[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



 
                          THE CYBER INITIATIVE

=======================================================================



                                HEARING

                               before the

                     COMMITTEE ON HOMELAND SECURITY

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 28, 2008

                               __________

                           Serial No. 110-98

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC] [TIFF OMITTED] 


                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________


                     U.S. GOVERNMENT PRINTING OFFICE

44-063 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, 
Washington, DC 20402-0001


                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman

Loretta Sanchez, California          Peter T. King, New York
Edward J. Markey, Massachusetts      Lamar Smith, Texas
Norman D. Dicks, Washington          Christopher Shays, Connecticut
Jane Harman, California              Mark E. Souder, Indiana
Peter A. DeFazio, Oregon             Tom Davis, Virginia
Nita M. Lowey, New York              Daniel E. Lungren, California
Eleanor Holmes Norton, District of   Mike Rogers, Alabama
Columbia                             David G. Reichert, Washington
Zoe Lofgren, California              Michael T. McCaul, Texas
Sheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania
Donna M. Christensen, U.S. Virgin    Ginny Brown-Waite, Florida
Islands                              Gus M. Bilirakis, Florida
Bob Etheridge, North Carolina        David Davis, Tennessee
James R. Langevin, Rhode Island      Paul C. Broun, Georgia
Henry Cuellar, Texas
Christopher P. Carney, Pennsylvania
Yvette D. Clarke, New York
Al Green, Texas
Ed Perlmutter, Colorado
Bill Pascrell, Jr., New Jersey

       Jessica Herrera-Flanigan, Staff Director & General Counsel

                        Todd Gee, Chief Counsel

                     Michael Twinchek, Chief Clerk

                Robert O'Connor, Minority Staff Director

                                  (II)

                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security..............................................     1
The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas........................................     2
The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island:
  Prepared Statement.............................................     4

                               Witnesses

Ms. Karen Evans, Administrator, Electronic Government and 
  Information Technology, Office of Management and Budget:
  Oral Statement.................................................     6
  Prepared Statement.............................................     8
Mr. Robert D. Jamison, Under Secretary, National Protection and 
  Programs Directorate, Department of Homeland Security, 
  Accompanied by Mr. Scott Charbo, Deputy Under Secretary, 
  National Protection and Programs Directorate, Department of 
  Homeland Security:
  Oral Statement.................................................    11
  Prepared Statement.............................................    12

                                Appendix

Questions From Honorable Yvette D. Clarke........................    35


                          THE CYBER INITIATIVE

                              ----------                              


                      Thursday, February 28, 2008

                     U.S. House of Representatives,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:13 a.m., in 
Room 311, Cannon House Office Building, Hon. Bennie G. Thompson 
[Chairman of the committee] presiding.
    Present: Representatives Thompson, Harman, Christensen, 
Etheridge, Langevin, Green, McCaul, Dent, and Brown.
    Chairman Thompson [presiding]. The committee will come to 
order.
    The committee is meeting today to receive testimony on the 
Cyber Initiative. The infiltration and exploitation of Federal 
Government networks and critical infrastructure networks is one 
of the most critical national security issues confronting our 
country today.
    Public reports suggest that Federal networks have been 
under attack for years. These attacks have resulted in the loss 
of indeterminate amounts of information. The purpose of today's 
hearing is to discuss the administration's proposed Cyber 
Initiative, a proposal that attempts to reduce the 
vulnerability of our Federal computer networks and critical 
infrastructure and the consequences of attacks against these 
networks.
    We aim to discuss several things today, including the 
consolidation of trusted internet centers, known as TICs, which 
would reduce the number of Federal connections to the internet 
and allow for easier monitoring of incoming and outgoing 
traffic, the implementation of the Department of Homeland 
Security's cyber monitoring capabilities throughout Federal 
agencies, known as Einstein, the privacy implications of 
electronic data collection, efforts underway to conduct damage 
assessment of Federal systems, and efforts to secure our 
federally and privately owned critical infrastructure from 
cyber attack.
    Thus far, I have been extremely disappointed in this 
administration's efforts in cybersecurity. The administration 
drafted a high-level national strategy for a secure cyberspace 
in 2002 that presented problems and possible solutions to high-
level cybersecurity issues but never mandated any changes 
required to improve security.
    In 2003, the administration eliminated its top advisor on 
cybersecurity, Richard Clarke, who was a key advisor to the 
president. Then, after Congress pushed for the creation of an 
assistant secretary for cybersecurity, DHS waited over a year 
to fill the position and buried it four levels down in the 
bureaucracy.
    Despite the creation of a cross-agency intelligence 
director, the administration failed to educate Federal agency 
officials on the cyber threat. For instance, in a 2007 hearing 
before this committee, the chief information officer at DHS, 
Scott Charbo, who is with us today, told us that he had never 
received any intelligence reports about nation state hacking 
and that he was unfamiliar with this activity. To me, this 
suggests a failure on the part of the director of national 
intelligence who is charged with connecting dots that would 
prevent cross-agency intelligence failures from occurring.
    This administration regularly requested inadequate budgets 
for DHS cybersecurity activities, both for the National Cyber 
Security Division, the US-CERT and the CIO security budget and 
the R&D activities undertaken at the Science and Technology 
Directorate.
    This administration has vested responsibility for securing 
these networks in folks who don't understand the threat or the 
technical methods to deal with the threat. Secretary Chertoff's 
decision to promote Mr. Charbo to the position of deputy under 
secretary for National Protection and Programs places him in 
charge of DHS' efforts in the Cyber Initiative. This decision 
was made in spite of the committee's investigation into how he 
and his staff failed both to protect the Department's computers 
from intrusion and properly manage the contractor in charge of 
security.
    In light of these and other issues, it is hard to believe 
that this administration now believes it has the answers to 
secure our Federal networks and critical infrastructure.
    I want to be clear: I believe that cybersecurity is a 
serious problem, maybe the most complicated national security 
issue in terms of threat and jurisdiction. This problem will be 
with us for decades to come.
    I am pleased that this administration recognizes the 
challenges we face in securing this area.
    As Chairman of this committee, I continue to have numerous 
practical and theoretical questions about the initiative and 
the possibilities of its success: Who is in charge, what are 
the matrix for success, who is accountable, how are privacy 
concerns being addressed, how will future technologies be 
incorporated, how will future threats be addressed, what legal 
frameworks must be amended, how will the administration work 
with the private sector, and what will be done with critical 
infrastructure?
    I am committed to charting a course toward freedom from 
fear, and I look forward to working through these difficult 
questions in the weeks, months and years to come.
    The Chair now recognizes the Ranking Member of the 
subcommittee and who is standing in for the Ranking Member of 
the full committee, the gentleman, Mr. McCaul, for an opening 
statement.
    Mr. McCaul. Thank you, Mr. Chairman.
    Today's hearing is on the administration Cyber Security 
Initiative, which is a sweeping effort to better secure the 
computer networks owned and operated by the Federal Government.
    In my judgment, since 9/11, we have been very focused on 
the threats in the physical world, and yet not enough 
attention, in my view, has been paid on threats in the virtual 
world.
    I am glad to see that the administration has come forward 
with an initiative, a plan. Congressman Langevin and I have 
launched a nonpartisan commission to study the threat of 
cybersecurity to this Nation and to provide recommendations to 
the next President of the United States, and I look forward to 
seeing their recommendations as well.
    As this committee learned last year, the Government's 
computer networks are under constant attack from hackers and 
criminals, many of whom are sponsored by foreign nations. Just 
last year, the country of Estonia was temporarily taken off the 
internet by organized hackers. While the chances that a similar 
attack could achieve similar results in this country are small, 
the threat remains very real.
    The Department of Homeland Security will play a prominent 
role in developing and implementing the administration's 
initiative. In fact, the President's fiscal year 2009 budget 
request includes close to $200 million more for DHS than was 
requested last year for cybersecurity, and I am pleased to see 
that.
    In addition, media reports indicates the administration 
plans to ask for up to $30 billion over the next 5 years. If 
this figure is accurate, Congress needs to know how that money 
will be spent. This project is still in the formative stages; 
therefore, I understand a number of details cannot be shared at 
this time or possibly in an open forum. But it is important, 
however, that the administration keep Congress informed so as 
to avoid any misunderstanding about what this initiative is 
designed to do.
    With such a large project that cuts across the Government, 
efficient congressional oversight may be difficult to achieve 
because so many different committees claim jurisdiction over 
DHS. It is times like this that highlight the fact that despite 
promises to fulfill all the remaining 9/11 commission's 
recommendations, the Congress still has not consolidated 
oversight of DHS, and, unfortunately, it now has oversight by 
86 committees and subcommittees.
    I understand that the administration doesn't believe that 
further authorities are necessary for this initiative, but this 
area potentially could be added to our annual DHS authorization 
bill, which I urge the Chairman and this committee to take up 
prior to congressional action on DHS' appropriations bill later 
this spring. I raised this issue during our full committee this 
past Tuesday and was pleased to hear an optimistic response 
from Chairwoman Sanchez.
    We on the Republican side look forward to working with our 
majority counterparts and colleagues on another bipartisan DHS 
authorization bill.
    I yield back.
    Chairman Thompson. Thank you very much.
    Other Members of the committee reminded that under 
committee rules opening statements may be submitted for the 
record.
    [The statement of Hon. Langevin follows:]
              Prepared Statement of Hon. James R. Langevin
                           February 28, 2008
                          the cyber initiative
    For years, Federal networks have been under attack. I believe that 
the infiltration and exploitation of these networks is one of the most 
critical issues confronting our Nation. The acquisition of our 
Government's information by outsiders undermines our strength as a 
Nation. If sensitive information is stolen and absorbed by our 
adversaries, we are strategically harmed.
    Last year, as Chairman of the Subcommittee on Emerging Threats, 
Cybersecurity, Science and Technology, I held a series of hearings on 
the cyber threats to our Federal networks and critical infrastructure. 
It is clear that our failure to secure Government networks has more to 
do with mismanagement, and less to do with inadequate technology. This 
administration simply has not made cybersecurity a priority. They have 
not comprehensively identified or mitigated vulnerabilities on our 
networks; they have not held anybody accountable for breaches; and they 
have not invested adequate resources to solve the problems. 
Unfortunately, we are paying the price today.
    I remain deeply concerned about the growing threat to our national 
critical infrastructure. The effective functioning of many 
infrastructures is highly dependent on control systems. which are 
computer-based systems used to monitor and control sensitive processes 
and physical functions. Cyber attacks against these pieces of 
infrastructure have the potential to cause serious--if not 
catastrophic--damage to the economy and our way of life. The 
administration's Cyber Initiative does not adequately prioritize this 
issue.
    With the right vision and leadership, we can improve security on 
our Federal networks and critical infrastructure. There are some 
promising elements of the Cyber Initiative, but there are also some 
gaping holes. I assure the American people that we will continue to 
perform robust oversight on this issue.
             recap of the subcommittee's previous hearings
    Last year, as Chairman of the subcommittee on Emerging Threats, 
Cybersecurity, Science and Technology, I held a series of hearings on 
the cyber threats to our Federal networks and critical infrastructure. 
We began in April 2007, with a hearing on cyber attacks against the 
Departments of State and Commerce. At that time, it was clear to me 
that the Federal Government did not understand the severity of the 
threat. Officials did not know the scope or topology of networks; who 
infiltrated our networks in the past; who was inside of our networks at 
the present; and how much information had been stolen. At that hearing, 
I promised to begin an investigation to assess the cybersecurity 
posture at the Department of Homeland Security. Chairman Thompson and I 
began requesting documents from the Department's Chief Information 
Officer the following week.
    Our second hearing in April focused on the need to reduce critical 
infrastructure vulnerabilities through investment in research and 
development. In the last 7 years, more than 20 reports from such 
entities as the INFOSEC Research Council, the National Science 
Foundation, the National Institute of Justice, the National Security 
Telecommunications Advisory Committee, the National Research Council 
and the President's Commission on Critical Infrastructure Protection 
have all urged the Government to do more to drive, discover and deliver 
new solutions to address cyber vulnerabilities. Yet the administration 
routinely proposed reductions or flat funding for research and 
development efforts at the Department of Homeland Security. Our 
witnesses described the necessity to dramatically reduce the 
vulnerability of the national information infrastructure to attack, and 
make major, strategic investments that can significantly reduce 
infrastructure vulnerabilities over a 5- to 10-year period.
    During a June 2007 subcommittee hearing, we discussed the 
preliminary results of our investigation into the security of the 
Department's networks. Due to poor security practices on its networks, 
the Department of Homeland Security suffered numerous significant 
security incidents. Routine security reviews--like rogue tunnel audits, 
ingress/egress filtering, widespread internal and external penetration 
tests, and contractor audits--were not performed. Multi-factor 
authentication was not fully implemented And in spite of nearly 900 
cybersecurity incidents between fiscal year 2005 and fiscal year 2006, 
the Department continued to under-invest in IT security.
    The testimony of the Department's Chief Information Officer, Scott 
Charbo, was disturbing to the committee. Although the Chief Information 
Officer is ultimately responsible for the security of the Department's 
numerous information networks, Mr. Charbo seemed unaware and 
unconcerned about any serious malicious activity on the networks he was 
charged with securing. For example, when asked if he or his security 
team had requested or received intelligence briefings about Chinese 
hackers penetrating Federal networks, or if Department computers ever 
exfiltrated information to Chinese servers, Mr. Charbo responded ``you 
don't know what you don't know.'' This answer was typical of the 
laissez-faire attitude that he exhibited throughout the investigation, 
and suggested that neither he nor the rest of the Department was taking 
the issue of cybersecurity seriously. Chairman Thompson and I sought 
additional information to determine whether these incidents could be 
tied to the same attacks that occurred on the networks at State and 
Commerce.
    In September 2007, Chairman Thompson and I concluded that the 
Department was itself a victim not only of cyber attacks initiated by 
foreign entities, but of incompetent and possibly illegal activity by 
the contractor charged with maintaining security on its networks. The 
Department's intrusion detection systems--designed to monitor networks 
and issue alerts when outsiders attempted to gain access--were not 
properly installed and monitored. This resulted in dozens of computers 
becoming compromised by hackers, who sent an unknown quantity of 
information to a Chinese-language Web site. We asked the Department's 
Inspector General to begin an inquiry into these matters and refer the 
case for criminal investigation.
    In October 2007, my subcommittee again revisited the issue of 
cybersecurity and critical infrastructure, specifically with regard to 
the electric grid. The effective functioning of the bulk power system 
is highly dependent on control systems, which are computer-based 
systems used to monitor and control sensitive processes and physical 
functions. Once largely proprietary, closed-systems, control systems 
are becoming increasingly connected to open networks, such as corporate 
intranets and the Internet. As such, the cyber risk to these systems is 
increasing. Intentional and unintentional control system failures on 
the bulk power system can have a significant and potentially 
devastating impact on the economy, public health, and national security 
of the United States.
    The subcommittee learned about an experimental cyber attack led by 
DHS researchers at Idaho National Laboratory. This experiment--code-
named Aurora--could inflict significant damage upon the electric 
sector, and several Members joined me in calling upon the Federal 
Electric Regulatory Commission (FERC) to investigate whether the owners 
and operators were implementing mitigations to prevent this attack from 
occurring. In light of these issues, I joined Chairman Thompson, 
Chairwoman Jackson Lee, and Ranking Member McCaul in submitting 
comments to the FERC rulemaking, arguing that their proposed standards 
do not sufficiently ensure the production or delivery of power in the 
event of intentional or unintentional cyber incidents involving 
critical infrastructures. We suggested adopting standards for control 
systems proposed by the National Institute of Science and Technology.
    Our final hearing focused on the implementation of the cyber 
aspects of the Sector Specific Plans. These 17 plans--one for each 
critical infrastructure sector in the United States--are supposed to 
describe how each sector will identify, prioritize, and protect their 
physical and cyber assets. However, an investigation performed for the 
committee by the GAO suggests that many of the 17 plans are incomplete 
when it comes to cybersecurity. The GAO analyzed the 17 plans under 
three categories: fully addressed, partially addressed, or not 
addressed, and found that none of the plans fully addressed all 30 
cybersecurity criteria. Even more distressing was the absence of an 
implementation plan. Because Sector Specific Plans remain a voluntary 
exercise for all sectors, the Federal Government is unable to assess 
the effectiveness of the private sector's cybersecurity controls.
    Each of these hearings suggests that the Federal Government is 
vulnerable to a cyber attack against Federal networks or critical 
infrastructure. We must continue to identify vulnerabilities in our 
systems. We must continue to reduce those vulnerabilities. We must 
continue to engage the private sector. We must make cybersecurity a 
priority.

