b"<html>\n<title> - ENHANCING AND IMPLEMENTING THE CYBERSECURITY ELEMENTS OF THE SECTOR-SPECIFIC PLANS</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n \n                     ENHANCING AND IMPLEMENTING THE\n                     CYBERSECURITY ELEMENTS OF THE\n                         SECTOR-SPECIFIC PLANS\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               before the\n\n                        SUBCOMMITTEE ON EMERGING\n                       THREATS, CYBERSECURITY AND\n                         SCIENCE AND TECHNOLOGY\n\n                             joint with the\n\n                     SUBCOMMITTEE ON TRANSPORTATION\n                      SECURITY AND INFRASTRUCTURE\n                               PROTECTION\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            OCTOBER 31, 2007\n\n                               __________\n\n                           Serial No. 110-82\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n[GRAPHIC] [TIFF OMITTED] TONGRESS.#13\n\n                                     \n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n\n                               __________\n\n                     COMMITTEE ON HOMELAND SECURITY\n                  U.S. GOVERNMENT PRINTING OFFICE\n48-977                    WASHINGTON : 2009\n-----------------------------------------------------------------------\nFor Sale by the Superintendent of Documents, U.S. 
Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512\xef\xbf\xbd091800  \nFax: (202) 512\xef\xbf\xbd092104 Mail: Stop IDCC, Washington, DC 20402\xef\xbf\xbd0900012009\n\n               BENNIE G. THOMPSON, Mississippi, Chairman\nLORETTA SANCHEZ, California,         PETER T. KING, New York\nEDWARD J. MARKEY, Massachusetts      LAMAR SMITH, Texas\nNORMAN D. DICKS, Washington          CHRISTOPHER SHAYS, Connecticut\nJANE HARMAN, California              MARK E. SOUDER, Indiana\nPETER A. DeFAZIO, Oregon             TOM DAVIS, Virginia\nNITA M. LOWEY, New York              DANIEL E. LUNGREN, California\nELEANOR HOLMES NORTON, District of   MIKE ROGERS, Alabama\n    Columbia                         BOBBY JINDAL, Louisiana\nZOE LOFGREN, California              DAVID G. REICHERT, Washington\nSHEILA JACKSON LEE, Texas            MICHAEL T. McCAUL, Texas\nDONNA M. CHRISTENSEN, U.S. Virgin    CHARLES W. DENT, Pennsylvania\n    Islands                          GINNY BROWN-WAITE, Florida\nBOB ETHERIDGE, North Carolina        MARSHA BLACKBURN, Tennessee\nJAMES R. LANGEVIN, Rhode Island      GUS M. BILIRAKIS, Florida\nHENRY CUELLAR, Texas                 DAVID DAVIS, Tennessee\nCHRISTOPHER P. CARNEY, Pennsylvania\nYVETTE D. CLARKE, New York\nAL GREEN, Texas\nED PERLMUTTER, Colorado\nVACANCY\n       Jessica Herrara-Flanigan, Staff Director & General Counsel\n                     Rosaline Cohen, Chief Counsel\n                     Michael Twinchek, Chief Clerk\n                Robert O'Connor, Minority Staff Director\n                                 ------                                \n\n   SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND \n                               TECHNOLOGY\n\n               JAMES R. LANGEVIN, Rhode Island, Chairman\nZOE LOFGREN, California              MICHAEL T. McCAUL, Texas\nDONNA M. CHRISTENSEN, U.S. Virgin    DANIEL E. 
LUNGREN, California\n    Islands                          GINNY BROWN-WAITE, Florida\nBOB ETHERIDGE, North Carolina        MARSHA BLACKBURN, Tennessee\nAL GREEN, Texas                      PETER T. KING, New York (Ex \nVACANCY                                  Officio)\nBENNIE G. THOMPSON, Mississippi (Ex \n    Officio)\n                    Jacob Olcott, Director & Counsel\n        Dr. Chris Beck, Senior Advisor for Science & Technology\n                       Carla Zamudio-Dolan, Clerk\n       Dr. Diane Berry, Minority Senior Professional Staff Member\n?\n\n SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION\n\n    SHEILA JACKSON LEE, Texas,       DANIEL E. LUNGREN, California\n            Chairwoman               GINNY BROWN-WAITE, Florida\nEDWARD J. MARKEY, Massachusetts      MARSHA BLACKBURN, Tennessee\nPETER A. DeFAZIO, Oregon             GUS M. BILIRAKIS, Florida\nELEANOR HOLMES NORTON, District of   PETER T. KING, New York (Ex \n    Columbia                             Officio)                  \nYVETTE D. CLARKE, New York           \nED PERLMUTTER, Colorado              \nBENNIE G. THOMPSON, Mississippi (Ex  \n    Officio)                         \n                                     \n    Mathew Washington, Director\n        Erin Daste, Counsel\n Natalie Nixon, Deputy Chief Clerk\n  Coley O'Brien, Minority Senior \n              Counsel\n\n                                 (iii)\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               STATEMENTS\n\nThe Honorable James R. Langevin, a Representative in Congress \n  From the State of Rhode Island, Chairman, Subcommittee on \n  Emerging Threats, Cybersecurity, and Science:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     
3\nThe Honorable Michael T. McCaul, a Representative in Congress \n  From the State of Texas, Ranking Member, Subcommittee on \n  Emerging Threats, Cybersecurity, and Science...................     5\nThe Honorable Sheila Jackson-Lee, a Representative in Congress \n  From the State of Texas, and Chairwoman, Subcommittee on \n  Transportation Security and Infrastructure Protection:\n  Oral Statement.................................................     6\n  Prepared Statement.............................................     8\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  From the State of California, and Ranking Member, Subcommittee \n  on Transportation Security and Infrastructure Protection.......     9\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York..........................................    48\nThe Honorable Bill Pascrell, Jr., a Representative in Congress \n  From the State of New Jersey...................................    40\n\n                               Witnesses\n                                Panel I\n\nMr. Greg Garcia, Assistant Secretary, Office of Cyber Security \n  and Telecommunication, Department of Homeland Security:\n  Oral Statement.................................................    10\n  Prepared Statement.............................................    12\nMr. George Hender, Banking/Financial Sector Coordinating Council, \n  Management Vice Chairman, Options Clearing Corporation:\n  Oral Statement.................................................    26\n  Prepared Statement.............................................    28\nMr. J. Michael Hickey, Chairman, Telecommunications Sector \n  Coordinating Council, Vice President, Government Affairs-\n  National Security Policy, Verizon:\n  Oral Statement.................................................    18\n  Prepared Statement.............................................    20\nMr. 
David Powner, Director, Information Technology Management \n  Issues, Government Accountability Office.......................    16\n\n                                Panel II\n\nMr. Larry Clinton, President and CEO, Internet Security Alliance:\n  Oral Statement.................................................    75\n  Prepared Statement.............................................    77\nDr. Lawrence A. Gordon, Ernst & Young Alumni Professor, \n  Managerial Accounting and Information Assurance, Robert H. \n  Smith School of Business, University of Maryland:\n  Oral Statement.................................................    81\n  Prepared Statement.............................................    84\nMs. Sally Katzen, Visiting Professor of Law, George Mason \n  University School of Law:\n  Oral Statement.................................................    52\n  Prepared Statement.............................................    54\n\n                             For the Record\n\nDr. Michael O'Hanlon, Senior Fellow, Brookings Institution:\n  Prepared Statement.............................................   100\nMr. David Powner, Director, Information Technology Management \n  Issues, Government Accountability Office:\n  Prepared Statement.............................................   115\n\n                               Appendixes\n\nAppendix I:  Cyber Security Criteria.............................   125\nAppendix II:  Thirteen DHS Cyber Security Responsibilities.......   126\n\n\n  ENHANCING AND IMPLEMENTING THE CYBERSECURITY ELEMENTS OF THE SECTOR-\n                             SPECIFIC PLANS\n\n                              ----------                              \n\n\n                      Wednesday, October 31, 2007\n\n             U.S. 
House of Representatives,\n                    Committee on Homeland Security,\n           Subcommittee on Emerging Threats, Cybersecurity,\n                                and Science and Technology,\n                                     joint with the\nSubcommittee on Transportation Security and Infrastructure \n                                                Protection,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 3:45 p.m., in \nRoom 311, Cannon House Office Building, Hon. James R. Langevin \n[chairman of the Emerging Threats, Cybersecurity, and Science \nand Technology Subcommittee], presiding.\n    Present: Representatives Langevin, Etheridge, Pascrell, \nJackson Lee, Clarke, McCaul, and Lungren.\n    Mr. Langevin. The Subcommittee on Emerging Threats, \nCybersecurity, and Science and Technology, and the Subcommittee \non Transportation Security and Infrastructure Protection will \nnow come to order.\n    The subcommittees today are meeting to receive testimony on \nenhancing and implementing the cybersecurity elements of the \nsector-specific plans. I will begin by recognizing myself for \nthe purpose of an opening statement.\n    Good afternoon. Over the past few months, the Subcommittee \non Emerging Threats, Cybersecurity, and Science and Technology \nhas held numerous hearings to assess how far-reaching our \ncybersecurity vulnerabilities are and how best to address them. \nToday, we will be focusing on the extent to which cybersecurity \nhas been implemented as part of our 17 different sector-\nspecific plans.\n    We are joined today by the Transportation Security and \nInfrastructure Protection Subcommittee led by Chairwoman Sheila \nJackson Lee of Texas and Ranking Member Lungren. 
Though this is \nour first joint hearing on the subject, I very much look \nforward to working with the chairwoman and ranking member, \nalong with my ranking member on the subcommittee on these \nissues of the 110th Congress as it continues.\n    Although critical infrastructure protection is usually \nassociated with physical protection of facilities, there is a \ngrowing realization that cybersecurity must receive equal \nattention. This holds true especially since the Nation's \ncritical infrastructure relies extensively on computerized \ninformation systems and electronic data.\n    As we learned 2 weeks ago in a hearing on control systems \nand the electricity grid, many elements of our Nation's \ncritical infrastructure are vulnerable to cyber attack in part \nbecause the computers are connected to the Internet. A cyber \nattack against a portion of our critical infrastructure could \nhave devastating consequences that could cascade across the \ncountry.\n    Similarly, an attack on our control systems could cause \nserious physical harm, for example, through the introduction of \nraw sewage into drinking water systems or through the \ncatastrophic failure of critical electrical generators.\n    One of the most important ways we can secure our \ninfrastructure is through the implementation of the sector-\nspecific plans. These 17 plans, one for each critical \ninfrastructure sector in the U.S., are supposed to describe how \neach sector will identify, prioritize, and protect their \nphysical and cyber assets. These plans are based on the high \nlevel of Federal guidance in the National Infrastructure \nProtection Plan, or NIPP, released by DHS in 2006. 
The NIPP is \nthe roadmap for the sectors to follow when developing their \nsector-specific plans.\n    The completion of the sector-specific plans will allow DHS \nto write a national annual report on critical infrastructure \nprotection which is designed to give us a general assessment of \nthe security of our infrastructure. This firsthand report is \nscheduled to be released next week. Today, we will focus \nspecifically on the cyber aspects of these plans.\n    I have two significant concerns about the efforts of the \nDepartment of Homeland Security in this area. First, according \nto the Government Accountability Office report, released today, \nmany of the 17 plans are incomplete when it comes to \ncybersecurity. The GAO rated these 17 sector-specific plans \naccording to three categories--either fully addressed, \npartially addressed, or not addressed at all--and found that \nnone of the plans fully addressed all 30 cybersecurity \ncriteria. GAO reports many plans have no way of identifying the \nconsequences of a cyber attack or reporting metrics of progress \nin implementing the plans to DHS. GAO concluded that without \ncomprehensive plans, certain sectors could be ill prepared to \nrespond to a cyber attack.\n    Now, the plans are supposed to be the easier part of this \nprocess, but if we are struggling just to get the plans right, \nwe are going to have an even tougher time achieving true \nsecurity. Our main goal, of course, is actually protecting our \ncritical infrastructure or at least making it resilient to \nattack; that should be the primary focus of our efforts. But as \nthe first step, DHS must improve the current state of the cyber \nelements of the sector-specific plans. What we have now is \nsimply unacceptable.\n    My second concern is with the implementation of the plan. \nToday's sector witnesses will describe the varying degrees to \nwhich they have begun translating their plans into actual \nimprovements. 
It should be noted, of course, that the sector-\nspecific plans were officially released in May 2007, so there \nhas not been a great deal of time for action. While sectors \nhave started implementing their plans, much work clearly \nremains to be done.\n    Under the Department's current public-private partnership \napproach, I don't believe the Federal Government can adequately \nensure the security of our critical infrastructure. Thus far, \nDHS has adopted a laissez-faire approach, it seems, towards \ncritical infrastructure owners and operators. The sector-\nspecific plan process is entirely voluntary and there are no \nregulatory requirements attached to it.\n    Many would argue, however, that protecting critical \ninfrastructure is an issue of national security, a core \nconstitutional responsibility of the Federal Government. Under \nthis viewpoint, laissez-faire is arguably not the appropriate \nmodel.\n    This observation is not intended to be an argument for more \nregulation or a criticism of our private sector partners. In a \nperfect world, we either wouldn't have to worry about security \nor would have an unlimited amount of money to spend on it, but \nthis is clearly not a perfect world.\n    The Federal Government and the American people want to \nensure that there is a high level of cybersecurity protections \non our critical infrastructure. But, as Dr. Gordon notes in his \ntestimony, private sector owners and operators have a hard time \nmaking the business case for increased cybersecurity \ninvestments.\n    Recognizing there may, in fact, be a market failure when it \ncomes to private sector cybersecurity, I have asked the second \npanel of witnesses to discuss ways to incentivize owners and \noperators of critical infrastructure to better protect their \nsystems. Some believe that with the proper incentives, the \nprivate sector can respond faster and more efficiently to \nfuture threats. 
Clearly, without appropriate consideration of \nall available public policy tools, the private sector's \nparticipation in critical infrastructure efforts may not reach \nits full potential, but I do think we need to look at a broad \nrange of options in this area.\n    I have great apprehension, though, about the current \nframework DHS is creating with the sector-specific plans as \nthey relate to cybersecurity. But I am hopeful that today's \ndiscussion will be a valuable tool in trying to strike the \nright balance that will ensure a high level of security with a \nlow level of government involvement.\n    Mr. Langevin. That concludes my opening statement, and the \nChair now recognizes the ranking member of the subcommittee, \nthe gentleman from Texas, Mr. McCaul, for an opening statement.\n\n   Prepared Statement of the Honorable James R. Langevin, Chairman, \n      Subcommittee on Emerging Threats, Cybersecurity, and Science\n\n    Good afternoon. Over the past few months, the Subcommittee on \nEmerging Threats, Cybersecurity and Science and Technology has held \nnumerous hearings to assess how far reaching our cybersecurity \nvulnerabilities are and how best to address them. Today we will be \nfocusing on the extent to which cybersecurity has been implemented as \npart of our 17 different Sector Specific Plans. We are joined today by \nthe Transportation Security and Infrastructure Protection Subcommittee, \nled by Chairwoman Jackson-Lee and Ranking Member Lungren. Though this \nis our first joint hearing on the subject, I very much look forward to \nworking with the Chairwoman and Ranking Member on these issues as the \n110th Congress continues.\n    Although critical infrastructure protection is usually associated \nwith physical protection of facilities, there is a growing realization \nthat cybersecurity must receive equal attention. 
This holds true \nespecially since the nation's critical infrastructure relies \nextensively on computerized information systems and electronic data. As \nwe learned two weeks ago in a hearing on control systems and the \nelectricity grid, many elements of our nation's critical infrastructure \nare vulnerable to cyber attack in part because their computers are \nconnected to the Internet. A cyber attack against a portion of our \ncritical infrastructure could have devastating consequences that \ncascade across the country. Similarly, an attack on our control systems \ncould cause serious physical harm, for example through the introduction \nof raw sewage into drinking water systems or through the catastrophic \nfailure of critical electrical generators.\n    One of the most important ways we can secure our infrastructure is \nthrough the implementation of the Sector Specific Plans. These 17 \nplans----one for each critical infrastructure sector in the U.S.--are \nsupposed to describe how each sector will identify, prioritize, and \nprotect their physical and cyber assets. These Plans are based on the \nhigh level Federal guidance in the National Infrastructure Protection \nPlan--or NIPP--released by DHS in 2006. The NIPP is the road map for \nthe sectors to follow when developing their Sector Specific Plans. The \ncompletion of the Sector Specific Plans will allow DHS to write a \nNational Annual Report on Critical Infrastructure Protection, which is \ndesigned to give us a general assessment of the security of our \ninfrastructure. The first annual report is scheduled to be released \nnext week.\n    Today we will focus specifically on the cyber aspects of these \nplans. I have two significant concerns about the efforts of the \nDepartment of Homeland Security._First, according to the Government \nAccountability Office report released today, many of the 17 plans are \nincomplete when it comes to cybersecurity. 
The GAO rated the 17 Sector \nSpecific Plans according to three categories: fully addressed, \npartially addressed, or not addressed, and found that none of the plans \nfully addressed all 30 cybersecurity criteria_GAO reports that many \nplans have no way of identifying the consequences of a cyber attack or \nreporting metrics of progress in implementing the plans to DHS. GAO \nconcluded that without comprehensive plans, certain sectors could be \nill prepared to properly respond to a cyber attack.\n    Now, the plans are supposed to be the easier part of this process. \nBut if we're struggling just to get the plans right, we're going to \nhave an even tougher time achieving true security. Our main goal, of \ncourse, it actually protecting our critical infrastructure, or at least \nmaking it resilient to attack. That should be the primary focus of our \nefforts, but, as a first step, DHS must improve the current state of \nthe cyber elements of the sector specific plans. what we have now is \nsimply unacceptable. My second concern is with the implementation of \nthe plans. Today's sector witnesses will describe the varying degrees \nto which they have begun translating their plans into actual \nimprovements. It should be noted that the sector plans were officially \nreleased in May 2007, so there has not been great deal of time for \naction. While many sectors have started implementing their plans, much \nwork remains to be done. Under the Department's current public/private \npartnership approach, I do not believe the Federal government can \nadequately ensure the security of our critical infrastructure.\n    Thus far, DHS has adopted a laissez-faire approach toward critical \ninfrastructure owners and operators. The Sector specific Plan process \nis entirely voluntary, and there are no regulatory requirements \nattached to it. 
Many would argue, however, that protecting critical \ninfrastructure is an issue of national security, a core constitutional \nresponsibility of the Federal government. Under this viewpoint, \nlaissez-faire is arguably not the appropriate model. This observation \nis not intended to be an argument for more regulation or a criticism of \nour private sector partners. In a perfect world, we either wouldn't \nhave to worry about security or would have an unlimited amount of money \nto spend on it. But this is clearly not a perfect world.\n    The Federal government and the American people want to ensure there \nis a high level of cybersecurity protections on our critical \ninfrastructure, but, as Dr. Gordon notes in this testimony, private \nsector owners and operators have a hard time ``making the business \ncase'' for increased cybersecurity investments. Recognizing that there \nmay in fact be a market failure when it comes to private sector \ncybersecurity, I've asked the second panel witnesses to discuss ways to \nincentivize owners and operators of critical infrastructure to better \nprotect their systems. Some believe that with the proper incentives, \nthe private sector can respond faster and more efficiently to future \nthreats. Clearly, without appropriate consideration of all available \npublic policy tools, the private sector's participation in critical \ninfrastructure protection efforts may not reach its full potential.\n    I have great apprehension about the current framework DHS is \ncreating with the sector specific plans as they relate to \ncybersecurity. But I am hopeful that today's discussion will be a \nvaluable tool in trying to strike the right balance that will ensure a \nhigh level of security with a low level of government involvement.\n\n    Mr. McCaul. 
I thank the chairman, and Chairwoman Jackson \nLee and Ranking Member Lungren.\n    Let me first say how honored I was yesterday to announce \nwith you the creation of a commission to study this issue of \ncybersecurity, which has the top and brightest minds in the \ncountry on cybersecurity participating. It will be chaired by \nAdmiral Inman, who is a former Director of NSA, Deputy Director \nof CIA, a good friend of mine, one of the brightest individuals \nI think I have ever met; and Scott Charney, who I had the \nopportunity to work with at the Department of Justice, who \nheaded up the Computer Crime and Intellectual Property section.\n    I look forward to working with you in a bipartisan way. It \nis actually a nonpartisan commission that will provide \nrecommendations for the next administration and the Congress on \nthis very important issue.\n    This hearing today will bring attention to the importance \nof protecting the Nation's critical information technology \ninfrastructure. In response to the President's seventh Homeland \nSecurity Directive, the Department of Homeland Security has \ndeveloped the National Infrastructure Protection Plan. It is \ndesigned to provide a coordinated approach to establish \nnational priorities, goals, and requirements for all 17 sectors \nof our economy that own and operate critical infrastructures \nacross the country.\n    Since every sector depends to a certain extent on IT \nsystems and networks, it is very important that each sector's \nplan includes its approach to securing its information \ninfrastructure. The sector-specific plans have undergone what \nsome might call a tortuous evolution. Even so, it is important \nto realize that these plans are one piece of developing a \ncommon framework across the 17 diverse sectors.\n    What this subcommittee has discovered in its hearings is \nthat each of the 17 sectors is dependent upon information \ninfrastructure in one way or another. 
Some are more dependent \nupon it than others, but each sector could be vulnerable to \ncyber threats and cyber attacks if appropriate steps are \nignored. For example, a hacker could infiltrate the billing \nsystem of a hospital or retail store or affect credit numbers \nor health information for a vast number of individuals. This \nwould inject the financial and/or health care system with \nuncertainty.\n    Similarly, we learned earlier this month that industrial \ncontrol systems could cause very real physical damage if not \nproperly secured.\n    We need to make sure that all the sectors are aware of \ntheir inherent interdependencies, and also that all sectors \nhave critical information infrastructure, even if they don't \nthink they do, that needs to be evaluated and appropriately \nsecured. The sector-specific plans are the first step in \nsecuring this country's critical infrastructure.\n    Again, Chairman Langevin and I--I was pleased to announce \nyesterday that we are participating in a commission to develop \nrecommendations on cyber and information security policy for \nthe next President. It is important to evaluate the actions of \nthe current administration, build upon its successes, and \nincorporate its lessons learned as we move forward to improve \nour Nation's overall cybersecurity.\n    With that, Mr. Chairman, I yield back.\n    Mr. Langevin. I thank the gentleman.\n    And the Chair now recognizes the chairwoman of the \nSubcommittee on Transportation Security and Infrastructure \nProtection, the gentlelady from Texas, Ms. Sheila Jackson Lee, \nfor an opening statement. And let me just again, as I mentioned \nin private to the chairwoman, say how grateful I am that we are \ndoing this joint hearing and how much I certainly look forward \nto working with you, Madam Chair, as we go forward.\n    Ms. Jackson Lee. Thank you very much, Mr. Chairman. 
And let \nme offer my equal appreciation of the opportunity to continue a \ntopic that my committee, Transportation Security and \nInfrastructure Protection, along with the ranking member of \nthat subcommittee, has continued to have a keen eye.\n    And as I do so, might I just acknowledge the existence of \nthe National Infrastructure Protection Plan. In meeting with a \nnumber of those from the private sector, we know that the work \nthat we are doing today, the work that you have done, is \nextremely important and is an urgent topic of the private \nsector's participation in protecting our country's critical \ninfrastructure.\n    So, again, I am grateful to Chairman Langevin for inviting \nthe Subcommittee on Transportation Security and Infrastructure \nProtection to participate in this hearing; and I look forward \nto our future collaboration where our issues of concern \ninteract.\n    Today's hearing regards the implementation or existence of \nthe cybersecurity elements of the 17 sector-specific plans, \nSSPs, under the National Infrastructure Protection Plan. \nRanking Member Lungren and myself take particular interest in \nthis topic as DHS protection falls under our subcommittee's \njurisdiction. We have been and continue to be very vigilant \nabout the Department's protection of our Nation's critical \ninfrastructure, beyond cybersecurity to also address physical \nand human considerations. Thanks again to Chairman Langevin, \nhowever, we will learn today about how the Department is \nprotecting critical infrastructure from a cybersecurity \nperspective, and I look forward to seeing how the lessons \nlearned today apply to other critical infrastructure protection \nprograms. Thus far, I have been disappointed with DHS SSP \nefforts, but I look forward to learning more today and \ncontinuing the journey so that we can work together public and \nprivate sector.\n    SSP is a massive and unprecedented undertaking. 
According \nto the Homeland Security Act of 2002, critical infrastructure \nincludes systems and assets, whether physical or virtual, so \nvital to the United States that the incapacity or destruction \nof such systems and assets would have a debilitating impact on \nsecurity, national economic security, national public health or \nsafety, or any combination of these matters. Based upon this \ndefinition, critical infrastructure is not just bridges and \nwater utilities, but also financial centers and transactions. \nIt is therefore clear that when such a vast and important \nmission is combined with a young agency, it is incumbent upon \nit and its oversight committee to have frank and honest \ndiscussions about the efficacy of our SSP efforts.\n    Protecting our systems and assets from natural and human-\nmade disasters is exclamated by the fact that approximately 85 \npercent of the country's critical infrastructure is owned and \noperated by the private sector. Furthermore, this \nadministration did not encourage the government to regulate the \nprivate sector owners and operators, and for them, instead--to \nprotect their critical infrastructure, but instead it \nencouraged voluntary partnerships.\n    I raised the question earlier this morning about whether or \nnot there needs to be regulation or should we continue in the \nvoluntary effort. How well the Department manages this \nvoluntary relationship with the private sector to protect our \ncritical infrastructure is and will continue to be a major \npriority for our committee and my subcommittee specifically.\n    Recently, Chairman Thompson and I directed committee staff \nto investigate the implementation of the NIPP and SSPs to learn \nwhether they are motivating private industry to protect our \ncritical infrastructure. Because such a large task is based \nupon a voluntary partnership, we need to give great attention \nto whether actions are indeed being taken. 
That will be the focus of my attention at today's hearings.
    And might I also say that I believe there is a great interest in the private sector to be engaged. They know that they have a large share of the private infrastructure or the infrastructure of this Nation. Then, what is the vehicle, what is the formula, what is the structure that should be utilized to engage the private sector and to make this work?
    After all, we are responsible for securing America collectively, and this committee, the full committee, knows full well the question will be asked, maybe only of this committee, if the possibility occurs of a terrorist act in this Nation.
    The release of the NIPP and SSPs was delayed significantly. Unfortunately, the threat to our critical infrastructure was not simultaneously delayed. As a result, we have to quickly determine whether these plans are being implemented by owners and operators to better protect our critical infrastructure.
    It is not enough to create large, nearly unreadable documents and to discuss processes. Instead, we must focus on implementation and execution. For instance, we must have effective and efficient communication between private sector owners and operators of critical infrastructure at all levels of government.
    On September 26, Chairman Thompson and I sent a letter to Assistant Secretary Stephan and Director Caverly about the implementation of the SSPs and the standards of the national annual report that is supposed to describe the implementation of protection efforts. Based upon the Department's responses, we are quite concerned about whether verifiable action is being taken by the private sector.
    I am not here to reprimand the private sector or to officially call for its regulation; but as I indicated, can we collaborate and can we work together?
Because of the mission, however, I believe that all options should be on the table, and I believe that we need to give these partnerships a chance. We need to know whether the Department is executing them effectively; and what can we do to help make them work better?
    I believe the owners and operators of these assets will in most cases act without regulation if an effective case for action is made and there is adequate and necessary follow-through by the Department, oversight, and the opportunity to share how we can do better.
    I want to learn from our witnesses, from the private sector how the Department can be more effective in encouraging this necessary and urgent activity.
    It is now time for an open and honest conversation about protecting our critical infrastructure. We are done with documents and verbiage; it is time for action. It is time for us to learn about the tools that you need and how this Congress can be helpful.
    We may not need a regulatory hammer, but we certainly need a national discussion about civic and corporate responsibility and cooperation.
    I believe, Chairman Langevin, that today's hearing is the beginning of establishing that cooperation and dialogue on behalf of the American people. I thank you.
    Mr. Langevin. I thank the gentlelady for her comments, and particularly the sentiment of our cooperation, I know that will continue, and I look forward to that.
    [The statement of Ms. Jackson Lee follows:]

  Prepared Statement of the Honorable Sheila Jackson Lee, Chairwoman, 
 Subcommittee on Transportation Security and Infrastructure Protection

    I would like to take this opportunity to thank all of you for joining us this afternoon to discuss the urgent topic of private sector participation in protecting our country's critical infrastructure.
I am particularly grateful to Chairman Langevin for inviting the Subcommittee on Transportation Security and Infrastructure Protection to participate in this hearing, and I look forward to future collaboration where our issues of concern intersect.
    Today's hearing regards the implementation--or existence--of the cyber security elements of the 17 Sector Specific Plans (SSPs) under the National Infrastructure Protection Plan (NIPP). Ranking Member Lungren and I take particular interest in this topic as DHS' infrastructure protection efforts fall under our subcommittee's jurisdiction. We have been--and continue to be--very vigilant about the Department's protection of our nation's critical infrastructure beyond cyber security, to also address physical and human considerations.
    Thanks to Chairman Langevin, however, we will learn today about how the Department is protecting critical infrastructure from a cybersecurity perspective, and I look forward to seeing how the lessons learned today apply to other critical infrastructure protection (CIP) programs. Thus far, I have not been very impressed with DHS' CIP efforts.
    CIP is a massive and unprecedented undertaking. According to the Homeland Security Act of 2002, ``critical infrastructure'' includes ``systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters.'' Based upon this definition, ``critical infrastructure'' is not just bridges and water utilities, but also financial centers and transactions.
It is, therefore, clear that when such a vast and important mission is combined with a young agency, it is incumbent upon it and its oversight committee to have frank and honest discussions about the efficacy of our CIP efforts.
    Protecting these systems and assets from natural and human-made disasters is exacerbated by the fact that approximately 85 percent of the country's critical infrastructure is owned and operated by the private sector. Furthermore, this Administration did not encourage the government to regulate and mandate private sector owners and operators protect their critical infrastructure but, instead, it encouraged voluntary partnerships. How well the Department manages this voluntary relationship with the private sector to protect our critical infrastructure is--and will continue to be--a major priority for our Committee, and my subcommittee specifically.
    Recently, Chairman Thompson and I directed Committee staff to investigate the implementation of the NIPP and SSPs to learn whether they are motivating private industry to protect our critical infrastructure. Because such a large task is based upon a voluntary partnership, we need to give great attention to whether actions are, indeed, being taken. That will be the focus of my attention at today's hearing.
    The release of the NIPP and the SSPs was delayed significantly. Unfortunately, the threat to our critical infrastructure was not simultaneously delayed. As a result, we have to quickly determine whether these plans are being implemented by owners and operators to better protect our critical infrastructure. It is not enough to create large, nearly unreadable documents and to discuss processes; instead, we must focus on implementation and execution.
For instance, we must have effective and efficient communication between private sector owners and operators of critical infrastructure and all levels of government.
    On September 26, 2007, Chairman Thompson and I sent a letter to Assistant Secretary Stephan and Director Caverly about the implementation of the SSPs and the status of the National Annual Report that is supposed to describe the implementation of protection efforts. Based upon the Department's responses, we are quite concerned about whether verifiable action is being taken by the private sector.
    I am not here to reprimand the private sector or to viscerally call for its regulation. Because of the mission, however, I believe that all options should be on the table. I believe that we need to give these partnerships a chance. We need to know whether the Department is executing them effectively. I believe the owners and operators of these assets will, in most cases, act without regulation if an effective case for action is made and there is adequate and necessary follow-through by the Department. I want to learn from our witnesses from the private sector how the Department can be more effective in encouraging this necessary--and urgent--activity.
    It is now time for an open and honest conversation about protecting our critical infrastructure. We are done with documents and verbiage. It is time for action. It is time for us to learn about the tools you need and how this Congress can help. We may not need a regulatory hammer, but we certainly need a national discussion about civic and corporate responsibility. Perhaps today's hearing begins that conversation and will lead to concrete steps that will make America truly safer.

    Mr. Langevin. The Chair now recognizes the ranking member of the subcommittee, the gentleman from California, Mr. Lungren, for the purpose of an opening statement.
And, likewise, I look forward to working with the gentleman from California.
    Mr. Lungren. Thank you very much, Mr. Chairman. And I thank the gentlelady and I thank the gentleman from Texas, Mr. McCaul.
    First of all, let me say that I believe that the Department of Homeland Security did a good job in putting together the sector-specific plans and coming up with the National Infrastructure Protection Plan under the direction of Colonel Stephan. I know, when he first came in, he was dissatisfied with what was then in the works, and asked us for extra time to make sure that we could put a good product together. And I think the Department has; I congratulate you on that. Frankly, it is a good piece of work.
    I am, as my colleagues are, dismayed by the recent GAO review which did find that most of the sectors lacked a process for identifying the consequences of cyber attacks against their assets. That is probably not surprising, because most Americans and most in Congress look at guns, gates, and guards as the traditional means of protecting our critical infrastructure; and it is only after stepping back a ways that we realize the importance of the cyber world in all of this.
    It is my feeling that a public-private partnership is absolutely essential, not just because 85, 86, 87, whatever percentage you want to say of our critical infrastructure is privately owned and operated; but the agility with which the private sector is able to adapt in the area of technology is at least the equal of those of us in government.
We would do ourselves a disservice if we in any way followed procedures on the bureaucratic side or the regulatory side which denied us that agility, that creativity, and that ingenuity in responding to what are threats that change, not yearly, not monthly, not weekly, not daily, but, frankly, minute by minute.
    So I am very interested in the testimony we will receive today from both the public and the private sectors. But I hope that we will find a way to reach that balance that is necessary between government regulation and private ingenuity and effectiveness.
    Thank you very much, Mr. Chairman.
    Mr. Langevin. I thank the gentleman for his opening statement.
    Mr. Langevin. Other members of the subcommittee are reminded that under the committee rules, opening statements may be submitted for the record.
    I now welcome our first panel of witnesses. I want to begin by thanking the panel for their patience and willingness to stick around. We wish we had a little more control over the schedule around this place, but it doesn't seem to work out that way.
    But I do want to begin by welcoming our first witness, Mr. Greg Garcia, Assistant Secretary for Cybersecurity and Communications. Assistant Secretary Garcia oversees the Department of Homeland Security's mission to prepare for and respond to incidents that could degrade or overwhelm the operation of the Nation's information technology and communications infrastructure.
    So I welcome you, Mr. Secretary.
    Our second witness, Dave Powner, is the Director of Information Technology Management Issues at the Government Accountability Office.
    Thank you for your participation, and we welcome you here today, Mr. Powner.
    Our third witness is Mr. J. Michael Hickey, the Chairman of the Communications Sector Coordinating Council. Mr.
Hickey is also the Vice President of Government Affairs and National Security Policy at Verizon.
    Welcome, Mr. Hickey.
    Our fourth witness is Mr. George Hender, the Chairman of the Banking and Financial Sector Coordinating Council. Mr. Hender is the Vice Chairman of the Options Clearing Corporation.
    Welcome to you, Mr. Hender.
    Without objection, the witnesses' full statements will be inserted into the record.
    Mr. Langevin. And I now ask each witness to summarize his statement for 5 minutes, beginning with Assistant Secretary Garcia.
    The floor is yours.

