[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]

INFORMATION TECHNOLOGY--ESSENTIAL YET VULNERABLE: HOW PREPARED ARE WE FOR ATTACKS?
=======================================================================

HEARING
before the
SUBCOMMITTEE ON GOVERNMENT EFFICIENCY, FINANCIAL MANAGEMENT AND INTERGOVERNMENTAL RELATIONS
of the
COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION

SEPTEMBER 26, 2001

Serial No. 107-78

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE
80-481 WASHINGTON : 2002

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON GOVERNMENT REFORM

DAN BURTON, Indiana, Chairman

BENJAMIN A. GILMAN, New York              HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland            TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut            MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida              EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York                  PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California                  PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                     CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia                 ELEANOR HOLMES NORTON, Washington, DC
MARK E. SOUDER, Indiana                   ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio                DENNIS J. KUCINICH, Ohio
BOB BARR, Georgia                         ROD R. BLAGOJEVICH, Illinois
DAN MILLER, Florida                       DANNY K. DAVIS, Illinois
DOUG OSE, California                      JOHN F. TIERNEY, Massachusetts
RON LEWIS, Kentucky                       JIM TURNER, Texas
JO ANN DAVIS, Virginia                    THOMAS H. ALLEN, Maine
TODD RUSSELL PLATTS, Pennsylvania         JANICE D. SCHAKOWSKY, Illinois
DAVE WELDON, Florida                      WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                        DIANE E. WATSON, California
ADAM H. PUTNAM, Florida                   ------
C.L. ``BUTCH'' OTTER, Idaho               ------
EDWARD L. SCHROCK, Virginia               ------
JOHN J. DUNCAN, Jr., Tennessee            BERNARD SANDERS, Vermont (Independent)

Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director

Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations

STEPHEN HORN, California, Chairman

RON LEWIS, Kentucky                       JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida                       MAJOR R. OWENS, New York
DOUG OSE, California                      PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida                   CAROLYN B. MALONEY, New York

Ex Officio
DAN BURTON, Indiana                       HENRY A. WAXMAN, California

J. Russell George, Staff Director and Chief Counsel
Robert Alloway, Professional Staff Member
Scott R. Fagan, Clerk
Mark Stephenson, Minority Professional Staff Member

C O N T E N T S

Hearing held on September 26, 2001

Statement of:
  Dick, Ronald, Director, National Infrastructure Protection Center, Federal Bureau of Investigation
  Miller, Harris, president, Information Technology Association of America
  Pethia, Richard D., director, Cert Centers, Software Engineering Institute, Carnegie Mellon University
  Seetin, Mark, vice president, governmental affairs, New York Mercantile Exchange
  Vatis, Michael, director, Institute for Security Technology Studies, Dartmouth College
  Willemssen, Joel C., Managing Director, Information Technology Issues, U.S. General Accounting Office

Letters, statements, etc., submitted for the record by:
  Dick, Ronald, Director, National Infrastructure Protection Center, Federal Bureau of Investigation, prepared statement of
  Horn, Hon. Stephen, a Representative in Congress from the State of California, prepared statement of
  Miller, Harris, president, Information Technology Association of America, prepared statement of
  Pethia, Richard D., director, Cert Centers, Software Engineering Institute, Carnegie Mellon University, prepared statement of
  Seetin, Mark, vice president, governmental affairs, New York Mercantile Exchange, prepared statement of
  Vatis, Michael, director, Institute for Security Technology Studies, Dartmouth College, prepared statement of
  Willemssen, Joel C., Managing Director, Information Technology Issues, U.S. General Accounting Office:
    Information concerning e-mail bombing
    Prepared statement of

INFORMATION TECHNOLOGY--ESSENTIAL YET VULNERABLE: HOW PREPARED ARE WE FOR ATTACKS?
----------

WEDNESDAY, SEPTEMBER 26, 2001

House of Representatives,
Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations,
Committee on Government Reform,
Washington, DC.

The subcommittee met, pursuant to notice, at 10 a.m., in room 2154, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding.

Present: Representatives Horn and Maloney.

Staff present: J. Russell George, staff director/chief counsel; Elizabeth Johnston, GAO detailee; Darin Chidsey and Matt Phillips, professional staff members; Mark Johnson, clerk; Jim Holmes, intern; David McMillen, minority professional staff member; and Jean Gosa, minority clerk.