    Chairman Thompson. I now welcome our witnesses to this 
hearing.
    Our first witness, Karen Evans, is the administrator of the 
Office of Electronic Government and Information Technology at 
the Office of Management and Budget. In this role, she oversees 
implementation of IT throughout the Federal Government, 
including advising the director on the performance of IT 
investments, overseeing the development of enterprise 
architecture within the agencies, directing activities of the 
Chief Information Officer Council and overseeing the usage of 
the e-government funds to support interagency partnership and 
innovation.
    Our second witness is Robert Jamison, the under secretary 
for the National Protection and Program Directorate at the 
Department of Homeland Security. He was confirmed in December 
2007. Under Secretary Jamison leads the Department's integrated 
effort to analyze, manage and reduce risk. Mr. Jamison oversees 
the Department's efforts in the Cyber Initiative.
    He will be joined in questioning period by Deputy Under 
Secretary for National Protection and Programs Directorate 
Scott Charbo. Mr. Charbo was named to this position earlier 
this month after previously serving as the Department's chief 
information officer.
    Without objection, the witnesses' full statements will be 
read into the record. I ask each witness to summarize their 
statements, beginning with Ms. Evans for 5 minutes.
    Ms. Evans.

STATEMENT OF KAREN EVANS, ADMINISTRATOR, ELECTRONIC GOVERNMENT 
  AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET

    Ms. Evans. Good morning, Mr. Chairman and Members of the 
committee. Thank you for inviting me to discuss the 
administration's comprehensive National Cyber Security 
Initiative. Our work on the Cyber Initiative is focused on 
building upon our existing effort to continue to close the gap 
in areas of continued weakness, implementing existing security 
policies and managing our risk associated in particular with 
non-secure external connections, including internet points of 
presence.
    Please note, our work is happening concurrently on all of 
the programs described in my written statement.
    Agencies connect to the internet to deliver timely 
information and services to the public, but each new connection 
multiplies threats and vulnerabilities. Agencies can 
consolidate or reduce unnecessary connections while still 
accomplishing program goals. OMB has set a target date of 
completion for the reduction and optimization of agencies' 
external connections, including those to the internet, by June 
2008.
    Agencies reduce the number of internet connections, as they 
also will be determining transitions and, if so, their 
transition strategy to the network's contract managed by the 
General Services Administration. This transition provides an 
opportunity for agencies to consolidate and optimize their 
external access points and to obtain secure telecommunications 
technologies and services.
    In connection with the network's transition, Einstein will 
be deployed at the appropriate external connection. Currently, 
14 departments and agencies have deployed Einstein. Einstein 
will be discussed more in depth by my colleague, Under 
Secretary Jamison, during his statement.
    Agencies are also taking advantage of products and services 
offered by the Information Systems Security Line of Business. 
This initiative, led by the Department of Homeland Security and 
OMB, was introduced in the spring of 2005 and identified common 
solutions for four areas to be shared by the government: 
Security training; Federal Information Security Management Act, 
FISMA, reporting; situational awareness and incident response; 
and the selection, evaluation and implementation of security 
solutions.
    As of November 2007, 12 agencies had implemented security 
awareness training services provided by three approved shared 
service centers, and 13 agencies have begun using FISMA 
reporting services provided by two approved shared service 
centers. As a result, agencies are beginning to reduce 
duplicative investment and common security tools, ensuring a 
baseline level of training and reporting performance and are 
better able to refocus their efforts to other complex and 
critical security issues at their agency.
    With the understanding that vulnerabilities result from 
weaknesses in technology, as well as improper implementation 
and oversight of technological products, we have collaborated 
with the National Institute of Standards and Technology, NIST, 
the Department of Defense, the National Security Agency, and 
Microsoft to develop a set of information security controls to 
be implemented on all Federal desktops, which are running 
Microsoft Windows XP or Vista.
    This set of controls, known as the Federal Desktop Core 
Configuration, is currently being implemented across the 
Federal enterprise. By implementing a common configuration, we 
are gaining better control of our Federal systems and are 
allowing for closer monitoring and correction of potential 
vulnerabilities, while limiting the download of internet 
applications to only authorized professionals.
    In addition to the desktop configuration, we are also 
working with the vendor community to make our application 
safer. As part of this program, NIST has developed testing 
tools for use by both the Federal agencies and the vendors. 
NIST awarded Security Content Automation Protocol, or SCAP, 
validation to three products as of February 4, 2008.
    Three independent laboratories have been accredited by NIST 
National Voluntary Laboratory Accreditation Program for the 
SCAP product validation.
    To help agency procurement officers ensure that new 
acquisitions include the common security configurations, we 
have also provided agencies with recommended procurement 
language. The Federal Acquisition Council has approved the 
language and is completing the process of adding this language 
to the Federal acquisition regulations.
    While notable progress in resolving IT security weaknesses 
has been made, and I have included more examples in my written 
statements, problems remain in agencies' implementation, and 
new threats and vulnerabilities continue to materialize. Work 
remains to continue to improve the security of information and 
systems supporting the Federal Government's missions and manage 
the risk associated with these systems.
    To address these challenges, OMB looks forward to 
continuing to work with the agencies, GAO and Congress to 
promote the appropriate risk-based and cost-effective IT 
security programs, policies and procedures.
    I will be happy to answer any questions at the appropriate 
time.
    [The statement of Ms. Evans follows:]
                   Prepared Statement of Karen Evans
                           February 28, 2008
    Good morning, Mr. Chairman and Members of the committee. Thank you 
for inviting me to discuss the administration's Comprehensive National 
Cybersecurity Initiative. My remarks today will focus on the progress 
we have made in improving the security of the Government's information 
and information technology (IT) systems as well as our strategy for 
managing the risk associated with our Government services in this ever-
changing IT environment. In our increasingly interconnected and 
interdependent environment, security risks left unaddressed by one 
agency can exponentially compound security risks faced by all of us. 
These weaknesses prevent agencies from achieving program goals and 
erode the public's trust in us.
    Information security and privacy are extremely important issues for 
the administration. On March 1, 2008, the Office of Management and 
Budget (OMB) will provide our fifth annual report to the Congress on 
implementation of the Federal Information Security Management Act 
(FISMA). This report will go into detail on our improvements and 
remaining weaknesses for both security and privacy.
    OMB policies and subsequent National Institute of Standards and 
Technology (NIST) guidance focus on a risk-based, cost-effective 
approach and reflect the balance between strong security and mission 
needs. Agencies are responsible for implementing the policies and 
guidance for their unique mission requirements within their capital 
planning and investment control processes. Agency officials who own and 
operate the agency business programs are ultimately responsible and 
accountable for ensuring security is integrated into those program 
operations. Our oversight is achieved in two primary ways--via the 
budget and capital planning process, and through independent program 
reviews.
    Our work on the cyber initiative is focused on closing gaps in 
areas of continued weakness--implementing existing security policy, and 
managing non-secure external connection, including Internet points of 
presence. Please note our work is happening concurrently on all of the 
programs described.
          effectively implementing existing security policies
    Securing cyberspace is an ongoing process, so as new technologies 
appear and new vulnerabilities are identified, NIST provides guidance 
to Federal agencies on securing networks, systems, and applications. 
Recommendations include user awareness briefings as well as training 
for technical staff on security standards, procedures, and sound 
security practices. As required by 44 U.S.C.  3543, Federal agencies 
must adopt and comply with standards promulgated by NIST, and identify 
information security protections consistent with these standards.
    For example, agencies must complete certification and accreditation 
(C&A)--a fundamental security procedure required by law and policy. As 
of first quarter fiscal year 2008, 985 systems (9.5% percent of all 
systems) operate without a complete C&A. Based on our annual reports to 
Congress, the percentage of systems C&A'd rise each year we need to be 
at 100%. When performed correctly, C&As identify the risks when 
operating an information system, tests controls necessary to mitigate 
them, and provides program managers a level of assurance the systems 
supporting their programs operate at an acceptable level of risk.
    In addition to following existing policy, agencies are continuing 
to take advantage of GSA's SmartBUY program when acquiring security 
products and services. SmartBUY is a Federal Government procurement 
vehicle designed to promote effective enterprise level software 
management. By leveraging the Government's immense buying power, 
SmartBUY has saved taxpayers millions of dollars through Government-
wide aggregate buying of Commercial Off the Shelf (COTS) software 
products. Agencies are utilizing new SmartBUY agreements to acquire 
quality security products at lower costs.
    In one recent example, GSA and DoD established a SmartBUY agreement 
for products certified through the NIST FIPS 140-2 Cryptomodule 
Validation Program. These certified products will be used to encrypt 
data at rest. This benefit is not confined solely to Federal agencies, 
since the Blanket Purchase Agreement (BPA) was written so that States 
and local governments can also take advantage of this opportunity.
    In addition to the encryption BPA, GSA worked to complete two BPA's 
for credit monitoring services deemed necessary by an agency in the 
event of a breach of personally identifiable information (PII), as well 
as risk assessment services for when a breach occurs. More information 
about the BPA related to credit monitoring services can be found in our 
OMB Memorandum M-07-04, ``Use of Commercial Credit Monitoring Services 
Blanket Purchase Agreements (BPA),'' at http://www.whitehouse.gov/omb/
memoranda/fy2007/m07-04.pdf. More information about the BPA to assist 
agencies to assess risk associated with data loss can be found in our 
OMB Memorandum M-08-10, ``Use of Commercial Independent Risk Analysis 
Services Blanket Purchase Agreements (BPA),'' at http://
www.whitehouse.gov/omb/memoranda/fy2008/m08-10.pdf.
    Currently, the Information System Security Line of Business 
(ISSLOB) is working across Federal agencies and with GSA to assess the 
feasibility of additional security related SmartBUY and BPA 
opportunities for situational awareness and discovery tool sets.
           managing multiple non-secure external connections
    Agencies connect to the Internet to deliver timely information and 
services to the public, but each new connection multiplies threats and 
vulnerabilities. Agencies can consolidate or reduce unnecessary 
connections while still accomplishing program goals. Per OMB guidance, 
agencies must reduce and/or consolidate their external connections 
including those to the internet by June 2008 with a target of no more 
than 50 access points in total for the civilian agencies.
    As agencies reduce the number of internet connections, they are 
also determining whether to transition, and if so, their transition 
strategy, to Networx. As you know, FTS2001/Crossover Bridge contracts, 
which provide services for telecommunications and networking services, 
for current customers will expire in May and June 2010. The Networx 
program is the primary replacement vehicle for these expiring 
contracts. We believe that this transition will provide an opportunity 
for agencies to consolidate and optimize their external access points 
including internet connections and obtain secure telecommunications 
technologies and services. Networx Universal and Enterprise Service 
contracts were awarded in March and May 2007, respectively.
    OMB anticipates agencies choosing to use the Networx contract can 
leverage the transition process and service offerings to meet the goal 
of reducing the number of external connections including Internet 
points of presence. OMB has asked the Federal Chief Information 
Officers (CIO) Council to prepare a cost-benefit analysis regarding the 
use of the Networx contract.
    The Interagency Management Council's Transition Working Group (TWG) 
has asked agencies seeking to qualify for transition cost reimbursement 
to complete Fair Opportunity decisions by September 2008. GSA 
recommends agencies target the completion of Fair Opportunity decisions 
by March 2008 to ensure sufficient time to complete transition of 
services prior to the expiration of FTS2001/Crossover Bridge contracts.
    Currently, one major agency has completed a Fair Opportunity 
Analysis and selected a service provider (Treasury). As of February 
2008, GSA has received 21 Statements of Work (SOWs), and anticipates at 
least 58 more SOWs from major agencies by September 2008.
    The TWG deadline for agencies to submit all transition orders is 
April 2010. GSA recommends agencies target the submission of all 
transition orders to the extent possible for January 2009 to allow 
sufficient time for service providers to complete the processing of all 
orders and establish service on the new contracts before the expiration 
of FTS2001/Crossover Bridge contracts.
    In concert with Networx transition, Einstein will be deployed at 
the appropriate external connections, including Internet points of 
presence; 14 departments and/or agencies have currently deployed 
Einstein. Einstein is an intrusion detection system managed by DHS to 
collect, analyze, and share aggregated network computer security 
information across the Federal Government. As a result of these 
deployments, agencies maintain an awareness of their network while DHS 
maintains awareness of Government-wide information security threats and 
vulnerabilities. With this information, agencies will be able to 
quickly take corrective action and reduce their risk to a manageable 
level.
    Agencies are also taking advantage of products and services offered 
by the Information System Security Line of Business (ISSLOB). This 
initiative, led by DHS and OMB was introduced in the Spring of 2005. An 
inter-agency Task Force identified common solutions to be shared across 
Government. The Task Force identified common solutions in four areas: 
security training; FISMA reporting; situational awareness/incident 
response; and selection, evaluation and implementation of security 
solutions.
    All agencies were asked to submit proposals to either become a 
Shared Service Center (SSC) for other agencies, or migrate to another 
agency from which they would acquire expert security awareness training 
services and FISMA reporting services. DHS helped coordinate the 
selection of SSCs, and agency implementation of these services.
    As of November 2007, 12 agencies had implemented security awareness 
training services provided by three approved SSC, and 13 agencies had 
begun using FISMA reporting services provided by two approved SSC. As a 
result, agencies are beginning to reduce duplicative investment in 
common security tools, ensuring a baseline level of training and 
reporting performance, and are able to refocus their efforts to other 
complex and critical security issues at their agency. OMB expects 
agencies will fully report the number of employees trained via the 
ISSLOB in their fiscal year 2008 annual FISMA report.
    Finally, vulnerabilities result from weaknesses in technology as 
well as improper implementation and oversight of technological 
products. Over the past year, in collaboration with NIST, the 
Department of Defense, the National Security Agency, and Microsoft, we 
have developed a set of information security controls to be implemented 
on all Federal desktops which are running Microsoft Windows XP or 
VISTA. This set of controls, known as the Federal Desktop Core 
Configuration (FDCC) is currently being implemented across the Federal 
enterprise. By implementing a common configuration, we are gaining 
better control of our Federal systems, and allowing for closer 
monitoring and correction of potential vulnerabilities. Security 
configurations provide a baseline level of security, reduce risk from 
security threats and vulnerabilities, and save time and resources. In 
particular, security configurations help protect connections to the 
Internet and limit the download of Internet applications to only 
authorized professionals.
    In addition to the desktop configuration, we are also working with 
the vendor community to make their applications safer. As part of this 
program, NIST has developed testing tools for use by both Federal 
agencies and vendors. NIST awarded Security Content Automation Protocol 
(SCAP) Validation to three products as of February 4, 2008. These 
products and their associated validation information can be found at 
http://nvd.nist.gov/scapproducts.cfm. Three independent laboratories 
have been accredited by the NIST National Voluntary Laboratory 
Accreditation Program (NVLAP) for SCAP Product Validation testing. The 
list of accredited labs is available at the same URL. We are very 
optimistic this program will greatly enhance the security of our 
Federal desktops, and, of our Federal enterprise as a whole. To help 
agency procurement officers ensure that new acquisitions include common 
security configurations, we have provided agencies with recommended 
procurement language. This language can be found in our Memorandum M-
07-18, ``Ensuring New Acquisitions Include Common Security 
Configurations,'' at http://www.whitehouse.gov/omb/memoranda/fy2007/
m07-18.pdf. Currently, the Federal Acquisition Council is in the 
process of adding similar language to the Federal Acquisition 
Regulation.
    These initiatives described in my testimony today in combination 
with other administration initiatives (including: IPv6, HSPD-12, 
minimum communications capabilities for continuity of Government and 
continuity of operation plans, and IT Infrastructure Line of Business) 
address our potential security gaps, help agencies optimize their 
information infrastructure, and facilitate appropriate network 
consolidation and configuration. In turn, agencies will be able to 
better manage their information infrastructure, allowing them to reduce 
risks to an acceptable level.
    In closing, OMB is committed to a Federal Government with resilient 
information systems. The dangers posed by the internet must not be 
allowed to significantly affect agency business processes or disrupt 
services to the citizen. I would like to acknowledge the significant 
work of agencies and IGs in conducting the annual reviews and 
evaluations. This effort gives OMB and the Congress much greater 
visibility into agency security status and progress.
    While notable progress in resolving IT security weaknesses has been 
made, problems remain in agency implementation and new threats and 
vulnerabilities continue to materialize. Work remains to continue to 
improve the security of the information and systems supporting the 
Federal Government's missions and manage the risk associated with these 
systems. To address these challenges, OMB will continue to work with 
agencies, GAO, and Congress to promote appropriate risk-based and cost-
effective IT security programs, policies, and procedures to adequately 
secure our operations and assets.

