[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]

COMPUTER SECURITY: ARE WE PREPARED FOR CYBERWAR?
=======================================================================

HEARING before the SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, INFORMATION, AND TECHNOLOGY of the COMMITTEE ON GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED SIXTH CONGRESS, SECOND SESSION

MARCH 9, 2000

Serial No. 106-160

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE 67-018 CC WASHINGTON : 2000

COMMITTEE ON GOVERNMENT REFORM

DAN BURTON, Indiana, Chairman

Majority: BENJAMIN A. GILMAN, New York; CONSTANCE A. MORELLA, Maryland; CHRISTOPHER SHAYS, Connecticut; ILEANA ROS-LEHTINEN, Florida; JOHN M. McHUGH, New York; STEPHEN HORN, California; JOHN L. MICA, Florida; THOMAS M. DAVIS, Virginia; DAVID M. McINTOSH, Indiana; MARK E. SOUDER, Indiana; JOE SCARBOROUGH, Florida; STEVEN C. LaTOURETTE, Ohio; MARSHALL ``MARK'' SANFORD, South Carolina; BOB BARR, Georgia; DAN MILLER, Florida; ASA HUTCHINSON, Arkansas; LEE TERRY, Nebraska; JUDY BIGGERT, Illinois; GREG WALDEN, Oregon; DOUG OSE, California; PAUL RYAN, Wisconsin; HELEN CHENOWETH-HAGE, Idaho; DAVID VITTER, Louisiana.

Minority: HENRY A. WAXMAN, California; TOM LANTOS, California; ROBERT E. WISE, Jr., West Virginia; MAJOR R. OWENS, New York; EDOLPHUS TOWNS, New York; PAUL E. KANJORSKI, Pennsylvania; PATSY T. MINK, Hawaii; CAROLYN B. MALONEY, New York; ELEANOR HOLMES NORTON, Washington, DC; CHAKA FATTAH, Pennsylvania; ELIJAH E. CUMMINGS, Maryland; DENNIS J. KUCINICH, Ohio; ROD R. BLAGOJEVICH, Illinois; DANNY K. DAVIS, Illinois; JOHN F. TIERNEY, Massachusetts; JIM TURNER, Texas; THOMAS H. ALLEN, Maine; HAROLD E. FORD, Jr., Tennessee; JANICE D. SCHAKOWSKY, Illinois; BERNARD SANDERS, Vermont (Independent).

Kevin Binger, Staff Director; Daniel R. Moll, Deputy Staff Director; David A. Kass, Deputy Counsel and Parliamentarian; Lisa Smith Arafune, Chief Clerk; Phil Schiliro, Minority Staff Director.

Subcommittee on Government Management, Information, and Technology

STEPHEN HORN, California, Chairman

Majority: JUDY BIGGERT, Illinois; THOMAS M. DAVIS, Virginia; GREG WALDEN, Oregon; DOUG OSE, California; PAUL RYAN, Wisconsin.

Minority: JIM TURNER, Texas; PAUL E. KANJORSKI, Pennsylvania; MAJOR R. OWENS, New York; PATSY T. MINK, Hawaii; CAROLYN B. MALONEY, New York.

Ex Officio: DAN BURTON, Indiana; HENRY A. WAXMAN, California.

J. Russell George, Staff Director and Chief Counsel; Bonnie Heald, Director of Communications; Bryan Sisk, Clerk; Trey Henderson, Minority Professional Staff Member.

C O N T E N T S
(page numbers refer to the printed hearing)

Hearing held on March 9, 2000 .......... 1

Statement of:
  Gerretson, Jim, director of operations, Information Assurance, ACS Defense, Inc.; Mark Rasch, senior vice president and legal counsel, Global Integrity Corp.; and James Adams, chief executive officer, iDEFENSE .......... 161
  Tritak, John, Director, Critical Infrastructure Assurance Office, Department of Commerce; John Gilligan, Chief Information Officer, Department of Energy, and co-chair, Security, Privacy, and Critical Infrastructure Committee, CIO Council; Karen Brown, Deputy Director, National Institute of Standards and Technology, Department of Commerce; and Rich Pethia, director, Computer Emergency Response Team Coordination Centers, Software Engineering Institute, Carnegie Mellon University .......... 5

Letters, statements, et cetera, submitted for the record by:
  Adams, James, chief executive officer, iDEFENSE, prepared statement of .......... 186
  Biggert, Hon. Judy, a Representative in Congress from the State of Illinois, chart on computer security management key players .......... 196
  Brown, Karen, Deputy Director, National Institute of Standards and Technology, Department of Commerce, prepared statement of .......... 38
  Gerretson, Jim, director of operations, Information Assurance, ACS Defense, Inc., prepared statement of .......... 165
  Gilligan, John, Chief Information Officer, Department of Energy, and co-chair, Security, Privacy, and Critical Infrastructure Committee, CIO Council:
    Information concerning initiatives and activities .......... 22
    Prepared statement of .......... 26
  Horn, Hon. Stephen, a Representative in Congress from the State of California:
    Followup questions and responses .......... 159
    Prepared statement of .......... 3
  Pethia, Rich, director, Computer Emergency Response Team Coordination Centers, Software Engineering Institute, Carnegie Mellon University, prepared statement of .......... 46
  Rasch, Mark, senior vice president and legal counsel, Global Integrity Corp., prepared statement of .......... 173
  Tritak, John, Director, Critical Infrastructure Assurance Office, Department of Commerce, prepared statement of .......... 9
  Turner, Hon. Jim, a Representative in Congress from the State of Texas, prepared statement of .......... 152

COMPUTER SECURITY: ARE WE PREPARED FOR CYBERWAR?
----------

THURSDAY, MARCH 9, 2000

House of Representatives, Subcommittee on Government Management, Information, and Technology, Committee on Government Reform, Washington, DC.

The subcommittee met, pursuant to notice, at 10 a.m., in room 2247, Rayburn House Office Building, Steve Horn (chairman of the subcommittee) presiding.

Present: Representatives Biggert, Walden, and Turner.

Staff present: J. Russell George, staff director and chief clerk; Matt Ryan, senior policy administrator; Bonnie Heald, director of communications; Bryan Sisk, clerk; Ryan McKee, staff assistant; Trey Henderson, minority professional staff member; and Jean Gosa, minority staff assistant.

Mr. Horn. The hearing of the House Subcommittee on Government Management, Information, and Technology will come to order.

Earlier this year, the Nation successfully met its first technological challenge of the new millennium, Y2K. Despite the time, labor, and $100 billion cost of this effort, private and public, we learned much from this experience. Those lessons will be especially important now as we turn to the second technological challenge of the new year, computer security.

We are here today to learn. In April 1996, this subcommittee held a similar informational hearing on the year 2000 computer problem. Our questions will be many of the same questions we asked in that hearing 4 years ago. We want to know the dimension and scope of these cyber attacks. We want to know what efforts are being undertaken toward solving the problem, and we want to know what the Federal Government is doing to address this problem.

Since the early 1990's, the worldwide use of computers and computer networks has skyrocketed. The Internet has revolutionized the way governments, nations, and individuals communicate, and the way business is conducted. The Internet and electronic mail are now available 24 hours a day to anyone with a desktop computer, a modem, and a telephone line. Yet, without rigorous efforts to protect the sensitive information contained in these computer systems, many of the Nation's essential services, telecommunications, power distribution, national defense, and so on down the line, are vulnerable to cyber attacks.
Over the last few weeks, several of the Nation's most viable Internet websites have fallen prey to ``denial-of-service'' computer attacks. Although these attacks disrupt essential business services, they only scratch the surface of cyber attacks that may be taking place in other highly integrated computer networks.

Our first panel of witnesses today will discuss the vulnerability of the Nation's vital computer systems and the Government's efforts to protect them. Our second panel, from the private sector, will demonstrate how easy it is to invade or hack a computer system, and what organizations can do to protect these systems.

We welcome each of you and we look forward to your testimony. If you will stand and raise your right hands, we will swear you in.

[Witnesses sworn.]

Mr. Horn. The clerk will note that all four witnesses affirmed the oath. We will start with Mr. Tritak, Director of the Critical Infrastructure Assurance Office, Department of Commerce. Mr. Tritak, I might say, the way we work here, once I announce you, your full statement is automatically put in the record. The staff has read it and, when we have had a chance, we read it. We then want you, if you could, to summarize it in 5 minutes. Do not read it, whatever you do, but give us from your heart what this problem is. That is what we are interested in. When you are all done, we will then have questions, 5 minutes on each side, when those Members come here. We will try to get a rounding out of what the testimony is. So, Mr. Tritak, you are first.

[The prepared statement of Hon. Stephen Horn follows:]

[GRAPHICS OMITTED IN SOURCE: T7018.001-T7018.002]

STATEMENT OF JOHN TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE ASSURANCE OFFICE, DEPARTMENT OF COMMERCE; JOHN GILLIGAN, CHIEF INFORMATION OFFICER, DEPARTMENT OF ENERGY, AND CO-CHAIR, SECURITY, PRIVACY, AND CRITICAL INFRASTRUCTURE COMMITTEE, CIO COUNCIL; KAREN BROWN, DEPUTY DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, DEPARTMENT OF COMMERCE; AND RICH PETHIA, DIRECTOR, COMPUTER EMERGENCY RESPONSE TEAM COORDINATION CENTERS, SOFTWARE ENGINEERING INSTITUTE, CARNEGIE MELLON UNIVERSITY

Mr. Tritak. Thank you very much, Mr. Chairman. I am grateful for this opportunity to appear before you today to begin a dialog with you and your committee on the issues relating to critical infrastructure assurance and computer security. By way of talking about infrastructure, one thing I want to mention is that my slides just showed up. If you do not mind, I would like to just put them up before you.

