[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY: EMERGING THREATS, VULNERABILITIES, AND CHALLENGES IN
SECURING FEDERAL INFORMATION SYSTEMS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
ORGANIZATION, AND PROCUREMENT
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
MAY 5, 2009
__________
Serial No. 111-51
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.house.gov/reform
----------
U.S. GOVERNMENT PRINTING OFFICE
56-581 PDF WASHINGTON : 2010
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
EDOLPHUS TOWNS, New York, Chairman
Majority:
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
MIKE QUIGLEY, Illinois
MARCY KAPTUR, Ohio
ELEANOR HOLMES NORTON, District of Columbia
PATRICK J. KENNEDY, Rhode Island
DANNY K. DAVIS, Illinois
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
Minority:
DARRELL E. ISSA, California
DAN BURTON, Indiana
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
TODD RUSSELL PLATTS, Pennsylvania
JOHN J. DUNCAN, Jr., Tennessee
MICHAEL R. TURNER, Ohio
LYNN A. WESTMORELAND, Georgia
PATRICK T. McHENRY, North Carolina
BRIAN P. BILBRAY, California
JIM JORDAN, Ohio
JEFF FLAKE, Arizona
JEFF FORTENBERRY, Nebraska
JASON CHAFFETZ, Utah
AARON SCHOCK, Illinois
------ ------
Ron Stroman, Staff Director
Michael McCarthy, Deputy Staff Director
Carla Hultberg, Chief Clerk
Larry Brady, Minority Staff Director
Subcommittee on Government Management, Organization, and Procurement
DIANE E. WATSON, California, Chairman
Majority:
PAUL E. KANJORSKI, Pennsylvania
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
HENRY CUELLAR, Texas
JACKIE SPEIER, California
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
MIKE QUIGLEY, Illinois
Minority:
BRIAN P. BILBRAY, California
AARON SCHOCK, Illinois
JOHN J. DUNCAN, Jr., Tennessee
JEFF FLAKE, Arizona
C O N T E N T S
----------
Page
Hearing held on May 5, 2009...................................... 1
Statement of:
Lentz, Robert F., Deputy Assistant Secretary of Defense for
Cyber, Identity, and Information Assurance, U.S. Department
of Defense; and John Streufert, Deputy Chief Information
Officer for Information Security, Bureau of Information
Resource Management, U.S. Department of State.............. 7
Lentz, Robert F.......................................... 7
Streufert, John.......................................... 37
Wilshusen, Gregory, Director, Information Security Issues,
Government Accountability Office; James Andrew Lewis,
director and senior fellow, Technology and Public Policy
Program, Center for Strategic and International Studies;
Marcus H. Sachs, director, Sans Internet Storm Center, Sans
Institute; Lieutenant General Harry D. Raduege, Jr.,
retired, co-chairman, CSIS Commission on Cybersecurity for
the 44th Presidency; and Liesyl I. Franz, vice president,
Information Security and Global Public Policy, Techamerica. 55
Franz, Liesyl I.......................................... 102
Lewis, James Andrew...................................... 77
Raduege, Lieutenant General Harry D., Jr................. 98
Sachs, Marcus H.......................................... 86
Wilshusen, Gregory....................................... 55
Letters, statements, etc., submitted for the record by:
Franz, Liesyl I., vice president, Information Security and
Global Public Policy, Techamerica, prepared statement of... 104
Lentz, Robert F., Deputy Assistant Secretary of Defense for
Cyber, Identity, and Information Assurance, U.S. Department
of Defense, prepared statement of.......................... 9
Lewis, James Andrew, director and senior fellow, Technology
and Public Policy Program, Center for Strategic and
International Studies, prepared statement of............... 79
Raduege, Lieutenant General Harry D., Jr., retired, co-
chairman, CSIS Commission on Cybersecurity for the 44th
Presidency, prepared statement of.......................... 100
Sachs, Marcus H., director, Sans Internet Storm Center, Sans
Institute, prepared statement of........................... 89
Streufert, John, Deputy Chief Information Officer for
Information Security, Bureau of Information Resource
Management, U.S. Department of State, prepared statement of 40
Wilshusen, Gregory, Director, Information Security Issues,
Government Accountability Office, prepared statement of.... 58
CYBERSECURITY: EMERGING THREATS, VULNERABILITIES, AND CHALLENGES IN
SECURING FEDERAL INFORMATION SYSTEMS
----------
TUESDAY, MAY 5, 2009
House of Representatives,
Subcommittee on Government Management,
Organization, and Procurement,
Committee on Oversight and Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 2 p.m., in
room 2154, Rayburn House Office Building, Hon. Diane E. Watson
(chairwoman of the subcommittee) presiding.
Present: Representatives Watson, Connolly, Cuellar,
Bilbray, and Issa [ex officio].
Staff present: Bert Hammond, staff director; Valerie Van
Buren, clerk, Adam Bordes, professional staff; Adam Fromm,
minority chief clerk and Member liaison; Dr. Christopher
Bright, minority senior professional staff; and Molly Boyl and
John Ohly, minority professional staff.
Ms. Watson. The committee will now come to order. Today's
hearing will examine the Federal Government's efforts to secure
its networks and cyber-based critical infrastructure assets. We
will also look at the changing threat and vulnerability
landscape against Federal networks and how legislation to
counter these elements ought to be crafted.
Without objection, the Chair and the ranking minority
member will have 5 minutes to make opening statements followed
by opening statements not to exceed 3 minutes by any other
Member who seeks recognition.
Without objection, Members and witnesses may have 5
legislative days to submit a written statement or extraneous
materials for the record.
I want to welcome our witnesses and I want to welcome the
Members who are here. This hearing on threats, vulnerabilities,
and challenges in securing the Federal Government's information
systems and infrastructure is very necessary and very
important. Our distinguished witnesses are here; we look
forward to your testimony.
I will preface my remarks by stating that today's hearing
is only the beginning of our efforts in this Congress to
strengthen the Federal Government's information security
posture. I know many of my subcommittee colleagues, including
Ranking Member Bilbray, recognize the critical national
security issues associated with cyberattacks from both domestic
and foreign sources. I look forward to working with them in
developing legislation this session to counter these threats.
Furthermore, I want to express my disappointment that DHS
will not be providing a member of its new senior leadership to
testify before us today. With all of the proposals under
consideration in Congress for improving our cybersecurity
posture, I think today was a missed opportunity for the
Protection and Programs Directorate to explain the value they
bring to the table. It is my sincere hope that they will become
more engaging with this subcommittee as we move forward on
these issues.
According to the Director of National Intelligence's 2009
Threat Assessment, the cybersecurity threat landscape continues
to expand as the number of actors using cyberspace for
attacking and disrupting our Federal critical infrastructure
proliferate. These actors include foreign governments,
terrorist organizations, individuals with nefarious motives,
and plain old-fashioned criminal syndicates looking to use
cyberspace as a tool for compromising Federal networks and
Government operations.
Cyberattacks against Government networks are nothing new,
but their complexity and disruptive capabilities have increased
significantly in recent years. In the past few weeks alone, we
have become aware of reported breaches to critical DOD programs
such as the Joint Strike Fighter and Marine One Presidential
Helicopter, as well as to the Air Force's air traffic control
system. Congress has also been the target of cyberattacks
originating from the People's Republic of China on numerous
occasions dating back to 2006. These episodes are a threat to
our national security interests and our ability to conduct
Government business without disruption.
Complicating matters are advances in technology that enable
cyber-criminals of all stripes to remain ahead of Federal
information security efforts. As new commercial IT products and
services become more widely available, such as wireless
networks and devices, file sharing applications or peer-to-peer
software, and new services like cloud computing, we often fail
to incorporate effective security controls to correspond with
their use.
A significant focus of today's hearing is our lack of a
harmonized framework for organizing and coordinating
Government-wide information security policies and practices.
Although there are many reasons for this, I will mention some
that come to my mind: To begin, we currently have too many
cooks in the kitchen. The OMB, DHS, and DOD all have a major
role in the security of our information infrastructure.
Furthermore, DHS has thus far failed miserably in its charge to
manage cyber-response and coordination efforts for Federal
agency stakeholders through duplicative, overlapping divisions
within the Protection and Programs Directorate. Last, it
remains unclear how efforts under the administration's mostly
classified Comprehensive National Cybersecurity Initiative are
aligned with current statutory and regulatory requirements for
both civilian and military networks. Until there are uniform
principles, policies, and requirements established for all
agencies, I fear that our patchwork approach to cybersecurity
will have a minimal effect in securing our information
infrastructure.
Over the past decade, the Federal Government has made
significant progress in the area of information security. Laws
such as the Federal Information Security Management Act have
forced agencies to recognize the need for stronger physical,
technical, and administrative safeguards for IT assets in order
to counter the ever-increasing number of threats in cyberspace.
Nevertheless, such policies have only scratched the surface for
determining what our real cyber vulnerabilities are. More
importantly, these efforts have done nothing to ensure that
Government contractors who operate systems on an agency's
behalf have adequate security measures in place. To me, this is
unacceptable and must be addressed in any future legislative
proposals.
In summary, I hope our witnesses will provide us with a
comprehensive, high level assessment of our current posture and
capabilities for adjusting to new cyber-based threats and
vulnerabilities. I would also welcome your recommendations for
legislative principles that would promote a more harmonized and
uniform approach to cybersecurity across the Government's
systems.
Once again, I thank our panelists for joining us today. I
look forward to your testimony.
I now recognize our ranking member, Mr. Bilbray.
Mr. Bilbray. Thank you, Madam Chair. Madam Chair, first of
all I would like to introduce for the record a written opening
statement, please.
Ms. Watson. Without objection.
Mr. Bilbray. Thank you. Madam Chair, I want to thank you
for having this hearing.
It is sad that DHS had to cancel out on Friday because I
think this is one of those real critical elements where there
can be not just bipartisan cooperation in this body but coequal
cooperation with the executive branch to address this issue.
I just hope that we all recognize we are having a hearing
today and remember that when the 9/11 Commission came down
about how 9/11 could happen, it was because the Federal
Government did not go back and reevaluate structures and
firewalls that had been created from the Watergate period. And
it really didn't think it was important enough to be bothered
with reinvestigating what could have happened here.
I think what we need to recognize is, if we are old enough
to remember the Y2K fear, the impact of a Y2K created,
designed, and executed with intent. That is just the tip of the
iceberg of what we could face.
Madam Chair, I want to thank you for having this hearing,
and having it with or without the Department of Homeland
Security. I think that we need the discussion now and early to
make sure our procedures are in a manner that faces the new
threats rather than trying to fight the battles of the past. I
hope that you and I can work together to make sure that we do
not find ourselves where we were with 9/11 and saying,
doggonit, why didn't we take care of this when we had a chance.
I am very proud to work with you and with the other Members
here to make sure we can look back and say, thank God we did
the right thing when we had a chance and time to do it. I
appreciate the chance and being able to participate with you in
this.
Ms. Watson. I would like now to call on Mr. Connolly for
his opening statement.
Mr. Connolly. Thank you, Madam Chairman. Thank you so much
for holding this important hearing. The number of incidents in
which hackers have broken into Government files and systems, it
seems to me, should impel Congress and the administration to
take all possible steps to secure our systems.
The permeability of our systems is a risk not only to our
national security but the future of our economic
competitiveness as well. The ability of hackers to gain access
to information from private companies about recent innovations
reduces the potential for new economic growth and the incentive
to innovate.
We are fortunate to be working with an administration that
is tackling the problem aggressively by reviewing current
cybersecurity policy and preparing potential reforms.
The testimony we are going to hear today paints a grim
picture of the current state of cybersecurity but also suggests
that there are some security steps that can be taken quickly
and relatively easily. Mr. Sachs notes that 90 percent of
security breaches addressed in a recent report were actually
easily preventable. And according to Mr. Lewis, only one third
of affected agencies have complied with Homeland Security
Policy Directive No. 12, which suggested using secure network
credentialing for employees.