    Chairman Thompson. Thank you very much.
    The Chair now recognizes Mr. Jamison for 5 minutes.

   STATEMENT OF ROBERT D. JAMISON, UNDER SECRETARY, NATIONAL 
  PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND 
SECURITY, ACCOMPANIED BY SCOTT CHARBO, DEPUTY UNDER SECRETARY, 
  NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Jamison. Thank you, Mr. Chairman.
    Chairman Thompson. Congressman McCaul and Members of the 
committee, I appreciate the opportunity to update you on the 
Department of Homeland Security's efforts to improve America's 
cybersecurity posture.
    I also appreciate the committee's interest in the Cyber 
Initiative. The Department and our interagency partners are 
committed to an ongoing engagement with Congress in an 
appropriate setting on the classified aspects of our 
activities.
    In my role as under secretary for the National Protection 
and Programs Directorate, one of my most important programmatic 
activities has been cybersecurity, and I have served as the 
lead DHS official for the Cyber Initiative since last summer.
    I am pleased this morning to be joined on this panel by my 
esteemed colleagues from OMB, Karen Evans, and the former DHS 
chief information officer and just recently appointed deputy 
under secretary, Scott Charbo.
    Secretary Chertoff identified cybersecurity as one of the 
Department's top priorities for 2008, and the President's 2008 
and 2009 budgets reflect this priority. We are aware of, and 
have defended against, malicious cyber activity directed at the 
U.S. Government. We take these threats seriously and remain 
really concerned that this activity is growing more 
sophisticated, more targeted and more prevalent.
    The nature of the threat is diverse, ranging from 
unsophisticated hackers to very technically competent 
adversaries using state-of-the-art intrusion techniques. Many 
of these malicious attacks are designed to steal information 
and disrupt, deny access to, degrade or destroy critical 
Federal information systems.
    Over the past 4 months, the Department has provided this 
committee with several classified briefings on a number of 
different cyber-related topics, including threats. The 
Department and our interagency partners remain committed to an 
ongoing dialog with Congress in an appropriate setting on these 
classified topics.
    DHS has the lead responsibility for assuring the security 
resiliency and reliability of the Nation's information 
technology and communications infrastructure. Since 2003, the 
Department has been investing in the development of a nimble, 
effective cyber emergency response capability and a culture of 
preparedness. These activities have positioned DHS to play a 
key role in this important initiative we will discuss today.
    We have established the National Cyber Security Division to 
focus on securing cyberspace. In NCSD, we have built a 247 
watch, warning and response operation centers to defend against 
and respond to cyber attack, the US-CERT. US-CERT has developed 
and deployed an Einstein program, which provides Government 
officials with situational awareness about malicious activity 
across the Federal civilian network so we can protect against 
and respond to cyber threats more effectively.
    Under the National Infrastructure Protection Plan 
framework, we have also worked closely with our private sector 
partners to develop 17 sector-specific plans, which all include 
a cybersecurity component.
    We are here today because we must do more. The Federal 
Government has a vast information interstate system with 
thousands of points of access. At last count, the Federal 
network had at least 4,000 access points. Defending the Federal 
system in its current configuration is a significant challenge. 
Implementing effective defensive strategies requires a 
manageable number of access points. Therefore, we are working 
with OMB to reduce the number of access points.
    As we reduce the number of access points, we plan to employ 
an enhanced intrusion detection capability, enhanced Einstein. 
While valuable, currently our Einstein capability is limited. 
We do not have comprehensive coverage, and it is a delayed flow 
analysis tool. We need to enhance the capability through 
comprehensive coverage across our Federal system external 
access points and upgrade Einstein to detect malicious activity 
in real time.
    Our goal is a comprehensive, consistent intrusion detection 
capability that is informed by our full understanding of the 
threat.
    Mr. Chairman, the threat is real. To defend our networks, a 
comprehensive situational awareness capability must augment the 
foundation already in place at the Department. We will achieve 
this improved situational awareness by consolidating our 
Federal connections, enhancing our intrusion detection 
capabilities, improving our threat assessment and information-
sharing capabilities and building a stronger watch and warning 
system.
    These changes, coupled with an investment in our people, 
processes and systems, will enable the Federal Government to 
apply the full capabilities to the defense of our networks.
    Thank you for the opportunity to update you today on DHS' 
efforts to improve America's cybersecurity posture, and I 
welcome the questions.
    Thank you.
    [The statement of Mr. Jamison follows:]
                Prepared Statement of Robert D. Jamison
                           February 28, 2008
                              introduction
    Chairman Thompson, Congressman King, and Members of the committee, 
I appreciate the opportunity to speak about the Department of Homeland 
Security's ongoing efforts to improve cybersecurity. I also appreciate 
the committee's continued interest in the Department's cybersecurity 
activities and in particular the Department's role in Comprehensive 
National Cybersecurity Initiative. As we have done since last year, the 
Department and our interagency partners will continue to engage with 
the committee and Congress in an appropriate setting on the classified 
portions of our activities.
    As our economy, critical infrastructure, and national security 
become more reliant on technology, it is essential that we take 
proactive measures to enhance the security and resiliency of the 
information technology (IT) systems and networks on which we rely. We 
face increasing global threats to our cyber infrastructure, and the 
exploitation of vulnerabilities is facilitated by the widespread 
availability of tools, techniques, and information. The Department has 
made progress in enhancing the cybersecurity of the Nation; however, we 
recognize the need to take deliberate action to reinforce and build on 
those efforts as the threat grows. To underscore the Department's 
efforts in this area, Secretary Chertoff has identified cybersecurity 
as one of the top priorities for the Department for 2008. The enacted 
fiscal year 2008 and the President's proposed fiscal year 2009 budget 
reflect the necessary investment for this priority.
    The Department has outlined four areas of focus within 
cybersecurity to guide our efforts over the coming year. First, we are 
enhancing Federal cyber situational awareness, intrusion detection, 
information sharing, and response capabilities. Second, we are 
expanding the Department's cadre of cybersecurity personnel, its 
capabilities, and its services to our public and private sector 
partners. Third, we are strengthening our efforts to integrate 
cybersecurity into Federal, State, private sector, and international 
preparedness, response, and resilience efforts. Finally, we are 
developing and promoting the adoption of proven cybersecurity practices 
with Government, private sector, the general public, and the 
international community.
    Today, I will provide an overview of the Department's efforts to 
improve cybersecurity across Federal departments and agencies will 
focus on our first priority. Specifically, I will address two programs 
focused on cyber risk reduction across the Federal enterprise: the 
Trusted Internet Connections initiative (TIC) and the EINSTEIN program.
                 cybersecurity: a departmental priority
    As Under Secretary for the National Protection and Programs 
Directorate (NPPD), I oversee the Directorate's efforts to advance the 
Department's mission of risk reduction, which encompasses identifying 
threats, determining vulnerabilities, and targeting resources where 
risk is greatest, including to our critical information systems. A key 
area within this mission includes the Office of Cybersecurity and 
Communications' (CS&C) efforts to improve cybersecurity by reducing 
risk to the Nation's cyber infrastructure and maintaining the 
resilience of our communications systems. The 2007 National Strategy 
for Homeland Security articulated the importance of this mission by 
recognizing that many of our essential and emergency services, 
including our critical infrastructure, ``rely on the uninterrupted use 
of the Internet and the communications systems, data, monitoring, and 
control systems that comprise our cyber infrastructure. A cyber attack 
could be debilitating to our highly interdependent [Critical 
Infrastructure and Key Resources] and ultimately to our economy and 
national security.''
    Global threats to our cyber infrastructure and to the services, 
systems, and assets that depend on them continue to increase. The 
nature of the threat is large and diverse and ranges from 
unsophisticated hackers to very sophisticated adversaries. We are 
seeing more state-of-the-art intrusion techniques designed to disrupt, 
deny access to, degrade, or destroy critical information systems and 
steal our intellectual capital and proprietary information.
    The Department is positioned to address these threats through our 
watch, warning, and response capabilities; our information sharing and 
coordination efforts with the public and private sectors; and our 
programs and initiatives through the National Cyber Security Division 
(NCSD) and United States Computer Emergency Readiness Team (US-CERT). 
These programs and initiatives are designed to carry out our mission of 
preparing for and responding to incidents that could degrade or 
overwhelm the operation of our Federal IT and communications 
infrastructure.
               securing federal departments and agencies
    Since its inception, the Department of Homeland Security has been 
working to strengthen Federal and critical infrastructure systems and 
enhance our cyber operational response capabilities. The Department 
established a number of programs and initiatives to coordinate efforts 
with Federal departments and agencies to improve cybersecurity. These 
programs focus on enhancing situational awareness, increasing 
collaboration across Federal operational security teams, preventing 
cyber incidents, and providing inter-agency coordination during a cyber 
event.
    The Department conducts outreach to Federal departments and 
agencies to raise cybersecurity awareness with operational security 
teams and senior official through channels such as the Government Forum 
of Incident Response and Security Teams (GFIRST). GFIRST is a community 
of more than 50 incident response teams from various Federal agencies 
working together to improve Federal Government security. The Department 
sponsors the annual GFIRST Conference, which fosters greater 
information sharing among IT security professionals from various 
departments and agencies. The 2007 conference garnered unprecedented 
attendance, including more than 550 IT professionals, representing 
numerous Federal departments and agencies, including more than 100 
attorneys from the Department of Justice. We expect similar success at 
the upcoming GFIRST Conference in June 2008.
    To enhance collaboration on control systems security across the 
Federal Government, NCSD established and facilitates the Federal 
Control Systems Security Working Group, consisting of over 30 
Government organizations. Since late 2006, this group has been 
developing a Federal Coordinating Strategy to Secure Control Systems, 
which seeks to place related Federal control systems activities into a 
unified framework, assess opportunities for sharing and leveraging 
information and resources, and identify possible gaps in Federal 
efforts. In addition, NCSD is working with other Federal organizations, 
such as the Tennessee Valley Authority and the U.S. Army Corps of 
Engineers, to provide control systems specific tools in their areas of 
responsibility.
    NCSD co-chairs the National Cyber Response Coordination Group 
(NCRCG) with the Department of Justice (DOJ) and the Department of 
Defense (DoD) to coordinate response to a cyber incident across the 
Federal Government. The NCRCG serves as the principal interagency 
mechanism for providing subject matter expertise, recommendations, and 
strategic policy support to the Secretary of Homeland Security during 
