[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]




 
            COMPUTER SECURITY: ARE WE PREPARED FOR CYBERWAR?

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                      INFORMATION, AND TECHNOLOGY

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 9, 2000

                               __________

                           Serial No. 106-160

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform

                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
67-018 CC                   WASHINGTON : 2000



                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia            CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
JOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South     DENNIS J. KUCINICH, Ohio
    Carolina                         ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                    DANNY K. DAVIS, Illinois
DAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas             JIM TURNER, Texas
LEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                             ------
PAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont 
HELEN CHENOWETH-HAGE, Idaho              (Independent)
DAVID VITTER, Louisiana


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
           David A. Kass, Deputy Counsel and Parliamentarian
                    Lisa Smith Arafune, Chief Clerk
                 Phil Schiliro, Minority Staff Director
                                 ------                                

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois               JIM TURNER, Texas
THOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                  MAJOR R. OWENS, New York
DOUG OSE, California                 PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
                Bonnie Heald, Director of Communications
                           Bryan Sisk, Clerk
           Trey Henderson, Minority Professional Staff Member




                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 9, 2000....................................     1
Statement of:
    Gerretson, Jim, director of operations, Information 
      Assurance, ACS Defense, Inc.; Mark Rasch, senior vice 
      president and legal counsel, Global Integrity Corp.; and 
      James Adams, chief executive officer, iDEFENSE.............   161
    Tritak, John, Director, Critical Infrastructure Assurance 
      Office, Department of Commerce; John Gilligan, Chief 
      Information Officer, Department of Energy, and co-chair, 
      Security, Privacy, and Critical Infrastructure Committee, 
      CIO Council; Karen Brown, Deputy Director, National 
      Institute of Standards and Technology, Department of 
      Commerce; and Rich Pethia, director, Computer Emergency 
      Response Team Coordination Centers, Software Engineering 
      Institute, Carnegie Mellon University......................     5
Letters, statements, et cetera, submitted for the record by:
    Adams, James, chief executive officer, iDEFENSE, prepared 
      statement of...............................................   186
    Biggert, Hon. Judy, a Representative in Congress from the 
      State of Illinois, chart on computer security management 
      key players................................................   196
    Brown, Karen, Deputy Director, National Institute of 
      Standards and Technology, Department of Commerce, prepared 
      statement of...............................................    38
    Gerretson, Jim, director of operations, Information 
      Assurance, ACS Defense, Inc., prepared statement of........   165
    Gilligan, John, Chief Information Officer, Department of 
      Energy, and co-chair, Security, Privacy, and Critical 
      Infrastructure Committee, CIO Council:
        Information concerning initiatives and activities........    22
        Prepared statement of....................................    26
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California:
        Followup questions and responses.........................   159
        Prepared statement of....................................     3
    Pethia, Rich, director, Computer Emergency Response Team 
      Coordination Centers, Software Engineering Institute, 
      Carnegie Mellon University, prepared statement of..........    46
    Rasch, Mark, senior vice president and legal counsel, Global 
      Integrity Corp., prepared statement of.....................   173
    Tritak, John, Director, Critical Infrastructure Assurance 
      Office, Department of Commerce, prepared statement of......     9
    Turner, Hon. Jim, a Representative in Congress from the State 
      of Texas, prepared statement of............................   152


            COMPUTER SECURITY: ARE WE PREPARED FOR CYBERWAR?

                              ----------                              


                        THURSDAY, MARCH 9, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2247, Rayburn House Office Building, Steve Horn (chairman 
of the subcommittee) presiding.
    Present: Representatives Biggert, Walden, and Turner.
    Staff present: J. Russell George, staff director and chief 
clerk; Matt Ryan, senior policy administrator; Bonnie Heald, 
director of communications; Bryan Sisk, clerk; Ryan McKee, 
staff assistant; Trey Henderson, minority professional staff 
member; and Jean Gosa, minority staff assistant.
    Mr. Horn. The hearing of the House Subcommittee on 
Government Management, Information, and Technology will come to 
order. Earlier this year, the Nation successfully met its first 
technological challenge of the new millennium, Y2K. Despite 
the time, labor, and $100 billion cost of this effort, private 
and public, we learned much from this experience. Those lessons 
will be especially important now as we turn to the second 
technological challenge of the new year, computer security.
    We are here today to learn. In April 1996, this 
subcommittee held a similar information hearing on the year 
2000 computer problem. Our questions will be many of the same 
questions we asked in that hearing 4 years ago. We want to know 
the dimension and scope of these cyber attacks. We want to know 
what efforts are being undertaken toward solving the problem, 
and we want to know what the Federal Government is doing to 
address this problem.
    Since the early 1990's, the worldwide use of computers and 
computer networks has skyrocketed. The Internet has 
revolutionized the way governments, nations, and individuals 
communicate, and the way business is conducted. The Internet and 
electronic mail are now available 24 hours a day to anyone with 
a desktop computer, a modem, and a telephone line. Yet, without 
rigorous efforts to protect the sensitive information contained 
in these computer systems, many of the Nation's essential 
services, telecommunications, power distribution, national 
defense, and so on down the line are vulnerable to cyber 
attacks.
    Over the last few weeks, several of the Nation's most 
viable Internet websites have fallen prey to ``denial-of-
service computer attacks.'' Although these attacks disrupt 
essential business services, they only scratch the surface of 
cyber attacks that may be taking place in other highly 
integrated computer networks.
    Our first panel of witnesses today will discuss the 
vulnerability of the Nation's vital computer systems and the 
Government's efforts to protect them. Our second panel, from 
the private sector, will demonstrate how easy it is to invade 
or hack a computer system, and what organizations can do to 
protect these systems. We welcome each of you and we look 
forward to your testimony.
    If you will stand and raise your right hands, we will swear 
you in.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that all four witnesses 
affirmed the oath. We will start with Mr. Tritak, Director of 
Critical Infrastructure Assurance Office, Department of 
Commerce. Mr. Tritak. I might say, the way we work here, once I 
announce you, your full statement is automatically put in the 
record.
    The staff has read it and when we have had a chance, we 
read it. We then want you, if you could, to summarize it in 5 
minutes. Do not read it, whatever you do, but give us from your 
heart what this problem is. That is what we are interested in. 
When you are all done, we will then have questions, 5 minutes 
on each side when those Members come here. We will try to get a 
rounding out of what the testimony is.
    So, Mr. Tritak, you are first.
    [The prepared statement of Hon. Stephen Horn follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.001
    
    [GRAPHIC] [TIFF OMITTED] T7018.002
    
  STATEMENT OF JOHN TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE 
ASSURANCE OFFICE, DEPARTMENT OF COMMERCE; JOHN GILLIGAN, CHIEF 
   INFORMATION OFFICER, DEPARTMENT OF ENERGY, AND CO-CHAIR, 
 SECURITY, PRIVACY, AND CRITICAL INFRASTRUCTURE COMMITTEE, CIO 
 COUNCIL; KAREN BROWN, DEPUTY DIRECTOR, NATIONAL INSTITUTE OF 
  STANDARDS AND TECHNOLOGY, DEPARTMENT OF COMMERCE; AND RICH 
PETHIA, DIRECTOR, COMPUTER EMERGENCY RESPONSE TEAM COORDINATION 
   CENTERS, SOFTWARE ENGINEERING INSTITUTE, CARNEGIE MELLON 
                           UNIVERSITY

