[House Hearing, 108 Congress] [From the U.S. Government Publishing Office] THE INVISIBLE BATTLEGROUND ======================================================================= HEARING before the SUBCOMMITTEE ON CYBERSECURITY, SCIENCE, AND RESEARCH AND DEVELOPMENT of the SELECT COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED EIGHTH CONGRESS FIRST SESSION __________ SEPTEMBER 16, 2003 __________ Serial No. 108-26 __________ Printed for the use of the Select Committee on Homeland Security Available via the World Wide Web: http://www.access.gpo.gov/congress/ house __________ U.S. GOVERNMENT PRINTING OFFICE 21-354 WASHINGTON : 2005 _____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800 Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�0900012005 SELECT COMMITTEE ON HOMELAND SECURITY CHRISTOPHER COX, California, Chairman JENNIFER DUNN, Washington JIM TURNER, Texas, Ranking Member C.W. BILL YOUNG, Florida BENNIE G. THOMPSON, Mississippi DON YOUNG, Alaska LORETTA SANCHEZ, California F. JAMES SENSENBRENNER, JR., EDWARD J. MARKEY, Massachusetts Wisconsin NORMAN D. DICKS, Washington W.J. (BILLY) TAUZIN, Louisiana BARNEY FRANK, Massachusetts DAVID DREIER, California JANE HARMAN, California DUNCAN HUNTER, California BENJAMIN L. CARDIN, Maryland HAROLD ROGERS, Kentucky LOUISE McINTOSH SLAUGHTER, SHERWOOD BOEHLERT, New York New York LAMAR S. SMITH, Texas PETER A. DeFAZIO, Oregon CURT WELDON, Pennsylvania NITA M. LOWEY, New York CHRISTOPHER SHAYS, Connecticut ROBERT E. ANDREWS, New Jersey PORTER J. GOSS, Florida ELEANOR HOLMES NORTON, DAVE CAMP, Michigan District of Columbia LINCOLN DIAZ-BALART, Florida ZOE LOFGREN, California BOB GOODLATTE, Virginia KAREN McCARTHY, Missouri ERNEST J. ISTOOK, Jr., Oklahoma SHEILA JACKSON-LEE, Texas PETER T. KING, New York BILL PASCRELL, JR., New Jersey JOHN LINDER, Georgia DONNA M. CHRISTENSEN, JOHN B. SHADEGG, Arizona U.S. Virgin Islands MARK E. SOUDER, Indiana BOB ETHERIDGE, North Carolina MAC THORNBERRY, Texas CHARLES GONZALEZ, Texas JIM GIBBONS, Nevada KEN LUCAS, Kentucky KAY GRANGER, Texas JAMES R. LANGEVIN, Rhode Island PETE SESSIONS, Texas KENDRICK B. MEEK, Florida JOHN E. SWEENEY, New York JOHN GANNON, Chief of Staff UTTAM DHILLON, Chief Counsel and Deputy Staff Director DAVID H. SCHANZER, Democrat Staff Director MICHAEL S. TWINCHEK, Chief Clerk ______ Subcommittee on Cybersecurity, Science, and Research and Development MAC THORNBERRY, Texas, Chairman PETE SESSIONS, Texas, Vice Chairman ZOE LOFGREN, California SHERWOOD BOEHLERT, New York LORETTA SANCHEZ, California LAMAR SMITH, Texas ROBERT E. ANDREWS, New Jersey CURT WELDON, Pennsylvania SHEILA JACKSON-LEE, Texas DAVE CAMP, Michigan DONNA M. CHRISTENSEN, ROBERT W. GOODLATTE, Virginia U.S. Virgin Islands PETER KING, New York BOB ETHERIDGE, North Carolina JOHN LINDER, Georgia KEN LUCAS, KENTUCKY MARK SOUDER, Indiana JAMES R. LANGEVIN, Rhode Island JIM GIBBONS, Nevada KENDRICK B. MEEK, Florida KAY GRANGER, Texas CHARLES GONZALEZ, Texas CHRISTOPHER COX, California, ex JIM TURNER, TEXAS, ex officio officio (ii) CONTENTS ---------- Page STATEMENTS The Honorable Mac Thornberry, a Representative in Congress From the State of Texas, and Chairman, Cybersecurity, Science, and Research and Development....................................... 1 The Honorable Zoe Lofgren, a Representative in Congress From the State of California, and Ranking Member, Cybersecurity, Science, and Research and Development Oral Statement................................................. 2 Prepared Statement............................................. 5 The Honorable Donna M. Christensen, a Delegate From the U.S. Virgin Islands................................................. 24 The Honorable Jennifer Dunn, a Representative in Congress From the State of Washington........................................ 4 The Honorable Bob Etheridge, a Representative in Congress From the State of North Carolina.................................... 20 The Honorable James R. Langevin, a Representative in Congress From the State of Rhode Island Oral Statement................................................. 33 Prepared Statement............................................. 6 The Honorable Sheila Jackson-Lee, a Representative in Congress From the State of Texas Oral Statement................................................. 29 Prepared Statement............................................. 6 The Honorable John Linder, a Representative in Congress From the State of Georgia............................................... 23 The Honorable Ken Lucas, a Representative in Congress From the State of Kentucky.............................................. 26 The Honorable Kendrick B. Meek, a Representative in Congress From the State of Florida........................................... 37 The Honorable Pete Sessions, a Representative in Congress From the State of Texas............................................. 27 Witness The Honorable Robert Liscouski, Assistant Secretary, Infrastructure Protection Directorate, Department of Homeland Security Oral Statement................................................. 7 Prepared Statement............................................. 