[Senate Hearing 107-366]
[From the U.S. Government Publishing Office]
S. Hrg. 107-366
IMPROVING OUR ABILITY TO FIGHT CYBERCRIME: OVERSIGHT OF THE NATIONAL
INFRASTRUCTURE PROTECTION CENTER
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
AND GOVERNMENT INFORMATION
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
JULY 25, 2001
__________
Serial No. J-107-22
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2002
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
EDWARD M. KENNEDY, Massachusetts ORRIN G. HATCH, Utah
JOSEPH R. BIDEN, Jr., Delaware STROM THURMOND, South Carolina
HERBERT KOHL, Wisconsin CHARLES E. GRASSLEY, Iowa
DIANNE FEINSTEIN, California ARLEN SPECTER, Pennsylvania
RUSSELL D. FEINGOLD, Wisconsin JON KYL, Arizona
CHARLES E. SCHUMER, New York MIKE DeWINE, Ohio
RICHARD J. DURBIN, Illinois JEFF SESSIONS, Alabama
MARIA CANTWELL, Washington SAM BROWNBACK, Kansas
JOHN EDWARDS, North Carolina MITCH McCONNELL, Kentucky
Bruce A. Cohen, Majority Chief Counsel and Staff Director
Sharon Prost, Minority Chief Counsel
Makan Delrahim, Minority Staff Director
------
Subcommittee on Technology, Terrorism, and Government Information
DIANNE FEINSTEIN, California, Chairperson
JOSEPH R. BIDEN, Jr., Delaware JON KYL, Arizona
HERBERT KOHL, Wisconsin MIKE DeWINE, Ohio
MARIA CANTWELL, Washington JEFF SESSIONS, Alabama
JOHN EDWARDS, North Carolina MITCH McCONNELL, Kentucky
David Hantman, Majority Chief Counsel
Stephen Higgins, Republican Chief Counsel
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Feinstein, Hon. Dianne, a U.S. Senator from the State of California
Grassley, Hon. Charles E., a U.S. Senator from the State of Iowa
Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona
WITNESSES
Cleland, Hon. Max, a U.S. Senator from the State of Georgia
Dacey, Robert F., Director, Information Security Issues, General Accounting Office, Washington, D.C.
Dick, Ronald L., Director, National Infrastructure Protection Center, Federal Bureau of Investigation, Washington, D.C.
Gent, Michehl R., President and Chief Executive Officer, North American Electric Reliability Council, Washington, D.C.
Klaus, Chris, Founder and Chief Technology Officer, Internet Security Systems, Atlanta, Georgia
McDonald, Sallie, Assistant Commissioner, Office of Information Assurance and Critical Infrastructure Protection, General Services Administration, Washington, D.C.
Savage, James, Jr., Deputy Special Agent in Charge, Financial Crimes Division, United States Secret Service, Washington, D.C.
SUBMISSIONS FOR THE RECORD
North American Electric Reliability Council, Eugene F. Gorzelink, Director, Washington, D.C.
Securify, Inc., Taher Elgamal, Chairman, President and CEO, Mountain View, CA
IMPROVING OUR ABILITY TO FIGHT CYBERCRIME: OVERSIGHT OF THE NATIONAL
INFRASTRUCTURE PROTECTION CENTER
----------
WEDNESDAY, JULY 25, 2001
U.S. Senate,
Subcommittee on Technology, Terrorism, and
Government Information,
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:07 p.m., in
room SD-628, Dirksen Senate Office Building, Hon. Dianne
Feinstein, Chairman of the Subcommittee, presiding.
Present: Senators Feinstein and Kyl.
OPENING STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM
THE STATE OF CALIFORNIA
Chairperson Feinstein. I would like to begin this hearing.
Senator Kyl, who is the ranking member, is detained and
hopefully will be here by about 2:30. At 2:15, we are scheduled
to have a vote on the floor. So in order not to interrupt your
testimony, what I would like to do right now is just quickly
make my opening remarks and then go down and we will vote, and
then come back and take our first panel.
Senator Kyl has joined us. I am delighted. He was the
Chairman of this Subcommittee for a substantial period of time,
and I found I really enjoyed working with him and so we are
really co-chairs rather than Chairman and ranking member.
This hearing will be on a GAO report, General Accounting
Office report, on the National Infrastructure Protection
Center, or NIPC--that is a wonderful Washington acronym--as it
is called for short. NIPC is the leading Government body that
combats cyber crime and cyber terrorism. So this Subcommittee
hearing will actually cover all three parts of the
Subcommittee's name--Technology, Terrorism, and Government
Information.
NIPC, which was founded only a few years ago, has a broad
mission to prevent, to warn against, to analyze, and to respond
to cyber attacks. However, many experts, both within and
without Government and the private sector, have suggested that
NIPC has not fulfilled its mission. Critics have argued that it
has done a poor job at analyzing and warning against cyber
threats and attacks. For example, some have said that NIPC's
efforts to provide warnings about the May 2000 I Love You virus
and the February 2000 distributed denial of service attacks on
major Internet sites were slow and inadequate.
Second, while NIPC was intended to be an interagency
organization, critics have contended that the FBI has dominated
the NIPC and has done a poor job coordinating with other
Federal agencies in fighting cyber crime. I am not saying I
necessarily believe these things. I am saying what the critics
have said.
Third, critics have suggested that NIPC has not done a good
job at ensuring information-sharing between it and private sector
and Government entities. For example, NIPC has established a
two-way information-sharing partnership with only one private
organization, and that is the Information Sharing and Analysis
Center, or ISAC, for the electric power industry.
So that is why Senator Kyl, Senator Grassley and I asked
GAO to take a look at NIPC's operations and report back its
findings and recommendations. Their report, which is right
here, generally confirms problems identified by the critics of
NIPC.
First, the report finds that, while NIPC has issued many
analyses of individual incidents, it hasn't done a good job at
developing strategic analysis of threat and vulnerability data.
This is because of NIPC's failure to adopt a methodology to
analyze strategic cyber threats, lack of adequate staff
expertise, and an absence of sufficient industry-specific data
on vulnerabilities. The result has been confusion about NIPC's
role and responsibilities.
The report also finds that the NIPC has not done enough to
establish information-sharing and cooperative relationships
with the private sector and other Government agencies.
Now, the report points out a number of things that it
thinks NIPC should do, and I very much welcome the witnesses'
comments on these: create procedures to ensure more
information-sharing with ISACs; make more progress in
developing a data base of the most important components of the
Nation's critical infrastructures, the Key Asset Initiative;
develop better relationships with the Defense Department and
law enforcement and civilian agencies.
The report also concludes that NIPC has generally done good
investigative field work. However, it points out they still
need additional resources and new procedures to ensure that
information flows more efficiently from the field to NIPC.
So I am very pleased that the NIPC has taken the GAO's
investigation very seriously, and I am also very pleased that
it shows every intention of improving its operation. In fact,
the NIPC made several improvements during the GAO audit itself.
One example: until recently, NIPC had not done much to recruit
companies to its InfraGard program, a voluntary information-
sharing network for private companies. However, in just the
last 6 months, NIPC has tripled the number of InfraGard
members.
So I look forward to hearing the testimony from witnesses.
I think both Senator Kyl and I think this is a really important
vulnerability in our entire national infrastructure, and we
would like to do whatever we can to see that it is improved.
So now I will turn for his opening comments to my co-
chairman, Senator Kyl.
STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF
ARIZONA
Senator Kyl. Well, thank you, Senator Feinstein. It is nice
of you to refer to me in that fashion.
I now realize what a challenge Senator Feinstein had when I
was the Chairman and she would follow me after I had laid out
the whole subject of the hearing, which she has just done very
nicely, I might add. So I will put my statement in the record
and just add a couple of comments clearly to note the fact that
this hearing does give us an opportunity to focus on what
Congress can do to assist the NIPC in carrying out its mission.
The Attorney General recently called computer security one
of the Nation's top problems, and announced that the
administration is creating nine special units to prosecute
hacking and copyright violations--just one of the problems we
face. He cited a report by PricewaterhouseCoopers that
businesses spent $300 billion combatting hackers and computer
viruses last year. Think about that, just businesses, $300
billion in unproductive spending, just defensive against
hacking and viruses last year. It is obviously a huge problem.
I think the American public is only aware of a minuscule
number of the viruses that have attacked just even in the
recent past. The Michelangelo virus, the Melissa virus, and the
I Love You virus were, I think, fairly well known, but there
are others.
Just this past Thursday, a newly discovered virus called
Lion worm has been discovered by researchers. It is a self-
spreading program that attacks a common software used by
machines that drive the Internet. It will gather encrypted
passwords that can be used to gain root access to systems. This
access gives the hacker complete control of the system and the
information on it. It is a frightening thought to imagine the
damage that could be done if someone gained control of systems
that serve our communications, financial, transportation,
electrical, or defense systems in our country.
The cyber war being waged against America's infrastructure
is not limited to hackers seeking the thrill of the game of
disrupting computer systems. It is being waged as well by
criminal groups, by foreign intelligence services, insider
threats from disgruntled employees, and even politically
motivated groups.
It is important to remember that although the Federal
Government plays an important role in protecting this country's
critical infrastructure, it can't do it alone; it has got to
have the cooperation of the private sector. The private sector,
remember, controls about 95 percent of the infrastructure on
which the country depends.
It is crucial that Congress assist the private sector and
Government agencies in fostering an environment in which
information is shared quickly and fully between the two. One of
the things I am going to be interested in is whether people in
the private sector believe that we need to do more in certain
areas, for example, in the area of the Freedom of Information
Act to ensure that the private sector can give Government
sensitive and important information in a timely way without the
possibility that that information would then later be made
public in a way that is detrimental to the industry or business
involved.
So I look forward to hearing from all of our witnesses,
both Government and private sector, on how we can assist them.
I am very pleased that Senator Feinstein has given us the
opportunity to review the progress that NIPC has made since its
inception, especially with respect to the criticisms and
compliments both contained in the GAO report.
So thank you, Senator Feinstein, and I thank the witnesses.
[The prepared statement of Senator Kyl follows:]
Statement of Hon. Jon Kyl, a U.S. Senator from the State of Arizona
Thank you, Senator Feinstein.
Thank you for convening this very important hearing on the National
Infrastructure Protection Center. This Subcommittee originally
scheduled a hearing to correspond with the release of the General
Accounting Office's report on May 22nd of this year.
Unfortunately, a series of votes on the Senate floor on that day required
the last-minute cancellation of the hearing. I stated that the hearing
would be rescheduled and I am pleased that Senator Feinstein, who
chairs this Subcommittee, has decided to hold this hearing. We both
believe that this is a vitally important issue to the welfare and
safety of our nation.
In 1998, the President issued Presidential Decision Directive (PDD)
63 that established the National Infrastructure Protection Center
(NIPC) to protect the nation's critical computer-dependent
infrastructures from computer-based attacks and disruptions. The NIPC
was given the job of providing an analysis of threats, vulnerability,
and attacks; issue warnings on threats and attacks; coordinate the
government's response to cyber incidents; provide law enforcement
support; and promote ties with the private sector to facilitate the
sharing of information. This hearing provides the opportunity to
examine how effectively the NIPC is accomplishing its mission.
The Bush Administration has already emphasized the importance of
cyber security and the protection of America's critical infrastructure.
The President and his staff are working on a comprehensive plan that is
scheduled to be released later this year on the nation's critical
infrastructure.
Attorney General Ashcroft recently called computer security one of
the nation's top problems and announced that the Administration is
creating nine special units to prosecute hacking and copyright
violations. General Ashcroft cited a report conducted by
PriceWaterhouseCoopers that businesses spent $300 billion combating
hackers and computer viruses last year. Clearly, it's a huge problem,
and getting bigger every day.
The American public is aware of only a minuscule number of viruses
that have struck in the recent past: Michelangelo, Melissa, and the
ILOVEYOU viruses. Just this past Thursday, a newly discovered virus
called ``Lion'' worm has been discovered by researchers. This is a
self-spreading program that attacks a common software used by machines
that drive the internet. This program will gather encrypted passwords
that can be used to gain ``root'' access to systems. This access gives
the hacker complete control of the system and the information on it. It
is a frightening thought to imagine the damage that could be done if
someone gained control of systems that serve our communication,
financial, transportation, electrical, or defense systems.
The cyber war being waged against America's infrastructure is not
limited to hackers seeking the challenge or thrill of disrupting
computer systems. The assault is being waged by criminal groups,
foreign intelligence services, insider threats from disgruntled
employees, and politically motivated groups.
It is important to remember that, although the Federal government
plays an important role in protecting this country's critical
infrastructure, it cannot be accomplished without the assistance of the
private sector. The private sector controls approximately 95% of the
infrastructure upon which our country depends.
It is crucial that the Congress assist the private sector and
government agencies in fostering an environment in which information is
shared quickly and fully between the two.
I look forward to hearing from both our government and private
sector witnesses on how we can assist them. I am glad that Senator
Feinstein has given us the opportunity to review the progress the NIPC
has made since its inception and, more importantly, what
changes have occurred as a result of the criticisms in the GAO report.
Once again, I thank the Senator from California.
Chairperson Feinstein. Thank you very much, Senator Kyl.
Since the vote hasn't been announced, let's begin this
panel and then we can go, say, 15 minutes after you hear the
long buzzer. Then, if that is agreeable, we will go down and
vote and come right back.
The first panel is comprised of Mr. Ron Dick, who is the
Director of the National Infrastructure Protection Center; Mr.
Robert Dacey, who is the Director of Information Security
Issues of the GAO, the General Accounting Office; Ms. Sallie
McDonald, Assistant Commissioner, Office of Information
Assurance and Critical Infrastructure Protection at the General
Services Administration; and Mr. James Savage, Jr., Deputy
Special Agent-in-Charge of the Financial Crimes Division of the
Secret Service.
Welcome, witnesses, and, Mr. Dick, if we could begin with
you. Once again, I am going to put a 5-minute limit on
witnesses so that, because it is just the two of us, we can
have a little more dialog between us.
So, Mr. Dick, please begin.
STATEMENT OF RONALD L. DICK, DIRECTOR, NATIONAL INFRASTRUCTURE
PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION, WASHINGTON,
D.C.
Mr. Dick. Well, thank you very much, Madam Chairman,
Ranking Member Kyl. Thank you for inviting me here today to
testify about the GAO review of the National Infrastructure
Protection Center.
Our work here is vitally important, and holding this
hearing once again demonstrates your personal commitment to
improving the security of our infrastructures and the
committee's leadership on this issue in Congress.
The NIPC was created in 1998 to deal with the very complex
problem of critical infrastructure protection. We started 3
years ago with no dedicated staff. As one of my colleagues put
it, we had to build the plane as we flew it. But we have come
far in just a few years.
As you rightly pointed out, our InfraGard initiative is now
over 1,600 members, with an increase since January of over
1,000 members. I had the honor here recently on behalf of
InfraGard to receive the 2001 World Safe Internet Safety Award
from the Safe America Foundation in May of 2000.
We are actively exchanging information with private sector
companies, information sharing and analysis centers, and
members of InfraGard. Companies have found that there is value
in exchanging information with the NIPC, that we can safeguard
their information and provide useful information in return.
Our watch center functions around the clock with
connectivity to FedCIRC; Sallie McDonald, one of the panelists
here, is an integral partner with the NIPC. The National
Security Incident Response Center at NSA, the Joint Task Force
for Computer Operations at the Department of Defense, the anti-
virus community, and the backbone providers are all partners of
ours, and I am going to describe a particular incident that
occurred here recently where all of those things came together
for a successful resolution.
The watch has issued over 98 warnings since our inception.
These warning products help systems administrators protect
their computer systems before things happen. We issued warnings
on, for example, the Leaves worm in June of this year, e-mail
script vulnerabilities, acts of hacktivism, the Brown Orifice
warning, and PGP vulnerability. All of these warnings went out
prior to any widespread attacks.
Let me cite one advisory that shows, as I said, what the
Center is really all about. Our advisory on e-commerce
vulnerabilities combined information derived from law
enforcement, intelligence, and open sources. It was coordinated
with our Federal partners and with three of the ISACs. It had
the desired result.
The Financial Services ISAC estimated that our warning and
press conference on e-commerce vulnerabilities helped thwart
1,600 attempted intrusions on the first day following the
warning. Alan Paller, who heads the Systems Administrators and
Network Security Institute, which represents over 100,000
information security professionals, congratulated us for our
extraordinary contribution to Internet security in sharing
information on Russian and Ukrainian extortions. He said, ``It
was extraordinary because it detailed the level of the threat
and at the same time provided forensic information that allows
the community to test and fix their systems.''
Our analytical products are reaching the right audiences.
For example, an official with a major bank information security
office told us that our ``vulnerability alerts publication is a
valuable service. We incorporate these with other alerts and
distribute [them] throughout the...enterprise.''
As you mentioned, our investigations are continuing
successfully. We currently have over 1,200 of them, both
domestically and internationally.
On issues of national concern, we have established four
strategic directions for our capabilities growth through 2005,
those being prediction, prevention, detection and mitigation.
None of these are new concepts, but the NIPC will renew its
focus on each of them in order to strengthen our strategic
analysis capabilities.
The recent events involving the Leaves and IDA Code Red
worms are good examples of the NIPC's success and progress
since the GAO study. We are working well with the National
Security Council and our partner agencies to disseminate
information and coordinate strategic efforts in a timely and
effective manner on these incidents.
Our technical programs are also making great strides. The
NIPC's work with private companies has been well received, in
that SANS awarded us the 2000 Security Technology Leadership
Award for members of our Special Technologies Applications
Unit.
The NIPC is deepening its relationships between itself and
other Federal agencies. For example, we have reached and
finalized a formal agreement just this week with the Federal
Aviation Administration. NIPC's Interagency Coordination Cell
is fostering cooperation among investigative agencies. Several
task forces have already begun based upon this work within this
cell.
We are currently negotiating agreements with various other
ISACs which will further improve the information-sharing
process. As mentioned, our training program has trained over
4,000 Federal, State, local and foreign law enforcement
personnel in computer and network investigations.
The NIPC is the sector lead for the emergency law
enforcement services sector. On March 2, 2001, we delivered the
sector plan to the White House. The ELES plan provides a
toolbox to assist some 18,000 police and sheriffs departments
in protecting their data and communications systems from
attack.
It was the first plan to be completed and was very
favorably received at the Partnership for Critical
Infrastructure Security meeting and was given as a model for
other sectors. Since the local police and sheriffs departments
are usually among the first responders to an incident, the
protection of their data and communications systems is vital to
public safety and national security. In short, I think we have
a robust program now.
As proud as I am of the NIPC's accomplishments, we must
look to the future. I am focused on implementing a strategic
planning effort that will produce measurable results as we face
challenges ahead. Infrastructure protection is an issue that is
bigger than one agency and any one private sector entity. We
must develop meaningful partnerships between the public and
private sectors, as well as internationally, to protect our
Nation.
The NIPC will be striving to take an ever greater
leadership role in this effort, and we will be doing this in
close partnership with the Subcommittee's work in this area, as
well as the administration's revisions to the national plan.
Again, I thank you.
[The prepared statement of Mr. Dick follows:]
Statement of Ronald L. Dick, Director, National Infrastructure
Protection Center, Federal Bureau of Investigation
Madame Chairperson, Ranking Member Kyl, and members of the
subcommittee, thank you for inviting me here today to testify about the
recommendations outlined in the General Accounting Office (GAO) report
titled ``CRITICAL INFRASTRUCTURE PROTECTION: Significant Challenges in
Developing National Capabilities.'' Holding this hearing once again
demonstrates your personal commitment to improving the security of our
critical infrastructures and this subcommittee's leadership on this
issue in Congress. Our work here is vitally important because the
stakes involved are enormous. One recent study observed ``12,085
attacks on over 5,000 distinct Internet hosts belonging to more than
2,000 distinct organizations during a three-week period.'' \1\ My
testimony today will address what has been accomplished and what still
needs to be done to implement the GAO report's recommendations. Our
assessment of the overall report is contained in our testimony of May
22, 2001 before this subcommittee.
---------------------------------------------------------------------------
\1\ David Moore, Geoffrey M. Voelker and Stefan Savage, ``Inferring
Internet Denial-of-Service Activity,'' May 2001.
---------------------------------------------------------------------------
At the outset, let me say how pleased I am here today with GSA's
Assistant Commissioner Sallie McDonald of FedCIRC and Deputy Special
Agent in Charge of the Financial Crimes Division Jim Savage of the U.S.
Secret Service. Assistant Commissioner McDonald's statement explains in
detail the close working relationship that GSA's FedCIRC has with the
NIPC, so I won't dwell on that here.
The GAO's recommendations fell into several broad categories,
including: enhancing capacity for strategic analysis; monitoring field
implementation of NIPC performance measures; completing the Emergency
Law Enforcement Services Sector Plan; improving cooperative
relationships between the NIPC and its federal partners; and furthering
information sharing between the NIPC, the Information Sharing and
Analysis Centers (ISACs) and the public.
Nevertheless, the Center has made great strides in achieving its
mission under Presidential Decision Directive (PDD) 63 over the past
three years. In his prepared statement for the May 22, 2001 hearing,
GAO's Director of Information Security, Mr. Robert F. Dacey, stated:
First, the NIPC has provided valuable coordination and
technical support to FBI field offices, which have established
special squads and teams and one regional task force in its
field offices to address the growing number of computer crime
cases. The NIPC has supported these investigative efforts by
(1) coordinating investigations among FBI field offices,
thereby bringing a national perspective to individual cases,
(2) providing technical support in the form of analyses, expert
assistance for interviews, and tools for analyzing and
mitigating computer-based attacks, and (3) providing
administrative support to NIPC field agents. For example, the
NIPC produced over 250 written technical reports during 1999
and 2000, developed analytical tools to assist in investigating
and mitigating computer-based attacks, and managed the
procurement and installation of hardware and software tools for
the NIPC field squads and teams.
Over the past three years, NIPC has provided training for almost
4,000 participants. The NIPC's training program complements training
offered by the FBI's Training Division as well as training offered by
the Department of Defense and the National Cybercrime Training
Partnership. Trained investigators are essential to our successfully
combating computer intrusions.
Enhancing Capacity for Strategic Analysis
The GAO report recommended that the NIPC develop a comprehensive,
written plan for strategic analysis. While we have numerous documents
reflecting strategic and tactical planning, I agree that more work
needs to be done. As the GAO report noted, our progress in this area
has been impeded by the personnel shortfalls and management
discontinuities within the interagency Analysis and Warning Section. I
am pleased to report progress in this area with the arrival in April of
a Central Intelligence Agency (CIA) senior officer, detailed for a
sustained period as the Section Chief, and the recent selection of an
National Security Agency (NSA) officer as the Chief of the Analysis and
Information Sharing Unit within that section.
We have established four strategic directions for our capability
growth through 2005: prediction, prevention, detection, and mitigation.
None of these are new concepts but NIPC will renew its focus on each of
them in order to strengthen our strategic analysis capabilities. NIPC
will work to further strengthen its longstanding efforts on the early
detection and mitigation of cyber attacks. These strategic directions
will be significantly advanced by our intensified cooperation with
federal agencies and the private sector. As the recent LEAVES and CODE
RED worm incidents demonstrate, our working relations with key federal
agencies, like FedCIRC, NSA, CIA, and the Joint Task Force Computer
Network Operations (JTF-CNO), and private sector groups such as SANS,
the anti-virus community, and the major Internet service providers and
backbone companies have never been closer. Our most ambitious strategic
directions, prediction and prevention, are intended to forestall
attacks before they occur. We are seeking ways to forecast or predict
hostile capabilities in much the same way that the military forecasts
weapons threats. The goal here is to forecast these threats with
sufficient warning to prevent them. A key to success in these areas
will be strengthened cooperation with intelligence collectors and the
application of sophisticated new analytic tools to better learn from
day-to-day trends. The strategy of prevention is reminiscent of
traditional community policing programs but with our infrastructure
partners and key system vendors.
As we work on these four strategic directions: attack prediction,
prevention, detection, and mitigation, we will have many opportunities
to stretch our capabilities. With respect to all of these, the NIPC is
committed to continuous improvement through a sustained process of
documenting ``lessons learned'' from significant cyber events. We have
already begun one such lessons learned study in connection with the
recent LEAVES worm event. The NIPC also remains committed to achieving
all of its objectives while upholding the fundamental rights of our
citizenry, including the fundamental right to privacy.
The NIPC is excited by each of these strategic directions. I will
lead a senior planning offsite later this summer and I expect to have
the documented strategic plan completed by December. We are conducting
this planning in a climate of intensified cyber attacks by a growing
number of automated tools that make effective hacking literally child's
play. For instance, hackers are preying on the growing number of
American home computer users for whom computers and cable modems are
merely appliances rather than hobbies. These millions of home computers
often lack the latest security updates, intrusion detection
capabilities, and anti-virus signatures.
The GAO also recommended that the NIPC ensure that its Special
Technologies and Applications Unit have the computer and communications
resources necessary to analyze investigative data. The NIPC has already
begun to address this issue through the continued implementation of
the NIPC's ``data warehousing and data mining'' project. This will
allow the NIPC to retrieve incident data originating from multiple
sources. Data warehousing includes the ability to conduct real-time
all-source analysis and report generation. This initiative is ongoing
and will require multiple year funding to reach maximum potential.
Monitoring Implementation of Field Performance Measures
The GAO recommended that the NIPC monitor implementation of new
performance measures to ensure that they result in FBI Field Offices
fully reporting information on computer crime complaints to the NIPC.
The NIPC continues to monitor the open investigations of all the field
offices and field performance in monthly statistical reports. Along
with this, the FBI field offices report information on potential
computer crimes by documenting and uploading reports of these incidents
to the FBI's automated case support system. These records are
searchable and available to NIPC Headquarters personnel who correlate
the incidents with other pending investigations. The placement of the
NIPC at the FBI endows the Center with both the authorities and the
ability to combine law enforcement information flowing into the NIPC
from the FBI Field Offices with other information streams derived from
open, confidential, and classified sources. This capability is unique
in the federal government. The NIPC views monitoring field office
reporting as an ongoing action.
Completion of the Emergency Law Enforcement Services Plan
This task is completed. The NIPC serves as sector liaison for
Emergency Law Enforcement Services (ELES) sector at the request of the
FBI. The NIPC completed the ELES Sector Plan in February, 2001. The
ELES Sector Plan was the first completed sector report under PDD-63 and
was delivered to the White House on March 2, 2001. At the Partnership
for Critical Infrastructure Security in Washington, D.C., in March,
2001, the ELES Plan was held up as a model for the other sectors. The
NIPC also sponsored the formation of the Emergency Law Enforcement
Services Sector forum, which meets quarterly to discuss issues relevant
to sector security planning. The Forum contains federal, state, and
local representatives. The next meeting of the forum is scheduled for
September, 2001.
The Plan was the result of two years' work in which the NIPC
surveyed law enforcement agencies concerning the vulnerabilities of
their infrastructure. Following the receipt of the survey results, the
NIPC and the ELES Forum produced the ELES Sector Plan. The NIPC also
produced a companion ``Guide for State and Local Law Enforcement
Agencies'' that provides guidance and a ``toolkit'' that law
enforcement agencies can use when implementing the activities suggested
in the Plan.