and in anticipation of a cyber incident. The NCRCG comprises senior 
representatives from Federal agencies that have roles and 
responsibilities related to preventing, investigating, defending 
against, responding to, mitigating, and assisting in the recovery from 
cyber incidents. The senior-level membership of the NCRCG helps ensure 
that during a significant national incident, appropriate Federal 
capabilities will be deployed in a coordinated and effective fashion.
    To ensure processes and procedures involved with response to cyber 
incidents are up-to-date and comprehensive, the Department sponsors 
exercises to allow participants in the public and private sector to 
examine their cyber response capabilities. In February 2006, the 
Department held the first National Cyber Exercise--Cyber Storm--to 
examine various aspects of our operational mission, including 
collaboration with Federal departments and agencies. The Department and 
other participants continues to address lessons learned and after-
action items from the exercise. Progress made to improve response 
processes and procedures will be measured in Cyber Storm II, which is 
scheduled for March 2008. Cyber Storm II will simulate a coordinated, 
large-scale cyber attack on four of the Nation's critical 
infrastructure sectors. The exercise will include participants from 18 
Federal departments and agencies, 9 States, over 40 private sector 
companies, and 4 international partners. For the Federal Government 
Cyber Storm II will exercise strategic incident response decisionmaking 
and interagency coordination in accordance with national-level policies 
and procedures. The exercise will strengthen the ability of 
participating organizations to prepare for, protect against, and 
respond to the effects of cyber attacks.
    US-CERT is the Department's watch and warning mechanism for the 
Federal Government's internet infrastructure. It provides around-the-
clock monitoring of Federal network infrastructure and coordinates the 
dissemination of information to key constituencies including all levels 
of Government and industry. In addition, US-CERT serves as the main 
component for helping Government, industry, and the public work 
together to respond to cyber threats and vulnerabilities. A main area 
of focus for US-CERT is our work with Federal departments and agencies. 
US-CERT provides Government partners with actionable information needed 
to protect information systems and infrastructures. In addition, US-
CERT leverages its technical expertise to further efforts to secure 
Federal networks and systems through targeted programs, such as the 
Trusted Internet Connections (TIC) initiative and EINSTEIN.
Trusted Internet Connections Initiative
    The Trusted Internet Connections (TIC) initiative is a multifaceted 
plan to improve the Federal Government's security posture by 
significantly reducing the number of Federal external connections. 
External connections include, but are not limited to, any connection 
outside a department or agency, such as government-to-government 
connections and Internet access points. Currently, there are several 
thousand Federal external connections. The existence of such a large 
number inhibits the Federal Government's ability to implement 
standardized security measures effectively. The TIC initiative aims to 
reduce and consolidate the number of external connections to create a 
more clearly defined ``cyber border.'' Fewer external connections will 
enable more efficient management and implementation of security 
measures and reduce avenues for malicious attacks. Once fully 
implemented, the TIC initiative will facilitate security 
standardization for access points across the Federal Government.
    The Office of Management and Budget (OMB) maintains oversight of 
the TIC initiative, and implementation relies on the technical 
expertise of US-CERT, all participating Federal departments and 
agencies, and the Information Systems Security Line of Business (ISS 
LOB). The ISS LOB is part of the President's Management Agenda to 
expand Electronic Government. The goal of the ISS LOB is to address 
those areas of information security which are common to all agencies 
and are not specific to the mission of any individual agency, 
ultimately resulting in improved information systems security. OMB has 
selected DHS as the managing agency for the ISS LOB, and DHS, through 
the NCSD, is leveraging its role in the ISS LOB to enhance the TIC 
initiative.
    OMB announced \1\ the TIC initiative to the heads of Federal 
Government departments and agencies in November 2007, subsequently 
outlining the specific steps departments and agencies should take as 
part of the initiative, including compiling a comprehensive inventory 
of each department and agencies' existing network infrastructure. Each 
department and agency is required to develop a Plan of Actions and 
Milestones (POA&M) to reduce and consolidate the number of external 
connections with a target completion date of June 2008. NCSD is in the 
process of reviewing initial POA&M submitted to NCSD, via the ISS LOB, 
for review to ensure completeness and alignment with the goals and 
objectives of the TIC initiative. In addition, US-CERT and the ISS LOB 
created an interagency technical working group to establish, for OMB's 
approval, a list of requirements and standards for the implementation 
of each TIC. Once approved, these requirements will be passed to the 
department and as for implementation.
---------------------------------------------------------------------------
    \1\ The TIC was announced in OMB Memorandum 08-05.
---------------------------------------------------------------------------
    The reduction of external connections will have a number of 
benefits for the Federal Government, particularly when coupled with 
other security measures. First, fewer external connections will provide 
the ability to establish a central oversight and compliance function. 
This central function will benefit Federal systems by facilitating the 
implementation of standardized information security policies. In 
addition, the TIC will enable the implementation of 24-hour watch and 
warning capabilities across the Federal Government and enable faster 
and more effective response to cyber incidents. The TIC will also 
enable the rollout of an intrusion detection system across Federal 
networks to provide better situational awareness, earlier 
identification of malicious activity, and overall, a more comprehensive 
network defense.
The EINSTEIN Program
    The EINSTEIN program is another critical element of our efforts to 
increase cybersecurity across Federal departments and agencies. 
EINSTEIN is a collaborative information-sharing program that was 
developed in response to increasingly common network attacks on and 
disruptions to Federal systems. The program was initially established 
to help departments and agencies more effectively protect their systems 
and networks and to generate and report necessary IT-related 
information to US-CERT. EINSTEIN enhances situational awareness of the 
Federal Government's portion of cyberspace, allowing US-CERT and 
cybersecurity personnel to identify anomalies and respond to potential 
problems quickly. EINSTEIN is presently deployed at 15 Federal 
agencies, including the Department of Homeland Security, and US-CERT is 
in the process of deploying EINSTEIN across all Federal departments and 
agencies. With the TIC initiative providing a reduced number of 
external connections, EINSTEIN will be able to more effectively monitor 
activity across Federal Government networks.
    The EINSTEIN program supplements departments' and agencies' 
intrusion detection systems by monitoring their networks from outside 
their firewalls, 24 hours a day, 7 days a week. EINSTEIN utilizes an 
automated process for rapidly collecting, correlating, analyzing, and 
sharing government computer security information with US-CERT and 
department and agency system administrators. EINSTEIN utilizes a 
specific tool set to analyze network flow, which is comprised of a 
brief summary of a network connection, including source, destination, 
time, bytes, and packets transferred.
    US-CERT deploys EINSTEIN to Federal departments and agencies, along 
with all necessary hardware, software, support services, and staff 
training. Once implemented within a Federal department or agency, 
EINSTEIN identifies and establishes a baseline for normal network 
operational activity. From this baseline, security personnel are able 
to identify unusual network traffic patterns and trends, such as 
configuration problems, unauthorized network traffic, network 
backdoors, routing anomalies, and unusual network scanning activities. 
With this information, security personnel can quickly identify, 
prevent, and respond to potential problems.
    EINSTEIN analyzes the information collected and posts it to a 
secure internet portal, which only approved personnel can access. 
System administrators from participating departments and agencies 
review their data and determine if any mitigation activities are 
necessary, often in collaboration with US-CERT. Simultaneously, US-CERT 
personnel analyze the data from participating department and agency 
networks to determine if any recurring patterns and trends exist, 
potentially indicating the presence of malicious cyber activity 
targeting the Government as a whole. If US-CERT finds such patterns of 
unusual activity across multiple agencies, US-CERT notifies appropriate 
stakeholders and coordinates mitigation and response actions as 
necessary.
    EINSTEIN already has proven successful in enhancing security within 
the Federal Government. For example, through the Department of 
Transportation's (DOT's) participation in the EINSTEIN program, we were 
able to quickly detect malicious activity and prevent it from infecting 
other government computers. In this case, a computer worm had infected 
an unsecured government computer in a U.S. Government agency. When the 
worm, in its attempts to increase its network of infected computers, 
tried to attack DOT's network, EINSTEIN detected the unusual traffic. 
After further investigation, US-CERT discovered the worm and worked 
with the affected departments and agencies to prevent its spread.
    EINSTEIN reduces the time it takes to gather and share critical 
data on computer security risks from an average of 4 to 5 days to an 
average of 4 to 5 hours. Quick notification results in the Federal 
Government being able to respond to incidents and mitigate potential 
problems more efficiently and effectively. Government-wide deployment 
of EINSTEIN will further enhance the ability of US-CERT to gain a more 
comprehensive view of Federal systems, increasing US-CERT's analytic 
capabilities and augmenting the extent and quality of US-CERT's 
information sharing activities. Together with the TIC, broad deployment 
of EINSTEIN will increase our ability to address potential threats in 
an expedited and efficient manner.
                               conclusion
    Securing the Nation's IT systems and networks in an environment of 
increasing global threats by agile and sophisticated adversaries is a 
difficult challenge that requires a coordinated and focused effort. 
Secretary Chertoff's prioritization of cybersecurity for the year ahead 
underscores the importance of this challenge. Accordingly, the 
Department is working with its Federal partners to develop and 
implement a holistic strategy for securing our Federal networks and 
systems.
    We have established a strong foundation of programs and activities 
to address the dynamic threat, and we continue to expand and improve 
upon those programs through new and enhanced efforts. The TIC's 
reduction of Internet access points and EINSTEIN's situational 
awareness capabilities are examples of initiatives designed to prevent 
the disruption of Federal critical infrastructure from unauthorized 
users that penetrate Federal systems and steal or compromise vital or 
sensitive information.
    Government-wide deployment of TIC and EINSTEIN enables strategic, 
cross-agency assessments of irregular or abnormal Internet activity 
that could indicate a vulnerability or problem in the system. These 
programs enhance Federal Government cybersecurity by providing more 
robust security monitoring capabilities to facilitate the 
identification and response to cyber threats and attacks. They 
contribute to the improvement of network security, increasing the 
resilience of critical electronically delivered government services, 
and enhancing the survivability of the internet.
    The Federal Government is committed to increasing its capabilities 
to address cyber risks associated with our critical networks and 
systems. Every Federal department and agency plays a role in and adds 
to the protection of our Nation and its citizens from cyber threats.
    Thank you for your time today, and I am happy to answer any 
questions from the committee.