By the way, something that underscores your point, Madam
Chairman, and that of Mr. Bilbray is that it is too bad that
DHS is not here today. My guess is that legislation is going to
come out of this committee on the subject and DHS needs to be
at the table. This committee has an important role, obviously,
in identifying immediate steps the Federal Government can take
to enhance cybersecurity.
The committee will also hear testimony from Mr. Lewis, who
has stated that, ``It is possible that the Internet as it is
currently architected can never be secure.'' That is a pretty
provocative statement, if true. From the statement, one would
infer that a separate Internet-type system for Government usage
will ultimately be necessary. That is an equally provocative
conclusion. I look forward to hearing from all of the witnesses
about whether the creation of a whole separate system is indeed
a practical or efficient way to achieve cybersecurity, or if it
is necessary.
Again, I want to thank you, Madam Chairman, for holding
this hearing. I look forward to working with my colleagues and
the administration to enhance cybersecurity by building upon
what we learn from today's critical hearing.
Ms. Watson. I now yield to Mr. Issa.
Mr. Issa. Thank you, Madam Chair. As we hear today, the
problems of cybersecurity continue to be vexing. We are going
to continue to see these kinds of shortfalls.
What this committee uniquely has a role of looking at is
the Government in its broadest sense. So hopefully today as we
go through both the hearing and the questions that follow, we
will begin asking the tougher questions.
First of all, is there any reason to be throwing the kinds
of dollars spread over the entire Government as we did in the
Supplemental in the Cybersecurity Initiative without demanding
fixed results? Many of the dollars that have been spent under
the previous administration and continue to be spent under this
administration are essentially for upgrades. These can be
completely bypassed if the Department of Defense's Secretary of
Defense fails to have his own staff adhere to procedures for
security as has previously been reported in the press.
Additionally, the gentleman made a good point: Do we need a
separate Internet? Certainly, supernet and other theoretically
closed systems have been penetrated by those same failures like
the use of USB key fobs and the failure to lock down disk
drives, floppy disks, and other devices that allow for
penetration around, if you will, a closed system.
I am most concerned to hear that even our newest aircraft
design was penetrated, in a sense, on a system that was
designed to be closed. These and other failures show us that
the money we have thrown at the problem, although spent, was
mostly spent for the same business as usual Maginot Line that
failed to protect France from the Germans and fails to protect
us from hackers on the Internet.
Madam Chair, when we spend the kinds of tens of billions of
dollars both in the classified and unclassified world, we do so
with good intention. But if we do not begin working smarter,
using techniques to attack our enemies, getting to the hacker
before the hacker gets to us, changing or at least attempting
to change international law so that it will allow us to
consider acts by the Chinese and other less openly hostile
governments as aggressive acts of cyberwar, then we do not and
will not have the kind of peace we want.
Madam Chair, during my tenure on the Select Committee on
Intelligence, as I saw one after another failure to secure the
Department of Defense and other agencies no matter how much we
hardened, I became convinced that in fact we talk about
cybersecurity as though it is appropriately international
espionage, international crime and yet we do not deal with it
in a way that is appropriate. We do not in a hostile way
routinely shut down the hackers, whether they are in Venezuela,
China, or 100 other countries around the world. As a matter of
fact, it is considered to be bad form for us to retaliate to
somebody even as they hack into the House of Representatives.
So Madam Chair, I would hope that our questioning will go
beyond how we can throw money at the problem and whether in
fact we need international conventions and a will to deal with
people who come through the Internet and attempt to hack us in
a way in which the response is as punitive to them in a
nonviolent but equally effective way as any other act of war.
With that, I yield back.
Ms. Watson. Mr. Cuellar.
Mr. Cuellar. Thank you, Madam Chair. Thank you for having
this meeting. As we look at the challenges in securing Federal
information systems, I think, Madam Chair, that it is important
that the Congress and the executive branch work together to
develop this blueprint to protect our Federal information. One
of the things is to have hearings like this where we can have
the Department of Defense, the State Department, and other
folks sit down.
But to have one of the agencies that is in charge of
protecting our homeland, the Department of Homeland Security--
and I am one of the chairmen of one of the subcommittees in
Homeland--I am a little disappointed that they are not here.
Apparently, my understanding was that you all gave them 3 or 4
weeks advance notice to be here and I guess they just canceled
this last Friday. What was the rationale about that? If I may
inquire of the chairwoman, what was the rationale for them not
being here?
Ms. Watson. We couldn't get the Director and the next
person in line had a family emergency. We sought someone else
at the upper levels but they could not attend. We are going to
work on that so they will be in attendance at future hearings.
Mr. Cuellar. Do we have anybody from the congressional
liaison from Homeland Security present here today? I am sure we
have somebody here.
Ms. Watson. Apparently not. Nobody is jumping to put their
hand up. So we will just assume.
Mr. Cuellar. We will assume there is nobody here. Well,
again, I can understand a family reason, but I do understand
that there are other folks who can come here.
I do want to mention that I am a big supporter of Homeland
Security but they do have a record of missing over 120
congressional mandates that we have set for them. I have spoken
to the new Secretary and she assures me that they are going to
work on deadlines and all that. But I think showing up is
probably the first step to show a little cooperation with the
Congress.
I hope there is another time when we can bring him here. I
am sure we can set up something where if somebody can't come
in, I am sure the second or the third person can come in.
Because we are losing an opportunity.
The folks who are here today spent a lot of time to be
here, a lot of time preparing. I know it doesn't mean that they
just show up. It is a lot of hours in preparing to be here. It
would have been nice if we would have had Homeland here so we
can get a perspective from the Department of Defense, the State
Department, and Homeland. We are losing an opportunity.
But Madam Chair, I look forward to working with you and the
other members of the committee.
Ms. Watson. I think as they get their footing they will
cooperate with our committee. We will assure Members and the
public that they will be part of this. We cannot continue to
assess the information given, and maybe we will have to have a
classified session with them, but for sure we will seek their
input and their participation. I know they will cooperate. We
will guarantee you that.
All right, if there are no further opening statements, we
will now turn to our first panel. It is a policy of this
Committee on Oversight and Government Reform to swear all
witnesses before they testify. I would like to ask you both to
please stand and raise your right hands.
[Witnesses sworn.]
Ms. Watson. Let the record reflect that the witnesses
answered in the affirmative. Thank you. I will now introduce
our panelists.
The first is Mr. Robert F. Lentz, the Deputy Assistant
Secretary of Defense for Cyber, Identity, and Information
Assurance at the Department of Defense. Since November 2000, he
has been the Chief Information Assurance Officer for the
Department of Defense and oversees a Defense-wide Information
Assurance Cyber Program which plans, monitors, coordinates, and
investigates IA cyber activities across DOD.
The other witness, Mr. Streufert, is the Deputy Chief
Information Officer for Information Security at the Department
of State. He is responsible for providing oversight and
guidance for information assurance activities including
security policy development, risk management, system
authorization, training and awareness, compliance reporting,
and performance measures. Prior to his tenure at State, he
served in various IT management roles at USAID, USDA, and the
U.S. Navy.
I ask that each of the witnesses give a brief summary of
your testimony. Keep this summary under 5 minutes in duration
if possible. Your complete written statement will be included
in the hearing record.
Mr. Lentz, would you please proceed?
STATEMENTS OF ROBERT F. LENTZ, DEPUTY ASSISTANT SECRETARY OF
DEFENSE FOR CYBER, IDENTITY, AND INFORMATION ASSURANCE, U.S.
DEPARTMENT OF DEFENSE; AND JOHN STREUFERT, DEPUTY CHIEF
INFORMATION OFFICER FOR INFORMATION SECURITY, BUREAU OF
INFORMATION RESOURCE MANAGEMENT, U.S. DEPARTMENT OF STATE
STATEMENT OF ROBERT F. LENTZ
Mr. Lentz. Good afternoon, Chairwoman Watson, Congressman
Bilbray, and members of the subcommittee. I am pleased to
appear before the subcommittee to discuss initiatives to
enhance the Department's and the Nation's information assurance
cybersecurity posture.
This is a critical priority for the Department of Defense.
With information and information technology assets distributed
over a vast enterprise with diverse domestic and international
partners, we know that we cannot execute operations without the
GIG, the Global Information Grid which is our DOD network. The
GIG is where business goods and services are coordinated; where
medical information resides; where intelligence data is fused;
where weapons platforms are designed, built, and maintained;
where commanders control forces; and where training, readiness,
morale, and welfare are sustained.
Maintaining freedom of action in cyberspace is critical to
the Department and to the Nation. Therefore, the Department is
focused on building and operating the GIG as a joint global
enterprise. This enterprise network approach coupled with
skilled users, defenders, and first responders in partnership
with the intelligence and Homeland Security communities will
allow us to more readily identify and respond to cyberattacks.
The DOD Information Assurance Cybersecurity Program is thus
aimed at ensuring that DOD missions and operations continue
under any cyber situation or condition and that the cyber
components of DOD weapons systems perform as expected. There
are many examples of current initiatives in my statement for
the record. I will quickly highlight a few this afternoon.
To protect sensitive data on mobile and portable devices
like laptops, we help make discounted encryption products
available to all Federal, State, local, and tribal government
agencies and to NATO. Since July 2007, this program has
resulted in a U.S. Government cost avoidance of approximately
$98 million.
To address cybersecurity risks to the defense industrial
base, we have put in place a multifaceted pilot for threat and
vulnerability information sharing, incident reporting, and
damage assessments.
For the global supply chain, the Department has launched a
program to protect mission critical systems. This year, we are
establishing four Centers of Excellence to support program
executive offices and supply chain risk mitigation throughout
the system lifecycle. Additionally, we are executing
vulnerability assessments in accordance with the 2009 National
Defense Appropriations Act.
We continue to rely on the National Centers of Academic
Excellence in IA education for critical cybersecurity skills.
There are currently 94 Centers in 38 States and in the District
of Columbia. One of those Centers, as an example, the
University of Nebraska at Omaha cosponsored and hosted last
year's fifth annual cyber defense workshop.
In 2008, the Department helped bring cybersecurity to the
Wounded Warrior Program. Wounded, disabled, and transitioning
veterans are receiving no cost vocational training in digital
forensics, a critical technical shortfall for the Nation and
the Department. The program started out at Walter Reed and is
now being expanded to other DOD and VA hospitals.
To further harden our networks against cyberattacks, the
Department is implementing the Federal Desktop Core
Configuration. This is a pivotal Government and industry
cooperative venture starting with ubiquitous Microsoft products
to make computers more stable and defensible.
In conclusion, the DOD CIO is working toward a resilient
and defendable core network for the Department and for the
Nation in the face of the daunting security challenges you
talked about. We are preparing the GIG and the GIG-dependent
missions to operate under duress and we are doing so under
conditions of rising hostility. I am happy to take questions.
[The prepared statement of Mr. Lentz follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. You may proceed.
STATEMENT OF JOHN STREUFERT
Mr. Streufert. Good afternoon, Madam Chairwoman Watson,
Ranking Member Bilbray, and distinguished members of the
subcommittee. I am pleased to have this opportunity to testify
before the subcommittee regarding the Department of State's
capabilities for combating cyber threats, detecting and
mitigating vulnerabilities, and securing the Department's
global information and technology infrastructure. My statement
will describe key elements of the Department's information
security program.
Madam Chairwoman, as you know from your time at the
Department of State, we serve as the diplomatic front line in
over 270 overseas posts. This global reach affords the
Department a unique perspective on cybersecurity as we provide
for the confidentiality, integrity, and availability of a
worldwide network for the 50,000 users of the Department and
the application software that they put to work. The foreign
policy mission makes an inviting target for attack by highly
skilled cyber adversaries.