Mr. Horn.
A quorum being present, the hearing of this Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations will come to order. The horrific events of September 11 were a wake-up call that all too clearly illustrates this Nation's vulnerability to attack. We have known for a long time that airport security was lax, and we did nothing to fix the problem. Intruders took advantage of that vulnerability in ways that for all of us were unimaginable. We must learn from this experience. But will we? We have known for several years that our government's critical computer systems are as vulnerable as airport security. In 1997, the General Accounting Office placed the security of the executive branch of the government's computers on its high-risk list. In 1998, the Federal Bureau of Investigation formed its National Infrastructure Protection Center to gather information on computer threats and issue timely warnings about those threats. It is now 2001 and the executive branch has made little progress in addressing computer security issues. Are we going to wait until these vital systems are compromised--or worse? During the crisis in New York and Washington, we found that the Nation's communication systems were not as strong as they needed to be. Cellular telephones stopped working. City leaders were unable to communicate with other officials at all levels. In the immediate aftermath in New York, broadcast television services were interrupted. But imagine the repercussions if attacks on the Federal Government's critical computers were equally successful. National defense, communications, transportation, public health, and emergency response services across the Nation could be crippled instantly. In addition to the threat of physical assault, the Nation's information technology systems are already under cyber-assault. Following the terrorist attacks on New York and Washington, the ``Nimda'' worm attacked computer systems around the world. 
Nimda shut down banks in Japan, multinational corporations, and some government systems in the United States, such as Fairfax County. On Monday, a new worm was unleashed on computer systems. This worm is capable of wiping out a computer's basic system files. These attacks are increasing in intensity, sophistication, and potential damage. Is the Nation ready for this type of terrorism? Will its basic communications and computer infrastructure withstand a major assault? Today, we want to examine these critical issues. We welcome our witnesses and particularly this panel. You had to come from a number of places, and we know at the last minute it is tough. We thank you very much and we will have a very good discussion of these computer threats and the measures that must be taken to protect this Nation--its economy, its States, its cities and institutions of higher learning and research--besides Federal departments, States and counties--we will be getting into that later this year.
[The prepared statement of Hon. Stephen Horn follows:]
[Statement reproduced as graphics in the original; not included here.]
Mr. Horn. So we will now start with the witnesses. And as we've done many times before, we will start with the representative of the U.S. General Accounting Office, Joel C. Willemssen, Managing Director, Information Technology Issues. We have all witnesses accept the oath and I will start with everybody at this point and we'll just go down the line. So if you'll raise your right hand--and also have your assistants which might give you paper and all that--let's do it all at one time. The oath states do you have the full truth of your testimony you're about to give for this and the questions, and if we ask you to do it 2 weeks from now in terms of a particular thing you want in the book, all of this is under oath.
[Witnesses sworn.]
Mr. Horn. Thank you very much.
When we introduce you, your full written statement automatically goes in the record, so you don't have to ask us to do so. We would like you, in 5 or 7 minutes, to give a summary of your testimony. We give a little--let's see, we've got plenty of time here so we could make it 10 minutes. But we want to get into dialog among you as well as those members expected to be here. So Joel C. Willemssen, Managing Director, Information Technology Issues, U.S. General Accounting Office, which is presided over by the Comptroller General of the United States, and it's part of the legislative branch. Mr. Willemssen, it's always good to see you.
STATEMENT OF JOEL C. WILLEMSSEN, MANAGING DIRECTOR, INFORMATION TECHNOLOGY ISSUES, U.S. GENERAL ACCOUNTING OFFICE
Mr. Willemssen. Thank you, Mr. Chairman. It's an honor to appear again before you today and, as requested, I'll briefly summarize our statement on the challenges involved in protecting government and privately controlled systems from computer-based attacks. Overall, our work continues to show that Federal agencies have serious and widespread computer security weaknesses. These weaknesses present substantial risks to Federal operations, assets, and confidentiality. Because virtually all Federal operations are supported by automated systems and electronic data, the risks are very high and the breadth of the potential impact is very wide. The risks cover areas as diverse as taxpayer records, law enforcement, national defense, and a wide range of benefit programs, and they cover all major areas of required controls such as access controls in ensuring service continuity in the face of disasters. The September 11 tragedies demonstrated just how essential it is for government and business to be able to continue critical operations and services during emergency situations.
News reports indicate that business continuity and contingency planning has been a critical factor in restoring operations for New York's financial district, with some specifically attributing companies' preparedness to the contingency planning efforts associated with the year 2000 challenge. At the same time, however, our reviews still reveal shortcomings in Federal agency business continuity planning. Examples of common weaknesses include incomplete plans and plans that have not been fully tested. While a number of factors have contributed to these weaknesses, and overall weak Federal information security, we believe the key underlying problem is ineffective security program management. Computer security legislation enacted last year can go a long way to addressing this underlying problem. The legislation requires that both agency management and inspectors general annually evaluate information security programs. This new annual evaluation and reporting process is an important mechanism previously missing for holding agencies accountable for the effectiveness of their security programs. Beyond the risks with Federal agency systems, the Federal Government has begun to address the threat of attacks on our Nation's computer-dependent critical infrastructures such as electric power. A prior Presidential Directive known as PDD63 outlined a governmentwide strategy to address this. However, progress in implementing this directive has been limited. For example, while outreach by numerous Federal entities to establish cooperative relationships with private organizations in key infrastructure sectors has raised awareness and prompted some information sharing, efforts to perform analyses of sector and cross-sector vulnerabilities have been limited.
In addition, a key element of this strategy was establishing the FBI's National Infrastructure Protection Center [NIPC], as a focal point for gathering information on threats and facilitating the Federal Government's response to computer-based incidents. As we reported earlier this year, the NIPC has initiated various efforts to carry out this responsibility. However, we also found that the analytical and information sharing capabilities that were intended had not yet been achieved. A major impediment to implementing the strategy outlined in PDD63 is the lack of a comprehensive national plan that clearly delineates the roles and responsibilities of Federal and non-Federal entities and defines interim objectives. We've therefore recommended that the assistant to the President for National Security Affairs ensure a more fully defined strategy for computer-based threats be developed that addresses this impediment. It will obviously be important that this strategy be coordinated with the counterterrorism efforts undertaken by the newly established Office of Homeland Security. Mr. Chairman, that concludes a summary of my statement, and after the panel is done I'd be pleased to address any questions you may have. Thank you.
Mr. Horn. Well, thank you.
[The prepared statement of Mr.
Willemssen follows:]
[Statement reproduced as graphics in the original; not included here.]
Mr. Horn. And we will now move to Mr. Richard Pethia, the director of the CERT Centers, Software Engineering Institute at Carnegie Mellon University.
STATEMENT OF RICHARD D. PETHIA, DIRECTOR, CERT CENTERS, SOFTWARE ENGINEERING INSTITUTE, CARNEGIE MELLON UNIVERSITY
Mr. Pethia. Mr. Chairman, thank you for the opportunity to testify on information infrastructure security and our preparedness for attacks.
My perspective comes from the work that we do at the CERT Coordination Center where we're chartered to deal with security emergencies on the Internet and to work with both technology producers and technology users to facilitate responses to security problems. Since 1988, we've handled over 63,000 separate incidents and have analyzed more than 3,700 computer vulnerabilities. I'll use a recent attack to illustrate what I think are some of the critical issues. On September 18, the Internet community at large was attacked with an automated attack that has been called the W32 Nimda worm or Nimda. This worm had the following characteristics: It used multiple means to spread from computer to computer, from desktop to desktop, via electronic mail; from desktop to desktop via shared files; from Web server to desktop by a browsing of compromised Web servers; from desktop to Web server via active scanning for various vulnerabilities; and from desktop to Web server via scanning for back doors left behind by earlier worms Code Red and sadmind. It modified Web documents and certain executable files on the infected machines, and it focused on infecting machines on local networks, thus clogging those networks with scanning traffic and disrupting operations. Nimda was the first worm or virus that we've seen that attacks computers that act as servers as well as desktop computers. As many reports indicated, Nimda spread like wildfire. The first reports of scanning activity came at about 8:30, between 8:30 and 9 a.m. Within an hour, many organizations reported that they were paralyzed by the scanning activity, and by mid-afternoon over 100,000 machines were infected. The response community reacted immediately but were hampered by lack of source code and by the complexity of the worm. Warnings were sent to the community in the morning with updates as analysis progressed through the day.
Analysts quickly obtained the binary code and began the reverse engineering process but needed several hours to complete it. By mid-afternoon, antivirus vendors began making detection software available. Heavy worm activity was reported through the remainder of the day and all of the 19th. On the 20th the reports continued but at a much lower rate. We will continue to see periodic ongoing recurrences of this worm over the next several months, gradually tapering off in impact. What are the factors that allow attacks like this to be successful? Vulnerable software. Today's commercial off-the-shelf technology is riddled with holes. In calendar year 2000 we received reports of over 1,090 new vulnerabilities in our existing information technology. At the current reporting rate, this year we expect over 2,000 new reports by the end of the year. The software design practices in use do not yield software that is resistant to attack. Software implementation practices do not remove programming flaws that result in vulnerabilities. And default software configurations shipped to the customers leave security doors open, and explicit user action must be taken to close them. Technology users are not able to keep up with the pace of vulnerability fixes. The sheer number of vulnerabilities is overwhelming organizations. The upgrade process is difficult and time-consuming and it often takes months or even years for users to patch their systems across the broad Internet community. Today we still receive reports of recurrences of the Melissa virus, a virus that exploited vulnerabilities that were discovered 2 years ago. At the same time, attack technologies are growing increasingly sophisticated and automated. Exploit scripts are quickly written by the intruder community for newly found vulnerabilities. They are combined with other forms of software to form very powerful automated attack tools.
Compromised systems are harnessed together to attack others, and automation allows these attacks to proceed at lightning speed. Our reactive solutions are reaching the limits of their effectiveness. Only the best-resourced organizations can keep up with vulnerability fixes. With over 109 million computers, and growing, on the Internet there are always hundreds of thousands, if not millions, of computers that are vulnerable; and automated attacks can now cause major damage before they're even detected. The complexity of the attack is challenging software analysts who try to fix them, and we will continue to see major damage within even the best response cycle times that we can hope to achieve. What are the answers? First and foremost, higher quality software products. Known design techniques can dramatically reduce the virus problem. Viruses spread because systems allow the unconstrained execution of imported code. Yet we've known for decades how to build hardware and software that constrains this code execution. Using this technique would dramatically reduce the virus problem. In addition, implementation errors, bugs in the software, cause over 80 percent of the other problems that we see on the Internet. Known software engineering techniques can reduce these bugs by a factor of at least 10, and typically more than 100. Also, it's important that we begin to ship high-security configurations as the default. It's no longer realistic, given this huge user population, to expect today's average computer user and system administrator to have the technical skills needed to securely configure their software systems. We must build and ship products that are safe for use by today's average administrator and user. That's the near-term solution. Longer term, we will continue to see more sophisticated attacks.
Better design and implementations will solve much of what we see today, but as we get more sophisticated attacks, we must develop new software engineering techniques, integrated frameworks for information assurance and analysis design, and these frameworks must lead to engineering methods and technologies that yield systems that are resistant to attack but also able to survive those attacks even if they are partially penetrated. More research into survivable systems is needed for the future. Increased support for information assurance degree programs is also needed. Today there is a critical shortage of technical security specialists. The recent government programs on the security Centers of Excellence is a step in the right direction, but it's only a start. More is needed to meet the growing demand in both government and industry for these technical specialists. And finally, awareness and training for all users. This is not just a problem for technical specialists. It's a problem for executives, for middle managers, for commercial users as well as for home users. We need to support the development of programs that allow awareness and training for all of those individuals, and we also must provide programs for elementary and secondary school teachers to allow them to begin training their students on acceptable and unacceptable behavior and basic security practices. In conclusion, attacks like Nimda will occur again, and they will have great impact unless and until substantial changes are made. Most important now is higher-quality software that uses known design and implementation practices to reduce vulnerabilities. A 100-fold improvement is needed. In the future, threats will be even more sophisticated; and so while we deal with today's problems, we also must expand our research and education activities to deal with the problems that we'll see within the next 5 years. Thank you.
Mr. Horn. Thank you.
[The prepared statement of Mr.
Pethia follows:]
[Statement reproduced as graphics in the original; not included here.]
Mr. Horn. Our next presenter is Michael Vatis, the Director, Institute for Security Technology Studies at Dartmouth College.
STATEMENT OF MICHAEL VATIS, DIRECTOR, INSTITUTE FOR SECURITY TECHNOLOGY STUDIES, DARTMOUTH COLLEGE
Mr. Vatis. Thank you, Mr. Chairman. I would like to commend you for holding this hearing today, because in the wake of the horrible terrorist attacks that occurred on our country on September 11, it would be very easy for Members of Congress to focus all of their attention on the types of attacks that occurred on that day and to focus on what needs to be done to prevent their reoccurrence.
But I think it is equally important at least that we pay attention to the other types of threats to our Nation's security that are just as significant today as they were before September 11. And among those threats are potential cyber attacks against our information infrastructure. Indeed, for the reasons that I've given in my prepared statement, I believe that this threat is even greater today than it was before September 11. And so, again, I'd like to commend the subcommittee for bringing attention to this critical issue when it would have been very easy to focus on other things. I would like to devote my discussion today to two things. One is to provide a summary of our threat assessment of the possible attacks that could take place on our information infrastructure during the war on terrorism; and second, to talk about the importance of research and development to the overall cause of securing our Nation's computer networks. It is my belief that what is needed today is essentially a ``Manhattan Project'' for counterterrorism technology, so that America's leading scientists in industry, academia, and government can work together to use one of this Nation's greatest strengths, our technical prowess, to design tools and technology to secure the information infrastructure that provides the foundation for our economy and our national security. Turning to our threat assessment, we started by examining several recent political conflicts over the last few years that have led to attacks on cyber-systems, including the recent clashes between India and Pakistan, between Israel and the Palestinians, between NATO and Serbia in Kosovo, and also the tensions between the United States and China after the collision between a Chinese fighter plane and an American surveillance plane. From these case studies we concluded that cyber attacks immediately follow physical attacks within the circumstances of these political conflicts. 