    Mr. Tritak. Thank you very much, Mr. Chairman.
    I am grateful for this opportunity to appear before you 
today to begin a dialog with you and your committee on the 
issues relating to critical infrastructure assurance and 
computer security. In the way of talking about infrastructure, 
one of them I want to mention is that my slides just showed up. 
If you do not mind, I would like to just put them up before 
you.
    Mr. Horn. Sure. Keep talking. They can put them up.
    Mr. Tritak. In any event, Mr. Chairman, Americans have long 
depended on delivery of essential services over the Nation's 
critical infrastructures. The need to assure the delivery of 
these services against significant disruptions has been a 
concern of infrastructure owners and operators for as long 
as there have been electric power plants, telecommunications 
systems, airlines, railroads, banking, and financial services. 
In other words, critical infrastructure assurance itself is not 
new.
    What is new is the increasing reliance on information 
technology and computer networks to operate those 
infrastructures. This growing reliance introduces new 
complexities, interdependencies, and potentially 
vulnerabilities. The threat that individuals, groups, and 
nation states are seeking to identify and exploit these 
vulnerabilities is real and growing.
    [Chart shown.]
    Mr. Tritak. In recognition of this, President Clinton 
issued PDD-63 establishing the protection of the Nation's 
infrastructures as a national security priority. As you can see 
from the chart, Mr. Chairman, PDD-63 sets forth an ambitious 
goal. It calls for a national capability by 2003 to protect our 
critical infrastructure from intentional attacks that could 
significantly diminish the Federal Government's ability to 
perform essential national security missions and to ensure 
general public health and safety, State and local government's 
ability to maintain order, and to deliver minimal essential 
services to the public.
    Three, the private sector's ability to ensure the orderly 
functioning of the economy and the delivery of essential 
telecommunications, energy, financial, and transportation 
services. The important conclusion of PDD-63 is that critical 
infrastructure assurance is a shared responsibility. With 90 
percent of the Nation's infrastructures being privately owned 
and operated, the Federal Government alone cannot guarantee its 
protection.
    In response to the issuance of PDD-63, the Federal 
Government had to organize itself in order to meet the 
challenges posed by this unique national security challenge. A 
national coordinator for security, infrastructure protection, 
and counter-terrorism was created to oversee national policy 
development and implementation, as well as to advise the 
President and national security advisor on the same.
    My office, the Critical Infrastructure Assurance Office, was 
created to coordinate policy development for the national plan, 
to assist agencies in analyzing their critical infrastructure 
dependencies, and to coordinate national education and 
awareness efforts. The National Infrastructure Protection 
Center was created at the FBI to serve as a threat assessment 
center, focusing on threat warnings, vulnerabilities, and law 
enforcement.
    For each infrastructure sector that could be a target for 
infrastructure cyber or physical attacks, a single government 
department or agency was established as a lead agency for 
working directly with representatives from private industry.
    [Chart shown.]
    Mr. Tritak. Earlier this year, President Clinton issued the 
first version of the national plan. Displayed before you is the 
cover. It says a lot about what the plan is and is not. First, 
the plan focuses on the cyber dimensions for securing critical 
infrastructures and underscores the new challenges posed by the 
information age. That is not to say that physical 
infrastructure protection is no longer important. It is.
    Future versions of the plan will reflect that importance. 
In fact, the plan is designated 1.0 and subtitled An 
Invitation to a Dialogue, for a good reason. It is very much a 
work in progress. It concentrates on the Federal Government's 
efforts in infrastructure protection. The plan acknowledges 
that this is not enough. We must work closely with industry and 
include them in the national planning process.
    We must also deal with the fact that there is an 
international dimension to national information assurance, as 
well as a domestic one. Of course, we must work closely with 
you in the Congress to ensure that your concerns, ideas, and 
interests are reflected in subsequent versions of the plan.
    [Chart shown.]
    Mr. Tritak. To meet the goal of PDD-63, the national plan 
establishes 10 programs for achieving three broad objectives. 
First, steps must be taken to identify the key elements and 
systems that constitute our critical infrastructures. Their 
vulnerability to attack must be assessed and plans must be 
developed to address those vulnerabilities.
    In so preparing, we hope to prevent attacks from reaching 
their target in the first place. Next, should such attacks 
occur, we must develop a means to identify, assess, and warn 
about them in a timely manner. The attacks must then be 
contained. Disrupted services must be restored and affected 
systems must be reconstituted.
    Finally, we must lay a strong foundation upon which to 
create and support the Nation's commitment to achieving the 
first two objectives. These include coordinated research and 
development, training, and employing information security 
experts, raising awareness, and, where appropriate, identifying 
potential legal or legislative reforms.
    [Chart shown.]
    Mr. Tritak. The President requested $2 billion for critical 
infrastructure protection in his fiscal year 2001 budget 
request. This represents a 15 percent increase over fiscal year 
2000 funding. Of this, 85 percent supports protection of agency 
infrastructures; 72 percent goes to supporting critical 
infrastructure efforts within the national security agencies.
    Our President proposes a number of key initiatives in his 
budget request. I will just highlight a few. The Federal Cyber 
Service Initiative seeks to redress the shortage of information 
security expertise in the Federal Government. This shortfall 
reflects the scarcity of college-level programs in information 
security. It also reflects the inability of the Government to 
compete for highly skilled workers in this area.
    Our goal is to recruit, train, and retain a cadre of IT 
specialists for Federal service. The Federal Intrusion 
Detection Network will serve as a centralized burglar alarm 
system for critical computer systems within civilian government 
agencies. Intrusion Detection Systems will be installed and 
operated by the civilian agencies. Alarm data indicating 
anomalous computer activity will be sent through the agency, by 
the agency to the GSA for further analysis.
    Only if there is evidence of criminal behavior will data be 
sent to the NIPC and law enforcement. FIDNet will not monitor 
any private network traffic. It will comply with all existing 
privacy laws. The Partnership for Critical Infrastructure 
Security attempts to build on the efforts already underway 
between government and industry.
    It seeks to bring the individual sectors together to 
encourage a cross-sectoral dialog on issues of common concern, such as 
the growing interdependencies among the infrastructure owners 
and operators. The Partnership also provides a forum for 
infrastructure owners and operators to engage other interested 
stakeholders, including the audit community, insurance 
community, Wall Street, and the investment community, and of 
course mainstream businesses who are the ultimate consumers of 
infrastructure services.
    Now, the partnership is dedicated to the belief that once 
industry recognizes a business case for action, economic self-
interest in the market can go a long way toward addressing the 
challenges of infrastructure assurance. That is not to say that 
self-interest in the market alone can solve these problems, 
because they cannot. Where they cannot, and where the national 
security interests of the country require, the Federal 
Government must step in to address any gaps and vulnerabilities 
that may exist.
    Last month, over 200 representatives of more than 120 
companies began to organize their participation in this 
Partnership. I think the Partnership represents a good step in 
not only addressing issues of common concern, but also for 
industry to take a lead in addressing the problems that 
confront us today. When you have good partnership between 
industry and government, we are better able to identify and 
define our respective roles so that where there are gaps, where 
the market cannot address a problem of concern to the Nation, we 
can fill that gap.
    Given the limited time, Mr. Chairman, I am going to 
conclude my remarks here and I look forward to your questions.
    [The prepared statement of Mr. Tritak follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.003
    
    [GRAPHIC] [TIFF OMITTED] T7018.004
    
    [GRAPHIC] [TIFF OMITTED] T7018.005
    
    [GRAPHIC] [TIFF OMITTED] T7018.006
    
    [GRAPHIC] [TIFF OMITTED] T7018.007
    
    [GRAPHIC] [TIFF OMITTED] T7018.008
    
    [GRAPHIC] [TIFF OMITTED] T7018.009
    
    [GRAPHIC] [TIFF OMITTED] T7018.010
    
    [GRAPHIC] [TIFF OMITTED] T7018.011
    
    [GRAPHIC] [TIFF OMITTED] T7018.012
    
    [GRAPHIC] [TIFF OMITTED] T7018.013
    
    Mr. Horn. Thank you very much. I would appreciate it at 
this point in the record if you would submit the national plan 
for the record. So, without objection, it will be put right 
after this point.
    We now go to the next gentleman who is very familiar to this 
committee. You are doing a fine job. Mr. John Gilligan, Chief 
Information Officer, Department of Energy, and Co-Chair, 
Security, Privacy, and Critical Infrastructure Committee of the 
Chief Information Officer Council. Mr. Gilligan.
    Mr. Gilligan. Thank you, Chairman Horn.
    As you noted, I come before the committee speaking in both 
my role as Chief Information Officer of the Department of 
Energy and as well the Co-Chair of the Federal CIO Council 
Security, Privacy, and Critical Infrastructure Committee. As I 
prepared for this testimony, I gave a lot of thought to what I 
viewed were the two critical issues that I face as a Federal 
CIO. I would like to spend a moment addressing these issues for 
you.
    Up-front, let me tell you that my biggest issues are not 
technology challenges. The primary challenge is educating and 
convincing line management that computers and networks, as well 
as the information they possess and process, should be treated 
and managed as mission-essential and strategic organization 
resources. Let me illustrate my point with an example.
    Last summer, at one of the Department of Energy 
laboratories we conducted a security audit. The laboratory was 
evidenced as having the best firewall within the Department, 
very good security policies, and adequate protection of our 
classified systems. However, that same organization had a 
number of instances of what I refer to as no-brainer security 
weaknesses. For example, there were a number of computer 
systems that had software configurations that were years out of 
date.
    In this case, they were not taking advantage of dozens of 
patches that had been fielded to upgrade the security of those 
systems over the years. In addition, there were a number of 
systems where their passwords, including system administrator 
passwords were easily guessed, or in some cases even used the 
term ``password.'' These and other weaknesses made it relatively 
easy for a potential hacker to break into the laboratory's 
unclassified computer system.
    As I evaluated this apparent paradox, the same organization 
having both the best and the worst security practices, the root 
issue became clear to me. The organization was not focusing on 
information technology as an overall laboratory resource, 
rather only sub-sets of the systems and networks were being 
pro-actively managed. Most of the unclassified computers were 
procured and operated as work center or personal resources.
    I have found a similar dichotomy at a number of other DOE 
sites. The problem at this lab was not the absence of sound 
security policies or lack of security technology knowledge, but 
the fact that management of computers had become highly 
decentralized and, in many cases, was a personal task. I found 
that the number of system administrators approached the number 
of laboratory employees.
    The security audit findings highlighted to the laboratory 
director and senior management that they had fundamental 
problems with information technology management. The solution 
required a fundamental change in how computers, networks were 
purchased, installed, and operated. I firmly believe that this 
is the most significant and pervasive problem facing Federal 
agency CIOs.
    A second challenge I face is working with Federal managers 
in the Department of Energy in determining how much security is 
enough. That is, how much is adequate? In the past, primary 
security focus was on the protection of national security 
information, classified systems, and more easily controlled 
mainframe computers. Adequate security was defined by security 
gurus, in most cases, with much input from line management, and 
defined, in most cases, in absolute terms.
    Today, we use computers for a wide variety of missions 
where it is not cost effective or appropriate to apply the same 
protection mechanism or security policies in all cases. We have 
information relating to national security. Personnel data and 
business operations must be protected to ensure 
confidentiality. On the other hand, we have public websites 
where we want to protect the integrity of the information. In 
addition, there are mission impact and perception factors which 
influence what is adequate, as well as rapidly changing 
threats, missions, and technologies.
    Federal security policies require an assessment of risk to 
guide management decisions on what is adequate. Sounds easy. I 
would submit that it is not. The Federal Government is also 
held to a very high standard and one that continues to change 
and become more stringent over time. In my testimony, I have 
included some status updates within the Department of Energy on 
our recent security activities. I will not detail them here.
    I would like to, however, turn for a few minutes to the 
work of the CIO Security, Privacy, and Critical Infrastructure 
Protection Committee, which I co-chair with Roger Baker, CIO of 
the Department of Commerce, and Fernando Robano, CIO of the 
Department of State. Our committee is developing a set of 
products that we believe will augment and accelerate 
improvements in implementing adequate levels of protection in 
assuring appropriate privacy of Federal information and 
systems.
    I would like to submit for the record a brief summary of 
our committee activities.
    [The information referred to follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.014
    
    [GRAPHIC] [TIFF OMITTED] T7018.015
    
    Mr. Gilligan. I would also like to highlight a few of the 
committee's efforts. Our project to develop an Information 
Technology Security Maturity Framework is intended to help 
guide agencies and senior government officials in establishing 
and maturing an effective cyber security program. Following the 
example of the successful Software Capability Maturity 
Framework developed by Carnegie Mellon University, the 
Information Technology Security Maturity Framework recommends 
the building block approach to security.
    Emphasis is placed at lower levels on critical foundation 
activities, such as documented policy, and clearly defined 
assigned responsibilities, as well as robust training and 
security assessment of progress. I have brought a display that 
summarizes the six levels of security maturity described in the 
draft framework. The Security Committee believes that all 
agencies should be working toward achievement of level 2 in the 
near term.
    This level describes what is called a documented security 
program. It is based on policy and guidance from the General 
Accounting Office, the Office of Management and Budget, and the 
National Institute for Standards and Technology. The committee 
is working to develop specific evaluation criteria, a checklist 
guide that could be used for level 2, as well as further 
definition of level 3.
    We have invited the Software Engineering Institute and the 
General Accounting Office to participate in the refinement of 
the framework. The committee also has initiatives in the 
development of a tool that will allow us to identify and make 
available the Federal agency's best security practices. We are 
developing sample agency policies and guidelines dealing with 
security and privacy.
    We are working to accelerate the use of so-called public 
key encryption. We are working with the Information Technology 
Association of America in the development of security solution 
benchmarks, linked to common electronic services such as 
financial track statues with the public, benefit inquiries over 
the web, and electronic submission of contractor pricing 
proposals.
    I would like to conclude my remarks with some 
recommendations from my perspective as co-chair of the 
Security, Privacy, Critical Infrastructure Committee. The first 
two recommendations deal with funding for security. First, I 
recommend that organizations specifically identify and analyze 
their expenditures in cyber security. In this regard, I suggest 
that we work with the government and industry to establish and 
refine benchmarks against which line managers can assess 
whether their investment is comparable to similar 
organizations.
    Work by the Gartner Group suggests that a reasonable range 
for cyber security spending is somewhere between 1 and 5 
percent of an organization's spending for information 
technology. Second, I would recommend consideration of 
increased funding for a set of governmentwide security 
initiatives that are focused not on multi-year research or 
product development, but on short-term immediate operational 
benefits for Federal agencies.
    I note that most of our CIO Council cyber security efforts 
are focused toward ongoing operational support. Furthermore, I 
recommend that we continue to tightly tie our cyber security 
efforts with other initiatives to improve overall management of 
information technology resources from an enterprise 
perspective.
    Finally, I suggest that we continue to focus our education 
efforts toward government managers. I believe managers need to 
know how to make risk tradeoffs. What they need is greater 
awareness of their responsibility in managing information 
technology as a strategic resource, as well as simple 
benchmarks and metrics, such as funding levels and a maturity 
framework, against which they can evaluate organization-
specific risks, as well as the progress of their cyber security 
programs.
    This concludes my testimony. I look forward to your 
questions.
    [The prepared statement of Mr. Gilligan follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.016
    