However, the Department's layered approach to risk
management allows multiple levels of protection. This
protection is accomplished by implementing a matrix of
technical, operational, and management security controls. In my
dual roles as Chief Information Security Officer and Deputy
Chief Information Officer for Information Security, I am part
of an integrated team. Together, technical and operational
security experts of the Department work in close coordination
with the DOD and others to satisfy mission essential
requirements from our command and control capabilities, network
and critical infrastructure protection, law enforcement, and
intelligence community support.
The scope of cyber activity the Department faces in a
typical week includes blocking 3 1/2 million spam emails,
intercepting 4,500 viruses, and detecting over a million
external probes to our networks. The Department maintains a 24
x 7 network watch program that guards against external
penetration, compromise, or misuse of the Department's cyber
assets.
Analysts stationed at our network monitoring center serve
as continuous sentries for inappropriate network activity. The
analysts perform preliminary assessments to confirm the nature
and source of suspicious network security events. Those matters
deemed significant are escalated to our Computer Incident
Response Team [CIRT], for in depth analyses and corrective
action. CIRT analysts track all reported actions through
completion and coordinate incident response actions with all
stakeholders including our internal Department security units,
the Department of Homeland Security, US-CERT, and law
enforcement entities.
To combat increasingly sophisticated cyberattacks, the
Department of State's Cyber Threat Analysis Program provides
early warnings about potential cyber incidents. This team of
technical analysts performs essential in depth assessments of
network intrusions and helps to coordinate the Department's
response to sophisticated cyberattacks. In addition, they
perform proactive penetration testing and network forensic
analyses to detect and resolve significant threat issues.
The Global Security Scanning program at the Department
serves multiple essential purposes covering all of its domestic
and overseas locations. Electronic tools perform functions that
include confirming what is connected to the Department's
networks; assuring that computers, networks, and software are
in the safest of configuration settings; locating system
vulnerabilities that need correction; and collecting evidence
for cybersecurity investigations. Global Scanning is
complemented by our computer security officers that are posted
both regionally and locally for overseas embassies and
consulates as our boots on the ground.
To strengthen its operational capability, the Department
has created the Risk Scoring Program to help pinpoint and
correct the worst network and system vulnerabilities on any
particular day both locally and for our networks worldwide.
Risk points are assigned for cyber threats consistent with
vulnerabilities defined in the National Institute of Standards
and Technology guidelines.
Every computer and server connected to the Department of
State network is scanned worldwide on a continual basis. Based
on progress in reducing vulnerabilities overseas and at
headquarters organizations, each entity is graded from an A to
an F for their work during the last month. In this sense, it
functions like a daily quiz where at the end of the month there
is a test and a grade is given.
Madam Chairman, we are pleased to report that an embassy as
far flung as the one in Kolonia where you served currently has
an A+ with perfect ratings in 6 of 10 categories we evaluate,
notwithstanding how far it is from many other industrialized
centers.
Since July 2008, overall risk on the Department's key
unclassified network has been reduced by nearly 80 percent in
overseas sites and 55 percent in domestic locations.
The Department's Cybersecurity Incident Program was formed
to address consequences for acts of cyber misuse or abuse by
individuals. The Cybersecurity Incident Program applies to all
Department system users and defines infractions and violations.
More serious violations are cases where the failure to comply
with a specific Department policy exists and results in damage
or the potential of significant damage to the Department's
cyber infrastructure. Upon notification of an incident, an
investigation is undertaken incorporating several Department
organizations charged with gathering what is necessary to
ensure a prompt and appropriate response to the cyber event
while protecting the rights of the accused.
For those that are found to have committed an infraction or
violation, the consequences available to the Department range
from a letter of warning to suspension of network access. In
select cases, further disciplinary action has been recommended
or referral for criminal prosecution.
Madam Chairwoman, I want to conclude by reiterating that
the Department's strategy and programs are continually adapting
to match the ever changing threats to cybersecurity. We believe
we have the policies, technology, business processes, and
partnerships in place to evolve and meet the continuing
challenges of security threats in the cyberspace environment.
I thank you and the subcommittee members for this
opportunity to speak before you today. I would be pleased to
respond to your questions.
[The prepared statement of Mr. Streufert follows:]
Ms. Watson. Thank you so much for your testimony. We are
now going to move to the question period and proceed under the
5-minute rule. I will make my statement and then I will
recognize the ranking member, Mr. Bilbray for 5 minutes as
well.
These questions will be for both panelists. You can respond
as soon as I finish. When we talk about cyberattacks against
Government agencies, we often fail to determine the purpose of
the attacks being carried out such as those for economic gain,
espionage purposes, or simply to disable or to disrupt
Government operations. If possible, I would like both of you to
offer some general observations on the differences or the
similarities between cyberattacks from both domestic and
international sources. Are there distinguishable motives or
things for either source? Do certain groups target specific
networks or cyber infrastructure in their activities, or do
they look for the weakest link in the chain for attack?
I am very pleased that Kolonia in the Micronesian Islands
is following a good example and that they are A+. That is a
little personal thing, there.
But if you will start, Mr. Lentz, I would appreciate it.
Mr. Lentz. I think your question is a very good one because
the state of cyber threats has changed dramatically over the
last several years. In fact, what we are seeing in the past 18
months is a significant rise in cyber crime activity, a
significant rise. Before that, it was pretty much exclusively
in the hacker domain where we would get a lot of our cyber
events occurring. That skill set has dramatically improved in
terms of its skill craft as well.
But going to your question, the state of play, because
cyber criminals now can use the Internet to make lots of money,
provides them a playing field that is very rich with targets of
opportunity. So that is a significant concern of all of us,
particularly other sectors of the U.S. Government and of course
the private sector.
But the other aspect of this is one that we in the
Department of Defense are of course always concerned about, the
threat against our national security systems and our weapons
programs. We always have to be prepared for a nation-state or
surrogate of a nation-state to take action against our networks
either for espionage or for other denial of service purposes in
conflict. So that is the other aspect of this problem, which is
continuing to grow in sophistication. It is one that we are
very concerned about and we have to be prepared for.
Ms. Watson. Mr. Lentz, naturally there is probably little
you can tell us in an opening statement or in your statement
about the recent breaches to the Joint Strike Fighter and
Marine One programs. But I do, however, feel obligated to ask
you about some general background that is consistent with what
is part of the public record. So can you tell us where you are
in determining the sources of the breaches and whether they
were government sponsored or private cyber criminals at work
there?
Mr. Lentz. As you said, Madam Chairwoman, this issue is
very sensitive. We are prepared to give the committee a
classified briefing of the details of the investigation. Much
of this investigation right now is held in law enforcement
channels under warrants. It is an ongoing investigation. That
is the current position where we are. It is a very important
priority of ours to get to the bottom of this.
Ms. Watson. I know that technology improves every single
day. I am wondering if the personnel who work on our posts are
well equipped with the knowledge of how it operates and the
uses. Do you then train, say the new Ambassadors and the
embassy staffs, along these lines of the increases in
technology?
Mr. Lentz. Training and education awareness is without a
doubt one of our top priorities. In my opinion, I think it is
our most important priority because people are what run our
network. We improve awareness training every single year. One
of the things that we are doing a lot more of, to go to the
heart of your excellent question, is leadership training. That
is one of our highest priorities right now, to the highest
levels of our Department, to make sure that general officers
and senior officials coming into the Department are briefed in
an in depth form on the cyber threat. It is a very big priority
to include our mission partners in places like embassies to
make sure. We team with State Department in collaborative
efforts to do the same thing.
Ms. Watson. Mr. Streufert, do you want to comment?
Mr. Streufert. To your question of training, we place an
extraordinarily high value on the current Federal Information
Security Management Act. It encourages that there is annual
awareness training. At the State Department, by one method or
another, we provide sometimes oral briefings to the most senior
leadership of the Department of State, or in other cases,
remote distance learning. For the balance of the Department, we
see training to be extraordinarily beneficial as our users are
an important part in the protection of the information that the
Department of State has and what we are asked to protect.
The State Department has initiated a pilot project for a
method of training called Tips of the Day. What we do, when the
computer users log on in the morning, is to provide them two or
three sentences of instruction and then, to those connected in
what we expect to pilot in two of our bureaus here in the
coming weeks, a true/false question. Then we keep track of
those answers and the level of understanding about basic
security awareness.
We found this to be a particularly beneficial mechanism at
an earlier point of testing after a laptop was lost in one part
of the Government. This occurred at USAID. We very quickly went
out and reinforced that personally identifying information
should not be carried out of a Government space without prior
arrangements, which has evolved to become encryption to later
events.
So along with Mr. Lentz, we believe that training is a very
essential part to keep our users leaning forward to complement
the important changes we make in technology.
Ms. Watson. My own time is up. I will recognize the ranking
member, Mr. Bilbray, for 5 minutes.
Mr. Bilbray. Thank you, Madam Chair. Thank you for having a
loud mic this time around. I appreciate the technology
advancement.
Mr. Lentz, sadly there are a whole lot of things we can't
talk about here in public. So I guess that is sort of an
indication of how important this issue is going to be.
There is a lot of discussion about how secure our systems
are within the structure and whatever. But I want to sort of
back off and go down to the fact of who has access into these
systems, especially the contractors. Right now, within the
Department itself, we verify before we hire somebody in house
who they are and what they are. We use E-Verify to classify
that, right? Within the Department itself, we use E-Verify?
Mr. Lentz. That is right.
Mr. Bilbray. But we have delayed--correct me if I am wrong,
you may be doing this with your contractors--but right now the
administration has delayed the implementation of E-Verify from
February I guess until late June. Are you now with your
contractors that are being brought in to work on a lot of these
projects, are you now by policy requiring e-verification of
every employee so we know they are who they are, or at least
have the justification to know that the Social Security and
other information they have given is viable?
Mr. Lentz. My understanding is we do not use E-Verify
within the Department of Defense. So I can't really respond to
that particular question. We can take that for the record and
talk to DSS and get some specifics.
Mr. Bilbray. I just think that kind of the minimum is that
we make sure that everybody is checked. As far as I know, you
are supposed to be using it in house. Members of Congress use
it. Everybody in the Federal system is supposed to be E-
Verifying whenever we hire.
The trouble is when we bring the contractors in. We have
had situations where contractors have been working on nuclear
powered ships and it was a major concern. I just want to make
sure that we put the same level of security on our information
systems that we put to our nuclear ships. That is make sure
that any contractor who is coming in, who has access to our
systems, has at least been checked that they are who they claim
to be. That is the first level of security we ought to talk
about.
So I would ask that you take a look at that. I think, God
forbid, we wouldn't want to have next month come out and
everyone say, well, why didn't we implement this earlier. There
were things that Congress couldn't even discuss in public but
people that hadn't been checked were being allowed into the
system. I ask that we see what kinds of systems, first of all,
we have to make sure the access into the system is only people
that have been qualified.
In that category, generally what efforts underway do we
have to secure the contractors' networks and their material?
Mr. Lentz. First to go back to your first question, one
program that we have instituted in the Department of Defense is
a program called FICS, which stands for Federated Identity
Credentialing Service. It is a program we have working with
industry to, in a federated way, to recognize their security
clearance process. Then using electronic authentication
capabilities, we can in fact recognize their entrance into the
Department of Defense installations.
Mr. Bilbray. Now that electronic, is that biometric or is
that just the pass card system?
Mr. Lentz. It is currently using PKI, Public Key
Infrastructure technology. That is the same technology we use
in the Department of Defense to implement Homeland Security
Presidential Directive No. 12 pervasively throughout the
Department. So that technology is proven.
Mr. Bilbray. Is there biometric confirmation in that?
Mr. Lentz. It does not currently leverage biometrics but we
do have a program for three factor authentication underway to
pilot that throughout the Department.
To the other part of your question, we have our defense
industrial base effort that we launched a little less than 2
years ago. That effort is aggressively going after the control
of unclassified information that resides on our contractor
systems. We have a pilot underway with a number of our top
industrial partners to help protect their networks to the same
level that we are protecting our own.