It is also the case that politically motivated cyber attacks are increasing in volume, sophistication, and coordination. For instance, after the collision between the Chinese fighter plane and the American surveillance plane, approximately 1,200 U.S. sites, including those belonging to the White House and other government agencies, were reportedly subject to distributed denial of service attacks or defaced with pro-Chinese images in just 1 week. And finally, cyber attackers are attracted to high-value targets. They have attacked the Web sites of financial institutions and also government communication infrastructures. As the next step in our analysis, we looked at general trends in cyber attacks, including those lacking any apparent political motivation. And there, as my colleague, Rich Pethia has talked about, it is clear that cyber attacks are growing in their destructiveness and in their sophistication. And attackers are increasingly taking advantage of the vulnerabilities that persist throughout our networks. In addition, the wide and rapid dissemination of automated scripts has made it possible even for the unsophisticated hacker to take advantage of these advanced techniques. And so in recent years, and again in recent weeks, we have seen a proliferation in destructive worms such as Code Red and Nimda. We've seen a proliferation of distributed denial of service techniques that can be used to carry out automated attacks on victim networks, and we've seen a growth in the sophistication of unauthorized intrusions which can allow an attacker to get into government networks or private sector networks for the purpose of absconding with sensitive information, with money, with credit cards, or carrying out a destructive attack on the network itself. So the question, then, is, during the war on terrorism, what types of groups or individuals might engage in cyber attacks against our information infrastructure? Well, clearly the terrorists themselves are a concern. 
While it is not clear whether Osama bin Laden's al Qaeda organization has developed cyber attack capabilities, it is clear that members of his network have utilized information technology to communicate securely, to raise funds, and to formulate their plans. For instance, Ramzi Yousef, who was the mastermind of the first attack on the World Trade Center in 1993, had details of future terrorist plots, including the planned bombing of 11 U.S. airliners in the Pacific, stored on encrypted files on his laptop computer. At the same time, the September 11 attacks themselves show that terrorists are not merely focused on causing deaths, but also on causing damage to our critical infrastructures, with all of the attendant financial consequences and economic consequences that has. Another group to be concerned about is targeted nation states. Several nations could be targets in our military retaliation for the September 11 attacks, including not only Afghanistan, but possibly some states that have been designated as supporters of terrorism. And among those U.S. designated states are countries such as Iraq and Libya, which are reported to have developed information warfare capabilities. So as we engage in this war on terrorism, we need to be cognizant of the risk of possible counterattacks on our information infrastructure by countries such as that. The most likely source of attack, though, are the sympathizers of terrorists around the world or those with general anti-U.S. or anti-ally sentiments. These are the people who have engaged in attacks before, whether it's Web site defacements or denial of service attacks. And they include people who could perceive the war on terrorism as an anti-Muslim crusade. And it also could include other people such as those who are against globalization and capitalism in general and have engaged in these sorts of attacks before. 
And the last category is thrillseekers who might just use this situation as an opportunity to gain bragging rights for breaking into systems while the world's media are focused on the problem. And the types of targets that these attackers could go after include not only Web sites, but also more high-value targets such as domain name servers, communication systems, routers, and critical infrastructures. There could also be the possibility of compound attacks on many of these infrastructures using many different techniques and possibly combined with physical attacks as well. Mr. Chairman, my prepared statement has a number of very specific recommendations that we offer for system administrators throughout the government and in the private sector to take to protect themselves against these sorts of attacks. And we believe that if those steps are taken, people can minimize the chance of being hit. But over the long term, the importance of research and development is great. And we can never really get ahead of the problem through patches and through updating our antivirus software, unless we can design systems, from the ground up, that are secure, and unless we make the Internet a safe place to engage in commerce and to communicate securely. Thank you, Mr. Chairman.
Mr. Horn. Thank you. That's a very helpful presentation and in the dialog there's a lot of things we can take advantage of.
[The prepared statement of Mr.
Vatis follows:] Mr. Horn. And I'm delighted now to have the presentation of the Honorable Ronald Dick, the Director of the National Infrastructure Protection Center for the Federal Bureau of Investigation. I want to say great thanks on behalf of the subcommittee that the FBI has been this early in the game--they have worked very closely with the committee. 
Thanks to their generosity, we've had a lot of individuals throughout the world that have been helpful with them bringing them here, and they can take advantage of those individuals and so can the subcommittee. So thank you very much for what you've been doing. STATEMENT OF RONALD DICK, DIRECTOR, NATIONAL INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION Mr. Dick. Thank you, Mr. Chairman. Particularly, thank you for the opportunity to discuss our government's important and continuing challenges with respect to information technology. As several of the panel members have said, in the face of the tragedies 2 weeks ago, I come before you today to relay a strong sense of optimism. We, the men and women of the NIPC and our thousands of partners throughout the country and the world, including my colleagues on this panel, have heard the call and I believe have stepped forward. While the terrorists were building their network, so too were we. For the past 3 years, while others were thinking of ways to defeat us, the NIPC was working tirelessly to build the broad partnerships we have today, to mobilize great talent, to break down the old ways of doing business, and to forge ahead with the united sense of government and private sector purpose. There is more work to be done. There always will be. But there should be no doubt about our progress, about our persistence, about our pledge to the American people. Acting as one, the Federal, State and local governments, the private sector and the international partners eagerly accept President Bush's challenge which was referred to as the ``challenge of our time.'' For the past 3 years, we have cultivated a number of initiatives, each focused on simultaneously developing the NIPC, the capacity to warn, to respond and to build partnerships. The NIPC built InfraGard into the largest government/private sector joint partnership for infrastructure protection in the world, with over 2,000 members nationwide. 
The NIPC Web site takes advantage of the Internet's long reach to provide significant cyber-alerts as well as the ability to report computer attacks and intrusions on line. The NIPC has built systems or has provided systems administrators and home users with roughly 100 warnings about cyber-threats and vulnerabilities. Just last week, we provided information systems security advice through our Web site, through InfraGard, and through our trusted partners to better protect the public from the Nimda worm. In fact, based on our prior responsiveness and coordination with the private sector concerning Code Red, we believe that the Nimda impact was significantly reduced. The NIPC's Watch Center operates around the clock and communicates daily with the Department of Defense. Major General Dave Bryan, Commander of the Joint Task Force for Computer Network Operations, recently remarked that the NIPC and JTF-CNO have established an outstanding working relationship. We have become interdependent, with each realizing that neither can totally achieve its mission without the other. And I couldn't agree more. The Center's ability to fulfill the expectations and needs of its Department of Defense components is achieved by the interagency nature of the NIPC, which includes the Center's Deputy Director, James Plehal, a two-star Navy Rear Admiral. This example of the Center staffing demonstrates our collective commitment to achieve meaningful ownership and coordination across the law enforcement, the intelligence, and military communities as well as other agencies. We are strongly partnered with FedCIRC, to enhance the security of our government technology systems and services. We team up regularly with the CIA and the NSA to work on matters of common interest. In fact, the head of our Analysis and Warning Section is a senior CIA officer and the head of the section's Analysis and Information Sharing unit is a senior manager from NSA. 
In total, the Center has full-time representatives from a dozen Federal and three foreign government agencies, led in number by the FBI and the Department of Defense. We're continuing to take advantage of the FBI's global presence through its legal attaches in 44 nations around the world. Our multiagency team works with information sharing and analysis centers throughout the country and provides threat briefings to the critical infrastructure sector, including financial services, electrical power, telecommunications, water, oil and gas, aviation and railroad. We are connected with 18,000 police departments and sheriffs' departments which bravely serve our Nation daily and in times of crisis. Our strong ties with the private sector, State and local first responders place us at the Center in the unique position to answer the President's call for homeland security. In this regard, we're also leveraging our key asset initiative by leading the creation of a comprehensive data base to identify the Nation's critical infrastructure components. Equally significant, the NIPC manages the computer intrusion investigations nationwide for the FBI, both on the criminal and national security side. Our integration with the FBI continues to provide the NIPC with access to law enforcement, intelligence, counterintelligence and open source information that for privacy and civil rights reasons is unavailable in its aggregate to any other Federal agency. The Center has been providing critical technical assistance to the PENTTBOM investigation in aid of what is certain to be a joint and long-term law enforcement intelligence and military response. During the past 2 weeks the center has provided detailed information--or provided detailed information used to brief the National Command Authority about how the terrorist cells of September 11 used technology to further their murderous acts. 
We developed an interagency coordination cell to deconflict investigations and provide relevant information on those agencies--or to those agencies that have not been able to provide full-time support to the center. At the moment, the interagency coordination cell has taken a leadership role in the ongoing PENTTBOM efforts. It is staffed with 43 individuals from 15 agencies and every entity that needs information to conduct its part of this most critical mission gets it. In short, the Center is coordinating its incident deterrence, prevention, warning and response mission with strong multiagency support. That, in brief, is a look at the NIPC. Our responsibilities, as you can see, are broad and we are rising to the challenge. We are united so that the benefits of technology flourish while the risks of the technology are reduced, provided resource issues identified in the GAO April 2001 report are resolved. We will continue to witness the ever better results. We are eager to take on this important work that surely lies ahead, and on behalf of the Center I would like to thank you for your continuing support in our efforts in this significant issue. Mr. Horn. Thank you. That's very helpful and we'll be working with you on the next phase of what we're going to be going to, which will be pretty much throughout the United States. [The prepared statement of Mr. Dick follows:] Mr. Horn. We now have Mark Seetin, who's the vice president, governmental affairs, New York Mercantile Exchange. STATEMENT OF MARK SEETIN, VICE PRESIDENT, GOVERNMENTAL AFFAIRS, NEW YORK MERCANTILE EXCHANGE Mr. Seetin. Thank you, Mr. Chairman. My name is Mark Seetin. I am vice president for government affairs for the New York Mercantile Exchange. I want to thank you and all the members of this subcommittee for inviting us here today to speak on this important issue. 
Before I begin, I would like to take just a brief moment to honor the memories of the 18 fallen comrades in our company and the thousands of innocent people who had their lives taken from them in that horrendous attack. For the most part, their only political act was being a husband, a wife, mother, father, friend. Their only crime was to show up for work. We---- Mr. Horn. Where was your location at the time? Mr. Seetin. Actually, it's up on the map. I can show you. Actually this is for context, basically. I want to give credit to USA Today. This is a graphic from there. Our location, you can see--I'm trying to get my pointer to work here. Four World Trade Center is right there. But you can see the two towers. That's the point where we were before, when the bomb attack in 1993--which I'm going to be addressing. In 1997, we moved into this new building on One North End Avenue, which is located right there on the bank of the Hudson River. Critically, you will notice that right next to us is the Merrill Lynch building, and beyond that is the American Express building. You've heard those buildings mentioned. The shielding effect that they provided during the horrendous collapse kept us from having great structural damage to our building. We didn't lose windows. We had a lot of debris. The other critical part that's going to be evolving in my testimony is right up there, 22 Courtland Street, which was the back-up center for our computer systems. That was basically taken out in the collapse as well, and that was our back-up system as I said. With that, as I go through, just to put this all in perspective, you can see this is about 16 acres in size. These are all very, very confined and small areas. Also note here from the standpoint of what had to happen right after that attack. Right after the first plane hit the North Tower, our building was evacuated immediately. Our people were moved out into this plaza. 
This is the World Financial Center, right here where my marker is right now. They were moved into this plaza, and because the roads were cut off, the only escape really was from the water. And for that, it was a little bit like a mini-Dunkirk; because boats, police boats, everybody who had a boat, was coming in and picking up people and evacuating them. And they were in the process of doing that. We still had thousands of people on that plaza when the second plane hit. It virtually flew over our people en route to crashing into building No. 2. So that kind of lays the background for the horror at the beginning of this. First, a little bit of explanation of who we are. We are a global energy marketplace. We're the world's largest energy futures exchange. We on a daily basis entertain the trading of 3 to 5 times world oil production, 5 to 7 times North American natural gas production. We are the window to the marketplace. The Exchange is a regulated entity, regulated by the Commodity Futures Trading Commission. Our job is to provide open, competitive, fair pricing for those vital energy commodities. We have been designated--in fact, one of the reasons we probably got so much assistance and, I will give great credit to those authorities that provided that, was because we were recognized as a critical asset, we're a little bit like if you lose the radio and television when a tornado is on the way, it doesn't do you much good not to hear about it because it's still going to happen. And that's why energy pricing is so critical. The September 11 attack hit the World Financial Center. We had debris raining down on us. Our building was within yards of that. We were the first exchange in New York to reopen for trading. In 1993, the attack was on a Friday. We were in No. 4 World Trade Center, right next to building No. 2, which is now a pile of ash and rubble. We were able to start trading the Monday following that. Again, we lost utilities. We lost power. 