The importance of the ELES Sector Plan and the Guide cannot be
overstated. These documents will aid some 18,000 police departments
located in towns and neighborhoods to better protect themselves from
attack. Since the local police are usually among the first responders
to any incident threatening public safety, their protection is vital to
our national security.
Enhancing Cooperative Relationships Among Federal Agencies
The GAO recommended that the NIPC formalize relationships between
itself, other federal entities, and private sector ISACs, so a clear
understanding of what is expected from the respective organizations
exists. The NIPC has established effective information sharing and
cooperative investigative relationships across the U.S. Government. A
formal Memorandum of Agreement was just completed with the Department of
Transportation's Federal Aviation Administration (FAA) which will
govern how information is shared between FAA and NIPC and how that
information will be communicated. This MOA formalizes a long-standing
informal process of information sharing between NIPC and FAA. Informal
arrangements have already been established with the Federal
Communications Commission, Department of Transportation's (DOT)
National Response Center, DOT Office of Pipeline Safety, Department of
Energy's Office of Emergency Management, and others, which allow the
NIPC to receive detailed sector-specific incident reports in a timely
manner. Formal MOAs should soon be completed with several other
agencies, including the National Coordinating Center for
Telecommunications and the Federal Emergency Management Agency's
National Fire Administration.
The NIPC has developed into a truly interagency center and this in
itself fosters cooperative relationships among agencies. It currently
consists of detailees from the following U.S. government agencies: FBI,
Army, Office of the Secretary of Defense (Navy Rear Admiral), Air Force
Office of Special Investigations, Defense Criminal Investigative
Service, National Security Agency, General Services Administration,
United States Postal Service, Department of Transportation/Federal
Aviation Administration, Central Intelligence Agency, Department of
Commerce/Critical Infrastructure Assurance Office, and a representative
from the Department of Energy. Canada, the United Kingdom, and
Australia also each have a detailee in the Center.
The NIPC functions in a task force-like way, coordinating
investigations in a multitude of jurisdictions, both domestically and
internationally. This is essential due to the transnational nature of
cyber intrusions. As NIPC coordinates a myriad of investigative efforts
within the FBI, it is not unlike the way the air traffic control system
manages the stream of aircraft traffic across the United States and
around the world.
To instill further cooperation and establish an essential
deconfliction process among the investigative agencies, the NIPC
asserted a leadership role by forming an Interagency Coordination Cell
(IACC) at the Center. The IACC meets on a monthly basis and includes
representation from U.S. Secret Service, NASA, U.S. Postal Service,
Department of Defense Criminal Investigative Organizations (AFOSI,
DCIS, NCIS, USACIDC), U.S. Customs, Departments of Energy, State and
Education, Social Security Administration, Treasury Inspector General
for Tax Administration and the CIA. The cell works to deconflict
investigative and operational matters among agencies and assists
agencies in combining resources on matters of common interest. The NIPC
anticipates that this cell will expand to include all investigative
agencies and inspectors general in the federal government having cyber
critical infrastructure responsibilities. As we noted on May 22, 2001,
the IACC has led to the formation of several task forces and prevented
intrusions and compromises of U.S. Government systems.
Senior leadership positions in the NIPC are held by personnel from
several agencies. The position of NIPC Director is reserved for a
senior FBI executive. The Deputy Director of the NIPC is a two-star
Navy Rear Admiral and the Executive Director is detailed from the Air
Force Office of Special Investigations. The Section and Unit Chiefs in
the Computer Investigation and Operations Section and the Training,
Outreach, and Strategy Section are from the FBI. The Assistant Section
Chief for Training, Outreach and Strategy is detailed from the Defense
Criminal Investigative Service. The Section Chief of the Analysis and
Warning Section is from the CIA and his deputy is a senior FBI agent.
The head of the NIPC Watch and Warning Unit is reserved for a uniformed
service officer, and the head of the Analysis and Information Sharing
Unit is reserved for a National Security Agency manager.
While the Center has representatives from several U.S. Government
agencies, staffing continues to be a challenge. Non-FBI personnel are
provided to the Center on a non-reimbursable basis. Agencies have
responded to the NIPC's requests for detailees by saying that they are
constrained from sending personnel due to lack of funds. It is vitally
important that agencies be provided with sufficient funds for the
assignment of detailees to the NIPC to support its strategic analysis
mission.
As part of its emphasis on cooperation, the GAO recommended that
the NIPC ensure that its Key Asset Initiative is integrated with the
DoD and Critical Infrastructure Assurance Office (CIAO) programs. The
objective of the Key Asset Initiative is to develop and maintain a
database of information concerning ``key assets'' within each FBI Field
Office's jurisdiction as part of a broader effort to protect the
critical infrastructures against both physical and cyber threats. This
initiative benefits national security planning efforts by providing a
better understanding of the location, importance, and contact
information for critical infrastructure assets across the United
States. The NIPC has worked with the DoD and the CIAO on its Key Asset
Initiative by involving them in the training of agents that work on the
Initiative and by meeting with them regarding their programs. The NIPC
and the Department of Defense are working toward a Memorandum of
Understanding that will assist in defining cooperative efforts.
The NIPC has taken other initiatives as well in fulfilling its role
to lead the critical infrastructure protection effort. This is
evidenced by its coordinating actions as Chair of the Incident Response
SubGroup of the Information Infrastructure Protection and Assurance
Group established by NSPD-1. The NIPC also routinely disseminates
information through its participation in task forces and working
groups that meet regularly. NIPC senior leadership participates in
weekly senior level meetings to exchange strategic level information
with the Assistant Secretary of Defense for Command, Control,
Communication and Intelligence. Further collaboration is demonstrated
through the NIPC's designation as chair of one of the subcommittees
that is drafting version two of the National Plan.
The NIPC also maintains an active dialogue with the international
community, to include its participation in the Trilateral Seminar of
the International Cooperation for Information Assurance in Sweden and
the G-8 Lyon Group (High Tech Crime Subgroup). NIPC has briefed
visitors from a number of countries, including: Japan, Singapore, the
United Kingdom, Germany, France, Norway, Canada, Denmark, Sweden,
Israel, and other nations over the past year. In addition, NIPC
personnel have accepted invitations to meet with government authorities
in Sweden, Germany, Australia, the United Kingdom, and Denmark in
recent months to discuss infrastructure protection issues with their
counterparts. Finally, the NIPC Watch Center is connected to the Watch
Centers of several of our close allies.
The NIPC sends out advisories on an ad hoc basis which are
infrastructure warnings to address cyber or infrastructure events with
possible significant impact. These are distributed to partners in
private and public sectors. A number of recent advisories sent out by
the NIPC (see for example Advisory 01-014, titled ``New Scanning
Activity (with W32-LEAVES.worm) Exploiting SubSeven Victims'') serve
to demonstrate the continued collaboration between the NIPC and its
partner FedCIRC. The NIPC serves as a member of FedCIRC's Senior
Advisory Council and has daily contact with that entity as well as a
number of others including NSA and DoD's Joint Task Force Computer
Network Operations (JTF-CNO). On issues of national concern, the recent
incidents involving the LEAVES and IDA CODE RED Worms are good examples
of the NIPC's success in working with the National Security Council and
our partner agencies to disseminate information and coordinate
strategic efforts in a timely and effective manner.
In addition to its public web-based warning messages, the NIPC
sends out tailored products to the federal government, the Information
Sharing and Analysis Centers (ISACs), and InfraGard partners. Depending
on the audience, these products may be classified or unclassified. The
Monthly Highlights are sent out to policy/decision makers, and
Cybernotes (which lists current exploited software vulnerabilities and
other malicious code) is sent to system and network administrators. The
NIPC Daily Report contains timely items of interest and significant
cyber/infrastructure activity relevant to the infrastructure protection
community and is sent to some of our federal partners as well as secure
InfraGard members.
In response to PDD-63 provisions that all executive departments and
agencies shall share with the NIPC information about threats and
attacks on their systems, the NIPC-FAA MOU can serve as a forerunner
for agreements to promote information sharing with the other 70 plus
executive branch agencies. The NIPC has developed a model agreement that can
be modified to suit individual agency requirements. The execution of
these agreements will confirm the obligations and clarify information
sharing and warning procedures between the federal agencies and the
NIPC. These model agreements will be communicated to federal executive
branch agencies to open a dialogue on formalizing their relationship
with the NIPC. These agreements will also address the GAO's
recommendation that relationships between the NIPC and other federal
entities be formalized so that a clear understanding of what is
expected from the respective organizations exists. The NIPC anticipates
that this will be an ongoing effort to create, monitor, and maintain
these information sharing relationships.
Improving Information Sharing
The GAO report recommends that NIPC develop a plan to foster two-
way exchange of information between the NIPC and the ISACs. The NIPC
actively exchanges information with private sector companies, the
ISACs, members of the InfraGard Initiative, and the public as part of
the NIPC's outreach and information sharing activities. Through NIPC's
aggressive outreach efforts, we receive reports from many ISAC member
companies. The NIPC has proven that it can properly safeguard their
information and provide useful information in return. This reporting is
partially responsible for the issuance of more warning products each
year.
As noted in the GAO report, over the past two years the NIPC and
the North American Electric Reliability Council (NERC), the ISAC for the
electric power sector, have established an indications, analysis and
warning (IAW) program, which makes possible the timely exchange
of information valued by both the NIPC and the electric power sector.
This relationship is possible because of a commitment both on the part
of NERC and the NIPC to build cooperative relations. The close NERC-
NIPC relationship is no accident but the result of two interrelated
sets of actions. First, as Eugene Gorzelnik, Director of Communications
for the NERC, stated in his prepared statement at the May 22, 2001
hearing:
[T]he NERC Board of Trustees in the late 1980s resolved that
each electric utility should develop a close working
relationship with its local Federal Bureau of Investigation
(FBI) office, if it did not already have such a relationship.
The Board also said the NERC staff should establish and
maintain a working relationship with the FBI at the national
level.
Second, the NIPC and NERC worked for over two years on building the
successful partnership that now exists. It did not just happen. It took
dedicated individuals in both organizations to make it happen. It is
this success and dedication to achieving results that the NIPC is
working to emulate with the other ISACs.
The NIPC also continues to meet regularly with ISACs from other
sectors, particularly the financial services (FS-ISAC) and
telecommunications (NCC-ISAC) ISACs, to establish more formal
information sharing arrangements, drawing largely on the model
developed with the electric power sector. In the past, information
exchanges with these ISACs have consisted of a one-way flow of NIPC
warning messages and products being provided to the ISACs. However, in
recent months the NIPC has received greater participation from sector
companies as they become increasingly aware that reporting to the NIPC
enhances the value and timeliness of NIPC warning products disseminated
to their sector. Productive discussions held this spring with the FS-
ISAC, in particular, should significantly advance a two-way information
exchange with the financial services industry. The NIPC is currently
working with the FS-ISAC and the NCC-ISAC to develop and test secure
communication mechanisms, which will facilitate the sharing of high-
threshold, near real-time incident information. In the meanwhile we are
working with these ISACs to share information. In March 2001, we were
commended by the FS-ISAC for our advisory on e-commerce vulnerabilities
(NIPC Advisory 01-003). According to the FS-ISAC, that advisory,
coupled with the NIPC press conference on March 8, 2001, stopped over
1600 attempted exploitations by hackers the day immediately following
the press conference.
ISACs have been established for the critical infrastructure sectors
of banking and finance, information and telecommunications, electric
power, and emergency law enforcement services. They have not yet been
established for the remaining sectors enumerated in PDD-63. A model
NIPC-ISAC agreement has been prepared to promote the sharing of
information with these existing ISACs and ISACs yet to be formed.
Agreements are being negotiated between the NIPC and the
Telecommunications ISAC, as well as the NIPC and the United States Fire
Administration (emergency fire services ISAC). The execution of these
agreements should pave the way for NIPC agreements with other ISACs.
The NIPC welcomes the participation of the sector lead agencies and the
sector coordinators in improving the information sharing process with
the ISACs. These efforts are ongoing.
The NIPC also shares information via its InfraGard Initiative. All
56 FBI field offices now have InfraGard chapters. Just in the last six
months the InfraGard Initiative has added over 1000 new members to
increase the overall membership to over 1600. It is the most extensive
government-private sector partnership for infrastructure protection in
the world, and is a service we provide to InfraGard members free of
charge. InfraGard expands direct contacts with the private sector
infrastructure owners and operators and shares information about cyber
intrusions and vulnerabilities through the formation of local InfraGard
chapters within the jurisdiction of each of the 56 FBI Field Offices
and several of its Resident Agencies (subdivisions of the larger field
offices).
A key element of the InfraGard initiative is the confidentiality of
reporting by members. The reporting entities edit out the identifying
information about themselves on the notices that are sent to other
members of the InfraGard network. This process is called sanitization
and it protects the information provided by the victim of a cyber
attack. Much of the information provided by the private sector is
proprietary and is treated as such. InfraGard provides its membership
the capability to write an encrypted sanitized report for dissemination
to other members. This measure helps to build a trusted relationship
with the private sector and at the same time encourages other private
sector companies to report cyber attacks to law enforcement.
InfraGard held its first national congress from June 12-14, 2001.
This conclave provided an excellent forum for NIPC senior managers and
InfraGard members to exchange ideas. InfraGard's success is directly
related to private industry's involvement in protecting its critical
systems, since private industry owns almost all of the infrastructures.
The dedicated work of the NIPC and the InfraGard members is paying off.
InfraGard has already prevented cyber attacks by discreetly alerting
InfraGard members to compromises on their systems. On May 3, 2001, the
InfraGard initiative received the 2001 WorldSafe Internet Safety Award
from the Safe America Foundation for its efforts.
Conclusion:
I remain encouraged by the progress the NIPC has made in its first
three years. Our multiagency partnership has developed unique national
capabilities that have never before been achieved. We will continually
improve in the coming years in order to master the perpetually evolving
challenges involved with infrastructure protection and information
assurance. The GAO recommendations are all being addressed and I plan
to keep the subcommittee updated on our progress. Thank you for
inviting me here today and I welcome any questions you have.
Chairperson Feinstein. Thanks very much, Mr. Dick. Thank
you for keeping within the time limit. I appreciate it.
We will go to Mr. Dacey, of the GAO, who did the report.
Mr. Dacey?
STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY
ISSUES, GENERAL ACCOUNTING OFFICE, WASHINGTON, D.C.
Mr. Dacey. Madam Chairwoman and Senator Kyl, I am pleased
to be here today to discuss our review of the National
Infrastructure Protection Center and its progress in developing
the capabilities outlined in Presidential Decision Directive
63. As you requested, I will briefly summarize my written
statement. Our testimony highlights key findings in our report
on the NIPC which you released in May of this year.
PDD-63, issued in May 1998, outlined our Government's
strategy to protect our Nation's critical infrastructures
from hostile attacks, especially computer-based attacks, and
specifically assigned the NIPC, within the FBI, responsibility
for providing comprehensive analysis and issuing timely
warnings on threats, vulnerabilities, and attacks, facilitating
and coordinating our Government's response to cyber incidents,
and promoting outreach and information-sharing.
While NIPC efforts have laid a foundation for developing
these capabilities, significant challenges remained at the
close of our review. For example, the NIPC has issued numerous
analyses to support investigations of individual incidents, but
has developed only limited capabilities for broader strategic
analysis of threat and vulnerability data.
Three factors have contributed to these limitations. First,
there is no generally accepted methodology for strategic
analysis of cyber-based threats. According to officials in the
intelligence and national security communities, developing such
a methodology would require an intense interagency effort and
dedication of resources.
Second, the NIPC has sustained prolonged leadership
vacancies and does not have adequate staff expertise, in part
because Federal agencies have not provided the originally
anticipated number of detailees.
Third, the NIPC did not have industry-specific data on
critical infrastructures, which under PDD-63 were to be
provided for each of the industry sectors by industry
representatives and the designated Federal lead agencies.
The NIPC has established a rudimentary capability to
identify attacks that appear imminent and alert Government and
the private sector. However, the NIPC's ability to issue
warnings promptly has been impeded by several factors: first,
the lack of a comprehensive national framework for promptly
obtaining and analyzing information indicating that attacks may
be imminent or underway; two, a shortage of skilled staff;
three, the need to ensure that NIPC does not raise undue alarm
for insignificant incidents; and, four, the need to ensure that
sensitive information is protected.
However, I want to emphasize a more fundamental impediment.
Specifically, the entities involved in the Government critical
infrastructure protection efforts did not share a common
interpretation of NIPC's roles and responsibilities. Further,
the relationships between the NIPC, the FBI, and the National
Coordinator for Security, Infrastructure Protection, and
Counterterrorism are unclear regarding who has direct authority
for setting NIPC priorities and procedures and providing NIPC
oversight.
The NIPC has had greater success in providing technical
support and coordination with the NIPC squads and teams in the
various FBI field offices. In addition, the NIPC has developed
and implemented procedures for establishing crisis action teams
to respond to potentially serious computer-based incidents.
In the area of establishing information-sharing
partnerships, progress has varied. NIPC's InfraGard program for
sharing information on computer-based threats and incidents
with private sector companies has steadily gained enrollment,
as we have previously discussed here. Also, the NIPC has
provided training to Government entities and has advised
foreign governments that are establishing centers similar to
the NIPC.
However, at the close of our review in February, a two-way
information-sharing partnership with the NIPC had been
established with only one of the four industry information-
sharing and analysis centers that had been established at that
time. Similarly, the NIPC and FBI had made only limited
progress in developing a data base of the most important
components of the Nation's critical infrastructures, referred
to as the Key Asset Initiative. In addition, the NIPC and other
Government entities, such as the Department of Defense and the
Secret Service, had not developed fully productive information-
sharing and cooperative relationships.
The NIPC is aware of the challenges it faces and has taken
some steps to address them. In addition, the administration is
reviewing its critical infrastructure protection strategy,
including the way that the Federal Government is organized to
manage this effort. Our report includes a variety of
recommendations that are pertinent to these efforts.
Madam Chairwoman and Senator Kyl, this concludes my
statement. Thank you.
Chairperson Feinstein. Since you didn't use up all your 5
minutes, could you just speak on your recommendations,
specifically two of them, that the Attorney General direct the
FBI Director to direct the NIPC Director to ensure to develop a
comprehensive written plan for establishing analysis and
warning capabilities as well as to do several other things.
These recommendations are at the bottom of page 15 of the
Executive Summary and the top of page 14--quickly, what
progress has been made?
Mr. Dacey. Madam Chairwoman, we did not do any follow-up
work beyond the work that we had done in terms of February, but
at that point in time the recommendations really kind of
paralleled the kind of issues that we saw in February. I don't
know if Mr. Dick would care to elaborate on the actions more
fully to address those specific recommendations.
Chairperson Feinstein. Fine. I will ask him, then, at a
later time.
[The prepared statement of Mr. Dacey follows:]
Statement of Robert F. Dacey, Director, Information Security Issues
Madam Chairwoman and Members of the Subcommittee:
I am pleased to be here today to discuss our review of the National
Infrastructure Protection Center (NIPC). As you know, the NIPC is an
important element of our government's strategy to protect our national
infrastructures from hostile attacks, especially computer-based
attacks. This strategy was outlined in Presidential Decision Directive
(PDD) 63, which was issued in May 1998.
My statement summarizes the key findings in our report on the NIPC,
which you released in May.\1\ That report is the result of an
evaluation we performed at the request of you, Madam Chairwoman;
Senator Kyl; and Senator Grassley. As you requested, the report
describes the NIPC's progress in developing national capabilities for
analyzing cyber threats and vulnerability data and issuing warnings,
enhancing its capabilities for responding to cyber attacks, and
establishing information-sharing relationships with government and
private-sector entities.
---------------------------------------------------------------------------
\1\ Critical Infrastructure Protection: Significant Challenges in
Developing National Capabilities (GAO-01-323, April 25, 2001).
---------------------------------------------------------------------------
Overall, we found that progress in developing the analysis,
warning, and information-sharing capabilities called for in PDD 63 has
been mixed. The NIPC has initiated a variety of critical infrastructure
protection efforts that have laid a foundation for future
governmentwide efforts. In addition, it has provided valuable support
and coordination related to investigating and otherwise responding to
attacks on computers. However, at the close of our review in February
2001, the analytical and information-sharing capabilities that PDD 63
asserts are needed to protect the nation's critical infrastructures had
not yet been achieved, and the NIPC had developed only limited warning
capabilities. Developing such capabilities is a formidable task that
experts say will take an intense interagency effort. An underlying
contributor to the slow progress is that the NIPC's roles and
responsibilities had not been fully defined and were not consistently
interpreted by other entities involved in the government's broader
critical infrastructure protection strategy. Further, these entities
had not provided the information and support, including detailees, to
the NIPC that was envisioned by PDD 63.
The NIPC is aware of the challenges it faces and has taken some
steps to address them. In addition, the administration is reviewing the
federal critical infrastructure protection strategy, including the way
the federal government is organized to manage this effort. Our report
includes a variety of recommendations that are pertinent to these
efforts, including addressing the need to more fully define the role
and responsibilities of the NIPC, develop plans for establishing
analysis and warning capabilities, and formalize information-sharing
relationships with private-sector and federal entities.
The remainder of my statement will describe the NIPC's role in the
government's broader critical infrastructure protection efforts, as
outlined in PDD 63, and its progress, as of the close of our review, in
three broad areas: developing analysis and warning capabilities,
developing response capabilities, and establishing information-sharing
relationships.
background
Since the early 1990s, the explosion in computer interconnectivity,
most notably growth in the use of the Internet, has revolutionized the
way organizations conduct business, making communications faster and
access to data easier. However, this widespread interconnectivity has
increased the risks to computer systems and, more importantly, to the
critical operations and infrastructures that these systems support,
such as telecommunications, power distribution, national defense, and
essential government services.
Malicious attacks, in particular, are a growing concern. The
National Security Agency has determined that foreign governments
already have or are developing computer attack capabilities, and that
potential adversaries are developing a body of knowledge about U.S.
systems and methods to attack them. In addition, reported incidents
have increased dramatically in recent years. Accordingly, there is a
growing risk that terrorists or hostile foreign states could severely
damage or disrupt national defense or vital public operations through
computer-based attacks on the nation's critical infrastructures. Since
1997, in reports to the Congress, we have designated information
security a governmentwide high-risk area. Our most recent report in
this regard, issued in January,\2\ noted that, while efforts to address
the problem have gained momentum, federal assets and operations
continue to be highly vulnerable to computer-based attacks.
---------------------------------------------------------------------------
\2\ High-Risk Series: Information Management and Technology (GAO/
HR-97-9, February 1, 1997); High-Risk Series: An Update (GAO/HR-99-1,
January, 1999); High-Risk Series: An Update (GAO-01-263, January
2001).
---------------------------------------------------------------------------
To develop a strategy to reduce such risks, in 1996, the President
established a Commission on Critical Infrastructure Protection. In
October 1997, the commission issued its report,\3\ stating that a
comprehensive effort was needed, including ``a system of surveillance,
assessment, early warning, and response mechanisms to mitigate the
potential for cyber threats.'' The report said that the Federal Bureau
of Investigation (FBI) had already begun to develop warning and threat
analysis capabilities and urged it to continue in these efforts. In
addition, the report noted that the FBI could serve as the preliminary
national warning center for infrastructure attacks and provide law
enforcement, intelligence, and other information needed to ensure the
highest quality analysis possible.
---------------------------------------------------------------------------
\3\ Critical Foundations: Protecting America's Infrastructures, the
Report of the President's Commission on Critical Infrastructure
Protection, October 1997.
---------------------------------------------------------------------------
In May 1998, PDD 63 was issued in response to the commission's
report. The directive called for a range of actions intended to improve
federal agency security programs, establish a partnership between the
government and the private sector, and improve the nation's ability to
detect and respond to serious computer-based attacks. The directive
established a National Coordinator for Security, Infrastructure
Protection, and Counter-Terrorism under the Assistant to the President
for National Security Affairs. Further, the directive designated lead
agencies to work with private-sector entities in each of eight industry
sectors and five special functions. For example, the Department of the
Treasury is responsible for working with the banking and finance
sector, and the Department of Energy is responsible for working with
the electric power industry.
PDD 63 also authorized the FBI to expand its NIPC, which had been
originally established in February 1998. The directive specifically
assigned the NIPC, within the FBI, responsibility for providing
comprehensive analyses on threats, vulnerabilities, and attacks;
issuing timely warnings on threats and attacks; facilitating and
coordinating the government's response to cyber incidents; providing
law enforcement investigation and response; monitoring reconstitution
of minimum required capabilities after an infrastructure attack; and
promoting outreach and information sharing.
multiple factors have limited development of analysis and warning
capabilities
PDD 63 assigns the NIPC responsibility for developing analytical
capabilities to provide comprehensive information on changes in threat
conditions and newly identified system vulnerabilities as well as
timely warnings of potential and actual attacks. This responsibility
requires obtaining and analyzing intelligence, law enforcement, and
other information to identify patterns that may signal that an attack
is underway or imminent.
Since its establishment in 1998, the NIPC has issued a variety of
analytical products, most of which have been tactical analyses
pertaining to individual incidents. These analyses have included (1)
situation reports related to law enforcement investigations, including
denial-of-service attacks that affected numerous Internet-based
entities, such as eBay and Yahoo, and (2) analytical support of a
counterintelligence investigation. In addition, the NIPC has issued a
variety of publications, most of which were compilations of information
previously reported by others with some NIPC analysis.
Strategic analysis to determine the potential broader implications
of individual incidents has been limited. Such analysis looks beyond
one specific incident to consider a broader set of incidents or
implications that may indicate a potential threat of national
importance. Identifying such threats assists in proactively managing
risk, including evaluating the risks associated with possible future
incidents and effectively mitigating the impact of such incidents.
Three factors have hindered the NIPC's ability to develop strategic
analytical capabilities.
First, there is no generally accepted methodology for
analyzing strategic cyberbased threats. For example, there is no
standard terminology, no standard set of factors to consider, and no
established thresholds for determining the sophistication of attack
techniques. According to officials in the intelligence and national
security community, developing such a methodology would require an
intense interagency effort and dedication of resources.
Second, the NIPC has sustained prolonged leadership
vacancies and does not have adequate staff expertise, in part because
other federal agencies have not provided the originally anticipated
number of detailees. For example, as of the close of our review in
February, the position of Chief of the Analysis and Warning Section,
which was to be filled by the Central Intelligence Agency, had been
vacant for about half of the NIPC's 3-year existence. In addition, the
NIPC had been operating with only 13 of the 24 analysts that NIPC
officials estimate are needed to develop analytical capabilities.
Third, the NIPC did not have industry-specific data on
factors such as critical system components, known vulnerabilities, and
interdependencies. Under PDD 63, such information is to be developed
for each of eight industry segments by industry representatives and the
designated federal lead agencies. However, at the close of our work in
February, only three industry assessments had been partially completed,
and none had been provided to the NIPC.
