDWARD J. MARKEY, Massachusetts
NORMAN D. DICKS, Washington
JANE HARMAN, California
PETER A. DeFAZIO, Oregon
NITA M. LOWEY, New York
ELEANOR HOLMES NORTON, District of Columbia
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
DONNA M. CHRISTENSEN, U.S. Virgin Islands
BOB ETHERIDGE, North Carolina
JAMES R. LANGEVIN, Rhode Island
HENRY CUELLAR, Texas
CHRISTOPHER P. CARNEY, Pennsylvania
YVETTE D. CLARKE, New York
AL GREEN, Texas
ED PERLMUTTER, Colorado
PETER T. KING, New York
LAMAR SMITH, Texas
CHRISTOPHER SHAYS, Connecticut
MARK E. SOUDER, Indiana
TOM DAVIS, Virginia
DANIEL E. LUNGREN, California
MIKE ROGERS, Alabama
BOBBY JINDAL, Louisiana
DAVID G. REICHERT, Washington
MICHAEL T. McCAUL, Texas
CHARLES W. DENT, Pennsylvania
GINNY BROWN-WAITE, Florida
MARSHA BLACKBURN, Tennessee
GUS M. BILIRAKIS, Florida
DAVID DAVIS, Tennessee
------
Jessica Herrera-Flanigan, Staff Director & General Counsel
Rosaline Cohen, Chief Counsel
Michael Twinchek, Chief Clerk
Robert O'Connor, Minority Staff Director
______
SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND
TECHNOLOGY
JAMES R. LANGEVIN, Rhode Island, Chairman
ZOE LOFGREN, California
DONNA M. CHRISTENSEN, U.S. Virgin Islands
BOB ETHERIDGE, North Carolina
AL GREEN, Texas
VACANCY
BENNIE G. THOMPSON, Mississippi (Ex Officio)
MICHAEL T. McCAUL, Texas
DANIEL E. LUNGREN, California
GINNY BROWN-WAITE, Florida
MARSHA BLACKBURN, Tennessee
PETER T. KING, New York (Ex Officio)
Jacob Olcott, Director & Counsel
Dr. Chris Beck, Senior Advisor for Science & Technology
Carla Zamudio-Dolan, Clerk
Dr. Diane Berry, Minority Senior Professional Staff Member
C O N T E N T S
----------
STATEMENTS
The Honorable James R. Langevin, a Representative in Congress
From the State of Rhode Island, Chairman, Subcommittee on
Emerging Threats, Cybersecurity, and Science and Technology
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, Ranking Member, Subcommittee on
Emerging Threats, Cybersecurity, and Science and Technology
The Honorable Bob Etheridge, a Representative in Congress From
the State of North Carolina
The Honorable Al Green, a Representative in Congress From the
State of Texas
The Honorable Zoe Lofgren, a Representative in Congress From the
State of California
The Honorable Daniel E. Lungren, a Representative in Congress
From the State of California
Witnesses
Panel I
Mr. Jerry Dixon, Director, National Cyber Security Division,
U.S. Department of Homeland Security: Oral Statement; Prepared
Statement
Mr. Dave Jarrell, Manager, Critical Infrastructure Protection
Program, U.S. Department of Commerce: Oral Statement; Prepared
Statement
Mr. Donald Reid, Senior Coordinator for Security Infrastructure,
Bureau of Diplomatic Security, U.S. Department of State: Oral
Statement; Prepared Statement
Mr. Greg Wilshusen, Director, Information Security Issues,
Government Accountability Office: Oral Statement; Prepared
Statement
Accompanied by Mr. David Powner, Director, Information
Technology, Government Accountability Office
Panel II
Mr. Ken Silva, Chief Security Officer, VeriSign: Oral Statement;
Prepared Statement
Mr. Aaron Turner, Cybersecurity Strategist, National & Homeland
Security, Idaho National Laboratory: Oral Statement; Prepared
Statement
Appendixes
Appendix A: Prepared Opening Statements
The Hon. James R. Langevin
The Hon. Bennie G. Thompson
Appendix B: Additional Questions and Responses
Responses from Mr. Jerry Dixon
CYBER INSECURITY: HACKERS ARE
PENETRATING FEDERAL SYSTEMS AND CRITICAL INFRASTRUCTURE
----------
Thursday, April 19, 2007
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Emerging Threats, Cybersecurity,
and Science and Technology,
Washington, DC.
The subcommittee met, pursuant to call, at 1:11 p.m., in
Room 1539, Longworth House Office Building, Hon. James Langevin
[chairman of the subcommittee] presiding.
Present: Representatives Langevin, Lofgren, Etheridge,
Green, McCaul, and Lungren.
Mr. Langevin. [Presiding.] The subcommittee will come to
order.
The subcommittee is meeting today to receive testimony on
``Cyber Insecurity: Hackers are Penetrating Federal Systems and
Critical Infrastructure.''
Good afternoon, and welcome to the Subcommittee on Emerging
Threats, Cybersecurity, Science and Technology hearing on the
hacking of federal systems and privately owned critical
infrastructure.
I would like to begin by thanking the witnesses who appear
before us today, and I appreciate your testimony today that we
are about to hear.
I will focus my remarks this afternoon on our first panel,
which will discuss the security of information technology on
the federal level.
Let me be clear about the threat to our federal systems: I
believe the infiltration by foreign nationals of federal
government networks is one of the most critical issues
confronting our nation. The acquisition of our government's
information by outsiders undermines our strength as a nation.
If sensitive information is stolen and absorbed by our enemies,
we are strategically harmed.
Over time, the theft of critical information from
government servers could cost the United States our advantage
over our adversaries. This is a most critical issue that we
cannot afford to ignore any longer. Today we are hearing from
several agencies that have experienced significant cyber
attacks against their systems. These are not the only agencies
experiencing problems. They are simply the only attacks that
have been made public to this point.
In October 2006, hackers operating through Chinese Internet
servers launched an attack on the computer system of the Bureau
of Industry and Security, BIS, at the Department of Commerce.
The hackers penetrated the computers with a ``rootkit''
program, a form of software that allows attackers to mask their
presence and then gain privileged access to the system.
In reviewing the Commerce testimony for today's hearing, I
am troubled by several things. Though Commerce first learned on
July 13 that its computers were infected, this was not the date
of initial infection. In fact, Commerce has no idea how long
the attackers were actually inside their systems, nor do they
know if the attackers are still within their systems.
As far as I can tell from the responses, rogue tunnel
audits, authentication changes, and complete machine rebuilds
have not occurred. We are also not sure how much information
was lost. Though Commerce tells us that data was not lost, data
can easily be copied and sent outside through the Internet. So
there is a difference here, and I want to make that
distinction, between lost and information that is copied by
those who have penetrated the system.
Unfortunately, Commerce isn't the only federal agency with
a problem. Prior to the Commerce hack, in June 2006, hackers
accessed networks at several State Department locations,
including its Washington headquarters, and inside the Bureau of
East Asian and Pacific Affairs. They did so by sending a
socially engineered email to an employee. The employee opened
the Microsoft Word document attachment, which contained exploit
code.
I am concerned about the temporary fix that State put in
place. Security authorities that I have spoken with are highly
dubious about the success of ``temporary wrappers,'' as they
are called, the kind which State had to put in place due to the
absence of a Microsoft patch for several months. Most targeted
attacks involve rootkits, which cannot be detected or stopped
by a temporary wrapper. I don't understand, therefore, why
State wouldn't take its entire system offline for a full kernel
inspection.
In reading State's testimony, I believe they made the
determination that accessibility to data is more important than
confidentiality and integrity. If State really valued the
latter, they would have taken the system offline and done a
full wash. Both agencies insist that these attacks are less
serious because they involve unclassified servers. I disagree.
As you are no doubt aware, FISMA requires federal agencies
to track down and identify every device and system on an
agency's network, and to make sure that the network topology is
fully described. As we learned last week, both State and
Commerce received F's in the latest round of FISMA scores.
According to page 10 of the fiscal year 2006 FISMA report
to Congress, the inspector general at State reported that the
agency did not complete at least 50 percent of its system
inventory. The I.G. at Commerce certifies that at least 96
percent of Commerce systems have been inventoried.
I will suggest to our panelists today that if they can't
certify their network topologies to FISMA, then they can't know
for certain that these incidents don't involve the classified
networks. Furthermore, just because attacks are occurring on
the unclassified network does not mean this isn't sensitive
information. Information that may be deemed classified in the
future may first appear in an unclassified network.
But this isn't just about Commerce and State. I have to say
that I am disappointed and troubled with the Department of
Homeland Security's progress in securing cyberspace. The
department is the agency responsible for securing the nation's
critical infrastructure, and yet they received a D this year on
its FISMA score. It is the first time since 2003 that the
department did not receive an F, so I guess we are making some
progress.
Our issue today is with the NCSD, but I will be honest with
you: I don't know how the department thinks it is going to lead
this nation in securing cyberspace when it can't even secure
its own networks. Not only are these grades embarrassing, but
they are dangerous. Think about all of the critical information
the department is keeping on its networks. I can assure
everyone here that the kinds of questions that have been asked
to the State Department and the Commerce Department will be
asked of DHS as well.
With regard to NCSD's response to these incidents, I have a
few thoughts. It is my understanding that NCSD does not
adequately share commonalities of attack information with other
agencies that may be at risk. For instance, an agency like
Commerce or State that has been hacked by a ``zero-day
exploit'' will provide this information to the NCSD. But the
NCSD can't just sit on that information. We need the NCSD to be
the group that fuses information from across the federal
government together and distributes the product for agencies to
use across government.
Unfortunately, I understand that NCSD does not have
protocols in place to share this kind of information with other
agencies in the federal government or perform that level of
work. This subcommittee will continue to monitor these issues
to ensure that information sharing and technical response
improves.
In closing, I think these incidents have opened a lot of
eyes in the halls of Congress. We don't know the scope of our
networks. We don't know who is inside our networks. We don't
know what information has been stolen. We need to get serious
about this threat to our national security.
That is the end of my statement.
The chair now recognizes the ranking member of the
subcommittee, the gentleman from Texas, for an opening
statement.
Mr. McCaul. Thank you, Mr. Chairman.
I want to thank you for holding this hearing. It is a very,
very important issue. It is an issue that, in my view, is
overlooked many times. It poses a very significant threat to
this nation. In my judgment, it can cause far greater
destruction than, say, a dirty bomb which we tend to focus on
quite a bit, if you think about the networks, the cyber
systems, the power grids being shut down in this nation.
We know that our own military has tremendous capability and
capacity to do these things. Imagine that capability in the
hands of a rogue nation or a terrorist state, and what havoc
they could wreak upon this country. There is espionage hacking,
stealing intellectual property, and then there is a potential
terrorist attack. These are all threats I take very seriously
as a great threat to this nation.
Again, I want to thank you for holding this hearing on the
vulnerabilities of both government and private computer
systems. They are networks that are vulnerable to malicious
hacking. I agree the issue of cyber security has matured past
the point of talking about it in generalities and sweeping
policy statements and rhetoric. Now is the time to start
focusing on specific issues such as hacking into government
networks.
As everyone is aware, we depend on information technology
every day. We are aware of some of the more widely known
problems that face our computer networks, from spam and viruses
to online attempts at identity theft. These problems cause us
to waste resources and time, but to a large extent they do not
pose a security threat. But hacking into computer networks,
especially government computer networks, does create a very
real security threat, specifically a threat to our ability to
rely upon information that we have in those networks.
Our country and our government depend on information. If
that information becomes untrustworthy because it is on a
vulnerable computer network, governmental services and
institutions could grind to a halt. Some say that as long as
classified networks remain protected, national security
will be preserved. Unfortunately, national security depends on
more than just classified information.
For example, if Medicare records are compromised, the well-
being of a large portion of our citizens would be at risk. In a
similar way, if computers at the IRS were compromised, the
resulting unreliability of tax records could create an
administrative nightmare for many Americans. In addition, there
are industrial control systems that if compromised could have a
very direct and dangerous result.
Control systems are those that control facilities and
processes in multiple industries across the country, such as
dam spillways and electric power systems. Gaining control of
these systems could create as much damage as a weapon of mass
destruction.
I look forward to working with you, Mr. Chairman, to take a
more comprehensive look at the threats against control systems
and the viability of securing these critical infrastructure
systems. While this hearing is focused on the issue of hacking
into computer networks, I hope that we can also clarify the
role and responsibility of the Department of Homeland Security
regarding these issues.
Should the department be responsible for securing all of
the government's computer networks? Or should it be merely a
point of coordination for departmental computer security
offices? I believe the department should be the point of
leadership for cybersecurity throughout the country and lead by
example, by making its networks the most secure and reliable in
the country.
The department already has programs to monitor the traffic
on some government networks. I look forward to a better
description of them by Mr. Dixon.
Thank you, Mr. Chairman. I yield back the balance of my
time.
Mr. Langevin. I thank the gentleman.
I ask unanimous consent that the gentlelady from
California, Ms. Lofgren, be recognized for the purpose of an
opening statement.
Ms. Lofgren. Thank you very much, Mr. Chairman. I will be
brief, as I have a conflict in about 20 minutes.
I will just first thank you for holding this hearing. I
think it is very important and that we begin to pay attention
once again to the cybersecurity issues that I think have been
neglected for the last couple of years.
I have constituents here in the next panel, VeriSign. I
wanted to welcome them to the Capitol and for their statement--
I have read all the statements--and to note whether this could
be addressed by the witnesses. In the VeriSign statement--there
are no page numbers on it--but describing Project Titan. There
is a discussion of the concern about a cyber attack coupled
with a physical attack, which is something that has been of
great concern to me over the years.
I am interested in exploring that, either in this hearing,
or if more appropriate, in a more discreet setting, but I think
that is something that we need to pay some considerable
attention to. I also note that the current system which
provides letter grades seems to have no connection whatsoever
to the actual security of the agency. That is something that I
hope that we can visit.
So that we will not delay the testimony, I would just
simply thank the chairman for taking me out of order and
allowing me to make those comments. I yield back.
Mr. Langevin. I thank the gentlelady.
Other members of the subcommittee are reminded that under
the committee rules, opening statements may be submitted for
the record.
I now welcome our first panel of witnesses.
Our first witness is Mr. Gregory Wilshusen, who is the
director of information security issues at GAO, where he leads
information security-related issues and audits of the federal
government. He has over 26 years of auditing, financial
management and information systems experience. He is a
certified public accountant, certified internal auditor, and
certified information systems auditor. He holds a B.S. degree
in business administration and accounting from the University
of Missouri, and an M.S. in information management from George
Washington University School of Engineering and Applied
Sciences.
Thank you for being here.
Our second witness is Mr. Don Reid, the senior coordinator
for security infrastructure, Bureau of Diplomatic Security. Mr.
Reid oversees the department's information and personnel
security suitability programs, and key aspects of its network
cybersecurity program. Mr. Reid's information security
responsibilities include the management of classified
information programs, oversight of the department's Special
Security Office, the operation of the Industrial Security
Program, and the investigation and resolution of security
violations.
Mr. Reid served in the United States Air Force for 30
years. He earned an undergraduate degree in criminology from
the University of Maryland, his master's degree in Middle East
studies from the University of Utah, and completed a senior
managers in government seminar at Harvard's Kennedy School of
Government.
Our third witness is Mr. Dave Jarrell, the critical
infrastructure protection manager at the Department of
Commerce. He has focused his 27-year career as a security
professional, where his focus remains on critical
infrastructure protection, contingency of operations planning,
crisis and disaster recovery, I.T. education for federal agency
staff, and I.T. security incident response and readiness.
His first detail while in the United States Marine Corps
was the protection of the president while traveling aboard Air
Force One. It was while assigned to HMX-One Marine Helicopter
Squadron that David received a medal for saving the life of an
infant child. In his free time, Mr. Jarrell volunteers as a
firefighter emergency medical technician and fire incident and
command officer, where his most senior assignment was that of
fire captain.
Thank you for being here.
Our final witness is Mr. Jerry Dixon, the director of the
National Cyber Security Division of the Department of Homeland
Security. Mr. Dixon leads the national effort to protect
America's cyber infrastructure and identify cyber threats. He
works collaboratively and facilitates strategic partnerships
with stakeholders in the private sector, private industry and
international arena. Mr. Dixon was appointed director of the
NCSD on January 7, 2007.
Before joining NCSD, Mr. Dixon was the founding director of
the Internal Revenue Service's computer security incident
response capability. In this role, Mr. Dixon led the
operational cybersecurity capability for the IRS and developed
their ability to detect and respond to protect American
taxpayers' private information from security attacks. Mr. Dixon
has also served as director of information security for
Marriott International, a private-sector company where he led
cybersecurity planning, security architecture, and security
operations.
Gentlemen, again I want to thank you for being here.
Without objection, the witnesses' full statements will be
inserted in the record.
I will now ask each witness to summarize their statement
for 5 minutes, beginning with Mr. Wilshusen.
Welcome.
STATEMENT OF GREG WILSHUSEN, DIRECTOR, INFORMATION SECURITY
ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Mr. Chairman and members of the
subcommittee, thank you for inviting me to testify at today's
hearing on information security over federal systems. I am
joined by David Powner, director of information technology at
GAO.
For many years, GAO has reported weaknesses in information
security, a widespread problem with potentially devastating
consequences such as intrusions by malicious users, compromised
networks, and the theft of personally identifiable information.
In reports to the Congress since 1997, GAO has identified
information security as a government-wide high-risk issue.
Today, I will discuss the weaknesses that persist in
information security controls at federal agencies, the
reporting of security incidents, and the efforts by the
Department of Homeland Security to develop a cyber-threat
analysis and warning capability.
Mr. Chairman, serious information security weaknesses
continue to threaten the confidentiality, integrity, and
availability of federal systems and information. Twenty-one of
the 24 major agencies were cited by their inspectors general or
independent auditors for significant weaknesses in information
systems control.
For example, 18 agencies do not have adequate access
controls in place to ensure that only authorized individuals
could access, view or manipulate data. Even basic controls were
not consistently implemented. For example, well-known vendor-supplied
passwords were not replaced. Users were granted access
privileges that exceeded their need. Sensitive information was
not always encrypted, and adequate audit logs were not always
maintained.
Agencies also lacked effective physical security controls.
For instance, many of the data losses that occurred at federal
agencies over the past few years were a result of either
physical thefts or improper safeguarding of laptops and other
portable devices. An underlying cause for these weaknesses is that
agencies have not fully implemented information security
programs required by the Federal Information Security
Management Act, or FISMA.
These weaknesses persist even as many agencies report
increased implementation of program activities. However, until
agencies effectively and fully implement these programs,
federal data systems will not be sufficiently safeguarded to
prevent unauthorized use, disclosure and modification.
In 2006, agencies reported a record number of security
incidents to the United States Computer Emergency Readiness
Team, or US-CERT, which is a unit within the Department of
Homeland Security responsible for collecting such information.
Although agencies have noted improvements in incident reporting
procedures, inconsistencies exist across agencies.
For example, although one agency reported more than 800
incidents annually, internally and to law enforcement authorities,
it did not report them to US-CERT. I.G.s have also reported
weaknesses in agencies' incident reporting procedures.
In addition to its activities with US-CERT, the Department
of Homeland Security has taken steps towards addressing our
recommendations for developing a strategic analysis and warning
capability for cyber attacks. It has established various
initiatives to enhance analytical capabilities such as
promoting intelligence sharing through the US-CERT, and
deploying situational awareness tools at selected federal
agencies.
We believe that with a robust, effective and strategic
analysis and warning capability, the department can help
agencies to reduce risks associated with security incidents.
However, it has not yet fully implemented our recommendations,
particularly in implementing such a capability beyond the
federal government.
In summary, although agencies report increased compliance
with security program activities required by FISMA, serious
weaknesses persist at federal agencies and reported incidents
are rising. Until agencies fully implement their information
security programs, they will be exposed to increased risk of
cyber attacks.
The Department of Homeland Security can help agencies
mitigate these risks by developing and implementing a strategic
analysis and warning capability.
Mr. Chairman, this concludes my opening statement. Mr.
Powner and I will be happy to answer questions.
[The statement of Mr. Wilshusen follows:]
Prepared Statement of Gregory C. Wilshusen
Mr. Chairman and Members of the Subcommittee:
Thank you for the opportunity to join in today's hearing to discuss
information security over federal systems. Information security is a
critical consideration for any organization that depends on information
systems and computer networks to carry out its mission or business. It
is especially important for government agencies, where the public's
trust is essential. The need for a vigilant approach to information
security is demonstrated by the dramatic increase in reports of
security incidents, the wide availability of hacking tools, and steady
advances in the sophistication and effectiveness of attack technology.
Proper safeguards are essential to protect systems from attackers
attempting to gain access and obtain sensitive information, commit
fraud, disrupt operations, or launch attacks against other systems.
For many years, we have reported that poor information security is
a widespread problem with potentially devastating consequences. In
reports to Congress since 1997, we have identified information security
as a governmentwide high-risk issue.\1\ Concerned by reports of
significant weaknesses in federal computer systems, Congress passed the
Federal Information Security Management Act (FISMA) of 2002,\2\ which
permanently authorized and strengthened the information security
program, evaluation, and annual reporting requirements for federal
agencies.
---------------------------------------------------------------------------
\1\ GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.:
January 2007).
\2\ FISMA was enacted as title III, E-Government Act of 2002, Pub.
L. 107-347, 116 Stat. 2946 (Dec. 17, 2002).
---------------------------------------------------------------------------
In our testimony today, we will summarize (1) the continued
weaknesses in information security controls at federal agencies, (2)
federal agencies' reporting of information security incidents, and (3)
efforts by the Department of Homeland Security (DHS) to develop a cyber
threat warning and analysis capability. In preparing for this
testimony, we relied on our previous reports on information security at
federal agencies and the challenges faced by DHS in fulfilling its
cybersecurity responsibilities. We also analyzed agencies' Inspector
General (IG) reports pertaining to information security; congressional
reports; the 24 major federal agencies' FISMA reports for fiscal years
2004, 2005, and 2006; the performance and accountability reports for
those agencies; and the Office of Management and Budget's FISMA
guidance and mandated annual reports to Congress. The work on which
this testimony is based was performed in accordance with generally
accepted government auditing standards.
Results in Brief
Significant information security weaknesses continue to place
federal agencies at risk. In their fiscal year 2006 financial statement
audit reports, 21 of 24 major agencies cited information security
control weaknesses. An underlying cause for these weaknesses is that
agencies have not fully implemented agencywide information security
programs. These weaknesses persist even as many agencies report
increased implementation of information security program activities.
However, until agencies effectively and fully implement agencywide
information security programs, federal data and systems will not be
sufficiently safeguarded to prevent unauthorized use, disclosure, and
modification.
In 2006, agencies reported a record number of information security
incidents to US-CERT (Computer Emergency Readiness Team)--the DHS unit
responsible for collecting such information. At the same time, although
agencies have noted improvements in incident reporting procedures,
inconsistencies exist across agencies. For example, one agency reported
no incidents to US-CERT, although it reported more than 800 incidents
internally and to law enforcement authorities. IGs have also reported
weaknesses in agencies' incident reporting procedures.