    [GRAPHIC] [TIFF OMITTED] T7018.017
    
    [GRAPHIC] [TIFF OMITTED] T7018.018
    
    [GRAPHIC] [TIFF OMITTED] T7018.019
    
    [GRAPHIC] [TIFF OMITTED] T7018.020
    
    [GRAPHIC] [TIFF OMITTED] T7018.021
    
    [GRAPHIC] [TIFF OMITTED] T7018.022
    
    [GRAPHIC] [TIFF OMITTED] T7018.023
    
    [GRAPHIC] [TIFF OMITTED] T7018.024
    
    Mr. Horn. Thank you very much, Mr. Gilligan.
    Our next witness is Ms. Karen Brown, the Deputy Director, 
National Institute of Standards and Technology, otherwise known 
as NIST. With the Weather Bureau there, I wonder why we cannot 
be MIST? Anyhow, the Department of Commerce. Thank you for 
coming.
    Ms. Brown. Thank you.
    Thank you Mr. Chairman and members of this subcommittee for 
the invitation to speak to you today about computer security 
issues. Computer security continues to be an ongoing and 
challenging problem that demands the attention of the Congress, 
the executive branch, industry, academia, and the public. 
Computer security is not a narrow technical concern.
    The explosive growth in electronic commerce highlights the 
Nation's ever-increasing dependence upon the secure and 
reliable operation of our computer systems. Computer security 
has a vital influence on our economic health and our Nation's 
security, and we commend the committee for your focus on this 
security. Today, I would like to address NIST computer security 
activities that contribute to improving computer security for 
the Federal Government and the private sector.
    I would also like to briefly describe for you our proposed 
new program activities for next year. Under NIST statutory 
responsibilities, we develop standards and guidelines for 
agencies to help protect their sensitive, unclassified 
information systems. In meeting the needs of our customers in 
both the public and private sector, we work closely with 
industry, Federal agencies, testing organizations, standards 
groups, academia, and private sector users.
    As awareness of the need for security grows, more secure 
products will be demanded in the marketplace. Addressing 
security will also help ensure that electronic commerce growth 
is not limited because of security concerns. What does NIST do 
specifically? To meet these responsibilities and customer needs, 
we first work to improve the awareness of the need for computer 
security, which is an ongoing effort.
    Additionally, we research new technologies and their 
security implications. We work to develop security standards 
and specifications to help users specify security needs, and 
establish minimum security requirements for Federal systems. We 
develop and manage security testing programs in cooperation 
with the private sector to enable users to have confidence that 
a product meets a security specification.
    We also produce security guidance to promote security 
planning and secure system operations and administration. I 
will briefly discuss the need and benefits of each. First, 
there is a need for timely, relevant, and easily accessible 
information to raise awareness about risk, vulnerabilities, and 
requirements for protection of information systems. This is 
particularly true for new and rapidly emerging technologies 
which are being delivered with such speed in the Internet age.
    We host and sponsor information sharing among security 
educators, the Federal Security Program Managers' Forum, and 
industry. We seek advice from our external advisory board of 
computer experts. We meet regularly with members of the Federal 
computer security community, including the Chief Information 
Officer of the Security Committee, and the Critical Information 
Assurance Office.
    We actively support information sharing through our 
conferences, workshops, webpages, publications, and bulletins. 
A second need is for research on information technology 
vulnerabilities and cost effective security. When we identify 
new technologies that could potentially influence our customer 
security practices, we research these technologies and their 
potential vulnerabilities.
    We also work to find ways to apply new technologies in a 
secure manner. The solutions we develop are made available to 
both public and private users. Research helps us to find more 
cost effective ways to implement and address security 
requirements. The third is the need for standards and for ways 
to test that standards are properly implemented on products. 
For example, cryptographic algorithms and techniques are 
essential for protecting sensitive data and electronic 
transactions.
    NIST has long been active in developing Federal 
Cryptographic Standards and working in cooperation with private 
sector voluntary standards organizations in this area. We are 
currently leading a public program to develop the Advanced 
Encryption Standard [AES], which will serve 21st Century 
Security needs. Another aspect of our standards activity 
concerns public key and key management infrastructures.
    We have been actively involved in working with industry and 
the Federal Government to promote the security and inter-
operability of such infrastructures. Standards help users to 
know what security specifications may be appropriate for their 
needs. Testing complements this by helping users have 
confidence that security standards and specifications are 
correctly implemented in the products they buy.
    Testing also helps reduce the potential vulnerabilities 
that products contain that could be used to attack systems. For 
over 5 years, we have led the Cryptographic Module Validation 
Program, which has now validated about 90 modules, with another 
50 expected this year. This successful program utilizes private 
sector accredited laboratories to conduct security conformance 
testing of cryptographic modules against the Federal standard 
we developed and maintain. Many of these activities are being 
done in cooperation with the Defense Department's National 
Security Agency in our National Information Assurance 
Partnership.
    The goal is to enable product developers to get their 
products tested easily and voluntarily, and for users to have 
access to information about test products. Under this program, 
we have also led the development of an international mutual 
recognition arrangement, whereby the results of testing in the 
United States are recognized by our international partners, 
thus reducing costs to the industry.
    Advice and technical assistance for both government 
organizations and private sector is the fourth need. While I 
have given you a few examples of NIST work, I obviously have 
not covered everything. I want to emphasize there is still much 
more to be done. Please keep in mind that approximately $6 
million of direct congressional funding supports both our 
Federal and industry computer security responsibilities. This is 
plainly not enough.
    Thank you.
    [The prepared statement of Ms. Brown follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.025 through T7018.029
    
    Mr. Horn. Thank you very much. That was very helpful 
testimony. We now go to our last witness on this panel. I must 
say, Mr. Pethia, everywhere I talked and saw people in the last 
3 weeks putting this panel together, the first magic word was 
Carnegie Mellon. So, we are glad to have you come here. We hope 
to visit your campus sometime. You can show us around.
    Mr. Rich Pethia is the director, Computer Emergency 
Response Team Coordination Centers, Software Engineering 
Institute at Carnegie Mellon University in Pittsburgh.
    Mr. Pethia. Mr. Chairman and members of the subcommittee, I 
would like to thank you for the opportunity to come and talk to 
you today about computer security. Today, I would like to 
describe a number of the trends that impact security on the 
Internet. I will illustrate the results of those trends and 
then outline some steps that I think will help us all 
effectively manage the increasing risk of damage from cyber 
attacks.
    My perspective comes from the work that we do with the CERT 
Coordination Center. The Center is chartered to respond to 
security emergencies on the Internet, and to work with both 
technology producers and technology users to facilitate 
response to major security problems. Since 1988, we have 
handled over 24,000 separate security incidents, and analyzed 
more than 1,500 separate computer vulnerabilities.
    The current state of Internet security is cause for 
concern. The vulnerabilities associated with technology used on 
the Internet put government, business, and individuals at risk. 
Security is influenced by many factors. An organization that 
wishes to improve its security has to deal with a lot of 
issues. First of all, the Internet itself is growing at an 
amazing rate.
    As the technology is being distributed, so is the 
management of that technology. System administration and 
management often fall upon people who do not have the training, 
skills, resources, or interest needed to operate their system 
securely. This problem is about to get worse, now that we have 
direct Internet connections to homes, schools, libraries, and 
other venues that do not have trained security staff.
    These always-on rarely protected systems will allow 
attackers to continue to add new systems to their arsenal of 
captured weapons. Intruder tools are becoming increasingly 
sophisticated and also becoming increasingly user-friendly and 
widely available. This technology is evolving like any other.
    Sophisticated developers of intruder programs package their 
tools in user-friendly forms and make them widely available. As 
a result, even unsophisticated intruders can use them.
    On the technology side, when vendors release patches or 
upgrades to solve security problems, organizations' systems 
often are not upgraded. The job may be too time consuming, too 
complex, or just too low a priority for the system 
administration or staff to handle. There is little evidence of 
improvement in the security features of most products. Today, 
we continue to receive new vulnerability reports in second 
generation and third generation products.
    Developers are not devoting sufficient effort to apply 
lessons learned about the sources of vulnerabilities and doing 
the engineering work necessary to remove them. Finally, 
engineering for ease of use is not being matched by engineering 
for ease of secure administration. Today, we would all find it 
ludicrous if, to safely operate and drive an automobile, a person 
had to be a master mechanic.
    Yet, today we expect our computer users and novice system 
administrators to have detailed technical knowledge of all the 
intricacies and nuances of the technology. We are simply 
developing technology that is not fit for use in today's 
environment. Because of these and other factors, organizations 
and individuals who are using the Internet become vulnerable to 
various kinds of cyber attack, including the denial-of-service 
attacks that were widely publicized in February.
    The key point about this attack, this attack type, is that 
although an organization may be able to harden its own systems 
to help prevent having its systems used as a part of a 
distributed attack vehicle, there is essentially nothing a site 
can do with currently available technology to prevent becoming 
a victim of these coordinated denial-of-service attacks.
    The best an organization can do today is get ready to 
respond and have its response capabilities in place, should it 
ever become the victim of one of these attacks. These attacks 
work by having intruders compromise vulnerable systems. They 
collect these vulnerable systems into aggregated attack 
networks. These networks act in unison to attack a single 
victim.
    The network can be activated remotely at a later time by a 
master computer. Communication between the master and the 
networks is encrypted, often making it difficult to locate the 
master. Once activated, these tools proceed on their own. They 
are rapidly evolving. Individual nodes in the attack network 
can be automatically reprogrammed to change the type of attack 
so that it becomes increasingly difficult to build defenses 
against this technology.
    Clearly, we have entered a new era in the Internet, where 
the power of the Internet itself is now being used to attack 
people who are connected to it. At the CERT, we constantly 
monitor trends and watch for new attacks and tools. We became 
aware of this new form of denial-of-service attack in late 
August, early September 1999. Denial-of-service attacks are not 
new.
    These kinds of attacks have been around since 1994, with 
significant increases in 1996 and 1998. By the end of 
September, it was evident that this was a new form of attack. 
It was something we had never seen before. We called together a 
workshop of 30 international experts who came together for 2 
days in Pittsburgh and produced a paper that explains the 
threat posed by these intruder tools, as well as guidance to 
organizations about how to protect themselves and be prepared, 
and how to be ready to respond.
    This paper, along with other advisories, was issued to the 
community in December. We have had a series of communications 
out to the Internet community. The problem is serious. It is 
complex. A combination of approaches must be used to reduce the 
risks associated with this ever-increasing dependence on the 
Internet. First of all, we need better ability to collect, 
analyze, and disseminate information on assurance issues.
    A lot of what we do today is reactive. We see a problem. We 
analyze it. We understand what just happened. That is no longer 
adequate. New forms of attack are now happening at Internet 
speed, both automated attacks, like these distributed denial-
of-service attacks, as well as new forms of viruses, such as 
Melissa that showed up in March of this year.
    Today, we need to find analysis methods that build a 
predictive early warning capability. We need to be able to 
understand what is going to happen before it happens, which 
means we need new ways of analysis. In addition, better 
attention must be paid to collecting information. There has been a lot 
of discussion and debate about instrumenting networks to 
collect data to watch the traffic on the network to anticipate 
what the problems might be.
    Certainly, there is a need to be concerned about privacy, 
but we have to find some way to balance our need to collect 
information about the operation of networks with our need to 
keep individual transactions and users' activities private. 
Until we get a better view into what is happening on our 
networks, we are going to have a very difficult time defending 
against new forms of attack.
    Third, we need to invest in better education and training 
to raise the level of security and security awareness. In 
particular, we need to focus on bringing the understanding of 
security issues to senior and middle management in government, 
as well as in industry. Until there is management commitment, 
and management commitment of resource to solve this problem, 
little is going to happen. Part of that includes encouraging 
the development of comprehensive security programs with well-
defined responsibilities for managers, users, and system 
administrators.
    Finally, all of this is only going to help us mitigate the 
problem, stem the flow of quality that we are having. It will 
not solve the problem. In order to get ahead of this problem, 
we need to support research and development activities that 
will lead to a new generation of technology on the Internet and 
other broad-scale networks: systems that are easier to secure, 
systems that do not require so much constant attention, systems 
that do not repeat the vulnerabilities of the past. The long-
term solution is better technology.
    That is going to take years. Until we get there, we need 
better management approaches. Thank you.
    [The prepared statement of Mr. Pethia follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.030 through T7018.130
    