    Chairman Thompson. Thank you very much.
    I thank the witnesses for their testimony.
    I now remind each member that he or she will have 5 minutes 
to question the panel.
    I now recognize myself for the first set of questions.
    Mr. Charbo, we had a hearing in June of last year where Mr. 
Langevin chaired the subcommittee, and it was quite revealing 
that a number of attacks had occurred on our system, and 
perhaps we were not as notified, or you and your Department, of 
many of those attacks until a contractor informed you of that. 
The infamous, ``You don't know what you don't know,'' comment 
was in response.
    Now, to the extent possible, since that hearing, can you 
give this committee the follow-up as to what you have 
instituted in your previous position and this present position 
to prevent such attacks?
    Mr. Charbo. Thank you, Mr. Chairman.
    At that hearing, we were asked about some of the security 
notifications that we have had on our networks through our 
intrusion detection systems. In 2005, we looked at the current 
contract that we had on those local networks. We identified 
gaps, and we put dollars in place to fill a lot of those gaps, 
including putting contract support in place for that. We also 
identified a need to recompete that contract, which we have 
done.
    It is true that at the time of that hearing, I had not been 
read into any of the specific threat vectors that are in place 
and that we are now aware of. The first briefing that we did 
have was with OMB--that was to the general CIO Council, and 
since that, we have had follow-up briefings. This initiative 
has caused a number of briefings, and my staff and I have also 
gone out and pretty aggressively looked toward any sources we 
can to identify briefings that get beyond a sensitive but 
unclassified or even a secret level.
    At the time, we said, ``We are only focused on the data. 
That is all we can look at in terms of data of intrusion sets, 
et cetera, to identify anything back to whether it is a nation 
state attack or what is the nature of the vulnerability.'' We 
are still in that phase. There's a handful of issues that we 
are continuing to look at. Those in a classified state. We take 
every security incident very seriously at the operation.
    At the Department of Homeland Security, we have instituted 
several issues since I have started at that Department. The one 
we have spoke about many times is OneNet. We have said very 
publicly, ``That is the most important IT project that we can 
put in place at the Department.'' That is a consolidation of a 
wide area of points of access. It mirrors very closely to what 
the TIC effort is about.
    We want to put state-of-the-art intrusion detection at 
those access points that includes Einstein and other services. 
We have put that in place. We have put a security operations 
center in place that is 247.
    We are beginning to peer to those from our different 
components at the Department. We have raised the 
classifications of the CIOs, of our security, administrators, 
of our network administrators, of our deputy CIOs so that no 
longer are they just getting an unclassified brief. Quite 
honestly, what you get in that state is just a piece of 
information that is very difficult to interpret back to any 
attribution at all or to identify what the gaps are.
    What makes it even more difficult at the Department of 
Homeland Security is we are an immigration agency, which we 
have clients from outside of this country who are trying to 
receive information on our public points of access, as well as 
law enforcement points, as well as border and port agencies. So 
we have done a number of things before the hearing, since the 
hearing in order to shore up our security operations at the 
Department, including doing a number of recompetitions and 
rebuilds of certain applications, moving it to our points of 
access, which were part of the OneNet project.
    Chairman Thompson. Thank you. We will come back to some 
other questions.
    I yield to the Ranking Member for questions.
    Mr. McCaul. Thank you, Mr. Chairman.
    I just want to follow up on the Chairman's line of 
questioning, because at the last hearing, when you testified, 
it did raise some serious concerns. You are the chief 
information officer for the Department of Homeland Security. 
There is a major threat of intrusion into our Federal networks, 
and yet you are not read into, as you said, read into the 
threat factors at the time. I understand you didn't know what 
you didn't know, but who was responsible for ensuring that you 
had that information, that didn't get you that information that 
you should have had?
    We talk a lot after 9/11 about silos and not connecting the 
dots, not sharing information, and yet we have what I consider 
to be a major breach at the Federal level of not sharing 
information that should have been shared with you. I mean, you 
are the CIO of Homeland Security, and you didn't have this 
threat factor information.
    Can you tell me what happened? Then I think you explained 
what you have done to correct that; that is the good news. You 
had a clearance, I assume, at the time. But you said you have 
upgraded now all the CIOs, they have the clearance to share 
that information.
    What happened back then?
    Mr. Charbo. It is difficult to tell what happened, sir. The 
briefings that we get are on a compartmentalized basis. They 
are tear lines between information moving down from 
classifications level. Most of the information that we got 
prior was at an unclassified level. At that point, it is very 
difficult to interpret that.
    If I can bring this back to the hearing point, in terms of 
the enterprise network, I think this is an issue that is going 
to have to be addressed across a lot of the components--raising 
classification levels, moving information onto secure networks 
and not trying to do this on our unclassed networks--and that 
is going to be a training, a clearance issue, a network issue. 
We have addressed that.
    Once we do have the information at Homeland, I think we 
have moved very aggressively in terms of raising the visibility 
with our key points. We have taken that to mean our CIOs within 
the Department, our security officers within the Department, 
our network administrators. We can bring together in classified 
settings, action those and then task those on in an 
unclassified point of presence.
    All I can say is, prior to that there were gaps in that.
    Mr. McCaul. You suffered from that gap, obviously, and I 
think as we move forward with this initiative and as Congress 
provides its oversight in how best to implement this 
initiative, that has got to be one of the key factors to make 
sure the CIOs for each of the major Federal agencies involved 
with this initiative are certainly read into the classification 
level to share that kind of threat information. I mean, we have 
gotten the reports that the Federal Government has had massive 
intrusions into its Federal networks, and it seems to me the 
CIOs of these agencies should be aware of that fact to better 
protect itself.
    I know this is part of the initiative, but I would 
encourage you to make this a priority in this initiative, and 
we will be looking at that issue.
    Mr. Jamison, did you have a comment?
    Mr. Jamison. Yes, sir. Congressman, you are exactly on 
point: This is one of the fundamental challenges that we are 
facing, and a lot of the threat information was extremely 
classified. What we are talking about trying to do is get 
comprehensive situational awareness.
    So as we improve our Einstein deployment, improve intrusion 
detection, we are also coordinating with our intelligence 
components and all of the Federal Government agencies that have 
threat information so we can get more real-time information to 
the CIOs and to the network operation centers and security 
operation centers so that they can take defensive action. That 
is the top priority.
    Mr. McCaul. My second question is, under this initiative--I 
am a believer in clear lines of authority. When you have these 
mergers and partnerships and sharing agreements and what not, 
you need to know who is in charge and who is in charge of the 
budget.
    Under this initiative, can you tell me--maybe Mr. Jamison--
who is in charge here?
    Mr. Jamison. Sure. First, let me caveat this statement by, 
I would be happy to give you a detailed briefing on the full 
budget, including the classified parts in a close session.
    For what we are talking about today, for the TIC 
consolidation, we share the lead with OMB on helping them 
consolidate internet access points, but we have the lead to 
deploy the intrusion detection, to own, operate and manage the 
intrusion detection and come up with that comprehensive 
situational awareness picture.
    There are many more parts to this initiative that I can't 
discuss openly in this forum and would be happy to give you a 
classified briefing on that.
    Mr. McCaul. I understand that. I think at one of the 
hearings that the Chairman of the subcommittee, Langevin, and I 
had, we had testimony that the DHS was not really coordinating, 
certainly as well as we would hope, with the Department of 
Defense, and I know that may be getting into a classified area. 
I hope that is an area that will be focused on as well. They 
certainly have great expertise in this area that I think the 
DHS could be of great value to you in terms of the 
coordination. So I certainly hope that takes place.
    Then, last, we heard about the declassified operation, 
Aurora, where the Idaho National Labs found a vulnerability 
where a power grid could be shut down, exploited, with the 
click of a mouse. That causes, obviously, shockwaves, I think, 
through not only in the Federal Government but also the 
administration and the Congress, in terms of the vulnerability.
    That is great work, though, in terms of detecting that 
vulnerability and fixing it.
    Can I hear from you maybe some of the lessons learned from 
this project and what you are doing to protect the United 
States?
    Mr. Jamison. Sure. I think it was a success story. I think, 
as always, when you look back there is always room for 
improvement. But what happened with the Aurora vulnerability is 
research that was funded by the Department of Homeland Security 
through our lab networks identified the vulnerability. Once we 
identified the vulnerability, we worked through the national 
security infrastructure protection process and our interagency 
partners to validate that there was a vulnerability and 
actually develop mitigation plans.
    We developed those mitigation plans and tested those 
mitigation plans and actually came up with a dissemination plan 
within that NIPP framework, leveraging both our interagency 
partners and the Federal Government and our private sector 
partners and drove those implementation plans.
    We continue to monitor the implementation plans. We are 
pleased with the results. What we must continue to do is make 
sure that we are able to validate that those measures are still 
being taken in the field and we continue to pursue enhanced 
cybersecurity.
    But I do think it was a success story, especially given the 
fact of the sensitivity of the information and the challenges 
with trying to get implementation measures down the field while 
you don't highlight a vulnerability, and I think the system 
worked.
    Mr. McCaul. I agree with that and look forward to hearing 
more about it.
    Thank you, Mr. Chairman.
    Chairman Thompson. Thank you very much.
    I now recognize the gentleman from Rhode Island and 
Chairman of the subcommittee for 5 minutes, Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. I appreciate you 
yielding, and I appreciate the witnesses for their testimony. I 
have deep appreciation for the Chairman's line of questions, as 
well as the Ranking Member, about who knew what when and this 
issue of silos.
    Obviously, the Department of Homeland Security being the 
lead agency for security needs to know what threats we are 
facing and making sure that the dots are connected, and I 
haven't been satisfied previously that that had been happening. 
I hope that this is changing, and we heard some of that in your 
testimony today.
    I am not going to go on about that, but I will say, 
obviously, for years now, our Federal networks have been under 
attack, and I believe that the infiltration and exploitation of 
these networks is one of the most critical issues confronting 
our Nation. The acquisition of our Government's information by 
outsiders undermines our strength as a Nation, and if sensitive 
information clearly is stolen and absorbed, our systems are 
hacked by our adversaries, clearly, we are strategically 
harmed.
    I don't believe that this administration, at least up until 
now, has made cybersecurity the priority that it should be. I 
believe that is starting to change, and with the right vision 
and leadership, I believe we can improve security of our 
Federal networks and our critical infrastructure.
    There are some promising elements of the Cyber Security 
Initiative, but there are still some gaping holes, and I just 
want to assure the American people that under Chairman 
Thompson's leadership and the work that we are doing on our 
subcommittee that we are going to continue to perform robust 
oversight of this issue.
    In terms of questions, in terms of what I see as gaps, what 
I want to know is, how many and what kinds of connections does 
the trusted internet connection cover? For instance, does the 
TIC cover government-to-contractor network connections? Because 
we know that it is not only about the security on networks but 
authorized intrusions. We need to be secure about that.
    We had problems right at the Department of Homeland 
Security where we had contractors plugging unauthorized laptops 
into our own network, which you have viruses on there that 
infiltrate our networks. So you could be securing your networks 
but if you have unauthorized access, that is a problem.
    Also does it cover Federal-to-State and local connections? 
What about public service e-gov Web sites, such as student 
loans at the Department of Education or Social Security or the 
IRS e-file site? How about law enforcement internet connections 
used for investigative purposes?
    So I would like you to answer that, as well as what will 
the Cyber Initiative do to secure federally owned or privately 
owned critical infrastructure, such as nuclear power plants and 
the electric grid from cyber attacks? As part of the TIC 
consolidation, will you consolidate connections between 
federally owned critical infrastructure and the internet? In 
other words, will dams operated by the Bureau of Reclamation or 
power plants operated by the TVA consolidate their connections, 
and will you install Einstein on these connections?
    Ms. Evans. I would be happy to answer the first part of the 
question, which is, what types of connections, and the way that 
we are approaching it is, it is all external connections.
    As you clearly outlined, any external connection to an 
entity causes or poses a risk. So all agencies were required to 
report back to DHS by the guidance of OMB to tell how many 
external connections, and that is all of them, whether it is 
going to a Federal contractor, whether it is your internet 
point of presence, whether it is a direct connect between you 
and another. If it is external to your operation, it counts and 
it is being looked at as part of this effort.
    Because we need to manage the risk associated with those, 
because this is a shared responsibility of managing the risk by 
department, by department. They all have to look at what type 
of information they have, what type of services they are 
providing and then manage the risk accordingly to that.
    So they have all reported in. We gave them a reporting 
template. We have the number baseline of connections that they 
have right now so that we can then move to optimize those going 
forward.
    Mr. Langevin. And the second part of the question?
    Mr. Jamison. I will just follow up on the critical 
infrastructure.
    As Karen mentioned, we are focused on all external 
connections and getting those external points solidified. The 
initial focus of the effort is to get the dot-gov networks 
under stronger intrusion detection management and situational 
awareness.
    We are continuing our dialog through the NIPP process on 
critical infrastructure and how we better manage cybersecurity 
in those areas. We will continue to engage them and develop a 
stronger plan, and some of those initiatives we will be happy 
to talk in more detail about in a classified session.
    Mr. Langevin. That is promising. We are going to continue 
to follow up on that.
    Mr. Chairman, with your indulgence, I do have one last 
question. Have we ever done a full damage assessment of Federal 
agency networks or DHS networks? If not, why not, and will this 
be covered under the Cyber Initiative?
    Mr. Jamison. Not to my knowledge that a full damage 
assessment has been done, but I will say that we investigate 
known intrusions and make sure that each agency follows up and 
has that responsibility, and Karen may want to go into more 
detail about that.
    US-CERT has played a support role in investigating 