To provide a warning capability, the NIPC established a Watch and
Warning Unit that monitors the Internet and other media 24 hours a day
to identify reports of computer-based attacks. As of February, the unit
had issued 81 warnings and related products since 1998, many of which
were posted on the NIPC's Internet web site. While some warnings were
issued in time to avert damage, most of the warnings, especially those
related to viruses, pertained to attacks underway. The NIPC's ability
to issue warnings promptly is impeded because of (1) a lack of a
comprehensive governmentwide or nationwide framework for promptly
obtaining and analyzing information on imminent attacks, (2) a shortage
of skilled staff, (3) the need to ensure that the NIPC does not raise
undue alarm for insignificant incidents, and (4) the need to ensure
that sensitive information is protected, especially when such
information pertains to law enforcement investigations underway.
However, I want to emphasize a more fundamental impediment.
Specifically, evaluating the NIPC's progress in developing analysis and
warning capabilities is difficult because the federal government's
strategy and related plans for protecting the nation's critical
infrastructures from computer-based attacks, including the NIPC's role,
are still evolving. The entities involved in the government's critical
infrastructure protection efforts have not shared a common
interpretation of the NIPC's roles and responsibilities. Further, the
relationships between the NIPC, the FBI, and the National Coordinator
for Security, Infrastructure Protection, and Counter-Terrorism at the
National Security Council have been unclear regarding who has direct
authority for setting NIPC priorities and procedures and providing NIPC
oversight. In addition, the NIPC's own plans for further developing its
analytical and warning capabilities were fragmented and incomplete. As
a result, there were no specific priorities, milestones, or program
performance measures to guide NIPC actions or provide a basis for
evaluating its progress.
The administration is currently reviewing the federal strategy for
critical infrastructure protection that was originally outlined in PDD
63, including provisions related to developing analytical and warning
capabilities that are currently assigned to the NIPC. On May 9, the
White House issued a statement saying that it was working with federal
agencies and private industry to prepare a new version of a ``national
plan for cyberspace security and critical infrastructure protection''
and reviewing how the government is organized to deal with information
security issues.
In our report, we recommend that, as the administration proceeds,
the Assistant to the President for National Security Affairs, in
coordination with pertinent executive agencies,
establish a capability for strategic analysis of computer-
based threats, including developing related methodology, acquiring
staff expertise, and obtaining infrastructure data;
require development of a comprehensive data collection and
analysis framework and ensure that national watch and warning
operations for computer-based attacks are supported by sufficient staff
and resources; and
clearly define the role of the NIPC in relation to other
government and private-sector entities.
nipc coordination and technical support have benefited investigative
and response capabilities
PDD 63 directed the NIPC to provide the principal means of
facilitating and coordinating the federal government's response to
computer-based incidents. In response the NIPC undertook efforts in two
major areas: providing coordination and technical support to FBI
investigations and establishing crisis management capabilities.
First, the NIPC provided valuable coordination and technical
support to FBI field offices, which established special squads and
teams and one regional task force in its field offices to address the
growing number of computer crime cases. The NIPC supported these
investigative efforts by (1) coordinating investigations among FBI
field offices, thereby bringing a national perspective to individual
cases, (2) providing technical support in the form of analyses, expert
assistance for interviews, and tools for analyzing and mitigating
computer-based attacks, and (3) providing administrative support to
NIPC field agents. For example, the NIPC produced over 250 written
technical reports during 1999 and 2000, developed analytical tools to
assist in investigating and mitigating computer-based attacks, and
managed the procurement and installation of hardware and software tools
for the NIPC field squads and teams.
While these efforts benefited investigative efforts, FBI and NIPC
officials told us that increased computer capacity and data
transmission capabilities would improve their ability to promptly
analyze the extremely large amounts of data that are associated with
some cases. In addition, FBI field offices were not yet providing the
NIPC with the comprehensive information that NIPC officials say is
needed to facilitate prompt identification and response to cyber
incidents. According to field office officials, some information on
unusual or suspicious computer-based activity had not been reported
because it did not merit opening a case and was deemed to be
insignificant. To address this problem, the NIPC established new
performance measures related to reporting.
Second, the NIPC developed crisis management capabilities to
support a multiagency response to the most serious incidents from the
FBI's Washington, D.C., Strategic Information Operations Center. From
1998 through early 2001, seven crisis action teams had been activated
to address potentially serious incidents and events, such as the
Melissa virus in 1999 and the days surrounding the transition to the
year 2000, and related procedures have been formalized. In addition,
the NIPC coordinated development of an emergency law enforcement plan
to guide the response of federal, state, and local entities.
To help ensure an adequate response to the growing number of
computer crimes, we recommend in our report that the Attorney General,
the FBI Director, and the NIPC Director take steps to (1) ensure that
the NIPC has access to needed computer and communications resources and
(2) monitor implementation of new performance measures to ensure that
field offices fully report information on potential computer crimes to
the NIPC.
progress in establishing information-sharing relationships has been
mixed
Information sharing and coordination among private-sector and
government organizations are essential for thoroughly understanding
cyber threats and quickly identifying and mitigating attacks. However,
as we testified in July 2000,\4\ establishing the trusted relationships
and information-sharing protocols necessary to support such
coordination can be difficult.
---------------------------------------------------------------------------
\4\ Critical Infrastructure Protection: Challenges to Building a
Comprehensive Strategy for Information Sharing and Cooperation (GAO/T-
AIMD-00-268, July 26, 2000). Testimony before the subcommittee on
Government Management, Information and Technology, Committee on
Government Reform, House of Representatives.
---------------------------------------------------------------------------
NIPC success in this area has been mixed. For example, the
InfraGard Program, which provides the FBI and the NIPC with a means of
securely sharing information with individual companies, had grown to
about 500 member organizations as of January 2001 and was viewed by the
NIPC as an important element in building trust relationships with the
private sector. NIPC officials recently told us that InfraGard
membership has continued to increase. However, of the four information
sharing and analysis centers that had been established as focal points
for infrastructure sectors, a two-way, information-sharing partnership
with the NIPC had developed with only one, the electric power industry.
The NIPC's dealings with two of the other three centers primarily
consisted of providing information to the centers without receiving any
in return, and no procedures had been developed for more interactive
information sharing. The NIPC's information-sharing relationship with
the fourth center was not covered by our review because the center was
not established until mid-January 2001, shortly before the close of our
work.
Similarly, the NIPC and the FBI have made only limited progress in
developing a database of the most important components of the nation's
critical infrastructures, an effort referred to as the Key Asset
Initiative. While FBI field offices had identified over 5,000 key
assets, at the time of our review, the entities that own or control the
assets generally had not been involved in identifying them. As a
result, the key assets recorded may not be the ones that infrastructure
owners consider to be the most important. Further, the Key Asset
Initiative was not being coordinated with other similar federal efforts
at the Departments of Defense and Commerce.
In addition, the NIPC and other government entities had not
developed fully productive information-sharing and cooperative
relationships. For example, federal agencies have not routinely
reported incident information to the NIPC, at least in part because
guidance provided by the federal Chief Information Officers Council,
which is chaired by the Office of Management and Budget, directs
agencies to report such information to the General Services
Administration's Federal Computer Incident Response Capability.
Further, NIPC and Defense officials agreed that their information-
sharing procedures needed improvement, noting that protocols for
reciprocal exchanges of information had not been established. In
addition, the expertise of the U.S. Secret Service regarding computer
crime had not been integrated into NIPC efforts.
The NIPC has been more successful in providing training on
investigating computer crime to government entities, which is an effort
that it considers an important component of its outreach efforts. From
1998 through 2000, the NIPC trained about 300 individuals from federal,
state, local, and international entities other than the FBI. In
addition, the NIPC has advised several foreign governments that are
establishing centers similar to the NIPC.
To improve information sharing, we recommend in our report that the
Assistant to the President for National Security Affairs
direct federal agencies and encourage the private sector
to better define the types of information necessary and appropriate to
exchange in order to combat computer-based attacks and to develop
procedures for performing such exchanges,
initiate development of a strategy for identifying assets
of national significance that includes coordinating efforts already
underway, and
resolve discrepancies in requirements regarding computer
incident reporting by federal agencies.
In our report, we also recommend that the Attorney General task the
FBI Director to
formalize information-sharing relationships between the
NIPC and other federal entities and industry sectors and
ensure that the Key Asset Initiative is integrated with
other similar federal activities.
In conclusion, it is important that the government ensure that our
nation has the capability to deal with the growing threat of computer-
based attacks in order to mitigate the risk of serious disruptions and
damage to our critical infrastructures. The analysis, warning,
response, and information-sharing responsibilities that PDD 63 assigned
to the NIPC are important elements of this capability. However, as our
report shows, developing the needed capabilities will require
overcoming many challenges. Meeting these challenges will not be easy
and will require clear central direction and dedication of expertise
and resources from multiple federal agencies, as well as private sector
support.
Madame Chairwoman, this concludes my statement. I would be pleased
to answer any questions that you or other members of the Subcommittee
may have at this time.
contact and acknowledgments
If you should have any questions about this testimony, please
contact me at (202) 512-3317. I can also be reached by e-mail at
[email protected].
Chairperson Feinstein. Ms. McDonald, welcome.
STATEMENT OF SALLIE McDONALD, ASSISTANT COMMISSIONER, OFFICE OF
INFORMATION ASSURANCE AND CRITICAL INFRASTRUCTURE PROTECTION,
GENERAL SERVICES ADMINISTRATION, WASHINGTON, D.C.
Ms. McDonald. Thank you. Good afternoon, Madam Chairwoman
and Ranking Member Kyl. I wish to thank you for the opportunity
to offer testimony with regard to the National Infrastructure
Protection Center.
The Federal Computer Incident Response Center, or FedCIRC,
is a component of GSA's Federal Technology Service. It is the
central coordination entity for dealing with computer security-
related incidents affecting computer systems within the Federal
civilian agencies of the U.S. Government.
FedCIRC and NIPC are both crucial to effective cyber
defense, but serve differing roles to the Federal community.
FedCIRC's role is to provide incident response and handling
reports from agencies. When an agency reports an incident,
FedCIRC works with the agency to identify the type of incident,
contain any damage to the agency's system, and provide guidance
to the agency on recovering from the incident.
The NIPC, on the other hand, collects incident reports and
is responsible for providing threat assessments, vulnerability
studies, warnings----
Chairperson Feinstein. Ms. McDonald, I am going to
interrupt you because we have 4 minutes left in this vote.
Ms. McDonald. OK.
Chairperson Feinstein. I hope people will wait. We will
come back right away, if you don't mind, and excuse us for a
couple of minutes.
[The Subcommittee stood in recess from 2:33 p.m. to 2:50
p.m.]
Chairperson Feinstein. We will resume.
Ms. McDonald, again, we are sorry to interrupt your
testimony, but please continue. We may interrupt you once again
because Senator Cleland is coming and wanted to introduce one
of the witnesses on the next panel and he is limited in time,
so we might interrupt you once again.
Ms. McDonald. No problem.
Chairperson Feinstein. Thank you.
Ms. McDonald. As I was saying, the NIPC's responsibility is
to collect incident reports and provide threat assessments,
vulnerability studies, warnings, and coordinate the Federal
Government's investigative response to attacks.
Upon receiving an incident report from a Federal agency,
FedCIRC evaluates and categorizes the incident with respect to
its impact and severity. If criminal activity is indicated,
FedCIRC informs the reporting agency of the requirement to
immediately contact their inspector general or the NIPC. Should
the incident appear to have originated from a foreign country,
FedCIRC categorizes it as having potential national security
implications and immediately contacts both the National
Security Agency and the NIPC. The reporting agency is
subsequently notified of such action by FedCIRC.
There is an ongoing discussion between the NIPC and FedCIRC
to improve information-sharing and analytical efforts, and to
educate agencies of the value of rapid involvement of the NIPC
when incidents occur. Effective incident analysis is the
product of multiple-source data collection efforts,
collaboration to quantify related information, and
determination of the potential for proliferation and damage.
Over the past few years, a virtual network of partners has
evolved. This virtual network includes FedCIRC, the NIPC, the
National Security Agency, the Department of Defense, industry,
academia, and individual incident response components within
Federal agencies.
Though their missions vary in scope and responsibility,
this virtual network enables the Federal Government to
capitalize on the individual technical strengths, each
organization's strategic positioning within the national
infrastructure, and their access to a variety of information
resources.
Bridging the disparate boundaries has been a formidable
challenge, and although there is still work to be done in this
area, the commitment of the leadership in each organization is
on the right path to build the framework for the fluid and
cooperative exchange of information.
Critical infrastructure protection efforts, and more
specifically those for cyber defense, are a relatively new
requirement in Government and in the private sector. Only
recently have these efforts been singled out as a priority for
Federal agencies.
As Government direction for reporting the occurrence of
incidents has been promulgated, attempts by agencies to develop
related policies and procedures have sometimes been divergent
because of differing individual interpretations and
misunderstanding. FedCIRC and the NIPC are working diligently
to jointly assess problem areas, more clearly define agency
responsibilities for reporting incidents, and work with
agencies to ensure that they have the proper processes and
procedures in place to respond to and prevent attacks on their
information systems.
Madam Chairperson, the information presented today
highlights the high degree of cooperation that exists among
Government agencies and the critical and effective relationship
that exists between FedCIRC and the NIPC. Though all contribute
individually to critical infrastructure protection, our
strength in protecting information systems governmentwide lies
in collaboration and coordination efforts. I trust that you
will derive from my remarks an understanding of the cyber
threat and response issues, and also an appreciation of the
joint commitment to infrastructure protection of the FedCIRC
and the NIPC.
Thank you very much.
[The prepared statement of Ms. McDonald follows:]
Statement of Sallie McDonald, Assistant Commissioner, Office of
Information Assurance and Critical Infrastructure Protection
Good afternoon Madam Chairwoman and members of the Subcommittee. I
am Sallie McDonald, the Assistant Commissioner for the GSA, FTS, Office
of Information Assurance and Critical Infrastructure Protection. I wish
to thank you for the opportunity to offer testimony with regard to the
National Infrastructure Protection Center (NIPC).
The Federal Computer Incident Response Center, or FedCIRC, is a
component of GSA's Federal Technology Service. As designated by the
Government Information Security Reform Act, it is the central
coordination entity for dealing with computer security-related
incidents affecting computer systems within the Federal civilian
agencies and Departments of the United States Government.
FedCIRC was established as a pilot by NIST in 1996 under the Office
of Management and Budget (OMB) policy authority as the primary means
for civilian Federal agencies to share information on externally
generated security incidents and common vulnerabilities. This was
recognized as an important activity given the shared risk environment
that results from a rise in interconnected systems across government
and with connection to the Internet which increases public access.
FedCIRC became operational in 1998 and was transferred to GSA.
FedCIRC's role was then, and is today, one of assisting agencies and
sharing information under the overall security policy framework
established by OMB. FedCIRC is not intended to substitute for adequate
agency security practices or compete with the role of law enforcement
or national security authorities in addressing more serious types of
attacks.
GSA reports at least quarterly to OMB on matters such as the number
and nature of security incidents reported by the agencies, whether the
incidents are the result of exploits of vulnerabilities for which known
repairs are readily available, and whether FedCIRC has any specific
recommendations for changes to OMB security policy or the National
Institute of Standards and Technology (NIST) security guidance.
By definition, a ``computer security incident'' encompasses any
violation of an established or implied security policy or statute.
Incidents include but are not necessarily limited to activities such as
attempts to gain unauthorized access to government systems or data,
disruption of service, unauthorized use of computing resources and
changes to system hardware or software without consent of the owner.
FedCIRC and the NIPC are both crucial to effective cyber defense
but serve differing roles to the Federal community. FedCIRC's role is
to provide incident response and handling support to agencies. When an
agency reports an incident, FedCIRC works with the agency to identify
the type of incident, contain any damage to the agency's system, and
provide guidance to the agency on recovering from the incident. The
NIPC, on the other hand, collects incident reports and is responsible
for providing threat assessments, vulnerability studies, warnings, and
the coordination of the Federal government's investigative response to
attacks.
Upon receiving an incident report from a Federal agency, FedCIRC
evaluates and categorizes the incident with respect to its impact and
severity. If criminal activity is indicated, FedCIRC informs the
reporting agency of the requirement to immediately contact their
Inspector General or the NIPC. Should the incident appear to have
originated from a foreign country, FedCIRC categorizes it as having
potential national security implications and immediately contacts both
the NSIRC and the NIPC. The reporting agency is subsequently notified
of such action by FedCIRC. There is ongoing discussion between the NIPC
and FedCIRC to improve information sharing and analytic efforts and to
educate agencies of the value of rapid involvement of the NIPC when
incidents occur. When the escalation of an incident has the potential
for widespread proliferation or damage, FedCIRC and the NIPC routinely
pool their information and skills. FedCIRC is frequently requested by
the NIPC to collaborate with multiple sources and the affected agency
or agencies to gather more detailed information specific to a given
incident. Cyber-incidents involving a pending or potential
investigation are jointly handled in a manner that preserves sensitive
cyber-evidence without adverse impact to the affected agency's mission
functions or violation of constitutional law and applicable privacy
statutes.
Effective incident analysis is a product of multiple source data
collection efforts, collaboration to quantify related information, and
determination of the potential for proliferation and damage. Over the
past few years, a virtual network of partners has evolved. This virtual
network includes FedCIRC, the NIPC, the National Security Agency's
(NSA) National Security Incident Response Center (NSIRC), the
Department of Defense's (DOD) Joint Taskforce for Computer Network
Operations (JTF-CNO), industry, academia, and individual incident
response components within Federal agencies. Though their missions vary
in scope and responsibility, this virtual network enables the Federal
government to capitalize on the individual technical strengths, each
organization's strategic positioning within the national infrastructure
and their access to a variety of information resources. Bridging the
disparate boundaries has been a formidable challenge and although there
is still work to be done in this area the commitment of the leadership
in each organization is on the right path to build the framework for
the fluid and cooperative exchange of information. The NIPC, NSIRC,
JTF-CNO and FedCIRC are involved in a constant sharing of sensitive
cyber-threat and incident data, correlating it with counter-terrorism
and intelligence reports to develop strategic defenses, threat
predictions and timely alerts. These efforts depend, not on any one
participant, but on the unique and valuable contributions of each
organization. The NIPC, because of its relationships with industry, is
able to solicit additional participation when the government deals with
complex analysis issues. This broader spectrum brings together some of
the nation's best talent to work on known and developing threats to the
cyber infrastructure.
An excellent example of this collaboration is the Government's
response to a very recent threat to the cyber infrastructure, known as
the ``Leaves Worm''. This exercise clearly demonstrated how these
collaborative relationships work and how each participant's
contributions assist in assessing the damage potential. In June, the
SANS Institute, a private sector organization, informed the NIPC of
suspicious activities taking place in a large number of systems across
the Internet. Widespread scanning was taking place to identify systems
previously compromised by a relatively old trojan called ``SubSeven.''
Since SubSeven is for all intents and purposes a remote control
program, once identified, the perpetrator could gain full control of
the infected system. It was through the SubSeven trojan that the Leaves
Worm was being deposited on large numbers of systems around the globe
but it was being accomplished without direct intervention by the
perpetrator. Clearly we had a new worm of unknown potential and a new
delivery method not previously seen. The hacker community, typically
vocal in Internet chat rooms about new attacks or malicious code,
showed no evidence of any knowledge of the Leaves Worm. The NIPC, DOJ,
NSA, FedCIRC, CIA, Department of State, DoD, NCS, NSC, academia,
industry software vendors, anti-virus engineers and security
professionals quickly activated a collaborative communication network
to share details as they analyzed captured code from publicly available
web sites that were being used to propagate the worm. It was primarily
due to the NIPC's relationship with industry that the volumes of
information collected could be rapidly decoded, analyzed and reverse
engineered to provide the anti-virus vendors with critical information
to develop detection methods for their respective products. This
episode serves as an excellent example of the progress various
government and private organizations have made in coming together to
work toward the common goal of protecting the nation's critical
infrastructure.
The NIPC's responsibilities and relationships with various elements
in the private sector, its activities as a member of the intelligence
community and its lead role for counterterrorism contribute
significantly to FedCIRC's analytical ability by providing global
threat information. Of significant value is the NIPC's ability to reach
beyond governmental boundaries and draw on technical skills and
information available from components in industry then share those
resources with other members of the incident response community. The
NIPC staff regularly communicates information to FedCIRC, which in many
cases, provides deeper insight into developing situations and often can
make the difference between thwarting an attack and tolerating the
ensuing damage. Knowing the extent or pattern of incidents as they may
impact the private sector, for example, may influence the development
of an alert or advisory notice issued to government agencies.
Critical Infrastructure Protection efforts and, more specifically,
those for cyber-defense are a relatively new requirement in government
and in the private sector. Only recently have these efforts been
singled out as a priority for Federal agencies. As government direction
for reporting the occurrence of incidents has been promulgated,
attempts by agencies to develop related policies and procedures have
sometimes been divergent because of differing individual interpretation
and misunderstanding. FedCIRC and the NIPC are working diligently to
jointly assess problem areas, more clearly define agency
responsibilities for reporting incidents, and work with agencies to
ensure they have the proper processes and procedures in place to
respond to and prevent attacks on their information systems.
The NIPC and FedCIRC routinely exchange information. This exchange
is built upon a trust relationship and formalized with the detailing of
FedCIRC staff personnel to the NIPC's Watch and Warning Unit. In
addition, alerts and advisories are frequently generated by the NIPC,
NSIRC, or FedCIRC as a collaborative effort and represent a consensus
when distributed to our constituents.
As a further example, to simplify the incident reporting process,
the NIPC, NSA and FedCIRC have begun efforts to create a single uniform
report process that will be used across government. The process will
employ common data elements that can be easily shared and integrated
into the respective organization's database for shared or unique
analysis efforts.
Effective cyber defenses ideally prevent an incident from taking
place. Any other approach is simply reactive. FedCIRC, the NIPC, the
NSIRC, the Department of Defense and industry components realize that
the best response is a preemptive and proactive approach. In order to
implement such an approach, all resources must be focused on the common
goal of securing the nation's critical infrastructures and the
strengths of each organization must be relied upon in order to achieve
the most effective results. FedCIRC, the NIPC, DOD, the NSIRC and
others comprise a virtual team, each offering significant skills and
contributions to the common defense.
Summary
Madam Chairwoman, the information presented today highlights the
high degree of cooperation among government agencies and the critical
and effective relationship that exists between FedCIRC and the NIPC.
Though all contribute individually to critical infrastructure
protection, our strength in protecting information systems government-
wide lies in collaboration and coordination efforts. I trust that you
will derive from my remarks an understanding of the cyber-threat and
response issues and also an appreciation for the joint commitment to
infrastructure protection of FedCIRC and the NIPC. We appreciate your
leadership and that of the Committee for helping us achieve our goals
and allowing us to share information that we feel is crucial to the
defense of our technology resources.
Chairperson Feinstein. Thanks very much, Ms. McDonald.
Mr. Savage, of the Secret Service.
STATEMENT OF JAMES A. SAVAGE, JR., DEPUTY SPECIAL AGENT IN
CHARGE, FINANCIAL CRIMES DIVISION, UNITED STATES SECRET
SERVICE, WASHINGTON, D.C.
Mr. Savage. Madam Chairman, Ranking Member Kyl, thank you
for the opportunity to address the Subcommittee regarding the
efforts of the Secret Service as they relate to the protection
of our Nation's critical infrastructures. I have prepared a
comprehensive statement which will be submitted for the record,
and with the Subcommittee's permission I will summarize it at
this time.
I am particularly pleased to be here with my colleagues and
partners in fighting cyber crime from the FBI, GSA, and the
private sector. The Secret Service contributes to the
protection of our Nation's critical infrastructures through its
fight against cyber crime as part of our core mission to
protect the integrity of this Nation's financial payment
systems and the telecommunications backbone.
Since our inception in 1865 with an initial mandate to
suppress the counterfeiting of currency, modes and methods of
payment have evolved and so has our mission. Computers and
other chip devices are now the facilitators of criminal
activity or the target of such. In this era of change, one
constant that remains is our close working relationship with
the banking and finance sector. We believe that protection of
the banking and financial infrastructures is our core
competency area.
Madam Chairman, there is no shortage of information,
testimony, or anecdotal evidence regarding the nature and
variety of cyber-based threats to our banking and financial
infrastructures. There is, however, a scarcity of information
regarding successful models to combat this crime in today's
high-tech environment. That is where the Secret Service can
make a significant contribution to today's and future
discussions of successful law enforcement efforts to combat
cyber crime.
The Secret Service has developed a highly effective formula
for combatting high-tech crime, as demonstrated by our New York
Electronic Crimes Task Force. This task force, hosted by the
Secret Service, includes 50 different law enforcement agencies,
over 100 private sector corporations and six different
universities. The notion of these companies, these competitors,
and 100 others sitting down at the same table to share
information, knowledge and resources with both each other and
with law enforcement is why we believe we have found a truly
unique, innovative and effective formula for combatting cyber
crime. The task force provides a collaborative crime-fighting
environment which reflects our recognition that in today's
high-tech electronic crime environment, out-of-the-box problems
demand out-of-the-box solutions.
How effective has this task force been? Since 1995, the New
York Task Force has charged over 800 individuals with
electronic crimes valued at more than $425 million. It has
trained over 10,000 law enforcement personnel, prosecutors, and
private industry representatives in the criminal abuses of
technology and how to prevent them.
Based on the enormous success of this task force, the
Secret Service hopes to replicate the model and concepts
developed by our New York field office in additional venues
around the country in the very near future. The Secret Service
believes there is value in sharing information from our
investigations and the lessons we learn along the way with both
those in the private sector and academia who are devoting
substantial resources to protecting their networks and
researching new solutions. Law enforcement must move from a
reactive posture to a proactive or preventive posture by
helping its customers to help themselves.
The hallmark qualities of discretion and trust which we
employ in the execution of our protective duties are also
present in our investigative mission, where we enjoy quiet
successes with our private sector partners. We have jointly
resolved many significant cases with the help of our private
sector counterparts, such as network intrusions and compromises
of critical information systems.
The Secret Service recognizes that its role in
investigating computer-based attacks against the financial
sector can be significant in the larger plan for the protection
of our Nation's critical infrastructures. When we share helpful
prevention strategies with a business seeking to protect
itself, or arrest a criminal who has disrupted a sensitive
communications network and are able to restore the normal
operation of the host, be it a bank, telecommunications carrier
or medical service provider, we believe we have made a
significant contribution toward assuring the reliability of the
critical systems that the public relies upon on a daily basis.
The Secret Service is convinced that building trusted
partnerships with the private sector, local law enforcement,
and academia is the model for combatting electronic crimes in
the information age.
Madam Chairman, that concludes my prepared statement. I
will be happy to answer any questions that you or the other
members may have. Thank you.
[The prepared statement of Mr. Savage follows:]
Statement of James A. Savage, Jr., Deputy Special Agent in Charge, Financial Crimes Division
Madam Chairman, members of the subcommittee, thank you for the
opportunity to address the subcommittee regarding federal law
enforcement efforts in combating cyber crime to protect our nation's
infrastructures, and particularly the efforts of the Secret Service in
this regard. I am particularly pleased to be here with my colleagues
and partners in fighting cyber crime from the Federal Bureau of
Investigation and the General Services Administration.
As you know, the Secret Service was created in 1865 to address the
burgeoning problem of counterfeit currency. At that time, it was
estimated that approximately one third of all currency in circulation
was counterfeit and the government recognized the urgent need to
address this issue in order to maintain the public's confidence in the
U.S. currency. In effect, the Secret Service was engaged in an effort
to protect a critical governmental function long before the popular
notion of critical infrastructure protection emerged.