The lessons we learned from that did help us in this, but from our standpoint, I must say the scope of this attack was unbelievably greater than the bomb of 1993. Through work and through cooperation and through innovation, we were able to launch our electronic trading system which normally operates at night. We have trading in our trading ring. The trading pits where you see the people yelling and screaming at each other occurs from 9 to 3 p.m. At 4 p.m., we switch to our electronic trading system, known as eACCESS, which trades throughout the night and goes until 9 o'clock the next morning. So we virtually have nearly a 24-hour trading day. The energy markets are global and our customers are around the world, so they demand that. Were we prepared for this? Frankly, I don't know anybody who could possibly be prepared for an attack of this scope. You know, there's no one who could tell me they had prepared for something like this. Yes, we tried to be prepared, given our experience in the 1993 bombing, and we knew that there were some critical things that you had to have. You had to have an emergency plan. You had to have a back-up facility. Well, because our computers had been located in 22 Courtland Street, which I showed you earlier, we had leasing on those. We thought, well, this would be an adequate back-up system. Obviously, our experience with the bomb was far more localized. Mr. Horn. How many floors were there at 22 Courtland Street? I'm looking at it and it sort of has two surrounding buildings. Mr. Seetin. I believe it's about 40 stories, if I'm not mistaken. Mr. Horn. Really? Mr. Seetin. Rough guess. I believe it's about 40 floors. And our systems were located in the 20th through the 25th on that building. The building itself structurally stands, but it's been so heavily damaged that it's basically unusable. Frankly, if we had to get in there, we probably could have. 
We could have rescued the hard drives which would have held the data had we lost them in our primary trading facility, or a back-up site that we had offsite in New Jersey. Fortunately, we didn't have to do that. One of the other things that we learned when we built our new building in 1997, was that we put back-up generators on the 16th floor for the eventuality of potentially losing power. In our business, of course, in information technology, as these gentlemen say, the loss of power for us is tragedy. I mean it is the end of the world from the trading standpoint, because you have to have that continuous flow. So we had generators installed. In fact, when we lost power, immediately after the building collapsed, our generators kicked in in spite of the fact that no human beings were around at that time. I was able, at that time, to communicate throughout the day with our e-mail systems. They were on the back-up system. Basic necessities. What do you have to have? Well, the first thing, the most valuable--and people fought over it in our crisis center--is this emergency contact list. You'll see it's dated as August 2001. Little did we know. We update it periodically. This list has all contact information for all of the board members; home, cell, everyplace they can be contacted. The same thing with critical staff, because we were dispersed. I mean, it was chaotic. People were just driven out of the building. We didn't know where anybody was. So we had to use this to begin. Within 3 hours after the attack, our chairman, Vincent Viola, began the first of a series of conference calls, emergency board meetings, because we had to figure out, first of all, how we were going to approach this. Obviously you have to do damage assessment and recovery. I mean, that's No. 1 right on the list, is how do we get back into business? Mr. Horn. I take it the line to your computers in New Jersey did hold up? Mr. Seetin. Some did, some did not. 
We had--actually, we have two services--oh, in New Jersey. Of course. Mr. Horn. Right. Mr. Seetin. That was not a problem. But I must say that the communications problem in New York was great, and it wasn't limited to that area. We eventually relocated to 50th Street and Madison Avenue as our crisis center. We set up telephone systems there to provide support for our traders. We also used our Web site as really the contact point for the staff and for everybody else to contact us. But, fortunately, when we were running our trading system from 2:30 to 6 on Friday night, we didn't have a problem. But by about 7:30 Friday night, something went wrong in the switching system. Again, a lot of this is related to the attack area that we lost incoming traffic on our phone systems. All of a sudden the phones went dead, and we were sitting there saying this is not right. We could call out. But when people would call into us, they would either get a busy signal or their call would die. So we had to get the Verizon folks in very quickly. We virtually changed our exchange numbers right then, which, you know, in the midst of a crisis, of course, what you're doing is exchanging information and telephone numbers with people to have to go back and replicate that and tell them now the number that they had before is--you know, is no longer useful. That takes an enormous amount of time that you really ought to be spending in getting to the things that you have to do. As I said earlier, our board decided, first of all, two stages of recovery. We did a quick assessment and we could migrate our computerized trading system, because we had offsite capabilities in New Jersey. We would migrate that to do an extraordinary daytime trading system, because in fact the energy markets, as you well know, within 2 hours after that attack, rose something in the order of $2 a barrel. Nobody was there. We weren't there to provide that window. It was critical. 
We really felt the pressure, and frankly we got pressure from the White House and everybody else to get back up. We didn't need that. We felt that ourselves. But in essence, we decided to convert to this daytime trading system. We had obstacles as we migrated. The telephones were one, because we were really managing it from a hotel, but the system itself was away offsite. The critical part was getting people back into our building. As you well know, that whole area was shut down. Nobody could get in there. The only way you could get in there was with a police escort. So we had to work very closely with the police and the Federal authorities to get our people in, first of all, to do the assessment as to what we needed. Really the critical computer functions in our building that we needed were for clearing, because we guarantee all of the trades. Those trades have to be processed after they're done. If you can't process them, it's a very, very difficult situation. So we used our Web site as a contact. We migrated to the electronic system. Simultaneous with that was our effort, really, to resume physical trading. For that, we had to go in and do an assessment both environmentally, structurally, fire, security, all of those issues; because sitting where we were, and obviously, from our experience before, we viewed ourselves as a potential target even in recovery. So the authorities were tremendous in providing us very, very intense and expansive security to allow our people into the building where we assessed what we needed. And then really the Herculean part of our effort began. Nobody was getting any sleep before, but we certainly didn't once we started the process of moving people in and out. We called, because some of the operations were done out of the White House, we had to call at 2 a.m. to arrange police boats to pick our people up at 7:30, because the only way to get into the building, again, was by water on the Hudson River. That's the only way. 
We were lucky in that we did have dock and pier facilities right adjacent to the building. We were able to do that. We got our people in and began the assessment of what we needed at that stage to begin physical trading. After that assessment, the board decided, again given just enormous pressure from around the world and our client base, that we would begin physical trading at 11 a.m. on Monday. Our normal starting time with our metals trading, the gold, silver and copper, starts at 8:30 traditionally. That was our regular starting time. Our energies begin in a staggered start about 9:35, and they start in 5-minute increments after that, the reason being the energy products are related. Price of crude oil is related to heating oil and to gasoline, so you can't start one without the other. They have a relationship. That compounds the problem that I'll talk about in future recovery plans. Our chairman, Vincent Viola, our president, Phil Collins, basically had backbones of steel, and didn't get any sleep. We had to do a lot of things ourselves. We quickly gathered--my role--I started down here quickly, I got on a train, got to the crisis center, and because the communication--again, we learned this--has to be centralized. Well, we were trying to coordinate a lot of the governmental contacts down here. When you're not in that frenetic activity, when you're not in that centralized place, one does not know a lot of the context of what's going on. So I had to be there because I had to know when these guys were having trouble with FEMA or these guys were having trouble with OEM--the OEM is the Office of Emergency Management, which is the State and city setup. Which, by the way, itself was a complicating factor. Remember, they were in the World Trade Center. The OEM was wiped out, the very same blast that kicked us out of our building. And their responsibility, of course, is to help people like us and all of the people that were affected. 
And I must say, Mayor Giuliani did something that I don't even believe. A lot of people said we don't believe you guys got up yourself and traded by Friday, within 2 days. The first day they had a number for us to call. They had people to contact. I had my contact, Bill Gross, who was the mayor's assistant. I could call him anytime, and I did. He will say that. I will tell you that, you know, any time of the day or night; the guy did not get any sleep. But they were there. And they migrated their number. They told us what the new number was. It went through without a slip. How they did that, you know--and actually the performance of the OEM was just remarkable. The State and the city were almost seamless, with just a few exceptions. Mr. Horn. That's the city emergency management group. Mr. Seetin. Yes, the city office. Mr. Horn. Was the State also involved? Mr. Seetin. The State was also involved. The State was very tightly linked with the city. I mean, in fact, we could do a lot of the same calls. The same people were talking to each other who were State authorities and city authorities. I will say the only complication we had, and I guess in retrospect, you know, you can smile about it a little bit, but we had a group of telephone technicians. Now, remember, we had two different systems in our building. We found out we had AT&T and Verizon, because we have tenants who are trading tenants who basically operate their own businesses, and they all had the Verizon system which had its own series of problems. So we were trying to get these people in Thursday night, Friday night, Saturday night--in to get the phone lines up and running. We had ours fairly well up by late Friday night inside of the building. But one of the problems I had--we got a call back from the AT&T people that said we got three trucks with technicians that are stuck at the checkpoint on Canal Street, because that's where the stop point was for basically everybody. That was where you were held up. 
And these people had police escorts with them. And this was the night that the National Guard had been dispatched, so you know, it was a situation where the National Guard troops, even though we had a police escort, were not letting us in there. So it took me 3 hours to get through to the Governor's office to get down through the guards. You know, this is the way things operate. Once that got through, you know, again, that operated smoothly. But those are some of the glitches when you have Federal, State, and military authorities coming in. It is critical that they communicate with each other, because, you know, those of us that are trying to get up and running, we have enough complications without having to try to go and get these guys to talk with each other. That was a very minor problem. And I don't want to overemphasize it, because in fact it worked. It worked out very well. I will never criticize any one of those people for what they did. So we were getting all the support that we could. Several hurdles that we had to overcome were, of course, if we began trading with our thousands of people, and we have up to 5,000 people in our building when we're up and running trading. There was no way for them to get to the building over land, by the surface. We are certainly not going to have NYPD bringing these guys in in police cars. It's not going to happen. So we had to find an alternative route. And while we were all doing this, another of our directors was tasked with the fact of working with the New York Waterways. New York Waterways did dedicate then, because we didn't really want to use the police boats. The police were great about ferrying us, but we also knew there were a lot of other people that needed this as well. So we met, got the ferry boat and we got authority then from the officials to basically use that to finalize it for Monday. We basically had a series of ferries that we leased, that we rented. 
And we put together about 14 sites where our people could gather on the dock, load onto the ferry, and they would be transported to our facility on Monday morning. That's one of the reasons why we had an 11 o'clock opening, because logistically it's a very, very tough task. We were doing all of this. Of course, at the same time, we had to get our building cleaned, according to--and fit for EPA inspection. Obviously the asbestos--you saw the dust. You saw the horrendous materials there. And I must tell you, my own experience down there, if hell has a smell, that was it. The most horrendous, acrid smell of burning and death and everything else on top of everything else that you have to do. We were struggling with that. The authorities were working very hard with us, because we had to have fire inspection, we had to have the building cleaned. We had to have structural engineers OK it. And we had to work with Con Edison as well because we were off. The electrical grid was down there, basically, and it was not such that they could flip a couple of switches and put us back on the system. The problem there was that the broader base to turn us on, to put us onto the grid, means that they would have a whole chunk of Tribeca, and it would be a tremendous drain on their resources given the fact that on the other side of the island the New York Stock Exchange was working just as hard as we were to get up and running and they were in just as much need. So we tried to work with Con Ed, and we needed back-ups to our back-up, because we were really now at the situation where our back-up generators were our sole source of power. So all of that going into play, we needed to have a certificate--in essence, a certificate of occupancy, a letter from the OEM Authorities, the city authorities, that our building was OK to occupy. We were going ahead with our plans. I finally got that letter at 4 o'clock Sunday afternoon. 
At that time then we really began to formalize the final plans for our opening. We locked in the ferries. We had already been on the Web site and we had an 800 number to call in our Web site, which really was the critical point of contact, the 800 number. And we---- Mr. Horn. Hopefully, we are going to have staff sit down with you and other people that have had similar situations and--because we just can't do all of the things this morning. But I think we want to get them. First of all, I am fascinated by the telephone situation where you couldn't get communications in the one direction but you could get it in the other. Mr. Seetin. Yes. And cell phones were another issue. Because there were certain relay stations taken out, there was a period when cell phone communication was very, very difficult. In a crisis like this, that is a very, very important thing, as you know. It seems like when you have a crisis like this everything happens at once. After an exhausting week, Saturday night we were feeling pretty good about it. I was up in my hotel room finally after about 2 hours of sleep for the last 4 days. At 11:30, the phone rang as I came out of the shower; and our chairman was yelling at me to get down there because, of all things, one of our back-up generators had sprung a leak in the fuel line and diesel fuel was spewing on the 16th floor of our building, the same building that we were trying to recover from. So I called Inspector Pat Bradley. Now this is the guy who is in charge of all of the police in lower Manhattan, another guy who has had less sleep than any of us. He darn near had an accident while I was talking to him, but within 20 minutes he had a police car to our building. Our chairman went down with two technicians to begin the rehab process; at the same time called the White House, who relayed to Con Edison the essential need to get back-up generators. Before dawn we had one back-up generator onsite. 
And these are not the little kind that you have in the back of your car. These are huge. They are semi-size units. And the Con Ed people had to basically--it is not a plug-and-play system, either. They had to cut the system apart and actually weld the interface in, and they did that. By the end of the day, we had another back-up system; and Con Ed has been tremendous with that. The difficulty is, of course, the refueling. Because we went from our system where our back-up generators were refueled every 4 days to 12-hour increments. Anyway, to cut to the chase, basically we are up and running. We have back-ups to our back-ups. By next Monday we will have a fully redundant back-up of our computerized trade system, and it will be some distance away. It will not be located in the New York City area, and we will be able to basically flip a switch for a seamless move-in there. God forbid the power loss is that large. If the power loss is as large as takes that out, then we are all in trouble. So I think I am going to try to summarize. I know that there are many people here that have things to say. The critical thing we learned, first of all, is that communication is tantamount. The first thing you need in your crisis plan are the names, numbers, and ability to get together in the same site, because you all have to be there. You all have to be there to implement, because things are chaotic. There is no order to the system. I mean, we were up and running on Friday, and it sounds like a miracle. But it is a little bit like the old saying about laws and sausages. Those interested in laws and sausage should not witness the making of either. We got the sausage of our electronic trading system on Friday, but it wasn't a clean operation. But we were there. We all had to work together. And the Federal and State authorities, the police, the firemen--I can't say enough. We needed it, and they were there. And I see Mrs. Maloney there, too. Mr. Horn. Yes. 
She is going to ask you a question, and then we will go to Mr. Miller because she has to leave.

