[Senate Hearing 107-258]
[From the U.S. Government Publishing Office]
S. Hrg. 107-258
CRITICAL INFRASTRUCTURE PROTECTION: WHO'S IN CHARGE?
=======================================================================
HEARING
before the
COMMITTEE ON
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
OCTOBER 4, 2001
__________
Printed for the use of the Committee on Governmental Affairs
U.S. GOVERNMENT PRINTING OFFICE
77-434 WASHINGTON : 2002
________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENTAL AFFAIRS
JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan FRED THOMPSON, Tennessee
DANIEL K. AKAKA, Hawaii TED STEVENS, Alaska
RICHARD J. DURBIN, Illinois SUSAN M. COLLINS, Maine
ROBERT G. TORRICELLI, New Jersey GEORGE V. VOINOVICH, Ohio
MAX CLELAND, Georgia PETE V. DOMENICI, New Mexico
THOMAS R. CARPER, Delaware THAD COCHRAN, Mississippi
JEAN CARNAHAN, Missouri ROBERT F. BENNETT, Utah
MARK DAYTON, Minnesota JIM BUNNING, Kentucky
Joyce A. Rechtschaffen, Staff Director and Counsel
Kiersten Todt Coon, Professional Staff Member
Hannah S. Sistare, Minority Staff Director and Counsel
Ellen B. Brown, Minority Senior Counsel
Robert J. Shea, Minority Counsel
Morgan P. Muchnick, Minority Professional Staff Member
Darla D. Cassell, Chief Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Cleland.............................................. 1
Senator Thompson............................................. 2
Senator Carnahan............................................. 4
Senator Collins.............................................. 5
Senator Bennett.............................................. 6
Senator Voinovich............................................ 7
Senator Domenici............................................. 21
Prepared statement:
Senator Bunning.............................................. 41
WITNESSES
Thursday, October 4, 2001
John S. Tritak, Director, Critical Infrastructure Assurance
Office, Bureau of Export Administration, U.S. Department of
Commerce....................................................... 9
Ronald L. Dick, Director, National Infrastructure Protection
Center, Federal Bureau of Investigation........................ 11
Sallie McDonald, Assistant Commissioner, Office of Information
Assurance and Critical Infrastructure Protection, U.S. General
Services Administration........................................ 13
Jamie S. Gorelick, Vice Chair, Fannie Mae........................ 23
Joseph P. Nacchio, Chairman and Chief Executive Officer, Qwest
Communications International, Inc.............................. 25
Frank J. Cilluffo, Co-chairman, Cyber Threats Task Force,
Homeland Defense Project, Center for Strategic and
International Studies.......................................... 27
Kenneth C. Watson, President, Partnership for Critical
Infrastructure Security (PCIS)................................. 30
Alphabetical List of Witnesses
Cilluffo, Frank J.:
Testimony.................................................... 27
Prepared statement........................................... 83
Dick, Ronald L.:
Testimony.................................................... 11
Prepared statement........................................... 52
Gorelick, Jamie S.:
Testimony.................................................... 23
Prepared statement........................................... 70
McDonald, Sallie:
Testimony.................................................... 13
Prepared statement........................................... 61
Nacchio, Joseph P.:
Testimony.................................................... 25
Prepared statement........................................... 76
Tritak, John S.:
Testimony.................................................... 9
Prepared statement........................................... 42
Watson, Kenneth C.:
Testimony.................................................... 30
Prepared statement with attachments.......................... 98
CRITICAL INFRASTRUCTURE PROTECTION: WHO'S IN CHARGE?
----------
THURSDAY, OCTOBER 4, 2001
U.S. Senate,
Committee on Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 9:35 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Max Cleland,
presiding.
Members present: Senators Cleland, Carnahan, Thompson,
Collins, Bennett, Voinovich, and Dominici.
OPENING STATEMENT OF SENATOR CLELAND
Senator Cleland [presiding]. At the request of Senator
Lieberman, who must be out of town today to attend a funeral, I
am chairing today's hearing on critical infrastructure
protection. I appreciate this opportunity to examine who in the
public and private sector is responsible for ensuring the
protection of our Nation's infrastructure. This is the second
hearing held by Senator Lieberman and the Committee in our
continuing series on the security of our Nation's critical
infrastructure and the vulnerability of the country's
financial, transportation, and communications networks, also
our utilities, our public health system, law enforcement, and
emergency systems, and others. As you can tell infrastructure
covers just about everything of value in our country.
Prior to the September 11 terrorist attacks the
Governmental Affairs Committee has been actually diligent in
its examination of the responsibilities of Federal agency heads
for developing and implementing security programs. In fact, the
computer security law, enacted during the 106th Congress,
requires Federal agencies to upgrade their practices and
procedures in order to protect government information systems
from cyber attack. However, since the attacks on Washington and
New York City, we have learned that there is still much to be
done to protect the Nation's critical infrastructure.
The terrorist attacks provide evidence that physical
assaults can cause severe disruptions in the service and
delivery of goods and products, triggering ripple effects
throughout the Nation's economy, and more importantly damaging
the faith of the people in the viability of the day-to-day
functioning of the country. Nothing affects Americans more than
the disruption of the Nation's transportation, communications,
banking, finance, and utilities systems. The country's critical
infrastructures are growing increasingly complex, relying on
computers and computer networks to operate efficiently and
reliably.
The growing complexity and the interconnectedness resulting
from networking means that a disruption in one win may lead to
disruptions in others. Therefore, President Clinton established
the President's Commission on Critical Infrastructure
Protection in July 1996. In 1997, this organization released
its report and recommended that greater cooperation and
communication between the private sector and the public sector
is needed in order to decrease the vulnerability of the
Nation's infrastructures, which led to their President's
release of Presidential Decision Directive 63.
In May 1998, President Clinton released this directive,
which sets up groups within the Federal Government to develop
and implement plans that would protect government-operated
infrastructures and calls for a dialogue between government and
the private sector to develop a national infrastructure
assurance plan that would protect the Nation's critical
infrastructures by the year 2003. This Presidential decision
memorandum identified 12 areas critical to the functioning of
the country: Information and communications; banking and
finance; water supply; transportation; emergency law
enforcement; emergency fire service; emergency medicine;
electric power; oil and gas supply and distribution; law
enforcement and internal security; intelligence; foreign
affairs; and national defense, just about everything you can
think of.
The directive required each Federal agency to secure its
own critical infrastructure and to identify a chief officer to
assume that responsibility. The directive also established
several new offices to oversee and coordinate critical
infrastructure protection. One was a national coordinator
designated to ensure that a national plan was developed. The
coordinator would be supported by a critical infrastructure
assurance office, to be located in the Export Administration of
the Department of Commerce.
The directive also created a joint FBI and private sector
office, the National Infrastructure Protection Center, which
serves as a focal point for Federal threat assessment,
vulnerability analysis, early-warning capability, law-
enforcement investigations and response coordination. NIPC is
also the private sector point of contact for information
sharing. Finally, the directive recommended that we have the
capacity and the capability to detect and respond to cyber
attacks while they are in progress. The Federal Computer
Incident Response Center gives agencies the tools to detect and
respond to such attacks, and it coordinates response and
detection information.
We are fortunate today to have several witnesses who will
present their views on the status of the Nation's critical
infrastructures, and offer their recommendations on protecting
public and private systems from outside attacks.
Senator Thompson, would you like to make any opening
remarks.
OPENING STATEMENT OF SENATOR THOMPSON
Senator Thompson. Thank you, Mr. Chairman, just very
briefly. I think this is certainly a timely hearing. I think we
all appreciate now the vulnerability that we have had for a
long time, and one that we have discussed in this Committee and
others on very many occasions, certainly including cyber
security and the problems we have with computer security, and
so forth. Of course, that was the background for Senator
Lieberman and I introducing the Government Information Security
Act.
I think that we are now looking at all these threats
through different glasses. Today we are probably going to
emphasize, perhaps, one particular issue a little more than
others, and that is the cyber threat. Now we are all familiar,
all of a sudden, with the threats of biological elements,
chemical, certainly nuclear, certainly conventional
combinations of all the above, and in addition to that is the
cyber threat, which many people think would precede any major
conflict that we had with a major power.
Of course, we now know that in this modern age of
technology, you do not need to have a major nation-state or a
national power in order to create grave problems for us. So now
that we have our attention focused after all this time, we are
thinking about rearranging the boxes again and creating new
laws and new offices, and trying to fit all the stuff that is
out there together. Of course, Governor Ridge's appointment, I
think, is a good step. But within his bailiwick, as I
understand it, will be an Office of Cyber Security.
You have Presidential Decision Directive 63, which
addressed the same general problem of cyber security. The GAO
has indicated that has not done very well, in terms of what it
was designed to do and the offices that it set up. Now we have
a new proposed executive order that is not with us yet that
will address all of this. We have got the question of what is
OMB's role going to be in all of this, since they have
responsibility for computer security, and then we have got to
ask ourselves how does all this relate to the private sector,
as Senator Bennett spent a lot of time on and has legislation
on, because we know that most of our critical infrastructure is
basically in private hands.
So we have got real big organizational issues on the table
to deal with. To me, I think it gets down to a pretty simple
proposition, it is going to require leadership, authority at
the top, and leadership, and accountability. Maybe we can learn
from our past experience with other government agencies and
other crises and things of that nature, and not make the same
mistakes as we go about trying to rearrange these boxes and
decide who reports to who and who has what authority.
Maybe we will take the lessons we learned from our other
management problems. In particular, the government basically
cannot manage large projects very well. We are told time and
time and time again by GAO, by the inspectors general, all the
reports that we have seen in terms of our problems with regard
to financial management. For example, billions and billions of
dollars in waste, fraud, and abuse.
We are told that we cannot manage large information
systems. We have spent billions and billions of dollars, money
down the drain basically, in trying to get computers to talk to
one another. This is a government-wide problem and we think
that we are going to come in here and efficiently set this
particular thing up and it is going to work well, when nothing
else--well, that is an overstatement, of course--but so many
things are producing billions of dollars of waste, fraud, and
abuse every year. The same agencies come before us every year
on the high-risk list, subject to waste, fraud, and abuse, for
a decade, but we are going to pull this out and set the boxes
right, and then go on about our business the way we did before;
we have solved that problem. Well, it isn't going to happen
that way unless we have what we have been lacking for years and
years and years, and that is leadership from the top on these
issues, with the right person having the right authority, and
accountability when it does not work.
We are very good at setting up plans and goals, and
terrible at implementing them. So I do not want to start out
this optimistic exercise on a sour note, but I think it is
important to understand that we have got a bigger job than
probably what we realize in trying to cut through this morass
that we always find ourselves in when we try to solve a
problem. And it is especially important here because of the
nature of the problem. So, hopefully, today we can get some
ideas as to who ought to do what, where the responsibility
lies.
I defy anybody to tell us today where the responsibility
lies for any of this, but maybe we can talk about where it
should lie and where we should go, the direction we should go
in, and I think for that reason it will be a useful exercise.
Thank you, Mr. Chairman.
Senator Cleland. Thank you, Senator Thompson. We will allow
everyone to make an opening statement, if they wish.
Senator Carnahan, would you like to make an opening
statement?
OPENING STATEMENT OF SENATOR CARNAHAN
Senator Carnahan. Thank you, Mr. Chairman. Terrorists did
not want to bring down just our buildings. They wanted to bring
down our economy. They wanted to bring down our military and
our financial and political infrastructure as well. Our losses
are incalculable and far-reaching. Still we must face a stark
reality: It could have been worse. Now this Congress, alongside
the President, must take the lead to ensure we are prepared for
the future. I applaud the Chairman for addressing these issues
with this series of hearings. When we talk about critical
infrastructure, we are talking about American families and
their ability to have a quality life.
This means freedom to travel; it means freedom to make a
living; and it means freedom to conduct business without fear
of terrorism. It means having the peace of mind that your
government is doing all that it can to protect you and your
children. Grim experience has taught us that terrorist attacks
know no boundaries. The ripple effect is extensive. The
emotional trauma is long-lasting, and the economic impact is
real and widespread. We are all affected, and all of us must be
part of the Nation's defense against further attacks.
As the witnesses will discuss today, there are difficulties
in creating a unified system to protect our national
infrastructure, because control of the different components
rests with different entities. On the most basic level, there
is a division between what the government owns and operates
versus what the private sector owns and operates, but the issue
is really much more complex. We live in a global, computerized,
and interconnected world. Technological changes have led to
great opportunities for human progress, but they have also
created vulnerabilities that did not exist even 5 years ago.
Securing our critical infrastructure from cyber attacks,
which could be launched from anywhere, is a tremendous
challenge for both government and industry. I look forward to
hearing from the witnesses today and learning from their
expertise. I want to hear their suggestions on what more needs
to be done. The question being raised today, who is in charge
of protecting our national infrastructure, needs to be answered
as soon as possible. We cannot afford to wait for another
attack.
Thank you, Mr. Chairman.
Senator Cleland. Thank you, Senator Carnahan. Senator
Collins.
OPENING STATEMENT OF SENATOR COLLINS
Senator Collins. Thank you very much, Mr. Chairman, for
convening this important hearing. It would be hard to imagine a
more current topic for a hearing than the one that we have
before us today on the question of who is in charge of
protecting the critical infrastructure of our Nation. Until the
terrorist attacks of September 11, in fact, most Americans
probably never fully realized the importance of this issue.