    Mr. Horn. Thank you very much.
    We will now go to questioning. It will be 5 minutes to a 
side. We will get everybody in here in three rounds, if you 
need them.
    [Pause.]
    Mr. Horn. This looks like a vote.
    What I want to do is start on one issue. Then I will yield 
to Mr. Turner. As I listened to the comment about maybe we need 
a tzar in this area, usually my spinal column starts wiggling. 
As a student of Russian history, I keep wondering what happened 
to a lot of tzars and who is Rasputin in this operation? So, I 
guess I would ask, is the Koskinen model a good one for this?
    Now, with the Koskinen model, then when Mrs. Maloney and I 
wrote the President, then talked to him and said, look, you 
have got to get somebody to coordinate this effort. Some were 
waving the flag for a tzar. I was not. The way it worked out, 
one, the President picked a person that he had known before he 
was President and had trust in.
    No. 2, we made him assistant to the President, which is the 
highest rank you can have in the White House hierarchy. No. 3, 
he was not in OMB. He was housed near there. The President had 
him and the President spread the word to the Cabinet that this 
is serious business, when they finally got around to it.
    No. 4, they called on each of the Deputy Secretaries that 
really run departments and obviously involved the Chief 
Information Officers, who are the people we ought to be 
spending the time to be the managers they are supposed to be of 
communications and information in their particular agencies. 
So, I guess I would simply like to get the feeling of you as to 
whether that was a successful model that we could also apply to 
computer security and not have some tzar in OMB.
    Of course, as you know, I am trying to split the management 
part out of OMB. It might well roost there, but the fact is the 
model I think worked the way it did. I do not know if any of 
you want to take that and say, hey, there is another way to 
look at this. Go ahead. Mr. Gilligan.
    Mr. Gilligan. Sir, let me give you some perspectives. I 
think the model with the particular individual, John Koskinen, 
worked extremely well. I think there were a number of factors 
that made it work well, one of which was the personal 
characteristics and strength of John Koskinen. I think there 
were also some other factors that made it effective. That was 
the urgency and the immediacy of Y2K heightened the interest 
across the board.
    There was a need and a willing acceptance of someone to 
help lead the effort across government and across really the 
country. It is not clear to me that an exact parallel to that 
would work as effectively in computer security. I know that 
there has been some frustration, and there continues to be at 
all levels, with our difficulty of pulling together across-
government activities in this area.
    So, it is clear that we need to emphasize and we need to 
work in that area. Obviously it is something the CIO Council is 
trying to address, and yet we realize that we have limited 
abilities as well. So, while I would not specifically endorse 
the exact model, I think we need to continue to look for some 
way to better leverage our across-government efforts in this 
area as a part of our solution.
    Mr. Horn. Any other thoughts on this? Mr. Tritak.
    Mr. Tritak. I would agree with those comments.
    Mr. Horn. So, you would like that model?
    Mr. Tritak. I think what is intriguing about the Koskinen 
and the Y2K effort generally is, in many respects, the Y2K was 
your first critical infrastructure challenge to the United 
States. It had a lot of things going for it. First of all, 
there was a recognition. In fact, industry actually led the 
way. The government took a little while to get onboard.
    There was an acknowledgment of what the challenge was. 
There was a known problem. The people rallied for it. I think 
that when you look at the Koskinen model, it is important to 
look at what the factors of success were. You have identified 
quite a few of them. He was viewed as having the authority. He 
worked very closely with the Cabinet. The Cabinet knew that 
when he walked into the room, who he was, and what he stood 
for.
    We certainly cannot under-emphasize the importance of a 
leadership and view it as someone who is speaking with 
authority on behalf of the President; especially when you are 
talking about across-agency issues, which critical 
infrastructure really is all about. If you look at the way this 
has evolved, there was a time probably when the Computer 
Security Act was actually passed where you could talk about a 
computer system within an agency. It was that agency's system.
    Now, you are looking more at an interconnected set of 
systems. You have to ensure, in terms of the government as a 
whole providing a service to the Nation, that you have strong 
links across government agencies, as well as within them, so 
that you do not create weak links in the chain. Now, with that 
said, I think that we have to look very closely about how the 
challenges, as ongoing, differ from the Y2K experience before 
you talk about institutionalizing a new position.
    I think certainly some of the ingredients that you 
indicated bear close scrutiny and attention on that. In fact, 
you could make the case that, that kind of leadership becomes 
even more essential in some regards when the known threats are 
not as immediate, but you know they are out there and they 
could happen at any time as opposed to a date-specific.
    Mr. Horn. Any other comments on this?
    I will yield 5 minutes to the gentleman from Texas. If you 
would like, we could recess now to go vote, and then come back, 
and then start with your 5 minutes. Is that OK with you?
    Mr. Turner. That is fine.
    Mr. Horn. OK. We are going to be in recess then for 20 
minutes so we can get these two votes.
    [Recess.]
    Mr. Horn. This subcommittee will be in order. We will 
proceed with the questioning. It is 5 minutes for Mr. Turner, 
the ranking member from Texas.
    Mr. Turner. Thank you, Mr. Chairman.
    I appreciated your comments. I really get the impression 
that what you were saying to us is that there is a lot of work 
that has got to be done in the area of new technology before we 
will ever have any hope of really having a secure Internet. I 
guess I was kind of curious as to what types of things you are 
talking about? We made the comparison a minute ago to the Y2K 
problem.
    To me, what we are talking about today dwarfs the Y2K 
problem. In that arena, we had a date certain we were working 
toward. We knew if we made it past that date, we had succeeded. 
The government was able to provide a coordinating role for both 
the public and the private sector. This challenge seems to be 
so much greater. When you say we need better technologies, what 
kinds of things are we talking about?
    Mr. Pethia. First of all, the driving factor behind my 
belief is that more and more devices attached to Internet are 
going to become consumer items. I think we are already there 
with personal computers. We are almost there, even with some 
devices like routers and firewalls, when you think about 
having these things installed in libraries, in doctors' 
offices, and in places where you would not expect to find 
someone with a degree in computer science.
    That is going to continue. We are going to have all kinds 
of devices at home. We are going to have hand-held portable 
units. We are going to have cell phones connected, as we 
already do, into the Internet. So, from one perspective what we 
need to do is to make security much simpler than it is today. 
You can configure a very secure personal computer, be it a Unix 
box or a Microsoft Windows box.
    All of the mechanics are there to do that, but it is not 
easy. It takes a lot of understanding and a lot of knowledge. 
Not only do you have to get it right the first time, you have 
to keep it that way over time as you add new applications into 
your personal computer. So, if you think back to the 1960's 
when all computers were hard to use in all kinds of ways, the 
industry responded very well with a lot of research and 
development in ease of use; in fact, ease of use was the 
buzzword for the industry back then.
    We need the same effort today, in terms of security 
controls and security mechanisms. Bring those controls and 
mechanisms to the point where the average user could use them. 
I think that is sort of a near-term, by ``near-term'' I mean a 
2- to 3-year effort that could show some results, significant 
results, major results in that period of time.
    Mr. Turner. I forget the name of the group or company that 
is certifying whether something is secure or not. I read about 
it somewhere. Is that the kind of thing that would motivate the 
private sector to be sure they develop their products in a way 
that they can be secure?
    Mr. Pethia. I think that kind of thing will certainly help. 
I think the tension is going to be between the length of time 
it takes to do the evaluations and the market forces that keep 
driving new products. Very often, the situation of doing an 
exhaustive evaluation takes time. By the time you are through 
with that evaluation, the marketplace has already moved on to 
the next generation of products. I think we have to struggle 
with that issue.
    Mr. Turner. That seems to be one of my greater concerns 
because this field moves so fast. It is always the private 
sector that is moving forward. We had some government effort 
over there, though it is not in one place right now. It seems 
that the government effort, even if we consolidate it, is 
always going to be a step behind what is really going on in the 
private sector.
    So, it is forcing you to try to think of private sector 
incentives to try to make this all happen. I cannot get it in 
my mind that the government is going to be able to keep up with 
it.
    Mr. Pethia. I think the private sector interest is rising. 
I think as more and more damage happens on the Internet, people 
are going to begin to understand that investing in security is 
something they are going to need to do in order to keep their 
businesses operational. So, I think that is happening. I see a 
big increase in private sector interest today, over just a year 
ago. That trend has been going on for several years.
    I think the marketplace, in my opinion, has become 
complacent. The marketplace is currently accepting whatever the 
vendors produce. I think an awareness campaign and an 
understanding that technology can be changed; technology does 
not have to be the way it is today is something that would help 
move, first of all, the consumer to a better understanding of 
the kind of quality the consumer should expect from a product.
    Then finally, the technology producers, as they begin to 
see a marketplace for that new product, to begin to produce. 
There is a place where I think government campaigns focused on 
broad-scale awareness, understanding, helping the consumer, 
both in government and outside government, understand that 
technology possibilities exist beyond what we have available to 
us today, I think, would go a long way to spur that kind of 
effort.
    Mr. Turner. Is it a reasonable suggestion to think in terms 
of a second Internet? After all, we are even getting to the 
point where much of what takes place can even be done in a 
wireless mode. Is there a reason to consider that there could 
be more than one Internet? That there are secure Internets so 
that we can solve some of our national security type problems 
and others in a way that we know that we are protected?
    Mr. Pethia. Certainly, I think there are some needs for 
high security in some applications where those networks and 
systems will remain isolated and should remain isolated from 
the broad Internet. I think the last 10 years of history has 
told us that the Internet is going to continue to evolve. It is 
going to continue to lure people because of the broad 
connectivity that is available over the Internet, and also 
because of the dramatic lower cost of operating on this huge 
network where everybody shares the expense.
    I think the economics are going to continue to push most 
organizations toward the Internet. I think the challenge, 
rather than trying to isolate from the Internet, is how do we 
go about fixing the Internet so that we can all enjoy the level 
of security that we need?
    Mr. Turner. Your effort at Carnegie Mellon, through the 
Computer Emergency Response Team, seems to me to be an 
excellent private sector initiative. Do you think government is 
capable of duplicating that or will it be best left to efforts 
like yours?
    Mr. Pethia. I think it is going to take a combination of 
efforts. There are within the government a number of computer 
emergency response teams in the DOD, in the Department of 
Energy, and in some of the other agencies. There is the FedCIRC 
activity which we actually participate in. So, I think there is 
a large government effort there. One of the advantages that I 
think we have is that in addition to the reactive work that we 
do, we are also housed in a research university.
    So, in the private sector where you can have these kinds of 
reactive capabilities to help us understand what the problem 
is, but also marry with that a research and development 
capability we can move toward solution. That, I think, is a 
good combination. So, there perhaps is a way where government 
can team with organizations in the private sector, with the 
government doing some of the response reactive work, ensuring 
that they have close working relationships with technology 
researchers so that the researchers really understand what the 
real problems are.
    Mr. Turner. Thank you, Mr. Chairman.
    [The prepared statement of Hon. Jim Turner follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.131
    
