[Senate Hearing 109-893]
[From the U.S. Government Publishing Office]
S. Hrg. 109-893
CYBER SECURITY: RECOVERY AND RECONSTITUTION OF CRITICAL NETWORKS
=======================================================================
HEARING
before the
FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT
INFORMATION, AND INTERNATIONAL
SECURITY SUBCOMMITTEE
of the
COMMITTEE ON
HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
JULY 28, 2006
__________
Available via http://www.access.gpo.gov/congress/senate
Printed for the use of the Committee on Homeland Security
and Governmental Affairs
__________
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2007
29-759 PDF
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
SUSAN M. COLLINS, Maine, Chairman
TED STEVENS, Alaska JOSEPH I. LIEBERMAN, Connecticut
GEORGE V. VOINOVICH, Ohio CARL LEVIN, Michigan
NORM COLEMAN, Minnesota DANIEL K. AKAKA, Hawaii
TOM COBURN, Oklahoma THOMAS R. CARPER, Delaware
LINCOLN D. CHAFEE, Rhode Island MARK DAYTON, Minnesota
ROBERT F. BENNETT, Utah FRANK LAUTENBERG, New Jersey
PETE V. DOMENICI, New Mexico MARK PRYOR, Arkansas
JOHN W. WARNER, Virginia
Michael D. Bopp, Staff Director and Chief Counsel
Michael L. Alexander, Minority Staff Director
Trina Driessnack Tyrer, Chief Clerk
FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, AND INTERNATIONAL
SECURITY SUBCOMMITTEE
TOM COBURN, Oklahoma, Chairman
TED STEVENS, Alaska THOMAS CARPER, Delaware
GEORGE V. VOINOVICH, Ohio CARL LEVIN, Michigan
LINCOLN D. CHAFEE, Rhode Island DANIEL K. AKAKA, Hawaii
ROBERT F. BENNETT, Utah MARK DAYTON, Minnesota
PETE V. DOMENICI, New Mexico FRANK LAUTENBERG, New Jersey
JOHN W. WARNER, Virginia MARK PRYOR, Arkansas
Katy French, Staff Director
Sheila Murphy, Minority Staff Director
John Kilvington, Minority Deputy Staff Director
Liz Scranton, Chief Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Coburn............................................... 1
WITNESSES
Friday, July 28, 2006
George Foresman, Under Secretary for Preparedness, U.S.
Department of Homeland Security................................ 5
Richard C. Schaeffer, Jr., Director of Information Assurance,
National Security Agency....................................... 7
Karen Evans, Administrator for Electronic Government and
Information Technology, Office of Management and Budget........ 9
Keith Rhodes, Chief Technologist and Director, Center for
Technology and Engineering, U.S. Government Accountability
Office......................................................... 10
Thomas E. Noonan, President and Chief Executive Officer, Internet
Security Systems............................................... 20
Roberta A. Bienfait, Senior Vice President, Global Network
Operations, AT&T............................................... 22
Michael A. Aisenberg, Director of Government Relations, VeriSign,
Inc., and Vice Chair, IT Sector Coordinating Council........... 24
Karl Brondell, State Farm Insurance Companies, on behalf of the
Business Roundtable............................................ 26
Alphabetical List of Witnesses
Aisenberg, Michael A.:
Testimony.................................................... 24
Prepared statement........................................... 161
Bienfait, Roberta A.:
Testimony.................................................... 22
Prepared statement........................................... 139
Brondell, Karl:
Testimony.................................................... 26
Prepared statement........................................... 167
Evans, Karen:
Testimony.................................................... 9
Prepared statement with an attachment........................ 53
Foresman, George:
Testimony.................................................... 5
Prepared statement........................................... 33
Noonan, Thomas E.:
Testimony.................................................... 20
Prepared statement........................................... 132
Rhodes, Keith:
Testimony.................................................... 10
Prepared statement........................................... 111
Schaeffer, Richard C., Jr.:
Testimony.................................................... 7
Prepared statement........................................... 50
APPENDIX
Hon. Thomas Jarrett, Secretary and CIO, Delaware Department of
Technology and Information, prepared statement................. 174
Questions and responses for the Record from:
Mr. Foresman................................................. 181
Mr. Schaeffer................................................ 197
Mr. Evans.................................................... 200
Mr. Rhodes................................................... 209
Mr. Bienfait................................................. 213
Mr. Aisenberg................................................ 223
Mr. Brondell................................................. 226
CYBER SECURITY: RECOVERY AND RECONSTITUTION OF CRITICAL NETWORKS
----------
FRIDAY, JULY 28, 2006
U.S. Senate,
Subcommittee on Federal Financial Management, Government
Information, and International Security,
of the Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Subcommittee met, pursuant to notice, at 9:35 a.m., in
room 342, Dirksen Senate Office Building, Hon. Tom Coburn,
Chairman of the Subcommittee, presiding.
Present: Senator Coburn.
OPENING STATEMENT OF CHAIRMAN COBURN
Chairman Coburn. The Subcommittee on Federal Financial
Management, Government Information, and International Security
will come to order.
Today's hearing is titled ``Cyber Security: Recovery and
Reconstitution of Critical Networks.'' This is the second
hearing in a series we will be conducting on cyber security. It
is actually the third. We have had a high-level secured
briefing and hearing on this, as well. On July 19, 2005, this
Subcommittee held a hearing on the importance of cyber security
to our Nation's critical infrastructures. The hearing
highlighted the importance of forging a public-private, and I
will emphasize private, partnership to protect critical
infrastructure and focused on challenges facing the Department
of Homeland Security (DHS) in facilitating and leveraging such
partnerships.
Things that we have learned through the September 11
terrorist attacks and the response to Hurricane Katrina further
emphasize these challenges. Today, despite spending millions of
dollars over the past year, DHS continues to struggle with how
to effectively form and maintain effective public-private
partnerships in support of cyber security, including how to
protect Internet infrastructure and how to recover it in the
case of a major disruption. The public-private partnership
necessary to accomplish DHS's goals in securing computer
networks continues to remain a public-private divide.
I am grieved to note that our Nation's security from a
cyber-based attack has not improved since we were here last
year. The objective of today's hearing is to highlight
immediate steps that DHS and the private sector can take to
formalize a partnership and to ensure effective response and
recovery to major cyber network disruptions.
Our economy and national security are reliant on the
Nation's information and communications infrastructure,
including the Internet. The Internet connects millions of
information technology systems and networks together, which, in
sum, provide e-commerce to the country and critical services
allowing the government to function. On July 19, 2005, we
learned that these computer networks can also control physical
infrastructure, such as electrical transformers, chemical
systems, and pipelines.
DHS recently released its National Infrastructure
Protection Plan (NIPP), 3 years after its due date. This plan
highlights the importance of cyber security and the Internet to
critical infrastructure, stating that the U.S. economy and
national security are highly dependent upon the global cyber
infrastructure. But according to today's GAO report, DHS fails
to adequately plan for recovery of key Internet functions.
Moreover, the Department has not adequately prepared to
effectively coordinate public-private plans for reconstitution
from a cyber Internet disruption.
The success of the protection efforts in the NIPP hinges on
information sharing between the Federal Government and the
private sector. However, a number of barriers exist to
information sharing. Recent incidents at the Department of
Veterans Affairs, Department of State, and a national
laboratory indicate that the government has trouble protecting
sensitive information. The government also does not have a good
record of sharing sensitive intelligence-derived threat data
with the private sector.
GAO identified numerous challenges to development of a plan
and is here today to present the recommendations to strengthen
the Department's abilities. Government agencies and private
companies, including telecommunications companies, cable
companies, peering organizations, and major data carriers, need
clarity on what is expected of them in a crisis. Overlapping
and unclear roles and responsibilities lead to frustration and
confusion, and will hamper recovery efforts in a crisis, which
will be deeply injurious to our Nation.
The overarching concern for the Committee is whether the
Department of Homeland Security knows what functions of
government need to be protected, how those functions interact
with State and local governments, and what is DHS's role and
responsibility in working with the private sector during a
cyber or telecommunication-based incidence of national
significance.
The recently released DHS plan requires the use of a risk
assessment method that has been criticized as not focusing on
what really needs to be protected in the information technology
and telecommunication sectors, and focusing heavily on physical
assets. The risk assessment methodology should be reevaluated,
as it could lead to significant wasteful spending.
While this sector has physical assets to protect,
government needs to understand that this sector is about
protecting critical functionality, not assets. The private
sector and government must work together to ensure the Nation's
critical infrastructure can function in the reliable and stable
fashion that the American public expects.
Therefore, private industry must devise plans in
coordination with the government to ensure critical functions
do not fail or can be recovered quickly when faced with an
incident of national significance. The National Communications
System has worked under this concept for years.
Both government and private industry admit there are
vulnerabilities in the networks that can and have been
exploited or damaged by accident or natural causes. A perfect
system cannot be built. We realize that. The difficult part of
any organization, especially government, is how does it
respond, recover, and reconstitute after an incident.
The Homeland Security Act of 2002 and Presidential
Directives lay out a clear mandate on cyber security at the
Department of Homeland Security. They require DHS to assess our
vulnerability to a cyber attack, develop a plan to fix it, and
implement that plan using measurable goals and milestones. In
order to implement the plan, the Department has the admittedly
difficult task of engaging and securing action from diverse
players, which include State and local governments, other
Federal agencies, and especially and most importantly, key
industry actors.
The nature of terrorists is to attack private citizens, as
we recently saw in the horrific railway attacks in India. There
can be no excuse for not effectively engaging the private
sector, even though it is hard. We ask no less of our food
safety, airline safety, and pharmaceutical industries. The
issue is lack of leadership and lack of courage.
Nobody wants to micromanage the private sector or DHS.
However, America does expect the Department of Homeland
Security and the private sector to take every reasonable
measure to protect us from terrorism. I am not convinced that
threshold has been met.