Tragically, however our eyes are all too open now.
As I have talked with my constituents throughout Maine
during the past 2\1/2\ weeks, the question of our vulnerability
to attack--to various kinds of attacks--and who is in charge
and who is coordinating it all has come up repeatedly. This
morning, I did early morning radio, back in Maine, and one of
the questions was who is coordinating if we have a biological
or chemical attack? Another constituent asked me what about our
ports? What about if we have a big tanker that is full of
liquefied gas coming in? What about the computer systems that
are so critical to our commerce and to our government?
The answer to the question of who is in charge seems to be,
``Nobody is quite sure.'' Less than 2 weeks ago, this Committee
heard compelling testimony from the distinguished chairmen of
two commissions appointed to study this Nation's security,
former Senators Gary Hart and Warren Rudman, and Governor James
Gilmore of Virginia eloquently expressed their unanimous, but
unfortunate, conclusion that, as a Nation, we are simply not
properly prepared to defend our critical resources.
If we were poorly prepared for the challenges we thought we
faced before the terrible events of September 11, we must
surely realize that we are woefully unready now. It seems clear
that the protection of our critical infrastructure still
consists largely of a smorgasbord of independently-run and
poorly-coordinated programs across the breadth of the Federal
system. President Bush took an important step when he took
office in focusing the National Security Council upon terrorism
issues and appointing Vice President Cheney to head a task
force to develop better ways to respond to catastrophic
disasters.
As the Hart-Rudman Commission and the Gilmore Commission
made clear, however, and as recent events have so tragically
underlined, it is necessary to do even more. We, in America,
have long been blessed by being spared most of the traumas of
terrorist attacks that became far too familiar to Europeans in
the 1970's, and have been a tragic part of Israeli life for
decades. It should be clear, however, that we can no longer
afford to attempt to protect our critical infrastructures
without clear lines of authority and accountability, and
without being able to answer readily and precisely the question
of who is in charge.
The difficult, but crucial question now, of course, is who
should be in charge and of what? In other words, we must ask
who should be in charge at what level, with what specific
responsibilities and resources, and with what means of ensuring
accountability? And that is why I believe this series of
hearings is such an important contribution to the national
dialogue of protecting our infrastructure and of winning the
battle against terrorism. I am very eager to hear the testimony
of our witnesses today, and I want to thank the Chairman and
the Ranking Member for their leadership on this issue. Thank
you, Mr. Chairman.
Senator Cleland. Thank you very much, Senator Collins.
Senator Bennett.
OPENING STATEMENT OF SENATOR BENNETT
Senator Bennett. Thank you, Mr. Chairman. I appreciate the
hearing and I appreciate the opportunity for us to examine
these issues, and the point I want to make with respect to the
challenge that we face is that it is seamless. The networks do
not begin and end at any particularly defined place. But the
efficiency that comes out of the information revolution that we
live in has brought with it an increased vulnerability, and the
two are two sides of the same coin.
If you go back in American history to George Washington's
time, there was little or no connection, let us say, between
Charleston and Boston, between Virginia and Massachusetts, or
New York, whatever. It was a 7-day journey to travel from one
major metropolitan area, if you could call it that, to another.
Today, we go around the world with information, money, deals,
negotiations, etc., literately with the speed of light. There
are no boundaries in today's economy. The borderless economy is
a reality, and those who want to take down the Americans who
are the best at playing this particular game have
vulnerabilities virtually everywhere in the system.
The seamlessness is part of our efficiency. It is also part
of our vulnerability, and I got introduced to this whole thing
when we got into the Y2K issue and discovered that
seamlessness, for me, for the first time. I am interested that
the emergency people in New York, who handled all the
difficulties after the World Trade Center was hit, have said to
Senator Dodd, who has repeated it to me, we could not have
handled this emergency if we had not done the remediation
required with respect to Y2K.
Prior to the Y2K remediation, they were in the stovepipe
mentality, a computer here, a computer there, a system
someplace else. Y2K caused them to look at it in horizontal
terms, and they praised Senator Dodd for his work, I think
appropriately, on Y2K awareness and remediation, because it
addressed this problem. We are now, in the terrorist world,
simply looking at a situation where this same vulnerability
that we identified with Y2K, if the computer should fail by
accident, now what do we do if the computers fail on purpose,
not our purpose, but somebody else's purpose who wants to break
into this infrastructure and cripple us?
So we need to do what we did with respect to Y2K, address
the stovepipes, look at this in a strategic manner and say how
is the entire system to be protected? As Senator Thompson has
said, the majority of the ownership of the entire system is in
private hands, not government hands, which is why I have
introduced a bill to increase the flow of information between
the government and the private sector, back and forth, so that
each one can understand in this seamless situation what is
going on in their particular part of the world.
So I think homeland security and critical infrastructure
protection can come down to two words: Interagency
coordination. Now, if that sounds too bureaucratic, think of
interagency as including private agencies, but coordination of
information, coordination of protection activities,
coordination of understanding so that we do not go around with
the attitude, ``Well, there is no hole in my end of the boat,
so I do not need to worry about sinking.'' With this boat, a
hole anywhere hurts us all, and this is an issue that is going
to be with us for a long, long time. We are just beginning to
understand it. That is why this hearing and others like it are
very worthwhile, because it adds to this continually-building
layer of understanding, awareness, and, we hope, solutions to
this problem.
We cannot go back. We cannot say, ``Let us leave the
computer age and go back to paper and dial telephones.'' We are
in the Internet age. We are in the electronic age, whether we
want to be or not, and we simply have to learn to live with
that new vulnerability. Thank you, Mr. Chairman.
Senator Cleland. Thank you, Senator Bennett. Senator
Voinovich.
OPENING STATEMENT OF SENATOR VOINOVICH
Senator Voinovich. Thank you, Mr. Chairman. I thank
Chairman Lieberman for calling this hearing this morning, and
although he is not able to be with us, we are in good hands
with our Chairman pro tem. Today's hearing focuses on the
protection of our Nation's infrastructure, an aspect of our
society that most Americans tend to take for granted. America's
water and sewer systems, computer, roads and bridges, and
banking networks, they are all things that most Americans use
on a daily basis, but rarely give more than a passing thought.
The events of September 11, however, have changed our way
of thinking forever. Americans are now actually aware of how
vulnerable our infrastructure systems and physical surroundings
can be. That is why it is so critical that we work to protect
that infrastructure. This hearing will give us an opportunity
to examine how we allocate the responsibility of getting the
job done. I would like to just say at this time, Mr. Chairman,
that we are having all of these hearings about the various
threats we face, but we are not discussing the human capital
crisis confronting the Federal Government, which is also a
threat. Our witnesses will be talking to us today about all
kinds of things that need to be done, but the real issue is, do
you have the people in your respective agencies with the
qualifications that you need to get the job done?
From my observation of studying this human capital crisis
for the last 2 years, we are in very bad shape today. Many
people are unaware of the fact that by 2005, about 80 percent
of our Senior Executive Service can retire. Van Harp, a senior
FBI agent here in Washington who used to live and work in
Cleveland told me that, ``I'm running my shop with people that
are ready to go out the door.'' And so as we talk about all of
these things that need to be undertaken, Mr. Chairman, we had
better be aware of the fact that our No. 1 threat is the crisis
that we have in our human capital.
As a former Mayor and Governor, I am very much aware of the
water, sewers, and other infrastructure that we have in this
country. I have to say that even without terrorists, our sewer
and water systems in this country are vulnerable because of
aging. With the new mandates coming out of Washington today, in
my State, for example, sewer rates, and water rates are going
up 100 percent. If we are going to do some of the things that
we are talking about to protect them, it is going to be costly.
And it seems to me, Mr. Chairman, that one of the things that
is missing here in Washington today is that we are not
prioritizing the expenditure of dollars.
Some of the things that I think are high on people's agenda
in terms of spending are much less important than some of the
infrastructure needs that we confront here in our Nation.
So I will be very interested to hear from you in terms of
the cyber problem. I would say this: I remember how worried we
were about Y2K. Do you remember? And we were wringing our hands
and we were worried, could we get the job done and is
everything going to fall apart? Senator Bennett, who is very
familiar with this area, was very much involved in that, but we
got the job done, didn't we? But we did not get it done without
making it a major priority in terms of personnel and the
expenditure of money, and that is what it is going to take if
we are going to protect our infrastructure from this new threat
of terrorism.
Thank you, Mr. Chairman.
Senator Cleland. Thank you, Senator Voinovich. Wonderful
comments by all the Members of the Committee here. Thank you
very much for your participation. I will say as a member of the
Armed Services Committee, 1 week before the attacks, as we were
marking up the defense authorization bill, I personally asked
Senator Pat Roberts, who had been the Chairman of the Emerging
Threat Subcommittee, and Senator Mary Landrieu, who is now the
Chairman of the Emerging Threat Subcommittee, what they thought
was the most probable attack on the United States, where we
were most vulnerable. Both agreed that No. 1--a terrorist
attack below the radar screen, stealth in nature, either
biological or chemical, primarily biological and then cyber
attack.
So on the Armed Services Committee, we have been gathering
data and information for at least a couple of years now that
certainly point to a cyber attack as one of the top two or
three attacks that could come via terrorist means on this
country.
We would like to welcome all of you. Today's first panel
consists of public sector witnesses who represent three of the
primary offices created by the Presidential directive. The
Committee will hear from John Tritak, Director of the Critical
Infrastructure Assurance Office in the Bureau of Export
Administration at the U.S. Department of Commerce; Ronald Dick,
Director of the National Infrastructure Protection Center; and
Sallie McDonald, Director of the Federal Computer Incident
Response Center.
Thank you all for joining us here. Before you begin, just
some rules of the road here. Just let me mention to you that
your full statement will be entered into the hearing record.
You can have an opportunity to make a short statement and you
will be subject to a time limit, according to Committee rules.
Once the light turns from green to yellow, you will have about
a minute to wrap up before the red light appears. If you do not
stop then, we will make you an air marshal out at National.
Thank you for coming.
Tell us a little bit about youselves, and what you do, and
some of your thoughts on the subject. But, before I turn you
loose, let me just say I have been here in the Senate almost a
full term now and on this Committee for well over 5 years. I
had no idea you all existed. So please tell us who you are and
where you came from and what you do.
Mr. Tritak, do you want to start off?
TESTIMONY OF JOHN S. TRITAK,\1\ DIRECTOR, CRITICAL
INFRASTRUCTURE ASSURANCE OFFICE, BUREAU OF EXPORT
ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE
Mr. Tritak. Thank you, Senator, Chairman, and Members of
the Committee. I welcome this opportunity, truly, to be here
before you. We generally feel obligated to say that we applaud
your leadership on various issues. It is almost a canonical
thing you need to say, but, in this case it is absolutely true.
I want to add to the remark that was made earlier that this
hearing, in fact, was supposed to happen before the attack--it
was scheduled before the attack, and underscores the fact that
this Committee recognizes there is a real need to address the
challenges to our critical infrastructures.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Tritak appears in the Appendix on
page 42.
---------------------------------------------------------------------------
As was indicated in the opening remarks by a number of
Senators, we basically have been guided by PDD 63 for about 3
years, and that Directive was created based on recommendations
of an interagency group as well as a Presidential commission.
Jamie Gorelick, who will be appearing in the next panel, was
actually leading that interagency process. So this goes back to
the mid-1990's, in terms of the concerns. It created, as you
indicated, three organizations, a number of organizations;
myself at CIAO, Ron Dick over at the FBI, and Sallie McDonald
over at FedCIRC. Needless to say, after 3 years, we were ripe
for review, a thorough review in terms of the policies that
were established under PDD 63, and frankly, to take a look at
the organizational setup of the Federal Government to determine
where fixes and improvements could be made.
After 3 years of experience and being in the trenches, if
we could not come up with improvements, we really are not doing
our job. And President Bush said as much in May of this year,
in which he directed that the critical infrastructure policy be
thoroughly reviewed with a view towards figuring out ways to
improve the organization of the Federal Government to better
deal with and address the concerns of this issue, which are
extremely complex, as you have all indicated.
He also announced that he wanted, under the directorship of
my office, the Critical Infrastructure Assurance Office, to
begin to prepare a national plan or strategy to be developed
with industry, to develop a consensus in this country, through
a document that would be used to inform and make aware and
educate on what the problems of critical infrastructure are and
what the respective roles and responsibilities of government
and industry are in addressing the problem. We all speak about
this as a critical infrastructure protection program. If I had
it my way, I would strike the word ``protection'' and say it is
critical infrastructure ``assurance''--for the simple reason
that what we are really worried about here is the assured
delivery of vital services over our Nation's critical
infrastructures. Those services are provided by both physical-
and cyber-based assets.
Increasingly, those infrastructures are being restructured
and are increasingly dependent upon information systems and
networks--not just to support their business, but to operate
their assets. They are also becoming more interdependent, so
that disruptions in one sector can actually affect other
sectors, as well. What we learned about September 11, if
nothing else, is now there are at least some groups whose
purpose and goal is to undermine our way of life. They will
exploit vulnerabilities wherever they can find them. We had
some horrific examples of that back on September 11. I suspect
they are not going to stop there.