    [GRAPHIC] [TIFF OMITTED] T7018.132
    
    [GRAPHIC] [TIFF OMITTED] T7018.133
    
    [GRAPHIC] [TIFF OMITTED] T7018.134
    
    Mr. Horn. I thank the gentleman.
    Now, I yield to the gentlewoman, the vice chairman from 
Illinois, Mrs. Biggert to question the witnesses for 5 minutes.
    Mrs. Biggert. Thank you, Mr. Chairman.
    If I could ask unanimous consent to include my opening 
statement.
    Mr. Horn. Without objection, it will be so ordered as read 
at the beginning, after Mr. Turner's opening remarks.
    Mrs. Biggert. Thank you.
    This is a question for all of you. What is the real threat 
from cyber terrorists to the Federal agencies' mission critical 
systems? I know that is a broad question, but how does the 
administration's recently released National Plan for 
Information Systems Protection address the plans to mitigate 
these terrorist threats? I think when we were talking about 
Y2K, we had our mission critical systems. I think that was what 
was really addressed there. First of all, is there a threat 
from the terrorists?
    Mr. Tritak. Well, I think the national plan makes clear 
that the threats posed by cyber terrorists as well as nation 
states is growing. I would urge you, if you have not already, 
to get a briefing by Mr. Michael Vatis at the National 
Infrastructure Protection Center who could give you a lot more 
detail, an appropriate level of detail than I can get into. One 
of the reasons for PDD-63 stemmed from a Presidential 
commission which asked the question, what are the new threats 
to the Nation? The cold war is over. It is unlikely that anyone 
would be foolish enough again to take on the United States with 
armed forces. So, what are they?
    That question was initially prompted, of course, by a 
number of events that were happening in the mid-1990's, the 
Towers' bombing, Oklahoma City. What is going on here? The 
recommendation of that commission was to say that the critical 
infrastructure of this country are increasingly becoming 
vulnerable to types of attacks that could be delivered over the 
information super highway.
    Why? Because as was indicated earlier, traditional 
infrastructures are increasingly relying on computer networks, 
not only to receive e-mail, but actually perform operational 
functions of their business. As you move further and further 
into deregulation, the need to cut your costs to make the 
margins up, you are going to be relying more and more on 
information technologies to perform functions which 
traditionally may have been performed by manual labor for 
example.
    Also, in the past, if a computer operational system went 
down, say in the electric power industry, they have ways of 
shifting over to manual type responses in order to keep the 
flow of services going. Now, over the long-term, more and more 
of those primary functions are performed by information 
technology, and if those systems are then networked either 
through the Internet or some wide area network systems, the 
potential for someone being able to get in and cause damage 
increases.
    Now, I am glad you also mentioned the critical systems 
because this is a very important thing about critical 
infrastructure assurance. What we are concerned about are those 
systems within our critical infrastructures which, if 
disrupted, could cause immediate and significant harm to the 
Nation's security, its economy, or the health and welfare of 
its people. If someone means to do harm, they are going to want 
to leverage their efforts to find weak links in the chain.
    So, one of the purposes of the effort that is outlined in 
the national plan is to begin to raise this issue with industry 
to make clear that this is more than just a hacking problem. 
Frankly, they deal with that now. They know that they are being 
hacked. Their websites are being looked at. The idea that if 
more and more of their business relies on information 
technology, for example, banking and finance, e-commerce, where 
the very nature of the revenue stream turns on information 
technologies. This is a different problem.
    The same thing within the Federal Government. There was a 
time when you could talk about a computer system within the 
Federal Government and it was the agency's system. It was 
insular. It was self-contained. Now, like everywhere else, you 
are getting inter-connectivity between agencies. They are 
depending on different services, both within government as well 
as outside of government.
    This inter-dependency is one of the newer challenges. An 
agency can get their security concerns right, but if they are 
dependent upon systems which do not have their security right, 
that is where the vulnerability lies. Your types of attacks 
which, again, Mr. Vatis will be in a better position to talk 
to you about this, they are looking for the weak links. They 
are not simply going to willy-nilly take on any piece of the 
information infrastructure. They are going to look for where 
the highest value payoff is going to come from.
    Mr. Gilligan. I think Mr. Tritak has done a good job of 
summarizing the significance of the threat and many of the 
characteristics that contribute to it. I would only add a 
couple of thoughts. One, I think it is not just linkages 
between agencies, but linkages within sites and within agencies 
where you find I think unknowingly our interconnection.
    We are just about intermeshed in our network connectivity 
among systems that we have the same vulnerabilities. I think 
second, we really, in my view, have kind of two tiers of 
threat. Unfortunately, a lot of our emphasis and visibility is 
on what I will call the lower tier, which is a very 
unsophisticated, but today, because of the vulnerabilities, is 
ineffective and gets a lot of visibility.
    Now, I think there is one that is much more sophisticated. 
We only get glimpses of it. In many cases, that is something we 
do not share a lot of insight. It is almost masked. That is, we 
are seeing some of these lower sophistication threats. That is 
what we are focusing a lot of attention on. I think we need to 
because you need to dampen those out of the system before you 
can really start to focus and then get the protection that you 
need to address the more sophisticated attack.
    Ms. Brown. Well, I think both gentlemen have done a really 
good job. I would only add that I think one of the key 
challenges is not just today's problem, but the ongoing 
problem. There is new software every month. There are new 
systems every month. So, there is not a single fix, as in the 
Y2K, as Mr. Turner and everyone has talked about. There was a 
single crisis. There was a single thing that we had to fix.
    This is going to be an ongoing problem, and ever more 
difficult in many ways to stay on top of as we become more and 
more global. So, we need to look at what can we do today, but 
also on the more fundamental things to make our systems 
fundamentally secure. How do we design the systems and how do 
we design the software so it is not up to the user to fix and 
put the patches, which will always be there? Somehow, how do we 
fundamentally make the system more robust?
    Mr. Pethia. I am building briefly on Mr. Gilligan's 
remarks; this idea of two tiers of threat. At the lowest level, 
and one of my big concerns, and the reason that I am advocating 
for increased emphasis on analysis, capability, and data 
collection is that the low-level threat, the amount of noise 
generated by that threat is now so huge. We literally get 50 
new incidents reported to us every day. We are only 1 of 90 
emergency response teams, as well as a number of government 
agencies who focus on this issue.
    There is so much activity out on the network today. It is 
very difficult to pull out from all of that noise the one or 
two key things that you really need to pay attention to. In 
order to stay ahead of this problem, I think we are going to 
need to become much more sophisticated in the way we collect 
and analyze incidents data. So we can look for those key 
indicators that there is something really significant going on.
    Mrs. Biggert. Thank you. Thank you, Mr. Chairman.
    Mr. Horn. Thank you. May I suggest that if we have some 
additional questions, that we have a time problem here. A 
number of us are involved in things that just go every 15 
minutes, starting at around 12:05 p.m. So, if you do not mind, 
we would like to submit some of these questions, I know that I 
have, to you. Take your time, but we would love to have them in 
the record at this point, your best thoughts, if that is OK 
with you.
    [The information referred to follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.135
    
    [GRAPHIC] [TIFF OMITTED] T7018.136
    
    Ms. Brown. Thank you very much for the opportunity.
    Mr. Horn. Well, we thank you. The chart here I particularly 
want your comments. That is our question 5, for the majority. I 
think you have it. Now, this was prepared by counsel, Mr. Ryan. 
He is 100 percent Irish. I am only 50 percent Irish. It is not 
even St. Patrick's Day. I look at that. I looked for Jesse 
Jackson on the floor. It looks like the Rainbow Coalition. He 
is serious about this and we are.
    So, we would like your best shot at it, in terms of all of 
these organizations and how they can work on computer security 
issues. The key question still remains on who is coordinating 
this operation? Are there various ways, given the private 
sector, the Federal sector, the State sector, the local sector, 
the non-profit sector? So, if you would struggle a little with 
that, we would appreciate it.
    Well, thank you very much for coming. We will now swear in 
the next panel.
    Mr. Horn. We have Mr. Jim Gerretson, Director of 
Operations, Information Assurance, ACS Defense, Inc.; Mr. Mark 
Rasch, senior vice president and legal counsel, Global 
Integrity Corp.; and Mr. James Adams, chief executive officer, 
iDEFENSE.
    Gentlemen, if you will just stand and raise your right hands.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note all three witnesses affirmed. 
We will begin, Mr. Gerretson with you. It will be 5 minutes for 
a summary. We are going to have to stick to that. We all have 
your papers. If you were not in the room, they automatically go 
in at this point in full. If you can give us a summary, and 
then we would like to have some questions before noon. Then we 
are going to have to break.
    So, Mr. Gerretson, it is all yours.

