[Senate Hearing 106-858]
[From the U.S. Government Printing Office]




                                                        S. Hrg. 106-858

   CRITICAL INFORMATION INFRASTRUCTURE PROTECTION: THE THREAT IS REAL

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
                       AND GOVERNMENT INFORMATION

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             FIRST SESSION

                                   on

   EXAMINING THE PROTECTION EFFORTS BEING MADE AGAINST FOREIGN-BASED 
       THREATS TO UNITED STATES CRITICAL COMPUTER INFRASTRUCTURE

                               __________

                            OCTOBER 6, 1999

                               __________

                          Serial No. J-106-53

                               __________

         Printed for the use of the Committee on the Judiciary


                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
68-563                     WASHINGTON : 2001



                       COMMITTEE ON THE JUDICIARY

                     ORRIN G. HATCH, Utah, Chairman

STROM THURMOND, South Carolina       PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa            EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania          JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona                     HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio                    DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri              RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan            ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama               CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire

             Manus Cooney, Chief Counsel and Staff Director

                 Bruce A. Cohen, Minority Chief Counsel

                                 ______

   Subcommittee on Technology, Terrorism, and Government Information

                       JON KYL, Arizona, Chairman

ORRIN G. HATCH, Utah                 DIANNE FEINSTEIN, California
CHARLES E. GRASSLEY, Iowa            JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin

           Stephen Higgins, Chief Counsel and Staff Director

        Neil Quinter, Minority Chief Counsel and Staff Director

                                  (ii)


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Kyl, Hon. Jon, U.S. Senator from the State of Arizona............     1
Feinstein, Hon. Dianne, U.S. Senator from the State of California     4

                    CHRONOLOGICAL LIST OF WITNESSES

Statement of Hon. Robert F. Bennett, a U.S. Senator From the 
  State of Utah..................................................     5
Panel consisting of John S. Tritak, director, Critical 
  Infrastructure Assurance, Office, Washington, DC; and Michael 
  A. Vatis, director, National Infrastructure Protection Center, 
  Washington, DC.................................................     6
Statement of Jack L. Brock, Jr., director, Government-Wide and 
  Defense Information Systems, Accounting and Information 
  Management Division, U.S. General Accounting Office, 
  Washington, DC; accompanied by Jean L. Boltz...................    35
Prepared statement of Richard C. Schaeffer, Jr., director, 
  Infrastructure and Information Assurance Office of the 
  Assistant Secretary of Defense.................................    56

                ALPHABETICAL LIST AND MATERIAL SUBMITTED

Bennett, Hon. Robert F.: Testimony...............................     5
Brock, Jack L., Jr.:
    Testimony....................................................    35
    Prepared statement...........................................    44
Schaeffer, Richard C., Jr.: Prepared statement...................    56
Tritak, John S.:
    Testimony....................................................     6
    Prepared statement...........................................     9
Vatis, Michael A.:
    Testimony....................................................    14
    Prepared statement...........................................    18

 
   CRITICAL INFORMATION INFRASTRUCTURE PROTECTION: THE THREAT IS REAL

                              ----------                              


                       WEDNESDAY, OCTOBER 6, 1999

                           U.S. Senate,    
         Subcommittee on Technology, Terrorism,    
                            and Government Information,    
                                Committee on the Judiciary,
                                                    Washington, DC.

    The committee met, pursuant to notice, at 10:01 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl 
(chairman of the subcommittee) presiding.
    Also present: Senators Feinstein, and Bennett (ex officio).

  OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE 
                        STATE OF ARIZONA

    Senator Kyl. The hearing before the Senate Judiciary 
Committee, Subcommittee on Technology, Terrorism, and 
Government Information will please come to order.
    Today's hearing is on the subject of the critical 
information infrastructure and protection of the infrastructure 
and the threat thereto. Our panelists this morning, we will 
have two panels, and on the first panel, we have Mr. John S. 
Tritak, who is Director of the Critical Information Assurance 
Office in Washington, and Mr. Michael Vatis, the Director of 
the National Infrastructure Protection Center here. The second 
panel will be Mr. Jack Brock, Director of Information 
Management Issues at the General Accounting Office. I 
appreciate the attendance of the witnesses here.
    I am informed that other members of the subcommittee will 
be arriving, but in view of the schedules of everyone 
concerned, I am going to begin the hearing right on time and we 
will move forward from there.
    Let me first of all make a brief opening statement and then 
call upon our two witnesses to make an opening statement, after 
which we will have a series of questions.
    At our hearing today, we are going to examine a growing 
public policy concern, the threat of hostile attack on our 
Nation's critical information infrastructure and the adequacy 
of the Federal Government's response to this threat. This is 
the fourth public hearing that our subcommittee has held on the 
topic in the last 2 years, and given the importance of the 
subject, it will not be our last.
    The President's top advisors recently issued a report on 
preserving America's privacy and security in cyberspace. As the 
report points out, the enormous success the United States has 
enjoyed over the past century was due in part to the ability of 
our Nation and its leaders to deal with the latest 
technological trends in a way that enhanced the security and 
prosperity of successive generations of Americans. At critical 
junctures in our history, wise government policies with regard 
to innovative technology have resulted in unprecedented 
success.
    During the industrial age, the arrival of World War II 
signaled an urgent need for increased production and scientific 
advances. The success of America's war effort in defeating 
fascism rested largely on the strength of our industrial might 
and the successful collaboration between our government and 
industry. We not only protected America's security, but also 
vaulted the U.S. economy to unprecedented heights in the post-
war period.
    Today, the industrial age has become the information age 
and computers facilitate the instant exchange of vast amounts 
of data and ideas. Who would have predicted just a few decades 
ago that a small Defense Department research effort would 
result in the creation of the Internet and revolutionize our 
society.
    As we approach the dawn of the new millennium, America 
again faces a time of pivotal change. Information technology 
presents both an opportunity and a threat to our society, which 
is increasingly dependent upon computers and communications 
equipment, what we call our critical information 
infrastructure. As most Americans have learned recently, with 
the preparations for Y2K to make sure there are no major 
disruptions in services, virtually every key service is 
dependent upon computers, from electric power grids, to phone 
systems, to air traffic control, water and sewer service, 
medical devices, banking, and the list goes on and on. 
Unfortunately, very few of these critical computer networks 
were designed with good security measures.
    The changes in our society also must be viewed in context 
with America's changing geopolitical role in the post-Cold War 
world. The United States is the world's only superpower and our 
armed forces enjoy technological superiority on the 
battlefield. Nations and terrorist groups that are hostile to 
our interests are increasingly choosing not to confront our 
strengths directly, that is, by trying to field fleets of 
advanced fighter planes or ships on par with ours, but rather 
are seeking to exploit our vulnerabilities, looking hard for an 
Achilles heel.
    According to the National Security Agency, over 100 
countries are working on information warfare techniques. One 
recent case illustrates the danger of this threat. According to 
Newsweek magazine, computer systems at the Defense and Energy 
Departments have been the subject of a sustained computer 
hacking effort from Russia. These attacks have resulted in the 
loss of vast quantities of data, possibly including classified 
naval codes and information on missile guidance systems.
    These computer attacks have reportedly been very subtle. 
For example, the London Sunday Times interviewed an engineer at 
the Space and Naval Warfare Systems Command in San Diego, CA, 
who described being alerted to a problem when a computer print 
job took an unusually long time. According to the Times, ``To 
his amazement, monitoring tools showed that the file had been 
removed from the printing queue and transmitted to an Internet 
server in Moscow before being sent back to San Diego.''
    And there are other troubling examples of computer attacks 
by U.S. citizens that demonstrate our weaknesses in this area. 
For example, one group dubbed the ``Phonemasters'' by the FBI 
manipulated computers that route telephone calls. These hackers 
reportedly gained access to telephone networks of companies 
like AT&T, British Telecom, GTE, Sprint, MCI WorldCom, and 
Southwestern Bell.
    At times, these hackers were able to eavesdrop on phone 
calls, compromise databases, and redirect communications at 
will, according to press accounts. In addition, they apparently 
had access to portions of the nation's power grid and air 
traffic control systems and hacked their way into a digital 
cache of unpublished phone numbers at the White House. In one 
prank, this group even succeeded in forwarding FBI phone lines 
to sex-chat lines in Germany, Moldavia, and Hong Kong, 
resulting in the FBI being billed $200,000 for these calls.
    These calls would be amusing if the stakes were not so 
high. Given a more malicious intent, hackers in our country, or 
those working for terrorist groups of the military services of 
nations hostile to the United States, could do far greater 
damage to our critical information infrastructure, resulting in 
what some have termed ``an electronic Pearl Harbor.'' We have 
been fortunate that the United States has escaped serious harm 
thus far, but our luck is likely to run out unless we take 
aggressive steps to tighten these gaps. As Winston Churchill 
once observed, in history, ``the terrible `ifs' accumulate.''
    At today's hearing, we will explore how our government has 
approached this problem as well as how its efforts might be 
improved. We will also discuss whether new legislation is 
required and we will explore the impact of the government's 
cyber-protection efforts on the privacy of American citizens.
    Our witnesses are ideally suited to address these issues. 
Mr. John Tritak, Director of the Critical Information Assurance 
Office, is responsible for the development of an integrated 
national plan to address the threats to our critical 
infrastructure. He will be followed by Michael Vatis, the 
Director of the National Infrastructure Protection Center, an 
interagency organization that is charged with leading the 
Federal Government's efforts to detect, prevent, investigate, 
and respond to cyber attacks on U.S. critical infrastructures.
    And on our second and final panel, Mr. Jack Brock, Director 
of Government Information Systems at the GAO, will testify 
about the type of vulnerabilities to cyber attacks that exist 
in computer networks operated by Federal agencies that the GAO 
has identified during annual audits and the status and 
effectiveness of the government's effort to reduce these 
vulnerabilities.
    It is my great pleasure to turn first to Senator Dianne 
Feinstein of California and then to Robert Bennett of Utah, two 
of the real experts in the U.S. Senate on this subject. Senator 
Feinstein is the ranking member of this subcommittee. She and I 
have been working for a long time, concerned about the 
protection, the necessity of protecting our Nation's critical 
infrastructure.
    Senator Bennett, not even a member of this committee, has 
such an interest in this subject that as chairman of the 
special Y2K Committee here in the Senate, he has taken an 
interest in what we are doing and what others in the Congress 
are doing to deal with this issue. It is largely to his credit, 
through the Y2K Committee chairmanship, that a lot of this 
information has been brought to light to the American public at 
large. So I am really pleased that Senator Bennett is here with 
us, as well.
    Senator Feinstein.

  STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE 
                      STATE OF CALIFORNIA

    Senator Feinstein. Thanks very much, Mr. Chairman. I think 
you know how much I enjoy working with you and I want to thank 
you for your leadership on this subject. I think I probably do 
not qualify as an expert. I think my colleague, Senator 
Bennett, probably does. But I think I do qualify as someone 
that believes that this area is one of the most critical and 
crucial areas we now face, how to address the serious and 
increasing threats to our national infrastructure.
    The advent of a new technology age in which we now live has 
brought America certainly great prosperity. California, my 
State, has benefitted immensely from these developments. 
Powerful computers now control our electricity, our phone 
service, our plane traffic, our national defense, and they have 
moved us forward much more quickly than anyone ever could have 
imagined. We can plan our physical infrastructure more 
efficiently. We can test prototype aircraft on a computer 
screen without ever spending a dime on construction. We can 
allocate resources more efficiently and at a lower cost than 
ever before.
    And the power of a new global communication network has 
taken people from the ends of the earth and brought them 
together, almost as if they were next-door neighbors. Amazing. 
Ten years ago, sending a message through the mail from Cairo to 
California would take weeks. Now, that simple message can be 
sent with a simple stroke of a key and accomplished in the 
blink of an eye. That power, the power of instant, inexpensive 
communication across mountains, oceans, and international 
boundaries has opened up vast potential for global cooperation 
and a truly borderless economy.
    But, and here is the but, with that power, also comes 
extraordinary danger. Just like an e-mail from friend to friend 
can travel over the ocean and across national boundaries in a 
split second, so can a computer virus or a casual hacker attack 
or a foreign cyber terrorist. As a result, this Nation faces 
serious challenges in the coming months and years. We must 
learn to balance the benefits of global interconnectivity with 
the need to protect our vital information, our defense, our 
infrastructure.
    About a dozen countries have information warfare programs. 
They include Libya, Iraq, and Iran. Foreign intelligence 
services routinely break into American public and private 
sector computers, mapping power grids to find weak links and 
leaving trap doors at virtually every U.S. military base.
    Last year, two California high school sophomores were among 
a group suspected of penetrating and compromising at least 11 
sensitive computer systems and military installations and 
dozens of systems at other government facilities, including 
Federal laboratories that perform nuclear weapons research. 
These children were just looking for some excitement, and guess 
what, they found it. But imagine if they had been out to do 
real damage. Imagine if they had been employed by a hostile 
foreign government.
    Because of the interrelated nature of our critical 
infrastructure systems, today's terrorist has the potential to 
do with a keyboard what in the last world war might have taken 
a squadron of bombers to accomplish. At stake are not only the 
information systems upon which we rely, but the electric power 
grid, the public switch communications network, the air traffic 
control system, the banking system, rail transport, oil and gas 
distribution networks, and a host of other networks on which 
our national security and our way of life today depend.
    We have begun to address this threat. Presidential Decision 
Directive 63, issued last year, identifies critical 
infrastructure protection as a national security priority and 
commits us to effectively protect our critical infrastructures 
within 5 years. But the time table established by Public 
Directive 63 is already slipping. A national report was due to 
Congress last December. As of today, we have still not seen it.
    I look forward to examining today what our government has 
done to protect our critical infrastructure and what more can 
be done. This Congress and this subcommittee has a clear 
responsibility to do what it takes to protect this Nation from 
the threat of cyber terrorism and from the enormous risks that 
come hand in hand with the advances in technology that have 
given us so much over the last few years.
    So thank you, Mr. Chairman, for your leadership and for 
scheduling this hearing and your very serious attention to this 
issue.
    Senator Kyl. Thank you for a fine statement, Senator 
Feinstein.
    Now, I would like to turn to Senator Robert Bennett for any 
comments he may have.

 STATEMENT OF HON. ROBERT F. BENNETT, A U.S. SENATOR FROM THE 
                         STATE OF UTAH

    Senator Bennett. Thank you, Mr. Chairman. I appreciate your 
courtesy in allowing me to come where non-lawyers usually do 
not appear. I understand Senator Feinstein is not a lawyer, and 
that----
    Senator Feinstein. I am not a lawyer.
    Senator Kyl. Now, you guys quit bragging. [Laughter.]
    Senator Bennett. That demonstrates how open-minded you are 
on this committee.
    I think you are having the first of what will be a long 
series of hearings. This is an issue which we are only barely 
beginning to understand, but I think, ultimately, the next 
President, whomever he or she may be, will find that the 
challenge of information warfare will be the number one 
national security issue of the next administration.
    I recently went to an office where they had drawn a map of 
the new world. Whenever you think of military threats, you 
start out with the geography and you draw the map and the 
various sides. This was a map of the Internet and it did not 
look like any map you or I have ever seen before. It looked 
like an abstract painting. I wanted to take it down and put it 
in my office.
    The world geologically is billions of years old. The world 
electronically is 10 years old or less. And the one thing that 
was striking about this map is that there were no oceans on it. 
When we talk about the U.S. militarily, we talk about the 
sanctuary of North America between two oceans, and on this new 
map of the new world, there were no oceans and no sanctuary. 
Mr. Chairman, you and Senator Feinstein have summarized this 
very well in your statements.
    The reason I think this hearing is important is because we 
do not have in our present governmental structure a neat pigeon 
hole in which to put this particular threat. For example, if 
somebody does the kinds of things that Senator Feinstein was 
describing, is that a military attack on our national security 
and, therefore, the responsibility of the Defense Department, 
or is that a violation of private property rights and, 
therefore, an issue for law enforcement, or does it become 
both? And where do the responsibilities lie for the Defense 
Department to protect us from foreign attack and from the 
Justice Department to protect us from intrusions?
    Inevitably, in this new world, those intrusions will merge. 
Foreign efforts to destroy us, cripple us, do us harm, will 
very clearly merge with domestic capabilities to break in. We 
have already seen the example of a foreign agent who hired some 
American teenage hackers, and as Senator Feinstein said, they 
were out for the thrills and experience, but their mentor had a 
much more malicious purpose in mind.
    I think the Judiciary Committee is the logical place to be 
holding these kinds of hearings. I have talked with Senator 
Roberts, who plans to be holding hearings in the Armed Services 
Committee, and we, of course, have held some hearings on this 
in the Senate Special Committee on the Year 2000. Some of your 
witnesses here today have already testified before that 
committee.
    So, as I say, I think this is the first of what will be a 
series of hearings. Ultimately, I think the issue must come 
before the Senate leadership and the House leadership to say 
where appropriately within the legislative structure does the 
responsibility lie for oversight and coordination of this very, 
very important challenge.
    So I congratulate you on your hearings and I am very 
grateful for your willingness to allow me to participate.
    Senator Kyl. Thank you very much, Senator Bennett.
    Now to our panel. Mr. John Tritak, you will lead off, and 
then Michael Vatis.