If America is to be safe from the damage of a cyber attack,
we will need a plan, a budget tied to that plan, and
Congressional commitment to the implementation of the plan. One
year ago, the Department announced the creation of the position
of Assistant Secretary for Cyber and Telecommunications
Security to elevate the importance of cyber critical
infrastructure protection. Today, this position remains vacant.
This vacant post was designed by the Department to lead the
Nation in buttressing our critical information technology and
telecommunications systems against threats. The Department,
working in conjunction with the private sector, needs to find
that person and set that person to the task of reforming the
plan and then implementing it. A leader can and will be found,
and I am encouraging DHS to exhaust every effort to fill this
position, ensure the proper authorities are in place to
succeed, and ensure that this person receives adequate support
from the top leadership at DHS to fulfill the mission.
To that end, I look forward to hearing from our witnesses,
NSA, DHS, OMB, GAO, AT&T, VeriSign, and Internet Security
Systems, as well as the Business Roundtable. I welcome each of
you.
The Department of Homeland Security's testimony came in
late last night. It is unavailable to me, the Chairman of this
Subcommittee. It will not be accepted as part of it and it is a
message to anybody else that wants to play games with the
Subcommittee. You are going to send us the information that you
want to testify about on a timely basis so we can do our job.
And this is an example of exactly what is happening at DHS on
cyber security. You can't meet the goals. You can't meet the
expectations. This Subcommittee hearing was noticed June 12--
6\1/2\ weeks ago, and for the testimony to come in last night
is unacceptable and it will not be accepted.
Let me welcome our guests. First is the Hon. George
Foresman. He was first confirmed by the U.S. Senate on December
18, 2005. He is responsible for synchronizing national
preparedness efforts under the direction of Homeland Security
Secretary Michael Chertoff and Deputy Secretary Michael
Jackson. He previously served in the Commonwealth of Virginia
as Assistant to the Governor for the Commonwealth Preparedness
and Homeland Security Advisor, a cabinet-level position. In
this capacity, he was the principal advisor and overall
coordinator for homeland security and preparedness efforts, as
well as relations with military commands and installations
throughout the Commonwealth. He is nationally recognized in the
fields of emergency preparedness and homeland security.
Richard Schaeffer is the Information Assurance Director at
the National Security Agency (NSA). He is responsible for the
Information Assurance Directorate at that agency. The
Directorate's mission is to provide products and services
critical to protecting our Nation's critical information and
information systems. Moreover, he is responsible for defining
and implementing the information assurance strategy to protect
the Department of Defense's global information grid and
supporting the ongoing military operations against terrorism.
Next is the Hon. Karen Evans. She is Administrator of E-
Government and Information Technology (IT), Office of
Management and Budget. She is here as a break from her
vacation. I want to tell you how much I appreciate you doing
that. She oversees the implementation of IT throughout the
Federal Government, including advising the Director on the
performance of IT investments, overseeing the development of
enterprise architectures within and across those agencies,
directing the activities of the Chief Information Officer
Council, and overseeing the usage of E-Government funds to
support interagency partnerships and innovation. She also has
responsibilities in the areas of capital planning and
investment control, information security, privacy,
accessibility of IT for persons with disabilities, and access
to, dissemination of, and preservation of government
information.
Next is Keith Rhodes, Chief Technologist, Government
Accountability Office (GAO). Mr. Rhodes is currently the Chief
Technologist at GAO and Director of the Center for Technology
and Engineering. He has been the senior advisor on a range of
assignments covering continuity of government and operations,
export control, computer security, privacy, e-commerce, E-
Government, voting systems, and various unconventional weapons
systems. Before joining GAO, he was supervisory scientist
leading weapons and intelligence programs at the Lawrence
Livermore National Laboratory.
I would like to recognize each of you. Thank you for taking
the time to be here. Mr. Foresman, you are recognized for 5
minutes.
TESTIMONY OF GEORGE FORESMAN,\1\ UNDER SECRETARY FOR
PREPAREDNESS, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Foresman. Mr. Chairman, thank you, and thank you for
the opportunity to appear today to discuss the recovery and the
reconstitution of critical cyber networks. Congressional
discussion on this particular topic is absolutely essential and
it is critical to the success that we need to achieve as a
Nation toward strengthening our levels of preparedness.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Foresman appears in the Appendix
on page 33.
---------------------------------------------------------------------------
Mr. Chairman, I would like to highlight several key issues
today and outline the Department's roadmap for success in
advance of a very important discussion on the security and the
protection of our cyber communications networks.
The findings of the GAO report on the development of a
joint public-private plan for recovering critical cyber
infrastructure and the recent Business Roundtable's
recommendations for strengthening cyber preparedness both echo
the overall resounding themes that the Department of Homeland
Security is pursuing in its work to lead a national effort to
protect America's cyber assets. While these reports offer
somewhat differing recommendations on the exact steps that we
need to take, the shared national vision further reflects two
very important and sometimes overlooked issues.
First, the risk posed to the critical cyber infrastructure
is becoming both better and more widely understood, both in the
public sector and in the private sector. Second, the importance
of mitigating these risks, whether on the individual,
corporate, or government level, is also better understood. We
know we must be ready for the cyber version of Hurricane
Katrina or the September 11 attacks.
Mr. Chairman, let me outline for you the Department's three
strategic priorities on the cyber preparedness front. They
include, one, preparing for a large-scale cyber disaster; two,
working to forge more effective partnerships, as you noted in
your opening statement; and three, fostering a culture of
preparedness to prevent cyber incidents and mitigate damage
when disruptions do, in fact, occur.
Our primary strategic goal as part of our overall risk
management approach is to prepare for high-consequence
incidents. These would include, for example, a widespread
disruption involving the Internet or critical communications
infrastructure, whether it originates from an attack or from a
natural disaster. The Department has established the Internet
Disruption Working Group, the IDWG, to address the resiliency
and recovery of Internet functions in the event of a major
cyber incident. The IDWG is not examining all individual risks,
but rather focusing on nationally significant Internet
disruptions in a prioritized fashion. The IDWG is developing
not only policy recommendations for cyber response, but also
operational proposals and protocols to improve the deployment
of Federal resources in the event of such an event and how to
ensure coordination with local, State, and private sector
partners of these assets.
I am also pleased to share with you that the Department
conducted its first national cyber security exercise, Cyber
Storm, this past February, and this was the largest
multinational cross-sector cyber exercise to date and assessed
the policies and procedures associated with a cyber-related
incident of national significance. The Department will soon be
releasing a public exercise report on this effort that will
outline findings to help bolster protective measures for
potential cyber attacks. I will also note that these lessons,
like those of Hurricane Katrina and other incidents, will not
sit idle. They will be incorporated into our operations
processes under the National Response Plan and these will be
retested during Cyber Storm II in 2008, if not before.
Cyber Storm demonstrated the close cooperation and
information sharing needs across Federal agencies, across
international boundaries, and most importantly, between the
public and the private sectors. The exercise tested for the
first time the full range of cyber-related response policy,
procedures, and communications methods required in a real-world
crisis. We know that there were successes. We also know that
there is room for improvement.
Another significant accomplishment in preparing for a
nationally significant cyber disruption is last month's
completion, as you noted, of the National Infrastructure
Protection Plan. The NIPP sets forth a comprehensive risk
management framework and clearly defines critical
infrastructure protection roles and responsibilities for DHS,
Federal sector-specific agencies, other Federal, State, local,
tribal, and territorial agencies, as well as our private sector
security partners. The plan addresses the physical, human, and
cyber elements of the critical infrastructure issues which
cross all sectors. This release of the NIPP is an important
milestone, as it accompanies 17 sector-specific plans that will
help build a safer and more secure and more resilient America
by enhancing protection of the Nation's critical infrastructure
and key resources to include the cyber community.
Our second strategic goal is to improve the Department's
partnership programs and practices. Homeland Security
Presidential Directive 7, the Administration's policy on
critical infrastructure protection, explicitly recognizes the
importance of partnerships, which are essential for many sound
reasons. In the cyber security arena, the Department is working
to nurture existing partnerships and establish new
relationships with three key stakeholder communities, the
private sector, Federal departments and agencies, and the
State, local, and tribal governments, as well as academia.
Third, we must create a culture of preparedness, both to
prevent a cyber disaster and to mitigate damages if a
widespread disruption occurs. We are working every day to
influence how individual citizens, government, and the private
sector prepare for the security challenges of the coming
decade. As with our other strategic priorities, this goal
demands a focused and disciplined approach. We need
interconnected strategies and processes, not individual
actions. Just as our cyber systems are interconnected, so must
be our approach to dealing with disruptions.
Our national cyber security efforts are rapidly maturing
and we have clear legislative and presidential direction and
private sector interest. There is no magic wand that will allow
us to do this overnight. There is, however, a growing
coalescing of effort between government and the private sector
as just two of the key entities.
Chairman Coburn. I need for you to summarize, if you will.
Mr. Foresman. Yes, sir, and I am finishing up. To create a
long-term culture of preparedness, we are developing clear
organizational doctrine which memorializes strategic policies,
clarifies roles and responsibilities, and defines measures of
accountability. The road ahead is critical and we are committed
to ensuring success. Thank you.
Chairman Coburn. Thank you. Mr. Schaeffer.
TESTIMONY OF RICHARD C. SCHAEFFER, JR.,\1\ DIRECTOR OF
INFORMATION ASSURANCE, NATIONAL SECURITY AGENCY
Mr. Schaeffer. Good morning, Mr. Chairman.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Schaeffer appears in the Appendix
on page 50.
---------------------------------------------------------------------------
Chairman Coburn. Good morning.
Mr. Schaeffer. I appreciate the opportunity to be here
today to talk briefly about the NSA's information assurance
mission and its relationship to the work of the Department of
Homeland Security and others concerned with helping operators
of crucial information systems prepare for and recover from
hostile acts or other disruptive events.
The NSA's information assurance mission focuses on
protecting what National Security Directive 42 defines as
national security information systems, systems that handle
classified information or are otherwise critical to military or
intelligence activities.