If they can find and exploit the vulnerabilities of
cyberspace, they are going to do so. So it is incumbent upon
our government to deal with that problem and work closely with
private industry in order to do it. As indicated before,
President Bush had inaugurated a thorough review of government
structure and government policy, and frankly, we were very
close to completing that. In fact, at the time that the
original hearing was going to take place we were close to
finishing that review. Then the horrific events of September 11
intervened--and what we are working on now, and I expect that
the review will be completed fairly soon, is recognition that
this is not just about infrastructure protection, it is about
homeland security, of which the infrastructures themselves are
but a component part.
So what we are trying to do now is identify how and in what
ways we can improve, both organizationally and in policy, to
address the new issues when, in fact--and I will be quite
candid, since one of the roles of my office is to raise
awareness, to draw the various sectors together and identify
common problems across those sectors to involve other sectors
of the economy, like the risk management community, the
insurers, the auditing community, the people who influence the
corporate leaders--is that we had to emphasize the business
case as a way of moving forward. The national security case, in
many cases, but not all, but many cases, is simply not self-
executing in the market.
It seemed too remote to affect day-to-day business
decisions and investments in security. That is not to say
people did not take it seriously, but they had to be able to
justify those kinds of expenditures against their bottom line--
and shareholders and investors who have a whole lot of other
things on their minds. Well, September 11 has just frankly
changed all of that. I do not think anyone doubts anymore what
the needs and importance of investing in infrastructure
security, and particularly taking into account now what needs
to be done that was not done before September 11 when we got
our wake-up call.
So I would say that one of our jobs at the CIAO is to work
toward developing a national strategy, working with Ron Dick,
who is the operational side of PDD 63--with my organization
learning more about the policy-support side--is to address
those issues. And what I expect to happen in the fairly near
term is for the President to be able to provide a much more
comprehensive statement about how homeland security will be
prosecuted and how the critical infrastructure dimension of
that fits into this overall effort.
Thank you for the opportunity to appear here today,
Senator, and I look forward to your comments.
Senator Cleland. Thank you, Mr. Tritak.
Mr. Dick, tell us a little bit about youself, and what you
do.
TESTIMONY OF RONALD L. DICK,\1\ DIRECTOR, NATIONAL
INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF
INVESTIGATION
Mr. Dick. Good morning, Senator Cleland and other Members
of the Committee. Thank you for this opportunity to discuss our
government's important and continuing challenges with respect
to critical infrastructure protection. In my written statement
I address our role in protecting the Nation's critical
infrastructures and how we coordinate with other organizations,
both public and private. Last week, while appearing before a
subcommittee of House Government Reform, I heard compelling
testimony from Mark Seton, who is the vice president with the
New York Mercantile Exchange and an eyewitness to the attacks
on the World Trade Center.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Dick appears in the Appendix on
page 52.
---------------------------------------------------------------------------
Although the computer systems and records of the exchange
survived the attack, their communications, transportation, and
power systems were devastated. Working through contacts in
their emergency plans, the exchange opened 3 days after the
attack, helping to stabilize energy markets both here and
abroad. In this case, diesel generators provided the power,
boats provided the transportation, law-enforcement officials
and first-responders provided the secure environment. The
telephone company provided new lines. His experience proves
three things: How our Nation's various infrastructures are
interdependent and vulnerable; how an entity that organizes for
an emergency and plans for redundancy can operationally survive
a major attack; and how the private sector, working with
Federal, State and local agencies, can succeed in mitigating
the damage in a time of crisis.
The mission of the NIPC is to deter and prevent malicious
acts by detecting, warning of, responding to, and investigating
threats to our critical infrastructures. It is the only
organization in the Federal Government with such a
comprehensive national infrastructure protection mission. The
NIPC gathers together under one roof representatives from,
among others, the law enforcement, intelligence and defense
communities, which collectively provide a unique analytical
deterrent and response perspective to threat and incident
information obtained from investigations, intelligence
collection, foreign liaison, and private sector cooperation.
This perspective ensures that no single community addresses
threats to critical infrastructures in a vacuum; rather all
information is examined from a multidisciplinary perspective
for potential impact as a security, defense,
counterintelligence, terrorist, or law-enforcement manner, and
an appropriate response that reflects these issues is
coordinated by decisionmakers. While developing our
infrastructure protection capabilities, the NIPC has held firm
to two basic tenets that grew from the extensive study of the
President's Commission on Critical Infrastructure Protection.
First, the government can only respond effectively to
threats by focusing on protecting assets against attack while
simultaneously identifying and responding to those who
nonetheless would attempt or succeed in launching those
attacks; and second, the government can only help protect the
Nation's most critical infrastructures by building and
promoting a coalition of trust; one, amongst all government
agencies; two, between the government and the private sector;
three, amongst the different business interests within the
private sector itself; and, four, in concert with the greater
international community.
Therefore, the NIPC has focused on developing its capacity
to warn, prevent, respond to, investigate, and build
partnerships all at the same time. As our techniques continue
to mature and our trusted partnerships gel, we will continue to
experience ever-better results. Presidential Decision Directive
63 commanded the National Infrastructure Protection Center to
``provide a national focal point for gathering information on
threats to the infrastructures.'' Additionally, pursuant to
this 1998 Directive, the NIPC provides ``the principle means of
facilitating and coordinating the Federal Government's response
to an incident, mitigating attacks, investigating threats, and
monitoring reconstitution efforts.'' In the 3 years since that
mandate, the NIPC has established an unprecedented level of
cooperation among various Federal and local agencies in the
private sector.
This cooperation was achieved because we have seen the
success of joint multi-agency operations when all members of
the intelligence, defense, law enforcement, and other critical
infrastructure agencies, as well as our private sector
counterparts, combine their widely-varied skills and
specialties toward a single goal. The eight infrastructures set
forth in PDD 63 have recognized that although they are
independent, they are also interdependent and that they must
work together in order to reduce or eliminate their own
vulnerabilities, and the impact one infrastructure may have on
another.
The center has full-time representation from the defense
agencies, numerous other Federal agencies, and the Critical
Infrastructure Assurance Office. We work closely with the
Federal Computer Incident Response Center, as well as the Joint
Task Force for Computer Network Operations at Department of
Defense, and other entities which respond to critical
infrastructure events. Beyond this and moreover, we recognize
the need for a military public-private sector partnership
similar to that in the days of World War II.
We in the National Infrastructure Protection Center
continue to partner with and support lead agencies, such as the
FBI and the Department of Defense. We continue to provide
timely and credible warning information to law enforcement,
counterintelligence, and counterterrorism, and support to all
of our partners in order to fully perform this vital mission.
The center is proud to work with your Committee and the
Executive Branch to ensure that freedom continues to ring
across this Nation.
Thank you very much.
Senator Cleland. Thank you very much, Mr. Dick. Ms.
McDonald.
TESTIMONY OF SALLIE McDONALD,\1\ ASSISTANT COMMISSIONER, OFFICE
OF INFORMATION ASSURANCE AND CRITICAL INFRASTRUCTURE
PROTECTION, U.S. GENERAL SERVICES ADMINISTRATION
Ms. McDonald. Thank you and good morning, Mr. Chairman and
Members of the Committee. On behalf of the Federal Technology
Service of the General Services Administration, let me thank
you for this opportunity to appear before you to discuss our
role in critical infrastructure protection. FedCIRC is a
component of GSA's Federal Technology Service and it is the
central coordination facility for dealing with computer
security-related incidents within the civilian agencies of the
U.S. Government. Our role is to assist those agencies with the
containment of security incidents and to aid them with the
recovery process. This directly supports a critical
infrastructure protection mission because the Federal
Government's agencies depend upon their computer systems, not
only to conduct government operations, but also to provide
final connectivity to the owners and operators of the Nation's
critical infrastructures.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. McDonald appears in the Appendix
on page 61.
---------------------------------------------------------------------------
Incidents involving new vulnerabilities or previously
unseen exploits require in-depth analysis. Effective incident
analysis is a collaborative effort. Data is collected from
multiple sources, then verified, correlated and analyzed to
determine the potential for proliferation and damage. This
collaborative effort has resulted in the development of an
incident response community that includes FedCIRC, the NIPC,
the National Security Agency, the Department of Defense, the
intelligence community, industry, academia, and individual
incident response components within Federal agencies.
Though the respective missions of these organizations vary
in scope and responsibility, this virtual network enables the
Federal Government to capitalize on each organization's
strategic positioning within the national infrastructure, and
on each organization's unique access to a variety of
information sources. Each entity has a different but mutually
supportive mission and focus, which enables the critical
infrastructure protection community to simultaneously obtain
information from and provide assistance to the private sector,
Federal agencies, the intelligence community, the law-
enforcement community, the Department of Defense, and to
academia.
The unified response to recent threats to the cyber
infrastructure, including the Code Red worm and the Nimbda
worm, clearly demonstrate how these collaborative relationships
work and how each participant's contributions help to assess
and mitigate potential damage. In both instances, industry
alerted the incident response community to the new exploit.
During a previous event, a collaborative communication network
had been established among numerous government agencies
including FedCIRC, the NIPC and the Critical Infrastructure
Assurance Office, in addition to academia, industry, software
vendors, antivirus engineers and security professionals.
This network enabled participants to share details as they
performed analyses and developed remediation processes and
consensus for protection strategies. In the case of Code Red,
through the collaboration of the above-named groups, the
collective team concluded that this worm had the potential to
pose a threat to the Internet's ability to function. An
unprecedented public awareness campaign ensued concurrent with
efforts to ensure that all vulnerable servers were protected.
Statistical information provided by software vendors indicated
an unprecedented rush by users to obtain security patches and
software updates addressing the vulnerabilities. As a result,
the impact of Code Red and its variants was significantly
mitigated and serious impact to Internet performance was
avoided.
Mr. Chairman, the information presented today highlights
the critical and effective relationship that exists between
FedCIRC and other members of the critical infrastructure
community. Though each contributes individually to critical
infrastructure protection, our strength in protecting
information systems government-wide lies in our collaborative
and coordinated efforts. I trust that you will derive from my
remarks an understanding of the cyber threat and response
issues, and also an appreciation for the joint commitment to
infrastructure protection of FedCIRC and the other members of
the critical infrastructure community.
We appreciate your leadership and that of the Committee for
helping us achieve our goals and allowing us to share
information that we feel is crucial to the protection of our
Nation's technology resources. Thank you.
Senator Cleland. Thank you very much, Ms. McDonald. We will
open it up in a minute for a round of questions. Each Senator
will have 8 minutes in order to delve into some of these
questions that plague our country. One of the things that
occurs to me on this particular point of vulnerability to cyber
warfare is a question that I ask myself about the intelligence
community, but what comes to mind is that line by a humorist in
Georgia, now deceased, Lewis Grizzard, who once said that life
is like a dog sled team. If you ain't the lead dog, the scenery
never changes. I am looking for the lead dog. Who is the lead
dog among you here? Is there one? And is that a problem?
In other words, it is interesting, Mr. Dick, you are
director of the National Infrastructure Protection Center, FBI.
Mr. Tritak, you are the director of the Critical Infrastructure
Assurance Office, U.S. Department of Commerce. Ms. McDonald,
you are over in the Federal Computer Incident Response Center,
GSA.
Do we have a lead dog in the Federal Government that runs
the war against cyber terrorism, Mr. Tritak?
Mr. Tritak. Senator, under PDD 63, the lead person for
coordinating government policy on critical infrastructure
protection and assurance issues is the National Coordinator for
Security, Infrastructure Protection, and Counterterrorism at
the National Security Council, and that is Richard Clarke. What
they did is create two basically parallel offices; one for
operational threat assessment and warning and the like. It is
an interagency office that happens to be housed at the FBI.
That is Ron Dick's.
The other was a policy, planning and support group with an
emphasis on dealing with some of the cross-cutting issues of
private industry. So if you ask under the PDD 63 rubric, the
person that has front-line responsibility in oversight is
Richard Clarke over at the National Security Council. As I
tried to indicate before, all this is under review, and what is
being considered now is how to not only accomplish what Senator
Thompson had indicated, which was to establish the lines of
authority, accountability, but, frankly, also what are our
policy priorities. If you have the best organizational chart in
the world, things won't get done unless the matter is a
priority with the backing of the highest guy in the land--the
President of the United States.
I think there is no question under the current
circumstances--and I do not think it was a question before the
circumstances of September 11--that critical infrastructure
protection is going to be a priority for this President. But,
as things are, the policy review process is ongoing, but being
wrapped up and, unfortunately, many of the people who are
involved in finalizing the policy review are also very busy
actually dealing with the terrorist problem we are confronting
at the moment. So if you ask me today: To what extent is PDD 63
still in play? I would say that it is for the interim, but I
would also tell you that is going to change very soon.
Senator Cleland. Mr. Dick, any comments?
Mr. Dick. No, I completely agree with John's comments as to
who is in charge--that is according to the guidelines under
which we exist today and which are under review. I would like
to make one quick comment in agreement with Senator Bennett. No
matter who is in charge, the key to success that we have found
is the building of interagency cooperation to include the
private sector. We in the center, as I said, have been in
existence for about 3 years. We have had a number of
initiatives. One is called InfraGuard, a grassroots effort with
security professionals in both cyber and the physical world, to
share information.
We currently have about 2,000 members throughout the
country. We have chapters in every one of our 56 field offices
at the FBI and even a few more cities across the Nation. We are
working very closely with the information sharing and analysis
centers that are formed within the private sector for banking
and finance and electrical power and water, and we are working
very closely, obviously, with our partners in the Federal
Government to share information, and succeeding in getting
cooperation in that. But the key to that interagency
cooperation is the building of one word, as I said in my
statement, trust.