Mr. Horn. Sure. Keep talking. They can put them up.

Mr. Tritak. In any event, Mr. Chairman, Americans have long depended on the delivery of essential services over the Nation's critical infrastructures. The need to assure the delivery of these services against significant disruptions has been a concern of infrastructure owners and operators for as long as there have been electric power plants, telecommunications systems, airlines, railroads, banking, and financial services. In other words, critical infrastructure assurance itself is not new. What is new is the increasing reliance on information technology and computer networks to operate those infrastructures. This growing reliance introduces new complexities, interdependencies, and, potentially, vulnerabilities. The threat that individuals, groups, and nation states are seeking to identify and exploit these vulnerabilities is real and growing.

[Chart shown.]

Mr. Tritak.
In recognition of this, President Clinton issued PDD-63, establishing the protection of the Nation's infrastructures as a national security priority. As you can see from the chart, Mr. Chairman, PDD-63 sets forth an ambitious goal. It calls for a national capability by 2003 to protect our critical infrastructure from intentional attacks that could significantly diminish: one, the Federal Government's ability to perform essential national security missions and to ensure general public health and safety; two, State and local governments' ability to maintain order and to deliver minimal essential services to the public; and three, the private sector's ability to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services.

The important conclusion of PDD-63 is that critical infrastructure assurance is a shared responsibility. With 90 percent of the Nation's infrastructures being privately owned and operated, the Federal Government alone cannot guarantee their protection.

In response to the issuance of PDD-63, the Federal Government had to organize itself in order to meet the challenges posed by this unique national security challenge. A national coordinator for security, infrastructure protection, and counter-terrorism was created to oversee national policy development and implementation, as well as to advise the President and national security advisor on the same. My office, the Critical Infrastructure Assurance Office, was created to coordinate policy development for the national plan, to assist agencies in analyzing their critical infrastructure dependencies, and to coordinate national education and awareness efforts. The National Infrastructure Protection Center was created at the FBI to serve as a threat assessment center, focusing on threat warnings, vulnerabilities, and law enforcement.
For each infrastructure sector that could be a target for cyber or physical attacks, a single government department or agency was established as a lead agency for working directly with representatives from private industry.

[Chart shown.]

Mr. Tritak. Earlier this year, President Clinton issued the first version of the national plan. Displayed before you is the cover. It says a lot about what the plan is and is not. First, the plan focuses on the cyber dimensions of securing critical infrastructures and underscores the new challenges posed by the information age. That is not to say that physical infrastructure protection is no longer important. It is. Future versions of the plan will reflect that importance. In fact, the plan is designated 1.0 and subtitled ``An Invitation to a Dialogue'' for a good reason. It is very much a work in progress. It concentrates on the Federal Government's efforts in infrastructure protection. The plan acknowledges that this is not enough. We must work closely with industry and include them in the national planning process. We must also deal with the fact that there is an international dimension to national information assurance, as well as a domestic one. Of course, we must work closely with you in the Congress to ensure that your concerns, ideas, and interests are reflected in subsequent versions of the plan.

[Chart shown.]

Mr. Tritak. To meet the goal of PDD-63, the national plan establishes 10 programs for achieving three broad objectives. First, steps must be taken to identify the key elements and systems that constitute our critical infrastructures. Their vulnerability to attack must be assessed, and plans must be developed to address those vulnerabilities. In so preparing, we hope to prevent attacks from reaching their target in the first place. Next, should such attacks occur, we must develop a means to identify, assess, and warn about them in a timely manner. The attacks must then be contained.
Disrupted services must be restored and affected systems must be reconstituted. Finally, we must lay a strong foundation upon which to create and support the Nation's commitment to achieving the first two objectives. This includes coordinated research and development; training and employing information security experts; raising awareness; and, where appropriate, identifying potential legal or legislative reforms.

[Chart shown.]

Mr. Tritak. The President requested $2 billion for critical infrastructure protection in his fiscal year 2001 budget request. This represents a 15 percent increase over fiscal year 2000 funding. Of this, 85 percent supports protection of agency infrastructures; 72 percent goes to supporting critical infrastructure efforts within the national security agencies.

The President proposes a number of key initiatives in his budget request. I will just highlight a few. The Federal Cyber Service Initiative seeks to redress the shortage of information security expertise in the Federal Government. This shortfall reflects the scarcity of college-level programs in information security. It also reflects the inability of the Government to compete for highly skilled workers in this area. Our goal is to recruit, train, and retain a cadre of IT specialists for Federal service.

The Federal Intrusion Detection Network will serve as a centralized burglar alarm system for critical computer systems within civilian government agencies. Intrusion detection systems will be installed and operated by the civilian agencies. Alarm data indicating anomalous computer activity will be sent by the agency to the GSA for further analysis. Only if there is evidence of criminal behavior will data be sent to the NIPC and law enforcement. FIDNet will not monitor any private network traffic. It will comply with all existing privacy laws.
The Partnership for Critical Infrastructure Security attempts to build on the efforts already underway between government and industry. It seeks to bring the individual sectors together to encourage a cross-sectoral dialog on common concerns, such as the growing interdependencies among the infrastructure owners and operators. The Partnership also provides a forum for infrastructure owners and operators to engage other interested stakeholders, including the audit community, the insurance community, Wall Street and the investment community, and of course mainstream businesses, who are the ultimate consumers of infrastructure services.

Now, the Partnership is dedicated to the belief that once industry recognizes a business case for action, economic self-interest in the market can go a long way toward addressing the challenges of infrastructure assurance. That is not to say that self-interest in the market alone can solve these problems, because it cannot. Where it cannot, and where the national security interests of the country require it, the Federal Government must step in to address any gaps and vulnerabilities that may exist.

Last month, over 200 representatives of more than 120 companies began to organize their participation in this Partnership. I think the Partnership represents a good step, not only in addressing issues of common concern, but also for industry to take a lead in addressing the problems that confront us today. When you have a good partnership between industry and government, we are better able to identify and define our respective roles so that where there are gaps, where the market cannot address a problem of concern to the Nation, we can fill that gap.

Given the limited time, Mr. Chairman, I am going to conclude my remarks here, and I look forward to your questions.

[The prepared statement of Mr. Tritak follows:]

[GRAPHICS OMITTED IN SOURCE: T7018.003-T7018.013]

Mr. Horn. Thank you very much. I would appreciate it at this point in the record if you would submit the national plan for the record. So, without objection, it will be put right after this point.

We now go to the next gentleman, who is very familiar to this committee. You are doing a fine job. Mr. John Gilligan, Chief Information Officer, Department of Energy, and Co-Chair, Security, Privacy, and Critical Infrastructure Committee of the Chief Information Officer Council. Mr. Gilligan.

Mr. Gilligan. Thank you, Chairman Horn. As you noted, I come before the committee speaking in both my role as Chief Information Officer of the Department of Energy and as well the Co-Chair of the Federal CIO Council Security, Privacy, and Critical Infrastructure Committee.

As I prepared for this testimony, I gave a lot of thought to what I viewed were the two critical issues that I face as a Federal CIO. I would like to spend a moment addressing these issues for you. Up-front, let me tell you that my biggest issues are not technology challenges. The primary challenge is educating and convincing line management that computers and networks, as well as the information they possess and process, should be treated and managed as mission-essential and strategic organization resources.

Let me illustrate my point with an example. Last summer, at one of the Department of Energy laboratories, we conducted a security audit. The laboratory was found to have the best firewall within the Department, very good security policies, and adequate protection of our classified systems.
However, that same organization had a number of instances of what I refer to as no-brainer security weaknesses. For example, there were a number of computer systems that had software configurations that were years out of date. In this case, they were not taking advantage of dozens of patches that had been fielded over the years to upgrade the security of those systems. In addition, there were a number of systems where their passwords, including system administrator passwords, were easily guessed, or in some cases were even the term ``password.'' These and other weaknesses made it relatively easy for a potential hacker to break into the laboratory's unclassified computer systems.

As I evaluated this apparent paradox, the same organization having both the best and the worst security practices, the root issue became clear to me. The organization was not focusing on information technology as an overall laboratory resource; rather, only sub-sets of the systems and networks were being pro-actively managed. Most of the unclassified computers were procured and operated as work center or personal resources. I have found a similar dichotomy at a number of other DOE sites. The problem at this lab was not the absence of sound security policies or lack of security technology knowledge, but the fact that management of computers had become highly decentralized and, in many cases, was a personal task. I found that the number of system administrators approached the number of laboratory employees.

The security audit findings highlighted to the laboratory director and senior management that they had fundamental problems with information technology management. The solution required a fundamental change in how computers and networks were purchased, installed, and operated. I firmly believe that this is the most significant and pervasive problem facing Federal agency CIOs.
A second challenge I face is working with Federal managers in the Department of Energy in determining how much security is enough. That is, how much is adequate? In the past, the primary security focus was on the protection of national security information, classified systems, and more easily controlled mainframe computers. Adequate security was defined by security gurus, in most cases, with much input from line management, and defined, in most cases, in absolute terms. Today, we use computers for a wide variety of missions where it is not cost effective or appropriate to apply the same protection mechanisms or security policies in all cases. We have information relating to national security. Personnel data and business operations must be protected to ensure confidentiality. On the other hand, we have public websites where we want to protect the integrity of the information. In addition, there are mission impact and perception factors which influence what is adequate, as well as rapidly changing threats, missions, and technologies. Federal security policies require an assessment of risk to guide management decisions on what is adequate. Sounds easy. I would submit that it is not. The Federal Government is also held to a very high standard, and one that continues to change and become more stringent over time.