As I mentioned in my oral remarks, this program has proven
to be very successful both in getting very timely threat
information to our industrial base partners, but also for them
to provide us very timely information on incidents that they
have occurring on their networks. We use a very strong policy
framework and legal framework to protect the equities of each
of us to make sure that information flows near real time if at
all possible.
Mr. Bilbray. Madam Chair, I wasn't planning on following
this line but I have sort of fallen into the fact that the
first line of defense against somebody messing with our
information system is to make sure the people we hire to help
do the work aren't people we don't want on there.
I have just quickly a question because my time is up. Do we
have the same access system going into the Pentagon today that
we had during 9/11? It sure looked like the same system to me.
Have we upgraded and put biometrics or anything else on the
Pentagon?
Mr. Lentz. No, sir.
Mr. Bilbray. I just think that is something we need to talk
about in the future. I appreciate it, Madam Chair.
Ms. Watson. Mr. Connolly.
Mr. Connolly. Thank you, Madam Chair. Let me ask each of
you, in your respective agencies, what keeps you up at night?
What is your sense of the biggest threat you worry about? Is it
hacking into the system? Is it just a breach of security
because somebody is not careful? Is it unwarranted inquiries
into classified and/or unclassified systems? Is it the far
flung enterprise you each represent?
Mr. Streufert, I think you mentioned 280 locations around
the world for the State Department. There must be an equal
number in the Defense Department. Levels of security have to
vary given that far flung enterprise.
I would just like to have some sense from each of you in
terms of the Defense Department and the State Department of
your sense of the nature of the threat and how well equipped we
are from your point of view to address that threat.
Mr. Streufert. Congressman, an aspect that keeps me up at
night is precisely the one that you mention on how far flung
the Department of State is, particularly in conjunction with
the comments that a number of Members have made and Mr. Lentz
about how sophisticated and evolving the threat is.
The reality is that we could have new threats which would
appear overnight. In practical terms, if we don't have a tool
that is capable of diagnosing that threat, we could have
difficulties that could get away from us and potentially cause
harm.
So I think that the future of protecting Federal networks
is likely to aim in the direction of trying to find those sets
of tools that could be made available to those within the .gov
network, which you made appropriate reference to, to figure out
how we can protect the information that the American public
entrusts with those of us at the national level and distributed
throughout the other parts of the Federal Government and in the
States. I think that is a very challenging area. We just have
to watch the continually evolving threats and figure out a way
that we can step up to them.
Mr. Lentz. As Chairwoman Watson said, what keeps me up at
night is the pervasiveness of this threat when we talk about
cyber espionage and the amount of information that is getting
stolen, from not just the Government's potential networks but
the Nation at large. The technology edge that we have
currently, especially when it comes to innovation, is one that
we have to protect very, very carefully. I think that keeps me
up at night, not only as a Government employee but as a private
citizen.
The second thing is, from a DOD standpoint, the threat of a
nation-state in terms of what it can do if hostilities rise to
that point. We have to have the best protection mechanisms in
place and redundancy in our capability to withstand a very
sophisticated nation-state, in light of the fact that all of
our systems and networks and people are now so dependent upon
the network and information to be successful, as we see in the
Information Age. Those are the two things that keep me up.
Mr. Connolly. The suggestion has been made that the very
nature of the architecture of the Internet as such an open
system, so all-encompassing, that by its very nature it is
subject to compromise. There is just no getting around it. Have
you given thought to creating parallel systems that are closed
for the U.S. Government? Would it work?
Presumably, the same techniques for hacking into or
compromising even a secure system on the existing Internet
could likewise be applied to a parallel closed system. I would
be interested in whether your respective agencies have examined
that and what you think about the practicality of it.
Mr. Streufert. This is an area that we looked to under the
Committee on National Security Systems, in which Mr. Lentz
plays a very active part and I am privileged to participate at
a number of their activities each year. There are some
technologies that are being worked on in the Department of
Defense that seem to hold the best prospects for protecting
information of national security importance, but also of the
nature of protecting personally identifying information as an
example.
The use of the Internet has both risks and potential
benefits for the American public. As an example, with the
consular function, which I know the Madam Chairwoman
understands very well, we are able to support the needs of the
public through some online activities which make it easier for
people at a distance to obtain visas and passports. On the
other hand, that same technology which is an aid to the
American people is a potential risk.
There are a number of technologies that DOD is evaluating
for virtual operating systems. They permit the possibility that
if there would be a potential threat to the computer system,
there would be a refresh of the image of that computer on its
next use so that the regular work could go forward. And that is
just one of many techniques that we try to work with the
Department of Defense on.
Mr. Connolly. I would ask unanimous consent that Mr. Lentz
be allowed to answer. My time is up. But if we could just hear
the Department of Defense response, if that is acceptable?
Ms. Watson. Go ahead.
Mr. Connolly. I thank the Chair.
Mr. Lentz. We completely agree that network resiliency, the
ability of our network to be able to withstand and maintain
continuity of operations under any form of attack, is a very
high priority of ours. We are designing in every day as many
measures as possible to ensure that from the top secret
sensitive networks to our command and control secret networks
we can withstand that kind of sophisticated attack. So we are
investing as much as we can to harden that network to do that.
I will say that the growth, as I said, of technology and
the escalation of the threat pose a significant challenge to us
every single day. We must continue to invest and leap ahead
with technologies to stay further ahead of our adversaries
instead of just keeping pace with them.
Ms. Watson. Mr. Cuellar.
Mr. Cuellar. Thank you, Madam Chair. I think we understand
the threats that we are seeing now have been increasing by
large numbers. For example, the Department of Homeland Security
reported in 2007 that they had received about 18,000 cyber
related incidents. The Department of Defense, according to GAO
the Department of Defense had received approximately 6 million
scans or probes daily from unidentified areas. The Department
of Energy, the Los Alamos National Laboratory reported
receiving an estimated 10 million probes of its classified
systems per month to 2007. I think we have seen even
congressional offices that have been subject to some of these
attacks also.
I guess one of my questions has to do with lessons learned
and what cooperation, communication we have with the different
agencies. What best practices are we learning from each other?
Just looking at body language, and I am probably wrong, do
you all know each other? Do you talk?
Mr. Streufert. Yes.
Mr. Lentz. Constantly.
Mr. Cuellar. But do you all work on a professional basis in
the sense of this is what we learned, this is what has happened
in the State Department, this is what has happened at the
Defense Department?
Mr. Streufert. Yes.
Mr. Cuellar. What are the lessons learned that you can tell
us that we can share and that the Intelligence Committee or the
intelligence community can share with each other? I am sure
each agency is learning something on those cyber attacks and
how we defend each other, but how do you share that with
another agency? It might be that somebody is learning something
that could help another agency.
Mr. Lentz. One of the things that has been a huge priority
of ours over the last several years, as you stated in your
statistics you said earlier, is the pace by which our network
is being scanned. The immensity of that threat is such that our
intelligence agencies and our law enforcement agencies are
richly connected these days sharing information. From our Joint
Task Force for Global Network Operations within the Department
of Defense to the Defense Cyber Crime Center, which is our
front door for our defense industrial base--
Mr. Cuellar. By the way, let me interrupt. GAO reported in
2007 that you all had 6 million unauthorized probes and scans
but I think in your testimony you referenced 360 million.
Mr. Lentz. That is correct.
Mr. Cuellar. So did it increase from 6 million to 360
million?
Mr. Lentz. That is correct. That reflects several things.
One, it just reflects, as the chairwoman said, the
immensity of the threat. The threat is increasing
exponentially. The amount of individuals and machines, what we
call in our techie parlance botnets, that are out there,
machines pinging the network, probing our network, has grown
exponentially.
In addition, we have better sensoring technology within our
network now versus 2006. It is now able to allow us to better
understand and better have knowledge of these probes and scans
that are occurring on our network.
Also, our Computer Emergency Response Teams are now working
very much closely together. They collect these statistics that
are now reported up, which is what is reflected in the more
updated report.
That goes to the heart of your very good question. All
these centers are working together to be able to share
information. The one challenge that we have is protecting
information and not letting it out as fast as possible. That is
a cultural issue that must be dealt with. That is one that I
think is probably the biggest Achilles heel that we have.
We need to have law enforcement and the intelligence
community make sure that they open up information as fast as
possible because we are talking about real time threats that
therefore need real time responses and situation awareness. So
we therefore are all learning from each other to deal with
that.
Mr. Cuellar. But what protocols do you all have in place
that gets you to provide your lessons learned to, let us say,
the gentleman next to you from the State Department? What are
the protocols?
Like you were saying, it is moving so quickly. There is a
scan and a probe here, and there is something new here. How do
we share that? What protocols do we have in place to provide
that communication and coordination with other Federal
agencies?
Mr. Streufert. Congressman, there are things happening on
many different levels, beneficially simultaneously. Perhaps
what we can learn from this is that we need to get better and
better. These include daily video conferences that are held
between the key components of the Government.
Mr. Cuellar. Does that include Homeland Security?
Mr. Streufert. Yes.
Mr. Cuellar. OK. Thank you.
Mr. Streufert. The regular interactions between US-CERT and
the civilian agencies are very active. We are discussing
signatures in particular threats, responding to things like the
recent Conficker and a number of the other threats.
At the State Department, we have a unit which analyzes
threats. Because we are members of a country team and have so
many locations overseas at embassies and consulates, we are
available to assist them if there is identification of a
particular problem and they ask about it. We can proactively
reach in their direction.
All of these I think are beginnings of an effort where we
as a country, if we can become the strongest team among
nations, we will do the best in a very rapidly evolving area.
Mr. Cuellar. I want to thank both of you and the men and
women who work with you. I know the future challenges are just
amazing. So I really appreciate the work that you all do. Thank
you.
Ms. Watson. I want to thank the panel for your testimony.
There are a couple of things we would like to set up a
classified briefing about. We will get together with you to
determine the time. I think there is far more information that
we need to know as part of this hearing or subsequent to this
hearing. So we will be in touch with you.
That is the bell that says we have three bills on the floor
to vote on. I will dismiss this panel. Thank you very much. You
may be dismissed now.
Mr. Bilbray. Madam Chair, before they are dismissed I would
just ask one thing. There is this big issue, to follow up on my
colleagues, that is the issue that was brought up by the Center
for Strategic and International Studies and the concept of
having a coordinator in the White House for oversight on all of
these agencies. I would ask that you respond in writing
specifically to your concerns or your support or whatever you
have about the concept of having a designated person in the
White House itself to be able to coordinate this.
I appreciate my colleagues bringing up this issue because
those firewalls and all the problems we had in 9/11, we are
seeing we have the same problems here.
Ms. Watson. Without objection, we will ask for the
committee to raise that question. We will ask for responses as
soon as possible.
With that, we will dismiss. We will recess this committee
hearing. We will come back, I would say, it would be close to 4
p.m. for panel II. Sorry for the break but we need to get to
the floor. Thank you so much for your testimony.
[Recess.]
Ms. Watson. I would like to invite our second panel of
witnesses to come forward. You are already in your seats. It is
the policy, as you know, of this committee to swear in all
witnesses before they testify. I would like to ask all of you
to please stand and raise your right hands.
[Witnesses sworn.]
Ms. Watson. Thank you. You may be seated. Let the record
reflect that the witnesses answered in the affirmative. Now I
will take a moment to introduce our distinguished panelists.
Mr. Gregory Wilshusen serves as the Director of Information
Security Issues at GAO. His work involves examining Federal
information security practices and trends at Federal agencies.
He is GAO's leading expert on FISMA implementation.
James Andrew Lewis directs the CSIS Technology and Public
Policy Program. He is a Senior Fellow and most recently served
as Project Director of the CSIS Commission on Cybersecurity for
the 44th Presidency. Before joining CSIS, he was a career
diplomat who worked on a range of national security issues
during his Federal service, including several bilateral
agreements on security and technology.