In addition to its activities with US-CERT, DHS has taken steps
towards addressing prior recommendations for developing a strategic
analysis and warning capability for cyber attacks. Specifically, DHS
has established various initiatives to enhance its analytical
capabilities, including intelligence sharing through US-CERT and
situational awareness tools at selected federal agencies. We believe
that with continued progress in addressing strategic analysis and
warnings, US-CERT can further agencies' efforts to reduce risks
associated with incidents. However, DHS has not yet fully implemented
our original recommendations, particularly in implementing such a
capability beyond the federal environment.
Background
Virtually all federal operations are supported by automated systems
and electronic data, and agencies would find it difficult, if not
impossible, to carry out their missions and account for their resources
without these information assets. Hence, the degree of risk caused by
security weaknesses is high. For example, resources (such as federal
payments and collections) could be lost or stolen, data could be
modified or destroyed, and computer resources could be used for
unauthorized purposes or to launch attacks on other computer systems.
Sensitive information, such as taxpayer data, Social Security records,
medical records, and proprietary business information could be
inappropriately disclosed, browsed, or copied for improper or criminal
purposes. Critical operations could be disrupted, such as those
supporting national defense and emergency services. Finally, agencies'
missions could be undermined by embarrassing incidents, resulting in
diminished confidence in their ability to conduct operations and
fulfill their fiduciary responsibilities.
Recognizing the importance of securing federal systems and data,
Congress passed FISMA, which set forth a comprehensive framework for
ensuring the effectiveness of security controls over information
resources that support federal operations and assets. FISMA also
defined several public sector responsibilities that have been assumed
by US-CERT, a partnership between DHS and the public and private
sectors that was established in 2003 to coordinate defense against and
responses to cyber attacks across the nation.\3\ US-CERT's
responsibilities include compiling and analyzing information about
incidents that threaten information security and providing timely
technical assistance regarding security incidents.
---------------------------------------------------------------------------
\3\ FISMA charged the Director of OMB with ensuring the operation
of a federal information security center. The required functions are
performed by US-CERT, which was established to aggregate and
disseminate cybersecurity information to improve warning and response
to incidents, increase coordination of response information, reduce
vulnerabilities, and enhance prevention and protection.
Significant Weaknesses Continue to Place Federal Agencies at Risk
Significant weaknesses continue to threaten the confidentiality,
integrity and availability of federal information and information
systems. In their fiscal year 2006 financial statement audit reports,
21 of 24 major agencies indicated that deficient information security
controls were either a reportable condition \4\ or material weakness
(see fig. 1).\5\
---------------------------------------------------------------------------
\4\ Reportable conditions are significant deficiencies in the
design or operation of internal control that could adversely affect the
entity's ability to record, process, summarize, and report financial
data consistent with the assertions of management in the financial
statements.
\5\ A material weakness is a reportable condition that precludes
the entity's internal control from providing reasonable assurance that
misstatements, losses, or noncompliance material in relation to the
financial statements or to stewardship information would be prevented
or detected on a timely basis.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
These persistent weaknesses appear in the five major categories of
information system controls: (1) access controls, which ensure that
only authorized individuals can read, alter, or delete data; (2)
configuration management controls, which provide assurance that only
authorized software programs are implemented; (3) segregation of
duties, which reduces the risk that one individual can independently
perform inappropriate actions without detection; (4) continuity of
operations planning, which provides for the prevention of significant
disruptions of computer-dependent operations; and (5) an agencywide
information security program, which provides the framework for ensuring
that risks are understood and that effective controls are selected and
properly implemented. Figure 2 shows how many of the agencies had
weaknesses in these five areas.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Access Controls Were Not Adequate
A basic management control objective for any organization is to
protect data supporting its critical operations from unauthorized
access, which could lead to improper modification, disclosure, or
deletion of the data. Access controls, which are intended to prevent,
limit, and detect unauthorized access to computing resources, programs,
information, and facilities, can be both electronic and physical.
Electronic access controls include use of passwords, access privileges,
encryption, and audit logs. Physical security controls are important
for protecting computer facilities and resources from espionage,
sabotage, damage, and theft.
Our analysis of IG, agency, and our own reports uncovered that
agencies did not have adequate access controls in place to ensure that
only authorized individuals could access or manipulate data. Of the 24
major agencies, 18 had access control weaknesses. Such weaknesses
included not replacing well-known vendor-supplied passwords, permitting
excessive access privileges that users did not need to perform their
jobs, not encrypting sensitive information, and not creating or
maintaining adequate audit logs. Agencies also lacked effective
physical security controls. For instance, many of the data losses that
occurred at federal agencies over the past few years were a result of
physical thefts or improper safeguarding of systems, including laptops
and other portable devices.
Shortcomings Existed in Other Controls
In addition to access controls, other important controls should be
in place to protect the confidentiality, integrity, and availability of
information. These controls include policies, procedures, and
techniques addressing configuration management to ensure that software
patches are installed; appropriately segregating incompatible duties;
and establishing service continuity planning. Weaknesses in these areas
increase the risk of unauthorized use, disclosure, modification, or
loss of information.
Federal agencies demonstrated weaknesses in these control areas.
For example, several agencies did not always consistently install
critical software patches in a timely manner, segregate duties such as
security and system administration, or adequately update and test
contingency plans.
Agencywide Security Programs Were Not Fully Implemented
An underlying cause for the information security weaknesses
identified at federal agencies is that they have not yet fully
implemented agencywide information security programs. An agencywide
security program provides a framework and continuing cycle of activity
for managing risk, developing security policies, assigning
responsibilities, promoting awareness, monitoring the adequacy of the
entity's computer-related controls through security tests and
evaluations, and implementing remedial actions as appropriate. Without
a well-designed program, security controls may be inadequate;
responsibilities may be unclear, misunderstood, and improperly
implemented; and controls may be inconsistently applied. Such
conditions may lead to insufficient protection of sensitive or critical
resources.
In their annual FISMA reports for fiscal year 2006, agencies
reported increased compliance in several security program elements
required by the law or federal policy. For example, agencies reported
increases in the percentages of systems with assigned risk levels,
employees receiving security awareness training, systems that have been
certified and accredited \6\ and systems whose security controls were
tested and evaluated.
---------------------------------------------------------------------------
\6\ OMB requires that agency management officials formally
authorize their information systems to process information and accept
the risk associated with their operation. This management authorization
(accreditation) is to be supported by a formal technical evaluation
(certification) of the management, operational, and technical controls
established in an information system's security plan.
---------------------------------------------------------------------------
However, our reports and those of agency IGs indicate that at least
18 of the 24 major agencies had not fully implemented agencywide
programs. For example, agencies often did not effectively ensure that
all employees and contractors, including those with significant
information security responsibilities, received sufficient training.
Also, 10 IGs rated the quality of their agencies' certification and
accreditation process as ``poor'' or ``failing'' and continued to
identify specific weaknesses with the process, such as incomplete risk
assessments and security plans. We have also identified shortcomings in
agencies' efforts in testing and evaluating the effectiveness of their
information security controls. In 2006, we reported that agencies had
not adequately designed and effectively implemented policies for
performing such tests and evaluations.\7\ Policies often did not
include elements important for performing effective testing. In
addition, at agencies where we examined the effectiveness of security
controls, we found that they did not identify many of the
vulnerabilities we identified on their systems. Further, for case
studies of 30 systems at six agencies, weaknesses included insufficient
testing documentation, inadequately defined assessment methods,
inadequate security testing, and lack of remedial actions included in
testing plans. Finally, for 16 of 24 major agencies, IGs were not able
to provide assurance that their agencies almost always incorporated
weaknesses for all systems into their remediation plans. Our reviews
have also reported that weaknesses were not always resolved as
reported, and agencies' remedial action plans did not identify
resources necessary to correct weaknesses and were not always updated.
---------------------------------------------------------------------------
\7\ GAO, Information Security: Agencies Need to Develop and
Implement Policies for Periodic Testing, GAO-07-65 (Washington, D.C.:
Oct. 20, 2006).
---------------------------------------------------------------------------
As a result, agencies do not have reasonable assurance that
controls are implemented correctly, operating as intended, or producing
the desired outcome with respect to meeting the security requirements
of the agency. Furthermore, agencies may not be fully aware of the
security control weaknesses in their systems, thereby leaving their
information and systems vulnerable to attack or compromise. Until
agencies effectively and fully implement agencywide information
security programs, federal data and systems will not be adequately
safeguarded to prevent unauthorized use, disclosure, and modification.
Incident Reporting Varies Across Agencies
Although strong controls may not block all intrusions and misuse,
organizations can reduce the associated risks if they take steps to
detect and respond to them before significant damage occurs. Accounting
for and analyzing security problems and incidents are also effective
ways for an organization to improve its understanding of security
threats and potential costs of security incidents, as well as
pinpointing vulnerabilities that need to be addressed so that they are
not exploited again. When incidents occur, agencies are to notify the
federal information security incident center--US-CERT.
According to the US-CERT annual report for fiscal year 2006,
federal agencies reported a record number of incidents, with a notable
increase in incidents reported in the second half of the year. As
figure 3 shows, since 2005, the number of incidents reported to US-CERT
increased in every category except for malicious code. Further, a 2006
report by the House Committee on Government Reform illustrated that
agencies have a wide range of incidents involving loss or theft and
privacy breaches.\8\ The report further indicates that the loss of
personally identifiable information occurs governmentwide and is not
limited to the well-publicized incident at the Department of Veterans
Affairs (which involved information on about 26.5 million veterans and
active duty military personnel).
---------------------------------------------------------------------------
\8\ Committee on Government Reform, U.S. House of Representatives,
Staff Report: Agency Breaches Since January 1, 2003 (Washington, D.C.:
Oct. 13, 2006).
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Although agencies have noted many improvements in incident
reporting procedures, there are still inconsistencies in reporting at
various levels. For example, one agency reported no incidents to US-
CERT, although it reported more than 800 incidents internally and to
law enforcement authorities. Several IGs also noted specific weaknesses
in incident procedures such as components not reporting incidents
reliably, information being omitted from incident reports, and
reporting time requirements not being met. Without properly accounting
for and analyzing security problems and incidents, agencies risk losing
valuable information needed to prevent future exploits and understand
the nature and cost of threats directed at them.
DHS Is Acting to Implement GAO Recommendations on Strategic Analysis
and Warning, But More Actions Needed
Strategic analysis and warning is an essential element of assisting
agencies in addressing information security incidents. We have
previously reported that developing and enhancing a national cyber
analysis and warning capability is a key DHS cybersecurity
responsibility.\9\ Over the last several years, we have made
recommendations to DHS--as the nation's focal point for cyber critical
infrastructure protection--to develop a strategic analysis and warning
capability for addressing cyber attacks.\10\ Accordingly, we
recommended that responsible executive branch officials and agencies
establish a capability for strategic analysis of computer-based
threats, including developing a methodology, acquiring expertise, and
obtaining infrastructure data.
---------------------------------------------------------------------------
\9\ GAO, Critical Infrastructure Protection: Department of Homeland
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,
GAO-05-434 (Washington, D.C.: May 26, 2005).
\10\ GAO, Critical Infrastructure Protection: DHS Leadership Needed
to Enhance Cybersecurity, GAO-06-1087T (Washington, D.C.: Sept. 13,
2006).
---------------------------------------------------------------------------
DHS has taken steps towards addressing our recommendations. As we
reported in 2005, DHS established various initiatives to enhance its
analytical capabilities, including intelligence-sharing through US-CERT
and situational awareness tools through the US-CERT Einstein program at
selected federal agencies. The Einstein Program provides an automated
process for collecting, correlating, analyzing, and sharing computer
security information across the federal civilian government. Einstein
is currently deployed to nine federal agencies; US-CERT plans to deploy
Einstein to an additional 10 to 15 agencies in fiscal year 2008, with a
goal of deploying it to all cabinet level and critical independent
federal agencies. According to DHS officials, Einstein has greatly
reduced the time for the federal government to gather and share
critical data on computer security risks (from 5 to 7 days to 4 to 5
hours). Further, the officials stated that Einstein has the potential
to reduce data collection and information sharing to under 2 hours,
allowing for vast improvements in governmental cyber response and
recovery times. If properly implemented and expanded as planned, DHS's
efforts in this program could strengthen its cyber threat analysis and
warning capability. However, DHS has not yet fully implemented our
original recommendations, particularly in implementing such a
capability beyond the federal environment.
In summary, although agencies report increased compliance with
security program activities required by FISMA and federal policy,
serious weaknesses persist at federal agencies, and reported incidents
are rising. The weaknesses exist, in part, because agencies have not
fully implemented their information security programs. Until such
programs are fully implemented, agencies will be at increased risk of
exposure to cyber attacks. As agencies report record numbers of
incidents, inconsistencies in reporting persist. With continued
progress in addressing strategic analysis and warnings, DHS's US-CERT
can help agencies mitigate the risk associated with incidents.
Mr. Chairman, this concludes our statement. We would be happy to
answer any questions at this time.
Mr. Langevin. Thank you very much.
Mr. Reid?
STATEMENT OF DONALD REID, SENIOR COORDINATOR FOR SECURITY
INFRASTRUCTURE, BUREAU OF DIPLOMATIC SECURITY, U.S. DEPARTMENT
OF STATE
Mr. Reid. Thank you, Mr. Chairman, Congressman McCaul and
Congressman Etheridge. I am Donald Reid, the senior coordinator
for security infrastructure, Bureau of Diplomatic Security at
the Department of State. I am privileged to have this
opportunity to testify before the subcommittee about a cyber
intrusion we experienced at the department last spring.
Before discussing this intrusion in detail, I would like to
inform the subcommittee generally how the State Department has
structured its information technology assets to deal with cyber
threats. The chief information officer employs a strategic
layered approach to risk management of our information and
information assets. This security strategy, which we call
``defense in depth,'' provides the department multiple levels
of defense and protection through a matrix of operational,
technical and managerial security controls.
We focus on identifying and mitigating emerging threats
because of our overseas exposure. Our architecture includes
requisite perimeter security tools and devices, virus detection
and response capability, an effective patch management program,
network operations and traffic flow analysis, intrusion
detection and response capability, security configuration
controls, and compliance verification, to name a few.
At each of our domestic and overseas locations, we employ
U.S.-citizen information systems security officers. At 10
overseas locations, we also have highly trained cybersecurity
engineers. It is worth noting that the cybersecurity team at
State won the National Security Agency's prestigious Frank B.
Rowlett Award for its organizational excellence and information
assurance in 2005, a first for the State Department.
Now, let me provide you some details about our cyber
intrusion last year. In this open session, I will describe how
the department responded as a team with our community of
partners to a sophisticated attack, while taking care to avoid
those specifics that would make it easier to harm government
systems in the future.
In late May 2006, a socially engineered e-mail was sent to
an employee in the East Asia Pacific region. The e-mail
appeared to be legitimate and contained a Word document
attachment of a congressional speech on a topic germane to this
region of the world. Later analysis confirmed the attachment
contained exploit code hidden within a known Microsoft
application for which there was no readily available security
patch.
Once the recipient clicked on the attachment, the embedded
malicious code established backdoor communications outside the
department's network via a Trojan Horse. This external
communication was immediately detected by our 24/7 intrusion
detection system, and the department's computer incident
response team was activated.
The network operations staff was directed to block
communications to suspect external I.P.s and the information
system security officer at post was directed to move the
infected devices from the network. Additionally, we dispatched
an overseas cybersecurity engineer to the post, who then began
a detailed on-site analysis of the infected computers.
We also reported the malicious activity to the U.S. computer
readiness team at the Department of Homeland Security. As we
continued tracing the anomalous activity on our network, we
identified additional intrusions and compromises, both in
Washington and at other posts in the East Asia Pacific region.
Our cyber analysts tested and evaluated captured malicious code
and shared the results with trusted anti-virus vendors who
quickly developed appropriate signatures for detecting and
eradicating the malicious code.
Further analysis by our cybersecurity engineer at site and
our team in D.C. led to the discovery of a second unknown
vulnerability, this time in the operating system, for which no
security patch existed. Homeland Security played a critical
coordinating role with Microsoft, urging them to develop and
deploy a brand new patch as quickly as possible.
At this stage, the CIO directed the establishment of a task
force, a multi-bureau working group operating around the clock
from within the secretary's operations center. The task force
worked with staffs at post in their effort to mitigate the
system compromises, rebuild servers, re-set passwords, and
perform numerous other related tasks.
It should be noted that while the intruder's activities
greatly concerned us, they did not immediately attempt to steal
data. Once the network monitoring staff saw limited data being
exfiltrated, Internet connectivity throughout East Asia Pacific
region was immediately severed.
To develop an interim fix, we consulted with experts in
industry and government, and created a temporary wrapper that
would protect systems from being exploited further, but would
not fix the vulnerability. The task force prescribed a
remediation protocol restoring connectivity at the post that
included completely sanitizing infected computers and servers,
rebuilding them, changing all passwords, installing several
critical patches along with the temporary wrapper, and updating
anti-virus software.
The mandatory corrective actions were then confirmed via
remote scans from Washington and on-site verification by post.
By early July 2006, all posts were operating normally and we
have not experienced similar malicious activity in our
unclassified network since.
As I know you can appreciate, it is important to our
overall success to handle these intrusions quietly and
effectively, engaging a minimum number of players needed. We
were successful here until a newspaper article telegraphed what
we were dealing with. Still, we were able to fully inform the
department's oversight, intelligence and appropriations
committees of the significant details of the intrusion, while
at the same time the Department of Homeland Security continued
to engage Microsoft to deploy the needed patch.
Mr. Chairman, I want to thank you and the subcommittee
members for this opportunity, and I would be pleased to respond
to your questions.
[The statement of Mr. Reid follows:]
Prepared Statement of Donald R. Reid
Good afternoon Chairman Langevin, Congressman McCaul, and
distinguished Members of the Subcommittee:
I am Donald R. Reid, the Senior Coordinator for Security
Infrastructure, Bureau of Diplomatic Security at the Department of
State. I am privileged to have this opportunity to testify before the
Subcommittee about a cyber intrusion we experienced at the Department
last spring. My statement will concentrate on events surrounding this
targeted attack to the State Department's unclassified network in the
May to July 2006 timeframe, how and when we detected the intrusion, who
we notified and engaged to assist in defending our network, how we
mitigated the damage and what improvements we have made at the
Department to strengthen our cyber defenses.
Before discussing this intrusion in detail, I would like to inform
the Subcommittee generally how the State Department has structured its
information technology assets to deal with cyber threats. To meet the
Secretary's requirement for the confidentiality, integrity, and
availability of IT systems and networks in the conduct of diplomacy,
the Chief Information Officer employs a strategic, layered approach to
comprehensive risk management of our information and information
assets. This security strategy, which we call ``Defense in Depth,''
provides the Department multiple levels of defense and protection
through a matrix of operational, technical, and managerial security
controls. We focus on identifying and mitigating emerging threats
because of our overseas exposure.
At the direction of former Secretary of State Powell, and embraced
by Secretary Rice, the Department embarked on an aggressive program to
modernize its IT systems and networks ensuring that every employee had
Internet access. While Internet access can and has greatly facilitated
the conduct of diplomacy, it also brings inherent risks. Our
architecture includes requisite perimeter security tools and devices,
virus detection and response capability, an effective patch management
program, network operations and traffic flow analysis, intrusion
detection and response capability, security configuration controls and
compliance verification to name a few. Over our unclassified network,
we daily process about 750,000 e-mails and instant messages from our
more than 40,000 employees and contractors at 100 domestic and 260
overseas locations. Also, on a daily basis, we block 500,000 spam e-
mails, intercept 5,100 viruses and detect some 2,000,000 anomalous
external probes to our network. At each of our domestic and overseas
locations we employ U.S. citizen Information System Security Officers.
At 10 overseas locations, we also have highly trained cyber security
engineers.
It is worth noting that the cyber security team at State won the
National Security Agency's prestigious Frank B. Rowlett Award for its
organizational excellence in information assurance in 2005--a first for
the State Department. Additionally, a number of individual members have
won IT community-wide recognition for their contributions and
leadership. Now, let me provide you some details about our cyber
intrusion last year. In this open session, I will describe how the
Department responded as a team with our community of partners to a
sophisticated attack, while taking care to avoid those specifics that
would make it easier to harm government systems in the future.
In late May 2006, a socially-engineered e-mail was sent to an
employee in the East Asia Pacific region. The e-mail appeared to be
legitimate and was sent to an actual Department e-mail address. The e-
mail contained a Word document attachment of a Congressional speech on
a topic germane to this region of the world. Later analysis confirmed
the attachment contained exploit code hidden within a known Microsoft
application that took advantage of a vulnerability for which there was
no readily available patch. Once the recipient clicked on the
attachment the embedded malicious code established backdoor
communications outside of the Department's network via a Trojan Horse.
This external communication was immediately detected by our 24/7
intrusion detection system and the Department's Computer Incident
Response Team was activated.
At this point, without full knowledge of how the exploit worked and
not wanting to exacerbate the situation, network operations staff was
directed to block communications to suspect external IPs and the
information system security officer at post was directed to remove the
infected devices from the network. In fact, we dispatched an overseas
cyber security engineer to the post and began a detailed, on-site
analysis of the infected computers. We also reported the malicious
activity to US CERT at the Department of Homeland Security.
As we continued tracing the anomalous activity on our network, we
identified additional intrusions and compromises both in Washington and
other posts in the East Asia Pacific region. Our mitigation activity
was continued, and we maintained effective communication with US CERT.
As the State Department's cyber analysts tested and evaluated captured
malicious code, they shared their results with the greater Computer
Network Defense community as well as trusted anti-virus vendors. This
real-time information sharing practice resulted in the anti-virus
vendors quickly developing appropriate signatures for detecting and
eradicating the malicious code and they deployed their results
worldwide through their daily virus definition updates.
Meanwhile, critical analysis by our cyber security engineer at site
and our team in D.C. led to the discovery of a previously unknown
operating system vulnerability for which no security patch existed. The
Department of Homeland Security played a critical coordinating role
with Microsoft, urging them to develop and deploy a brand new patch as
quickly as possible. State also reached out to the FBI for assistance,
leveraging a well-established existing relationship.
At this stage, the CIO directed the establishment of a Task Force;
a multi-Bureau working group operating around the clock from within the
Secretary's operations center. The Task Force worked with staffs at
post in their efforts to mitigate the system compromises, rebuild
servers, reset passwords, and perform numerous other related tasks.
It should be noted that while the intruders' activities greatly concerned
us, they did not immediately attempt to steal data. Therefore, Task
Force members proposed a set of ``tripwires'' for disconnecting posts
from the Internet if the activity got more daring, especially if data
was being stolen. Once the network monitoring staff saw limited data
being exfiltrated, Internet connectivity throughout the East Asia
Pacific region was immediately severed.
When it became apparent Microsoft was unable to further expedite
testing and deployment of a new patch for the previously unknown
vulnerability, the Department was left to develop its own interim fix.
After consulting with experts in industry and government, the cyber
team developed a temporary ``wrapper'' that would protect systems from
being exploited further, but would not ``fix'' the vulnerability. The
Task Force prescribed a remediation protocol for restoring connectivity
for posts that included completely sanitizing infected computers and
servers and rebuilding them, changing all passwords, installing several
critical patches along with the temporary ``wrapper,'' and updating
anti-virus software. These mandatory corrective actions were then
confirmed via remote scans from Washington and on-site verification by
posts. By early July 2006, all posts were operating normally and we
have not experienced similar malicious activity in our unclassified
network since. Microsoft did deploy its patch for this exploit in
August 2006.