    PANEL CONSISTING OF JOHN S. TRITAK, DIRECTOR, CRITICAL 
INFRASTRUCTURE ASSURANCE OFFICE, WASHINGTON, DC; AND MICHAEL A. 
  VATIS, DIRECTOR, NATIONAL INFRASTRUCTURE PROTECTION CENTER, 
                         WASHINGTON, DC

                  STATEMENT OF JOHN S. TRITAK

    Mr. Tritak. Thank you, Senator Kyl, Senator Feinstein, 
Senator Bennett. It is truly an honor to be here today to 
discuss the challenges facing our Nation in the area of 
critical infrastructure protection and the efforts being 
undertaken by the administration to address those challenges. I 
intend to keep my opening remarks very brief and ask that my 
written statement be entered into the record.
    Senator Kyl. All of the statements will be admitted, 
without objection.
    Mr. Tritak. Thank you, sir. America has long relied on 
complex systems or critical infrastructures to assure the 
delivery of services vital to its national security, economic 
prosperity, and social well-being. These infrastructures 
include telecommunications, electric power, oil and gas 
delivery and storage, banking and finance, transportation, and 
vital human services and government services. The information 
age has fundamentally altered the nature and extent of our 
reliance on these infrastructures.
    Our government, our economy, our society, indeed, our 
individual lives are becoming increasingly dependent on an 
ever-expanding system of networks of computers and information 
systems. The increasing dependence on computer control 
networks, combined with the growing interdependence of our 
Nation's critical infrastructures, together present a new kind 
of vulnerability, especially to deliberate attack.
    The threats posed to our critical infrastructures are real 
and growing. The nature of these threats and the potential 
risks they pose to the Nation's infrastructures will be 
addressed by Mr. Vatis of the National Infrastructure 
Protection Center.
    PDD 63 was issued in May 1998 to take up the unique 
challenges posed by these threats. I say unique because the 
risks posed to our critical infrastructures present a challenge 
that is really unique in our history, as this may very well be 
the first time a national security challenge cannot be solved 
by the government alone. Indeed, 90 percent of the 
infrastructures that we are concerned about are privately owned 
and operated.
    This is why PDD 63 stresses the importance of establishing 
public-private partnerships and why the President has 
designated lead agencies in the Federal Government to work as 
liaisons with the respective sectors to build those 
partnerships. PDD 63 also recognizes the traditional areas of 
national defense, foreign affairs, intelligence, and law 
enforcement and that they are fundamental to protection of our 
infrastructures, inherent in the domain of government, and 
stipulates that sector coordinators be designated for these 
areas from the associated government agencies.
    Shortly, the administration will publish the first version 
of a plan to implement PDD 63. The draft is in the final stages 
of interagency clearance, so I cannot go into a great deal of 
detail on its content. However, I can highlight the themes that 
are captured in the plan as well as what is contained in PDD 
63.
    First is a continuing commitment to protecting those 
infrastructures that are necessary in order to perform national 
defense and intelligence missions. I believe you have submitted 
for the record the statement by Mr. Richard Schaeffer of the 
Office of the Secretary of Defense, who lays out in great 
detail what efforts are being undertaken in that regard to 
protect those infrastructures.
    Second is a need for the U.S. Government to serve as a 
model in critical infrastructure protection. Recognizing that 
maybe most of the critical infrastructures of our country are 
privately owned, it is very difficult for the government to 
call upon private industry to take up the challenge posed by 
PDD 63 unless it has its own house in order. With that in mind, 
the President charges the Federal Government to do what it 
needs to do to ensure that its critical infrastructures are 
protected against intentional attack.
    Third and finally, there is a need to establish the 
partnerships between private industry and the government on the 
one hand and to encourage information sharing arrangements 
first and foremost within industries themselves and ultimately 
between industry and government. Those partnerships at various 
levels, we believe, will secure our Nation's infrastructures 
over the long term and that a collaborative effort will ensure 
that creative solutions are developed to meeting the challenges 
of the future.
    I would like to conclude my remarks very briefly by 
highlighting some of the key programs that are likely to appear 
in a national plan, as they are deemed sufficiently important 
by the administration to request accelerated funding in the 
fiscal year 1999 budget amendment, which is before you at the 
moment.
    The first of these supports an aggressive government-wide 
implementation of a Federal computer security requirements 
program. The proposal requests $5 million to establish a 
permanent 15-member expert review team that would assist 
government agencies in identifying vulnerabilities, plan secure 
systems, and to implement critical infrastructure protection 
plans. The Critical Infrastructure Assurance Office under PDD 
63 is to assist agencies in identifying critical systems and 
their own dependencies, and we will be working and supporting 
the expert review team in that effort.
    Second, the administration requests $8.4 million to 
establish a Federal intrusion detection monitoring system to 
secure Federal Government computer systems. A couple of key 
points I would like to make about that briefly, given the 
amount of coverage that has been given to this issue in the 
press.
    First, this is meant to cover civilian government agencies 
only. This is not meant to be wired into the private sector or 
to include private industries in some fraud monitoring system.
    It provides a centralized capability to analyze anomalous 
activities that agencies may detect through the use of their 
monitoring systems.
    Fourth, any Federal intrusion detection monitoring system 
that is developed will be fully consistent with existing 
privacy laws. No additional authorization has been given to the 
government in order to implement this program.
    Finally, in cases where activity suggests criminal intent 
and criminal activity, those and only those pieces of 
information will be going to law enforcement, as appropriate 
under existing laws.
    The third request is for approximately $17 million for the 
recruitment, training, and retention of Federal information 
technology managers and officers. The purpose of this program 
is to ensure that the Federal Government, if it is to act as a 
model, has the capabilities to protect its information 
infrastructures against malicious intent and activity.
    Four, $7 million are requested for ongoing efforts to 
secure government-to-government communications through the 
establishment of public key infrastructures.
    Fifth and finally, $2 million is being requested to support 
two pilot programs to foster information sharing arrangements 
between State and local governments and private industry.
    I would like to thank you for having me here today and I 
welcome any questions you may have.
    Senator Kyl. Thank you very much.
    [The prepared statement of Mr. Tritak follows:]

                  PREPARED STATEMENT OF JOHN S. TRITAK

    Mr. Chairman, Madame Ranking Member, members of the Subcommittee, 
ladies and gentlemen, it is an honor to appear before you here today to 
discuss the challenges facing our Nation in the area of critical 
infrastructure protection. This Subcommittee has shown exceptional 
leadership on these issues, and I am grateful for the opportunity to 
work closely with you and the Congress to find ways to advance 
infrastructure assurance for all Americans. We all recognize that no 
viable solutions will be discovered or implemented without the 
executive and legislative branches working together for our national 
good.

                            I. INTRODUCTION

    America has long depended on a complex of systems--or critical 
infrastructures--to assure the delivery of services vital to its 
national defense, economic prosperity, and social well-being. These 
infrastructures include telecommunications, electric power, oil and gas 
delivery and storage, banking and finance, transportation, and vital 
human and government services.
    The information age has fundamentally altered the nature and extent 
of our dependency on these infrastructures. Increasingly, our 
government, economy and society are being connected together into an 
ever expanding and interdependent digital nervous system of computers 
and information systems. With this interdependence comes new 
vulnerabilities. One person with a computer, a modem, and a telephone 
line anywhere in. the world can potentially break into sensitive 
government files, shut down an airport's air traffic control system, or 
cause a power outage in an entire region.
    The threats posed to our critical infrastructures by hackers, 
terrorists, criminal organizations and foreign governments are real and 
growing. The nature of these threats will be addressed by Mr. Vatis of 
the National Infrastructure Protection Center (NIPC).
    Before I discuss the initiatives the Administration is undertaking 
to secure our nation's critical infrastructures, I would like to 
discuss the historical context within which PDD-63 arose.
    In the early 1990's, events such as the 1995 bombing of the Murrah 
Federal Building in Oklahoma City demonstrated that the federal 
government needed to address new types of threats and vulnerabilities--
many of which the nation was unprepared to defend against.
    In response to this tragedy, and other events, the Administration 
formed an inter-agency working group to examine the nature of the 
threat, our vulnerabilities, and possible long-term solutions for this 
aspect of our national security. The Critical Infrastructure Working 
Group (CIWG), chaired by then Deputy Attorney General Jamie Gorelick, 
and including representatives from the Defense, Intelligence, and 
national security communities, identified both physical and cyber 
threats and recommended formation of a Presidential Commission to 
address more thoroughly many of these growing concerns.
    In July 1996, in response to the CIWG recommendation, President 
Clinton signed Executive Order 13010 establishing the President's 
Commission on Critical Infrastructure Protection (PCCIP or, the 
Commission). After examining infrastructure issues for over a year, the 
Commission issued its report, Critical Foundations, Protecting 
America's Infrastructures, drawing at least four significant 
conclusions:

   First, critical infrastructure protection is central to our 
        national defense, including national security and national 
        economic power;
   Second, growing complexity and interdependence between 
        critical infrastructures may create increased possibility that 
        rather minor and routine disturbances can cascade into national 
        security emergencies;
   Third, vulnerabilities are increasing steadily and the means 
        to exploit weaknesses are readily available; practical measures 
        and mechanisms, the commission argued, must be urgently 
        undertaken before we are confronted with a national crisis; and
   Fourth, laying a foundation for security will depend on new 
        forms of cooperation with the private sector, which owns and 
        operates many of these critical infrastructure facilities.

                          II. PDD-63--OVERVIEW

    After releasing the PCCIP report, the Administration worked to 
incorporate these and other recommendations into Presidential Decision 
Directive 63, which was issued in May 1998. Most importantly, PDD-63 
recognizes the need for a Public-Private Partnership to face these 
critical issues. The directive specifies sectors of the national 
infrastructure, primarily in the private sector, that provide critical 
services or functions. It designates lead agencies in the Federal 
Government to work as liaisons with their respective sectors to build 
partnerships. PDD-63 additionally recognizes that the traditional areas 
of national defense, foreign affairs, intelligence, and law enforcement 
are fundamental to infrastructure protection, are inherently the domain 
of the government, and stipulates that sector coordinators be 
designated for these areas from the associated government agencies.
    PDD-63 established the position of National Coordinator for 
Security, Infrastructure Protection, and Counter Terrorism to 
orchestrate these efforts. The PDD lays out specific tasks that must be 
accomplished, time lines for doing so, and organizations for carrying 
out these missions. Key amongst them are the National Infrastructure 
Protection Center (NIPC), Directed by Mr. Vatis, and the National Plan 
Coordination Staff--now called the Critical Infrastructure Assurance 
Office (CIAO)--which I have the honor of directing.
    PDD-63 focuses the nation's efforts on aspects of critical and 
immediate importance--and I emphasize that these must be the efforts of 
the whole nation, for success will come only from the efforts of the 
private sector, state and local governments, and the Federal Government 
working together in an integrated and cooperative manner. Our efforts 
fall in three broad categories.

A. Defense and intelligence components

    The first is the Federal Government agencies involved in defense 
and intelligence efforts. The armed forces and intelligence agencies 
have requirements and systems that are unique to their special role. 
This has long been recognized in law, in the way we structure these 
organizations, and in our national philosophy. Their efforts are, as 
would be expected from the sensitive and well established nature of 
their mission, much further along in achieving critical infrastructure 
protection than those of the other parts of the Federal Government. In 
many ways they have set the example for other agencies' efforts, and 
they currently share their experiences and advise on how the rest of 
the government might proceed. Their contribution has been very 
important in shaping the policy and programmatic reality the rest of 
the government is currently trying to establish. Mr. Richard Schaeffer, 
Director of the Information and Infrastructure Assurance Office for the 
Defense Department, has submitted a statement for the record on this 
and other matters, so, in cause of brevity, I will refer you to it and 
cover their efforts no further.

B. Government as model

    The second category of effort can be called ``Government as a 
Model.'' We often say that more than 90 percent of our critical 
infrastructures are neither owned nor operated by the Federal 
Government. Partnerships with the private sector and State and Local 
Governments are therefore not just needed, but are the fundamental 
aspect of critical infrastructure protection. Yet, the President 
rightly challenged the Federal Government in PDD-63 to serve as a model 
for critical infrastructure protection--to put our own house in order 
first. As such, the Administration has focused what might appear to be 
a disproportionate amount of our effort early in the process on doing 
this by establishing a coordinated and integrated approach across the 
Federal Government.

   Federal Computer Security Requirements and Government 
        Infrastructure Dependencies

    One component of this effort supports aggressive, government-wide 
implementation of federal computer security requirements. Thus, in 
support of PDD-63, the President forwarded to Congress a request for a 
fiscal year 2000 budget amendment that would enhance computer security 
and critical infrastructure protection in the Federal Government. This 
proposal would fund a permanent 15-member team at the Department of 
Commerce's National Institute of Standards and Technology (NIST) 
responsible for helping Agencies identify vulnerabilities, plan secure 
systems, and implement Critical Infrastructure Protection Plans. The 
budget amendment would also establish an operational fund at NIST for 
computer security projects among Federal Agencies, including 
independent vulnerability assessments, computer intrusion drills, and 
emergency funds to cover security fixes for systems identified to have 
unacceptable security risks. Among others, the Director of the team 
would consult with the Office of Management and Budget and the National 
Security Council on the team's plan to protect and enhance computer 
security for Federal Agencies.
    Under PDD-63, the President directed the CIAO to coordinate 
analyses of the U.S. Government's own dependencies on critical 
infrastructures. Many of the critical infrastructures that support our 
nation's defense and security are shared by multiple agencies. Even 
within government, then, critical infrastructure outages may cascade 
and unduly impair delivery of critical services. The CIAO is 
coordinating an interagency effort to develop a more sophisticated 
identification of critical nodes and systems and their impact on 
national security government-wide. These efforts will support the work 
of the ERT in identifying vulnerabilities of the government's computer 
infrastructures, planning secure computer systems, and implementing 
computer security plans.
    This research, when complete, will provide important information to 
maximize national security research and development, budgeting, and for 
implementing Federal computer security requirements and critical 
infrastructure planning within each agency.

   Federal Intrusion Detection Network (FIDNET)

    PDD-63 marshals resources to improve interagency cooperation in 
detecting, and in responding to computer intrusions into civilian 
government critical infrastructure nodes. To support this effort, the 
Administration recently sent to Congress a fiscal year 2000 Budget 
Amendment to create a centralized intrusion detection and response 
capability in the General Services Administration (GSA). Through the 
use of additional staff and enhanced technology, Federal Agencies will 
improve upon their abilities to:

   detect computer attacks and unauthorized intrusions;
   share attack warnings and related information across 
        agencies; and
   respond to attacks.

    This amendment would provide GSA funds to pay for additional 
technology and personnel dedicated to intrusion detection and response. 
The additional personnel would improve Federal Agencies' ability to 
detect attacks, analyze data, and communicate attack information more 
swiftly, building on the existing Federal Computer Incident Response 
Capability (FedCIRC). The additional technology, in the form of state-
of-the-art intrusion detection systems, would ensure a consistent 
capability in Agencies to protect critical systems.
    The program--much like a centralized burglar alarm system--would 
operate within legal requirements and Government policy concerning 
privacy, civil liberties, and promoting confidence in users of Federal 
civilian computer systems. Attack and intrusion information would be 
gathered and analyzed by Agency experts. Only data on system anomalies 
would be forward to GSA for further analysis.
    Neither the Federal Bureau of Investigation nor other law 
enforcement entities would receive information about the computer 
attacks and intrusions--except under long-standing legal rules and 
where an Agency determines there is sufficient indication of illegal 
conduct. Also, private entities will not be wired to the FIDNet--no 
private sector entity is part of this civilian government program.
    In short, FIDNet will be run by the GSA, not the FBI; will not 
monitor any private networks or email traffic; will confer no new 
authorities on any government agency; and will be fully consistent with 
privacy law and practice.

   Education and Training

    One of the nation's important shortcomings in our efforts to 
protect our critical infrastructures is a shortage of skilled 
information technology (IT) personnel. Within the subset of information 
systems security personnel, the shortage is acute. Within the Federal 
Government, the lack of skilled information systems security personnel 
amounts to a crisis. This shortfall of workers reflects a scarcity of 
university graduate and undergraduate information security programs. In 
attacking this problem, we will leverage the initial efforts made by 
the Defense Department, National Security Agency, and some Federal 
Agencies.
    The Federal Cyber Services (FCS) training and education initiative 
introduces five programs to help solve the Federal IT security 
personnel problem.

   The Completion of an Office of Personnel Management IT 
        occupational study. This study will help identify the number of 
        IT security positions in the Federal Government, and the 
        training and certification requirements for these positions.
   The development of Center(s) for Information Technology 
        Excellence (CITE). These Centers will train and certify current 
        Federal IT security personnel and maintain their skill levels 
        throughout their careers. It will leverage the significant 
        progress made by the Defense Department and other federal 
        agencies on this issue.
   The creation of a Scholarship for Service (SFS) program to 
        recruit and educate the next generation of Federal IT security 
        workers and managers. This program will fund up to 300 students 
        per year in their pursuit of undergraduate or graduate degrees 
        in the IT security field. In return, the students will serve in 
        the Federal IT workforce for a fixed period following 
        graduation. The program will also have a meaningful summer work 
        and internship element. An important part of the SFS program is 
        the need to identify universities for participation in the 
        program and assist in the development of IT security faculty 
        and laboratories at these universities.
   The development of a high school recruitment and training 
        initiative. This program would identify promising high school 
        students for participation in summer work and internship 
        programs that would lead to certification to Federal IT 
        workforce standards and possible future employment. This effort 
        will also examine possible programs to promote computer 
        security awareness in secondary and high school classrooms.
   The development and implementation of a Federal INFOSEC 
        awareness curriculum. This awareness effort is aimed at 
        ensuring the entire Federal workforce is developing computer 
        security literacy. It will leverage several outstanding 
        existing federal agency awareness programs.

   Research and Development

    A key component to our ability to protect our critical 
infrastructures now and in the future is a robust research and 
development plan. The interagency Critical Infrastructure Coordination 
Group (CICG) has created a process to identify technology requirements 
in support of the Plan. Chaired by the Office of Science and Technology 
Policy (OSTP), the Research and Development Sub-Group works with 
Agencies and the private sector to:

   gain agreement on requirements and priorities for 
        information security research and development;
   coordinate among Federal Departments and Agencies to ensure 
        the requirements are met within departmental research budgets 
        and to prevent waste or duplication among departmental efforts;
   communicate with private sector and academic researchers to 
        prevent Federally funded R&D from duplicating prior, ongoing, 
        or planned programs in the private sector or academia; and
   identify areas where market forces are not creating 
        sufficient or adequate research efforts in information security 
        technology.

    That process, begun in 1998, led to the Administration budget 
request for fiscal year 2000 of $500 million for critical 
infrastructure protection research. Among the priorities identified by 
the process are:

   technology to support large-scale networks of intrusion 
        detection monitors;
   artificial intelligence and other methods to identify 
        malicious code (trap doors) in operating system code;
   methodologies to contain, stop, or eject intruders, and to 
        mitigate damage or restore information-processing services in 
        the event of an attack or disaster;
   technologies to increase network reliability, system 
        survivability, and the robustness of critical infrastructure 
        components and systems, as well as the critical infrastructures 
        themselves; and
   technologies to model infrastructure responses to attacks or 
        failures; identify interdependencies and their implications; 
        and locate key vulnerable nodes, components, or systems.