Lieutenant General Harry D. Raduege retired after 35 years
in the U.S. military where he last served as the Director of
the Defense Information Systems Agency. He also served as co-
chair of the CSIS Commission on Cybersecurity for the 44th
Presidency.
Mr. Marcus Sachs is the Director of the SANS Internet Storm
Center, an all volunteer Internet early warning service
sponsored by the SANS Institute in Bethesda, MD. His
professional experience includes a 20 year military career as
an Officer in the U.S. Army followed by 2 years of Federal
civilian service at the White House as part of the National
Security Council and at the U.S. Department of Homeland
Security.
Then we have Liesyl I. Franz. She is the Vice President for
Information Security and Global Public Policy at TechAmerica.
Prior to her current position, she worked at the Department of
Homeland Security and in Government Relations for EDS.
Now, I will ask that each one of the witnesses please give a
brief summary of your testimony. Keep this summary, if you can,
under 5 minutes in duration because your complete written
statement will be included in the hearing record.
Mr. Wilshusen, please proceed.
STATEMENTS OF GREGORY WILSHUSEN, DIRECTOR INFORMATION SECURITY
ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; JAMES ANDREW LEWIS,
DIRECTOR AND SENIOR FELLOW, TECHNOLOGY AND PUBLIC POLICY
PROGRAM, CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES; MARCUS
H. SACHS, DIRECTOR, SANS INTERNET STORM CENTER, SANS INSTITUTE;
LIEUTENANT GENERAL HARRY D. RADUEGE, JR., RETIRED, CO-CHAIRMAN,
CSIS COMMISSION ON CYBERSECURITY FOR THE 44TH PRESIDENCY; AND
LIESYL I. FRANZ, VICE PRESIDENT, INFORMATION SECURITY AND
GLOBAL PUBLIC POLICY, TECHAMERICA
STATEMENT OF GREGORY WILSHUSEN
Mr. Wilshusen. Chairwoman Watson, thank you for the
opportunity to participate in today's hearing on the threats,
vulnerabilities, and challenges in securing Federal information
systems.
Information security is a critical consideration for any
organization that depends on information systems and computer
networks to carry out its mission or business. The need for a
vigilant approach to information security has been demonstrated
by the pervasive and sustained cyber-based attacks against the
United States that continue to pose significant risks to
systems and to the operations and critical infrastructures that
they support.
Cyber threats to Federal systems and cyber-based critical
infrastructures are evolving and growing. These threats can be
intentional or unintentional, targeted or non-targeted. They
can come from a variety of sources such as foreign nations
engaged in espionage and information warfare, criminals seeking
monetary gain, hackers and virus writers proving their mettle,
and disaffected employees and contractors working within an
organization. Moreover, these groups and individuals have a
variety of attack techniques at their disposal.
Cyber exploitation activity has grown more sophisticated,
more targeted, and more serious. Perhaps reflective in part of
the evolving and growing nature of these threats to Federal
systems, the number of incidents reported to US-CERT tripled
during fiscal years 2006 through 2008 from about 5,500 to over
16,800 incidents. Agencies have experienced a wide range of
incidents involving data loss or theft, computer intrusions,
and privacy breaches.
These factors highlight the need for effective security
policies and practices. However, serious and widespread control
deficiencies and vulnerabilities continue to place Federal
assets at risk of inadvertent or deliberate misuse, financial
information at risk of unauthorized modification or
destruction, sensitive information at the risk of inappropriate
disclosure, and critical operations at risk of disruption.
Over the past several years, GAO has made hundreds of
recommendations to assist agencies in countering cyber threats,
mitigating identified vulnerabilities, and strengthening
security controls over Federal information systems. Effective
implementations of these recommendations will help agencies to
prevent, limit, and detect unauthorized access to computerized
networks and systems; help ensure that only authorized users
can read, alter, or delete data; better manage the
configuration of security features for hardware and software;
assure that changes to those configurations are systematically
controlled; better plan for contingencies which can prevent
significant disruptions of computer-dependent operations; and
to fully implement an agency-wide information security program
that provides protections commensurate with the risk and
magnitude of harm resulting from the unauthorized access, use,
disclosure, or modification of its information and systems.
This includes those operated by contractors.
Agencies have implemented or are in the process of
implementing many of our recommendations. Nevertheless,
agencies will continue to face significant challenges in
securing their systems and information going forward. For
example, the complexity of highly diverse, dispersed, and
interconnected Federal computing environments; the
preponderance of defective software; the increasing reliance on
contractors for operational IT support; and the emergence of
new technologies, threats, vulnerabilities, and business
practices will continue to challenge the abilities of agencies
to sufficiently safeguard their information technology
resources.
To help address these and other challenges, sustained
commitment, oversight, and improvements to the national
cybersecurity strategy are needed to strengthen Federal
information security. Chairwoman Watson, this concludes my
opening statement.
I will be happy to answer questions at the appropriate
time.
[The prepared statement of Mr. Wilshusen follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. Thank you.
Mr. Lewis.
STATEMENT OF JAMES ANDREW LEWIS
Mr. Lewis. Thank you. I thank the committee for the
opportunity to testify.
Digital networks provide real economic benefit but the
combination of greater reliance on networks and inadequate
attention to security has made our Nation vulnerable. My
written statement lists a number of publicly known incidents
that occurred just in the last year.
The failure to secure America's information infrastructure
weakens the United States and makes our competitors stronger.
The real risk lies in the long term damage to our economic
competitiveness and technological leadership. We are everyone's
target. Cyber attacks could provide the capability to disrupt
key services as in the case of an opponent who accesses a
utilities control system. But the immediate problem is the loss
of intellectual property and advanced commercial and military
technology to foreign competitors.
Right now, attackers have the advantage. The principal
threat comes from well financed and innovative opponents. The
most skilled are foreign military and intelligence services
with immense resources and experience. The first Russian hack
of DOD computers, for example, occurred more than 25 years ago.
They have been continuing to engage in this sort of activity
ever since. These government agencies, however, are almost
matched by highly sophisticated cyber criminals who buy and
sell tools and data in virtual black markets and who are safe
from the threat of prosecution.
The sources of vulnerability are outdated policy and laws
and inadequate technologies. The Internet as it is currently
configured and governed cannot be secured. If we continue on
the course we are on today where we have not learned how to
balance efficiency and security, these vulnerabilities will
only grow.
The United States has been trying to improve cybersecurity
for more than a decade. The last 12 months have seen some
progress. The Obama administration has identified cyber
security as an important national security issue. But we are
still mired in debate.
There are arguments that the Government should only secure
its own networks and lead by example. This won't work because
we are really all on one big network, Government and private
sector, America and foreigners. It is like saying we should
tune up half the car and hope that the other spark plugs are
inspired.
Some say that since most networks are privately owned, we
should rely on the private sector for defense. This is like
saying that since most airplanes are private, we should depend
on the airlines to defend our airspace. National security is a
function that only the Government can perform adequately.
People worry that if we secure our networks, it will damage
America's ability to innovate. But more investment in
innovation, which I applaud, is pointless if we are only going
to share it for free with our foreign competitors.
We need a comprehensive Government-led approach to secure
cyberspace. In recognition of this, the CSIS Cybersecurity
Commission, which some of us served on, recommended a broad
national approach, the creation of a strong White House cyber
advisor with clear authorities, and the development of a
national security strategy that would use all the tools of U.S.
power.
Government policy will determine whether we fail or
succeed. Government acquisition rules can create a market for
more secure products. A revised FISMA would improve agencies'
security and provide a template for the private sector.
International engagement, expanded law enforcement, a judicious
use of regulatory powers, and investment education and research
can change the situation from one where we are losing to one
where we are at least holding our own.
The problems we face in cyberspace, espionage, crime, and
risk to critical infrastructure, will not go away. But the
risks they pose can be reduced by coordinated Government
action.
As you know, the administration is struggling to conclude
its 60 day review. Ideally, the review will lead to a strong
White House cyber advisor. Without this, cybersecurity in the
United States will always be underpowered. But with so many
different interests involved, there is a risk that the
administration will come up with a solution that makes everyone
happy. The only people who will benefit from this will be
foreign intelligence agencies and cyber criminals.
I thank you for the opportunity to testify. I will be happy
to take your questions.
[The prepared statement of Mr. Lewis follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. Thank you.
Mr. Sachs.
STATEMENT OF MARCUS H. SACHS
Mr. Sachs. Thank you, Madam Chairwoman. I appreciate the
opportunity to appear before the committee to discuss the
important topic of cybersecurity and the challenges of securing
Federal information systems. The committee's interest in this
topic is timely and crucial to the security of our Nation's
most sensitive information. My written testimony is fairly
detailed so I will just summarize it now by covering most of
the main points.
I would like to look back over our shoulders at how we got
to this troublesome position we are in today. Decisions made in
the 1980's about Government purchases of commercial off the
shelf [COTS] computer hardware and software in lieu of
expensive, specially hardened systems made sense when most
home, business, and Government computer users did not have
access to networks but instead relied on floppy disks. That is
what we used to call the old sneakernet. This is how we moved
and transferred files between computers.
Back in those days, the malicious code inside the Federal
Government's desktop computers was primarily in the form of
disk-based viruses. They had little fun names like Brain or
Concept. They really weren't much more than an annoyance. In
fact, back then, to gain access to a Government desktop
computer or file server, you generally had to have physical
contact with it or you had to have the ability to talk a
Government employee into accessing it for you.
Theft of floppy disks, backup tapes, and printer outputs
were the methods that were used by our adversaries to steal
sensitive information contained on our Government computer
systems.
This started to change in the middle 1990's as more
organizations connected their computers to the global Internet
and threats beyond the borders of the United States began to
take advantage of that connectivity. The growth of Government
outsourcing and the increasing dependence on Government
contractors also added to the problem of protecting sensitive
data since information was no longer uniquely stored on
Government computers and behind layers of rigid security
barriers.
Also in the 1990's the .com explosion happened and the
Internet became a common household word. Nuisance viruses and
Web site defacements were the weapons that both adolescents and
political protestors, as well as others, used to express their
views. In fact, we had a string in the late 1990's of hundreds
of .gov Web sites that were defaced. It was a very embarrassing
situation for cia.gov, Congress.gov, speaker.gov, and
whitehouse.gov.
But while these Web site defacements were a very visible
sign of the difficulties we faced, a less visible conflict on
two fronts was brewing that we continue to deal with today.
That is cyber crime and cyber espionage.
In my written testimony, I outline several actions that the
Government has already taken since the middle 1990's in terms
of new organizations and new partnerships with the private
sector. But let me just summarize briefly five items I think we
should do to continue making the Internet more secure.
The first is that Government's most important role is truly
to set the example. If the Government were to manage its own
computer networks in a manner that can be an exemplar for
others to follow, then we in the private sector can point to
the Government and say, follow them and do as they do.
Second, the Government must use its acquisition powers to
improve everybody's ability to secure cyberspace. There was a
large effort by the Air Force, OMB, NSA, DISA, NIST, Microsoft,
and others to build what today we call the Federal Desktop Core
Configuration. That standard can not only be used by the
Federal Government but by any organization that uses Windows XP
and Windows Vista operating systems. This is the type of
leadership we need. It can't stop with just Windows. We need to
have all software secured and we can use that procurement angle
to do that.
Third, the Government must develop a career field for
cyberspace professionals. We are talking about initial entry
all the way to senior executives. If we don't immediately
address this problem, we will never be able to secure the
Federal Government's networks. Security is not about applying
just the latest patch or running the latest anti-virus
software. It is also about culture and risk management and
leadership. It truly is about the people.