As I know you can appreciate, it is important to our overall
success to handle these intrusions quietly and effectively, engaging
the minimum number of players needed. We were successful here until a
newspaper article telegraphed what we were dealing with. Still, we were
able to fully inform the Department's oversight, intelligence and
appropriation committees of the significant details of this intrusion
while, at the same time, the Department of Homeland Security continued
to engage Microsoft to deploy the needed patch.
Mr. Chairman, I want to thank you and the Subcommittee members for
this opportunity. I would be pleased to respond to any of your
questions.
Mr. Langevin. You are welcome.
Mr. Jarrell?
STATEMENT OF DAVE JARRELL, MANAGER, CRITICAL INFRASTRUCTURE
PROTECTION PROGRAM, U.S. DEPARTMENT OF COMMERCE
Mr. Jarrell. Chairman Langevin, Ranking Member McCaul, and
distinguished members of the subcommittee, I am David Jarrell
and I represent the Department of Commerce.
I will focus my statement on how the Department of Commerce
works with our technology partners to ensure the security of
our systems. I will also highlight Commerce interaction with
the Department of Homeland Security US-CERT. And I will brief
you on the cyber incident that was discovered July 13, 2006,
affecting our Bureau of Industry and Security.
Commerce security personnel work hard to protect our
infrastructure and data. We exercise careful consideration in
selecting and implementing technology that allows us to carry
out our mission goals. With regard to protecting Commerce
infrastructure, we rely on the security technology that is
designed and tested by industry experts, and that adds value to
the overall security posture of Commerce I.T. systems.
Information technology and industry partners provide
support in the form of program and system patches. These
patches are critical when new or zero-day vulnerabilities are
identified. We also rely on the support of organizations like
US-CERT. Commerce, like other federal government agencies, is
notified by DHS US-CERT, the GFIRST, when new vulnerabilities
are identified and require our attention.
Commerce manages seven computer incident response teams
decentralized throughout the department, one of which supports
BIS. These seven teams form the Commerce federation of computer
incident response teams. To facilitate immediate notification,
each team is required to report directly to US-CERT for FISMA
and OMB guidance and the US-CERT concept of operations.
In regards to the BIS incident, on July 13, 2006, the BIS
deputy under secretary discovered that he was unable to log
onto his computer upon arrival to his office. During their
investigation, BIS staff found that one BIS-infected computer
attempted to access the deputy under secretary's account to no
avail. It was later found that the network account was in
lockout status because of the multiple unsuccessful log-in
attempts. This lockout status is an automated process
configured to prevent unauthorized access to BIS accounts.
Early during the investigation, Commerce notified US-CERT
of the incident. BIS staff worked with the Commerce computer
incident response team and our network operations staff and
discovered that several other computers were involved in the
incident. After being briefed on this new information, the
Commerce incident response team escalated the incident,
contacted US-CERT and requested on-site technical support.
As a result, two security engineers worked with Commerce to
collect forensics evidence of computer drives. Commerce also
provided virus-infected files to our anti-virus service
provider, who in turn provided files to detect infections on
BIS and other computers. Over the course of the investigation,
BIS network staff continued to monitor the incident. In total,
32 BIS and one non-BIS computer were found to be infected, all
of which were removed from the network and quarantined.
Throughout this process, a block list was imposed to filter
and prevent access to Web sites associated with the BIS
incident. These blocks and filters remain in place today.
Associated website addresses and infected file names were also
shared with US-CERT. BIS management took immediate action from
the time this incident was discovered. The interactive process
between BIS, our network operations staff, and our incident
response team enabled us to isolate infected computers.
We received timely and useful support from US-CERT, the
GFIRST, and our antivirus providers. We have no evidence to
believe that BIS data was taken as a result of this incident,
and we believe that all appropriate actions were taken.
Unfortunately, hackers and malicious code continually pose
threats to our computers and networks. The results are
sometimes unpredictable. That said, our I.T. security and
operations staff are ready to face the challenge.
Thank you for the opportunity to appear before the
subcommittee today. I am happy to answer any questions.
[The statement of Mr. Jarrell follows:]
Prepared Statement of David E. Jarrell
Chairman Langevin, Ranking Member McCaul, Chairman Thompson,
Ranking Member King, and distinguished members of the Subcommittee, I
appreciate the opportunity to address you on the state of cyber
security protecting the Department of Commerce (Commerce).
The Commerce Information Technology (IT) security program ensures
that adequate controls are in place to protect the confidentiality,
integrity, and availability of non-national security and national
security IT systems and the data they process, transmit, and store. To
fulfill the Department's requirements under the Federal Information
Security Management Act (FISMA) of 2002, the IT Security Program
establishes a framework of policies and procedures consistent with
government-wide laws and regulations, ensures systems are categorized
and assessed for risk of harm, conducts periodic monitoring of control
effectiveness, monitors tracking and completion of corrective actions,
and trains personnel with IT security responsibilities.
Commerce consists of 13 bureaus that support its mission goals and
objectives. This written testimony and my oral testimony will focus on
the cyber intrusion affecting the Department's Bureau of Industry and
Security (BIS), Commerce coordination with the Department of Homeland
Security (DHS), United States--Computer Emergency Readiness Team (US-
CERT), and the Department of State (State), and will offer a broad
perspective of the Commerce IT security program.
PREVENTIVE MEASURES & SECURITY POSTURING
Commerce and its bureaus work diligently to ensure a sound and
comprehensive IT security program. To that end, Commerce IT personnel
ensure compliance with Federal requirements such as the FISMA, Office
of Management and Budget (OMB) Circular A-130, Appendix III, Security
of Federal Automated Information Resources, Government Accountability
Office (GAO) guidance, as well as guidance issued for use within
Federal civilian government Departments and Agencies and throughout the
IT system development life cycle. That guidance comes in the form of
National Institute of Standards and Technology (NIST) Special
Publications. Other guidance considered when designing and deploying
operational IT systems is derived from industry services, capabilities,
and best practices.
IT systems designed to support the business needs of the Department
are typically managed within the program for which they will be
utilized. The systems are also reviewed by the Department's Chief
Information Officer (CIO) Council and/or Commerce IT Review Board
(CITRB) before funding and other resources are allocated to support the
system's development and integration into the Commerce infrastructure.
It is this scrutiny that senior IT staff use to determine if adequate
security planning and controls are integrated into the system
development life cycle (SDLC) and enterprise architecture. In addition,
other security measures are integrated into the design, implementation,
and operation of all IT systems within Commerce.
Commerce's enterprise architecture and IT Security Program Policy
and Minimum Implementation Standards require the integration of
security infrastructure for in-depth control, both at the perimeter and
within the program's infrastructure. Examples of the infrastructure
include the use of robust router and firewall technology, vulnerability
scans and penetration testing of IT systems, monitoring of firewall and
Intrusion Detection and Prevention System logs, email filtering, spam
filters, anti-virus software, and intrusion detection and prevention
systems.
A management control implemented throughout Commerce includes user
awareness training programs, an important aspect of the Department's
first line of defense. IT security awareness consists of reminders that
focus the user's attention on the concept of IT security in the user's
daily routine. Awareness provides a general cognizance or mindfulness
of one's actions, and the consequences of those actions. Awareness
activities provide the means to highlight when a significant change in
the IT security program policy or procedures occurs, when an incident
occurs, or when a weakness in a security control is found. IT security
training develops skills and knowledge such that computer users can
perform their jobs more securely, and develop relevant and necessary
security skills and competencies in those who access or manage Commerce
information and resources. Commerce system users are required to take
computer security training on an annual basis, and all new employees/
contractors to Commerce are provided training during in-processing
prior to being issued a user login. In addition, IT administrators are
required to take additional training courses each year that directly
apply to their work-related activities. We are currently assessing the
option of using an Information System Security Line of Business Shared
Service Center as a general security awareness training provider. This
initiative is an E-Government Line of Business, managed by the
Department of Homeland Security, intending to make the Government-wide
IT security processes more efficient.
In addition to intra-departmental controls and counter measures,
the Department ensures that key personnel remain fully aware of U.S.
Government-wide initiatives and programs that affect the operation or
security of its IT systems. Commerce supports U.S. Government security
response and planning committees to include the National Cyber Response
Coordination Group (NCRCG), the Critical Infrastructure Protection
Policy Coordination Committee (CIP PCC), and the National
Communications System (NCS) Committee of Principals and Representatives
(COP/COR).
COMMERCE FEDERATION OF COMPUTER INCIDENT RESPONSE TEAM
For each bureau operating within Commerce, there are established
Computer Incident Response Teams (CIRTs) that provide incident response
for their respective bureau. Of the 13 bureaus operating within
Commerce, there are six bureaus that enable their own cyber incident
response programs through the use of bureau resources, including
technical staff and technology. The remaining Commerce bureaus receive
cyber incident response support from the centrally managed Department
of Commerce Computer Incident Response Team (DOC CIRT). The DOC CIRT
continually strives to reduce incident response time and increase
effectiveness.
To support this decentralized computer incident response
capability, Commerce also manages a Federation of Computer Incident
Response Teams--where all CIRTs within the Department are represented.
This intra-Departmental forum allows all Commerce CIRTs to share
information on a particular incident, discuss technology and security
countermeasures, and leverage Department-wide resources in the event of
a large-scale attack.
Incident reports are filed directly to the DHS US-CERT in all
incidents involving Department IT resources, per FISMA, other OMB
guidance, and DHS US-CERT Concept of Operations (CONOPS).
On a more global level, the DHS coordinates and manages the
Government Forum of Incident Response and Security Teams (GFIRST).
GFIRST is a group of technical and tactical practitioners of security
response teams responsible for securing government IT systems, of which
the Commerce Federation of Computer Incident Response Teams maintains
membership and active participation. GFIRST members work together to
understand and handle computer security incidents and to encourage
proactive and preventative security practices. Through participation in
the GFIRST, Commerce IT security professionals receive technical
information, tools, methods, assistance and guidance on cyber issues,
share specific technical details regarding incidents within a trusted
U.S. government environment on a peer-to-peer level, and improve
incident response operations.
Initial BIS Incident Response and Reporting
Following the Department's guidance on reporting cyber incidents,
BIS worked with the Network Operations Center (NOC), and the DOC CIRT
to investigate suspicious behavior on BIS logical segment of the
Commerce network, and its workstations. After the BIS and Commerce NOC
staff confirmed that three workstations exhibited suspicious behavior
and removed them from the network, BIS formally reported to the DOC
CIRT that a breach of security occurred. As a result of this
notification, the DOC CIRT notified the Director, IT Security,
Infrastructure and Technology, the CIO, and the Network Operations
Center (NOC), which manages the infrastructure and ``backbone''
network on which BIS Internet traffic traverses. The DOC CIRT also
notified the US-CERT and the Department's Office of the Inspector
General (OIG).
The BIS cyber incident was discovered when the BIS Deputy Under
Secretary discovered that he was unable to log into his computer upon
arrival to his office on July 13, 2006, at 8:23 a.m. He immediately
notified his CIO and security team, which determined that his network
account was in lock-out status because three unsuccessful attempts were
made to log into his account. This event was initially handled
internally within BIS until such time that system staff determined it
to be more significant and a reportable incident. Once determined to be
an incident, as defined by Commerce policy, it was reported to the DOC
CIRT.
A timeline of events was created in support of the BIS incident
from a BIS, DOC CIRT, and NOC perspective:
July 13, 2006
The user arrived at work and attempted to log
into his computer, but discovered that the BIS system
``auto-locked'' his account, because failed login
attempt thresholds of three attempts were reached. This
prevented the user's ability to login at 8:23 a.m.
The user prompted the BIS internal Help Desk
and computer security team to begin an investigation of
the event.
The BIS technical staff discovered that the
cause of the account lock-out was because a BIS
computer attempted to access another BIS computer
resource. The computer in question also attempted to
execute automated processes to access two IP addresses
after business hours when the authorized user of that
machine was not in the office.
Examination of the installed anti-virus client
logs revealed detected and deleted programs installed
on the workstation. These auto-delete actions initiated
by the anti-virus client occurred at approximately the
same time that the BIS user's account was locked-out.
The BIS technical team contacted the Commerce
NOC and requested analysis of firewall logs for the
previous night's IP traffic. During this stage of the
investigation, the NOC found two additional BIS
computers attempting to contact one of the questionable
IP addresses.
All three infected BIS computers were removed
from the network, powered down, and quarantined.
The BIS CIO contacted the Commerce CIO to
brief him of the situation and circumstances
surrounding the event, and to advise that a CIRT report
was being written based on the information gathered
during the day and evening, and would be filed
consistent with Department procedures.
July 14, 2006
BIS formally filed the incident report with
DOC CIRT that identified three of its machines
operating on the BIS local area network at 11:51 a.m.
The DOC CIRT captured forensic images of the
infected computers. The DOC CIRT determined the cause
of the user account lock-out was likely due to the use
of the ``net'' command, which is used in Windows
networked environments to connect to other network
resources.
The DOC CIRT reported the BIS incident to the
US-CERT at 11:55 a.m.
July 19, 2006
The Commerce OIG was notified of the BIS
incident at 3:15 p.m. by the Commerce Critical
Infrastructure Protection (CIP) Manager.
July 20, 2006
The DOC CIRT requested assistance from McAfee,
the company that provides Commerce anti-virus software,
to analyze and provide support to identify suspicious
files and to create new definition files for detection.
July 21, 2006
The DOC CIRT submitted follow-up reports to
the US-CERT with investigation status updates, and
requested on-site technical assistance from the US-CERT
at 11:48 a.m.
The CIP Manager advised the Department's
Federation of Computer Incident Response Team of the
BIS incident, and provided the ``block list'' of IP
addresses identified as malicious or suspicious, as
well as a list of malicious file names to be monitored.
July 22, 2006
DOC CIRT received a definition file from
McAfee which included unique signatures to detect the
malicious files identified by the DOC CIRT on July 20,
2006.
July 25, 2006
The US-CERT provided on-site support to the
DOC CIRT.
The US-CERT provided the DOC CIRT with updates
on their initial findings based on forensic image
analysis.
The DOC CIRT requested additional assistance
from McAfee to analyze and provide support to identify
additional suspicious files and to create new
definition files for detection.
July 25, 2006
The Department of Commerce IT staff, including
the DOC CIRT, continued to monitor ``block list'' IP
addresses to ensure that unwanted and unauthorized
access did not occur.
July 26, 2006
DOC CIRT received definition file from McAfee
with unique signatures to detect the malicious files
identified by the DOC CIRT on July 25, 2006.
Throughout the course of the BIS incident investigation, blocking
policies of malicious and suspicious IP addresses were imposed by the
DOC CIRT, BIS technical staff, and the NOC. In addition, DOC firewall
administrators and BIS technical staff reviewed archive firewall logs
in an attempt to identify any previous activity fitting the
characteristics of the incident. All blocks remain in place today.
In summary, Commerce and BIS became aware of the break-in to BIS
computers on July 13, 2006, which was determined not to be the date of
the initial infection. The firewall logs were restored from the date
the incident was discovered and the preceding eight months. The DOC
CIRT, BIS technical staff, and the NOC reviewed and attempted to
identify the initial date of the computer system compromise, to no
avail. While firewall logs were reviewed for the preceding eight months
prior to detecting the BIS incident, Commerce cannot clearly define the
amount of time the perpetrators were inside its BIS computers before
their presence was discovered. BIS has no evidence to show that data
was lost as a result of this incident.
TRACKING AND CONTAINING THE OUTBREAK
An on-going challenge faced by the Department is the ability to
differentiate between real and false-positive cyber security events,
given the volume of system logs and information collected that must be
reviewed to determine which activities are actionable.
BIS management took immediate action from the time the cyber
security ``event'' was identified. Upon the determination that it was
an ``incident,'' BIS followed Commerce incident protocol and alerted
the DOC CIRT, the NOC, and the Commerce CIP Manager. BIS management,
along with others within the Department, quickly established that their
initial discovery of one user account locked-out due to existing policy
settings included three infected computers that attempted to establish
connections with two suspicious IP addresses.
As discussed in the Initial BIS Incident Response and Reporting
section of this report, the incident was escalated when it was
discovered that more than one computer was involved. By July 24, 2006,
it was discovered that ten computers attempted to establish connections
to six suspicious IP addresses. By August 18, 2006, through continued
and aggressive monitoring by BIS, the Department's IT staff, and
support from the DHS US-CERT, it was discovered that a total of 32 BIS
computers and one non-BIS computer attempted access to eleven
suspicious IP addresses, as detected by monitoring logs from the
Department's firewalls. It was later found that all computers showed
signs of infection.
Several of these victim computers were detected by the custom
Intrusion Detection Systems (IDS) signatures put into place as part of
the Commerce initial response. Of these custom signatures, several
indicators were supplied by the US-CERT to create custom IDS
signatures. In one notable case, a victim computer triggered a custom
signature, and was immediately isolated according to the improved
incident response procedures. Upon further examination, it appeared
that the victim was in the process of preparing files for exfiltration,
but stopped as a result of controls put in place to isolate the
incident. Hence the initial actions taken by Commerce, BIS, DHS, and
the US-CERT were demonstrably effective in containing the damage from
the incident. Of the 330 Commerce systems that require certification
and accreditation in accordance with FISMA, only two systems were
affected by this incident.
FISMA and certification and accreditation (C&A) compliance offer IT
management useful tools to ensure that adequate controls are
considered, implemented, and tested throughout the system's life cycle.
BIS did have a FISMA C&A package for its system which was reviewed by
the Commerce CIO's office at the time of the incident--the security
incident could have occurred regardless of FISMA and C&A status because
the incident method of attack uses Internet access to exploit un-
patched zero-day-attack vulnerabilities, irrespective of the commercial
computer security and network monitoring tools and standard prescribed
Security Test & Evaluation (ST&E) penetration testing. This is a key
point related to the BIS response, specifically the decision to
segregate Internet access. It is also important to note that BIS has no
evidence to indicate that BIS data has been exfiltrated or compromised.
EFFECTING CHANGE ON COMMERCE AND BIS SYSTEMS
BIS implemented host-based measures that revealed other victim
computers. Additional victim computers were discovered using host-based
measures identifying Trojans found dormant on the BIS logical segment
of the Commerce network before they became active. Processes developed
by BIS to discover and stop unauthorized activity on their network
proved extremely successful.
BIS established controls to detect and flag any computer infected
with variants of those files causing compromise to the BIS logical
segment of the Commerce network. As a result, the DOC CIRT and the NOC
were able to identify those computers infected by the same outbreak
traits, which included 33 computers. The Department was able to
identify and quarantine the infected 33 computers through effective
collaboration between Commerce and BIS IT staff involved in the
incident, the ``block list'' of prohibited IP addresses and sites, and
other controls to stop unwanted system activity (e.g., systems
downloading malicious files, systems access to malicious/suspicious
sites outside the control of Commerce and BIS). Only one of the 33
infected computers was outside the control of BIS.
To ensure that the infection did not spread to other Commerce
bureau computer systems, file names of the infected files and
associated suspicious IP addresses were shared among the Department's
Federation of Computer Incident Response Teams. After review and
analysis of all system logs, no other infections or infestations were
evident. In addition, all infected computer drives were quarantined
from use. After sample forensic images were captured for investigative
purposes, all drives were boxed and have been removed, and secured
under lock and key. No data was restored from backup tape as a result
of the BIS incident.
As a precautionary measure, BIS executive management required the
implementation of emergency change provisions to the change management
process. The change involved adding supplemental rules that created
additional Virtual Local Area Networks (VLANs) assigned to BIS to
segregate Internet, office automation, and export control system
access, and to deny all other access for BIS VLANs. When the incident
occurred, a policy was invoked to impose more stringent limits on all
access to or from BIS systems, (e.g., other BIS remote sites, patch
management, virus definition updates).
Custom IDS signatures capable of detecting infected files causing
impact on BIS computers have remained active since the discovery of the
first infected computer. These IDS safeguards, coupled with
augmentation of a newly implemented Intrusion Prevention System (IPS)
that monitors data streams to block and/or drop traffic based on
behavior for egress and ingress to the network, were instrumental in
containing the damage. There is a high probability that existing
backdoors, if any, to the network will be detected. In addition to
safeguards put in place, BIS has added supplemental assurance by
segmenting use of their logical network to ensure that computers which
were connected to the BIS logical segment of the Commerce network
during the attack no longer have access to the Internet--effectively
segmenting computers used for BIS business processes from any Internet
access. BIS has also put other high assurance safeguards in
place to sustain continued and reliable operation. It is impossible
to say with certainty that 100% of the infestation is eradicated from
the network, but with active monitoring tools in place and an attentive
IT team, there is a high probability of detection.
The DOC CIRT conducts quarterly vulnerability assessments on all
devices residing on the Herbert C. Hoover Building Network (HCHBNet),
which includes the BIS logical segment of the DOC network. These scans
involve all devices where an IP address is assigned (e.g., server class
machines, desktop computers, appliances, printers, voice phones).
Internet facing systems staged on the HCHBNet Demilitarized Zone (DMZ)
are also part of the quarterly vulnerability assessments. In addition
to quarterly vulnerability assessments, the DOC CIRT conducts
vulnerability assessments for bureaus as requested to support
certification and accreditation enhancements when newly approved
systems and/or network devices are ready for network integration. On
average, there are approximately 14,000 checks for potential
vulnerabilities factored into each assessment. Results of each
assessment are shared with the bureau CIO and IT Security Officer for
action. The last two quarterly scans were conducted on December 18,
2006, and again on April 13, 2007.
In supporting FISMA-required certification and accreditations, the
Department spends on average between $20K and $250K for Commerce IT
systems depending on the size, complexity and significance. There are a
total of 330 IT systems in the Department's IT inventory.
Approximations are provided since legacy systems are sometimes retired
from production while new systems are introduced. Results of each
system certification and accreditation security testing exercise yield
extremely valuable information to the authorizing official who is
ultimately responsible for the security of their system(s). Used as an
education and program enhancement tool, these results yield valuable
information pertaining to the system's overall security posture. An itemized
inventory of vulnerabilities is generated during security testing that
allows the system owner to methodically address as either ``quick fix''
items that can be readily resolved, or as mid- to long range items
requiring supplemental resources. Long-term action items are
inventoried in the system's Plan of Action and Milestones (POA&M).
Security testing is applied to each system as part of the System
Development Life Cycle, which ensures that adequate security controls,
monitoring, and logging capabilities exist, and that the overall
implementation of new technology does not weaken existing security. In
addition, introduction of any change is tested in a lab setting prior
to being brought before the Change Control Board (CCB) for
consideration, and before final integration into the production
environment is allowed.
Situational Awareness Briefings
Situational awareness briefings are a tool used by the Commerce
CIO to allow staff to receive status updates on various issues
pertaining to cyber security and incident response situations occurring
within Commerce. Such situational cyber security awareness briefings
come in two forms: proactive and incident response briefings.