Historically, most of our work has been sponsored by and
tailored for the Department of Defense. Today, national
security systems very often rely on commercial products or
infrastructure or interconnect with systems that do. This
creates significant common ground between defense and broader
U.S. Government and homeland security needs. More and more, we
find that protecting national security systems demands teaming
with public and private institutions to raise the information
assurance level of products and services more broadly. If done
correctly, this is a win-win situation that benefits the whole
spectrum of information technology users, from warfighters and
policy makers to Federal, State, local governments and
operators of critical infrastructure and major arteries of
commerce.
This convergence of interests has been underway for some
time and we can already point to several examples of the kind
of fruitful collaboration it inspires. For instance, the NSA
and the National Institute of Standards and Technology have
been working together for several years to characterize cyber
vulnerabilities, threats and countermeasures to provide
practical cryptographic and cyber security guidance to both IT
suppliers and consumers.
Among other things, we have compiled and published security
checklists that harden computers against a variety of threats.
We have shaped and promoted standards that enable information
about computer vulnerabilities to be more easily cataloged and
exchanged, and ultimately, the vulnerabilities themselves to be
automatically patched. And we have begun studying how to extend
our joint vulnerability management effort to directly support
compliance programs, such as those associated with the Federal
Information Security Management Act. All of this is
unclassified and advances of cyber security in general, from
national security and other government networks to critical
infrastructure and other commercial and private systems.
The NSA partners similarly with the Department of Homeland
Security. In 2004, DHS joined the NSA in sponsoring the
National Centers of Academic Excellence Program to foster
training and education programs to support the Nation's cyber
security needs and increase the efficiency of other Federal
cyber security programs. The NSA has supplied trained personnel
and other technical support to the U.S. Computer Emergency
Readiness Team, and we routinely alert one another to possible
or emerging hostile cyber threats. In fact, DHS has just named
an integree to work in the NSA-Central Security Service Threat
Operations Center, which has as one of its missions to monitor
the operations of the global network in real time to identify
network-based threats to DOD and intelligence community
networks.
NSA and DHS cooperate on investigations and forensic
analysis of cyber events and malicious software, and together,
we look for and mitigate the vulnerabilities in various
technologies that would render them susceptible to similar
attacks. We each bring to these efforts complementary
experience, insight, and expertise based on the different
problem sets and user communities on which we concentrate, and
we each then carry back to those communities the dividends of
our combined wisdom and resources.
With regard to post-incident response, the NSA supplies
technical personnel, advice, and equipment to support an
efficient response and recovery to disasters. The NSA has
worked with the DHS Infrastructure Protection Division to plan
for interoperable communications systems needed to support
response and recovery. We did this for Hurricane Katrina and do
it for other disasters, as well.
When it comes to reconstructing networks, however, beyond
just communications systems, bringing in replacement technology
may be the easy part. The real challenge is knowing what to
reconstruct. That means maintaining an up-to-date understanding
of what set of data, functions, and connections available to
what set of users qualify as critical.
Looking forward, NSA and DHS interests will continue to
merge and the opportunities needed for shared network and
mutual support will continue to grow.
Finally, beyond technical convergence, in the post-
September 11 world, the NSA and DHS are bound together by the
need to provide for communications across once unbridgeable
chasms of classification and practice, from the President all
the way to first responders and the owners and operators of
critical infrastructure. As a starting point, the NSA and NIST
have established a suite of unclassified algorithms that can be
implemented in commercial off-the-shelf offerings as well as
specialized high-end government equipment. This sets the stage
for interoperable encryption and message authentication and is
an important step, although just one step in the broader effort
to ensure that the Nation can recognize and respond to
impending emergencies or their aftermath.
Once again, thank you, Mr. Chairman, for giving me the
opportunity to appear before you today and for your leadership
in this area.
Chairman Coburn. Thank you, Mr. Schaeffer.
Next, Ms. Evans, just a side note. Thanks for all your help
on our Government Accountability and Transparency Act. It
passed the Committee unanimously yesterday.
TESTIMONY OF KAREN EVANS,\1\ ADMINISTRATOR FOR ELECTRONIC
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND
BUDGET
Ms. Evans. Congratulations. Good morning, Mr. Chairman, and
thank you for inviting me to speak about ``Cyber Security:
Recovery and Reconstitution of Critical Networks.'' My
testimony today will focus on OMB's activities to improve
security and resilience of the Federal Government's cyber
critical assets.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Evans with an attachment appears
in the Appendix on page 53.
---------------------------------------------------------------------------
Last year, the Director of OMB issued a regulation on
maintaining telecommunication services during a crisis or an
emergency. The regulation required each agency to review its
telecommunications capability in the context of planning for
contingencies and continuity of operation situations. OMB also
asked each agency to confirm that they were complying with
directives issued by the National Communications System (NCS),
and guidance issued by the Federal Emergency Management Agency
(FEMA).
In August 2005, all large agencies submitted reports on the
status of their telecommunications services. OMB and the NCS
analysis revealed the need for additional guidance to the
agencies regarding the use of redundant and physically separate
telecommunications service entry points into buildings and the
use of physically diverse local network facilities.
In October 2005, the NCS hosted a Route Diversity Forum for
representatives from over 70 Federal agencies. In addition, the
NCS developed a Route Diversity Methodology, enabling agencies
to self-assess their own facilities.
When an agency initiates new telecommunications
procurements, the agency must determine the appropriate level
of availability, performance, and restoration that is required.
The General Service Administration's upcoming Networx
procurement will specify telecommunications infrastructure
security requirements to protect contract network services,
infrastructures, and information processing resources against
cyber and physical threats, attacks, or system failures. The
Networx program will ensure that telecommunications
capabilities are continuously ready to meet the needs of the
Federal agencies during national emergencies.
On December 17, 2003, the President signed Homeland
Security Presidential Directive 7, ``Critical Infrastructure
Identification, Prioritization, and Protection.'' This
directive established the national policy for Federal
departments and agencies to identify and prioritize U.S.
critical infrastructure and to protect it from terrorist
attacks. OMB worked with the Department of Homeland Security to
evaluate the protection plans. We have provided each agency
with a written response explaining our approval, our
disapproval of the agency's cyber security plan, and
highlighting areas where improvements were needed.
Additionally, each year, agency CIOs, chief information
officers, and program officials conduct IT security reviews for
systems that support their programs. As part of their
evaluations, agencies are asked to categorize their information
systems into high, moderate, and low impact and document the
security controls implemented for each.
Last, the National Cyber Response Coordination Group is the
principal Federal interagency mechanism to coordinate the
preparation for and response to cyber incidences of national
significance. OMB is a member of the group, along with other
agencies having a statutory role in cyber security, cyber
crime, or protection of critical infrastructure. During a cyber
incident, the member agencies would integrate their
capabilities in order to assess the scope and severity of the
incident, govern response and remediation efforts, and advise
senior policy makers. The group would also use their
established relationships with the private sector and State and
local governments to help manage the cyber crisis and develop
recovery strategies.
In conclusion, each agency is responsible for ensuring the
continued availability of its mission-essential services.
Strategic improvements in security and continuity of operations
planning can make it more difficult for attacks to succeed and
can lessen the impact of attacks when they occur. The
Administration will continue to work with the agencies,
Congress, and GAO to ensure appropriate risk-based and cost-
effective IT security programs, policies, procedures are put in
place to protect the Federal Government's critical cyber
infrastructure.
I would be happy to take any questions, sir, that you may
have.
Chairman Coburn. Thank you, Ms. Evans. Mr. Rhodes.
TESTIMONY OF KEITH RHODES,\1\ CHIEF TECHNOLOGIST AND DIRECTOR,
CENTER FOR TECHNOLOGY AND ENGINEERING, U.S. GOVERNMENT
ACCOUNTABILITY OFFICE
Mr. Rhodes. Thank you, Mr. Chairman. We appreciate the
opportunity to testify on our Internet reconstitution report
being released today that we completed at your request.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Rhodes appears in the Appendix on
page 111.
---------------------------------------------------------------------------
Last summer when GAO testified before your Subcommittee, we
discussed the work that remained for DHS to fulfil its cyber
security responsibilities in 13 key areas, including developing
a plan for recovering the Internet when it is disrupted.
Despite Federal policy requiring DHS to develop this integrated
public-private plan, to date, no such plan exists.
Today, at your request, we will briefly discuss the growing
threats to the Internet, where our Nation is in its efforts to
develop this plan, and recommendations to both DHS and the
Congress to facilitate public and private efforts to recover
the Internet when major disruptions occur.
First, threats. Criminal groups, foreign intelligence
services, hackers, and terrorists are all threats to our
Nation's computers and networks. A recent intelligence report
on global trends forecasts that terrorists may develop
capabilities to conduct both cyber and physical attacks against
infrastructure nodes, including the Internet. In fact, the
Internet itself has been targeted and attacked and private
companies who own the majority of the Internet infrastructure
deal with cyber and physical disruptions on a regular basis.
For example, viruses and worms are often used to launch
``denial of service'' attacks that result in traffic being
slowed or stopped. Several recent cyber attacks highlight the
importance of having robust Internet recovery plans, including
a 2002 coordinated denial of service attack that targeted all
13 Internet route servers.
For most of these attacks, the government did not have a
role in recovering the Internet, but recent physical attacks
like the terrorist attacks of September 11, 2001, and Hurricane
Katrina, highlight the need for public-private coordination
associated with Internet recovery. DHS has begun a variety of
initiatives to fulfill its responsibility for developing an
integrated public-private plan, but these efforts are not yet
complete nor are they comprehensive.
Specifically, DHS has developed high-level plans for
infrastructure protection and national disaster response, but
components of these plans that are to address Internet recovery
are incomplete and inadequate. For example, the National
Response Plan Cyber Annex does not reflect the National Cyber
Response Coordination Group's current operating procedures. DHS
has started a variety of initiatives to tackle this problem,
including working groups to facilitate response and exercises
to practice recovery efforts. However, these efforts are
immature and the relationships among groups like the Internet
Disruption Working Group and others are not evident.