   STATEMENT OF GREG GARCIA, ASSISTANT SECRETARY, OFFICE OF 
    CYBERSECURITY AND TELECOMMUNICATION, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Garcia. Thank you, sir.
    Mr. Chairman, Madam Chairwoman, members of the subcommittees, thank you very much for inviting me again to speak about the Department of Homeland Security's effort to strengthen the security and resilience of our Nation's critical infrastructure.
    My comments today will focus on three areas: first, how my office has worked with each of the 17 critical infrastructure and key resource sectors to ensure cybersecurity is integrated into their sector-specific plans, or SSPs;
    Second, I will report on the findings from our cybersecurity review of each SSP; and
    Third, our plan for continuing to increase attention that each sector gives to cybersecurity.
    Under the National Infrastructure Protection Plan, or NIPP, my office, the Office of Cybersecurity and Communications, works to reduce cyber risk and enhance cybersecurity in two ways. We serve as the Federal lead for the IT and communications sector infrastructure protection efforts, and as the lead for addressing the cross-sector cyber element for all sectors.
    Throughout the development of the SSPs, my office provided cybersecurity guidance and support to the sectors.
This included providing sector-specific agencies with resources for identifying cybersecurity practices and protective programs, helping them identify cyber R&D priorities, and developing a comprehensive cyber guidance checklist which gave each sector a framework for integrating cybersecurity into their SSPs.
    In addition, sectors asked us to review drafts of their SSPs, and we provided recommendations on ways to address cybersecurity. My office also conducted a review of the cyber elements in each plan to determine sector-specific efforts and identify cross-sector trends. Our review was generally consistent with the findings of the GAO's analysis.
    In particular, I am pleased that the GAO found that 12 out of the 17 sectors were comprehensive in addressing cybersecurity in their SSPs. This is clear evidence of all the hard work that has been done to date. Since the development of the SSPs, sectors have been implementing their plans and enhancing efforts to address the security of their cyber infrastructure.
    Our review of the 2007 sector annual reports revealed an increased integration of cybersecurity considerations across the sectors. For example, more than half of the sectors identified at least one cybersecurity goal and/or priority. This is a significant improvement from the 2006 sector annual reports, and it is a strong indication of increased understanding about the importance of cybersecurity.
    Additionally, sectors are incorporating DHS-sponsored cybersecurity measures, such as our cybersecurity vulnerability assessment tool, into their risk assessment efforts.
    I would add, no discussion of cybersecurity and infrastructure protection efforts would be complete without mentioning the cross-sector cybersecurity working group. This group is composed of experts from each sector and serves to enhance cross-sector understanding of mutual dependencies and interdependencies.
It is currently focused on addressing common cybersecurity challenges identified in each sector's initial SSP and developing improvements that can be leveraged across the sectors.
    Overall, while we are seeing greater attention given to cybersecurity, there is still more work to do. Each sector must consider their own cybersecurity posture and balance against other sector-specific risk management efforts. Specifically, sectors should continue to focus on identifying their critical cyber infrastructure, assessing their cyber risk, implementing protective programs, and measuring the effectiveness of their efforts.
    My office is currently engaging with sectors that may not have fully captured the good cybersecurity work they are already doing in their initial SSPs. We will work with them to more fully document their efforts as they update their SSPs and develop their 2008 sector annual reports.
    We will also continue to work with individual sectors to implement the cyber aspects of their SSPs in order to measurably enhance security within their sectors. We will conduct workshops with sectors to identify incentives, cyber metrics, and current and future cyber R&D requirements.
    The development of the SSPs represented a significant milestone for public and private sector national protection and preparedness activities. My office is committed to promoting cybersecurity strategies that can address the evolving risks we face. We are thankful for the work that has been done to date, and we encourage all sectors to continue working with us to address cybersecurity in their infrastructure protection activities.
    Thank you all for your time today, and I am happy to address any questions that you may have.
    Mr. Langevin. Thank you, Secretary Garcia, for your testimony.
    [The statement of Mr.
Garcia follows:]

                  Prepared Statement of Gregory Garcia

    Good afternoon, Chairman Langevin, Chairwoman Jackson-Lee, Ranking Member McCaul, Ranking Member Lungren, and Members of the Subcommittees. Thank you for inviting me to speak about our efforts to work with all 17 critical infrastructure and key resource (CI/KR) sectors to address the security of the cyber elements of their infrastructures, including the incorporation of cyber security into their Sector-Specific Plans (SSP), progress in advancing mitigation actions, and plans for continuing to engage with the CI/KR sectors to further address cyber security.
    One of the most pressing challenges facing the Department of Homeland Security (DHS) is preparing for cyber attacks against our CI/KR. Threats to the Nation's CI/KR are numerous and constantly evolving. The ability of threat actors to exploit vulnerabilities is facilitated by the widespread availability of tools, techniques, and information. A variety of cyber threats could exploit vulnerabilities in the Nation's CI/KR assets, systems, networks, and functions, potentially threatening national and economic security, public health and safety, and confidence in the government. The President's National Strategy to Secure Cyberspace recognized the importance of assessing threats and vulnerabilities and determining how likely or significant those attacks could be on critical infrastructure. It called for public-private partnerships to address five critical priorities: (1) a national cyberspace security response system, (2) a national cyberspace security threat and vulnerability reduction program, (3) a national cyberspace security awareness and training program, (4) securing governments' cyberspace, and (5) national security and international cyberspace security cooperation.
The first three priorities speak directly to the development and implementation of the SSPs.
    In implementing the National Strategy, DHS' Office of Cybersecurity and Communications (CS&C), working in partnership with the Office of Infrastructure Protection (OIP), Sector-Specific Agencies (SSAs), and public- and private-sector security partners, is committed to preventing, preparing for, responding to, and recovering from cyber attacks and their consequences. CS&C's strategic goals include preparing for and deterring catastrophic incidents by achieving a collaborative risk management and deterrence capability with a mature partnership between government and the private sector. One example of this partnership is CS&C's National Coordinating Center (NCC). Since 1984, the NCC has served as a forum through which the Federal government and private sector communications providers can interact face-to-face on a daily basis. This strategic goal also encompasses tactical efforts to secure and protect the Nation's cyber infrastructure from attacks and disasters by identifying and mitigating threats, vulnerabilities, and consequences.
    Our vision, philosophy, and strategy for preventing, responding to, and recovering from cyber attacks reflect the expanding and widespread importance of the cyber infrastructure. Policies that advance a safe and secure infrastructure rely on the valuable relationships between the public and private sectors and on public trust and confidence.
    The key to continued success is partnering strategically with the private sector to identify, prioritize and protect critical cyber assets, systems, networks and functions.
Even though the private sector builds, owns and operates most of the cyber infrastructure, CS&C takes an active role in its protection by building public-private partnerships that are vital to our strategy to secure cyberspace and to facilitating efforts to raise cyber security awareness, train personnel, stimulate market forces to secure cyberspace, improve technology through the identification of cyber research and development requirements, identify and remediate vulnerabilities, and exchange information.
    CS&C works to reduce cyber risk and enhance cyber security in two primary ways under the National Infrastructure Protection Plan (NIPP) framework: (1) as Federal lead for the Information Technology (IT) Sector's infrastructure protection and preparedness responsibilities (in partnership with the Communications Sector); and (2) as a cross-sector cyber element that involves DHS, the SSAs for each of the 17 CI/KR sectors, and public and private sector owners and operators.
    Homeland Security Presidential Directive 7 designates DHS as the SSA for both the Communications and IT sectors. CS&C's National Communications System (NCS) and the National Cyber Security Division (NCSD) carry out the SSA responsibility for the Communications and IT Sectors, respectively. Both sectors recently released their Sector Specific Plans (SSPs), which are planning documents that focus on overall sector preparedness, including managing risk to the sectors' critical functions and infrastructures that support homeland, economic, and national security. Under the NIPP framework, the Internet and its associated services are identified as a shared key resource of the IT and Communications Sectors, reflecting the convergence of voice and data communications networks and services.
In their respective DHS-designated roles for the Communications and IT infrastructure sectors, the NCS and NCSD share responsibility with public- and private-sector security partners for the availability of the Internet and its associated services. Recognizing the synergies between IT and Communications, the chair of each sector's Government and Sector Coordinating Councils also participates in the other sector's council. In addition, representatives from the IT and communications sectors participate in each other's risk assessment methodology development efforts.

Cyber Security in the Sector-Specific Plans
    In support of the cross-sector cyber responsibility, NCSD is working closely with OIP, the SSAs, and other security partners to integrate cyber security into the CI/KR sectors' protection and preparedness efforts.
    During the SSP development process, NCSD provided cyber expertise to the sectors, including reviews of draft SSPs and participation in sector-specific cyber security meetings. Specifically, as sectors were developing their SSPs, NCSD developed and provided information to SSAs on resources for cyber security practices and protective programs that are applicable across all sectors, as well as some that are more focused on individual sectors, to help inform the identification of cyber security-related protective programs. For each protective program, a brief description and the specific activities they supported within the preparedness spectrum were provided. NCSD also developed information on cyber research and development (R&D) requirements and priorities to help SSAs in the identification of cyber-related R&D priorities. A description of Federal organizations that support cyber R&D and several references to R&D documents that outlined specific cyber security initiatives were provided.
NCSD also offered to work directly with any sector that requested assistance and worked with responding sectors to develop and review cyber security content for the SSPs.
    NCSD also developed a comprehensive SSP Cyber Guidance Checklist, which provided sectors with a framework for integrating cyber security throughout each section of their SSPs. The checklist complemented DHS' 2006 CI/KR Protection SSP Guidance developed by OIP and was intended to provide a starting point for SSAs as they integrated cyber into their SSPs. The checklist included an outline and guidance for the development of cyber content for the SSPs. NCSD shared the checklist in OIP-sponsored technical assistance sessions with SSAs to provide expertise and answer questions regarding the inclusion of cyber security in the SSPs. NCSD personnel also met individually with those SSA representatives who expressed an interest in determining approaches for incorporating cyber security into their SSPs and sector risk management efforts.
    In December 2006 and January 2007, NCSD conducted a review of the final draft SSPs as part of OIP's review process to (1) assess each sector's plan for securing its cyber infrastructure and (2) understand the coordination between NCSD and the sectors needed to better secure the sector's cyber infrastructure. In addition to considering the full content of the SSPs, this review focused on specific areas where future coordination between NCSD and the sectors might be necessary to address the security of the cyber elements of the Nation's CI/KR, including the critical initial action to identify the sectors' cyber security partners that NCSD should engage with to manage cyber risk. NCSD also determined that coordination may be required in understanding how each sector plans to identify and assess risk to its cyber infrastructure.
Coordination is also required when assisting sectors in the development or refinement of methodologies intended to identify critical cyber elements and to assess cyber risk. Finally, the review identified protective programs specific to cyber security that fall within NCSD's responsibility and cyber R&D priorities requiring coordination across the sectors and with DHS' Science and Technology Directorate.
    After the SSPs were finalized, NCSD conducted a second review of the documents on behalf of the Cross-Sector Cyber Security Working Group (CSCSWG). The CSCSWG provides a forum for exchanging information on common cyber security challenges and issues (i.e., threats, vulnerabilities, and consequences) and enhancing the understanding across sectors of mutual dependencies and interdependencies. The working group includes cyber security experts from the CI/KR sectors collaborating to identify systemic cyber risks and mitigation strategies for the Nation's CI/KR sectors. The CSCSWG held its inaugural meeting on May 30, 2007, and determined that an initial area of focus would be reviewing the cyber security components of the SSPs to better understand the various efforts to protect cyber elements of the 17 CI/KR sectors and identify trends in cyber infrastructure protection that cut across the sectors. Using the NCSD review as a starting point, the group provided input on sectors' cyber content and on cyber activities not fully captured or initiated after the drafting process. The group has begun to share successes, best practices, and lessons learned to help the development and implementation of more effective cyber risk management activities across the sectors. For example, through the CSCSWG, members learned about the Roadmap to Secure Control Systems in the Energy Sector.
As a result, the Water and Chemical Sectors have chosen to initiate similar efforts to address the unique concerns of control systems security within their sectors.

    Progress in Advancing Mitigation Actions
    Many of the SSPs were created in summer and fall of 2006. Sectors have been implementing the plans, continuing or initiating efforts to address the security of their cyber infrastructure. Sectors are not uniformly comprehensive in their cyber security efforts and should not necessarily be. Each sector must consider its cyber security posture and balance that against other risk management efforts, in consideration of the unique aspects of its infrastructure. Cyber risk varies by sector, based on its dependence on cyber elements. For example, the extensive use of control systems in the Energy Sector and of business systems in the Financial Services Sector must factor into the extent, sophistication, and unique implementation of mitigation and protection strategies within those sectors. Other sectors do not have cyber infrastructure integrated as ubiquitously in their essential services, a fact that influences the focus and maturity of their cyber security efforts. The length of time a sector's public and private partners have been working together on infrastructure protection issues is another factor in the comprehensiveness of their plans. These observations regarding the cyber security position of the SSPs are generally consistent with the findings of the Government Accountability Office's (GAO) analysis.
    The integration and maturing nature of cyber security across the 17 CI/KR sectors was clear when NCSD reviewed and contributed to the Sector Annual Reports (SARs). The sectors' 2007 SARs were much improved over their initial 2006 efforts. For example, more than half of the sectors identified at least one cyber security goal and/or priority in their second SAR.
This represents a significant increase in the number of sectors from the 2006 SAR, suggesting that the understanding of the importance of cyber security is becoming more pervasive in the sectors.
    Further, more sectors are implementing DHS-sponsored protective measures, such as the Comprehensive Review, the Risk Analysis and Management for Critical Asset Protection (RAMCAP), and the Site Assistance Visit programs. NCSD collaborates with OIP to incorporate cyber security into these DHS risk and vulnerability assessment programs so that sectors implementing them would address the cyber elements of their infrastructure. We encourage sectors to assess cyber risk by using the Cyber Security Vulnerability Assessment (CSVA), a flexible and scalable approach that analyzes an entity's cyber security posture and describes gaps and targeted considerations that can reduce overall cyber risks. It assesses the policies, plans, and procedures in place to reduce cyber vulnerability in 10 categories (e.g., access control, configuration management, physical security of cyber assets, etc.) and leverages various recognized standards, guidance, and methodologies (e.g., International Organization for Standardization 27001, Information Systems Audit and Control Association Control Objectives for Information and related Technology, and the National Institute of Standards and Technology Special Publication 800 series). The CSVA tool is being used by six sectors in their tailored vulnerability assessments: five through their sector specific RAMCAP modules and another, the Transportation Sector, in its customized cyber security assessment.