Proactive situational awareness briefings are typically scheduled
for senior and technical IT professionals on a recurring basis so that
they can remain apprised of cyber threats and alerts, industry
recommendations, product and vendor services and capabilities, and
other variables. In the realm of cyber threats and alerts, Commerce
managers are informed of newly released notifications published by the
DHS/US-CERT and other ``watch dog'' organizations that monitor and
provide status on cyber-related threats and trends. As a form of
proactive briefings, the CIO coordinated briefings from the DHS/US-
CERT, and the Department of Defense (DoD) Joint Task Force-Global
Network Operations (JTF-GNO). These briefings allowed Commerce managers
to better understand the range and magnitude of cyber-related events on
a global scale and the specific impacts against U.S. government managed
IT systems. In all cases, Commerce IT managers have found value in the
information provided by DHS/US-CERT, and DoD JTF-GNO.
Incident Response briefings are designed to inform those charged
with the management and control of IT systems and resources of a
particular incident and its operational impact on an affected system,
its data, and the security of the system. After the BIS incident was
discovered and initial response and reporting requirements were
satisfied, several meetings were scheduled for the Department's senior
management so that they might better understand the cyber threats faced
today. To support this initiative, several briefings were scheduled
that brought together Commerce senior management, the Commerce IT
Security Director, the Department of Homeland Security, US-CERT
management, and DoD JTF-GNO. As a supplemental effort to learn more
about incidents involving U.S. Government systems, a briefing was
scheduled between Commerce and BIS IT managers, and those charged with
securing the State IT systems, where a ``lessons learned'' discussion
engaged all parties.
Information Technology Security Enhancements
Monitoring and improving the state of IT security infrastructure
capabilities remains a priority for the Commerce CIO. Improvements come
in the form of newly released technology and upgrades to the
Department's existing infrastructure. Patch management for systems and
appliances is updated routinely and coordinated through a formalized
CCB. These changes are introduced into a test lab environment where
changes and new technology can be evaluated before they are placed in a
``production'' environment.
To supplement the existing IPS running in IDS mode, the Department
has integrated a full scale IPS to achieve active protection at the
firewall. This newer technology allows the capture and analysis of both
ingress and egress traffic across the network in the event of a cyber
security incident. A second, more powerful log server for faster
analysis and redundant storage was procured with log analysis software
to speed and refine the analysis of firewall and other system logs. In
addition, firewall upgrades were enabled to allow deep application
inspection of traffic, and firewall log storage was increased to allow
more data storage captured from the device(s).
Minimizing cyber security incident response time is a goal that the
entire Federation of Computer Incident Response Team strives to
improve. Changes were recently made that enable the DOC CIRT to gain
direct read access to firewall logs, without intervention by the
firewall administrators or other third parties, thus improving incident
response time.
Commerce will play an active role in the Cyber Storm 2007. Cyber
Storm is the U.S. DHS National Cyber Security Division (NCSD) national
cyber exercise. The exercise is a unique government-led, full-scale,
cyber security exercise supporting Homeland Security Presidential
Directive 7. Commerce also participated in the first Cyber Storm 2006
exercise coordinated by DHS/NCSD.
Commerce is also working with DHS program managers to explore the
integration of Project Einstein into Commerce managed systems. The US-
CERT Einstein Program is an initiative that builds cyber-related
situational awareness across the Federal government. The program
monitors government agencies' networks to facilitate the identification
and response to cyber threats and attacks, improves network security,
and increases the resiliency of critical electronically delivered
government services. Einstein leverages IT so that the US-CERT can
automate the sharing of critical information across the entire Federal
government. Enhanced data sharing between Federal government agencies
and the US-CERT provides an advanced cyber view and analysis of the
Federal government's critical cyber networks.
In 2008 the Department has budgeted $120 million for IT security.
This funding is estimated by the 13 bureaus operating with Commerce for
a variety of IT security related tasks, including security awareness
and training, system certification and accreditation, IT security
operations improvements, existing security program maintenance,
contingency of operations and disaster recovery planning, and other IT
security related initiatives.
Thank you for the opportunity to appear before this Subcommittee
today, and I would be happy to answer any questions you may have at
this time.
Mr. Langevin. Mr. Dixon?
STATEMENT OF JERRY DIXON, DIRECTOR, NATIONAL CYBER SECURITY
DIVISION, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Dixon. Chairman Langevin, Ranking Member McCaul and
members of the subcommittee, I appreciate the opportunity to
address you on the National Cyber Security Division's role in
detection of and response to cyber intrusions of federal
computer networks. The NCSD is a component of the Office of
Cybersecurity and Communications within the recently
established National Protection of Programs Directorate of the
Department of Homeland Security.
The very topic of this hearing on the need to coordinate
and respond to cybersecurity incidents across the federal
government is among Secretary Chertoff's highest priorities.
The National Cyber Security Division's mandate includes
analysis, watch and warning, information sharing, vulnerability
reduction, aiding national recovery efforts, including working
collaboratively with the public and private sectors to enhance
the security of America's cyber networks and information
systems.
DHS works across its component entities to address
cybersecurity in a cohesive manner, as well as with our federal
partners across the departments and agencies. DHS and NCSD
serves as the focal point for helping government, industry and
the public work together to achieve the appropriate responses
to cyber threats and vulnerabilities.
The NCSD's operational arm for cybersecurity is the United
States Computer Emergency Readiness Team. This team provides
around-the-clock monitoring of cyber infrastructure and
coordinates the dissemination of information to key
constituencies, including all levels of government and industry
through its national cyber alert system.
Furthermore, FISMA and OMB policy requires all federal
agencies to notify US-CERT of any data breaches, unauthorized
access, or suspicious activity, including the loss of
personally identifiable information. The US-CERT played a
pivotal role in response efforts to the recent incidents at the
Department of Commerce and the Department of State. Both
incidents highlight that the threat to government systems has
shifted from opportunistic hacking to targeted cyber attacks.
These cyber attacks are sophisticated and have often led to
the discovery of new vulnerabilities and applications in
operating systems. As a result of these vulnerabilities, US-CERT
works closely with those vendors whose products are
affected to collaborate on fixes and mitigation strategies,
which are communicated to our partners within government and
industry via the national cyber alert system.
To accomplish our operational mission, US-CERT focuses on
enhancing situational awareness, increasing collaboration
across operational security teams, assisting with prevention or
rapid containment of malicious cyber attacks, and providing for
interagency coordination during a cyber event. To further
enhance our incident response activities, we have members from
the FBI, the United States Secret Service, and other agency
liaisons that help facilitate rapid response and increase our
situational awareness.
Now, to focus on the recent incidents that affected the
Departments of State and Commerce. Both departments notified
the US-CERT in compliance with OMB guidance, FISMA, and the US-
CERT concept of operations within the required timeframes. In
the Department of State incident, which involved a newly
identified Microsoft zero-day vulnerability, the US-CERT
immediately engaged to assist with the response efforts as soon
as the report was received. In collaboration with the
Department of State, US-CERT coordinated with federal agencies
throughout the incident response and recovery phase.
At the same time, US-CERT coordinated daily with the
Microsoft security response center for vulnerability
management, patch remediation, and public disclosure
coordination. Additional technical analysis revealed this
vulnerability to be more dangerous and pervasive across all
Microsoft operating system platforms.
Just prior to the public release of the Microsoft security
bulletin, the US-CERT and Microsoft conducted a series of
briefings with federal, state and local operational security
teams, chief information officers, chief information security
officers, and critical infrastructure sectors. Following these
briefings, the US-CERT and Microsoft jointly released public
notification related to the vulnerability and the availability
of a security patch.
In the incident involving the Department of Commerce, the
US-CERT was notified by the Department of Commerce's
operational security team. During this response effort, the US-
CERT provided on-site assistance to the Department of Commerce
CIRT. This enabled on-site collaboration and a rapid analysis
of the event so it could be quickly contained and remediated.
The NCSD continues to conduct outreach to federal agencies
to raise cybersecurity awareness with operational security
teams and senior officials through its government forum of
incident response teams known as GFIRST. Moreover, the NCSD
continues to work with our federal and private-sector
stakeholders to identify vulnerabilities and quickly identify
suspicious activity by enhancing bi-directional information
sharing.
The NCSD also continues to provide cybersecurity training
to further increase the number of cyber incident responders to
enable agencies to quickly identify and contain emerging cyber
attacks. While significant progress has been made to enhance
the network security of federal departments and agencies, more
can and will be done.
Thank you for the opportunity to appear before this
subcommittee today. I would be happy to answer any questions
you may have at this time.
[The statement of Mr. Dixon follows:]
Prepared Statement of Jerry Dixon
Chairman Langevin, Ranking Member McCaul and Members of the
Subcommittee, I appreciate the opportunity to address you on the
National Cyber Security Division's (NCSD) role in detection of and
response to intrusions of Federal computer networks. The NCSD is a
component of the Office of Cyber Security and Communications (CS&C)
within the recently established National Protection and Programs
Directorate (NPPD) of the Department of Homeland Security. Assistant
Secretary for Cyber Security and Communications Gregory Garcia is
responsible for the overarching mission of CS&C to prepare for and
respond to incidents that could degrade or overwhelm the operation of
our Nation's IT and communications infrastructure. This mission is part
of a larger strategy to ensure the security, integrity, reliability,
and availability of our information and communications networks.
Indeed, the very topic of this hearing – that is, the need to
coordinate better cyber security practices across the Federal
government – is among Secretary Chertoff's highest priorities.
The NCSD was created in June 2003 to serve as a national focal
point for cyber security and to coordinate implementation of the
National Strategy to Secure Cyberspace (``the Strategy'') issued by
President Bush in February 2003. The Strategy outlines a national
framework of priorities, which are reflected in NCSD programs, to
promote cyber security and public-private partnerships. The NCSD's
mandate includes analysis, watch and warning, information sharing,
vulnerability reduction, aiding national recovery efforts for critical
infrastructure information systems, and working collaboratively with
the public and private sectors to secure America's cyber networks,
systems, and assets. DHS works across its component entities to address
cyber security in a cohesive manner, as well as with our Federal
partners across the departments and agencies.
The NCSD's watch and warning mechanism for cyber infrastructure is
the United States-Computer Emergency Readiness Team (US-CERT). This
team provides around-the-clock monitoring of cyber infrastructure and
coordinates the dissemination of information to key constituencies
including all levels of government and industry. DHS and NCSD/US-CERT
serve as the focal point for helping government, industry, and the
public work together to achieve the appropriate responses to cyber
threats and vulnerabilities.
A key area of focus for NCSD/US-CERT is our work with the Federal
departments and agencies.
Programs and Initiatives
The NCSD/US-CERT has a number of programs and initiatives to
accomplish our operational mission of coordinating improvements in the
security and management of the Federal Government's information systems
and networks. These programs focus on enhancing situational awareness,
increasing collaboration across Federal operational security teams,
preventing or quickly containing cyber incidents, and providing for
inter-agency coordination during a cyber event.
The NCSD manages the Einstein program, which supports Federal
agencies' efforts to protect their computer networks. Einstein provides
the first situational awareness picture of the Federal Government's
Internet facing networks. It enables the rapid detection of cyber
attacks affecting agencies and provides Federal agencies with early
incident detection. Einstein is currently deployed at ten Federal
agencies with a goal to deploy it to all Cabinet level and critical
independent Federal agencies.
Einstein has greatly reduced the time for the Federal Government to
gather and share critical data on computer security risks from days to
hours.
Another major program is the Information Systems Security Line of
Business (ISS LOB). The NCSD was designated by OMB as the managing
agency for the ISS LOB, which is part of the President's Management
Agenda. The ISS LOB allows all Federal departments and agencies to
benefit from improved levels of cyber security, reduced costs,
elimination of duplicative efforts, and improved quality of service and
expertise. The program addresses four information security areas that
are common across the Federal Government: Security Training, Federal
Information Security Management Act (FISMA) Reporting, Emerging
Security Solutions for the Lifecycle, and Situational Awareness and
Incident Response.
Additionally, CS&C's mission is enhanced through the continued
development of the National Response Plan (NRP). The NRP provides the
structure and mechanisms for Federal support to State, local, and
tribal incident managers. In coordination with other Federal agencies,
CS&C has been working to provide mechanisms for improving national-
level response to Information Technology and Communications incidents.
The Cyber Incident Annex to the NRP provides a framework for addressing
a cyber event which requires a federally coordinated response, and it
formalizes the National Cyber Response Coordination Group (NCRCG) as
the principal Federal interagency mechanism to coordinate preparation
for and response to a national-level cyber incident. The NCRCG, co-
chaired by DHS, Department of Defense, and Department of Justice,
coordinates recommendations and facilitates direct actions to obtain
the necessary interagency support to respond to major cyber incidents.
Through the NCSD exercise program, we regularly test our plans and
procedures. In February 2006 we held the first national cyber exercise,
``Cyber Storm,'' to examine various aspects of our operational mission.
This included the activation of the NCRCG and working with other
Federal agencies on cyber security response to address the exercise
scenarios. Lessons learned and after action items from that effort
continue to be addressed by NCSD and other participants. Progress made
to improve response processes and procedures since Cyber Storm, as well
as other regional exercises that we sponsor, will be measured in Cyber
Storm II, which is scheduled for March 2008.
We also worked collaboratively with the Air Force, the National
Institute of Standards and Technology (NIST), the Defense Information
Systems Agency, the National Security Agency, and Microsoft to
establish common security configurations for Windows XP and VISTA.
Common security configurations provide a baseline level of security,
reduce risk from security threats and vulnerabilities, and save time
and resources. This allows agencies to improve system performance,
decrease operating costs, and ensure public confidence in the
confidentiality, integrity, and availability of government information.
The configurations can be found on our website and we are working with
NIST to help agencies adopt them.
Finally, the US-CERT Operations Incident Handling Center provides a
24 hour a day, seven day a week watch center that conducts daily
analysis and situational monitoring. The Center identifies trends and
provides information on incidents and other events, as they are
detected and unfold, to increase situational awareness and
understanding of the current operating environment. FISMA policy
requires all Federal agencies to notify US-CERT of any data breaches,
unauthorized access, or suspicious activity, including the loss of
personally identifiable information (PII).
Recent Response Efforts
The NCSD/US-CERT played a pivotal role in response efforts to the
recent incidents at the Department of Commerce (DOC) and the Department
of State (DOS). Both incidents highlight that the threat to government
systems has shifted from opportunistic hacking to targeted cyber
attacks. These cyber attacks are sophisticated and have often led to
the discovery of new vulnerabilities in applications or operating
systems. As a result of these vulnerabilities, NCSD/US-CERT works
closely with those vendors whose products are affected to collaborate
on fixes and mitigation strategies, which are communicated to our
partners within government and industry via the National Cyber Alert
System. These incidents highlight the need for enhanced rapid
situational awareness across the Federal Government. In addition, the
Einstein early watch and warning system has been implemented at the DOS
and groundwork is being laid to implement Einstein at the DOC in the
near future.
In both incidents, the affected Departments notified the US-CERT in
compliance with OMB guidance, FISMA, and the US-CERT Concept of
Operations (CONOPS) within the required timeframes. While the details
of these incidents should be provided by DOS and DOC, I will discuss
the effective coordination processes that were utilized to respond to
these incidents. We would be happy to provide the Committee with a more
detailed briefing in the appropriate setting at a later date.
In the DOS incident, which involved a newly identified Microsoft
``zero-day'' vulnerability, the US-CERT immediately engaged to assist
with response efforts as soon as the report was received. In
collaboration, the DOS and US-CERT coordinated with the National
Operations Center (NOC), and other Federal agencies throughout the
incident response and recovery phase. At the same time, US-CERT
coordinated daily with the Microsoft Security Response Center for
vulnerability management, patch remediation and public disclosure
coordination.
Additional technical analysis revealed this vulnerability to be
more dangerous and pervasive across all Microsoft operating system
platforms. Just prior to the public release of the Microsoft Security
Bulletin (MS06-040), the US-CERT and Microsoft conducted a series of
briefings with Federal and State operational Incident Response and
Security Teams, Chief Information Officers, Chief Information Security
Officers, and critical infrastructure sectors via the Sector
Coordinating Committees (SCC) and designated Information Sharing and
Analysis Centers (ISAC).
Following these briefings, the US-CERT and Microsoft jointly
released public notifications related to the new vulnerability and the
availability of a security patch. The US-CERT released a public
Technical Cyber Security Alert via the National Cyber Alert System.
Additionally, we disseminated a Federal Information Notice to the
Federal community, and a Critical Infrastructure Information Notice to
the critical infrastructure SCCs and ISACs.
Because of the significant risk posed by this vulnerability, DHS
released its first ever press release focused on cyber security
recommending that all users of the Microsoft Windows Operating Systems
apply the security patch as quickly as possible. This public press
release, along with the significant volume of media coverage and
attention it garnered, led to a highly successful rollout of a security
patch. Also the US-CERT continued to monitor the Federal Government's
patch status and reported those results on a weekly basis until all
agencies reported they had completed their patch deployments.
In the incident involving the DOC, the US-CERT was notified by the
DOC's Office of the Chief Information Officer and Cyber Incident
Response Team (CIRT) in accordance with OMB guidance, FISMA, and the
US-CERT CONOPS. During this response effort, the US-CERT provided on-
site assistance at the request of DOC CIRT. This enabled on-site
collaboration and rapid analysis of the event so it could be quickly
contained and remediated. In addition, they coordinated their
activities with the NOC and other Federal agencies throughout the
incident response and recovery phase. As a result of this incident the
DOC has expanded their response capability to an around-the-clock
operation which should greatly aid in their future incident detection
and response efforts.
The NCSD continues to conduct outreach to Federal agencies to raise
cyber security awareness with operational security teams and senior
officials through its Government Forum of Incident Response and
Security Teams (GFIRST). Moreover, the NCSD continues to work with our
Federal and private sector stakeholders to identify vulnerabilities and
quickly identify suspicious activity by enhancing bi-directional
information sharing. The NCSD also continues to provide cyber security
training to further increase the number of cyber incident responders to
enable agencies to quickly identify and contain emerging cyber attacks.
While significant progress has been made to enhance the network
security of Federal departments and agencies, more can and will be
done. Based on our ongoing programs and initiatives, the NCSD and its
US-CERT are poised to continue to work towards achieving greater
overall cyber security with our Federal, State, local, tribal,
international, and private sector partners. It is clear from our work
to date and the continuing evolution of information technology in our
society that additional advancements will be required to mitigate the
growing cyber security risks. Accordingly, we expect continuing
dialogue with this Committee as we further understand the evolving
nature of the cyber security issues.
Thank you for the opportunity to appear before this Subcommittee
today and I would be happy to answer any questions you may have at this
time.
Mr. Langevin. Thank you.
Before I go to questions, two things first of all,
procedurally.
The committee rules state that witness testimony needs to
be in 48 hours in advance. All the panel members got theirs in
advance, with the exception of the Department of Homeland
Security. I would ask that in the future that that testimony is
in 48 hours, according to committee rules. I understand that
these things have to be cleared to the White House, so it is
not entirely an individual's fault. But timely submission of
testimony is important because we can't do business this way
without having the testimony ahead of time. Okay?
The other question I have, Assistant Secretary for Cyber
Security Garcia is not in attendance today. Is there a reason
that he is not joining us?
Mr. Dixon. Chairman Langevin, since my direct involvement,
at the time I was the deputy director for US-CERT, and since
this evolves around two specific intrusions, it was thought
that it would be best since I was pretty much heavily involved
with both of these situations, to be present.
Mr. Langevin. Thank you. We look forward to having the
assistant secretary before us in the very near future.
I thank all the witnesses for their testimony.
I remind each member that he or she will have 5 minutes to
question the panel.
I would now recognize myself for 5 minutes.
I would like to begin, if I could, with Mr. Reid on the
question, and I just want to a little further explore the issue
of the hacker penetrations that we discussed in my opening
testimony, and that you addressed in your statement.
I talked about the fact that most targeted attacks involve
these rootkits, which can't be detected by temporary wrappers.
You describe the use of temporary wrappers initially, and then
you described another process, but it wasn't clear that you
took everything offline for a long period of time and did a
full kernel inspection.
I would like you to address more on that, as to how you
handled the penetration once you became aware of it.
Mr. Reid. Sir, I would just like to reinforce in my written
testimony there was a little bit more detail than the oral
statement. What we were dealing with here was two zero-day
exponents, for want of a better term. So we were in unknown
territory and we are trying to learn as we are going along.
Mr. Dixon can probably talk to this better than I can, but
my understanding is that typically it takes Microsoft a minimum
of 2 months or longer to issue a security patch. So we knew it
was going to take quite a long time before we were going to be
able to fix this particular vulnerability, and we needed
something before then. So as I indicated in my testimony, we
sought the best minds out there in the private sector and in
government to try and come up with a solution.
The security wrapper was what was recommended, and we came
up with a protocol for deploying that. We did take the entire
system down in East Asia Pacific for about a 3-week period.
Mr. Langevin. Did you do a full system wash, and then re-
build?
Mr. Reid. Yes, sir. We rebuilt everything, and we are
scanning continuously as we are checking these things are. And
then we also have available to us what we call a forensic-like
tool that we developed about 3 years ago. It helps us evaluate
the network even closer in a very discrete manner, so that we
can tell whether there is any lingering signatures.
So we felt pretty confident that we had a new process in
place. We went through it very thoroughly. Before we bring a
post back up on line, as I said we did remote scans from
Washington to confirm what they were telling us at post. We
found a lot of inconsistencies that they hadn't done the things
they said they had. We wouldn't reconnect them.
There is a business case here in terms of taking an entire
system off-line. It does have to be weighed and it is an
incredibly tough decision to make, but the business of the
State Department in part is issuing passports, issuing visas.
At all our overseas posts, you have consular officers. You have
visa lines out there with people waiting to apply for visas and
stuff. If you take the system off-line, all of that comes to a
screeching halt, with tremendous expense and disruption of
normal day-to-day business.
We felt that the risks were worth it, that we had a
solution that was going to work. As I indicated, since July, we
haven't had any more attacks. The Microsoft patch, by the way,
did not come out until August.
Mr. Langevin. Do you balance the business versus security
information?
Mr. Reid. It is a tough decision. I am not saying that we
did this. This is a decision we take to the CIO in terms of
weighing that. When do you disconnect a region from the
Internet? That is an incredibly disruptive thing to do,
obviously, for day-to-day business. The State Department kind
of got into the connectivity to the Internet late in the game.
This really occurred under Secretary Powell's watch and was
endorsed by Secretary Rice. So we have been modernizing our
I.T. systems, but the connection to the Internet brings with it
inherent risks. There is no doubt about it.
Mr. Langevin. I am not satisfied that we haven't erred more
on the side of protecting national security. I know the conduct
of business is obviously important, but I am concerned that
there hasn't been a proper balance of weight given to
protecting national security.
Mr. Reid. Sir, could I offer to follow up with a written
explanation of what that wrapper was, what it entailed and what
protections we believe were in place?
Mr. Langevin. Yes, I think that would be helpful.
Mr. Reid. All right, sir.
Mr. Langevin. My next question is for Mr. Dixon. FISMA
requires each agency to notify US-CERT about incidents
affecting the information systems. How many incidents have you
been notified about in 2006 and 2007?
Mr. Dixon. Yes, sir. For fiscal year 2006, we had over
23,978 incidents, I believe, somewhere in that ballpark. And
then just for fiscal year 2007 to date, we are already up to
20,000-plus incidents being reported to us.
Mr. Langevin. Mr. Reid, and I will ask GAO to follow up on
this as well, I mentioned in my opening statement the issue of
classified versus unclassified networks. Your inspector general
reported that your agency only 50 percent of your system is
inventoried. This means that your network topology is
incomplete as well.