Regarding challenges that have impeded progress, first, it
is unclear what government entity is in charge, what the
government's role should be, and when it should get involved.
Expanding on each of these, DHS National Cyber Security
Division and the National Communications System have
overlapping responsibilities. In addition, there is a lack of
consensus about the role DHS should play. The government is
pursuing the grandiose plan approach with the NIPP and the
National Response Plan, while the private sector wants more of
an assist or tactical role from the government that our report
lays out in detail. And triggers that clarify when the Federal
Government should be involved are unclear.
Second, our Nation is working in a legal framework that
doesn't specifically address the government's roles and
responsibilities in the event of an Internet disruption. In
addition, the Hurricane Katrina recovery effort showed that the
Stafford Act can create a roadblock when for-profit companies
that own and operate critical infrastructures need Federal
assistance during national emergencies.
Third, the private sector is reluctant to share information
with DHS because it does not always see value in sharing, does
not necessarily trust the government, and views DHS as an
organization lacking effective leadership.
To address these inadequacies, our statement includes nine
specific recommendations for DHS, including determining who
should be in charge given the convergence of voice and data
communications, developing a plan that is consistent with what
the private sector infrastructure owners need during a time of
crisis, and incorporating lessons learned from incidences and
exercises.
In addition, the Congress should consider clarifying the
legal framework that guides roles and responsibilities for
Internet recovery.
In summary, Dr. Coburn, exercises to date and a recently
issued report by the Business Roundtable found that both the
government and private sector are poorly prepared to
effectively respond to cyber events. Although DHS has various
initiatives underway, these need to be better coordinated and
driven to closure. Until that happens, the credibility of the
Department will not be where it needs to be to build effective
public-private relationships needed to effectively respond to
major Internet disruptions.
This concludes our statement. Thank you, Mr. Chairman, and
we are prepared to answer any questions the Subcommittee may
have.
Chairman Coburn. Thank you very much.
Mr. Foresman, your response to Mr. Rhodes' report?
Mr. Foresman. Mr. Chairman, let me offer two responses.
One, as we have gone through that report, we clearly agree that
the road ahead, whether we are talking about GAO or the private
sector, we agree on the road ahead.
I would, however, not agree with him in terms of the
perception that he might leave in the relationship with the
private sector. My fourth day on the job back in January, one
of the first groups I met with in this particular case was the
Business Roundtable and one of the key issues we talked about
were cyber security, the concern about reconstitution and
recovery of the Internet, and I think that as you said in your
statement, Mr. Chairman, this is not easy and there are a lot
of folks who have said, well, it is not where it should be, and
I would agree. But we need to have definitive milestones. We
need to have definitive deliverables.
But I will tell you, sir, just as your comment to us that
we need to work closely with the private sector, getting
agreement across the various elements in the private sector,
whether it is the information technology sector or the
telecommunications sector, this is not easy. We are not in a
position to force them. We are coalescing the road ahead.
So I would agree that we share the vision. I think his
assessment in terms of progress is much bleaker than what is
the actual progress to date.
Chairman Coburn. Why would the private sector be reluctant
to give DHS information on this?
Mr. Foresman. Mr. Chairman, I think there are three things.
There are those elements of the private sector that are
reluctant to give us information and there are those elements
of the private sector that are not reluctant to give us
information. A conversation with a handful of people does not,
I think, effectively reflect the private sector as a whole
because the private sector is rapidly big.
But as you know, there are a couple of issues here. One,
there is the concern of our private sector partners out there,
the proprietary nature of the information that they have in a
business competitive environment. They want further and
stronger assurances that proprietary information is not going
to be shared with competitors.
The second issue, and frankly is a legitimate issue, is
government and the private sector have typically operated in a
regulator-regulatee relationship over the past 20 or 25 years.
When we talk about the IT community, it is not, if you will,
regulated by government, and clearly there are the
institutional----
Chairman Coburn. Thank goodness.
Mr. Foresman. Yes, sir, and clearly, the institutional
barriers to getting beyond a 25- or a 50-year culture to get
into a collaborative partnership is not a culture that you
change overnight. And so I think it is part policy, it is part
culture, but we are seeing more and more every day as we
collaborate with the private sector. As our US-CERT, for
instance, gets specific information provided to us through a
variety of sources, such as the NSA, we rapidly get that
information out to the private sector and they rapidly come
back to us with information. So it sometimes comes down to who
did you talk to last and what is it that they said to you?
Chairman Coburn. Well, the group that I talked to last were
the ISPs and the telecommunications companies, and I would tell
you in that meeting, uniformly, there was no trust of DHS with
any of their proprietary data, and that was in a classified
briefing I had 3 months ago. How do you establish the
leadership role and the trust that allows the private sector to
do what they know how to do that you don't know how to do?
Mr. Foresman. Well, Mr. Chairman, this comes down to the
continued interaction. As Ms. Evans identified and as other
folks have identified, we have got a number of working groups
where we have got government and the private sector sitting
side by side, developing sector-specific plans, for instance,
under the National Infrastructure Protection Plan, and trust is
not a function of me coming into the room and sitting with our
private sector partners and saying, trust me. We have to prove
it.
This is the benefit of these joint planning activities. As
much as we would like them to be done in immediacy overnight,
they are not. But just as it is taking time to develop those
plans, one of the important byproducts is that we are raising
trust every day when we put these people in the room together.
Chairman Coburn. I will be submitting some questions to you
separate from that. I would hope that we could get a timely
response.
Mr. Foresman. Mr. Chairman, I will ensure that you get a
timely response and I will acknowledge that we were remiss in
not hitting the deadline on getting our testimony to you. I
accept full responsibility and I will give you my personal
assurance that we will correct those issues in the future.
But I also want to underscore, by no means were we trying
to not get information to you. This is a critically important
area. This Subcommittee is one of the few committees across the
Congress that has shown a continuing interest in this area. It
is not an easily understood area, and frankly, this level and
more of this type of dialogue is going to be absolutely
critical to our success.
Chairman Coburn. Mr. Schaeffer, at NSA, tell me about your
relationship with the private sector and trust and relationship
and information sharing and how have you developed that and how
do you utilize that. Have you emphasized recovery more than
physical asset protection?
Mr. Schaeffer. Well, sir, I think our relationship with
industry or the private sector is on a number of levels.
Clearly, there are, as I mentioned in my testimony and others
did, as well, the dependence upon the private sector to deliver
the technology, the capabilities that we need within the
national security community, and quite frankly, across the
entire Nation, is dependent upon the reliability, the security
of that technology. So we have a very deep relationship with
the private sector in establishing on a one-on-one basis the
availability of vulnerability information of the products that
they provide, assisting them in increasing the overall security
or assurance of those products, and then we also work with the
infrastructure providers themselves to understand the
vulnerabilities within those environments and help them address
the situation, the improvements that can be made in that
environment.
Most of our relationships that are strong come from a one-
on-one basis with the agency. We participate. We collaborate
with industry associations and do that in a very open and, I
think, positive way. But I think as Mr. Foresman outlined, it
is a situation that takes a tremendous amount of work with
individual companies, then with industry or association groups,
and then in larger forums to build the trust and confidence
that information that is exchanged with the government, and in
this case NSA, receives the appropriate level of protection. It
is something that we work on every day. It takes that sort of
attention and commitment.
And we have seen actually tremendous progress over the last
several years as the community at large, the public-private
community, has come to better understand the risks associated
with operating in this highly networked environment and the
need for close collaboration amongst public-private enterprises
to better understand the vulnerabilities and ways of mitigating
them.
I think we are an example of where it has worked because we
have developed the trust and confidence over a long period of
time with companies, trade groups, industry associations, and
so forth, and I see promise in what DHS is leading, in what DHS
is participating in, and quite frankly, what I see the entire
IT industry participating in. We are just at the bottom of a
very steep hill.
Chairman Coburn. Has NSA's main focus been on
functionality?
Mr. Schaeffer. No, sir. NSA's main focus has been on the
assurance of the functionality that is provided in the devices,
so----
Chairman Coburn. That is what I mean. But the goal is
function. The ultimate goal for security is to maintain
function, or to recover function.
Mr. Schaeffer. Yes, sir. That is correct.
Chairman Coburn. All right. Mr. Rhodes, you mentioned the
working groups aren't communicating. We don't have cross-
reference. You also mentioned a role that is more grandiose
rather than recovery. Talk for a minute, if you would, about
the working groups that have been established and what you see
that needs to be changed there so that we accomplish this goal
of protecting and recovering functionality.
Mr. Rhodes. The big struggle with the working groups seems
to be that there are a lack of roles and responsibilities and
clear lines of authority. There seems to be a not clear
definition of how the working groups relate to one another----
Chairman Coburn. In other words, they could come up with a
really appropriate plan, but have no authority to get that plan
implemented?
Mr. Rhodes. And no milestones. Your original point about
budget against effect, a recommendation with money, a
recommendation with schedule, not just--they can come up with
that, but then what is their schedule? What is their time line?
What is their relationship? That is the main struggle we see.
Also, working groups without authority. What purpose do
they serve? If they don't--if no one has the hammer, if no one
has the authority to get anyone to do anything, then it is just
another group that meets to meet instead of meeting to get
something done. As you say, they could have very fine
recommendations, but where do they go from there?
Chairman Coburn. OK. One last question for you, the comment
on the Stafford Act. I don't believe we have gotten anything,
and I may be wrong, from the Administration on modifying the
Stafford Act so that we can help the telecommunications
industry and the Internet industry to recover by assisting them
with either protection or transportation or security as they
bring these systems back up. Would you agree that is something
that we ought to hear from the Administration? And we may have,
I am just not aware of it.
Mr. Rhodes. We haven't seen anything, either, but when you
look at the tactical needs, the tactical view that private
industry takes, they are talking about just those things--fuel,
access, transportation. They are not talking about, tell me how
to bring the Internet back up. They are saying, let me get into
the disaster area with my business credential or some emergency
credential issued by the U.S. Government so I can go to the
location to do the job that the government can't.