In my testimony, I have included some status updates within the Department of Energy on our recent security activities. I will not detail them here. I would like to, however, turn for a few minutes to the work of the CIO Security, Privacy, and Critical Infrastructure Protection Committee, which I co-chair with Roger Baker, CIO of the Department of Commerce, and Fernando Burbano, CIO of the Department of State. Our committee is developing a set of products that we believe will augment and accelerate improvements in implementing adequate levels of protection and in assuring appropriate privacy of Federal information and systems.
I would like to submit for the record a brief summary of our committee activities.

[The information referred to follows:]

[GRAPHICS OMITTED IN SOURCE: T7018.014-T7018.015]

Mr. Gilligan. I would also like to highlight a few of the committee's efforts. Our project to develop an Information Technology Security Maturity Framework is intended to help guide agencies and senior government officials in establishing and maturing an effective cyber security program. Following the example of the successful Software Capability Maturity Framework developed by Carnegie Mellon University, the Information Technology Security Maturity Framework recommends a building block approach to security. Emphasis is placed at lower levels on critical foundation activities, such as documented policy and clearly defined, assigned responsibilities, as well as robust training and security assessment of progress. I have brought a display that summarizes the six levels of security maturity described in the draft framework. The Security Committee believes that all agencies should be working toward achievement of level 2 in the near term. This level describes what is called a documented security program. It is based on policy and guidance from the General Accounting Office, the Office of Management and Budget, and the National Institute of Standards and Technology. The committee is working to develop specific evaluation criteria, a checklist guide that could be used for level 2, as well as further definition of level 3. We have invited the Software Engineering Institute and the General Accounting Office to participate in the refinement of the framework.

The committee also has initiatives in the development of a tool that will allow us to identify and make available the Federal agencies' best security practices. We are developing sample agency policies and guidelines dealing with security and privacy. We are working to accelerate the use of so-called public key encryption.
We are working with the Information Technology Association of America in the development of security solution benchmarks, linked to common electronic services such as financial transactions with the public, benefit inquiries over the web, and electronic submission of contractor pricing proposals.

I would like to conclude my remarks with some recommendations from my perspective as co-chair of the Security, Privacy, and Critical Infrastructure Committee. The first two recommendations deal with funding for security. First, I recommend that organizations specifically identify and analyze their expenditures in cyber security. In this regard, I suggest that we work with the government and industry to establish and refine benchmarks against which line managers can assess whether their investment is comparable to similar organizations. Work by the Gartner Group suggests that a reasonable range for cyber security spending is somewhere between 1 and 5 percent of an organization's spending for information technology. Second, I would recommend consideration of increased funding for a set of governmentwide security initiatives that are focused not on multi-year research or product development, but on short-term, immediate operational benefits for Federal agencies. I note that most of our CIO Council cyber security efforts are focused toward ongoing operational support. Furthermore, I recommend that we continue to tightly tie our cyber security efforts with other initiatives to improve overall management of information technology resources from an enterprise perspective. Finally, I suggest that we continue to focus our education efforts toward government managers. I believe managers need to know how to make risk tradeoffs.
What they need is greater awareness of their responsibility in managing information technology as a strategic resource, as well as simple benchmarks and metrics, such as funding levels and a maturity framework, against which they can evaluate organization-specific risks, as well as the progress of their cyber security programs. This concludes my testimony. I look forward to your questions.

[The prepared statement of Mr. Gilligan follows:]

[GRAPHICS OMITTED IN SOURCE: T7018.016-T7018.024]

Mr. Horn. Thank you very much, Mr. Gilligan. Our next witness is Ms. Karen Brown, the Deputy Director, National Institute of Standards and Technology, otherwise known as NIST. With the Weather Bureau there, I wonder why we cannot be MIST? Anyhow, the Department of Commerce. Thank you for coming.

Ms. Brown. Thank you. Thank you, Mr. Chairman and members of this subcommittee, for the invitation to speak to you today about computer security issues. Computer security continues to be an ongoing and challenging problem that demands the attention of the Congress, the executive branch, industry, academia, and the public. Computer security is not a narrow technical concern. The explosive growth in electronic commerce highlights the Nation's ever-increasing dependence upon the secure and reliable operation of our computer systems. Computer security has a vital influence on our economic health and our Nation's security, and we commend the committee for your focus on this security. Today, I would like to address NIST computer security activities that contribute to improving computer security for the Federal Government and the private sector.
I would also like to briefly describe for you our proposed new program activities for next year. Under NIST statutory responsibilities, we develop standards and guidelines for agencies to help protect their sensitive, unclassified information systems. In meeting the needs of our customers in both the public and private sector, we work closely with industry, Federal agencies, testing organizations, standards groups, academia, and private sector users. As awareness of the need for security grows, more secure products will be demanded in the marketplace. Addressing security will also help ensure that electronic commerce growth is not limited because of security concerns.

What does NIST do specifically? To meet these responsibilities and customer needs, we first work to improve the awareness of the need for computer security, which is an ongoing effort. Additionally, we research new technologies and their security implications. We work to develop security standards and specifications to help users specify security needs, and establish minimum security requirements for Federal systems. We develop and manage security testing programs in cooperation with the private sector to enable users to have confidence that a product meets a security specification. We also produce security guidance to promote security planning and secure system operations and administration. I will briefly discuss the need and benefits of each.

First, there is a need for timely, relevant, and easily accessible information to raise awareness about risks, vulnerabilities, and requirements for protection of information systems. This is particularly true for new and rapidly emerging technologies which are being delivered with such speed in the Internet age. We host and sponsor information sharing among security educators, the Federal Security Program Managers' Forum, and industry. We seek advice from our external advisory board of computer experts.
We meet regularly with members of the Federal computer security community, including the Chief Information Officer Council's Security Committee and the Critical Infrastructure Assurance Office. We actively support information sharing through our conferences, workshops, webpages, publications, and bulletins.

A second need is for research on information technology vulnerabilities and cost effective security. When we identify new technologies that could potentially influence our customers' security practices, we research these technologies and their potential vulnerabilities. We also work to find ways to apply new technologies in a secure manner. The solutions we develop are made available to both public and private users. Research helps us to find more cost effective ways to implement and address security requirements.

The third is the need for standards and for ways to test that standards are properly implemented in products. For example, cryptographic algorithms and techniques are essential for protecting sensitive data and electronic transactions. NIST has long been active in developing Federal cryptographic standards and working in cooperation with private sector voluntary standards organizations in this area. We are currently leading a public program to develop the Advanced Encryption Standard [AES], which will serve 21st century security needs. Another aspect of our standards activity concerns public key and key management infrastructures. We have been actively involved in working with industry and the Federal Government to promote the security and interoperability of such infrastructures. Standards help users to know what security specifications may be appropriate for their needs. Testing complements this by helping users have confidence that security standards and specifications are correctly implemented in the products they buy. Testing also helps reduce the potential vulnerabilities that products contain that could be used to attack systems.
For over 5 years, we have led the Cryptographic Module Validation Program, which has now validated about 90 modules, with another 50 expected this year. This successful program utilizes private sector accredited laboratories to conduct security conformance testing of cryptographic modules against the Federal standard we developed and maintain. Many of these activities are being done in cooperation with the Defense Department's National Security Agency in our National Information Assurance Partnership. The goal is to enable product developers to get their products tested easily and voluntarily, and for users to have access to information about test products. Under this program, we have also led the development of an international mutual recognition arrangement, whereby the results of testing in the United States are recognized by our international partners, thus reducing costs to the industry.

Advice and technical assistance for both government organizations and private sector is the fourth need. While I have given you a few examples of NIST work, I obviously have not covered everything. I want to emphasize there is still much more to be done. Please keep in mind that approximately $6 million of direct congressional funding supports both our Federal and industry computer security responsibilities. This is plainly not enough. Thank you.

[The prepared statement of Ms. Brown follows:]

Mr. Horn. Thank you very much. That was very helpful testimony. We now go to our last witness on this panel. I must say, Mr. Pethia, everywhere I talked and saw people in the last 3 weeks putting this panel together, the first magic word was Carnegie Mellon. So, we are glad to have you come here. We hope to visit your campus sometime. You can show us around. Mr.
Rich Pethia is the director, Computer Emergency Response Team Coordination Centers, Software Engineering Institute at Carnegie Mellon University in Pittsburgh.

Mr. Pethia. Mr. Chairman and members of the subcommittee, I would like to thank you for the opportunity to come and talk to you today about computer security. Today, I would like to describe a number of the trends that impact security on the Internet. I will illustrate the results of those trends and then outline some steps that I think will help us all effectively manage the increasing risk of damage from cyber attacks. My perspective comes from the work that we do with the CERT Coordination Center. The Center is chartered to respond to security emergencies on the Internet, and to work with both technology producers and technology users to facilitate response to major security problems. Since 1988, we have handled over 24,000 separate security incidents, and analyzed more than 1,500 separate computer vulnerabilities.

The current state of Internet security is cause for concern. The vulnerabilities associated with technology used on the Internet put government, business, and individuals at risk. Security is influenced by many factors. An organization that wishes to improve its security has to deal with a lot of issues. First of all, the Internet itself is growing at an amazing rate. As the technology is being distributed, so is the management of that technology. System administration and management often fall upon people who do not have the training, skills, resources, or interest needed to operate their system securely. This problem is about to get worse, now that we have direct Internet connections to homes, schools, libraries, and other venues that do not have training and security staff. These always-on, rarely protected systems will allow attackers to continue to add new systems to their arsenal of captured weapons.
Intruder tools are becoming increasingly sophisticated and also becoming increasingly user-friendly and widely available. This technology is evolving like any other. Sophisticated developers of intruder programs package their tools in user-friendly forms and make them widely available. As a result, even unsophisticated intruders can use them. On the technology side, when vendors release patches or upgrades to solve security problems, organizations' systems often are not upgraded. The job may be too time consuming, too complex, or just too low a priority for the system administration or staff to handle. There is little evidence of improvement in the security features of most products. Today, we continue to receive new vulnerability reports in second generation and third generation products. Developers are not devoting sufficient effort to apply lessons learned about the sources of vulnerabilities and doing the engineering work necessary to remove them.