Given this unknown, how can you be certain that your
classified networks aren't touching your unclassified networks?
Can you really know that hackers have only access to
unclassified networks? Do you have an idea of how much
information was compromised?
Mr. Reid. On the issue of unclassified and classified
networks, they are separate networks. So we are very confident
that there is no bleed-over, that the hackers don't have a
route into the classified network by compromising the
unclassified system.
We do our scanning on both systems. We do our scanning on
our unclassified systems and classified systems. We have seen
no activity on our classified systems, nor has the national
security community as a whole.
Mr. Langevin. How is that possible if you haven't completed
the topology?
Mr. Reid. I don't know that we necessarily agree with the
I.G. My understanding of the I.G. was that they found one
system that was not reported, and that they concluded from that
that they couldn't trust the rest of our inventory. We feel we
have a very complete inventory, certainly far more than 50
percent of the topology.
Again, it is our scanning that does that. Our scanning goes
out and touches 57,000 devices that are out there on our
unclassified network. We know where they are. We know that
there is more work to be done on our inventory.
Mr. Langevin. Mr. Wilshusen, would you comment?
Mr. Wilshusen. Right. This is based upon our review of the
agencies and the I.G.'s FISMA report that they are required to
submit. The I.G. noted that one of the State Department's
systems could not be located. Due to its methodology and the
scope of its work, it concluded that the State Department did
not have a complete inventory.
But certainly, one of the things to consider in terms of
the separation of classified and unclassified networks is that
if there are any interconnections between the two, it could
raise a significant security violation. Not to say that that
occurred at State Department, because we have not conducted
tests at the department in reviewing the security over those
two types of networks.
Mr. Langevin. Do you share my concern that even if the
information is ``unclassified,'' that it could very well be
sensitive information that later becomes classified that could
have been compromised originally?
Mr. Wilshusen. Of course. Sensitive information of various
different types, particularly when aggregated together, could
raise the level of sensitivity to that information. There is a
lot of highly sensitive information that the government retains
and that you do not want out in the public domain and certainly
do not want a hacker or some other group to have that
information.
Mr. Langevin. I agree.
The chair now recognizes the ranking member, my partner in
this effort, the gentleman from Texas, Mr. McCaul, to ask some
questions.
Mr. McCaul. I thank the chairman.
I mentioned in my opening statement, really three types of
hacking that could occur, and there may be more, but one would
be just for mischief purposes, say, a teenager hacking in.
Another one would be espionage to try to get information, steal
information, intellectual property. And the third would be a
direct attack on the United States, a direct attack from a
rogue nation or a state sponsor of terrorism. I think the last
scenario would be the gravest.
I will ask about the protocol with the military. Why don't
I just ask that first? If you can't answer this in a public
forum, I will grant you that. Do you have any protocol with the
United States military in the event there is a perceived
threat, a direct attack on the United States from a rogue
nation or a state-sponsored terrorist?
Mr. Reid. In terms of do we have relationships built up?
Mr. McCaul. A protocol?
Mr. Reid. Certainly. The global network operations joint
task force that is run by Strategic Command is a big player in
the computer network defense community. We interrelate with
them all the time. We are sharing analytical information back
and forth all the time. Again, Homeland Security is a key
interface for us with those relationships.
Mr. McCaul. Getting to the specific intrusions, Mr. Reid
had one. You talked about one Mr. Jarrell, and I will get to
you, Mr. Dixon. Can you comment publicly on the source of these
intrusions?
Mr. Reid. The chairman indicated that they had their source
in China, but these are hackers. These are people intruding
into our systems using a sophisticated method to do it, an e-mail
with hidden malicious code. Any hacker is covering their
trail. So the fact that the last place they were at was in
China doesn't necessarily mean that this was a state-sponsored
attack.
The community as a whole, the computer network defense
community as a whole, works on this attribution issue very,
very hard. It is just tough to nail these things down.
Mr. McCaul. So it is difficult to determine the source?
Mr. Reid. Most definitely, the original source.
Mr. McCaul. Mr. Jarrell?
Mr. Jarrell. Yes, sir. Actually, before we discovered the
incident on the BIS network, we worked closely with US-CERT,
but at the same time we try to depend on multiple sources of
information to be able to derive our intelligence. We work with
DOD's Joint Task Force for Global Network Operations, JTFGNO.
So they are aware of the issues, as well as the Department of
Homeland Security, US-CERT and the GFIRST.
After we experienced the incident that we did, and we
reported to US-CERT, and that is our obligation to report to
US-CERT, we met with both US-CERT and JTFGNO to share
information so that while we don't have a protocol necessarily
to deal directly with the DOD environment, we wanted to pull
and derive information from them. That has proven to be useful
for us, so that we can gain a more broad perspective on the
incidents that were occurring, and we would be able to benefit
from that process and information.
We are in a situation as well, sir, that we can't
definitely say the source of the attack on those BIS computers.
Mr. McCaul. Mr. Dixon, you quoted a very high number of
over 20,000 incidents on the federal government. Is that
correct?
Mr. Dixon. Those incidents include incidents from private-
sector entities as well as the government. I would say the vast
majority of those incidents for last year were actually from
the private sector, so they could range from malicious code to
phishing, with the issue involving identity theft; malicious
Web sites. A majority of those things are being reported to us
from corporations, as well as home users, and are called into
the US-CERT.
Again, the majority of those were last year within the
private sector. This year, with the advent of reporting
personally identifiable information to us, that is where we
have seen a large increase based on OMB management directives
to report those to us within 1 hour.
Mr. McCaul. Were any of those incidents attempts to hack
into the computer networks of the United States Congress?
Mr. Dixon. We have worked incidents with both branches of
government. We have worked with the chief information security
officers on the House and the Senate side. That is pretty much
it. We can talk in more detail in a different setting.
Mr. McCaul. I understand.
My next question is to the GAO. What is your recommendation
regarding the responsibility of DHS regarding cybersecurity for
the federal government? Do you see them having a role as a
chief information security officer for the federal government?
Mr. Wilshusen. I think that would present some challenges
if they were to fulfill that role. One, under current law,
FISMA, it requires and gives responsibility to the director of
the Office of Management and Budget to oversee and coordinate
the federal implementation of information security controls, as
well as coordinating the development of those standards.
FISMA also assigns specific responsibilities to the heads
of agencies, and makes them specifically responsible for
safeguarding the information assets under their department.
Having DHS in particular, and I am not sure which individual in
there, but someone at the assistant secretary level being able
to compel other agencies and secretaries of other agencies
could be somewhat problematic from an organizational placement
of that.
In addition, it would also be appropriate that DHS first
assume or assure that its own security is effective and that
they have taken actions to fully and effectively implement an
information security program before trying to be responsible
for the full federal government.
Mr. McCaul. Thank you.
Mr. Chairman, are we going to have one round of questions?
Mr. Langevin. If we have time, I am inclined to go for two
rounds. I know we are expecting a vote soon, but I am inclined
to go for a second round if our witnesses can stay.
Mr. McCaul. My time has expired. Thanks.
Mr. Langevin. I thank the gentleman.
The chair now recognizes the gentleman from North Carolina,
Mr. Etheridge, for 5 minutes.
Mr. Etheridge. Thank you, Mr. Chairman.
Let me thank you and commend you for holding this hearing.
I hope this is the first of many because the issue that we are
talking about is so vast and it is rapidly evolving and
continues to evolve. I think all of us recognize this is going
to be central to what we do in the 21st century. One hearing
does nothing more than scratch the surface of what we need to
be about and stay on top of.
Mr. Jarrell, let me ask you a question. Your description of
the break-in in the Commerce computers is troubling. It is
troubling on many levels to me. In your testimony, you note
that the date and duration of illegal access is still unknown,
and the extent of information compromised may never be known.
My question is, how confident are you that the information
at Commerce is now secure?
Mr. Jarrell. I am very confident, sir. The reason that we
don't know the date or the source of the infection on that one
account is because of our audit logs and the duration that we
retain those audit logs. So it is unfortunate that we are
unable to pinpoint that point of action and activity on the
system.
Mr. Etheridge. Have you changed the protocols on that so
you will be able to know in the future?
Mr. Jarrell. We are doing that now, sir. Yes, sir.
Mr. Etheridge. So I assume that would be one step you have
taken to improve it.
Mr. Jarrell. Absolutely.
Mr. Etheridge. All right. Let me follow that up. For
example, the incident at BIS was identified by a user accessing
his computer with a simple password, is my understanding.
Numerous guidelines from NSA, DOD and NIST recommend at least
two.
Have you implemented these recommendations for privileged
personnel now? Why were they not used in the past, I guess, is
the question I really ought to be asking.
Mr. Jarrell. We are looking at two-factor authentication as
part of our new protocol and our new process for access to
systems, including any remote access or remote administration
of those systems. We are working towards meeting the intent of
FISMA and the OMB guidance that we are provided. We are in the
process of doing that now.
Mr. Etheridge. Do you have a date where you want to have
that implemented?
Mr. Jarrell. We are actually working to establish contracts
with vendors that can provide that kind of technology to the
Department of Commerce, so that we can deploy that throughout
the entire department's 13 agencies.
Mr. Etheridge. With the goal for?
Mr. Jarrell. We are hoping to have that done this fiscal
year so that the contract is established, and then we would
have a roll-out schedule into fiscal year 2008.
Mr. Etheridge. Okay. Thank you, sir.
Mr. Jarrell. Yes, sir.
Mr. Etheridge. Mr. Wilshusen, is it possible to determine
after an attack the full extent of the damage? For example, can
logs be altered to hide the nature of the attack?
Mr. Wilshusen. Yes, they can. It is a very difficult
process to go through and try to determine the extent and the
amount of damage that could occur from such an attack,
particularly if the attackers have the ability and the access
to delete audit logs and other system logs.
In addition, if they are adequately masquerading their
tracks, it makes it more difficult, as we have already
discussed here, to determine the ultimate source of the attack. So
it can be difficult to do that.
Mr. Etheridge. I raise that question because I think as we
deal with this, we need to all get a pretty good grasp of the
challenge we are facing as we put more and more data at risk.
That is really what we are doing.
Mr. Wilshusen. Right. And also the extent to which the
organization is able to determine the extent of the damage also
depends upon how well that organization is logging and
monitoring its networks on an ongoing basis. So that also has
an impact on how prepared an agency is in order to identify and
detect these types of intrusions.
Mr. Etheridge. Let me ask you one additional question,
before I go to Mr. Dixon. It seems to me we need to do a much
better job of letting our personnel know how vulnerable we are
and how important it is to have security on the station they
are working on.
Mr. Wilshusen. That is absolutely correct. Indeed, one of
the best defenses is to have security in depth. That means to
have multiple layers of security from various different points
of vulnerability, to include assuring that users and agency
personnel are fully aware of the risk and their
responsibilities in mitigating those risks and practicing safe
computing.
Mr. Etheridge. Thank you.
Mr. Dixon, how does the Department of Homeland Security
learn of instances such as those at Commerce? And how confident
are you in the department's ability to analyze and prevent such
incidences?
Number two, is it possible to know the extent of our
vulnerability and what can we do to increase our knowledge and
reduce the threat?
Mr. Dixon. In both instances, we were notified directly by
their operational security teams and made aware of the
incidents. They also shared with us the technical details and
the information. As we do with pretty much all incidents that
are reported to us, offer our assistance to help out any way we
can. If it is related to a vulnerability, especially a brand
new vulnerability, we will work with the affected vendor to,
one, try to see when can it be fixed, and what are the options
to mitigate it.
We also communicate with the government performance and
response teams which has over 400 members from all the various
operational security teams across the federal government and
state and local governments. We have a program called Einstein
that basically, we often get asked the question, who is
affected or how bad is it across the U.S. government. Sometimes
this question comes from the private sector. Sometimes it is
from other agencies.
The way it used to work is we would have to call each and
every operational security team, leverage GFIRST, make the
request--can you let us know whether you have seen this type of
malicious activity. They would then, and it would take a couple
of days to actually go through logs of their security
infrastructure to make that determination if they were seeing
it or not seeing it, report that back, and then we can report
back to everybody.
Mr. Etheridge. Let me interrupt--and I know I am running
out of time, Mr. Chairman. I am over.
What is your budget?
Mr. Dixon. It is $97 million.
Mr. Etheridge. Do you do preemptive work, rather than just
reactive?
Mr. Dixon. Yes, sir. US-CERT is the operational team and
then we have proactive programs across the National Cyber
Security Division, like software assurance.
Mr. Etheridge. Thank you, Mr. Chairman. You have indulged
my going over and I appreciate that. Thank you.
Mr. Langevin. I thank the gentleman.
The gentleman from Texas, Mr. Green, is recognized for 5
minutes.
Mr. Green. Thank you, Mr. Chairman. Thank you and the
ranking member for hosting this hearing. I will be terse.
Let's start with the rootkit program. Mr. Dixon, this
technology, is this something that is in the hands of your
typical hacker or person who desires to perpetrate mischief?
Mr. Dixon. Yes, sir. Many types of rootkits are available
for download from the Internet. They are on varying levels of
skills that can be used, depending on the level of how they go
about social engineering it, whether they are doing targeted e-
mails to specific individuals. That tends to increase the level
of sophistication because they have to have some knowledge of
that organization. But a lot of these things are readily
available on the Internet that can be downloaded and pushed
out.
Mr. Green. Let's go next to the zero-day exploit. If we
have such an occurrence, is it true that the communication, the
means by which you communicate the actual penetration is thus
far confined to the department that had the zero-day exploit?
Is this true?
Mr. Dixon. When you say was it combined, actually with that
particular situation with the zero-day vulnerability, we were
actually trying to determine were there other victims or other
folks affected, and was it in fact targeted. We actually worked
with probably about five other organizations to determine, are
you seeing activity characteristic of this. At the same time,
we were working with the vendor. They also have their network
of contacts. We were trying to see if there was any other
active exploitation.
Mr. Green. Let me intercede and ask, is there a protocol
that requires you to share this information with other agencies
that have not suffered the exploit?
Mr. Dixon. We have information sharing guidance within our
US-CERT concept of operations, which was vetted to an
interagency process. So basically, again if this was being more
actively exploited when we talked to our partners within the
Department of Defense and other agencies, we would have quickly
gone public with this. We put basically Microsoft on notice.
However, we did not find that, and found it to be targeted,
and we did not want to run the risk of somebody actually
developing tools to take advantage of it. In that particular
instance, it was what was called ``wormable,'' meaning an
automated script or program could have taken advantage of that
vulnerability that affected all Microsoft operating systems,
which is why we exercised extra caution and sensitivity around
that particular vulnerability.
Mr. Green. Final question. Let's talk about the I.P.
number. This is the equivalent of a fingerprint for a computer,
generally speaking. It gives you the location. It doesn't
necessarily take you right to the source, but at least you get
in the area, the geography of the source. Is this a fair
statement?
Mr. Dixon. An I.P. address does give where the traffic
might be originating from. However, a lot of organizations and
corporate networks, for instance, use what is called dynamic
I.P. addressing, meaning that they might get a different I.P.
address every time they boot up their machine or log on on a
different day.
Also, a lot of attackers tend to hide where they are coming
from, so there are various points, because the Internet is
global. So they can make it appear to be coming from a
different source than where it really is coming from. It is
very easy to hide their tracks.
Mr. Green. All right. Thank you. That was what I wanted to
get to, the ability to mask the location by the variations of
I.P.s. But is it also possible to defeat the technology in some
other way? As far as throwing persons who are trying to
ascertain where you are off track?
Mr. Dixon. Yes, sir. There are a number of ways to hide
where you are coming from. Some actually might modify the I.P.
address to do what is called modifying the traffic, and put in
there a bad I.P. address. So it is not that difficult. There
are actually tools out there that you can download from the
Internet to facilitate making that happen. There are tools out
there called ``onion routing,'' which basically makes you
pretty anonymous on the Web and from where you are coming from.
So there is a lot of capability there to hide your tracks.
Mr. Green. Perhaps this is something that is not at your
level to respond to, but is there a way, and I beg that you
would just consider the question, is there a way for Congress
to help you with all of these various Internet providers who
are continually giving out information that is antithetical to
our best interests.
Mr. Dixon. We have a process, and a great working
relationship with many of the Internet service providers. To
give an example, when folks had come under attack from denial
of service attacks, they have been effective and instrumental
in actually helping what we call ``black holing'' the traffic,
making that traffic disappear.
Where that is really important is folks that are running
electronic commerce
sites, or critical Web services. We have what is called the
Internet Disruption Working Group, and we work very closely
with the North American Network Operators Group.
The operational relationships that we have developed with
those organizations have really been essential on tackling some
of the issues that we are facing.
Mr. Green. Thank you, Mr. Chairman. I yield back.
Mr. Langevin. Thank you.
We have two votes on, and then we have the second panel
coming up. We brought you all the way up here, and I would like
to make productive use of the time. Would the panel be willing
to stay while we have two votes? We will come back and we have
one more brief round of questions, and then go to panel two. I
appreciate that.
The committee stands in recess.
[Recess.]
Mr. Langevin. The meeting will come to order. I thank the
witnesses for staying. We will try to wrap this up as
expeditiously as possible.
I would like to turn just if I could to Mr. Jarrell for my
initial question, because I want to give you the opportunity to
respond to something I brought up in my opening statement. That
is with respect to what your department did with respect to its
administrative policies after the cyber attack had occurred. If
you want to take a minute to respond to that?
Mr. Jarrell. Absolutely. As we put controls in place to
identify infected computers on the BIS network, we removed
those computers from access. We pulled the drives and we
quarantined those drives. As a result, we did not reintroduce
those to our system. They were quarantined. They remain in
quarantine today for any potential forensics evidence needed to
support any initiatives.
So as a result, we did not reintroduce those infected
drives, but also we didn't trust the data that was stored on
those drives. As a result, we did not reintroduce the
information on to the network on the off-chance that it may
compromise issues. So we worked from clean systems.
In addition, sir, with regard to authentication changes, we
suspended all of our BIS accounts because we believe they were
suspect, so we expired those accounts immediately and required
that all of our users reauthenticate themselves, and we
continue to do that. We went from a 90-day process for user
account lifespan to now 30 days. So we are significantly more
aggressive in making sure that those accounts are being used by
proper authorized personnel.
In addition to that, we added a second layer of control by
requiring that anyone with administrative privilege on that
network requires a second level of authentication to the
system. It increases our security significantly, we believe.
Mr. Langevin. I appreciate you addressing this for the
record. Thank you. Thank you for clarifying.
Mr. Reid and Mr. Jarrell, both of your agencies received
F's on FISMA. Let's just say for exploration purposes, pretend
that you both received A-pluses for this year. Would that, in
your opinion, have stopped the attacks from occurring? If
everything possible were done with respect to security in terms
of within our capability to do it today, would that have
stopped the attacks?
Mr. Reid. Mr. Chairman, in my opinion, no. The socially
engineered e-mail would have bypassed any C&A system, and all
of our systems have been certified and accredited. We certainly
knew about them, whether they were part of a formal inventory
or not.
I think FISMA I believe has been in existence for 5 years
now. It is a great baseline law that we clearly have more work
to do with at State to be able to achieve its objectives. But
there are other things going on that it is not measuring, and
we feel that that is an aspect of FISMA that doesn't quite tell
the whole story.
For instance, our ability to detect and respond to the
intrusion, nowhere is that measured in FISMA, and yet I have
some terrific capability that is there to do just that. So we
feel that we have a great capability for detecting these
things.
Congressman McCaul, you talked about espionage, terrorism,
and other kinds of things. Well, there is a criminal threat out
there also that is growing dramatically in terms of threat.
We have to be able to see these things as they come into
our systems, and be able to detect them, be able to respond to
them, be able to mitigate them. My belief is that FISMA doesn't
measure those kinds of things very well.
Mr. Langevin. Mr. Jarrell?
Mr. Jarrell. We focus a significant amount of attention on
FISMA compliance through certification, accreditation, and
other variables. Anytime that we can have management and our
executive staff's attention on the security of our
infrastructure and our data, it is a good thing, because we
need more eyes on the ball.
That said, a system that has been graded as an A with full
FISMA compliance and understand that the certification and
accreditation process that we go through on a routine basis is
a snapshot in time, meaning that that snapshot in time looks at
the system as it was configured at that given time. From the
next day forward, any change or the introduction of new
technology or even a new user on that system, changes the
variable you looked at the day before.
Again, FISMA is a great tool. It is a great asset to us to
be able to look at the controls that we put in place. Incident
response, zero-day vulnerabilities, those kinds of things
change the process and the way that we have to look at this
issue. So having FISMA is a great tool. Having the ability to
put more technology in place so that we can secure that system
is also as great an issue. It seems that there needs to be more
of a balance between FISMA and introduction of this new
technology.
Mr. Langevin. Mr. Wilshusen, let me ask you, what does it
say about our information security laws? Somebody can get the
highest score possible on our scale, but still be vulnerable to
being hacked or losing critical information.
Mr. Wilshusen. I think it goes and speaks to how we measure
the effectiveness of security at federal agencies. Clearly, the
performance measures that OMB has established and its reporting
instructions for federal agencies to report under FISMA, and
the reporting requirement under FISMA, focus on the performance
of certain control activities. Those measures do not focus on
the effectiveness of those activities.
So I kind of would mirror what Mr. Jarrell has indicated,
that just performing certain activities does not necessarily
mean that they are being performed effectively. And certainly
with what Mr. Jarrell indicated about certified and accredited
systems, just because a system is certified and accredited does
not make it necessarily secure, for some of the reasons that
Mr. Jarrell cited.
Certainly, I agree that the law as written has been very,
very positive in improving security within the federal
government, because it has raised the level of attention to
information security and assigned specific responsibilities to
key officials in the government and at federal agencies.
It also is based upon key and important information
security practices and processes. Those are valid--the ability
to assess your risk, develop policies and procedures that are
risk-based, that cost-effectively reduce those risks, assuring
that your staff and contractors are appropriately trained and
are made aware of the risk that they need to protect against;
conducting security testing and evaluation to assess the
effectiveness of your controls, and then identifying
vulnerabilities and taking effective and immediate remedial
actions to correct those vulnerabilities.
Those are the requirements of FISMA, among others, and
those are valid today, as they were 4 1/2 years ago when it was
passed. The dichotomy has kind of arranged where receiving the
higher grade or doing a good job under the performance measures
is more an indication of what the measures we are using to
assess security implementation.
Mr. Langevin. We have a lot of work to do. Thank you.
I will recognize now the ranking member, the gentleman from
Texas, Mr. McCaul, for the purpose of asking questions.
Mr. McCaul. Thank you, Mr. Chairman.
I asked the question in the last round about the role of
DHS as a chief information security officer for the federal
government. If I am not recounting this correctly, let me know,
Mr. Wilshusen, but your response was that until DHS can really
get its own act together, you wouldn't recommend that. Is that
a fair assessment? If not, why don't you answer that?
Mr. Wilshusen. I did not use those terms exactly.
Mr. McCaul. I know. I am paraphrasing.
[Laughter.]
I did say ``paraphrase.''
Mr. Wilshusen. Okay. I think that is part of it. I also
think just the organizational placement of DHS versus perhaps
someone in maybe the office of the president. Certainly, DHS
has a very important role to play in the analysis and warning
capability, and because it is ideally suited for collecting and
reporting all of the security incidents within the federal
government, and being able to analyze that and provide that
service to other federal agencies, as well as to organizations
outside of the federal government.