Trust takes time, but trust is evolving. I think the things
we have seen that Sallie alluded to, with the Leaves virus,
Nimbda, where you saw a combining of law enforcement,
intelligence community, private sector individuals coming
together, really experts in this field, determining what is the
issue, what is the resolution to it and providing to the public
a means by which to mitigate and solve the problem, was truly
successful. And I think that across all infrastructure
protection, as well as homeland security, that is the issue--is
what Mr. Bennett alluded to, is the cooperation between all of
the agencies.
Senator Cleland. Can I just underscore that? It does seem,
and I hate to inflict another comment on you, but I was
thinking about Casey Stengal's great line when he was coach of
the Yankees. He said that it is easy to find the players, but
it is tough to get them to play together. It does seem to me
that the challenge here is the coordination of the existing
assets, I mean, step one, and we are all human beings. We all
have our offices. We all have our departments. We all have our
allegiances. Trusting someone outside that department, outside
the framework is the challenge. In other words, building a team
may be tougher than just putting some names on an
organizational chart.
Mr. Dick. And you are absolutely right and let me, if I
may, give you another, what I think, is a very good example. My
experience in being involved with the center for over 3 years
and being the director for the last 6 months, is that the
people I have dealt with in the other agencies, people I have
dealt with in the private sector, are all trying to do the
right thing. There are no agendas here going on in my opinion.
These are people that are legitimately trying to do the right
thing and figure that out.
One of the things, I think, is a success from our
standpoint is the relationship the center has built up with the
Joint Task Force for Computer Network Operations under General
Bryant in the Department of Defense. General Bryant and I are
in complete agreement about one thing, that I cannot do my job
without JTFCNO and the Department of Defense as an integral
partner. And General Bryant agrees with that same statement. So
we have built, what I think and I think General Bryant does
too, a very good working relationship that is built upon trust
and sharing information, and that information not being used in
a wrongful manner. But that takes time.
Senator Cleland. Mr. Dick, I would like to observe, too,
that we are all trying to do the right thing here, too. If some
person on the National Security Council is the lead dog or the
top coordinator or the ultimate person to which this
information is followed up, that person is not confirmed by the
Congress and it is tough for the Congress to be part of the
team. In other words, I do not think we have the authority to
call up Mr. Clarke and ask him how the war against cyber
terrorism is going? I mean, he is on the National Security
Council. So that is just a challenge for us here as we try to
plug ourselves into our oversight responsibilities.
Ms. McDonald. Well, I certainly agree with both John and
Ron's statements. We have come together as a team, because I
think this community, probably more than others, has recognized
the vulnerabilities in the cyber area, and recognized, as Dick
Clarke frequently says, that there will be an electronic Pearl
Harbor. None of us were expecting the events of September 11,
and we in the cyber community are hoping not to see anything of
that magnitude in this area. But if we do not all come
together, if we do not devote resources, if we do not correct
the human capital situation that Senator Voinovich addressed,
we have a tough job ahead of us and many challenges.
Senator Cleland. Amen. Well said. Senator Carnahan, any
questions?
Senator Carnahan. Certainly, all of us would agree that we
are going to have to be looking into the types of attacks that
we are likely to face, and whether or not we are prepared for
them in the public or private sector. The attacks in New York
and Washington were targeted attacks. Is our infrastructure
equipped to withstand a larger geographical attack on a larger
geographical area? I would address that question to Mr. Dick,
and also, could you explain how NIPC is preparing for such a
scenario, and what steps you are taking to help the private
sector prepare for something of that nature?
Mr. Dick. Thank you. Obviously, whether we are prepared for
a particular attack depends on how big. Obviously, you can make
a threat scenario so large that you eventually lead to--well,
everything is shut down, but in taking what would normally be
perceived by the intelligence community and us as reasonable
threats that are out there, that are potential, that could
occur--I think the private sector and the U.S. Government
entities, as well as State and locals, are preparing
themselves. Are they adequately prepared? No. Like the events
of September 11, no one could have predicted, I think, with any
great certainty that those things could have occurred.
What has happened, though, in the last few years is a
raising of the awareness, if you will, of the need for the
contingency plans that I talked about in my statement by Mr.
Seton, and with the Mercantile Exchange in New York. Because of
those efforts, this particular company took a lot of time and
effort to build these contingency plans. Has North American
Electrical Liability Council and all the electrical power
companies done the kind of contingency planning and
consideration of redundancy issues that they should have?
Probably not, but I think with heightened awareness and
coordinated planning, as Mr. Bennett was talking about, in
cooperation with each other, we can achieve a very robust
ability to respond and survive almost any kind of attack.
Senator Carnahan. Do you feel like you need additional
resources or tools to be able to make NIPC more effective in
this regard?
Mr. Dick. Well, absolutely. We are moving forward right
now. We have submitted a supplemental proposal and we are
working it through the Department of Justice and OMB as we
speak, to address many of those issues to reach what we are
calling full capacity to address these issues as they occur,
and it will be through a phased-in approach. But we have made
that request already. What I think is another issue here, and
it is not just a matter of funding to the NIPC or funding to
the FBI--it is a matter of being able to get the experts in
this area, whether it be in the cyber, whether it be in WMD
issues, in the private sector, at the table with the government
to share what those vulnerabilities are and how those fixes are
occurring. So it is not just a personnel issue for governmental
entities. It is much broader than that.
Senator Carnahan. One final question, Mr. Tritak. Certainly
a key component of our country's ability to recover from a
terrorist attack is the government's ability to continue
functioning. I was wondering if you could discuss what steps
are being taken to ensure that the Federal agencies have the
capability to continue functioning in the event of an attack,
and with whom does this responsibility fall?
Mr. Tritak. Well, Senator, actually, there is one piece of
this I can answer and there is another bit of it that, I think,
probably would be better discussed in another environment about
the continuity of government and how we ensure you have a fully
functioning government under all circumstances. But one thing
we are doing under my mandate, under PDD 63, is to assist
agencies in identifying the key critical services they provide,
identifying the systems that support those service deliveries
as a way of mapping potential dependencies and vulnerabilities
that they have to address and safeguard.
So for example, and I use this in my written testimony, I
think everyone would agree, for example, that a timely warning
of a hurricane would be a vital service the government needs to
provide. Ensuring that service is deliverable--it is not
sufficient simply to make sure that the Tropical Prediction
Center in Miami, Florida works. The fact of the matter is, a
number of inputs from other government agencies and private
sector entities feed into that system. Some of those, if
disrupted for even brief periods of time, could actually impair
the delivery of vital information that warned of hurricanes
with the result in loss of life if it is not brought up
quickly.
So one of the things we are all doing in accelerating, and
this is, in fact, something that is fully supportive of the
efforts that were passed under the Lieberman-Thompson bill of
last year, is to accelerate that mapping process within each of
the civilian agencies, where we focus on the civilian agencies,
because, frankly, the Defense Department, they do this as a
matter of course. So in that respect, what we are looking at is
ensuring critical government services. In some of those cases
they rely on private sector infrastructure service providers to
help. We have given these agencies a way of identifying what
they have to prioritize and pay attention to to ensure that
those services, whether they are Social Security checks,
hurricane warnings, or mobilization of U.S. forces to project
power overseas can be done.
Senator Carnahan. Thank you.
Ms. McDonald. Senator Carnahan, if I could add, the General
Services Administration is also charged with continuity of
government operations. As you probably know, we not only have
the Federal Technology Service, which provides long-distance
telecommunications service and information technology service,
but we also have the Federal Supply Service that has been
instrumental in providing supplies both to New York and the
Pentagon, and we have the Public Building Service where we
provide office space, etc. So we do have contingency plans to
reconstitute government as far as buildings, technology, and
supplies are concerned.
Senator Carnahan. Thank you.
Senator Cleland. Thank you very much. Senator Bennett.
Senator Bennett. Thank you, Mr. Chairman. Mr. Dick, can you
tell us how many people are actually doing analysis in your
information sharing unit?
Mr. Dick. I think there are 10 or 12 that are FBI
employees. I would have to confirm those numbers. From an
interagency standpoint, we probably have another four or five.
Now, that is just doing analysis. Within the center, we have a
total of approximately 90 FBI and 20 interagency folks.
Senator Bennett. I understand that in November 2000 the FBI
director wrote to Sandy Berger complaining that the other
Federal agencies did not recognize NIPC's mission, and he said
NIPC would not be able to provide analysis and warning, if the
NSC did not, in fact, assist NIPC in obtaining personnel. Are
you aware of that letter or of that concern and do you share
that concern?
Mr. Dick. I am aware of the letter and I share that
concern. As I spoke a moment ago, to one of the key factors of
the success of being able to provide strategic analysis, is the
interagency nature of being able to get many people from
different disciplines to look at the same data, and to
determine if the vulnerability in the banking and finance
sector is applicable to the electrical power sector. And that
is one of the findings that was referenced by Mr. Thompson in
the GAO report. In fact, my reading of the GAO report was that
it said we did investigations pretty well and we did outreach
pretty well, because of InfraGuard and some other things, key
asset initiatives. It said we did training pretty well. So we
did a number of things pretty well.
But what it said we did not do very well was strategic
analysis. They said we did not do strategic analysis very well,
meaning predictive analysis, because we did not have the
resources, both from an FBI standpoint, but more importantly,
from an interagency standpoint. And it has been my public
position that GAO was right. You know, their conclusion was
absolutely correct, but----
Senator Bennett. It always bothers you when that happens.
Mr. Dick. Yes, it does, but I try to get over it. We have
been working very diligently with other partners, and there has
been some response from many of the agencies in providing us
resources.
Senator Bennett. That was going to be my next question.
Have things gotten any better since November 2000?
Mr. Dick. They have gotten better. The CIA has provided a
senior officer to head the analysis and warning section, and it
made a commitment for multiple years for that person to be
engaged there. He is an excellent person. Behind me here, the
Department of Defense has sent over a two-star Rear Admiral
from the Navy to be my deputy director for the center, Admiral
Plehal. He is working very diligently with the other Department
of Defense agencies to fill those gaps that we have talked
about before. The National Security Agency has sent over a
senior analyst to head up the analysis and information sharing
unit.
So there have been a number of issues that we have made
progress on. Are there still gaps? Yes, sir, there still are
gaps, but I am seeing greater cooperation, and I think since
the events of September 11, there has been an even heightened
awareness of the need for participation and sharing of
information within the center.
Senator Bennett. Well, let me ask all of you, you have
referred to this collaborative analysis, who has the ultimate
responsibility?
Mr. Dick. For production of products?
Senator Bennett. Yes.
Mr. Dick. Generally, the center is the one that assists in
the production of that and coordinates the production of that,
along with others, particularly in the private sector, and then
pushes those products out. One of the things that you have to
keep in mind, a lot of the solutions are not necessarily
government solutions.
Senator Bennett. Oh, I understand that. I am just talking
about the analysis here, and you are saying it is focused in
the NIPC and the FBI.
Mr. Dick. But it is a collaborative effort, where like--as
Sallie was talking about on the Code Red worm, we bring the
unique skills that each of us possessed together to look at a
particular problem or issue, and then come up with mitigation
or a solution. So it is not us in the center alone. It is a
partnership with the others, a big partner, private sector, the
antivirus community, and the other software vendors.
Senator Bennett. Yes, and that is what my legislation is
trying to address, to increase that partnership with the
private sector, but if the Chairman can quote baseball, if I
were advising Tom Clancy on his next novel, who would be the
official who would go running to the Oval Office and say, ``Mr.
President, an attack is coming,'' and our analysis shows this
from the private sector creates a pattern that we discover that
holds with the Defense Department, and the CIA tells us and so
on. Our analysis shows that there is going to be a major
incident coming, on the Tom Clancy mode, would that be Dick
Clarke who would go forward with that? Would that be the
director of the FBI? Would the director of the FBI tell the
Attorney General? Who? Who ultimately is the one in whose mind
that the alarm bell should go off that, ``Hey, this pattern of
analysis shows we have a major, major vulnerability here, and
it looks like somebody is getting ready to exploit it?''
Mr. Dick. Yes, I think it would be a collaborative effort.
Obviously, we are in direct contact with Mr. Clarke and the
National Security Council almost on a daily basis because of
the events of today. So when you are saying who is going to run
and brief the President, those briefings that occur every day
with the Attorney General, the director of the FBI, and
representatives from the National Security Council. In the kind
of event that you are talking about, there are sensors out
within the private sector, but also within CIA, NSA, DOD, the
FBI, and all of that intelligence is churned together to make
those briefings. So I do not know that there is a person that
would be running up to the President.
Senator Bennett. Do you have any expectation, and I realize
this is speculation, but let's speculate--do you have any
expectation that Governor Ridge will become that person?
Mr. Dick. I have not seen the final--or I have seen a draft
of the executive order, but I do not know how that is all going
to flesh out.
Senator Bennett. Either of the other two? Do you have any--
Mr. Tritak. I will venture a speculation, which hopefully I
will not pay for. [Laughter.]
Senator Bennett. We will protect you.
Mr. Tritak. I think it is fair to say that just based on
administration statements recently, there is going to be
someone who will be responsible for this--recognizing there are
channels of constant communication on intelligence matters with
the FBI and everybody else--there will be somebody who will, in
addition, have a responsibility for reporting those sorts of
things to the Cabinet and therefore the President. It is a
question of who and under what circumstances, and I think that
is what is actually being worked out.