Chairman Coburn. And modify the law so that the government
assets----
Mr. Rhodes. And modify the law----
Chairman Coburn [continuing]. And assist that effort.
Mr. Rhodes. Absolutely. I mean, what we hear from private--
and it is not just relative to the Internet, it is whether we
are talking to the chemical industry or we are talking to gas
and oil or we are talking about the power grid or folks like
that, they are all saying, let me do my job. I am not the enemy
because I am for profit.
Chairman Coburn. Yes.
Mr. Rhodes. I am the infrastructure. Let me go into the
area I am supposed to in order to fix it.
Chairman Coburn. Right. Which we saw lots of problems with
during Hurricane Katrina.
Mr. Rhodes. Absolutely, and saw it during September 11,
2001, also.
Chairman Coburn. All right. Ms. Evans, not long ago, the
Federal Government's critical infrastructure protection
coordination efforts were run out of the White House and some
in private sector viewed this, and I think probably still do,
as a higher Administration priority than it is now. Should
these initiatives remain within DHS or should we consider the
prior model?
Ms. Evans. The model that we have right now is in place as
a follow-on from the Homeland Security Act as well as the
President's HSPD-7, which clearly outlines that the Secretary
of Homeland Security has the responsibilities for these
activities. This does not mean that the Administration does not
view this as a priority, because oversight activities still
occur out of the White House and the Executive Office of the
President, with the Office of Management and Budget, myself, as
well as the Homeland Security Council. So the Administration is
very much committed to this and continues to have cyber
security reconstitution, continuity of operations, as a
priority.
I do think that the model that we have in place right now
is an effective model and can work, because the actual work and
execution happens in the agencies. The President holds the
Secretary accountable for these actions. The President holds
him accountable for getting these plans in place with clear
milestones. This clearly has been talked about, and to achieve
the results.
We, in the White House, do not do the actual execution. The
work is done out in the agencies. And so it doesn't diminish
that the Administration doesn't view this as a priority by
having a person clearly responsible for the execution of these
activities at a department level.
Chairman Coburn. Any of you can respond to this if you
want. It just seems to me that 75 percent of this is private
sector. Why wouldn't the Administration's view say, OK, you are
the guys that know all this. You are the guys who are
responsible for it. Your bottom line depends on it staying up
and working. Why don't you go tell us what you think we ought
to do rather than us tell you what we think you ought to do?
Why shouldn't the debate be, private industry, come tell us
what to do. Why shouldn't the organizational framework be, let
us listen to them and then let us create the framework based on
what they suggest we ought to do rather than top-down? Why not
private industry up?
Mr. Foresman. Mr. Chairman, if I might, that is exactly
what we are doing, and that is why we have the National
Infrastructure Protection Plan. That is why we have the
development through the sector coordinating councils. The role
of the Federal Government is not to tell the private sector
what to do. It is to create the environment to provide for a
national approach, and what I mean by that is the Federal
Government is uniquely positioned to bring together the
elements of local government, State government, tribal and
territorial, the private sector partners, because this is a
homeland security issue. It is a national security issue.
So our job is to get all of the players around the table
and to go through and get the best and the brightest in the
room to say, what is it that we, as a Nation, need to be doing,
because this is not a Federal issue. It is clearly a national
issue.
Chairman Coburn. Do you think that is happening right now?
Mr. Foresman. Senator, I don't think it is happening to the
degree that it should, and I think, as all of the folks have
pointed out, this continues to be a growth effort, a growing
effort on the part of this Nation in the post-September 11 era.
When I was vice chairing the Gilmore Commission prior to
September 11, we raised the whole issue of critical
infrastructure protection and the fact that a significant
amount of work needed to be done. I don't think we have reached
the optimal level of private sector direction and input into
it, but at the end of the day, I don't think we were going to
start--we are not going to start at the perfect position. This
is very much a learning process for everyone, Federal, State,
local, public sector, and private sector.
Chairman Coburn. Well, the private sector is being attacked
all the time now and they are responding, both in terms of
physical assets and software and encryption and everything
else. They are doing the things because they are seeing the
attacks anyway. It just seems to me we have got it backwards.
We ought to have the private sector come together and say, here
is how we think you ought to mobilize State and local
governments. Here is how we think you ought to set up the
structure to best maintain this. Here is how we think you
assure protection.
What would happen to this economy if you had a 4-week
disruption, interruption of the Internet? We would be on our
back, and everybody knows that, and yet the urgency to make
sure that can't happen, or if it did happen to recover quickly,
I don't see anywhere except in the private sector.
Mr. Foresman. Mr. Chairman, I would respectfully disagree
in this context. We are aware of a variety of things we
obviously cannot get into in an open hearing----
Chairman Coburn. I understand that.
Mr. Foresman [continuing]. But we are aware of a
significant number of things that have occurred in recent time
that the private sector was not aware of had government not
made them aware of it. So we are doing our part to give them
the information. They, in turn, are assessing the situation,
bringing recommended solution sets back to us, implementing
solution sets in the broadest of terms, and so our role wasn't
to go to them and say, here is the problem. Here is what we
want you to do to fix it. We made them aware of the problem. We
know that they are the owners and the providers of a lot of the
critical IT backbone. They assessed it. They took steps. And
this happens hundreds, if not thousands, of times every month.
I would very much underscore that US-CERT, as just one example,
there is daily ongoing dialogue between Federal agencies and
the private sector, not in the context of here is what you have
to do, but here is the problem and please come back to us.
Now, I will tell you that there are going to be times that
the private sector is going to assess the risk differently than
we do in government and then they are forced to make a business
decision about whether they are going to invest the time and
effort into it to address it. So this is all part of the trust
process that we can get to an equal common ground.
Chairman Coburn. Fair enough. One last question for Ms.
Evans, and I will have questions for each of you. I also would
like for you to have staff stick around here to hear our other
panelists because routinely I see Administration witnesses
leave before those that have a different position and
constructive criticism can be heard.
Ms. Evans, do you have enough staff to handle the cyber
security of critical infrastructure and Federal information
security management?
Ms. Evans. My answer would be yes, sir, that I do. We have
subject matter experts for each of the areas that I am
responsible for and the way that we manage within OMB is that
we have portfolios of agencies and we work very closely with
all parts of OMB so that we are managing the issues across the
board as they affect each of the agencies. So it isn't just my
staff, but it is the entire resources that are available within
OMB because we take a portfolio approach to this.
There is one thing that I would like to follow up on, Mr.
Foresman's comment, and this is what the government is doing as
a whole, at least from a Federal perspective. We do view it as
we are buying services, because we don't own the
infrastructure. There are activities that we have done and that
we are continuing to do. In my written testimony, I have
included the information security line of business.
But as you know, we spend $65 billion on information
technology, so in the course of that spending, we make it very
clear what the services are that we need, what the risk is
associated with the services and the information we need to
protect, and as Mr. Foresman said, then it is up to industry to
offer us the solutions back, and the way that we structure
those procurements is not to tell them, we want you to do X, Y,
and Z, but to really frame, this is the service, this is the
recovery level, this is the level of risk that we are willing
to accept. Here is the type of protection that we think we need
to have. And then we do look to private industry to give us the
solutions that can best service those needs, because as you
have said, sir, it is about the functionality and the mission
critical nature of the services that we provide that we need to
have that reliability.
Chairman Coburn. I would like you to repeat that number so
everybody can hear what you spend annually on IT.
Ms. Evans. Sixty-five billion dollars.
Chairman Coburn. This Subcommittee will have a hearing on
whether or not that is spent properly or not. I can tell you,
from the Defense Travel System, you certainly haven't spent the
money properly. So we will be looking at that.
Ms. Evans. Well, we are looking forward to it, yes, sir.
[Laughter.]
Chairman Coburn. Sixty-five billion dollars is a lot of IT.
Thank you. You will each receive questions. Thank you for
the report from GAO. I thank each of you for your service to
our country and I would dismiss this panel and ask our next
panel to come forward.
I am going to start introducing our witnesses while they
are being seated. Thomas Noonan is Chairman, President, and
Chief Executive Officer for Internet Security Systems (ISS). He
is responsible for the overall strategic direction, growth, and
management of the company. Under his leadership, ISS revenues
soared from start-up in 1994 to nearly $330 million in its
first decade. The company has grown to more than 1,200
employees with operations in 26 countries. In 2002, President
Bush appointed Mr. Noonan to serve on the National
Infrastructure Advisory Council, a homeland defense initiative
that protects information systems that are critical to the
Nation's infrastructure. He currently chairs the NIAC
Evaluation Enhancement of Information Sharing and Analysis
Working Group.
Robin Bienfait, Senior Vice President, Global Network
Operations, AT&T, welcome. She is the first woman in company
history to be responsible for AT&T's global network, including
local, data, and voice network worldwide. I pay them a lot of
money every month. In addition, she leads teams that manage
network security and global network disaster recovery. And
additionally, she previously led AT&T's international and
domestic core network operations and technical support division
and has held a variety of other technical and leadership
positions of increasing responsibility since joining AT&T in
1985. She is a graduate of the Georgia Institute of Technology
with a Master's degree in management of technology. She also
holds a Bachelor's degree in engineering from Central Missouri
State University and an Associate in Business degree from
Maryland University, European Division.
Michael Aisenberg, Director of Government Relations for
VeriSign, serves as the company's principal liaison with the
Administration and Federal agencies, including the Departments
of Homeland Security, Defense, State, and Justice. He manages a
portfolio of policy issues, including global infrastructure
security, digital signatures, e-health, intellectual property
and government procurement on behalf of the world's leading
Internet trust and identity provider. He is the Vice Chairman
and Chair-Elect of the Information Technology Sector
Coordinating Council. In 2004, he was elected Chairman of the
ITAA's Information Security Committee. He leads VeriSign's
participation in the President's National Security
Telecommunications Advisory Committee. He holds a B.A. from the
University of Pennsylvania, a J.D. from the University of Maine
Law School. He attended Georgetown University Law Center in
1975 and 1976, and upon graduation served 5 years as an
attorney advisory and legislative counsel at the FCC.