C. Public-private partnership

    Thirdly, and as discussed above, one of the most important 
components of PDD-63 implementation is the development of collaborative 
partnerships among and between the private sector, state and local 
governments, and the Federal Government. The importance of this effort 
cannot be overstated and is made clear by considering just a few 
scenarios. If the natural gas delivery system you rely on for heat and 
cooking fails in January due to an attack on the computer systems that 
direct its operations, you will take small comfort in fact that the 
Federal Government has a critical infrastructure protection plan in 
place. In fact, all our efforts to put the Federal Government's house 
in order and to serve as a model for industry will be of little service 
if our government information systems are impossible to break into, but 
the electrical power that they operate on is shut down by malicious 
actions of a foreign government. The list of examples goes on and on, 
and none of these systems is owned or operated by the Federal 
Government.
    These vignettes put the situation in perspective--we are faced with 
a fascinating and challenging problem. This is the first time I am 
aware of in our national history that by creating policy and expending 
resources, the Federal Government cannot alone solve a national 
security problem. So what are we doing about it? If by ``we'' you 
understand ``the government'' then the answer must necessarily be 
unsatisfactory--because the government alone cannot protect the 
nation's infrastructures. But if by ``we'' you understand ``the 
nation''--the Federal Government in a coordinated and integrated effort 
with state and local government, industry, academia and other concerned 
groups--then I am happy to report that we have made a good beginning, 
and are developing a strong future.
    Just last Friday, Treasury Secretary Summers announced the 
formation of the Financial Sector Information Sharing and Analysis 
Center--``ISAC'' for short. ISAC's are private sector owned and 
operated entities that serve as focal points for their associated 
sector of the economy. Because they are defined individually by their 
member organizations, they will not all be identical. They are, 
however, all to be the coordinating and analyzing body for cyber 
attacks on their specific sector. I want to emphasize that these ISAC's 
are neither set up, nor supervised by the Federal Government, although 
the Federal Government will assist these critical sectors in setting up 
their ISAC, through the Sector Liaisons, if asked. The government will 
share what information we can on cyber attacks with the ISAC's to help 
them protect their sector, and we will encourage them to share 
appropriately sanitized information with us to help us protect 
government agencies and functions. But this sharing from ISAC's to 
government will be on an entirely voluntary basis, both in amount of 
information and the level of detail. No requirement exists or will 
exist that mandates information sharing.
    While these ISAC's, would work within the sectors of the economy 
that own and operate critical infrastructure, as stipulated in PDD-63, 
this is not intended to be limiting. Other sectors or groupings within 
industry could establish ISAC's, and we would assist them in this. 
Furthermore, practically every aspect of our nation relies on critical 
infrastructures. This makes CIP a fundamentally important issue for not 
just those companies that own and operate critical infrastructure, but 
also for those that rely on it to do business. They can and must have a 
voice in this public/private partnership.
    Recently, the President issued an Executive Order establishing a 
National Infrastructure Assurance Council (NIAC). This Presidential 
advisory body will be comprised of leaders from the Private Sector, 
State and Local governments, and the Federal Government. It will 
examine key aspects of critical infrastructure assurance, and report to 
the President.
    The final indispensable members of this partnership are state and 
local governments. They have the fundamentally important roles of 
providing and regulating many if not most essential services. They are 
the front line forces in the event of disasters or attacks on 
infrastructures. Some have moved quite far in their critical 
infrastructure protection efforts--New Mexico, for example, under the 
direction of Dr. Dan O'Neil, has a very strong and growing critical 
infrastructure protection partnership with key private sector entities. 
Furthermore, we have long had strong relationships with state and local 
governments on specific issues related to critical infrastructure 
protection, such as state and local emergency management organizations 
with FEMA, and state and local law enforcement agencies through the FBI 
and other national law enforcement agencies. This area is one in which 
much work remains to be done, and I look forward to working with each 
Congressional Delegation as we define the issues and solutions.

                            III. CONCLUSION

    In conclusion, much has been done since PDD-63 was issued in 1998. 
My staff and I are committed to building on this promising beginning, 
coordinating the government's efforts into an integrated holistic 
program for critical infrastructure protection under the direction of 
the National Coordinator for Security, Infrastructure Protection, and 
Counter-Terrorism. We have much work left to do, and I look forward to 
with the members of this committee, indeed with the Congress as a 
whole, as we wrestle with this developing field and implement 
solutions. I look forward to your questions.

    Senator Kyl. Mr. Vatis.

                 STATEMENT OF MICHAEL A. VATIS

    Mr. Vatis. Mr. Chairman, Senator Feinstein and Senator 
Bennett, thank you very much for inviting me here this morning 
to speak with you about critical infrastructure protection. You 
three have really been leaders in the Congress in recognizing 
the importance of these issues and the urgency of dealing with 
the new cyber threat that we face now in the information age, 
and so it is a privilege to share our perspective with you all, 
coming from the NIPC.
    I think your statements, your three statements, have really 
laid out the issue quite nicely in terms of the threats that we 
face and why our vulnerabilities are so great in this area, so 
I think I would like to focus my brief oral remarks on our 
perspective on the threats and how we are approaching them and 
attempting to deal with them.
    Much of the news media accounts on this issue focus on 
hacks into government websites and some private sector 
websites, and while those are criminal acts and they are not 
unimportant, they are not really where the main threat lies. 
The main threat lies in the potential for foreign nation 
states, foreign actors, and also domestic actors to hack into 
the critical computer networks that control our Nation's vital 
infrastructures, the services that are essential to the basic 
functioning of our economy and are essential to our national 
security, such as the telecommunications network, the 
electrical power grid, government operations, other energy 
systems, banking and finance, et cetera. Those are what we 
refer to as our critical infrastructures and those are the 
things that we are focused on protecting from attack.
    Mr. Chairman, you mentioned recent media accounts of a 
significant series of intrusions into Department of Defense and 
other government agency networks. This is a matter that we have 
been looking into for over a year now and it points up for 
those who needed yet another wake-up call the serious 
vulnerabilities that we are trying to deal with and the serious 
threats that we are facing, not 5 or 10 years in the future, 
but today. These are threats to our national security that we 
must confront now because it is already happening.
    As you mentioned, Mr. Chairman, the greatest potential 
threat comes from foreign state actors who might choose to 
engage in information warfare against the United States because 
they realize that they cannot take us on in conventional 
military terms and would seek to go after what they perceive as 
our Achilles heel, as you put it, which is our reliance on 
information technology, more than any other country, to control 
our critical operations.
    Information warfare is not the only threat. There is also a 
threat from foreign nation states engaged in cyber espionage, 
using remote access that is afforded by the interconnectivity 
of the Internet and our telecommunications systems, to access 
sensitive government information or sensitive private sector 
information, essentially engaged in industrial or economic 
espionage, to steal secrets to advantage their own indigenous 
industries at the expense of our own American private sector. 
These are threats, again, that are not just future threats, but 
they are threats that we must deal with right now.
    On the non-state side, there are a variety of bad actors 
who can engage in similar types of intrusions for different 
purposes, but essentially using very similar, if not the same, 
techniques. We have seen terrorist groups beginning to acquire 
both the equipment and the expertise to use information 
technology as a weapon. For some time now, we have seen 
terrorist groups using the Internet and other forms of 
information technology to raise funds, to spread propaganda, 
and to communicate securely using encryption.
    More recently, we have begun to see terrorists now focusing 
on using those same set of technologies as a weapon. We have 
seen the Internet Black Tigers associated with the Tamil 
Tigers, engage in a denial of service attack on e-mail servers 
of Sri Lankan government embassies. We also have concerns that 
Aum Shinrikyo, the Japanese terrorist group that launched the 
deadly sarin gas attack in Tokyo, beginning to think about 
using its expertise in computers and in networks as a possible 
weapon to direct against Japanese or U.S. interests. And there 
are reports that traditional terrorist groups such as the IRA 
have thought about using these same sorts of tools as weapons 
against their intended targets.
    All of these factors really portend the possibility and 
likelihood of a serious cyber terrorist attack directed against 
U.S. interests, but right now, we are already seeing criminal 
groups using these tools, not necessarily to disrupt systems, 
but to steal money, which is what criminal groups are basically 
all about.
    We have had the example that is now 5 years old of a 
Russian organized crime group headquartered in St. Petersburg 
using the same types of techniques to break into the Citibank 
cash management system and start transferring over $10 million 
to their own accounts. Fortunately, Citibank contacted the FBI 
early on and Citibank was able to stem its losses at 
approximately $400,000. All of the members of the group were 
apprehended and eventually prosecuted.
    But we still face that similar problem from criminal 
groups. The Phonemasters case that you mentioned, Mr. Chairman, 
is just another example of a group that does not fit our common 
definition of an organized crime group, but it was a group, it 
was organized, and it engaged in serious criminal activity. So 
I think we need to open our minds to some new paradigms out 
there of organized crime, people who are perhaps younger than 
our typical vision of organized crime groups but are taking 
advantage of these new technologies to engage in serious fraud 
schemes, serious theft schemes, and other types of criminal 
conspiracies.
    But we have also seen individuals posing a serious threat. 
In the last year alone, we have seen at least three very 
serious viruses or worms, the Melissa virus, the Explore.zip 
worm, the Chernobyl virus, wreak serious havoc on the private 
sector, some estimates going into the hundreds of millions of 
dollars of damage caused to private companies from the 
disruption caused by these viruses.
    We have also seen what we call recreational hackers cause 
serious harm, individuals who may be engaged in hacking just 
for the thrill of it, as Senator Feinstein said, or for 
bragging rights in the hacker community because they are a 
competitive bunch who like to show that they are better than 
the other guy. But they can have very serious consequences in 
their hacks. It is not just benign fun, as it is sometimes 
portrayed to be.
    We had an example a couple of years ago of a teenager in 
Massachusetts who hacked into the then-NYNEX, now Bell Atlantic 
telephone system, and shut down telecommunications in the 
Worcester, MA, area for several thousand users. What he did not 
intend was that he also disrupted communications to the local 
airport and prevented incoming airplanes from communicating 
with the tower and from turning on the runway lights. That 
could have obviously had very serious impacts on the safety of 
people using that airport. He also had the effect of shutting 
down communications of local police and rescue services. So 
even things that might seem relatively benign can have very 
serious impacts on our public safety.
    The final category of individuals is probably the most 
common, and that is the disgruntled insider, an employee or 
former employee at a company who abuses his knowledge and 
access to a system to cause disruption, by causing the system 
to crash because he is angry at his employer, by stealing 
sensitive information and giving it to a competitor, or 
altering information. We have countless examples of these types 
of instances and that is probably the category that the private 
sector is most concerned about. Fifty-five percent of 
respondents in a recent poll by the Computer Security Institute 
and the FBI said that they had insider problems, insiders 
accessing their systems and doing bad things.
    So there is an incredibly broad array of threats in the 
cyber area that we have to deal with, and one of the 
difficulties in this area that distinguishes it qualitatively 
from the physical world is that when you first notice that you 
have an intrusion, you do not know what you are dealing with. 
You do not know if it is a disgruntled insider, if it is an 
organized crime group, if it is a terrorist, a foreign 
intelligence agency, or a nation state planting the seeds for 
future destructive attacks.
    And as a result, because you do not know how to deal with 
it, in the government, it is not clear who should have 
responsibility, as Senator Bennett said, because it is not 
clear what you are dealing with. If we knew it were a nation 
state engaged in preparing the battlefield for an information 
warfare attack, then clearly a military response might be 
called for. But if we do not know that going in, it is hard to 
assign responsibility.
    In the Solar Sunrise case that I think all three of you 
alluded to from February 1998, it looked at first blush like it 
might be an instance of information warfare attack by the Iraqi 
government because we were deploying troops to the Gulf at the 
time and some of the attacks seemed to be coming through 
Internet service providers in the Gulf region. Upon 
investigation, however, we determined that the intrusions were 
carried out by several teenagers, two in California and several 
more in Israel. So what looked like a possible information 
warfare attack ended up being recreational hackers who were 
hacking for the thrill of it.
    As a result of that difficulty of knowing what you are 
dealing with, who is doing it, how are they getting in, why are 
they doing it, what systems are they affecting, and where are 
they coming from, the response that the Federal Government took 
in PDD 63 was to create an interagency center at the NIPC, 
located at the FBI, but with representatives from all of the 
agencies who have a role to play, depending on what we 
determine we are confronting. So we have representatives at 
senior levels, at analytical levels, and on the investigative 
side, as well, from the Department of Defense, from the 
intelligence community, from other Federal law enforcement 
agencies, until recently, from State and local law enforcement, 
and eventually, we hope to have representatives from the 
private sector brought in, as well.
    So as we investigate a case and can make determinations 
about who is doing what to us, we can have quick hand-off to 
the appropriate agencies that have responsibility. But the 
reason for putting the NIPC under the auspices of the FBI is 
because to make those determinations, we need to gather 
information from the victim sites, from some of the 
intermediate sites that might have been attacked on the way to 
the ultimate victim, and the only way legally we can gather 
that information is pursuant to law enforcement investigative 
authorities, or in some more narrow circumstances, 
counterintelligence authorities, if we know going in that this 
is a nation state-sponsored attack.
    But once we gather that information using those legal 
authorities, the ultimate response and the ultimate 
responsibility for dealing with it will depend on the facts, 
and at that point, other agencies would have a more direct role 
to play, be it a military response, a diplomatic response, an 
intelligence response, or a law enforcement response.
    Let me just say, finally, since I have used up all my time 
and more, that we are looking at Y2K as yet another example of 
how we need to coordinate, particularly on the information 
sharing side. Our responsibility at the NIPC is not to deal 
with service outages caused by the millennium bug and the 
inability of computers to recognize the date change. Our focus 
is, just as it is every day, is on dealing with malicious 
criminal attacks, intrusions or viruses that people use to 
attack systems. We do not have any concrete information 
indicating that any foreign group or domestic group is planning 
on engaging in these sorts of attacks specifically around Y2K, 
but we are preparing for that eventuality because of the 
distinct possibility that people might see as an opportunity to 
engage in those sorts of attacks.
    So in our field offices across the country and here at FBI 
headquarters, the NIPC is preparing a contingency plan to deal 
with those sorts of attacks, and we have been communicating 
very closely with the rest of the Federal community, with State 
and local governments, and with the new Information 
Coordination Center at the White House, which is dealing with 
the Y2K problem overall and focusing on sharing information 
about the state of critical systems during the rollover period.
    That concludes my somewhat lengthier remarks that I had 
intended, but I hope that gave you some insight into how we 
approach the problem.
    Senator Kyl. Thank you very much, Mr. Vatis.
    [The prepared statement of Mr. Vatis follows:]

                 PREPARED STATEMENT OF MICHAEL A. VATIS

                              INTRODUCTION

    Mr. Chairman, Senator Feinstein, and Members of the Committee: 
Thank you for inviting me here today to discuss critical infrastructure 
protection issues. Mr. Chairman, you and this committee have been 
leaders in recognizing the importance of these issues and the urgency 
of addressing the new threats to our national security in the 
Information Age, and I welcome this opportunity to share our 
perspectives with you today. As you know, the Federal Government is 
developing its capabilities for dealing with threats to our nation's 
infrastructures. Presidential Decision Directive-63 set in motion an 
unprecedented effort to protect our nation's critical infrastructures, 
which the PDD defined as ``those physical and cyber-based systems 
essential to the minimum operations of the economy and government.'' 
Critical infrastructures include telecommunications, energy, banking 
and finance, transportation, water systems, and emergency services, 
both public and private. The PDD formally designated the National 
Infrastructure Protection Center (NIPC) to have a central operational 
role in the government's effort. The Center works closely with the 
National Coordinator for Security, Infrastructure Protection, and 
Counter-terrorism; the Department of Defense (DOD); the U.S. 
Intelligence Community (USIC); other federal agencies; and the private 
sector to protect our critical infrastructures. My statement will cover 
the spectrum of threats we are facing and the status of the NIPC and 
its activities.

                          SPECTRUM OF THREATS

    The news media is filled with examples of intrusions into 
government and private sector computer networks. Politically motivated 
hackers have been attacking numerous U.S. Government websites, 
including the Senate's. Deputy Secretary of Defense John Hamre reported 
in February that DOD is ``detecting 80 to 100 [potential hacking] 
events daily.'' We have had several damaging computer viruses this 
year, including the Melissa Macro Virus, the Explore.Zip Worm, and the 
CIH (Chernobyl) Virus. Computer Economics, Inc., a California firm, 
estimates that damage in the first two quarters of 1999 from viruses 
has topped $7 billion. The FBI's case load for computer hacking and 
network intrusion cases has doubled each of the last two years. 
Currently we have over 800 pending investigations. In its 1999 survey, 
the Computer Security Institute estimated the total financial losses by 
the 163 businesses it surveyed from computer security breaches at 
$123.7 million. This includes everything from theft of proprietary data 
to denial of service on networks. E-commerce has become so important 
that firms, including Sedgwick Group PLC (in cooperation with IBM), 
Lloyds of London, and Network Risk Management Services, are now 
offering ``hacker insurance.''
Sensitive intrusions
    In the past few years we have seen a series of intrusions into 
numerous Department of Defense computer networks as well as networks of 
other federal agencies, universities, and private sector entities. 
Intruders have successfully accessed U.S. Government networks and took 
large amounts of unclassified but sensitive information. In 
investigating, these cases, the NIPC has been coordinating with FBI 
Field Offices, the Department of Defense, and other government 
agencies, as circumstances require. But it is important that the 
Congress and the American public understand the very real threat that 
we are facing in the cyber realm, not just in the future, but now.
Information warfare
    Perhaps the greatest potential threat to our national security is 
the prospect of ``information warfare'' by foreign militaries against 
our critical infrastructures. We know that several foreign nations are 
already developing information warfare doctrine, programs, and 
capabilities for use against each other and the United States or other 
nations. Foreign nations are developing information warfare programs 
because they see that they cannot defeat the United States in a head-
to-head military encounter and they believe that information operations 
are a way to strike at what they perceive as America's Achilles Heel--
our reliance on information technology to control critical government 
and private sector systems. For example, two Chinese military officers 
recently published a book that called for the use of unconventional 
measures, including the propagation of computer viruses, to 
counterbalance the military power of the United States. In addition, 
during the recent conflict in Yugoslavia, hackers sympathetic to Serbia 
electronically ``ping'' attacked NATO web servers. And Russian as well 
as other individuals supporting the Serbs attacked websites in NATO 
countries, including the United States, using virus-infected e-mail and 
hacking attempts. Over 100 entities in the United States received these 
e-mails. Several British organizations lost files and databases. These 
attacks did not cause any disruption of the military effort, and the 
attacked entities quickly recovered. But such attacks are portents of 
much more serious attacks that we can expect foreign adversaries to 
attempt in future conflicts.