Mr. Seetin. I just want to close and say one thing that she did that was so critical. On Monday morning, after all of this, we are about to open at 11, and I bothered Carolyn's poor husband--poor guy was in bed. She was out working already. And Carolyn called me back and said, you know, do you guys have--are you all set with grief counselors? And I said, well, you know, I could use one myself. But, you know, I really wasn't aware of that. And I said, well, you know, I will have to talk to you about that later. As soon as I got to the building--I got into the building at about 5:30 on Monday morning. Our H.R. person comes to me and says, we can't get any grief counselors. There is nobody available. I called Carolyn. In 2 hours we had four grief counselors onsite. And, you know, that is the type of cooperation that we got, for which we will be eternally grateful.

[The prepared statement of Mr. Seetin follows:]

Mr. Horn. Well, she always gets things done right, early and often.

Mrs. Maloney. Thank you, Mr. Chairman; and, as a point of personal privilege, I welcome all of the panelists today, but particularly Mark Seetin. He is a constituent and a friend as vice president of government affairs for the New York Mercantile Exchange. We have worked together closely over the years. We are all very proud of the Exchange. It is an important exchange to our city, to our country. I was personally there, Mr. Chairman, at the miracle, at the reopening of the New York Mercantile Exchange along with the Governor, the mayor and many other New Yorkers; and I believe that the reopening of the Exchange was symbolic of the efforts up and down Wall Street and throughout our city and our country.
At the NYMEX, the staff and senior executives worked around the clock to reopen. They overcame terrible logistical problems, interruptions in power supplies, and the grieving that is natural when so many of our industry colleagues perished in the World Trade Center. The Exchange lost 18 of their employees and many, many probably hundreds, thousands of their friends in this horrible accident. It was impossible to get at the Exchange over the land. It was roped off. The recovery was taking place. The fire, the police were all there. And the Exchange literally, probably to this day, brought in their employees by boat. Are you still using the boats to bring them in?

Mr. Seetin. Yes, we still have to use the boats.

Mrs. Maloney. I think that shows the tremendous spirit of American free enterprise, of overcoming many, many obstacles to get open, to get back to work. And even with their great grief and their great loss, opening up the Exchange, going back. I still don't understand how they do it, all of that screaming and yelling, but you are out there making these exchanges, making these trades and really investing in the American economy.

I just want to say briefly, very briefly, in this crime against humanity, I am so shaken I can hardly believe it. I think all of us are, who have been to ground zero, who have seen it, who have met the families, who know the tremendous personal loss in so, so many areas. But to see the spirit come back. The terrorists wanted our markets to fail. Our markets succeeded. And they wanted our planes down. Our planes are flying. It is a symbol of our American spirit. And it is really a way that we can be patriots, to invest in the market. It is something that we can control as individuals, our own faith in our own economy. Mr. Seetin and his whole team at the New York Mercantile Exchange are part of that success story that we are doing right now, building back America even more strong and determined.
Believe me, I have never seen Congress so determined in my entire life or so united; and we will be there on Monday, touring--many members are coming on Monday to tour ground zero, and we will see if we can stop by and meet with you and your many devoted employees who are working as we speak to keep our economy strong. Thank you for your testimony, all of your hard work; and my condolences on the great loss of many of your friends and colleagues.

Mr. Seetin. Thank you very much, Congresswoman. We very much appreciate your help and all of the members of the New York delegation who were so helpful to us.

Mrs. Maloney. Just so you understand, Mr. Seetin and others, we are in a hearing on the insurance industry in Financial Services. It is the first one on how they are paying the claims, reacting to the crisis of the individuals; and I need to get back to that. But I thank you for your testimony, all of you.

Mr. Seetin. I should be there, too.

Mr. Horn. Well, we thank Mrs. Maloney, the ranking member here over the years. She is very eloquent, and she speaks for the Congress.

Mrs. Maloney. Thank you, Mr. Horn. I have enjoyed working with you so many times. I regret that you have made a decision to retire after this term. I think it is a great loss to Congress, to the constituents you represent. I hope you will reconsider.

Mr. Horn. Well, we will be busy, Carolyn, for the rest of this year and all of next year. I really appreciate it. Some of the things you have said, as I say, I want the staff to go up to New York and talk to some of the similar types of situations. Because that does worry me on that telephone situation, and we have got to figure out a way to do it.
A number of us sent a letter to Chairman Powell of the FCC, and we have asked, on a 911 situation, where you can have an extended system in some way or an isolated--has various ways to do it, either on an underground or overground--because--we need to have these options coming up in the satellite or whatever.

Mr. Seetin. Those are very important. One other thing--and I must say it is very important and was mentioned here--about the scope of the attack and whether computer systems are being scanned. I must say that we had that experience as we were beta-testing to get up and running. I think that anybody who is in this business, in information technology, needs to be aware that there are lots of bad people out there, and whether or not they are coordinated really doesn't matter. Because things like that are going on. We experienced it as we were trying to recover.

Mr. Horn. Well, thank you very much. We now go to the last presenter. Harris Miller is president of the Information Technology Association of America. He has been a long-time witness with this subcommittee, and we are very grateful to him. He has a professional, wonderful group; and he can reach out throughout America to give us witnesses and everything else. So, Mr. Miller, thanks for all you have done. We now get to you.

STATEMENT OF HARRIS MILLER, PRESIDENT, INFORMATION TECHNOLOGY ASSOCIATION OF AMERICA

Mr. Miller. Well, thank you, Chairman Horn. I fear what I have to say following Mr. Seetin's very dramatic form of testifying may seem somewhat banal, but I still will proceed; and I also want to echo Congresswoman Maloney's comments about our regrets about your decision to leave Congress at the end of your term. You have been a great friend to the IT community and a great overseer on issues like Y2K and information security. But, knowing you as I do, I know you will work right up through January 3, 2003, to the end of your term on all of these issues.
So I am sure we will be seeing a lot more of each other.

In terms of the issues today, I would like to focus on the importance of IT generally to what happened on September 11th and subsequent events. I would like to offer insights regarding both disaster recovery and critical infrastructure protection. The United States has made a huge investment in information technology in dollars, intellectual capital and in public confidence. Even before the fearful dust cloud settled over lower Manhattan, the Pentagon, and the field in southwestern Pennsylvania, our national investment began to pay off. That is my main message to you this morning. Allow me to reiterate it. The Nation's IT investment paid off.

In the midst of disaster, the IT industry, a complex web of people, technology, products and services, responded brilliantly. The IT industry and the customers it supports absorbed the blow and came back strong. Voice, data and video communications have been critically important in helping us to understand the scope of the disaster, directing relief efforts and locating missing people. The Internet provided literally millions of people with an alternative route around clogged or destroyed New York circuits, providing a frantic public with critical services for finding loved ones, services like e-mail, instant messaging, and voice-over-the-Internet phone calls. According to a public opinion poll conducted by Harris Interactive just after the World Trade Center bombing, 64 percent of people on-line used the Internet as a source of information. As a political scientist, Mr. Chairman, you understand how important communications are to maintaining the fabric of society; and clearly the Internet helped to strengthen the fabric of the American community during some of the most critical hours in our Nation's history.
While the recovery operations at ground zero and the Pentagon made us all proud, a less visible but very important series of activities has taken place to sustain the operational integrity of businesses damaged in the attacks. Many well-managed companies built themselves up a safety net by contacting disaster recovery firms for data back-up and remote operations support. In fact, business continuity planning may be the bright line between companies that emerge from disasters with a future and those that do that. A business continuity plan identifies the mission-critical processes and applications of the company as well as its interdependencies, both inside and outside of the enterprise, necessary to support such functions. As you know quite well, Mr. Chairman, from your work under Y2K, much of the contingency planning that prepared organizations to face Y2K apparently helped them to survive this latest disaster.

The IT industry has also demonstrated its heart in the aftermath of these horrendous attacks. For instance, several leading companies responded to the attacks by creating www.libertyunites.com, a Web site committed to providing convenient access to philanthropic organizations helping America recover from this tragedy. Libertyunite.com, which President Bush mentioned in his eloquent address to the Nation last week, has collected well over $80 million in public contributions to date to help the victims and to help in the recovery process. This is just one example of the creativity and generosity of IT companies and the utility of the Internet in aggregating support and building community, an example of the on-line community at its best.

But, going forward, we dare not let down our guard to terrorism ever again. So what do we do? Well, homeland defense is a phrase which we are just beginning to understand. Many people are unsure about what it means and how they can participate. To focus just on the cyberaspects, I would like to suggest an immediate action.
We need to safeguard U.S. computer assets by adopting much more widely sound information security practices. We have heard from Mr. Willemssen the shortcomings that continue to exist in the government systems. And, unfortunately, we know the private sector also has its own shortcomings. Practicing information security as part of homeland defense will pay massive dividends in the future. In my written statement I have identified a series of information security steps for home users, small businesses and larger firms.

I would also like to talk for a minute about a silver lining part of the Nimda worm that you heard about earlier from the other witnesses. While we are far from a perfect system, I would like to report to the subcommittee that both under the Code Red and under the Nimda there was a massive coming together of government, not-for-profit organizations and for-profit companies to try to deal with the attack. I particularly want to pay tribute to National Security Council official Marjorie Gilbert, who pulled together massive numbers of people on interminable, it seems, conference calls last week involving all of the organizations of the government, the NIPC, Defense Department, the Central Intelligence Agency, the Energy Department, organizations like Mr. Pethia's organization, CERT, many of the leading anti-virus companies, many of my member companies, other industries, the IT ISAC, the financial services ISAC, and a massive undertaking to understand and deal with it. Was it a perfect system? No. But, for the first time, I think we are finally seeing what true government private sector cooperation means. We learned some lessons last week, and Ms. Gilbert and the other people working on that are now coming up with better systems to be able to respond even more effectively under the next attacks. Because Mr. Vatis is certainly correct. We have not seen the last of these attacks, and being able to prepare is right. But I think, Mr.
Chairman, you should be proud that we are moving forward. I would be glad to brief your staff at some point on my impressions of how we saw some major progress the last few weeks, and I think we are going to see even more progress going forward.

Let me talk about a couple of things that I hope will not happen in response to the attacks we have seen. There has been some discussion about rolling back the policy on encryption. I think that would be a mistake, and I hope that we will not do it. I also believe we must move ahead quickly with the efforts that are already under way to better coordinate within the government. As you know, Mr. Chairman, under the leadership of Dr. Rice, the National Security Council has been developing a revised Executive order to better coordinate cybersecurity within the government. The exact status of that is unclear with the announcement of Governor Ridge's appointment. But, whatever happens, we need to move forward with that coordination in a very rapid fashion.

We also must stay the course on our technology agenda. For example, we need to continue to focus on the issue of broadband. Telecommunications and broadband service were very important during the actual response to this crisis. They will become even more important moving forward.

Finally, Mr. Chairman, I want to object in the strongest possible terms to some allegations made in a Washington Post op-ed piece by John Podesta, the former Clinton White House chief of staff, last week where he said that the IT community does not understand the importance of societal safety and security. As one who worked personally with President Clinton and Attorney General Reno and others under the Clinton administration, I know that is not true. The IT community focuses very clearly on safety and security. I worked very closely with Mr. Vatis, for example, when he headed the NIPC.
If anything, the relationship between the IT community and the government has even strengthened during this crisis that we face, first with the Code Red virus and, of course, the horrible physical attacks that occurred on the World Trade Center and the Pentagon and southwestern Pennsylvania. So I say that close collaboration is under way. We are doing it much more every day. The IT community stands ready to work closely with our law enforcement community, our national security community to not only try to head off any kind of cyber attacks, to help deal with physical threats, but also, when these attacks occur, to make sure that the perpetrators are tracked down.

On September 11th, we all learned an important lesson about the capacity of terrorists to practice evil. In the aftermath we learned an important lesson about this Nation's incredible ability to pull together in the face of adversity. For those listening closely enough during this truly terrible time, another lesson still, the IT industry works. Thank you very much, Mr. Chairman.

Mr. Horn. Thank you for that very fine overlook.

[The prepared statement of Mr. Miller follows:]

Mr. Horn. I wanted to start in on just a couple of items, and then we will get to a dialog. Mr. Willemssen, being the very thorough type that he is, he has a long series here of some of these groups that have acted; and I just want to clarify one thing. On page 4 you say, the Russian Hacker Association offered over the Internet an e-mail bombing system that would destroy a person's Web enemy for a fee, and that the source is the United Kingdom Ministry of Defense Joint Security Coordination Center.
I just wonder is there any relation to the Russian Government, or is this just some group of people with Halloween night or something?

Mr. Willemssen. I believe it is the latter, Mr. Chairman. But to be precise on the answer to that question, I would prefer to answer it for the record. If I could follow up on that and get you the specific answer, I will do that.

Mr. Horn. Good. I appreciate that. At this point in the record, without objection.