     STATEMENTS OF JIM GERRETSON, DIRECTOR OF OPERATIONS, 
 INFORMATION ASSURANCE, ACS DEFENSE, INC.; MARK RASCH, SENIOR 
 VICE PRESIDENT AND LEGAL COUNSEL, GLOBAL INTEGRITY CORP.; AND 
         JAMES ADAMS, CHIEF EXECUTIVE OFFICER, iDEFENSE

    Mr. Gerretson. Mr. Chairman and members of the committee, 
thank you for giving me the honor of testifying today. I am 
here today to give you a brief presentation on hacking. We 
believe that in order to start to fix your systems and 
networks, that you have to understand the enemy, and hackers 
really are the enemy. The following presentation will take you 
briefly through what we call the hacker protocol and 
demonstrate just some of the tools and techniques used by 
hackers to gain access to your systems.
    All of the tools that you are going to see today are freely 
available on the Internet or you can go to a local computer 
show on a weekend and, for $10 per CD, buy a full CD of 
different types of hacks. The current data base that we have 
contains over 3 gigabytes of data. What you see on the screen 
before you is what we call the hacker protocol. Different 
people may use different terms, but professional hackers in 
nation states that implement hacking as warfare do follow the 
same concepts.
    The thing that is important to recognize here is this is 
highly structured in its approach and in its planning. A good 
hack, for better or for worse, is invariably a well-thought-
out, well-executed operation.
    Mr. Horn. I might add on that very useful chart that, that 
will be placed in the record at this point, without objection. 
All other charts will be put in appropriately where they have 
been used by the witness or the staff. So, all of those charts 
will go in the final hearing report.
    Mr. Gerretson. Thank you, sir.
    [Slide shown.]
    Mr. Gerretson. The first phase of the hacking protocol is 
intelligence gathering. This is primarily an espionage 
operation. There are many facets to it. Social engineering is a 
large part. I may act as a user calling up a help desk and say 
I have forgotten my password. Help desks are set up to be very 
helpful. They will frequently say, the default password is, or 
your network is. So, I get a lot of information that way.
    Open source materials such as newspapers, prospectuses, and 
library magazine articles are also a wonderful way of getting 
information. You hear the term a lot, but ``dumpster diving'' 
is also a very popular way of getting information on your 
system.
    [Slide shown.]
    Mr. Gerretson. Once we have done the intelligence 
gathering, the next step is to do reconnaissance. Again, to 
define the target. Your domain host is the name of your 
computer system on the network. I want to know what I have got, 
see if I can attack it, and how I can attack it. This is what 
we are going to show you. It is a freely available program 
called NMAP. We are going to take that information that we have 
gathered and scan your network to determine what is there. The 
program that we are using is called Ping Sweep.
    [Slide shown.]
    Mr. Gerretson. In simple terms, my computer is going out to 
your network and saying, hello, are you there? Your computers 
are coming back and saying, yes, I am. What you see here, with 
these being listed, are computer targets that have come back 
and said, I am here. What we have now done is identified a 
target set. We are not wasting our time.
    [Slide shown.]
    Mr. Gerretson. The next slide, we are going to take one of 
those targets that we have identified and go and look for 
additional information. What we are trying to do is find out 
what services are open, as you see, I am pointing out. These 
are all considered services on a computer. This one, for 
example, is finger, which we will talk about in a second.
    What we are doing is finding a means to attack your system. 
We are also going to go out to try to find out the operating 
system that your computer is running which is again identified. 
Once we have this information, we can now go and do specific 
probes. What we are going to do is take that information and 
look for a way to get into your system.
    [Slide shown.]
    Mr. Gerretson. This presentation that we are going to show 
you now is one of the tools called Finger. It is an information 
gathering tool; you are seeing it used in a way it was never 
intended to be used. In order to attack and control the system, 
you need three things. You need a valid user name. You need a 
valid password, and you need a host address from the computer 
system that is allowed to talk to you.
    If you look across here, as I am highlighting ``student 
one,'' I now have a valid ID and I now have a valid computer 
system that I am talking from. I have two of the three items 
that I need to attack this system.
    [Slide shown.]
    Mr. Gerretson. This next scan, web servers as we are all 
aware, are a wonderful target for attack. It used to be that in 
order to do the attack, I had to know all of the systems and 
all of the vulnerabilities. Now, I have a tool that will run it 
for me automatically. It requires very little work on my part. 
It identifies the server type that is running and will simply 
go out and scan all of the CGI weaknesses on this web system. I 
do not even have to know what these systems are now.
    I do not have to know what these vulnerabilities are. It 
just tells me it finds one. I go out to my tool kit, pull in 
this particular attack and away I go. Once we do that, we are 
trying to get a toehold on the system. This is basically I just 
get into your box any way I can. I cannot control the data. I 
do not need it, but I am on it and it gives me the next step.
    [Slide shown.]
    Mr. Gerretson. The next step is to go from just being a 
user into what we call the root or administrator level of the 
system then we really do own this box. I am going to skip this 
example.
    [Slide shown.]
    Mr. Gerretson. We are going to go and actually break into 
this system and take it over. It acts as a user system. What 
this program does is it shows us actually going in and doing an 
attack on the system that in a matter of about 15 seconds turns 
us into the root administrator of the box, simply from being a 
user. Once we have gotten control of the system, there are a 
lot of things we can do.
    We could kill this box. We could take the information. But 
what we do want to do is use it again later. So, we are going 
to hide our track. We do not want people to know we are there. 
We can do that by deleting files or modifying log files. We are 
going to show you a quick example of how we just simply modify 
a log file.
    [Slide shown.]
    Mr. Gerretson. This is a program called Wipe. We have a 
user account. We are called ``Reacher.'' We get into the 
system. If the system administrator were to check his logs, he 
would say, why is this guy here. But we have gone and wiped it. 
We are no longer there. We are now invisible to the person that 
runs this machine.
    [Slide shown.]
    Mr. Gerretson. We can put Trojans on the system. A Trojan 
is a program that will look like something that is a valid 
program that is supposed to be there, but in effect it is a 
program that does a lot of bad things. In this brief example, 
listen. We can record every keystroke you type on the system. 
We can turn on your sound system. So, if you have a microphone, 
we can record everything that is said in the area, and you will 
never know what happened.
    [Slide shown.]
    Mr. Gerretson. Now, sounds bad and it gets worse. I will 
make a bold statement that if you are connected to the network, 
and if I have enough time and want to make the effort, I can 
hack you. The only surefire way to protect your system is to 
disconnect it from the network. Take out your floppy. Take out 
your CD and then lock it up in a secure room. Anything short of 
that, eventually it can be had.
    It sounds pretty bad, but there is hope. It is not all bad; 
just mostly bad. The first thing is you have to have a 
vulnerability assessment. You have to know what your security 
posture is. Second, we believe in the defense-in-depth 
approach. It is vital. There is no single solution to make your 
system secure. You have to have layered approaches that 
complement each other.
    The next thing, training is the key. As the earlier 
witnesses said, there are good people out there, but they just 
do not understand security. One of the key things to recognize 
is the solution that works today may not work in 6 months. You 
will never have a final solution. You are constantly 
reassessing.
    Thank you for your time.
    [The prepared statement of Mr. Gerretson follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.137
    