intrusion activity and making sure that we follow up with 
damage assessments from known intrusions.
    There is a broader effort to do a more detailed risk 
assessment, as we move forward with this initiative on the 
total risk picture for the Federal Government, as we address 
those risks.
    Karen, you may want to follow up on that.
    Ms. Evans. I would like to clarify a couple of pieces here. 
One, under the FISMA, Federal Information Security Management 
Act, agencies do need to do an assessment right off the bat on 
all their systems, and the guidance has been given out to the 
agencies, and we report on this on an annual basis. So all 
systems are categorized by high-, medium- and low-risk, and we 
report on that. Then they all have to do testing, have security 
controls in place and then also then evaluate what that is. So 
we report on that on an annual basis. That report is due March 
1 every year.
    Mr. Langevin. If I could just stop you there, because that 
is a risk assessment. That is different than a damage 
assessment.
    Ms. Evans. I am going to get there.
    Mr. Langevin. Okay.
    Ms. Evans. So the second part of that is, as a result of 
the loss of data that happened at the VA situation with the 
personal identifiable information, we put additional procedures 
in place so that as agencies have things happen--we also now 
have a BPA available for all agencies so that they can then do 
an assessment after the fact so that they can then go in and 
see how much damage has actually occurred, what they are 
supposed to do.
    The policy is in place, they have teams that are in place 
at the highest levels of each department so that as they lose 
data, they are supposed to assess it, what is the risk 
associated with that, and then take proper precautions and 
proper notification associated with it.
    Mr. Langevin. Okay, but that is prospectively. You are 
saying that we have not and we are not going to do a damage 
assessment----
    Ms. Evans. No, sir. They need to do a damage assessment 
each time things--that is how the policy is set up now. So they 
do an assessment as each incident occurs and as they report the 
incidents in. So they report incidents into US-CERT. They have 
to make an assessment at that point depending on the type of 
incident, by the categories we have, and then they have to 
continue on doing the assessment. You are calling it a damage 
assessment; we call it a risk, data breach type of assessment 
so that they can then take the appropriate actions.
    That is whether you turn it over to law enforcement, 
whether you have to notify individuals for the services that 
you have done if their information may have been compromised or 
notify your partners so that they are aware of what has 
happened within your entity to be able to share for more 
awareness across the board.
    So we have enhanced our procedures to make sure that that 
is being done on a consistent basis.
    Mr. Langevin. I yield back, Mr. Chairman.
    Chairman Thompson. Thank you very much.
    We now yield 5 minutes to the gentleman from Pennsylvania, 
Mr. Dent.
    Mr. Dent. Thank you, Mr. Chairman.
    My question is to Mr. Jamison.
    Mr. Jamison, I guess my first question is, who is in charge 
of the Cyber Initiative and who is going to hold the budget 
authority for it?
    Mr. Jamison. Congressman, for the portions that we are 
talking about today, with the TIC consolidation, we share the 
lead with OMB, but the $115 million budget supplemental that 
addresses this issue of deploying Einstein and dramatically 
ramping up our comprehensive situational awareness, DHS has the 
budget authority for that and are owning, operating and 
managing that equipment.
    I would be happy to go into more details in follow-up 
briefings on the rest of the classified budget and who has the 
leads for the other pieces.
    Mr. Dent. I guess in a follow-up to that question, if the 
initiative is spread across the entire Government, who is going 
to have the ultimate control over how everybody is working 
together? Obviously, Mr. McCaul pointed out some gaps and 
people not knowing things that they needed to know, apparently, 
so who is going to have that ultimate control to make sure that 
people are actually working together on this?
    Mr. Jamison. Let me answer the question in a couple of 
ways. The director of national intelligence has a coordination 
role for all aspects of the initiative to help coordinate the 
project management of those initiatives. Each individual agency 
that has authorities and responsibilities under the initiative 
have that responsibility.
    We would be happy to come back in a classified session and 
give you a lot more details on that aspect.
    The Department of Homeland Security plays a key role in the 
protection of the dot-gov and Federal networks from an Einstein 
perspective and has a lead role in that. We also have a 
coordination role across the cybersecurity domain, and we would 
be happy, as that develops, the plan for that develops, to come 
back up in a classified session and lay out in detail how that 
coordination role is going to be played out to coordinate all 
of the activities across the Federal Government.
    Mr. Dent. Thank you for that answer.
    It is also my understanding that US-CERT is going to be 
able to view the content of communications over government 
networks. I guess the question is, why is this important, and 
what information will they be collecting, and what will they do 
with it?
    Mr. Jamison. First of all, if I may, I brought a couple of 
props with me, if I can ask one of----
    Mr. Dent. Please.
    Mr. Jamison [continuing]. My employees to come up. I would 
like to, kind of, explain to you what the differences are.
    So if you get the other two first, I want to show this.
    Mr. Dent. We can't see that, by the way. Well, maybe some 
of you can but not me.
    Mr. Jamison. Can you take it up to the Congressman?
    Our current Einstein capability is a flow analysis tool, so 
if you look at the current Einstein flow records, this is the 
basic information that Einstein captures: IP addresses, the 
size of data packets and where is information is flowing from 
network to network. We capture that and then once day, or 
routinely, we download it. The other chart shows you the types 
of analysis that we do on that information.*
---------------------------------------------------------------------------
    * Copies of the charts have been retained in committee files.
---------------------------------------------------------------------------
    So we are trying to detect patterns, we are trying to 
detect malicious IP addresses and to do analysis on activity 
that would look suspicious or have malicious intent. It is 
delayed and our effectiveness--and we have got good analysts--
but our effectiveness is limited to how good our analysts are.
    Where we want to go is we want to be able to detect the 
malicious code that we know about. When an adversary or an 
intrusion has a signature of malicious code, we want the 
sensors to be able to scan for that malicious code and alert us 
when we know that we have malicious activity.
    Let me point out that this is no different than intrusion 
detection capabilities that are on Federal systems today. They 
all have commercial capability to do intrusion detection. What 
is different is that we are going to have comprehensive 
coverage of our external points to make sure that we have got 
intrusion detection at all those points.
    We are also going to make sure it is consistent so the same 
intrusion detection is consistent, and it is going to be 
informed by the knowledge of the Federal Government of what we 
know about the threat, so we will have the latest signature 
information on the threat comprehensively across the Federal 
Government.
    So it addresses some of the concerns that I have heard from 
the committee today about not knowing all the threat avenues 
and one agency knowing more threat information than another. 
This is the intent, to get to comprehensive situational 
awareness.
    Mr. Dent. Thank you.
    Real quickly, the specific role of US-CERT, the 
administration is requesting, I guess, about $100 million more 
than was enacted last year, and so I guess the question is, how 
are you going to spend this US-CERT money?
    Mr. Jamison. It really breaks down into a couple of 
different components. The majority of it is in deploying the 
equipment, so the intrusion detection equipment to the sites. 
We also have a large chunk of money, about $43 million, for the 
2008 budget in facilities as we ramp up our capabilities to add 
more people.
    We have to build the backend analytical capabilities. So 
just as I have shown you, some of the analysis has to be done 
on flow records. We need to build our capability to do analysis 
on that, to handle a much larger percentage of the traffic. 
Currently, our Einstein capability handles a very, very, very 
small percentage of the Federal Government traffic. We want to 
expand that to 100 percent through this initiative, so we have 
to back up our analytical capability.
    It also will allow us to build our malicious malware 
analysis labs and those things and expand them to handle the 
additional volume.
    Those are the major components.
    Mr. Dent. Thank you. I yield back.
    Chairman Thompson. Thank you very much.
    We now recognize the gentlelady from California, Ms. 
Harman, for 5 minutes.
    Ms. Harman. Thank you, Mr. Chairman, and thank you for 
holding this hearing.
    As I think the witnesses know, Members of this committee 
have received a number of classified briefings on the threat. 
Obviously, we are not discussing the threat here, but since my 
focus over all my years in Congress, all 100 years that I have 
served in Congress, has been on security threats, I take that 
kind of information very seriously, and I think the threats are 
substantial, starting with hackers but going on to much bigger 
threats.
    I have been sitting here with my mouth open. I think that 
this hearing reminds me of FEMA trailers, the Government doing 
something and 2 years later deciding that it is toxic and 
taking it away. I think while all of you are well meaning and 
working hard at your jobs, the fact that you don't have the 
threat information and that you are working on projects that 
will take years to complete is absolutely shocking. Let me 
repeat that: I think it is shocking.
    If we are serious about these threats--and I am serious 
about these threats--we are not being serious about our 
response to the threats. It is not timely, I don't get any 
sense of urgency, I don't think much of it will work.
    As an example, as we all know, most of the cyber network is 
in the private sector. I think, absolutely, everybody knows 
that. You have been talking about private sector collaboration 
and cooperation. My understanding is the private sector 
considers Einstein too passive, and it doesn't deliver 
information in real time.
    So how is it that we are going, in real time, have a 
response to a very significant threat? I just don't see it 
happening. I don't see DHS being able to do it within DHS, let 
alone coordinate a response across our Government. So I am 
sitting here really concerned about that.
    Second, I hear from constituents all the time in my 
district. They are really aware of programs that involve having 
access to personal information of American citizens. Obviously, 
for this program to work, as you have been discussing, there 
has to be some collaboration with some of our security 
agencies, like NSA and DOD.
    I have no doubt that you are working on, and that we have 
been briefed on, some legal protocols about all that and that 
there is an effort to protect privacy. However, I assure you 
that constituents of mine listening to this hearing--and I am 
sure they are all tune in, even though it is pretty early in 
California--are thinking about this as, ``Government sets up 
new spy network.'' That is how they are going to receive this 
information.
    So let me ask you to respond--all of you--to what I have 
just said, two parts. No. 1, is this in real time and fast 
enough to mount a serious response to a serious threat? No. 2, 
what would you advise me to tell my constituents who are going 
to call me this afternoon and ask me how I am going to stop 
this latest government spy network into their personal privacy?
    Mr. Jamison. Thank you, Congressman, I will address those. 
The previous charts I put up were trying to get exactly to that 
point. Obviously, I could do a better job of explaining it. But 
I would say that right now our Einstein capability is passive. 
We are looking at flow records, we are not looking for 
malicious activity, we are doing it after the fact, and we want 
to move that to real-time intrusion detection capabilities. So 
we want to make sure we lock down our nodes of access to the 
Federal Government and give ourselves real-time malicious 
activity intrusion detection.
    So that is exactly the intent of this. We are aggressive 
about it. We are going to be employing--as we ramp down the 
number of locations, we are going to be deploying that 
equipment this year. As you can tell by our budget request, we 
have ramped up our capabilities to respond to that.
    Second, on the privacy issue, I can tell you one thing: 
First of all, privacy and civil rights has been a top priority 
for this. We have had our privacy folks and our civil rights 
folks involved in this from the very start. Current Einstein 
has a privacy impact assessment that is public. We are 
currently in the process of doing a privacy impact assessment 
for the new capability as we move it forward, as well as full 
legal review, and we take that matter very seriously.
    But I would like to add that the capability that we are 
talking about for detecting that malicious activity in real 
time is no different than a commercial intrusion detection 
capabilities at many agencies and every corporation in America 
has on their systems. The issue is, it is going to be 
comprehensive, it is going to be consistent, it is going to be 
informed by our threat information.
    Ms. Harman. It is going to be massive, and it is going to 
be across the Government and possibly across the private 
sector. So it is a little bigger than any of the other networks 
or tools that individual companies have, right?
    Mr. Jamison. We are not talking about the private sector 
right now, we are talking about the Federal Government node and 
the traffic coming into the Federal Government.
    Ms. Harman. Got it.
    Other people have any answers to my two questions?
    Ms. Evans. Yes, ma'am, I would like to answer those 
questions as well.
    In everything that we are talking about and even on the 
threat information and the vulnerabilities that we are all 
aware of, this all starts with a defense in depth. There is no 
silver bullet, we all know that, and so there are several 
things that the agencies are doing that, first and foremost, 
most of these come from exploiting known vulnerabilities and 
through configuration management.
    There is a very extensive effort, and I mentioned this in 
my testimony and we did this jointly with the NSA, which is set 
up the way that FISMA was intended where they would do 
standards in an open setting, and then we would go through the 
process that the Commerce Department has. So we have set up 700 
settings that then reduce the vulnerability and then make sure 
that what we are doing is building that in right up front.
    So some of these things that are common sense we are going 
ahead and trying to take care of that on a mass basis. That is 
also then going to be built into the computers that get 
delivered to the agencies. So in spite of themselves, they will 
be successful, because they will be coming configured securely. 
That is the first thing that we are doing, because those things 
we should take those right off the table, and that should not 
be an issue.
    The other thing that the agencies are doing are also 
encrypting all their data--data at rest, data that is mobile--
so that should that happen, that then it becomes harder. So you 
are raising the threshold up.
    Then we are also using two-factor authentication, which 
then makes sure that people who are authorized, you know that 
those are the people who are supposed to be on your networks.
    So we have these in place. The agencies are rolling out, 
they have these measures, they are implementing these, and they 
are upgrading their security as they go forward.
    As part of privacy and security, that is an administration 
concern, has always been. It is a high priority, and we have 
been doing all of these activities in a very transparent way, 
so that everyone can comment on what we are doing. The privacy 
impact assessments are out there. We put it through the Federal 
Register notice process so that it is done in a very 
transparent way to make sure that the citizens know how we 
intend to protect that information.
    Ms. Harman. Did you want to comment?
    If he could just finish his response, I would appreciate 
that. Thank you.
    Mr. Charbo. I would just add that the Einstein program is 
only a part of the total cyber effort. We are really focused on 