Finally, engineering for ease of use is not being matched by engineering for ease of secure administration. Today, we would all find it ludicrous if, to safely operate and drive an automobile, a person had to be a master mechanic. Yet, today we expect our computer users and novice system administrators to have detailed technical knowledge of all the intricacies and nuances of the technology. We are simply developing technology that is not fit for use in today's environment. Because of these and other factors, organizations and individuals who are using the Internet become vulnerable to various kinds of cyber attack, including the denial-of-service attacks that were widely publicized in February.
The key point about this attack, this attack type, is that although an organization may be able to harden its own systems to help prevent having its systems used as a part of a distributed attack vehicle, there is essentially nothing a site can do with currently available technology to prevent becoming a victim of these coordinated denial-of-service attacks. The best an organization can do today is get ready to respond and have its response capabilities in place, should it ever become the victim of one of these attacks. These attacks work by having intruders compromise vulnerable systems. They collect these vulnerable systems into aggregated attack networks. These networks act in unison to attack a single victim. The network can be activated remotely at a later site by a master computer. Communication between the master and the networks is encrypted, often making it difficult to locate the master. Once activated, these tools proceed on their own. They are rapidly evolving. Individual nodes in the attack network can be automatically reprogrammed to change the type of attack so that it becomes increasingly difficult to build defenses against this technology. Clearly, we have entered a new era in the Internet, where the power of the Internet itself is now being used to attack people who are connected to it. At the CERT, we constantly monitor trends and watch for new attacks and tools. We became aware of this new form of denial-of-service attack in late August, early September 1999. Denial-of-service attacks are not new. These kinds of attacks have been around since 1994, with significant increases in 1996 and 1998. By the end of September, it was evident that this was a new form of attack. It was something we had never seen before. 
We called together a workshop of 30 international experts who came together for 2 days in Pittsburgh and produced a paper that explains the threat posed by these intruder tools, as well as guidance to organizations about how to protect themselves and be prepared, and how to be ready to respond. This paper, along with other advisories, was issued to the community in December. We have had a series of communications out to the Internet community. The problem is serious. It is complex. A combination of approaches must be used to reduce the risks associated with this ever-increasing dependence on the Internet.

First of all, we need better ability to collect, analyze, and disseminate information on assurance issues. A lot of what we do today is reactive. We see a problem. We analyze it. We understand what just happened. That is no longer adequate. New forms of attack are now happening at Internet speed, both automated attacks, like these distributed denial-of-service attacks, as well as new forms of viruses, such as Melissa that showed up in March of this year. Today, we need to find analysis methods that build a predictive early warning capability. We need to be able to understand what is going to happen before it happens, which means we need new ways of analysis. In addition, better attention needs to be paid to collecting information. There has been a lot of discussion and debate about instrumenting networks to collect data to watch the traffic on the network to anticipate what the problems might be. Certainly, there is a need to be concerned about privacy, but we have to find some way to balance our need to collect information about the operation of networks with our need to keep individual transactions and users' activities private. Until we get a better view into what is happening on our networks, we are going to have a very difficult time defending against new forms of attack.
Third, we need to invest in better education and training to raise the level of security and security awareness. In particular, we need to focus on bringing the understanding of security issues to senior and middle management in government, as well as in industry. Until there is management commitment, and management commitment of resource to solve this problem, little is going to happen. Part of that includes encouraging the development of comprehensive security programs with well-defined responsibilities for managers, users, and system administrators.

Finally, all of this is only going to help us mitigate the problem, stem the flow of quality that we are having. It will not solve the problem. In order to get ahead of this problem, we need to support research and development activities that will lead to a new generation of technology on the Internet and other broad-scale networks. Systems that are easier to secure, systems that do not require so much constant attention, systems that do not repeat the vulnerabilities of the past, the long-term solution is better technology. That is going to take years. Until we get there, we need better management approaches. Thank you.

[The prepared statement of Mr. Pethia follows:]

Mr. Horn. Thank you very much. We will now go to questioning. It will be 5 minutes to a side. We will get everybody in here in three rounds, if you need them.

[Pause.]

Mr. Horn. This looks like a vote. What I want to do is start on one issue. Then I will yield to Mr. Turner. As I listened to the comment about maybe we need a tzar in this area, usually my spinal column starts wiggling.
As a student of Russian history, I keep wondering what happened to a lot of tzars and who is Rasputin in this operation? So, I guess I would ask, is the Koskinen model a good one for this? Now, with the Koskinen model, then when Mrs. Maloney and I wrote the President, then talked to him and said, look, you have got to get somebody to coordinate this effort. Some were waving the flag for a tzar. I was not. The way it worked out, one, the President picked a person that he had known before he was President and had trust in. No. 2, we made him assistant to the President, which is the highest rank you can have in the White House hierarchy. No. 3, he was not in OMB. He was housed near there. The President had him and the President spread the word to the Cabinet that this is serious business, when they finally got around to it. No. 4, they called on each of the Deputy Secretaries that really run departments and obviously involved the Chief Information Officers, who are the people we ought to be spending the time to be the managers they are supposed to be of communications and information in their particular agencies. So, I guess I would simply like to get the feeling of you as to whether that was a successful model that we could also apply to computer security and not have some tzar in OMB. Of course, as you know, I am trying to split the management part out of OMB. It might well roost there, but the fact is the model I think worked the way it did. I do not know if any of you want to take that and say, hey, there is another way to look at this. Go ahead. Mr. Gilligan.

Mr. Gilligan. Sir, let me give you some perspectives. I think the model with the particular individual, John Koskinen, worked extremely well. I think there were a number of factors that made it work well, one of which was the personal characteristics and strength of John Koskinen. I think there were also some other factors that made it effective.
That was the urgency and the immediacy of Y2K heightened the interest across the board. There was a need and a willing acceptance of someone to help lead the effort across government and across really the country. It is not clear to me that an exact parallel to that would work as effectively in computer security. I know that there has been some frustration, and there continues to be at all levels, with our difficulty of pulling together across-government activities in this area. So, it is clear that we need to emphasize and we need to work in that area. Obviously it is something the CIO Council is trying to address, and yet we realize that we have limited abilities as well. So, while I would not specifically endorse the exact model, I think we need to continue to look for some way to better leverage our across-government efforts in this area as a part of our solution.

Mr. Horn. Any other thoughts on this? Mr. Tritak.

Mr. Tritak. I would agree with those comments.

Mr. Horn. So, you would like that model?

Mr. Tritak. I think what is intriguing about the Koskinen and the Y2K effort generally is, in many respects, the Y2K was your first critical infrastructure challenge to the United States. It had a lot of things going for it. First of all, there was a recognition. In fact, industry actually led the way. The government took a little while to get onboard. There was an acknowledgment of what the challenge was. There was a known problem. The people rallied for it. I think that when you look at the Koskinen model, it is important to look at what the factors of success were. You have identified quite a few of them. He was viewed as having the authority. He worked very closely with the Cabinet. The Cabinet knew that when he walked into the room, who he was, and what he stood for.
We certainly cannot under-emphasize the importance of a leadership and view it as someone who is speaking with authority on behalf of the President; especially when you are talking about across-agency issues, which critical infrastructure really is all about. If you look at the way this has evolved, there was a time probably when the Computer Security Act was actually passed where you could talk about a computer system within an agency. It was that agency's system. Now, you are looking more at an interconnected set of systems. You have to ensure, in terms of the government as a whole providing a service to the Nation, that you have strong links across government agencies, as well as within them, so that you do not create weak links in the chain. Now, with that said, I think that we have to look very closely about how the challenges, as ongoing, differ from the Y2K experience before you talk about institutionalizing a new position. I think certainly some of the ingredients that you indicated bear close scrutiny and attention on that. In fact, you could make the case that, that kind of leadership becomes even more essential in some regards when the known threats are not as immediate, but you know they are out there and they could happen at any time as opposed to a date-specific.

Mr. Horn. Any other comments on this? I will yield 5 minutes to the gentleman from Texas. If you would like, we could recess now to go vote, and then come back, and then start with your 5 minutes. Is that OK with you?

Mr. Turner. That is fine.

Mr. Horn. OK. We are going to be in recess then for 20 minutes so we can get these two votes.

[Recess.]

Mr. Horn. This subcommittee will be in order. We will proceed with the questioning. It is 5 minutes for Mr. Turner, the ranking member from Texas.

Mr. Turner. Thank you, Mr. Chairman. I appreciated your comments.
I really get the impression that what you were saying to us is that there is a lot of work that has got to be done in the area of new technology before we will ever have any hope of really having a secure Internet. I guess I was kind of curious as to what types of things you are talking about? We made the comparison a minute ago to the Y2K problem. To me, what we are talking about today dwarfs the Y2K problem. In that arena, we had a date certain we were working toward. We knew if we made it past that date, we had succeeded. The government was able to provide a coordinating role for both the public and the private sector. This challenge seems to be so much greater. When you say we need better technologies, what kinds of things are we talking about?