Karl Brondell, Strategic Consultant State Farm Insurance
Companies, representing the Business Roundtable here today. He
is a CPCU, a strategic consultant in the Strategic Resources
Department of State Farm Insurance Company. He is the past
Chairman of the Board of Directors for the Insurance Placement
Facilities of Pennsylvania and Delaware. He is a member of the
national CPCU International Insurance Section Committee and an
at-large Board of Director for Villanova University's Executive
MBIA Alumni Association. He received a Bachelor's degree from
Benedictine College, Acheson, Kansas. I, by the way, have
visited there. He has a Master's degree from Villanova
University in Villanova, Pennsylvania. He earned the Charter
Property and Casualty Underwriter Designation and holds an
Associate in Claims certificate and a certificate for general
insurance.
Welcome to you all. We will start with you, Mr. Noonan.
TESTIMONY OF THOMAS E. NOONAN,\1\ PRESIDENT AND CHIEF EXECUTIVE
OFFICER, INTERNET SECURITY SYSTEMS
Mr. Noonan. Mr. Chairman, thank you for the opportunity to
appear before you today. My name is Tom Noonan. I am President
and Chief Executive Officer of Internet Security Systems. We
are a leading provider of preemptive cyber security
technologies for large-scale enterprises, and I represent the
technology industry today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Noonan appears in the Appendix on
page 132.
---------------------------------------------------------------------------
We operate five cyber security centers around the world,
two in the United States, the rest in Asia through Tokyo,
Australia, Brussels, and a partner operation in Latin America.
We protect our customers by monitoring the Internet for cyber
threats 24 hours a day, 365 days a year, providing preemptive
protection for customers. This is critical preemption before
reconstitution, obviously. We utilize that security
intelligence, technology, and expertise to preempt the strikes
that would cripple critical networks and stay ahead of the
threats.
I want to stress three important messages about our
Nation's security landscape this morning, and this comes from
my 13 years in this industry as one of the founders of this
company and a person that has been working to advocate better
security practices in both the private and public sector.
First, threats to the critical infrastructure are real, and
without a doubt, they are growing. The question is not if but
when. The explosive growth of new Internet technologies, from
wireless to voice-over Internet telephony, has engendered new
threats that are far outpacing the security responses of many
private and governmental users.
Second, the intelligence protocols and technologies
necessary to protect against emerging cyber threats are, by and
large, robust and widely available. In other words, we have the
tools at our disposal today to safeguard our critical
infrastructure.
And finally, despite our knowledge of these threats and our
overall ability to protect ourselves, we as a Nation are not
doing nearly enough to preempt the types of attacks that could
debilitate our critical network infrastructure. Leadership is
desperately needed at the Federal level, not to replicate
existing private sector efforts but rather to extend the impact
of those efforts by encouraging the private sector to
collectively increase in cooperation with the government.
This means five things for me this morning. First,
appointing an Assistant Secretary of Homeland Security for
Cyber Security and Telecommunications who will help secure the
Federal Government's own networks as well as those of the
broader economy.
Second, clearly delineating and hardening the roles and
responsibilities of many public-private entities working today
to secure cyberspace.
Three, ensuring that the Federal Government makes use of
existing industry resources to gather and analyze data on cyber
security threats and methods.
Four, creating a national plan to restore connectivity on a
prioritized basis.
And five, providing sustained Federal funding--that $65
billion sounds like a lot, but sustained Federal funding and
active Congressional oversight to ensure that the Department of
Homeland Security is getting the job done for this country.
I think we know cyber threats are serious and they are
growing in sophistication. The rules of criminal hacking today
are no longer shaped by teenage malfeasants, but by
confederated crime operations that are driven by the economics
of opportunity, incentive, and risk, just like traditional
theft, burglary, and extortion.
I think it is this professionalization of cyber crime that
is unsettling for many reasons, not the least of which are
indications that those who would seek to do harm to our Nation
have been working to improve their technological abilities.
Particularly unsettling is not just the threat to privacy
information, which we read about in the newspaper, or our e-
commerce applications, but more importantly to the very control
networks of the automated systems that control and regulate our
Nation's industrial systems, like SCADA. Control systems are
now Internet-connected and they are susceptible to major
attacks. Under contract with customers, ISS has conducted real
world penetration tests with large power plants and others to
show that they are at risk.
Put simply, Mr. Chairman, the fact that our Nation's
critical infrastructure has yet to fall victim to a significant
and coordinated cyber attack does not mean that it can't
happen. Emerging technologies coupled with an exponential
increase in the use of new applications on the Internet have
opened many new avenues to attack and keeping up with this
large increase in vulnerabilities is a daunting task. It is
only complicated by the shrinking window that we are seeing
between the time a vulnerability is disclosed and the time that
it is exploited by criminal interests.
I think there is good news, Mr. Chairman. Our Nation
already has the technological capabilities to protect the
critical infrastructure. Private industry is operating
positively against many of the requirements associated with
technology, vulnerability, discussion, etc. But what is missing
is genuine leadership on the part of the Federal Government.
We, as a Nation, can protect our critical infrastructure, and
in fact, we already are, but that requires also Federal
leadership.
I think your role here boils down to two things. The first
one is minding the store, and I know that Secretary Chertoff
and the Department of Homeland Security are working around the
clock to protect the Nation, but we need to be able to talk to
the person who is minding the store and that is the Assistant
Secretary.
Second, it is difficult for the Federal Government to
preach strong cyber security practices across our economy when
the Federal networks themselves are so woefully unprotected.
While steps have been taken in recent years to improve agency
security practices through FISMA, most Federal agencies are
still getting failing marks when it comes to securing their
networks.
When it comes to strengthening Federal leadership, I just
want to reiterate these five points in closing. Appointment of
the Assistant Secretary for Cyber Security and
Telecommunications. The job has been open for over a year.
Two, a clear delineation and hardening of the roles and
responsibilities of these countless public-private entities.
Three, ensuring that the Federal Government makes full use
of existing industry resources. We are absolutely willing and
able to participate as a private sector.
Four, we need to develop the national plan to restore
connectivity on a prioritized basis.
And five, sustained Federal funding.
So there is no silver bullet here, Mr. Chairman. Securing
our Nation's infrastructure from cyber attack requires a
heightened degree of public-private coordination and I think it
is a challenge but it is one we are up to. We are pleased at
ISS to be partnering with you and I thank you for the
opportunity to participate this morning.
Chairman Coburn. Thank you. Ms. Bienfait.
TESTIMONY OF ROBERTA A. BIENFAIT,\1\ SENIOR VICE PRESIDENT,
GLOBAL NETWORK OPERATIONS, AT&T
Ms. Bienfait. Good morning, Mr. Chairman.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Bienfait appears in the Appendix
on page 139.
---------------------------------------------------------------------------
Chairman Coburn. Good morning.
Ms. Bienfait. My name is Robin Bienfait and I am Senior
Vice President of AT&T's Global Network Operations. I want to
thank you for allowing me to share with you what we have done
and what we are generally doing to ensure the reliability and
restorability of AT&T network services. We are committed to a
strong public-private partnership and we hope our experience is
helpful.
We believe there are keys to network security and disaster
recovery and I will focus on the following areas: The strength
of the public-private partnership; the lessons learned,
especially from Hurricane Katrina and the 2003 Midwest and
Northeast power outages; and a series of policy
recommendations.
Our country relies on cyber and physical infrastructure
that is provided by a very close partnership among all the
providers and users of this infrastructure. Each partner, both
in the public and private sector, has a responsibility to keep
their part of the infrastructure working. They also each have a
responsibility to be able to recover or restore their piece of
the infrastructure.
At AT&T, our goal is to have a network where failures are
prevented or identified and corrected before they affect our
customers. Since 1991, we have invested more than $300 million
in our mobile network disaster recovery infrastructure and
capabilities. We have also invested $200 million in a system
that proactively monitors and manages the networks of some of
our largest customers.
We have more than 500 fully loaded emergency communication
vehicles that we can quickly deploy to respond to any disaster
anywhere in the United States. We have the basic building
blocks of our network infrastructure installed in 150
technology trailers and it is ready to roll at a moment's
notice.
I would like to draw on the examples of Hurricane Katrina
and the 2003 blackouts to illustrate our approach to response
and restoration efforts and to show you how our incident
command structure makes every minute count.
For Hurricane Katrina, we followed our prescribed command
and control approach to a tee. AT&T began moving equipment and
teams from around the country toward the Gulf States in the
days before the storm made landfall. The first team restored
AT&T service to its prior levels, a second team maintained and
monitored AT&T's facilities so as to prevent new issues from
arising, and a third team came in to help others.
AT&T worked around the clock to respond to this crisis and
safeguard its network and support the efforts to respond to the
disaster. AT&T was also able to direct its effort to benefit
its customers, other telecommunication competitors and their
customers, first responders, and evacuees, as needed. AT&T also
helped to provide relief to those directly affected by the
hurricane and flooding and assistance to charitable relief
efforts.
Thanks to these efforts and the intense dedication of the
employees involved, AT&T's network remained essentially intact.
We were able to carry at least 95 percent of all calls in the
Gulf Coast area that came to our network. Of the five percent
of our capacity in the area that was initially lost, we
restored half of that capacity within a couple of hours.
Related to the blackouts, as you know, in 2003, large
portions of the Midwest, Northeast, and Ontario, Canada,
experienced an electrical power blackout affecting 50 million
people. Power was not restored for 4 days in some parts of the
United States. Because of the reliability and redundancy that
we designed and built into our network infrastructure, Internet
traffic, data services, and voice calls flowed across our
network without interruption.
These and other experiences have reinforced lessons that we
must incorporate in future planning and are the basis of our
following policy recommendations. More detailed recommendations
are available in my written testimony.