I would also kind of like to introduce Dave Powner here,
who has been doing some work in that space.
Mr. Powner. One other factor to consider, if you look at
their roles and responsibilities, and we have done work for
this committee over the years looking at DHS and the National
Cyber Security Division roles and responsibilities in
furthering private-sector security and working with the 17
sectors.
There is a lot of work to do. We talk a lot about the US-
CERT capabilities, and they are doing some good things through
their Einstein project. We need to expand those capabilities.
We need to do a lot more with threat identification, coming up
with national threat assessments, partnering with the private
sector.
So one factor to consider, too, is given all those
responsibilities and the long road ahead, if you levy that
requirement on an assistant secretary, you are really
overburdening them. I don't think it is the time right now to
do that.
Mr. McCaul. Mr. Dixon, do you have any comment on that?
Mr. Dixon. Right now, the CIO is responsible for the
protection of the data within their networks, as well as their
information technology assets. I think, again with FISMA and
just to touch on the certification and accreditation process,
part of FISMA also includes ongoing vulnerability assessments,
penetration testing, and really managing risk within your
environments.
Not just doing FISMA for the sake of reporting, but
actually leveraging it as a tool in your toolkit to defend your
networks, to raise awareness. When you have operational issues,
the certification and accreditation information lets you know
how many systems in critical applications do you have across
your enterprise. It helps you to quickly assess how bad is it
in my environment when we do have a malicious event.
Back to your question, I think we have a significant
mission to date, being a facilitator and helping organizations
tackle the issues. We were just with the CIO council yesterday
for all the departments. We provide them quarterly reports of
incident trends within their department. We do that quarterly
and annually, as well as we take a look at here is how you sit
from the rest of the government, based on reporting coming into
us, showing the trends and things that are coming up; here are
some potential recommendations to maybe help you tackle some of
these issues that you are facing.
So again, with the amount of information that we are
getting not only from government, from the private sector, and
being able to provide that back to key decision makers to
prioritize where they focus their efforts is an effective
approach.
Mr. McCaul. So am I correct in saying you are actually in
agreement on this, that the role of coordinator and point of
contact is the preferred role for the Department of Homeland
Security on this?
Mr. Dixon. I think the current role that we are playing
today is effective, and our capability is continuing to mature,
and there is still a lot to be done. I think that the
authorities of the CIOs, the effective person that knows the
business applications within their environment, for some
outside entity to be able to try to get a handle on their line
of business, whether it is in the tax collection business or
whether it is issuing Social Security numbers, passports or
visas--that is a pretty tall order to take on.
Mr. McCaul. Another question. I think Mr. Reid talked about
when you had the intrusion, you consulted with Microsoft for a
patch. Could you expand on this, or Mr. Dixon, I would be
interested in this from your vantage point, in terms of the
coordination of the department with the private sector in
securing these network systems. I would go ahead and start with
you, Mr. Dixon.
Mr. Dixon. I guess I am not following the exact question.
Can you clarify?
Mr. McCaul. In terms of coordination with the private
sector, I mean, the private sector has the answers, in my view.
They are on the cutting edge, not the federal government. What
role have you played or what role has the department played, or
do we need to play a greater role in coordinating with the
private sector?
Mr. Dixon. The private sector is an essential partner in a
lot of the issues that we are facing today, whether it is an
operating system vendor. If we come across activity based on
our experience, if we need to get security definitions or any
virus signatures pushed out there based on these types of
incidents, how do you get it out to the broadest audience? The
way to do that is to work with those security vendors, get them
the information.
Sometimes we do it in a sensitive way. Folks don't realize
it. We pass to them, here is what we are seeing. They will
incorporate it into their products so that it will not only
clean or quarantine or prevent further victims. Again, we take
operational information we get on a routine basis, get it to
the information security folks to help protect a larger
enterprise, because again they are the ones that are out on the
frontlines. They are the ones that have the products to get
across to corporations, infrastructure operators, as well as
government agencies.
Mr. McCaul. Mr. Reid, do you have any comment?
Mr. Reid. I was just going to say, we look to DHS for that
kind of support and help. They have the best relationships with
Microsoft. We are up to our eyeballs in things to do anyhow.
About the most clout we could have put forward would have been
our CIO, possibly the under secretary for management. The
reality is they already have established relationships with
Microsoft. This is something that has to be dealt with as
quickly as possible, and they were in the best position to do
it.
Mr. McCaul. Yes, go ahead.
Mr. Dixon. To further that, we are partnered, obviously.
Under our assistant secretary, you have the national
communications system, and within that they have the national
coordinating center, which is made up of a lot of the major
Internet service providers and telecommunication providers. We
also have direct ties with a lot of the technical vendors out
there, the I.T. vendors.
We are looking to further enhance and bring more of those
folks into the fold because when we are dealing with some of
these issues, and again with some of these zero-days, we don't
have the capacity or the expertise to really know is this
something new, how bad is it. We have to work with those that
actually develop that software. So we are trying to bring those
more into the fold to help us in that major event, and also to
figure out how can we quickly mitigate it.
I think the partnership with the recent standard
configurations, one is XP and VISTA, that are being promulgated
in partnership with OMB, NIST, NSA, and ourselves and the Air
Force, is really going to go a long ways to improving the
security posture of a lot of the agencies, getting to minimum
baseline security standards. Again, that was through
partnerships and working with vendors.
Mr. McCaul. Thank you. I yield back.
Mr. Langevin. The gentleman from California, Mr. Lungren,
is recognized for 5 minutes.
Mr. Lungren. Thank you very much, Mr. Chairman. I wish I
had been able to be here, but three different things at once is
difficult. I will master that if I keep working at it.
Let me ask a more general question of all of you there.
That is this, and we see this in the private sector, but I
would like your observation about the federal system.
Cybersecurity is an important issue that is not always so
obvious to the many people that are involved in an enterprise.
You can see the various physical structures that we have to
stop trucks from ramming in here and so forth, and everyone can
recognize that. It is easy to tell your employees, if you see
something suspicious that relates to that, do something about
it.
But my suspicion is that it is much more difficult to get
us trained to understand this in the cyber world from the top
to the bottom. One of the things I ask CEOs in the private
sector is, how seriously do you consider the issue of
cybersecurity? What kind of heft do you put behind those
elements of your corporation that are dealing with that?
And so I guess my question to all of you is, from your
perspective, what is the level of concern that we have been
able to relate to the employee base at large with respect to
cybersecurity, number one.
Number two, what more do we need to do to embed that in the
experience of our people?
And third, and perhaps as importantly, how seriously do the
top people in the departments of the federal government take
this, and what kind of a priority have they placed on it?
I would love to have observations from all of you.
Mr. Wilshusen. I guess I will go ahead and start.
One, I think the level of attention to information security
and cybersecurity issues is definitely increasing throughout
the federal government. In part, that is due to the
requirements specified by FISMA, but also due to the data theft
that occurred last year at the Veterans Affairs. It was that
incident that affected so many individuals, or potentially
could have affected so many individuals that I think it really
opened up the eyes of many in the federal government throughout
all the federal agencies.
During hearings that were held in response to that
incident, it was estimated that it could potentially cause
between $30 to maybe $50 or $100 per veteran whose information
was potentially lost. When you start multiplying that by 26.5
million, that ends up to be a very large amount. So I think
individuals and agencies started to realize, they, this is very
important and it does have costs, not only in terms of monetary
costs, but the effect on veterans and citizens if the federal
government loses their information.
Subsequent to that, we noticed an up-tick in the number of
incidents that have been reported, particularly at VA. So that
is not to say there are more incidents, but the staff and
agencies are more attuned to the need to report on those
particular incidents. So I think the level of attention is
increasing, in part due to those factors.
Mr. Reid. I certainly agree. There is a lot more attention
within the State Department to this issue, not only because of
our own exploits, but because of the trends across government
as a whole. Secretary Rice is a strong supporter of our
initiatives in cybersecurity.
On a day-to-day basis, however, that function falls to the
under secretary for management. One of the things she did was
to last year reach out and bring in a new CIO at State. We have
had some very dramatic changes and directions that are positive
for the department.
He, in turn, reached out to an A-plus organization and
brought on board a new chief information security officer, who
is my colleague, John Straford, who joined me here today.
Congressman, you do point to the weakest link in everything
we have been talking about here, and it is the human dynamic.
It gets right down to the individual, and what kind of damage
can they cause intentionally or unintentionally.
So we, I am sure like other agencies, we have programs in
place to try and make our employees aware, to educate those
that need further education in terms of what their roles and
responsibilities are in the I.T. world. We have a sanction
program for monitoring their behavior on the computer and
taking action if they exceed their authorities and things.
So we are trying a variety of things, but at the end of the
day, it is that human factor that is very, very difficult to
control.
Mr. Jarrell. I hope that some part of our I.T. security
program remains invisible to the user. There are a variety of
different things that I mean by that. We have intrusion
detection and intrusion prevention systems that sit on our
network. The user does not interact with them. And those are
significant tools to ensuring the security part of our network.
So we continue to maintain those kinds of issues.
There is always the FISMA variable. There is always the
user awareness and the role-based training requirements that we
impose on our staff when they have general access to a system,
versus someone who has administrative authority to our systems,
and there is a significant change in that authority that is
given to that account.
So some things we want to keep behind the scenes; some
things we are going to bring to the forefront. We want our
users to engage us when they access our system by signing rules
of behavior that talk about how they should and how they should
not act on our networks, what they can and what they cannot do.
We believe that those are good steps towards educating our
users and keeping security at the forefront of all of the
things that we are trying to deal with.
Our CIOs have made I.T. security a priority because of
FISMA compliance, because of report card grades, but more
importantly because of the security of our data and the
infrastructure that we prepare to support and carry out our
mission goals. Things like PII, personally identifiable
information, get our department's highest level of attention,
where we report weekly on those issues, so that our executive
staff is fully aware and makes sure that our bureau agency
heads are fully accountable for those issues.
Mr. Langevin. I thank the gentleman.
I want to thank the panel for their testimony here today.
It has been very helpful and informative. We look forward to
having you back again and continuing to work on this issue
together.
Thank you very much. The panel is dismissed at this point,
and I call up the second panel.
I want to welcome the second panel of witnesses.
Our first witness, Mr. Aaron Turner, is the cybersecurity
strategist for the Department of Energy's Idaho National
Laboratories. In his role, Mr. Turner applies his experience in
information security to collaborate with control systems
experts, energy management engineers, and homeland security law
enforcement officials to develop solutions to the cyber threats
that our critical infrastructure is currently facing.
Before joining INL, Mr. Turner worked in several of
Microsoft's security divisions for 7 years, including as a
senior security strategist within the security technology unit,
as well as the security residence manager for the Microsoft
sales, marketing and service group, where he led the
development of Microsoft's information security curriculum for
over 22,000 of Microsoft's field staff.
Our second witness, Mr. Ken Silva, is the chief security
officer for VeriSign. As VeriSign's chief security officer and
vice president for networking and information security, Mr.
Silva oversees the mission-critical infrastructure for all
network security and production I.T. services for VeriSign. In
this role, he oversees the mission-critical network
infrastructure for VeriSign's three core business units:
security services, registry services, and telecommunications
services.
Mr. Silva's responsibilities include oversight of the
technical and network security, the definitive database of over
27 million Web addresses and dot-coms and dot-nets, the world's
most recognizable top-level domains. Responding to over 14
billion DNS lookups daily, the platform includes the critical
infrastructure for the 13 globally deployed, global top-level
domain-name servers answering domain-name system requests for
all dot-com and dot-net domains and the A root server. The
Internet's ``dot'' is the hierarchical top of the Internet's
root server system and is the most heavily utilized domain-
name server.
Additionally, Mr. Silva coordinates the security oversight
of VeriSign's public key infrastructure, security systems that
authenticate over 500,000 merchants on the Web in VeriSign's
payment gateways that handle 25 percent of all the e-commerce
online transactions in North America.
I want to welcome both of you here today.
Without objection, the witnesses' full statements will be
inserted into the record. I would like to ask each witness now
to summarize their statement for 5 minutes, beginning with Mr.
Turner.
Welcome, gentlemen.
STATEMENT OF AARON TURNER, CYBERSECURITY STRATEGIST, NATIONAL
AND HOMELAND SECURITY, IDAHO NATIONAL LABORATORY
Mr. Turner. Good afternoon. Chairman Langevin, Ranking
Member McCaul and distinguished members of the Homeland
Security Committee, thank you for this opportunity to address
you today.
To introduce myself, my name is Aaron Turner. I have been
an information security practitioner since 1994. The vast
majority of my experience was gained in responding to
information security incidents in 20 countries around the
world. Based on that experience, I have been invited to
participate in several global information security efforts. In
7 years working in Microsoft's security divisions, I had the
opportunity to participate in global information security
improvement programs.
When I found out about the Idaho National Laboratory's
critical infrastructure protection programs, I was immediately
interested in working with the INL's talented group of control
systems experts. I joined the lab in September of 2006. I
continue to be impressed by the INL's unique facilities that
allow large-scale testing and research. These programs that INL
conducts are funded through national-level programs sponsored
by the Departments of Energy, Homeland Security, and Defense.
I would like to focus my remarks on historical lessons that
we have learned from complex systems that rely on technology,
and how an over-reliance on technology can lead to system
imbalance and subsequent corrections. The quality of life that
we enjoy today is built upon the successful implementation of
technology. Our society is what it is because of improvements
in efficiency and productivity that technology brings us.
But when we implement technology for the sake of
efficiency, without regard for vulnerabilities, the
consequences can be significant. The first historical example
that I would like to share is based on the financial markets of
the early 20th century. Facilitated by the widespread use of
technology such as the telephone and ticker-tape, it was the
first time that we could create a truly national financial
market. But these communications technologies did not
necessarily assure equal access to information. The result of
the use of communications technologies without a level playing
field was the system correction of 1929.
Another example of large-scale system corrections is the
Internet worm incidents of Slammer and Blaster in 2003. In the
years preceding, there were widespread connections of Internet
systems to each other. Without sufficient security controls for
those systems, it resulted in an overall Internet system that
was imbalanced, where a few individuals were able to impact
millions of Internet-connected systems.
There is an important system vulnerability pattern that we
need to recognize based upon these two historical examples.
Usually, the system vulnerabilities always begin with small-
scale exploits. Where exploit capability increases, criminals
begin to extort system owners or take advantage of them
economically in taking the systems hostage. As the underground
hacking or attacker community takes notice of the extortions,
they begin to build automated vulnerability tools that are
released. This results in non-experts being able to create
vulnerabilities on a wide scale for widespread system
compromise.
So as we take a look at those two historical examples,
where are we today with regards to control systems security?
First, we should note that control systems are the
technological components that automate the services that we
rely on such as electricity, potable water, petroleum refining,
et cetera. It is important to note that most of our nation's
critical infrastructure is privately owned, and infrastructure
owners are subject to market forces and resource constraints as
a result.
These pressures have resulted in reduction of human
operators which oversee these control systems, and an increase
in the number of these systems that are connected to networks.
Looking at the research that INL has conducted over the last
several years in this area, we have gone out and worked with
vendors of technology and private asset owners to conduct
control system security assessments that have been funded by
DOE and DHS. That research is important because from those
assessments, we have been able to find and understand
vulnerabilities in those systems. In the field assessments that
INL has conducted, we have discovered high-impact
vulnerabilities exploitable by low-skill-level attackers.
Comparing the control system security situation to the
vulnerability pattern I mentioned previously, where are we? In
May of 2006, there was an extortion scheme perpetrated against
infrastructure owners. In December of 2006, there was a release
of an automated control system vulnerability tool set. Now,
compared to other technology sectors, where are we with regard
to control system security?
We see a fragmented market with inconsistent responses by
technology vendors and infrastructure owners. Control system
security is lagging behind other technology sectors by years in
the approach to the problem. INL's recommendation? We need to
continue to prioritize and expediently address our nation's
control system security issues. The use of technology in
control systems has improved efficiency without the
corresponding improvements in the ability to secure these newly
connected systems.
For those of us working in this area, the path is clear. We
must continue to maximize cooperation among infrastructure
owners and technology vendors, and understand and improve
control system security across the entire life-cycle of this
necessary and critical technology. While we cannot reduce the
risks, we must work collaboratively to reduce the impact of the
occurrences.
Thank you very much.
[The statement of Mr. Turner follows:]
Prepared Statement of Aaron R. Turner
Chairman Langevin, Ranking Member McCaul and distinguished members
of the Homeland Security Subcommittee:
I am Aaron Turner, Cybersecurity Strategist for the Department of
Energy's Idaho National Laboratory (INL). In my role, I apply my
experience in information security to collaborate with control systems
experts, industry engineers and homeland security/law enforcement
officials to develop solutions to the cyber threats that our critical
infrastructure is currently facing. Before joining INL, I worked in
several of Microsoft's security divisions for seven years--including as
a Senior Security Strategist within the Security Technology Unit as
well as the Security Readiness Manager for Microsoft's Sales, Marketing
and Services Group where I led the development of Microsoft's
information security curriculum for over 22,000 of Microsoft's field
staff. I have been an information security practitioner since 1994,
designing security solutions and responding to incidents in 20
countries around the world.
INL has a dedicated critical infrastructure protection research
effort focused on control system security and technology risks. The
U.S. government, recognizing the need to better understand the risk
posed by the challenges that come with greater reliance on technology,
has supported research and testing through voluntary partnerships among
asset owners and operators, system vendors and the federal government.
This effort includes extensive security assessments, testing security
enhancements, developing risk measurement and mitigation tools, and
providing security training to strengthen defenses.
We participate in multi-year programs with a team of talented
people including other national labs, academia and industry, based on
their best-in-class core competencies and the needs of the program.
This effort is funded by the Department of Homeland Security (Control
System Security Program), the Department of Energy (National SCADA Test
Bed or NSTB) and the Department of Defense. INL has also worked
directly with critical infrastructure asset owners to assist companies
and organizations with customized security services.
The development of our nation's society and economy has been based
upon our successful use of technology to improve efficiency and
productivity--resulting in the quality of life that many U.S. citizens
enjoy today. The implementation of technology-reliant systems has
resulted in the creation of some of the most complex systems mankind
has ever engineered. Key examples of these systems and their complexity
include our nation's financial markets, telecommunications systems, and
the national electric grid.
History provides us with consistent lessons about complex systems
and the way that they can impact our society and economy when they
become unstable or are subject to critical vulnerabilities. There are
two historical examples that we can focus on to learn important lessons
about system complexity, security vulnerabilities in those systems, and
the effects of having to respond to threats to those systems in an
efficient and effective manner--specifically, the events surrounding
the 1929 financial markets crisis and the world-wide Internet worm
events of 2003.
In order for complex systems to be efficient, they require balance.
When they are out of balance is when they are most vulnerable, and
instability can cause loss of confidence in the systems themselves. In
financial markets, the term ``correction'' has been adopted to describe
how an unstable situation regains its balance. Such was the case in
1929 when the introduction of technologies, such as the telephone and
stock ticker, allowed for the creation of a truly national financial
market. These technologies were used to assure convenient communication
of information between individuals on a scale that had not been
available previously. Unfortunately, the convenience of communicating
information did not necessarily ensure the consistency or ethics of
communication between investors. This resulted in a situation where
technology facilitated the creation of a large-scale system, but a
relatively small amount of people capitalized on the manipulation or
control of information. The financial system rapidly went out of
balance and this necessitated a large-scale correction.
Since 1929, our nation has worked to implement controls that will
keep our financial markets balanced and efficient, and as a society we
have assigned clear responsibility for enforcing rules to assure a
balanced and sustainable financial system. Unfortunately, the maturity
found in financial market controls is not present in the area of
control systems security.
Just as in the events leading up to the financial crisis of 1929,
there were similar indications of an upcoming service disruption in the
years preceding the Internet worm incidents of 2003. The wide-scale
implementation of technology resulted in the largest computer network
that had ever been created. The ubiquity of Internet connectivity
motivated many governments, private entities, and individuals to
connect their computers to the network to take advantage of the new
communication opportunities. This full-speed-ahead approach to the
Internet was undertaken without any coordinated oversight or planning,
and it was assumed that its use involved relatively few risks.
Previous to 2003 there was relatively little attention given to
securing components connected to the Internet. Most of the efforts of
security professionals were directed at securing the core network
services that the Internet relied on and not the distributed components
that were connected to the network, which resulted in systems that were
significantly out-of-balance that impacted computer users that were
connected to the Internet. The first event was the SQL Slammer Worm
that compromised hundreds of thousands of computers and generated
enough network traffic to interrupt Internet connectivity for most of
the world's computer users. The second event of 2003 was the Blaster
Worm that infected millions of computer systems worldwide and, again,
interrupted Internet service on a global scale.
The impacts of the 2003 events provide examples of how technology
has already become a core part of the services that we rely on. When
the Slammer worm was coursing through the Internet, Bank of America's
debit and credit card operations were impacted, denying customers the
opportunity to make any transactions using their bank cards. These
incidents signaled a change in the way that individuals can and do
exploit system instability. While the problems with market fluctuations
in 1929 resulted from thousands of people interacting with the system,
the Slammer and Blaster worms were created by a small number of
individuals.
The correction that resulted in the case of the 2003 incidents was
a significant shift in the resources dedicated to computer and Internet
security. Instead of focusing on securing just the core services, the
owners of the connected components began dedicating resources to secure
their own systems. Within months, technology vendors began implementing
processes and technologies to enable systems to be more resilient to
internet-based attacks. I look back at my participation in the design
and implementation of improved technology updating services while at
Microsoft and still remember the enormous challenge that we faced in
the days following Slammer and Blaster. The problem of creating a
system that provides universal access to updates while still allowing
system owners the flexibility they need to operate predictably creates
a paradox that is yet to be resolved today. Looking across the
technology industry, each vendor and system owner has taken a different
approach to managing the risks associated with inter-connected systems.
As a result of the current fragmented approach to assuring system
resiliency, information security professionals have had to continue to
shift resources as the threats and vulnerabilities constantly change
from day to day, with very little time to look at the problem and
limited resources to coordinate a long-term strategy. For those who are
seeking a strategic view, the trend that can be identified in the cyber
security realm is that the threats consistently migrate on a ``path of
least resistance'', meaning that where one service or component may be
protected, the attackers will move to another service or component,
continuously searching out the easiest entry points to achieve their
objectives. Examples of this shift are evident in the way that core
Internet services were protected after initial denial-of-service
attacks in the mid 1990s, the increased focus on operating system
security after the operating systems of Internet-connected computers
were attacked in the late 1990s and early 2000s, and the increase in
application-specific attacks that have been seen in the last two years.
In light of the 2003 Internet worm incidents and subsequent cyber
security incidents, it is important to review the current state of
security of the components that make up our critical infrastructure
systems.
The majority of our nation's critical infrastructure is privately
owned and operated, with the asset owners being subject to market
forces as they make decisions relative to the security of their
systems. In the current situation where control system security issue
awareness is sporadic and significant incidents have not been publicly
reported, these privately-owned infrastructure systems have only
rudimentary mitigations for security risks. Despite the lack of
appropriate security controls, there are numerous examples where asset
owners have decided to increase their dependency on technology to
reduce the costs associated with having to maintain a large operating
staff. This reduction in the number of qualified operators and increase
in the number of connected systems has resulted in a significant
increase in the vulnerabilities that we see affecting control systems
today.