[The information referred to follows:]

Mr. Willemssen. Also, Mr. Chairman, in following up on that, I believe there was an NIPC report on that particular incident that we will be able to identify and get back to you on.

Mr. Horn. Yes. Because that is serious business. If it is with the Russian Government, we need to confront them on that in a quiet way and get this--see what they are doing on it.

I want to next go to Presidential Directive 63. What I am interested in is, when that was developed, was GAO asked on it? Was the CERT group asked to take a look at that? And did the FBI have an opportunity to look at that and--as a matter of just getting the best you can in a Presidential directive. So how did that work? Did anybody get with the White House, say, hey, you guys know a lot of this, what do you think?

Mr. Dick. From my standpoint, PDD63 was already in existence before I became a part of the Center. However, my esteemed colleague here, Mr. Vatis, who I worked for for a period of time, I think was part of the commission that was in the development of that. So I am going to defer to him.

Mr. Horn. Mr. Vatis.

Mr. Vatis. The history of PDD63 was that it stemmed from a Presidential commission composed of both government representatives as well as representatives from the private sector who issued a report in 1997, I believe, looking at the vulnerabilities of the Nation's critical infrastructures to both physical and cyber attacks.
PDD63 then was pulled together by an interagency working group led by the National Security Council. So there were representatives from the Department of Justice, from the FBI, from the Department of Defense, all of the intelligence community, as well as all of the other civilian Federal agencies involved. There was not a great deal of private sector involvement in the development of that Presidential directive. There was private sector development, though, in the follow-up development of a national plan for information system protection.

Mr. Horn. Well, as you look at it now, going back about 5 years or so, does that need expansion, and were things not put in there that should have been put in there?

Mr. Vatis. Mr. Chairman, my personal view on the PDD was that it actually did set forth a good structure--not the be-all and end-all structure, but certainly an excellent start. My principal problem with the PDD, though, was the lack of enforcement of its terms about various agencies' responsibilities and the lack of resources to support the various responsibilities that were created. The NIPC is a perfect example of an entity that was given massive responsibilities and only a drop in the bucket of the resources that were required to do the job. I can say that more freely now that I am no longer in the government. But I don't suspect anybody would disagree with me. And that is only an example. Many agencies that were given responsibilities under that directive considered those responsibilities to be basically unfunded mandates, because they were not given new resources to perform those new responsibilities. And that is a continuing problem. You can have the greatest plan in the world, but if the resources aren't allocated to perform the responsibilities under that plan, nothing much will get done.

Mr. Horn. To whom should that budget allocation go?

Mr. Vatis. Do you mean, sir, who is responsible for making these allocations?

Mr. Horn. Right.
You are saying it is a mandate, and usually over the years we have worried about that. If, say, it is a mandate to the State or a mandate to the cities or whatever, through HUD--so where do you think we are missing the----

Mr. Vatis. I think it has to start with the executive branch, and the President's budget submission each year I think needs to have resources allocated to meet all of the directives that have been given to the various government agencies. Then Congress can, in turn, examine those proposals and respond accordingly with appropriations. But it must start, I believe, with the President's budget submission.

Mr. Pethia. The CERT coordination center also worked closely with the Presidential commission prior to PDD63 and also afterwards with the implementation plan. The other thing I would like to mention is that in the original work of the commission and hinted at in the PDD63 was the call for increased research in the area of information assurance. The problem that we are struggling with today are real struggles. I personally think we are getting farther behind than we are ahead. But I think that we are going to have even bigger problems in the future. So as we put immediate near-term solutions in place, we also have to look down the road 8 to 10 years to begin to think about the kinds of threats that we will see then, and the research community and the technology community is going to struggle to meet these needs without an expanded research agenda.

Mr. Horn. Well, is that because, Mr. Vatis, I believe, said on the software, and others have said the same thing, if you are thinking 10, 15 years out when you have got--almost every day something new comes in Silicon Valley, all over the country, and how do we deal with that then? Do we have a constant team that looks at this and says, hey, this can also be mischief. So how would you go about it?

Mr. Pethia.
Today an awful lot of what we do with recognizing attacks and dealing with them are done by people, people who are watching the systems. I believe we can work toward new generations of technology that are much more aware of what is going on, whether or not they are being attacked; and we need the engineering framework that will support the construction of these kinds of systems. Today, information assurance is very much an ad hoc art, and we need to turn it into an engineering discipline like civil engineering. So that is an area that I propose where we can build the basic frameworks and mechanisms and methods that will allow us to build systems that will adapt over time to meet the new threats.

Mr. Dick. A couple of quick comments. The main mission of the Center or the impact of the Center is to reduce threats to our critical infrastructures. The goal is to detect and deter and prevent those attacks before they occur. One of the things that was highlighted, and rightly so, in the GAO report was our need to improve our strategic analysis. And one of the things that we are doing through Mr. Vatis and Dartmouth is a project to kind of look over the horizon and what the technologies will be in the future, to identify those kind of vulnerabilities associated with that so that we can better prepare the critical infrastructures from a technology standpoint as to what those vulnerabilities are and what the appropriate response mechanism should be. So it's a multi-faceted approach, insofar as information assurance is concerned, from the ability to detect, assist, and warn of those vulnerabilities. It is a huge effort that is going to be built upon a partnership between the private sector, academia and the government; and I think we are building that trust up, which 3, 4 years ago was in its infancy, but I think it is growing. And Harris is right. We have come a long way from where we were in the ability to communicate with each other.

Mr. Miller.
I would just like to add that--the sort of the third leg of the stool, to confirm what Mr. Pethia was saying about the need for more research money. The fact of the matter is, Mr. Chairman, that in most corporations which do spend tons of money on research--but, really, it is mostly short-term development and short-term. What we really need is a long-term--frankly, it is going to have to be a government-funded research agenda. Following the distributed denial of service attacks in February 2000, the Clinton administration proposed a $50 million supplemental appropriation to create a new research and development center. Because it was an election year and all kinds of other reasons, that proposal never got very far, though. I do believe that Mr. Vatis' center has gotten a small amount of funding for kind of a micro version of this. But I know the IT community feels very strongly and certainly echoes what Mr. Dick said and Mr. Pethia has said, that there needs to be government-funded research focused on long-term information security challenges. And also the subsidiary benefit of that, as you and I have discussed before, Mr. Chairman, that also helps another problem which Mr. Pethia outlined, which is it provides more funding for graduate student assistance and research, which gets more computer scientists trained as information security specialists, which is another challenge that we have. So I think that this R&D topic is very, very important going forward. It doesn't help us today or tomorrow, but in the long-term it helps to protect our IT infrastructure.

Mr. Horn. Well, we certainly have a number of people here that are already working on that, Mr. Dick and the FBI. Are you thinking of a section in NIPCs which I think there is a section on the patent operation and so forth in the Department of Commerce. What role would you see for them?

Mr. Miller. We think that NIPCs plays an important role. Following the proposal, Mr.
Chairman, made by the Clinton administration, there were a series of meetings chaired by then director of the Office of Science and Technology Policy, Dr. Lane, and Dick Clark, from the National Security Council, where you brought industry and government and academia together to discuss the best structure of this. And, no, no final conclusion came out of it. There was a sense that it should not be totally centered within NIST, that would be a mistake. Now, NIST needs to be a part of this. But you need to have a role so that industry and academia also have leadership. Because if it simply becomes another government grant program where government officials sit there and respond one on one to specific research requests coming from the universities or other not-for-profit organizations, it won't really meet its mission.

We felt from the industry standpoint that, for example, a structure that we could have a director of this operation from NIST, but the deputy director would come from industry, for example. So you would have a tremendous amount of industry input to make sure that the government-funded dollars didn't go to duplicative research that was already done being done by the corporate sector. The challenge, Mr. Chairman, is--as you can appreciate is industry wants to make sure that research being done with these government taxpayer dollars is simply not duplicating what has already been done in the labs of IBM or Microsoft or Network Associates or all these companies that specialize in these areas. That is the challenge that we face. But we do believe that it can be overcome, and we believe that we can resurrect the conversations that took place in 2000 and move quickly if Congress decides to fund such a larger center at a larger scale which we believe is necessary.

Mr. Horn. Certainly Mr. Pethia's group, the Software Engineering Institute at Carnegie Mellon, they certainly have a long track record on this; and we certainly depended on them.
I think that is where the thought came about the software. Would you like to elaborate on that, how we can build into the software so that some of these worms and all of the rest can't get in there? And why isn't Silicon Valley doing some of that? Because they would make billions of dollars if they could be assured that a complex hardware and all--so I just wonder what you see on the horizon right now?

Mr. Pethia. A couple of points I would like to make. One of them is, the roots of much of the technology that we have today didn't come from the Internet, per se. The Internet infrastructure itself was originally a Dartmouth-funded research project. It was installed as a demonstration of how to build large-scale, robust and reliable networks that would withstand attacks, and I think the Internet infrastructure has done that. Over time, we began to use it for different purposes for which it wasn't designed. At the same time, one of the major early operating systems on the Internet was the UNIX operating system, which again came from a university research environment. It was developed primarily to allow software practitioners ease of development of software, not necessarily ease of use or secure use. Much of what we have on our desktop computers today really came from the personal computer world of years ago where personal computers were intended to be just that, personal, not connected to anything else and therefore not subject to attack from the outside. What we have done is we have taken these older technologies and we have networked them together into something that now doesn't have the security characteristics that we need. But since we have this huge installed base we now have all of this legacy software that we have to deal with, so we can't change it quickly.
However, we do know from our software engineering work that there are techniques that can build systems that are much more robust, much more secure, and have many fewer errors than what we typically see today. And there I think it is a matter of recognizing that we won't get there quickly. We have got to give industry time to make the transition from one to another but also help the industry understand that there is a common belief in industry that many of these techniques require extra cost, slow downtime to market and hamper features. That is not the case. We have plenty of data now to demonstrate that. But it is a learning curve for industry to recognize that they can't put new practices and processes in place without having the negative side effects that they necessarily might think that they would have. There will be an initial upfront cost as organizations go through this learning curve and change the way that they engineer their systems. There will be for the short-term--very short-term--a slowdown in productivity and a lengthening of development process. But as they become more proficient using these new techniques, in fact, they get benefits in terms of being able to produce software more cost effectively and actually improve their delivery schedules.