    Plans for Continuing to Engage with the CI/KR Sectors to Further Address Cyber Security
    Our review of the SSPs and SARs found that sectors are paying attention to cyber security, but more needs to be done.
Over the next \nyear, sectors need to focus on identifying their critical cyber \ninfrastructure, assessing cyber risk and promoting voluntary \nassessments, implementing protective programs, and measuring the \neffectiveness of their efforts.\n    NCSD has created an action plan and is engaging with sectors in \naddressing cyber security issues not fully addressed in those sectors' \ninitial SSPs. This action plan includes working with sectors to review \ncyber security priorities, assess effects of cyber attacks, develop \nprotective programs, and evaluate R&D requirements and initiatives to \nidentify areas where additional capabilities are needed. NCSD has \nalready worked with the cyber experts of the Chemical Sector \nCoordinating Council (SCC) and the SSA to identify cyber security \ncontent needed for the 2008 update to their SSP. Some of the \nopportunities for engagement are based on sector specific needs, but \nothers address more common challenges. The action plan will address \nboth individual and more universal steps.\n    While all sectors have established SCCs and Government Coordinating \nCouncils (GCCs), the degree of examination of specific cyber risk and \nof cyber information sharing varies. Some sectors--such as Financial \nServices--consider cyber security as critical to their core business \nfunctions and integrate cyber security into all of their SSP \nimplementation activities. In fact, the Financial Services SSA, the \nDepartment of the Treasury, sits on the IT GCC because of its interest \nand expertise in cyber security. Other sectors have historically had \nless focus on cyber security due to the lack of prominence of IT in the \nbusiness of the sector. Representatives from the sectors' SCCs and GCCs \nare participating in the CSCSWG, which provides a mechanism for two-way \ninformation flow on cyber concerns across all sectors. 
Participation in \nthe CSCSWG may help less-mature sectors make more rapid progress in \nidentifying cyber goals, gaps, and interdependencies, as well as \ndeveloping programs to deter, respond to, and recover from cyber attacks by \nenabling them to leverage the experiences, work, and cyber functional \nexpertise that exists in many sectors.\n    In addition, the reliance of some sectors on control systems \nhighlights an area for increased coordination of risk management \nefforts. NCSD's Control Systems Security Program (CSSP) and the Process \nControl Systems Forum (PCSF) are resources to help address control \nsystems risk. The CSSP coordinates efforts among Federal, State, local, \nand tribal governments, as well as control system owners, operators, \nand vendors, to improve control system security within and across all \ncritical infrastructure sectors. In support of risk mitigation efforts, \nthe CSSP developed the Control Systems Cyber Security Self Assessment \nTool and provides training in control systems cyber security. The PCSF, \na standing group under the CSCSWG, works to develop solutions for \nprocess control systems security, aggregate information, connect \ndecision makers, and leverage other groups' work.\n    Sectors may leverage the United States Computer Emergency Readiness \nTeam (US-CERT) to share information on cyber threats and \nvulnerabilities and enhance situational awareness. The timely detection \nand analysis of cyber attacks further helps to assess operational risk \nand mitigate the impact on our Nation's critical infrastructures of \ncyber vulnerabilities. US-CERT is working with the Information Sharing \nand Analysis Center Council to expand this operational interaction.\n    Finally, most sectors are taking on the challenge of identifying or \ndeveloping metrics to measure the effectiveness of all infrastructure \nprotection efforts, including those for cyber. 
Since sectors have \ndifferent overall approaches to infrastructure identification and risk \nmanagement, NCSD will work with the sectors to develop some cross-\nsector qualitative measures that correlate to cyber security to help \nmeasure the effectiveness of sectors' cyber security efforts.\n    Conclusion\n    The development of the 17 CI/KR SSPs represented a significant \nmilestone in sectors' protection and preparedness activities. Sectors \nvaried in how they addressed the security of the cyber elements of \ntheir infrastructures, including the incorporation of cyber security \ninto their SSPs, but demonstrated increased understanding of the \nimportance of cyber security in the SARs and implementation activities.\n    As the sectors work to address the feedback from the GAO on the \ncyber security aspects of the SSPs, CS&C, and specifically, NCSD will \ncontinue to execute its cross-sector cyber responsibility to work with \nsectors to reduce cyber risk and enhance cyber security. Our goal is to \ncreate a clear and actionable path forward with the sectors and to work \ntogether to secure our critical cyber infrastructure.\n    NCSD will continue to schedule regular interactions with individual \nsectors as well as meetings with multiple sectors. For example, we plan \nto meet with each SSA at least twice a year, once before the sectors \nupdate their SSPs and once in early spring of 2008 as sectors are \npreparing their SARs. NCSD will develop guidance on cyber elements that \nshould be considered for inclusion in the SSPs and SARs. This guidance \nwill complement guidance from the Office of Infrastructure Protection. \nNCSD will also work with sectors through their coordinating councils to \nidentify cyber subject matter experts within their sectors and raise \nawareness of the sectors' reliance on cyber infrastructure. 
NCSD is \npiloting this approach by convening a small group of cyber security \nexperts with security clearances from across the sectors to support the \nSSA risk assessment process for the 2008 National CI/KR Protection \nAnnual Report.\n    NCSD also plans to offer workshops in 2008 with sector partners and \nother invited subject matter experts to address incentives to encourage \nvoluntary risk assessments, develop cross-sector cyber metrics, and \nidentify existing cyber research and development projects. The outcome \nof these workshops will provide sectors with ideas for incentives for \ninvesting in cyber security, metrics that enable realistic evaluation \nof cyber security, and cyber R&D priorities. NCSD will also continue to \nsupport the efforts of the CSCSWG as it addresses opportunities to \nenhance cyber security across the sectors and share information about \nstrong cyber programs and practices. Further, NCSD will continue to \nroll out important efforts like the CSVA, software assurance, and \ncontrol systems acquisition guidance, training, and cyber exercises to \nour sector partners.\n    We encourage sectors to continue to work collaboratively with NCSD \non addressing cyber security in their infrastructure protection \nactivities. Through participation in the CSCSWG, individual meetings \nwith NCSD, and various NCSD-sponsored workshops and programs, sectors \ncan make significant progress in the future to address or more fully \naddress cyber security.\n    We must reinforce a culture of preparedness, shift from a reactive \nto a proactive stance, and prepare by promoting effective cyber \nsecurity strategies that evolve as the risks evolve. There is much work \nto be done, but progress continues every day. 
We rely on the support \nand expertise of the sectors to advance this mission.\n    I would like to thank the Subcommittees for their time today, and I \nappreciate this opportunity to discuss these important cyber security \npriorities.\n\n    Mr. Langevin. I now recognize Mr. Powner to summarize his \nstatement for minutes.\n    Welcome.\n\n  STATEMENT OF DAVID POWNER, DIRECTOR, INFORMATION TECHNOLOGY \n      MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Powner. Chairman Langevin, Chairwoman Jackson Lee, \nRanking Members McCaul and Lungren, and members of the \nsubcommittees, we appreciate the opportunity to testify on our \nreport being released today on cybersecurity elements of the \nsector plans to protect our Nation's critical infrastructures.\n    Chairman Langevin and Ranking Member McCaul, I would like \nfirst to thank you for your leadership and oversight of the \nNation's cyber critical infrastructure.\n    As the focal point for SSP, DHS has many cyber-related \nroles and responsibilities that are called for in law and \npolicy that we have previously testified on before this \nsubcommittee. These are highlighted in detail in my written \nstatement. One of these is the development of a comprehensive \nnational plan that requires each of the 17 sectors to develop \nsector-specific plans that include how each sector will \nidentify, assess, and protect its cyber assets. Today's request \nis--I will discuss how well these plans address key cyber \naspects of cybersecurity and GAO's observations and \nrecommendations to move beyond the planning phase.\n    The extent to which the sectors address aspects of \ncybersecurity and their plans varied. The strongest plans were \nthe ones from the IT and communications sectors, while the \nweakest included the agriculture and commercial facilities \nsectors. 
The banking and finance sector's assessment fell near \nthe middle of these plans.\n    DHS has acknowledged these shortcomings and has stated that \nthese are only early efforts by sectors to develop their \nrespective plans. DHS attributed the variations to several \nitems, including the maturity of the sector and the extent to \nwhich the sector worked with DHS to develop their plans. \nNevertheless, until these plans fully address the key cyber \nelements, infrastructure sectors may not adequately identify, \nprioritize, and protect critical cyber assets.\n    Another reason why these plans are incomplete is that based \non our broader work for the full committee and for the \nsubcommittee chaired by Ms. Jackson Lee, some of the sectors \nclaim that these plans are not that useful. In particular, some \nsectors believe that they have progressed beyond these plans. \nIn these cases, then, this is just a paper exercise.\n    It is important to note that these are just plans. They do \nnot identify actual assets and vulnerabilities; rather, they \nidentify approaches the sectors will pursue. Moving forward, if \nin fact these plans are truly to be used to identify gaps in \nour Nation's cyber protection efforts on a national level, as \nintended, these plans need to be improved, meaning that they \ncomprehensively address cyber elements and, even more \nimportantly, the plans need to be effectively implemented.\n    From an oversight perspective, it will be important to \ntrack how these plans evolve and are implemented in the \ncritical infrastructure protection annual report due to the \nExecutive Office of the President each September, although we \nhear that this year's report will be issued in November.\n    Beyond its involvement with developing and implementing \nthese plans, DHS's National Cybersecurity Division needs to \ncontinue to bolster its capabilities so that it is viewed as a \nvaluable service provider to infrastructure owners. 
Today, this \nis not necessarily the case.\n    To its credit, DHS's efforts to lead cyber exercises, like \nCyber Storm, provide valuable information to participants to \nimprove response and coordination mechanisms. However, our \nNation still lacks a national threat assessment and a mature \nanalysis and warning capability, an area that we are currently \nreviewing for you, Mr. Chairman. If DHS is to effectively \nfulfill its role as the focal point for cyber critical \ninfrastructure protection, it must fulfill more of its \nresponsibilities and build more capability.\n    Our Nation continues to progress at a slow pace in \nimplementing this sector-based approach to protecting our \nNation's critical infrastructures. We are almost 10 years into \nthis approach, and although there is some progress in areas, we \nare not where we need to be. Unless we start making more \nprogress and actually protecting our critical infrastructures, \nwe may want to consider alternative approaches such as \nprioritizing and protecting by asset criticality regardless of \nsector.\n    In summary, Mr. Chairman, and Madam Chair, if the sector-\nbased approach to protecting our Nation's critical \ninfrastructures is to be effective, we will need comprehensive \nplans. However, ultimately our Nation needs to move beyond the \nplanning stages and into implementation of effective protective \nand recovery programs. Implementation of these plans is more \nlikely if DHS can successfully fulfill its responsibilities and \nbecome a provider of valuable information on threats and \nanalytical products to our Nation's critical infrastructure \nowners.\n    This concludes my statement. I will be pleased to respond \nto questions.\n    Mr. Langevin. I thank you, Mr. Powner, for your testimony.\n    [The statement of Mr. 
Powner follows:]\\1\\\n---------------------------------------------------------------------------\n    \\1\\See For the Record.\n---------------------------------------------------------------------------\n    Mr. Langevin. And the Chair now recognizes Mr. Hickey for \nhis statement for 5 minutes.\n\n STATEMENT OF J. MICHAEL HICKEY, CHAIRMAN, TELECOMMUNICATIONS \n                  SECTOR COORDINATING COUNCIL\n\n    Mr. Hickey. Good afternoon, Chairman Langevin and \nChairwoman Jackson Lee, Ranking Members McCaul and Mr. Lungren. \nIt is a pleasure to be here representing the communications \nsector and to testify on behalf of the sector in terms of what \nwe are doing day in and day out to advance not only \ncybersecurity, but business continuity and emergency \npreparedness practice within our sector.\n    What I would like to do in my few minutes with you is to \ndiscuss four areas of involvement. The first is focused on what \ncompanies like Verizon do day in and day out that really \naddresses not only cybersecurity, but broader asset protection \nwithin our companies.\n    I would also like to spend a few minutes talking about the \ncollaborative activity that is under way, again day in and day \nout not only within our sector, but with our partners in \ngovernment.\n    Third, I will speak briefly to the Communications Sector \nCoordinating Council structure and the work that we are doing \non our sector-specific plan.\n    And I will conclude with a few observations in terms of \nwhat I think we can do, what we must do, with government, going \nforward.\n    Effective industry and government collaboration starts with \nthe actions of individual organizations. The private sector \nowns and operates from 85 to 90 percent of this country's \ncritical infrastructure. 
Because of industry's important role \nin national and homeland security, corporations like Verizon \nmust dedicate the operations, experience, resources, and \noversight necessary to be as self-aware and self-reliant as \npossible.\n    Verizon's communications, voice, data, and video networks \nare touched by over 100 million consumers and government and \nbusiness customers daily. Because of this reach, we have a \nlongstanding and growing commitment to national security and \nemergency preparedness. For instance, we have designed, built, \nand managed networks that are resilient and redundant. We have \nadopted best-practice business methods and security procedures. \nWe have created and tested business continuity and emergency \npreparedness programs. We have responded successfully to a wide \nrange of crises and have provided leadership to industry and \ngovernment organizations dedicated to national security and \nemergency preparedness.\n    From a structural standpoint internally, we have corporate \npolicy statements that require attention to business \ncontinuity, emergency preparedness, and cybersecurity. We have \na number of senior leaders within our business from a chief \ninformation officer, who is an executive vice president, to a \nnew chief technology officer, again another executive vice \npresident, to the announcement of a new chief security officer \nfor Verizon Corporation who will start with us in January, who \ncurrently serves as executive assistant director of the FBI for \nCriminal, Cyber, and International Security.\n    We have groups within our IT organization that serve as \nservice bureaus to all of our business units to make sure that \ncybersecurity practices are designed, engineered, and adopted \nbusiness unit by business unit. 
We actually focus on security \nwithin our company from more of an organic standpoint.\n    We rely on ground-up business unit activity, identifying \nand dealing with issues; and beyond that, to coordinate \nactivity across our corporation, we have executive security \ncouncils and a Verizon information security council that is \nresponsible not only for oversight, but to make sure that best \npractices are implemented within our business organizations.\n    We have a cyber intrusion response team that provides 7-by-\n24 coverage for the entire enterprise, supporting all business \nunits and organizational points of contact to assess intrusion \nimpacts, contain and control further dissemination of problem \nareas across the company, and capture and preserve evidence for \nlaw enforcement and legal purposes.\n    So, within Verizon Corporation, as within many other \ncorporations that I work with day in and day out, there are \nstrong practices in place. There is a real focus day in and day \nout on cybersecurity and critical assets protection within our \norganizations.\n    I would like to address, just for a minute, sector \ncollaboration. Verizon and its peer companies within the \ncommunications sector have a long history of cooperation on \nnational security and emergency preparedness. We have a 40-year \nhistory that stems back to the aftermath of the Cuban missile \ncrisis when the National Communications System was created to \ndeal with issues of interoperability and sustainable \ncommunications.\n    Since that time, in 1984, the National Coordinating Center \nfor Telecommunications was formed as a partner organization \nwith the National Communications System. It was broadened. It \nwas established when Executive Order 12472 created it, and it \nhas focused since that time on making sure that industry and \ngovernment work together closely day in and day out on a full \nrange of asset protection measures. 
The focus is on \nfacilitating information sharing among government and industry \nparticipants regarding vulnerability, threat, intrusion, and \nanomaly information affecting the telecommunications \ninfrastructure.\n    I might point to the recent Southern California fires where \nthe NCC Watch took a real leadership role in coordinating \nprivate sector and government information, sharing real-time on \nwhat was happening within the field and how industry and \ngovernment could respond together. That information developed \nthere was shared with a joint field office when established on \nthe West Coast.\n    There is a network reliability and interoperability council \nestablished by the FCC back in 1992. There have been a series \nof seven councils since that time. Most have focused on some \naspect of security practice. Verizon and industry in general \nhave been very active in working not only with the FCC, but \nwith other government partners in advancing sound practice on a \nvoluntary basis as a result of the work done within the NRIC.\n    There is another organization called the National Security \nInformation Exchange. In 1990, the NCS focused on actions \nindustry and government could pursue to protect critical \ntelecommunications from the growing hacker threat. Ultimately, \nthe NCS and NSTAC created national security information \nexchanges. 
These exchanges, since that time, have brought \ntogether expertise from government and subject matter experts \non security practice from industry to address a full range of \nsecurity practices relevant to the evolving risk environment.\n    Pertinent to the Communications Sector Coordinating \nCouncil, I am very proud to be its chair for this year, and it \npoints out the complexities, I think, of working together not \njust within our sector, but on a cross-sector basis; and we \nhave focused very much on our interdependencies not just within \nour sector, but across sectors.\n    The Communications Sector Coordinating Council became \noperational in calendar year 2006. It was chartered to foster \nthe coordination of policy initiatives to improve the physical \nand cybersecurity of sector assets and to ease the flow of \ninformation within the sector, across sectors, and with \ndesignated Federal agencies.\n    We now embrace 35 member companies that are broadly \nrepresentative of the sector. I think that is a real benefit of \nthe Sector Coordinating Council's having been established, \nbecause we are not just traditional wireline and wireless; we \nare satellite, we are undersea cable. We represent the National \nBroadcasters, the Association of Public Television Stations, a \nwide range of companies.\n    To summarize, the sector has been very proactive through \nthe Sector Coordinating Council, through other mechanisms, and \nwe have really focused on our sector-specific plan, currently \non the risk assessment which we plan to have complete by the \nend of this calendar year in draft form and in final form by \nthe end of the first quarter next year. Thank you.\n    Mr. Langevin. Thank you.\n    [The statement of Mr. Hickey follows:]\n\n                Prepared Statement of J. Michael Hickey\n\n    Overview:\n    Mr. 
Chairman and Members of the Subcommittee, my name is Mike \nHickey and I thank you for the opportunity to testify before you on \nmeasures we have taken to address cybersecurity in the Communications \nSector Specific Plan. I serve as Vice President of Government Affairs \nfor National Security Policy at Verizon and as Chair of the \nCommunications Sector Coordinating Council. I also serve as Vice Chair \nof the Internet Security Alliance and am an active member of the US \nChamber of Commerce Homeland Security Task Force. Of these \norganizations, the Communications Sector Coordinating Council is \nuniquely chartered to represent the breadth of the communications \nsector on policy issues relating to the protection of critical \ncommunications infrastructure and key assets. Since 2005, it has \nemerged as an instrument for business engagement with government on \npolicy matters relating to homeland security and emergency \npreparedness.\n    My comments will address the roles that have been established for \nindustry and government in protecting the nation's critical physical \nand cyber communications assets, steps taken to protect these assets, \nwhat measures have worked effectively and what needs to be done to \nsharpen the collective focus as we move forward.\n\n    Tiered Approach to Critical Asset Protection:\n    Effective industry and government collaboration starts with the \nactions of individual organizations. The private sector owns and \noperates nearly 90% of this country's critical infrastructure. Because \nof industry's important role in national and homeland security, \ncorporations like Verizon must dedicate the operations experience, \nresources and oversight necessary to be as self-aware and self-reliant \nas possible. Verizon is obligated to its shareowners and customers to \ntake the steps necessary to secure its cyber, physical and human assets \nfrom disruption or attack. 
We cooperate with peer companies in order to \nsupport communications sector mutual aid obligations. We also \nproactively address our interdependencies with other sectors to ensure \ncontinuity of operations in time of crisis. Finally, we continue to \nwork with government agencies at the Federal, State, regional and local \nlevels to support appropriate security and emergency preparedness \ninitiatives.\n\n    Strength from Within:\n    Verizon Communications Inc. is a Dow 30 company. It employs over \n240,000 employees. In 2006, the company generated $88 billion in annual \nrevenue and spent $17.1 billion on capital investments. Verizon's \nstate-of-the-art voice, data and video networks are touched by over 100 \nmillion consumers and government and business customers daily.\n    Given its breadth of service and geographic coverage, Verizon's \ncommitment to national security and emergency preparedness--grounded in \ncorporate policy, sound business practice and hands-on experience--is \nlong-standing and growing. 
In order to ensure the continuity of its own \noperations and to meet the requirements of its critical customers in \ntime of crisis, Verizon has:\n        <bullet> Designed, built and managed network facilities that \n        are robust and resilient;\n        <bullet> Embraced ``best practice'' business methods and \n        security procedures;\n        <bullet> Created and tested business continuity and emergency \n        preparedness programs that have served the corporation and its \n        customers in times of stress;\n        <bullet> Responded successfully to a wide range of crises; and,\n        <bullet> Provided leadership strength to industry and \n        government organizations dedicated to national security and \n        emergency preparedness.\n    Verizon's Internal Security Councils: Verizon takes a holistic \napproach to addressing information security by coordinating business \nunit activity around network and information protection. This effort is \nled by the Verizon Executive Security Council (VESC), established in \n1995 to oversee all aspects of information security within Verizon. \nReporting to the VESC is the Verizon Information Security Council \n(VISC), an enterprise-wide, cross-organizational working committee \ncomprised of lead security managers and information security teams. The \nVISC is charged with instituting a secure environment for company \nnetwork, information management, processing, transport and delivery.\n    The Verizon business units that comprise the VISC are dedicated to \nproviding coordinated information and network security services for \nVerizon. 
These services include firewall support, host (mainframe and \ndistributed) management, virus protection, risk assurance, information \nsecurity practices, information security awareness, Incident Response & \nVulnerability scanning, and remote access security administration.\n    Computer Intrusion Response Team (CIRT): The Verizon CIRT provides \n7x24 coverage for the entire enterprise, supporting all business units \nand organizational points of contact to assess intrusion impacts, \ncontain and control further dissemination of problems across the \ncompany, and capture and preserve evidence for law enforcement/legal \npurposes. The CIRT also provides restoration options, identifies and \ncloses security vulnerabilities (exploited or otherwise), and uses \nsecure communication channels during response.\n    The CIRT's network of contacts and organizational breadth enable it \nto effectively work with the appropriate company personnel to \ncoordinate incident response and resolution. A single point of contact \nis designated for all network or computer related security advisories \nto the enterprise, thus eliminating duplication of information and \neffort by quality checking all data prior to distribution. A historical \nrepository of advisory data is also maintained for reference.\n    Management Structure: Verizon has sharpened its focus in addressing \nits evolving challenges in network technology and security. Key \ninternal organizations have been realigned to apply consistent, best \npractice solutions to IT and network technology across business units. \nVerizon's Executive Vice President and Chief Information Officer has \noversight over a range of technical support organizations serving the \ncompany's major business units. Meanwhile, a newly created position of \nExecutive Vice President and Chief Technology Officer has \nresponsibility for establishing and managing the overall direction, \ntechnology and planning of all Verizon networks. 
The CTO in each of \nVerizon's business groups remains responsible for the day-to-day \nexecution of their network deployment strategies.\n    Technical Support: A full array of internal technical, consulting \nand R&D services are available to guide decision making and strengthen \nbest practice within all major business units. For instance, the \nVerizon Information and Network Security organization advances security \nstrategies that integrate people, process and technology (such as \nfirewalls, intrusion detection systems, virus protection, and remote \naccess) with full adherence to information security policies and \npractices; while also providing technical and consulting services to \nbusiness units--all with a primary focus on information asset \nprotection.\n    Verizon Information Security Focus is Crucial: In today's evolving \nthreat environment, malicious insiders are the greatest threat to our \ncritical national infrastructures. Today's geo-political climate will \nresult in cyber attacks against national communications and control \nsystems of economic, safety, or political significance. And politically \n(ideologically) motivated cyber attacks are increasing in volume, \nsophistication, and coordination. Verizon is addressing today's very \nreal threats. Standards organizations must address carrier class \nsecurity issues and architectures. The vendor community needs to \nproduce equipment & software that meet Verizon's security objectives. \nAnd our customers and peer carriers need to work with us to mitigate \nsecurity risks.\n\n    Sector Leadership and Collaboration:\n    Verizon, and its peer companies within the Communications Sector, \nhave a long history of cooperation in national security and emergency \npreparedness. This history distinguishes the Communications Sector from \nmost other critical sectors identified in the National Infrastructure \nProtection Plan. 
The sector personifies cooperation and trusted \nrelationships that have resulted in the delivery of critical services \nwhen emergencies and disasters occur. A strong bond between the private \nand public sectors exists today in large part because of several \norganizations that were created in response to earlier threats to the \nnation's critical infrastructure.\n    National Communications System: The Sector Specific Agency for the \nCommunications Sector is the National Communications System (NCS), \ncurrently housed within the Department of Homeland Security's National \nCyber Security and Communications Division.\n    The NCS was established by President Kennedy in the aftermath of \nthe Cuban missile crisis when communications problems between the \nUnited States and key international players threatened to further \ncomplicate the crisis. Since 1963, the NCS has worked to strengthen the \ncommunications facilities and components of various Federal agencies, \nfocusing on interconnectivity and survivability.\n    National Coordinating Center for Telecommunications: In 1982, \ntelecommunications industry and Federal Government officials identified \nthe need for a joint mechanism to coordinate the initiation and \nrestoration of national security and emergency preparedness \ntelecommunications services. In 1984, Executive Order 12472 broadened \nthe NS/EP role of the National Communications System and created the \nNational Coordinating Center for Telecommunications as a central \npublic-private sector organization to coordinate response to emergency \ncommunications situations.\n    In January 2000, the NCC was designated an Information Sharing and \nAnalysis Center for Telecommunications in accordance with PDD-63. 
The \nNCC-ISAC facilitates information sharing among government and industry \nparticipants regarding vulnerability, threat, intrusion, and anomaly \ninformation affecting the telecommunications infrastructure.\n    The National Security Telecommunications Advisory Committee \n(NSTAC): The NSTAC was created 25 years ago, in 1982, by Executive \nOrder 12382. NSTAC provides another highly successful example of how \nthe private sector helps direct government decisions around national \nsecurity and emergency preparedness communications (NS/EP). This \nadvisory committee to the President brings together 30 industry chief \nexecutives representing major telecommunications companies, network \nproviders, information technology companies, finance and aerospace \nbusinesses. NSTAC provides industry-based advice and expertise to the \nPresident on a wide range of telecommunications problems related to \nimplementing NS/EP communications policy issues. These include, but are \nnot limited to, information security, information assurance, and \ncritical infrastructure protection.\n    NS/EP communications enable the government to make an immediate and \ncoordinated response to all emergencies, including cyber attacks. NS/EP \ncommunications allow the President and other senior Administration \nofficials to be continually accessible, even under stressed conditions. \nThe impact of today's dynamic technological and regulatory environment \nis profound with new technologies and increasing competition bringing \nboth new opportunities and new vulnerabilities to the information \ninfrastructure. The NSTAC is strongly positioned to offer advice to the \nPresident on how to leverage this dynamic environment to enrich NS/EP \ncommunications capabilities and ensure that new architectures fulfill \nrequirements to support NS/EP operations; and to avoid introducing \nvulnerabilities into the information infrastructure that could \nadversely affect NS/EP communications services. 
The NSTAC's current \nwork plan includes issues ranging from information sharing and the \nsecurity and reliability of converged networks to research and \ndevelopment (R&D) issues related to converged networks.\n    The Network Reliability and Interoperability Council (NRIC): \nGovernment-imposed solutions may hinder the ability of business to \nadapt and respond effectively to the changing threat environment. So it \nbecomes critical for business and government to work collaboratively \ntowards solutions that are meaningful, adaptable and sustainable. The \nvoluntary development of and compliance with ``best/sound practice'' \napproaches to physical and cyber security is a model that is time \ntested. It is illustrated through the work of the Federal \nCommunications Commission's Network Reliability and Interoperability \nCouncil. The NRIC is a successor to the National Reliability Council, \nfirst established in 1992. Through the work of seven successive \ncouncils, subject matter experts from business and government have come \ntogether to address network reliability and interoperability issues of \nconcern, develop best/sound practices and encourage voluntary adoption. \nThe NRIC will soon merge with the Media Security and Reliability \nCouncil (MSRC) to create a new organization, the Communications \nSecurity, Reliability, and Interoperability Council (CSRIC).\n    National Security Information Exchange (NSIE): In April 1990, the \nChairman of the National Security Council's Policy Coordinating \nCommittee requested the NCS Manager identify what actions industry and \nGovernment should pursue to protect critical NS/EP telecommunications \nfrom the growing ``hacker'' threat. The NCS Manager subsequently \nrequested that the NSTAC provide industry's perspective on the network \nsecurity issue. Ultimately NSTAC created a mechanism for security \ninformation exchange and produced a corresponding implementation plan. 
\nThe NSTAC and NCS Manager also established separate, but closely \ncoordinated, Network Security Information Exchanges (NSIEs). In May \n1991, the NSIE charters were finalized, and NSTAC companies and \ngovernment departments and agencies designated their NSIE \nrepresentatives, chairmen, and vice-chairmen. The NSTAC and government \nNSIEs held their first joint meeting in June 1991.\n    Industry and government coordinate through their respective NSIEs \nto voluntarily share sensitive information on threats to operations, \nadministration, maintenance, and provisioning systems supporting the \ntelecommunications infrastructure. Government NSIE members include \ndepartments and agencies that use national security and emergency \npreparedness (NS/EP) telecommunications services, represent law \nenforcement, or have information relating to network security threats \nand vulnerabilities. NSTAC NSIE representatives include subject matter \nexperts who are engaged in prevention, detection, and/or investigation \nof telecommunications software penetrations or have security and \ninvestigative responsibilities.\n\n    The Communications Sector Coordinating Council (CSCC) and its \nSector Specific Plan (SSP):\n    Verizon recognizes its critical operational dependence on other \nsectors and has established the necessary vendor relationships to meet \nboth normal and extraordinary continuity of business requirements. In \nturn, all critical sectors are heavily reliant on the Communications \nSector to support their own continuity of operations.\n    The Homeland Security Act of 2002 provided the basis for DHS' role \nin the protection of the nation's critical infrastructure and key \nresources (CI/KR.) 
The Act assigned DHS responsibility for developing a \ncomprehensive national plan for securing CI/KR in conjunction with \nother Federal agencies, State and local agencies and authorities, the \nprivate sector and other entities.\n    The complexity of cross-sector interdependencies was recognized in the \n2006 National Infrastructure Protection Plan, resulting from Homeland \nSecurity Presidential Directive 7. HSPD-7 focused on the \nidentification, prioritization and protection of the nation's critical \nassets. It prescribed the development of the National Infrastructure \nProtection Plan (NIPP) and corresponding Sector Specific Plans. Perhaps \nmost significantly, the NIPP encouraged the establishment of sector \ncoordinating councils. In so doing, it brought greater sector diversity \nto the table and significantly advanced the institutional capacity of \nsectors to formally and proactively address cross-sector dependencies.\n    Communications Sector Coordinating Council (CSCC): The \nCommunications Sector Coordinating Council (CSCC) became operational in \ncalendar year 2006. It was chartered to foster the coordination of \npolicy initiatives to improve the physical and cyber security of sector \nassets, and ease the flow of information within the sector, across \nsectors and with designated Federal agencies. Through the CSCC, \nprivate-sector owners, operators and suppliers can engage Federal \ngovernment entities to: identify and coordinate policy issues related \nto the protection of critical infrastructure and key resources; \nfacilitate the sharing of information related to physical and cyber \nthreats, vulnerabilities, incidents, potential protective measures, and \nbest practices; and, address policy issues related to response and \nrecovery activity and communication following an incident or event. The \nCSCC now embraces 35 member companies and has become more \nrepresentative of the diversity of the Communications sector. 
Members \ninclude wireline, wireless, cable, satellite, information service \nproviders, as well as commercial and public broadcasters, service \nintegrators, and equipment vendors. Small and medium size companies are \nrepresented through CTIA, USTelecom, ITA and NCTA. Verizon currently \nchairs the CSCC.\n    CSCC members meet quarterly to review industry and government \nactions on critical infrastructure protection priorities, confer with \nFederal agency representatives, review cross sector CIP issues, and \ncoordinate with industry participants in NSTAC and the NCC ISAC to \nensure industry coordination. Council work groups meet frequently to \nengage industry and government SMEs on task force initiatives. Top \n2007 CSCC priorities include the sector's risk assessment of critical \nassets, cross sector pandemic planning and implementation of access and \ncredentialing and emergency wireless protocols.\n    The CSCC and IT Sector Coordinating Councils maintain close \ncoordination on a range of policy and operational initiatives. Both \nsectors participate in a recently formed cross sector cyber security \nwork group. Both have worked to heighten industry's role in NS/EP \nexercises such as last summer's ESF2 exercise in New Orleans and in \nTopOff 4. In the aftermath of Katrina, the Councils met to discuss ways \nof strengthening industry preparation and response to major events. \nBoth participate in ongoing sector risk assessment activity. Both \norganizations have elected sector liaisons to attend each other's \ncoordinating council meetings and they meet annually to confer, with \ngovernment counterparts, on ongoing sector activity.\n    Partnership for Critical Infrastructure Protection (PCIS): The \nCommunications Sector Coordinating Council is a member of the \nPartnership for Critical Infrastructure Security (PCIS), a private \nsector organization. 
PCIS is comprised of the leadership from each of \nthe Sector Coordinating Councils, which represent the owners and \noperators of the critical infrastructure and key resources sectors \nidentified by the government in HSPD-7. The mission of PCIS is to \ncoordinate cross-sector initiatives that promote public and private \nefforts to help ensure secure, safe, and reliable critical \ninfrastructure services. This mission encompasses physical, cyber, and \nhuman security that rely on strong infrastructure integrity and \nresilience. Accordingly, the PCIS mission spans the full spectrum of \ncritical infrastructure matters from prevention, planning, and \npreparedness to business continuity, mitigation, response, and \nrecovery.\n    The PCIS has worked to encourage a productive industry partnership \nwith the Federal government over the past six years. It was formally \nrecognized as the Private Sector Cross-Sector Council in the National \nInfrastructure Protection Plan when it was released in 2006. The NIPP \nstates that the ``cross-sector issues and interdependencies are \naddressed among the sector coordinating councils through PCIS.'' PCIS \nmembers, including the CSCC, continue to work with designated Federal \nagencies on implementation of their sector specific plans.\n    Communications Sector Specific Plan (CSSP): The CSCC completed work \non the CSSP for critical infrastructure and key resource (CI/KR) \nprotection, as recommended by the NIPP, in December 2006; the plan was \nsubsequently released in May 2007. It was developed jointly by industry \nand the National Communications System, with input from Federal \ngovernment agencies ranging from the US Department of Commerce to the \nFederal Communications Commission.\n    The CSSP provides a framework for protecting the Nation's critical \ncommunications assets and key resources. 
It addresses asset \nidentification, risk assessment and mitigation, protective programs and \ngovernment measurements.\n    The goals of the CSSP include the need to:\n        <bullet> Protect the overall health of the national \n        communications backbone;\n        <bullet> Rapidly reconstitute critical communications services \n        after national and regional emergencies;\n        <bullet> Plan for emergencies and crises by participating in \n        exercises and updating response and continuity of operations \n        plans;\n        <bullet> Develop protocols to manage the exponential surge in \n        utilization during an emergency situation and ensure the \n        integrity of sector networks during and after an emergency \n        event;\n        <bullet> Educate stakeholders on communications infrastructure \n        resiliency and risk management practices in the Communications \n        Sector;\n        <bullet> Ensure timely, relevant, and accurate threat \n        information sharing between the law enforcement and \n        intelligence communities and key decision makers in the sector;\n        <bullet> Establish effective cross-sector coordination \n        mechanisms to address critical interdependencies, including \n        incident situational awareness, and cross-sector incident \n        management.\n    The CSSP acknowledges the lead role played by private sector owners \nand operators in protecting critical assets. The communications \ncompanies that own, operate and supply the Nation's communications \ninfrastructure have historically factored natural disasters and \naccidental disruptions into network resiliency architecture, business \ncontinuity plans, and disaster recovery strategies. The interconnected \nand interdependent nature of these service provider networks has \nfostered crucial information sharing and cooperative response and \nrecovery relationships for decades. 
The CSSP also articulates the role \nof the Federal government in providing the support and resources \nnecessary to identify threats and help mitigate risk.\n    The Communications Sector's strategy is to ensure the nation's \ncommunications networks and systems are secure, resilient, and rapidly \nrestored after an incident. The approach outlined in the CSSP includes:\n        <bullet> Defining industry and government roles in protecting \n        communications infrastructure by leveraging corporate \n        capabilities and government programs;\n        <bullet> Adopting an architectural approach to infrastructure \n        identification and risk assessment processes;\n        <bullet> Coordinating with other sectors and customers on \n        critical infrastructure dependencies and solutions for \n        mitigating risk; and\n        <bullet> Working closely with DHS to advance sector protection \n        and mitigation measures.\n    The CSSP defines the three major arenas where risk assessments are \nconducted: industry self-assessments; government-sponsored assessments \nand government-sponsored cross sector dependency analyses. Industry \nself-assessments of risk are ongoing. Such assessments are conducted to \nverify compliance with company policies, industry standards, contract \nagreements and regulatory requirements.\n    Throughout 2007, industry has turned its attention to working with \ngovernment to define relevant government sponsored assessments through \na National Sector Risk Assessment (NSRA) process. Through this process, \nindustry and government have undertaken a qualitative risk analysis of \nCommunications Sector infrastructure and have narrowed the scope of \nrisk assessments to nationally critical network elements. This process \nwill result in a draft government assessment by December 2007, with a \nfinal report to be completed by March 2008. 