INL has worked through government programs, industry associations
and directly with vendors and asset owners to increase security
awareness. While significant progress has been made in this area, it is
still in the early stages of getting vendors and asset owners across
infrastructures working together. Specifically, some vendors are still
producing the components that make up infrastructure systems without
appropriate security controls or an over-arching security architecture.
Among the early and limited successes are a group of control systems
technology vendors that are cooperating through government-sponsored
partnerships to improve the security of those systems. Those efforts
are still mostly confined to post-development security reviews. Also,
in the areas of system updates, prescriptive implementation guidance
and security support processes--control system security lags
significantly behind other technology sectors.
Exacerbating the immaturity of security in control systems, most of
the deployed systems that compose our infrastructure today were
designed and deployed prior to the wide-spread availability of
networking technologies and the advent of the Internet. However, as was
mentioned previously, the lack of security has not stopped asset owners
from connecting those systems to the Internet to take advantage of
technological efficiencies in the face of increasing competitive and
resource pressures.
Today, we find ourselves at a crossroads, where millions of
infrastructure components are now connected to networks, allowing
hackers access to systems that were never designed to be exposed to
network attacks.
While recent cyber security incidents, such as theft of personal
information, denial of service attacks, and large-scale system
compromise have impacted the Internet and connected computing systems,
it needs to be emphasized that there has not yet been a wide-spread
focus by hackers on the control systems that underlie our nation's
infrastructure. Currently, vendors, asset owners, incident responders
and information security experts do not fully appreciate the potential
threat that exists to our infrastructure due to the risks created by
vulnerabilities in control systems technologies. The pervasive use of
technology, drive to ubiquitous connectivity and reduction in human
oversight in control systems has introduced critical vulnerabilities in
our infrastructure. The electricity that we depend on, the water that
we drink, the petroleum that we use to get from place to place and
financial systems we use for trade are all at some risk of being
targeted and compromised.
The NSTB program has funded 12 separate control systems security
reviews, during which INL experts have found that all of the evaluated
systems suffer from high-impact security vulnerabilities that could be
exploitable by a low-skill-level attacker, using techniques that do not
require physical access to systems. In reviewing the design and
implementation of these control systems, the INL team discovered that
in currently-deployed systems, enhanced security controls cannot easily
be implemented while still assuring basic system functionality.
With computer attackers constantly looking for new targets, they
will follow the path of least resistance, which could lead them to the
control systems that underlie our infrastructure. Information security
experts, such as Alan Paller of the SANS (SysAdmin, Audit, Network,
Security) Institute agree that without implementing risk mitigations,
control systems will continue to be vulnerable. Based on historical
examples of cyber security incidents in other technology domains, the
corrections will most likely begin with small-scale incidents focused
on economic gain, followed by the release of publicly-available
vulnerability discovery tools and then transition to large-scale
incidents designed to reduce confidence in the infrastructure systems
themselves.
As was reported by a government analyst in 2006 at a discussion in
Williamsburg, Virginia, criminal extortion schemes have already
occurred, where attackers have exploited control system vulnerabilities
for economic gain. In December 2006 an automated control system
vulnerability scanner was released allowing individuals with relatively
little experience in control systems to quickly identify
vulnerabilities. Following past correction trends, we may be on the
path towards wide-spread vulnerability and exploitation.
Another cause for concern is the increasing capability of hackers.
In a recent paper published by IBM, experts agreed that attackers are
forming a hacking industry, an underground economy that is quickly
becoming a mature industry taking advantage of economies of scale with
efficient distribution and communication channels. Raimund Genes, the
Chief Technical Officer of Trend Micro, has stated that this
underground digital economy generated more revenue than the $26 billion
that legitimate security vendors generated in 2005.
Today's ``just in time'' markets are more susceptible to control
systems security issues, whether it is the electrical utility industry,
petroleum production and refining, transportation services, or other
essential services. In the limited control system reviews and testing
that INL has conducted we have modeled scenarios where simplistic
attacks originating from the Internet could:
Degrade electric grid capacity
Impact petroleum refinery processes
Interrupt transportation networks
Compromise potable water systems
This list is composed of a brief sampling of potential outcomes. It
should also be noted that the inter-connected nature of our
infrastructure increases the potential for a high-impact correction.
Based on the Department of Energy's research of the post-Katrina
impacts on infrastructure, the second- and third-order impacts were in
sectors not directly related to the infrastructure components destroyed
by the hurricane.
Comparing the capabilities of the asset owners and infrastructure
technology vendors to the capabilities of the underground attacker
community shows the stark contrast that exists between the attackers
and the defenders. Based upon the wide-spread use of networked
technologies observed during INL assessments, it should be noted that
the complex systems that make up our nation's infrastructure are out of
balance--similar to how systems were out of balance preceding the
events of 2003.
The course of action that is necessary in light of the current
situation must be the continued decisive, coordinated, and committed
effort by government, technology vendors, and asset owners. These
efforts must start with effective awareness campaigns to educate all
sectors about the risks that they currently face, followed with clear
guidance on minimum standards for technology components of our nation's
infrastructure. This guidance must contemplate all aspects of the
technology lifecycle, including improved development standards,
implementation guidelines, operations procedures, and incident
response. Good progress has been made by progressive asset owners,
industry-initiated infrastructure protection leadership and by vendors
willing to anticipate larger market-driven requirements for more
security. The process of change will best be supported by renewed vigor
in finding ways to get tools, technology and knowledge to a larger
audience of asset owners and technology providers.
INL's recommendation is to continue to prioritize and expediently
address the issues associated with the nation's control systems
security. The use of technology in our nation's infrastructure has
improved the efficiency of infrastructure operations without
corresponding improvements in the ability to secure these newly
connected systems. For those of us working in this area the path is
clear. We must maximize cooperation among asset owners and technology
vendors to understand and improve control system security across the
entire lifecycle of this necessary and critical technology. While we
can't reduce all risk, we must work collaboratively to reduce the
impact of these occurrences.
Mr. Langevin. Thank you, Mr. Turner.
Mr. Silva?
STATEMENT OF KEN SILVA, CHIEF SECURITY OFFICER, VERISIGN
Mr. Silva. Thank you, Mr. Chairman, Ranking Member McCaul,
Congressman Lungren. I thank you for the opportunity to testify
today.
First, I want to commend and thank you for holding this
hearing. All too often, cybersecurity is only the focus of
attention after a few high-profile incidents, but it is the
daily efforts by the government and private sector that ensure
that we are prepared so that these attacks don't cause
significant economic disruption.
Make no mistake about it, cyber attacks occur every day
with increasing frequency, intensity and sophistication. For
the most part, Internet users never know these incidents
because the infrastructure is continually strengthened and
fortified to manage them. While the Internet's infrastructure
may be invisible to users, its importance cannot be
overstated.
Internet usage has grown dramatically. The dot-com bust
gave the illusion that Internet growth had slowed down, but in
fact it has grown at remarkable rates. At the height of the
dot-com boom in 2000, for example, roughly 250 million used the
Internet. Today, according to Internet World statistics, more
than 1 billion users worldwide rely on the Internet.
The technology of the Internet has transformed personal
communications, banking and finance, government processes and
manufacturing. Twenty-five percent of America's economic value
moves over network connections each day. If the Internet were
to go down for just a few hours, we would lose hundreds of
millions of dollars of economic activity. For those reasons, it
is critical that we make protecting our Internet infrastructure
a priority.
As the operator of the dot-com and dot-net domain
registries, as well as the steward for two of the 13 root
servers that serve as the nerve center for the Internet
infrastructure, VeriSign has a unique position to observe cyber
threats. The scale and scope of cyber attacks has grown
dramatically over the last decade. For example, bandwidth
demands to deal with cyber attacks have increased 150 times
since 2000.
A look at two of the largest attacks reflects how attacks
have increased. In October of 2002, the Internet community got
a wake-up call when 13 DNS root servers, which serve as the
heart of the Internet addressing system, came under heavy
denial-of-service attack. While the October 2002 attack slowed
down the Internet, it did not cripple it.
Infrastructure providers did take steps to protect the
networks to cope with this new threat, in part spurred by
concern that terrorists might target the Internet. Significant
bandwidth was added to manage future attacks and to
decentralize the infrastructure so that a single incident could
not knock out the entire root server infrastructure.
Attacks on the infrastructure did not let up, however,
although the newly fortified system was far better prepared to
handle them. An attack of that scale today is viewed as pretty
much ordinary and commonplace. Hackers, however, have become a
little bit more sophisticated. A year ago, for example, a
hacker systematically disabled over 1,500 Web sites using
approximately 32,000 hijacked PCs in a span of 6 weeks.
In an unfortunate twist, the very devices and increased
bandwidth that make the Internet more robust and user friendly,
are being co-opted to compromise the Internet. Now that
computers are always on, they are easily accessible to hackers
and other abusers to hijack. The increased bandwidth and
computing power available literally gives hackers more
ammunition to utilize against the infrastructure.
VeriSign projects that the volume of Internet attacks will
increase by 50 percent in both 2007 and 2008. We know that the
U.S. government takes Internet attacks very seriously. The
Department of Homeland Security conducts Cyber Storm, which is
the most ambitious cyber war game of its kind that tests how
over 100 government agencies, organizations and private
companies respond to threats on the Internet.
The private sector must also be ready. VeriSign recently
announced a global initiative called Project Titan to expand
and diversify its Internet infrastructure by 10 times by the
year 2010. Under Project Titan, VeriSign expects to increase
its capacity 10 times, from over 400 billion DNS queries a day
in capacity today, to more than 4 trillion per day;
substantially expand its infrastructure both domestically and
internationally--we are currently in the process of globally
deploying over 70 sites worldwide; and to improve the
monitoring infrastructure to provide a real-time, in-depth view
of the anomalous network activity, either malicious or mishap
activity.
Given the increased usage and mounting threats, the
Internet infrastructure must be continually fortified. Simply
put, if we wait for usage to reach certain levels or attacks to
take place to act, we are already too late. While the dot-com
and dot-net systems currently get more than 30 billion queries
a day, VeriSign believes it needs to continue to build a
network infrastructure that can support 10 to 100 times that
level of volume for the next few years.
What is most concerning now is a scenario where terrorist
attacks on a physical structure are combined with a cyber
attack. Today is the 12th anniversary of the Oklahoma City
bombing. It took 168 American lives. If such an attack today
were combined with a cyber incident, which could disrupt the
communication networks of those first responders, the damage
could be much more severe.
Equally concerning are the number of more subtle
penetration attempts. We are literally constantly probed for
vulnerabilities, and if we left our guard down for even a few
moments, the slightest weakness could be exploited and damage
far greater than a denial-of-service attack could occur.
I thank you for this opportunity to testify here today.
[The statement of Mr. Silva follows:]
Prepared Statement of Ken Silva
Good morning, Mr. Chairman and distinguished Members of the
Committee. My name is Ken Silva and I serve as Chief Security Officer
of VeriSign.
VeriSign operates intelligent infrastructure services that enable
and protect billions of interactions every day across the world's voice
and data networks. The company is headquartered in Mountain View,
California and it has additional corporate facilities in Virginia,
Kansas, Washington state and Massachusetts.
Thank you for the opportunity to testify today. I have a prepared
statement, which I would request be inserted in the record.
First, I want to commend and thank you for holding this hearing.
All too often, cyber security is only the focus of attention after
high-profile incidents. But it's the daily efforts by the government
and private sector that ensure that we are prepared so these attacks
don't cause significant economic disruption.
And make no mistake about it, cyber attacks occur every day, with
increasing frequency, intensity and sophistication. For the most part,
Internet users never even know of these incidents because the
infrastructure is continually strengthened and fortified to manage
them.
While the Internet infrastructure may be invisible to users, its
importance cannot be overstated. Internet usage has grown dramatically.
The dot-com bust gave the illusion that Internet growth had slowed
down, but in fact it has grown at remarkable rates. At the height of
the dot-com boom in 2000, for example, roughly 250 million people used
the Internet. Today, according to Internet World Stats, more than 1
billion users worldwide rely on the Internet.
The technology of the Internet has transformed personal
communications, banking and finance, government process and
manufacturing. Twenty-five percent of America's economic value moves
over network connections each day. If the Internet were to go down for
just a few hours, we would lose hundreds of millions of dollars of
economic activity.
For those reasons, it is critical that we make protecting our
Internet infrastructure a priority.
As the operator of the .com and .net domain registries as well as
the steward for two of the 13 root servers that serve as the nerve
center for the Internet infrastructure, VeriSign has a unique position
to observe cyber threats.
The scale and scope of cyber attacks has grown dramatically over
the last decade. For example, bandwidth demands to deal with cyber
attacks have increased 150 times since 2000. A look at the two largest
attacks reflects how attacks have increased.
In October 2002, the Internet community got a wake-up call when the
13 DNS root servers, which serve as the heart of the Internet
addressing system, came under heavy denial of service (DoS) attack.
While the October 2002 attack slowed down the Internet, it didn't
cripple it.
Infrastructure providers took steps to protect the networks to cope
with this new threat, in part spurred by concern that terrorists might
target the Internet. Significant bandwidth was added to manage future
attacks and to decentralize the infrastructure so that a single
incident could not knock out a root server. Attacks on the
infrastructure did not let up, although the newly fortified system was
far better prepared to handle them.
An attack of that scale today is viewed as ordinary and
commonplace.
Hackers, however, have become much more sophisticated. A year ago,
for example, a hacker systematically disabled over 1,500 websites using
approximately 32,000 hijacked PCs. In these attacks, the hacker didn't
directly attack the domain-name servers. Instead, they sent their
traffic to a legitimate server with a DNS query and a forged source
address. This attack was also amplified by 70x.
In an unfortunate twist, the very devices and increased bandwidth
that make the Internet more robust and user friendly are being co-opted
to compromise the Internet. Now that computers are always-on, they are
easily accessible to hackers and other abusers to hijack. The increased
bandwidth and computing power available literally gives hackers more
ammunition to utilize against the infrastructure. VeriSign projects
that the volume of Internet attacks will increase by 50 percent in both
2007 and 2008. In addition, massive infrastructures such as telephony,
television, and mobile communications will migrate to the Internet.
We know that the U.S. Government takes Internet attacks very
seriously. The Department of Homeland Security conducts ``Cyber
Storm,'' the most ambitious cyber wargame of its kind that tests how
over one hundred government agencies, organizations and private
companies respond to threats to the Internet.
The private sector must also be ready. VeriSign recently announced
a global initiative called Project Titan to expand and diversify its
Internet infrastructure by ten times by the year 2010.
Under Project Titan, VeriSign expects to:
Increase its capacity 10 times from 400 billion DNS
queries a day to 4 trillion a day. By doing so, VeriSign will
ensure that the infrastructure is prepared not only for
attacks, but the dramatic increase in Internet usage driven by
Internet-enabled mobile devices and social networking
applications.
Substantially expand its infrastructure both
domestically and internationally. VeriSign is in process of
globally deploying over 70 DNS constellation sites. These sites
will distribute Internet traffic and enable us to isolate
attacks as they happen.
Improve the monitoring infrastructure to provide a
real-time, in-depth view of anomalous network activity, either
malicious or mishap.
Given the increased usage and mounting threats, the Internet
infrastructure must be continually fortified. Simply put, if we wait
for usage to reach certain levels or attacks to take place to act, we
are already too late. While the .com and .net systems currently get
more than 30 billion queries a day, VeriSign believes it needs to
continue to build a network infrastructure that can support 10 to 100
times that level of volume in the next few years.
What is most concerning now is a scenario where terrorist attacks
on a physical structure are combined with a cyber attack. Today is the
12th anniversary of the Oklahoma City bombing that took 168 American
lives. If such an attack today were combined with a cyber incident that
took down or disrupted our communications networks the damage could be
much more severe.
Equally concerning are the number of more subtle penetration
attempts. We are literally constantly probed for vulnerabilities and if
we left our guard down for even a few moments, the slightest weakness
could be exploited and damage far greater than that of a denial of
service attack could occur.
We have all witnessed, and learned, a lot over the last decade. We
have had tragic reminders that our critical infrastructure and national
symbols are targets. We have seen how not adequately preparing for
events can have disastrous consequences.
We know that the Internet is often taken for granted. But the operators
of that infrastructure must never take it for granted. We must remain
vigilant in understanding what is driving the growth of the Internet
and the malicious efforts of some who wish to disrupt it.
Thank you for the opportunity to testify here today.
Mr. Langevin. Gentleman, I thank you for your testimony.
I will now recognize myself for questions, beginning with
Mr. Turner.
I wanted to ask why haven't we seen a widescale event take
place if these systems are so easy to access? Without widescale
events, what is the motivation for users to secure them? And
how do we educate the owners and operators of these systems?
And finally, will the systems ever be 100 percent secure?
Mr. Turner. Thank you for the opportunity to respond.
For your first question, why haven't we seen a major
incident to date. There are a couple of factors that influence
that, the first one being that for the vast life-span of these
systems, they have not been connected to any network of any
sort.
But as I mentioned in my testimony, the private
infrastructure owners who manage these systems, they are
private entities and they are subject to market forces and
resource constraints. So when they have the opportunity to
reduce staff to improve efficiency, they usually defer to
connecting them to some sort of network to control them
remotely.
Based upon our research that we have seen and the
assessments that we have conducted at INL, we see a significant
increase in the number of connected systems in the last year.
So we believe that we have not seen a major incident to date
because of the lack of connectivity, but that ecosystem is
changing.
Does that address your first question?
Mr. Langevin. Yes, sure.
Mr. Turner. The second one, how to educate. There are
really three parts to the awareness equation that need to be
taken a look at here. This problem cannot be solved by just
focusing on the infrastructure owners or just focusing on the
vendors. It has to be a holistic solution. So the vendors first
need to be made aware of these types of vulnerabilities very
early in the life-cycle of these systems, so that these
vulnerabilities are not created when the product is shipped to
the customer.
Also, the customer needs to be informed about how to make
sure that they deploy the systems in the correct way, and how
to recognize an insecure architecture. And then the third
aspect is we need to make sure that our law enforcement
officials and incident responders understand what an incident
looks like. We don't really have a solid understanding of what
an incident in this area looks like because nothing big has
happened yet.
And then the last one, how can we be 100 percent certain,
or do we need to get to 100 percent security.
Mr. Langevin. Will we ever get to 100 percent?
Mr. Turner. I think, as was mentioned before in prior
testimony, security is a snapshot of a moment in time. The
threat always changes. The vulnerabilities are introduced. So I
don't believe you can ever have a dynamic, effective,
productive system and be 100 percent secure. It would violate
the reason why you built it.
What you have to have in place are mitigations that help
you get the business accomplished, while still monitoring the
integrity of that system. So you have to make sure that you
take a balanced response in making sure the system does its
job, but that it can be monitored and maintained, and its
integrity can be maintained over time.
Mr. Langevin. Gentlemen, why do you think our nation isn't
doing enough in the area of control system security? Why does
the government need to get involved? Where are the leadership
areas that are appropriate for government? And how can federal
regulation be used to improve the CIP posture? What areas are
not appropriate for government, as well as what areas are
appropriate?
Mr. Turner. Why are we not doing enough? Based upon my
professional experience, I have seen what it takes to conduct a
global information security program within a company like
Microsoft; what it takes to make sure that the developers of
the technology understand things; that the implementers
understand things; and the end-customers understand it, too.
When I compare the insights that I have into the budget
that a company like Microsoft spends on a global information
security improvement program, and I compare that to the insight
that I have into what we are doing as a country to protect our
critical infrastructure, the budget being spent by Microsoft is
a magnitude order greater than what we are spending as a
country in this area. So that is the first comparison that I
would make.
As far as leadership, I think that government leadership
should rely in areas such as setting a good example of how to
secure government systems so that the critical infrastructure
providers can look to the government as a leader in the space,
and then also serve as a coordinator among different experts so
that the expertise can be shared across the ecosystem.
The last point of your question as far as regulation, I
think government should get involved to assure a level playing
field. There should be minimum standards that are established
so that it is clear for all of the technology vendors and the
infrastructure owners what constitutes the minimum here.
I think a good example of that is some of the work that INL
has done in conjunction with the DHS program for a procurement
standard, meaning that you can teach the infrastructure owner
what the minimum standard should be for those systems before
you buy them and before you install them. We need to do that
across the ecosystem, though.
Mr. Langevin. Mr. Silva?
Mr. Silva. I don't disagree with anything Mr. Turner said,
except that in listening to the earlier panel and listening to
some of the description of what they had to go through and how
they had to do some risk analysis and make some decisions on
whether to take these machines off or not, is not uncommon from
what almost any company in the world would go through if they
experienced a very similar type of incident.
Patch management and the ability to keep systems updated
and secure, for instance you could put a computer on the
network today and you have cleaned all of the vulnerabilities
that you know about today. Tomorrow, there may be 200
vulnerabilities attached to that machine that you didn't know
about when you put the machine on, or it could be a year from
now, et cetera.
The ability to be able to keep those machines updated and
patched is a challenge that this industry has been facing for a
decade, and still hasn't completely solved the problem.
Different companies deal with it in different ways. Trying to
keep the systems secured to a common level and establishing a
baseline for that, frankly that baseline would be probably
obsolete by the time the ink dried on it in many cases.
A lot of our government agencies, as well as our private
companies are facing a lot of compliance issues, where they are
dedicating a lot of time to trying to meet somebody's
interpretation of what a minimum standard is, and not adapting
to what the new challenges are. So I think that there is a fine
line to walk here between holding people accountable and
regulating it.
Mr. Langevin. Thank you.
The chair now recognizes the ranking member of the
subcommittee, Mr. McCaul, the gentleman from Texas, for 5
minutes.
Mr. McCaul. I thank the chair.
This is kind of a big picture question, but today
vulnerabilities are discovered, found. Who do you believe is
responsible to lead that effort to mitigate the risk? Who takes
the lead?
Mr. Silva. Well, today, the government agency that we look
to for that is the US-CERT. They are considered the authority
of database for vulnerabilities and exploitation management. So
we typically use them as the authoritative source for the
contents of what those vulnerabilities are. They will typically
list some mitigation strategies associated with that.
Mr. McCaul. Do you believe that they are providing that
leadership today at an adequate level? Is there more that they
could be doing?
Mr. Silva. Well, I think that there is always more anybody
could be doing, but yes I do think that they are actually doing
a pretty good job at that. As a matter of fact, I think that
when you look at the NCSD, for example, okay? I think that they
are a model for a public-private partnership in terms of
relationship. I was fascinated at the amount of information
that they started providing us once we got into that pool of
people, if you will, or industries that they support.
NCSD provides a lot of information to us daily. Could it
always be better? Nothing is ever perfect. I believe that every
day they improve it. So I think they know it could be better
and they constantly strive to do that.
Mr. McCaul. What needs to be done to engage the private
sector more in this area? We heard from Mr. Turner that the
private-sector security is not always where it should be. What
needs to be done to really bring in the private sector more to
make them more of a leader in this area?