    [GRAPHIC] [TIFF OMITTED] T7018.138
    
    [GRAPHIC] [TIFF OMITTED] T7018.139
    
    [GRAPHIC] [TIFF OMITTED] T7018.140
    
    [GRAPHIC] [TIFF OMITTED] T7018.141
    
    [GRAPHIC] [TIFF OMITTED] T7018.142
    
    Mr. Horn. Thank you very much.
    We now have our second witness, Mr. Mark Rasch, who is the 
senior vice president and Legal Counsel for the Global 
Integrity Corp. Perhaps you would like to tell us a little bit 
about the corporation.
    Mr. Rasch. Yes, thank you, Mr. Chairman.
    I work for Global Integrity Corp. It is a company that does 
information security consulting work for the private sector. 
So, our clients tend to be things like banks, insurance 
companies, Fortune 100 companies that take the problem of 
information protection. Notice I used the term ``information 
protection'' and not computer security. They take that problem 
seriously.
    What we are trying to protect here is not the computers 
themselves, but the information that is contained on those 
computers. So, the perspective that I bring is what the private 
sector sees as the problem and what the private sector is 
trying to do itself to try to solve the problem. One of the 
things we noticed is that the Commerce Department issued a 
report in the last couple of days that indicates that U.S. 
retail e-commerce sales for the fourth quarter of 1999, that is 
October through December, was about $5.3 billion.
    What has happened is this Internet that we created 20 years 
ago is being asked to do something that it was never designed 
to do. That is to support a national economy; to support a 
national infrastructure that it was never designed to do. So, 
what happens is we have this distributed computer network, 
which was essentially unsecured. All of the security to that 
network is essentially added afterwards.
    That is being designed now and being asked to protect the 
critical infrastructure. The attacks that we saw a few weeks 
ago against Yahoo, Ebay, and others also demonstrated another 
problem. As a lawyer, this is one that concerns me much more 
than what concerned me about the year 2000 bug problem, from a 
litigation standpoint. That is that we are only as secure as 
everybody else on the Internet.
    As the previous panel discussed, these are targets of 
opportunity. People attack systems because they can get in. 
They attack the ones that they feel that they can get into. 
Also, the fact that even if you have done stuff to harden your 
system, people will break into other people's systems and use 
those to attack you. So, what we have is a serious looming 
litigation problem, or what we would call downstream liability.
    If you are attacked by somebody and the attack is coming 
from another corporation that did not secure the systems, and 
you go to your lawyer and ask, can we sue, which is always the 
dumbest question to ask a lawyer because the answer is always 
yes. The question is who are you going to sue, the 17- or 18-
year-old hacker, if they are ever identified, or the 
corporation from whom you are attacked?
    So, the idea of a worldwide web that is dependent upon the 
security of everybody else creates targets of opportunities, 
not just for hackers, but for lawyers as well. One of the 
problems also that we have seen is a massive increase, not only 
in the use of the Internet and the use of the Internet for 
electronic commerce, but of these types of criminal activity.
    For example, from 1998 to 1999, theft of intellectual 
property increased from 15 percent. Unauthorized access by 
hackers from inside is up 28 percent. Insider abuse to the 
Internet is up 17 percent. System penetration by external 
parties increased 32 percent. Why is this happening? The first 
reason is that attack technologies are becoming very easy to 
use. So, as Mr. Gerretson just showed, you can go to any hacker 
convention, pick up a copy of this disk, put it in your 
machine, and knowing no more than a lawyer, which is a fairly 
low standard I would say, put this in your machine and launch 
an attack on any computer on the Internet.
    You do not need to know a lot. It is point and click and 
you are in. So, the tools are getting easier to use. They are 
becoming more widely available. In addition, with the growth of 
the Internet, you have tens of thousands and probably millions 
of insecure computers out there that are used as 
targets of opportunity and methods of attack. The software is 
becoming increasingly complex and much more difficult to 
secure.
    Software manufacturers who are building this software are 
trying to design it to be functional. If you are coming out 
with a new word processing program or you are trying to come 
out with a new operating system, and you are under competitive 
pressures to get it out to market, you want to make sure that 
it is functional. Until companies demand security and the 
government demands security as an integral part of 
functionality, I do not think the manufacturers are going to 
ship these things as being at least more secure.
    So, these are some of the problems. What is the private 
sector doing? Well, speaking just for Global Integrity, we are 
doing two things working with the financial services industry, 
which I think is a model for both the government and for other 
private sector enterprises. One of them is something called the 
BITS Laboratory that we are working with the Banking Industry 
Technology Secretariat and a consortium of banks.
    What they are doing is they are developing a series of 
security standards. We at Global, are testing computer 
products, hardware, software, and other types of products, 
against the security criteria. The idea is that the marketplace 
then will say, for example, banks will say unless your software 
has been tested against these criteria, we will not buy it. 
Unless it is pre-configured to be in a secured manner, we will 
not buy it.
    So, we are using the marketplace as a method of trying to 
ensure security. The second thing is the Financial Services 
Information Sharing and Analysis Center [FS-ISAC]. This is 
something that we are doing. Financial services industries, 
banks, insurance companies, and the like have a secure method 
of sharing information amongst themselves about attacks and 
vulnerabilities.
    Let us face it, they do not want to tell people that they 
have been attacked, but they are happy to share information 
among themselves, if that will lead to more security. These are 
some of the models that are currently in place. We need to do 
more in the private sector and in the government sector to help 
secure the infrastructure.
    Thank you.
    [The prepared statement of Mr. Rasch follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.143
    
    [GRAPHIC] [TIFF OMITTED] T7018.144
    
    [GRAPHIC] [TIFF OMITTED] T7018.145
    
    [GRAPHIC] [TIFF OMITTED] T7018.146
    
    [GRAPHIC] [TIFF OMITTED] T7018.147
    
    [GRAPHIC] [TIFF OMITTED] T7018.148
    
    [GRAPHIC] [TIFF OMITTED] T7018.149
    
    [GRAPHIC] [TIFF OMITTED] T7018.150
    
    [GRAPHIC] [TIFF OMITTED] T7018.151
    
    [GRAPHIC] [TIFF OMITTED] T7018.152
    
    [GRAPHIC] [TIFF OMITTED] T7018.153
    
    Mr. Horn. Thank you very much.
    Our next witness and the last one on this panel is Mr. 
James Adams, chief executive officer of iDEFENSE.
    Mr. Adams. Chairman Horn and members of the committee, I 
want to thank you very much for inviting me here today. Few 
revolutions are accomplished without bloodshed. Already as we 
plunge headlong into the knowledge age, we are beginning to 
receive the initial casualty reports from the front lines of 
the technology revolution.
    From the headlines, you would think that the recent denial-
of-service attacks were the beginning of the end of cyber world 
as we know it. Nothing could be further from the truth. These 
were mere in-breaks on the audio-V commerce. Consider instead 
that some 30 countries have aggressive, offensive information 
warfare programs. All of them have America firmly in their 
sights.
    Consider too that if you buy a piece of hardware or 
software from several countries, among them, some of our 
allies, there is real concern that you will be buying doctored 
equipment. It will syphon copies of all material that passes 
across that hardware or software back to the country of 
manufacture.
    The hacker today is not just the stereo-typical computer 
geek with a grudge against the world. The serious hacker today 
is much more likely to be in the employ of government, big 
business, or organized crime. Consider the band of Russian 
hackers who, over the past 2 years, have syphoned off an 
enormous amount of research and development secrets from United 
States corporate and government entities in an operation code 
named Moonlight Maze.
    I would like to focus on this nexus between the public and 
private sectors, and on the government's efforts to respond to 
the growing threat. A couple of illustrations to begin; 20 
years ago, some 70 percent of all technology development was 
funded by the public sector. Today, that figure is under 5 
percent. In other words, in the course of one generation, every 
government agency should have changed how it does business.
    Has that happened? No. Looking ahead for that same 20-year 
period, we will see the following. The ordinary computer that 
you have on your desk will have the computing capacity of the 
human brain. At the same time, research offers the possibility 
of our ability to manufacture perfectly the human body. So, in 
the course of a generation, our view of life, death, family, 
society, and culture, the bedrocks of our way of life down 
this century will have changed forever.
    Is government or the private sector thinking and planning 
for such fundamental change? No. One further point; the pace of 
the revolution is accelerating rapidly. Yet, the pace of change 
within government seems to be exactly the same today as it was 
10 years ago. How has the government responded so far? Well, 
there has been the usual President's Commission and then the 
Principal's Working Group, then the bureaucratic compromise 
that nobody really wanted, and then the national plan which 
arrived 7 months late and was not a plan at all, but an 
invitation to further discussion.
    [Chart shown.]
    Mr. Adams. These two charts that I brought today illustrate 
the current chaos. What you see is a totally disorganized 
organization chart. One that, if it were in the private sector, 
would be a sign of imminent bankruptcy. You see no clear 
leadership. You see duplication of efforts; the waste of 
billions of dollars of taxpayers' money, and the struggle by 
stovepipe agencies to retain power, influence, and money.
    In other words, there is no coherent strategy and the 
tactics are not about winning a war, but about preserving turf. 
There are, of course, some notable exceptions to this. You have 
heard from one of them today, John Tritak. What is needed today 
is an outside entity with real power to implement drastic 
change in the way government approaches technology and the 
underlying security of its systems.
    What is needed most is a personal entity that would draw on 
skill sets in many areas that will overlap those of the CIO, 
CFO, or CSO, and most of the other officers or entities in any 
organization. Let us give this new person the title of chief of 
business assurance. He or she would be in charge of the Office 
of Business Assurance. Business assurance is more than 
security, more than technology, and more than a combination of 
the two.
    It is an understanding of the whole environment and what 
that means for a business or a public sector operation. The 
CBA's task would be to continuously gather and synthesize 
infrastructure-related trends and events to intelligently 
evaluate the technological context within which the 
organization operates, to identify and assess potential 
threats, and then to suggest defense action.
    Viewed from the positive side, to assess the technological 
revolution's opportunities and propose effective offensive 
strategies. The Office of Business Assurance must be a totally 
independent organization with real teeth and real power within 
government. There is much in common between government and 
industry when it comes to the challenges and the opportunities 
that the technology revolution poses.
    Both sectors face a common threat. Both sectors share 
common goals. Both employ technologies that are, in essence, 
identical. Both must work together to protect each other. I 
will leave you with this thought. You will employ total 
transformations of the way business and government is conducted 
internally and externally going forward. We have heard a great 
deal in recent months about the potential of a digital divide 
that is developing between the computer-haves and the computer-
have-nots.
    I believe there is another digital divide that is growing 
between the American Government and its citizens. If this 
committee's efforts do not move forward in changing this 
cultural inertia, there is real danger that the digital divide 
that exists between the government and the private sector will 
only widen. We cannot afford a situation where the governed 
feel that their government is out of touch and increasingly 
irrelevant to their lives.
    Thank you.
    [The prepared statement of Mr. Adams follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.154
    