Foreign intelligence services

    Foreign intelligence services have adapted to using cyber tools as 
part of their information gathering and espionage tradecraft. In a case 
dubbed ``the Cuckoo's Egg,'' between 1986 and 1989 a ring of West 
German hackers penetrated numerous military, scientific, and industry 
computers in the United States, Western Europe, and Japan, stealing 
passwords, programs, and other information which they sold to the 
Soviet KGB. Significantly, this was over a decade ago--ancient history 
in Internet years. While I cannot go into specifics about the situation 
today in an open hearing, it is clear that foreign intelligence 
services increasingly view computer intrusions as a useful tool for 
acquiring sensitive U.S. government and private sector information.

Terrorists

    Terrorists are known to use information technology and the Internet 
to formulate plans, raise funds, spread propaganda, and to communicate 
securely. For example, convicted terrorist Ramzi Yousef, the mastermind 
of the World Trade Center bombing, stored detailed plans to destroy 
United States airliners on encrypted files on his laptop computer. 
Moreover, some groups have already used cyber attacks to inflict damage 
on their enemies' information systems. For example, a group calling 
itself the Internet Black Tigers conducted a successful ``denial of 
service'' attack on servers of Sri Lankan government embassies. Italian 
sympathizers of the Mexican Zapatista, rebels attacked web pages of 
Mexican financial institutions. And a Canadian government report 
indicates that the Irish Republican Army has considered the use of 
information operations against British interests. We are also concerned 
that Aum Shinrikyo, which launched the deadly Sarin gas attack in the 
Tokyo subway system, could use its growing expertise in computer 
manufacturing and Internet technology to develop ``cyber terrorism'' 
weapons for use against Japanese and U.S. interests. Thus while we have 
yet to see a significant instance of ``cyber terrorism'' with 
widespread disruption of critical infrastructures, all of these facts 
portend the use of cyber attacks by terrorists to cause pain to 
targeted governments or civilian populations by disrupting critical 
systems.

Criminal groups

    We are also beginning to see the increased use of cyber intrusions 
by criminal groups who attack systems for purposes of monetary gain. 
For example, in 1994 the U.S. Secret Service uncovered a $50 million 
phone card scam that abused the accounts of AT&T, MCI, and Sprint 
customers. In addition, in 1994-95 an organized crime group 
headquartered in St. Petersburg, Russia, transferred $10.4 million from 
Citibank into accounts all over the world. After surveillance and 
investigation by the FBI's New York field office, all but $400,000 of 
the funds were recovered. In another case, Carlos Felipe Salgado, Jr. 
gained unauthorized access to several Internet Service Providers in 
California and stole 100,000 credit card numbers with a combined limit 
of over $1 billion. The FBI arrested him in the San Francisco 
International Airport when he tried to sell the credit card numbers to 
a cooperating witness for $260,000. With the expansion of electronic 
commerce, we expect to see an increase in hacking by organized crime as 
the new frontier for large-scale theft.
    Just two weeks ago, two members of a group dubbed the 
``Phonemasters'' were sentenced after their conviction for theft and 
possession of unauthorized access devices (18 USC Sec. 1029) and 
unauthorized access to a federal interest computer (18 USC Sec. 1030). 
The ``Phonemasters'' are an international group of criminals who 
penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even 
the FBI's National Crime Information Center (NCIC). Under judicially 
approved electronic surveillance orders, the FBI's Dallas Field Office 
made use of new data intercept technology to monitor the calling 
activity and modem pulses of one of the suspects, Calvin Cantrell. Mr. 
Cantrell downloaded thousands of Sprint calling card numbers, which he 
sold to a Canadian individual, who passed them on to someone in Ohio. 
These numbers made their way to an individual in Switzerland and 
eventually ended up in the hands of organized crime groups in Italy. 
Mr. Cantrell was sentenced to two years as a result of his guilty plea, 
while one of his associates, Cory Lindsay, was sentenced to 41 months.
    The ``Phonemasters'' activities should serve as a wake up call for 
corporate security. Their methods included ``dumpster diving'' to 
gather old phone books and technical manuals for systems. They then 
used this information to trick employees into giving up their logon and 
password information. The group then used this information to break 
into victim systems. It is important to remember that often ``cyber 
crimes'' are facilitated by old fashioned guile, such as calling 
employees and tricking them into giving up passwords. Good ``cyber 
security'' practices must therefore address personnel security and 
``social engineering'' in addition to instituting electronic security 
measures.

Virus writers

    Virus writers are posing an increasingly serious threat to networks 
and systems worldwide. As noted above, we have had several damaging 
computer viruses this year, including the Melissa Macro Virus, the 
Explore.Zip worm, and the CIH (Chernobyl) Virus. The NIPC frequently 
sends out warnings regarding particularly dangerous viruses.
    Earlier this year, we reacted quickly to the spread of the Melissa 
Macro Virus. While there are dozens of viruses released every day, the 
speedy propagation of Melissa and its effects on networks caused us 
great concern. Within hours of learning about the virus on Friday, 
March 26, 1999, we had coordinated with key cyber response components 
of DOD and the Computer Emergency Response Team (CERT) at Carnegie-
Mellon University. Our Watch operation went into 24-hour posture and 
sent out warning messages to federal agencies, state and local law 
enforcement, FBI Field Offices, and the private sector. Because the 
virus affected systems throughout the public, we also took the unusual 
step of issuing a public warning through the FBI's Public Affairs 
Office and on our website. These steps helped mitigate the damage by 
alerting computer users of the virus and of protective steps they could 
take.
    On the investigative side, the NIPC acted as a central point of 
contact for the Field Offices who worked leads on the case. A tip 
received by the New Jersey State Police from America Online, and their 
follow-up investigation with the FBI's Newark Field Office, led to the 
April 1, 1999 arrest of David L. Smith. Search warrants were executed 
in New Jersey by the New Jersey State Police and FBI Special Agents 
from the Newark Field Office.
    Just in the last few weeks we have seen reports on the Suppl Word 
Macro virus, the toadie.exe virus, and the W97M/Thurs.A (or Thursday) 
virus., This last virus has already infected over 5,000 machines, 
according to news reports, and deletes files on victim's hard drives. 
The payload of the virus is triggered on 12-13 and disables the macro 
virus protection in Word 97. We are also concerned with the propagation 
of a Trojan Horse called Back Orifice 2000, which allows malicious 
actors to monitor or tamper with computers undetected by the users.
    Virus writers are not often broken out as a threat category, and 
yet they often do more damage to networks than hackers do. The 
prevalence of computer viruses reminds us that we all have to be very 
careful about the attachments we open and we all must be sure to keep 
our anti-virus software up-to-date.

Hactivism

    Recently we have seen a rise in what has been dubbed 
``hacktivism''--politically motivated attacks on publicly accessible 
web pages or e-mail servers. These groups and individuals overload e-
mail servers and hack into web sites to send a political message. While 
these attacks generally have not altered operating systems or networks, 
they still damage services and deny the public access to websites 
containing valuable information and infringe on others' right to 
communicate. One such group is called the ``Electronic Disturbance 
Theater,'' which promotes civil disobedience on-line in support of its 
political agenda regarding the Zapatista movement in Mexico and other 
issues. This past spring they called for worldwide electronic civil 
disobedience and have taken what they term ``protest actions'' against 
White House and Department of Defense servers. Supporters of Kevin 
Mitnick, recently convicted of numerous computer security offenses, 
hacked into the Senate webpage and defaced it in May and June of this 
past year. The Internet has enabled new forms of political gathering 
and information sharing for those who want to advance social causes; 
that is good for our democracy. But illegal activities that disrupt e-
mail servers, deface web-sites, and prevent the public from accessing 
information on U.S. government and private sector web sites should be 
regarded as criminal acts that deny others their First Amendment rights 
to communicate rather than as an acceptable form of protest.
``Recreational'' hackers
    Virtually every day we see a report about ``recreational hackers,'' 
or ``crackers,'' who crack into networks for the thrill of the 
challenge or for bragging rights in the hacker community. While remote 
cracking once required a fair amount of skill or computer knowledge, 
the recreational hacker can now download attack scripts and protocols 
from the World Wide Web and launch them against victim sites. Thus 
while attack tools have become more sophisticated, they have also 
become easier to use.
    These types of hacks are very numerous and may appear on their face 
to be benign. But they can have serious consequences. A well-known 
example of this involved a juvenile who hacked into the NYNEX (now Bell 
Atlantic) telephone system that serviced the Worcester, Massachusetts 
area using his personal computer and modem. The hacker shut down 
telephone service to 600 customers in the local community. The 
resulting disruption affected all local police and fire 911 services as 
well as the ability of incoming aircraft to activate the runway lights 
at the Worcester airport. Telephone service was out at the airport 
tower for six hours. The U.S. Secret Service investigation of this case 
also brought to light a vulnerability in 22,000 telephone switches 
nationwide that could be taken down with four keystrokes. Because he 
was a juvenile, however, the hacker was sentenced to only two years 
probation and 250 hours of community service, and was forced to forfeit 
the computer equipment used to hack into the phone system and reimburse 
the phone company for $5,000. This case demonstrated that an attack 
against our critical communications hubs can have cascading effects on 
several infrastructures. In this case, transportation, emergency, 
services, and telecommunications were disrupted. It also showed that 
widespread disruption could be caused by a single person from his or 
her home computer.

Insider threat

    The disgruntled insider is a principal source of computer crimes. 
Insiders do not need a great deal of knowledge about computer 
intrusions, because their knowledge of victim systems often allows them 
to gain unrestricted access to cause damage to the system or to steal 
system data. The 1999 Computer Security Institute/FBI report notes that 
55 percent of respondents reported malicious activity by insiders.
    There are many cases in the public domain involving disgruntled 
insiders. For example, Shakuntla Devi Singla used her insider knowledge 
and another employee's password and logon identification to delete data 
from a U.S. Coast Guard personnel database system. It took 115 agency 
employees over 1,800 hours to recover and reenter the lost data. Ms. 
Singla was convicted and sentenced to five months in prison, five 
months home detention, and ordered to pay $35,000 in restitution.
    In another case, a former Forbes employee named George Parente 
hacked got into Forbes systems using another employee's password and 
login identification and crashed over half of Forbes' computer network 
servers and erased all of the data on each of the crashed services. The 
data could not be restored. The losses to Forbes were reportedly over 
$100,000.

Identifying the intruder

    One major difficulty that distinguishes cyber threats from physical 
threats is determining who is attacking your system, why, how, and from 
where. This difficulty stems from the ease with which individuals can 
hide or disguise their tracks by manipulating logs and directing their 
attacks through networks in many countries before hitting their 
ultimate target. The now well known ``Solar Sunrise'' case illustrates 
this point. Solar Sunrise was a multi-agency investigation (which 
occurred while the NIPC was being established) of intrusions into more 
than 500 military, civilian government, and private sector computer 
systems in the United States, during February and March 1998. The 
intrusions occurred during the build-up of United States military 
personnel in the Persian Gulf in response to tension with Iraq over 
United Nations weapons inspections. The intruders penetrated at least 
200 unclassified U.S. military computer systems, including seven Air 
Force bases and four Navy installations, Department of Energy National 
Laboratories, NASA sites, and university sites. Agencies involved in 
the investigation included the FBI, DOD, NASA, Defense Information 
Systems Agency, AFOSI, and the Department of Justice.
    The timing of the intrusions and links to some Internet Service 
Providers in the Gulf region caused many to believe that Iraq was 
behind the intrusions. The investigation, however, revealed that two 
juveniles in Cloverdale, California and several individuals in Israel 
were the culprits. Solar Sunrise thus demonstrated to the interagency 
community how difficult it is to identify an intruder until facts are 
gathered in an investigation, and why assumptions cannot be made until 
sufficient facts are available. It also vividly demonstrated the 
vulnerabilities that exist in our networks; if these individuals were 
able to assume ``root access'' to DOD systems, it is not difficult to 
imagine what hostile adversaries with greater skills and resources 
would be able to do. Finally, Solar Sunrise demonstrated the need for 
interagency coordination by the NIPC.

Special threat: Y2K malicious activity

    The main concern with the Y2K rollover is, of course, the 
possibility of widespread service outages caused by the millennium date 
problem in older computer systems. The President's Y2K Council has done 
an excellent job in helping the nation prepare for the rollover event. 
Given our overall mission under PDD 63, the NIPC's role with regard to 
Y2K will be to maintain real-time awareness of intentional cyber 
threats or incidents that might take place around the transition to 
2000, disseminate warnings to the appropriate government and private 
sector parties, and coordinate the government's response to such 
incidents. We are not responsible for dealing with system outages 
caused by the millennium bug. Because of the possibility that there 
might be an increase in malicious activity around January 1, 2000, we 
have formulated contingency plans both for NIPC Headquarters and the 

FBI Field Offices.

    We are presently augmenting our existing relationships and 
information-sharing mechanisms with relevant entities in the federal 
government, such as the Information Coordination Center (ICC), state 
and local governments, private industry, and the CERT/FIRST community. 
Information will come to us from a variety of places, including FBI 
field offices and Legal Attaches overseas, as well as the ICC. FBI 
field offices are also tasked to establish Y2K plans for their regions 
of responsibility. In essence, all of the activities that we will 
undertake during the rollover period are ones we perform everyday. The 
difference is that we will be prepared to conduct them at an increased 
tempo to deal with any incidents occurring during the Y2K rollover.
    There is one potential problem associated with Y2K that causes us 
special concern--the possibility that malicious actors, foreign or 
domestic, could use the Y2K remediation process to install malicious 
code in the ``remediated'' software. Thousands of companies across the 
United States and around the world are busy having their source code 
reviewed to ensure that they are ``Y2K compliant.'' Those who are doing 
the Y2K remediation are almost always contractors who are given the 
status of a trusted insider with broad authority to review and make 
changes to the source code that runs information systems. These 
contractors could, undetected, do any of the following to compromise 
systems:

   Install Trap Doors: By installing trap doors, intruders can 
        later gain access to a system through an opening that they have 
        created and then exploit or attack the system;
   Obtain ``Root Access'': Given their level of access, 
        remediation companies can gain the same extensive privileges as 
        the system administrator, allowing them to steal or alter 
        information or engage in a ``denial of service'' attack on the 
        system.
   Implant Malicious Code: By implanting malicious code, 
        someone could place a logic bomb or a time-delayed virus in a 
        system that will later disrupt it. A malicious actor could also 
        implant a program to compromise passwords or other aspects of 
        system security.
   Map Systems: By mapping systems as a trusted insider, a 
        contractor can gain valuable information to sell to economic 
        competitors or even foreign intelligence agencies.

Systems can be compromised for any number of purposes, including 
foreign intelligence activities, information warfare, industrial 
espionage, terrorism, or organized crime. And since any vulnerabilities 
that are implanted will persist as long as the software is in place, 
this is a problem that will last well beyond January 1, 2000. Companies 
and government agencies therefore need to determine how they will deal 
with this potential ``Post-Y2K problem'' on their critical systems.
    We have little concrete evidence so far of vendors' planting 
malicious code during remediation. But the threat is such that 
companies should take every precaution possible. Of course, checking 
the remediation work to make sure that no malicious code was implanted 
in a system is no easy matter. If reviewing the millions of lines of 
code at issue were simple, there would be little need for Y2K 
contractors in the first place. Nevertheless, given the vulnerabilities 
that could be implanted in critical systems, it is imperative that the 
client companies do as much as possible to check the background of the 
companies doing their remediation work, oversee the remediation process 
closely, and review new code as closely as possible and remove any 
extraneous code. Further, companies should test for trap doors and 
other known vulnerabilities to cracking. Companies can also use ``red 
teams'' to try to crack the software and further determine if trap 
doors exist.