I think what is informing your question is the recognized
need to ensure is that there is someone with sufficient
authority, accountability, and has the ear of the President who
is going to be able to communicate these concerns in a timely
manner, and I think that there is every effort from what I can
tell, just in the various reviews that have been going on at an
accelerated pace, that the answer will be yes, there will be
someone responsible. What we cannot tell you now is who, for
sure.
Senator Bennett. If I may, Mr. Chairman, I am asking these
questions of the administration. If someone were to turn the
tables and say who in the Senate would be the one to alert
Leader Daschle, we would not have an answer to that on this
side of the dais. Thank you very much for your testimony and
for your service in this area.
Senator Cleland. Thank you very much, Senator Bennett.
Senator Domenici.
OPENING STATEMENT OF SENATOR DOMENICI
Senator Domenici. Thank you, Mr. Chairman. I apologize for
being late and I am sorry I did not get to hear whatever you
had to say before I arrived.
I just want to make two observations, Mr. Chairman. It
would be good to have before us how many meetings we have had
of this type, talking about better coordination among the
important aspects of the government and the people, so that
they know what is happening and what might beset them and their
families. Most of those hearings would be drab and dull, and
maybe if the Committee had not reported so many bills during
the year, it might report one on the subject of coordination,
so that we would not just add to another tall list of
coordination requirements.
I will not say people in the government will not follow
them, but I would suggest there would not be a great deal of
urgency about getting them operative, solving problems within
the legislation that requires meeting for this and meeting with
this leader or that person. I would hope that has ended, and I
would hope that you, Mr. Chairman, and the Chairman of the
Committee, would consider the subject matter of this hearing
something serious enough that within a very reasonable time, it
should be achieved.
We should have legislation that does something with
reference to this area of infrastructure, organizationally
speaking, so as to preserve it and make sure we know what we
are doing and others can rely upon what we know. I happen to
have a bill that is before us, S. 1407, the Critical
Infrastructure Protection Act. It follows in tandem with what
we understand the President's proposals are going to be, by way
of executive order. I am hopeful that soon, whatever other
bills are going to be introduced and considered, that our
Chairman will proceed with dispatch to mark up this kind of
bill, unless to be effective, we need to do a lot of other
bills.
I have not passed judgment on that yet myself, but
obviously a very big vacuum existed in terms of communicating
to someone about a problem that was going to fall upon our
people on that now infamous day, September 11. I compliment you
and this Committee, because I think this is not normally very
exciting work. But we ought to do something with the smartest
people we have and the equipment we are capable of buying and
putting in place if we think the problem is serious enough. We
surely can do much better than we have done, and we can have in
place within a year something much better than we have by way
of infrastructure safety, cooperation, and information
exchange.
Thank you for what you all do. I am going to wear my other
hat, which I am a little bit better known for, the budgeting
part, and I am going to go talk about the stimulus. I have
already chatted with you, so I kind of know what you think.
Maybe we can get something done on that quickly, too, let's
hope.
Thank you, Mr. Chairman.
Senator Cleland. Thank you, Senator Domenici. Thank you for
stimulating and underlining the need for increased coordination
and cooperation on this vital issue of security, in terms of
our cyber world, both public and private, and just to point out
and underscore the Senators concern if we cannot get together
public entities, private entities, Legislative and Executive
Branches--if we cannot get together now, under these
circumstances, when will we ever get together? So that is our
charge.
We would like to thank the panelists for your time and
attention. Thank you very much. We would now like to call the
second panel.
We thank you all very much for coming today, and we would
like to welcome Frank Cilluffo. He is the senior policy analyst
and deputy director for the Global Organized Crime Project,
from the well-known and well-respected Center for Strategic and
International Studies, which I understand the board of trustees
is chaired by my friend, Senator Sam Nunn, from Georgia. You
are a senior policy analyst and recently chaired two homeland
defense committee hearings on counterterrorism and cyber
threats and information security at CSIS. We welcome you today.
Jamie Gorelick, the Vice Chair of Fannie Mae, who, as you
know, is a private shareholder-owned company that works to make
sure mortgage money is available for people in communities all
across America. We welcome you today.
Joseph Nacchio, Chairman and CEO, Qwest Communications, and
Vice Chairman of the National Security Telecommunications
Advisory Committee. We would like to learn more about that.
Qwest Communications offers local and long distance telephone,
wireless, and Internet web hosting services over a state-of-
the-art network to homes, businesses and government agencies in
the United States and around the world.
Kenneth Watson, President, Partnership for Critical
Infrastructure Protection Security, who is very much involved
in dealing with these threats and vulnerabilities,
countermeasures and best practices within and between
industries. We are delighted to welcome all of you here.
May I just throw out a couple of questions here that you
can respond to, please? The President has put forward the
notion of an Office of Homeland Defense. It is interesting that
it has cabinet-level status, and it needs it, and the office
will report directly to the President, and I think that is very
much needed. However, interestingly enough, the Rudman-Hart
Commission that looked for 2 years at the question of American
defense focused more and more, because of the testimony they
received, on a terrorist attack and concluded that--a year ago,
in their report--that it was not a question of whether a
terrorist attack would come on this country, but when, and
therefore recommended a full-blown agency of homeland defense,
in effect with a budget of its own and, in effect, infantry,
troops, people at its command, Border Patrol and so forth, the
Coast Guard and the like, that could be put into operation in
terms of homeland defense.
We just want to let you know that is something that is on
my mind as you now have an opportunity to give an opening
statement, and we will start off with Ms. Gorelick.
TESTIMONY OF JAMIE S. GORELICK,\1\ VICE CHAIR, FANNIE MAE
Ms. Gorelick. Thank you very much, Senator Cleland, and I
very much appreciate the opportunity to be here. I testified on
this subject, I think, the first time before this Committee in
July 1996, and I said at the time that I hope we would not have
to see the electronic equivalent of Pearl Harbor before we did
something substantial. We have not had an electronic Pearl
Harbor, but we have had a Pearl Harbor, and it, I think, puts
what we are doing as a country in a different perspective.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Gorelick appears in the Appendix
on page 70.
---------------------------------------------------------------------------
As Senator Thompson said just a little while ago, we are
seeing things through different glasses. I have a long interest
in this issue. I came to the Department of Justice from the
Department of Defense. At the Department of Justice, where I
served as deputy, I was in a position--not unique, but there
are not very many people who see both domestic and foreign
intelligence on a daily basis--that caused me to be very
concerned about our national infrastructure and the lack of
responsibility for protecting it, particularly in the area of
cyber security (but also our entire national infrastructure).
We started a Working Group which resulted in a Presidential
Commission, which resulted in PDD 63. I have been long
interested in these issues. I currently serve on the Director
of Central Intelligence National Security Advisory Panel and on
President Bush's National Intelligence Review Panel. So I have
kept an interest in these things. I am here as Vice Chairman of
Fannie Mae, to comment on the readiness of the financial
services sector of our economy, but also with this background.
So let me make a couple of comments and see if I can come
back to the question that you posed, Senator Cleland. We have
realized as a country, for now 5 or 6 years, that we need to
have a hardened-against-attack private and public
infrastructure. We need to have the comprehensive ability to
detect intrusions. We need to have comprehensive planning,
warning, and operational response capabilities.
The two original actions that emerged from the Presidential
Commission did, as we just heard from the last panel, create
two efforts, a law-enforcement effort and an effort to get
industry to where it needed to be. There has been progress, but
frankly it has not been enough. The events of September 11
serve, if nothing else, as a wake-up call. From the point of
view of industry, the original concept was that industry should
be encouraged, if you will, to work together to form such
things as the Partnership for Critical Infrastructure Security,
and various information sharing analytic centers, to work
together.
That made sense, because industry asked the Commission not
to put in place government command-and-control of industry
infrastructure. And there was, as you have heard from the
previous panel, a decided lack of trust between industry and
government. So the first step was to build trust and each
industry was to be encouraged to work together. Various of
these information sharing and analysis centers have, in fact,
been stood up. I would say to you--and I have submitted my
testimony in greater length on this subject--that there is an
uneven range of results, uneven participation, uneven
robustness of capacity. And in some industries, the effort is
still nascent.
These ISACS, by and large, have no funding, no permanent
staffing, no real operational capability. So when you point
out, Senator, as you have quite appropriately, that 90-plus
percent of the information infrastructure on which this
country's security rests belong in the private sector, that
private sector's organizations to deal with this issue are not,
I think, where they need to be. I think now, perhaps with the
greater sense of urgency, there will be a greater willingness
on the part of industry to step up to the plate and also to
accept help from the government.
I think we need a more realistic approach, one in which the
government does more to bring industry together for the sharing
of information. We need a new legal rubric, and I commend
Senator Bennett for addressing the Freedom of Information Act
issue and the antitrust issue, both of which will bring greater
coordination to and greater flow of information from the
private sector to the government. And we need greater clarity
on chain of command, if you will, within the governmental
structure.
I would say one word about law enforcement. The NIPC is to
be commended for the work that it has done. To the question
that all of you have asked, the FBI is in charge, under PDD 63;
it is very clearly the lead agency. But if you look at the
resources that the FBI in general has had to fight terrorism,
compared to the resources that a CINC would have to protect the
national interest, say, in the Pacific, it is absolutely
dwarfed. There is no relationship between the job and the
resources.
The worry that I have about a coordinator in the White
House is that we will not get to the point of real homeland
security and defense, the way the Defense Department would step
up to it if it had that job. I do not know what the thinking is
in that regard, since I am not in the government. But I would
say to you, having served in both places, there is no one in
the government with the operational capacities and the
wherewithal of our Defense Department. And unless you get to
that level of scale and capacity to protect our national
infrastructure, we will, I am afraid, remain at risk.
There is no one currently doing the kind of planning we
need done, and there is no capacity, for example, that I am
aware of for a military response to a cyber attack on the
private sector.
Thank you.
Senator Cleland. Fascinating testimony, Ms. Gorelick. Thank
you very much. Powerful. Mr. Nacchio.
TESTIMONY OF JOSEPH P. NACCHIO,\1\ CHAIRMAN AND CHIEF EXECUTIVE
OFFICER, QWEST COMMUNICATIONS INTERNATIONAL, INC.
Mr. Nacchio. Thank you, Mr. Chairman and Members of the
Committee for inviting us. It is an honor to be here this
morning. Let me begin by first introducing who we are. We are
not as well-known as most other big companies. We are a 5-year-
old Fortune 100 company. We have 66,000 employees and revenues
of about $20 billion. We provide local, long distance,
Internet, broadband, and wireless services across the United
States and Western Europe, and we own the incumbent local
telephone company in 14 Western States. We also provide
services to agencies of the U.S. Government, notably the
Departments of Defense, Energy, and Treasury.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Nacchio appears in the Appendix
on page 76.
---------------------------------------------------------------------------
I am also testifying today, as you noted earlier, in
addition to my capacity as Chairman and CEO of Qwest, as the
Vice Chairman of the National Security Telecommunication
Advisory Committee (NSTAC), and I bring to that organization
all of my experience in the industry, about 30 years, and a
deep concern on this issue, an issue we have been addressing
for the better part of the last 3 years. In cyberspace, we have
been at war for 3 years. It is now just catching up to the
general consciousness of the country.
We are constantly hit with viruses and almost ironically,
the success that the telecommunications industry has had over
the last 30 years in defending against physical attacks and
nuclear war, has now made us vulnerable in cyberspace. Although
we have moved much of the physical layer out of danger,
although there is still some danger, we now have cyber defense
as one of our biggest issues.
I would tell you though, that instead of focusing just on
vulnerability, we should also look at resiliency. And, as the
President reassured the Nation 2 weeks ago that the state of
the Union is strong, I would tell you this morning and assure
you that the telecommunications infrastructure of this country
is strong.
Our infrastructure and telecommunications is the best in
the world. Our engineers, technicians and workers maintain it
second to none, and we saw that proof on September 11, because
despite the horrific damage at the World Trade Center and at
the Pentagon, most of the Nation's telecommunications and
Internet infrastructure worked flawlessly at a time of
increased demand.
The problems were isolated to the end links in the network.
We had wireless overlays in play. It was far better than most
people, I think, would have imagined. At ground zero in New
York, telecommunications companies put aside their everyday
marketplace rivalries, including ourselves. For example, we
diverted a multimillion dollar shipment of equipment that was
supposed to come to us in the West directly to Verizon, so that
we could restore those central offices down on West Street. We
worked with FEMA to provide communications between the two
critical locations in lower Manhattan the day after the attack,
and we provided Internet connections and services to all who
had lost them.
Similar efforts were made by other telecom companies. We
have a collaborative industry, and in this case, it was praised
by FCC Chairman Michael Powell, who quoted it as a heroic act,
ensuring the world's premier communications network has
continued to be available in times of tragedy. So we should
look at both the vulnerabilities and the resiliency of our
infrastructure, and understand how resiliency came to pass: It
has been through collaborative efforts that have occurred over
the last 20 or 30 years.
The telecom industry understands that our networks are
quite literally the conduits that connect the world and the
essential sectors of the economy, and keeping both our internal
and external networks safe is something that the companies in
our industry do every day and will continue to do. Let me give
you two examples that make this real from our own experience.
First, to defend our internal Qwest physical network from
physical and cyber attack we have implemented a comprehensive
information network security program which includes
classification of the network assets, the implementation of a
complete set of security policies and procedures, extensive
employee training and a plan for disaster recovery and reacting
to disasters.