    [GRAPHIC] [TIFF OMITTED] T7018.155
    
    [GRAPHIC] [TIFF OMITTED] T7018.156
    
    [GRAPHIC] [TIFF OMITTED] T7018.157
    
    [GRAPHIC] [TIFF OMITTED] T7018.158
    
    Mr. Horn. Thank you. All three of you have made some really 
excellent suggestions. Let me start some of this query. Let me 
note that, Mr. Rasch, you were very active before you took your 
current job. You were a trial attorney with the Fraud Section 
of the Criminal Division of the U.S. Department of Justice. You 
left the Department in 1991. You were the sole attorney in the 
Computer Crime Unit. That was on a part-time basis.
    The Computer Crime and Intellectual Property Section of the 
Department of Justice today consists of 18 attorneys. The 
Internet consisted of perhaps 60,000 computers. Then you have 
made some very thoughtful things. Let me pursue this. I turned 
to Mr. Ryan, the counsel to the subcommittee, when you were 
testifying. I said, let us draft a bill that would make this 
simply illegal.
    Now, how does the Justice Department, what does it use to 
be able to get after hackers now? What laws? Do you need new 
legislation which would ban them and get those out of here?
    Mr. Rasch. The principal statute that exists to prosecute 
Federal computer crimes is 18 U.S.C. Section 1030, which is the 
Federal computer crimes statute. That focuses on activities. 
For example, intentionally accessing a computer without 
authorization or disrupting authorized access to a computer. 
So, for example, the recent attacks and the denial-of-service 
attacks squarely come within the ambit of that statute and are 
being aggressively investigated and could be prosecuted under 
that.
    Mr. Horn. Are there any First Amendment concerns on this?
    Mr. Rasch. Probably not. This is action and not speech. 
Although just as burning down a building may be an expression, 
it certainly is not a protected expression. There are some 
First Amendment concerns in the area of encryption and some 
legislation. There is some case law on the question of whether 
or not software itself acts as a form of expression. That 
relates to these type of hacker tools.
    The dissemination of hacker tools themselves; whether or 
not that type of dissemination is criminal. There are really 
two separate statutes that could be used there. One is the 
Digital Millennium Copyright Act which passed last year, which 
is right now being used in a civil lawsuit against the people 
who attempted to reverse-engineer the DVD codes to allow them 
to pirate software and things like that.
    So far, it has withstood a challenge on Constitutional 
grounds. The second one would be 18 U.S.C. Section 1029 which 
makes it illegal to disseminate what are called access devices, 
which could be such things as passwords and things like that.
    Mr. Horn. Any comments on those?
    Mr. Adams. I think you raise an interesting point, Mr. Chairman. I 
would just make this in addition to what Mark was saying. There 
has been a great deal of focus on law enforcement. Of course, 
law enforcement has a prominent role to play in this. The speed 
of the revolution is such that, that is very much after the 
fact, obviously. An event has occurred. We failed and therefore 
we have to do something about it.
    By the time somebody is caught and prosecuted, the 
revolution has moved several steps forward. So, we need to 
think about what does the prevention look like in the globally 
virtual environment in which we find ourselves. Then if that 
fails, of course you need something to follow that up. The 
first step has to be a much more comprehensive approach to 
prevention, warning, intentions, good intelligence, and so on.
    Mr. Horn. At this point, I am going to turn the Chair over 
to the vice chairwoman, Mrs. Biggert, the gentlewoman from 
Illinois. I, unfortunately, have other commitments that I have 
got to do. I want Mr. Turner and Mrs. Biggert to get all of the 
questions out that they can. So, thank you particularly for 
functioning and coming here.
    Mrs. Biggert [presiding]. Mr. Turner, you are recognized 
for questions.
    Mr. Turner. Mr. Adams, you were showing us your two charts 
here, which I guess were designed to display the multitude of 
efforts within various Federal agencies to deal with 
information system security. Rather than look at that as a 
failed effort, I guess it shows that every agency is struggling 
to try to keep up with the problem.
    There are obviously some things that we ought to do to 
consolidate the effort. This battle is so dependent upon 
technical expertise. One of the battlefields we should be 
fighting on is to figure out how to train people to work for 
the good guys. There are probably people within these Federal 
agencies that are noted to be outstanding technical experts 
that do good work in trying to find solutions and trying to 
make the systems secure.
    Are we going to be constantly behind the curve in terms of 
what government does? I think it is probably difficult to 
attract the best and the brightest to the public sector. I am 
sure that Global Integrity and others of the world are going to 
be reaching out and trying to pay the salaries necessary to 
attract the people who could really create the defensive 
mechanisms you need.
    Mr. Adams. I think those are very good points. We clearly 
face a very difficult dilemma. The government is at the front 
line here, as is the private sector. In the private sector, my 
largest number of recruits come from government agencies. The 
private sector is hiring the best and the brightest and moving 
forward very quickly. Clearly, there needs to be a relationship 
between the public and private sector. Look, for example, at 
what the CIA is doing to try and keep itself up to speed with 
the pace of technology change.
    It is doing that by establishing essentially a venture 
capital arm that is the interface between the public and 
private sector. So, you have that on the one hand; different 
ways of doing it. On the other hand, something that the Federal 
Government can do dramatically different is push education into 
the system, so that what we are doing is seeding the next 
generation and the generation after that to keep itself up to 
speed.
    The Federal Government is going to be an enabler. It is not 
going to be able to mandate very much. This revolution is 
occurring outside of its orbit. So, it can do a lot of things 
to influence it. It needs to, I think, do that more creatively 
so that it is seeding the population. We have tremendous 
shortages of skills at the moment in the whole area of 
computers, and computer security, information security, and so 
on.
    So, how to tackle that more creatively and aggressively is 
going to be a very important issue which is partly where it all 
comes back to leadership. You need to have a more creative and 
push-through process than we have at the moment.
    Mr. Turner. If you were to have a free hand at creating an 
entity that would do that, what would it look like?
    Mr. Adams. Well, I think what the lesson we have learned in 
this revolution from the private sector is that if you take an 
old economy company and you try and transition it to the new 
economy, this will largely fail. What you have to do is do the 
Apple Computer model. You set up a new building, different 
people, and put a pirate flag on the roof. They developed a 
culture and they forced something else into the system, which 
is why this idea of a Business Assurance, some sort of entity 
that sits outside of the Federal Government that is able to 
communicate effectively with the private sector and with the 
public sector and force through change.
    What those charts illustrate is, as you rightly say, lots 
of people try to fix it. These are people of good will, by and 
large. They are unable to move collectively aggressively 
enough. They are falling further and further behind in the 
revolution, which is this disconnect. It is very dangerous in a 
democracy. So, if you can have a way of driving through change, 
something with real power, the Koskinen model, but with muscle, 
not just please will you all sit around the table.
    If you do not do this, you will be held accountable for 
failure. That is something where there is an opportunity 
perhaps because it is the private sector that has the expertise 
and the energy. That is going to continue to be the case. That 
is just going to be a fact of life. So, much better to try and 
figure out a way to bridge that gulf, rather than say, well, we 
can actually fix it all ourselves. It is all about a 
partnership between the private and the public sector, making 
that work and then driving it into the public sector.
    That is the trick for you all to try and come up with a way 
of creating something very muscular that will force change, 
rather than saying, well, let us get around to it in another 
couple of years. Too late.
    Mr. Turner. Although we obviously have to let the CIA do 
their own thing, would that kind of model work for the rest of 
government?
    Mr. Adams. I think it is too early to say at the agency. 
Clearly, what we know is that they are bringing some 
interesting technology back into the system. The problem comes 
then is this is a voluntary exercise. We found this really cool 
stuff. We think you should use it. Can the culture be forced to 
change? The CIA is a very inert bureaucracy like a lot of 
government agencies. Will that drive it through?
    I think it is an interesting model in creating the place 
for dialog, but it is a difficult challenge. For example, there 
is a government agency that is currently revising its ways of 
procuring things, trying to keep on the front of technology. It 
feels that it is making a big step forward by doing changes in 
2 years; design and implementation in a couple of years. My 
company is not into design and implementation in 90 days. I 
cannot afford to do it because I am losing market share.
    So, how do you change that culture to a place which is much 
more reflective of what is happening in the private sector? It 
is a very difficult challenge. It has to, I think, have 
somebody. You are talking about very big picture stuff here; 
billions, and billions, and billions of dollars, where you have 
a single entity that says you do this my way or it is not going 
to happen; so forcing it.
    This is very counter-culture to the way governments 
traditionally work. One of the great strengths of democracy and 
the great strength of government entities is that they slowly 
evolve. They move forward to match a pace. Well, in a 
revolution that is very hard because you cannot afford to 
evolve in the same way. You have to either become a 
revolutionary or you get swept away. We have seen examples of 
that throughout history.
    That is why this is both a dangerous and a very challenging 
time; dangerous because it can threaten the institutions that 
provide stability, but a tremendous opportunity for America as 
the leading Nation in the world to move with the revolution, 
embrace it, and drive it forward. The government and the 
private sector have to come together somehow to make that so.
    Mr. Turner. Thank you.
    Mrs. Biggert. Thank you. Mr. Gerretson and probably Mr. 
Rasch, how vulnerable are home computer users? You mentioned 
that the whole Internet is only as secure as the most 
vulnerable link. Then after that, if after they surf the web 
and turn off their modems, are there still risks to the system?
    Mr. Gerretson. I will take the first shot at that. The 
first answer is if you are on a dial-up modem, you are 
vulnerable while you are connected. Cable modems and DSL are 
widely becoming available now. They are always on. I run a 
private network at my house. I have a firewall. Every night I 
have probably six to eight of what I call drive by shootings 
where somebody comes and just tries out my system to see if 
they can get a hold of it.
    The answer is they are very vulnerable. There is very 
little protection on them because it sits on there. Without 
that firewall, I probably would have been one of what they call 
the zombie machines attacking Yahoo and would have never known 
it. As the cable modems and the DSLs get more and more 
ubiquitously available, it is a huge problem.
    Mr. Rasch. I would mirror that. We did a study at Global 
where we left a cable modem on at a home PC and simply tested 
it to see how many times, without a firewall deliberately, to 
test to see how many times it was attempted to be attacked. We 
found that in 1 month, almost 6,000 attempted attacks on a home 
PC.
    What was interesting about that study, however, was the 
fact that these attacks were coming from Eastern Europe, from 
Africa, from Asia, as well as from the United States. So, these 
are coordinated concerted attacks on any computer that they can 
find on the Internet. That would include home PCs in the 
always-on mode; particularly, those on DSL connections or cable 
modems.
    Mrs. Biggert. So, in theory, these really then could lead 
you into, let us say, a Federal agency through those computers?
    Mr. Rasch. Absolutely.
    Mr. Gerretson. That is right.
    Mrs. Biggert. OK. Then we talked in the first hearing about 
this chart with the yellow bubbles at the top and sides 
representing the executive branch, and then those organizations 
that also have a stake-hold in the Federal computer security.
    [The information referred to follows:]
    [GRAPHIC] [TIFF OMITTED] T7018.159
    
    Mrs. Biggert. So, to me, it looks very similar to your 
chart, Mr. Adams. The problem is that we have kind of a blank 
in the middle. So, would you all agree that we need an outside 
coordinator to be in control of this to coordinate all of our 
efforts?
    Mr. Gerretson. Well, ma'am, I would say that my first 
question when I saw this chart and I was talking to Mr. Ryan 
about this is, who is coordinating the coordinators? It seems 
to be somewhat disorganized. I would like to make one little 
statement about that. The one advantage that the Federal 
Government has is that they know they are screwed up. We do a 
lot of commercial work.
    If you get outside of the IA Groups, they do not even know 
they are in trouble. So, yes, you are lagging behind, in some 
cases, but, at least you know you are lagging behind. That is 
kind of a contrary view, but there are advantages to what you 
are doing. This is a problem.
    Mr. Rasch. What I see as the problem is a definition of 
function. What we really need somebody to do is to say, not so 
much just coordinate the efforts, but say, all right, testing. 
That is NIST. For developing new technologies, that is somebody 
else. Basically, not so much coordinating, but defining who has 
what roles. One of the things that happened with the 
development of the Computer Emergency Response Team at Carnegie 
Mellon, the CERT Team, it was a wonderful idea, and remains a 
wonderful idea, and works very well.
    Now, we have dozens, and dozens, and dozens of computer 
emergency response teams. The problem with that is it is like 
living in a town that has 20 different 911 numbers. So, you run 
into a problem of who are you going to call. So, you need to 
really define the functions first and then decide who is going 
to coordinate between and among those functions.
    Mrs. Biggert. This has been very interesting. Obviously, 
you have heard the bells. We have another vote. So, I think 
that we will have to adjourn at this time. We will be having 
several more hearings. I know that we will be pursuing this 
more in-depth. I agree with you that we are behind and we need 
to look at this problem. I think that this has been a great 
start for this committee. So, I really appreciate you all 
participating and look forward to asking more questions of you, 
I am sure, in the future when we get into this.
    So, without more, this committee hearing is adjourned.
    [Whereupon, at 12:05 p.m., the subcommittee was adjourned.]