also changing the way networks are operated. That is down at 
the operator level. In terms of just their situational 
awareness, their training and how they react and respond on a 
daily basis to operations, as well as to how we procure, how we 
also configure the different things, which Ms. Evans just went 
into.
    Chairman Thompson. Thank you.
    The gentleman from Georgia, Mr. Broun.
    Mr. Broun. Thank you, Mr. Chairman.
    I would like to just go a little further with a question 
that Mr. Dent asked you all.
    Secretary Jamison, it is my understanding that you all can 
view the content of all the dot-gov connections, and I am 
concerned about privacy too, as Congresswoman Harman is. We 
have had your folks from civil rights as well as the privacy 
protection of DHS come testify before this committee, and the 
question I have or frustration I have is, I don't really see 
beyond just DHS how folks in my district, privacy is really 
going to be protected. It looks almost like the fox guarding 
the henhouse, proverbially.
    As a United States Marine, I am very concerned about the 
security of this Nation, and as an original intent 
constitutionalist, I believe that national security and what 
you guys are doing is the prime purpose of the U.S. Government. 
But I am not convinced, as I think Ms. Harman is not convinced, 
that privacy is going to be protected in the process of 
developing these cyber protections within the government 
connections.
    I encourage you to try to find something beyond Einstein 
that is going to be focusing on the bad guys and not focusing 
just on the general public but finding some way to protect the 
privacy of American citizens, the good guys. As I see DHS 
developing these policies, when I go through security at 
airports or all these other things, it just looks to me as if 
we are focusing more of our resources, which are very limited, 
more of our personnel, greater and greater bureaucracy on 
focusing upon all us good guys and not on the bad guys.
    Can you assure me or tell me how you all maybe can go to 
Einstein 2.0, or whatever the system is, that is going to 
protect the privacy rights of American citizens, the good guys, 
and make sure that we don't have these security threats within 
the cyberspace of the dot-gov connections?
    Mr. Jamison. Thank you, Congressman.
    First of all, let me say that this is a comprehensive 
initiative, and there are a lot of agencies involved, and it 
has a comprehensive plan. We want to make sure that we have the 
opportunity to brief that to you in full in a classified 
session.
    From the standpoint of privacy, it is a top concern. We are 
currently not looking at content, as you put it. That is where 
we need to go.
    Mr. Broun. Not looking at any content.
    Mr. Jamison. Not currently. We are proposing that we are 
going to do that.
    Mr. Broun. That is my concern, too.
    Mr. Jamison. We are going through a privacy impact 
assessment to do that and make sure that we follow all the 
civil rights and civil liberties that are associated with that.
    Congressman, the threat is real. Our adversaries are very 
adept at hiding their attacks in normal traffic and the normal 
everyday traffic that comes across the network very well could 
be disguised, and it could be malicious. So the only true way 
to protect your networks is to have intrusion detections. It is 
what everybody has on all their networks now. It is not just 
consistent in the Federal Government, and it is not informed by 
our latest threat information of what we know. That is what we 
are talking about.
    There are a lot of other activities that we need to do to 
focus on improving cybersecurity beyond just this and the 
effort that we are talking about today, and we are working on 
that, and we would be happy to brief you on that in a detailed 
session.
    Mr. Broun. Okay. Thank you very much.
    Mr. Chairman, thank you. I yield back.
    Chairman Thompson. Thank you very much.
    We now yield 5 minutes to the gentleman from North 
Carolina, Mr. Etheridge.
    Mr. Etheridge. Thank you, Mr. Chairman.
    Let me thank you for being here. I must confess, I join Ms. 
Harman in listening to the testimony this morning.
    So, Mr. Jamison, given the hundreds of cyber incidents that 
have taken place over the last few years, how would you rate 
the Department's response to cybersecurity, A through F?
    Mr. Jamison. It's been a while since I have been in school. 
I think currently we are----
    Mr. Etheridge. Well, you find the number you want to, I 
will be happy.
    Mr. Jamison. I think we are a solid C, and if you will 
allow me to expound on that from the standpoint of, as I 
mentioned before, our current capability from a US-CERT 
standpoint, and I am strictly talking about----
    Mr. Etheridge. Let me just say something: If you say a 
solid C, you know, I was a State superintendent of schools for 
a few years, that is sort of average, at best.
    Mr. Jamison. That is why we are here, Congressman.
    Mr. Etheridge. That isn't even close to being good enough 
in what we are talking about for the American people. But I 
will let you continue, because I have another question 
following that.
    Mr. Jamison. Congressman, that is why we are here. As I 
said in my opening statements, we need to do more. Currently, 
from a DHS and US-CERT perspective of having that 
responsibility across the Federal domain, we need to have more 
comprehensive----
    Mr. Etheridge. All right. Given that then, can you tell 
this committee what accountability has been put in place, 
because there are well-recorded numbers of breaches in the 
Government system? What accountability do we have in place when 
that happens? If it happens on my watch, what accountabilities 
am I accountable for?
    Mr. Jamison. Well, I will defer to Karen to talk about the 
FISMA accountabilities and some of their requirements that each 
CIO has.
    Ms. Evans. We hold the agencies accountable through a 
quarterly process. We manage, through the President's 
management agenda, on the score card. However, when incidents 
occur, agencies are held accountable. We do work with them to 
ensure--because, first and foremost is when it does occur, that 
there is a proper response, because it is involving the 
citizens' data, and, first and foremost, we have to make sure 
that the way that we handle that response is addressing their 
immediate needs and that we take the proper precautions in 
place to ensure that the citizen then knows that we are 
addressing that.
    Yes, sir.
    Mr. Etheridge. Let me follow up on that, because I think 
that leads to a little broader question in that area, because 
every year OMB says that agencies are implementing more 
security controls on their computers, yet every year the number 
of successful penetrations in the Federal networks rise. This 
means that every year we lose more and more information to our 
adversaries.
    That being true, OMB measures success by the percentage of 
certified and accredited computer systems, but even the stamp 
of approval that you are just talking about, sensitive data 
tends to seep out, okay?
    That being true, are we using the right metrics? The second 
part of that question, shouldn't we be measuring our ability to 
stop attacks or at a minimum use our ability to detect and 
respond to attacks as the correct metric? Wouldn't that seem to 
be a better metric to use in terms of where we are than just 
measuring the other pieces? I mean, that just seems common 
sense to me.
    Ms. Evans. Okay. I would agree with you that initially when 
we first started this process, when FISMA's predecessor was the 
Government Information Security Act, and many of the Members 
have brought this up: Initially, agencies didn't know what they 
didn't know. So metrics evolved, and these are the first sets 
of metrics that we use so that agencies could make sure that 
they knew what their inventory was. Because if you don't know 
what you own, then you can't manage it appropriately and know 
the risk associated with it.
    So the first set of metrics and the things that we have 
measured may need to improve, and we have talked to Congress 
about this and GAO, because we are now--and I would agree with 
you that the metrics that we look at are more output-oriented 
right now, and we are moving now to a level of more 
performance, such as the types of metrics that you are talking 
about, because----
    Mr. Etheridge. Seems to me that is how you measure it.
    Ms. Evans. Absolutely, and you know what the baseline is 
now. We know what these systems are, we know how the agencies 
are categorizing the systems, and there is consistency across 
the board.
    Mr. Etheridge. My time is running out. Let me touch one 
more point, if I may get it in, because I think this is 
critical.
    Because it seems to me there are flaws on the on-the-job 
training. I mean, we have already heard that. If we aren't 
giving proper training and ongoing training, management 
practices within Federal agencies where workforces do not 
understand the effects of their actions on national security. I 
mean, what are we doing to train employees? That is the other 
side of it. We have got to measure both pieces, and that 
metric, it seems to me, has to change, if we are going to get--
because if we do the same thing we have always done, we are 
going to get the same results we have always gotten.
    Ms. Evans. May I answer?
    Mr. Etheridge. Please.
    Ms. Evans. Thank you, sir.
    Okay, so we pick certification and accreditation because it 
is a soup-to-nuts process. If an agency approaches the process 
for compliance, checks the box, because I have to tell OMB and 
then it goes to Congress, we aren't going to get the result 
that we intend.
    But if you look at the process associated with that, all 
the issues that you brought up, when you certify an accredited 
system, you have to know what it is, you have to analyze the 
risk, you have to put together rules of behavior so that each 
user, as they sign on, know what they are supposed to do and 
the consequences associated with not doing that.
    The last part of that also is residual risk, because the 
manager in charge needs to say, ``That service is important. I 
will live with this risk. Here is the compensating control and 
hold me accountable.''
    That is really how the process is supposed to work, and 
that is where we have to now move it to the next level so that 
we are actually achieving the result versus a paperwork 
exercise where we just get a bunch of paper and people are 
producing stuff and people don't really know what their 
responsibility is and what they should be held accountable for.
    Mr. Etheridge. We are doing a lot of work.
    Ms. Evans. We are improving it.
    Mr. Etheridge. But the results are meager for the 
investment, and we have got to do better to protect the 
American people. I really believe that. Thank you.
    Thank you.
    I yield back, Mr. Chairman.
    Chairman Thompson. Thank you.
    The gentleman from Texas, Mr. Green, for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. Thank you and the 
Ranking Member for holding this hearing, and because I know 
that time is of the essence, I will move as quickly as 
possible.
    I have a few questions, and thank you, witnesses, for 
appearing today.
    Is it true, Mr.--is it, Charbo, am I pronouncing it 
correctly?--Mr. Charbo, that you were the CIO of Homeland 
Security at a time when some intelligence reports about hacking 
were known to other agencies but not reported to you? Is this 
true?
    Mr. Charbo. Well, sir, I am not sure what was reported to 
other agencies. My assumption is, is that is probably correct.
    Mr. Green. Okay. At a 2007 hearing, according to the 
intelligence that I have, the Department of Homeland Security 
CIO, Scott Charbo--that would be you--told the committee that 
he had never received any intelligence reports about nation 
states hacking and that he was unfamiliar with the activity.
    Mr. Charbo. The response, I believe, was that we had had 
one. I had had one previous to that hearing, which was 
sponsored through the CIO Council----
    Mr. Green. Yes, sir.
    Mr. Charbo [continuing]. And at that time, there was 
nothing that pointed back to DHS.
    Mr. Green. You were not familiar with it. There were others 
who knew but you did not know; is this true?
    Mr. Charbo. Not by the name, I believe, that was being 
discussed at the hearing. I mean, obviously, we had heard about 
nation state hacking and different nations, but I had never had 
a briefing that pointed back to the Department. They were all, 
basically, in general at a lower classification level.
    Mr. Green. Well, did it happen? Maybe I should start there. 
Did this happen? Was there actually a hacking that took place?
    Mr. Charbo. At the Department?
    Mr. Green. Yes, sir.
    Mr. Charbo. We have lots of security events at the 
Department. Whether or not those are nation states----
    Mr. Green. Whether they are nation states--all right, let's 
talk about nation states. Was there a nation state hacking?
    Mr. Charbo. Yes, there are a few that we are looking at, 
and we would have to address that on a classified level.
    Mr. Green. Okay. Is it your opinion that we have not had 
any cross-agency intelligence failures?
    Mr. Charbo. I certainly think it can be improved, and I 
think that is what this effort is about.
    Mr. Green. All right. Well, let me go to my next question. 
Is it true that we had a contractor charged with securing 
networks at the Department, and this contractor did not install 
intrusion detection systems?
    Mr. Charbo. Those are gaps that we identified, and that we 
had them put in place.
    Mr. Green. Is that a true statement?
    Mr. Charbo. That is a true statement.
    Mr. Green. Okay. The question becomes then, what are the 
consequences when we have these kinds of occurrences? Have we 
ever had a contractor terminated for failure to perform to the 
level that this contractor failed to perform? Terminated. We 
are not talking about renewing a contract. But have we ever had 
one terminated?
    Mr. Charbo. Well, I can only speak to this incident. I 
mean, from a broader contracting perspective, that would have 
to go to our contracts. We did recompete this contract.
    Mr. Green. Let me ask you about what you know? Do you know 
of any contractor ever having been terminated?
    Mr. Charbo. I can't speak to anything specific.
    Mr. Green. So you don't know of one.
    Mr. Charbo. To my knowledge, I don't know of that.
    Mr. Green. Okay. Do you know of anyone who has ever been 
fired for failure to properly provide intelligence across 
agencies that should have been provided?
    Mr. Charbo. I couldn't put a name on it, but, certainly, we 
have had contractors removed.
    Mr. Green. Well, now I am talking about a person being 
fired as opposed to a contractor. We went through the 
contracting and you indicated that you didn't know about the 
contractors.
    Mr. Charbo. The question is?
    Mr. Green. The question is, have we had anybody fired? Has 
anybody ever been fired?
    Mr. Charbo. To my knowledge, I have never fired a Federal 
employee. We certainly have responded to performance, but I 
have not fired a Federal employee.
    Mr. Green. Do you know of anyone that has ever been fired 
for failure to perform in this area of sensitive security 
information transmission?
    Mr. Charbo. I can't speak to anything specifically.
    Chairman Thompson. Will that gentleman yield?
    Mr. Green. Yes, sir.
    Chairman Thompson. In the interest of making sure we get 
the record straight, Mr. Charbo, that incident that was 
referred to by Mr. Green I think it was the committee staff 
that brought it to your attention of your shop that there had 
been some problems with a contractor that you all were not 
aware of. I think after that was brought to your attention, you 
all moved forward and looked at it.
    Please.
    Mr. Charbo. The one incident that I believe is being 
referred to was made aware of by our staff. What was incomplete 
was the closure of that because of the different opinions. I 
mean, much of this hearing is about the level of data that you 
receive on a particular event. One analyst can look at a piece 
of data and have one interpretation. Several others can look at 
it and have different interpretations. A lot of that is 
dependent on the situational awareness that an individual has.
    In this case, that is what was presented to me. That 
coincided with the hearing. We asked for that information. At 
that time, I turned that over to our security group and said, 
``I have conflicting information here. It is something for you 
to look at.''
    I believe that is currently still under investigation, sir.
    Mr. Green. All right, Mr. Chairman, thank you.
    Chairman Thompson. Thank you very much.
    We now have three votes on the floor, and we have concluded 
all of our witnesses and our questions for the witnesses. I 
would like to thank them for their valuable testimony. The 
Members of the committee may have additional questions for the 
witnesses, and we will ask that you would respond expeditiously 
in writing to those questions.
    Hearing no further business, the committee stands 
adjourned.
    [Whereupon, at 11:27 a.m., the committee was adjourned.]