Fourth, we need to think about how we view cyberspace and,
in particular, how we view the Internet. If we think about
industrialism from the 19th century, cyberspace is really
industrialism of the 21st century. It is what fuels our
economy. We cannot allow it to become a combat zone. We can't
let the criminals take it over. We can't let the spies
dominate. We need to change this conversation and argue that
cyberspace is the cornerstone of America's global leadership
and our economic prosperity as we go forward in this century.
If we look at cyberspace through the lens of economics, perhaps
then we will find some better approaches to secure it.
Fifth, cyberspace exists because of the combined work of
the Federal Government and the private sector with the
scientists, researchers, investors, and other leaders. It is
not the single domain of either Government or the private
sector. It must be protected from damage by both parties
working in unison. We have come a long way over the past
several decades in building strong public/private partnerships.
We cannot let those relationships weaken or dissolve.
The last thing I want to mention briefly is that industry
has been doing quite a bit of research as well, trying to find
out how intrusions happen, how breaches occur. One of the most
remarkable reports is this one that Verizon Business has come
up with. This is the second year. What it tells us is that
almost everything is preventable. These breaches that are
costing millions of dollars in credit cards and others are all
preventable largely if we just do simple steps. If we follow
the rules we have already come up with, this goes away.
It is inexcusable that in 2009 our Nation seems to be
unable to prevent our adversaries from breaking into our
networks. It is also inexcusable that we continue to run our
computer networks as though they are some magical enterprise
only understandable by geeks and nerds. Cyberspace does belong
to all of us and we are all part of the solution to making it
more secure.
Madam Chairwoman, I again appreciate the opportunity to
appear before the committee. I look forward to answering any
questions.
[The prepared statement of Mr. Sachs follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. Thank you.
Mr. Raduege.
STATEMENT OF LIEUTENANT GENERAL HARRY D. RADUEGE, JUNIOR
General Raduege. Chairwoman Watson, Ranking Member Bilbray,
and members of the subcommittee, thank you for the opportunity
to join in today's hearing to discuss efforts to protect our
Nation from current and emerging cyber threats and
vulnerability of our Nation's critical infrastructures to
exploitation, attack, and disruption.
Relentless and continuing cyber intrusions into Federal
Government systems, defense industrial base companies, and
supporting critical infrastructures continue to pose serious
national security risks to our Nation. While I understand the
main focus of this hearing is centered primarily on Federal
Government systems, I would also point out that cyber crime is
an escalating problem that affects all citizens and businesses.
The cyber threat has no boundaries. In fact, a variety of
studies have identified the serious implications of cyber crime
focused on stealing financial and personal information and the
tremendous economic impact of this profit driven activity. The
problem of cyber threats affects not only our national security
but also our economy and the privacy of all our citizens.
Cybersecurity is an issue that is front and center from a
public policy perspective as the new administration grapples
with how to handle an overall national cyber strategy. Various
reports have come out over the past several months, including
the Center for Strategic and International Studies Commission
on Cybersecurity for the 44th Presidency. I was privileged to
co-chair this Commission. This important effort provided
findings and recommendations to secure cyberspace for the
country and to help guide policymaking. It called for immediate
action to create a comprehensive national security strategy for
cyberspace.
The new administration has cybersecurity high on its agenda
and is making a serious effort to take what has already been
done and improve our national cyber posture. While I am
hopeful, there is still much to be done. Improving the security
of our Federal networks and Nation's digital infrastructures
will be a long term effort. But immediate, focused attention on
this significant challenge is absolutely critical.
As our Commission report noted, cybersecurity is now a
major national security problem for the United States. In
response, we need to focus all tools of national power,
diplomatic, economic, military, intelligence gathering, and law
enforcement, on this critical issue.
I would like to briefly highlight three challenges facing
the Federal Government's information systems and critical cyber
infrastructure assets.
First, despite the increased attention by this
administration and the 60 day cybersecurity review led by Ms.
Melissa Hathaway, it is imperative that the Federal Government
be organized properly for the emerging threats and
vulnerabilities in securing Federal information systems.
Currently, our networks and systems are under continuous and
relentless cyber assault. We are losing a significant amount of
personal and sensitive data every day. Even worse, we are
losing competitive advantage globally.
The Federal Government must become a model for cyber
security and it must start by securing our networks and
information as quickly as possible. While efforts like the
Comprehensive National Cybersecurity Initiative will bear fruit
over time, we need leadership throughout the Federal Government
to make this a focus area. Securing our networks and protecting
information on those networks is an important matter of public
trust. Government must be well organized to lead.
Second, raising the level of education and awareness of the
seriousness of the threats is imperative. Those who work in the
cybersecurity business clearly understand the magnitude of the
problems and are very concerned about the current state of
affairs. However, for many in both Government and industry the
threats are abstract, the implications are not fully
understood, and their ability to help is unclear. An aggressive
outreach and awareness campaign is needed in creating a
cybersecurity mindset to raise the level of knowledge of
Federal leaders and the work force that our Nation is
constantly under cyber attack. We need to ensure that every
person who logs onto a system connected to the Federal
enterprise is properly educated and trained to protect the
information with which they have been entrusted.
Third, there is a need for clearly delineated roles and
responsibilities within the Federal Government for
cybersecurity. While the administration is focused on
addressing this concern, it is critical to ensure a successful
cybersecurity strategy. A properly structured and resourced
organization that leverages and integrates the capabilities of
the private sector, civilian government, law enforcement,
military, intelligence community, and our Nation's
international allies to address incidents against critical
cyber infrastructure systems and functions is essential.
In summary, our Nation and, in particular, Federal networks
and systems are under relentless cyber assault. While many good
efforts are underway, much more is needed, faster. The Federal
Government must focus on understanding cyber risk and take
appropriate action to secure its networks and become a model
for others. Today, that is not the case. We also must change
the culture of the Federal work force by raising and
maintaining awareness of cyber threats that are focused on
gaining access to our networks every day, 24 hours a day.
Finally, we must clearly identify who is in charge with respect
to Federal cybersecurity.
Madam Chair, this concludes my statement. I would be happy
to answer any questions that you or members of the subcommittee
may have at this time.
[The prepared statement of General Raduege follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. Thank you.
Ms. Franz.
STATEMENT OF LIESYL I. FRANZ
Ms. Franz. Madam Chair, thank you and Ranking Member
Bilbray for the opportunity to appear today and to provide the
technology industry's perspective on cybersecurity and securing
Federal information systems.
Today's highly interconnected environment presents great
opportunities to innovate and create economic prosperity, but
it also presents challenges as my fellow witnesses have clearly
described today. But let me highlight two clear trends. First,
the attackers are more sophisticated and increasingly able to
target their attacks more directly and efficiently. Second, the
insider threat is a prevalent concern that illustrates that
technology alone is not the only problem or the only solution.
It is people and processes as well. We see three key elements
to better securing Government information systems.
First, the President should act quickly to appoint a senior
cybersecurity advisor that reports directly to the President.
He or she should have the authority needed to develop,
coordinate, and execute upon the President's cybersecurity
priorities in partnership with Congress, industry, and other
stakeholders. A cybersecurity advisor reporting directly to the
President is the surest way to muster the perspective and
authority necessary to protect the United States in cyberspace.
Crucial elements to making progress are a strategy that
includes ensuring senior level attention to cybersecurity as a
national priority, developing a comprehensive and coordinated
strategy across the Government in partnership with the private
sector, and integrating cybersecurity into the deliberation on
the issues of highest national concern such as economic
prosperity and technological innovation.
We commend the President for initiating a 60 day
cybersecurity review and its consultative process. We look
forward to its release.
Second, we need to reform the Federal Information Security
Management Act. We were a big champion of FISMA when it was
enacted in 2002 but it should evolve to meet today's demands,
moving beyond compliance to more effective security measures.
In previous testimony before this committee's Subcommittee on
Information Policy, Census, and National Archives, we described
six areas for improvement. We provide that for your reference
and look forward to working with you on new FISMA reform
proposals.
Third, we must strengthen the public/private partnership to
address both strategic and operational concerns both here at
home and globally. That partnership is critical to addressing
cybersecurity risks throughout the ecosystem which will
positively impact Federal systems as well. We support the
partnership model that was established in the National
Infrastructure Protection Plan. The NIPP is not perfect but it
has improved over time and it provides a framework for
strategic and operational collaboration going forward.
A key component is the IT Information Sharing and Analysis
Center, which is the operational focal point of the IT sector.
There are similar ISACs, or Information Sharing and Analysis
Centers, for other sectors. We continue to recommend two-way
information sharing and analysis about specific threats between
the industry and Government, and the colocation of Government
and industry experts working side by side on a continuous basis
to address those threats.
Industry is playing a key role in cybersecurity and
critical information infrastructure protection. Allow me to
outline it. We participate in the IT ISAC. We participate in
the NIPP and are concluding a baseline risk assessment for the
IT sector. We participate in the standards making process
through international standards bodies. Many companies provide
the products and services used to protect systems and networks,
and they are innovating to do more. Many companies utilize
those products and services in their own enterprise and in
their enterprise solutions for customers including the Federal
Government agencies. Additionally, discrete efforts are
underway addressing software assurance and next generation
response and security engineering.
All of these efforts rely on partnership between the public
and private sectors. Together we do need to find ways to
achieve wider adoption of solutions, standards, and best
practices for greater overall security.
We commend the Congress for its early focus in this session
on cybersecurity issues and this subcommittee for convening
this panel today. We look forward to working with you. Again,
thank you for the opportunity to appear today and express
industry's perspective. I would be happy to answer any
questions you may have.
[The prepared statement of Ms. Franz follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. Watson. Thank you so much. I am going to throw out a
question. I would like all the panelists to take part. It is
similar to the one that I offered our first panel. How have the
changes in technology such as the network architecture and the
use of wireless devices and networks changed the approach that
is needed for Federal cybersecurity?
Let me go on with the next one. Senators Rockefeller and
Snowe recently introduced legislation that included provisions
to establish a cybersecurity office in the White House along
with Federal acquisition and procurement requirements for IT.
These recommendations are also offered in the recent CSIS
report for the new administration. I would welcome to hear from
anyone that would like to address it first.
Mr. Wilshusen. I guess I will hit it off first. With regard
to wireless security, increasingly the Federal Government is
using that technology. We did a report back in 2005, I believe,
which identified that Federal agencies had not taken sufficient
steps to adequately secure the use of wireless security.
Obviously, there are some tremendous benefits that can
accrue from using such technologies. It provides greater
mobility and opportunities for individuals to perform services
that they normally would not be able to do if they were
tethered to a workstation at their desks. So clearly there are
some benefits in using such technologies. But with the
introduction of these types of technologies into the workplace,
agencies need to assess the risk associated with those
technologies and then take appropriate steps to mitigate those
risks.
In our review, we found that they had not adequately done
that. In many cases, they had not identified the types of
vulnerabilities that such technologies would place, did not
provide sufficient policies or procedures to mitigate those
vulnerabilities, and did not take sufficient steps to train
their staffs on how to appropriately and securely use these
types of technologies.
So with the introduction of any new technologies, I would
just say that there are some basic steps that need to occur in
order to facilitate their secure use.
Mr. Lewis. Thank you, Madam Chairman. One of the things
that we have looked at in some of our work was who are the
architects of the Federal Government. If you start looking at
it a little bit, you find out it is people named Grover
Cleveland and Herbert Hoover. This is good, but it is maybe
time to modernize how Government operates a little bit. The
question is how do we do that. One way to do that is to take
advantage of the technologies you described. But as my
colleague from GAO has said, when we take advantage of them--
and we absolutely have to--we also have to think about
security. Usually what happens is we do one and we don't do the
other and then we are surprised. So I think it is essential to
modernize but we need to do it in a secure fashion.
Mr. Sachs. Thank you. I think we are talking mostly
technologies so we will get to Senator Rockefeller's bill in a
moment.