9 WHAT THE DEPARTMENT OF HOMELAND SECURITY IS DOING TO MAKE AMERICA'S CYBERSPACE MORE SECURE ---------- Tuesday, September 16, 2003 House of Representatives, Subcommittee on Cybersecurity, Science, and Research and Development, Select Committee on Homeland Security, Washington, DC. The committee met, pursuant to call, at 9:30 a.m., in Room 2118, Rayburn House Office Building, Hon. Mac Thornberry [chairman of the subcommittee] presiding. Present: Representatives Thornberry, Sessions, Linder, Lofgren, Jackson-Lee, Christensen, Etheridge, Lucas, Langevin, and Meek. Also Present: Representative Dunn. Mr. Thornberry. The hearing will come to order. I would like to welcome our witness and guests to today's hearing, entitled The Invisible Battleground: What the Department of Homeland Security is Doing to Make America's Cybersecurity More Secure. Over the past several months this subcommittee has received a number of perspectives on cybersecurity. We have held classified and unclassified briefings and hearings. We have heard from witnesses from academia, think tanks, technology industry, government agency, users, and others. Our goal has been to deepen our understanding of the issues involved and to gain a truer perspective on how and where cybersecurity fits into homeland security. Now, today, we will hear a progress report from the new Department of Homeland Security. From the first bills introduced in Congress to create a Department of Homeland Security, cybersecurity was one of those critical elements that was given to the new department, one of the functions where a number of government agencies would be brought together with greater emphasis and broader responsibilities. It was clear that if we were really going to modernize and strengthen Homeland Security, cybersecurity had to be a part of it. The final legislation, in fact, did that. It did not set cybersecurity apart, as some proposed, but included it as one of the critical infrastructures placed under the Directorate for Information Analysis and Infrastructure Protection. Since the Department began operations in March this year, it has brought some key people on board, although sometimes it has seemed to have taken a while. In June, it announced the creation of a National Cybersecurity Division; just yesterday a director was announced for that division. Yesterday, also, an emergency response partnership with Carnegie Mellon University and a US-CERT was announced. So significant steps have been taken. In its strategy, released in February, the administration acknowledged that cyberspace is the nervous system of the other infrastructures, the control system of the country. Thus, the healthy functioning of cyberspace is essential to our economy and our national security. In our hearings so far, we have heard that cyber attacks are growing in number and complexity and in severity of the consequences. The recent bout with viruses and worms have shown that once they are launched, they are not easily contained; and as recently as last week, our hearing on the recent blackouts have shown again the interconnectiveness of various infrastructures. And yet there has been a lingering concern that cybersecurity has not been given the priority it deserves from the Department. Today, we are ready to hear from the administration on some answers to these important questions, such as: Where are we in implementing each of the five priorities contained in the national strategy; What can and should the Federal Government do to require or encourage better security for all of the IT infrastructure which is in private hands; and What about the human element where we have received testimony that up to two-thirds of the problems that are created are created by the interface of human beings with technology? In today's world, our computers and cyber networks are not just a place to do business and conduct research and communicate with our friends. Cyberspace is an invisible battleground that we must secure and defend, for attacks are being launched against us every day attacks against the central nervous system of the country and against our economy and our security. We must be ready. And today we hope to hear from our witness that we are in better shape than we have been in the past. Before we turn to our witness, I am going to yield to our distinguished ranking member, my partner in this effort, Ms. Lofgren. Ms. Lofgren. Thank you, Chairman Thornberry, for holding this hearing and for your continued outstanding leadership of this committee. I think the chairman did a great job in summarizing the work that this subcommittee has done to date. All the members of the subcommittee have taken the time to study this incredibly complex set of issues involving cybersecurity, and we certainly know more now than we did when we began our endeavor. I think all of us agree that the Nation's cyber infrastructure remains vulnerable and that the Federal Government must provide leadership to better secure our systems in both the public and private sectors. My concerns about the Department of Homeland Security are that it is not providing sufficient leadership in the cyber arena, particularly in the following five areas: Reducing vulnerabilities: The Department is tasked with reducing vulnerabilities to government in critical asset computers as well as responding to cyber