                           STATUS OF THE NIPC

    The NIPC is an interagency Center located at the FBI. Created in 
1998, the NIPC serves as the focal point for the government's efforts 
to warn of and respond to cyber intrusions. In PDD-63, the President 
directed that the NIPC ``serve as a national critical infrastructure 
threat assessment, warning, vulnerability, and law enforcement 
investigation and response entity.'' The PDD further states that the 
mission of the NIPC ``will include providing timely warnings of 
intentional threats, comprehensive analyses and law enforcement 
investigation and response.''
    Thus, the PDD places the NIPC at the core of the government's 
warning, investigation, and response system for threats to, or attacks 
on, the nation's critical infrastructures. The NIPC is the focal point 
for gathering information on threats to the infrastructures as well as 
``facilitating and coordinating the Federal Government's response to an 
incident.'' The PDD further specifies that the NIPC should include 
``elements responsible for warning, analysis, computer investigation, 
coordinating emergency response, training, outreach, and development 
and application of technical tools.''
    The NIPC has a vital role in collecting and disseminating 
information from all relevant sources. The PDD directs the NIPC to 
``sanitize law enforcement and intelligence information for inclusion 
into analyses and reports that it will provide, in appropriate form, to 
relevant federal, state, and local agencies; the relevant owners and 
operators of critical infrastructures; and to any private sector 
information sharing and analysis entity.'' The NIPC is also charged 
with issuing ``attack warnings or alerts to increases in threat 
condition to any private sector information sharing and analysis entity 
and to the owners and operators.''
    In order to perform its role, the NIPC is continuing to establish a 
network of relationships with a wide range of entities in both the 
government and the private sector. The PDD provides for this in several 
ways. First, it states that the Center will ``include representatives 
from the FBI, U.S. Secret Service, and other investigators experienced 
in computer crimes and infrastructure protection, as well as 
representatives detailed from the Department of Defense, Intelligence 
Community and Lead Agencies.'' \1\ Second, pursuant to the PDD, the 
NIPC has electronic links to the rest of the government in order to 
facilitate the sharing of information and the timely issuance of 
warnings. Third, the PDD directs all executive departments and agencies 
to ``share with the NIPC information about threats and warning of 
attacks and actual attacks on critical government and private sector 
infrastructures, to the extent permitted by law.'' By bringing other 
agencies directly into the Center and building direct communication 
linkages, the Center provides a means of coordinating the government's 
cyber expertise and ensuring full sharing of information, consistent 
with applicable laws and regulations.
---------------------------------------------------------------------------
    \1\ The Lead Agencies are: Commerce for information and 
communications; Treasury for banking and finance; EPA for water supply; 
Transportation for aviation, highways, mass transit, pipelines, rail, 
and waterborne commerce; Justice/FBI for emergency law enforcement 
services; Federal Emergency Management Agency for emergency fire 
service and continuity of government; Health and Human Services for 
public health services. The Lead Agencies for special functions are: 
State for foreign affairs, CIA for intelligence, Defense for national 
defense, and Justice/FBI for law enforcement and internal security. The 
NIPC is performing the lead agency and special functions roles 
specified for ``Justice/FBI'' in the PDD.
---------------------------------------------------------------------------
    To accomplish its goals under the PDD, the NIPC is organized into 
three sections:

   The Computer Investigations and Operations Section (CIOS) is 
        the operational and response arm of the Center. It program 
        manages computer intrusion investigations conducted by FBI 
        Field Offices throughout the country; provides subject matter 
        experts, equipment, and technical support to cyber 
        investigators in federal, state, and local government agencies 
        involved in critical infrastructure protection; and provides a 
        cyber emergency response capability to help resolve a cyber 
        incident.
   The Analysis and Warning Section (AWS) serves as the 
        ``indications and warning'' arm of the NIPC. The AWS reviews 
        numerous government and private sector databases, media, and 
        other sources daily to disseminate information that is relevant 
        to any aspect of NIPC's mission, including the gathering of 
        indications of a possible attack. It provides analytical 
        support during computer intrusion investigations, performs 
        analyses of infrastructure risks and threat trends, and 
        produces current analytic products for the national security 
        and law enforcement communities, the owners-operators of the 
        critical infrastructures, and the computer network managers who 
        protect their systems. It also distributes tactical warnings, 
        alerts, and advisories to all the relevant partners, informing 
        them of exploited vulnerabilities and threats.
   The Training, Outreach and Strategy Section (TOSS) 
        coordinates the training and continuing education of cyber 
        investigators within the FBI Field Offices and other federal, 
        state and local law enforcement agencies. It also coordinates 
        our liaison with private sector companies, state and local 
        governments, other government agencies, and the FBI's Field 
        Offices. In addition, this section manages our collection and 
        cataloguing of information concerning ``key assets''--i.e., 
        critical individual components within each infrastructure 
        sector, such as specific power grids, telecommunications switch 
        nodes, or financial systems--across the country.

    To facilitate our ability to investigate and respond to attacks, 
the FBI has created the National Infrastructure Protection and Computer 
Intrusion (NIPCI) Program in the 56 FBI Field Offices across the 
country. Under this program, managed by the NIPC at FBIHQ, ``NIPCI'' 
squads consisting of at least seven agents have been created in 10 
Field Offices: Washington D.C., New York, San Francisco, Chicago, 
Dallas, Los Angeles, Atlanta, Charlotte, Boston, and Seattle. For 
fiscal year 2000, we intend to reallocate our existing field agent 
compliment to create six additional squads in Baltimore, Houston, 
Miami, Newark, New Orleans, and San Diego. Because of resource 
constraints, the other field offices have only 1-5 agents dedicated to 
working NIPCIP matters.
    The NIPC's mission clearly requires the involvement and expertise 
of many agencies other than the FBI. This is why the NIPC, though 
housed at the FBI, is an interagency center that brings together 
personnel from all the relevant agencies. In addition to our 79 FBI 
employees, the NIPC currently has 28 representatives from: DOD 
(including the military services and component agencies), the CIA, DOE, 
NASA, the State Department as well as federal law enforcement, 
including the U.S. Secret Service, the U.S. Postal Service and, until 
recently, the Oregon State Police. The NIPC is in the process of 
seeking additional representatives from State and local law 
enforcement.
    But clearly we cannot rely on government personnel alone. Much of 
the technical expertise needed for our mission resides in the private 
sector. Accordingly, we rely on contractors to provide technical and 
other assistance. We are also in the process of arranging for private 
sector representatives to serve in the Center full time. In particular, 
the Attorney General and the Information Technology Association of 
America (ITAA) announced in April that the ITAA would detail personnel 
to the NIPC as part of a ``Cybercitizens Partnership'' between the 
government and the information technology (IT) industry. Information 
technology industry representatives serving in the NIPC would enhance 
our technical expertise and our understanding of the information and 
communications infrastructure.

NIPC activities

    The NIPC's operations can be divided into three categories: 
protection, detection, and response.

Protection

    Our role in protecting infrastructures against cyber intrusions is 
not to advise the private sector on what hardware or software to use or 
to act as their systems administrator. Rather, our role is to provide 
information about threats, ongoing incidents, and exploited 
vulnerabilities so that government and private sector system 
administrators can take the appropriate protective measures. The NIPC 
is developing a variety of products to inform the private sector and 
other government agencies of threats, including: warnings, alerts, and 
advisories; the Infrastructure Protection Digest; Critical 
Infrastructure Developments; CyberNotes; and topical electronic 
reports. These products are designed for tiered distribution to both 
government and private sector entities consistent with applicable law 
and the need to protect intelligence sources and methods, and law 
enforcement investigations. For example, the Infrastructure Protection 
Digest is a quarterly publication providing analyses and information on 
critical infrastructure issues. The Digest provides analytical insights 
into major trends and events affecting the nation's critical 
infrastructures. It is usually published in both classified and 
unclassified formats and reaches national security and civilian 
government agency officials as well as infrastructure owners. Critical 
Infrastructure Developments is distributed bi-weekly to private sector 
entities. It contains analyses of recent trends, incidents, or events 
concerning critical infrastructure protection. CyberNotes is another 
NIPC publication designed to provide security and information system 
professionals with timely information on cyber vulnerabilities, hacker 
exploit scripts, hacker trends, virus information, and critical 
infrastructure-related best practices. It is published twice a month on 
our website and disseminated in hard copy to government and private 
sector audiences.
    The NIPC, in conjunction with the private sector, has also 
developed an initiative called ``InfraGard'' to expand direct contacts 
with the private sector infrastructure owners and operators and to 
share information about cyber intrusions and exploited vulnerabilities, 
with the goal of increasing protection of critical infrastructures. The 
initiative encourages the exchange of information by government and 
private sector members through the formation of local InfraGard 
chapters within the jurisdiction of each of the 56 FBI Field Offices. 
The initiative includes an intrusion alert network using encrypted e-
mail, a secure website and local chapter activities. A critical 
component of InfraGard is the ability of industry to provide 
information on intrusions to the NIPC and the local FBI Field Office 
using secure communications in both a detailed and a ``sanitized'' 
format. The local FBI Field Offices can, if appropriate, use the 
detailed version to initiate an investigation, while the NIPC can 
analyze that information in conjunction with law enforcement, 
intelligence, open source, or other industry information to determine 
if the intrusion is part of a broader attack on numerous sites. The 
NIPC can simultaneously use the sanitized version to inform other 
members of the intrusion without compromising the confidentiality of 
the reporting company. InfraGard also provides us with a regular, 
secure method of providing additional security related to information 
to the private sector based on information we obtained from law 
enforcement investigations and other sources. InfraGard has recently 
been expanded to a total of 21 FBI Field Offices. The program will be 
expanded to the rest of the country later this year.
    Under PDD-63, the NIPC also serves as the U.S. governments ``Lead 
Agency'' for the Emergency Law Enforcement Services Sector. As Sector 
Liaison for law enforcement, the NIPC and a ``Sector Coordinator'' 
committee representing state and local law enforcement are formulating 
a plan to reduce the vulnerabilities of state and local law enforcement 
to cyber attack and are developing methods and procedures to share 
information within the sector. The NIPC and the FBI Field Offices are 
also working with the State and local law enforcement agencies to raise 
awareness with regard to vulnerabilities in this sector.

Detection

    Given the ubiquitous vulnerabilities in existing Commercial Off-
the-Shelf (COTS) software, intrusions into critical systems are 
inevitable for the foreseeable future. Thus, detection of these 
intrusions is critical if the U.S. Government and critical 
infrastructure owners and operators are going to be able to respond. To 
improve our detection capabilities, we first need to ensure that we are 
fully collecting, sharing, and analyzing all extant information from 
all relevant sources. It is often the case that intrusions can be 
discerned simply by collecting bits of information from various 
sources; conversely, if we don't collate these pieces of information 
for analysis, we might not detect the intrusions at all. Thus the 
NIPC's role in collecting information from all sources and performing 
analysis in itself aids the role of detection.
    The NIPC is currently concentrating on developing and implementing 
reliable mechanisms for receiving, processing, analyzing and storing 
information provided by government and private sector entities. This 
information is being used by NIPC analysts to develop tactical and 
strategic warning indicators of cyber threats and attacks. The NIPC and 
North American Energy Reliability Council (NERC) have established an 
industry-based Electric Power Working Group to develop tactical warning 
indicators and information sharing procedures for the electric power 
sector. The NIPC also has developed mechanisms to share cyber incident 
information with both government agencies and private companies in the 
telecommunications sector. In the long-term, our indications and 
warning efforts will require participation by the Intelligence 
Community, DOD, the sector lead agencies, other government agencies, 
federal, State and local law enforcement, and the private sector owners 
and operators of the infrastructures.
    Another initiative that will aid in the detection of network 
intrusions is the ``Federal Intrusion Detection Network'' (``FIDNet''), 
a National Security Council initiative that would be managed by the 
General Services Administration. Many agencies already have their own 
intrusion detection systems. FIDNet will enhance agencies' cyber 
security by linking their intrusion detection systems together so that 
suspicious patterns of activity can be detected and alerts issued 
across agencies. The goal of FIDNet is to detect intrusions in the 
federal civilian agencies' critical computer systems. (Contrary to 
recent press reports, FIDNet will not extend to private sector 
systems.) To do this, critical network event data will be captured and 
analyzed so that patterns can be established and, in the event of an 
attack, warnings issued. FIDNet will be the civilian agency counterpart 
for the automated detection system currently deployed across Department 
of Defense systems. FIDNet, under current plans, will consist of the 
following: sensors at key network nodes; a centrally managed GSA 
facility, the Federal Intrusion Detection Analysis Center (FIDAC), to 
analyze the technical data from the nodes; and secure storage and 
dissemination of collected information. The NIPC will receive reports 
from the FIDAC when there is evidence of a possible federal crime (such 
as a violation of 18 U.S.C Sec. 1030). Using all-source information, 
the Center would then analyze intrusions and other significant 
incidents to implement response efforts and support and inform national 
security decision-makers. FIDNet-derived information would also be 
combined with all-source reporting available to the NIPC to produce 
analysis and warning products which will be distributed to government, 
private sector companies, and the public, as appropriate.

Response

    The NIPC's and the FBI's role in response principally consists of 
investigating intrusions to identify the responsible party and issuing 
warnings to affected entities so that they can take appropriate 
protective steps. As discussed earlier, in the cyber world, determining 
what is happening during a suspected intrusion is difficult, 
particularly in the early stages. An incident could be a system probe 
to find vulnerabilities or entry points, an intrusion to steal or alter 
data or plant sniffers or malicious code, or an attack to disrupt or 
deny service. The cyber crime scene is totally different from a crime 
scene in the physical world in that it is dynamic--it grows, contracts, 
and can change shape. Determining whether an intrusion is even 
occurring can often be difficult in the cyber world, and usually a 
determination cannot be made until after an investigation is initiated. 
In the physical world, by contrast, one can see instantly if a building 
has been bombed or an airliner brought down.
    Further, the tools used to perpetrate a cyber terrorist attack can 
be the same ones used for other cyber intrusions (simple hacking, 
foreign intelligence gathering, organized crime activity to steal data, 
etc.), making identification and attribution more difficult. The 
perpetrators could be teenagers, criminal hackers, electronic 
protestors, terrorists, foreign intelligence services, or foreign 
military. In order to attribute an attack, FBI Field Offices can gather 
information from within the United States using either criminal 
investigative or foreign counter-intelligence authorities, depending on 
the circumstances. This information is necessary not only to identify 
the perpetrator but also to determine the size and nature of the 
intrusion: how many systems are affected, what techniques are being 
used, and what the purpose of the intrusions is--disruption, espionage, 
theft of money, etc.
    Relevant information also could come from the U.S. Intelligence 
Community (if the attack is from a foreign source), other U.S. 
government agency information, state and local law enforcement, private 
sector contacts, the media, other open sources, or foreign law 
enforcement contacts. The NIPC's role is to coordinate and collect this 
information.
    On the warning side, if we determine an intrusion is imminent or 
underway, the Watch and Warning Unit is responsible for formulating 
warnings, alerts, or advisories and quickly disseminating them to all 
appropriate parties. If we determine an attack is underway, we can 
issue warnings using an array of mechanisms, and send out sanitized and 
unsanitized warnings to the appropriate parties in the government and 
the private sector so they can take immediate protective steps. The 
Center has issued 22 warnings, alerts, or advisories between January 4 
and September 22, 1999.
    Two other NIPC initiatives are directed to improving our response 
capabilities. First, to respond appropriately, our field investigators 
need the proper training. Training FBI and other agencies' 
investigators is critical if we hope to keep pace with the rapidly 
changing technology and be able to respond quickly and effectively to 
computer intrusions. The NIPC has been very active in training. These 
training efforts will help keep us at the cutting edge of law 
enforcement and national security in the 21st Century. The Center 
provided training to 314 attendees in fiscal year 1998. In fiscal year 
1999, over 383 FBI Agents, state and local law enforcement 
representatives, and representatives from other government agencies 
have taken FBI-sponsored courses on computer intrusions and network 
analysis, the workings of the energy and telecommunications key assets, 
and other relevant topics.
    Second, our Key Asset Initiative (KAI) facilitates response to 
threats and intrusion incidents by building liaison and communication 
links with the owners and operators of individual companies in the 
critical infrastructure sectors and enabling contingency planning. The 
KAI began in the 1980's and focused on physical vulnerabilities to 
terrorism. Under the NIPC, the KAI has been reinvigorated and expanded 
to focus on cyber vulnerabilities as well. The KAI initially will 
involve determining which assets are key within the jurisdiction of 
each FBI Field Office and obtaining 24-hour points of contact at each 
asset in cases of emergency. Eventually, if future resources permit, 
the initiative will include the development of contingency plans to 
respond to attacks on each asset, exercises to test response plans, and 
modeling to determine the effects of an attack on particular assets. 
FBI Field Offices will be responsible for developing a list of the 
assets within their respective jurisdictions, while the NIPC will 
maintain the national database. The KAI is being developed in 
coordination with DOD and other agencies.

                               CONCLUSION

    While the NIPC has accomplished much over the last year in building 
the first national-level operational capability to respond to cyber 
intrusions, much work remains. We have learned from cases that 
successful network investigation is highly dependent on expert 
investigators and analysts, with state of the art equipment and 
training. We have begun to build that capability both in the FBI Field 
Offices and at NIPC Headquarters, but we have much work ahead if we are 
to build our resources and capability to keep pace with the changing 
technology and growing threat environment and be capable of responding 
to several major incidents at once.
    We have also demonstrated how much can be accomplished when 
agencies work together, share information, and coordinate their 
activities as much as legally permissible. But on this score, too, more 
can be done to achieve the interagency and public-private partnerships 
called for by PDD-63. We need to ensure that all relevant agencies are 
sharing information about threats and incidents with the NIPC and 
devoting personnel and other resources to the Center so that we can 
continue to build a truly interagency, ``national'' center. Finally, we 
must work with Congress to make sure that policy makers understand the 
threats we face in the Information Age and what measures are necessary 
to secure our Nation against them. I look forward to working with the 
Members and Staff of this Committee to address these vitally important 
issues. Thank you.