Technology, of course, is something that our country has
been a leader in since we started. There is no turning back
there. The employees of the Federal Government are just like
you and me and our kids and our grandparents, the people that
are around us. We have most of these technologies at home. We
want to bring them into work. The private sector has the same
problem. So when new things come along such as wireless or
handhelds or even new applications like the social networking
sites, Twitter, Facebook, and things like that, there is
naturally this desire to bring that back into the workspace,
which could be the Federal Government or it could be the
private sector.
We want to do the same thing at work as we do at home. That
is a natural desire. Even with our cars, we would like to use
that as the way to get around and not depend on having an
office-provided or Government-provided vehicle that we have to
wait in line for at a motor pool to have it available.
So our challenge then, as new technologies come along, as
Mr. Lewis said, is that we have a unique situation with the
Federal Government with the security of very sensitive
information. These are the crown jewels of our Nation. These
technologies make those crown jewels now exposed not just to
local people but to the entire planet. This we have not faced
before. Our adversaries can get into our hard drives remotely
in a matter of milliseconds from virtually anywhere on the
planet.
When we bring in new technologies, we bring in new
exposures and new vulnerabilities, things we really haven't
thought about. It takes a little while before we understand it,
and after a while we begin to secure it. But our mindset needs
to change. This is not the same as industrial technologies or
new ways of doing aircraft or cars. These technologies are
global and they expose us globally, literally within
milliseconds.
So as long as we can grasp that and understand it, with
that new mindset we can encourage employees to use the new
technologies. But we have to show them how to use them so we
don't put the Government's and our people's crown jewels at
risk of being taken by our adversaries.
General Raduege. Thank you very much. I think it is
interesting to point out that the intranet started in the
Department of Defense not too many years ago. Of course, it
grew into an Internet. Now the global community uses the
benefits of that Internet and that way of communicating
globally. We are stressing these days more and more open
communications. We are more connected. Of course, we have
become as a result more productive. We would describe this
perhaps as entering an age of interdependence, though. We have
become very dependent on each other for our world economies,
our national securities, and our prosperities.
With more of these connections, though, and some estimate
that by next year we will have 2 billion individuals and users
connected to the Internet, we have become more vulnerable. Of
course, the cyber criminals have found a new avenue for making
money. It has become syndicated now. There has been an
explosive growth of activity in cyber crime, as you are very
well familiar. So with your first question about how the
networks have changed, this is what we have seen. It has been
exponential growth with exponential opportunity, but also the
threats and vulnerabilities are very real.
Ms. Watson. Ms. Franz.
Ms. Franz. I would just like to add the notion, to echo my
colleague's comment, about technology being very exciting, very
innovative, and contributing to the productivity, economic
growth, and prosperity which retains our leadership in the
global economy. However, new technology does provide
challenges.
Industry is responding in many ways. One, we talked a lot
about technology and training. We talked about empowering the
user to use these technologies more securely. In addition,
industry is increasingly baking security into its products and
services. That is something that we heard a lot about in recent
weeks during the RSA Conference in San Francisco in April,
which is a great place to learn where some of these new
technologies are going.
I think with regard to the Federal Government, though, one
thing they can do is look at their procurement strategies and
see if they can't be nimbler in adapting to the adoption of
these new technologies not only for the benefits that they
bring, but the security aspects that they bring as well.
Ms. Watson. Thank you. I would like to go back to the GAO
and Mr. Wilshusen. Recently, you completed work looking at the
information security controls and practices at both the Los
Alamos National Laboratory and the Tennessee Valley Authority.
Can you cite some of the major information security control
deficiencies in both studies? Are there similarities in the
deficiencies of both entities? What are the challenges for
them?
If you feel this is information that we don't need to
share, then we will take it up in the classified section. But
what can you tell us at this point?
Mr. Wilshusen. I can certainly address those issues I think
at a high enough level where it won't be disruptive or
compromising to the security at those organizations.
We have identified, as we do on most of our examinations of
information security controls at agencies, a number of
significant vulnerabilities at both the Los Alamos National
Laboratory and at the TVA.
With regard to the TVA, we looked at the security controls
and the network security controls over its corporate network as
well as the networks supporting the control systems that
operate key infrastructures operated by the Tennessee Valley
Authority. We found a number of vulnerabilities related to
controls that were insufficient to adequately identify and
validate the identity of users in the access privileges granted
to those users.
We found weaknesses with regard to the firewalls that were
in place at those organizations, which could allow certain
firewalls to either be bypassed or not adequately segregate and
prevent network traffic that should not be passed through those
devices.
We also found a number of problems associated with their
auditing and monitoring capabilities. Those are the controls
which agencies use to try to identify, detect, and then respond
to unauthorized traffic or security incidents.
So we find pretty much weaknesses in most of the general
control areas that we look at. We found those at both Los
Alamos and at TVA.
With respect to TVA, we found not only the cybersecurity
related weaknesses but also physical security weaknesses as
well. Combined with the cybersecurity weaknesses that we
identified, these placed the control systems and networks that
we examined at risk to both internal and external threats.
Ms. Watson. Well, some have made the case that our military
agencies have better technical and organizational capabilities
for addressing cybersecurity in the Federal Government when
compared with the multiple operational layers of DHS. Can you
comment on whether DHS has adequate or similar capabilities for
operational cybersecurity?
Mr. Wilshusen. As you may know, back in 2003 President Bush
issued the National Strategy to Secure Cyberspace. As part of
that strategy, DHS was the focal point for much of the Federal
cybersecurity efforts.
Over the past several years, GAO has identified and
consistently reported that DHS has not consistently implemented
or met those responsibilities. In total, we issued about 30
recommendations on various different core elements related to
protecting cybersecurity. As a result, we have found that DHS
has just not adequately performed their responsibilities for a
number of different reasons, not the least of which is the
significant turnover in their leadership and key personnel
positions in the cybersecurity area.
Ms. Watson. I just thought the agency was too big. Putting
them all under one roof, when you have had the experience of
being the master of your unit and now you have to report to
someone else, it just wasn't going to work out all that
efficiently.
But let me hear from the rest of you. We will just go down
the line.
Mr. Lewis. This is a serious problem and it is not going to
be easy to fix. We would all prefer that it be a civilian
agency. Everyone thought it should be DHS. But as my colleagues
have said, they are not yet capable of performing the mission.
So one of the questions you want to ask is how long do you want
to wait. Depending on who you talk to, they say DHS could be
ready in 3 years or 5 years or 10 years. We can't wait 3 or 5
years.
The dilemma is the only place that really has the
capability now is the Department of Defense, particularly the
National Security Agency. But when you say that, you
immediately trigger Constitutional concerns. You trigger the
memory of the FISA debate. We have a problem. The people who
could do this best are in the intelligence community, but we
are not comfortable with that. The people who would be the
civilian focal point for this aren't ready or capable.
So how do we fix that problem? That is a very difficult
issue and it is one I think we are going to have to wrestle
with for the next couple of years.
Mr. Sachs. As one of the guys that was there when we opened
the doors for DHS in the spring and summer of 2003, we had a
lot of euphoria about what we could do. We had this beautiful
charter in front of us and the pasture was green. We look back
on those days now, and I see Mr. Lewis chuckling.
The summer of 2003 was when the Blaster Worm hit. There
were outages in the power sector. I am sure we all recall that.
When the agency was young, still maybe she had a lot of naivete
about it, but we did quite well because we didn't know what we
couldn't do or what we weren't supposed to do.
Unfortunately, in my opinion, what has happened over the
years is the agency has been unable to grow in the manner that
we were hoping that it would. It has been unable to take on the
challenges and the responsibilities that we hoped it would.
There have been a lot of politics surrounding them, as you are
aware. There has been a lot of media scrutiny. There has been a
lot of private sector scrutiny and international scrutiny. DHS
is very big. It encompasses parts of 24 different Federal
agencies that were pulled together. There is a culture that has
to be stitched in. Underlying all of this, of course, is
cyberspace, this thing that we are all very familiar with. And
they have the role of making it secure.
I don't envy my counterparts at DHS. This is a tough
mission that they have in front of them. They have very good
people that are there but they are constrained by a lot of
things that are beyond their control. I think one of the best
things we could do is really get out of their way and let them,
particularly in cyberspace, let them do what they need to do.
Give them the latitude, the ability to grow, the ability to
hire the right people, and let those people run. Give them the
pasture and let them do what they need to do.
I believe the private sector is more than willing to work
with DHS. Many of us do spend our days over at the Department.
We have some very strong public/private bonds that have been
built over the years. We all do want to make this work.
A key to all of this is leadership. We need to get some
good appointments. We need to get strong people, people who are
dedicated in service to their country and are willing to be
there year after year, people that we in industry are willing
to work with. I think we can do that.
I have a lot of optimism for the Department and I do look
forward in the next coming years or so to seeing big changes
there.
But just to go back to the military because I spent 20
years there. The military has a very old culture. We have to
recognize that. It has been around over 200 years. DHS is only
6 years old. We cannot expect DHS to perform like a 200 year
old department. It just is not there yet. So patience, I beg of
you. We will get there with them.
General Raduege. Madam Chair, I come from a military
background, as you noted earlier, having spent 35 years on
active duty. I was serving during the time in 1998 when in the
Department of Defense we recognized the fact that our computers
were being attacked. So the responsibility was given to the
U.S. Space Command at that time to create some sort of a
program to defend our computer networks. I was privileged to
serve at that time within the U.S. Space Command. The program
we put together in 1998 has grown over the years to now what is
considered by many to be a very outstanding program.
The Department of Defense also has the benefit of a command
and control system and network where individuals work for each
person. You know exactly who you work for. There are orders
that can be given and they have to be followed based on the
requirements of the Uniform Code of Military Justice. That is
what the command and control of the Department of Defense is
all about. Our other organizations, though, don't have that
kind of a structure.
I would point out that in my years, now over a decade of
working with this area that initially was called computer
network defense and now has gone into a cybersecurity type of
terminology, that there are a number of departments in our
Federal Government that have key roles in this. I would just
point out the Department of Homeland Security, the Department
of Defense, the intelligence community, the Department of
State, the Department of Commerce, the Department of Justice,
and the Department of Interior just to mention a few that have
key roles in a national strategy for securing cyberspace.
I believe it is for that reason, the realization that
someone had to be in control of that and have some sort of
oversight, and for that reason--I was proud to serve with our
Center for Strategic and International Studies Cybersecurity
Commission--we recommend that we consider an individual in the
White House that would have the opportunity to create policy
and to provide oversight and a balanced Federal program across
all the Federal departments and agencies. We feel like that is
a critical way to have someone in charge to move us forward in
this critical area.
Ms. Watson. Thank you.
Ms. Franz.
Ms. Franz. Thank you. I don't have much to add to the very
good comments of my fellow witnesses except probably to put
things slightly in perspective with regard to the relationship
between DHS and DOD. We should remember that DHS had very
limited resources both from a staffing perspective and from a
funding perspective in its early days. Since the beginning, it
has leveraged the manpower of DOD and the systems and
strategies that had been used in DOD. So that has been a
positive impact, I would say.
But it does need to be its own entity. It has a different
mission. It has a different perimeter and parameters than the
Department of Defense has. So it does need to build its own
manpower. Importantly as well, it really needs its own
facilities that provide it a base of operations. That has been
a challenge since the very beginning. It was a challenge when I
was there in the National Cybersecurity Division and it remains
a challenge today.
DOD has a more impressive facility and a capable one. That
should be no surprise given the funding differences between the
two. So resources, manpower, and facilities are really key to
making some improvements soon.
Ms. Watson. I want to go back to Mr. Lewis again. I think
the other panelists have been addressing this issue. But as
part of the CNCI, there is an ongoing debate as to what role
the DHS ought to have as a leading agency charged to coordinate
and respond to cyber related incidents.
I wish they would have been here today to answer these
questions. But do you think, and I think many of you have
commented on it already, does DHS have the technical or
operational capabilities to be in charge of handling cyber?
Mr. Lewis. Well, you have heard some of the answer earlier.