Based on the outcomes of \nthis government assessment process, government may conduct more \nquantitative assessments of selected architecture elements in \nconjunction with industry.\n    The third and final element of the CSSP risk assessment process is \nthe analysis that government will undertake with industry on cross-\nsector dependencies. Work will commence in 2008; the process will \nidentify high-level critical sector communications dependencies and \nwill leverage NCS risk assessment methodologies to identify \ncommunications dependencies specific to a facility or function. The \ngoal will be to assist other sectors in the assessment of \ncommunications dependencies for high-risk assets.\n    The Communications and IT Sector Coordinating Councils have worked \nto ensure that respective risk assessment efforts, although distinct, \nare complementary where the sectors overlap. This cross-sector \nparticipation increases information sharing, including lessons learned. \nIn each sector, cyber threats associated with the sector's functional \nor network elements will be identified and vulnerabilities and \nconsequences associated with such threats will be assessed to determine \nrisk.\n    Whatever success the CSCC has achieved in the development of the \nCSSP has resulted from industry's singular focus on developing a \ncritical asset protection plan that is designed by industry for \nimplementation by industry. In order to accomplish this, the NCS \nstepped forward to advocate industry positions within the Department of \nHomeland Security and with DHS project contractors. A strong element of \nsocial capital exists among industry representatives and Federal agency \npersonnel within the Communications Sector. This trusted relationship \nhelped to produce a practical, meaningful asset protection framework \nthat can now be used by industry and government partners to better meet \nthe country's security requirements. 
The CSSP is realistic and well-\ngrounded.\n    Critical Asset Protection Over the Long Term: What cannot be \nunderestimated by policymakers is the enormous amount of private sector \nresources that are being devoted to finding solutions--with government \npartners--to achieve greater effectiveness in our country's security \nand response programs. The Communications Sector continues to commit \nsignificant financial resources and subject matter expertise to \nstrengthen critical business practices. It will continue to dedicate \ntime and expertise to its work with the NCS and other Federal, state \nand local government partners to address emerging operational and \npolicy issues.\n    To ensure even greater effectiveness in protecting the Nation's \ncritical communications infrastructure--both physical and cyber--\nindustry and government partners must be clear about their respective \nroles in getting the job done. Industry is the first line of defense in \nprotecting assets and mitigating risks, and aggressive business \ncontinuity and security practice will remain critically important as \nthe Nation's risk environment continues to evolve. Although the \nCommunications Sector's long history of coordination will change as \nindustry restructuring continues, close planning and coordination \nwithin the sector will continue to be a mainstay of efforts to fortify \nphysical and cyber security programs.\n    Government must continue to ensure clarity of roles and \nresponsibilities among all levels of government and the private sector. 
\nIt should continue to advocate for strong sector and cross sector \ncollaboration on operational and policy issues and in providing the \nnecessary intelligence and operational support to ensure effective \nindustry preparedness and response, in particular by refining and \nimproving roles and responsibilities in the National Response \nFramework.\n    Although industry and government have made progress on long \nstanding issues pertaining to protection of critical assets and key \nresources, much work lies ahead. There must be an even greater Federal \ngovernment focus on effective engagement and integration of state and \nlocal authorities in all aspects of critical infrastructure protection \nand emergency response, including the rollout and coordination of \ninitiatives ``on the ground''. For instance, practical steps on access \nand credentialing and emergency wireless protocols for shutdown and \nrestoration of service must be taken to facilitate industry response to \nnatural or man-made disasters. Myriad jurisdictional laws and \nrequirements may be complex, but real world execution is overdue. \nGovernment must also continue to integrate industry more fully on \noperational planning, coordination and joint policy initiatives. \nEffective partnerships require early involvement of industry and direct \nengagement in government programs, including protection and response \nplans, which impact the private sector's critical industry assets. \nAlthough government has recognized the importance of sharing timely \nthreat intelligence with industry, more needs to be done in this area \nto advance NS/EP interests. Finally, recent Congressionally mandated \nchanges in organization and functions within DHS need to be fully \nimplemented and understood by all stakeholders in the critical \ninfrastructure protection and emergency response domain. 
In sum, \nIndustry and the Federal government have much to do on the full array \nof critical infrastructure protection initiatives, while advancing \ntransition plans for the upcoming change in Administration.\n    Mr. Chairman, this concludes my testimony. I would be happy to \nanswer any questions you or the subcommittee might have about Verizon \nor the Communications Sector.\n\n    Mr. Langevin. I now recognize Mr. Hender to summarize your \nstatement for 5 minutes.\n\n     STATEMENT OF GEORGE HENDER, BANKING/FINANCIAL SECTOR \n  COORDINATING COUNCIL, AND MANAGEMENT VICE CHAIRMAN, OPTIONS \n                      CLEARING CORPORATION\n\n    Mr. Hender. Chairman Langevin, Chairwoman Jackson Lee, \nRanking Members McCaul and Lungren, and members of both \nsubcommittees, my name is George Hender, and I am Chairman of \nthe Financial Services Sector Coordinating Council, also known \nas FSSCC. I am pleased to appear today on FSSCC's behalf to \ndiscuss the important topic of cybersecurity.\n    FSSCC was established by the Department of Treasury. FSSCC \nis a private sector coalition of the Nation's leading banks, \nfinancial firms, insurance companies, and their trade \nassociations. FSSCC worked collaboratively with Treasury, our \nsector specific agency, and with FSSCC, our government \ncoordinating council, to craft our sector-specific plan.\n    Our plan identifies three specific goals: first, to \nmaintain a sector strong position of resilience, risk \nmanagement, and redundant systems;\n    Second, to manage the risk posed by cross-sector \ninterdependencies; and\n    Third, to work with law enforcement, the private sector, \nand our international counterparts to track and arrest \ncriminals.\n    The remainder of my testimony will focus on FSSCC's efforts \nto meet these goals in the area of cybersecurity.\n    Modern financial services are built on a foundation of \ninformational technology. 
Financial firms' systems are a target \nfor cyber attack because that is where the money is. As the \nnature and the complexity of attacks grow more sophisticated, \nFSSCC continues to implement a number of cyber-related \ninitiatives. I would like to highlight some of those \ninitiatives.\n    A year prior to the National Infrastructure Protection \nPlan's release in 2006, FSSCC formed the first sector R&D \ncommittee. In April 2006, this committee published The Research \nChallenges, a report identifying eight specific R&D priorities. \nAn overarching theme throughout this report is protecting the \nsector from cyber attacks.\n    In October 2006, the R&D committee published our research \nagenda to demonstrate how research challenges relate to the \nNIPP. Together with these two publications, the necessary steps \nto produce a robust cyber secure platform were formed.\n    Another vital asset of FSSCC is the Financial Services \nInformation Sharing Analysis Center, or FS-ISAC. Our ISAC has \nbeen an effective information-sharing tool in the fight against \ncyber attacks. Every day our ISAC forwards cyber and physical \nsecurity risk updates from over 100 sources to over 11,000 \nsector participants. Our ISAC also shares this information with \nTreasury and law enforcement to help stop and prevent attacks.\n    FSSCC and our ISAC have also been active participants in \nseveral business continuity exercises, including the \ncongressionally mandated Top Off exercises. Additionally, ISAC \nrepresented FSSCC in Cyber Storm and Cyber Tempest, two \nexercises focused on cyber-related issues. 
Our ISAC is also \nhelping us to plan for Cyber Storm II, which is scheduled for \nMarch 2008.\n    FSSCC believes exercise participation is critical, and we \nencourage the planners of these exercises to include the \nprivate sectors during the planning phases of these exercises.\n    FSSCC has been an active participant in the Partnership for \nCritical Infrastructure Security, PCIS. I am a member of the \nexecutive committee and board of PCIS. PCIS has a working group \nfocusing on cross-sector collaboration on cybersecurity issues.\n    Many cybersecurity issues are ongoing and there are still \nseveral issues to address. Two issues relate to the GAO's SSP \nreport and the DHS's R&D budget. According to GAO, the banking \nand finance sector SSP was ranked somewhat comprehensive in \naddressing cybersecurity. Because the GAO did not consult with \nthe Treasury or FSSCC when preparing this report, I \nrespectfully disagree with their conclusions.\n    Our SSP included the research challenge document which \nfully addresses the GAO criteria for cybersecurity R&D. For \nexample, our R&D committee is identified as the primary \nmechanism to solicit information on R&D initiatives; and the \nresearch challenges report details the sector's goals and gaps \nrelated to cybersecurity. Examples of the SSP in my written \ntestimony contradict GAO's finding that we failed to identify \nthe programs to detect, deter, respond, and recover from cyber \nattacks.\n    The GAO report also stated our SSP failed to describe the \nprocess for R&D investment priorities, but the R&D committee \nclearly identified a number of priorities where investment \ndollars could be directed. Without further guidance, it is \nunclear how the GAO reached these conclusions. We will welcome \na dialogue with GAO on these important issues.\n    Finally, FSSCC believes DHS should consult with the private \nsector when funding private research. 
FSSCC thinks it makes \ngood economic sense to fund R&D industry experts and to use \nthose experts to achieve this goal. Greater communication and \nconsulting is necessary between DHS, Treasury, and FSSCC.\n    Another option would be to provide direct grant authority \nto the Treasury. Currently, FSSCC can only influence R&D \nprojects through comment letters.\n    In short, FSSCC believes that the DHS cybersecurity R&D \nbudget should be more closely aligned with the level of threat. \nAn appropriation of only $11 million is clearly insufficient. \nOur Nation would be better served by providing additional \nbudget discretion and dollars to projects identified by the \nindustry under attack.\n    Thank you for the opportunity to provide FSSCC's views for \nthis important hearing. I would be pleased to answer any \nquestions.\n    [The statement of Mr. Hender follows:]\n\n                 Prepared Statement of George S. Hender\n\n    Chairman Langevin, Chairwoman Jackson Lee, Ranking Members McCaul \nand Lungren, and members of the Subcommittee on Emerging Threats, \nCybersecurity, and Science and Technology and the Subcommittee on \nTransportation Security and Infrastructure Protection of the House \nHomeland Security Committee, I am George Hender, Management Vice \nChairman of The Options Clearing Corporation (OCC), which is the \nworld's largest derivatives clearing organization.\\1\\ OCC is a leader \nin business continuity planning in the financial services sector and \nwas a founding member of the Financial Services Sector Coordinating \nCouncil (FSSCC) and ChicagoFIRST, a regional public/private partnership \naddressing homeland security and emergency management issues in the \nfinancial services industry. 
I am pleased to submit this statement on \nthe very important topic of cybersecurity on behalf of FSSCC.\\2\\\n---------------------------------------------------------------------------\n    \\1\\ OCC, founded in 1973, was the first clearinghouse to receive a \n'AAA' credit rating from Standard & Poor's Corporation. Operating under \nthe jurisdiction of the Securities and Exchange Commission and the \nCommodity Futures Trading Commission, OCC provides clearing and \nsettlement services for the American Stock Exchange, the Boston Options \nExchange, the Chicago Board Options Exchange, the CBOE Futures \nExchange, the International Securities Exchange, NYSE Arca, OneChicago, \nthe Philadelphia Stock Exchange and the Philadelphia Board of Trade.\n    \\2\\ The members of FSSCC are the America's Community Bankers (ACB); \nAmerican Bankers Association (ABA); American Council of Life Insurers \n(ACLI); American Insurance Association (AIA); American Society for \nIndustrial Security (ASIS) International; BAI; BITS/The Financial \nServices Roundtable; ChicagoFIRST; Chicago Mercantile Exchange (CME); \nThe Clearing House (TCH); CLS Group; Consumer Bankers Association \n(CBA); Credit Union National Association (CUNA); The Depository Trust & \nClearing Corporation (DTCC); Fannie Mae; Financial Industry Regulatory \nAuthority (FINRA); Financial Information Forum (FIF); Financial \nServices Information Sharing and Analysis Center (FS-ISAC); Financial \nServices Technology Consortium (FSTC); Freddie Mac; Futures Industry \nAssociation (FIA); ICE Futures U.S.; Independent Community Bankers of \nAmerica (ICBA); Investment Company Institute (ICI); Managed Funds \nAssociation (MFA); The NASDAQ Stock Market, Inc.; National Association \nof Federal Credit Unions (NAFCU); National Futures Association (NFA); \nNACHA--The Electronic Payments Association; The Options Clearing \nCorporation; Securities Industry Automation Corporation (SIAC); \nSecurities Industry and Financial Markets 
Association (SIFMA); State \nStreet Global Advisors; VISA USA Inc.\n---------------------------------------------------------------------------\n    On June 6, 2006, I was appointed to serve as Sector Coordinator for \nthe Financial Services Sector by former Secretary of the Treasury John \nSnow. Thus, I am the Chairman of FSSCC. Prior to my appointment, I \nserved as FSSCC's Vice Chairman from September 2004 through May 2006. \nAdditionally, I am on the Executive Committee and Board of the \nPartnership for Critical Infrastructure Security (PCIS), which is the \nprivate sector organization that coordinates homeland security issues \nfor all national critical infrastructures. I have also formerly served \nas Vice Chairman of the Financial Services Information Sharing and \nAnalysis Center (FS-ISAC). This is the organization responsible for \ncommunicating key cyberspace, physical security, and Homeland Security \ninformation to the financial services sector.\n    I applaud the Committee for holding today's hearing on such an \nimportant topic. Before I focus on measures taken by FSSCC related to \ncybersecurity, I would first like to discuss the important role the \nfinancial services sector has in our economy and the role FSSCC plays \nin improving the sector's resilience through safeguarding its critical \ninfrastructure and employees.\n\n    Introduction and Background\n    The United States financial services sector is the backbone of the \nworld economy. With United States assets estimated to be in excess of \n$55 trillion,\\3\\ this large and diverse sector accounted for over $1 \ntrillion in 2006 gross domestic product (GDP) or 7.8 percent of total \nGDP.\\4\\ The sector is primarily owned and operated by the private \nsector whose institutions are extensively regulated by Federal and, in \nmany cases, state government. 
In addition to these public sector \nentities, self-regulatory organizations (SROs), such as the Municipal \nSecurities Rulemaking Board (MSRB), the Financial Industry Regulatory \nAuthority (FINRA), and the National Futures Association (NFA), and \nexchanges, such as the Chicago Mercantile Exchange (CME) and the New York \nStock Exchange (NYSE), also play an important role in industry \noversight.\n---------------------------------------------------------------------------\n    \\3\\ http://www.financialservicesfacts.org/financial2/today/assets\n    \\4\\ http://www.bea.gov/bea/dn2/gdpbyind_data.htm\n---------------------------------------------------------------------------\n    Working together, the public and private sector regulators \nencourage a highly competitive market where identifying and managing a \nmyriad of financial and nonfinancial risks is essential to success. \nThrough numerous laws enacted by Congress over the past 150 years, \nfederal financial regulators have implemented a complex regime that \nincludes examinations of the sector's institutions' operational, \nfinancial and technological systems. These examinations are designed to \ndetermine the extent to which an institution is addressing its \nfinancial and non-financial risks, such as Internet and information \ntechnology vulnerabilities. They also evaluate the adequacy of controls \nand applicable risk management practices at the institution.\n\n    Public-Private Partnership\n    Both the public and private sector financial services organizations \nrecognize the importance of business continuity planning in preparing \nfor catastrophic events; however, our sector's organizations know they \nwill not operate as independent entities during a real crisis. \nTherefore, planning for these events should be done in a coordinated \nfashion.\n    FSSCC was established at the request of the U.S. 
Treasury \nDepartment in response to Homeland Security Presidential Directive 7, \nwhich required sector-specific Federal departments and agencies to \nidentify, prioritize and protect United States critical infrastructure \nand key resources. We are a private sector coalition of the nation's \nleading financial services firms and trade associations that are \nworking to reinforce the financial services sector's resilience to \nterrorist attacks, man-made and natural disasters, and other threats, \nsuch as cyber attacks, facing the sector's critical infrastructure.\n    FSSCC closely interacts with its Sector Specific Agency (SSA), the \nDepartment of the Treasury (Treasury), and the Financial and Banking \nInformation Infrastructure Committee (FBIIC), its public-sector \ncounterpart.\\5\\ We also strongly support regional public/private \npartnerships, such as ChicagoFIRST and DFWfirst. These organizations \naddress homeland security and emergency management issues on a local \nlevel, where many catastrophic events are primarily managed.\n---------------------------------------------------------------------------\n    \\5\\ The members of FBIIC are the Commodity Futures Trading \nCommission (CFTC); the Conference of State Bank Supervisors (CSBS); the \nDepartment of the Treasury; the Farm Credit Administration (FCA); the \nFederal Deposit Insurance Corporation (FDIC); the Federal Housing \nFinance Board (FHFB); the Federal Reserve Bank of New York; the Federal \nReserve Board (Fed); the National Association of Insurance \nCommissioners (NAIC); the National Association of State Credit Union \nSupervisors (NASCUS); the National Credit Union Administration (NCUA); \nthe North American Securities Administrators Association (NASAA); the \nOffice of the Comptroller of the Currency (OCC); the Office of Federal \nHousing Enterprise Oversight (OFHEO); the Office of Thrift Supervision \n(OTS); the Securities and Exchange Commission (SEC); and the Securities \nInvestor 
Protection Corporation (SIPC).\n---------------------------------------------------------------------------\n    The combined efforts and close interaction of these groups with \nFSSCC fosters a spirit of cooperation within our sector that \nfacilitates effective preparation for a critical event, such as a cyber \nattack. Equally important, this collaboration creates a streamlined \napproach to working with other sectors where cross-industry \ninterdependencies exist. The financial services sector is very \ndependent on a number of other sectors, especially the energy, \ntelecommunications and transportation sectors.\n    At the beginning of my term as FSSCC Chairman, I personally met \nwith representatives from nearly every FSSCC member to solicit their \nideas on how to further strengthen the resilience of the financial \nservices sector and reduce vulnerability to cyber threats, terrorist \nattacks, criminal or illegal activities, and man-made or natural \ndisasters. These conversations, as well as the large number of formal \nand informal meetings taking place each year within FSSCC and between \nFSSCC and FBIIC, help show how our partnership model addresses threats \nand risks posed by the Sector's dependency upon other sectors.\n    FSSCC's general meetings provide an example of this model. Here \nmembers meet and hear from critical sectors on which our sector heavily \nrelies. They also provide a venue in which to coordinate and prioritize \nsector initiatives. Another example is the FSSCC working group which is \nworking with the Department of Homeland Security (DHS) to develop an \nemergency credential for FSSCC members' use in extraordinary \nemergencies. Development of such a credential is a priority reflected \nin our overall research plan. 
Just this last summer, the FSSCC \ncredentialing working group participated in the cross-sector exercise \nknown as ``Summer Breeze.'' This exercise validated the use of First \nResponder Authentication Credential (FRAC) identification cards.\n    Arguably, the most important example of collaboration within the \nsector is the ongoing effort to plan for pandemic influenza. On October \n12, 2007, FSSCC and FBIIC completed the most comprehensive exercise \never held for the U.S. financial services sector. This important \nexercise focused on the response of the sector's members to pandemic \ninfluenza; over 2,700 financial firms participated. FSSCC understands \nthat effective business continuity planning must envision and prepare \nfor a diverse range of issues and threats. This is encompassed in our \nmission statement and goals.\n\n    FSSCC's Mission and Goals\n    FSSCC's mission is to foster and facilitate the coordination of \nsector-wide voluntary activities and initiatives designed to bolster \ncritical infrastructure protection and homeland security. FSSCC strives \nto improve sector awareness of critical infrastructure protection \nissues, to promote information sharing on these issues, and to find \nopportunities for improved coordination throughout the sector. Through \nits efforts, FSSCC seeks to enhance public trust and confidence in the \nsector's ability to withstand and recover from significant disasters.\n    Treasury, in close collaboration with FSSCC and FBIIC, completed \nthe Banking and Finance Sector's Sector Specific Plan (SSP) \\6\\ in \nDecember 2006. This plan, combined with the 16 other critical \ninfrastructure SSPs, helps form the overall National Infrastructure \nProtection Plan (NIPP). Our sector's SSP outlines a strategy for \nworking collaboratively with public and private sector partners to \nidentify, prioritize and coordinate the protection of critical \ninfrastructure. 
FSSCC believes DHS appropriately guides each critical \ninfrastructure sector in coordinating their SSPs. However, each sector \nspecific agency should retain control over SSP implementation. Also, \nDHS and each sector should view the SSPs as a starting point for \ndeveloping a comprehensive, nationally-oriented, critical \ninfrastructure regime.\n---------------------------------------------------------------------------\n    \\6\\ https://www.fsscc.org/reports/2006/Bank_Finance_SSP_061213.pdf\n---------------------------------------------------------------------------\n    The Banking and Finance Sector's SSP, including its Research and \nDevelopment (R&D) appendices, outlines three sector-specific goals. \nFirst, the sector seeks to maintain its strong position of resilience, \nrisk management and redundant systems, in the face of a myriad of \nintentional, unintentional, man-made and natural threats. Second, the \nsector aims to address and manage the risks posed by the sector's \ndependency on telecommunications, information technology, energy and \ntransportation sectors. Lastly, the sector plans to continue to work \nwith the law enforcement community, the private sector, and our \ninternational counterparts to increase available resources used to \ntrack and arrest criminals. Specifically, to track and arrest those \npersons responsible for crimes against the sector, including cyber \nattacks and other electronic crimes.\n    The remainder of my testimony will focus on FSSCC's efforts in \naddressing these goals in light of protecting against cyber attacks and \nother electronic crimes.\n\n    Specific Actions for Cybersecurity\n    Modern financial services are built on a foundation of information \ntechnology, including computing hardware, software and \ntelecommunications. This foundation is afflicted by multiple \nvulnerabilities and an increasingly high level of threats. 
Our sector's \ncybersecurity strategy seeks to address these threats by generally \nfocusing on people, process and technology. Ensuring our sector has the \nbrightest minds, most efficient processes and state-of-the-art \ntechnology to protect against cyber threats is our highest priority \nbecause our sector understands our entities' systems and networks are a \ntarget because ``that's where the money is.'' \\7\\ In addition, as \nSeptember 11, 2001, showed us, our sector is a focus of terrorists \nbecause of our iconic status.\\8\\\n---------------------------------------------------------------------------\n    \\7\\ The members of FBIIC expend considerable effort to ensure the \ninformation security platforms serving as our industry's cornerstone \nare not compromised. In the case of financial institutions, federal \nexaminers are often permanently located within the entity being \nreviewed. The Federal Financial Institutions Examination Council \n(FFIEC) is the primary federal interagency body empowered to develop \nuniform principles and standards for the examination of financial \ninstitutions. The FFIEC operates an Information Technology Council \ndevoted to addressing cybersecurity issues, and its recommendations are \nincorporated into the FFIEC Handbook. Examiners use the Handbook to \ndetermine the extent to which the institution has identified its \nfinancial and non-financial risks, such as Internet and information \ntechnology vulnerabilities. Also, it is used to evaluate the adequacy \nof controls and applicable risk management practices at the \ninstitution. Additionally, the federal financial regulatory authorities \nissue numerous guidance documents and Financial Institution Letters \n(FILs) specifically related to cybersecurity. 
Similarly, the Securities \nand Exchange Commission and the securities SROs review the \ncybersecurity programs of exchanges, broker-dealers and clearing \norganizations as part of their ongoing supervisory exams and related \nactivities.\n    \\8\\ For many years, the culture of our sector has emphasized strong \ninternal controls, physical and cybersecurity, and a comprehensive \napproach to business continuity planning that recognizes the importance \nof recovering and resuming business operations as swiftly as possible. \nBusiness continuity planning in our sector follows an ``all hazards'' \napproach that focuses on the impact of a disruption, rather than its \ncause, to ensure that high impact but low probability events are \nincorporated into the planning process. After September 11, the Fed, \nOffice of the Comptroller of the Currency, and SEC issued the \nInteragency Paper on Sound Practices to Strengthen the Resilience of \nthe U.S. Financial System (Sound Practices Paper), Securities Exchange \nAct Release No. 47638 (April 7, 2003). This paper identified stringent \nresumption or recovery objectives for core clearing and settlement \norganizations providing services for critical financial markets or \nacting as large payment system operators, and for firms that play \nsignificant roles in one or more critical financial markets. The Sound \nPractices Paper sets out an objective of recovering or resuming \nclearing and settlement activities within the business day on which a \ndisruption occurs and maintaining geographically dispersed resources \nsufficient to meet those recovery or resumption activities. 
Last year, \nthe agencies that issued the Sound Practices Paper reported to Congress \nthat ``the core clearing and settlement organizations, which present \nthe greatest potential risk to the operation of the financial system, \nhave made significant investments in their operating infrastructures, \nand all have achieved substantial implementation of the sound \npractices.'' Joint Report on Efforts of the Private Sector to Implement \nthe Interagency Paper on Sound Practices to Strengthen the Resilience \nof the U.S. Financial System (April 2006).\n    GAO has also examined the preparedness of these organizations in \nthe light of the Sound Practices Paper, and has found continuing \nprogress in protecting our nation's financial system from a variety of \nthreats, including cyber attacks. See Financial Market Preparedness: \nSignificant Progress Has Been Made, But Pandemic Planning and Other \nChallenges Remain GAO-07-399 (March 2007); Financial Market \nOrganizations Have Taken Steps to Protect Against Electronic Attacks, \nBut Could Take Additional Actions GAO-05-679R (June 2005); Financial \nMarket Preparedness: Improvements Made, But More Action Needed to \nPrepare for Wide-Scale Disasters GAO-04-984 (September 2004).\n---------------------------------------------------------------------------\n    Our sector faces a number of cyber-related threats such as \nhacking, virus dissemination, software piracy, identity theft, account \nfraud, phishing,\\9\\ spoofing,\\10\\ and pump and dump \\11\\ schemes. \nFSSCC's members have responded to these challenges aggressively. For \nexample, FSSCC member organizations have prepared a document to help \nfinancial institutions develop and execute response programs when \nconfidential and sensitive information is accessed or misused by \nunauthorized individuals. 
The Identity Theft Assistance Center, \ndeveloped by a FSSCC member, provides a free victim assistance service \nand provides data about identity theft to law enforcement.\n---------------------------------------------------------------------------\n    \\9\\ ``Phishing'' is a fraudulent scheme where an e-mail directs its \nrecipients to Web sites where they are asked to provide confidential \npersonal or financial information. Reports of phishing attacks have \nrisen dramatically in the last year.\n    \\10\\ ``Spoofing'' is an attempt to gain unauthorized system access \nby mimicking, impersonating or posing as an authorized user.\n    \\11\\ ``Pump and Dump'' is a fraudulent scheme involving \nartificially inflating the price of a stock or other security through \nfalse or exaggerated promotion. Then the stock or security is sold at \ninflated prices.\n---------------------------------------------------------------------------\n    The financial services sector has always placed itself on the \ncutting edge of cybersecurity initiatives. Our institutions were among \nthe first to have Chief Information Security Officers as part of their \nmanagement teams. Also, the sector was among the first to use various \nauthentication tools to protect against internet fraud. Similarly, many \nfinancial institutions embrace the concept of layered security by using \nmultiple intrusion detection and prevention products. Firms regularly \nwork with technology companies to improve these products. Without such \nsecurity measures in place, customers would hesitate to use on-line \nproducts which are a central component of a financial firm's business \nmodel. In addition to the threat to individual customers, our sector is \nalso focused on cyber-related threats to our financial structure. The \nnature and complexity of attacks are growing more sophisticated. 
As a \nresult, our sector works in close collaboration with the nation's \nintelligence community to address this concern.\n\n    FSSCC R&D Committee\n    Prior to the NIPP's issuance in June 2006, FSSCC recognized \ncybersecurity as a critical issue and formed a standing R&D Committee. \nThis committee was established to identify and prioritize areas of \nneed, in which the most promising opportunities exist for research and \ndevelopment initiatives. These initiatives significantly improve the \nsector's critical infrastructure protection. The R&D Committee began \ndeveloping a list of priorities in 2005. In April 2006, the committee \npublished Research Challenges,\\12\\ a document which identifies eight \nR&D areas the sector needs to address.\\13\\\n---------------------------------------------------------------------------\n    \\12\\ https://www.fsscc.org/reports/2006/\nResearch_Challenges_Booklet061117.pdf\n    \\13\\ The eight R&D projects are: (1) Secure Financial Transaction \nProtocol (SFTP); (2) Resilient Financial Transaction System (RFTS); (3) \nEnrollment and Identity Credential Management; (4) Suggested Practices \nand Standards; (5) Understanding and Avoiding the Insider Threat; (6) \nFinancial Information Tracing and Policy Enforcement; (7) Testing; and \n(8) Standards for Measuring ROI of CIP and Security Technology.\n---------------------------------------------------------------------------\n    An over-arching theme throughout our Research Challenges is \nsecuring the sector's information technology infrastructure to prevent \nintrusion from unauthorized sources. In October 2006, the FSSCC R&D \ncommittee, with Treasury advising, demonstrated for DHS how FSSCC's \nResearch Challenges related to the NIPP by publishing FSSCC's Research \nAgenda. 
Together these two publications provide industry, academia, and \nthe public with a shared insight into the opportunities and \nrequirements necessary to produce a robust cybersecurity platform.\n\nFS-ISAC\n    The FS-ISAC is another vital asset to FSSCC and the sector. It was \ncreated on October 1, 1999, as a means of meeting the sector's \ninformation-sharing obligation under the 1998 Presidential Decision \nDirective 63 on Critical Infrastructure Protection.\\14\\\n---------------------------------------------------------------------------\n    \\14\\ http://www.cybercrime.gov/white_pr.htm\n---------------------------------------------------------------------------\n    The FS-ISAC channels information from more than 100 sources to \nreach over 11,000 sector participants daily and promotes information \nsharing between the public and private sectors. The FS-ISAC provides \nsector-wide knowledge about cyber and physical security risks faced by \nthe financial services sector. Specifically, FS-ISAC's incident alerts \nnotify members about the type of attack, its origin, and suggested \nremedial action. FS-ISAC information allows members to immediately \nreceive threat and vulnerability information; share vulnerabilities \nanonymously and communicate within a secure portal; access new data \nfeeds of threat and vulnerability information; and access a wide range \nof user data from which users can produce their own reports and \nmetrics. The FS-ISAC also uses this information to work with Treasury \nand law enforcement in helping to stop and prevent attacks.\n    Two important government information sources for the FS-ISAC's 24/7 \nSecurity Operations Center are DHS's Homeland Security Information \nNetwork (HSIN) and the U.S.-Computer Emergency Readiness Team (US-\nCERT). Relevant information from these data sources is monitored by the \nFS-ISAC and shared with trusted sector representatives through FS-\nISAC's notification system and web portal. 
Then reports from FS-ISAC \napproved members are uploaded through the system. Both sources provide \na valuable service to the FS-ISAC. FSSCC and the FS-ISAC continue to \nwork with DHS to coordinate these reports into the sector's information \nsharing structure.\n    The FS-ISAC has been an effective tool in the fight against cyber \nattacks. For example, in November 2006, an FS-ISAC member detected an \nunusually large number of unauthorized log-in attempts against its \nsystems and anonymously reported this information to the FS-ISAC. Soon \nafter, the FS-ISAC issued an alert to its members. Later, five more \nfinancial institutions reported similar activity. This information \nsharing proved the financial institutions were under attack from a \nsingle source. While the attack was relatively insignificant in terms \nof its potential sector-wide impact, it demonstrates how the FS-ISAC's \ncollaborative model can be an effective means to quickly deliver real-\ntime information so financial institutions may be alerted to act \nagainst real threats.\n    The FS-ISAC was effective once again this past August when it \nalerted several member banks of suspicious web-site activity. The FS-\nISAC then helped to avoid compromise of several major money center and \nregional banking institutions' user accounts.\\15\\\n---------------------------------------------------------------------------\n    \\15\\ FS-ISAC discovered use of Torpig Trojans, which use malicious \ncode designed to place themselves into on-line banking applications for \nthe purpose of stealing user login IDs and passwords. These Trojans \nevade detection by disabling security warning messages. Then they log \nopen window sessions to capture user log-on information which is sent \nback to the attacker. 
After discovering use of the malicious code on \nseveral members' web sites, FS-ISAC was able to issue an incident alert \nthat led to the discovery and eradication of this Trojan on web sites \nboth in the U.S. and overseas.\n\n    Cyber Syllabus\n    In May 2006, the U.S. Department of Defense sought a private sector \npartner to help develop an undergraduate studies curriculum designed to \nprovide exposure to information technology cybersecurity issues. FSSCC, \nthrough its R&D Committee, took the initiative to partner with the \nNational Terrorism Preparedness Institute at St. Petersburg College in \nFlorida to complete the project. I am pleased to report the syllabus \nwas completed in May 2007, resulting in an on-line training program \nthat can be made available to all universities. Additionally, FSSCC is \nworking to identify an educational institution capable of making this \nprogram available to our members at no cost. It is our hope this type \nof public-private collaboration will help to inspire a new generation \nof ideas and resources devoted to protecting our nation's cyber space.\n\n    Handbook of Science and Technology for Homeland Security\n    Another joint DHS/FSSCC initiative currently underway is the \ndrafting of a handbook designed to educate researchers on the critical \nneeds of the homeland security and intelligence communities. It will \nalso promote interdisciplinary dialogue in those fields. I am pleased \nto report FSSCC is on target to provide this information to DHS by \nyear's end. Also, this handbook should be distributed worldwide in \nonline and print formats next year.\n\n    Cybersecurity Exercises\n    FSSCC and FS-ISAC have been active participants in several business \ncontinuity exercises, including the congressionally mandated TOPOFF \nexercises and a number of regional and national cybersecurity \nexercises. 
In February 2006, FS-ISAC represented our sector in Cyber \nStorm, the first government-led, full scale cybersecurity exercise of \nits kind. Ten months later, in December 2006, FS-ISAC participated in \nCyber Tempest, an exercise devoted to testing a wide area of cyber \nissues from a regional perspective. Both of these exercises provided \npositive benefits to our sector's business continuity planning, such as \ndeveloping better integration between FSSCC and the FS-ISAC. FS-ISAC is \nnow involved in planning Cyber Storm II scheduled for March 2008. These \nopportunities are a vital resource to leverage. We believe exercise \nleaders would benefit by increasing our level of involvement in future \nexercises.\n\n    PCIS Working Group\n    FSSCC has been an active participant in PCIS, which was formally \nrecognized in the NIPP as the Private Sector Cross-Sector Council. PCIS \nis dedicated to coordinating cross-sector initiatives aimed at \npromoting public and private efforts to improve the security and safety \nof our nation's critical infrastructure. PCIS has established a working \ngroup focused on cross-sector collaboration of cybersecurity issues. \nEach Sector Coordinating Council must appoint a sector representative \nto participate on the working group. The FSSCC has selected FS-ISAC \nChairman, Eric Guerrino, for this task. The PCIS working group is \nanother example of how the financial services sector is following a \ncollaborative model to develop a strong cybersecurity network.\n\n    Future Challenges\n    FSSCC has achieved a great deal over the past few years. However, \nthere are still many issues which must be addressed regarding \ncybersecurity. Some of these issues have been highlighted in a recent \nGovernment Accountability Office (GAO) report entitled Critical \nInfrastructure Protection: Sector-Specific Plans' Coverage of Key \nCybersecurity Elements Varies. 
Another less apparent, \nbut equally important, issue includes increasing the level of consultation between \nDHS and its SSCs and SSAs over research and development initiatives. I \nwill take a few moments to highlight each issue.\n\n    GAO Report\n    The GAO recently conducted a review of each SSP to determine if key \naspects of cybersecurity related to the NIPP had been adequately \ncovered. The GAO's preliminary results have found none of the plans \nfully addressed all 30 cybersecurity related criteria. Consequently, \nthe GAO recommends that DHS require all SSPs be amended to address all \ncyber-related criteria by September 2008. Based on the cyber-related \ncriteria established by GAO for its report, the GAO concluded the \nBanking and Finance Sector's SSP ``somewhat comprehensively'' covers \ncybersecurity. We respectfully disagree with the GAO's analysis. \nBecause the GAO did not consult the SSAs or Sector Specific Councils \nwhen conducting its review, I would like to take this opportunity to \nexplain our view on several areas the report concluded our SSP did not \naddress.\n    Under section seven of the report, GAO stated our sector's SSP \nfailed to (1) describe a process to solicit information on ongoing \ncyber R&D initiatives and (2) identify existing cyber-related \nprojects that support goals and identify gaps. The sector's SSP \nhighlights the R&D committee as the primary mechanism to solicit \ninformation on R&D initiatives, and the R&D Committee's Research \nChallenges outlines in detail the sector's goals and gaps related to \ncybersecurity. Further, our sector's priority on R&D is evidenced by \nthe establishment of the FSSCC R&D Committee in 2005 and publication of \nits Research Challenges in April 2006, well before the NIPP was issued \nlast year. FSSCC believes the SSP and the Research Challenges document, \nwhich was incorporated into the SSP in an appendix, adequately \naddress the GAO's criteria. 
We welcome a dialogue with the GAO on \nthis issue.\n    Additionally, GAO's review stated, under section five, that our \nsector failed to identify programs to deter, respond, and recover from \ncyber attack. The Banking and Finance Sector SSP used a deter, respond \nand recover approach throughout all sections. Our testimony today \nhighlights a number of initiatives mentioned in our SSP aimed at this \nvery issue--the R&D Committee, FS-ISAC, Cyber Syllabus, Cyber Threat \nExercises, and PCIS. Consequently, without further guidance from GAO it \nis unclear how they reached a conclusion that our sector completely \nfailed to address this issue.\n    The GAO report, under section eight, also stated our SSP failed to \ndescribe a process for investment priorities. Although FSSCC does not \nhave any budget authority, we believe our R&D Committee's Research \nChallenges and Research Agenda highlight a number of priorities where \ninvestment dollars are most needed for our sector.\n    FSSCC, FBIIC and Treasury worked in close collaboration to develop \nour SSP, which we believe memorializes past and current initiatives \ninto a living document serving as a guide for future action. In other \nwords, we agree with DHS's assessment that the SSPs ``represent only \nthe early efforts by the sectors to develop their respective plans.'' \nConsequently, we welcome all comments and dialogue from interested \nparties on how to improve our nation's critical infrastructure \nprotection regime and believe that our sector is a model for less \nregulated sectors with less mature cybersecurity plans.\n\n    SSC/SSA R&D Budget\n    FSSCC believes DHS should consult with the SSCs, and, at the very \nleast, their SSAs, on business continuity research projects to ensure \noptimal resource allocation is taking place. 
FSSCC would like to \nencourage the Subcommittees and Congress as a whole to work with DHS to \nensure the same collaborative model used in our sector to generate \nbusiness continuity information and reports extends to actual resource \nallocation for critical infrastructure programs. Failure to consult \nwith experts from the organizations representing each sector severely \nlimits the ability to maximize returns from investment dollars in an \nefficient manner.\n    Over the past few years, FSSCC and its members have devoted \nsignificant resources to generating information, developing plans, and \nidentifying issues related to cybersecurity and opportunities for \nresearch for the public sector. While much information has been \ncollected, FSSCC fears this information risks being lost in a ``black \nhole.'' To avoid this result, FSSCC seeks to work with its public and \nprivate partners to develop a formal program that would channel \nresources to areas and programs that would provide the most positive \nimpact for our nation's critical infrastructure. FSSCC thinks that it \nmakes good economic sense to channel available sector and public \nresearch resources to programs supporting the Research Challenges and \nResearch Agenda developed by industry experts on FSSCC's R&D Committee. \nTo achieve this goal, greater communication and consultation about \nopportunities for R&D spending is necessary between DHS, Treasury and \nFSSCC. Another option would be to provide grant authority to SSAs such \nas the Treasury Department.\n    Currently, FSSCC is limited to influencing R&D project funding \nthrough support letters. Recently, FSSCC R&D Committee members visited \nCarnegie Mellon University (CMU) with a Treasury official to introduce \nCMU officials to the FSSCC R&D Agenda. While at CMU, the FSSCC R&D \nCommittee reviewed CMU research projects that CMU judged to be of \ninterest to the financial community. 
Committee members found that CMU
projects focused on Operational Resiliency, Keystroke Pattern Analysis,
Device-Enabled Authentication, and Insider Threat Analysis specifically
addressed major FSSCC research challenges, as well as the corresponding
NIPP research agenda themes. FSSCC could not fund these research
projects but wrote letters of support to encourage funding from other
sources.
    FSSCC believes the DHS cybersecurity R&D budget should be more
closely aligned with the threat posed. Twelve million dollars
appropriated for this purpose is insufficient to cover the R&D demands
within DHS and throughout the critical infrastructure sectors. Our
nation would be better served by providing additional budget discretion
and dollars to those most closely aligned with the work to be
performed.