The NSTAC leadership has broadly circulated the Qwest
program, encouraging the other members of NSTAC to implement a
similar program.
Second, to protect our external networks, just last month
we dedicated 1,000 technical experts to assist our customers
affected by the global Code Red computer virus, which
penetrated our firewalls and took down our customer networks.
Such a quick and comprehensive response is what is necessary
across all networks. But doing it in our own networks is not
enough. Doing it inside the telecommunications infrastructure
is not enough. Other industries need to take similar steps
because we are all interconnected in cyberspace.
It is no longer important to just protect your physical
layer. You have to protect the software layer. We are all
connected. Each company must therefore protect its own network,
assets and people, and all companies must coordinate those
actions. I have some very specific proposals that I think
address this.
First, NSTAC and the National Security Council should
immediately initiate a project to develop benchmarks and
requirements for information security best practices for the
telecommunications industry and its users, because again we are
interconnected. Either NSTAC or another public organization,
such as the National Infrastructure Simulation and Analysis
Center, proposed by Senator Domenici, should be given the
responsibility to extend these clearinghouse and coordination
functions to other industries and other agencies, as well.
Second, I think Congress should remove the perceived
barriers to information sharing. Your legislation, Senator
Bennett, with Senator Kyl, is critical to allow us to share
information safe and secure, so that the information we are
sharing with the government does not fall into the hands of the
perpetrators to begin with, under the Freedom of Information
Act, and we can collaborate without the threat of antitrust,
based upon the national security needs.
Third, and this is very important to us who are fighting
this every day, we need legislation increasing the penalties
for cyber attacks. This is not a humorous subject for hackers.
It has to be a serious subject. It costs money. It costs time.
It puts people in vulnerable circumstances when they lose their
communications infrastructure. We need to give law enforcement
greater latitude to investigate and to prosecute these attacks.
Let me conclude by saying that the telecommunication
infrastructure is strong. There is more work to be done, but it
can and must be made stronger, and I know that we at Qwest and
my colleagues in the communication industry will do whatever is
necessary to help this Committee, the Congress and the
administration to ensure the continued strength of America's
telecommunications infrastructure.
Senator Cleland. Thank you very much, sir, for that very
strong testimony. Mr. Cilluffo.
TESTIMONY OF FRANK J. CILLUFFO,\1\ CO-CHAIRMAN, CYBER THREATS
TASK FORCE, HOMELAND DEFENSE PROJECT, CENTER FOR STRATEGIC AND
INTERNATIONAL STUDIES
Mr. Cilluffo. Mr. Chairman, Senator Bennett, it is a
privilege to appear before you today to discuss this important
matter. In the wake of the terrorist attacks on the World Trade
Center and the Pentagon, the United States is confronted with
harsh realities.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Cilluffo appears in the Appendix
on page 83.
---------------------------------------------------------------------------
Our homeland is vulnerable to physical attack and gone is
the sense that two oceans that have historically protected our
country can continue to protect Americans. The terrorists
attack highly visible symbols, not only of military strength,
but also of our economic prowess. Though exceedingly well-
planned, coordinated and executed, the comparatively low-tech
means employed by the terrorists raises the possibility of a
cyber strike or perhaps a more inclusive, more sophisticated
assault combining both physical and virtual means on one or
several critical infrastructures.
As we will never be able to protect everything, everywhere,
all the time, from every adversary and every modality of
attack, now is clearly the time for clearheaded prioritization
of policies and resources. Unless we examine this issue in its
totality, we may simply be displacing risk from one
infrastructure to another. We need to approach the issue
holistically and examine the dangers posed to our critical
infrastructures from both physical attack, a well-placed bomb,
and cyber attack, and perhaps most important where the two
converge.
Infrastructures have long provided popular terrorist
targets. Telecommunications, electric power systems, oil and
gas, finance and banking, transportation, water supply systems,
and emergency services have been frequent targets to terrorist
attacks, and I listed a bunch in my prepared remarks. The
destruction or incapacitation could have a debilitating effect
on U.S. national or economic security, clearly the reason for
this hearing and others.
One should state that bits and bytes or bugs and gas, for
that matter, will never replace bullets and bombs as the
terrorist weapon of choice. Al Qaeda, in particular, chooses
vulnerable targets and varies its modus operandi accordingly.
They become more lethal and more innovative with every attack.
While bin Laden may have his finger on the trigger, his
grandchildren may have their fingers on the computer mouse.
Moreover, cyber attacks need not originate directly from Al
Qaeda, but from those with sympathetic views, and given the
anonymity of cyberspace, it is very difficult to discern who is
really behind the clickety-clack of the keyboard.
For too long, our cyber security efforts have focused on
the beep and squeak issues, and it focused on the individual
virus or hacker du jour in the news, often to the neglect of
the bigger picture. It is now time to identify gaps and
shortfalls in our current policies, programs and procedures,
begin to take significant steps forward and pave the way for
the future by laying down the outlines of a solid course of
action that will remedy these existing shortcomings.
Along these lines, there have already been a series of
actions taken, some prior to September 11, some post. In
particular, I do applaud the creation of the new cabinet-level
Office of Homeland Security, directed by Governor Ridge. It is
my understanding that a comprehensive review will be completed
by next week, which will set out the office's roles, missions,
and responsibilities. We will then have a better sense of the
explicit roles and responsibilities pertaining to homeland
security and how they directly impact critical infrastructure
protection, and as was mentioned earlier, there was already an
executive order in the works, about to be signed, on cyber
security. So this is clearly something the President has been
engaged in, in advancing our cyber defenses, for quite some
time.
To get to the point you have brought up earlier, Mr.
Chairman, this attack was a transforming event. Many have
claimed that the Office of Homeland Security may not have the
authority to succeed. Well, I disagree. One cannot look to
history alone to identify what organizational model will be
most effective. Because this is the highest priority facing our
Nation today, organizational charts, titles, and line items,
boxes, historic emblems of bureaucratic power, fade to the
background. Governor Ridge will have the ammunition required to
carry out his responsibilities because he and his mission have
the full confidence of the President of the United States.
But even an undertaking of this importance takes time to
move from concepts to capabilities. Once the immediacy of the
problem has settled into routine, perhaps several months from
now, we should consider codifying and institutionalizing its
mission with congressional legislation and additional statutory
authority if needed, but I think we have to crawl before we
run. As both the Executive Branch and the Congress consider how
best to proceed in this area, we should not be afraid to wipe
the slate clean and review the matter with fresh eyes.
We need to be willing to press fundamental assumptions of
national security. Critical infrastructure protection and
information assurance are cross-cutting issues, but our
government is still organized along vertical lines in their
respective stovepipes. When we do this review, we should do it
with a critical eye, not only one that appreciates how far we
have to go, but also where we have come, and there have been
some centers of excellence, both in government and the private
sector, that we should leverage and build upon.
Ultimately, it is essential that any strategy encompasses
prevention, preparedness and incident response, vis-a-vis the
public and private sectors and the interface between them. What
we need is a strategy that would generate synergies and result
in the whole amounting to more than simply the sum of its
parts, which is currently the case.
Information technology's impact on society has been
profound and touches everyone, whether we examine our economy,
our quality of life, or our national security. Unfortunately,
our ability to network has far outpaced our ability to protect
networks. Though the myth persisted that the United States had
not been invaded since 1812, invasion through cyberspace has
been a near-daily occurrence, a marked counterpoint to
September 11 attacks.
Fortunately, however, we have yet to see the coupling of
capabilities and intent, aside from foreign intelligence
collection, where the really bad guys exploit the really good
stuff and become technosavvy. We have not seen that marriage,
but in my eyes that is a matter of time. Let me jump very
briefly--I have laid out a number of recommendations that I
thought we should be looking to in terms of building this
partnership. As to who is responsible, it is a shared
responsibility.
The government must, however, lead by example. Only by
leading by example and getting its own house in order can they
expect the private sector to commit the resources in both time
and effort to get the job done, and we need to clarify
accountability. We need to clarify roles and missions. Right
now, there really is no one held accountable, and clearly that
is going to be something that will be examined with all the new
executive orders.
Let me skip through the rest and close with a couple of
initiatives that can be taken to incentivize the private
sector. First, from the government perspective, by improving
the resilience of our economic infrastructure we improve the
government's readiness, because so many of these critical
functions are owned and operated by the private sector. But,
second, we also improve our economic security, which cannot be
seen as black or white. These are now blurred.
We need to encourage standards to incentivize the private
sector. We need to improve information sharing, and I
wholeheartedly applaud Senator Bennett's initiative in this
area, because FOIA has been a significant obstacle to sharing
information between the public and private sector. We can also
look at liability relief. Government could provide
extraordinary liability relief to the private sector in the
case of cyber warfare, similar to the indemnification authority
set up in the case of destruction of commercial assets during
conventional warfare. So these are some of the areas we can
look to.
Mr. Chairman, I know I am over my time. I have rarely had
an unspoken thought. Forgive me, but not to digress, but I
would like to close by saying thank you. We have all done some
soul-searching in the last couple of weeks. I, for one, have
never been so proud to be an American, proud of our President,
proud of our Congress, and proud of the millions of Americans
that make this country great. I believe we have all emerged
from this with a stronger sense of purpose and appreciation of
our Republic and its institutions.
This is precisely what our forefathers had in mind. We were
put to the test. We will prevail. They will fail. And critical
infrastructure protection is clearly an important element to
improving our Nation's security.
Thank you, Mr. Chairman.
Senator Cleland. Thank you, Mr. Cilluffo. Wonderful, strong
statement. We are proud of you, too, and all of you.
Mr. Watson.
TESTIMONY OF KENNETH C. WATSON,\1\ PRESIDENT, PARTNERSHIP FOR
CRITICAL INFRASTRUCTURE SECURITY (PCIS)
Mr. Watson. Good morning, Mr. Chairman and Senator Bennett,
I am honored to be here today on behalf of the more than 70
companies and organizations from all the critical
infrastructure sectors that comprise the Partnership for
Critical Infrastructure Security, or the PCIS. The question:
``Critical infrastructure protection: Who is in charge?'' is
timely, but may not have a quick and easy answer, as we have
heard many times today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Watson appears in the Appendix on
page 98.
---------------------------------------------------------------------------
We would all like to be able to turn to a single government
or industry executive or agency with the authority and
responsibility to assure the continued delivery of vital
services to our citizens in the face of these new and emerging
threats. The truth is that the infrastructure architecture
requires a distributed leadership, cooperation, and partnership
to accomplish that goal, exactly what Senator Bennett said
earlier.
I would like to describe for you the environment of the
critical infrastructures, explain what we were doing before the
horrendous attacks 3 weeks ago, and what has changed since
then. I will also make a few recommendations.
Over the last 10 to 20 years, the network of networks has
truly changed the way we live and work. There is no turning the
clock back. This has brought about unprecedented levels of
productivity and profitability; however, each industry is now
more dependent on every other than before, and all have come to
depend on computer networks for core operations, not just as a
business enhancing tool.
The Federal Government cannot function without services
provided by the private sector infrastructure owners and
operators. Most of these are multinational corporations with an
interlaced network of suppliers, partners and customers, many
of whom are outside the United States. The Internet itself
relies on key name servers and routers located around the world
with no central ownership or authority. Therefore, the health
of the global economy is directly related to America's national
and economic security.
Just as the Internet is open, borderless, international and
unregulated, responsibility for protecting critical
infrastructures is distributed among companies and government
organizations. Form follows function. This applies not only to
architecture, but also to how we organize to protect our
critical infrastructures. Even with the best of intentions and
the most modern tools, the Defense Department could not defend
against a cyber attack on the information systems of a power
plant in Omaha. That power plant must have the technologies and
teams to defend itself and to prevent cascading effects beyond
its own perimeter, and it must be connected to a distributed
indications and warning system in order to be able to respond
quickly and proactively.
Also, since every unsecured computer connected to the
Internet could be used as a zombie in a distributed denial-of-
service attack, these tools, teams and warnings must become
part of every business' standard networking procedures.
Activities that an enterprise can take: Conducting
vulnerability and risk assessments; deploying security
technologies; investing in research and development; resourcing
and enabling incident response teams must now be distributed
and coordinated.
Many in industry and government have been focusing on how
to accomplish this coordination for at least the last 5 years.
The President's National Security Telecommunications Advisory
Committee, or NSTAC, has been providing advice on national
security and emergency preparedness issues in the
telecommunications sector since 1982. The NSTAC is still
extremely relevant, even more today, conducting studies and
holding network security information exchanges on current
issues.
The President's Commission--as has been mentioned several
times--on Critical Infrastructure Protection, reported in
October 1997, recognizing the need for close public-private
coordination, that applies to all the infrastructure sectors.
Industry responded to the government's invitation to a dialogue
by launching the Partnership for Critical Infrastructure
Security at the World Trade Center in December 1999. Since its
formation, the PCIS has become a model for cross-sector
coordination and public-private cooperation.
Last year, the PCIS identified barriers to information
sharing with government, and now Senator Bennett's bill and
others in Congress are working through legislation based on our
findings. During the response to the Code Red worm, government
and industry turned to the PCIS to represent industry alongside
the NIPC and security experts as we made the public service
announcement that ultimately blunted the impact of that
infestation. Inthe coming year, the administration will publish
a public-private national plan for critical infrastructure
protection, with industry sections coordinated by the PCIS.