Today, the Secret Service continues to suppress counterfeit
currency as part of its traditional role but also now includes fighting
cyber crime as part of our core mission to protect the integrity of
this nation's financial payment systems. Over time, modes and methods
of payment have evolved and so has our mission. Computers and other
``chip'' devices are now the facilitators of criminal activity or the
target of such. The perpetrators involved in the exploitation of such
technology range from traditional fraud artists to violent criminals--
all of whom recognize new opportunities and anonymous methods to expand
and diversify their criminal portfolio.
In this era of change, one constant that remains is our close
working relationship with the banking and finance sector. Our history
of cooperation with the industry is a result of our unique
responsibilities as a law enforcement bureau of the Department of the
Treasury. We believe that protection of the banking and financial
infrastructure is our ``core competency'' area.
Madam Chairman, there is no shortage of information, testimony, or
anecdotal evidence regarding the nature and variety of cyber-based
threats to our banking and financial infrastructures and the need to
create effective solutions. There is, however, a scarcity of
information regarding successful models to combat such crime in today's
high tech environment. That is where the Secret Service can make a
significant contribution to today's and future discussions of
successful law enforcement efforts to combat cyber crime which play an
important role in critical infrastructure protection.
The Secret Service has found a highly effective formula for
combating high tech crime, a formula that has been successfully
developed by our New York Electronic Crimes Task Force. While the
Secret Service leads this innovative effort, we do not control or
dominate the participants and the investigative agenda of the task
force. Rather, the task force provides a productive framework and
collaborative crime-fighting environment in which the resources of its
participants can be combined to effectively and efficiently make a
significant impact on electronic crimes. Other law enforcement agencies
bring additional criminal enforcement jurisdiction and resources to the
task force while representatives from private industry, such as
telecommunications providers, for instance, bring a wealth of technical
expertise.
Although based in New York City, the task force provides assistance
and conducts investigations that span the country and often lead
overseas, harnessing disparate repositories of resources and expertise
from the academic, private and government sectors. It is not uncommon
for the New York Task Force to receive requests for assistance directly
from foreign law enforcement representatives based upon its reputation
for responsiveness and as a center of excellence. The result is a
significant impact domestically, and occasionally abroad, as well.
Within this New York model, established in 1995, there are 50
different federal, state and local law enforcement agencies represented
as well as prosecutors, academic leaders and over 100 different private
sector corporations. The wealth of expertise and resources that reside
in this task force coupled with unprecedented information sharing
yields a highly mobile and responsive machine. In task force
investigations, local law enforcement officers hold supervisory
positions and representatives from other agencies regularly assume the
role of lead investigator. These investigations encompass a wide range
of computer-based criminal activity, involving e-commerce frauds,
intellectual property violations, telecommunications fraud, and a wide
variety of computer intrusion crimes, which affect a variety of
infrastructures.
Since 1995, the task force has charged over 800 individuals with
electronic crimes valued at more than $425 million. It has trained over
10,000 law enforcement personnel, prosecutors, and private industry
representatives in the criminal abuses of technology and how to prevent
them. We view the New York Electronic Crimes Task Force as the model
for the partnership approach that we hope to employ in additional
venues around the country in the very near future.
An important component in our investigative response to cyber crime
and critical infrastructure protection is the Electronic Crimes Special
Agent Program (ECSAP). This program is comprised of approximately 175
special agents who have received extensive training in forensic
identification, preservation, and retrieval of electronically stored
evidence. Special Agents entering the program receive specialized
training in all areas of electronic crimes, with particular emphasis on
computer intrusions and forensics. ECSAP agents are computer
investigative specialists, qualified to conduct examinations on all
types of electronic evidence, including computers, personal data
assistants, telecommunications devices, electronic organizers,
scanners, and other electronic paraphernalia. ECSAP agents understand
that not only do they have an investigative role, but that they can
also help protect components of our critical infrastructure by
providing their substantive insights regarding potential
vulnerabilities and exploits which the Secret Service discovers during
an investigation.
As a specific example, in early August we will be meeting with
representatives of a major financial group, which is in the process of
developing its own computer forensic capability to bolster its defenses
against internal and external computer based frauds and attacks. We
hope to share with this prominent corporation the lessons we have
learned in establishing and maintaining our ECSAP computer forensics
program as well as explore areas for joint endeavors in the future.
The Secret Service ECSAP program relies on the 4-year-old,
Treasury-wide Computer Investigative Specialist (CIS) initiative. All
four Treasury law enforcement bureaus--the Internal Revenue Service,
Bureau of Alcohol, Tobacco and Firearms, U.S. Customs Service, and the
U.S. Secret Service--participate and receive training and equipment
under this program.
All four Treasury bureaus also jointly participate in curriculum
development and review, equipment design and distribution of training
assets. As a result, financial savings by all Treasury bureaus are
realized due to economies of scale. Additionally, agents from different
bureaus can work together in the field in an operational capacity due
to the compatibility of the equipment and training. In the end, the
criminal element suffers and the taxpayer benefits.
The Secret Service works cooperatively with other federal law
enforcement and Department of Defense agencies in this work, to include
the FBI and NIPC. No single agency or entity can prevent cybercrime or
protect the critical infrastructure alone, so Secret Service agents
work collaboratively with their peers in the field to investigate
crimes and overcome technical problems. I would further add, Madam
Chairman, that due to the proliferation and complexity of cyber crime
there is certainly no shortage of opportunity to collaborate with our
other Federal partners in this regard.
Because of the recognized expertise of those in ECSAP, other law
enforcement agencies regularly request training from the Secret Service
or advice concerning their own computer forensics programs. These
requests have come from agencies all across the country, as well as
foreign countries such as Italy and Thailand. The Secret Service
recognizes the need to promote international cooperation and remains
proactive in the dissemination of information to law enforcement
agencies, both domestically and internationally, regarding program
initiatives and current financial and electronic crimes trends.
Madam Chairman, we are committed to working closely with our law
enforcement counterparts worldwide in response to cyber crime threats
to commerce and financial payment systems. This commitment is
demonstrated by our effort to expand our overseas presence. We
currently have 18 offices in foreign countries and a permanent
assignment at Interpol, as well as several overseas initiatives,
including a cyber crime task force in Indonesia. New offices have been
opened recently in Frankfurt, Lagos, and Mexico City. The Secret
Service is also considering opening new offices in Bucharest and New
Delhi. Our expanded foreign presence increases our ability to become
involved in foreign investigations that are of significant strategic
interest.
In addition to providing law enforcement with the necessary
technical training and resources, a great deal more can be accomplished
in fighting cyber crime if we are able to harness additional resources
that exist from the private sector and academia. The Secret Service
believes there is value in sharing information during the course of our
investigations with both those in the private sector and academia who
are devoting substantial resources to protecting their networks and
researching new solutions. On occasion the Secret Service has shared
case-specific information derived from our criminal investigations
after taking appropriate steps to protect privacy concerns and ensure
that there are no conflicts with prosecutorial issues. I would add that
there are many opportunities for the law enforcement community to share
information with our private sector counterparts without fear of
compromise. The Secret Service recognizes the need for a ``paradigm
shift'' with respect to this type of information sharing between law
enforcement and our private sector and academic counterparts.
Finally, law enforcement in general is not sufficiently equipped to
train all those in need nor can it compete with academic institutions
of higher learning in the area of research and development. However,
our partnerships with industry and academia have demonstrated that this
should be an integral part of the solution.
Partnership concepts are an important tool and strategy in both
government and private industry to achieve greater results and
efficiencies. Unfortunately, however, partnerships cannot be
legislated, regulated, or stipulated. Nor can partnerships be
purchased, traded or incorporated. Partnerships are built between
people and organizations that recognize the value in joint
collaboration toward a common end. They are fragile entities, which
need to be established and maintained by all participants and built
upon a foundation of trust.
The Secret Service, by virtue of the protective mission for which
we are so well known, has always emphasized discretion and trust in
executing our protective duties. We learned long ago that our agency
needed the full support and confidence of local law enforcement and
certain key elements of the private sector to create and maintain a
successful and comprehensive security plan. Furthermore, we are also
keenly aware that we need to maintain a trusted relationship with our
protectees so that we can work with them and their staffs to maintain
the delicate balance between security and personal privacy.
This predisposition towards discretion and trust naturally
permeates our investigative mission where we enjoy quiet successes with
our private sector partners. We have successfully investigated many
significant cases with the help of our private sector partners such as
network intrusions and compromises of critical information or operating
systems. In such cases, even though we have technical expertise that is
second to none, we still rely on our private sector counterparts to
collaborate with us in identifying and preserving critical evidence to
solve the case and bring the perpetrator to justice. Equally important
in such cases is conducting the investigation in a manner that avoids
unnecessary disruption or adverse consequences to the victim or
business. With the variety of operating platforms and proprietary
operating systems in the private sector, we could not accomplish these
objectives without the direct support of our private sector
counterparts.
I would like to highlight several significant cases that the Secret
Service has investigated over the years where we have protected the
U.S. financial and telecommunications systems.
In 1986, the USSS identified and prosecuted the ``Legion of Doom''
hacker group for compromising the 911 system in the southeast United
States.
In 1989, the USSS, working with the FBI and other law enforcement
entities, identified and prosecuted the ``Masters of Deception'' hacker
group which had compromised several communications networks in the U.S.
enabling the group to identify and reveal the details concerning on-
going law enforcement wiretaps.
In 1994, the USSS conducted the first e-mail wiretap ever conducted
on the Internet as part of a telecommunications fraud investigation.
In 1997, the USSS identified and arrested a hacker responsible for
compromising a telephone network switch on the east coast, effectively
disabling power and communications to the Worcester, MA, airport. This
resulted in the first prosecution of a juvenile for violation of 18 USC
1030.
In 1998, the USSS and its task force partners in New York,
identified and arrested individuals who were illegally monitoring law
enforcement Mobile Data Terminals.
Madam Chairman, the USSS continues to remain engaged in these types
of significant investigations, which not only involve notable financial
losses, but also represent the exploitation of technical
vulnerabilities in and amongst interconnected computer-based systems
which support our critical infrastructures. Of particular note is that
such cases necessarily require a close working relationship with the
private sector victim to achieve success.
In fact, in one recently completed complex investigation involving
the compromise of a wireless communications carrier's network, our case
agent actually specified in the affidavit of the federal search warrant
that representatives of the victim business be allowed to accompany
federal agents in the search of the target residence to provide
technical assistance. This is unprecedented in the law enforcement
arena and underscores the level of trust we enjoy with those we have
built relationships with in the private sector. It is also indicative
of the complexity of many of these investigations and serves to
highlight the fact that we in law enforcement must work with private
industry to be an effective crime fighting force. In approving this
search warrant, the court recognized that in certain cases involving
extraordinarily complex systems and networks, such additional technical
expertise could be a critical, and sometimes imperative, component of
our investigative efforts.
I must point out, however, that such cases are usually not
publicized without the express consent of the U.S. Attorney and the
corporate victim because it would breach our confidential relationship
and discourage the victims of electronic crimes from reporting such
incidents.
Four recently concluded investigations demonstrate the breadth of
cases the Secret Service is working, and provide concrete evidence of
the continuing success of ECSAP. The cases include the malicious
shutdown of a medical service provider's communications system, an
intrusion into a telecommunication provider's network, an attack on a
private investment company's trading network, and the disruption of a
financial institution's complete operating system and communications
network.
The first case was initiated on March 5, 2001, when a local Secret
Service field office received information that a medical diagnostic
service provider had suffered a catastrophic shutdown of its computer
network and communications system. The company reported that they were
unable to access doctor schedules, diagnostic images, patient
information, and essential hospital records, which adversely affected
their ability to provide care to patients and assist dependent medical
facilities.
Within a matter of hours, a Secret Service ECSAP agent was able to
regain control of the network by coordinating with the facility's
system administrator to temporarily shut down and reconfigure the
computer system. The ECSAP agent also essentially ``hacked'' into the
compromised system, and modified compromised password files to ``lock
out'' the attacker. This was accomplished while maintaining control of
the computer system log files containing evidence of how the intrusion
had occurred.
Using this evidence, a federal search warrant was obtained for the
residence of a former employee of the hospital, who had recently been
terminated from his position as system administrator. Computer
equipment was seized pursuant to the warrant, the suspect admitted to
his involvement, and federal computer fraud charges are pending.
A case with obvious critical infrastructure implications was
initiated on February 20, 2001, when two major wireless
telecommunications service providers notified the New York Electronic
Crimes Task Force that they had identified two hackers in different
remote sites who were attacking their systems. These hackers were
manipulating the systems to obtain free long distance service, re-route
numbers, add calling features, forward telephone numbers, and install
software that would ensure their continued unauthorized access.
The level of access obtained by the hackers was virtually
unlimited, and had they chosen to do so, they could have shut down
telephone service over a large geographic area, including ``911''
systems, as well as service to government installations and other
critical infrastructure components.
On March 20, 2001, the Secret Service simultaneously executed
search warrants in New York City and Phoenix and computer equipment was
seized at both locations. One suspect was arrested on federal computer
fraud charges, while the other suspect was questioned and released
pending a decision by the Department of Justice as to whether or not to
pursue federal charges.
The third case occurred from March 9, 2000, through March 14, 2000,
when a company located in New York, NY, received several Internet-based
``denial of service'' attacks on its servers. A ``denial of service''
attack occurs when a perpetrator launches malicious programs,
information, codes, or commands to a target or victim computer which
causes it to shut down, thereby denying access by legitimate customers
to those computers. In this instance, the company was a prominent
provider of electronic trading services on Wall Street.
While the attacks were still occurring, the company's CEO contacted
the Secret Service's New York Electronic Crimes Task Force. The CEO
identified a former employee as a suspect, based upon the fact that the
attacks preyed on vulnerabilities, which would only be known to the
former employee. These attacks continued through March 13, 2000, when
ECSAP agents and task force members identified the attacking computer
and arrested the former employee for violating Title 18, USC, Section
1030 (Computer Fraud). In a post-arrest statement, the suspect admitted
that he was responsible for the denial of service attacks. As a result
of the attacks, the company and its customers lost access to trading
systems. Approximately $3.5 million was identified in lost trading
fees, commissions, and liability as a result of the customers'
inability to conduct any trading.
The last case began just last month when a financial institution
notified local police who in turn notified the local office of the
Secret Service, that its entire banking and communications network had
been shut down. The institution reported that it was severely crippled,
as it had no access to electronic data used in support of its ATMs,
banking transactions, employee payroll and all other critical
functions. Working with the local police and the bank's technical
staff, a former employee emerged as a suspect and electronic evidence
was developed that strongly indicated his involvement. During an
ensuing interview with agents and police, the suspect admitted to
disabling the bank's system and ``hacking'' an unrelated database in
his attempts to exact revenge upon the bank CEO. Federal charges are
pending.
Let me emphasize the Secret Service's mission in fighting cyber
crime as it relates to the bigger picture of critical infrastructure
protection. As previously stated, we target cyber crime as it may
affect the integrity of our nation's financial payment and banking
systems. As we all know, the banking and finance sector comprises a
very critical infrastructure sector and one which we have historically
protected and will continue to protect. In this context, our efforts to
combat cyber assaults which target information and communication
systems that support the financial sector are parts of the larger
and more comprehensive critical infrastructure protection scheme. The
whole notion of infrastructure protection embodies an assurance and
confidence in the delivery of critical functions and services that in
today's world are increasingly interdependent and interconnected. To
put this all in perspective, the public's confidence is lost if such
delivery systems and services are unreliable, unavailable, or
unpredictable regardless of the cause of the problem.
We also recognize that our unique protective responsibilities,
including our duties as the lead federal agency for coordinating
security at National Special Security Events, demand heightened
electronic security awareness and preparation. A well-placed cyber
attack against a weak technology or support infrastructure system can
render an otherwise sound physical security plan vulnerable and
inadequate.
To further advance our efforts in this regard, the Secret Service
will soon commence a significant collaborative project with the
Software Engineering Institute (SEI) at Carnegie Mellon University
which has operated the Computer Emergency Response Team (CERT)
Coordination Center since 1988. Jointly, the Secret Service and the SEI
plan to combine expertise in developing strategies and programs to
effectively address cyber threats, which may impact our protective and
investigative missions.
Madam Chairman, it should also be noted that all deliberate
infrastructure attacks, before they rise to such a threshold, are also
cyber crimes and are likely to be dealt with initially by law
enforcement personnel, both federal and local, in the course of routine
business. In fact, I don't believe there is universal agreement as to
when a ``hack'' or network intrusion rises to the threshold of an
infrastructure attack and corresponding national security event but we
would all probably recognize one when it reached catastrophic
proportions.
Given this continuum and interplay between computer-based crimes
and national security issues, the Secret Service recognizes that its
role in investigating and helping to prevent computer-based attacks
against the financial sector can be significant in the larger plan for
the protection of our nation's critical infrastructures. When we arrest
a criminal who has breached and disrupted a sensitive communications
network and are able to restore the normal operation of the host--be it
a bank, telecommunications carrier, or medical service provider--we
believe we have made a significant contribution towards assuring the
reliability of the critical systems that the public relies upon on a
daily basis. But greater satisfaction and success are achieved when a
potentially devastating incident is prevented due to our prior
involvement, participation, or sharing of information.
As a footnote, the Secret Service met recently with representatives
of the Financial Services Information Sharing and Analysis Center
(FS/ISAC) that was created pursuant to Presidential Decision Directive
(PDD) 63. The directive mandated the Department of the Treasury to work
with members of the banking and finance sector to enhance the security
of the sector's information systems and other infrastructures, a
responsibility managed by Treasury's Assistant Secretary of Financial
Institutions. The role of the FS/ISAC is to devise a way to share
information within the financial services industry relating to cyber
threats and vulnerabilities. The Secret Service feels that it can make
a significant contribution to the work of the FS/ISAC and is exploring
common areas of interest with the FS/ISAC, to include information
sharing.
The Secret Service continues to receive requests from local law
enforcement agencies and others for assistance, and we welcome those
requests. On an increasing basis, our local field offices and the
Financial Crimes Division of the Secret Service receive desperate pleas
from local police departments for physical assistance, training and
equipment in the area of computer forensics and electronic crimes so
that they can continue to provide a professional level of service and
protection for their citizens. The Secret Service has become an
important option for local law enforcement, the private sector and
others to turn to when confronted with network intrusions and other
sophisticated electronic crimes.
Over the past 3 years, Secret Service ECSAP agents completed 2,122
examinations on computer and telecommunications equipment. Although the
Secret Service did not track the number of exams done for other law
enforcement agencies during this period, it is estimated that some 10
to 15 percent of these examinations fell in this category. Many of the
examinations were conducted in support of other agencies'
investigations such as those involving child pornography or homicide
cases simply because the requesting agency did not have the resources
to complete the examination itself.
We do provide assistance on a regular basis to other departments,
often sending ECSAP agents overnight to the requesting venue to perform
computer-related analyses or technical consultation. In fact, so
critical was the need for even basic training in this regard that the
Secret Service joined forces with the International Association of
Chiefs of Police and the National Institute for Justice to create the
``Best Practices Guide to Searching and Seizing Electronic Evidence''
which is designed for the line officer and detective alike. Madam
Chairman, with your permission, I would like to submit a copy of this
guide for the record.
We have also worked with this group to produce the interactive,
computer-based training program known as ``Forward Edge'' which takes
the next step in training officers to conduct electronic crime
investigations. Forward Edge incorporates virtual reality features as
it presents three different investigative scenarios to the trainee. It
also provides investigative options and technical support to develop
the case. Copies of state computer crime laws for each of the fifty
states as well as corresponding sample affidavits are also part of the
two-CD training program and are immediately accessible for instant
implementation.
Thus far we have dispensed over 220,000 ``Best Practices Guides''
to local and federal law enforcement officers and we will soon
distribute, free of charge, over 20,000 Forward Edge training CDs.
In an additional effort to further enhance information sharing
between the law enforcement community and the financial industry, the
Secret Service recently created the ``E Library'' Internet website
which serves as a mechanism for all members to post specific
information, images and alerts relating to fictitious financial
instruments, counterfeit checks, and credit card skimming devices. This
website is accessible free of charge to all members of the law
enforcement and banking communities and is the only such tool of its
kind.
In today's high tech criminal environment, the challenge to federal
law enforcement and government is to identify existing repositories of
expertise and provide a framework for inclusion and productive
collaboration amongst the many government agencies and their respective
industry and academic counterparts. The Secret Service is convinced
that building trusted partnerships with the private sector and its
Federal and local law enforcement partners is the model for combating
electronic crimes in the information age.
Madam Chairman, that concludes my prepared statement, and I would
be happy to answer any questions that you or other members of the
subcommittee may have.
Additional Statement of James A. Savage, Jr., Deputy Special Agent in
Charge, Financial Crimes Division, United States Secret Service
Please provide a summary of the Secret Service's efforts to provide
training to other law enforcement agencies.
Because of the increased importance of electronic evidence in all
types of criminal investigations, the demand for timely examinations of
seized electronic media by well-qualified computer investigative
specialists has skyrocketed during the past few years. Many state and
local law enforcement agencies do not have the necessary resources or
expertise to fully develop their own computer forensic programs, and
are having difficulty keeping up with requests for examinations from
their own officers and investigators. Secret Service personnel in the
Electronic Crimes Special Agent Program (ECSAP) have provided timely
assistance to such agencies with respect to counterfeit, financial and
electronic crimes investigations. However, providing ECSAP support in a
timely manner is becoming increasingly challenging in light of the
rapidly escalating number of requests.
In an effort to assist state and local law enforcement agencies
improve their own computer forensic capabilities, the Secret Service
has recently sponsored the attendance of a limited number of state and
local officers and investigators at the six-week Basic Computer
Evidence and Recovery Training (BCERT) course. This training program is
identical to the initial training provided to those in ECSAP. The
Secret Service has also developed a two-week Basic Computer Forensics
(BCF) course exclusively for state and local officers and investigators
that will be taught by Secret Service ECSAP personnel and outside
vendors. The first BCF course, which is being offered at no cost to the
12 attendees, is scheduled for September 17-28, 2001.
Other law enforcement agencies regularly request training from the
Secret Service regarding financial and electronic crime trends and
investigative methodologies, as well as advice concerning their own
computer forensics programs. These requests have come from agencies all
across the country, as well as from foreign countries in Asia and
Europe. The Secret Service remains proactive in the dissemination of
information to law enforcement agencies, both domestically and
internationally, with respect to program initiatives and current trends
and schemes through a variety of partnerships and initiatives.
In conjunction with the International Association of Chiefs of
Police (IACP), the Secret Service developed the ``Best Practices for
Seizing Electronic Evidence Manual'', to assist law enforcement
officers in recognizing, protecting, seizing and searching electronic
devices in accordance with applicable statutes and policies. The demand
for the ``Best Practices'' guide has been so great that the supply from
each of the first four printings, totaling over 220,000 copies, was
exhausted literally within days.
As a follow-up to the ``Best Practices'' guide, the Secret Service
and the IACP produced the interactive, computer-based training program
known as ``Forward Edge'' which takes the next step in training
officers to conduct electronic crime investigations. Forward Edge
incorporates virtual reality features as it presents three different
investigative scenarios to the trainee. It also provides investigative
options and technical support to develop the case. Copies of state
computer crime laws for each of the fifty states as well as
corresponding sample affidavits are also part of the two-CD training
program and are immediately accessible for instant implementation.
In an additional effort to further enhance information sharing
between the law enforcement community and the financial industry, the
Secret Service recently created the ``eLibrary'' Internet website which
serves as a mechanism for all members to post specific information,
images and alerts relating to fictitious financial instruments,
counterfeit checks, and credit card skimming devices. This website is
accessible free of charge to all members of the law enforcement and
banking communities and is the only such tool of its kind.
In December of 2000, the Secret Service coordinated an Identity
Theft Workshop in Washington, D.C. This workshop was designed for the
criminal investigator and was attended by investigators from agencies
throughout the nation. The workshop provided investigators with a
detailed explanation of how identity theft can occur, as well as an
explanation of what tools are available to investigators.
In May of 2001, the Secret Service made an identity theft
presentation to the IACP Advisory Committee for Police Investigation
Operations. During this presentation, the Secret Service proposed the
production of an identity theft video geared toward police officers
throughout the nation. The purpose of this video will be to emphasize
the need for police to document a citizen's complaint of identity
theft, regardless of the location of the suspects (if any). In
addition, the video and its companion reference card will provide
officers with phone numbers that can assist victims. The Advisory
Committee is supportive of this effort, and is considering providing
funding for it, and pursuing it jointly with the Secret Service, as was
done with the ``Best Practices'' initiative.
To emphasize the philosophy that financial and electronic crimes
investigations are routinely international in scope, and to demonstrate
the commitment of the Secret Service to strengthening investigative
efforts and liaison with foreign law enforcement entities,
representatives of the Secret Service have participated in briefings
and provided instruction to over twenty different foreign law
enforcement groups both in Washington, D.C. and at overseas locations
around the world. Highlights include:
Developing the curriculum for a two-week specialized course titled
``Combating Counterfeit and Financial Crimes in the New Millennium''
that was taught by Secret Service instructors at the Bangkok
International Law Enforcement Academy to a class of more than thirty
command-level law enforcement officials from ten different countries;
Sending two different delegations to Rome, Italy, to give briefings
to the Guardia di Finanza regarding electronic crimes initiatives and
computer forensics issues, as well as hosting two visits by Italian
delegations to the Secret Service Financial Crimes Division; and
Having a Secret Service Special Agent spend two weeks in Bangkok,
Thailand, working with law enforcement officials and industry
representatives to address means of combating Thailand's rampant
cellular telephone fraud, including correcting systemic weaknesses and
developing cellular telephone tracking and mapping techniques.
Chairperson Feinstein. Thanks very much.
We will begin the questions, and I am going to ask you one,
Mr. Savage, if I may. The Secret Service does not participate
in the NIPC, right?
Mr. Savage. That is correct, Madam Chairman.
Chairperson Feinstein. And why is that?
Mr. Savage. We don't participate in a formal setting at
this time. We have, I believe, a very good and improving
relationship with the NIPC at this time. Just last week, I was
on the phone probably at least a dozen times personally with
personnel with the NIPC. We collaborate on cases of interest.
We are also participating with the NIPC and the FBI with
respect to some of the e-commerce cases that were mentioned,
and we are currently discussing the possibility for a future
formalized return there.
Chairperson Feinstein. All right, thank you.
Mr. Dick, you might be interested. My Judiciary counsel,
Matt Lamberti, told Senator Kyl and me a story on our way to the
vote that I want to relay to you. He said this past weekend
that his girlfriend received an e-mail on her computer from her
uncle and there was an attachment. And, while the e-mail didn't
seem right, she opened the attachment and there was a lot of
irrelevant stuff on it. She then got another e-mail from the
uncle that said don't open any attachments; an attachment with
a virus just ruined my hard drive. So Matt Lamberti keyed into
your service and, through the Internet, downloaded software
onto her computer which prevented the virus from being
effective.
Mr. Dick. Thank you.
Chairperson Feinstein. So that was an actual instance of
progress.