They have a really good team there now. There are some really
good folks. That is an improvement. They do have a shortage of
resources, facilities, trained folks, and money. It is hard to
believe after all these years, but they are not equipped.
I was talking to someone who was over at DHS Cyber Division
last week and they said the staffing is running at about 30
percent. So for every one person who is there, there are two
who are missing. I don't know if that is right. This is what I
was told. But I have heard repeatedly from many people that
severe resource problems put them at a disadvantage. They don't
have the trained people.
Now, they do have a very important mission. The NCSD, the
National Cybersecurity Division, should be the place
responsible for securing the .gov networks. It has to work with
critical infrastructure. It has to work with the private
sector. That is enough, particularly when they aren't staffed
or funded. They don't need to pick up more missions. But the
missions they have are really important and we should hopefully
make them capable of carrying them out.
As I say, though, there is a great team there now. It is
probably the best team they have had in a long time. So there
is a chance.
Ms. Watson. Let us hope. I want to go to you, Mr. Sachs.
From your Government experience which dates back to the Clinton
administration's 1998 Presidential Directive for securing
critical infrastructure sectors, what are the so called lessons
learned that the Federal Government has improved upon over the
past decade? Conversely, where are we not learning? What are we
not learning from our mistakes?
Mr. Sachs. The middle 1990's, the concern was one of the
critical infrastructures. We saw .com growing. We knew that
Russian bank robbers were breaking in. The Air Force had
intrusions at Roane [phonetic] Laboratory. There was this
understanding that the Internet, while great, was offering
these new problems that we really didn't know how to get our
hands around.
The bombing of Oklahoma City in 1995 was the big eye
opener. Not only were children and people killed there, but we
had quite a few Government computer systems in that building
that were destroyed when that bomb went off. We found within
minutes that several Government department data bases literally
weren't there. They had chosen that building because they
thought physically it was in the middle of nowhere. Nobody was
going to attack it. It was far, far away from Washington and
New York City and places a terrorist would go after. They
realized that this linkage between physical and cyber was more
than just science fiction; it really did exist. A terrorist
attack doing something physical could have an effect in
cyberspace. So that set forth a series of congressional
hearings and White House investigations. DOD and others got
involved.
There was an exercise in 1997, highly classified at the
time but today we can read all about it, called Eligible
Receiver. It showed that portions of the Defense Department's
networks could be reached from the civilian networks, from
home. Literally, I could dial into the Internet and gain access
to classified computers. We were that porous back in the
1990's. So a lot has come since then.
As General Raduege mentioned, the JTF-CND was created in
1998 as part of that. I was part of that group also that stood
that up. We immediately took upon ourselves to secure the
Defense Department, not North American cyberspace. This wasn't
like a NORAD for the Internet. But even just looking at DOD, we
found we were extremely porous. We had Web sites that listed
flight schedules for Generals. We had Web sites that showed
full bunker maps of all the nuclear facilities. I mean, it was
unbelievable what information we were making available to our
adversaries. That was on unclassified Web sites, not even
talking about access to what we thought was classified.
So since then, I think the big lesson that has been learned
is that information seeks to be free. If you put information
somewhere, if you put it on a hard drive, doggonit it will
attempt even on its own to leak out. But we make it easy. We
connect sensitive computers to the wide open Internet. We allow
our employees to swap files back and forth. We don't train
them. We don't teach our employees, both in the private sector
as well as Government, the danger of cross-connections. The
actual information is ones and zeros that are on hard drives,
but we don't teach them how much risk that can put our Nation
against.
Our adversaries on the other hand understand this game
fully. The Chinese in the late 1990's published their doctrine
of unrestricted warfare. Many of us read it; looked at it; and
said yes, they got it. They understand it. We looked at
ourselves and our doctrines and policies didn't even come
close. In our arrogance, because we invented the Internet and
everything speaks English online, we were thinking that this is
ours and we can control it. But they understood it. We are
seeing this today. This has now come back around to bite us.
So this is our challenge going forward, as we look back at
the 1990's and as we look at this decade as it comes to an end
here in a few months. We have learned so much about cyber
crime, cyber espionage, military actions online, and even just
what people want to do and what society wants to do with the
networks. So as we go forward, 2010 and the years beyond, the
Internet doesn't go away. Cyberspace doesn't go away. It is
really just part of what we are.
I think the Federal Government, in a partnership with the
private sector and with America, has to face this challenge
head on. We take the Internet as what it is. It is an economic
engine. It is the fuel for recovery. It is exactly what we need
to stimulate us, to use some of the terms that have been used
here. We must protect it. We must guard it like that and think
about it economically. Otherwise, we lose and we lose big. Our
adversaries, again, they understand this game and they are able
to think in front of us.
Ms. Watson. Let me get to General Raduege. It seems to me,
and I think we have all mentioned this, that the Federal
Government has too many cooks in the kitchen for cyber
coordination and organization. This is a fair assessment. I
think all of you have been saying that. As the former head of
DISA, could you offer up some thoughts on where the Government
could improve its organizational hierarchy for cybersecurity
across the entire agency community?
General Raduege. Madam Chair, as I mentioned, I think we
need to have someone at the top of this hierarchy of our Nation
that can give the proper guidance and policy, the proper
oversight, and can lead from the top in putting together a
comprehensive approach to addressing cyberspace and what it
means to us in our future.
I also wanted to comment on the fact that this doesn't
require cyber science. It boils down a lot also to management
techniques and policies. For example, a lot of computers are
broken into through electronic means. But we also don't have
the proper governance, the proper policies and procedures in
managing our capabilities when people steal laptops from our
vehicles, steal them from our cars, or when we just lose our
computer capabilities. So a lot of this also boils down to
policies and procedures of managing the capabilities. In many
cases, we are just too careless with our cyber equipment.
So I would state that as something that we need to develop
additional governance around and better procedures. This gets
back to the part about the education and awareness, and
developing a cyber mindset. We just don't realize how
vulnerable we are to just someone picking and choosing the
computers that we allow access to on a daily basis.
I can tell you that the organization that I am with now in
civilian life stresses this with every employee all the time.
So now when I travel, I think twice when I am in my hotel room.
I never leave my hotel room and allow my computer to stay
there. As a matter of fact, I don't even lock it in those
little safes they provide. I carry that computer around with me
on my person at all times because in the organization I am
with, our name is our reputation. To lose a computer to someone
who steals it would be devastating to our business
opportunities. So it is something that we have stressed in our
education process.
Ms. Watson. Let me just ask, do you have a backup? Could
you put a chip in there so you will know, so it will signal you
wherever it is? Would you not have a backup to what you have on
your computer?
General Raduege. I have backups to what is on my computer
but I want to make sure that unauthorized individuals don't
gain access to my computer and the networks that I am
authorized to operate in.
Ms. Watson. Well, couldn't a chip signal you some way that
it is out of your control? If your computer is not with you,
could it signal you so you could turn it off or destroy what is
on there or black it out? It seems that we have technology that
would work that way.
General Raduege. We have a lot of technology and a lot of
technology could be put into place that would have that kind of
a capability. But most individuals I don't think operate in
that fashion today. So it is a very manual process of
controlling the asset that is in your possession.
Ms. Watson. Let us go to Ms. Franz now. There seems to be a
significant amount of resistance from industry regarding policy
proposals that would establish standards for information
security controls and software assurance for Government
systems. Can you explain this to me, why there is this
resistance?
Ms. Franz. Certainly. I am not sure I would characterize it
as resistance from the industry to discuss the kinds of things
that may be needed to address specific issues and specific
problems. As I mentioned in my remarks, the industry is
involved in standard making processes in international
standards making bodies. They see a benefit to standards for
both interoperability and for security concerns.
I think the issue is around proposals that may come that
are trying to address some of the problems but don't do so
either in a targeted way or in a consultative way with
industry, the way we see it happen in those exchanges in the
international standard making bodies, for example. So I
wouldn't say it is a resistance to identifying clear needs and
then taking steps in a partnership fashion, in a consultative
fashion to find out the best way to address those needs.
There can always be unintended consequences from either
regulation or standards or, dare I say, even legislation that
may have a broad brush and not address the concern
specifically. It can have unintended consequences for the
impact on industry and consumers and Government users, for
example.
Ms. Watson. I would like to have each one of you give us
one concluding statement that you feel will help us. We are
going to be making recommendations. We might have a bill; we
might just make some strong recommendations to the executive
branch. But what would your last input be that you think would
be helpful? Let us start with the GAO.
Mr. Wilshusen. I think I would suggest that you ensure that
in your bill you establish mechanisms for establishing
accountability over the actions that agencies need to take.
Assure that they are held to task to implement those particular
requirements, whatever you may include in your bill. I think
accountability is key. That would be my one remark.
Ms. Watson. Mr. Lewis.
Mr. Lewis. Thank you. I would say we need to come up with a
plan. We need to put the White House in charge of that plan and
we need to get moving on it. We have been doing this now for 10
years and we are worse than when we started.
On the accountability note, I think one thing that Congress
can do, and one thing that legislation can certainly do, is you
have the authority and the oversight responsibility to hold
Government and the private sector accountable for when there
are lapses. There certainly have been enough lapses in the last
few years.
Mr. Sachs. I would like to also highlight the people. I
think this is the real angle that could make a very good
nucleus of anything in the future. There are three groups that
really make all of this work.
There are Government officials and people who work within
the Government. They know each other; they are very
professional.
There is the private sector. I am talking about the private
sector that is profit oriented, that do the work. They run the
carriers and so forth.
Then there is this third group of volunteers who are the
unsung heroes, the ones that collaborate. This Conficker Worm
that was going around recently largely was solved by a
volunteer effort that has come together. There was no formal
approach toward that leadership. We have seen this over the
years that this type of problem solving tends to just come out
of nowhere by the volunteers. So they are very important, those
three groups. But I highlight that because of the people piece.
In cybersecurity, the professionals like myself and the
rest of the panel here who do what we do, we still need to have
our profession professionalized. You will see this called for
in the CSIS report. I believe Senator Rockefeller has it in his
bill, the notion that says that those who are professional in
this world need to become professional. We need to be
certified; we need to be licensed.
It is more than just passing an exam but actually licensed
and bonded. We do this with real estate sales people. We do it
with people who groom dogs. We do it with lawyers and countless
other professions. Right now, the essence of our Nation,
trillions of dollars of value, is being managed by very good
people but we don't have a licensing or a licensed profession.
Now, we don't solve that overnight. This may take years.
The profession needs to do it ourselves. But it would be
helpful if the Congress would think about how to enable that,
how to help the profession become professional.
Ms. Watson. Thank you for that input. General.
General Raduege. Madam Chair, I would say for one point
that is different than those already expressed, that I would
stress the fact that we could significantly improve Federal
cybersecurity by operationalizing the intent of the FISMA
legislation. By doing that, we would also use performance based
measurements for security so that we really are measuring the
operation of security throughout our Federal networks instead
of just an audit of the checklist.
Ms. Watson. Thank you.
Ms. Franz.
Ms. Franz. I think I would like to respond to your comment
about too many cooks in the kitchen. I wouldn't want to leave
the impression that we have too many people working on
cybersecurity these days because I don't think any of us would
agree that is the case.
However, we don't have a head chef. Let us create a head
chef. Let us empower the cooks in each of the agencies, or
their kitchens, to do their jobs. Let us give them empowerment
before we measure them. Then let us look at making changes that
enable rather than prohibit the partnership to really operate
the way that it could in a shared environment.
Ms. Watson. I think I have heard over and over, General,
that you need somebody to head up the Joint Chiefs of Staff.
I think your input has been very, very valuable to us. We
have it all recorded. We have your reports. We will be reaching
out to you again. With your statements, we are going to adjourn
this meeting but we will be back in touch. Thank you so much
for your testimony.
The meeting is adjourned without objection.
[Whereupon, at 5:10 p.m., the subcommittee was adjourned.]