    Senator Kyl. It is my understanding that, with the 
exception of one paragraph, the draft statement that had not 
previously been cleared is the statement that you have 
submitted for the record today, is that right?
    Mr. Vatis. What we brought this morning is the final 
statement, yes, sir.
    Senator Kyl. And that statement, since Mr. Vatis did not 
recount in detail all of the examples of things that had been 
dealt with or are being dealt with, I might just reiterate, 
just to highlight a couple, one estimate of damage from the 80 
to 100 events daily detected is, in the first two quarters of 
1999, a loss or damage from these viruses over $7 billion. This 
is not a minor matter.
    Then the other examples of foreign sources interfering with 
the Kosovo operation, the foreign intelligence services with 
information sold to the Soviet KGB, terrorist activity, the 
criminal groups which you have mentioned, the Phonemasters 
case, which I mentioned, and a variety of other situations, but 
there was one item that I referred to from open source 
material, I believe it was Newsweek magazine. Can you say 
anything on the record about that particular ongoing event and 
can you identify it by its code name?
    Mr. Vatis. The article called it Moonlight Maze, and that 
is, in fact, our name for an investigation that we have been 
conducting for over a year into a series of widespread 
intrusions into Department of Defense, other Federal Government 
agency, and private sector computer networks. About the 
furthest I can go is to say that the intrusions appear to 
originate in Russia. We have been coordinating an investigation 
that has involved numerous Federal agencies, as well as 
international counterparts, but the intrusions have resulted in 
the taking of or the theft of unclassified, and it is important 
to stress that it is unclassified, but still sensitive 
information about essentially defense technical research 
matters.
    Senator Kyl. Thank you very much. I think none of us 
underestimates the seriousness of the issue, but I think it is 
important that hearings like this convey to the public as much 
information as can possibly be conveyed about the threat so 
that the public will be supportive of the efforts of the 
government and the private sector to deal with it, and also so 
that they will appreciate the law enforcement tension that you 
identified, and I am going to get more into that in a minute, 
to try to put everybody's mind at ease with respect to how the 
investigations are proceeding and how privacy is being 
protected.
    Mr. Tritak, let me ask you, the PDD was issued back in May 
1998 and I think the 180-day time frame which mandated that the 
plans be developed was probably unrealistic at the time. But it 
has now been over a year and we still do not--well, let me ask 
you. A, have plans been completed, and B, if not, why not, and 
C, when we might expect that the initial operating capability, 
which was supposed to be by November 2000, will, in fact, be 
achieved?
    Mr. Tritak. Yes, Senator. Let me say that the plan is in 
its final stages of interagency review and clearance. It is our 
strong hope that it will be issued later this month or early 
next month. So I think, recognizing that, as you have 
indicated, I think when the initial goal of 180 days was made, 
the complexity of the task at hand perhaps was not quite as 
well appreciated as it became in the course of developing it.
    But let me say a couple of words about that, because I 
think it is important to understand that we are talking about 
rather an unprecedented process of engaging some 24 agencies in 
addressing an issue that everyone recognizes is important. How 
one goes about it, especially given budgetary realities, is 
something that is open to serious consideration and debate, 
sometimes very spirited debate. I think that is a good thing 
because this is a big issue and you want the benefit of very 
careful thought given by a wide range of experts within the 
government on this matter.
    Now, when the plan does come out, it is probably best to 
think of it as an invitation to a dialogue rather than a final 
product to be embraced and accepted thumbs up/thumbs down. That 
is mainly because the main focus of the national plan is on the 
Federal Government's efforts. I think the rationale for taking 
this approach is if we are going to engage the private sector 
and ask them to support the efforts that are needed to protect 
our critical infrastructures, the government has to show a 
level of seriousness in getting its own house in order.
    So what you are going to see, for the most part, in the 
first version is the Federal Government's initial attempt at 
developing a plan that it will implement and pursue in the ends 
and goals of PDD 63. It is hoped that once this is issued, it 
will be very quickly followed by a broader dialogue with 
private sector interest groups, particularly in the privacy 
area, but also members of Congress and their staffs because we 
cannot consider something to be a national plan without 
engaging the Nation in this dialogue. It affects everyone 
importantly.
    So in answer to your question, it is coming out very soon 
and we are hoping that it will be, again, the later part of 
this month, the early part of next month.
    Senator Kyl. Thank you. This is not the time to be 
critical. I really was simply focusing on the questions that 
Senator Feinstein raised at the end of her statement, and I 
think we all want to work constructively toward the result. I 
can remember former Senator Sam Nunn and I testifying about 
this, and I have forgotten now when that was, but clearly, he 
has not been around for a while. This has been going on for a 
long time and we have had to prod some people within the 
administration for quite a while to get going here.
    Again, I am not being critical of you or the people who are 
working hard on this. As you point out, it is a hard job. But 
in view of the kind of threats that have been mentioned here, I 
do not think we can say too often that we have got to get on 
with this and put these plans in place.
    Just very quickly, because I do not want to take any more 
time here, you testified that this program would operate within 
legal requirements and government policy concerning privacy, 
civil liberties, and promoting confidence in users of the 
Federal/civilian computer systems, that neither the FBI nor 
other law enforcement entities would receive information about 
computer attacks and intrusions except under longstanding legal 
rules and where an agency determines there is sufficient 
indication of illegal conduct, that private entities will not 
be wired to the FIDNet, no private sector entity is a part of 
the civilian government program, and that it will be run by 
GSA, not the FBI. It will not monitor any private networks or 
e-mail traffic and confer no new authorities on any government 
agencies and will be fully consistent with privacy law and 
practice, right?
    Mr. Tritak. Right.
    Senator Kyl. I think that is an important point to get 
across to folks, that we are dealing with a very significant 
national security issue here, and as Senator Bennett pointed 
out, there will be times when it may be unclear to us but it 
moves into a law enforcement requirement, but that in no event 
will any policies or rules be changed, which obviously that is 
a concern of this committee, because we understand that the 
U.S. Constitution would prevent any inhibitions on privacy 
rights in any event. I just want to try to help put people's 
mind at ease that everyone is very cognizant of that, the 
people in charge of putting the plan together, some of the 
people in charge of oversight here, and we will continue to 
keep our eye on that.
    Senator Feinstein.
    Senator Feinstein. Thanks very much, Mr. Chairman.
    Mr. Vatis, in your testimony, you mentioned, and Senator 
Kyl, I think, referred to it, that the DOD has reported 80 to 
100 hacker attempts every day. Do you know how many of these 
attempts succeed?
    Mr. Vatis. I do not have exact numbers, Senator, on how 
many succeed. There is a whole range of effects of possible 
attacks. Sometimes they are just pings that attempt to probe a 
system. Sometimes they get in successfully but then do not do 
anything. And sometimes they get in and then they do things, 
such as remove information or----
    Senator Feinstein. Then let me ask you the next question, 
which you probably do know the answer to. What kind of damage, 
if any, is occurring?
    Mr. Vatis. In general?
    Senator Feinstein. Yes, or as specific as you feel you can.
    Mr. Vatis. It depends on the case. Generally, what we see 
is people looking around and sometimes taking information on 
the unclassified networks. There have not been many instances 
where damage has been done to the systems. The primary concern 
in most of these cases is with unauthorized, illegitimate 
access to information that, though unclassified, is sensitive 
military information.
    Senator Feinstein. You said there have not been many 
occasions when significant damage has been done, but has some 
damage been done?
    Mr. Vatis. I am sure there are instances where somebody has 
done damage. I do not have any specific recent examples to 
bring to you.
    Senator Feinstein. You mentioned Operation Moonlight Maze. 
In that operation, has there been any penetration of classified 
systems?
    Mr. Vatis. I should not get into that area in this setting.
    Senator Feinstein. I would be interested, perhaps in a 
classified setting, if you might be able to indicate that. I 
think those are key questions.
    Senator Kyl. Excuse me. I might mention, we had a briefing 
established yesterday by Dick Clark.
    Senator Feinstein. I could not attend.
    Senator Kyl. Well, none of us could and, therefore, it was 
cancelled, but we will do it. We will reschedule it when 
everyone can attend and we will do that.
    Senator Feinstein. If we could discuss this in that 
briefing, I think that would be----
    Senator Bennett. If I may, Senator, we have had a briefing 
on that in the Y2K Committee. I agree with the witness, these 
are classified matters, but I agree with you in pursuing them 
because they are very important.
    Senator Feinstein. I was recently told that there are 
certain computer software available for free on the Internet 
that allows a person to install what amounts to an undetectable 
trap door on another person's computer. As long as that 
computer remains hooked up to the Internet, the hacker can then 
read the target's e-mails, see every password, move the mouse, 
erase files from the computer, and even shut it down, all 
without detection or recourse. I understand that some of the 
software is commercially available and beneficial for internal 
company use, but it also seems to me that some people are 
clearly trying to teach people how to infiltrate outside 
computers and do some real harm. Are you aware of this kind of 
software?
    Mr. Vatis. Yes, we are. There are several instances of 
that. One recent piece of software that fit that description is 
something called Back Orifice 2000, which was released at the 
recent DeathCom hackers' conference in Las Vegas, which permits 
an external user to gain unauthorized access and do things to 
another person's system along the lines that you mentioned. 
This is something we are aware of. We have actually issued 
several advisories to both government agencies and the private 
sector about that particular tool. But these types of tools, 
hacking tools, pop up daily and there are new tools. I am sure 
you will hear from Rich Pathea about more specifics on those 
types of things. But the one you mentioned, if I think that is 
the one you are referring to, is one we are very well aware of 
and have issued warnings on.
    Senator Feinstein. Are there any commercial systems 
available that can pierce classified systems?
    Mr. Vatis. The protection of the classified systems is 
mainly a matter of controlling the access. It is not that they 
are impenetrable, per se. Beyond that, I really do not want to 
get into that area of the classified systems.
    Senator Feinstein. If this could be another area, Mr. 
Chairman, that we could discuss, because there is--and you and 
I have both been involved in the encryption area, and there is 
this strong feeling in the industry about protecting privacy, 
with which I think we both agree. Now, here we are with systems 
commercially being devised to pierce that and to sabotage that 
very same privacy and put these on the open market. I think 
that raises a very real question that what would be appropriate 
regulation by the government, if any, of systems that pierce 
the privacy and really can sabotage a system.
    Do you have any suggestions as to what can be done to 
ensure that teenage hackers or others do not simply leave such 
trap doors or computer programs on the computers they 
penetrate?
    Mr. Vatis. A lot of the security measures that we would 
recommend are really rather basic and it is a question of 
devoting sufficient resources and attention to those basic 
security measures. Careful perimeter security design of a 
network, augmented by careful personnel security policies, 
because oftentimes the beginning of a successful intrusion is 
social engineering and getting passwords or log-in information 
by calling up a user and pretending to be someone who forgot 
his password, for instance. The use of smart cards and tokens, 
one-time passwords, would also be a successful way to implement 
security, and updating virus detection software and also 
implementing the latest patches that are made available are all 
basic security practices that are too often neglected.
    Senator Feinstein. Are those protections in place in all, I 
will not use the word highly secure systems, but all key 
government systems today?
    Mr. Vatis. Basic security policies are in place across the 
government to effect that sort of security. Where the breakdown 
sometimes occurs is in the implementation. The Solar Sunrise 
case is another good example of that. The vulnerabilities that 
the teenagers took advantage of were ones that were known 
throughout the network community, the system administrator 
community, and, in fact, patches were available to fix those 
vulnerabilities. The problem was that the patches had not been 
implemented across the DOD systems. So the policies exist, but 
it is the implementation that is the difficult part.
    Senator Feinstein. What about the private systems, 
airlines, railroads, telephones, power systems?
    Mr. Vatis. The difficulty there, as Mr. Tritak referred to, 
is that these are privately owned systems over which the 
government has very little directive authority or regulatory 
authority. Much of the private sector is beginning to pay more 
attention to security and the need to have good security 
practices, to spend money on effective security, because they 
are beginning to see that poor security will have a deleterious 
impact on the bottom line. But it is still a problem in the 
rest of the private sector of getting the decision makers, the 
corporate decision makers, to focus enough attention and 
resources on that type of security.
    Senator Feinstein. Let me ask this question. Of these kinds 
of systems, and I am speaking about the big systems, what would 
you say the level today of vulnerability is, low vulnerability, 
medium vulnerability, or high vulnerability?
    Mr. Vatis. As a general matter, I would have to say it is 
high. I think there are significant vulnerabilities in these 
critical systems that not only can be taken advantage of but 
are being taken advantage of. We have not seen what some people 
have referred to as the electronic Pearl Harbor, where somebody 
has used those vulnerabilities to engage in a massive 
destructive attack. But just the examples that we have 
discussed this morning should be sufficient to indicate to 
people and to demonstrate that these significant 
vulnerabilities do exist. If teenagers can gain the type of 
access to the types of systems that we have seen just in the 
last couple of years, those instances in themselves should 
demonstrate the level of vulnerability.
    Senator Feinstein. We had one situation in San Francisco at 
a PG&E, it seemed to me, plant where everything got shut down. 
So what you are saying is, in the private sector, in terms of 
the civilian infrastructure, today, there is a very high 
vulnerability and that the private sector has not responded 
significantly to use available technology to quell that 
vulnerability?
    Mr. Vatis. It is a mixed bag, but I think, in general, when 
we are talking about those critical infrastructures, there are 
significant vulnerabilities that do exist and that is one of 
the reasons that we have been trying to engage in information 
sharing about the vulnerabilities, about the threats, to make 
people aware in the private sector of where the vulnerabilities 
lie, what types they are, and also what the threats are that 
might take advantage of those vulnerabilities.
    But again, we should not act as though the private sector 
does not have its act together but the government does, because 
I think, as Mr. Tritak said and as the next panel will get 
into, there are also significant vulnerabilities in the 
government. So I think the Nation as a whole, both the private 
sector and the public sector, needs to face up to this and deal 
with these vulnerabilities.
    Senator Feinstein. Thanks very much, Mr. Chairman.
    Senator Kyl. Thank you. I think particularly important is 
the fact you brought out that the efforts here are not invasive 
of privacy but rather are important in order to protect 
people's privacy. That is very important.
    Senator Bennett.
    Senator Bennett. Thank you, Mr. Chairman.
    In July, you both testified before the Y2K Committee and 
there were no clear answers as to what cyber reconstitution 
was. We talked about that at that time. Can you tell me now, in 
the case of either a Y2K failure or an IW event, where there is 
an actual attack to try to shut something down, how the United 
States would facilitate cyber reconstitution, in other words, 
bring a system back up? This is for either one.
    Mr. Vatis. I think my answer would still be the same as in 
July, which is that reconstitution of private systems, at least 
for the first part of the answer, the responsibility resides 
first and foremost with the private sector, but the assistance 
to the private sector is the responsibility of the lead agency 
under PDD 63, to provide the expertise and any assistance that 
we can offer. Then the consequence management for disruption, 
providing emergency generators, for instance, in the event of 
an attack on the electrical power system, would be the 
responsibility of FEMA.
    Senator Bennett. Yes. Well, the FEMA example is the obvious 
one. You have a disaster, whether it is a tornado in Salt Lake 
City or an earthquake in California or a hurricane off the 
coast of Florida, and here is a government agency that steps in 
after the fact to try to help rebuild the essential 
infrastructure. I just asked the question in order to keep the 
issue alive, recognizing that we do not have those kinds of 
answers, but we need to keep focusing on this, because if 
somebody does succeed in shutting us down, we ought to have 
some sort of electronic FEMA in place that can say, all right, 
we were not able to prevent it, but we can reconstitute the 
service relatively quickly.
    Senator Feinstein talked in terms of success. Just a quick 
editorial comment. My concern, and that is shared by a lot of 
the folks with whom I have spoken over this particular odyssey, 
has to do with people who get in undetected. Success is when 
you can stop it at some level. But is there a level where 
people have gotten in, gotten the information they want, and 
gotten out without our knowing it? Not to sound like a Tom 
Clancy novel, but the last one I read that described how a 
Russian submarine had tracked an American submarine without the 
Americans realizing it. I think there is some indication that 
there may be some of that, that not necessarily the teenage 
hackers but nation states have gotten into our computers, 
gotten the information they were looking for, and left, and 
most frighteningly, maybe left behind a trap door that would 
allow them to do that undetected wherever they are.
    I make that point simply to underscore once again, we are 
living in a new world. We are living where there is no 
sanctuary. We are not hiding behind our oceans. Our potential 
enemies are, indeed, in our bowels, if you will, and it becomes 
very important for us to just start thinking that way as we 
look for remediation.
    It is my experience that when you talk to people in 
industry about this issue, you get the same kind of response we 
initially got with respect to Y2K. That is, hey, it is not 
really a problem and our IT people will handle it and it will 
all go away. We will get it under control. It was not until we 
got the attention of the CEO as well as the CIO that we got 
significant progress in industry.
    When I talk to industry leaders, they all say, oh, we have 
firewalls. We have spent the money. We have firewalls. My sense 
is that these firewalls have never really been tested the way 
the firewalls of the Defense Department, for example, have been 
tested. The Defense Department is a whole lot harder than a lot 
of people realize. I have now spent enough time going around to 
Defense Department installations to discover that. But I am not 
sure how hard some of the private institutions are.
    Do either of you have a sense of how effective the 
firewalls are in private industry compared to the government?
    Mr. Vatis. I think it varies tremendously, whether they 
even have firewalls, first of all, and second of all, how good 
the firewalls are, and then third, whether the firewall and 
other security measures are actually implemented properly. But 
no firewall is impenetrable, and I think sometimes people have 
a false sense of security. As you indicated, merely from the 
fact that their IT guys assure them that they have a firewall, 
they think as a result that they are totally secure, and that 
is a false sense of security.
    Senator Bennett. I do not want to get across the line into 
classified information, but let me posit this as a 
hypothetical. Suppose a U.S. Government red team were formed 
and offered to make an attempt to get into certain industry 
areas, just as an exercise. How do you think industry officials 
would react to that?
    Mr. Vatis. I think some of them would actually welcome that 
kind of assistance in testing their systems and others might be 
averse to it because they would not want to know the answer.
    Senator Bennett. How about government agencies outside of 
the Defense Department? Say, for example, the Department of 
Energy, that has responsibility for our nuclear weapons, was 
told, OK, that is wonderful that you have all of these 
protections. Now we are going to try to penetrate you. Do you 
think the Secretary of Energy should cooperate with that 
effort?
    Mr. Vatis. Absolutely. I think red-teaming is an important 
part of any set of security measures because the only way to 
know whether your security measures are adequate is to test 
them. So I think that is a critical thing.
    Senator Bennett. Thank you, Mr. Chairman.
    Senator Kyl. Thank you. Senator Feinstein.
    Senator Feinstein. Let me just thank you for being up-front 
and forthright with this. I think it is really important and I 
appreciate the fact that you speak directly. It is my 
understanding that at least 22 of the largest Federal agencies 
have significant computer weaknesses, either because they do 
not know how to fix the problem or because they do not realize 
the problem exists. The GAO report gives some examples.
    In May 1999, NASA computer-based controls were successfully 
penetrated on several mission-critical systems. In August 1999, 
serious weaknesses in DOD's information security continued to 
provide both hackers and hundreds of thousands of authorized 
users the opportunity to modify, steal, inappropriately 
disclose, and destroy sensitive DOD data. I mean, that is a 
month ago. In July 1999, GAO reported the Department of 
Agriculture's national finance center had serious access 
control weaknesses. And in October 1999, which is now, we 
report that the Department of Veterans Affairs systems continue 
to be vulnerable to unauthorized access, and they point out one 
VA insurance center, 265 users who had not been authorized 
access had the ability to read, write, and delete information 
related to insurance awards.
    Have these been remedied? These 22 agencies, have their 
weaknesses been remedied?
    Mr. Vatis. I do not know the answer to that question.
    Senator Feinstein. Mr. Tritak.
    Mr. Tritak. I do not know the answer to that question, 
either.
    Senator Feinstein. Our next panelist does? Good. Perhaps 
they can answer it. I look forward to it. Maybe that is a good 
segue.
    Senator Kyl. Thank you very much.
    We would really appreciate your responses, because as we 
have mentioned here, this will be just one in a continuum of 
hearings. We obviously will want to get a report about the 
timing on the completion of the plans and on the operations 
capability and time frames. We will want to have you come back 
and report that to us.
    I am looking forward, Mr. Vatis, to perhaps even getting 
into just two or three specific kinds of cases, one attack on 
our defense or security infrastructure, one financial attack to 
steal money, and then perhaps another one, either an insider 
attack or a terrorist kind of attack. I think it would be very 
interesting to have you get into detail about--just take two or 
three or four case studies and walk through them and talk about 
the three or four different kinds of intrusion that can take 
place and how it does without getting into too much how-to, 
obviously.
    I believe that, as Senator Bennett said, this does sound a 
little bit like Tom Clancy, but it is a reality and people are 
fascinated by it. If they can come to be fascinated by it, they 
can come to be concerned about it and then we can help Mr. 
Tritak and others get their job done on a timely basis.
    I thank both of you for being here very much and would like 
to call the next witness now, Jack Brock. We will get started, 
and if we have to be interrupted, we will, but I would at least 
like to begin the testimony.
    Mr. Brock, as I said, is with GAO. He is the Director of 
the Government-Wide and Defense Information Systems, Accounting 
and Information Management Division, and will testify 
specifically to what GAO has found with respect to government 
vulnerabilities and hope to be able to answer the questions 
that Senator Feinstein got into.
    Senator Feinstein. I did not mean to jump his testimony.