    Conclusion
    The financial services sector has a long history of thoughtfully
and carefully preparing for threats to its critical infrastructure and
employees. The members of FSSCC are proud of our progress since our
inception in staying abreast of new and unexpected threats to the
critical infrastructure of the financial services sector.
    The financial services sector is working diligently to refine best
practices, business continuity plans, and homeland security efforts to
better protect employees and financial assets from cyber attacks. We
are grateful for the collaboration and coordination with our public
sector partners, the Department of the Treasury and the other members
of FBIIC, as we develop these plans. We will continue to work
diligently, and I am confident that the financial sector's preparation
for cyber attacks will meet the high standards of planning for which
our industry is well respected.
    Thank you again for the opportunity to provide FSSCC's views for
this important hearing. I would be pleased to answer any questions.

    Mr. Langevin. I want to thank the witnesses for their
testimony. And I remind each member that he or she will have 5
minutes to question the panel.
    I now recognize myself for 5 minutes for the purpose of
questions.
    Mr. Hender, thank you for your testimony. You discussed the
R&D piece of your sector plan and your information sharing and
analysis center. What I didn't hear, though, is how your sector
protects its assets and what efforts are under way in that
respect.
    Would you address that?
    Mr. Hender. Certainly.
    As I indicated in my testimony, our ISAC on a daily basis,
a daily basis, receives well over 100 sources of independent
information which it analyzes, and then passes on that analysis
every day before the markets open.
    Mr. Langevin. That is information sharing. What about--what
steps do you take? What concrete steps are you taking?
    Mr. Hender. Well, part of the information that is fed to
the 11,000 participants is, in fact, potential cyber attacks.
They then take that information and use that information to
look at their systems to see whether they have vulnerabilities.
    Also, attacks take place and they are able to pass on to
the other participants the attacks that are ongoing and how
those attacks can be mitigated. We also use that information to
pass on to the other government agencies to make sure that
those attacks are taken seriously and the government agencies
can use their best efforts to stop them.
    Mr. Langevin. I think, clearly, what would be helpful to
this subcommittee, for better understanding of the situation,
is more concrete steps--instead of action plans, steps that
they actually take as opposed to just being notified and
sharing information.
    What steps are then taken to make sure that the attacks are
not successful and then security mechanisms are actually put
into place? I would have felt more comfortable--you spoke about
intrusion detection devices and other beefing up, firewalls
and things of that nature.
    Mr. Hender. Clearly, the members of FSSCC spend billions
and billions of dollars building just those things that you
have mentioned to prevent the attacks.
    As we all know, these attacks are becoming more
sophisticated every day, and the things that they have in
place, which maybe were adequate a year ago or 6 months ago, we
now know are not. So they are continuously spending money to
make sure that those firewalls and other protection devices
are in place to stop an attack.
    When those protection things fail, it is very important to
get that information out so it does not spread.
    Mr. Langevin. Secretary Garcia, let me turn to you on
another topic. The White House has announced a few weeks ago a
new initiative called the Cyber Initiative. It has been said
that the Cyber Initiative will be a multi-year, multi-billion-
dollar operation which will help protect government and private
communication networks from cyber attacks. I have also heard
that the DNI will be coordinating this effort with over 2,000
people from DHS, NSA and other Federal agencies.
    It is extremely disconcerting, however, that everything
that I have heard about this new initiative has come from
newspaper articles, despite repeated requests for a briefing
from DHS. Why won't the Department brief this committee on the
Cyber Initiative?
    Mr. Garcia. Mr. Chairman, thank you very much.
    First of all, we take very seriously our commitment to
inform and engage the Congress on matters as important as
cybersecurity. And along those lines, we are glad that we have
had the opportunity to brief members of the committee on more
than one occasion on the classified threats that we are facing
as a Nation, and particularly as a Federal Government.
    So the question becomes, then, what do we actually do about
it? And this is--in fact, many of the issues that I have
testified to you about we have a number of programs under way
in DHS under my Office of Cybersecurity and Communications that
are addressing this day after day. And one of the highest
priorities that I stated at the outset of my tenure at the
Department was to protect Federal networks, which are
constantly under attack, cyber attack, on a day-to-day basis.
So that has been well-stated as one of my highest priorities.
    In terms of making that a comprehensive, holistic
Government program that involves all members of the Federal
Government on an interagency basis, it is a complex plan in
process. And we would want to be sure that we have an accurate
assessment of the way forward before we brief the Congress on
this. The last thing we want to do is give you an incomplete or
fragmented strategy.
    Mr. Langevin. Well, Secretary Garcia, you know, I just
remind you that this is supposed to be a collaborative effort,
and both the administration working with the Congress. And when
you are talking about the Cyber Initiative, something this
massive, involving this many people, with the direct
involvement potentially of the NSA, along with billions of
dollars that are going to be spent, the lack of being
forthcoming and engaging in a full disclosure with the
Congress, particularly with this committee, subcommittee, it is
very upsetting, it is disconcerting, and I am not happy. I am
not satisfied with that answer.
    Now, according to an article in the Baltimore Sun, the
Cyber Initiative calls for NSA to work with DHS and other
Federal agencies to monitor critical infrastructure networks to
prevent unauthorized intrusions. One presumes this would mean
the monitoring of both Federal and privately owned critical
infrastructure networks.
    If this is true, what impact will this have, this
initiative have, on the cybersecurity elements of the sector-
specific plans? And beyond that, what impact will this have on
the public-private partnership that DHS has been developing?
    Mr. Garcia. Sir, certainly I wouldn't want to comment on an
article that is speculative before we really finalize our
plans. But we certainly look forward to briefing the committee
at the appropriate time when we have finalized our plans.
    But let me tell you that everything that we have been doing
over the past year and a half or 2 years has been focused on
this public-private partnership, and that needs to continue. My
emphasis, absent the public-private partnership, is in
strengthening our Federal networks. And that really is one of
the highest priorities. And that is what we are focusing on
here for the purposes of this hearing. The NIPP and the sector-
specific plan process is one that we are committed to, year
after year, as we involve the private sector in our efforts.
    Mr. Langevin. Mr. Secretary, I certainly look forward to
getting that briefing on the Cyber Initiative at the earliest
possible opportunity.
    With that, the Chair now recognizes the ranking member of
the subcommittee, Mr. McCaul, for 5 minutes.
    Mr. McCaul. I thank the Chair.
    And I would also like to raise the issue--we have had
several hearings on cybersecurity. And, Secretary Garcia, you
have participated in many of those.
    And it is my assumption that this plan that DHS is working
on with the administration, you are in the process of
developing that plan at this point in time? Is that correct?
    Mr. Garcia. That is correct, sir. It is an interagency
process.
    Mr. McCaul. Right. When do you anticipate that the plan
will be fully developed so that you will be in a position to
brief Members of Congress?
    Mr. Garcia. Sir, I wouldn't want to commit to a time at
this point. We are still in the planning stages.
    Mr. McCaul. Okay. Certainly, if it hasn't been finalized, I
can see why it is an ongoing process at this point. But I would
ask, as well as to echo the Chairman's remarks, that, to the
extent when you are ready to share and coordinate with us on
that, we certainly would like to know what the plan is.
    In addition, the commission that was formed as of yesterday
I am sure will be very interested in working with you on that,
as well.
    Mr. Garcia. Sir, let me just say I appreciate and commend
you and Chairman Langevin for the appointment of that
commission. I think this really shows proactive thinking about
an ongoing attention that needs to be paid to cybersecurity and
what is working, where are the gaps, what do we need to be
doing, going forward.
    Mr. McCaul. And I thank you for saying that. I think as the
Chairman mentioned yesterday, we see it as a forward-looking
vehicle, not a ``gotcha'' exercise. It is a policy exercise,
looking forward, what can we do to better protect our systems.
And I think you will find it should be a very friendly, not
hostile, relationship with the Department of Homeland Security
and the administration.
    Having said that, I think as you mentioned, Secretary, the
12 of 17, as I look at the report card, is actually some good
news, that we have plans that are satisfactory. There are a few
that are not.
    And, Mr. Powner, I want to ask you about some of those,
specifically the financial sector, which has some concern. If
the financial networks were hacked into and the numbers were
moved on the ledger, you can imagine the economic chaos that
would cause. And we know that, whether they are criminal
enterprises wanting to steal or whether it would be terrorists
that would like to cause economic devastation in this country,
you can imagine the consequences. So this particular sector is
of some concern.
    Mr. Hender has raised the issue that your review is not as
thorough as it should have been on the financial sector, and I
want to get your response on that. He specifically said you did
not consult with Treasury on your analysis. Can you comment on
that?
    Mr. Powner. Yes, a couple comments.
    First of all, I would like to start by saying, do we think,
based on our years of work looking at cyber critical
infrastructure, that the banking and finance sector is one of
the mature sectors? We do. Okay.
    When we did our analysis, we were surprised, okay. The way
we go about our analysis, I have a team that has actually
looked at this for many years, and we had multiple folks where
they independently came up with the same assessment. Okay. So
we stand by our assessment. I think Secretary Garcia mentioned
that our assessment overall was consistent with his assessment.
So I think there is a disagreement not with just GAO but
perhaps with the DHS.
    Now, going forward, I am more than willing to sit down with
Mr. Hender. We have talked about this, and we will talk about
the differences here. I think the larger question here is
this--not to go over checkmarks in this category or this
category when you look at 30--is, what is the value of the
plans? Okay. Some mature sectors--and it wasn't the banking and
finance sector, but in other work we have done, the water
sector, for instance, has mentioned, we are beyond the planning
phase; these plans are not that helpful for us. And my only
question is whether that is similar with the banking and
finance sector.
    Mr. McCaul. Are you questioning the necessity for the plans
or the----
    Mr. Powner. Well, I think as you heard from the two
witnesses here, there is a lot going on, on an individual
company basis. And when you look at the whole sector approach,
we have been trying to do this well prior to the, you know, 9/
11, the Homeland Security Act. This goes back to a Presidential
directive in 1998. Okay.
    So we are almost 10 years into this, and many would argue
that we haven't made much progress. We are still in the
planning and assessing phase, and we ought to be into the
protecting and putting in place robust recovery plans.
    So I am not saying that the plans necessarily aren't
useful, because they could be useful. It is a question of
whether we complete them and effectively implement them going
forward.
    Mr. McCaul. Just to follow up to that, what more needs to
be done to the financial sector to put it in the passing
category? I am of the view that mandates and regulatory actions
should be a last resort, that we should allow the private
sector to work with the public to work this out. What more, in
your opinion, needs to be done?
    Mr. Powner. Well, in order to get their plan more
comprehensive, I think there are probably only six or seven
criteria that they could easily bump their plan up and they
would be one of the most comprehensive. So it is a matter of just
making the plan complete at this point. And do we have
confidence that will occur? Yes.
    And we are more than willing to sit down with Mr. Hender,
too, to make sure we didn't miss anything. But, once again, we
stand by our analysis.
    Mr. McCaul. Last question. My time has expired, but I would
like to ask Mr. Hender, how vulnerable, in your opinion, is the
financial sector to a cyber attack?
    Mr. Hender. Well, I would never sit here and tell you that
a cyber attack could not happen against our sector, but I don't
want to leave the impression with this committee that we are
still in the planning phase in terms of cyber.
    I think if the GAO had looked at our full plan and the
appendices that were attached to that plan, and if they would
have understood that we are way beyond the planning stage--we
are a highly regulated industry. And back in 2006, there was an
analysis done by the Federal Reserve, the Office of the
Comptroller of the Currency, and the SEC to see what progress
our sector had made not only in physical but also in cyber. And
I will tell you, I would like to submit for the record the
results of their findings, because I think you will find, if
you read that report, we are way beyond the planning stage. We
have done an enormous amount of work to protect this sector, so
that if it is a cyber attack or a physical attack, we are in as
good of shape as we think we can be. That is not to say you
can't be better, but we work at it every single day to try and
get better.
    Mr. McCaul. And what is the name of the report you
mentioned again?
    Mr. Hender. The name of the report is the ``Joint Report on
Efforts of the Private Sector to Implement the Interagency
Paper on Sound Practices to Strengthen the Resilience of the
U.S. Financial System,'' and is dated April 2006.
    Mr. McCaul. Mr. Chairman, I would respectfully request that
report be entered into the record.
    Mr. McCaul. I see my time has expired. Thank you.
    Mr. Langevin. The Chair now recognizes the gentleman from
New Jersey, Mr. Pascrell, for 5 minutes.
    Mr. Pascrell. Did I hear you right, Mr. Hender, that the
GAO did not take into account the appendix of the report?
    Mr. Hender. That is my impression. I don't know that for a
fact. Because if you look at the appendix, it really answers
the questions where they found fault with our sector.
    Mr. Pascrell. Mr. Powner, did you take into account the
appendix?
    Mr. Powner. I would have to go back and revisit the full
plan. A lot of these plans are quite comprehensive. Was there
an appendix, or the one that Mr. Hender was referring to? I
would have to look at that.
    Mr. Pascrell. When you are looking at the chart, you are
looking at the chart that you presented to us, the five areas
that need, really, some improvement and are still perhaps in
the planning stage, as you go back before 9/11, this process
started, correct, Mr. Powner?
    Mr. Powner. That is correct.
    Mr. Pascrell. We are talking about banking and finance,
defense industrial base, national monuments, agriculture, food
and commercial facilities are the worst. Aren't they?
    Mr. Powner. Correct.
    Mr. Pascrell. Why is agriculture and food the worst, one of
the worst? Specifically?
    Mr. Powner. Specifically? I could go through in detail, you
know, those areas.
    Mr. Pascrell. I read your testimony.
    Mr. Powner. Right.
    Mr. Pascrell. But you know that off the top of your head.
What stands out? Is there any one thing that stands out?
    Mr. Powner. I would have to get back to you on that. I
mean, we have details here in an appendix for each of the 30
criteria that we looked at, but clearly when you look at that,
with as many categories that were not fully satisfied, there
are eight overall categories, you know, do you have----
    Mr. Pascrell. Right.
    Mr. Powner. --do you have a methodology to assess your
assets? Do you have a methodology to perform your risk
assessments? There would be weaknesses in all those. Are
there appropriate methodologies for recovery plans?
    Mr. Pascrell. Might not the biggest problem be here, to go
back to something stated earlier, that we do not have a
national risk assessment? What is the relationship between
that, Mr. Powner, and the results which you have come up with,
in your estimation?
    Mr. Powner. A national cyber risk assessment?
    Mr. Pascrell. Right.
    Mr. Powner. Well, one of the things that is clear is we
have never had a national cyber threat assessment. Okay. So we
have not had that.
    Mr. Pascrell. Ten years into the plan, and we don't have a
risk assessment.
    Mr. Powner. Correct.
    Mr. Pascrell. All right.
    Let me ask Mr. Hender this question. Nothing changes under
the sun. How are you verifying what companies are doing with
the information you provide? How do you know what they are
doing with it?
    You are not just sending information, you are not just
sending out an advisory. This is serious business, as you well
know better than I do. So what are you doing with the
information? What are the companies doing with the information
you give them?
    Mr. Hender. Well, I have talked to the companies. And
depending upon the threat level, the company either has a
problem or doesn't have a problem.
    Mr. Pascrell. Do we have a list of what is done? Do we have
a report to present to this committee as to what these
companies are doing with the information that is provided?
    Mr. Hender. I think if you look at the report that I
referred to earlier----
    Mr. Pascrell. Right.
    Mr. Hender. ----that report is very comprehensive. And it
also deals with the companies that make up the sector. And I
think the agencies that regulate them--I mean, we are highly
regulated. These regulatory agencies----
    Mr. Pascrell. You are highly regulated about--what things
are you talking about?
    Mr. Hender. We are highly regulated by a number of things,
but cyber is one of the things that we are regulated by.
    Mr. Pascrell. And how are you regulated?
    Mr. Hender. We are regulated by examination. And, in fact,
in some of the large companies, the regulators sit right in the
offices to make sure that the things that you are worried about
don't happen.
    Mr. Pascrell. So you think the assessment that was made by
GAO is just a result of them not reading all the information
that should be available and is available to them? If they read
that information, they are going to change their assessment,
they are going to change the report. They are going to send
back a report to this committee and say, ``Oh, we missed three
or four different things, and we really want to change the
banking and financial assessment to comprehensive. We don't
think they are somewhat comprehensive; they are
comprehensive.''
    Is that what you want us to believe?
    Mr. Hender. I truly believe that. And I think our sector
coordinating agency, the United States Treasury, truly believes
that. I believe that we are one of the most mature sectors that
are out there. We take this very seriously.
    Mr. Pascrell. No one is saying that you are not taking it
seriously. You have been on this for 10 years.
    Mr. Hender. And we--
    Mr. Pascrell. Excuse me. You have been on this for 10
years, and I am not convinced, in what I have read and what I
have heard today--I am asking you to convince me. You haven't
so far; you might. I am asking you to convince me that there
have been tangible actions on your part, not you personally,
but in that sector, that would indicate that we have come a
long way. I don't feel that. What am I missing?
    Mr. Hender. Maybe I am just not a good communicator.
    Mr. Pascrell. No, I don't think that is the case at all.
You have to have something to communicate.
    Mr. Hender. I think the amount of money that the firms have
spent since 9/11 in making our sector more robust and able to
deal not only with the physical threats but the cyber threats
are very, very impressive. As I said, they take this very
seriously. Our regulators take it very seriously.
    And I think that I would be surprised if the GAO, when we
have our conversation and point to them the real efforts--not
plans, but the real things that we have in place to protect
this sector--would not change their opinion. I would be very
surprised.
    Mr. Pascrell. Well, in conclusion, Mr. Chairman, we are 10
years into this, with this particular sector, and there is a
very serious statement that Mr. Hender has made, that we
respectfully disagree with the GAO's analysis.
    Those are your words, Mr. Hender. And I respect those
words. Don't get me wrong. I am more inclined, at this point--
not you personally--I am more inclined to believe GAO, because
they have a different part of this. They are involved in a very
different part of this than you may be or I may be.
    And I would hope that you will prove to them that they are
wrong and so that this committee will get the report back, and
maybe I will change my mind, or maybe some of the other
committee members who feel like I do will change their mind.
    But going back to what Mr. Powner said, we need a national
risk assessment plan. And we cannot be honest with the American
people about how safe they are unless we have that plan.
    And that plan is overdue, is it not, Mr. Powner?
    Mr. Powner. Yes, it is.
    Mr. Pascrell. Thank you, Mr. Chairman. I appreciate your
giving me those courtesies.
    Mr. Langevin. I appreciate the gentleman's line of
questioning. His point is well-taken, and the Chair certainly
agrees.
    With that, the Chair now recognizes the gentleman from
California, Mr. Lungren, for 5 minutes.
    Mr. Lungren. Thank you very much, Mr. Chairman.
    Let me ask both Mr. Hickey and Mr. Hender this. It seems to
me that the nature of your industries are such that the cyber
world is an essential part of it, an obvious, central part of
it. It is part of what you do. It is part of what you are. It
is part of how you provide your services. As opposed to some
other sectors where cyber is important, extremely important,
but it is not so transparent to the user that if you were to
charge them for protecting the cyber aspect of their business
the user would say, ``Well, I understand that,'' in your
industry it seems to me to be far more obvious.
    So I would ask you this, in both cases. How do your
respective industries view cyber protection as a part of the
cost of doing business, such that your members can justify to
your shareholders the bottom line? Because I happen to think
that that is one of the most important things we are going to
have to do in the private arena. And it would seem to me it
would be more obvious in both of your cases to begin with. So I
would say these may be the easy cases.
    But can you give me an idea of how the companies that make
up your organizations view that as part of cost of doing
business and, therefore, part of the cost of being active
competitors?
    Mr. Hickey. I think when you take a look at today's
marketplace, our customers--which are enterprise customers,
Government customers, and consumers--are demanding that
companies like Verizon put in place safeguards to protect their
business and their livelihoods within our organization. So the
market is demanding that companies like Verizon invest, and
invest very heavily, in technologies that will safeguard not
just our physical assets and certainly our human assets but,
very importantly, our cybersecurity assets.
    Mr. Lungren. Let me ask you this, then. You can look at a
whole array of potential attacks. They could be hackers. They
could be mischievous college students. They could be the bad
guys who want to be able to get into your company and therefore
extract some economic benefit on their part or to harm you so
that someone else is benefitted. Those, it seems to me, are, in
terms of possibilities, greater than a terrorist attack, which
has greater consequence but the likelihood is far less.
    How do you calculate that such that you make a judgment to
either insulate your operation from a cyber attack by a
terrorist organization, transnational or national, or to create
redundancies in the event that they are successful with an
attack?
    Mr. Hickey. I think if we continue to focus on the blocking
and tackling of cybersecurity practice, given the environment,
given the fact that we are looking at an all-hazards
environment, that we will continue to invest as necessary in
the technology and the expertise to help secure the interests
of our customers.
    Verizon in 2006 invested over $17 billion in infrastructure
build-out. And we are doing that certainly with an eye to our
customer and our future customer base. And vendors that do
business with Verizon know very clearly what our priorities
are, in terms of the technologies that we require to make our
network more secure going forward.
    So, again, going back to the marketplace, we are mindful of
our customers' needs; our vendors are mindful of our needs as a
major carrier. And companies like Verizon continue to invest
very aggressively to make sure that we are addressing all
hazards within the cybersecurity realm.
    Mr. Lungren. I would say parenthetically, if Verizon were
one of those companies that we asked to assist us after 9/11 on
our efforts on foreign intelligence that we are now refusing to
give immunity, it is kind of tough for us to tell you to trust
us as we go forward. Hopefully, we will address that.
    Let me ask both of you--and I know I asked both questions
to you as well, Mr. Hender, but I am limited in time. Do you
have, in the private sector, among the companies that would
receive information that would be of value to them from the
Government, do you have or do those companies have their people
that have the proper clearances that they could receive that
information? And is it at the CIO level? And if a CIO has that
information, has that clearance, how does the CIO interact with
the CEO if the CEO doesn't have that clearance? And what have
we done in terms of recommendations, if any, in your sectors to
deal with that?
    Mr. Hender. I think our sector-specific agency, Treasury,
has been very responsive in getting the right people in our
sector the necessary clearances that we need and, in addition
to that, giving us access to the people in the Federal
Government who are charged with collecting the intelligence
information and passing that information on to us.
    You ask a very important question, though. And that is,
what can the person who has the clearance do with that
information? Clearly, if there is a life-threatening event that
is going on that is classified, that person has an exemption
and can pass that information on to anyone to make sure that
those lives are not lost. Also, that person, with the
permission of the agency, can work and make sure that the
appropriate people within that company or within that entity
know what is going on to protect that entity.
    It has never really been a challenge, to date, where
something has come to our attention that has been classified
where we have not been able to use that information to protect
the sector.
    Mr. Lungren. Mr. Hickey, you feel the same way?
    Mr. Hickey. Our sector-specific agency is the National
Communications System. And just as Mr. Hender said, the NCS has
been very attentive to the needs of not just my company but
others, in making sure we have the right clearances for the
right individuals.
    I can say that, from a Verizon standpoint, our CEO, Ivan
Seidenberg, has just received his top-secret clearance. So,
right to the top within our organization. If we, at the ground
level, if my team becomes aware of information shared within
the NCS or, you know, within the HITRAC organization, within
the IP division, we can share that at the very highest levels
of the business with the appropriate individuals to make the
right decisions, from a response standpoint.
    Mr. Lungren. Thank you.
    Mr. Langevin. I thank the ranking member.
    The Chair now recognizes the Chairwoman of the Subcommittee
on Transportation Security and Infrastructure Protection for 5
minutes.
    Ms. Jackson Lee. Thank you very much.
    And I thank the witnesses.
    And I am having trouble with double appointments and
hearings that we have responsibility for, but I am delighted
that the testimony has contributed to, I think, a very
important discussion.
    I am going to start on this debate that is going on with
the initial offering to work with the private sector. Again,
the private sector holds 85 percent of the infrastructure. And,
certainly, cybersecurity being a seamless part of that, there
is a dialogue going on about the question of the voluntary
cooperation, which I made mention of in my opening remarks, or
a regulatory framework.
    So I would like to ask Mr. Hender, based upon your
experience--let me pose the question first to Mr. Powner, and
then, Mr. Hender, you might want to comment.
    But based upon your experience in critical infrastructure
work, protection work, do you think the Department of Homeland
Security should continue to work with the private sector, or
providing the private sector with an adequate value proposition
to encourage it to effectively protect critical infrastructure?
    In essence, are we giving them enough of a carrot to do it
voluntarily, or should there be some form of a regulatory
framework in this partnership?
    Mr. Powner?
    Mr. Powner. I think when you look at what was envisioned in
national policy going back pre-HSPD-7, one of the things that
the Federal Government needs to do a better job--and Assistant
Secretary Garcia and I have talked about this--if there were
more products, analytical products coming out of the US-CERT,
more information on national threat information that was of
value to the critical infrastructure owners, I think that would
improve the partnership. Okay.
    So in order to have an effective partnership, you have to
be offering something that these sectors want. Okay.
Historically, when you look at where it has really worked, I
think there were times when we provided grants to the water
sector to do vulnerability assessments. That opened up the
communications, okay, because the Government was paying for
certain vulnerability assessments, so they were more inclined
to open the discussion.
    I think there are pockets of sectors, due to the maturity
of them working in regulated environments, that are more mature
and have worked more effectively together, like the banking and
finance sector.
    So I think regulation should be considered if we don't make
more progress. But there is also--if you stay the course with
the NIPP and the sector plans, the Federal Government needs to
offer more and provide more of a service to the infrastructure
owners.
    Ms. Jackson Lee. And that is service in what form?
    Mr. Powner. The service--the things that the Government
controls more, when you look at the roles and responsibilities
of the NCSD under Assistant Secretary Garcia, is threat
information and it is analytical products on vulnerabilities
and incidents. Okay.
    We have a US-CERT that we continue to attempt to build out
capability with the vision that we are going to have more
robust analytical products that we can provide to these
infrastructure owners. As an example, if you go to DOD or some
parts of the intelligence community, you will see some fairly
robust analysis and warning capability, when it comes to cyber.
Okay?
    So there are pockets in the Federal Government where we
have this. All right? What we need to do is we need to build
that out and transfer that information to the infrastructure
owners. That would help with the partnership.
    Ms. Jackson Lee. And the pockets in the Federal Government
are just scattered, or there is some order to them?
    Mr. Powner. I think there is order, but it depends on where
it is at. If you look at DOD and some of their capabilities in
this area, some of it is fairly robust.
    Ms. Jackson Lee. We need to harness it. We need to get some
sort of organized way of connecting.
    Mr. Powner. Absolutely. If you look at HSPD-7 and if you go
back to analysis and warning pre-DHS, we had this capability,
and we were building it within the FBI. There was something
there called the National Infrastructure Protection Center.
With the creation of DHS, we moved it from the FBI and it now
became the US-CERT.
    So, clearly, we have had some starts and stops. We have
progressed forward; we have taken some steps backward. But if
we really want to build out that capability, that is one way to
build a more effective partnership, if you offer more on the
Government side that was of value to these sector owners.
    Ms. Jackson Lee. Let me, Mr. Hender----
    Mr. Hender. It is very clear that, unless there is a
partnership between the private sector and the public sector,
the things that we have discussed today are never going to be
solved. I think a good example and a model is to look at the
partnership that we have with Treasury. It is so critical to
have information that flows both ways.
    And if I could make a recommendation, I would think it
would work very well and be very important to take people from
the private sectors, just not our sector but all the sectors,
and house them in some form or fashion within CERT or some
other intelligence organizations, so, as this information comes
in, it can be analyzed, not only by the Government, but you
have the private sector sitting there and saying, ``This is
important information. This is a threat. This is what this
means, this information.'' Unless you have that partnership and
unless you have those people sitting there working together, a
lot of information that maybe flows into these intelligence
organizations, I think we are missing a golden opportunity. And
I think we are missing it.
    Ms. Jackson Lee. We are missing it.
    Mr. Garcia--Mr. Chairman, if I can, I just have a couple of
quick questions, probably not quick on the answers.
    Secretary Garcia, let me thank you for your service. This
is a tough business that we are in. And I think there are some
tough concerns that we have as members.
    You know that I expressed my concern about the national
annual report regarding the status of critical infrastructure
protection nationally and within each of the sectors. The
report is due on November 5th. And my question is, is it ready?
Is it something that we can expect? And you might want to
acknowledge whether this is still the case, that we will have a
full report.
    And I have another question for you that I would like to
just offer so that you can answer it. The incident at the Idaho
laboratory provided you with an opportunity to showcase how
effectively you can reach out to the private sector with best
practices. My concern, though, is how you verify the
implementation of these advisories. And I think this was
mentioned by one of the witnesses.
    How do we have a two-way street? How are you measuring such
implementation? And into what obstacles are you running, so
that the private sector can become vested in what you do?
    Mr. Garcia. Absolutely. Thank you, Madam Chairwoman.
    On the first point, I believe we are on track for
delivering that report to you.
    And on the second issue, you are correct that one of the
most important things for us to achieve over time is the
ability to measure progress. Where DHS is not empowered to
compel reporting back from the private sector on the extent to
which they have implemented best practices or other----
    Ms. Jackson Lee. DHS is not compelled to report back to the
private sector?
    Mr. Garcia. No, to the extent that DHS cannot compel the
private sector to report back to DHS.
    Ms. Jackson Lee. To report back. So there is a lack of
either oversight or regulatory structure.
    Mr. Garcia. Right. And for those sector coordinating
councils that we have worked with, for example, they, in turn,
are not necessarily empowered to demand from their member
companies that they report back to them. So, much of this is,
in fact, voluntary.
    I would point out, I think the fact that, through this
whole NIPP process and the sector-specific plan process, the
fact that there are 17 critical sectors that have come to the
table with DHS and other sector-specific agencies without
actually being compelled to do so is, I think, in fact, a
testament to the importance that the entire private sector,
sector-specific agencies give to this issue of the joint
public-private partnership.
    Ms. Jackson Lee. Quickly, Mr.
Hickey, has the DHS given \nenough incentives to the business community to do what Mr. \nGarcia says is missing, which is to come back and report back \non best practices? Apparently, there is a schism there, in \nterms of being able to do this in a voluntary manner.\n    Mr. Hickey. I would respond to that by saying that there \nare a great number of forums that companies like Verizon \nparticipate in, from the National Security Telecom Advisory \nCommittee to the President, where you have 30 companies coming \ntogether from a full array of sector participants, that come \ntogether regularly to develop plans and policy and \nrecommendations to the President on global infrastructure \nresiliency, on network security, on GPS issues, on a full array \nof issues where we feel an obligation to bring our subject-\nmatter expertise to the table to work with Government and \nsupport Government initiatives.\n    The NSIE, the National Security Information Exchange, where \nGovernment and industry come together, again, it is \nvoluntarily, but willingly, to share best practice around \ncybersecurity and other security practice.\n    My sense is that companies like Verizon are there because \nwe feel an obligation to Government and to the country to \nparticipate not only in planning but in operationalizing \nsecurity practice to protect the country's best interests. So \nwe are there willingly.\n    I think, from an incentive standpoint, the issue of real-\ntime sharing of threat intelligence is very important. 
And that \nis helpful for companies like Verizon, to have a good, accurate \nsource of timely information regarding threats, cybersecurity \nand otherwise, that we can then internalize and deal with from \nan operational standpoint.\n    Within Assistant Secretary Garcia's organization, he has \nmade, I think, a positive move toward bringing together, even \nmore closely, the information-technology sector and the \ncommunications sector by collocating our NCC ISAC, our National \nCoordinating Center for Telecommunications ISAC, with the IT \nISAC and with the US-CERT. That brings us closer together, \nphysically, day in and day out. We can address, as things \nevolve, operational issues much more quickly on a day-to-day \nbasis.\n    So threat intelligence would be a major incentive, but I \nthink there is a real willingness there to assist our \nGovernment partners. And we are, I think, continuing to move in \nthe right direction.\n    Ms. Jackson Lee. Thank you. I think we have a lot of work \nthat we can look at that you have done that we need to do. \nThank you.\n    Mr. Langevin. I thank the gentlelady.\n    There is a vote on right now, but we will go to Ms. Clarke \nfor the final question before we dismiss this panel. Ms. Clarke \nis recognized for 5 minutes.\n    Ms. Clarke. Thank you very much, Mr. Chair.\n    This question is to Mr. Powner.\n    You just suggested to Chair Jackson Lee that the Federal \nGovernment could assist these sectors to ensure greater \nconsistency through partnership, if you will. Clearly, there is \na lack of consistency in the quality of the various sector-\nspecific plans.\n    Do you feel that DHS is doing enough to work with each \nrespective set of public-private stakeholders to ensure greater \nconsistency? And have your offices recommended or determined a \ngood way for them to do this?\n    Mr. Powner. 
Well, clearly, Assistant Secretary Garcia had \nmentioned his office and the interaction they had with various \nsectors in putting those plans together.\n    I think what is important is, when you look at this next \nannual report that is due out, the annual report should be \nproviding some assurance, Madam Chairwoman, that you mentioned, \nthat, one, the plans are now complete and, two, that we are \nactually moving down the road toward implementation.\n    Ms. Clarke. Mr. Garcia, Assistant Secretary Garcia, good to \nsee you again.\n    In response to Representative Pascrell's questioning, Mr. \nPowner said that there needs to be a national risk assessment \nfor cybersecurity. Five months ago, the Department stood up the \nRisk Management and Analysis Division. Have you engaged with \nthat office to date?\n    Mr. Garcia. That is part of the National Protection and \nPrograms Directorate, to which my office belongs as well. CS&C \nis part of that, as well as the Risk Management Analysis \nOffice. So, yes, we interact regularly.\n    The national risk assessment that we are focusing on is, in \nfact, the National Infrastructure Protection Plan, the sector-\nspecific plans that go with it. And I think, as we implement \nthese plans, as Mr. Powner says, we are going to have a \nnational risk assessment with metrics in place that we can \nmeasure how well we are doing.\n    I would emphasize that it is important to note that this is \nthe first time we have done this, that 17 sectors, industry \nsectors, have organized themselves around a common mission, and \nthen to organize themselves to interact with the Government in \na collaborative process, a framework by which we are going to \nmeasure the vulnerability, assess the vulnerability of our \ninfrastructure nationwide, and then take the steps to actually \nmitigate those vulnerabilities and strengthen our \ninfrastructure.\n    So I think we have come a long way in just a year-and-a-\nhalf worth of time. 
And the fact that most of these sector-\nspecific plans were written around the middle of last year, \nthere has been a tremendous amount of effort and resources put \ninto infrastructure protection since then in the cyber area.\n    Ms. Clarke. Assistant Secretary, I recognize that, you \nknow, this is a major, major undertaking, and some would say \njust putting together the Department of Homeland Security has \nbeen a major, major undertaking.\n    The concern is that there be some sort of a driving force \nthat puts some, you know, some energy behind getting this done \nin a timely fashion, and that we are not sort of leaving it up \nto inertia to get us there.\n    You know, with each passing day, people are concerned that \nwe have, you know, the critical infrastructure, particularly \nwith respect to cybersecurity, in place. Because it seems like \nthere is a generation of intelligentsia out there that just \nlives to get ahead of us, with respect to cyberspace.\n    So I hope that you will certainly recognize the urgency \nfrom which you hear this committee speaking, because we \ncertainly believe time is of the essence but, at the same time, \nunderstand that haste can make waste. So we hope you will take \nthat under advisement.\n    And this question is--really, my final question is to \nanyone on the panel. Although there are many differences \nbetween each sector represented in the NIPP and there is merit \nto the idea that each area tailor its own plan, when it comes \nto cybersecurity, many of these sectors deal with some of the \nsame problems. For example, organizations of every sector have \nto deal with the possibility of data theft or that systems can \nbe brought down. Therefore, if planners in one sector figure \nout a useful solution that can apply to other sectors, it would \nbe useful if this information were disseminated.\n    Is there any information-sharing occurring between the \ncoordinating councils for each sector? 
And is this a role that \nDHS plays or could play?\n    Mr. Garcia. Absolutely, Congresswoman. Thanks very much for \nthat question.\n    We, last May, set up--my office set up the Cross-Sector \nCybersecurity Working Group. And it is composed now of experts \nin cybersecurity from all of the 17 sectors. And we meet at \nleast monthly and, I think, more frequently on conference call. \nAnd this is the forum precisely for those various sectors to \nshare their experiences in cybersecurity and see where there \nare dependencies on one another in their cyber infrastructure \nand interdependencies, and see where there are common \nproblems across all of them.\n    Control systems, a subject that this committee held a \nhearing on on October 17th, is a prime example, where there is \na nexus between cybersecurity and physical security. That the \nprocess control systems that enable us to purify water, \nmanufacture chemicals, to run the electric grid, all of these \ndigital control systems have a nexus to information networks or \ncommunications networks.\n    And so, the fact that these sector representatives are \ncoming together on a regular basis to share those concerns, \nidentify common vulnerabilities, this is taking us a long way \ndown the track of doing that national risk assessment that we \nare heading toward.\n    And I think this is a perfect example of how the sector-\nspecific plans, the NIPP process, is working.\n    Ms. Clarke. You want to say anything?\n    Mr. Hickey. I would just like to comment that the \nCommunications Sector Coordinating Council and the IT Sector \nCoordinating Council work very closely together, day in and day \nout. We have cross-membership. We work together in a number of \nforums. Actually, the chair of the IT Sector Council is in \ntoday's audience. 
So there is a very close relationship.\n    As was pointed out earlier by one of your colleagues, it is \nhard to distinguish where pure providers end and information \nservice providers start. Companies like Verizon and other \ncompanies, large and small, are aware of the fact that, with \nconvergence of technologies, cybersecurity has to remain a real \nfocus. And I can assure you that, both within the IT sector and \ncom sector, we work very, very closely together.\n    Mr. Hender. I would just like to comment that we just \nfinished a 3-week pandemic exercise. Part of the component of \nthat exercise was cyber, because if the Internet is not there, \nthen the work-at-home programs that the firms have put together \nare going to be useless.\n    It is our intention to make those findings public in 2008, \nearly in 2008, not only to our sector, but to all the sectors \nin this country and to the international countries that are \ninterested in learning the experiences we had during this \npandemic exercise.\n    Ms. Clarke. Thank you.\n    Thank you very much, Mr. Chairman.\n    Mr. Langevin. I thank the gentlelady.\n    And I thank the witnesses for their testimony.\n    There is one last thing I am going to pose. Unfortunately, \nwe don't have time for the answer since there is a vote on \nright now. We have about 2 minutes.\n    But, you know, when we talk about the risk assessment--\nSecretary Garcia, I would ask you to respond to this in \nwriting. And, Mr. Powner, if you would comment.\n    You know, a risk assessment is composed of threat and \nvulnerability and consequence. You know, how will the national \nreport be a risk assessment, when it is lacking these critical \nissues?\n    So I pose that to you. 
And we will have some other \nquestions that we would like you to respond to in writing.\n    Again, I thank the witnesses for their valuable testimony, \nthe members for their questions.\n    The members of the subcommittee, as I mentioned, may have \nadditional questions for the witnesses, and we ask that you \nrespond expeditiously in writing to those questions.\n    At this time, the first panel of witnesses is dismissed.\n    And the Chair now recesses for what will be one vote, and \nwe will reconvene in approximately 15 minutes.\n    Thank you.\n    [Recess.]\n    Mr. Langevin. The committee will come to order. As we call \nup the second panel of witnesses, I want to thank the panel for \nyour patience and willingness to stick around. We do appreciate \nit, and I know you have valuable testimony to offer. \nUnfortunately, Mr. O'Hanlon was not able to stick around. He \nwas going to be on this panel as the lead-off. Mr. O'Hanlon \nspecializes in U.S. national security policy and is the co-\nauthor of a book called Protecting the Homeland 2006, 2007, and \nhe would have been discussing one of his articles in that book. \nBut he has submitted a statement for the record, and we will \ncertainly look forward to reviewing that and hearing \nfrom Mr. O'Hanlon on a later date. In the meantime, of course, \nwe are very grateful for the rest of our panel being here.\n     Our first witness will be Ms. Sally Katzen, faculty member \nof the George Mason School of Law and a senior consultant to \nthe Critical Infrastructure Protection Program at George Mason \nUniversity. We thank you, Ms. Katzen, for being here.\n    Our next witness is Mr. Larry Clinton, president of the \nInternet Security Alliance. We are grateful for you being here \nas well, Mr. Clinton.\n    And our next witness, the last witness is Dr. Larry Gordon, \nErnst & Young Alumni Professor Managerial Accounting \nInformation Assurance at the Robert H. 
Smith School of Business \nat the University of Maryland. Dr. Gordon is also an affiliate \nprofessor with the University of Maryland Institute for \nAdvanced Computer Studies.\n    Mr. Langevin. Again, we want to thank you for being here. \nWithout objection, the witnesses' full statements will be \ninserted into the record. And I now ask each of the witnesses \nto summarize their statement for 5 minutes, beginning with Ms. \nKatzen.\n    And before I turn the floor over to Ms. Katzen, I \nunderstand that it is your anniversary today. Let me take the \nprerogative as Chair to wish you a happy anniversary, and thank \nyou for spending your anniversary with us today.\n    Ms. Katzen. My husband thanks you as well. Thank you.\n    Mr. Langevin. I don't know if that was sincere or not. He \nmay question it as well. Thank you.\n\n STATEMENT OF SALLY KATZEN, GEORGE MASON SCHOOL OF LAW, SENIOR \n CONSULTANT TO THE CRITICAL INFRASTRUCTURE PROTECTION PROGRAM, \n                    GEORGE MASON UNIVERSITY\n\n    Ms. Katzen. Chairman Langevin, Chairman Jackson Lee, \nRanking Members McCaul and Lungren, other distinguished members \nof the subcommittee. My background and qualifications and the \ncredentials of the George Mason Law School CIPP program are set \nforth in the written testimony. Given the lateness of the hour, \nI want to condense my oral comments to the bare essentials.\n    First point. You have heard it before, but it cannot be \noveremphasized. One of the problems that we have had with cyber \nCIPP is that for too long and in too many places, both in the \nprivate sector and in government, the task of identifying and \naddressing cyber CIPP risks has been confined to those in the \nenterprise that own, operate, maintain the computers, the \nservers, the networks. In other words, the IT department. 
But \nviewing cybersecurity as an IT problem with an IT solution \ngreatly understates the problem and misperceives the solution.\n    As we explain in the written testimony, even the best \ntechnical defenses are no better than the physical security and \npersonnel security elements that must accompany them. And not \nonly are these elements typically outside the direction and \ncontrol of the IT department, but also they like the IT \ndepartment typically fall on the operations side of the \nenterprise which generally is not well represented at the \nhighest levels of corporate accountability and governance.\n    Based on the extensive work that the CIPP program at GMU \nhas done, we are impressed with what is called the ERM, the \nEnterprise Risk Management program. The emphasis in ERM is on \nthe enterprise as a whole and raising cyber CIPP issues to the \nhighest corporate level of accountability. And we have got a \nlot of discussion in our written testimony about how it works \nand what it does. I hope you like the cowboy graphic.\n    Second point. Six years and billions of dollars since 9/11, \nhow much progress have we made? Now, the headlines from the GAO \nstudy say 12 of the 17 SSPs have comprehensively addressed the \n30 cybersecurity criteria. We think that may be an overly rosy \nsummary if you look at the individual cyber criteria, plan by \nplan and sector by sector.\n    In the written testimony, we highlight section 6 of the GAO \ncriteria, which speaks to the measures of progress. And in that \nconnection, the representative from GAO in the earlier panel \nsaid, well, we are past the plans. We are now into \nimplementation. Fine. In fact, good. But if you don't have \nquality metrics to establish benchmarks at the outset and over \ntime, how do you measure this implementation? How do you \nevaluate the implementation? 
And we think the verification of \nthat is also essential.\n    To our mind, the problem is the dearth of data, the absence \nof valid information. And I have heard from some that the \nPaperwork Reduction Act is part of the problem. I think it is \npart of the solution. And this is something that we can get \ninto another time, but I think it is really important to focus \non getting good information.\n    Third point. What should we do to improve the situation? We \npropose that the government provide incentives for the private \nsector to do the right thing. To be sure, companies already \nhave lots of incentives in terms of smoother, more efficient \noperations and in terms of marketplace acceptance. There is the \nErnst & Young study which shows the correlation between success \nin risk management and success on Wall Street. But, again, the \nGAO report, and again just looking at the plans, Section 3 \nwhich says incentives--that is where the bottom fell out. Only \nthree sectors have fully addressed incentivizing vulnerability \nassessments.\n    We gave five different carrots for you all to chew on. \nCarrots are good for your diet. They are part of my diet, if I \nget dinner tonight. In any event, many of them are actually \ndiscussed in Mr. Clinton's testimony, and I am going to defer \nto him on virtually all of them but I want to make two \ncomments.\n    I do want to distance myself from his discussion of \nliability limitations, limitations on liabilities for \ncompanies. I disagree with that approach. And, also, the \nreinsurance program at DHS. I don't think it should be a \ngovernment-sponsored reinsurance program. I think he hits the \nnail on the head when he talks about government leading by \nexample and the importance of the government getting its act \ntogether.\n    One of my responsibilities while I was in Federal service \nat OMB was the Y2K experience. Now, that is a very different \norder of magnitude from what we are talking about now. 
But if \nyou think about the Y2K adventure as a mini pilot of how the \ngovernment can face these problems and work within, we had no \nadditional command and control authorities, we had no \nregulatory authorities. We were nonetheless able to work \ncollegially with the groups. We were able, with the various \nsectors, to share best practices, to work through the problems \nthat had to be done on a cooperative basis, and to use trusted \nestablished relationships that already exist between members of \nthe private sector and their State or local regulators or their \nFederal regulators or their colleagues.\n    And the problem, in answer to Chairman Jackson Lee's \nquestion, what do we do? How do we solve, how do we change this \nrelationship? We do not recommend any additional command and \ncontrol authorities. We do not think you should go the \nregulatory route either with respect to making DHS the SSA for \nthe other sectors or with respect to even the sectors that it \nhas.\n    But DHS should not be trying to do it alone. DHS should not \nbe dictating to others to ``do it my way.'' Rather, as we \nexperienced in Y2K, DHS should adroitly use its convening \npowers, take advantage of its opportunities for collaborative \nwork together and collegially work through programs with their \npartners.\n    In our written testimony, we give an even more recent \nexample than Y2K. DOE has done this very successfully on a \nsmaller scale.\n    That is it. Smash the stove pipes, develop metrics, and \ngather quality data, and have the government help in a \nnoncommand and control regulatory way.\n    I look forward to any questions you may have. Thank you so \nmuch.\n    Mr. Langevin. Thank you, Ms. Katzen, for your testimony. \nAnd we enjoyed hearing what you had to say.\n    [The statement of Ms. 
Katzen follows:]\n\n                Prepared Statement of Sally Katzen, Esq\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Langevin. The Chair now recognizes Mr. Clinton for 5 \nminutes. Welcome.\n\n   STATEMENT OF LARRY CLINTON, PRESIDENT, INTERNET SECURITY \n                            ALLIANCE\n\n    Mr. Clinton. Thank you, Mr. Chairman, Mr. McCaul.\n    The Internet Security Alliance believes the threat to our \neconomy, our Nation, and our citizenry from cyber attacks is \nreal and growing. We also believe that government and industry \nmust work much more aggressively to address these threats. We \nare past the time for simple education. Now is the time for \naction.\n    However, for industry and government to create a \nsustainable and effective cyber defense system, we need a \nfundamental rethinking about how we address these issues.\n    First, the Internet is unlike anything we have ever dealt \nwith before and, hence, securing it will require a solution \nunlike anything we have done before. 
In its June 2006 GAO \nreport, they cited the number one challenge to developing a \npublic-private sector partnership for cybersecurity was the \ninnate characteristics of the Internet itself. The Internet is \njust different. It transmits phone calls but it is not a phone \nline. It makes copies but it is not a Xerox machine. It houses \nbooks but it is not a library. It broadcasts images but it is \nnot a TV station. It is critical to our national defense but it is \nnot a military installation.\n    The Internet is international, interactive, constantly \nchanging, constantly under attack. We cannot simply cut and \npaste old governing systems and realistically expect that we \nare going to be able to manage this new system effectively.\n    Even if Congress were to enact an enlightened statute, it \nwould reach only to our national borders and hence would not be \ncomprehensive enough. Even if some agency wrote a brilliant \nregulation, it would probably be out of date before it got \nthrough the entire process.\n    Second. Information security, as Ms. Katzen has pointed \nout, is not a static and merely technical problem. The threats \nto the Net have recently morphed from the broad, benign, and \nwell publicized attacks like Love Bug and Blaster, to designer \nmalware that is constructed to target specific systems where \nit can reside undetected for a long time while causing \nsignificant economic and physical damage.\n    As a result, traditional antivirus software and viral \nsolutions are becoming inadequate. To adequately address the \nmodern threats, we need an ever-evolving system that addresses \nall the vulnerabilities, technical and otherwise.\n    Third, the threat to our infrastructure from cyber attack \nis very, very serious and growing.\n    Two years ago, the Internet Security Alliance reported to \nthis committee that the main protocols that the Internet is \nbased on were over 30 years old and had multiple well-known \nsecurity flaws. 
Since then, the massive growth in Internet use \nbased on these same protocols has increased our vulnerability \nat a massive rate. Moreover, the Internet attacks are no longer \nbased on publicity but now are designed to generate money or, \nmore insidiously, power and destruction.\n    Especially worrisome are cyber attacks that would hijack \nsystems with false information in order to discredit systems \nand do lasting physical damage. At a corporate level, attacks \nof this kind have the potential to create liabilities and \nlosses large enough to bankrupt large companies. At a national \nlevel, attacks directed at our critical infrastructure \nindustries could cause hundreds of billions of dollars worth of \ndamage and thousands of lives.\n    But, fortunately, we know a good deal about how to protect \nourselves. The best evidence of this is that the Internet has \nbeen under attack constantly thousands of times a day and has \nyet to go down. The largest study ever done of best practices \nfound that organizations that follow the approved best \npractices for information security have shown a remarkable \nability to fend off attacks, recover from attacks, and even \ndeter attacks. The problem is, we need more entities to embrace \nthese practices while also working with us to develop new ones.\n    The best mechanism to effectively establish a sustainable \ndefense system is to inject market incentives to motivate the \nadoption of best practices.\n    Unlike some of the conversation at the first panel, markets \ndo not emerge spontaneously. They must be created and managed. \nThat is what we need to do with cybersecurity.\n    In this regard, the Internet Security Alliance has come to \nthe committee with a specific and concrete proposal. 
This \nproposal is detailed more fully in our written testimony, but \nit offers a market-based incentive program to bridge the gap \nbetween the purely voluntary program as outlined in the \nnational strategy to secure cyber space, and a regulatory model \nwhich, A, won't work and, B, would probably be \ncounterproductive.\n    The core elements of the Cyber Safety Act would be for \ngovernment to use its market power instead of its regulatory \npower to promote security primarily through the procurement \npractice. Congress can lead by example, as Ms. Katzen pointed \nout. Congress can tie incentives such as civil liabilities safe \nharbors such as those that are currently provided in the SAFETY \nAct. Congress can stimulate the stunted cyber insurance market, \nand I would be delighted to discuss the specifics of this \nfurther with the committee. And, Congress can create government \nindustry consortiums similar to what we did with the SEMATECH \nto solve our computer chip problem in the 1980s. And, \ngovernment can create awards programs.\n    There are other market-based programs such as the use of \nmodel contracts that we can use to expand the perimeter of \ncybersecurity. But I urge the committee to consider acting, but \nacting in a novel and creative fashion. The old system won't \nwork. A new system must be created. Thank you.\n    [The statement of Mr. Clinton follows:]\n\n                  Prepared Statement of Larry Clinton\n\n    Good Morning, I am Larry Clinton, President & CEO of the Internet \nSecurity Alliance (ISAlliance). I also am a member of the DHS's \nCommunications Sector Coordinating Council, the Critical Infrastructure \nPartnership Advisory Council and serve as an Officer on the IT Sector \nCoordinating Council.\n    ISAlliance is a cross-sector trade association focused exclusively \non information security. We were created in 2001 as a collaboration with \nCarnegie Mellon University. We now have roughly 1,000 member \ncompanies. 
We provide our members with a range of services, including \ntechnical, business operational and public policy. ISAlliance provides \nits members with an integrated series of security services addressing \nthe technical, legal, business and public policy concerns \nsimultaneously.\n    I want to thank the Chairman for inviting me to participate.\n    ISAlliance continues to believe that the threat to our economy, our \nnation, and our citizenry from cyber attacks is real and growing.\n    We also believe that government and industry must work much more \naggressively to address these threats. We are past the time for simple \neducation about the cyber threat. Now is the time for action.\n    However, for industry and government to create a sustainable and \neffective system of cyber defense we need a fundamental re-thinking of \nhow we go about addressing these issues.\n    This rethinking must include at least three critical realizations.\n    First, the Internet is a technology unlike anything we have dealt \nwith before and hence will require a solution unlike what we have \ntraditionally used to address technology and business.\n    We need to change the way government, perhaps including Congress, \nthinks about and conceptualizes its role in assuring Internet security. \nIn its June 2006 report, ``Internet Infrastructure: DHS Faces \nChallenges in Developing a Joint Public/Private Recovery Plan,'' the \nGAO got it right. 
It listed as the number one challenge we face the \n``innate characteristics of the Internet.''\n    How then is the Internet different?\n        <bullet> It transmits phone calls but it is not a phone line.\n        <bullet> It makes copies but it is not a Xerox machine.\n        <bullet> It houses books but it is not a library.\n        <bullet> It broadcasts images but it is not a TV station.\n        <bullet> It is critical to our national defense, but it is not \n        a military installation.\n        <bullet> It is all these things and much, much more.\n    The Internet is international, interactive, constantly changing, \nconstantly under attack, then changes and changes again.\n    It is not even really an ``It.'' It is actually lots of ``Its'' all \nknitted together--some public, some private--all transmitting \ninformation across corporate and national borders without stopping to \npay tolls or check regional sensitivities.\n    We can not simply ``cut and paste'' previous governance systems \nfrom old technologies or business models and realistically expect that \nwe will be able to manage this system effectively.\n    The regulatory model we have traditionally used to govern business \nhas not changed much since we created it to deal with the breakthrough \ntechnology of 2 centuries ago--the railroad.\n    To manage the railroad, Congress decided to create an expert \nagency, the ICC, to pass specific regulations. The ICC begat the rest \nof the alphabet soup: the FCC, the SEC, the FTC. And, that system has \nworked arguably well in most instances.\n    But that system will not work with Internet security. Even if \nCongress were to enact an enlightened statute, it would not have reach \nbeyond our national borders and hence would not be comprehensive \nenough. 
Even if some agency wrote a brilliant regulation, it would \nlikely be out-dated before it got through the process, a process that \ncan be further delayed with court challenges.\n    And that assumes, unrealistically, that the political process \ninherent in a government regulation system doesn't ``dumb-down'' the \neventual regulations so that we wind up with a campaign-finance-style \nstandard where everyone can attest that they met the federal \nregulations, but everyone knows the system is really not working.\n    That may work in politics, but, frankly, we can't afford that when \nit comes to Internet security.\n    Regrettably not enough is being done, either by government or \nindustry, to secure cyber space. We have attempted to manage the risk \nof 21st century technology solely using regulatory models designed two \ncenturies ago. While regulation has its place, a new, more creative, \nmodel built on market incentives must be developed.\n    Yet, we can't stand idly by either. We must, together, develop a \nmechanism to assure an effective and sustainable system of security \nthat will accommodate the global breadth of the Internet and still \nresult in a dynamic and constantly improving system of mutual security.\n    Second, information security is not a static technical problem. \nEven within the past couple of years the threats have become not just \nmore sophisticated, but more subtle.\n    For example, we now know that threats to the net have morphed from \nbroad and often relatively benign, if well publicized, attacks like \nLove Bug and Blaster, to designer malware constructed to target \nspecific systems where it can reside undetected by traditional methods \nfor an indeterminate period of time while causing serious damage.\n    As a result, traditional AV software and firewall solutions are \nbecoming inadequate. 
However, a new generation of security products has \nbeen, and continues to be, developed to address the continually \nevolving threats.\n    To adequately address information security concerns we need to \naddress the full organizational system which relies on information \ninfrastructure.\n    Our members now look to us to provide a comprehensive risk \nmanagement approach that encompasses the full-system approach necessary \nto address the problem. An example is our Enterprise Integration \nProgram which addresses discrete cyber security issues ranging from \npreventing and handling breaches of personal information to securing \nthe IT supply chain in the era of globalization.\n    We address these issues by looking at their technical, business \noperational, human resource, legal and public policy aspects \nsimultaneously and developing an integrated solution. We would commend \nthis fully integrated model to our government partners to consider.\n    Third, the threat to this nation's and the world's economic \ninfrastructure from the risk of cyber-attack is real.\n    Two years ago ISA reported to this Committee that the main protocol \nused to protect this data is over 30 years old and has multiple well-\nknow security flaws.\n    Since then the massive growth in Internet use based on these same \nprotocols has increased the vulnerability of the Internet at a massive \nrate.\n    In addition there are now far more attackers and they have become \nincreasingly more sophisticated. 
Whereas only a few years ago \n``hackers'' created cutely named attacks like the ``love bug'' and \n``slammer'' largely to get attention, the current generation use \nstealth and designer malware that is difficult to detect and in some \ncases virtually impossible to eradicate.\n    Even worse, the motivation for Internet attacks is no longer \npublicity, but money, and more insidiously power and destruction.\n    Especially worrisome are the cyber-attacks that would hijack \nsystems with false information in order to discredit the systems or do \nlasting physical damage. At a corporate level, attacks of this kind \nhave the potential to create liabilities and losses large enough to \nbankrupt most companies. At a national level, attacks of this kind, \ndirected at critical infrastructure industries, have the potential to \ncause hundreds of billions of dollars worth of damage and to cause \nthousands of deaths.\n    Some of the attack scenarios that would produce the most \ndevastating consequences are now being outlined on hacker websites and \nat hacker conventions. The overall patterns of cyber intrusion \ncampaigns suggest that a number of potentially hostile groups and \nnation states are actively acquiring the capability to carry out such \nattacks. Meanwhile, the many ways in which criminal organizations could \nreap huge profits from highly destructive attacks are also now being \nwidely discussed. Forth, there is some good news: We actually know a \ngood deal about how to protect the Internet.\n    The best evidence of this is that although the Internet is under \nattack constantly--thousands of times a day--it has yet to fail. 
The \nowners and operators of the Internet, primarily the major private \nsector players are doing a terrific job managing the defense.\n    Major independent surveys, such as the PricewaterhouseCoopers \n``Global State of Information Security''--the largest study of its \nkind--have indicated that those entities that follow approved best \npractices of information security show a remarkable ability to fend off \nattacks, recover from attacks and even deter attacks.\n    The problem is that as the Internet continues to grow we need more \nentities to embrace these practices and technologies while also working \nwith us to develop new ones.\n    The critical question is: how precisely can we create such a \nsystem, if the models we have used for previous technologies are \ninadequate?\n    The best mechanism to assure an adequate and sustainable defense \nsystem is to inject market incentives to motivate the adoption of best \npractices.\n    That has been the mantra of the Internet Security Alliance, and The \nNational Infrastructure Protection Plan officially embraced the need \nfor a government supported market based incentive program stating that \nthe ``Government can. . 
.[create] an environment that supports \nincentives for companies to voluntarily adopt widely accepted sound \nsecurity practices.''\n    Fifth, there is a concrete proposal for moving forward.\n    The ISAlliance has long campaigned for the development of a \npublicly supported market based incentive program to bridge the gap \nbetween a regulatory and pure volunteer approach.\n    ISAlliance believes that the Federal government should advance \nhomeland security preparedness through reliance on existing published \nstandards and best practices, and defer to the private sector to \ncontinue to invest in and develop appropriate general and industry-\nspecific standards for improved security.\n    Fortunately, there exist a number of paths, most with Congressional \nprecedent, for Congressional action to provide incentives that are in \nthe national interest. Among these paths are:\n        1. Congress can use its market power, instead of its regulatory \n        power by more prominently including security, along with cost \n        into its procurement process.\n        2. Congress can lead by example by fully funding federal agency \n        needs for cyber security and integrating security compliance \n        into personnel evaluations along with other HR criteria\n        3. Congress can tie incentives such as civil liability safe \n        harbors such as those provided in the Safety Act, or provide \n        procurement credits to companies who can demonstrate compliance \n        with market generated best practices for cyber security;\n        4. Congress can stimulate the stunted cyber insurance market by \n        temporarily sharing the risk of a massive cyber-hurricane until \n        the market is sufficiently large to take the risk themselves.\n        5. 
The Congress can create an industry/government/university \n        consortium to stimulate the needed research, development and \n        adoption of security protocols, similar to the Sema-Tech model \n        used in the late 1980s to address the computer chip gap.\n        6. The Government can create awards programs similar to the \n        ``Baldrige Awards'' for quality which eventually became a \n        sought after market differentiator for corporations.\n    Earlier this year the Board of Directors of the Internet Security \nAlliance met and approved an outline for a legislative approach we \noffer for your considerations which we call the ``Cyber-Security Safety \nAct of 2007.'' I spend the balance of my statement further detailing \nour thoughts on how the Saftey Act can be used as a model for improved \ncyber security.\n    We do not come to the Committee with legislative language which we \nare endorsing, but rather with a set of concrete policy proposals we \nurge the Congress to work with us on perfecting.\n    We believe the ``Cyber Safety Act'' offers a coherent approach \nwhich will create specific Federal support for a package of incentives \nthat will affirmatively encourage private sector investment in improved \nsecurity and protection of the Internet. I would like to use the \nremainder of my testimony to outline he specific incentive \nrecommendations and offer a brief analysis in their support:\n        <bullet> Establish a mechanism which will enable companies that \n        adopt standards-based information security programs or best \n        practices to be qualified to receive the specified incentives \n        (``Qualified Companies'').\n        The availability of incentives requires some type of baseline \n        as a criterion to be met for the incentives to be available. 
\n        The ISAlliance has long advocated that private sector standards \n        and best practices are already in place that can be adopted by \n        DHS as a basis for incentives.\n        <bullet> Create, in connection with privacy reform legislation \n        (such as uniform breach notice laws), a Federal limitation of \n        liability for Qualifying Companies that would limit their \n        liability for breaches that occur, notwithstanding their use of \n        standards-based security and best practices.\n    Information security is closely associated with privacy protection. \nMany companies otherwise eligible to be Qualified Companies have large \nvolumes of personal information requiring protection under various \nFederal and state laws. Those companies will not be motivated to move \nforward with their cyber-security investments if they still are exposed \nto liability when breaches occur notwithstanding good security \npractices. As a final piece of the litigation-related incentives, this \nincentive eliminates the inhibitor of continued privacy-related \nliability for Qualifying Companies.\n        <bullet> Establish Federal Acquisition Regulations (FARs) and \n        other legal frameworks through which private sector companies \n        do business with the United States government that:\n                Require the agencies to specify published standards and \n                best practices as required elements for any contract \n                relating to information security, data protection or \n                similar services.\n        <bullet> Qualified Companies should be able to acquire \n        additional cyber-security insurance to cover losses arising \n        from CINS-related catastrophic events, and limit their \n        liability to third-parties to the amount of that insurance. 
        The amount of the insurance acquired must be reasonable in order
        to qualify for the limited liability.
    Many companies defer investments in improved security out of a
concern that, even with improved security, they are not protected from
liability for losses that occur despite the quality of their security
controls. Businesses are encouraged to invest in becoming Qualified
Companies when they are offered the protection that is provided by (a)
assuring the availability of insurance to cover losses from CINS-
related catastrophic events and (b) limiting their liability to the
amount of insurance that has been obtained.
    The principles of limiting liability to encourage improved homeland
security are similar to the structures used to incent new homeland
security technologies under the SAFETY Act which was enacted as part of
the Homeland Security Act of 2002.
        <bullet> To support the preceding insurance market, the Federal
        government should create within DHS a national program for
        temporary, short term reinsurance, through which insurers may
        purchase reinsurance coverage for their exposure to CINS-
        related catastrophic losses under policies issued to Qualified
        Companies.
    Insurance carriers have been reluctant to create a vigorous
marketplace for cybersecurity insurance. The chief reason is that the
insurance companies lack sufficient experience with cyber-terrorism to
effectively evaluate the overall risks in order to determine effective
premium levels, particularly for CINS-related catastrophes.
    The proposed establishment of a reinsurance program provides
underwriting for the insurance companies. In the event losses incurred
by the purchasing insurance carrier are greater than their
reinsurance deductible, the insurer would be entitled to coverage under
the reinsurance agreement with the Federal program. The program
administrator would have the right to increase future reinsurance
premiums as deemed necessary to accomplish a revenue neutral goal. Over
time, the program could be sunsetted as the insurance market gains
experience with cyber-security coverage. This solution is similar to
Federal legislation that enhances the airline transport industry.
        <bullet> Qualified Companies with appropriate insurance will
        also have litigation-related incentives available, excluding
        liability for consequential and punitive damages and limiting
        their liability for non-economic losses.
                Similar to the incentive provided by a limitation on
                losses to the available insurance, the limitation of
                liability for consequential and punitive damages, and
                limited liability for non-economic losses removes a
                serious inhibitor to information security investments--
                i.e., the risk of losses for which responsibility is
                assigned notwithstanding a company's good faith
                investments in adequate information security.
                Eliminating that inhibitor encourages a more secure
                preparedness, company-by-company.
                On many occasions, the Federal government has employed
                its influence as a major purchaser from the private
                sector to encourage companies to develop and implement
                improved business practices. Establishing criteria tied
                to providing services to the government offers new
                market opportunities to Qualified Companies and, in
                doing so, provides strong economic incentives to
                improving their cyber-security.
        <bullet> Establish a ``Baldrige Award'' for information
        security quality and excellence, coordinated with specific
        industry organizations to develop and create awareness of
        information security as a competitive differentiator.
                The Malcolm Baldrige Award by the US Department of
                Commerce has become a cherished recognition of
                excellence in the marketplace. A similar program,
                perhaps recognizing information security excellence
                within industry sectors, will greatly increase
                awareness of the value of information security and its
                function as a competitive differentiator, thereby
                encouraging new investments.
        <bullet> Create and fund an industry/government/university
        consortium to stimulate the needed research, development and
        adoption of security protocols that can, in turn, stimulate
        improved technologies for adoption across the private sector
        and government computer systems.
    In the late 1980's, the Federal government provided matching
funding to create an industry-government cooperative consortium that
collaborated in accelerating solutions to common manufacturing problems
in semi-conductor production (SEMATECH). This successful model
revitalized the U.S. semiconductor industry and continues to generate
industry leadership and innovation long after Federal funding was
voluntarily terminated by the consortium.
    A similar program today will enable government, academia and
industry to work together to replace today's security-poor Internet
protocols with security-rich protocols. Those protocols can enhance the
quality and integrity of the hardware devices, switches and other
components from which the Internet is constructed.

    Mr. Langevin. Thank you, Mr. Clinton.
    Mr. Langevin. And the Chair now recognizes Dr. Gordon to
summarize your statement for 5 minutes. Welcome, Dr. Gordon.