I wanted to ask you this question as well: Terrorist groups
are increasingly using computers and the Internet to develop
plans, to raise money, to spread propaganda, as well as to
communicate. Hizbollah, Hamas, the Abu Nidal organization, and
the Bin Laden organization all rely on computers, e-mail and
encryption to support their activities. There are even reports
that a group affiliated with the Tamil Tigers has attacked
foreign government Web sites.
What information can you share with us in this setting
about cyber attacks by international terrorist organizations?
Mr. Dick. Madam Chairwoman, everything you just described
is very accurate insofar as the threat is concerned. Obviously,
the threat that would come from terrorist activity is a high
priority within the Center, within the FBI and the other
Government agencies that we deal with.
We have been very fortunate insofar as we have not been
able to identify any known terrorist organizations using cyber
means to attack facilities here in the United States. Now, not
for this environment but perhaps another one, we can talk about
issues in other countries. But as I have said many times, the
threat is real, the potential for its use is very high, in our
belief, and we need to be very diligent with our partners to
protect ourselves.
Chairperson Feinstein. How many of the NIPC's closed cases
involve threats or attacks on our Nation's critical
infrastructures, and were these cases really a threat?
Mr. Dick. You mean critical infrastructures in those that
would be defined as vital to our economic well-being and
national security?
Chairperson Feinstein. Yes.
Mr. Dick. I don't have those figures readily available to
me. One of the things you have to realize about the Internet, and I
am sure you are well aware, is that whenever you have an
intrusion, we conduct investigations, and we conduct
investigations that use the law enforcement authorities that
are available to us because we never know who is behind that
keyboard until we arrive behind that keyboard. So every
investigation that we open up, we look at it in the context
that it could be some 15-year-old criminal, but it also could
be some sort of state-sponsored activity.
Chairperson Feinstein. Yes. We have actually had the
classified briefing on some of this. I would like to ask you,
though, in writing, if you could give us a listing of those
cases that you believe really are a threat or were a threat.
Do you happen to know, of the pending cases, how many
involve threats or attacks to our critical infrastructures?
Mr. Dick. I would be just taking a wild guess.
Chairperson Feinstein. Can you give me just a percentage?
Mr. Dick. Many of the cases obviously involve crimes for
greed, but those that I would rank in national security concern
are probably 10 percent.
Chairperson Feinstein. Ten percent?
Mr. Dick. I think of the level that you are probably
referring to.
Chairperson Feinstein. And can you give me the number you
have of pending cases?
Mr. Dick. Twelve hundred, but that is a guess.
Chairperson Feinstein. So it is 10 percent of 1,200, OK.
Do you happen to have the GAO report in front of you?
Mr. Dick. Yes.
Chairperson Feinstein. I would like to ask you in the
Executive Summary to respond particularly to those
recommendations that I mentioned earlier. Let's go to page 12,
the three factors that the GAO points out have hindered your
ability to develop strategic analytic capabilities: no
generally accepted methodology for analyzing strategic
cyber-based threats, prolonged leadership vacancies, and lack of
adequate staff expertise. I understand you have picked up on
some of this, but I would like you to comment. You have been
operating with only 13 of the 24 analysts that officials
estimate are needed to develop analytical capabilities. Could
you give us a progress report on those three things?
Mr. Dick. Insofar as the GAO's report and its assessment of
our strategic capabilities, I frankly am in concurrence with
what they had said there. We do need improvement in that area.
As was articulated in the report, part of the issues associated
deal with the leadership of the Analysis and Warning Section
which is primarily responsible for the production of that.
Since GAO did its report, we have had a number of changes
in that regard. No. 1, sitting behind me is Admiral Plehal, who
is a two-star admiral from the United States Navy who has been
detailed as my deputy to the Center to help in this regard
insofar as developing a process by which to provide more
strategic information to our partners.
In addition, the CIA has named an SIS individual to head up
the Analysis and Warning Section. He has been on duty, I think,
approximately 2 months and is making great strides insofar as
his assessment as to what we need to do to provide the kind of
strategic analysis that we need to do in the future.
We have just gone through the process of meeting with NSA
and doing interviews of individuals who will head up our
Analysis and Information-Sharing Unit. We have actually
selected an individual and made a recommendation to NSA for the
reporting of that individual.
With the Department of Defense and our watch capabilities,
which are specifically designed for them in the Analysis and
Warning Section, Admiral Plehal is working every day trying to
get a final commitment in that regard, which I believe we will.
So I think that we are making great progress in that regard.
In addition to the leadership positions within the
Department of Defense, for example, Admiral Plehal has been
working with them insofar as filling of certain vacancies over
there that we have. Currently, we have about 18 detailees on
board and we fully expect to reach maximum capability in that
in the very near future.
Chairperson Feinstein. Is that the 18 out of 24?
Mr. Dick. We have always had a goal of 40. There has never
been a chiseled-in-stone number, but the goal has always been
40. We have never reached it. We have hovered around 20, 22. I
would have to look, but I think it is around 18 or 20 that are
there now, but the point being that because of Admiral Plehal
and the leadership from the CIA, we now have a plan in place by
which to fill those positions.
Another point I would like to make is one of the things
that we are trying to do from the Center is to have our
partners believe that they own or have ownership in the Center.
One of the things that we are doing is I have established
regular meetings with seniors from the other agencies to
discuss Center issues as to what kinds of products do they want
to receive from us, what is it they expect from us to
facilitate in the area defining what is the strategic analysis
that you want to receive from us. Through that, they will
discern how can they facilitate our efforts for the community
at large to provide those products. So I have to be able to get
them to feel they own the Center in some respect.
Do you want me to go through all of them?
Chairperson Feinstein. I think we would like to know what
progress has been made, wherever you can do it.
Mr. Dick. OK. Insofar as the issue concerning information
and our abilities to data-mine and warehousing of data, we are
in the process of completing that project. Obviously,
data-warehousing and data-mining are going to be a multi-year-funded
issue; it just doesn't stop because of the inflow of
information.
But at this point in time, we are beginning to do
data-mining and receiving of information from our field offices that
are called 801s, where they report incident information. That
piece of the data-mining project is in final phases of
completion where information can be shared in that regard.
Insofar as the performance measures, we have sent our
policy statements to our field offices to discern what kinds of
information they are receiving insofar as computer intrusions
are concerned, developed a statistical basis by which to claim
those statistics so that we can track them, and I think that we
are making progress in that regard.
Insofar as the ELES, or Emergency Law Enforcement Section
plan, as I mentioned in my statement, that has been completed.
But, again, that is going to be an ongoing process with the
Emergency Law Enforcement Sector Forum to continue to implement
these recommendations that occur out of it.
Insofar as our formalized relationships with the ISACs, as
I mentioned a moment ago and as mentioned earlier, we do have
one formalized ISAC agreement with NERC. We are in the process
of negotiating others, but just because we don't have a
formalized process or MOU, if you will, with the financial
services ISAC or the other two doesn't mean that we are not in
the process of information-sharing, as I pointed out in the
e-commerce vulnerabilities, where we work fairly routinely with
alerts and advisories and get their counsel in that regard.
Insofar as information-sharing and exchange is concerned,
we talked a little bit about that and I believe that in the not
too distant future we will have agreements and understandings
with each one of the ISACs. In fact, I have been talking very
closely with Howard Schmidt, who is heading up the IT ISAC.
Howard Schmidt is with Microsoft, and as soon as they formalize
how they are going to operate there is a great willingness on
their part to discern how we are going to share and receive
information back and forth from them. We have those kinds of
relationships with every one of the ISACs.
Did I miss any?
Chairperson Feinstein. If you just go to the bottom of page
15, the recommendation that the FBI Director and the Attorney
General ensure that you have access to computer and
communications resources, monitor the implementation of new
performance measures, and develop an emergency law enforcement
plan. Has any of that taken place?
Mr. Dick. The plan, as I have said, is complete. We turned
it into the National Security Council and the White House March
2 of this year, so that is completed.
Insofar as the resource requests, obviously we are going
through the various budgetary processes, and the administration
obviously prioritizes those requests, but we have made such a
request through the administration.
As I mentioned a moment ago, we are monitoring the
implementation of the new performance measures out there
through our own field offices and getting reporting in that
regard. But there is more that needs to be done.
Chairperson Feinstein. One last question. It has come to
our attention that President Bush is considering issuing an
executive order reorganizing the administration's policy in
combating cyber crime. Some details have been in the press.
What has been reported is that an advisory board with
representatives from over 20 Federal agencies would coordinate
administration efforts to combat cyber crime. The Chairman of
that board would report to the National Security Adviser.
What would be the NIPC's role if this is an accurately
reported executive order and when do you think that executive
order will be forthcoming?
Mr. Dick. I as the Director of the Center have been
involved with the administration, as well as heads of the other
Government agencies, in the review of that executive order. I
think it is the administration's intent in the creation of the
board to raise the level within the public and private sector
of information assurance such that information assurance is not
just a collateral duty of the head of an agency or a CEO, but a
primary duty and a priority for that head of the agency.
Insofar as our involvement, in the last draft that I saw of
the executive order the Director of the NIPC would actually be
on the board and a participant on the board, and hopefully an
active participant in that regard. So we are very supportive of
what the administration is trying to do. Now, insofar as when
the administration will issue it, it is out of my control.
Chairperson Feinstein. Thanks very much, Mr. Dick and Mr.
Savage.
Senator Kyl?
Senator Kyl. Thank you, Madam Chairman. Let me first note
that Jim Savage was a detailee in my office for almost a year
from the Secret Service and did an excellent job. I am an
advocate of detailees partially because of the efforts of
people like Jim Savage.
I am a little concerned that we haven't helped to make it
easier for detailees to be utilized better by NIPC. I
understand one of the problems is a lack of reimbursement to
the host agency or the gifting agency, or whatever you call it,
and, second, that nobody has any expertise to spare. I ask any
of you what we can do to help address that problem so that NIPC
can get more high-quality detailees.
And the second part of my question is specifically to Mr.
Dick. One of the criticisms in the report was the
under-utilization of these detailees and I would like to have you
respond to that.
Mr. Dick. I can go first, I guess. I can't speak for the
past; I can certainly speak for since I have been director and
the time I have been in the Center. You can call Admiral Plehal
up, but I don't know of any resources, particularly technical
expertise, that is under-utilized within the Center.
I have got people, as I have said in my written statement,
that are very dedicated, hard-working people that are working
12, 14 hours a day, weekends, particularly of late with the
Leaves as well as Code Red viruses. They are giving it 110, 120
percent.
I am not sure where that came from in the past, but I
assure you that isn't the case today. Frankly, one of the
things we have been talking about is burn-out, and I know all
of our agencies are in the same boat. We are stretching our
resources as thin as they can be and we are going to need to do
something about it.
Senator Kyl. How can we get good, expert detailees from
these other departments?
Mr. Dick. That is a very good question. In my experience
with the other agencies, it is not a matter of desire; it is a
matter of having the ability to have someone fulfill the
functions they are doing when they leave. Obviously, that is a
resource and funding issue.
Senator Kyl. It seems to me it is also a leadership issue,
though. I can't think of anything more important than making
this NIPC and the related aspects of it work properly. Each of
the agencies involved has important functions, no question
about it, but protecting the Nation against cyber crime and
cyber terrorism and cyber attack has to rank right up there at
the top. I mean, I don't know of anything more important than
national security, for example.
So any of you who have any suggestion about what we can do
to provide the leadership--I mean, do we have to have the
President or the Vice President put out a notice and say, look,
guys, I am going to be checking back, this is my priority, make
somebody available? I mean, is that what it is going to take?
Ms. McDonald. Sir, if I may, the General Services
Administration has had somebody at the NIPC since its inception
to address the concern that was brought out by GAO that perhaps
maybe some of the detailees were not tasked as well as they
should. I know that in our case we had sent an individual over
as a liaison, and partly it was an error on our part. We didn't
have the individual actually working in one of the units; he
was more working in a liaison capacity. He wasn't involved in
the work. Since then, we have amended that work arrangement and
it is working much better.
As far as additional resources for the NIPC, the entire
Government has a very difficult situation because we cannot
attract qualified people in this arena. So an agency that gets
somebody who is qualified in the security arena is very
reluctant to let that person go, so it is a larger issue than
the NIPC. Reimbursement would assist, but that is not the
entire answer.
Senator Kyl. I am sure that is the case. Everybody we talk
to needs qualified people. I had a question for Mr. Savage in
this regard.
At least I am informed that the Secret Service has a very
good program to train agents as computer investigative
specialists. It has been very successful. If that is true, what
suggestions would you have for other agencies to train the
number of people that are needed here?
Mr. Savage. Senator, I would like to thank you for your
previous kind comments on my behalf and I would like to respond
to your question. The Secret Service does have what we believe
to be a very good program. As a matter of fact, we partner with
the other three Treasury agencies in that regard. We have trained
approximately 50 agents this year in that respect.
We have actually been approached not only by State and
local officers, who we believe are an important part of this
effort, but we have also been approached by other smaller
Federal agencies as to how they might be able to start programs
of a similar nature. What we have done is shared with them our
past trials and tribulations and what has worked for us and
what has not.
What we are seeing in other Federal agencies is exactly
what we have seen, and that is the issue of cyber crime and
computer forensics completely transcends all portions of the
operations and other aspects of other agencies, even if they
are not involved in the law enforcement effort. So what we have
tried to do is impart that past knowledge that we have learned.
Senator Kyl. So, within limits, you would be willing to
help others if they come to you and need a little expertise in
getting a training program underway?
Mr. Savage. Absolutely, Senator. As a matter of fact, the
private sector, as well, seeks our input and we are more than
happy to accommodate. We feel as public servants that is part
of what we can do.
Senator Kyl. Well, maybe one of the things we need to
address is what we can do on a broader scale to make sure that
we have the personnel available here.
What is holding up the formal agreements with the other
ISACs? Is there anything generic? This has been going on quite
a long time now. What is taking so long? Is it just a matter of
filling in some blanks here or is there some generic problem,
especially one that we might help to address?
Mr. Dick. From my standpoint, I don't know that there is
one specific issue or problem because information-sharing comes
down to one simple word; it comes down to ``trust.'' Trust is
one of those things that is not legislated. You can't mandate
it. It takes time and experience dealing with each other for
that to evolve.
For example, with NERC, we have had a long history with the
electrical power sector in working together from a physical
infrastructure standpoint. There has been a lot of trust that
has built up not only with us in Government, but with the other
partners in the electrical power sector, because they have to
share information and share the power grid, and so forth. So
the trust was built in in that area.
Financial services is a different arena. It is very
competitive. I think what we are experiencing in this regard,
in my opinion, is that through dealing with each other, through
sharing information, through seeing that we can work together
to the benefit of each other, more and more information is
flowing. Through that trust building up, we will come to the
resolution of agreements.
It doesn't mean that information isn't flowing because
there is not an agreement there, because it is. The volume of
the information that is flowing is the key, and that is
dependent upon the trust over time.
Senator Kyl. Well, are there specific problems that
industry has raised? For example, from time to time we hear
concerns expressed about the antitrust laws potentially
presenting a problem of industry folks getting together to talk
about certain things, the FOIA problem that I mentioned before
about providing information that then could be subject to
mandatory release.
I am also specifically interested, Mr. Dacey, in anything
you picked up during the investigation that might help us
determine whether there is something we can do to facilitate
this trust.
Mr. Dick. We are absolutely supportive of legislation that
would encourage the private sector to voluntarily provide the
Government, not just the NIPC, but the Government with more
critical infrastructure information. There has been concern, as
you rightly pointed out, and the Chair and you, as well as
Senator Bennett, have worked, I think, very hard in trying to
clarify the Freedom of Information Act so that the private
sector would be encouraged to provide this information. I think
if that provides the assurances to the private sector and the
safeguards that they seek, then we should pursue that.
Senator Kyl. Mr. Dacey, any other comments?
Mr. Dacey. Basically, I have similar comments. I think
anything that could be done to encourage the sharing of that
information would be productive and those areas ought to be
investigated for possible changes. I know you had the interest
and Senator Bennett, as well as the House last year had a bill
that they were discussing in this area.
Senator Kyl. Well, there are a couple of other questions I
might submit to you for the record and I would like to ask you
to take under advisement the last two questions, really the
question about are there endemic problems here that we could
help address with these agreements, and, second, are there any
other ways that we can help to train personnel. Any thoughts
you have in that regard, I would like to have you communicate
them to us.
We have another panel, so I am going to just ask one final
question, and that is the question about the NIPC's authority.
Do you think that by now it is clear? Do you think it needs to
be clarified, Mr. Dacey? And any particular comments, Mr. Dick,
that you would have about the authority?
Mr. Dacey. When we did our review, we got some conflicting
views about what the roles and responsibilities of NIPC were
based on PDD-63, and we put in our report a discussion of that,
ranging from the national coordinator to others.
I think it is important that that role be clarified so that
everybody understands whose responsibility it is for critical
infrastructure. We have already got a number of entities
involved in critical infrastructure, many of which have been
named today. So I think it is just important that that role be
clarified.
In terms of clarification, we have heard that the
discussions with this executive order and discussions with the
new national plan may address some of those issues. At this
point, though, we really haven't seen anything specific that
addresses those issues.
Senator Kyl. Well, I think Senator Feinstein mentioned that
and perhaps we can also make an inquiry and ensure that if
there is further work done in this regard by the administration
that that is one of the things that it addresses.
There is much more to go into, Madam Chairman. I think what
I will do is just submit a couple of questions for the
panelists for the record and pass it back to you.
Chairperson Feinstein. Thanks very much.
Both Senator Kyl and I are very concerned with combating
terrorism. We are also members of the Intelligence Committee.
We are aware that our efforts in this area are spread over some
41 different departments.
I would like to ask you, Mr. Dick, to arrange for us
another classified briefing on terrorist cyber threats. I can't
remember when we had the last one. Was it 2 years ago? But I
think we need to get updated on some of those groups that are
known and operating in the area.
You mentioned Senator Kyl and Senator Bennett's
legislation. How do you believe we can better handle the
Freedom of Information Act issue with private companies, just
straight exempting them from FOIA in this situation, or do you
have other recommendations?
Mr. Dick. Again, based upon my experience before I came
into this job with the financial sector, there were safe
harbors when the suspicious activity reporting was developed
many years ago in the banking and finance area which provided
the banking and finance sectors some safe harbor regarding the
protection of that information and providing it. Perhaps that
is a model that could be used, but there is greater expertise
up on this Hill than I have in that regard.
All I know is we believe that we have sufficient
authorities to protect it. The private sector is not
comfortable with it and we need to do something to make them
feel comfortable because it is not a matter of they don't want
to provide it; they just don't feel comfortable providing it.
Chairperson Feinstein. So you are saying create a safe
harbor that if you report this kind of information, you are not
subject to FOIA?
Mr. Dick. Right, because we believe we have that ability
now, but some in the private sector do not.
Chairperson Feinstein. Do you have any thoughts on whether
the FBI would need an administrative subpoena power?
Mr. Dick. I have several thoughts on issues regarding the
legislation, if you would care for me to talk about a couple of
them.
Chairperson Feinstein. Please.
Mr. Dick. One of them deals with Title 18 United States
Code Section 1030. It defines that if an individual intrudes
into a system and basically takes it over, we have to be able
to demonstrate that there was at least $5,000 in damage done to
that computer before there is a Federal crime. That sometimes
is problematic to us, particularly in the early stages of an
investigation when you have had somebody who has intruded into
it.
We believe that that might be more appropriately considered
in determining penalties insofar as the damage is concerned.
For example, the viruses that are spreading out there now that
come into your system, look at your address book and then
re-e-mail them--the damages associated with that to individual
computers are probably not going to reach that threshold.
However, the totality of the damage that is done across the
network will be substantial.
One of the other issues that we think needs to be looked at
is pen trap and trace under Title 18 United States Code Section
3122. The language used in that statute is probably--how do I
phrase this--technologically outdated and needs to be looked at
insofar as the Internet is concerned.
It would be also beneficial for the courts if they could
issue a nationwide order. One of the things that we continually
run into is that there are different hop sites across the
United States, as well as the world, and every time we go into
a different judicial jurisdiction we have to go in and get
another order or another pen trap and trace, or whatever, and
it takes time. And as you well know, on the Internet things
don't happen in minutes; they happen in nanoseconds.
Fourth, I think a significant point is in a number of
agencies there is a need to review Title III to determine
whether it needs clarification, and a clarification, for
example, in Title 18 United States Code 2517. We may need to
clarify to allow for quick sharing--I say quick sharing--from
law enforcement to the intelligence community of information
obtained in a criminal case under Title III that turns out to
demonstrate an actual or potential act against the U.S. by a
foreign power or agent of a foreign power.
So there are some legislative issues that I think could be
looked at.
Chairperson Feinstein. If you would be willing to make some
recommendations to us in writing, I would appreciate that very
much.
Mr. Dick. OK.
Chairperson Feinstein. Senator Cleland, you wish to speak
on the second panel, is that correct?
Senator Cleland. At your wish, Madam Chairman, I have a
distinguished panelist to present.
Chairperson Feinstein. For the second panel?
Senator Cleland. Yes, ma'am.
Chairperson Feinstein. That is correct.
I think we are finished, unless you have additional
questions.
Senator Kyl. No. That is fine.
Chairperson Feinstein. Let me thank this panel very, very
much. We appreciate it. Thank you.
The second panel, if you would come forward, is Mr. Michehl
Gent, the President of the North American Electric Reliability
Council, and Mr. Chris Klaus, founder and chief technological
officer of Internet Security Systems.
We have a surprise introducer in the form of the
distinguished Senator from Georgia, Senator Cleland, and we are
delighted to welcome you to our Subcommittee.
STATEMENT OF HON. MAX CLELAND, A U.S. SENATOR FROM THE STATE OF
GEORGIA
Senator Cleland. Thank you, Madam Chairman. It is a
pleasure today to be with you and this distinguished panel to
discuss the important topic of computer security.
Hackers and cyber thieves are presenting an ever-growing
threat to technology infrastructure as we know it. Recent
experiences like the Melissa and I Love You computer viruses
remind us how vulnerable we really are to the crippling attacks
of an individual or group with access to the technology to
disable individual computers or entire networks.
I am particularly pleased this afternoon to introduce Mr.
Christopher Klaus, founder and chief technology officer of
Internet Security Systems, Incorporated, in Atlanta. Mr. Klaus,
a graduate of the Georgia Institute of Technology, will provide
you with some valuable background information and
recommendations regarding the computer security threat.
Chris Klaus is regarded as one of the world's foremost
security experts. In 1991, he became interested in Government
security while interning at the Department of Energy. Chris
then began working on a ground-breaking technology that
actively identified and fixed computer security weaknesses.
The next year, while attending Georgia Tech, Chris released
his product for free on the Internet. He soon learned the error
of his ways. He received thousands of requests for his
invention and decided he should sell it, in the great tradition
of Thomas Edison. In 1992, he formed Internet Security Systems
and developed the company's first software program and flagship
product, Internet Scanner.
He has been the topic of numerous stories and has been
quoted in such publications as the Wall Street Journal, Forbes,
and CNN. He continues to represent ISS as a spokesperson at
technology events, and provides high-level security
consultation to a number of government organizations and
Fortune 500 companies throughout the United States and abroad.
He was honored in MIT's magazine, Innovation Technology
Review, as one of the top 100 young innovators for 1999. In
addition, he received the award for Ernst and Young's
Entrepreneur of the Year in 1999 in the category of internet
products and services. He was the youngest person on the 1999
Forbes 100 high-tech wealthiest list, and his recent $15
million gift to Georgia Tech made him the youngest
philanthropist to give a donation of this amount.
We will see you after the meeting.
[Laughter.]
Senator Cleland. Chris' company, Internet Security Systems,
is the worldwide leader in security management software.
Internet Security Systems employs nearly 1,500 employees in 20
countries focused exclusively on computer security. The company
serves more than 8,000 customers, including 68 percent of the
Fortune 500, 21 of the 25 largest U.S. commercial banks, the 10
largest telecommunications companies, numerous U.S. Government
agencies, and other non-U.S. Governments. Former Senator Sam
Nunn, my predecessor, currently sits on the board of ISS.
Madam Chairman and members of the committee, I am delighted
to present Mr. Christopher Klaus.
Chairperson Feinstein. Thank you very much, Senator
Cleland.
Mr. Klaus, after that introduction, we expect you to solve
all the problems, and also add some spice to the hearing, being
so young as well.
[Laughter.]
Chairperson Feinstein. So, Mr. Gent, if you don't mind, we
will begin with Mr. Klaus.
Senator, thank you very much for coming by and introducing
him.
Senator Cleland. Thank you.
STATEMENT OF CHRIS KLAUS, FOUNDER AND CHIEF TECHNOLOGY OFFICER,
INTERNET SECURITY SYSTEMS, ATLANTA, GEORGIA
Mr. Klaus. Thank you, Senator Cleland, and thank you for
the opportunity, Madam Chairwoman and Senator Kyl, for allowing
me to present today. I am here representing Internet Security
Systems, as well as the ITAA, to talk about the background of
security threats.
Many of the companies who are out there who are fighting
the threat rely on both our technology that we pioneered as
well as our managed services, where we are providing service on
behalf of the companies or Government agencies.
I have prepared a demonstration or anatomy of an attack,
just a high-level attack. Really, it is going to be broken
into----
Chairperson Feinstein. Let me just thank you. It is very
thoughtful of you to make it two-sided--most people do not do
that--so that the people who are attending the hearing can also
see it. So thank you very much.
Mr. Klaus. Thank you.
There is an attack happening right now called Code Red
worm, and there was a little bit of a mention, but I thought it
might be useful to describe in detail kind of how it works and
what the effects are. I think right now Code Red is a good
example of an effective worm that, with minor tweaking, could
be a lot more dangerous in terms of what it is doing. But let
me talk about some of the details here.
We will start with a denial of service attack. A lot of
people in the security industry know denial of service attacks
as a way to break down or stop a company from interacting with
the Internet. The way it works is a lot of these computers are
set up connected to the Internet and they are typically
accessing it through some kind of pipe, what you would call
bandwidth, through their Internet service provider.
What an attacker would do is flood the computers or flood
that pump with a bunch of garbage data, and if the hacker's
computer can generate enough traffic and his pipe is bigger
than the pipe of the victim, they can over-flood it. It is kind
of like a toilet system where you put too much toilet paper in
there and it floods up and puts it out of commission. Well,
that is what the attacker is doing here.
The thing about this is a single computer probably doesn't
have enough pipe in terms of bandwidth or enough toilet paper
to clog up a large company's network. So what the intruders
have done is come up with another method they call distributed
denial of service attack, and the way it works is basically
there are thousands of computers out there that are vulnerable
at universities, companies, government agencies.
What the hacker would do is we have a data base we have
been collecting of vulnerabilities. We have close to 10,000
different vulnerabilities that we have catalogued and
classified, and basically they affect every major operating
system, from Microsoft, to Sun, HP, IBM. What the attackers do
is they break into all these systems and they implant what we
call a zombie client. It is a program that sits on the system.
From there, what they can do is once they have compromised,
say, 100 machines, they can have all those machines
simultaneously trying to flood somebody's network. So even a
huge company with a large bandwidth or a large pipe, even an
attacker that was trying to flood them probably would be more
of an annoyance. But when you have over 100 companies all with
these zombie clients all over the Internet simultaneously in
parallel with the aggregate effect of this flooding happening,
it can pretty much take out any computer on the Internet. We
saw that last year with Yahoo and eBay and those companies, and
that was with, I think, small fire power at that time.