Mr. Pethia. First of all, the driving factor behind my belief is that more and more devices attached to Internet are going to become consumer items. I think we are already there with personal computers. We are almost there, even with some devices like routers and fire walls, when you think about having these things installed in libraries, in doctors' offices, and in places where you would not expect to find someone with a degree in computer science. That is going to continue. We are going to have all kinds of devices at home. We are going to have hand-held portable units. We are going to have cell phones connected, as we already do, into the Internet. So, from one perspective what we need to do is to make security much simpler than it is today. You can configure a very secure personal computer, be it a Unix box or a Microsoft Windows box. All of the mechanics are there to do that, but it is not easy. It takes a lot of understanding and a lot of knowledge. Not only do you have to get it right the first time, you have to keep it that way over time as you add new applications into your personal computer.
So, if you think back to the 1960's when all computers were hard to use in all kinds of ways, the industry responded very well with a lot of research and development in easy-to-use, in fact ease of use was the buzz word for the industry back then. We need the same effort today, in terms of security controls and security mechanisms. Bring those controls and mechanisms to the point where the average user could use them. I think that is sort of a near-term, by ``near-term'' I mean a 2- to 3-year effort that could show some results, significant results, major results in that period of time.

Mr. Turner. I forget the name of the group or company that is certifying whether something is secure or not. I read about it somewhere. Is that the kind of thing that would motivate the private sector to be sure they develop their products in a way that they can be secure?

Mr. Pethia. I think that kind of thing will certainly help. I think the tension is going to be between the length of time it takes to do the evaluations and the market forces that keep driving new products. Very often, the situation of doing an exhaustive evaluation takes time. By the time you are through with that evaluation, the marketplace has already moved on to the next generation of products. I think we have to struggle with that issue.

Mr. Turner. That seems to be one of my greater concerns because this field moves so fast. It is always the private sector that is moving forward. We had some government effort over there, though it is not in one place right now. It seems that the government effort, even if we consolidate it, is always going to be a step behind what is really going on in the private sector. So, it is forcing you to try to think of private sector incentives to try to make this all happen. I cannot get it in my mind that the government is going to be able to keep up with it.

Mr. Pethia. I think the private sector interest is rising.
I think as more and more damage happens on the Internet, people are going to begin to understand that investing in security is something they are going to need to do in order to keep their businesses operational. So, I think that is happening. I see a big increase in private sector interest today, over just a year ago. That trend has been going on for several years. I think the marketplace, in my opinion, has become complacent. The marketplace is currently accepting whatever the vendors produce. I think an awareness campaign and an understanding that technology can be changed; technology does not have to be the way it is today is something that would help move, first of all, the consumer to a better understanding of the kind of quality the consumer should expect from a product. Then finally, the technology producers, as they begin to see a marketplace for that new product, to begin to produce. There is a place where I think government campaigns focused on broad-scale awareness, understanding, helping the consumer, both in government and outside government, understand that technology possibilities exist beyond what we have available to us today, I think, would go a long way to spur that kind of effort.

Mr. Turner. Is it a reasonable suggestion to think in terms of a second Internet? After all, we are even getting to the point where much of what takes place can even be done in a wireless mode. Is there a reason to consider that there could be more than one Internet? That there are secure Internets so that we can solve some of our national security type problems and others in a way that we know that we are protected?

Mr. Pethia. Certainly, I think there are some needs for high security in some applications where those networks and systems will remain isolated and should remain isolated from the broad Internet. I think the last 10 years of history has told us that the Internet is going to continue to evolve.
It is going to continue to lure people because of the broad connectivity that is available over the Internet, and also because of the dramatic lower cost of operating on this huge network where everybody shares the expense. I think the economics are going to continue to push most organizations toward the Internet. I think the challenge as to rather than trying to isolate from the Internet, the question is how do we go about fixing the Internet so that we can all enjoy the level of security that we need?

Mr. Turner. Your effort at Carnegie Mellon, through the Computer Emergency Response Team, seems to me to be an excellent private sector initiative. Do you think government is capable of duplicating that or will it be best left to efforts like yours?

Mr. Pethia. I think it is going to take a combination of efforts. There are within the government a number of computer emergency response teams in the DOD, in the Department of Energy, and in some of the other agencies. There is the FedCIRC activity which we actually participate in. So, I think there is a large government effort there. One of the advantages that I think we have is that in addition to the reactive work that we do, we are also housed in a research university. So, in the private sector where you can have these kinds of reactive capabilities to help us understand what the problem is, but also marry with that a research and development capability we can move toward solution. That, I think, is a good combination. So, there perhaps is a way where government can team with organizations in the private sector, with the government doing some of the response reactive work, ensuring that they have close working relationships with technology researchers so that the researchers really understand what the real problems are.

Mr. Turner. Thank you, Mr. Chairman.

[The prepared statement of Hon.
Jim Turner follows:]

Mr. Horn. I thank the gentleman. Now, I yield to the gentlewoman, the vice chairman from Illinois, Mrs. Biggert to question the witnesses for 5 minutes.

Mrs. Biggert. Thank you, Mr. Chairman. If I could ask unanimous consent to include my opening statement.

Mr. Horn. Without objection, it will be so ordered as read at the beginning, after Mr. Turner's opening remarks.

Mrs. Biggert. Thank you. This is a question for all of you. What is the real threat from cyber terrorists to the Federal agencies' mission critical systems? I know that is a broad question, but how does the administration's recently released National Plan for Information Systems Protection address the plans to mitigate these terrorist threats? I think when we were talking about Y2K, we had our mission critical systems. I think that was what was really addressed there. First of all, is there a threat from the terrorists?

Mr. Tritak. Well, I think the national plan makes clear that the threats posed by cyber terrorists as well as nation states is growing. I would urge you, if you have not already, to get a briefing by Mr. Michael Vaddis at the National Infrastructure Protection Center who could give you a lot more detail, an appropriate level of detail than I can get into. One of the reasons for PDD-63 stemmed from a Presidential commission which asked the question, what are the new threats to the Nation? The cold war is over. It is unlikely that anyone would be foolish enough again to take on the United States with armed forces. So, what are they? That question was initially prompted, of course, by a number of events that were happening in the mid-1990's, the Towers' bombing, Oklahoma City. What is going on here?
The recommendation of that commission was to say that the critical infrastructure of this country are increasingly becoming vulnerable to types of attacks that could be delivered over the information super highway. Why? Because as was indicated earlier, traditional infrastructures are increasingly relying on computer networks, not only to receive e-mail, but actually perform operational functions of their business. As you move further and further into deregulation, the need to cut your costs to make the margins up, you are going to be relying more and more on information technologies to perform functions which traditionally may have been performed by manual labor for example. Also, in the past, if a computer operational system went down, say in the electric power industry, they have ways of shifting over to manual type responses in order to keep the flow of services going. Now, over the long-term, more and more of those primary functions are performed by information technology, and if those systems are then networked either through the Internet or some wide area network systems, the potential for someone being able to get in and cause damage increases. Now, I am glad you also mentioned the critical systems because this is a very important thing about critical infrastructure assurance. What we are concerned about are those systems within our critical infrastructures which, if disrupted, could cause immediate and significant harm to the Nation's security, its economy, or the health and welfare of its people. If someone means to do harm, they are going to want to leverage their efforts to find weak links in the chain. So, one of the purposes of the effort that is outlined in the national plan is to begin to raise this issue with industry to make clear that this is more than just a hacking problem. Frankly, they deal with that now. They know that they are being hacked. Their websites are being looked at. 
The idea that if more and more of their business relies on information technology, for example, banking and finance, e-commerce, where the very nature of the revenue stream turns on information technologies. This is a different problem. The same thing within the Federal Government. There was a time when you could talk about a computer system within the Federal Government and it was the agency's system. It was insular. It was self-contained. Now, like everywhere else, you are getting inter-connectivity between agencies. They are depending on different services, both within government as well as outside of government. This inter-dependency is one of the newer challenges. An agency can get their security concerns right, but if they are dependent upon systems which do not have their security right, that is where the vulnerability lies. Your types of attacks which, again, Mr. Vaddis will be in a better position to talk to you about this, they are looking for the weak links. They are not simply going to willy-nilly take on any piece of the information infrastructure. They are going to look for where the highest value payoff is going to come from.

Mr. Gilligan. I think Mr. Tritak has done a good job of summarizing the significance of the threat and many of the characteristics that contribute to it. I would only add a couple of thoughts. One, I think it is not just linkages between agencies, but linkages within sites and within agencies where you find I think unknowingly our interconnection. We are just about intermeshed in our network connectivity among systems that we have the same vulnerabilities. I think second, we really, in my view, have kind of two tiers of threat. Unfortunately, a lot of our emphasis and visibility is on what I will call the lower tier, which is a very unsophisticated, but today, because of the vulnerabilities, is ineffective and gets a lot of visibility. Now, I think there is one that is much more sophisticated. We only get glimpses of it.
In many cases, that is something we do not share a lot of insight. It is almost masked. That is, we are seeing some of these lower sophistication threats. That is what we are focusing a lot of attention. I think we need to because you need to dampen those out of the system before you can really start to focus and then get the protection that you need to address the more sophisticated attack.

Ms. Brown. Well, I think both gentlemen have done a really good job. I would only add that I think one of the key challenges is not just today's problem, but the ongoing problem. There is new software every month. There are new systems every month. So, there is not a single fix, as in the Y2K, as Mr. Turner and everyone has talked about. There was a single crisis. There was a single thing that we had to fix. This is going to be an ongoing problem, and ever more difficult in many ways to stay on top of as we become more and more global. So, we need to look at what we can do today, but also on the more fundamental things to make our systems fundamentally secure. How do we design the systems and how do we design the software so it is not up to the user to fix and put the patches, which will always be there? Somehow, how do we fundamentally make the system more robust?

Mr. Pethia. I am building briefly on Mr. Gilligan's remarks; this idea of two tiers of threat. At the lowest level, and one of my big concerns, and the reason that I am advocating for increased emphasis on analysis, capability, and data collection is that the low-level threat, the amount of noise generated by that threat, is now so huge. We literally get 50 new incidents reported to us every day. We are only 1 of 90 emergency response teams, as well as a number of government agencies who focus on this issue. There is so much activity out on the network today. It is very difficult to pull out from all of that noise the one or two key things that you really need to pay attention to.
In order to stay ahead of this problem, I think we are going to need to become much more sophisticated in the way we collect and analyze incident data, so we can look for those key indicators that there is something really significant going.