                            A P P E N D I X

                              ----------                              

  Question From Honorable Yvette D. Clarke for Honorable Karen Evans, 
  Administrator for Electronic Government and Information Technology, 
                    Office of Management and Budget
    Question. Ms. Evans, it is my understanding that you have worked 
with Director Will Pelgrin, head of NY State's Cyber Security Office 
and the chair of the Multi-State Information Sharing and Analysis 
Center, including coordination on the Data-at-Rest Smart Buy program. 
Can you describe your involvement with this effort with the State and 
local governments and what were the results?
    Answer. SmartBuy is a Government-wide initiative which leverages 
the Federal Government's requirements and buying power. As a member of 
the governance board, we help determine the priorities and technical 
requirements to be included in SmartBuy efforts. A major effort of the 
SmartBuy program was the Data-At-Request (DAR) Blanket Purchase 
Agreements (BPAs) to provide encryption products to Federal agencies, 
NATO, and State and local governments to protect sensitive, 
unclassified data on mobile computing devices and removable media.
    Protecting DAR is increasingly critical in today's information 
technology (IT) environment of highly mobile data and decreasing device 
size. Personal identity information or sensitive Government information 
stored on devices such as laptops, thumb drives and personal digital 
assistants (PDAs) can be unaccounted for and unprotected, and can pose 
a problem if these devices are compromised. In addition to saving 
taxpayer dollars, the DAR BPA enhances DAR information security and 
requires vendors to meet stringent technical and information assurance 
requirements.
    OMB Memorandum M-06-16, Protection of Sensitive Agency Information, 
issued in June 2006 was a key impetus for the actions resulting in 
these agreements. Two months after OMB issued this memo, the DoD Data-
at-Rest Tiger Team (DARTT) was developed to address technical 
requirements. Eventually, the DARTT evolved into an interagency team 
comprised of 20 DoD components, 18 Federal agencies and NATO, with 
State and local governments joining in March 2007. These requirements 
were presented to the governance board and accepted.
    The State and local governments are participating under GSA's 
Cooperative Purchasing Program, which allows them to purchase IT 
products and services from both GSA's Multiple Award Schedule 70 and 
Consolidated Schedules that have IT special item numbers.
    To date 127,296 licenses have been issued across 15 States 
(including local governments). This has resulted in savings of $24.1 
million on purchases of encryption software through use of these 
Federal DAR contracts and approximately $8 million using the special 
State and local government offers--for a total of more than $32 million 
in savings/cost avoidance to date.
   Question From Honorable Yvette D. Clarke for Honorable Robert D. 
Jamison, Under Secretary, National Protection and Programs Directorate, 
                    Department of Homeland Security
    Question 1. Secretary Jamison, how much of the Infrastructure 
Protection and Information Security (IPIS) account in the fiscal year 
2009 budget request is intended to support State and local Government 
cybersecurity activities?
    Answer. The Department of Homeland Security collaborates with a 
broad range of security partners, including State, local, and 
international governments, private-sector owners and operators, and 
individuals, in its efforts to improve the Nation's cybersecurity 
posture. Specifically, the Department's United States Computer 
Emergency Readiness Team (US-CERT), the national focal point for 
coordinating the defense against and response to national cyber 
attacks, engages with State and local governments by sharing 
information with States and providing direct support to States 
requiring response and recovery assistance. Budgetary support for State 
and local government cybersecurity efforts is embedded within the 
Department's many programs and activities and does not maintain a 
specific line item; however, the Department does provide funding to the 
Multi-State Information Sharing and Analysis Center (MS-ISAC). Much of 
the increase in funding to cybersecurity will result in improved 
situational awareness of threats, intrusions, and response methods 
across the Federal domain. State and local governments will benefit 
from this enhanced focus.
    Through a contract with the Department, the MS-ISAC supports a 
number of operational and awareness activities. The current contract 
with the MS-ISAC, spanning from November 2007 through November 2008, 
totals $1,694,825, and a similar amount is estimated for fiscal year 
2009. These activities include operating the MS-ISAC State and Local 
Operations Center for Cybersecurity, which collaborates with US-CERT 
and contributes to State and local cybersecurity by maintaining 
situational awareness of the State cyber landscape; by hosting bi-
monthly webcasts with cybersecurity experts for the general public to 
raise awareness about emerging cybersecurity issues; and by developing 
cybersecurity educational materials offering best practices, tools, and 
tips as part of the Department's national cybersecurity awareness 
efforts.
    In addition to the funding provided to the MS-ISAC for these 
efforts, the Department has dedicated staff to support ongoing MS-ISAC 
efforts. This includes more than two full-time equivalents who liaise 
with the MS-ISAC to ensure coordination with the Department on current 
State and local government efforts by engaging in MS-ISAC activities, 
including various working groups to help with the creation, production, 
and dissemination of education and awareness resources for use by the 
States; and by participating in regular meetings as well as the MS-ISAC 
annual meeting. In addition, Department staff members work to oversee 
the fulfillment of the statement of work. Staff support to and 
coordination with the MS-ISAC is estimated at $270,000 annually.
    An important component of the Department's work is its support of 
efforts to advance State and local cybersecurity activities. In 
addition to funding provided to support the MS-ISAC, the Department has 
committed significant resources, through various programs and 
activities, to help State and local security partners address their 
cybersecurity preparedness and response needs and effectively manage 
cybersecurity issues.
    Question 2. Secretary Jamison, how much of the increased funding to 
DHS for cybersecurity initiatives to address improvements in the 
security posture of State and local governments is specifically set 
aside for programs to be coordinated or performed by the Multi-State 
ISAC?
    Answer. The Cyber Initiative is an interagency effort that aims to 
enhance the security of Federal Government networks. Increased funding 
has been primarily directed to enhancements for the Department of 
Homeland Security's United States Computer Emergency Readiness Team 
(US-CERT), the Nation's watch and warning mechanism. US-CERT provides 
around-the-clock monitoring of cyber infrastructure and coordinates the 
dissemination of information to key constituencies, including all 
levels of government and industry. It serves as the focal point for 
helping Federal, State, local, and international governments, industry, 
and the public work together to achieve the appropriate responses to 
cyber threats and vulnerabilities. The additional funding allocated to 
enhance US-CERT capabilities is primarily focused on improving Federal 
network security through programs such as the Trusted Internet 
Connections (TIC) initiative and the Einstein program. It will also 
result in increased level of service and information sharing with all 
cybersecurity partners, which includes all of the Information Sharing 
and Analysis Centers (ISACs); however, no additional funding has been 
allocated to the Multi-State Information Sharing and Analysis Center 
(MS-ISAC) or any other ISAC under this initiative.
    Although the Cyber Initiative is focused on Federal networks, the 
enhanced products and services from US-CERT will provide specific 
additional benefits to State and local governments. States are 
dependent upon Federal network operations and information for a range 
of services and daily critical functions. Cyber threats to the Federal 
networks could have potentially devastating effects on State and local 
government networks given their interconnectedness. Improving US-CERT's 
capabilities to monitor, detect, report, and mitigate malicious 
activity will enable the Department to identify threats to Federal 
networks more effectively and efficiently, thus protecting those 
networks upon which State and local governments rely.
    The Department recognizes the importance of State and local 
government cybersecurity in its efforts to better secure the Nation's 
cyber assets. Under the Cyber Initiative, programs and activities to 
secure Federal networks will benefit State and local governments. 
Through US-CERT's enhanced watch, warning, and response capabilities, 
State and local governments will benefit from improved information 
sharing of alerts, warnings, and mitigations plans. In addition, the 
Department has established and maintains strong cooperative 
relationships with State and local governments, and it has developed 
several programs directed at addressing State and local government 
cybersecurity issues. With existing and new programs, the Department 
remains committed to improving the cybersecurity posture of State and 
local governments.

                                 