Well, there is now a new attack we call Code Red worm, and
the way it works is very similar. The Code Red worm was
released at the beginning of July and what it does is it
compromises, just like an attacker would, a set of machines
using a known vulnerability. It actually attacks IIS Web
servers.
The difference between this and an attacker is that because
it is a worm and it is automated, it is much faster at finding
systems that are vulnerable. Once it finds a system that is
vulnerable, it puts itself on that system as a host and then
from there that machine is then being used to propagate itself,
so it rapidly geometrically grows. Today, there are over 300
machines infected with this worm because they haven't been
patched for various vulnerabilities.
What happened was there was some analysis done saying, OK,
on July 20 it would flood whitehouse.gov. Fortunately, the
attacker hard-coded the IP address of whitehouse.gov, so the
White House staff was able to change the IP address so that
when the flood did come, it was going to the wrong address. The
scary thing is it is very easy within the program to change
that to any IP address or pick multiple targets in the future.
What we believe is the worm is actually stopped right now
and it is flooding. After 7 days, at the end of the
month, it will then begin propagating again and it will
continue. What we are seeing today, though, is----
Chairperson Feinstein. Is that automatic?
Mr. Klaus. It is automatic. It is written into the
software. It switches from propagation mode to flooding mode,
back to propagation mode.
What we are starting to see is variations of this virus--
well, it is not really a virus, it is a worm, in that most
viruses rely on you getting an e-mail and you clicking on it
and, oops, I ran the attachment. Well, what is dangerous about
this is that it doesn't require a person to sit there and click
on the file. If the machine is vulnerable, it is going to
infect it and take it over.
Right now, the analysis looks like it is sleeping until the
beginning of August and then it will start again. We have
already seen where people have done analysis saying, hey, there
are some flaws in this worm. And now there are updated versions
of the worm as people are improving it to be more effective.
So, that is basically one of the major threats out there
and it is very effective just because it has hit hundreds of
companies. I think, on average, it has scanned every Web site
out there at least 20 times already. I saw that CNN and the
Pentagon and a bunch of other places were infected by this
worm. I think ultimately we need to have a program for stopping
these worms.
The good thing is, technology-wise, we can solve this. It
is just more of a resource and priority of saying we need to
put burglar alarms on these systems and we need to put a fixed
vulnerability process in place. We knew about this issue long
before this worm emerged. It is just a matter of putting in the
right processes to fix those.
Chairperson Feinstein. Can I just quickly ask you one
question? Can you backtrack to get to the perpetrators?
Mr. Klaus. It is difficult because, for example, even if
you track it back to somebody, if the person is doing it
outside the U.S. typically there are no laws against it. So it
is very hard to enforce it.
The I Love You virus--a guy wrote it in the Philippines and
got caught and was let go the next day because there were no
laws against it. So because it is an international issue, most
of the time we recommend to our clients you just protect
yourself and make sure you are not liable for getting infected
with the Red worm or perpetrating the Red worm because you are
infected. Maybe from there, somebody else could attack from
your network because of that.
In most cases, you can track back pretty close to where it
was coming from, but one of the other issues that is a trend--
we were just at Defcon. We have an X Force research team, about
200 researchers, and they stay on top of all the threats. At
the Defcon hacker conference, which is based in Las Vegas,
there were about 5,000 hackers and one of the themes was
wireless technology.
It used to be that you could track somebody back because
they dialed in to their ISP or their Internet service provider
and you could look up the caller I.D. information and find out
whether they are dialing in and go back to their house. With
wireless technology, it has no security, or very little
security by most implementations.
We are starting to see that a lot of the hackers are moving
to that because there is no logging. So when someone breaks
into a network through wireless, from there they can use that
to spring-board in to attack any network they want. And the
issue is when you go back to the logs, there are no logs other
than the host company that was used to spring-board. I think
that is going to be a huge issue to track some of the attackers
that are out there.
So this is at a high level, what we are seeing with some of
the threats that are appearing. The good thing, like I said, is
there are methods to actually reducing the risk, I think,
through the burglar alarm systems. We asked recently 100
companies how many of them do a monitoring of their network on
a 24-by-7 basis. It was 100 CIOs of a Fortune 1,000 group of
companies, and 2 people raised their hands that they actually
monitor. Most of them don't. We do it today in the physical
world with ADT, monitoring people's houses, homes, and
businesses. We haven't quite gotten there with cyber security.
I don't know if there are any other questions on the Code
Red worm.
Chairperson Feinstein. If you could conclude so that we can
hear Mr. Gent, I know Senator Kyl has to leave shortly and I
want him to have a chance to ask some questions.
Mr. Klaus. In regard to the NIPC, just a couple of closing
comments in regard to that. We have been working with them.
They have been doing a good job within the resources they have.
One of the suggestions for improvement is to explore ways to
speed up the process of getting the information and releases
out to the industry.
I think information-sharing is key in the security
industry. When I started in this, nobody wanted to talk about
the security issues. It is starting to evolve. Companies are
still reluctant to share sensitive information. I think that is
an area we need to foster. We are very supportive of Senator
Bennett and Senator Kyl's bill in regard to the FOIA and
helping companies feel more comfortable in sharing the
information.
Most companies that we talk to would prefer not to tell
anybody about their hacks. We get called in all the time where
they have been broken into and they say it is cheaper to fire
the person or not deal with it than have it go on in the public
and ruin the brand or stock price and all that. So we would
recommend that.
Also, we are very positive on the ISACs. I think it is slow
to change the culture and the mind set of a lot of these
security professionals, but we are starting to see a lot of
shift and change there. A few years ago, financial institutions
and others of our customers were saying we don't want to share
any of this information. Today, they are starting to say, you
know what, let's get together and share best practices. That is
actually a good thing we are seeing out in the industry.
So with that, I would like to conclude.
[The prepared statement of Mr. Klaus follows:]
Statement of Chris Klaus, Founder and Chief Technology Officer,
Internet Security Systems, Atlanta, Georgia
I. Introduction
I'm here today representing my company, Internet Security Systems,
and also ITAA (the Information Technology Association of America) to
provide you with some background information and recommendations
regarding the computer security threat. Every day, Internet Security
Systems stops criminal hackers and cyberthieves by addressing
vulnerabilities in computers. These individuals use the Internet for
business-to-business warfare, for international cyber-terrorism, or to
cause havoc and mayhem in our technology infrastructure. Internet
Security Systems is involved in every aspect of computer security,
whether in making the security products or in managing them. We also
monitor networks and systems around the clock (24 x 7 x 365) from the
US, Japan, South America, and Europe in our Security Operations
Centers. We search for attacks and misuse, identify and prioritize
security risks, and generate reports explaining the security risks and
what can be done to fix them. At the heart of our solution is our team
of world-class security experts focused on uncovering and protecting
against the latest threats. This team of 200 global specialists, dubbed
the X-Force, understands exactly how to transform the complex technical
challenges into an effective, practical, and affordable strategy.
Because of all of these capabilities, companies and governments turn to
us as their trusted computer security advisor.
ITAA represents over 500 corporate member companies in the U.S.,
companies that build IT solutions for customers in industry and
government. ITAA is a national leadership organization in the InfoSec
area.
Over the years, I have watched computer vulnerabilities increase
dramatically. The Internet is so useful for the very reasons that it is
so vulnerable. To give you an idea of what we are dealing with, I'd
like to share an analogy. I'll compare a computer to a house. Every
computer connected to the Internet has the equivalent of 65,536 doors
and windows which need to be locked and monitored to make sure no one
breaks in. Multiply 65,536 by every computer in every company or
household and you begin to see the extent of the problem. Just as
physical security companies like ADT monitor your physical doors and
windows, computer security companies must lock and monitor the doors
and windows of computers.
II. Example of denial-of-service attack
A denial-of-service attack, or ``DoS'', is a specific type of
attack on a network that is designed to bring the network to its knees.
A DoS causes a network to have zero accessibility by flooding it with
useless Internet traffic and requests. Many DoS attacks exploit
limitations in the network. During a distributed DoS attack, a hacker
actually takes over multiple computers with a ``zombie'' program and
then, from a remote location, sets them to launch an attack all at
once. This attack makes it nearly impossible to trace the hacker since
the attacks appear to have come from the infected computers--which
could be anywhere, such as universities, the Federal Government,
businesses, or your home. For all known DoS attacks, there are software
fixes that system administrators can install to limit the damage caused
by the attacks. But, like viruses, new DoS attacks are constantly being
created by hackers. Last week's well-publicized Code Red email worm is
an example of how a new DoS attack can be launched.
Code Red was designed to launch a DoS attack that would effectively
shut down the White House's Web site last Thursday evening. Code Red
took advantage of systems running commonly used software. Due to Code
Red, more than 200,000 servers were infected to act as ``zombies'' that
would wake up and flood the White House Web site with DoS traffic in
order to force the site to shut down.
The White House was fortunate and acted in time--in cooperation
with industry--to side-step this attack, but Code Red has forced
network and system administrators to spend hours installing and testing
a patch for the infected servers. And some servers may remain infected,
setting the stage for possible future attacks.
III. NIPC Discussion
I'm here to represent industry's viewpoint on the General
Accounting Office (GAO) report entitled ``Critical Infrastructure
Protection: Significant Challenges in Developing National
Capabilities''. As you know, this report examines NIPC (National
Infrastructure Protection Center) and recommends how NIPC can improve
its ability to combat cybercrime and cyberterrorism. Before getting to
the details of my findings and recommendations, I would like to point
out that NIPC has made great strides. Ron Dick has been an effective
leader and should be commended for his efforts in a very complicated
job.
The GAO report had three main themes: 1) NIPC's limited analysis
and warning capabilities; 2) lack of interagency cooperation at NIPC;
and 3) reluctance of private companies to share information about
cyberattacks with NIPC.
The GAO found that NIPC's analysis and warning capabilities were
limited. It is our experience that the NIPC has excellent sources of
information from law enforcement and intelligence sources. While we
understand that some information cannot be shared due to its sensitive
or classified nature, the NIPC makes every effort to craft its
information into meaningful warning messages suitable for distribution
to the widest possible audience.
Industry needs information as quickly as possible. However, we
understand that NIPC puts a premium on accuracy in its warning products
because it speaks for the federal government. Having worked with NIPC
on warning products, we have seen this first hand. While obviously not
all information can be provided to the private sector, in our
experience NIPC shares a broad array of information with the private
sector so it can be pondered and analyzed.
Because both speed and accuracy are important, NIPC should explore
ways to improve the warning process so that it can put out the most
accurate warning products it can in the fastest possible time.
GAO also pointed out that the reluctance of private companies to
share information about cyberattacks was an issue in the effectiveness
of NIPC. We agree that NIPC would be more
effective if the private sector shared more information with it,
but we have seen great strides in information sharing over the past
couple of years. The private sector not only runs private
communications facilities, but also runs most of the Government
communications facilities. We think that the ISACs (Information Sharing
and Analysis Centers) and other information sharing mechanisms are a
good mechanism for this information sharing to take place. However, the
ISACs and other information sharing mechanisms need time to further
develop. We at ISS are very supportive of ISACs and are doing our part
to make this initiative as effective as possible.
We also support GAO's praise of Infraguard. Infraguard is an
effective initiative. Infraguard is able to effectively get information
out to the business and academic communities horizontally.
IV. Information sharing is the key
All of the above themes involve more information sharing. We have
discussed how the Federal Government could be better at sharing
information. Companies also could be better at sharing. However, sharing
information about corporate security practices is inherently difficult.
Companies are understandably reluctant to share sensitive proprietary
information about prevention practices, intrusions, and actual crimes
with either competitors or Government agencies. No company wants
information to surface that they have given in confidence that may
jeopardize their market position, strategies, customer base, or capital
investments.
Allowing the ISACs time to develop and grow is one way the
Government can help private companies become more amenable to sharing
information. The voluntary nature of ISACs or information sharing
bodies is extremely important. Attempting to force this to happen would
be a disaster. As I mentioned earlier in my testimony, speed is
extremely important for security information to be most useful. Placing
burdensome requirements on companies would cause information sharing to
be a legal and time-consuming process.
To help encourage growth of the ISACs, it is important to support
legislation that will strengthen information sharing legal protections
that shield U.S. critical infrastructures from cyber and physical
attacks and threats. Legislation that will clarify and strengthen
existing Freedom of Information Act and anti-trust exemptions, or
otherwise create new means to promote critical infrastructure
protection and assurance, would be very helpful. This legislation would
likely have a catalytic effect on the initiatives that are currently
under way. It is absolutely vital that we work collectively to remove
barriers to information sharing. A broad industry coalition has been
working with Senator Bennett and Senator Kyl on legislation in the
Senate, and with Congressman Davis and Congressman Moran in the House.
On behalf of ITAA, I want to express industry support for these bills.
V. Conclusion
We are pleased that the Government is interested in taking computer
security seriously. The United States Government spends billions of
dollars buying weapons and gaining intelligence to protect our country
from more conventional types of attack. Our computer systems must also
be adequately protected, or our entire infrastructure could be
compromised by one person with one computer. Even though the task is
complicated, computer systems can be protected.
The Government has taken great strides in the past few years.
However, much, much more is needed. As industry has considerable
resources and expertise, a continued partnership with industry is
crucial. In addition, computer security must be a priority, and
leadership and coordination are necessary in the Government.
International leadership is also required. Perhaps most importantly,
funding for secure Government systems must be increased by a
substantial amount, and outsourcing should be considered as a viable,
cost-effective option. The Government often does well with the
resources it has been given. However, computer security specialists are
required to implement and coordinate many different security products
and services to adequately secure a system. As computer security
expertise is extremely rare, the cost of computer security specialists
is astronomical. To help address the cost of computer security,
educational efforts must be undertaken to train the personnel required.
Thank you for inviting me here today. I look forward to a
continuing dialog on the computer security issue, and hope that,
working together, we can adequately secure our country's assets and
information.
Chairperson Feinstein. Thanks very much, Mr. Klaus.
Mr. Gent, I apologize for mispronouncing your name. Please
proceed.
STATEMENT OF MICHEHL R. GENT, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY COUNCIL,
WASHINGTON, D.C.
Mr. Gent. Thank you, Madam Chairman, and good afternoon,
Senator Kyl. I am here representing the North American Electric
Reliability Council, and I am going to take the chairman's
advice and cut my oral testimony short. If you have a copy of
what was submitted, I won't be following it.
I think it is obvious from the comments of previous
witnesses that NERC, as we call it, has a very active role in
this whole theater of protecting electric systems against major
catastrophes. In fact, that is why NERC was formed. We are
ourselves an ISAC. We didn't invent that name, but when you
think about what we do, we do information security and we do
assessment.
We actually are responsible for coordinating the activities
of some 150 control areas across the United States and Canada,
and I have to emphasize the Canada part because as far as
electricity goes, it does not know these country boundaries
that we draw on maps and we have governments controlling.
Electricity flows from Canada to the United States, and vice
versa.
I want to get right to the points. I read the letter coming
down this morning on the train. I apologize for not being more
direct in my written testimony and I would like to answer your
questions.
I think that our relationship with the NIPC works, and it
works very well. We may be only one of the four that cleared
the GAO's test screen, but we did clear it. We see absolutely
no evidence that they are lacking in what they call interagency
cooperation.
Now, for the private sector, we don't see a lot of this
interagency bickering, but there was a time when we did, when
sabotage and terrorism were very big issues. I think you might
recall back in the late 1980's we had study task forces, and I
believe that then Vice President Bush headed up a team
appointed by President Reagan to deal with the sabotage and
terrorism issue.
NERC became very much involved there and we saw an awful
lot of interagency bickering. So what we did and what we have
done ever since is we have cast our lot with the FBI. So when
some agency wants to get involved--DOD, DOE; DOE is involved in
many things--we tell them that we answer first and foremost to
the FBI. And we are so committed to that that we quite
periodically insist that all the electric utilities go
reestablish their relationship at the local level with the
local FBI office. Then we try to get the national FBI office to
tell their local jurisdictions to go out and establish that
contact.
So what happens is whenever there is a physical terrorism
attack, sabotage attack, the first people they contact are the
FBI, and it is the same with cyber attacks. So it was quite
natural for us to take what we had done in the physical area,
add cyber to it, and incorporate it in all of our notification
procedures. That is why this has worked very well for us.
We also see no evidence where their capabilities are
limited. We have had several instances where we have received
advisories, and those advisories have been sent on through our
communications system and been received by the proper
individuals.
Now, at the heart of all of this is the willingness of the
electric industry to work with the Government. Some people say
that this is because we were once all monopolies and it was
quite easy to coordinate among monopolies. That may well be
true. Today, that monopoly system is disappearing, however, and
we are still able to coordinate.
We have been asked by the Government, for instance, to deal
with the EMP threats and we have done that. I mentioned dealing
with sabotage and terrorism. All of you are familiar with the
Y2K brouhaha that we had here a couple of years ago. The
Department of Energy asked us to act to spearhead that with the
electric utility industry and we did, and we think
successfully. Now, we think we can also successfully handle
cyber attacks.
With that, I think you are probably more interested in
asking me questions than hearing me rattle on about our
credentials for doing this, so I will leave it to you for the
questions.
Thank you.
[The prepared statement of Mr. Gent follows:]
Statement of Michehl R. Gent, President and Chief Executive Officer,
North American Electric Reliability Council
The Electricity Sector Response to the Critical Infrastructure
Protection Challenge
My name is Michehl R. Gent, and I am President and Chief Executive
Officer of the North American Electric Reliability Council (NERC). I am
responsible for directing NERC's activities within the industry and
with the federal government as these activities relate to terrorism and
sabotage of the electric systems of North America. Since mid-1998,
these activities include critical infrastructure protection.
NERC is a not-for-profit organization formed after the Northeast
blackout in 1965 to promote the reliability of the bulk electric
systems that serve North America. It works with all segments of the
electric industry--investor-owned utilities; federal power agencies;
rural electric cooperatives; state, municipal, and provincial
utilities; independent power producers; and power marketers--as well as
customers to ``keep the lights on'' by developing and encouraging
compliance with rules for the reliable operation of these systems. NERC
comprises ten Regional Reliability Councils that account for virtually
all the electricity supplied in the United States, Canada, and a
portion of Baja California Norte, Mexico.
In my testimony I will discuss NERC's relationship with the
National Infrastructure Protection Center and several related critical
infrastructure protection programs that NERC participates in: Critical
Infrastructure Protection Working Group; Indications, Analysis, and
Warnings Program; Electricity Sector Information Sharing and Analysis
Center; Critical Infrastructure Protection Planning; and Partnership
for Critical Infrastructure Security.
Summary
NERC has an excellent working relationship with the National
Infrastructure Protection Center (NIPC). NERC and the electric industry
worked closely with NIPC for about two years to develop a voluntary,
industry-wide physical and cyber security indications, analysis, and
warning (IAW) reporting procedure. This program provides NIPC with
information that when combined with other intelligence available to it
will allow NIPC to provide the electric industry with timely, accurate,
and actionable alerts and warnings of imminent or emerging physical or
cyber attacks. A high degree of cooperation with NIPC is possible
because the industry has a long history of working with local, state,
and federal government agencies. In addition, the NERC Board of
Trustees in the late 1980s resolved that each electric utility should
develop a close working relationship with its local Federal Bureau of
Investigation (FBI) office, if it did not already have such a
relationship. The Board also said the NERC staff should establish and
maintain a working relationship with the FBI at the national level.
The Indications, Analysis, and Warnings Program (IAW) reporting
procedure is modeled on an existing electric system disturbance
reporting procedure in which electric utilities report system
disturbances meeting predefined criteria to the U.S. Department of
Energy. A pilot IAW program was field tested in one NERC Regional
Reliability Council in the fall of 1999 and winter 1999/2000. The
program was refined and rolled out to the industry via three workshops
held during the fall of 2000 and winter 2000/2001. A comprehensive
communications program is being developed to bring this program to the
attention of those industry entities that were not able to participate
in the workshops.
NERC National Infrastructure Security Activities
NERC has served on a number of occasions during the past decade as
the electric utility industry (electricity sector) primary point of
contact for issues relating to national security. Since the early
1980s, NERC has been involved with the electromagnetic pulse
phenomenon, vulnerability of electric systems to state-sponsored,
multi-site sabotage and terrorism, Year 2000 rollover impacts, and now
the threat of cyber terrorism. At the heart of NERC's efforts has been
a commitment to work with various federal government agencies such as
the U.S. National Security Council, U.S. Department of Energy (DOE),
and FBI to reduce the vulnerability of interconnected electric systems
to such threats.
The report of the President's Commission on Critical Infrastructure
Protection (PCCIP) in October 1997 led to a May 1998 Presidential
Decision Directive (PDD-63). PDD-63 called for government agencies to
become involved in the process of developing a National Plan for
Information Systems Protection, and to seek voluntary participation of
private industry to meet common goals for protecting the country's
critical systems through public-private partnerships. The PCCIP
specifically commended NERC as a model for information sharing,
cooperation, and coordination between the private sector and
government. In September 1998, Secretary of Energy Bill Richardson
wrote to NERC Chairman Erle Nye seeking NERC's assistance, on behalf of
the electricity sector, in developing a program for protecting the
nation's critical electricity sector infrastructure. Responding to the
(DOE) critical infrastructure protection initiative, NERC agreed to
participate as the electricity sector coordinator.
As part of this public-private partnership, DOE, the U.S.
government's designated Energy Sector Liaison, worked through its
Infrastructure Assurance Outreach Program to perform an information
assurance assessment for a small number of nodes on NERC's industry
information system. The purpose of this assessment was to help NERC and
the electric industry develop an overall security framework to address
the changing industry structure and the threat of cyber and physical
intrusion. A second follow-on information system assessment was begun in
late 2000 and will be completed shortly. The product of this study will
be recommendations that will form the basis of a draft NERC policy on
information assurance. In addition, to facilitate the transfer of
information to industry that may be of value in the operation of the
electric systems in North America, DOE has provided clearances for a
number of industry personnel and clearances for other key industry
personnel are anticipated. These clearances complement those obtained
from the Federal Bureau of Investigation (FBI) as a result of
encouragement by NIPC, as discussed below.
Critical Infrastructure Protection Working Group
After several exploratory scoping sessions with DOE and NIPC, NERC
created a Critical Infrastructure Protection (CIP) Forum to evaluate
sharing cyber and physical incident data affecting the bulk electric
systems in North America. The meetings of this group were widely
noticed and the participants included all segments of the electric
utility industry and representatives from several government agencies
including the Critical Infrastructure Assurance Office (CIAO) of the
Department of Commerce, DOE, and NIPC. As a result of the group's
deliberations, NERC created a permanent group within the NERC committee
structure--the Critical Infrastructure Protection Working Group
(CIPWG). This working group reports to NERC's Operating Committee. It
has Regional Reliability Council and industry sector representation as
well as participation by the CIAO in the Department of Commerce, DOE,
and NIPC.
Indications, Analysis, and Warnings Program
One of the first tasks of the Critical Infrastructure Protection
Forum was to develop the incident data types and event thresholds to be
used in an information-sharing program with NIPC. Information sharing
(electronic and telephone) mechanisms have been developed for use by
electric transmission providers, generation providers, and other
industry entities for reporting on a voluntary basis to both NIPC and
NERC. Assessments, advisories, and alerts prepared by NIPC (with NERC's
support), based on the data provided by the electric and other industry
sectors and government sources, will be stated in an actionable manner
and will be transmitted to electric industry entities. This process was
tested successfully within one Reliability Council Region during the
fall 1999 and winter 1999/2000. Because some of the analyses involve
classified information, U.S. government security clearances have been
obtained by key industry personnel and NERC staff members. Other
electric industry personnel are in the process of obtaining security
clearances.
The electric industry Indications, Analysis, and Warnings Program,
which evolved from this work (Attachment A), was presented to the NERC
Operating Committee in July 2000 for discussion and approval. The
Operating Committee approved a motion to implement the program; initial
emphasis is on reporting by security coordinators and control areas.
Individual electric utilities, marketers, and other electricity supply
and delivery entities are encouraged to participate by submitting
incident data and receiving the various types of NIPC warnings and
related materials. Workshops were conducted during the fall 2000 and
winter 2001 to provide program details to the industry. A more
comprehensive communications program is being developed by CIPWG to
encourage broader industry participation in the program. NERC views the
Indications, Analysis, and Warnings Program as a voluntary first step
toward preparing the electricity sector to meet PDD-63 objectives.
Electricity Sector Information Sharing and Analysis Center
The PCCIP recommended that each of the critical sectors establish
an Information Sharing and Analysis Center (ISAC) to help protect the
infrastructures from disruption arising from coordinated intrusion or
attack. The ISACs would gather incident data from within their
respective sectors, perform analyses to determine potential malicious
intent, share findings with other ISACs (private and government) in a
manner that assures, as required, target identity protection, and
disseminate actionable warnings so appropriate action can be taken
within each sector. ISACs would serve as points of contact between
sectors to facilitate communications, especially during a time of
stress. ISACs would study cross sector interdependencies to better
understand and be prepared for the possible impacts of an ``outage'' of
one sector on another.
The CIPWG has endorsed, and NERC has accepted, the naming of NERC
as the Electricity Sector Information Sharing and Analysis Center (ES-
ISAC). The functions performed are essentially the same as those
functions that have been required of NERC for physical sabotage and
terrorism. The ES-ISAC's duties are:
1. Receive voluntarily supplied incident data from electric industry
entities.
2. Work with NIPC during its analysis of incident data to determine
threat trends and vulnerabilities.
3. Assist the NIPC personnel during its analyses on a cross private and
federal sector basis.
4. Disseminate threat and vulnerability assessments, advisories, and
alerts and other related materials to all those within the
electric industry who wish to participate.
The ES-ISAC is staffed on workdays with on-call provision for all
other periods. Should this capability need to be enhanced, NERC will
likely request support for a 24-hour, seven days a week staffed
facility. To this end, NERC also is exploring the feasibility of
forming a joint ISAC with other sectors. NERC has established
relationships with the other existing ISACs through the Partnership for
Critical Infrastructure Security (see below) and will establish
relationships with other ISACs as they form.
Critical Infrastructure Protection Planning
The CIPWG, working with CIAO, has written a Business Case for
Action to delineate the need for critical infrastructure protection by
the electric industry (Attachment B). Separate business cases have been
prepared for Chief Executive Officers, Chief Operating Officers, and a
NERC general overview (Attachments C, D, E, and F). The purpose of the
business case is to persuade industry participants of the need to
report cyber intrusion incidents and to be mindful of the possible
business losses caused by cyber and physical intrusion.
The CIPWG has developed a basic and fairly comprehensive plan to
address CIP. The working group was concerned about generating an overly
prescriptive plan too early in the process and has proceeded with a
format that can assist in developing each entity's own plan. The
prototype plan, which still is undergoing industry review, addresses
awareness, threat and vulnerability assessment, practices that can be
considered, risk management schema, reconstitution, and
interdependencies between and among sectors.