Mrs. Biggert. Thank you. Thank you, Mr. Chairman.

Mr. Horn. Thank you. May I suggest that if we have some additional questions, that we have a time problem here. A number of us are involved in things that just go every 15 minutes, starting at around 12:05 p.m. So, if you do not mind, we would like to submit some of these questions, I know that I have, to you. Take your time, but we would love to have them in the record at this point, your best thoughts, if that is OK with you.

[The information referred to follows:]

Ms. Brown. Thank you very much for the opportunity.

Mr. Horn. Well, we thank you. The chart here I particularly want your comments. That is our question 5, for the majority. I think you have it. Now, this was prepared by counsel, Mr. Ryan. He is 100 percent Irish. I am only 50 percent Irish. It is not even St. Patrick's Day. I look at that. I looked for Jesse Jackson on the floor. It looks like the Rainbow Coalition. He is serious about this and we are. So, we would like your best shot at it, in terms of all of these organizations and how they can work on computer security issues. The key question still remains on who is coordinating this operation? Are there various ways, given the private sector, the Federal sector, the State sector, the local sector, the non-profit sector? So, if you would struggle a little with that, we would appreciate it. Well, thank you very much for coming. We will now swear in the next panel.

Mr. Horn. We have Mr. Jim Gerretson, Director of Operations, Information Assurance, ACS Defense, Inc.; Mr. Mark Rasch, senior vice president and legal counsel, Global Integrity Corp.; and Mr.
James Adams, chief executive officer, iDEFENSE. Gentlemen, if you will just stand and raise your right hands.

[Witnesses sworn.]

Mr. Horn. The clerk will note all three witnesses affirmed. We will begin, Mr. Gerretson, with you. It will be 5 minutes for a summary. We are going to have to stick to that. We all have your papers. If you were not in the room, they automatically go in at this point in full. If you can give us a summary, and then we would like to have some questions before noon. Then we are going to have to break. So, Mr. Gerretson, it is all yours.

STATEMENTS OF JIM GERRETSON, DIRECTOR OF OPERATIONS, INFORMATION ASSURANCE, ACS DEFENSE, INC.; MARK RASCH, SENIOR VICE PRESIDENT AND LEGAL COUNSEL, GLOBAL INTEGRITY CORP.; AND JAMES ADAMS, CHIEF EXECUTIVE OFFICER, iDEFENSE

Mr. Gerretson. Mr. Chairman and members of the committee, thank you for giving me the honor of testifying today. I am here today to give you a brief presentation on hacking. We believe that in order to start to fix your systems and networks, you have to understand the enemy, and hackers really are the enemy. The following presentation will take you briefly through what we call the hacker protocol and demonstrate just some of the tools and techniques used by hackers to gain access to your systems. All of the tools that you are going to see today are freely available on the Internet, or you can go to a local computer show on a weekend and, for $10 per CD, buy a full CD of different types of hacks. The current database that we have contains over 3 gigabytes of data.

What you see on the screen before you is what we call the hacker protocol. Different people may use different terms, but professional hackers in nation states that implement hacking as warfare do follow the same concepts. The thing that is important to recognize here is this is highly structured in its approach and in its planning. A good hack, for better or for worse, is invariably a well-thought-out, well-executed operation.
Mr. Horn. I might add on that very useful chart that, that will be placed in the record at this point, without objection. All other charts will be put in appropriately where they have been used by the witness or the staff. So, all of those charts will go in the final hearing report.

Mr. Gerretson. Thank you, sir.

[Slide shown.]

Mr. Gerretson. The first phase of the hacking protocol is intelligence gathering. This is primarily an espionage operation. There are many facets to it. Social engineering is a large part. I may act as a user calling up a help desk and say I have forgotten my password. Help desks are set up to be very helpful. They will frequently say, the default password is, or your network is. So, I get a lot of information that way. Open source materials such as newspapers, prospectuses, and library magazine articles are also a wonderful way of getting information. You hear the term a lot, but ``dumpster diving'' is also a very popular way of getting information on your system.

[Slide shown.]

Mr. Gerretson. Once we have done the intelligence gathering, the next step is to do reconnaissance. Again, to define the target. Your domain host is the name of your computer system on the network. I want to know what I have got, see if I can attack it, and how I can attack it. This is what we are going to show you. It is a freely available program called NMAP. We are going to take that information that we have gathered and scan your network to determine what is there. The program that we are using is called Ping Sweep.

[Slide shown.]

Mr. Gerretson. In simple terms, my computer is going out to your network and saying, hello, are you there? Your computers are coming back and saying, yes, I am. What you see here, with these being listed, are computer targets that have come back and said, I am here. What we have now done is identified a target set. We are not wasting our time.

[Slide shown.]

Mr. Gerretson.
The next slide, we are going to take one of those targets that we have identified and go and look for additional information. What we are trying to do is find out what services are open, as you see, I am pointing out. These are all considered services on a computer. This one, for example, is finger, which we will talk about in a second. What we are doing is finding a means to attack your system. We are also going to go out to try to find out the operating system that your computer is running, which is again identified. Once we have this information, we can now go and do specific probes. What we are going to do is take that information and look for a way to get into your system.

[Slide shown.]

Mr. Gerretson. This presentation that we are going to show you now is one of the tools called Finger. It is an information gathering tool; you are seeing it used in a way it was never intended to be used. In order to attack and control the system, you need three things. You need a valid user name. You need a valid password, and you need a host address from the computer system that is allowed to talk to you. If you look across here, as I am highlighting ``student one,'' I now have a valid ID and I now have a valid computer system that I am talking from. I have two of the three items that I need to attack this system.

[Slide shown.]

Mr. Gerretson. This next scan, web servers, as we are all aware, are a wonderful target for attack. It used to be that in order to do the attack, I had to know all of the systems and all of the vulnerabilities. Now, I have a tool that will run it for me automatically. It requires very little work on my part. It identifies the server type that is running and will simply go out and scan all of the CGI weaknesses on this web system. I do not even have to know what these systems are now. I do not have to know what these vulnerabilities are. It just tells me it finds one. I go out to my tool kit, pull in this particular attack, and away I go.
Once we do that, we are trying to get a toehold on the system. This is basically I just get into your box any way I can. I cannot control the data. I do not need it, but I am on it and it gives me the next step.

[Slide shown.]

Mr. Gerretson. The next step is to go from just being a user into what we call the root or administrator level of the system; then we really do own this box. I am going to skip this example.

[Slide shown.]

Mr. Gerretson. We are going to go and actually break into this system and take it over. It acts as a user system. What this program does is it shows us actually going in and doing an attack on the system that in a matter of about 15 seconds turns us into the root administrator of the box, simply from being a user. Once we have gotten control of the system, there are a lot of things we can do. We could kill this box. We could take the information. But what we do want to do is use it again later. So, we are going to hide our track. We do not want people to know we are there. We can do that by deleting files or modifying log files. We are going to show you a quick example of how we just simply modify a log file.

[Slide shown.]

Mr. Gerretson. This is a program called Wipe. We have a user account. We are called ``Reacher.'' We get into the system. If the system administrator were to check his logs, he would say, why is this guy here? But we have gone and wiped it. We are no longer there. We are now invisible to the person that runs this machine.

[Slide shown.]

Mr. Gerretson. We can put Trojans on the system. A Trojan is a program that will look like something that is a valid program that is supposed to be there, but in effect it is a program that does a lot of bad things. In this brief example, listen. We can record every keystroke you type on the system. We can turn on your sound system. So, if you have a microphone, we can record everything that is said in the area, and you will never know what happened.

[Slide shown.]

Mr. Gerretson.
Now, sounds bad and it gets worse. I will make a bold statement that if you are connected to the network, and if I have enough time and want to make the effort, I can hack you. The only surefire way to protect your system is to disconnect it from the network. Take out your floppy. Take out your CD and then lock it up in a secure room. Anything short of that, eventually it can be had. It sounds pretty bad, but there is hope. It is not all bad; just mostly bad.

The first thing is you have to have a vulnerability assessment. You have to know what your security posture is. Second, we believe in the defense-in-depth approach. It is vital. There is no single solution to make your system secure. You have to have layered approaches that complement each other. The next thing, training is the key. As the earlier witnesses said, there are good people out there, but they just do not understand security. One of the key things to recognize is the solution that works today may not work in 6 months. You will never have a final solution. You are constantly reassessing. Thank you for your time.

[The prepared statement of Mr. Gerretson follows:]

Mr. Horn. Thank you very much. We now have our second witness, Mr. Mark Rasch, who is the senior vice president and legal counsel for the Global Integrity Corp. Perhaps you would like to tell us a little bit about the corporation.

Mr. Rasch. Yes, thank you, Mr. Chairman. I work for Global Integrity Corp. It is a company that does information security consulting work for the private sector. So, our clients tend to be things like banks, insurance companies, Fortune 100 companies that take the problem of information protection. Notice I used the term ``information protection'' and not computer security. They take that problem seriously.
What we are trying to protect here is not the computers themselves, but the information that is contained on those computers. So, the perspective that I bring is what the private sector sees as the problem and what the private sector is trying to do itself to try to solve the problem.

One of the things we noticed is that the Commerce Department issued a report in the last couple of days that indicates that U.S. retail e-commerce sales for the fourth quarter of 1999, that is October through December, was about $5.3 billion. What has happened is this Internet that we created 20 years ago is being asked to do something that it was never designed to do. That is to support a national economy; to support a national infrastructure that it was never designed to do. So, what happens is we have this distributed computer network, which was essentially unsecured. All of the security to that network is essentially added afterwards. That is being designed now and being asked to protect the critical infrastructure.