Establish and practice disaster recovery processes in
anticipation of emergencies. Communication resources can be
brought where needed very quickly, but it is essential that
those clear lines of command and control at all times are there
to direct those resources effectively and to the area of
greatest need. A single agency must be identified, funded,
empowered to act as a national cyber incident commander for any
required cyber infrastructure recovery and reconstitution
efforts.
Coordinate restoration and recovery efforts. Everyone
available should be participating and there needs to be
coordination so the efforts are not duplicated or in conflict
with one another. Logistical information, such as what roads
are closed and what medical precautions are needed, must be
readily available. Moreover, a recommendation we made after
September 11 still has not been widely implemented. Companies
such as AT&T that are crucial to the response to disasters
should have special credentials designed for employees and
accredited in advance in order to assess disaster areas.
Minimize the amount of regulation and data reporting
requirements during a disaster and maximize the amount of
coordination and cooperation between public and private sector.
Interoperability and spectrum availability. A crisis on the
scale we saw in the Gulf Coast and smaller challenges, as well,
demand a well-coordinated information and communications
delivery system. We must resolve the spectrums needed and
highlighted by the 9/11 Commission.
Consider subsidizing some of the emergency preparation by
infrastructure companies. The government is likely to call on
such capabilities in use or would otherwise need to duplicate
resources ineffectively.
We can never anticipate every contingency in an emergency,
nor can we assure a foolproof communications network all the
time under all circumstances. Nonetheless, at AT&T, we have
done much to ensure reliability and restorability of
communication networks, and together as an industry and as a
Nation, we can do more. I thank you for holding this hearing to
advance this important discussion.
Chairman Coburn. Thank you, Ms. Bienfait. Mr. Aisenberg
TESTIMONY OF MICHAEL A. AISENBERG,\1\ DIRECTOR OF GOVERNMENT
RELATIONS, VERISIGN, INC., AND VICE CHAIR, IT SECTOR
COORDINATING COUNCIL
Mr. Aisenberg. Thank you, Mr. Chairman. Thank you for the
opportunity to appear before the Subcommittee today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Aisenberg appears in the Appendix
on page 161.
---------------------------------------------------------------------------
VeriSign's 4,600 employees operate intelligent
infrastructures that enable and protect billions of
interactions every day across the world's voice and data
networks. I, too, have three key points I would like to make
today.
First, those who make policy in the United States must
understand the economic value and critical interdependencies we
have developed on our information networks.
Second, we must understand and accommodate to the global
nature of both our information networks and the attacks that
are being continually mounted against them.
Third, largely owned and operated by the private sector,
our network security and ability to withstand and recover from
the continuing attacks against them depends on effective
partnership between government and we, the industry stewards.
Americans must keep a clear focus on the critical economic
and national security role which our information networks have
come to fulfill. In less than two decades, the industrial
nations have evolved an irreversible dependency and
interdependency by our banking, finance, transportation, health
care, education, power, manufacturing, and government service
sectors on the networks managed by the companies, mostly
American, which make up the ICT sector.
Each day, $3 trillion pass over secure Federal financial
networks. If these electronic transactions do not have Internet
sites, such as NYSE.net, BankofAmerica.com, and Treasury.gov,
available, secure, and running, the U.S. economy begins to
grind to a halt at the rate of $130 billion per hour.
As you have noted, Mr. Chairman, cyber security is indeed a
responsibility which we all share and in which we all have a
stake. We must recognize that information networks are global,
increasingly managed by interests beyond U.S. control, but at
the same time subjected to threats and attacked by actors from
around the world. The role of an effective government cyber
security function and government-industry partnership is
central to the BRT report's critical conclusion. America needs
a much improved cyber security activity, not just in DHS, but
across government and industry interests.
But while its conclusions are consistent with others from
industry, the BRT report's suggestions about the extent and
effectiveness of industry engagement with DHS are, I believe,
out of touch with important progress being made in public-
private collaboration in the last 18 months. There have been
many, and there are increasingly significant collaborative
engagements between the cyber industry and DHS, some of which
were outlined by Secretary Foresman.
In 2005, commented engagement with industry began to be
regularly sought by new DHS leadership. Involvement in DHS
policy processes from their beginning rather than at the end
began to be practiced. Examples include the national cyber
security exercise Cyber Storm, concluded in February of this
year, DHS's Internet Disruption Working Group, the IDWG, the
government Security Operations Community, GFirst, the just-
released NIPP process, and the ongoing sector-specific plans
just under development.
Mr. Chairman, my sector colleagues and I have found these
activities valuable and a marked departure from what we
experienced prior to 2005. This steady improvement and
expansion of industry involvement with DHS cyber and network
security activities must continue.
But while these milestones and improvement in the
relationship between cyber sector industry interests and the
NCSD and NCC staff are important and significant, they are not
a solution, but a beginning.
Mr. Chairman, we are at least twice as good in our
cooperation as we have been, but we are not half as good as we
need to be. Indeed, many of us believe that notwithstanding
these improved public and private engagements, the operational
posture is still fraught with risk. If a September 11-type
attack were to take down the NYSE today, I doubt the Exchange
could restore its network-dependent functions in the same 4
days it did in 2001, and indeed, perhaps not in 4 weeks, and
the principal reason for this is DHS, or rather the
bureaucratic impediments, many of which have already been
discussed this morning, to the kind of action that the private
sector was able to engage in in 2001 and was thwarted at during
Hurricane Katrina.
We need to act without delay to ensure that our networks
and critical dependent sectors are resilient enough to
withstand the daily attacks being mounted against them. And as
the GAO is reporting today, they must be supported by the
appropriate tools from government as well as industry to assure
the ability to recover with minimum collateral impact on our
economy and security.
To conclude, Mr. Chairman, going forward, several steps are
necessary. First, DHS's modest cyber security budget must be
insulated from the continuing reprogramming and budgetary cuts
now underway.
Second, a cyber security leader with credibility in
industry must be identified and appointed as DHS's permanent
Assistant Secretary for Cyber Security and Telecommunications
without further delay.
Third, critical R&D projects to improve key network
security protocols must be funded and launched or relaunched.
Mr. Chairman, if we do these things, we will not guarantee
that our adversaries will stop attacking our critical cyber
assets, but we will improve the likelihood that we will
continue to successfully withstand those attacks and retain the
availability of these infrastructures on which we are now so
dependent. Thank you, Mr. Chairman.
Chairman Coburn. Thank you, Mr. Aisenberg. Mr. Brondell.
TESTIMONY OF KARL BRONDELL,\1\ STATE FARM INSURANCE COMPANIES,
ON BEHALF OF THE BUSINESS ROUNDTABLE
Mr. Brondell. Thank you, Mr. Chairman. I am honored for
this opportunity to testify today on Internet recovery on
behalf of the Business Roundtable.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Brondell appears in the Appendix
on page 167.
---------------------------------------------------------------------------
Following the attacks of September 11, Roundtable CEOs
formed the Security Task Force to address ways the private
sector can improve the security of its employees, facilities,
communities, and our Nation. The Roundtable believes that the
business community must be a partner with government in
disaster preparedness and response. The Roundtable commends the
Subcommittee and its members for their continued interest in
improving procedures and preparedness to ensure recovery of the
Internet following a major disruption. Hardening the Internet
and strengthening cyber security is one of the priorities of
our Security Task Force.
More than a year ago, the Roundtable began work on an
initiative to assess the public and private sector plans and
procedures for Internet recovery following a cyber catastrophe.
We have just produced and delivered a report, ``Essential Steps
to Strengthen America's Cyber Terrorism Preparedness,'' which
finds that the United States is ill-prepared for a cyber
catastrophe, with significant ambiguities in public and private
sector responses that would be needed to restore and recover
the Internet following a disaster.
As the Subcommittee knows, the Internet and the cyber
infrastructure serve as a critical backbone for the Nation's
economy and its uninterrupted use is a crucial issue for our
national and homeland security. But our analysis has exposed
significant weaknesses that could paralyze the economy
following a massive disruption.
Despite progress having been made over the past decades on
technical and IT issues, there are other issues that have not
received the same attention. The Roundtable's report identifies
three significant gaps in our Nation's response plans to
restore the Internet.
First, we found the United States lacks an early warning
system to identify potential Internet attacks or determine if
the disruptions are spreading rapidly across critical systems.
Second, public and private organizations that would oversee
restoration and recovery of the Internet have unclear or
overlapping responsibilities, resulting in too many
institutions with too little interaction and coordination.
Finally, existing organizations and institutions charged
with the Internet recovery have insufficient resources and
support.
Collectively, these gaps mean that the United States is not
sufficiently prepared for a major attack. If our Nation is hit
by a cyber catastrophe that wipes out large parts of the
Internet, there is no coordinated public-private plan in place
to restart and restore it.
Let me make another point. Although there is no agreement
among experts about the likelihood of a widescale cyber
disaster, they do agree that the risks and the potential
outcomes are serious enough to mandate careful planning and
preparation.
In my remaining time, let me talk briefly about our
recommendations for government and business to consider. We
believe it is important to understand that response and
recovery to a cyber disaster will be different from natural
disasters when the Federal Government has the leading role.
Industry must undertake principal responsibility following an
incident for reconstituting the communications infrastructure
and the Internet. We believe that business and government must
take action, individually and collectively, to address these
issues.
Let us start with the government. The Roundtable calls on
the Federal Government to establish clear roles and
responsibilities, to fund long-term programs, and ensure that
national response plans treat major Internet disruptions as
serious national problems.
Regarding the private sector, our report urges companies to
designate a point person for cyber recovery, update their
strategic plans, and set priorities to prepare for a widespread
Internet outage and its impact on the movement of goods and
services.
When it comes to protecting our Nation, neither the
government nor business can do it alone. We feel the best
security solutions will come from a public-private partnership
that identifies and acts on ways to improve collaboration. Let
me discuss a few of the collaboration recommendations.