The essence of this ``Approach to Action'' is being considered for
inclusion in Version 2.0 of the National Plan for Information Systems
Protection being compiled by the U.S. Government. Richard Clarke,
Special Assistant to the President and National Coordinator for
Security, Infrastructure Protection, and Counter-terrorism, has
discussed the importance of establishing and maintaining a National
Plan to the health of the government and private sectors, companies,
and the nation. Version 1.0 of the Plan did a good job covering the
threats and the government response, but it did not detail private
sector response.
The need for private sector participation is engendered by the fact
that the government lacks private sector expertise and needs private
sector ``buy in'' to CIP initiatives. The National Plan version 2.0,
which will include private sector input, is scheduled for fall 2001.
Partnership for Critical Infrastructure Security
The Partnership for Critical Infrastructure Security (PCIS) was
proposed in late 1999 by members of several private sectors; the PCIS
is supported by CIAO and the U.S. Chamber of Commerce. Earlier this
year, it established itself as a not-for-profit organization and
elected a Board of Directors and company officers. NERC participates in
PCIS and I serve as its Secretary.
The PCIS Mission:
Coordinate cross-sector initiatives and complement public/private
efforts to promote and assure reliable provision of critical
infrastructure services in the face of emerging risks to economic and
national security.
The PCIS held two general forums in 2000 and one so far this year.
It is planning a second general forum on September 6-7, 2001. The PCIS
has formed six active working groups: Interdependency Vulnerability
Assessment and Risk Management; Information Sharing, Outreach and
Awareness; Public Policy and Legislation; Research and Development and
Workforce Development; Organization Issues and Public-Private
Relations; and National Plan. The opportunities presented by PCIS
include gaining a better perspective of the sector interdependencies,
facilitating ISAC formation, and sharing of common research and
development efforts.
Emerging Business Risks to the Electric Power Infrastructure
A Case for Chief Executive Officer Action
The introduction of competition in the wholesale and retail
electricity markets, coupled with an increased demand for electricity,
has led electric utilities to rely more on information technologies
(IT). In addition to ensuring a utility's ability to generate,
transmit, and distribute electricity to its customers, information
systems are increasingly effective vehicles for exploring new markets;
executing strategic business decisions; achieving internal operating
efficiencies; and tracking the people, products, and services on which
a firm's success depends.
The reliability and security of these systems are critical to
electric utility survival. Chief Executive Officers (CEO), boards of
directors, and other senior-level executives responsible for overseeing
the business operations of electric utilities need to understand the
risks posed by this increased reliance on information technology. In
addition, they also must manage and, where possible, mitigate these
risks to their organizations and the industry through continuous
communication and leadership. This management and mitigation
responsibility requires close coordination with finance, customer
services, operations, and other senior-level officials in their firms,
and coordination within the industry, to address a widening range of
competitive and operational vulnerabilities, including information
systems, security, and other cyber-related threats. CEOs, boards of
directors, and other senior-level officials are vested with authority
and have an obligation to manage risks and liabilities through due
diligence and prudent management. As such, it is important that they
recognize that IT is not only an enabler of competitive advantage,
customer service, and investor confidence, but also a source of
vulnerability or business risk.
What Is Changing?
    From                              To
    Manned Facilities Operations      Unmanned Facilities
    Remote Monitoring                 Automated Monitoring/Control
    Local Markets                     Open, Regional/National Markets
    Local Customer Services           Consolidated Call Centers
    Customer Billing Information      Customer Services Information
    Heterogeneous Technology          Standardized/Homogeneous
    Traditional Electric Services     On-Line
Business Operational Survivability
Significant security risks stem from the interconnectedness of the
communications networks that underpin utility generation, transmission,
and distribution systems. Most of the approximately 3,200 electric
utilities serving North America depend on IT networks, such as
supervisory control and data acquisition (SCADA) systems, to manage
generation, transmission, and distribution systems. These systems are
linked to control networks and corporate management systems, many of
which also are connected to systems outside the utility. In addition,
the electric utilities participate in open markets, vastly expanding
the size and complexity of the electric industry's IT infrastructure.
Simply put, the electric industry, conducting arbitrage over real and
virtual assets, relies on a nationwide network of information systems to
do business. These systems include Internet-based applications such as
the Open Access Same-time Information System (OASIS), which facilitates
the exchange of transmission availability information and on-line price
negotiations.
Like commodities trading, the buying and selling of electricity
would be virtually impossible without the efficiencies of IT. The array
of mainframes, desktop clients, operating systems, and network
protocols used by power marketers add to the complexity of the electric
power industry's IT infrastructure. Consequently, as the newly
competitive energy market matures, generation, transmission, and
distribution systems will become increasingly subject to both IT- and
market-related forces. This maturation will present new challenges to
ensuring the reliability of the electricity delivery systems in North
America.
Business Competitiveness
Reliability and security have also come under pressure from
financial interests. A utility's previous ``obligation to serve'' to
some degree is being pressured by industry stakeholders. Many expect
that a competitive market place will shift reliability from a mandated
``obligation'' to being a competitive feature of service in order to be
in the electric business.\1\ Many also see that the electric industry
will become a highly competitive commodities business that is largely
customer-driven and dependent on technological and operational
efficiency. The Power Company of America expects annual trading volume
of electricity to reach an unprecedented high of $2.5 trillion by the
year 2003.\2\
---------------------------------------------------------------------------
\1\ John D. Mountford and Ricardo R. Austria, ``Keeping the Lights
On!'' IEEE Spectrum (June 1999): 34.
\2\ Tami Cissna, ``Wholesale Electric Power Sales Are Increasing-Is
Anyone Profiting?'' Electric Light & Power (August 1998): 42.
---------------------------------------------------------------------------
If this projection holds true, electricity will become the United
States' most heavily traded commodity. Consequently, power marketers
and utilities are competing aggressively for a substantial share of the
market. Like the financial industry's commodities market, which may be
a harbinger of how the electricity market will evolve, electricity
worth billions of dollars will be traded over computer-controlled
networks and telecommunications systems. Failure to maintain the
confidentiality, integrity, and availability of these transactions
could not only compromise an electric utility's business strategy but,
if widespread, could also threaten the confidence of those
participating in the electricity markets.
Chairperson Feinstein. Thank you very much.
Mr. Klaus, if I may, at least 4 days before the February
2000 distributed denial of service attacks, computer experts at
some of the Nation's largest banks received detailed warnings
of possible attacks from the banking industry's warning
network. These warnings helped the banks protect themselves, as
you mentioned, from the attacks that shut down Yahoo, eBay and
other companies.
However, under Treasury Department restrictions, these
warnings were not turned over to anyone outside the financial
services industry, including law enforcement, so companies in
other industries did not benefit.
Do you think the ISAC model is the most effective way of
protecting companies from cyberattacks, and how do we better
encourage information-sharing between industries?
Mr. Klaus. I think the ISACs lay the foundation for sharing
the information. I think with the distributed denial of service
attacks, the biggest issue I see with the security is just from
a priority perspective. It is usually an afterthought when
people are designing their networks and they are implementing
their computer systems. The information is out there.
In many cases like this worm, we knew about the IIS Web
server vulnerability at least a month before the worm ever
spread, but there were still 300,000 Web servers that were
vulnerable. I guess the question will be how do we get people
to put the resources in there.
One of the aspects that we are seeing is insurance
companies are becoming a driver for this, where they are
selling hacker insurance or cyber security insurance, where
they are saying we are not going to insure you unless you have
a standard level of security. That is having an effect. Before,
we could easily over the Internet grab the whole data base of
credit cards.
That is one of the misperceptions, is with the credit
cards, encryption fixes that, when, in fact, most of the
attacks that we are finding--we are working with a lot of banks
right now where it is not when you are Web-surfing and you put
in your credit card. Most people ask, should I do that, and the
answer is it is probably encrypted.
Where the attack is happening is the hackers go right into
the data base itself, like the Oracle data base, and you can
use the user name ``Oracle'' and the password ``Oracle.'' Any
of the data bases have default accounts that never get changed,
so you can grab every credit card that exists on that data
base. So having some kind of standard level of security for
most of those systems would help, I guess, raise the bar for
most of the intruders.
Information-sharing is good, but I would still say that a
lot of that information exists today you can get out there. And
ISACs help foster that, but I think the next thing will be how
do we motivate industries to protect against those, once you
have the information.
Chairperson Feinstein. Mr. Gent, would you respond to that,
and would you also respond to what the possibilities are of an
attack on California's electricity grid, how likely it is and
how it can be prevented.
Mr. Gent. Right here on national TV?
Chairperson Feinstein. Well, we can arrange that it not be
done on national TV, if you would like.
Mr. Gent. I think you are probably familiar with that one
incident that happened to a Web server, the Cal ISO. The
reporting was grossly overblown, and I was very happy to see
that happen, actually. If hackers are going to attack Web sites
that are holding information sources and not control sites,
then I am perfectly happy with that.
Electric systems are controlled by computers we call EMS
systems, energy management systems, and for the most part they
are not vulnerable to the same type of hacker attack, with one
exception, and Chris pointed it out. The vendors very often
will have default ways into the system so they can pull
maintenance.
Chairperson Feinstein. And not a worm either?
Mr. Gent. No, but it could be, but it is not in this case.
I believe you have to have a program running to be able to host
a worm.
What we have tried to do is to make this whole problem a
business problem, and part of the stuff that I turned in with
my testimony are brochures that we have produced with the help
of the CIAO, ``Business Case for Action: A Case for Chief
Executive Officer Action,'' what can an electric utility's
chief information officer do, what utility operations executive
do and what can NERC do?
As Chris has stated, we have got to get them interested in
doing this.
One of the reasons that we have been so successful with
large catastrophes like sabotage, terrorism, and so on, is that
if you take out a very large facility, it will affect every
utility on the network. In this case, if you attack a
particular utility's Web site, the chances are you are only
affecting that one business and you are not affecting companion
businesses down the chain. So it is difficult to get them
involved and interested, but that is what we are trying to do
here, with the help of NIPC.
To answer your question directly, I think there is little
chance that the hackers can do any harm to either California or
anything else in the West as far as operational control.
Chairperson Feinstein. Little chance, you say?
Mr. Gent. Little chance.
Chairperson Feinstein. Little chance. That is good news.
Mr. Gent. I hate to say never. I would like to, but I am
not going to.
Chairperson Feinstein. Thank you.
Senator Kyl?
Senator Kyl. Thank you, Madam Chairman. I just would note
that we had an example in Arizona testified to by our State
attorney general that a hacker wanting to erase his electric
bill essentially got into the electric utility----
Chairperson Feinstein. You are on national TV, Senator.
Senator Kyl.--got into the utility that had his accounts.
That utility also, however, is responsible for all of the dams
that contain the water that provide the water source for the
Phoenix metropolitan area. Once he was in, there would have
been nothing to stop him from automatically opening the dams
and letting all the water out, which would have created a huge
problem. It simply illustrates the fact that it is possible to
break in, and somebody who could break in for one purpose
perhaps even inadvertently could cause some other kinds of
problems. So it is not a trivial issue in any event.
I have been asked to say that Senator Hatch intended to be
here to participate in the hearing today. I know he has been
detained and I would like to ask unanimous consent that his
statement be submitted for the record, Madam Chairman.
Chairperson Feinstein. So ordered.
[The prepared statement of Senator Hatch follows:]
Statement of Hon. Orrin G. Hatch, A U.S. Senator from the State of Utah
Improving our Ability to Fight Cyber-crime:
Oversight of The National Infrastructure Protection Center
There was a time when a battle began with the sound of a trumpet
and a cavalry charge.
In the 20th century, a battle was likely to begin with the sound of
airplane engines on a bombing run.
In this new century, a battle will likely begin with the sound of a
person typing at a computer keyboard, and the release of an electronic
virus designed to paralyze an adversary's computers.
And it is not only warfare that is changing.
No longer do aspiring bank robbers need to don a ski-mask and carry
a shotgun into a bank. Millions of dollars can be stolen electronically
by illegally accessing the computer networks of the financial services
industry.
No longer do aspiring terrorists need to plant a bomb to draw
attention to their cause. Millions of people's lives can be threatened
electronically--by disrupting air traffic control functions; or
shutting down a power grid; or blocking access to 911 operators.
As recently as a decade ago, these threats were barely imagined.
And it is only in the last three years that the federal government has
formulated a comprehensive strategy to protect the nation's basic
computer infrastructure from malicious attacks made by criminals,
terrorists, and hostile foreign states.
The National Infrastructure Protection Center has, for the last
three years, been on the forefront of protecting our country's computer
networks from outside attack. And, given where we were just three years
ago, the NIPC has laid an important foundation in the protection of our
critical computer infrastructure.
But the integrity of our computer infrastructure is so vital to our
well-being as a nation, and the technology is evolving at such a rapid
rate, that it is essential that we continue to reevaluate whether the
federal government is doing everything it can do to protect our
critical computer infrastructure. And for that reason, I applaud
Senator Feinstein, Senator Kyl, and the Senators on this subcommittee,
not only for holding this hearing today, but also for having had the
foresight, over a year ago, to order the GAO study that is the focus of
today's hearing. As a result of that foresight, and the hard work of
the GAO personnel who prepared the report, we are able to pursue
today's inquiry at a much deeper level, and with a greater degree of
insight, than would otherwise be possible. So I commend the senators on
this subcommittee, and the hardworking staff at the GAO.
I have examined the GAO's report, and I find it to be, on the
whole, a balanced and well-reasoned assessment of the NIPC's
performance. It highlights both the successes of the NIPC, and those
areas where the NIPC has come up short of its original goals.
Not surprisingly, the NIPC has succeeded at those functions that
are most traditionally within the expertise of the FBI, and it has been
less successful at those functions that are least familiar to the
Bureau.
The GAO found that ``the NIPC has provided valuable support and
coordination'' in the investigation of computer crime. I agree, and I
believe that the NIPC should be commended for its success, in a
relatively short span of time, at making itself into a valuable
resource for use by the law enforcement community when dealing with
computer crime.
To facilitate the investigation of illegal access to computer
networks, the NIPC has established teams of specially-trained computer
crime investigators in each of the FBI's 56 field offices. In addition,
the NIPC provides technical assistance to the field offices and
coordinates investigations among the field offices. Since 1998, the
NIPC has issued 93 warnings to systems administrators, alerting them,
and the general public, about specific threats and vulnerabilities
within their computer networks. An advisory issued in March of this
year regarding a specific ecommerce vulnerability is estimated to have
stopped over 1600 attempted hacking incidents.
Our experience over the last three years has shown the value of
having a multi-agency entity, like NIPC, with the resources to
investigate computer intrusions that are often national in scope.
Obviously, there is room for improvement. The GAO report makes some
specific recommendations to the NIPC leadership, such as improved
information sharing between the NIPC and the agents in the field
offices. I hope that the NIPC leadership gives serious consideration to
these recommendations.
Some of the other problems identified in the GAO report appear to
be beyond the control of the NIPC's leadership--such as the failure of
agencies outside the FBI to provide full cooperation with the NIPC. We,
in the Congress, must continue to exercise our oversight authority over
the Executive Branch to ensure that all agencies are motivated to
provide the needed cooperation in this vital area. I, for one, promise
to do everything in my power to discourage institutional rivalries
between the Executive Branch agencies from disrupting the important
mission of the NIPC.
It is those functions furthest from the FBI's traditional
responsibilities that the NIPC has had the most difficulty
accomplishing. According to the GAO's findings, the NIPC has made
little progress in producing a comprehensive, strategic analysis of the
vulnerabilities of, and threats to, the nation's critical computer
infrastructure. Similarly, the NIPC has not been particularly
successful in establishing information-sharing arrangements with
private industry.
The development of a comprehensive, strategic threat analysis is
certainly one of the most important tasks that has been assigned to the
NIPC. In the absence of such a strategic assessment, law enforcement
will be perpetually consigned to responding reactively--instead of
proactively addressing and eliminating threats to the system.
The GAO has identified several obstacles faced by the NIPC in
performing its strategic assessment: the lack of an accepted
methodology for evaluating threats; confusion within the Executive
Branch about the scope of the NIPC's mandate; and inadequate technical
expertise within the NIPC personnel.
Implicitly, the GAO report raises a fair question--that is, whether
the NIPC, which has so far served principally as an ``operational''
organization, is the best entity within the federal government to
conduct what appears to be an abstract, almost academic, assessment of
the strategic threats facing the critical computer infrastructure.
By giving voice to this question, I do not mean to suggest that I
have reached an answer. I simply do not know, at this point, whether or
not the NIPC is the ideal entity to perform this analysis. It may well
be that the NIPC brings more technical expertise to this question than
any other governmental entity.
The Administration has recently announced its intention to review
Presidential Decision Directive 63, and to reevaluate the effectiveness
of our national plan for cyberspace security and critical
infrastructure protection. I hope and expect that, as part of this
evaluation, the Administration will assess whether the NIPC is, in
fact, the best entity to perform the strategic threat assessment.
Certainly, I believe that Congress should await the Administration's
determination on this matter, before reaching its own decision.
The other area which the GAO highlighted as a shortcoming in the
NIPC's performance is the NIPC's lack of success in establishing
information-sharing arrangements with private industry. It is in this
area that I believe Congress could potentially provide the NIPC with
the most help.
Obviously, the NIPC is hamstrung in its efforts to investigate
computer intrusions when the private sector does not provide them with
notification that an intrusion has occurred. On the other hand, private
firms are often reluctant to report an intrusion, out of fear that
publicity regarding an unauthorized intrusion will be detrimental to
the firm's commercial interests. Although the NIPC has undertaken
significant outreach efforts in an effort to win the private sector's
confidence, there is little that the NIPC can do to overcome this basic
divergence of interests.
It is possible, though, that Congress can help.
There is legislation pending, which I support, that would
strengthen the FOIA exemption applicable to information provided by
companies when they self-report an unauthorized computer intrusion.
I believe that Congress can go even farther. I believe that we
should explore a range of financial incentives to the private sector--
possibly tax credits or liability caps--for companies that provide the
NIPC with full and timely notification of unauthorized computer
intrusions. Only by reversing the private sector's financial incentives
pertaining to cooperation with the NIPC can we enlist the aid of the
private sector against the criminals and terrorists who would
compromise our computer networks.
In sum, I believe we should commend the leadership of the NIPC, who
have, in the short span of three years, laid the groundwork for a
comprehensive defense of our critical computer infrastructure. As with
any new venture, there have been successes, and there have been areas
in which the leadership has fallen short of their goals.
Given the interconnected nature of today's digital world, it is
impossible to overstate the importance of the NIPC's mission.
Hopefully, the GAO Report, and today's hearing, have set in motion a
healthy dialogue on how best to face these new and emerging threats to
our well-being as a nation.
Senator Kyl. I am going to have to go here in just a
minute, but I guess one of the things that I should ask, since
we have Chris Klaus' expertise here, is what are the first
couple of things that you tell clients--I realize you have
different kinds of clients come to you, whether it be a
government client or a business client--when they say, well,
what is the first thing I should do to protect myself or our
company or our agency here?
It might be useful to at least give folks an idea of the
kinds of advice that you give, and then I have one follow-up
question, if I might.
Mr. Klaus. We get a lot of companies coming to us saying,
OK, I have heard security is important, what do we do?
``Security'' is such a big word. You hear about PKI,
encryption, biometrics, firewalls, and the list goes on and on
of all the different measures you can take.
Initially, what we do is start with an assessment in terms
of doing an assessment of what your current state of security
looks like. There are any number of security companies such as
ourselves and many others that do assessments on behalf of
companies.
It is kind of interesting, in that we are starting to see a
trend where it is similar to the reason that you bring in the
Big Five, like Ernst and Young or some of the other Big Five to
do the books or the tax audits. It is the same reason you
probably want a security team outside of that company to do a
security audit to make sure it has not been tampered with.
It is very easy to configure the software to come back and
say, OK, there are no problems, this must be a good network, so
having someone come in, do a penetration test, find out all the
issues, and then from there start to design your security
system so that you can understand where to put the proper
security processes in place.
I look at it a lot like physical security, in that there
are certain places you may put a camera; there are certain
places you will put locks, there are certain places you put
guards, et cetera. The same metaphors can apply to a company's
network. Where do you want a lock-down? What systems are
critical? Where are your assets? Where are your key servers?
What things do you want to lock down?
So we help design and then help deploy that, and then on an
ongoing basis a high recommendation is to have a 24-by-7
monitoring and management of your security system. Security
doesn't go away once you put it on the network; it is
constantly there, and so we would recommend that.
And then the last thing would be education, get educated
about all the different issues, know about what is a worm, what
is a virus, how do you defend against those, what are the
latest methods of breaking in. I think education and
information becomes key there.
Senator Kyl. It is just like security in any other setting,
be aware of the potential dangers, get good people to give you
advice about how to take care of it and then take care of it.
Mr. Klaus. Absolutely.
Senator Kyl. If you could give us some advice here, you are
looking at this from two or three different angles. It is
obviously useful for there to be an entity like NIPC to give
warnings, to assist in remediation of problems, to have
organizations like the one Mr. Gent represents to be
coordinating very carefully with groups like NIPC.
You have seen the problems from the standpoint of both the
private sector and the government clients that you represent.
If you had to give us one or two suggestions about things that
you think we might do to help to facilitate the exchange of
information, to help entities like the one Mr. Gent represents,
to improve NIPC, any of these things that we might do to help,
what would be maybe the top one or two suggestions you could
give to us?
Mr. Klaus. Continue to raise cyber security as a high
priority, and I think anything that can help raise the
visibility and make sure people understand it is a serious
issue that affects everyone. Also, I would say that one of the
key issues we see--and this came from one of the industry
analysts; they did a survey of companies and most companies
spend more money on coffee and soda than they do on network
security.
So from a budget perspective, I think both for commercial
and government, if we can somehow give governments more money
to defend themselves so that they can hire the right people or
at least get the right technology protection in place would be
an additional benefit.
I think legislatively any of the bills that would help
foster more sharing of information, and probably more than just
fostering information, but trust and building a process for
commercial to work with government--we had a large user base
and there was a group of about 200 people of very large
companies. How many of you ever worked with law enforcement in
regard to being hacked? I mean, all of them had been hacked at
some point, and one of them raised their hand and that person
happened to be from a Government agency themselves and by
Federal law had to do that. But the rest of them had not worked
with any kind of law enforcement.
Chairperson Feinstein. Would you allow me on that point----
Senator Kyl. I am going to have to go. Might I just thank
both of you and the other panel for being here, and for the
great demonstration. I hope that we will be able to expose this
to more people in the future. I really apologize, but I am
already late for a meeting.
Mr. Klaus. Thank you, Senator Kyl.
Chairperson Feinstein. Thanks, Senator, very, very much.
Let me ask this question, Mr. Klaus: Do you know of any
company that had an attack where the company provided
information to the Government and that information was leaked?
Mr. Klaus. No. I think it is more of a perception.
Chairperson Feinstein. I think that these fears that
companies have about information leaking out are really
contraindicated by the record. I wonder why they continue to
have them.
Mr. Gent, can you comment on that?
Mr. Gent. I share your concern. The companies that I work
with seem to be paranoid against providing the Government with
information, particularly commercially viable information. We
have often put restrictions on any information released for,
say, 9 days, any commercially viable information. So I think
that is a whole area that needs to be investigated,
particularly as it applies here.
We have had several incidents, though, that show this is
improving. We have reported maybe 20 or 30 incidents of hacker
activity on our systems to the FBI. The FBI is always
responsive. They come out, but they are held back by some of
the laws that I heard from the previous panel, where they
really can't do anything when they find it. But they can
build up a data base and a log of----
Chairperson Feinstein. You mean because it originates out
of the country?
Mr. Gent. Either that or it doesn't have enough financial
repercussions that they can demonstrate directly.
Chairperson Feinstein. I see.
Mr. Klaus. The other thing is I think the InfraGard has
been beneficial. I know in Atlanta we have the InfraGard
meetings and those have grown pretty large, and I think that
has built up a lot of trust between having law enforcement
there and the FBI there, as well as the commercial or private
sector being able to interact and have a kind of personal
relationship. Hey, we are running into this problem, how do we
deal with this? Now that they have those ties or that personal
networking through InfraGard, I think that is going to help out
a lot.
Chairperson Feinstein. I think what is interesting is
because there are so many leaks from Government, companies
incorrectly thought that they should not provide cyberattack
information to the government. I don't believe leaks are a
problem in this area. I think all these agencies really
understand the importance of this information and the national
security questions that are involved and that there aren't
going to be any leaks of sensitive information. Therefore,
companies have so much to gain by providing this information
about cyberattacks so that law enforcement can get to the root
of the problem and so that we in Congress know what laws to
change to enable us to deter this activity.
Cyber attack activity seems to be multiplying and getting
more coordinated. If the White House just hadn't acted
promptly, this Code Red worm would have taken down their whole
database. Is that fair to say?
Mr. Klaus. It would have taken down their connection to the
Internet, yes.
Chairperson Feinstein. But it wouldn't have affected their
hard drive?
Mr. Klaus. It depends on what is exposed to the Internet.
When you go to whitehouse.gov, it is more of a Web site kind of
just to give you education on the Web site. I don't think much
of their internal stuff is exposed to the Internet.
If the attacker really wanted to bring down stuff, he could
target some more critical infrastructure that supports that
Internet and it would have a much more serious effect.
Whitehouse.gov is probably more symbolic. The Web site itself
doesn't contain a lot of sensitive information, but any system
on the Internet that is sensitive would be affected by Code Red
by just simply changing the attack addresses.
Chairperson Feinstein. Any other comment, Mr. Gent?
Mr. Gent. Well, one other in regard to InfraGard. At the
national level, through the NERC operating Committee we have
what is called a CIP forum where we are attempting to get all
interested parties, which would include the FBI and other
agencies interested in this, together with all of the operating
people across North America that are interested in these
subjects. It is informal right now, but we are hoping that it
will result in some standards being written and some processes
and procedures put out there where somebody can say, well, what
do I do to protect myself, and they at least have a checklist
where they can start. Of course, the first might be to call a
security expert, but at least we are starting to give stuff out
like that.
Chairperson Feinstein. That is terrific.
Well, thank you both very much. We appreciate it, and
please feel free to keep in touch with us, both Senator Kyl and
myself. If you have any further thoughts, please let us know.
Thank you very much.
Let me thank the audience.
This hearing is adjourned.
[Whereupon, at 4:13 p.m., the Subcommittee was adjourned.]
[Submissions for the record follow:]
SUBMISSIONS FOR THE RECORD
Statement of Hon. Charles E. Grassley, a U.S. Senator from the State of
Iowa
Today, we examine the progress of the National Infrastructure
Protection Center (NIPC), and to what extent they are fulfilling their
charter as set forth in Presidential Decision Directive-63. Let me
first thank all of the panel members for taking time out of their busy
schedules to be here today. And, I would also like to thank the
Government Accounting Office for their hard work in preparing their
report.
This is a time of extraordinary change. We sit here today in the
midst of one of the most significant technological revolutions in the
history of the world. With each passing day, we add to the dramatic
expansion in computer capacity, most notably through the increase in
the use of the Internet. This new medium has altered our society and
our economy in many significant ways. The breathtaking technological
advances led by the concept of free enterprise have left scarcely a
corner of the globe untouched by this remarkable tool. And the day-to-
day activities of business and government have become enmeshed in the
use of computers and the Internet to an extent that would have been
unthinkable even ten years ago.