The attacks that we saw a few weeks ago against Yahoo, eBay, and others also demonstrated another problem. As a lawyer, this is one that concerns me much more than what concerned me about the year 2000 bug problem, from a litigation standpoint. That is that we are only as secure as everybody else on the Internet. As the previous panel discussed, these are targets of opportunity. People attack systems because they can get in. They attack the ones that they feel that they can get into. Also, the fact that even if you have done stuff to harden your system, people will break into other people's systems and use those to attack you. So, what we have is a serious looming litigation problem, or what we would call downstream liability.
If you are attacked by somebody and the attack is coming from another corporation that did not secure the systems, and you go to your lawyer and ask, can we sue, which is always the dumbest question to ask a lawyer because the answer is always yes. The question is who are you going to sue, the 17- or 18-year-old hacker, if they are ever identified, or the corporation from whom you are attacked? So, the idea of a worldwide web that is dependent upon the security of everybody else creates targets of opportunities, not just for hackers, but for lawyers as well.

One of the problems also that we have seen is a massive increase, not only in the use of the Internet and the use of the Internet for electronic commerce, but of these types of criminal activity. For example, from 1998 to 1999, theft of intellectual property increased from 15 percent. Unauthorized access by hackers from inside is up 28 percent. Insider abuse to the Internet is up 17 percent. System penetration by external parties increased 32 percent.

Why is this happening? The first reason is that attack technologies are becoming very easy to use. So, as Mr. Gerretson just showed, you can go to any hacker convention, pick up a copy of this disk, put it in your machine, and knowing no more than a lawyer, which is a fairly low standard I would say, put this in your machine and launch an attack on any computer on the Internet. You do not need to know a lot. It is point and click and you are in. So, the tools are getting easier to use. They are becoming more widely available. In addition, with the growth of the Internet, you have tens of thousands and probably millions of insecure computers out there that are used as targets of opportunity and methods of attack. The software is becoming increasingly complex and much more difficult to secure. Software manufacturers who are building this software are trying to design it to be functional.
If you are coming out with a new word processing program or you are trying to come out with a new operating system, and you are under competitive pressures to get it out to market, you want to make sure that it is functional. Until companies demand security and the government demands security as an integral part of functionality, I do not think the manufacturers are going to ship these things as being at least more secure. So, these are some of the problems.

What is the private sector doing? Well, speaking just for Global Integrity, we are doing two things working with the financial services industry, which I think is a model for both the government and for other private sector enterprises. One of them is something called the BITS Laboratory that we are working with the Banking Industry Technology Secretariat and a consortium of banks. What they are doing is they are developing a series of security standards. We at Global are testing computer products, hardware, software, and other types of products, against the security criteria. The idea is that the marketplace then will say, for example, banks will say unless your software had been tested against these criteria, we will not buy it. Unless it is pre-configured to be in a secured manner, we will not buy it. So, we are using the marketplace as a method of trying to ensure security.

The second thing is the Financial Services Information Sharing and Analysis Center [FSISA]. This is something that we are doing. Financial services industries, banks, insurance companies, and the like have a secure method of sharing information amongst themselves about attacks and vulnerabilities. Let us face it, they do not want to tell people that they have been attacked, but they are happy to share information among themselves, if that will lead to more security. These are some of the models that are currently in place. We need to do more in the private sector and in the government sector to help secure the infrastructure. Thank you.
[The prepared statement of Mr. Rasch follows:]

Mr. Horn. Thank you very much. Our next witness and the last one on this panel is Mr. James Adams, chief executive officer of iDEFENSE.

Mr. Adams. Chairman Horn and members of the committee, I want to thank you very much for inviting me here today. Few revolutions are accomplished without bloodshed. Already, as we plunge headlong into the knowledge age, we are beginning to receive the initial casualty reports from the front lines of the technology revolution. From the headlines, you would think that the recent denial-of-service attacks were the beginning of the end of cyber world as we know it. Nothing could be further from the truth. These were mere in-breaks on the audio-V commerce.

Consider instead that some 30 countries have aggressive, offensive information warfare programs. All of them have America firmly in their sights. Consider too that if you buy a piece of hardware or software from several countries, among them some of our allies, there is real concern that you will be buying doctored equipment. It will syphon copies of all material that passes across that hardware or software back to the country of manufacture. The hacker today is not just the stereotypical computer geek with a grudge against the world. The serious hacker today is much more likely to be in the employ of government, big business, or organized crime.
Consider the band of Russian hackers who, over the past 2 years, have syphoned off an enormous amount of research and development secrets from United States corporate and government entities in an operation code named Moonlight Maze.

I would like to focus on this nexus between the public and private sectors, and on the government's efforts to respond to the growing threat. A couple of illustrations to begin; 20 years ago, some 70 percent of all technology development was funded by the public sector. Today, that figure is under 5 percent. In other words, in the course of one generation, every government agency should have changed how it does business. Has that happened? No. Looking ahead for that same 20-year period, we will see the following. The ordinary computer that you have on your desk will have the computing capacity of the human brain. At the same time, research offers the possibility of our ability to manufacture perfectly the human body. So, in the course of a generation, our view of life, death, family, society, and culture, the bedrocks of our way of life down this century, will have changed forever. Is government or the private sector thinking and planning for such fundamental change? No. One further point; the pace of the revolution is accelerating rapidly. Yet, the pace of change within government seems to be exactly the same today as it was 10 years ago.

How has the government responded so far? Well, there has been the usual President's Commission and then the Principal's Working Group, then the bureaucratic compromise that nobody really wanted, and then the national plan which arrived 7 months late and was not a plan at all, but an invitation to further discussion.

[Chart shown.]

Mr. Adams. These two charts that I brought today illustrate the current chaos. What you see is a totally disorganized organization chart. One that, if it were in the private sector, would be a sign of imminent bankruptcy. You see no clear leadership.
You see duplication of efforts; the waste of billions of dollars of taxpayers' money, and the struggle by stovepipe agencies to retain power, influence, and money. In other words, there is no coherent strategy and the tactics are not about winning a war, but about preserving turf. There are, of course, some notable exceptions to this. You have heard from one of them today, John Tritak.

What is needed today is an outside entity with real power to implement drastic change in the way government approaches technology and the underlying security of its systems. What is needed most is a personal entity that would draw on skill sets in many areas that will overlap those of the CIO, CFO, or CSO, and most of the other officers or entities in any organization. Let us give this new person the title of chief of business assurance. He or she would be in charge of the Office of Business Assurance. Business assurance is more than security, more than technology, and more than a combination of the two. It is an understanding of the whole environment and what that means for a business or a public sector operation. The CBA's task would be to continuously gather and synthesize infrastructure-related trends and events to intelligently evaluate the technological context within which the organization operates, to identify and assess potential threats, and then to suggest defense action. Viewed from the positive side, to assess the technological revolution's opportunities and propose effective offensive strategies. The Office of Business Assurance must be a totally independent organization with real teeth and real power within government.

There is much in common between government and industry when it comes to the challenges and the opportunities that the technology revolution poses. Both sectors face a common threat. Both sectors share common goals. Both employ technologies that are, in essence, identical. Both must work together to protect each other. I will leave you with this thought.
You will employ total transformations of the way business and government is conducted internally and externally going forward. We have heard a great deal in recent months about the potential of a digital divide that is developing between the computer-haves and the computer-have-nots. I believe there is another digital divide that is growing between the American Government and its citizens. If this committee's efforts do not move forward in changing this cultural inertia, there is real danger that the digital divide that exists between the government and the private sector will only widen. We cannot afford a situation where the governed feel that their government is out of touch and increasingly irrelevant to their lives. Thank you.

[The prepared statement of Mr. Adams follows:]

Mr. Horn. Thank you. All three of you have made some really excellent suggestions. Let me start some of this query. Let me note that, Mr. Rasch, you were very active before you took your current job. You were a trial attorney with the Fraud Section of the Criminal Division of the U.S. Department of Justice. You left the Department in 1991. You were the sole attorney in the Computer Crime Unit. That was on a part-time basis. The Computer Crime and Intellectual Property Section of the Department of Justice today consists of 18 attorneys. The Internet consisted of perhaps 60,000 computers. Then you have made some very thoughtful things. Let me pursue this. I turned to Mr. Ryan, the counsel to the subcommittee, when you were testifying. I said, let us draft a bill that would make this simply illegal. Now, how does the Justice Department, what does it use to be able to get after hackers now? What laws? Do you need new legislation which would ban them and get those out of here?

Mr.
Rasch. The principal statute that exists to prosecute Federal computer crimes is 18 U.S.C. Section 1030, which is the Federal computer crimes statute. That focuses on activities. For example, intentionally accessing a computer without authorization or disrupting authorized access to a computer. So, for example, the recent attacks and the denial-of-service attacks squarely come within the ambit of that statute and are being aggressively investigated and could be prosecuted under that.

Mr. Horn. Are there any First Amendment concerns on this?

Mr. Rasch. Probably not. This is action and not speech. Although just as burning down a building may be an expression, it certainly is not a protected expression. There are some First Amendment concerns in the area of encryption and some legislation. There is some case law on the question of whether or not software itself acts as a form of expression. That relates to these types of hacker tools. The dissemination of hacker tools themselves; whether or not that type of dissemination is criminal. There are really two separate statutes that could be used there. One is the Digital Millennium Copyright Act which passed last year, which is right now being used in a civil lawsuit against the people who attempted to reverse-engineer the DVD codes to allow them to pirate software and things like that. So far, it has withstood a challenge on Constitutional grounds. The second one would be 18 U.S.C. Section 1029 which makes it illegal to disseminate what are called access devices, which could be such things as passwords and things like that.