  STATEMENT OF LARRY GORDON, ERNST & YOUNG, ALUMNI PROFESSOR,
 MANAGERIAL ACCOUNTING INFORMATION ASSURANCE, ROBERT H. SMITH
                      SCHOOL OF BUSINESS,

    Mr. Gordon. Chairman Langevin, Chairwoman Jackson Lee.
Thank you very much for inviting me here. My comments are going
to focus on how to improve cybersecurity investments within the
private sector. I am going to concentrate on four points which
are all detailed in my testimony that I wrote up and submitted
already.
    But before I talk about these four points, let me just
mention two things. One is that in the private sector,
efficient allocation of resources is fundamental, and the
reason that is fundamental is because that leads to profits,
and profits lead to increasing the value of the firm. And
increasing the value of the firm is a key concern to all senior
executives in the private sector.
    The second point I want to make is that investments in
cyber computer compete with other investments. And I think that
is also fundamental to keep in mind.
    With that said, let me go to my four points.
The first point I want to make is that the best, the strongest
incentive by far is to have the private sector recognize that it
is in their best interests, in terms of increasing the value of
the firm, to increase investments in cybersecurity.
    There is a well-established process among business people
for looking at efficient allocation of resources. That often is
a concept that falls under the umbrella of what we sometimes
call making the business case. Making the business case is the
notion of using a well-established metric, cost benefit
analysis. There are various models of cost benefit analysis.
And actually looking at alternative investments, rank ordering
them, and then allocating their resources.
    So my first point is that in order to get business people
to invest more in cybersecurity, what you want them to do is to
recognize the importance of efficient allocation of resources
toward cybersecurity investments. In other words, it is an
internal incentive. It is a business incentive.
    Now, one of the problems in this regard is that the people
who are often arguing for cybersecurity investments, the CIOs,
the chief security officers, their training is primarily in
technology, what you might call computer security. And many of
them, at least traditionally, have not been well versed in the
notion of how to make the business case. So let me give you a
little real world story.
    About 5 years ago, I was approached by the chief security
officer for a Fortune 500 company, and he came up to me and
said--he met with me for lunch, and he was all upset because he
met with his CFO for his company and he asked for a $10 million
upgrade to the network, the security of the network for that
company. And the CFO said to him: Where is your business case?
    So when he came to me and we discussed it at lunch, he
said: What's wrong with the CFO? Doesn't he understand the
importance of security? And my immediate reaction was: If I
were the CFO, when you left the room I would probably be
saying, what's wrong with you? Don't you understand the
importance of economics? If I give you $10 million to upgrade
the security, I am essentially taking away from something else.
And the name of the game for the private sector is generating
profits so that what you can do is you can increase the value
of the firm. And when you talk about cybersecurity investments,
it is what we call in capital budgeting a cost savings project.
And what you really want to do when you are in a private sector
is not only save costs, but equally if not more important is
increase revenues. In other words, there are two ways to
increase profits. You can increase revenues, save costs.
    And when you talk about cybersecurity investments, one of
the big problems, this is my second point, is estimating the
benefits which are really cost benefits here, what you are
really talking about is estimating the cost savings. And the
cost savings are particularly tough to estimate for two
reasons. One is a big chunk of the cost savings really come
from, if you have a cybersecurity breach what you have here is
you lose customers and so a big chunk of those cost savings
come from avoiding lost customers. And a second big chunk of
those cost savings come from the notion of potential
liabilities. And these are two very tough things to measure.
And in order to measure them properly, you have got to take
into consideration risks, the risks associated with the breach.
    And there are different notions of risk. There is a well-
established body of literature in economics and finance and in
insurance which has all kinds of metrics for measuring risk.
These metrics have not been well integrated into the
cybersecurity literature. You don't have to go out and discover
new metrics. They are there already. So that is my second
point.
    My third point is that when you talk about cybersecurity,
you have got another unique kind of issue and that is you have
got what we call spillover effects, or in economics we call it
externalities. And these externalities really relate to the
fact that a big chunk of the costs associated with
cybersecurity are private costs, costs associated to a private
company. But also, another large share of these costs we call
social costs. And these social costs, this is where government
incentives become important. These social costs are costs that
are borne by other companies, not the company that is not
practicing cybersecurity.
    And my last point that I want to make relates to the
Sarbanes-Oxley Act, affectionately known as SOX. One of the
things that recent research has shown is that SOX actually has
as a side effect increased the cybersecurity activities of
firms. It was, it seems to me, unintended. Part of SOX requires
that corporations improve their internal control systems. There
is no way an internal control system can be improved if you
don't have strong security. And what has happened since SOX has
gone into effect, research has shown that corporations are
increasing their security activities.
    I would suggest that in respect to all four of these
points, that this committee and the Department of Homeland
Security can do several things to improve cybersecurity
investments. First, my first recommendation would be to set up
some kind of workshops associated with making the business case
for cybersecurity investments. That is the first thing.
    The second thing is that we need more research in looking
at how you actually determine the benefits associated with
cybersecurity investments.
    Third, we need to look at the kinds of incentive plans that
governments set up related to these externalities, these social
costs.
    Now, lots of people talk about tax credits, and that is
certainly one option. Another option, one that I probably think
should be looked at more carefully, is maybe the government
needs to set up tough security standards. Now, you can do this
by regulation, but I would recommend something different. I
might recommend setting up tough security standards, and
alongside of those is basically give preferential treatment on
government contracts to those companies that comply with those
standards. So you are giving them an economic incentive to
comply with those standards.
    And the last point I want to make is I think this committee
and DHS should take a close look at the relation between
cybersecurity activities at firms and the Sarbanes-Oxley Act. I
think what you will find is that a lot of good things are
coming out of that that actually relate to your concern with
improving cybersecurity in the private sector.
    Thank you for giving me this opportunity, and I will be
glad to answer any questions you have related to my comments.
    Mr. Langevin. Thank you, Dr. Gordon, and I thank the panel
for their testimony.
    [The statement of Mr. Gordon follows:]

 Incentives for Improving Cybersecurity in the Private Sector: A Cost-
                          Benefit Perspective

              Prepared Statement of Dr. Lawrence A. Gordon

             (http://www.rhsmith.umd.edu/faculty/lgordon/)

    Thank you for inviting me here today to talk about economic aspects
of improving cybersecurity in the private sector. I commend the members
of the Subcommittee for focusing on this critical and complicated
issue.

Introduction
    My comments today will center on ways of encouraging (i.e.,
providing incentives for) investments that are directed at improving
cybersecurity in profit-oriented organizations operating in the private
sector. However, much of what I have to say would also apply, with some
modifications, to non-profit organizations (in both the private and
public sector). My comments are based on an ongoing stream of research
on ``economic aspects of cyber/information security'' that I (along
with several colleagues) started in 1998. Part of this research has
already been published, as indicated in the reference section at the
end of this testimony.\1\
---------------------------------------------------------------------------
    \1\ Given the limited nature of this testimony, many facets of the
above noted stream of research are not directly addressed in this
document (e.g., cybersecurity risk management).
---------------------------------------------------------------------------
    A key concern among profit-oriented organizations is efficiency.
This concern is usually thought of in terms of facilitating the
generation of profits (i.e., the difference between revenues and costs)
for the owners of an organization, with the ultimate goal being to
increase the value of the organization. Indeed, the most powerful
incentive for an organization in the private sector to invest in
cybersecurity activities is the motivation to increase the
organization's value to its owners. For a publicly traded profit-
oriented corporation, this value proposition is usually (or at least
primarily) thought of in terms of increasing the stockholders' value.
    At the heart of implementing this stockholders' value proposition
is the notion of cost-benefit analysis. ``Cost-benefit analysis
compares the costs of an activity to the benefits of that activity,
thereby focusing attention on the process of efficiently allocating
scarce resources among competing activities. In the context of
cybersecurity, the cost-benefit analysis principle means that managers
need to compare the costs of an additional information security
activity with the benefits derived from that activity'' (Gordon and
Loeb, 2006, p. 20-21). When the benefits exceed the costs, the value of
the organization will increase. Thus, in considering a decision to
increase spending on cybersecurity activities, it is important that the
organization believe that the benefits will exceed the costs.
    A fundamental assumption underlying the above concept of cost-
benefit analysis is the fact that organizations have scarce resources
that need to be allocated to competing activities, including
cybersecurity activities. In other words, cybersecurity activities are
competing with other organizational activities (e.g., new product
development, R&D, merger and acquisition decisions, fringe benefits for
employees, etc.). If an organization invests more in cybersecurity
activities, that means less will be available for other initiatives
(i.e., organizations have finite resources to invest in competing
projects). Accordingly, it is important for profit-oriented
organizations to be able to argue that cybersecurity investments
represent a more efficient allocation of organizational resources (on a
cost-benefit basis) than if such resources were put to an alternative
use (e.g., developing a new product). In the vernacular of business,
this means it is important to be able to ``make the business case'' for
investing in the cybersecurity activities. Generally speaking, there is
a well established process for making the business case for an
investment, including investments in cybersecurity activities. Figure 1
provides a diagram of that process.
    As indicated in Figure 1, making the business case starts with
specifying the cybersecurity objectives for the organization. Next,
various alternative investments for achieving the cybersecurity
objectives need to be identified. Once the alternatives have been
identified, the data associated with each alternative needs to be
specified and analyzed. The next step is to conduct a cost-benefit
analysis and to rank the various investment alternatives, followed by
the allocation of resources to particular cybersecurity
investment(s).\2\ The final step in the business case framework is to
conduct a post-audit of the investment decision (i.e., evaluate the
effectiveness of the cybersecurity investment decision).
---------------------------------------------------------------------------
    \2\ For a detailed explanation on the mathematics underlying cost-
benefit analysis, based on discounted cash flows, see Chapter 2 of
Gordon and Loeb (2006).
---------------------------------------------------------------------------
    Unfortunately, making the business case for cybersecurity
investments is often more difficult than making the business case for
many other investments. There are at least three separate, albeit
related, aspects to this added difficulty. First, the benefits derived
from cybersecurity investments are especially difficult to assess.
Second, the risks associated with cybersecurity investments are also
especially difficult to assess. Third, there are externalities (spill-
over effects) associated with cybersecurity investments. A brief
discussion of each of these concerns is provided below.
    In addition to the benefits, risks and externalities associated
with cybersecurity investments, there are two other items that are
important to any discussion of improving cybersecurity investments in
the private sector. These two additional items concern the total amount
to spend on cybersecurity activities and the Sarbanes-Oxley Act of
2002. A brief discussion of both of these items is also provided below.