Mr. Horn. Under the current legislation, the Office of Management and Budget is really responsible for overseeing computer security in the Federal Government. They have put various types of surveys out. We haven't seen them yet. But I think we have found in this hearing that there is a lot of--numerous deficiencies that government computer networks ought to be working on. I think in the last week or so, where we have the Office of Homeland Security headed by Governor Ridge of Pennsylvania--and I certainly remember when we were on the Y2K bit that Governor Ridge was the Governor in the country that was doing the most on Y2K within the Commonwealth of Pennsylvania.
What do you think about having the Office of Homeland Security have this responsibility within the executive branch? And if not that-- because the problem with OMB, they have got too much to do, and this isn't going to be done unless somebody has it done. This certainly relates to Governor Ridge, for whom I have a high respect. And I think if you were in the Chamber, as were all Members of Congress, when the President made that announcement, it was absolute thunder in the 400 or so of us that were there that night. If not, what other things do you see that we ought to have that will pull these things together and not have to have a congressional committee sort of goad it, which is what we did from 1996 to 2000 as most of you know, and eventually the President did something about it. But, we need that on a constant, steady, sensible basis. Mr. Miller. Mr. Chairman, I continue to advocate very strongly the creation of a position of information security czar within the government. You and I have discussed this at previous hearings at which you have allowed me to testify. Whether Governor Ridge wants to take on the responsibility obviously is his decision. But I agree with you there are some excellent people at OMB. But they simply have too many other things on their plate right now. I think that having one person in charge who plays the same role as Mr. Koskinen played so brilliantly during Y2K, not with a big budget, not have a big staff, but having the ear of the President and the Vice President, therefore being able to be a very persuasive person for government officials is absolutely essential if we are going to make the progress. That along with the other issue that Mr. Vatis addressed, which is a sufficient budget resource for the agencies and departments, again, not to buildup a big bureaucracy for this czar but to make sure that the individual CIOs and other people have a budget. Without those two elements, Mr. 
Willemssen is going to be back here giving you the same report year after year after year. Mr. Horn. Well, it is always a pleasure. Speaking of that, you are going to check that Russian hacker thing. Mr. Willemssen. Yes, sir. Mr. Horn. Mr. Dick, will you check that, too? OK, I have wound that up now. So we are going to get back to a few things just for the record. Now why haven't some Federal agencies even succeeded in identifying their most critical systems--under that Presidential Directive 63--which required that they do it by December 2000, and they haven't really done it. So do you have any feelings on that, Mr. Willemssen? Mr. Willemssen. Well, I think it is instructive to go back to an issue that you raised previously and also Mr. Miller raised, and that is going back to Y2K. We know that when agencies started in earnest on that particular effort they also did not have a good handle on their computing infrastructure, that over time they did gain a much better understanding of what they had and how it contributed to their various lines of business. One of the issues that you and I have chatted about shortly after Y2K was over was the concern that the momentum would be lost that had been started by this--much better management of IT in Federal agencies overall, better understanding of what they had and how it contributed to their missions. That is what will be very useful to see the upcoming agency reports that will be submitted on information security, to see if indeed that momentum was lost and some agencies are now having to go back and do reassessments that they already had in place but they didn't continually update. So there is a potential for almost a reinventing the wheel syndrome, which, if that is the case, that would be very unfortunate that we lost that sense of urgency and didn't continue down that path of improved IT management. Mr. Horn. 
Well, in the next few months we will know whether we are getting the kind of information we need to go through this or not. Maybe they are just playing the same games that the previous administration did, but I would like to think that they have a chance to just say, hey, it wasn't our situation. But, here, we just got everybody moving on this, and I haven't seen that at this point. Mr. Pethia, as a person with extensive knowledge of Federal operations, what actions do you think are the most important to improve the computer security at Federal agencies? Mr. Pethia. I think what you mentioned earlier--the need for the agencies to identify their critical assets, their critical information assets, and then to put in place within each agency---- Mr. Horn. Is that really an inventory idea? Mr. Pethia. It is an inventory idea, but it is not a simple inventory. We have had a lot of experience in helping agencies, also helping organizations in the private sector do exactly this. And what we discover in both cases is that, very often, since information infrastructures and functions sort of buildup over time, if you look inside any organization there is no focal point anymore, no one any longer remembers what all of these pieces are and how they interconnect. So there is an analysis process that you have to go through to understand, first of all, the mission of the organization, the critical functions it provides, and then map that onto the information infrastructure. So it is not just looking at the hardware, it is looking at the functions of the organization. I think that is the start, to identify where the critical needs are and, based on that, to be able to form a protection strategy that focuses on meeting those critical assets. What we saw too often is people trying to let me say peanut butter information security technology across their entire infrastructure. 
By doing that, they very often miss the critical components and also end up in some cases spending much more money than they need to because they are protecting things that are, in fact, not that critical. Mr. Dick. Mr. Chairman, there is one thing that I would like to comment on. It was mentioned by Harris and Mr. Willemssen both. One of the things that we can do now--it is going to take time for research and development to modify the software and tools that are out there now. But something that we can do now that both of them mentioned was putting in place policies and procedures that actually implement a practice of information security. Many of the--we work very closely within the NIPC with CERT and SANDS and ITAA and the private sector to identify the, if you will, the top 10 common vulnerabilities that are out there and for which there are patches for to repair the systems. What we have determined is that a high number of the intrusions and problems that we have experienced could have been eliminated if systems administrators in the industry had just downloaded the patch and repaired their systems. I mean, probably 80 percent of the issues that I see in the NIPC wouldn't be issues because the vulnerability wouldn't continue to exist. For example, I think one of the reasons that the Nimda issue was minimized as quickly as it was is that we had gone through Code Red, we went to a high visibility on explaining what the vulnerability was, because in both of those issues the patch was available prior to the spread of the worm. It was just a matter of systems administrators didn't repair these systems. But it is even more of a problem today, because not only do you have to, with the advent of Internet connections and DSL connections, we have to get--reach the home user to implement these kind of patches, too. But I think if we could develop and teach people good information security, good information assurance practices we could see some substantial results. Mr. 
Horn. Let me ask all of you, how vulnerable is the Internet itself to terrorist attacks and what would it take to bring it down and what would it take to not bring it down? Mr. Vatis. If I could address that just briefly. The analysis that we did over this past weekend of the possibility of attacks by terrorists, their sympathizers, state sponsors of terrorism or others shows that the possibility is there to take down significant portions of the Internet and the critical infrastructures that rely on the Internet. Many of the vulnerabilities are ones that have been there for a long time. But things like routers and domain name servers and the like, which are critical to the functioning of the Internet and the communications across it, are vulnerable attacks that can have wide-scale consequences. The problem is, as Mr. Dick alluded to, that a lot of these problems are well known, yet they are not being addressed because of a lack of resources or lack of prioritization from the top. We can have system administrators in a company, in a government agency, who are very well-intentioned, doing the best that they can, but if the CEO or if the secretary of an agency doesn't really care about security, then the system administrator is not going to get the resources and the attention that it needs to really implement a program, policies, procedures, technology and people to get the job done. So all of those things are critical. But the bottom line answer to your question is, we are extremely vulnerable and will continue to be until these sorts of problems are addressed in a systematic way. Mr. Pethia. Building on what Mr. Vatis says, I think the good piece of the news is that much of the Internet is very resilient and very robust and able to recover from attack. But there are those few key points like the domain name servers that don't have enough redundancy, don't have enough ability to quickly recover from attacks that are successful. 
I think if we focused in on those key points we could make a great deal of progress in a short period of time. Mr. Horn. As I remember, a few years ago, Mr. Willemssen, I had asked the General Accounting Office to take a look at the aging of both hardware and the software in the executive branch. I don't know how much we ever got of that or whether OMB took it over. But if you are coming up to a congressional group, we ought to have some good facts that we could say this is why you should invest in this infrastructure. I know you have wonderful studies over there, and I look at all of them, and I don't know if that one sort of just went to GSA or whoever. But, we need to sort of get a partial analysis maybe and/or take a couple of agencies that we really look and see what is there and what isn't there. Mr. Willemssen. Well, we recently briefed your staff on the results of that, the information that we were able to acquire from a variety of sources, including OMB. Of course, the state of computing and data centers has dramatically changed through the 1990's as you are less able to get strictly at computing capacity because of the advent of connectivity and networking. So it is not always the best measure of computer capacity. Among the things that we looked at in that particular study relating to information security, I think that it is fairly instructive and connects to some of the points made by the other panelists. The data that agencies are reporting on the extent of expenditures on information security varies dramatically across the Federal Government. Several agencies stated they are spending a good percentage, 15, 20, 25 percent of their IT funding on security; other agencies reporting they are spending very little. 
That kind of data I think is very useful in understanding, at least based on what agencies are reporting, what kind of priority they are placing on information security and what that means in terms of how they are addressing the risks and threats that they face. Mr. Horn. Mr. Dick, why it is so difficult to apprehend these perpetrators of viruses like Code Reds, its variants and Nimda? Will they ever be apprehended? Mr. Dick. Yes, and we have had some successes. I mean, in the Melissa virus we have been able to determine who did that. And the Love Letter virus, we were able to determine who the preparator was of that. Now obviously there are a whole lot of obstacles associated with that. For example, in the Love Letter virus, even though we were able to identify who we believe did that, the country in which that individual lived or resided didn't have the appropriate laws perhaps to deal with that. We are working through the State Department and with our international partners to try to resolve these issues. As you know, in the Philippines they have since taken corrective action. So, you know, I don't like to paint the picture that it is an insurmountable obstacle to identify and arrest these individuals. For example, even on the Leech virus, we have identified a subject in--that we have brought to the bar of justice in another country. The big obstacle is that, like the Internet, it is a very global issue. You know, even if we have--as I talked about in Australia, a month ago, you know, the United States and Canada and Australia could, you know, implement all of the appropriate procedures for firewalls and patch our systems. But because of the way the Internet works and the interconnectivity of the various businesses, if it is not a global solution and a global response to it, we are still vulnerable. So it makes it very, very difficult but not an insurmountable problem. My glass is always half full. Mr. Horn. Well, mine, too. 
Do you think we have enough laws to give you guidance within the domain of the United States or are we missing something? And, if not, should we be putting it in? This is the time of year where you can stick a lot of things on an omnibus appropriation. You can also put language to help people in other areas. And, if so, let's hear it. Mr. Dick. There are a number of legislative issues that we are working with the Department of Justice on. You know, some of which are issues like, for example, if we did an investigation, in each one of the judicial districts we have to go and get an order or subpoena or some kind of official document to followup and retrieve information from Internet service providers and so forth. It would be helpful--in this arena time is of the essence, because the evidence is fleeting, since it is digital. The idea of being able to have a one-stop shopping, if you will, to be able to get an order that allows us to go to multiple jurisdictions to get that and not have to go in each district to get these things. But there are a number of other proposals like that I would be happy to provide to you that are in discussion with the Department of Justice. Mr. Horn. Mr. Miller. Mr. Miller. I would just like to comment on your earlier question about the vulnerability of the Internet. Because I know there is a lot of media here, and I am afraid of the headline tomorrow, Internet very vulnerable. I think that would be inaccurate. I think that the Internet, as Mr. Pethia mentioned, was developed by DARPA to have a lot of redundancy in it. Yes, Mr. Vatis is correct. There are actually physical risks. The domain name servers that he mentioned are very important. But the companies that manage those, Verizon Network Solutions, is very aware of these vulnerabilities; builds a lot of physical redundancy in their systems. I am sure that they would be glad to brief your staff in great detail about that. Again, as Mr. 
Seetin said earlier, nothing is totally invulnerable, as he said very eloquently during his statement. But I don't want you or the people who read the stories tomorrow to somehow get the idea that the Internet is about to be brought down. I would also like to mention something that I think indirectly came up in Mr. Seetin's statement but we haven't addressed directly, which is we all believe that, as part of business continuity planning, we have to have redundancy. But if your redundant system is in your same building or if your redundant telephone lines are going in and out of the same entrance and exit points of the building, do you truly have redundancy? And I think what we learned quite dramatically with these events at the World Trade Center, particularly in the area around the World Trade Center, which is probably the highest area of telecommunications density in the world, is that having redundancy located in the same building or telecommunications lines going in and out of the same pipes really isn't redundancy. So I think it is going to force a lot of companies to rethink this. I think the government is going to need to rethink it. For example, when they build buildings or lease buildings, the government may need to start asking questions. Where in this building is the back-up system? Is it in exactly the same building or right across the street? Do we really, truly have redundancy? And I think it is something that the subcommittee may want to take a further look at, because we did find that was a bit of a problem. Again, Mr. Seetin may want to address this in more detail. Mr. Seetin. Yes, thank you very much. In fact, that is the case. The redundancy that we had planned on really was a result--because we had that facility at least already because our space in Four World Trade was inadequate to actually provide the computer space that we needed. 