This is not just an American problem. Several countries are
establishing similar partnerships. The PCIS is forming close
relationships with them and we are collaborating several areas.
We are currently working with critical infrastructure
protection organizations in Canada and the United Kingdom, and
we are following similar activity in Switzerland. The United
States and Australia conducted a bilateral meeting in August, 2
months ago, where we agreed to cooperate on security standards
and in other areas.
One of the keys to success is the timely sharing of
information about threats, vulnerabilities, countermeasures and
best practices within and between industries and between the
public and private sectors. Information Sharing Analysis
Centers, or ISACs, are proving their value as both computer
defense centers and awareness vehicles. There are currently
five ISACs in operation: Financial services;
telecommunications; information technology; electrical power;
and oil and natural gas.
These ISACs have shared information on threats to members
and helped their sectors prevent damage and disruption from
threats like the Code Red and Nimda software worms. The telecom
ISAC is able to share vital information from the government to
industry that has been proved both valuable and timely. Four
additional ISACs are in various stages of development:
Railroads; aviation; water; and information service providers,
or ISPs. One of this year's top goals for the PCIS is to
establish a cross-sector and public-private information sharing
architecture.
With the same goal, the existing ISACs, under the
leadership of the National Communications System, met last week
to work out a cross-sector operational information exchange
capability. This meeting greatly accelerated the progress we
have made in this area and the procedures they develop will
form the foundation for the overall cross-sector architecture.
What has changed since September 11? The terrorist attacks
on the World Trade Center and the Pentagon did not change the
architecture of the new economy or our interdependency, or the
interlinked nature of the economy's national security in the
nations of the world. What those attacks did was create a sense
of urgency and an increase in security awareness. Just as the
administration carefully and deliberately seeks out those that
conducted and supported these barbaric acts and learns about
this new battlefield environment, I urge everyone involved to
take the time to understand the infrastructure environment and
not to move too quickly to try to solve the infrastructure
protection problem.
So what can we do to protect our critical infrastructures?
We need to raise the security bar worldwide, by streamlining
communication and coordination, accelerating research and
development, practicing good network security, and by not
abandoning our values. I have four recommendations: First,
support the administration initiatives to streamline
coordination within the Federal Government. We will continue to
work closely with the Critical Infrastructure Assurance Office,
the National Infrastructure Protection Center, and the national
coordinator, as the government organizes itself to manage
homeland security, counterterrorism, and critical
infrastructure protection.
Second, support initiatives that will secure the next
generation's network of networks, as well as patches and fixes
we are applying today, by providing resources to government
agencies with increased responsibilities in this area and
providing funding for research. To assist in this effort, the
PCIS is developing a research and development roadmap that will
include a gap analysis of current industry, academic and
government programs, and recommendations for focusing resources
to meet sector and cross-sector needs.
Third, encourage government organizations, businesses and
individuals to practice sound information security, starting by
adequately funding network security programs in all Federal
departments and agencies; updating passwords, disallowing
unauthorized accounts and unneeded services and installing
firewalls and intrusion detection are no longer just common
sense, but a matter of cyber civil defense.
And, last, carefully consider the impact of any new
legislation on the freedoms Americans cherish: Individual
privacy; freedom of expression; and freedom of
entrepreneurship. We all understand that without security there
is no privacy, but we must always strive for balance. My
colleagues of the PCIS and I welcome any invitation to discuss
our activities with you at any time. We believe a dialogue
where we can hear your insight and you can hear our concerns
will be healthy and fruitful.
We are all in this together: Industry, academia, the
administration, the Congress, the American people, and we need
all points of view to ensure that our critical infrastructures
continue to meet the needs of every citizen by ensuring the
continued delivery of vital services and enabling the economy
that underpins our security and our way of life.
Thank you very much, and I am happy to answer any
questions.
Senator Cleland. Thank you very much, Mr. Watson. You are
right. We are all in this together.
Mr. Cilluffo, I was fascinated by a comment. If you would
go back in your testimony, if you could find that section where
you said something about the terrorist will not do something--
and ultimately will not give up bombs and bullets. Can you say
that section again? Since you seemed to say that maybe bombs
and bullets, in bin Laden's case, was maybe generational, and
his offspring may have their finger on a mouse or something.
Talk about that section again.
Mr. Cilluffo. If we look at the threat, we need to look at
a full spectrum of threats. If we are focusing on Al Qaeda
specifically, this is an organization that understands the
lethality, has demonstrated the capability, and bombs and
bullets are the effective weapon of choice, and he will
continue to accelerate the capability. If you look at it, even
Al Qaeda, if you go back to Kobar Towers, you saw car bombs,
then you had truck bombs at the African embassies. The U.S.S.
Cole, you had boats as bombs. Now, unfortunately, you have
planes as bombs. So it is more innovative every time, more
lethal every time, he is not, and his followers in Al Qaeda and
this loosely affiliated network of radicals, because what they
really do is they pool resources. There is no monolithic
organization. He is the chief financial officer of this loosely
affiliated organization that brings groups together.
He is not going to be turning to cyber means. They use it,
cyber, for tradecraft, to communicate. Whether they use
stegonography, as some media have said, I do not know, to hide
code messages inside, or whether they use simple code words,
where ``Go walk the dog,'' could mean something very different,
and seemingly innocuous could mean something very different if
they have communications beforehand, and he has demonstrated
the ability to mix very high-tech and very rudimentary low-tech
means of tradecraft, to include communications.
And so I think that it is important to say that when we
look at the terrorist threat today, we need to look at it
holistically. We need to recognize that Al Qaeda is not all
terrorism. You are going to see some that are turning to cyber
means. There is only one official terrorist use of offense
information warfare, and that was the Tamil Tigers of LTTE, who
disabled embassy communications in Ottawa, Seoul, and
Washington. But that is going to change.
What we see mostly are nations--and they are in the
stealing secret business. They are not going to crash systems.
They would be compromising such a valuable method and technique
to steal America's secrets. So we just need to look at it
holistically.
Senator Cleland. Thank you.
Mr. Nacchio, thank you for your testimony. When I saw the
Pentagon smoking and I looked at the Capitol and realized that
the Capitol might be the next target, it was a strange feeling.
So I tried to get on a cell phone. Of course, by now the whole
system was clogged, and my immediate thought, though, was that
we are also under a cyber attack. In other words, they have
jammed our communications. As an old Army signal officer, I
guess that was the first thing that came to my mind. Actually,
I later realized the whole system was overloaded.
Also, you mentioned the reliability of the system. Again,
in my training, the first week I was on active duty I had an
old colonel tell me that, ``Cleland, the secret to reliability
is redundancy.'' Have you learned anything about this, in
effect, instant overload, when the country is attacked or some
spectacular thing happens, have you learned anything in your
world that you are going to do differently? Are you going to
program in more redundancy for a peak usage for a few hours, so
that average citizens can communicate by the millions, which is
what they wanted to do, and I just wondered if you had a
comment on that?
Mr. Nacchio. Well, yes, it is a very pertinent point, and
it really relates to a question you asked an earlier panel that
said how do you protect against a massive attack? The
communication networks are best designed, of course, for a
massive attack. There are many of them, multiple paths,
physical redundancy, multiple fiber paths that you can travel.
What happened in New York and the Pentagon, specifically New
York, is when the towers were on fire, West Street central
office of Verizon went out, so all of southern Manhattan, at
the end point, was taken out. The rest of the nationwide
infrastructure worked well, but you could not get in and out of
southern New York, and similarly the wireless networks and
points did not work if you were going in and out of New York or
in and out of northern Virginia.
But the rest of the Nation, communicating about it, worked
well. So you still have physical points of vulnerability. What
we learned here is that what we used to protect for a nuclear
attack, the same thing could happen with an airplane attack or
if we had a massive fiber cut or if a bridge across the
Mississippi River went down. These infrastructures need to be
protected. So we are not invulnerable to physical attacks, and
that is what was demonstrated, but it is very isolated.
The bigger danger is what my colleague here on the left has
said; it is only a question of time, only a question of time
that what nation-states can do to attack the fiber
infrastructure, terrorists will learn how to do, and you will
see a massive shutdown, and that is what I know national
security has worried about in the past and what we have tried
to assist on, a massive cyber attack that disables nationwide
communications, not just a pair of points, say in New York or
Washington.
Senator Cleland. Then do we in the Federal Government and
many in the private sector need to think about redundancy, some
kind of redundant capability?
Mr. Nacchio. Right.
Senator Cleland. Certain leaders were moved to, in effect,
a redundant headquarters outside of Washington. In the case of,
shall we say, a national emergency in our telecommunications
world, in our cyber world, do we need to be able to have some
kind of built-in redundancy?
Mr. Nacchio. Absolutely, and I think for most of the
infrastructure in this country, you have redundancy. There are
still critical points and there is a limit at the last mile, so
to speak, at some point you are not going to have redundancy,
and that is what we have to be careful of.
Senator Cleland. Thank you.
Mr. Watson, do you have any feeling about your own view
about whether an Office of Homeland Defense is going to be
adequate, or do you feel a cabinet-level agency with budget and
with troops in the field and so forth, massing their assets, is
something we ought to seriously think about? Have you come to a
conclusion on that?
Mr. Watson. There are many agencies and organizations in
the Federal Government that are currently contributing to the
critical infrastructure protection effort. There certainly
needs to be some streamlining. I am in no position to tell the
government how to organize itself, but simply the fact that the
pending executive order seems to indicate that there will be
someone to coordinate critical infrastructure protection, we
believe, is a very positive step, and we look at that as a
parallel effort to what we have at the PCIS, coordinating all
the infrastructure sectors.
Senator Cleland. Mr. Cilluffo, I see your head nodding. Do
you want to come in on that?
Mr. Cilluffo. Oh, no, I pretty much agree. What we will
have to work out are the details, of course. There are a number
of potential executive orders out there, a number of great
ideas and a number of commissions that have come out with
different ideas. What I think you are seeing now is the
amalgamation of the best of the best. There is no right answer.
Whatever answer they choose, though, is in some ways the right
answers, because they are the ones who are going to have to
implement and execute.
So what I say here is let's not rush to judgment. Let's see
where this goes. Six months from now, maybe we are going to see
there is a need for additional statutory authority or very
specific legislative proposals or even access to troops. But I
think let's focus now on the short-term needs requirements,
backfill those threats to be able to withstand, prevent and
preempt an incident, make sure that we are looking at this from
not just the top-down, but the bottom-up; that our emergency
responders and the public health community, for a bio event,
are ready. So I do not disagree, but I think now let's focus on
the short-term and then look to long-term capacity building.
Senator Cleland. Ms. Gorelick, any ideas?
Ms. Gorelick. As I said earlier, I think we do need some
streamlining from the point of view of business to know who is
doing what, operationally. I would make a comment about NSTAC
in that regard. The reason that NSTAC is as robust as it is and
has the capacity that it does, compared to the other ISACs that
are more nascent, is that it was actually stood up by the
government. The CEOs of the industry were, in 1982, named to
the panel. They were given clearances. They get briefings.
There is an extant staff. Industry is not told what to do by
the government, but there is an infrastructure provided.
There are many willing partners in the private sector, and
we have a lot of technical expertise. We understand, from our
own business perspective, the need to have business continuity.
We understand, from our own business perspective, the need for
our partners to have business continuity, but we are in
business, we are unused to collective or collaborative action
of the sort that is really called for here. If you could have
the NSTAC model in each of the other industries, you would have
a much more robust capacity on the part of industry doing the
sorts of things that Mr. Watson is talking about. Other
industries would get caught up to where communications is.
The financial services sector did very well, considering
what happened to it. It does have a lot of individual
redundancy. We have backup centers and we have done a lot of
thinking about hardening those resources. But if we are going
to get where we need to be as industries responsible for this
national infrastructure, I think we need, as I suggest in my
written testimony, more adequate support on an industry by
industry basis. I think we would be all helped by that. I do
not think it is tremendously expensive, and it would
dramatically increase the way that industry and government
communicate with each other, and that industry communicates
across itself.
Senator Cleland. Mr. Nacchio.
Mr. Nacchio. Mr. Chairman, let me just build on that--a
couple of quick thoughts. Something that we do in the private
sector, I think, applies here. If you want to get something
done, define it clearly, focus and align resources, and keep it
simple. Today, when we have a problem on our networks, we are
required under the law to report it within 30 minutes to the
FCC, as Verizon did to Chairman Powell when they had the
outage. If we, NSTAC members, are faced with a cyber attack,
will report it to NSTAC so it can be shared. But just to be
clear, we take care of ourselves. NSTAC does not direct what we
do. We are together.
I have a fiduciary responsibility to make sure my network
does not go down no matter who is attacking. I have my own guys
who protect it. We hire ex-FBI, ex-anybody we can. We are kind
of a nation-state in defending our physical and our cyber
infrastructure. We are happy to share that as long--under the
Freedom of Information Act--as it not get passed out to the bad
guys, so to speak.
So what NSTAC is really good at, which I think was touched
here and why I am involved, is that my biggest job as the vice-
chair is not necessarily working with national security, it is
working with all my colleagues in industry as best I can to
encourage them, based upon what we learned, because we are all
responsible for this, not just the government. But if you can
keep it focused and keep it simple, your pertinent question
about what do you do about homeland defense--I could not tell
you how to organize the government--but I would say keep it
simple.