Benefits Derived from Cybersecurity Investments
    The first difficulty associated with cybersecurity investments has
to do with identifying and estimating the benefits derived from such
investments. The primary benefits associated with cybersecurity
investments are the future ``cost savings'' derived from the prevention
of losses due to cybersecurity breaches.\3\ However, if breaches were
prevented, the actual losses would not occur and therefore would not be
observable. In fact, the better the security, the less an organization
will observe the losses resulting from cybersecurity breaches. Thus,
organizations need to estimate the potential losses from cybersecurity
breaches in order to estimate the benefits derived from cybersecurity
investments. These estimates can be based on past experiences, where
such experience exists.
---------------------------------------------------------------------------
    \3\ It can also be argued that cybersecurity investments can create
a competitive advantage for an organization, which in turn translates
into potential benefits. Although this argument is correct, such
benefits are generally considered to be secondary in relation to the
potential cost savings from such investments.
---------------------------------------------------------------------------
    A fundamental problem in coming up with estimates of the benefits
derived from cybersecurity investments is that the most important
potential losses are due to unobservable lost customers resulting from
cyber breaches and the potential liabilities associated with cyber
breaches. In fact, as shown in the Campbell et al.
(2003) study, these \ncosts can be staggering.\\4\\ Unfortunately, even when organizations have \ndata upon which to estimate the explicit losses associated with \ndetecting and correcting past breaches, they rarely have data upon \nwhich to estimate the implicit losses associated with lost customers \nand the potential liabilities.\n---------------------------------------------------------------------------\n    \\4\\ The Campbell et al. (2003) study also shows that many \ncybersecurity breaches are not statistically significant, in an \neconomic sense.\n---------------------------------------------------------------------------\n    One way of addressing part of the problem discussed above \nconcerning estimates of the benefits of cybersecurity investments is to \ntake a ``wait-and-see'' approach to such investments. As pointed out in \nthe Gordon, Loeb and Lucyshyn (2003a) study, this wait-and-see approach \nis consistent with the ``real options'' (more specifically, the \n``deferment option'') approach to capital budgeting. Of course, as the \nname suggests, it also means that it is often best to defer certain \ninvestments in cybersecurity due to the problems associated with \nestimating the potential benefits.\n    The fact that the benefits derived from cybersecurity investments \nare essentially ``cost savings'' raises an additional issue not \ndiscussed above. That additional issue has to do with the fact that \nmost corporate executives would prefer to increase profits by \nincreasing revenues rather than by decreasing costs. The reason for \nthis preference is due to the fact that the stock market tends to \nreward the owners of firms for growth as well as efficiency. 
Thus, in \ncompeting for funds, cybersecurity investments have a built-in bias \nagainst them relative to ``revenue generating'' projects.\n\nRisks Associated with Cybersecurity Investments\n    The second difficulty associated with cybersecurity investments \ndeals with the risks (or uncertainty) associated with such \ninvestments.\\5\\ It is important to recognize at the onset that 100% \nsecurity is rarely feasible in a technical sense, and certainly not \ncost-beneficial in an economic sense. Thus, it is important to realize \nthat cybersecurity investments are intended to reduce the risk (i.e., \nprobability) of cybersecurity breaches. However, determining the \nreduction in the probability of a particular breach taking place, let \nalone a string of breaches taking place, as a result of a cyber \ninvestment is extremely difficult to estimate. Nevertheless, in \nestimating the benefits from cybersecurity investments it becomes \nnecessary to associate those benefits with the probability of the \noccurrence of security breaches. In other words, the ``expected'' cost \nsavings (i.e., expected benefits) from cybersecurity investments are \nactually derived by multiplying the potential cyber losses by the \ndifference between the probability of the cybersecurity losses \noccurring prior to the cybersecurity investment and the probability of \nthe cybersecurity losses occurring after the investment.\n---------------------------------------------------------------------------\n    \\5\\ In the early economics literature, a distinction is sometimes \nmade between the terms risk and uncertainty (see Gordon and Loeb, 2006, \np. 96). For purposes of this testimony, no such distinction is made.\n---------------------------------------------------------------------------\n    Not surprisingly, estimating the before and after probabilities \nassociated with cyber losses is more an art than a science. 
Thus, many \nhave argued that the entire process of trying to estimate the expected \nbenefits derived from cybersecurity investments is nothing more than an \nacademic exercise. However, the fact that it is difficult to estimate \nthe risk (uncertainty) associated with cybersecurity breaches should \nnot be used as an excuse for avoiding the determination of such \nestimates.\n    Another aspect of the risk associated with cybersecurity \ninvestments deals with the definition of the term risk. In the \ncybersecurity literature, risk is usually associated with the expected \nloss from security breaches (i.e., the sum of the product of potential \nlosses multiplied by the probability of such losses). The goal of \nreducing the risk of a cybersecurity breach, according to this \ndefinition of risk, is to reduce the expected loss. However, there are \nother important notions of risk that should be of interest to those \nresponsible for allocating cybersecurity investments. For example, \nreducing the variance (i.e., variation) of the potential losses is \nanother valuable facet of risk when discussing cybersecurity \ninvestments.\\6\\ Although beyond the scope of the testimony being \nsubmitted today, it should be noted that one way for an organization to \nreduce the risk associated with cybersecurity breaches is to invest in \ncybersecurity insurance (see Gordon, Loeb and Sohail, 2003).\n---------------------------------------------------------------------------\n    \\6\\ The expected loss and reducing the variance of potential losses \nare only two of the different concepts of risk that could be considered \nin the context of cybersecurity investments. 
For a further discussion \nof various risk concepts applicable to cybersecurity investments, see \nChapter 5 of Gordon and Loeb (2006).\n\nExternalities Associated with Cybersecurity Investments\n    The third difficulty associated with cybersecurity investments \nrelates to the externalities (i.e., spillover effects) associated with \nsuch investments. These spillover effects are largely the result of the \ninherent interconnectivity associated with computer networks. In other \nwords, the security of a computer network--particularly the Internet--\ndepends on the actions of all users of the network. This creates a \nproblem in the following sense. When a firm invests in information \nsecurity activities in an effort to improve its cybersecurity, it bears \nall the costs, but does not reap all the benefits. The larger the share \nof the benefits that accrue to other firms, the smaller the incentive \nfor a firm to increase its investments in cybersecurity activities. \nThis may result in the firm, and hence society, under-investing in \ninformation security. While the government could, in principle, \ncounteract this tendency by creating incentives for information \nsecurity investments (for example, by offering tax credits for such \ninvestments), the government currently does not know the right level of \nincentives to provide.\n    The externalities associated with the Internet have resulted in all \nsorts of efforts to coordinate cybersecurity activities on both a \nnational and international level. The ISACs (Information Sharing \nAnalysis Centers) and the US-CERT (United States Computer Emergency \nResponse Team) are two good examples of efforts to coordinate \ncybersecurity activities. 
Both of these efforts rely heavily on \ninformation sharing related to computer security, with particular \nemphasis placed upon protecting the nation's critical infrastructure.\n    Information sharing has the potential for lowering the cost of \ncybersecurity for each organization involved in such a program. \nUnfortunately, the free-rider problem (i.e., the situation where each \nmember of a group shares a little amount of information, in the hope of \nlearning a lot about the other members of the group), is prevalent \namong information sharing arrangements related to cybersecurity (see \nGordon, Loeb and Lucyshyn, 2003b). Thus, unless economic incentives are \ndevised to offset the free-rider problem, much of the potential benefit \nfrom information sharing organizations will not be realized.\n\nHow much in Total should be Invested in Cybersecurity Activities?\n    The cost-benefit framework discussed above provides a \nstraightforward way of assessing the benefits and costs associated with \nincremental investments in cybersecurity activities. If we assume that \nan organization already has in place some initial level of \ncybersecurity spending, then the total spending on cybersecurity \nactivities would be this initial spending plus the sum of incremental \ninvestments. A more sophisticated approach to deriving the right amount \nto invest in cybersecurity activities is to assume a zero-base starting \nposition for such investments. In its most rigorous form, a \nmathematical model can be developed to derive the optimal amount an \norganization should spend on cybersecurity activities. Although cost-\nbenefit analysis would be embedded within such a model, an optimization \napproach would be a far more sophisticated (in terms of the \nmathematics) approach to deriving the right amount to invest in \ncybersecurity. 
This model should involve specifying security breach \nfunctions, the potential losses associated with security breaches, the \nprobability of such losses, and the productivity of cybersecurity \ninvestments.\n    One model for deriving the optimal amount to invest in \ncybersecurity activities, which has gained wide acceptance among \nacademicians and many practitioners, is referred to as the Gordon-Loeb \nModel. This model is described in the paper by Gordon and Loeb (2002). \nIt must be emphasized, however, that the Gordon-Loeb Model is best \nviewed as a ``framework'' for examining the optimal level of spending \non cybersecurity, rather than as an absolute solution to the \ncybersecurity investment dilemma. Indeed, in the final analysis, \ndetermining the right amount to spend on cybersecurity activities \nrequires sound business judgment (based on experience and knowledge \nrelated to a particular firm and industry), as well as the application \nof sound economic principles. In other words, in the final analysis, \nthere is no silver bullet for deriving the right amount to spend on \ncybersecurity.\n    Since cybersecurity investment decisions are made based on \nexpectations of the future, the likelihood of getting the optimal \nsolution to the investment problem is close to zero. However, it is \nimportant to realize that on average an organization would be better \noff by utilizing sound economic principles in making cybersecurity \ninvestment decisions than ignoring such principles.\n\nSarbanes-Oxley Act has Created an Incentive to Increase Cybersecurity \nActivities\n    The accounting scandals of the late 1990s resulted in the Sarbanes-\nOxley Act (SOX) of 2002. A key aspect of this legislation deals with \nthe internal control requirements of SOX under Section 404. In essence, \nSOX requires firms registered with the U.S. Securities and Exchange \nCommission to develop sound internal control procedures associated with \nfinancial reporting. 
Given the computer-based nature of modern \norganizations, it is generally agreed that sound internal controls \nimply sound information security. Thus, as shown by Gordon, Loeb, \nLucyshyn and Sohail (2006), an indirect result of SOX has been to \ncreate an incentive for firms to increase their information security \nactivities (and by implication, investments). In essence, \nresearch suggests that SOX has created a strong incentive for \norganizations to increase their cybersecurity investments. Although the \nabove claim has not been directly tested, the findings by Gordon, Loeb, \nLucyshyn and Sohail (2006) clearly point to the validity of this \nclaim.\n\nSummary and Recommendations\n    The above discussion highlights several key aspects of investments \ndirected at improving cybersecurity within profit-oriented \norganizations operating within the private sector. These aspects can be \nsummarized in terms of the following five points.\n        1. The most powerful incentive for an organization in the \n        private sector to invest in cybersecurity activities is the \n        motivation to increase the organization's value to its owners. \n        At the heart of implementing this value proposition is the \n        concept of cost-benefit analysis, which falls under the \n        umbrella of ``making the business case'' for cybersecurity \n        investments. The idea of deriving an optimal level of \n        investment in cybersecurity activities is closely associated \n        with this cost-benefit concept. Unfortunately, many (if not \n        most) CIOs (Chief Information Officers) and CSOs (Chief \n        Security Officers) are not well versed in the economic \n        underpinnings of cost-benefit analysis. Accordingly, it is \n        often difficult for those responsible for cybersecurity \n        activities within a firm to make a cogent argument for \n        increasing the firm's spending on such activities. 
Remember, an \n        increase in spending on cybersecurity activities generally \n        means that less is available for spending on other initiatives \n        (including revenue generating initiatives) within the \n        organization. Thus, my recommendation is for this Subcommittee \n        to initiate an effort to establish training sessions for CIOs \n        and CSOs on how to apply cost-benefit analysis to cybersecurity \n        investment decisions. The development of these sessions could \n        fall under the auspices of the Department of Homeland Security. \n        In my opinion, such training would go a long way toward \n        improving the allocation of private sector resources toward \n        cybersecurity activities.\n\n        2. A fundamental problem in coming up with estimates of the \n        benefits from cybersecurity investments is that the most \n        important potential losses are due to unobservable lost \n        customers resulting from cyber breaches and potential \n        liabilities associated with cyber breaches. Until organizations \n        feel more comfortable with their estimates of the benefits from \n        cybersecurity investments, it is unlikely they will make the \n        necessary commitment to such investments. In other words, the \n        tendency will be to treat cybersecurity investments as a \n        necessary evil rather than sound economic investments. Thus, my \n        recommendation is for this Subcommittee to encourage, under the \n        auspices of the Department of Homeland Security, additional \n        research related to estimating the benefits of cybersecurity \n        investments.\n\n        3. The fact that it is difficult to estimate the risks \n        associated with cybersecurity breaches should not be used as an \n        excuse for avoiding the determination of such estimates. The \n        risks associated with cybersecurity are difficult to estimate. 
\n        As a result, many view the process of deriving the ``expected \n        benefits'' from cybersecurity investments as merely an academic \n        exercise. However, there is an extensive body of existing \n        literature on risk that has direct bearing upon cybersecurity \n        investments. To date, this literature on risk has not been well \n        integrated into the cybersecurity literature. Thus, my \n        recommendation is that the cost-benefit analysis training \n        sessions suggested in the first point above should include \n        coverage of this literature on risk.\n\n        4. The inherent interconnectivity associated with computer \n        networks creates externalities (spillover effects). These \n        externalities revolve around issues related to welfare \n        economics (i.e., a branch of economics associated with \n        improving the welfare of an entire society or economic system, \n        usually based on such principles as the efficiency of resource \n        allocations and equitable income distribution to individuals). \n        Since it is difficult to get organizations to incorporate these \n        externalities into their decisions regarding cybersecurity \n        investments, the development of exogenous government incentives \n        may be appropriate. Thus, my recommendation is for this \n        Subcommittee to encourage research directed at examining the \n        appropriateness of developing incentives to address these \n        externalities.\n\n        5. Research suggests that the Sarbanes-Oxley Act of 2002 has \n        created a strong incentive for organizations to increase their \n        cybersecurity activities. 
The fact that there is preliminary \n        evidence that SOX has created a strong incentive for \n        organizations to increase their cybersecurity activities, and \n        by implication their spending on such activities, is worth \n        exploring in greater depth. Indeed, assuming these preliminary \n        findings are correct, there may be ways for the Department of \n        Homeland Security to capitalize on this development. Thus, my \n        recommendation is for this Subcommittee to facilitate further \n        exploration of this SOX-cybersecurity relation.\n\n    Mr. Langevin. I now recognize myself for 5 minutes. And \nlet me begin with you briefly, Dr. Gordon, on your point that \none of the primary goals of a firm is to increase the asset \nvalue of the firm. But what about protecting the asset value of \nthe firm? And why is it that that isn't more readily apparent \nas a need, in a sense a primary goal of doing business, right \nalong with increasing value at the firm?\n    Mr. Gordon. I think both of those actually address the \nissue of increasing value, but I would put it in a slightly \ndifferent context. I would say that in the capital budgeting \nliterature, we talk about generic areas of capital investments. \nOne is revenue generating products, new product development, \nmergers and acquisitions. Another one would be what we call \ncost savings projects. Cybersecurity investments fall under \nthat category. The third category is what we often call must-do \nprojects.\n    So the way I would answer your question is to say that when \nyou get to these cost savings projects, it is much tougher. And \nwhen you get to cybersecurity investments they are the \ntoughest. And the reason they are the toughest, it is much \ntougher to actually observe the benefits. 
And the reason for \nthat is if you do the job right, then you have avoided those \nbreaches, you have avoided those catastrophes, and you don't \nreally see what you would have incurred as a cost.\n    So that is why they are particularly tough. And that is \nwhy, when you talk about protecting assets in that sense, it is \na different kind of project. It is not that they don't add \nvalue to the firm. They do. It is just often harder for \nmanagers to figure out how to quantify it.\n    I am a big believer in that you should try to--you know, \nwhat you measure is what you get. You need metrics. And after \nyou come up with these, I look at these metrics as a framework. \nOnce you get those, then of course you have got to bring in \ngood business judgment, nonfinancial concerns, nonquantitative \nconcerns. But there is a well established process for doing \nthat. So what you have to do is go through and estimate these \nbenefits.\n    Mr. Langevin. You have each had the opportunity to hear \neach other's testimony. Let me just go down the line and ask, \nwas there anything that you heard in the other testimony of \nyour fellow panel members right now that struck you that you \nhighly agree with or strongly disagree with?\n    Ms. Katzen. On the basis of both the oral statements and \nthe written testimony which I had read, I think we are in \nviolent agreement. We all seem to believe and advocate that \nnecessity for getting good metrics, good data, good research; \nthat the government should not be regulating; that one size \ndoes not fit all; that it is not an IT problem, that it is an \nenterprise-wide problem. That there are business cases \ninvolved, and that there should be market-based incentives, \nwith the government holding out some additional incentives to \nbring the companies to the table. And I don't hear very much \ndifference among us.\n    Mr. Clinton. I would have to agree with Ms. Katzen. 
I am \nstruck very pleasantly by the degree of agreement with regard \nto what is the best way forward for Congress. And it is for \nCongress to act, but for Congress to act in a novel fashion.\n    Professor Gordon's testimony, which I think is probably \npretty difficult to summarize orally, although I think he did a \nwonderful job with it, goes into really good detail on why it \nis very, very difficult for real corporations to justify the \nsort of extraordinary expenses that we would like to have them \nmake for security that goes beyond their corporate borders. \nThat is just not going to happen.\n    For about 6 years, we have been hearing rhetoric from DHS \nand others saying, well, gee, if industry would only get it and \nrealize the value proposition is there for them to protect \ntheir own resources, then that would take care of it. That has \nnot happened. The amount of spending has not increased \ndramatically. It is not going to increase dramatically unless \nwe develop a market for this. Now, that is an unhappy solution, \nbut I don't see how we can come to any other realistic \nsolution. There are a range of things.\n    One of the things we haven't talked about here is that \nvirtually all of the ideas, and again most of us have \narticulated pretty much the same ideas, use procurement better, \nuse awards programs. You know, based on standards. You know, \nmost of the standards are already there in the private sector. \nWe already know a lot about how to do this. We are under attack \nthousands of times a day. We are preventing lots of them. We \njust need more people to adopt these things.\n    So we don't need the government to come in and provide \nstandards. We don't need the government to come in and regulate \nthese things. We need the government to come in and provide \nincentives. 
And the sort of incentives that I have articulated \nin my testimony are incentives that have already been used in \nagriculture, in aviation, in the environmental sphere, in \nground transportation, in tax law. The government has done this \nstuff before, they have just not applied it to cybersecurity. \nAnd that is what I would argue, is that if we would take the \nprecedent that we have found in other sectors of the economy \nand the standards that have already been proven effective in \nmitigating the attacks that we are having every day, that is \nthe payoff forward for improved cybersecurity, which is in the \nnational interest.\n    Mr. Gordon. In general, I would agree with what my \ncolleagues have to say here, although--and I hate to put an end \nto the love fest, but I see a different focus. And let me tell \nyou the focus.\n    First of all, market-based incentives, they already exist. \nThe clearest market-based incentive is to get firms to realize \nit is in their best interest in terms of cost efficiency to \ninvest more in cybersecurity investments.\n    And the other point I would make is, so it is not that we \ndisagree, but I am saying the focus to me is it is already out \nthere. We have got to get firms to understand how to use that \nbetter, and I think that is something your committee could \ncertainly facilitate.\n    The other point I want to mention is that I thought the \npoint mentioned about Enterprise Risk Management, ERM, was \nreally a good one. And so I appreciate the fact that it was \nmentioned. However, having done a lot of work in that area, let \nme tell you the problem with ERM. ERM comes from COSO, the \nCommittee on Sponsoring Organization from the accounting \norganizations. And COSO talks about ERM in four categories. \nThey talk about operations, they talk about financial \nreporting, they talk about compliance and strategy.\n    What they don't do is give you a metric for measuring it. 
\nAnd if you go and read this ERM literature, what you will find \nis and you need, in my opinion, is if you need a metric for \nmeasuring it. In fact, I have got a Ph.D. student who just \nfinished up a dissertation working on this very topic. And when \nhe came to me and wanted to do something on ERM, the first \nthing I said to him is, you realize you are going to have to \ncome up with a metric. What we need is some kind of a metric \nfor measuring have we improved it.\n    So it is not that I would disagree. I would just say the \nfocus has to be on developing a metric for ERM. And so I don't \nthink we disagree. It is just a question of focus. I tend to be \nmore focused on the quantitative metrics.\n    Mr. Langevin. My question for Mr. Clinton is, isn't it the \ncase, though, that firms in the private sector when, in a sense \ncreating standards, that they tend to create substandard \nstandards?\n    Mr. Clinton. No. I am not aware of any evidence of that. In \nmy testimony, I cite the largest study that has been done on \ninformation security which, independent study, \nPriceWaterhouseCoopers study. And they found that the \ncompanies, the best practices group, the group they classified \nas following these things, were able to mitigate against \nattacks better, didn't lose money like others did, and, in \nfact, could deter tax.\n    It is, as Professor Gordon has just alluded, companies do \nwant to protect their own cyber systems. But the Internet \ntranscends those cyber systems. If you read the discussion of \nexternalities that is in Professor Gordon's testimony, I think \nhe makes a really good argument here. Basically, what we need \nis for corporations that go to their own corporate borders for \ntheir own self-interests, to provide security that goes to the \nentire system. And that is--it is important to remember, there \nis no private sector. There is no thing that is the private \nsector. 
The private sector is thousands and thousands of \ndifferent companies, with different goals, technologies, et \ncetera. We have to get all these guys to cooperate. They do \ncooperate. They set standards all the time to make sure their \nsystems are interoperable, so that they can generate more \ninvestment, have cooperative engagements, et cetera, et cetera.\n    There is plenty of reason for them to set good standards. \nAnd the research indicates that when they follow those \nstandards and best practices, we do have demonstrable \nimprovements in cybersecurity. I am not going to say it is 100 \npercent, because the threat, as I also pointed out, continually \nevolves. So we need to continue to work on it.\n    But the evidence that I am aware of, with all respect, Mr. \nChairman, is the opposite. Is that rather industry set \nstandards adequate to meet their needs, and then attempts to \nmeet those standards.\n    Moreover, one last point. One of the projects that we are \ninvolved in at the Internet Security Alliance is to develop \nmodel contracts around those standards, so that the really good \nplayers like Verizon who testified on the first panel--and they \nare doing a great job. They are just doing as good a job as you \ncan do, I think, from what I can see. What they want to do and \nwhat we are working with them to do is to take their system and \nwrite contracts for their vendors, their suppliers, their \ncustomers, that include in those contracts compliance with the \nhigh-level security systems that Verizon is already having, so \nthat we are using contracts to expand the perimeter of security \nrather than using regulation. And those contracts are much \neasier to update, keep up with the technology, keep up with the \nevolving threat, than going through a regulatory model which \ntakes years. And, frankly, I think it is the regulatory model. \nYou get a bunch of lobbyists coming in, they will dumb it down \nfor you.\n    Mr. Langevin. 
My concern is that the private sector would \ntend to skimp or to underestimate risk. We heard testimony last \nweek on the electric grid, where the industry ostensibly self \nregulates through NERC that makes recommendations to FERC about \nthe type of regulations that should be put in place. Yet, \nclearly the self regulation process in that instance doesn't \nquite go far enough. And I believe that a model similar to the \nNuclear Regulatory Commission is stronger where they have the \nability to come in and direct, as opposed to just allowing \nindustry to kind of self-advise, self-regulate.\n    Mr. Clinton. If I could respond quickly to the chairman. \nAnd I apologize for taking too much time. I wouldn't classify \nmyself as an expert in that particular sector. I frankly don't \nhave any members in that particular sector. We are a cross-\nsector organization.\n    My sense would be that that is the sort of thing that we \ncould work with. I can tell you that there are standards that \nhave been shown to work. I am unfamiliar with the standards \nthat they have. It would seem to me that the government, \nparticularly in a regulated sector such as the one you are \ndescribing, certainly can use that.\n    But let me point out something that was not pointed out in \nthe first panel, which is when GAO did their study, they found \nthat the number one sector that had done the best job was \ncompletely unregulated, the IT sector. The banking sector, \nwhich is heavily regulated, did among the worst jobs.\n    So I don't think that there is a one-to-one correspondence \nhere with respect to regulated/unregulated in terms of doing a \ngood job in this area. I think what we need to do is find a set \nof standards that we would agree on meet certain metrics. No \ndisagreement on that. And then find ways to get more companies \nto do that. But you have got to do it in a way so that you can \nkeep up with the threat.\n    Ms. Katzen. If I could. 
What I hear, though, is almost so \nobvious, that this is not easy on the ERM. There are lots of \nERM models, and they have to be adapted in different ways. Cost \nbenefit analysis, I have spent the last 10 years of my \nprofessional life of doing cost benefit analysis. It is not \neasy. There are ways of doing it and there is literature out \nthere and it has to work.\n    The problem is the diversity of the corporate models, the \ndiversity of corporate awareness, the differences in technical \ncapabilities. You are not dealing with the monolithic world. \nSomeone said there is no private sector, there is lots of \ncomponents of a private sector. And this decentralized nature \ncan be very offputting or frustrating.\n    But if you can't fix it, flaunt it. Use it. And that means \ndon't look for a silver bullet. Don't look for a one-size-fits-\nall. Don't look for the perfect thing that would work in one \nsector to be applied in another, but apply sort of what comes \nnaturally to each sector.\n    Thank you.\n    Mr. Langevin. Thank you. The Chair now recognizes the \nranking member.\n    Mr. McCaul. Thank you, Mr. Chairman. I appreciate \neverybody's patience. It is getting late, and we have got an \nanniversary, we have trick-or-treaters tonight. We convened at \n2:30. It has been 4 hours. I would like to get more input in \nwriting, if that would be acceptable. It is just getting a \nlittle late and I have got to run on to another obligation.\n    But what I am hearing is, and tell me if I am wrong. It \nsounds like, nobody here is advocating regulatory reform, but, \nrather, market-based incentives. Is that correct? Is that a \nfair statement, from all three?\n    Mr. Gordon. I think there is something in between. And the \nsomething in between is you can have government incentives, \nwhich is not necessarily regulatory in nature. For example, you \ncould go to NIST and ask NIST to set up the standards for you \nfor security, and you can reward companies. 
Companies that are \nfollowing those standards, you might give them preferential \ntreatment with government contracts. I don't view that as \nregulation, but that is not straightforward market reform.\n    Mr. McCaul. Sort of the novel, Mr. Clinton, where you are \ntalking about the novel creative approach would be to look at \nthis through the government contracting process, to provide \nincentives through that process?\n    Mr. Clinton. That is one way absolutely. Yes.\n    Mr. McCaul. What are some other market-based initiatives or \nincentives that can be used without regulation?\n    Ms. Katzen. One of the ones that we talk about, and I think \nMr. Clinton does as well, is a recognition and reward program \nmodeled on the Energy Star, which we use to increase energy \nefficiency; and, have a Cyber Star program where there would be \nrecognition if you set the bar high enough and you require them \nto keep increasing their security.\n    Another of the workshops that I think we are all talking \nabout, whether it is to educate for how to use or do a risk \nassessment or whether you are talking about how to use ERM, we \nare all talking about providing additional information. Not \ntrying to hoard it, but to share it. And I think those kinds of \nincentives, whether the government picks up the cost of \nFederally-sponsored programs or gives tax credits for it are \nthings that each of us have talked about in different ways, but \nsomehow uses the Federal support for information sharing.\n    Those are just two ideas that I think all three of us have \nsigned onto one way or the other.\n    Mr. Clinton. Briefly, Mr. McCaul. In addition to what has \nbeen said, there are a number of things that can be done with \ninsurance. Insurance is one of the strongest motivators that we \nuse in health care, you know, good driving, et cetera, cetera, \nand there are a whole range of things that could be done with \nrespect to insurance. 
As we have mentioned procurement, there \nare awards programs like the Baldrige Award. Make security a \nmarket differentiator, publicize that. There are creative \nconsortiums like the Sema-Tech program that we did back in the \n1980s. There are the contract systems that we use. As I said, \nthere is at least a half dozen.\n    And I don't advocate tax incentives. I think the tax \nincentives would probably be a good idea, but IS Alliance lives \nin the world. We don't imagine that we are going to get tax \nrelief for large corporations for security, even though I think \nit is a good idea. Politically, it probably isn't going to fly. \nBut these other things ought to fly. We have done them, as I \nsaid, in a variety of other sectors. They passed. We really \nwant to work with you on this.\n    Mr. McCaul. We have a Sema-Tech in Austin and that is a \ngreat model.\n    Just in the interest of time, because it is getting late. \nTo the extent you can provide us additional information on what \nwe can do at this level, what congressional action would be \nhelpful to facilitate these incentives you are referring to; \nwhether it be the contracting, whether it be the insurance, the \ninformation sharing? All these are great ideas that the \nchairman and I can look at in terms of crafting legislation \nthat wouldn't be overburdensome in terms of regulating, but \nrather facilitating.\n    Mr. Clinton. We have a good deal of material, Mr. McCaul, \nand we would be happy to share that with you and the Chairman \nand the rest of the committee and discuss it in greater detail \nat your convenience.\n    Mr. McCaul. I certainly appreciate that. Thank you.\n    Mr. Langevin. And I agree. I look forward to seeing your \nrecommendations as well.\n    The Chair now recognizes the chairwoman of the \nTransportation Subcommittee, Ms. Sheila Jackson Lee.\n    Ms. Jackson Lee. Thank you very much, Mr. Chairman. 
To your \nranking member, to my ranking member, and to the staying power \nof the witnesses, let me thank you for accepting our invitation \nto become fixtures in this place. But you are doing it well and \nwe thank you very much.\n    Allow me to, I held up this large document that is the \nNational Infrastructure Protection Plan. Let me just read into \nthe record some language.\n    Protection includes actions to mitigate the overall risk to \nthe critical infrastructure and key resources assets, systems, \nnetworks, functions, or their interconnecting links resulting \nfrom exposure, injury, destruction, incapacitation or \nexploitation in the context of the National Infrastructure \nProtection Plan. This includes actions to deter the threat, \nmitigate vulnerabilities, or minimize consequences associated \nwith a terrorist attack or other incident.\n    And so we have our marching orders through this plan. And \nyou are giving us sort of the wide perspective of the private \nsector. Can I get sort of a sentence answer from all of you, \nthough this is cybersecurity? You heard individuals \nrepresenting telecommunications and financial services on the \nfirst panel.\n    Do you believe that, overall, the private sector has been \nengaged in actions to mitigate the risk to these assets systems \nand networks? And do you think there have been sufficient \nincentives for them to do that? And as we do that, I will ask \nmy next question of what more once I hear where you are on that \nquestion. Ms. Katzen. And welcome.\n    Ms. Katzen. Thank you. It is very good to see you.\n    Ms. Jackson Lee. It is good to see you. Put that on the \nrecord.\n    Ms. Katzen. Thank you.\n    It is hard to know how much action has been taken because \nwe have yet to develop meaningful quality metrics to measure. \nBut one of the problems with the NIPP, the plan, is that it \ncalls for information from the private sector, but you don't \nknow what you are measuring against. 
We don't have benchmarks, \nwe don't have metrics by which to make progress.\n    I think a lot of work is being done. And much of it must be \nproductive, but I am not able to sit here and tell you that it \nis or it isn't as long as we have a lack of a real partnership. \nAnd this is what I was trying to say earlier. DHS has got to \nwork in a public-private partnership, public-public partnership \nin a way that is respectful and exploits the trusted \nrelationships that exist, and that provides the--and I will go \nback to the incentives--provides incentives for the private \nsector to do the right thing. Right now, I think they are more \nin a ``do it my way'' or dictate to the SSAs as or the private \nsector what they should do, and I don't think that is as \nproductive.\n    Ms. Jackson Lee. Mr. Clinton.\n    Mr. Clinton. Thank you, Madam Chairman. I would say, first \nof all, with regard to your first question, is the private \nsector engaged? Yes, many people in the private sector are; \nhowever, not nearly enough.\n    I participate on a number of these organizations. The \noutreach to the breadth of U.S. industry is, in my opinion, \nwoefully inadequate. We need----\n    Ms. Jackson Lee. When you say breadth, you are going beyond \neven the cybersecurity?\n    Mr. Clinton. No, Ms. Jackson Lee. I am speaking within the \ncontext of cybersecurity. Frankly, I think that probably would \nbe true beyond cybersecurity. We are not reaching enough people \nwith respect to being involved in these various plans.\n    Ms. Jackson Lee. DHS is not reaching enough people?\n    Mr. Clinton. Yes. And with respect to do they need more \nincentives, I am afraid the answer is yes. Now, certainly, as \nDr. Gordon has pointed out, there are incentives. Lots of \npeople are doing a lot of good things. That best practices \ngroup I was referring to before that was found in the \nPriceWaterhouseCoopers found about 30 percent of corporations, \nmany of the larger corporations. 
That is a lot of people, but \nthat means 70 percent are not being reached. And when we deal \nwith the Internet, the weakest link is the problem. So that if \nwe have the small businesses or the commercial sectors not \nbeing engaged at all, they are intertwined with everybody else \nand they can help bring down the whole system. We need a much \nmore expansive effort. And the only motivator that is going to \nbe dynamic enough to work is the profit motive. We have to \ninject that in.\n    And you have got to remember, as somebody else pointed out \nbefore, it is not just a U.S. problem. The Internet is \ninherently international. So we need to reach out to the Indias \nand the Chinas and everybody else. We have to have some sort of \nsystem that is going to transcend that, and market incentives \nis the most logical one, which is why I think the three of us \nindependently came to that conclusion.\n    Ms. Jackson Lee. Mr. Gordon.\n    Mr. Gordon. I would say that the private sector is clearly \nengaged. Clear evidence of that is the growing importance of \nsetting up a chief security officer apart from the chief \ninformation officer within a company. You have now most of your \nmajor corporations have someone in charge of security who may \nreport to the chief information officer or may even report \ndirectly to CFO.\n    Are they doing enough? That is a tough one to answer, \nbecause in order to answer that one, you have got to really \nunderstand where they are and where they want to be. I can only \ngive you my own experience, is I get contacted by at least one \nsenior executive a week. And one of the biggest issues from a \nchief security officer's point of view is they want more \nsecurity, okay, because not only is the company their concern \nbut their job is their concern.\n    So they have the option, they have an incentive. There is \nan agency problem; that is what we call it in economics. They \nhave an incentive to overinvest. 
But the biggest problem they \nface is getting more funds out of the CFO for cybersecurity \ninvestments.\n    So a little side note here is if you take a look at what \ncompanies invest, all the studies tend to show that companies \ninvest somewhere around 5 to 7 percent of their IT budget on \nsecurity. And the interesting thing about that is that security \nis becoming one of the fastest growing concerns, and the \npercentage of the budget for security is not growing. So that \nwould suggest to me that they are not getting the share they \nshould be getting. It suggests that to me; but without having \nthe deed on particular companies, and I am sure it varies from \ncompany to company.\n    Ms. Jackson Lee. My questions are never quick, but I am \ngoing to try to offer two more quick questions recognizing your \ntime and the lateness of the hour. But what I would ask without \nhaving that answered, I would like to get from the witnesses \nyour list of incentives that can be utilized more effectively \nthrough DHS. And I would like that in writing. But let me try \nto get Mr. Clinton, and then I have a question for Ms. Katzen \nand Mr. Gordon.\n    You never were a fan in particular for the approach dealing \nwith a regulatory scheme, if you will, I don't think. You were \nsort of interested in trying to, as you said, get DHS to be \nmore enthusiastic on this best practices area. I am still \nlooking at whether or not this should be a totally voluntary \napproach with incentives, or whether or not we need some \nregulatory structure, which I have heard my colleagues say and \nI too am looking at legislation along that line. 
I obviously \nhave an array of infrastructure issues to look at.\n    But what I would like to know is what has been your \nassociation in terms of being involved with DHS to promote the \nbest practices so that they are more broadly adopted across the \nIT sector through this program.\n    Have you been able to engage with DHS to talk about best \npractices? And I am just saying you in particular because you \nrepresent a component of the industry that I think is \nimportant. And, isn't this program a great way to encourage \nmore effective cross-sector cybersecurity protection? Meaning \nthis whole best practices. Have you been engaged in particular?\n    Let me ask my other question to both Ms. Katzen and Mr. \nGordon. I think cybersecurity gives value to companies. And it \nwould look like that would be one of the industry incentives \nthat, if my investors knew that I was managing my risk, that \nthat would make my product more valuable. Question is, does \nWall Street give value to cybersecurity so that companies then \nare self-rewarded for what they have done? And, in essence, \ndoes the government? Have they narrowed the rewards to even \nthat way? Cybersecurity, more valuable, protect the America's \nassets?\n    I will go to Mr. Clinton first on this whole best practices \nand interacting with the DHS.\n    Mr. Clinton. Thank you, Ms. Jackson Lee. Yes. I, speaking \nas the Internet Security Alliance, am very involved.\n    Ms. Jackson Lee. Is that the name of the program, so you \nwill at least be--I will put it on the record. The Voluntary \nPrivate Sector Preparedness Certification Program.\n    Mr. Clinton. Well, the Internet Security Alliance is very, \nvery involved in developing best practices and finding \nincentives for our Members to use them. We do have an insurance \nincentive program with the largest insurance provider of cyber \ninsurance for our best practices. We publish best practices \nbasically once every year. 
We talked earlier about the model \ncontracts that we provide.\n    So we do on the private sector side a great deal with \nrespect to developing best practices, providing incentives for \nbest practices, et cetera. With respect to, is DHS the mode for \nthat? I would have to tell you that we have not really found \nvery much grounding in working with DHS in that regard.\n    Most of the improvements in cybersecurity that I am aware \nof happen by the private sector doing things through the \nprivate sector, not through DHS. Maybe that will change as DHS \nmatures. But to this point, I would have to tell you that none \nof my members would say that they are doing anything to improve \ntheir security thanks to DHS. They are doing it for other \nreasons; some are for social, some are business, for a variety \nof other things.\n    But our view is that the infrastructure is owned and \noperated by the private sector. You have to work with the \nprivate sector to get it strengthened. When you strengthen that \ninfrastructure, you are also fulfilling an important homeland \nsecurity and national security function. But you do it through \nprivate sector. Going through DHS, I think you are really \ntrying to stick a square peg in a round hole, and I think it is \ngoing to be counterproductive.\n    Ms. Katzen. On the issue of both market value and Wall \nStreet, and it is referred to in my testimony, the Ernst & \nYoung study, which shows a very strong correlation between \nsuccess in managing risks and success on Wall Street, and that \ninvestors do appreciate that. So I think there are data there \nthat support that.\n    Mr. Gordon. I would agree with that. Actually, if you take \na look at my written testimony, I discuss this notion of what \nyou call value added as opposed to cost savings from \ncybersecurity investments. 
It is usually thought of as sort of \na secondary effect, but in the short run firms certainly can \ncarve out a niche for themselves, a competitive advantage of \nshowing they have more security than another firm. In the long \nrun, it will be hard to keep that competitive advantage. I do \ndiscuss that point in my written testimony.\n    Ms. Jackson Lee. Thank you very much to all of the \nwitnesses. And, Mr. Chairman, it has been a pleasure to be able \nto unveil and to pull back the covers on what has either been \nhappening or not been happening with DHS. And I think that \nthere are some roads not yet traveled that we can work on, in \nparticular public-public, public-private relationships and \nincentives rewards.\n    Mr. Clinton, I don't want to leave DHS completely out and I \nam not convinced that they should be completely out or not, \nthat they not be a regulatory structure. But I do believe that \nthere should be rewards that you are aware of that are given \nthrough DHS, and apparently we have not established that \nstructure yet.\n    Mr. Clinton. I would agree with that, Ms. Jackson.\n    Ms. Jackson Lee. And so, let me just thank Chairman \nLangevin. I look forward that we have an opportunity to work \nagain together on this issue. And I yield back.\n    Thank you all for your testimony.\n    Mr. Langevin. Thank you, Madam Chair. Let me just say how \nmuch I appreciate your participation in this joint hearing, as \nwell as Ranking Member Lungren. This was very productive, and \nsome great things came out of it. I look forward to our \ncontinuing to work together.\n    I also, of course, want to thank the panelists for your \npatience, for your testimony. 
You have added great insight into \nthe work that we have ahead of us and perhaps a road map of \nwhat we need to do to better coordinate this effort of \ncybersecurity and working together with the public and the \nprivate sector.\n    So I thank you for your testimony and the members for their \nquestions.\n    The members of the subcommittee may have additional \nquestions for the witnesses, and we would ask that you respond \nexpeditiously in writing to those questions.\n    Hearing no further business--again, happy anniversary to \nyou, Ms. Katzen. I hope you get home soon. And sorry for the \nlateness of the hour, but certainly an important issue.\n    Hearing no further----\n    Ms. Jackson Lee. Happy anniversary.\n    Mr. Chairman, would you allow a moment of personal \nprivilege?\n    Mr. Langevin. Certainly.\n    Ms. Jackson Lee. Professor Katzen goes back with my \ncombined family.\n    My spouse, Dr. Elwyn Lee, he sends his greetings.\n    Ms. Katzen. Thank you.\n    Ms. Jackson Lee. And you allowed me a moment of \nreminiscing, and she is as young and vibrant. And I am \napologetic. Go home for that anniversary, please. And greetings \nfrom myself and my husband. Congratulations.\n    I thank you for giving me a moment of personal privilege.\n    Mr. Langevin. Certainly.\n    Ms. Jackson Lee. The check is on Chairman Langevin, so do \nwhatever you want to do tonight.\n    [Laughter.]\n    Mr. Langevin. On that note, hearing no further business, \nthe subcommittee stands adjourned. Thank you.\n    [Whereupon, at 6:53 p.m., the subcommittee was adjourned.]\n\n                             For the Record\n\n                 Prepared Statement of Michael O'Hanlon\n\n    Greetings. It is an honor to appear before the committee today.\n    My opening comments will be brief and rather broad. 
I am not an \nexpert on cybersecurity, hence my contribution today will involve \ncreating a framework within which this important aspect of homeland \nsecurity can be considered and analyzed.\n    It is useful to think in terms of different possible strategies for \nhomeland security. Clearly, in a society like ours, huge as it is, as \nopen and free as it is, we could be far more diligent about protecting \nourselves from terrorism than we are today.\n    For example, if the degree of terrorist threat here was anything \napproaching that in Israel, or if even a single additional major attack \nhad been successfully carried out since 9/11, we would do things that \nare presently seen as politically infeasible or strategically \nunnecessary (such as searching baggage on most trains and buses, \ntightening up land borders far more, and worrying about truck bomb \nvulnerability at far more prominent buildings).\n    But we are already much more diligent than we were before 9/11, and \nare spending more than $50 billion a year in federal funds on the \neffort (whereas a decade ago we spent perhaps one fifth as much on \ncounterterrorism, and did not even employ the term homeland security in \nthe federal lexicon). So our current strategy might be seen as an \nintermediate one along a spectrum of possible approaches.\n    A notional list of a full spectrum of possible approaches to \nhomeland security might look something like this, in ascending order of \nintensity and cost:\n        <bullet> Pre-9/11 Approach. The philosophy here would be to \n        protect only against very specific threats that have manifested \n        themselves before, or that would be especially worrisome. For \n        example, we protected nuclear power plants from sabotage, and \n        top officials from assassination. 
The annual cost to the \n        federal government is under $10 billion for such an approach, \n        roughly and notionally speaking.\n        <bullet> Post-9/11 Threat-Based Approach. This approach would \n        follow a similar logic but expand the list of credible threats \n        based on what we learned on September 11, 2001 and in various \n        events around the world since then. Jeremy Shapiro of Brookings \n        is a proponent of this approach (see opportunity08.org). \n        Airline security is an obvious area of focus for this approach, \n        which would emphasize prevention of what we know that al-Qa'ida \n        and related groups CAN do, as opposed to what they might wish \n        to do. Reducing our vulnerability to truck bombs at prominent \n        sites is another logical area of emphasis, given known patterns \n        of terrorist activity around the world. The annual cost is \n        about $20 billion to $30 billion (my estimates).\n        <bullet> Bush Administration Approach. This goes beyond the \n        threat-based approach to include as well attention to those \n        types of attacks that we know al-Qa'ida would LIKE to carry \n        out, as well as those that would be so horrible we have to \n        worry that they might occur even if they probably will not \n        (such as WMD attacks). Estimated annual cost $50 billion.\n        <bullet> Brookings Approach. This approach, reflected in two \n        Brookings studies this decade by a team of authors, is similar \n        in some ways to the Bush administration's concept. But it takes \n        a slightly broader approach to defining threats and toughens up \n        the steps taken to address them in some cases. We focus \n        primarily on attacks that could cause major damage to our \n        national security, our population, or our economy (catastrophic \n        attacks). 
For example, we emphasize better protection of the \n        chemical industry and the hazardous trucking industry, as well \n        as improved use of intelligence to find patterns of possible \n        terrorist attack before they occur (a ``google function for \n        counterterrorism'') along the lines also proposed by the Markle \n        Foundation. Estimated yearly cost $60 billion.\n        <bullet> ``America the Vulnerable'' approach. I borrow here \n        from Stephen Flynn of the Council on Foreign Relations; former \n        Bush administration homeland security official Clark Kent Ervin \n        has written a somewhat similar book. The approach here is to \n        take imagination to its logical extreme, and suppose that any \n        serious attack al-Qa'ida might be able to carry out we should \n        defend robustly against. It is a vulnerability-based approach, \n        but with vulnerability defined in a broad way. Great attention \n        is paid to inspecting cargo in international shipping by Flynn, \n        for example, even though it could be very difficult to rework \n        our port infrastructure to make this possible. Estimated cost \n        $80 billion a year.\n        <bullet> Council on Foreign Relations task force approach. This \n        Hart-Rudman task force of several years ago reflected the logic \n        of Flynn, who was involved with the project as well, and also \n        placed particular emphasis on equipping and training most of \n        America's millions of first responders to deal with WMD attacks \n        and other catastrophes. About $90 billion a year.\n        <bullet> Israel-style approach. 
If we had to worry about small \n        bombs going off in most public places, a whole different level \n        of effort would be required, with annual costs perhaps reaching \n        $200 billion (and many inconveniences introduced to daily \n        life).\n    This is a very short written testimony but I hope its succinctness \nwill be of some use in providing a simple taxonomy for further \ndiscussion. I would be happy in particular to explain the Brookings \napproach, both in broad philosophy and in its specific recommendations.\n    I am attaching as an appendix a chapter in a recent Brookings book \nI coauthored in 2006. I have no reason to believe my coauthor's \nthinking has changed. However, given his current position, please \nassign responsibility for this ``republishing'' of material that first \nappeared a year and a half ago entirely to me.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ Michael d'Arcy, Michael O'Hanlon, Peter Orszag, Jeremy Shapiro, \nand James Steinberg, Protecting the Homeland 2006/2007 (Washington, \nD.C.: Brookings, 2007), pp. 73-95. ???\n---------------------------------------------------------------------------\n        Appendix: Protecting Infrastructure and Providing Incentives \n        for the Private Sector to Protect Itself\n        Since the attacks of September 11th, the private sector has \n        generally not done nearly enough to improve its security \n        against terrorist attack. 
For example, the Congressional Budget \n        Office recently concluded that ``there is relatively little \n        evidence that firms have been making additional investments \n        since September 11 to improve their security and avoid \n        losses.'' \\2\\ About 85 percent of the nation's critical \n        infrastructure is owned by the private sector, and security had \n        typically not been sufficient before the attacks, so the \n        failure to materially improve security measures in many key \n        industries represents one of the most glaring and dangerous \n        shortcomings in the nation's response to the terrorist attacks.\n---------------------------------------------------------------------------\n    \\2\\ Congressional Budget Office, ``Federal Terrorism Reinsurance: \nAn Update,'' January 2005, page 13. Some industries (such as \ntransportation, energy, utilities, and financial services) have \nincreased spending modestly. See Benjamin Weiser and Claudia H. \nDeutsch, ``Many Offices Holding the Line on Post-9/11 Security \nOutlays,'' New York Times, August 16, 2004; and the Conference Board, \nCorporate Security Management: Organization and Spending Since 9/11 \n(New York: The Conference Board, 2003), p. 5.\n---------------------------------------------------------------------------\n    The key to improved security in the private sector is structuring \nincentives properly: Markets respond to incentives. But to date, the \nfederal government has done little to alter firms' incentives for \nprotecting most private sector infrastructure from terrorist attack. \nApart from efforts to protect those types of infrastructure that have \nalready been attacked, such as commercial airliners, the \nAdministration's policy has been very restrained. 
Part of its \nreluctance to intervene may be a reflection of the admittedly daunting \nnature of the task--and the impossibility of knowing exactly which \ntypes of infrastructure to protect to what standards of robustness. But \nthe Administration's laissez-faire approach also risks leaving \nundefended targets within the United States that could nonetheless \ncause catastrophic harm.\n    The greatest concerns apply to key pieces of private \ninfrastructure--chemical facilities, skyscrapers, other large \nbuildings, many hospitals, and so on. Such infrastructure is \npredominately owned by the private sector, but is critical to the \nfunctioning of our broader society. Protection of the public is not \nalways consistent with private incentives in such settings. Given \nexisting incentives, economic logic suggests that owners of key \ninfrastructure will, from the point of view of the broader public \ninterest, underinvest in security precautions.\\3\\ At present, many \nindustries see counterterrorism protection as a costly way to provide \nan uncertain degree of protection against an unlikely threat. There are \nfew perceived benefits and many costs to improving security. As Frank \nCilluffo, former Special Assistant to the President for Homeland \nSecurity in the Bush administration puts it: ``We need to be able to \nspur [that] investment by providing incentives. Right now, the \nincentives are disincentives.'' \\4\\\n---------------------------------------------------------------------------\n    \\3\\ Peter R. Orszag, ``Homeland Security and the Private Sector,'' \nTestimony before the National Commission on Terrorist Attacks Upon the \nUnited States, November 19, 2003.\n    \\4\\ Frank Cilluffo, ``The Mission of Homeland Security,'' The NYU \nReview of Law and Security: Are We Safer?, Issue No. 3 (Fall 2004), p. 
\n38.\n---------------------------------------------------------------------------\n    Private markets by themselves do not generate sufficient incentives \nfor homeland security, and government intervention can therefore be \nwarranted, for several reasons. Most broadly, national security is a \ncore constitutional responsibility of the federal government. Even if a \ngiven terrorist attack only affects private property, it can have \nbroader ramifications for the country's sense of safety. In the \nterminology of economists, such an attack imposes a ``negative \nexternality.'' The presence of this negative externality means that \nprivate markets will undertake less investment in security than would \nbe socially desirable: Individuals or firms deciding how best to \nprotect themselves against terrorism are unlikely to take the external \ncosts of an attack fully into account, and therefore will generally \nprovide an inefficiently low level of security against terrorism on \ntheir own.\\5\\ Without government involvement, private markets will thus \ntypically under-invest in anti-terrorism measures.\\6\\\n---------------------------------------------------------------------------\n    \\5\\ It is also possible, at least in theory, for private firms to \ninvest too much in anti-terrorism security. In particular, visible \nsecurity measures (such as more uniformed guards) undertaken by one \nfirm may merely displace terrorist attacks onto other firms, without \nsignificantly affecting the overall probability of an attack. In such a \nscenario, the total security precautions undertaken can escalate beyond \nthe socially desirable levels--and government intervention could \ntheoretically improve matters by placing limits on how much security \nfirms would undertake. 