STATEMENT OF JACK L. BROCK, JR., DIRECTOR, GOVERNMENT-WIDE AND 
    DEFENSE INFORMATION SYSTEMS, ACCOUNTING AND INFORMATION 
     MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE, 
          WASHINGTON, DC; ACCOMPANIED BY JEAN L. BOLTZ

    Mr. Brock. I hope so. With your permission, Mr. Chairman, I 
would like to have Ms. Boltz----
    Senator Kyl. We welcome Jean Boltz on the panel, as well.
    Mr. Brock. Thank you.
    Senator Kyl. Thank you. Go ahead.
    Mr. Brock. I appreciate very much, Ms. Feinstein, your 
summarizing the most interesting part of my statement, and you 
did it very effectively.
    I think the first two witnesses, as well as the opening 
statements, Mr. Chairman, of you and Ms. Feinstein and Senator 
Bennett, very effectively talked about that there is a real 
threat, that there are real opportunities with connectivity and 
that these opportunities are wonderful. They offer incredible 
advances in the way we do business, the way we communicate, and 
the future opportunities are even greater and we do not want to 
lose that advantage. Almost ironically, though, these same 
opportunities offer new ways of disrupting the national 
infrastructure, and that is what the purpose of your hearing is 
today.
    I want to focus primarily on the Federal portion of that. 
We have reported that 22 of the largest Federal agencies have 
significant weaknesses and our statement details several 
examples. We could have gone on page after page after page of 
examples, were it NASA, at VA, at, although we did not list it 
in here, the Financial Management Service, the Department of 
Agriculture, agencies that have billion dollar portfolios, 
agencies that protect the national defense, we have broken 
into.
    In breaking into these agencies and doing our penetration 
testing, we could have done severe damage to the systems, we 
could have done severe damage to the information that was 
contained in those systems, and we could have denied access by 
the agencies to that information. We obviously did not do so, 
but the risk is there. The vulnerabilities are there.
    To get to your point, and I will just answer your question 
now, have the agencies repaired these holes? Yes and no. At the 
individual problem level, they have taken immediate action. All 
of them have been very responsive. However, it is like having a 
bad roof on your house and you are continually having leaks and 
you put up a shingle here and a shingle there and pretty soon 
you have sort of shingled over the house but you are still 
having the leaks. These agencies need a whole new roof. It is 
not just a question of fixing the vulnerabilities we find.
    When we go back to agencies--at DOD, we were there 2 years 
ago. We just issued our second report last month. At VA, we 
were there a couple of years ago. We just issued our report. 
These agencies had taken good strides in fixing the 
vulnerabilities we identified before, but there were new 
vulnerabilities that cropped up.
    We believe that at many agencies, computer security is a 
bottoms-up type of affair, that the real problem needs to be 
owned, as Senator Bennett said, by the top management, and if 
top management does not own the problem, if they do not provide 
the resources, if they do not assign the accountability, then 
computer security is more likely a catch-as-catch-can affair.
    We have been looking at computer security for several years 
and we find the same problem every time--poor access controls, 
poor system controls, poor management controls, and we were 
just beginning to repeat ourselves. A couple years ago, we 
started work on what we called best practices or leading 
practices, where we went to a number of organizations that had 
good computer security programs, and almost uniformly, these 
organizations had one, a central point of control, someone that 
was clearly accountable for information security. That person 
was always accountable to the chief executive officer or the 
chief operating officer.
    There was a real assessment of the risk that that 
organization faced in terms of defining threats, 
vulnerabilities, and the value of the information that the 
organization had. These organizations then developed policies 
and procedures and processes that allowed them to be responsive 
to those risks.
    Next, they made people well aware of what their roles and 
responsibilities were and made sure that those were accountable 
for monitoring and maintaining control over the processes and 
applying them.
    And then lastly, there was independent assessment of the 
organization's performance, and this is a continuous cycle. It 
is not a one-time thing that stops. It goes on and on and on. 
We think that if agencies did this, that, in fact, they could 
eliminate many of the weaknesses that they have right now. Our 
report has been endorsed by the CIO Council. It has been 
endorsed by many individual agencies. I think the level of 
effort, though, goes to endorsement and we have not seen a lot 
of real positive action on implementing the broad management 
reforms that need to take place.
    I would like to talk a little bit, though, about PDD 63 and 
the current environment that is going on. We see this as a real 
opportunity, that there is now a discussion at a national level 
about issues that could have a significant impact, a positive 
impact, on the ability not only of Federal agencies, but also 
the ability of the entire infrastructure to provide better 
assurance that vulnerabilities will be closed up.
    We have identified seven topics, though, that we think need 
to be addressed in the discussion in order for things to move 
forward. First of all is clearly defined roles and 
responsibilities. Under the current law, there are a lot of 
agencies that have some set of responsibilities and duties. It 
is not always clear what these are and it is not always clear 
that they are being implemented. PDD 63 has also introduced a 
number of new organizations and many of these organizations and 
processes are immature and have not found their way yet. So it 
is unclear how they are going to relate and interrelate and it 
is unclear about what sort of impact they can have on agencies 
and on the private infrastructure. So it is important that as 
the debate unfolds, that roles and responsibilities be clearly 
defined, that authorities and accountability be clearly 
defined.
    Second, we see a need for specific risk-based standards. 
Right now, most of the guidance is very general. For example, 
NIST issues guidance saying that users should be authenticated. 
Well, that can mean anything from a four-digit password to your 
thumbprint. We believe that agencies need more specific 
guidance on how to identify risk, how to categorize these 
risks, and then have standards that are tailored to addressing 
these risks.
    We think there should be routine evaluations of agency 
performance that we need to measure. If you cannot measure what 
you are doing, if you cannot report on the success, the 
failures, the opportunities missed, the opportunities gained, 
then it is really impossible to see what the lessons learned 
and what you need to do. The CFO Act is a good example of this, 
where there are now independent audits of agencies' financial 
statements, and as a result of that, agencies have made 
incredible strides in improving their financial management 
operations over the past 5 years. We think similar 
opportunities exist with computer security.
    Next, executive branch and Congressional oversight. Senator 
Bennett has been instrumental in the Senate in terms of 
providing very rigorous oversight over Y2K issues. Just as 
importantly, though, most of the individual committees that 
have oversight over individual agencies have also had hearings, 
and not just one hearing but multiple hearings. The same thing 
is true on the House side. The same thing is true in the 
executive branch, where the oversight over Y2K has been notably 
more rigorous than it has been on computer security issues.
    As a result of this, many of the hurdles have been overcome 
by the constant pressure of the spotlight being shone on the 
issue, identification of things that need to be done, and 
solutions reached. So a continuation of that type of executive 
branch and Congressional oversight and leadership is important 
in this area, as well.
    The next area is adequate technical expertise. If you do 
not have the right kind of people, you are not going to come up 
with the right kind of solutions, and this is a problem. We 
have an executive council of independent CIO's in the private 
sector. They are telling us that a system administrator that is 
well qualified can make about $150,000 in the private sector. 
That is not true in the public sector. There is inadequate 
training. There are just not enough people sometimes to go 
around. If this problem is not addressed, then regardless of 
the policies and procedures and the good work that goes into 
it, if you do not have the technical resources to carry it out, 
you still will not be able to reach success.
    The next area is adequate funding. The most positive 
response we got to our publication last week on critical 
infrastructure protection, comprehensive strategy control, and 
year 2000 experiences, we pointed out in that report that there 
was funding for Y2K fixes, that the funding was made available 
not only with the agencies directly in their budgets but also 
in the emergency supplemental fund, that there was a relatively 
good assurance that the funds would be available. That is not 
always true on computer security.
    On the other hand, because of the relatively low level of 
some agencies in terms of their abilities to effectively deal 
with the problem, you do not also want to paper it over with 
money. You need to make sure that if agencies have more funds, 
that they are also prepared to spend them wisely.
    Incident response and coordination, and again, talking 
about the Federal Government, there is no real requirement to 
report incidents. As a real matter, within some agencies, we 
find that even within the agency, they do not report incidents, 
if they are aware of it. Certainly, agencies are not uniformly 
reporting them to FedCIRC, housed at GSA, and as a result, 
opportunities are missed to learn from what agencies are 
experiencing, opportunities within the agency and opportunities 
among the agencies.
    We think that if these seven issues come up for serious 
discussion and resolution during the discussion of the national 
plan and then placed on top of a renewed infrastructure within 
the agencies, that solutions are available to improve computer 
security within the government. There is no panacea. There is 
no magic bullet. There is no assurance that problems will be 
completely eliminated, but we think there is lots of 
opportunity for improvement.
    Mr. Chairman, that concludes my statement, and Ms. Boltz 
and I would be happy to answer any questions you might have.
    Senator Kyl. Thank you. There are other important hearings 
going on today, but I think what you have said here, while I 
know it has been in the public domain before, maybe has not 
been focused on, and I think it is important that I repeat just 
a little bit of it and have you comment on it.
    You are basically saying that through your audits, the GAO 
audits, you found that our government--I am quoting now--``is 
not adequately protecting critical Federal operations and 
assets from computer-based attacks.'' You go on to say that the 
audits show that 22 of the largest Federal agencies have 
significant computer security weaknesses, right?
    Mr. Brock. That is correct.
    Senator Kyl. You further say that reports issued over the 
last 5 years describe persistent computer security weaknesses 
that place Federal operations such as national defense, law 
enforcement, air traffic control, and benefit payments at risk 
of disruption, as well as fraud and inappropriate 
disbursements, I think is the word, or disclosures.
    Mr. Brock. Yes, sir.
    Senator Kyl. Specific incidents, you mention just this year 
you successfully penetrated several mission-critical systems of 
NASA. Just in August of this year, you reported weaknesses in 
DOD's system that provide people the opportunity to modify, 
steal, inappropriately disclose, or destroy sensitive DOD data. 
You talked about the fact that DOD functions, including weapons 
and supercomputer research, as well as others, have already 
been adversely affected by system attacks or fraud.
    Mr. Brock. That is correct.
    Senator Kyl. See, those are very important, disclosures 
that are important for the public to appreciate, and I do not 
believe that the message has gotten out yet. I am told that you 
have to repeat something 6 times before it takes hold. Maybe 
that is true in the Senate; I am not sure about the public 
generally. But I think it is important that the results of this 
GAO work be conveyed to the public in order to help generate 
the support for the financial systems that is needed as well as 
the other reforms that you pointed out can be accomplished.
    Let me ask you whether you can say whether in these attacks 
by GAO you were able to gain access to classified information.
    Mr. Brock. We were focusing our penetration test on 
sensitive but unclassified systems.
    Senator Kyl. OK.
    Mr. Brock. The last thing I ever want to see is a headline 
in the morning saying, ``GAO Brings Down Critical Systems.''
    Senator Kyl. Yes. Why has it taken so long for PDD 63 to 
get off the ground? You mentioned that there has been no real 
action on the broad reforms that are necessary, and we heard 
testimony earlier that you heard about the delays of well over 
a year in getting this plan off the ground. Why is it taking so 
long?
    Mr. Brock. I think there are a couple of reasons. First of 
all, let me say that I think the concept behind PDD-63 is long 
overdue. However, you are starting from an environment where 
there was not a lot of consensus over what needed to be done 
and how it should be done, and I think that part of the delay 
has been in building that consensus. I think part of the delay, 
as well, is one of the requirements of PDD 63 is for each of 
the agencies to develop a plan. It has taken a long time to 
develop those plans and it is taking a long time to get them in 
the kind of shape, because they are also starting from ground 
zero.
    So part of it is trying to bring some people together that 
may have some different agendas. I think that is important to 
do that. Part of it, I am sure, is logistics, and part of it 
has been, I believe, the inability of some agencies to respond 
with the kind of material that was required by PDD 63.
    Senator Kyl. Let me add just two more things. First of all, 
this subcommittee will continue to explore, in particular, any 
legislative action that might be necessary. We can generate 
that as an ongoing committee of the Senate. The Y2K Committee, 
of course, does not do that, but they point out problems and 
then we can take it from there. So we will continue to focus on 
that, and if there are any legislative suggestions that you 
want to bring to our attention that become apparent, or the 
need for which becomes apparent as a result of your auditing, I 
hope you will just consider this an open request to do that.
    But second, I am going to quote one statement you conclude 
your statement with, that weaknesses continue to surface 
because agencies have not implemented a management framework 
for overseeing information security on an agency-wide and 
ongoing basis. Because of that, I am going to recommend to the 
chairman of the Government Operations Committee, which would 
have a different kind of oversight jurisdiction, to review your 
audits very carefully, prioritize them in some way to identify 
those that seem most behind, and to begin bringing them in, 
agency by agency, to ask very specific and very hard questions 
using the information from your audits to bring to light some 
of the deficiencies. Obviously, the goal here is not to point 
fingers, but as you pointed out, to get on with the fixes that 
have to be put into place.
    Do you have any other comment about what we could do to 
help advance this all, in addition, of course, to helping to 
provide the resources that you identified earlier?
    Mr. Brock. I think the constant spotlight, the questions, 
the suggestion you had for the committee to bring the 
individual agencies up, I mean, that imposes a level of 
accountability that forces action. It forces the top management 
within those agencies to say, here is an issue that Congress is 
interested in. I need to elevate my own interest. As I said, 
that was very successful in Y2K and I think it can be 
successful in computer security, as well.
    Senator Kyl. Whether we do that in this subcommittee or if 
another full committee takes that oversight, we will expect to 
maybe check back with you in a few months, maybe sometime mid-
year next year and have you give an honest, straightforward, 
unvarnished evaluation of how our government agencies are 
doing.
    Mr. Brock. We will do so, sir.
    Senator Kyl. Thank you. Senator Feinstein.
    Senator Feinstein. Thanks, Mr. Chairman. You know, Mr. 
Brock, first of all, again, your report is very straightforward 
and I appreciate that very much. But we have all heard the same 
adage, you cannot squeeze blood out of a turnip. In many 
respects, the Federal Government is a turnip in this respect. 
You pointed out the differential in salaries. The private 
sector goes out, they get the most experienced personnel, their 
cutting-edge software, all the rest. I question whether we 
really have the expertise to do what is necessary.
    I read your conclusions and your suggestions in your 
report, but the one thing where this is really lacking is how 
do you get that kind of cutting-edge technical knowledge that 
departments can go to and say, here, I know we have a problem. 
Do something about it. It seems to me we lack that. Now, 
whether it can be contracted out for in the private sector, 
whether the government has to put together some specific area 
and really bring together the brightest and the best across the 
nation to do this, I do not know.
    But it seems to me that you can go to someone and say, 
look, you have got a big problem, and they can look at it and 
they may not even know how to remedy it or even have the people 
that can make the suggestions that were adequate. You spoke 
about a new roof. I do not think you are going to get a new 
roof unless we can reach out in an unprecedented way.
    Mr. Brock. I agree with you, Senator. There are sort of two 
aspects of that. One of the things that I believe that the 
national plan is contemplating on proposing are initiatives in 
terms of increasing skills and abilities, sponsoring more 
research and development in the area, training people, 
providing opportunities. People have been looking at salary 
differentials and ways of addressing that.
    So looking at ways of bringing on skills, either by 
improving the skills on board or attracting new people, that is 
one issue. Contracting out, under proper controls, is an issue. 
Many of the weaknesses that we identified, though, are almost 
no cost.
    When we go into agencies, for example--and these are real 
examples--and we find the schematic for their network topology 
on the website and we find on another website an open 
discussion of the weaknesses they have over some of their 
controls, it is like a bank saying, here is our building plan 
and here is our guard schedule and here are the guards that 
have bullets and here are the guards that do not. I mean, there 
are some basics like that that just require basic attention.
    The other big area that is really, again, very basic is 
that many of our penetration tests are done through password 
guessing. We have these programs that just generate password 
after password after password and people are very lax in 
changing their passwords. They use overly simplistic passwords. 
This is one of the reasons we were calling for different 
standards for risk. For some types of information, a simple 
four- or five- or six-digit password probably is not enough. 
You need another level of protection.
    So there are a lot of basic things, and some agencies have 
made remarkable progress in terms of addressing this within 
more of a comprehensive management perspective, where they are 
improving their information management across the board.
    For example, when we have looked at controls at the Federal 
Reserve, they are very well done. They also have a very good 
Y2K program. They also have a very good information management 
program.
    We have had some negative reports about IRS and its 
computer security. Recent reports have indicated they have been 
making real progress, and also, and I do not think it is 
coincidental, we have also noted that they made real progress 
in the way they manage their big systems development efforts, 
as well.
    So management attention is the most critical factor, but I 
would agree with you that providing the availability of 
resources is a thorny issue and it may be one of these areas, 
Mr. Chairman, where some sort of legislative alternatives may 
need to be looked at.
    Senator Feinstein. In your report, you mention that the 
examples that I mentioned and Senator Kyl went over more 
thoroughly are just examples of weaknesses. I would like to ask 
for the full list of weaknesses that you found.
    Then second, I would like to ask you to go back in one 
month and repeat this and see if those weaknesses have been 
remedied. I will bet you they have not. I will bet you 25 cents 
they have not. That will be my request, and I will put that in 
writing to you, as well. But I would like to see the full list 
rather than just the examples, if I might, of the 22 
departments.
    Mr. Brock. OK. We can provide you with an overview of each 
of the 22 and details to support them, as well.
    Senator Feinstein. Thank you very much. Thanks, Mr. 
Chairman.
    Senator Kyl. Senator Feinstein, by the way, I will see your 
bet and raise you, but we will not convey it on the Internet. 
How is that?
    Senator Feinstein. All right.
    Senator Kyl. We probably should consider writing a letter 
to the President and perhaps the Director of the OMB to 
encourage them as they begin thinking about the new budget that 
they will be preparing for submission to the Congress next 
year, that they be very alert to the requests of the different 
agencies for the financial resources to accomplish all of these 
objectives so that it is not a matter of after the fact, that 
they are all focusing on their needs early on, they put those 
needs down, and the President is fully cognizant of them when 
he submits his budget to us.
    Senator Feinstein. May I make one suggestion?
    Senator Kyl. Absolutely.
    Senator Feinstein. The prior speakers brought out that 
there was no requirement to report incidents. There should be a 
requirement to report incidents.
    Senator Kyl. Mr. Brock, you alluded to that, as well. Do 
these agencies just not have an interagency protocol?
    Mr. Brock. It is really unclear to me whether it is a 
matter of choice that they do not report or just a simple 
matter of omission. But most of them, or many of them, do not 
report incidents. Jean, do you have anything to add to that?
    Ms. Boltz. Yes. In many cases, there is really not a 
commonly accepted definition of what an incident is. It can be 
just a probe, it can be an attack, an actual intrusion, which 
may or may not cause damage. So there are really no rules about 
what to report to whom and to when.
    Senator Kyl. I agree with Senator Feinstein. This is the 
kind of thing where there has got to be a consistent policy, 
and if it cannot be done through the plan--I think the first 
thing would be to see if we can get them to put that in the 
plan for sure. If not, then legislation would be perhaps 
appropriate.
    But as Senator Bennett has pointed out before, come January 
1, who is to know what it is? The computer goes down. Well, was 
it because of Y2K? Was it because somebody was taking advantage 
of Y2K? Was it because there is just an effort to disrupt, or 
maybe was that the result of something more intrusive? So you 
cannot know for sure, and that is why, what I think Senator 
Feinstein's point is, all of these incidents need to be 
reported and then we can sort out later what the problem is.
    Senator Feinstein. Could we write a letter formally from us 
to Mr. Tritak and ask that this be included in the plan?
    Senator Kyl. I think that is a good suggestion.
    Senator Feinstein. And we could put some specifics into 
that request.
    Senator Kyl. And we might even call upon Mr. Brock and Ms. 
Boltz to help us formulate that.
    Senator Feinstein. Yes.
    Senator Kyl. I really appreciate your being here today.
    [The prepared statement of Mr. Brock follows:]