There are at least a dozen agencies, if something really
bad is happening, we have to call, and that is all good,
including the FBI, the local police, and the FCC. We generally
get on it ourselves to start with. So, I recommend that you can
keep it focused, streamlined, with clear accountability, and,
of course, dedicate the resources.
Ms. Gorelick. I would second that.
Senator Cleland. Thank you. Senator Bennett.
Senator Bennett. Thank you, Mr. Chairman.
Mr. Nacchio, they taught me in high school that nature
abhors a vacuum. Government abhors simplicity. [Laughter.]
Senator Bennett. And may I, as a former customer of US
West, and now one who writes a check to you every month, thank
you for the improvement in service that has come since you took
over. We are grateful that you have put the kind of resources
you have into increasing customer service, and it is not
unnoticed and not unappreciated.
Mr. Nacchio. Thank you.
Senator Bennett. Mr. Nacchio has told us what they did at
September 11. I would be interested, Ms. Gorelick, what Fannie
Mae did with respect to September 11.
Ms. Gorelick. We stayed in business.
Senator Bennett. What kind of challenges did you face?
Ms. Gorelick. We were open for business. Our challenges
were communication with sources of funding. The capital
markets, as you know, were not really operating. We were able
to establish communication with the Fed. We were able to
maintain our communications with our customers.
Basically, what we do, as you know, is fund those who are
making mortgage loans around the country, and, by and large,
the other outlets were, at least for the period of September 11
and for some period after that, not able to function.
Fortunately, for us, we were able to. We have a very robust
system. Like Mr. Nacchio, we try to hire the best. Our head of
security is out of DISA. We have spent a lot of time thinking
about cyber security.
So we were able to function and I think we were able to
perform a real service to those who needed the capital markets
to function. Eventually, those markets came back, but it took
awhile, and I think if you look at what some of the learnings
are, I think a lot of financial services companies have learned
what makes their backup systems work. If you have your backup
system right down the street from your main system, that may
not work. If your backup system is reliant on the same
communications grid, even if it may be in Brooklyn rather than
lower Manhattan, it may not work.
If you have a backup system that relies on the same people
and the people cannot get there, it may not work. Fannie Mae
did not experience any of those problems, and that is partly
good planning and partly good luck, but I think there are a lot
of learnings for the financial services sector coming out of
this event.
Senator Bennett. Thank you.
Mr. Cilluffo, you made reference to the motivations of Al
Qaeda, and I will share with you and put into this record
information that came from a hearing we held in the Joint
Economic Committee on this issue less than 60 days ago, where I
asked one of the witnesses from the CIA if, in fact, the next
terrorist attack would not come in the form of a cyber attack,
because I said, as I said before, if I were someone who wished
this country ill--back to your world, Ms. Gorelick--I would
want to shut down the Fed wire and break into the computer
system that keeps that going. If you could do that, you would
produce long-term devastation.
Ms. Gorelick. If I might suggest, Senator Bennett--I am
sorry to interrupt--but I would actually think it useful to
inquire as to what occurred, because that is a very vulnerable
node, and we saw----
Senator Bennett. We have done that on the Banking
Committee. I sit on the Banking Committee, and I have asked
Alan Greenspan directly about that issue and have had my staff
down at the Fed looking at it for exactly the reason that you
are underscoring. The answer I got from the witness was very
interesting, and, in view of what has now happened, prophetic.
He said, ``Senator, that is because you think the way you
think. To the terrorist, shutting down the Fed wire does not
give him what he wants, which is television footage that can be
broadcast around the world to inflame people,'' and one of the
analysts after September 11 who spoke to us said, ``In a sense,
this attack by Al Qaeda backfired and failed, because what they
wanted to produce was such a reaction out of America as to
create a war of civilizations that would then polarize the
Muslim world on their side. It backfired in that it caused such
revulsion among good Muslims, who said this is not what they
teach in the Koran, that it has driven moderate Arab States and
Muslim States to our side in this confrontation.'' So cutting
down the Fed wire does not give them any footage at all on
international television, and therefore was not a notion that
he looked at.
But we go to the issue of hostile nation-states, and the
ability to shut down the Fed wire would be something that a
dictator in a hostile nation-state could hold this country
hostage, a phone call or a hotline to the President of the
United States, saying, ``Mr. President, we want the following
things done in the international scene, and if they are not,
within 20 minutes,'' or they would probably give him less time
than that, ``the Fed wire will be shut down and the American
economy will come to a screeching halt.''
If we think in strategic terms, isn't that the kind of
long-term protection that we have got to deal with, in addition
to the immediate challenge of terrorists that want to use
kinetic weapons--isn't this the long-term strategic
vulnerability that we have?
Mr. Cilluffo. Absolutely, Mr. Chairman--Senator Bennett.
Senator Bennett. I will take that, but the Senate probably
would not concur. [Laughter.]
Mr. Cilluffo. But let me build on what I thought was such
an important point. The single common denominator of all
terrorism is that it is a psychological weapon intended to
erode trust and undermine confidence in a government, its
institutions, its elected officials, its policies in a region
or, more generally, its values, and on and on and on and on.
This did backfire. It united our country and it united--we
united at home and we built a united front abroad. In the back
of the minds, I think, of the administration, they have done a
wonderful job of keeping this to fighting the really radical
radicals. This is not about Islam. It is about radical Islamic
fundamentalism, which Islam abhors, and we need to keep it that
way.
But, to the cyber question, I do not think there is an easy
answer. Since the end of the Cold War, threat forecasting has
arguably made astrology look respectable, and I do not have a
crystal ball, but I would say that one thing we do want to
think about in terms of conventional terrorist organizations
are combined attacks, where perhaps you detonate your
conventional explosive, big, large, whatever it may be, and you
disrupt emergency 911, so the first responders cannot get to
the scene, or something similar--and we do not want to
advertise too many possibilities.
But you are right. In terms of nations, that is where we
have seen capabilities. There is no question that nations are
doing surveillance, the cyber equivalence of intelligence
preparation of the battlefield, on our networks. And those same
tools to steal secrets can automatically be turned on to deny
service, to attack. So this is something we need to be looking
at, absolutely, and we need to be looking at it in a many-
pronged lens. We need to improve our own computer network,
exploit the ability to steal cyber secrets of others, as well
as good old espionage.
Senator Bennett. If I could just make one quick comment,
Mr. Chairman, before we wind it up. One of the vulnerabilities
that we have to deal with, with the Defense Department, is the
potential ability of an enemy to break into that communications
system and then send the wrong instructions to the CINCs, and
even if they do not, the mere fact that there is the
possibility that they have will cause the CINC not to act on
real instructions until he can be absolutely sure, through
redundancy, that this order did come from the CINC, and in that
process, time is lost, efficiency is lost, and the combination
that Mr. Cilluffo was talking about of a kinetic weapon attack
and then a scrambling of our command and control system or a
threatening of our command and control system that slows down
our response is an additional tool of warfare that we need to
deal with as we are thinking about this in strategic long-
term----
Mr. Watson. Senator Bennett, if I may make an additional
comment to piggyback on that, I spent 23 years in the Marine
Corps, the last eight of which were devoted to what became
information warfare, and we were very much concerned with the
combination of things like electronic warfare, military
deception, psychological operations, destructive capabilities.
But our feeling now in the private sector--and there are many
of us that believe that the center of gravity for this country
has moved to the private sector, because everyone is dependent
on the private sector for the services that the infrastructures
provide, we understand that we are on the front lines of
defense, and I think it is impressive that the board of
directors of the PCIS is all volunteer, and they all represent
presidents and executives from companies like Bank of America,
BellSouth, Consolidated Edison, Union Pacific, Conaco,
Microsoft, and Merrill Lynch. You name the industry association
and they are on the board. We get it, and we are ready to
cooperate and help.
Senator Bennett. Thank you. Thank you, Mr. Chairman.
Senator Cleland. Thank you, Senator Bennett, and thank our
panelists today, wonderful testimony.
In conclusion, talking about the unity that has been
brought about here, I have been often asked about the
historical impact of the attack on September 11, and I quote
Admiral Yamamoto, who planned and executed the attack on Pearl
Harbor, that afterwards he felt he had only awakened a sleeping
giant, and in so many ways that is exactly what has happened.
Thank you all very much. The hearing is adjourned.
[Whereupon, at 11:59 a.m., the Committee was adjourned.]
A P P E N D I X
----------
PREPARED STATEMENT OF SENATOR BUNNING
Thank you, Mr. Chairman.
This is the second hearing on critical infrastructure protection
the Committee has held this year, and I am pleased we are looking at
this issue again.
The first hearing the Committee held was on September 12, the day
after the terrorist bombing. The importance of our security has never
been more evident, as the reality of terrorism on America's soil was
sadly brought home.
Protecting critical infrastructure is a responsibility of all
levels of government and the private sector.
This will require businesses and government to share information
and form alliances in ways they have traditionally not done.
I am hopeful that we can make some good progress in protecting our
critical infrastructure from future attacks over the next couple of
months.
However, we have a long way to go.
In fact, during the September 12 hearing we discussed that too
often in the Federal Government our critical infrastructure is weakened
because simple, common-sense steps are not taken.
This includes not changing passwords routinely or closing accounts
for former employees or contractors.
This leaves us vulnerable to future attacks. We must do better.
I want to thank our witnesses for being here today, and look
forward to hearing more about what else we need to do to protect our
critical infrastructure.
[GRAPHIC] [TIFF OMITTED] T7434.001
[GRAPHIC] [TIFF OMITTED] T7434.002
[GRAPHIC] [TIFF OMITTED] T7434.003
[GRAPHIC] [TIFF OMITTED] T7434.004
[GRAPHIC] [TIFF OMITTED] T7434.005
[GRAPHIC] [TIFF OMITTED] T7434.006
[GRAPHIC] [TIFF OMITTED] T7434.007
[GRAPHIC] [TIFF OMITTED] T7434.008
[GRAPHIC] [TIFF OMITTED] T7434.009
[GRAPHIC] [TIFF OMITTED] T7434.010
[GRAPHIC] [TIFF OMITTED] T7434.011
[GRAPHIC] [TIFF OMITTED] T7434.012
[GRAPHIC] [TIFF OMITTED] T7434.013
[GRAPHIC] [TIFF OMITTED] T7434.014
[GRAPHIC] [TIFF OMITTED] T7434.015
[GRAPHIC] [TIFF OMITTED] T7434.016
[GRAPHIC] [TIFF OMITTED] T7434.017
[GRAPHIC] [TIFF OMITTED] T7434.018
[GRAPHIC] [TIFF OMITTED] T7434.019
[GRAPHIC] [TIFF OMITTED] T7434.020
[GRAPHIC] [TIFF OMITTED] T7434.021
[GRAPHIC] [TIFF OMITTED] T7434.022
[GRAPHIC] [TIFF OMITTED] T7434.023
[GRAPHIC] [TIFF OMITTED] T7434.024
[GRAPHIC] [TIFF OMITTED] T7434.025
[GRAPHIC] [TIFF OMITTED] T7434.026
[GRAPHIC] [TIFF OMITTED] T7434.027
[GRAPHIC] [TIFF OMITTED] T7434.028
[GRAPHIC] [TIFF OMITTED] T7434.029
[GRAPHIC] [TIFF OMITTED] T7434.030
[GRAPHIC] [TIFF OMITTED] T7434.031
[GRAPHIC] [TIFF OMITTED] T7434.032
[GRAPHIC] [TIFF OMITTED] T7434.033
[GRAPHIC] [TIFF OMITTED] T7434.034
[GRAPHIC] [TIFF OMITTED] T7434.035
[GRAPHIC] [TIFF OMITTED] T7434.036
[GRAPHIC] [TIFF OMITTED] T7434.037
[GRAPHIC] [TIFF OMITTED] T7434.038
[GRAPHIC] [TIFF OMITTED] T7434.039
[GRAPHIC] [TIFF OMITTED] T7434.040
[GRAPHIC] [TIFF OMITTED] T7434.041
[GRAPHIC] [TIFF OMITTED] T7434.042
[GRAPHIC] [TIFF OMITTED] T7434.043
[GRAPHIC] [TIFF OMITTED] T7434.044
[GRAPHIC] [TIFF OMITTED] T7434.045
[GRAPHIC] [TIFF OMITTED] T7434.046
[GRAPHIC] [TIFF OMITTED] T7434.047
[GRAPHIC] [TIFF OMITTED] T7434.048
[GRAPHIC] [TIFF OMITTED] T7434.049
[GRAPHIC] [TIFF OMITTED] T7434.050
[GRAPHIC] [TIFF OMITTED] T7434.051
[GRAPHIC] [TIFF OMITTED] T7434.052
[GRAPHIC] [TIFF OMITTED] T7434.053
[GRAPHIC] [TIFF OMITTED] T7434.054
[GRAPHIC] [TIFF OMITTED] T7434.055
[GRAPHIC] [TIFF OMITTED] T7434.056
[GRAPHIC] [TIFF OMITTED] T7434.057
[GRAPHIC] [TIFF OMITTED] T7434.058
[GRAPHIC] [TIFF OMITTED] T7434.059
[GRAPHIC] [TIFF OMITTED] T7434.060
[GRAPHIC] [TIFF OMITTED] T7434.061
[GRAPHIC] [TIFF OMITTED] T7434.062
[GRAPHIC] [TIFF OMITTED] T7434.063
[GRAPHIC] [TIFF OMITTED] T7434.064
-