Unobservable security precautions (which are \ndifficult for potential terrorists to detect), on the other hand, do \nnot displace vulnerabilities from one firm to another and can at least \ntheoretically reduce the overall level of terrorism activity. For an \ninteresting application of these ideas to the Lojack automobile \nsecurity system, see Ian Ayres and Steven Levitt, ``Measuring Positive \nExternalities from Unobservable Victim Precaution: An Empirical \nAnalysis of Lojack,'' Quarterly Journal of Economics, Vol. 108, no. 1 \n(February 1998). For further analysis of evaluating public policy in \nthe presence of externalities, see Peter Orszag and Joseph Stiglitz, \n``Optimal Fire Departments: Evaluating Public Policy in the Face of \nExternalities,'' Brookings Institution Working Paper, January 2002.\n    \\6\\ The Coase theorem shows that under very restrictive conditions, \nthe negative externality can be corrected by voluntary private actions \neven if the role of government is limited to enforcing property rights. \nBut the Coase theorem requires that all affected parties are able to \nnegotiate at sufficiently low cost with each other. Since virtually the \nentire nation could be affected indirectly by a terrorist attack, the \ncosts of negotiation are prohibitive, making the Coase theorem \nessentially irrelevant in the terrorism context.\n---------------------------------------------------------------------------\n    Second, a more specific negative externality exists with regard to \ninputs into terrorist activity. For example, loose security at a \nchemical facility can provide terrorists with the materials they need \nfor an attack. Similarly, poor security at a biological laboratory can \nprovide terrorists with access to dangerous pathogens. The costs of \nallowing terrorists to obtain access to such materials are generally \nnot borne by the facilities themselves: the attacks that use the \nmaterials could occur elsewhere. 
Such a specific negative externality \nprovides a compelling rationale for government intervention to protect \nhighly explosive materials, chemicals, and biological pathogens even if \nthey are stored in private facilities. In particular, preventing access \nto such materials is likely to reduce the overall risk of catastrophic \nterrorism, as opposed to merely displacing it from one venue to \nanother.\n    Third, a related type of externality involves ``contamination \neffects.'' Contamination effects arise when a catastrophic risk faced \nby one firm is determined in part by the behavior of others, and the \nbehavior of these others affects the incentives of the first firm to \nreduce its exposure to the risk. Such interdependent security problems \ncan arise, for example, in network settings. The problem in these \nsettings is that the risk to any member of a network depends not only \non its own security precautions but also on those taken by others. Poor \nsecurity at one establishment can affect security at others. The result \ncan often be weakened incentives for security precautions.\\7\\ For \nexample, once a hacker or virus reaches one computer on a network, the \nremaining computers can more easily be contaminated. 
This possibility \nreduces the incentive for any individual computer operator to protect \nagainst outside hackers.\n---------------------------------------------------------------------------\n    \\7\\ See Howard Kunreuther and Geoffrey Heal, ``Interdependent \nSecurity,'' Journal of Risk and Uncertainty 26: 231-249 (March/May \n2003), and Howard Kunreuther, Geoffrey Heal, and Peter Orszag, \n``Interdependent Security: Implications for Homeland Security Policy \nand Other Areas,'' Policy Brief #108, Brookings Institution, October \n2002.\n---------------------------------------------------------------------------\n    Even stringent cyber-security may not be particularly helpful if a \nhacker has already entered the network through a ``weak link.''\n    A fourth potential motivation for government intervention involves \ninformation--in particular, the cost and difficulty of accurately \nevaluating security measures. For example, one reason that governments \npromulgate building codes is that it would be too difficult for each \nindividual entering a building to evaluate its structural soundness. \nSince it would also be difficult for the individual to evaluate how \nwell the building's air intake system could filter out potential bio-\nterrorist attacks, the same logic would suggest that the government \nshould set minimum anti-terrorism standards for buildings if there were \nsome reasonable threat of a terrorist attack on the relevant type of \nbuildings (so that the individual would have some interest in ensuring \nthat the building were protected against biological attack). Similarly, \nit would be possible, but inefficient, for each individual to conduct \nextensive biological anti-terrorism safety tests on the food that he or \nshe was about to consume. 
The information costs associated with that \ntype of system, however, make it much less attractive than a system of \ngovernment regulation of food safety.\n    The fifth justification for government intervention is that \ncorporate and individual financial exposures to the losses from a major \nterrorist attack are inherently limited by the bankruptcy laws. For \nexample, assume that there are two types of possible terrorist attacks \non a specific firm: A very severe attack and a somewhat more modest \none. Under either type of attack, the losses imposed would exceed the \nfirm's net assets, and the firm would declare bankruptcy--and therefore \nthe extent of the losses beyond that which would bankrupt the firm \nwould be irrelevant to the firm's owners. Since the outcome for the \nfirm's owners would not depend on the severity of the attack, the firm \nwould have little or no incentive to reduce the likelihood of the more \nsevere version of the attack even if the required preventive steps were \nrelatively inexpensive. From society's perspective, however, such \nsecurity measures may be beneficial--and government intervention can \ntherefore be justified to address catastrophic possibilities in the \npresence of the bankruptcy laws.\n    The sixth justification for government intervention is that the \nprivate sector may expect the government to bail it out should a \nterrorist attack occur. The financial assistance to the airline \nindustry provided by the government following the September 11th \nattacks provides just one example of such bailouts. Such expectations \ncreate a ``moral hazard'' problem: private firms, expecting the \ngovernment to bail them out should an attack occur, do not undertake as \nmuch security as they otherwise would. 
If the government cannot \ncredibly convince the private sector that no bailouts will occur after \nan attack, it may have to intervene before an attack to offset the \nadverse incentives created by the expectation of a bailout.\n    The final justification for government intervention involves \nincomplete markets. The most relevant examples involve imperfections in \ncapital and insurance markets. For example, if insurance firms are \nunable to obtain reinsurance coverage for terrorism risks (that is, if \nprimary insurers are not able to transfer some of the risk from \nterrorism costs to other insurance firms in the reinsurance market), \nsome government involvement may be warranted. In addition, certain \ntypes of activities may require large-scale coordination, which may be \npossible but difficult to achieve without governmental intervention.\n    These market shortcomings provide a justification for targeted \ngovernment intervention. But providing a high degree of protection for \nall possible targets would be prohibitively expensive and practically \nimpossible. Focusing on high-impact attacks helps to narrow the range \nof private-sector settings in which government intervention is \nwarranted.\n    When government intervention is needed, the best approach is to use \ngovernment regulation to alter incentives for the private sector for \nbetter protecting itself. This can be done either by providing firms \nwith certain advantages when they adopt appropriate measures (the \ncarrot approach), or by imposing costs on those who fail to adopt such \nmeasures (the stick approach). In both cases, the goal would be the \nsame: to introduce a difference in the cost of one activity compared to \nanother, accomplished either by reducing the cost of the first activity \n(e.g., an investment in security) or by raising the cost of the second \nactivity (e.g., business as usual).\n    For example, consider the case of trucking. 
Truck drivers can be \nsubjected to more intensive background searches, and advanced \ntechnologies can be used to monitor trucks and ensure the security of \ntheir cargo in real time. The government could directly subsidize such \nsteps, for example by providing tax credits to firms that adopt them. \nOr it could mandate insurance for trucking firms, thereby relying on \ninsurance firms to impose costs (e.g., through higher premiums) on \nfirms that fail to adopt appropriate security measures. The government \ncould also combine either of these approaches with some form of \nregulation, such as allowing better protected cargo trucks to travel \ncloser to population centers than less protected trucks, thereby \nproviding time and money savings to the firms that invest in protecting \ntheir trucks.\n    The key distinction between the ``carrot'' and the ``stick'' \napproaches is who pays. Government subsidies or tax credits spread the \ncost of homeland security spending in a particular private market \nacross the entire population, rather than the stakeholders (the owners \nof businesses, the workers, and consumers of the product) in that \nsector itself. The stick approach--either through regulation or \ninsurance, or some combination thereof--instead concentrates its costs \non the stakeholders in that sector. If particular sectors are \ninherently more dangerous than others, we as a society may want to \nencourage activity in other, safer sectors where we have a choice--\nwhich would be better accomplished by having stakeholders in the sector \nbear the full cost of protection. The reason is that imposing the cost \non the stakeholders rather than the general public would raise the \ncosts of the most dangerous activities. 
The market would thus \ndiscourage such activities (through higher prices), which would help to \nmitigate the risk of a terrorist attack in the most dangerous sectors.\n    Before turning to a discussion of specific industries, we first \nexamine these generic approaches to improving security in the private \nsector.\n\n    SUBSIDIES\n    Perhaps the most obvious way of strengthening incentives for \nprotective measures in the private sector is to provide a government \nsubsidy. For example, some policy-makers have proposed tax credits for \nsecurity measures. This approach, however, is generally flawed, and not \njust because of the substantial budget imbalance facing the nation.\n    Subsidies or tax credits can encourage unnecessarily expensive \ninvestments in security measures (or ``gold plating''). The problem is \nparticularly severe in the case of investments that provide protection \nagainst terrorist attack but also have substantial other benefits to \nfirms. Even if they don't encourage firms to undertake excessively \ncostly investments with minimal homeland security benefits, subsidies \nor tax credits can provide benefits to firms that would have undertaken \nthe investments even in the absence of the tax subsidy--raising the \nbudget cost without providing any additional security. In other words, \nsubsidies or tax credits ``buy out the base'' of what firms are already \ndoing to protect themselves against terrorist attack. Subsidies or tax \ncredits also do a poor job of differentiating between high-risk and \nlower-risk sectors, yet the degree of government intervention should \nclearly vary by circumstance. In other words, designing and \nimplementing subsidies or tax credits is likely to be just as \ncumbersome and inefficient as designing direct regulations.\n\n    INSURANCE AS A MECHANISM FOR IMPROVING INCENTIVES\n    An alternative is to provide incentives for better security through \nthe insurance system. 
At first glance, terrorism insurance may seem \ncounterproductive: Firms and individuals with insurance against \nterrorist attack would appear to lack incentives to take appropriate \nprecautions against an attack. However, where such insurance is \navailable, it typically comes with provisions (such as a deductible) to \nensure that the insured bear at least some of the cost of an attack, \nand thus have an economic incentive to avoid such attacks or minimize \ntheir consequences. More important, the insurance companies themselves \nhave an incentive to encourage risk-reducing activities. Indeed, \ninsurance firms are well positioned to provide incentives for \nmitigation efforts--for firms to take steps ahead of time to protect \nthemselves against terrorist attack. The terrorism insurance market \ncould thus guide protective efforts. Best practices would be encouraged \nthrough graduated rate structures for insurance that encourage \nindividual owners to adopt prudent and cost-effective technologies and \nprocedures for protecting their assets and the people within them.\n    Three critical questions arise with regard to the use of insurance \nin this way. The first is whether firms will voluntarily purchase the \ninsurance. Terrorism insurance coverage among large firms has expanded \nnoticeably: take-up rates were quite low in 2003 but nearly doubled in \n2004, reaching almost half of large firms in mid-2004.\\8\\ Despite the \nrecent increases, however, take-up of terrorism insurance remains well \nbelow 100 percent.\\9\\ In the absence of universal take-up, at least \namong firms that own critical infrastructure, the incentives provided \nby the insurance industry would be much less likely to produce adequate \nrisk reduction. 
Furthermore, voluntary insurance markets often suffer \nfrom classic problems of ``adverse selection,'' in which firms that are \nriskier are the ones that are more likely to purchase insurance, \ncreating a potential spiral of rising premiums and reduced take-up.\n---------------------------------------------------------------------------\n    \\8\\ Congressional Budget Office, ``Federal Terrorism Reinsurance: \nAn Update,'' January 2005, page 6; and Erwann Michel-Kerjan and \nBurkhard Pedell, ``Terrorism Risk Coverage in the post-9/11 Era: A \nComparison of Public-Private Partnerships in France, Germany, and the \nU.S,'' Risk Management and Decision Processes Center, Wharton School, \nUniversity of Pennsylvania, Working Paper 2004029, October 2004, page \n22.\n    \\9\\ Some economists argue that many firms should not insure \nthemselves against terrorist attack, since the owners of the firm can \nmostly if not entirely diversify that risk. Kent Smetters, ``Insuring \nAgainst Terrorism: The Policy Challenge,'' NBER Working Paper 11038, \nJanuary 2005.\n---------------------------------------------------------------------------\n    The shortcomings with voluntary terrorism insurance raise the \nquestion of whether insurance should be mandatory--at least for large \nfirms or key sectors. 
Mandatory insurance would not only facilitate \nrisk-mitigation efforts on a broader scale and allow the insurance \nindustry to spread its risks more effectively, but would also reduce \nthe likely demands on government following any attack in the \nfuture.\\10\\\n---------------------------------------------------------------------------\n    \\10\\ Howard Kunreuther and Erwann Michel-Kerjan, ``Policy Watch: \nChallenges for Terrorism Risk Insurance in the United States,'' Journal \nof Economic Perspectives, Volume 18, Number 4, Fall 2004, page 211.\n---------------------------------------------------------------------------\n    In France, terrorism insurance is mandatory.\\11\\ Former Deputy \nHomeland Security Adviser Richard Falkenrath has suggested that \nCongress mandate that terrorism insurance be included in all commercial \ninsurance policies.\\12\\ In our view, terrorism insurance should indeed \nbe required on all commercial policies, perhaps above some minimum \nthreshold of several million dollars to avoid unnecessary \nadministrative costs in settings unlikely to cause high-impact \nterrorist damage.\n---------------------------------------------------------------------------\n    \\11\\ Erwann Michel-Kerjan and Burkhard Pedell, ``Terrorism Risk \nCoverage in the post-9/11 Era: A Comparison of Public-Private \nPartnerships in France, Germany, and the U.S,'' Risk Management and \nDecision Processes Center, Wharton School, University of Pennsylvania, \nWorking Paper 2004029, October 2004.\n    \\12\\ Statement of Richard A. Falkenrath before the United States \nSenate Committee on Homeland Security and Governmental Affairs, January \n26, 2005.\n---------------------------------------------------------------------------\n    The second question is whether the insurance industry will be able \nto develop the tools for evaluating terrorism risk. 
Models of terrorism \nrisk at the level of zip codes or specific locations are now available \nfrom firms such as Risk Management Systems, EQECAT, and Applied \nInsurance Research Worldwide.\\13\\ These models represent significant \nadvances; they are, however, inherently limited not only by the paucity \nof historical data on terrorist attacks but also by the difficulties in \npredicting how terrorist behavior will evolve over time. For example, \none model assumes that risk is mostly concentrated in high visibility \ntargets; another assumes that attacks at low visibility targets could \nbe employed to sow confusion and broad fears.\\14\\ The key issue is not \nwhether the models are fully reliable; they clearly are not.\\15\\ \nInstead, the fundamental question is whether the models could become \ngood enough to provide the basis for an insurance-oriented approach to \nprotective efforts. From this perspective, especially compared to an \nalternative of failing to provide incentives for private efforts or \nrelying exclusively on government regulation, the models seem \nrelatively insightful. And it should be possible for them to be \ninformed by government risk analyses as well. Homeland Security \nPresidential Directive 7 (HSPD 7) requires the Secretary of Homeland \nSecurity to coordinate national protection efforts in infrastructure \nsectors such as information technology, telecommunications, \ntransportation, and the chemical industry, and requires the government \nas a whole to prioritize protection activities.\\16\\\n---------------------------------------------------------------------------\n    \\13\\ Congressional Budget Office, ``Federal Terrorism Reinsurance: \nAn Update,'' January 2005, page 4.\n    \\14\\ Congressional Budget Office, ``Federal Terrorism Reinsurance: \nAn Update,'' January 2005, page 4.\n    \\15\\ The insurance industry operates in many areas in which models \nare nowhere close to fully reliable, including tort cases. 
See Kent \nSmetters, ``Insuring Against Terrorism: The Policy Challenge,'' NBER \nWorking Paper 11038, January 2005.\n    \\16\\ President George W. Bush, ``Homeland Security Presidential \nDirective/HSPD 7: Critical Infrastructure Identification, \nPrioritization, and Protection,'' December 17, 2003, available at \nwww.whitehouse.gov/news/releases/2003/12/print/20031217-5.htlm.\n---------------------------------------------------------------------------\n    A final question is whether the insurance industry requires a \ngovernment backstop to play the role envisioned for it here. Some \neconomists argue that the risks can be spread across private financial \nmarkets without government intervention.\\17\\ Other economists and \nmarket observers, however, argue that capital market imperfections \nimpede the ability of insurers to provide coverage against catastrophic \nrisks, such as those involved in terrorist activities. In such a case, \na government backstop may be required. Alan Greenspan, for example, has \ntestified that he has ``yet to be convinced'' that the terrorism \ninsurance market could operate effectively without a government \nbackstop.\\18\\\n---------------------------------------------------------------------------\n    \\17\\ Kent Smetters, ``Insuring Against Terrorism: The Policy \nChallenge,'' NBER Working Paper 11038, January 2005. See also Appendix \nB in Congressional Budget Office, ``Federal Terrorism Reinsurance: An \nUpdate,'' January 2005.\n    \\18\\ ``Senators Trying Again To Extend Terrorism Insurance Plan,'' \nCongressDaily, February 18, 2005.\n---------------------------------------------------------------------------\n    The most pressing issue involves the Terrorism Risk Insurance Act \n(TRIA), enacted in November 2002. TRIA is scheduled to expire on \nDecember 31, 2005, and policymakers are debating whether it should be \nextended. 
Under TRIA, insurance firms are required to offer terrorism \ncoverage, and the government agrees to pay a specified share of the \ninsured losses in the event of a terrorist attack.\\19\\ Although some \nform of federal backstop should be extended past 2005, significant \nchanges in the existing program are warranted.\\20\\ A substantial flaw \nwith the current program is that no fee is imposed by the government \nfor the backstop. (The government would recover a certain amount of its \nlosses after the fact, but through a surcharge on all commercial \npolicies, rather than only on those with terrorism insurance \ncomponents. As a result, the government program effectively subsidizes \nterrorism insurance, with all commercial policyholders potentially \nliable to pay for part of the subsidy.) A better approach would have \nthe government charge a premium based on how much protection the \ninsurance firm itself wants; the government should continue, though, \nonly to provide coverage against extreme losses.\\21\\ Losses below the \ncatastrophic level should be covered entirely by private markets.\n---------------------------------------------------------------------------\n    \\19\\ For a description, see Congressional Budget Office, ``Federal \nTerrorism Reinsurance: An Update,'' January 2005.\n    \\20\\ See also Swiss Re, ``Terrorism Risks in Property Insurance and \nTheir Insurability After September 11, 2001'' (2003).\n    \\21\\ For one explanation of how various layers of insurance could \nbe provided, including a government layer for catastrophic losses, see \nHoward Kunreuther and Erwann Michel-Kerjan, ``Policy Watch: Challenges \nfor Terrorism Risk Insurance in the United States,'' Journal of \nEconomic Perspectives, Volume 18, Number 4, Fall 2004.\n\nA MIXED SYSTEM WITH INSURANCE AND REGULATIONS\n    An insurance-based system could be combined with a larger policy of \nregulatory standards and third-party inspections. 
A mixed regulatory-\ninsurance system is already applied in many other areas, such as owning \na home or driving a car. Local building codes specify minimum standards \nthat homes must meet. But mortgages generally require that homes also \ncarry home insurance, and insurance companies provide incentives for \nimprovements beyond the building code level--for example, by providing \na reduction in the premiums they charge if the homeowner installs a \nsecurity system. Similarly, governments specify minimum standards that \ndrivers must meet in order to operate a motor vehicle. But they also \nrequire drivers to carry liability insurance for accidents arising out \nof the operation of their vehicles. Meanwhile, insurance companies \nprovide incentives for safer driving by charging higher premiums to \nthose with poorer driving records.\\22\\\n---------------------------------------------------------------------------\n    \\22\\ To be sure, crucial differences exist between the terrorist \ncase and these other examples. For example, stable actuarial data exist \nfor home and auto accidents, but not for terrorist attacks. \nNonetheless, it may be possible for insurers to distinguish risks of \nloss based on differences in damage exposures, given a terrorist \nincident. Some financial firms are already trying to devise basic \nframeworks for evaluating such risks. See, for example, Moody's \nInvestors Service, ``Moody's Approach to Terrorism Insurance for U.S. \nCommercial Real Estate,'' March 1, 2002.\n---------------------------------------------------------------------------\n    A mixed system of minimum standards coupled with an insurance \nmandate not only can encourage actors to act safely, but also can \nprovide incentives for innovation to reduce the costs of achieving any \ngiven level of safety. 
The presence of minimum regulatory standards \nalso helps to attenuate the moral hazard effect from insurance: Moral \nhazard arises when firms, knowing that they are insured against \nterrorist losses, take less care in protecting against attack. Minimum \nstandards could also provide guidance to courts in determining \nnegligence under liability laws.\\23\\\n---------------------------------------------------------------------------\n    \\23\\ For a discussion of the potential benefits of a mixed system \nof building code regulations and mandatory catastrophic risk insurance \nin the context of natural disasters, see Peter Diamond, ``Comment on \nCatastrophic Risk Management,'' in Kenneth Froot, ed., The Financing of \nCatastrophe Risk (University of Chicago Press: Chicago, 1999), pages \n85-88.\n---------------------------------------------------------------------------\n    A mixed system also has the advantage of being flexible, a key \nvirtue in an arena where new threats will be ``discovered'' on an \nongoing basis. In situations in which insurance firms are particularly \nunlikely to provide proper incentives to the private sector for \nefficient risk reduction (for example, because insurers lack experience \nin these areas), regulation can play a larger role.\n    Third-party inspections can be coupled with insurance protection to \nencourage companies to reduce the risk of accidents and disasters. \nUnder such schemes, insurance corporations would hire third-party \ninspectors to evaluate the safety and security of plants seeking \ninsurance cover. Passing the inspection would indicate to the community \nand government that a firm complies with safety and security \nregulations. 
The firm would also benefit from reduced insurance \npremiums, since the insurer would have more confidence in the safety \nand security of the firm.\n    This system takes advantage of two potent market mechanisms to make \nfirms safer, while freeing government resources to focus on the largest \nrisks. Insurance firms have a strong incentive to make sure that the \ninspections are rigorous and that the inspected firms are safe, since \nthey bear the costs of an accident or terrorist attack. Private sector \ninspections also reduce the number of audits the regulatory agency \nitself must undertake, allowing the government to focus its resources \nmore effectively on those companies that it perceives to pose the \nhighest risks. The more firms decide to take advantage of private \nthird-party inspections, the greater the chances that high-risk firms \nwill be audited by the regulatory agency.\n    Studies have shown how such a program could be implemented in \npractice. In Delaware and Pennsylvania, the State Departments of \nEnvironmental Protection have worked closely with the insurance \nindustry and chemical plants to test this approach for chemical \nfacility safety.\\24\\\n---------------------------------------------------------------------------\n    \\24\\ For further information, see Howard Kunreuther, Patrick \nMcNulty, and Yong Kang, ``Improving Environmental Safety Through Third \nParty Inspection,'' Risk Analysis. 22: 309-18, 2002.\n\nREQUIRED STEPS IN SPECIFIC INDUSTRIES AND SECTORS\n    The steps required to improve security vary across industries. In \nkeeping with the principles we set forth in chapter one, it is \nimportant to find ways to maximize protection, particularly against \ncatastrophic attack, in cost-effective ways and where possible in a \nmanner that provides additional benefits outside the homeland security \nrealm. 
But applying these principles to specific industries and sectors \nrequires considerable detailed technical analysis on a case by case \nbasis.\n    One common theme in much of the below, however, is that appropriate \nsafeguards are often expensive to implement immediately but relatively \npainless to build into new systems. For example, given that al-Qa'ida \nappears to have considerable interest in biological agent attacks, and \ngiven the continued difficulty of treating the symptoms of biological \nattacks quickly and effectively (especially on a large scale), it \nbehooves the United States to adopt defensive measures where cost-\neffective.\\25\\ Air intakes on buildings can be put well above street \nlevel and beyond the reach of anyone without access to restricted \nareas.\\26\\ Filters might be built into air circulation systems, to \nimpede the distribution of any chemical or biological agent introduced \ninto a building (and a slight overpressure maintained within buildings \nto reduce the risk that agents will infiltrate from the outside).\\27\\ \nAddition of filters may sometimes only be practical when entire \nheating, ventilation, and air conditioning systems are being \nreplaced.\\28\\ Still, over time, considerable progress is quite \nfeasible. Many modern heating and air circulation systems have the \nkinds of sensors, adaptable flows, and other features that could help \nprotect against the effects of terrorist attack as well as optimize a \nbuilding's functioning and the quality of its air in normal times.\\29\\ \nThis shows how measures taken in part to promote homeland security can \nhave other benefits.\n---------------------------------------------------------------------------\n    \\25\\ Judith Miller, ``U.S. Has New Concerns About Anthrax \nReadiness,'' New York Times, December 28, 2003, p. 
A20; and Philip \nShenon, ``Terrorism Drills Showed Lack of Preparedness, Report Says,'' \nNew York Times, December 19, 2003.\n    \\26\\ Gregory Wright, ``Is Your Building's HVAC Safe Against \nTerrorism?'' HVACR News, vol. 24, no. 2 (May 2004).\n    \\27\\ U.S. Army Corps of Engineers, ``Protecting Buildings and Their \nOccupants from Airborne Hazards,'' draft, October 2001; Energy \nInformation Administration, Department of Energy, ``Building \nCharacteristics: Buildings Use Tables,'' table 12, available at \nwww.eia.doe.gov/emeu/consumption; Letter from Michael C. Janus, \nBattelle Corporation, December 1, 2001, to Michael O'Hanlon; and Ann \nGerhart, ``Tom Ridge, on High Alert,'' Washington Post, November 12, \n2001, p. C1.\n    \\28\\ Department of Health and Human Services, Guidance for \nProtecting Building Environments from Airborne Chemical, Biological, or \nRadiological Attacks (May 2002);\n    \\29\\ Jon C. Lund, ``Smart Buildings,'' IEEE Spectrum (August 2003), \npp. 18-23.\n---------------------------------------------------------------------------\n    Protecting key buildings against attacks involving explosives is \ndifficult, but sometimes warranted when high casualties or other severe \ndamage to society could result from a given attack (and when any attack \nis probably preventable through reasonably inexpensive measures). \nSometimes it is a matter of adopting simple steps of limited but useful \nimpact. For example, elevators might be built so as to descend to the \nnearest floor in the event of a power outage--a wise investment against \nthe possibility of electricity overloading as well. (In the public \nsector, relatedly, street lights could be given low-energy diode \nemitters powered by batteries as backups to main power systems.\\30\\)\n---------------------------------------------------------------------------\n    \\30\\ Peter Fairley, ``The Unruly Power Grid,'' IEEE Spectrum \n(August 2004), pp. 
22-27.\n---------------------------------------------------------------------------\n    Truck bombs will remain a threat in the future; they have been the \nweapon of choice of al-Qa'ida in most attacks since 9/11. Defending \nagainst them can involve constructing new, prominent buildings a \ncertain distance back from streets--as has occurred with a number of \nnew U.S. embassies in recent years. Further desirable measures, at \nleast for the highest-profile buildings, can involve using shatterproof \nglass or comparable coatings in the lower floors of such buildings, and \nclosing or at least inspecting entrants into underground parking \ngarages. Relatedly, one might worry about large bombs being assembled \npiece by piece through the use of individual bags to carry explosives \ninto buildings. This threat may argue for controlling access to \nsymbolically important buildings in particular. At present, outside of \nNew York, very few major buildings have any checks or controls on \nentry.\\31\\\n---------------------------------------------------------------------------\n    \\31\\ Terry Pristin, ``Different Cities, Different Security for \nBuildings,'' New York Times, July 9, 2003, p. C6.\n\nThe Chemical and Nuclear Industries\n    The U.S. chemical industry remains quite vulnerable to possible \nterrorist strikes.\\32\\ As Richard Falkenrath recently testified, ``To \ndate, the federal government has made no material reduction in the \ninherent vulnerability of hazardous chemical targets inside the United \nStates. 
Doing so should be the highest critical infrastructure \nprotection priority for the Department of Homeland Security in the next \ntwo years.'' \\33\\ A DHS study that ranked a terrorist act releasing \nchlorine, along with nuclear and anthrax attacks, as among the most \ndeadly plausible scenarios for the United States to worry about in the \nfuture gives further credence to Falkenrath's view.\\34\\ As we argue in \nchapter one, it is precisely such types of vulnerabilities that demand \nthe most urgent attention.\n---------------------------------------------------------------------------\n    \\32\\ For further discussion of homeland security and the chemical \nindustry, see Congressional Budget Office, ``Homeland Security and the \nPrivate Sector,'' Chapter 3 (Chemicals and Hazardous Materials), \nDecember 2004.\n    \\33\\ Statement of Richard A. Falkenrath before the United States \nSenate Committee on Homeland Security and Governmental Affairs, January \n26, 2005.\n    \\34\\ Eric Lipton, ``U.S. Report Lists Possibilities for Terrorist \nAttacks and Likely Toll,'' New York Times, March 16, 2005, p. 1.\n---------------------------------------------------------------------------\n    Voluntary measures have been adopted by some chemical plants, \nnotably those of the American Chemistry Council, but these represent a \nminority of the nation's total such facilities. Hardening plants \nagainst sophisticated attacks by well-trained bands of terrorists, and \nother such robust safeguards, could be uneconomical and in many cases \nunnecessary. There are thousands of chemicals produced in the United \nStates, but only some 300 that are very dangerous and about half that \nnumber that are most extreme in the threats they pose. 
There are tens \nof thousands of chemical plants but only 4,000 to 8,000 where the \nimproper release of agent could kill 1,000 or more individuals.\\35\\ But \na more systematic approach that at least requires periodic assessments \nof vulnerabilities and common-sense solutions is imperative.\\36\\ \nSenator Corzine introduced a bill to do just that but it has not been \npassed by the Congress.\\37\\\n---------------------------------------------------------------------------\n    \\35\\ Richard D. Farmer, Homeland Security and the Private Sector \n(Washington, D.C.: Congressional Budget Office, December 2004), pp. \n21--28.\n    \\36\\ Government Accountability Office, Homeland Security: Voluntary \nInitiatives Are Under Way at Chemical Facilities, but the Extent of \nSecurity Preparedness Is Unknown, GAO-03-439 (March 2003), summary \npage.\n    \\37\\ Office of Senator Jon S. Corzine, ``Fact Sheet on Senator \nCorzine's Chemical Security Legislation,'' November 17, 2003, available \nat www.corzine.senate.gov/priorities/chem _sec.html; and Rick Hind and \nDavid Halperin, ``Lots of Chemicals, Little Reaction,'' New York Times, \nSeptember 22, 2004, p. A31.\n---------------------------------------------------------------------------\n    There are also situations where less dangerous chemicals can be \nused in place of highly toxic ones. Reducing dependence on chlorine for \ndrinking water purification is the most notable example. In these \ncases, the good sense of chemical plant owners combined with the \nguiding hand of the insurance market are the ideal mechanisms for \nimproving safety.\\38\\\n---------------------------------------------------------------------------\n    \\38\\ A related topic concerns the safeguards applied to the sales \nof certain lethal chemicals. Not enough has yet been done to ensure \nproper oversight in this regard. 
For example, a full decade after the \nOklahoma City tragedy, only three states have notable regulations on \nthe sale of ammonium nitrate fertilizer. Oklahoma joined South Carolina \nand Nevada in requiring presentation of identification from \nanyone wishing such fertilizer and tracking sales of such materials to \nallow for investigation of any problems that may result. Others should \nfollow this lead. In such cases where simple, common-sense, minimal-\ncost regulations can be devised, they are hardly inconsistent with the \ngeneral approach advocated here of using market incentives where \npossible but mixed approaches including some regulation when sensible. \nSee Associated Press, ``National Briefing--Oklahoma: Rules to Regulate \nSelling of Fertilizer,'' New York Times, February 18, 2005, p. A17.\n---------------------------------------------------------------------------\n    Another key challenge is securing nuclear materials.\\39\\ Power \nplants are now protected fairly well. But the cooling ponds used for \nstorage of spent fuel may not be protected against certain types of \nattacks (such as from airplanes).\\40\\ Nor are many areas where low-\nmedium-grade waste is stored. These latter materials can be used in \n``dirty bombs.'' While such weapons might not kill large numbers, they \ncould cause enormous economic costs (due to cleanup) and disruption (if \na city center or other important area could not be used while being \ncleaned). 
Here the most practical defense is much improved security for \nsites where such materials are found, at home and abroad.\\41\\ In this \ntype of case, where the optimal safety features are not obvious, \nregulation may be less desirable than reliance on insurance market \nincentives.\n---------------------------------------------------------------------------\n    \\39\\ See Congressional Budget Office, ``Homeland Security and the \nPrivate Sector,'' Chapter 2 (Civilian Nuclear Power), December 2004.\n    \\40\\ Shankar Vedantam, ``Storage of Nuclear Spent Fuel \nCriticized,'' Washington Post, March 28, 2005, p. 1.\n    \\41\\ Peter D. Zimmerman and Cheryl Loeb, ``Dirty Bombs: The Threat \nRevisited,'' Defense Horizons, no. 38 (Washington, D.C.: National \nDefense University, January 2004); and Joby Warrick, ``Smugglers \nTargeting Dirty Bombs for Profit,'' Washington Post, November 30, 2003, \np. 1.\n\n    Passenger Trains, Buses, and Boats\n    On March 11, 2004, a simple terrorist strike against trains in \nMadrid killed some 200 people and injured another 1,500. The July 7, \n2005 London attacks, killing more than 50 themselves, underscored that \nMadrid was not a fluke. This worry applies not only to trains, but in \nsimilar ways to buses, ferries, and cruise ships. Yet not nearly as \nmuch attention has been given to this issue as, for example, to \nairplane security.\\42\\\n---------------------------------------------------------------------------\n    \\42\\ Arnold M. Howitt and Jonathan Makler, ``On the Ground: \nProtecting America's Roads and Transit Against Terrorism,'' \n(Washington, D.C.: Brookings, 2005).\n---------------------------------------------------------------------------\n    Several experimental efforts have been made to monitor passengers \nand cargo entering American trains. However, such efforts tend to rely \nheavily on labor-intensive methods such as dogs to detect explosives. 
The \nchallenge is the speed at which people must move through such stations, \nand the number of passengers involved, particularly for heavily \ntraveled local train services and subways.\\43\\ For example, the New \nYork subway system carries nearly 4 million passengers a day (getting \non and off at 468 stations); all America's airports handle just 1.5 \nmillion people a day between them.\\44\\\n---------------------------------------------------------------------------\n    \\43\\ Baronet Media Ltd., ``Washington Tests High Security System \nfor Trains,'' Vigilo Risk, issue #1, June 9, 2004, p. 7.\n    \\44\\ Gregg Easterbrook, ``In an Age of Terror, Safety Is \nRelative,'' New York Times, June 27, 2004, p. 1.\n---------------------------------------------------------------------------\n    Some additional safeguards are desirable for trains and buses. \nEmergency communications systems can be improved, stations protected by \nperimeter fencing and guards and monitoring, relevant tunnels hardened, \nand spot checking made more common. Further federal funding is \nappropriate here; insurance markets are unlikely to be of much help \nsince much train infrastructure is publicly owned.\\45\\ The American \nPublic Transportation Association has called for over $7 billion in \nadded funding for mass transit systems including trains over the next \nthree years--thirty times the expenditures of the last three years \ncombined.\\46\\ Indeed, there is a strong case for substantial funding \nincreases.\\47\\\n---------------------------------------------------------------------------\n    \\45\\ Baronet Media Ltd., ``House Committee Seeks $1 Billion for \nU.S. Rail Security,'' Vigilo Risk, issue #2, June 23, 2004, p. 7.\n    \\46\\ David Randall Peterman, ``Passenger Rail Security: Overview of \nIssues,'' CRS Report for Congress (Washington, D.C.: Congressional \nResearch Service, July 29, 2005), pp. 
2--3.\n    \\47\\ Nicole Gaouette, ``Senate is Split on Spending Bill for \nDomestic Security,'' Los Angeles Times, July 12, 2005.\n---------------------------------------------------------------------------\n    But the $7 billion added amount strikes us as too much. More \nlogical is a gradual, incremental increase that continually evaluates \nthe benefits of new and experimental measures as they are introduced. \nThe fact of the matter is that, almost independent of expenditure \nlevels, security will not be perfect on trains and buses. Controlling \naccess of all passengers at all times seems unrealistic.\n    Tightened security measures can be used for special events or in \nthe case of intelligence alerts suggesting particular cause for \nconcern. For example, police officers were put on every subway train in \nNew York the day after the July 7, 2005 London bombings.\\48\\ But alas \nthis vulnerability is one of those so difficult to address that it \nunderscores the need for preventive homeland security activities--border \npatrols, prevention efforts by police departments and the FBI, and so \nforth--as well as continued intelligence operations and offensive \naction abroad.\n---------------------------------------------------------------------------\n    \\48\\ Sewell Chan, ``In Added Security Measure, Officers are Riding \nthe Rails,'' New York Times, July 8, 2005.\n---------------------------------------------------------------------------\n    A Democratic attempt to add $1.7 billion to the 2006 budget for \nrail security failed in the Congress.\\49\\ The Democratic idea was sound \nbut the amount was, for the reasons noted above, probably too much. 
\nThat said, an increase in the range of hundreds of millions of dollars \nwould have been appropriate, and should be pursued for the 2007 budget.\n---------------------------------------------------------------------------\n    \\49\\ David Rogers, ``Homeland Budget Accord Is Reached,'' Wall \nStreet Journal, September 30, 2005, p. 2.\n---------------------------------------------------------------------------\n    The situation is similar for passenger ships and ferries. Some \nimprovements in security are warranted, but that said, vulnerability is \na fact of life.\\50\\ Given that most such attacks, however tragic they \nmight be, would not be catastrophic in the terms we use in chapter one, \na cost-benefit analysis--and the state of available technology and \nprocedures for security--suggest that only limited investments of the \ntype already underway are warranted at this time.\\51\\\n---------------------------------------------------------------------------\n    \\50\\ In addition to the threat of explosives being placed in cars, \nor planted directly on ferries and other ships, there is a risk of \nscuba divers attacking ships. See Jim Gomez, ``Terror Plots May Reach \nNew Depths,'' Chicago Tribune, March 18, 2005. Sometimes certain risky \nports or waterways can be avoided overseas, but clearly this is not a \nprotection method of complete reliability. See David Wood, ``Terrorism \nFears Divert Navy Supply Ships from Suez Canal,'' Newhouse.com, January \n13, 2005.\n    \\51\\ Eric Lipton, ``Trying to Keep the Nation's Ferries Safe from \nTerrorists,'' New York Times, March 19, 2005, p. 18.\n\nCargo Trains, Trucks, and Barges Carrying Hazardous Materials\n    Trucks, trains, and barges are the chief methods for the transport \nof hazardous materials in the United States today. 
On the issue of \ntrucks, at present there are few restrictions on who can drive the \ntrucks and where those trucks can go--except of course that as a matter \nof public safety, tunnels and certain other very specific sections of \nroad are sometimes deemed off limits to certain classes of highly toxic \nor flammable materials. Background checks have been begun for drivers \nof especially dangerous classes of chemicals and other substances. But \nefforts to authenticate their identities using identification with \nbiometric indicators remain in the pilot, testing stage.\\52\\ Moreover, \nMexican and Canadian drivers on American roads are not being checked in \nthe same way.\\53\\ Some municipalities have similarly decided to find \nsubstitutes for the most lethal sorts of chemicals often carried by \ntrucks (such as chlorine) when possible. Some companies train their \nemployees in security precautions and monitor key facilities such as \nfuel depots. But these efforts are at present scattershot.\\54\\\n---------------------------------------------------------------------------\n    \\52\\ William H. Robinson, Jennifer E. Lake, and Lisa M. Seghetti, \n``Border and Transportation Security: Possible New Directions and \nPolicy Options,'' CRS Report for Congress (Washington, D.C.: \nCongressional Research Service, March 29, 2005), pp. 9--10.\n    \\53\\ Transportation Security Administration, information at \nwww.tsa.gov/public/display?content=09000519800d3fd3&print=yes, accessed \nJanuary 6, 2005.\n    \\54\\ See David Johnston and Andrew C. Revkin, ``Officials Say Their \nFocus Is on Car and Truck Bombs,'' New York Times, August 2, 2004, p. \nA13.\n---------------------------------------------------------------------------\n    This situation is highly imprudent. Leaving aside the issue of \ntruck bombs, many trucks carry potentially lethal materials that could \nkill thousands if dissipated in densely congested parts of cities. 
To \nreduce the risks, several steps can be taken. First, for those drivers \ntransporting anything from gasoline to chlorine, background checks must \nbe done comprehensively and quickly. Names and fingerprints must be \ncompared to entries on terror watchlists. Second, truck storage yards \nmust meet minimal safety standards limiting access and monitoring \nperimeters. Third, safety features should be used on the doors of \nrelevant trucks--reducing the odds that dangerous materials would be \nstolen for subsequent use in a terrorist attack. Given the danger of \nthe materials involved, not just to the drivers of the trucks and \nothers directly involved but to society on the whole, minimal safety \nstandards are important enough to be done by regulation rather than \nrelying entirely on the insurance markets.\n    As an additional precaution, trucks carrying certain highly toxic \nsubstances should be banned from the most central parts of cities--\nunless escorted by security and outfitted with tracking technology as \nwell as automatic braking technology.\\55\\ Economic incentives would \nthus come into play, with firms measuring the costs of protective \ntechnology against the economic benefits of being granted greater \naccess to densely populated regions.\n---------------------------------------------------------------------------\n    \\55\\ Flynn, America the Vulnerable, pp. 118--122.\n---------------------------------------------------------------------------\n    The chlorine gas tragedy in South Carolina in January of 2005 \nunderscored the need for upgrades to security in this realm as well. \nSeveral types of improvements are needed. As the South Carolina \naccident underscored, both would have benefits for general public \nhealth beyond the subject of counterterrorism, reducing the risks of \nroutine accidents. 
Since it is a dual-benefit program, it serves one of the \nmain goals we suggest in chapter one for guiding future homeland \nsecurity efforts.\n    When substitution of dangerous chemicals by safer chemicals cannot \nhappen, specific trains should be rerouted away from the centers of \ncities when necessary and practical. In early 2005, the District of \nColumbia prohibited shipments of hazardous materials through parts of \nthe nation's capital. A more systematic national effort is appropriate \nas well.\\56\\ (The most lethal substances should be banned outright from \ncity centers; others could be permitted, as noted above, when companies \nadopt best practices on safety such as automatic tracking and braking \ntechnology on their trucks.)\n---------------------------------------------------------------------------\n    \\56\\ Eric M. Weiss and Spencer S. Hsu, ``90-Day Hazmat Ban Is \nPassed; Measure Will Bar Shipments in DC,'' Washington Post, February \n2, 2005, p. B1.\n---------------------------------------------------------------------------\n    Finally, safety standards should be enforced. For example, it \nshould not be tolerated that half of the nation's 60,000 train cars \nfrequently carrying poisonous gases are obsolete or otherwise in poor \nshape.\\57\\ This recommendation complements the first, since it is \neasier to improve safety on a smaller number of trains.\\58\\\n---------------------------------------------------------------------------\n    \\57\\ Walt Bogdanich and Christopher Drew, ``Deadly Leak Underscores \nConcerns About Rail Safety,'' New York Times, January 9, 2005, p. 1.\n    \\58\\ Sara Kehaulani Goo, ``Accidents Spur New Focus on Securing \nU.S. Rail System,'' Washington Post, January 29, 2005.\n\nThe Food and Water Industries\n    Other areas where not enough has been done to prevent attacks are \nthe food industry and the country's water infrastructure.\n    In regard to food, the case for doing more can be debated. 
There \nare no known cases of al-Qa'ida or affiliates attacking the food \nsupply, but that hardly means that an organization that has already \nproved itself innovative will not attack it in the future. And certain \ntypes of attacks, such as a small amount of botulism toxin poured into \na milk truck leaving a farm, could literally cause tens if not hundreds \nof thousands of deaths.\\59\\ Thus, if simple and economical measures \nthat bring other benefits beyond the counterterrorism domain can be \nidentified, they should be seriously considered.\n---------------------------------------------------------------------------\n    \\59\\ Rick Weiss, ``Report Warns of Threat to Milk Supply,'' \nWashington Post, June 29, 2005, p. A8.\n---------------------------------------------------------------------------\n    As he left the Bush administration, former Secretary of Health and \nHuman Services Tommy Thompson said he worries ``every single night'' \nabout large-scale food poisoning.\\60\\ But infrastructure for monitoring \nfood supplies and quickly detecting any signs of contamination is \ninsufficient. Some additional funding has been added for food safety \ninvestigators and laboratories to check for deliberate contamination. \nBut no demands have been placed on the nation's 50,000+ food processing \nsites to improve site security. Some voluntary measures have been \nadopted by the industry--and FDA and USDA have preferred to keep them \nvoluntary to avoid collecting data that could later be made available \ndue to Freedom of Information Act requests. But these have been \nspotty.\\61\\\n---------------------------------------------------------------------------\n    \\60\\ Mike Allen, ``Rumsfeld to Remain at Pentagon; Thompson Quits \nat HHS, Warns of Vulnerabilities,'' Washington Post, December 4, 2004, \np. A1.\n    \\61\\ General Accounting Office, Food-Processing Security, GAO-03-\n342 (February 2003), pp. 
1--7.\n---------------------------------------------------------------------------\n    Requiring sites such as food processing centers to carry terrorism \ninsurance (against any liability for poisoning that occurs on their \npremises) may provide the simplest and soundest means of addressing \nthis vulnerability in a cost-effective way. At a minimum, it could lead \nto more uniform adaptation of commonsense protective measures such as \nmore systematic patrolling and monitoring of the perimeters of \nfacilities.\n    As suggested by the Democratic members of the House Select \nCommittee on Homeland Security, each state or region should also have \nthe ability to quickly test foods for a wide range of possible \ncontaminants. This can allow spot checking of food under normal \ncircumstances, and prompt efforts to contain the consequences of any \nattack should one occur.\n    As for water, it is extremely difficult to contaminate large water \nsystems because of the amount of material needed for lethal doses. That \nmeans that protecting drinking water reservoirs, for example, need not \nextend to the level of providing complete assurance that no person on \nfoot is ever near a reservoir at any time. Protective systems that keep \ntrucks away from such reservoirs, and monitor foot traffic well enough \nto ensure that substantial numbers of people are not able to gain entry \nto a reservoir, would generally suffice. And as for the chemical \ntreatment facilities, these can be viewed largely as any other chemical \nplant--with risk, and appropriate security measures, determined by the \nnature of the chemicals in use. 
To the extent chlorine is employed, \nthat implies a reasonably high level of protection, but nothing beyond \nthe scale of what would be properly applied to many other facilities in \nthe chemical industry.\\62\\\n---------------------------------------------------------------------------\n    \\62\\ Government Accountability Office, Homeland Security: Agency \nPlans, Implementation, and Challenges Regarding the National Strategy \nfor Homeland Security, GAO-05-33 (January 2005), pp. 84--93.\n---------------------------------------------------------------------------\n    A second problem with water concerns the potential for attacks on \ndams to flood metropolitan areas and create conditions not unlike those \nproduced by Hurricane Katrina--though this time without the warning. \nRisk assessments have been completed for the nation's major dams.\\63\\ \nThe amount of high explosive needed to destroy most of them, together \nwith improved site security near most, limit the likely danger \nassociated with this type of terrorist scenario. But they do not \neliminate the risk entirely by any means. At a minimum, this worry is \nfurther reason for the nation to digest fully the lessons of Katrina--\nand figure out how to mount large-scale responses to such catastrophes \nwithin hours rather than days. This observation has implications for \nmany agencies, including NORTHCOM. The military should not be the lead \nresponder to the vast majority of natural disasters or terrorist \nstrikes, in terms of leading any effort. But leaving aside such issues, \nas well as the question of whether posse comitatus should be modified, \nthe U.S. 
armed forces have physical capacities rivaled by no other \nnational institution and at a minimum need to be better prepared to \norganize and deploy them fast in future crises.\n---------------------------------------------------------------------------\n    \\63\\ Claudia Copeland and Betsy Cody, ``Terrorism and Security \nIssues Facing the Water Infrastructure Sector,'' in Russell Howard, \nJames Forest, and Joanne Moore, eds., Homeland Security and Terrorism \n(New York: McGraw Hill, 2006), p. 200.\n\nEnergy Infrastructure\n    It will not always be possible to know what infrastructure to \nprotect and what not to protect--until after the fact. Take for example \nthe Alyeska Pipeline in Alaska (or any other oil pipeline). It is \npossible to use a rifle to disrupt the flow of oil, and in fact that \nhas happened before (though in an act closer to vandalism or \nhooliganism than terrorism). Pipelines are of course attacked in \nColombia, Iraq, and elsewhere so this threat is hardly implausible. \nThat said, taking steps to try to prevent such attacks would clearly be \nvery difficult in some places, short of setting up dense security \nperimeters (or burying the pipelines). Moreover, attacks on oil \npipelines would be unlikely to cause the loss of any human life. This \nis the type of threat that should be in a second or even third tier of \nimportance.\\64\\ Some measures such as protecting choke points, ensuring \ncapacity for quick shutdown of damaged pipes, and protecting the \npumping stations (and key electronics) of pipeline systems are \nwarranted, but comprehensive protection is not.\\65\\\n---------------------------------------------------------------------------\n    \\64\\ See for example, Andrea R. 
Mihailescu, ``Alaska's Vulnerable \nOil Pipeline,'' Jane's Terrorism and Security Monitor, September 1, \n2004.\n    \\65\\ One area where it behooves the United States to establish \nimproved vigilance is in the vulnerability of power, communications, \ntransportation, and water infrastructure to electromagnetic pulse from \na high-altitude nuclear detonation. Terrorists are unlikely to carry \nout such an attack, but a nation-state could, and the nature of the \npreparation against such an attack is akin to homeland security \nactivities so worthy of brief mention here. Protecting all electronics \nfrom such an attack is impractical (and modern electronic systems, with \ntheir low power requirements and low voltage tolerances, are inherently \nmore vulnerable to such attacks than were vacuum tubes). But the \ncountry's infrastructure should not be allowed to fail catastrophically \nafter such an attack; the period of recovery could last many months, \nduring which time the country would have to function like a premodern \nsociety. Devising protections to key nodes of major infrastructure is \nestimated to cost about one to three percent of total system cost, if \ndone when a system is first being built. But retrofitting protections \nonto existing equipment might be an order of magnitude more expensive, \nimplying costs reaching well into the tens of billions of dollars. This \nsuggests a two-track approach to protection, redressing glaring \nvulnerabilities where feasible in the short term (that is, hardening \nkey electronics used by major infrastructure, or purchasing backup \nsystems), while planning to gradually eliminate other vulnerabilities \nas infrastructure is modernized in the coming years. 
See Commission \nto Assess the Threat to the United States from Electromagnetic Pulse \n(EMP) Attack, Report of the Commission to Assess the Threat to the \nUnited States from Electromagnetic Pulse (EMP) Attack, Volume I: \nExecutive Report (2004), available at www.iwar.org.uk/iwar/resources/\nemp/04-0722emp.pdf, accessed February 17, 2005; and Testimony of Frank \nGaffney before the House Committee on the Budget, U.S. Congress, \nFebruary 16, 2005.\n---------------------------------------------------------------------------\n    To take another energy example, of greater concern given the \npotential loss of life involved in any attack, Boston is the only major \ncity in the United States to have a liquid natural gas terminal nearby. \n(Explosions of such tankers could cause structural damage to buildings \na third of a mile away and burn the skin of people a mile away.\\66\\ ) \nTankers were not allowed to come into Boston harbor to service this \nterminal during the 2004 Democratic convention, suggesting that there \nis a real basis to worry about a possible attack. But has the danger \nreally passed now that the convention is over? This question suggests \nthat it would be prudent to move the terminal--if not immediately, then \nat least when a major renovation would be needed on the existing \ninfrastructure.\\67\\\n---------------------------------------------------------------------------\n    \\66\\ Justin Blum, ``Report Assesses Risks of Attack on Tankers,'' \nWashington Post, December 22, 2004, p. E1.\n    \\67\\ Associated Press, ``Collins Suicide Attack Warning,'' Lloyd's \nList, July 5, 2004, p. 12.\n\nSkyscrapers, Major Buildings and Other Structures\n    In the United States, most large buildings, famous public \nfacilities, sports stadiums, concert halls, and shopping malls are open \nto the public--and thus to terrorists armed with explosives, chemicals, \nor biological pathogens. 
Most such structures lack the types of filters \nthat could clean up contamination that gets inside. Few buildings have \nthe types of air circulation systems that reduce the danger of such \ncontamination in the first place. And few have common-sense protections \nagainst the kinds of car and truck bombs that al-Qa'ida continues to \nemploy with frequency and effectiveness around the world even in the \npost-9/11 era.\n    The degree of appropriate protection depends clearly on the nature \nof the potential target. For the nation's 500 skyscrapers, 250 largest \narenas and stadiums, large train stations and airports, and any other \nlocations where many thousands of people gather in confined spaces, \nspecial efforts are required when practical. New buildings might even \nbe built a certain distance back from streets (as is the case with many \nU.S. embassies today), tougher structural building codes employed, and \nparking garages kept physically separate from buildings. But these \nsorts of sweeping measures are clearly not practical for all cases.\\68\\\n---------------------------------------------------------------------------\n    \\68\\ See Protecting the American Homeland, pp. 54--56.\n---------------------------------------------------------------------------\n    Existing structures can be equipped with shatterproof glass in \nlower floors. Vehicles entering their parking garages can be searched \nand in some cases restricted in their movements. When air circulation \nsystems are renovated, their intakes should be moved above street level \nand monitored. Reverse pressure air systems and good filters are among \nthe other options. Again, insurance markets can help incentivize owners \nto adopt such measures.\\69\\\n---------------------------------------------------------------------------\n    \\69\\ See Eric Lipton and James Glanz, ``New Rules Proposed to Help \nHigh-Rises Withstand Attacks,'' New York Times, March 6, 2002, p. 
A1; \nLetter from Michael C. Janus, Battelle Corporation, December 1, 2001, \nto Michael O'Hanlon; Ann Gerhart, ``Tom Ridge, on High Alert,'' \nWashington Post, November 12, 2001, p. C1; and Statement of Arden \nBement, Director, National Institute of Standards and Technology, \nHearing before the Committee on Science, U.S. House of Representatives, \n107 Cong. 2 sess. (March 6, 2002).\n---------------------------------------------------------------------------\nCONCLUSION\n    The number of sites that might be targeted in the United States is \ndaunting, and a rigorous means of protecting the country \ncomprehensively is unaffordable (if even conceivable). But the United \nStates has a more limited number of sites of particular interest--where \nthousands of individuals routinely congregate, where the economy has \nimportant choke points or centers of activity, where the symbolic and \npolitical effect of any attack could be hugely significant. Most such \nsites are in the private sector, which holds 85 percent of the nation's \ninfrastructure, though an important number are clearly public too. By \nfocusing on this category of key locations (and establishing different \ntiers of necessary protection within that category), and by using \ninsurance markets and related mechanisms to give private owners \nincentives to adopt best practices at reasonable cost, the country's \nvulnerability to truly catastrophic terrorism can be substantially \nmitigated. Since 9/11, we have moved towards this objective. But we \nhave a great distance still to go.\n                               __________\n\n                               Appendixes\n\n                              ----------                              \n\n</pre></body></html>\n"