Mr. Horn. Any comments on those?

Mr. Adams. I think you raise an interesting, Chairman. I would just make this in addition to what Mark was saying. There has been a great deal of focus on law enforcement. Of course, law enforcement has a prominent role to play in this. The speed of the revolution is such that, that is very much after the fact, obviously. An event has occurred.
We failed and therefore we have to do something about it. By the time somebody is caught and prosecuted, the revolution has moved several steps forward. So, we need to think about what does the prevention look like in the globally virtual environment in which we find ourselves. Then if that fails, of course you need something to follow that up. The first step has to be a much more comprehensive approach to prevention, warning, intentions, good intelligence, and so on.

Mr. Horn. At this point, I am going to turn the Chair over to the vice chairwoman, Mrs. Biggert, the gentlewoman from Illinois. I, unfortunately, have other commitments that I have got to do. I want Mr. Turner and Mrs. Biggert to get all of the questions out that they can. So, thank you particularly for functioning and coming here.

Mrs. Biggert [presiding]. Mr. Turner, you are recognized for questions.

Mr. Turner. Mr. Adams, you were showing us your two charts here, which I guess were designed to display the multitude of efforts within various Federal agencies to deal with information system security. Rather than look at that as a failed effort, I guess it shows that every agency is struggling to try to keep up with the problem. There are obviously some things that we ought to do to consolidate the effort. This battle is so dependent upon technical expertise. One of the battlefields where we should be fighting on is to figure out how to train people to work for the good guys. There are probably people within these Federal agencies that are noted to be outstanding technical experts that do good work in trying to find solutions and trying to make the systems secure. Are we going to be constantly behind the curve in terms of what government does? I think it is probably difficult to attract the best and the brightest to the public sector.
I am sure that Global Integrity and others of the world are going to be reaching out and trying to pay the salaries necessary to attract the people who could really create the defensive mechanisms you need.

Mr. Adams. I think those are very good points. We clearly face a very difficult dilemma. The government is at the front line here, as is the private sector. The private sector, my largest number of recruits come from government agencies. The private sector is hiring the best and the brightest and moving forward very quickly. Clearly, there needs to be a relationship between the public and private sector. Look, for example, at what the CIA is doing to try and keep itself up to speed with the pace of technology change. It is doing that by establishing essentially a venture capital arm that is the interface between the public and private sector. So, you have that on the one hand; different ways of doing it. On the other hand, something that the Federal Government can do dramatically different is push education into the system, so that what we are doing is seeding the next generation and the generation after that to keep itself up to speed. The Federal Government is going to be an enabler. It is not going to be able to mandate very much. This revolution is occurring outside of its orbit. So, it can do a lot of things to influence it. It needs to, I think, do that more creatively so that it is seeding the population. We have tremendous shortages of skills at the moment in the whole area of computers, and computer security, information security, and so on. So, how to tackle that more creatively and aggressively is going to be a very important issue, which is partly where it all comes back to leadership. You need to have a more creative and push-through process than we have at the moment.

Mr. Turner. If you were to have a free hand at creating an entity that would do that, what would it look like?

Mr. Adams.
Well, I think what the lesson we have learned in this revolution from the private sector is that if you take an old economy company and you try and transition it to the new economy, this will largely fail. What you have to do is do the Apple Computer model. You setup a new building, different people, and put a pirate flag on the roof. They developed a culture and they forced something else into the system, which is why this idea of a Business Assurance, some sort of entity that sits outside of the Federal Government that is able to communicate effectively with the private sector and with the public sector and force through change. What those charts illustrate is, as you rightly say, lots of people try to fix it. These are people of good will, by and large. They are unable to move collectively aggressively enough. They are falling further and further behind in the revolution, which is this disconnect. It is very dangerous in a democracy. So, if you can have a way of driving through change, something with real power, the Koskinen model, but with muscle, not just please will you all sit around the table. If you do not do this, you will be held accountable for failure. That is something where there is an opportunity perhaps because it is the private sector that has the expertise and the energy. That is going to continue to be the case. That is just going to be a fact of life. So, much better to try and figure out a way to bridge that gulf, rather than say, well, we can actually fix it all ourselves. It is all about a partnership between the private and the public sector, making that work and then driving it into the public sector. That is the trick for you all to try and come up with a way of creating something very muscular that will force change, rather than saying, well, let us get around to it in another couple of years. Too late. Mr. Turner. Although we obviously have to let the CIA do their own thing, would that kind of model work for the rest of government? Mr. 
Adams. I think it is too early to say at the agency. Clearly, what we know is that they are bringing some interesting technology back into the system. The problem comes then is this is a voluntary exercise. We found this really cool stuff. We think you should use it. Can the culture be forced to change? The CIA is a very inert bureaucracy like a lot of government agencies. Will that drive it through? I think it is an interesting model in creating the place for dialog, but it is a difficult challenge. For example, there is a government agency that is currently revising its ways of procuring things, trying to keep on the front of technology. It feels that it is making a big step forward by doing changes in 2 years; design and implementation in a couple of years. My company is not into design and implementation in 90 days. I cannot afford to do it because I am losing market share. So, how do you change that culture to a place which is much more reflective of what is happening in the private sector? It is a very difficult challenge. It has to, I think, have somebody. You are talking about very big picture stuff here; billions, and billions, and billions of dollars, where you have a single entity that says you do this my way or it is not going to happen; so forcing it. This is very counter-culture to the way governments traditionally work. One of the great strengths of democracy and the great strength of government entities is that they slowly evolve. They move forward to match a pace. Well, in a revolution that is very hard because you cannot afford to evolve in the same way. You have to either become a revolutionary or you get swept away. We have seen examples of that throughout history. That is why this is both a dangerous and a very challenging time; dangerous because it can threaten the institutions that provide stability, but a tremendous opportunity for America as the leading Nation in the world to move with the revolution, embrace it, and drive it forward. 
The government and the private sector have to come together somehow to make that so.

Mr. Turner. Thank you.

Mrs. Biggert. Thank you. Mr. Gerretson and probably Mr. Rasch, how vulnerable are home computer users? You mentioned that the whole Internet is only as secure as the most vulnerable link. Then after that, if after they surf the web and turn off their modems, are there still risks to the system?

Mr. Gerretson. I will take the first shot at that. The first answer is if you are on a dial-up modem, you are vulnerable while you are connected. Cable modems and DSL are widely becoming available now. They are always on. I run a private network at my house. I have a firewall. Every night I have probably six to eight of what I call drive-by shootings where somebody comes and just tries out my system to see if they can get a hold of it. The answer is they are very vulnerable. There is very little protection on them because it sits on there. Without that firewall, I probably would have been one of what they call the zombie machines attacking Yahoo and would have never known it. As the cable modems and the DSLs get more and more ubiquitously available, it is a huge problem.

Mr. Rasch. I would mirror that. We did a study at Global where we left a cable modem on at a home PC and simply tested it to see how many times, without a firewall deliberately, to test to see how many times it was attempted to be attacked. We found that in 1 month, almost 6,000 attempted attacks on a home PC. What was interesting about that study, however, was the fact that these attacks were coming from Eastern Europe, from Africa, from Asia, as well as from the United States. So, these are coordinated concerted attacks on any computer that they can find on the Internet. That would include home PCs in the always-on mode; particularly, those on DSL connections or cable modems.

Mrs. Biggert. So, in theory, these really then could lead you into, let us say, a Federal agency through those computers?

Mr. Rasch. Absolutely.

Mr. Gerretson. That is right.

Mrs. Biggert. OK. Then we talked in the first hearing about this chart with the yellow bubbles at the top and sides representing the executive branch, and then those organizations that also have a stake in Federal computer security.

[The information referred to follows:]

[GRAPHIC] [TIFF OMITTED] T7018.159

Mrs. Biggert. So, to me, it looks very similar to your chart, Mr. Adams. The problem is that we have kind of a blank in the middle. So, would you all agree that we need an outside coordinator to be in control of this to coordinate all of our efforts?

Mr. Gerretson. Well, ma'am, I would say that my first question when I saw this chart and I was talking to Mr. Ryan about this is, who is coordinating the coordinators? It seems to be somewhat disorganized. I would like to make one little statement about that. The one advantage that the Federal Government has is that they know they are screwed up. We do a lot of commercial work. If you get outside of the IA Groups, they do not even know they are in trouble. So, yes, you are lagging behind, in some cases, but, at least you know you are lagging behind. That is kind of contrary in view, but there are advantages to what you are doing. This is a problem.

Mr. Rasch. What I see as the problem is a definition of function. What we really need somebody to do is to say, not so much just coordinate the efforts, but say, all right, testing. That is NIST. For developing new technologies, that is somebody else. Basically, not so much coordinating, but defining who has what roles. One of the things that happened with the development of the Computer Emergency Response Team at Carnegie Mellon, the CERT Team, it was a wonderful idea, and remains a wonderful idea, and works very well. Now, we have dozens, and dozens, and dozens of computer emergency response teams. The problem with that is it is like living in a town that has 20 different 911 numbers. So, you run into a problem of who are you going to call. So, you need to really define the functions first and then decide who is going to coordinate between and among those functions.

Mrs. Biggert. This has been very interesting. Obviously, you have heard the bells. We have another vote. So, I think that we will have to adjourn at this time. We will be having several more hearings. I know that we will be pursuing this more in-depth. I agree with you that we are behind and we need to look at this problem. I think that this has been a great start for this committee. So, I really appreciate you all participating and look forward to asking more questions of you, I am sure, in the future when we get into this. So, without more, this committee hearing is adjourned.

[Whereupon, at 12:05 p.m., the subcommittee was adjourned.]