Mr. Silva. I am sure Mr. Turner will have something to say
about this, but I will just say a couple of words on that. I
think as long as it is viewed as a partnership, and you are not
asking the private sector to just come in and sort of donate a
bunch of effort and a bunch of time, and all of a sudden deep
dark secrets wind up in the press. I think some of the issues
have been addressed with respect to what information could be
retrieved from FOIA, with information sharing. I think that was
a big step in the right direction. We have seen a lot of
positive movement because of that.
So I think the biggest thing is to approach it as a
partnership. It is a give and take. The good news is that I
think that NCSD has taken their relationship with the private
sector, they bring that information together; they sort of
sanitize it, anonymize it, if you will, and then they can
produce a cohesive report. Literally every day, they produce a
daily summary of what the situation is.
Mr. McCaul. So the FOIA exception that was passed that
would protect your reporting a vulnerability, which obviously a
private company is not going to want to report that for obvious
reasons--shareholders and stock price. That has helped in the
information sharing process with the government, in your view.
Mr. Silva. It absolutely has. In fact, if you break this
down a little bit, Mr. Dixon cited earlier that there were a
number of vulnerabilities and incidents that had been reported,
and it was tens of thousands. It is a big number. Bear in mind
that that number is only from the people who have willingly
reported it, and I dare say that the number is significantly
higher that goes unreported.
Mr. McCaul. Mr. Turner, you said something that caught my
attention. You said that experts have found that all the
systems suffer from high-impact security vulnerabilities that
could be exploited by a low skill-level attacker. We always
hear the story about the teenager learning how to hack into a
computer network system and crash it, and then we think about
that kind of capacity, that sort of skill on the part of a
criminal or in the worst-case scenario, a terrorist.
Yet, that is what you are reporting the experts have found.
How do we strengthen that system so low skill-level, which
would include obviously not a whole lot of knowledge to do it.
How do we greater protect the system?
Mr. Turner. As I mentioned previously, the best way to
approach this is holistically, meaning that you have to
motivate the vendors to start including better security
controls in the base technologies themselves. And then you also
have to make sure that the infrastructure owners are properly
trained to architect those systems properly so they don't
defeat the security controls that the vendor develops.
And so in the case that further on in the testimony you
will notice, some of the existing systems cannot necessarily be
retrofitted with security technologies or enhanced security
controls, while still maintaining system reliability. So that
is going to be the barrier to entry for improved security for
these private infrastructure owners. They are going to be the
ones who have to make that decision of when do we rip and
replace; what is the pain threshold that we have to go through.
I think the role of government there is establishing this
level playing field so that people understand these are the
minimum standards, and then you defeat some of the market
forces and the resource constraints that these private
infrastructure owners are apparently under. So it is a
combination of government motivating the private infrastructure
owners to make the investment; informing the technology vendors
about how to go about improving the technology; and then
informing the infrastructure owners how to deploy it properly.
I think that is the three-phase approach.
Mr. McCaul. Do you agree with that, Mr. Silva, from the
private-sector standpoint?
Mr. Silva. Yes, I do. I think that certainly incentives,
whether positive or negative, definitely have an impact on that
sort of thing. In terms of the vendors actually incorporating
security into their software or their products, there is a huge
challenge in that it still has to be usable, okay?
So BlackBerrys, for example, are a very useful tool and a
lot of people use them, but not a lot of people want to have to
enter a password every time that they want to check their e-mail
on that. So what happens is that they frequently turn it
off, making it far less secure if you leave that on an
airplane, and someone picks it up, and they basically have your
whole mailbox.
So there is a tradeoff between usability and security.
Unfortunately, oftentimes, things that are more convenient are
often less secure because of that.
Mr. McCaul. If I can just throw one last one, in terms of
when we are talking about vulnerabilities--and if you can't
give me a specific percentage breakdown, I understand--but how
much are we vulnerable because of technology weaknesses in the
system, versus just what you talked about, and that is, for
lack of a better term, operator error?
Mr. Silva. Oftentimes, the biggest vulnerability in any
network sits between the keyboard and the back of the chair. So
what will frequently happen is that users will make the system
more accessible for themselves, their children, their
coworkers, you know, what have you. And by and large, and the
thing we have not really talked about here today is the insider
threat, not just outsider threats, but insider threats.
In fact, most of the most serious penetrations in networks
have actually occurred from inside the network, where people
actually steal the money or steal intellectual property from
inside the company. But oftentimes, people will do things for
their own convenience which inherently make the system less
secure.
Mr. Turner. And we would back that up with the findings
that we have had in our assessments. You can make the best,
most secure technology, but if it is inconvenient in the end-user's
perspective, it often gets disabled. So it is an
awareness issue all the way through to the end-user.
Mr. McCaul. Thank you. I see my time has expired.
Mr. Langevin. I thank the gentleman.
The gentleman from California, Mr. Lungren, is recognized
for 5 minutes.
Mr. Lungren. I thank the gentleman.
I thank the gentleman from Texas for leaving me some time.
I appreciate this.
[Laughter.]
Mr. McCaul. I was trying to filibuster.
[Laughter.]
Mr. Lungren. Mr. Chairman, I would just like to suggest if
we are going to conduct hearings on these high-technology
issues here, we might ask if they could at least get the two
clocks to be coordinated.
[Laughter.]
According to one, it is 8 minutes to 10:00, and the other
one says it is 7 minutes after 7:00.
Mr. Langevin. I would check my BlackBerry, but I don't know
if that is working right now.
[Laughter.]
Mr. Lungren. Well, for security reasons, no one knows what
time it is.
Here is the question. In the private sector, how do we make
them do more than they are doing now, because you are talking
about these control systems that are controlling more and more.
How do we get them to understand better that security of this
nature is acceptable to their bottom line? In other words, if I
sell a product, my bottom line is expressed in some ways by the
more attractive I make my product. So the user sees air
conditioning in the car; sees a new transmission, those sorts
of things.
Here you are selling products to individuals who want to
make it user-friendly, want to make sure it works, but embedded
in that is the threat against security. Therefore, embedded in
that has to be the security against that invasion. How do we
make it real for a CEO to listen to his I.T. security guy, the
man or woman who comes in and says, there is this
vulnerability, but--and I am quoting you, Mr. Silva--there are
all kinds of vulnerabilities out there. There are attacks going
on every day. Everybody sort of has them.
How do I improve my product--and of course, we are talking
about critical infrastructure--how do I improve it so that I
can show my bottom line to my shareholders, to the taxpayers,
to whoever, when perhaps the possibility of a catastrophic
event is very small, but the consequence is huge. How do we do
that when it is hidden the way it is, as you suggested?
Mr. Turner. The first approach that you have to look at
this is you are exactly right. In a true risk management
equation, without threat, without some sort of overt act, or
some sort of large incident, it is very tough to drive purely
business-focused people, because they can't manage an unknown
threat. You can talk about the worst impact in the world, but
until there is some sort of incident, most times the people who
are in pure risk management situations will not take any
action.
So with that sort of backdrop, you have to move into a
situation where the people who manage the business of providing
critical infrastructure are educated for the vulnerabilities
that exist in their systems. In many cases, they don't
understand. Now, that education is where we have been spending
a lot of effort, reaching out to industry at INL to help
educate folks, but still there is a long ways to go.
Mr. Lungren. So the government could do a lot in terms of
education. I think that is an obligation.
The next question is, what do we do in terms of regulation?
If we do regulation, what is the nature of that regulation?
Because if we do try and articulate what the range of fixes
are, as you suggest, before the ink is dry, that may not be the
right fix.
So what is the--if you have any suggestions for us--the
parameters of our legislative action that would create the
incentives for this kind of protection you are talking about,
on the one hand, and not diminish the ingenuity of the private
sector, where they might find a fix that we haven't even
thought about, but they are doing that job.
I know that is a general question, but that is really the
tough thing that we have here.
Mr. Silva. It is a very fair question. Some of this was
sort of addressed. Some examples of what you are talking about
are things like the SAFETY Act, for example, where if you meet
a minimum set of standards, you know your liability is limited,
those sorts of things. There has to be some form of an
incentive to get the average company to participate in an
aggressive security activity.
Some examples where we have seen some improvement have been
around Sarbanes-Oxley, okay? So Section 404 of that sort of
suggests some security measures which need to be taken, and the
board holds them accountable. But when a CSO walks into the
CEO's office and says, boss, I need $100 million to enhance the
infrastructure because it might go down for 1 hour in the next
3 years, okay? If I were a bank, I might accept that risk and
say it is not worth $100 million to me. I can afford to be down
3 hours in the next 3 years.
At VeriSign, we don't have that luxury, because if we go
down, every enterprise is down for 3 hours, and that is not a
luxury we have. So I am fortunate as a CSO in that my CEO gets
it, but I don't think that you can make business sense to most
CEOs that you want to spend tens or hundreds of millions of
dollars fortifying an infrastructure with no financial return
on it. So that is the challenge.
Now, what Congress can do in particular is if you want
strengthened software and better products, then insist on it
when you buy them.
Mr. Lungren. So we will spend more money.
Mr. Silva. You are already spending the money, right? You
are already spending the money. You decide who you are going to
spend it with based on the capabilities that they offer. This
is not unprecedented. It has happened in the past.
Mr. Turner. To back up his comments, I think what is
important is that if you are looking to take action, the first
thing you can do is help to dedicate folks towards specific
aspects of the area, so there is no one-size-fits-all security
mechanism. Help the private folks categorize and prioritize
their assets that support critical infrastructure, and then
help them, motivate them to whatever mechanism you deem most
appropriate to move towards something that is more proactive
from the security perspective.
Mr. Langevin. The time has expired.
I want to thank the witnesses for their very valuable
testimony and the members for their questions.
This is not the last hearing that we hold on cybersecurity,
I can promise you that. I look forward to working with you as
we go forward. The issue is too important to ignore.
Again, we thank you for your testimony here today.
The members of the subcommittee may have additional
questions for the witnesses, and we will ask you to respond
expeditiously to those questions.
Hearing no further business, the subcommittee stands
adjourned.
[Whereupon, at 3:56 p.m., the subcommittee was adjourned.]
APPENDIX A
----------
Prepared Statements
Prepared Statement of the Honorable James Langevin, Chairman,
Subcommittee on Emerging Threats, Cybersecurity, and Science and
Technology
Ladies and gentlemen, welcome to the Subcommittee on
Emerging Threats, Cybersecurity, Science and Technology hearing on the
hacking of federal systems and privately-owned critical infrastructure.
I'd like to begin by thanking the witnesses who appear
before us today, and I appreciate your testimony.
I'd like to focus my remarks this afternoon on our first
panel, which will discuss the security of information technology on the
federal level.
Let me be clear about the threat to our federal systems: I
believe that the infiltration by foreign nationals of federal
government networks is one of the most critical issues confronting our
nation.
The acquisition of our government's information by
outsiders undermines our strength as a nation. If our sensitive
information is stolen and absorbed by our enemies, we are strategically
harmed.
Over time, the theft of critical information from
government servers could cost the United States our advantage over our
adversaries. This is a most critical issue that we cannot afford to
ignore any longer.
Today we're hearing from several agencies that have
experienced significant cyber attacks against their systems.
These are not the only agencies experiencing these
problems. They are simply the only attacks that have been made public.
In October 2006, hackers operating through Chinese
Internet servers launched an attack on the computer system of the
Bureau of Industry and Security (BIS) at the Department of Commerce.
The hackers penetrated the computers with a ``rootkit''
program, a form of software that allows attackers to mask their
presence and then gain privileged access to the computer system.
In reviewing the Commerce testimony for today's hearing, I
am troubled by several things.
Though Commerce learned on July 13 that its computers were
first infected, this was not the date of initial infection. In fact,
Commerce has no idea how long the attackers were inside their systems,
nor do they know if the attackers are still within their systems. As
far as I can tell from the responses, rogue tunnel audits,
authentication changes, and complete machine rebuilds have not
occurred.
We're also not sure how much information was lost. Though
Commerce tells us that data was not ``lost,'' data can easily be
``copied'' and sent outside through the Internet.
Unfortunately, Commerce isn't the only federal agency with
a problem.
Prior to the Commerce hack, in June 2006, hackers accessed
networks at several State Department locations, including its
Washington headquarters, and inside the Bureau of East Asian and
Pacific Affairs.
They did so by sending a socially-engineered email to an
employee. The employee opened the Microsoft Word document attachment,
which contained an exploit code.
I am concerned about the temporary fix that State put in
place.
Security authorities that I have spoken with are highly
dubious about the success of ``temporary wrappers,'' the kind which
State had to put in place due to the absence of a Microsoft patch for
several months.
Most targeted attacks involve rootkits, which cannot be
detected or stopped by a ``temporary wrapper.'' I don't understand,
therefore, why State wouldn't take its entire system offline for a full
kernel inspection.
In reading State's testimony, I believe that State made
the determination that accessibility to data is more important than
confidentiality and integrity. If State really valued confidentiality
and integrity, they would have taken the system offline and done a
full wash.
Both agencies insist that these attacks are less serious
because they involve ``unclassified servers.'' I disagree.
As you are no doubt aware, FISMA requires federal agencies
to track down and identify every device and system on an agency's
network, and to make sure that the network topology is fully described.
As we learned last week, both State and Commerce received
F's in the latest round of FISMA scores. According to page 10 of the
Fiscal year 2006 FISMA Report to Congress, the Inspector General at the
Department of State reported that the agency did not complete at least
50% of its system inventory. The IG at the Department of Commerce
certifies that at least 96% of Commerce systems have been inventoried.
I will suggest to our panelists today that if they can't
certify their network topologies to FISMA, then they can't know for
certain whether these incidents don't involve the classified networks.
Furthermore, just because these attacks are occurring on
the unclassified network does not mean this isn't sensitive
information. Information that may be deemed ``classified'' in the
future may first appear on an unclassified network.
But this isn't just about Commerce and State.
I am disappointed and troubled with the Department of
Homeland Security's progress in securing cyberspace.
The Department is the agency responsible for securing the
nation's critical infrastructure, and yet they received a ``D'' this
year on its FISMA score. It is the first time since 2003 that the
Department did not receive an ``F.''
Our issue today is with the NCSD, but I'll be honest with
you: I don't know how the Department thinks it's going to lead this
nation in securing cyberspace when it can't even secure its own
networks.
Not only are these grades embarrassing, it's dangerous.
Think about all of the critical information the Department is keeping
on its networks. I can assure everyone here that the kinds of questions
that have been asked to the State Department and the Commerce
Department will be asked to DHS.
With regard to NCSD's response to these incidents, I have
a few thoughts.
It is my understanding that NCSD does not adequately share
commonalities of attack information with other agencies that may be at
risk. For instance, an agency like Commerce or State that has been
hacked by a ``zero-day exploit'' will provide this information to the
NCSD. But the NCSD can't just sit on that information.
We need the NCSD to be the group that fuses information
from across the federal government together and distributes a product
for agencies to use.
Unfortunately, I understand that NCSD does not have
protocols in place to share this kind of information with other agencies
in the federal government or perform that level of work.
This subcommittee will continue to monitor these issues to
ensure that information sharing and technical response improves.
In closing, I think these incidents have opened up a lot
of eyes in the halls of Congress.
We don't know the scope of our networks. We don't know
who's inside our networks. We don't know what information has been
stolen.
We need to get serious about this threat to our national
security.
Prepared Opening Statement of the Honorable Bennie G. Thompson,
Chairman, Committee on Homeland Security
I want to thank Chairman Langevin for holding this
critical hearing.
I've been tracking this issue for some time now.
In October 2006, when the world first learned of the
hacking incident at the Department of Commerce, I sent a letter to the
Assistant Secretary for Cybersecurity, Greg Garcia, asking several
specific questions about the role of the Department in responding to
this incident.
Unfortunately, I never received a response back from the
Department.
I understand that I'm not the only one being left in the
dark when it comes to the Department's efforts in cybersecurity.
If I understand Chairman Langevin correctly, many federal
agencies are waiting for the Department to provide them with timely
intelligence and recommendations about hacking incidents at the federal
level.
Many in the private sector are also telling me that the
Department is failing to provide the guidance and partnership necessary
to successfully secure cyberspace.
It is clear that our government, working together with the
private sector and academia, must do more to ensure that cybersecurity
is a priority in our nation's homeland security strategy.
In 1996, the United States government undertook the first
national effort to secure our networks.
Unfortunately, I don't believe that we are any further
along today in our efforts to secure cyberspace.
Programs and initiatives that were developed over the past
ten years have been dismantled and, in certain instances, are just now
being re-created by the government.
We can see that this Administration views its priorities
in cyberspace differently from the last Administration.
The most senior ranking official within the Administration
exclusively responsible for cybersecurity has gone from being a Senior
Advisor to the President to an Assistant Secretary position buried
several layers down in the Department of Homeland Security bureaucracy.
I'm glad to read in Mr. Dixon's statement that
``coordinating better cyber security practices across the Federal
government'' is one of Secretary Chertoff's ``highest priorities.''
But this rings hollow to me when I think about how long it
took him to appoint an Assistant Secretary for Cybersecurity.
I also wonder why the Secretary believes that this
Department will be able to coordinate better cyber security practices
across the Federal government, when his own Chief Information Officer
just received a ``D'' in the recent FISMA grades.
Finally, I'm wondering why the Secretary wouldn't send Mr.
Garcia up on this first panel to testify. I can think of no better
opportunity for him to work on coordinating better cyber security
practices across the Federal government than sitting next to the State
and Commerce Departments at this hearing.
I look forward to hearing the testimony and I appreciate
the witnesses for being here today.
APPENDIX B
----------
Additional Questions and Responses
Questions from the Honorable James R. Langevin, Chairman, Subcommittee
on Emerging Threats, Cybersecurity, and Science and Technology
Responses from Jerry Dixon
Question 1: What kinds of products does the Department provide to
other agencies when the Department hears about a ``zero day'' exploit?
Does the Department send intelligence products to other agencies
suggesting ways that they can remedy the vulnerability? Does the
Department send patches that agencies can install on their own systems?
Response: Zero-Day Exploits
A zero-day exploit is one that takes advantage of a security
vulnerability previously unknown to the general public. In many cases,
the exploit code is written by the same person who discovered the
vulnerability. By writing an exploit for the previously unknown
vulnerability, the attacker creates a potent threat since the
compressed timeframe between public discoveries of both the exploit and
vulnerability makes it extremely difficult to defend against. In many
cases, the critical nature of the exploit puts the vendor in the
spotlight with the pressure to create a fix as soon as possible.
Defending against zero-days is a difficult task for even the most
vigilant administrator or experienced computer user. Establishing and
following best practices is still the best defense in network security.
These practices will help organizations decrease risks and determine
incident response procedures should a need occur.
US-CERT Vulnerability Disclosure Policy
To support its operational mission, the United States Computer
Emergency Readiness Team (US-CERT) focuses its programs and initiatives
on enhancing situational awareness, increasing collaboration across
Federal operational security teams, preventing or quickly containing
cyber incidents, and providing for inter-agency coordination during a
cyber event. US-CERT established a vulnerability remediation process
and a national alert system in order to collect, mitigate, and
disseminate vulnerability information to Federal, public, and private
partners.
Vulnerabilities reported to US-CERT are forwarded to the affected
vendors as soon as practical after the report is received. Extenuating
circumstances, such as active exploitation, threats of an especially
serious (or trivial) nature, or situations that require changes to an
established standard may result in earlier or later disclosure. US-
CERT's goal is to balance the need of the public to be informed of
security vulnerabilities with the vendors' need for time to respond
effectively. The final determination of a publication schedule is based
on the best interests of the overall community.
US-CERT provides Federal agencies and the public with actionable
information regarding zero-day exploits in the form of technical and
non-technical cyber alerts. These products are posted on the US-CERT
public website, as well as distributed through the National Cyber Alert
System. Federal agencies receive this information at the same time it
is disclosed to the public.
The cyber alerts contain recommendations and work-arounds for risk
mitigation. After coordinating with vendors and gathering as much
technical and threat information as possible, US-CERT takes steps to
notify end users about the vulnerability. US-CERT strives to disclose
accurate, neutral, objective information focused on technical
remediation and mitigation. Targeting a technical audience (system
administrators or others who are responsible for securing and patching
systems), the alert describes the vulnerability in some detail,
providing sufficient information for the user to make an informed
decision about the risk. US-CERT will reference other available
information and correct misinformation when possible.
US-CERT provides patch information and links for patches that can
be downloaded as soon as they are available from the vendor. US-CERT
does not create, nor does it endorse the use of third-party patches,
for they are considered ``buyer-beware'' and could introduce new
problems or unforeseen configuration issues. Instead, US-CERT
recommends that all organizations consider their options carefully and
work with the vendor when faced with a zero-day threat.
Question 2: What is the role of Assistant Secretary Garcia in the
FISMA process?
Response: The Federal Information Systems Management Act (FISMA)
directs OMB to maintain a Federal information security incident center
to perform the following functions: 1) provide timely technical
assistance to agency information system operators; 2) compile and
analyze incidents that threaten information security; 3) inform agency
information system operators about current and potential information
security threats and vulnerabilities; and 4) consult with the National
Institute of Standards and Technology (NIST), agencies or offices
operating or exercising control over national security systems. It also
requires all Federal civilian agencies to implement FISMA and to ensure
the operation of a central Federal information security incident
center. Although FISMA assigns this function to OMB, the Director of
OMB has, in turn, issued guidance to Federal departments and agencies
stating that DHS' US-CERT performs these responsibilities, which is
under the leadership of Assistant Secretary Garcia.1
FISMA requires all Federal civilian agencies to notify the National
Cyber Security Division (NCSD)/US-CERT of any data breaches,
unauthorized access, or suspicious activity, including the loss of
personally identifiable information (PII) within one hour of discovery.
US-CERT collects this information to identify trends and provides
regular reports to OMB. NCSD is promoting the need for Federal agencies
to commit adequate resources to strengthen their networks, and to
utilize robust technology security requirements in the procurement
process combined with reasonable security practices.
Question 3: In your experience, what percentage of governmental
network security weaknesses are technology based and what percentage is
based upon the failure to follow necessary protocols and procedures? In
other words how many weaknesses are based on a lack of the proper
security tool and which are based on network operator error?
Response: All Federal agencies face ongoing challenges to maintain
the security of their systems, which include both addressing security
weaknesses and ensuring that processes and procedures are in place and
followed to maintain security.
Based on the experience of NCSD/US-CERT, the two greatest
weaknesses in Federal government networks stem from the inherent
vulnerabilities in operating systems, application software, and/or
protocols, as well as the lack of user training/education. New exploits
for vulnerable technology are discovered, targeted and exploited on a
daily basis. In addition, end users are many times the greatest
weakness, as they continually open unsolicited e-mail, respond to
unsolicited e-mail, are sometimes targeted by e-mail, and visit
malicious websites that can lead to intrusions.
The NCSD/US-CERT maintains a number of programs and initiatives
that focus on increasing security across the Federal government, which
serve to address security weaknesses, improve awareness about good
security practices, enhance coordination during a cyber event, and
increase collaboration among Federal operational security teams. An
example of this is the Government Forum of Incident Response and
Security Teams, which is comprised of over 400 members from Federal
Operational Security Teams, Chief Information Security Officers, and
information security policy makers. In addition, the National Cyber
Response Coordination Group (NCRCG) comes together for National
Response Plan implementation or incident coordination. The NCRCG is
comprised of cyber security experts from all of the cabinet
departments, and facilitates inter-agency coordination activities in
response to major cyber incidents affecting the public or private
sector.