    [GRAPHIC] [TIFF OMITTED] T8563.001
    
    [GRAPHIC] [TIFF OMITTED] T8563.002
    
    [GRAPHIC] [TIFF OMITTED] T8563.003
    
    [GRAPHIC] [TIFF OMITTED] T8563.004
    
    [GRAPHIC] [TIFF OMITTED] T8563.005
    
    [GRAPHIC] [TIFF OMITTED] T8563.006
    
    [GRAPHIC] [TIFF OMITTED] T8563.007
    
    [GRAPHIC] [TIFF OMITTED] T8563.008
    
    [GRAPHIC] [TIFF OMITTED] T8563.009
    
    [GRAPHIC] [TIFF OMITTED] T8563.010
    
    [GRAPHIC] [TIFF OMITTED] T8563.011
    
    [GRAPHIC] [TIFF OMITTED] T8563.012
    
    Senator Kyl. I also want to note that Mr. Richard 
Schaeffer, Director of Infrastructure and Information 
Assurance, Office of the Assistant Secretary of Defense, has 
submitted a written statement which will be included in the 
record. His statement comments on DOD's role and responsibility 
relative to the PDD 63 and the national plan.
    [The prepared statement of Mr. Schaeffer follows:]

      PREPARED STATEMENT OF RICHARD C. SCHAEFFER, JR., DIRECTOR, 
   INFRASTRUCTURE AND INFORMATION ASSURANCE OFFICE OF THE ASSISTANT 
                          SECRETARY OF DEFENSE

                              INTRODUCTION

    Information Superiority is essential to our capability to meet the 
challenges of the 21st Century. It is a key enabler of Joint Vision 
2010 and its four fundamental operational concepts of dominant 
maneuver, precision engagement, full dimensional protection and focused 
logistics. This is because each of these concepts demands that we 
obtain, process, distribute and protect critical information in a 
timely manner, while preventing our adversaries from doing the same. 
Without Information Superiority we will, very simply, not be able to 
achieve the goals established by the Department in Joint Vision 2010.
    Information technology has provided us with a means to gain a 
military advantage over our adversaries while actually reducing our 
force structure. These technologies have made precision strike and 
focused logistics possible. They allow us to attack targets surgically 
with fewer munitions (albeit more expensive ones), and manage our 
logistics requirements more efficiently so we can move forces much 
farther and faster--and sustain them--than we have ever been able to do 
before. Similarly, information systems are essential to the situational 
awareness needed to achieve dominant maneuver and full dimensional 
protection.
    But our dependence on these systems, and their presence in every 
aspect of our operations, has made us very vulnerable should they be 
disrupted. The same technologies we can use to such advantage are 
becoming available to our adversaries. And because they are relatively 
inexpensive and accessible, the range of adversaries that potentially 
can cause great disruption has broadened considerably.
    We no longer have the luxury of focusing our defense, as we once 
did, mainly on our peer competitors. We now have to establish defenses 
that will defeat attacks by major adversaries as well as by the 
terrorist, hacker, and disenchanted insider--and the latter is a 
significant challenge. In the past much of our defensive efforts 
focused on protecting our offensive capabilities. Now we also have to 
protect an extensive DOD information infrastructure--virtually all of 
which depend on commercial communications networks--as well as the 
other critical Defense infrastructures it supports. We simply cannot 
conduct and sustain offensive operations without these critical 
infrastructures.
    I am not especially concerned about our ability to develop and 
employ the information technologies needed to achieve the strike, 
maneuver, and other offensive goals of Joint Vision 2010, I am very 
concerned about our ability to defend the information systems that make 
actual offensive operations possible. Not too long ago we focused 
primarily on the ``confidentiality'' aspects of our information systems 
(can we keep something secret). Today, we must address a much broader 
concept that we call `Information Assurance.' This includes not only 
confidentiality of information, but also the integrity of the data 
bases from which it's drawn, the availability of the infrastructure to 
deliver the message, our ability to identify and authenticate those who 
are using our networks, and non-repudiation features to keep people 
from reneging on electronic contracts. These five factors: 
confidentiality, integrity, availability, identification and 
authentication, and non-repudiation constitute information assurance or 
IA.
    Over the past two years, we have initiated a number of efforts to 
improve the overall information assurance posture of the Department. We 
established a Defense-wide Information Assurance Program (DIAP) to 
bring a comprehensive IA approach to this almost overwhelming challenge 
of building and sustaining a secure information infrastructure. Since 
1997 we have conducted a number of exercises, and experienced real 
world events, that have emphasized to all of us in DOD that our 
information systems are interconnected, and hence interdependent. This 
means that we conduct our daily operations in a shared-risk 
environment, underscoring the need for all organizations connecting to 
a network to thoroughly understand the risks that exist prior to 
operating in that environment. Each organization must know in advance 
whether they can accept, manage, or adequately mitigate risks that have 
been accepted by others before connecting to a network.
    ELIGIBLE RECEIVER, in June 1997, was the first large-scale exercise 
designed to test our ability to respond to an attack on our information 
infrastructure. Designed to test DOD planning and crisis-action 
capabilities, it also evaluated our ability to work with other branches 
of government to respond to an attack on our National Infrastructures.
    ELIGIBLE RECEIVER revealed significant vulnerabilities in our 
information systems and the interdependence of the defense and national 
information infrastructures. It showed that we had little capability to 
detect or assess cyber attacks and that our ``indications and warning'' 
process for cyber events was totally inadequate.
    A few months later, in early 1998, we experienced a series of 
attacks that targeted DOD network Domain Name Servers, exploiting a 
well-known vulnerability in the Solaris Operating System. Known as 
SOLAR SUNRISE, these attacks were widespread, systematic and showed a 
pattern that indicated they might be the preparation for a coordinated 
attack on the Defense Information Infrastructure. The attacks targeted 
key parts of Defense Networks at a time we were preparing for possible 
military operations in Southwest Asia.
    SOLAR SUNRISE validated the findings from ELIGIBLE RECEIVER and 
helped focus the legal issues surrounding cyber attacks. Because of the 
world situation, it was a high interest incident that significantly 
increased pressure for a quick response. It also validated the need to 
establish a standing response team. The ELIGIBLE RECEIVER/SOLAR SUNRISE 
experience resulted in a number of defensive actions being taken. 
Specifically, we have:

   Increased our situational awareness by establishing a 24-
        hour watch.
   Established positive control over the identification and 
        repair of information systems at risk--SOLAR SUNRISE could have 
        been prevented had available patches been in place in certain 
        computer operating systems!
   Installed intrusion detection systems on key system nodes.
   Expanded computer emergency response teams to perform 
        alerts, critical triage and repair.
   Developed contingency plans to mitigate the degradation or 
        loss of networks.
   Improved our ability to analyze data rapidly and assess 
        attacks.
   Established a close working relationship with the National 
        Infrastructure Protection Center (NIPC), teaming with law 
        enforcement agencies and developed procedures to share 
        information with the private sector.
   Increased ``red team'' exercises to test our systems and 
        improve our operational readiness.

    Dependence on interconnected information systems and networks will 
only increase as we move into the 21st Century and towards Joint Vision 
2010. We cannot eliminate this ``networked dependence,'' so we have to 
meet the challenges of Computer Network Defense, even as we change our 
systems to make them less susceptible to attack. Defending a computer 
network is a significant challenge and the challenge is increasing 
daily. Actually, it is a set of very significant technical challenges 
and associated legal and social issues. There are significant technical 
problems with characterizing and attributing attacks in complex 
networks that have no real borders. And as we develop technical 
solutions, we inevitably find ourselves immersed in a host of policy 
and legal issues--law enforcement versus national security interests, 
domestic versus foreign intelligence--while trying to work significant 
operational problems requiring the most urgent attention.
    To address the operational response problem in a coherent and 
integrated manner, the DOD activated a Joint Task Force for Computer 
Network Defense (JTF-CND). Established in December 1998, it is directly 
responsible to the Secretary of Defense. The Joint Task Force is, in 
conjunction with the CINC's, Services and Agencies, responsible for 
coordinating and directing the defense of DOD computer systems and 
computer networks. Its mission includes the coordination of DOD 
defensive actions with non-DOD government agencies and appropriate 
private organizations. This is a major first step in restructuring the 
Command and Control regime in the Department to address the crucial 
importance of computer network defense in both our war fighting and 
business operations. The task force is based in Washington to provide 
interagency access and leverage established relationships with the 
Federal Bureau of Investigation (FBI), Central Intelligence Agency 
(CIA), Defense Intelligence Agency (DIA), and the National Security 
Agency (NSA). It provides a single, accessible DOD point of contact 
with the NIPC. And it is co-located with the Defense Information 
Systems Agency (DISA) so that it can leverage their technical and 
operational capabilities: their network management center, an 
established 24 hour operations center, and regional operations centers 
with CINC liaison. This co-location also facilitates coordination with 
the National Communications System. As of October 1, 1999, the United 
States Space Command was assigned responsibility for computer network 
defense (CND), with JTF-CND reporting directly to this unified command.
    It is important to understand that we will always have to deal with 
a network of interconnected and interdependent information 
infrastructures that serve an ever-expanding set of interrelated 
communities. We cannot avoid this global interaction. And we, DOD and 
the U.S. Government, will have relatively little effect on its 
evolution. We must take advantage of it, understand its perils, and 
design an appropriate level of security into our systems and 
procedures. We have to learn to adapt our security practices to the 
evolving global environment.
    At the same time we must be ever vigilant to a world that is an 
increasingly dangerous place. As we've improved our ability to monitor 
network activities, the number of probes, intrusions, and cyber events 
we can observe continues to increase. We are now detecting 80 to 100 
events daily. Of these approximately 10 each day require detailed 
investigation. Such investigations are carried out by many of the same 
people we rely on to keep our networks operational, so there are limits 
on the resources we have to work with.
    We also must recognize that the interconnected nature of the 
information infrastructure, and the increasing availability and 
sophistication of hacker tools, places at risk immediately any 
information that is not properly secured. We are increasingly concerned 
about those who have legitimate access to our networks--the trusted 
insider. This is consistent with industry experience, which reports 
significant losses from disgruntled or dishonest employees.
    We have taken significant steps to increase our internal security 
and security awareness, but again, vigilance is the watchword. Internet 
exploitation operations can be executed remotely, from any country. 
They can be completely anonymous, done in real time and automatically. 
There are extraordinary resources available to the data ``miner.'' Our 
own ``red team'' assessment last year of DOD information available on 
the Internet revealed some very sensitive material. We recently 
completed a major examination of all the information the Department has 
on its web pages and have instituted stringent procedures to insure 
that classified or sensitive material, alone or in aggregate, is not 
inadvertently accessible.
    The Secretary has also instituted a policy to insure that every 
individual in the DOD with access to Top Secret or a specially 
controlled access category or compartment make an oral attestation that 
they will conform to the conditions and responsibilities imposed by 
that access. We are using this as a means to reinforce to DOD personnel 
the significance of the responsibilities associated with access to this 
information.
    We also recognize that our dependence on the information 
infrastructure extends to our other critical infrastructures as well. 
We have reorganized within OSD to bring information assurance and 
critical infrastructure protection together under a single Director. We 
have developed, and are now implementing, our Critical Infrastructure 
Protection plan. The Defense Department is serious about protecting its 
critical infrastructures. We have provided a comprehensive chapter to 
the national plan outlining how DOD will meet our defense mission (e.g. 
facilities, equipment), determining the critical assets, identifying 
their associated vulnerabilities, recognizing interdependencies and 
taking measures to protect them.
    I would like to outline the two major concepts on how Critical 
Infrastructure Protection (CIP) will be addressed within and outside 
DOD.
    To examine critical infrastructure (CI) issues within DOD, we will 
have representatives (some full time, some part time) from each of the 
defense infrastructure sectors--financial; transportation; public 
works; Defense Information Infrastructure/Command, Control, & 
Communications (DII/C3); Intelligence, Sensors, & Reconnaissance (ISR); 
health affairs; personnel; emergency preparedness; space; and 
logistics--that will work together to discuss common infrastructure 
concerns. They will identify critical nodes and networks, nationally 
and internationally, that the DOD depends upon to execute successful 
military operations. They will assess the vulnerability of such nodes 
and networks to physical and/or cyber attack and make recommendations 
to enhance their security. The infrastructure providers--the private 
sector--are indispensable in our execution of military operations. This 
brings me to my second point--how we reach outside DOD.
    PDD 63 calls for a partnership with the private sector. Along with 
others in government, we are exploring with industry the best concepts 
on how we share or ``partner'' information with the private sector. 
Private sector involvement is crucial throughout the continuum of the 
Defense infrastructure, but we are working with industry to determine 
government and private sector companies will exchange information (e.g. 
classified, business confidential) and the means to which it should be 
shared, documented and updated routinely. At the DOD installation 
level, we are exploring information-sharing concepts on two fronts. 
First, we need to ensure that the government and private sector 
representatives (e.g. the installation commander and staff with the 
local railroad owner)--our first line defenders--jointly respond to the 
needs identified in the planning assessments. Second, these government 
and private sector representatives will need to work with state, local, 
and county governments as to determining what their installations need 
in order to support their missions. Our goal is the establishment of an 
information-sharing model that allows for a continuous and credible 
information flow from the installation level to senior levels in 
government to include the National Information Protection Center 
(NIPC).
    So where do we go from here? What is the way ahead? There is no 
simple or single solution. Our strategy is based on a multidimensional 
approach. We must have trained and disciplined personnel. We must 
improve our operations. And we must be innovative technologically. We 
have to recognize that information technology is vitally important to 
all the DOD critical infrastructures. And we must implement this 
strategy through a comprehensive, coherent, and integrated Defense-wide 
infrastructure and information assurance program.
    Some steps we are taking include:

   Employing a defense in depth security model and changing our 
        basic approach to network architecture. A major effort is 
        underway to fundamentally restructure the Defense Information 
        Infrastructure into a Global Networked Information Enterprise 
        (GNIE)--a new concept of how the Department will meet its 
        information needs.
   Moving toward a robust, DOD Public Key Infrastructure (PKI) 
        that can bring public key cryptography to bear to help provide 
        the required range of assurance and data integrity services as 
        well as permitting segregation of the networks into communities 
        of interest. This will allow us to limit the extent of the 
        damage an intruder can inflict.
   Increasing our deployment of more sophisticated intrusion 
        detection and monitoring technology.
   Continuing to build strategic partnerships with industry to 
        foster an open security framework and development of security 
        enabled products.
   Investing our R&D dollars in developing highly assured 
        products and systems and for real-time monitoring, data 
        collection, analysis and visualization.

    In addition, the JTF-CND is working toward full operational 
capability (FOC) and we are expanding our CINC, Service and Agency 
Computer Emergency Response Teams. We are instituting a real-time 
network monitoring and reporting structure. We have established 
positive control through our Information Assurance Vulnerability Alert 
or IAVA process. We are establishing a continuous vulnerability 
analysis and assessment program, and are increasing our red team 
assessment capability. We have made significant improvements in our 
ability to perform long-term trend analysis, thereby identifying 
certain types of sophisticated attacks.
    We are increasing our efforts to promote information assurance 
training and awareness. We are looking closely at certification and 
retention issues for personnel performing key functions--the system 
administrators and system maintainers. And we are examining an expanded 
use of military reserves.
    Substantial progress has been made, but we must always think of it 
as a journey, not a destination. As new technology is created, new 
attacks will be developed, and new countermeasures must be adopted. 
There is a lot more that has to be done in virtually every area that 
I've mentioned today. But only by recognizing this challenge, and 
facing it head on, can we realize the military potential afforded by 
achieving Information Superiority.

    Senator Kyl. I invite anyone else who would like to submit 
a statement for this record to do so. One of the best things, I 
think, we can do is to make the record here and then get that 
out to the public.
    I appreciate the work that you are doing with GAO. Keep it 
up. We will be calling upon you again.
    If there is not anything further, then this hearing will be 
adjourned.
    [Whereupon, at 11:40 a.m., the subcommittee was adjourned.]