To the extent that our experience with the 1993 bombing still didn't give an indication of the potential scope of an attack--and I must say this--I don't know that anybody would have predicted the scope of this type of attack. We did learn the lesson in that the back-up system which was halfway across the island from us happened to be the one that was affected by the attack in addition to us. And we have already taken steps now. In fact, as I said before, on Monday, as of Monday next week, you know, we are--our back-up system is very far away. It's at a completely different utility telenetwork. So, unfortunately, yes, we learned our lesson the hard way. It didn't cost us in terms of our ability to get up and running. It could have. But, Mr. Horn. Any other thoughts, Mr. Miller, on that? And anybody else on the panel in terms of giving some advice to the government that we could prepare our systems for catastrophe, from what we know now. We're going to have the staff up in New York and they'll talk to a lot of the people with your guidance, Mr. Seetin. Yes, Mr. Willemssen. Mr. Willemssen. Just going to add, Mr. Chairman, to the extent that agencies have business continuity and contingency plans now, it's a good point--if they haven't already--to take a look at them, reassess the threat and reassess the likelihood of the threat and the impact it might have, and then put in the appropriate contingencies in the event it occurs. I don't know that's happened universally yet. I think in light of recent events it's a good opportunity to do that. And I would concur with some of the comments made earlier about the critical importance of communications from an emergency response and preparedness perspective. Mr. Pethia. Yeah. Also I'd like to comment on your earlier statements and questions about the need for Homeland Defense and the possible role that Tom Ridge might take. I think it is important, and I agree with what Mr. 
Miller said, that we do need to have the function of an IT czar. And I also think it's important that it be under one agency coordinated with other kinds of infrastructure activities. I think one of the lessons we're all learning is just how interdependent all of these infrastructures are. And this time we were only attacked from one dimension, but I can easily imagine in future attacks that while we're dealing with one problem, we'll see one in yet another part of our infrastructure, and we need to be able to coordinate responses to all of those at one time. You know, I would hate to think of what would have happened on September 11 if at the same time we were struggling with what happened from--by the terrorists, we were also dealing with things like Nimda and other kinds of information infrastructure attacks. It would have hurt us severely. Mr. Horn. We mentioned the software developers and a number of you mentioned that. How difficult is it for the industry to get some of these software developers into the products before they're released? I mean, are these great difficulties by them? Or--you go to all the professional groups in the country, Mr. Miller; what do you hear? Mr. Miller. Well, I guess my starting point diverges a little bit from Mr. Pethia. We've disagreed publicly before, so this isn't the first time. We do believe that our companies do put forth maximum effort to first of all create systems that have as little security flaws as possible. And second, many of them go out of their way to try to do--but I do agree with him that they should have the highest possible security configurations preset. The difficulty is that in software engineering, as well as engineering on automobiles or building or airplanes, there are still going to be flaws. No design is going to be perfect. Yes, it can be better; but no design is going to be perfect. And so there are going to be these followup challenges. And those followup challenges are dealt with by patches. 
And, as Mr. Dick said, the problem isn't that the patches weren't out there. The problem was that in many cases the patches simply were not implemented. I would also say that the companies are trying to build into their systems the highest configuration security setting. But what the companies tell me is when they go back to their customers, they find that this is a problem as to what the customers actually do. For example--this now goes back a year and half to a meeting at the White House with President Clinton--but one of the major companies there, a well-known computer services firm, said that when they went back and visited their customers 90 days after installing systems, on the average, two-thirds of companies had turned off all the security features. Or when they went in and checked as to what the passwords were for some of the major customers, the password was ``password.'' So it is a bit of a challenge. And the question is, even if the best software, designed with the best engineering, is set, if the customer refuses to use it, then you get into a problem. So how do we get this kind of acceptance? Just like how do you convince people to use seatbelts or how do you convince people when they get American Express or travelers checks not to put the numbers of the American Express checks in the same wallet? And that really is a problem of communication. It's not that the product itself is flawed or that the principle is flawed. It's getting broader buy-in. I don't have a simple answer. I think a lot of it goes back to the point Mr. Dick was making. It's education. And we at ITAA, the Partnership for Critical Information Security--which is ITAA--and many other industries have been discussing with the government whether this might be a good time for a massive public service campaign to try to get more customers aware of the need to practice good cyber-hygiene. And frankly, we're internally divided about whether to move forward or not, Mr. Chair. 
There is some concern this will look like somehow, next to what's happened at the World Trade Center and the physical security threats, that this will simply get lost in the message and it won't really be effective. But other people believe that this is very timely, because particularly with the Code Red worm, the Nimda virus--and, as Mr. Pethia said, had they occurred at the same time as the attacks, the physical attacks, who knows what would have happened? So we're pursuing this as an option right now. And again, it's a collaboration between industry and government if we do roll this out. But somehow we've got to get into the heads of the customers, No. 1, no matter how well we design the software, there's going to be flaws subsequently. You've got to install the patches. No. 2, take advantage of those security features. And No. 3, it's not just the technology. It's the people and the processes. And if you have great technology software and you don't install it, or you use ``password'' as your password, you might as well forget about it. You're just not playing the game the right way. Mr. Pethia. As Harris said, we have a tradition of disagreeing on certain points. I agree wholeheartedly that we need better security administration. We need people to adopt practices. But there is a big difference between bulletproof software and where we are today. Things like the top 10 list or the top 20 list are useful, but they can only be created with hindsight. The top 10 or the top 20 are things that we know are problems because we've already been attacked with those 10 or 20. When system administrators are faced with 2,000 new vulnerabilities a year, which 10 do they focus on? It's not a matter of 10's and 20's. It's a matter of getting from 2,000 down to 10 or 20, so that they only have to deal with those and not the thousands of others. Mr. Horn. Mr. 
Vatis, you're at Dartmouth, and a lot of their graduates go to Madison Avenue in New York and have the best--have the best type of communications in ads and everything else. And maybe some of this, with the damage we've seen in New York, we could get some public service ads where we would educate from lap computers to all the big ones and try to get the attitude changed. And I would think there's enough examples that are seen in the New York situation where maybe this is the time it'll cut through to people that, hey, we're not doing it the right way. So I would hope that your professional group there, Mr. Miller, might use that as a project. And I remember when we talked about a ``good housekeeping seal of approval,'' and it seems to me people wouldn't want--I would think the average citizen might say, well, we don't want all these bugs running around, worms running around, if I put my data base on it. I don't really have any feeling that you can't really hurt--you can hurt it. And you've spent a couple of thousand dollars. And I would think that those people in the various different manufacturing would say, hey, this is a good thing that we can now use this. And it seems to me that a lot of people in--a lot of professional people ought to be working that feel--and again, New York is certainly why we should be doing this. Mr. Vatis. Mr. Chairman, if I could just offer a slightly different perspective on that. I think education is very important, but I don't think it's going to be a panacea. There have already been many efforts to educate people about safe practices in cyberspace. And Mr. Miller's organization, with the Department of Justice, sponsored such an education program over the last year and a half or so. You started out this hearing by saying that you hope that recent events would offer a wake-up call to America. I'm afraid that we've had so many wake-up calls that people are just repeatedly pushing the snooze button. 
One would have thought that the I Love You virus, the Melissa virus, the distributed denial of service attacks, Code Red, Nimda--the list goes on and on--each one of those should have offered a wake-up call, and yet we still see the persistent vulnerabilities. At the same time, I think while industry is focused, as Mr. Miller said, on improving security within software, I think, again, their focus is in the short term on getting products to market quickly, with the state-of-the-art of security that exists today. But part of the problem is the state-of-the-art of security today, as Mr. Pethia has alluded to, is not good enough. And so even if customers don't turn off all of the security that's available in software, they're still vulnerable to attack. And if they are turning a lot of the security functions off, to my mind, that suggests a problem with some of those security functions potentially, because they may limit the functionality of the software. And so a customer might make the determination that it's simply not worth it. Or they're simply too difficult. One example of that is encryption. Encryption is available today for people to use to preserve the confidentiality of their communications and their stored data. But it's not widely used because it is considered a hassle by many people and, again, not simply worth it. One solution to that is to try to design an encryption technology that is easier to use, so that people can, with the click of a mouse or the push of one key on the keyboard, ensure confidentiality. So the answer again, to me, over the long-term, is research and development to design technology that is easy to use and that offers broader and deeper assurance of security than the current technology allows. And again, as I think several of the panelists have said, the private sector is important on that. But they are naturally going to be thinking about near-term profitmaking ventures. That is their mission in life, and appropriately so. 
But government funded research and development is critical to look at the long-term developments that can really help us secure the information base. Mr. Horn. I would think that a manufacturer--now, I look at these Dell ads, etc., and that's changed a lot of things in the market. And I would think that the one that is able to say we're reacting to both the foreign hackers, domestic hackers and all the rest, and we have a good housing, and keeping it going and having some sort of--you talk about their monetary interests and they could put it to good interest. So--and I think people would go and want to buy it now, because it's just too complex to have all this machinery going down the drain, with all these people coming in from various things. And I guess, Mr. Dick, besides the incoming ones in the United States so far, has your Center found that foreign hackers have come into the United States? Or how difficult is that to decide it and to see it? Mr. Dick. If you will, the doors of the Internet have made all kinds of illicit contact on the Internet available to the globe. And yes, I mean, we're seeing a number of intrusions into U.S. systems by foreign subjects and organizations. Here recently, we had a series of intrusions into e-commerce businesses, the focus of which was emanating from Eastern Europe. We were able to identify who those individuals were, and have brought several of them to prosecution here in the United States. So because of the borderless nature of the Internet, criminals and terrorists and any of the threats that you can identify just don't emanate from the United States. It's a global issue which I've referred to before. Mr. Horn. Mr. Seetin noted that the Web site was a critical point of contact, since the cell phone relays went out. I'd just say for both of you, did the Nimda virus scanning have an impact on the availability of your site? Mr. Seetin. Thank you, Mr. Chairman. No. 
In fact, our technology folks had been well aware of that and were operating, you know, with great caution. Our system uses what-- commonly used encryption systems by the financial industry, because obviously we face the same issues as they do in terms of potential threat. So we went in using that. We did not face those types of problems with our Web site. Not to say that we wouldn't, you know. And I agree with the other panelists here that, indeed, looking forward, I think the only thing we can anticipate is that the bad guys are going to get smarter and they're going to get badder, and so we have to stay ahead of them to the degree that we can. Mr. Horn. Any other thoughts on that? We're going to be closing this down in a few minutes and we won't keep you here forever. Anything that should have been said that we didn't ask about? We're going to have the majority and minority staff go over the questions, that I just have said you can only use so many, and we'd appreciate any thoughts you might have, and they'll write you. And is there anything that some of your colleagues said that we didn't ask and you think it's important? OK. What I'm going to do is have a closing statement. I thank you all for coming down here, and we can't predict what lies ahead anymore. We weren't able to anticipate the horrible events of September 11, but the Nation has now been placed on alert. Let's hope we can keep that sense of alert to get something done. Protecting our information infrastructure and our critical government computer systems must become our highest priority. The administration is taking an aggressive step, as I mentioned, with the creation of the Office of Homeland Security under Governor Ridge. The Office of Management and Budget must also play a key role. And I note that the Director of OMB has a representative taking notes here. So hopefully it'll be moved through the bureaucracy down there. 
I look forward to working with all of you as we focus on this vitally important issue. And I want to thank the staff: the minority staff, David McMillen, Jean Gosa; and with the majority staff we have J. Russell George, behind me, staff director/chief counsel. He grew up right near some of those towers, and so he knows New York well. Elizabeth Johnston, on my left, your right, is on loan to us from the General Accounting Office, and we're delighted to have her working on this particular hearing. Then Darin Chidsey and Matt Phillips, professional staff. Mark Johnson is our very able clerk, and Jim Holmes is the intern this week. And the court reporters are Christina Smith and Mark Stuart. We thank you all for what you've done here, and we'll try to get this hearing out as fast as we can. We are adjourned. [Whereupon, at 12:15 p.m., the subcommittee was adjourned.] -