The infrastructure foundations on which this nation depends are an
extremely complex system of interrelated elements. And true to its free
market roots, this has not been a jointly coordinated revolution. Each
of these infrastructure elements have taken their own path to become
the networks that they are today. And while each of these elements can
also be viewed as islands unto themselves, they are all connected to
each other and to the outside world by one common element: a telephone
line. So, while we may be the most technologically advanced nation on
earth, we are also the most technologically vulnerable.
Consequently, the issue of public-private cooperation has become
essential to the success of the safeguarding of our national
infrastructure. We cannot count on the federal government alone to
protect our critical infrastructure from cyber-terrorism, because the
government doesn't own or operate the networks that carry most of our
critical content. The private sector is not only needed, but pivotal in
this endeavor. Private industry owns 90 percent of the national
infrastructure, yet our country's economic well-being, national
defense, and vital functions depend on the reliable operation of these
systems.
Cyber-Security and critical infrastructure protection are among the
most important national security and economic issues facing our country
today, and will only become more challenging in the years to come.
Recent attacks on our infrastructure components have taught us that
security has been a relatively low priority in the development of
computer software and Internet systems. These attacks not only have
disrupted electronic commerce, but have also had a debilitating effect
on public confidence in the Internet.
Recognizing this vital need to coordinate the protection of our
critical systems, the NIPC was formed pursuant to the 1998,
Presidential Decision Directive. We are here today to review the
performance of the NIPC relevant to that charter. To be frank, there is
not much here for me to be optimistic about.
It is clear to me that the problems outlined within the GAO report
are symptomatic of a mission that is incomplete in its conception. I
would not take issue with those who advocate the position that many of
the problems experienced by the NIPC can be attributed to a significant
lack of definition within the PDD-63 charter. And, I am also mindful of
the fact we are reviewing what some have termed as a ``start-up''
program that has only been in existence for three years. But I would
suggest to you that the deficiencies noted by the GAO can also be
attributed to a lack of operational capability. And that these problems
are also symptomatic of a much larger issue within the NIPC, and the
FBI in particular; that being the pervasive ``culture of arrogance''
within the bureau. One cannot underestimate the negative effect that
this culture has had upon the ability of the NIPC to fulfill its
mission.
One of the few areas in this report where the GAO offers some
positive evaluation is in the FBI's coordination of investigations of
attacks on ``computer crimes''. But I don't believe this assessment
takes into account the cooperative spirit called for within the NIPC
charter. Instead of being a focal point to coordinate the
investigations of various federal law enforcement agencies, the NIPC
has simply become a conduit for the FBI to fund its own computer crime
cases. The internal culture of the bureau is not built on the culture
of sharing information with fellow law enforcement agencies. The NIPC
charter calls upon the bureau to distribute cases according to
expertise. With very few exceptions, this is not being done. A
significant number of participating agencies have withdrawn their
participation, not only because all of the incoming cases have been
taken by the FBI, but also because their contributions and expertise
have not been incorporated into the NIPC in any significant way.
Consequently, the NIPC should not be held up as an example of success
in the field of interagency cooperation.
By its very nature, the FBI does not share information, it
restricts information. Getting the criminal is the FBI's first
priority--warning the public is secondary. For example, the NIPC has
been tasked by this Presidential Decision Directive to provide timely
warnings, mitigate attack and monitor reconstitution efforts. But the
mission doesn't stop there; it also includes providing comprehensive
analyses to determine if an attack is underway, the scope and origin of
the attack, and the coordination of the government's response. In the
realtime confusion of a cyberattack, the NIPC will have to decide
whether or not an incident is an attack which will impact national
security, or a criminal act that will require a criminal investigation.
These conflicting national responsibilities impede decisions and put
the nation at risk. The FBI's methodology for investigating crimes is
incompatible with the mission intended for the NIPC. And that is why we
should not allow the FBI to further commandeer this program.
History has proven that the FBI cannot maintain effective
partnerships within the federal government or even within their own
federal law enforcement community. How can we then expect the bureau to
establish effective partnerships with the private sector? Can we
honestly expect that the widespread aversion within the private sector
to entrust sensitive corporate information is any less assuaged by the
FBI stewardship of this program? One answer can be found in the
inability of the NIPC to establish successful sharing agreements with
all but one of the Information Sharing and Analysis Centers. Further,
the NIPC has failed to successfully establish either an adequate
warning and analysis capability, or reconstitution design under the Key
Asset Initiative--both crucial foundations of the charter. One approach
that does appear to have acquired a successful constituency within the
private sector is the InfraGard Program, and I would encourage the
continued expansion of this initiative.
In conclusion, I want to once again thank the General Accounting
Office for their hard work on this report. But I want to be clear that
I take issue with some of its conclusions regarding the PDD-63
framework. I would suggest that the deficiencies noted with the NIPC
owe as much to the insular culture within the FBI as to the number of
mitigating factors ascribed by the GAO. Our nation's critical security
and infrastructure programs are currently under executive review. I
look forward to this evaluation and to working with the relevant
parties to improve the protection of our nation's critical computer-
dependent infrastructures.
Statement of Eugene F. Gorzelnik, Director, North American Electric
Reliability Council, Washington, DC
My name is Eugene F. Gorzelnik, and I am the Director--
Communications for the North American Electric Reliability Council
(NERC). Part of my job since the late 1980s is to facilitate NERC's
activities within the industry and with the federal government as these
activities relate to terrorism and sabotage of the electric systems of
North America. Since mid-1998, these activities include critical
infrastructure protection. I report directly to the President and CEO
of NERC in these matters.
NERC is a not-for-profit organization formed after the Northeast
blackout in 1965 to promote the reliability of the bulk electric
systems that serve North America. It works with all segments of the
electric industry--investor-owned utilities; federal power agencies;
rural electric cooperatives; state, municipal, and provincial
utilities; independent power producers; and power marketers--as well as
customers to ``keep the lights on'' by developing and encouraging
compliance with rules for the reliable operation of these systems. NERC
comprises ten Regional Reliability Councils that account for virtually
all the electricity supplied in the United States, Canada, and a
portion of Baja California Norte, Mexico.
In my testimony I will discuss several related critical
infrastructure protection programs that NERC participates in: Critical
Infrastructure Protection Working Group (CIPWG); Indications, Analysis,
and Warnings Program; Electricity Sector Information Sharing and
Analysis Center (ES-ISAC); Critical Infrastructure Protection Planning;
and Partnership for Critical Infrastructure Security.
Summary
The North American Electric Reliability Council (NERC) and the
electric industry worked closely with the National Infrastructure
Protection Center (NIPC) for about two years to develop a voluntary,
industry-wide physical and cyber security indications, analysis, and
warning (IAW) reporting procedure. This program provides NIPC with
information that when combined with other intelligence available to it
will allow NIPC to provide the electric industry with timely, accurate,
and actionable alerts and warnings of imminent or emerging physical or
cyberattacks. A high degree of cooperation with NIPC is possible
because the industry has a long history of working with local, state,
and federal government agencies. In addition, the NERC Board of
Trustees in the late 1980s resolved that each electric utility should
develop a close working relationship with its local Federal Bureau of
Investigation (FBI) office, if it did not already have such a
relationship. The Board also said the NERC staff should establish and
maintain a working relationship with the FBI at the national level.
The IAW reporting procedure is modeled on an existing electric
system disturbance reporting procedure in which electric utilities
report system disturbances meeting predefined criteria to the U.S.
Department of Energy. A pilot IAW program was field tested in one NERC
Regional Reliability Council in the fall of 1999 and winter 1999/2000.
The program was refined and rolled out to the industry via three
workshops held during the fall of 2000 and winter 2000/2001. A
comprehensive communications program is being developed to bring this
program to the attention of those industry entities that were not able
to participate in the workshops.
NERC is satisfied with the working relationship it has with NIPC.
Introduction
NERC has served on a number of occasions during the past decade as
the electric utility industry's (electricity sector's) primary point of
contact for issues relating to national security. Since the early
1980s, NERC has been involved with the electromagnetic pulse
phenomenon, vulnerability of electric systems to state-sponsored,
multisite sabotage and terrorism, Year 2000 rollover impacts, and now
the threat of cyber terrorism. At the heart of NERC's efforts has been
a commitment to work with various federal government agencies such as
the U.S. National Security Council, U.S. Department of Energy (DOE),
and FBI to reduce the vulnerability of interconnected electric systems
to such threats.
The report of the President's Commission on Critical Infrastructure
Protection (PCCIP) in October 1997 led to a May 1998 Presidential
Decision Directive (PDD-63). PDD-63 called for government agencies to
become involved in the process of developing a National Plan for
Information Systems Protection, and to seek voluntary participation of
private industry to meet common goals for protecting the country's
critical systems through public-private partnerships. The PCCIP
specifically commended NERC as a model for information sharing,
cooperation, and coordination between the private sector and
government. In September 1998, Secretary of Energy Bill Richardson
wrote to NERC Chairman Erle Nye seeking NERC's assistance, on behalf of
the electricity sector, in developing a program for protecting the
nation's critical electricity sector infrastructure. Responding to the
(DOE) critical infrastructure protection initiative, NERC agreed to
participate as the electricity sector coordinator.
As part of this public-private partnership, DOE, the U.S.
government's designated Energy Sector Liaison, worked through its
Infrastructure Assurance Outreach Program to perform an information
assurance assessment for a small number of nodes on NERC's industry
information system. The purpose of this assessment was to help NERC and
the electric industry develop an overall security framework to address
the changing industry structure and the threat of cyber and physical
intrusion. A second follow-on information system assessment was begun
in late 2000 and will be completed shortly. The product of this study
will be recommendations that will form the basis of a draft NERC policy
on information assurance. In addition, to facilitate the transfer of
information to industry that may be of value in the operation of the
electric systems in North America, DOE has provided clearances for a
number of industry personnel and clearances for other key industry
personnel are anticipated. These clearances complement those obtained
from the Federal Bureau of Investigation (FBI) as a result of
encouragement by NIPC, as discussed below.
Critical Infrastructure Protection Working Group (CIPWG)
After several exploratory scoping sessions with DOE and NIPC, NERC
created a Critical Infrastructure Protection (CIP) Forum to evaluate
sharing cyber and physical incident data affecting the bulk electric
systems in North America. The meetings of this group were widely
noticed and the participants included all segments of the electric
utility industry and representatives from several government agencies
including the Critical Infrastructure Assurance Office (CIAO) of the
Department of Commerce, DOE, and NIPC. As a result of the group's
deliberations, NERC created a permanent group within the NERC committee
structure--the Critical Infrastructure Protection Working Group
(CIPWG). This working group reports to NERC's Operating Committee. It
has Regional Reliability Council and industry sector representation as
well as participation by the CIAO in the Department of Commerce, DOE,
and NIPC.
Indications, Analysis, and Warnings Program
One of the first tasks of the Critical Infrastructure Protection
Forum was to develop the incident data types and event thresholds to be
used in an information-sharing program with NIPC. Information sharing
(electronic and telephone) mechanisms have been developed for use by
electric transmission providers, generation providers, and other
industry entities for reporting on a voluntary basis to both NIPC and
NERC. Assessments, advisories, and alerts prepared by NIPC (with NERC's
support), based on the data provided by the electric and other industry
sectors and government sources, will be stated in an actionable manner
and will be transmitted to electric industry entities. This process was
tested successfully within one Reliability Council Region during the
fall 1999 and winter 1999/2000. Because some of the analyses involve
classified information, U.S. government security clearances have been
obtained by key industry personnel and NERC staff members. Other
electric industry personnel are in the process of obtaining security
clearances.
The electric industry Indications, Analysis, and Warnings Program,
which evolved from this work (Attachment A), was presented to the NERC
Operating Committee in July 2000 for discussion and approval. The
Operating Committee approved a motion to implement the program; initial
emphasis is on reporting by security coordinators and control areas.
Individual electric utilities, marketers, and other electricity supply
and delivery entities are encouraged to participate by submitting
incident data and receiving the various types of NIPC warnings and
related materials. Workshops were conducted during the fall 2000 and
winter 2001 to provide program details to the industry. A more
comprehensive communications program is being developed by CIPWG to
encourage broader industry participation in the program.
NERC views the Indications, Analysis, and Warnings Program as a
voluntary first step toward preparing the electricity sector to meet
PDD-63 objectives.
Electricity Sector Information Sharing and Analysis Center (ES-ISAC)
The PCCIP recommended that each of the critical sectors establish
an Information Sharing and Analysis Center (ISAC) to help protect the
infrastructures from disruption arising from coordinated intrusion or
attack. The ISACs would gather incident data from within their
respective sectors, perform analysis to determine potential malicious
intent, share findings with other ISACs (private and government) in a
manner that assures, as required, target identity protection, and
disseminate actionable warnings so appropriate action can be taken
within each sector. ISACs would serve as points of contact between
sectors to facilitate communications, especially during a time of
stress. ISACs would study cross sector interdependencies to better
understand and be prepared for the possible impacts of an ``outage'' of
one sector on another.
The CIPWG has endorsed, and NERC has accepted, the naming of NERC
as the Electricity Sector Information Sharing and Analysis Center (ES-
ISAC). The functions performed are essentially the same as those
functions that have been required of NERC for physical sabotage and
terrorism. The ES-ISAC's duties are:
1. Receive voluntarily supplied incident data from electric
industry entities.
2. Work with NIPC during its analysis of incident data to
determine threat trends and vulnerabilities.
3. Assist the NIPC personnel during its analyses on a cross
private and federal sector basis.
4. Disseminate threat and vulnerability assessments,
advisories, and alerts and other related materials to all those
within the electric industry who wish to participate.
The ES-ISAC is staffed on workdays with on-call provision for all
other periods. Should this capability need to be enhanced, NERC will
likely request support for a 24-hour, seven days a week staffed
facility. To this end, NERC also is exploring the feasibility of
forming a joint ISAC with other sectors.
NERC has established relationships with the other existing ISACs
through the Partnership for Critical Infrastructure Security (see
below) and will establish relationships with other ISACs as they form.
Critical Infrastructure Protection Planning
The CIPWG, working with CIAO, has written a Business Case for
Action to delineate the need for critical infrastructure protection by
the electric industry (Attachment B). Separate business cases have been
prepared for Chief Executive Officers, Chief Operating Officers, Chief
Information Officers, and a NERC general overview (Attachments C, D, E,
and F). The purpose of the business case is to persuade industry
participants of the need to report cyber intrusion incidents and to be
mindful of the possible business losses caused by cyber and physical
intrusion.
The CIPWG has developed a basic and fairly comprehensive plan to
address CIP. The working group was concerned about generating an overly
prescriptive plan too early in the process and has proceeded with a
format that can assist in developing each entity's own plan. The
prototype plan, which still is undergoing industry review, addresses
awareness, threat and vulnerability assessment, practices that can be
considered, risk management schema, reconstitution, and
interdependencies between and among sectors.
The essence of this ``Approach to Action'' is being considered for
inclusion in Version 2.0 of the National Plan for Information Systems
Protection being compiled by the U.S. Government. Richard Clarke,
Special Assistant to the President and National Coordinator for
Security, Infrastructure Protection, and Counter-terrorism, has
discussed the importance of establishing and maintaining a National
Plan to the health of the government and private sectors, companies,
and the nation. Version 1.0 of the Plan did a good job covering the
threats and the government response, but it did not detail private
sector response. The need for private sector participation is
engendered by the fact that the government lacks private sector
expertise and needs private sector ``buy in'' to CIP initiatives. The
National Plan version 2.0, which will include private sector input, is
scheduled for fall 2001.
Partnership for Critical Infrastructure Security
The Partnership for Critical Infrastructure Security (PCIS) was
proposed in late 1999 by members of several private sectors; the PCIS
is supported by CIAO and the U.S. Chamber of Commerce. Earlier this
year, it established itself as a not-for-profit organization and
elected a Board of Directors and company officers. NERC participates in
PCIS and Michehl R. Gent, NERC's President and Chief Executive Officer,
serves as PCIS' Secretary.
The PCIS Mission:
Coordinate cross-sector initiatives and complement public/
private efforts to promote and assure reliable provision of
critical infrastructure services in the face of emerging risks
to economic and national security.
The PCIS held two general forums in 2000 and one so far this year.
It is planning a second general forum on September C-7, 2001. The PCIS
has formed six active working groups: Interdependency Vulnerability
Assessment and Risk Management; Information Sharing, Outreach and
Awareness; Public Policy and Legislation; Research and Development and
Workforce Development; Organization Issues and Public-Private
Relations; and National Plan. The opportunities presented by PCIS
include gaining a better perspective of the sector interdependencies,
facilitating ISAC formation, and sharing of common research and
development efforts.
Statement of Taher Elgamal, Chairman, President & CEO, Securify, Inc.,
Mountain View, CA
Executive Summary
Protecting our nation's critical infrastructures today is a great
challenge given the open and global nature of the Internet. Since the
Internet was not developed for commercial activity and since it does
not recognize political borders, industry and government need to invest
in new technologies and business practices in order to strengthen the
Internet. Obviously more and more value resides online in networks.
Increasingly, society itself is dependent upon computer-based
communications and the Internet.
Greater coordination between governments and industry is necessary.
Information sharing and analysis is a good start. However, security
needs to become a tool for running one's business or organization in a
more effective manner, rather than a reaction to a problem.
Fundamentally, security is first about being aware of what is actually
happening on one's network. Simply putting up barriers at the perimeter
of your network is not going to work. There are no walls in cyberspace:
remote access by employees, consultants on site, and ever increasing
interconnectedness with other networks eliminate any sense of walls.
Rather than defending one's network from perceived outside threats, one
must instead manage from the inside outward. Vigilance rather than
repair will become the standard operating procedure for both industry
and government networks.
Introduction
Protection of our nation's critical infrastructure requires
increased attention from business and government. With the advent of
the Internet more of society is dependent on computer-based
communications. This will not change. Globalization, economic
productivity, trade, innovation, education, and other drivers
accelerate dependency. Since the private sector owns or operates the
vast majority of the world's information infrastructure and relies upon
other infrastructures (e.g., energy, law enforcement, health care,
finance, transportation, defense) that are recognized in many cases as
government driven, both industry and government must cooperate closely
on the significant issues before the Subcommittee today.
Securify, Inc., is pleased to be a witness. We believe that our
approach to security enables business and government to be in a
superior position to address today's infrastructure concerns. From my
own professional experience I know first hand about the close working
relationships between industry and government in the area of security.
For example, my PhD thesis became the adopted DSS government standard
for digital signatures. Based on this experience I respectfully suggest
some public policy ideas for the Subcommittee to consider.
Background on Securify, Inc.
One cannot have security without the ability to continually verify
that actual activity comports with expectations, rules and policies.
One can spend a lot of time and money on people and technology and not
improve the quality of security. Verification is an essential and
logical first step.
Securify was founded in 1998 as VeriGuard, Inc. Within the first 10
months the company changed its name to Securify and was then sold to
Kroll-O'Gara, a publicly traded risk mitigation and security services
firm. Kroll-O'Gara spun Securify out as an independent company in 2000.
Today Securify is a privately held firm with approximately 100
employees. Our headquarters are based in Mountain View, California.
Securify began as a high-end information security consulting firm.
Clients were Fortune 50 firms with very sensitive security needs. Early
on Securify recognized that customers needed automated, technology
driven and continuous security solutions. Customer needs escalated and
outstripped the availability of security experts and consumed
increasing portions of IT budgets. A proactive, cost-effective approach
that served the business needs of the customer was necessary. For
nearly two years Securify has researched and developed a unique,
patent-pending technology. It is called SecurVantage.
Securify designed this unique, managed service for measuring
security effectiveness of business networks including intranets,
production networks and connections to the networks of partners,
customers and suppliers. Securify SecurVantage provides in-depth
visibility and analysis of the security attributes of live network
traffic, enabling security managers and IT staff to quickly detect
misconfiguration, and the presence of unauthorized devices.
Most organizations manage each security device independently and
hope the combination of devices provides security. Securify
SecurVantage provides a continuous method for comparing real time
traffic to business-level security standards. Performing this analysis
of real time traffic on a continuous basis is the best method to ensure
live traffic is conforming to corporate security guidelines. Securify
SecurVantage provides a high-level overview of security policy
development, implementation, and continuous maintenance. It quickly
targets inconsistencies and recommends corrective actions. Securify
SecurVantage establishes a baseline, customized, business-driven
security policy specification for each customer. Using this
specification, network traffic is analyzed for conformance to the
desired security requirements. If a violation is detected, the Securify
Network Operations Center (NOC) staff alerts the customer of the
violation and recommends corrective action. Securify SecurVantage can
also be used to establish metrics to ensure traffic flowing between
business partners meets required security parameters. This is
particularly important for companies that rely on their distributed
networks for day-to-day operations, wherever valuable data is accessed
and stored.
What Is Needed To Protect Critical Infrastructures: Verification and
Security
Securify's SecurVantage demonstrates the combination of security
and verification. By continually verifying that the activity on your
networks and the networks you connect to is what is expected, then one
can focus on mitigating the deviations, anomalies and
exceptions. This is a significantly smaller set of events to focus on
than the ever evolving and growing universe of threats and
vulnerabilities. Rather than reacting to the expanse of threats and
vulnerabilities one can mitigate risk on a level that is customized and
do so in an intelligent and managed manner. It is the difference
between reacting on little or no information to acting according to a
plan. And since this approach is a part of the every day functioning of
the customer's business and their networks, they have the ability to
assess security performance and other network attributes. So it is more
than security; it helps make the network and the organization it serves
healthier, more reliable and productive. It simply makes it more
valuable.
This is an important point. Government and business increasingly
have more value and more at stake digitally than physically. Assets and
value are based not on material objects but on information assets and
network connections. From General Electric to Dell, from old to new,
more businesses are using technology to change how they're run and to
manage their operations and relations with employees, customers,
suppliers and partners.
More revenue is derived from network activity. More cost savings
are gained from online activity. Today this is no longer headline news
but a real fact of life for business and government alike.
We all recognize that an organization cannot function properly,
effectively, successfully, competitively or legally without sound
financial management processes and systems. A business cannot function
if it does not continually know the status of money coming in and money
going out and who is touching the money. The same has become true for
network activity and the increasingly valuable and critical information
that flows through the network. Even today, discussions of corporate
network security issues are delegated down from corporate management to
the IT department. Recent reports by the GAO on the status of
government network operations reveal a similar problem. We believe that
a healthy dialogue between senior government officials, corporate CEOs
and Boards of Directors, academia and others is required if these
issues are to be appropriately addressed and resolved.
As a vendor of security technology and solutions, Securify of
course stands to benefit from spending on security by business and
government. Securify is not here today to recite the latest statistics
on the number of attacks and threats and their cost to business and our
economy. Frankly, the damage done by overt activity is overshadowed by
the costs resulting from poorly managed networks.
Securify advocates the adoption of the proactive and continuous
approach of verification. It is simply good business and trustworthy
government. One cannot manage what they do not measure. If one does not
have a network security policy in place and if one does not continually
measure the actual activity on the network against this policy, then
one will never know if they are secure. As a result the network is
unreliable and it cannot ensure privacy, security, and integrity.
It is important to note that the Internet was designed some thirty
years ago by collaboration between government, industry and academia.
The Internet was designed to be an open medium for sharing information.
Security and commercial activity were not a part of the original
programming. It is important to recognize this plain fact. Now that we
are all dependent on the Internet and computer-based communications we
need to take some new action to make the Internet strong enough.
Action includes increased information sharing and analysis within
industry and government. Action includes adopting new technologies and
business practices. Spending on security has not really diminished in
the current economic climate. A recent survey of the chief information
officers of the Fortune 100 reported that security spending is the last
item to be cut from an IT budget. This may be stating the obvious. One
does not cut what protects one's assets. What is not so obvious is that
security spending has increased in recent years but no one really knows
how effective those investments have been.
If one can start from the first point of a verified network then
the owner and operator of that network has the ability to continually
ensure that it is functioning within expected parameters. They can
track activity and correct errors and analyze historical records for
improvement and modification. Results of this include greater
reliability (i.e., less network downtime), privacy assurance (i.e., one
has the ability to determine if the set privacy rules and practices are
being applied properly and followed) and greater security (i.e., one
can track deviations and anomalies in real time across all networks).
This is not some sort of big brother technology. It is a business
tool. Just as a senior management team and a board of directors must
know if there is a misuse of funds or property or some sort of illegal
activity taking place inside their company, they must have the tools
and ability to detect and mitigate the same sorts of unauthorized
activity in the digital world. Such a tool provides for transparency in
the operation of a business. Without it truly nefarious activity would
be able to flourish and do so unchecked as no one would be readily able
to detect it or mitigate it.
By using SecurVantage our customers immediately see unauthorized
activity such as an employee using a file server to transmit sensitive
data to a competitor. Employees and consultants use a network and its
resources to run gambling and pornography businesses. Many misuse their
access to peruse parts of the network they don't need to see or should
not gain access to. These are just a few examples. But they easily
illustrate the costs of misuse of a network. From just the cost control
perspective, network misuse increases operating costs. Why should a
company pay for more bandwidth, energy, equipment or technical support
than it has to in order to do its business? Again, security is really
about running an organization correctly and effectively. It is not
simply a matter of preventing attacks or locking secrets away. At some
point, financial audits are less than complete if a company's network
security vulnerabilities and practices are not reviewed and discussed,
especially for certain types of firms. Any company involved in an
acquisition today would want to investigate the target company's
network security practices as an ordinary due diligence item.
What This Means for the Public Policy Landscape: New Activity for
Policy Makers
The Administration recently announced its intention to change the
approach of government on managing security and critical infrastructure
policymaking functions. A fresh approach that accounts for the
increasing significance of the issues is most welcome. Securify is
involved in many government and industry groups. From the G8 to the
OECD to the Council of Europe to the US Congress to the European
Commission to the Japanese Government, there is government-driven
activity. From the Global Business Dialogue on Electronic Commerce
(GBDe), to various industry trade associations to the newly created
information sharing and analysis centers (ISACs) for key industry
sectors (e.g., IT, transport, energy, finance), there is increasing
senior executive level attention to these issues.
Industry remains sensitive to control of technical standards and
open, global markets. Governments remain interested in setting some
parameters for best practices and liability for criminal activity. Some
in industry fear sharing information in industry groups as an exposure
to one's competitors and to attackers. Some in industry fear sharing
information with government will lead to an unauthorized disclosure and
possible public embarrassment and perhaps litigation. Multinational
companies and some governments wonder how information sharing and
analysis can cross borders when trust between parties may not be
sufficient to address national security and espionage concerns. Many
government officials and Members of Congress are concerned about
foreign ownership of sensitive technologies developed here in the
United States (e.g., Verio-NTT, VoiceStream-Deutsche Telekom, Silicon
Valley Group-ASM Lithography (ASML), Lucent-Alcatel).
Law enforcement of course needs to have lawful access to data.
Cooperation between governments and companies across borders is
critical. As information sharing and analysis cooperation between
government agencies and industry groups grows in the US, we will need
to focus on the issue of sharing across borders. This is not a radical
idea. Indeed, we can learn from our past.
Some sixty-five years ago academics, mathematicians, government
intelligence specialists, cryptographers, chess masters, and others
from several countries quietly