First, since the first 24 hours often determine the overall
success of recovery efforts, we must focus more attention on
coordinating initial efforts to identify when an Internet
attack or disruption is occurring.
Second, we recommend the creation of a federally-funded
panel of experts from business, government, and academia who
would assist in developing plans for restoring Internet
services in the event of a massive disruption.
Finally, we believe the Department of Homeland Security,
together with business, should conduct large-scale cyber
emergency exercises with lessons learned integrated into
programs and procedures.
Without change, our Nation will continue to use ad hoc and
incomplete tools for managing our critical risk to the Internet
and to our Nation's economy and its security.
Up to this point, I have outlined for the Subcommittee the
basis for our observations and some of the recommendations to
consider. Now I would like to spend a moment telling you about
the Roundtable's plans to find solutions to the gaps that we
have identified.
First, let me say that we are confident that our member
companies are able to manage most disruptions that affect
Internet operations. For this reason, the Roundtable will focus
its efforts on those large-scale events that no single company
is positioned to manage absent widespread cross-industry and
government collaboration.
As an extension of our previous work, the Roundtable will
examine the processes, protocols, and practices across the
private sector before, during, and after a disruptive event. We
will assess which institutions respond, how early warnings are
established, and how companies access information and service
critical disruptions and emergency situations. We believe this
will provide a foundation for meaningful improvements in our
Nation's ability to protect and restore the Internet as well as
clarify specific, meaningful, and actionable decisions that
will lead to well-coordinated public and private response and
reconstitution processes.
In conclusion, let me again thank the Chairman for the
opportunity to present the Business Roundtable's report on
cyber preparedness and to discuss our recommendations for
improvements. Roundtable CEOs believe strongly that we need a
national response to this challenge, not separate business and
government responses, and that means better collaboration. I
assure you, America's CEOs and our companies are committed to
do their part. Thank you.
Chairman Coburn. Thank you.
One of the things I take from you all is leadership is
important, and the fact that we don't have the position filled
is significant. You know, that is a real problem in our Nation
today and I don't know what the cause of it is. Some people
say, well, the salaries aren't high enough. But for us to
secure our future, we are going to have to make individual
sacrifice and that means somebody out of private industry needs
to come up and fulfill this role. When they are trying to
recruit and nobody wants to do it because they are not willing
to sacrifice a little bit of earnings for 3 or 4 years and make
a commitment to make a difference to our country, we are losing
the very essence of what it means to be Americans.
So it is pretty hard to hire somebody into a Federal
Government agency into a position that is going to mean their
salary is going to be cut in half if there is no patriotic
thought that you can make a contribution to our country. Each
of you have raised that. Do any one of you all want to
volunteer for that position? [Laughter.]
Mr. Noonan. I know someone that does, sir.
Chairman Coburn. Well, the man that probably is involved in
that decision is sitting behind you. I hope you will
communicate that with Secretary Foresman.
Mr. Noonan. I certainly will.
Chairman Coburn. I appreciate him being here.
Just quickly, I am going to have several questions and I
can't get them all through to you, so I am going to submit them
in writing.
What do you think about the GAO's report? Mr. Brondell has
just made a recommendation, we have got all these working
groups. Here is what you all think we ought to do. We have got
working groups, yet we basically have nobody in charge. What
would happen tomorrow if a major event happened? We don't have
the coordination across government to the private sector to
establish that. So how do we respond? How do we take your
recommendation, Mr. Brondell, versus the problem? We have got
working groups. We have got people that are involved in it. How
do we get it off dead center and make something happen?
Mr. Brondell. First of all, we do applaud that the efforts
are moving in the right direction. As you heard earlier this
morning, it is a long road that we are going to have to pull,
but as we look at a collaborative approach, we do agree and
have suggested that we do need some focal point within the
government that private sector can rely upon. We support the
addition of the position. We hope that it gets filled quickly
and goes through the administrative process to be in place.
But to your question of what we would do today if it
happened, industry would continue to respond as it has in the
past and overcome the hurdles based on the experience from past
smaller incidents. But the lacking of collaboration, it could
damage the overall economy with a long delay.
Chairman Coburn. Mr. Aisenberg.
Mr. Aisenberg. Senator, we see a steady stream of insults
against the network on a daily basis. VeriSign routinely repels
1,000 or more attacks against the naming infrastructure, the
DNS, every day. Major events happen with greater frequency than
makes us happy, but we are successful in repelling those now,
by and large. But every day, the sophistication in those
attacks grows. The sources of them becomes more diverse and the
risks inherent, therefore, becomes more severe.
So you are absolutely right. We need a more coordinated
approach. We cannot guarantee, no one can guarantee that an
attack will not at some point be successful, and I agree, the
ability to reconstitute and recover from a serious attack at
the moment is not as good as we need it to be, and I could not
predict how severe or how long a major attack that took down
the naming system or fundamental other aspects of the Internet
could persist and impact the economy. Our best defense is the
aggressive investment that the infrastructure stewards make in
massive overhead, massive engineering, constant exercising,
constant testing of the security, and vigilance, and a little
bit of good luck.
Chairman Coburn. Is there an early warning system out there
now?
Mr. Aisenberg. It depends on what you mean by early
warning.
Ms. Bienfait. Not one that you would actually, as we would
do with a hurricane in an emergency scenario, we see a
hurricane coming and we have got a way to give an early
warning----
Chairman Coburn. No, I mean is there a communication
network where, whether it is NSA or whoever is experiencing it,
all of the sudden, this is a major attack and time is of the
essence and everybody knows it is happening in one area so they
can prepare if their area is about to get hit. Is that out
there now?
Ms. Bienfait. Not across----
Chairman Coburn. Is there an early warning system so that
there is communication to all the players that something is
happening. You need to know about it. Here is what we see. You
might be next. Is that happening now?
Ms. Bienfait. We have something internal to ourselves that
we can actually see the signatures and the knocking of all the
hacking attacks against our network----
Chairman Coburn. That is your network?
Ms. Bienfait. That is my network. But we are only doing
this in our own domain. We are not doing a lot across
companies, across collaboration----
Chairman Coburn. Is there something that prevents you
legally from being able to communicate that with the rest of
the service providers?
Ms. Bienfait. Nothing at this point in time, other than us
getting a trusted environment where we could actually do pre-
planning ahead of time so that we know what that information
might look like. We are doing some of that right now, trying to
put best practices together, but there is not anything formal
to the point that we know how to pull up a security alert and
actually say, hey, the collaboration of the different units, I
am going to shut down this part of my network or I am going to
open up that part of my network so that this work can flow
through.
Chairman Coburn. And you would all agree that is needed?
Ms. Bienfait. I think it is necessary.
Chairman Coburn. It is needed, and one of the reasons it is
not is because there is not a position of leadership and trust
which you can work through?
Ms. Bienfait. You really have to have a very trusted
environment. It is essential----
Chairman Coburn. Otherwise you expose proprietary
information.
Ms. Bienfait. Exactly. And we are working through that, it
is just not moving fast enough.
Chairman Coburn. OK.
Mr. Aisenberg. Senator, another aspect of that is that what
we call the millisecond sectors--electric power,
communications, IT--frequently see insults only after they are
actually mounted. Unlike intelligence gathering around physical
attacks where you hear a tip from one individual and you can
grow your investigative technique, very often when the attacks
are mounted against the Internet or the communications or power
networks, you don't see the attacks until they are already at
their zero moment and are massively engaging the
infrastructure.
Chairman Coburn. But, in fact, we know that is a
possibility, so we can design to prevent that if we have the
structure in place to communicate it, cross-communicate it
without the sharing of proprietary data that would put somebody
at a competitive disadvantage. I mean, that is possible.
Everybody would agree with that, right?
Mr. Noonan. Right. There is already a foundation in place,
sir, but it is not broadly available cross-industry, cross-
sector, cross-agency and government. There are multiple early
warning activities that are operating at various levels of
efficacy. These include the ISAC, the Information Sharing and
Analysis Centers that are established as part of the IT, or as
part of the Sector Coordinating Councils. They are not fully
operating cross-functionally today, but they are a foundation
that has been being built for many years. There are issues, but
we are making progress there.
I think the early warning vulnerability disclosure activity
that is underway has actually moved this industry along in a
number of years. If we know where our vulnerabilities are,
there is a pretty good chance that is where the attacks are
going to be. Whether they are malicious and disruptive or
whether they are quiet and compromising, they are typically
getting through our vulnerabilities.
There, I think we have made progress. However, as an
industry, or both a public and private sector perspective, we
don't have the equivalent of turn on CNN and get the hurricane
early warning system. We simply don't have that.
Chairman Coburn. Are there any other comments from any of
you all on the GAO report?
[No response.]
Chairman Coburn. I don't know if the silence is because--I
won't say that. I will just let it go with that.
None of you would disagree with the fact that there could
be somebody in a position that could maintain the trust of the
providers and the service companies and the Internet industry
and work for government and maintain the integrity that is
required for us to solve these problems. Would you agree with
that?
Ms. Bienfait. I would agree with that.
Mr. Noonan. I would agree.
Chairman Coburn. So one of the real issues for us to move
things offline is to fill the position with somebody that has
the competency, character, and trust of the industry and the
government and can put the impetus behind moving forward. If
this hearing does anything with that, we will have accomplished
something.
I want to thank each of you for being here. This is a
difficult problem we face, but it is also, besides difficult,
it is critical. Our country can't take many more hits. This is
one that is preventable, provided we do the right thing. It is
at least, if not preventable, recoverable if we do the right
thing.
I would hope that we will continue to have good
communications. We will have other hearings on this. We are
going to move. There is going to be an Assistant Secretary, I
promise you. Even if we have to raise the salary for the
position, there is going to be one because it is just too
important.
We will be submitting some questions to you. I would hope
that you would return those to us within 2 weeks.
I thank you for your service, and the hearing is adjourned.
[Whereupon, at 11:12 a.m., the Subcommittee was adjourned.]
A P P E N D I X
----------
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
[GRAPHIC] [TIFF OMITTED]