incidents. The number of cyber attacks and resulting damage, however, continues to increase. This past August was the worst ever for computer viruses. The Blaster, Welchia, and SoBigF viruses, along with other attacks, caused more than $32.8 billion in economic damages according to one digital risk assessments company. Two, coordination: Is the National Cybersecurity Division coordinating with the private sector, other government agencies, and State and local governments to identify vulnerabilities? Has the NCSD begun a national risk assessment? If so, when will it be complete? I am concerned that the Department is not providing quick leadership in this area. Departures from the administration: In the last 6 months the most senior Bush administration cyber officials have left the government. These individuals include Richard Clarke, the Special Advisor to the President for Cybersecurity; Howard Schmidt, the Vice Chair of the President's Critical Infrastructure Board, and Clarke's replacement; Ron Dick, the Director of the National Infrastructure Protection Center; and John Tritak, Director of the Critical Infrastructure Assurance Office. I am concerned about these departures and that the National Cybersecurity Division may lack sufficient personnel and resources to operate effectively. Cyber priorities at DHS: Clearly, as the chairman has mentioned, cybersecurity is enormously important to the infrastructure of the Nation. I am worried that cybersecurity has been demoted in importance in the administration with the lead official for cyber issues reduced from a Special Advisor to the President, working in the White House, to a directorship very deep within the Department of Homeland Security. The Nation's cyber chief must have both the access and resources to do the job, the cyber chief at DHS. It took the Department over 3 months to announce its choice for a leader of the NCSD. This delay is troublesome, and I am curious as to why it took the Department so long to settle on a candidate. I am also concerned about the number of other jobs that seem to be empty and vacant within NCSD, how many desks are empty. Is there anyone there to answer the phone? With these concerns in mind, I am very encouraged by the person chosen to lead the NCSD. Mr. Yoran currently serves as the Vice President of Managed Security Services Operation at Semantech Corporation, the Internet security firm headquartered in Cupertino, California, near my home. I am very familiar with the work of Semantech. It is one of the true bright spots in Silicon Valley, and its CEO, John Thompson, is a talented and thoughtful leader. I am hopeful that our new guy will provide needed leadership at the NCSD, and once he is on the job, I am going to tell him that he must candidly tell the chairman and me if he has the access and resources needed to accomplish his mission. If he is unable to do his job, Secretary Ridge should expect to hear from me and, I think, the chairman directly. As you can see, we have many concerns about the cyber program of the Department of Homeland Security. I am pleased that we finally today will hear directly from the top official at DHS on our efforts. And the Assistant Secretary for Infrastructure has served as the acting chief since it was established on June 6, so I am sure he will address the concerns that I have raised; and I hope he will be able to reassure me that cybersecurity is, in fact, a priority at the Department. I thank the chairman for yielding. Mr. Thornberry. Thank the gentlelady. Without objection, the distinguished vice chair of the full committee will sit with the subcommittee today, and the Chair would yield to the gentlelady from Washington for any opening statement she would like to make. Ms. Dunn. Thank you very much, Mr. Chairman. Mr. Liscouski, I am looking forward to your testimony. Thank you for joining us here today. We are eager to learn about the Department of Homeland Security's most recent efforts, in fact, in June of this year to protect an important part of our Nation's critical infrastructure, our cyber systems. In the wake of September 11, the leaders of this Nation have realized that securing our homeland against terrorist attacks also means that we need to think creatively about where our targets might be. We have visual reminders of many targets every single day. When we board an airplane, when we drive over a bridge, when we have our bags searched at football games. But we also have targets that are far less visible. The power grid is one such example. Cyberspace is another. And that is why we are here today. Your division, Mr. Liscouski, faces no small task. Securing cyberspace is an international issue, something I realized with greater awareness this summer when I addressed a group in London on cybersecurity, and was very happy to learn how involved the people of the British Government are in making sure we get this right. Also, we know that a cyber attack from overseas cannot be intercepted at the border, or at least is very difficult to be intercepted at any border, since there are no borders in the cyber world. This issue is also one that requires intense partnership with the private sector. The key to achieving a desired level of cybersecurity is utilizing and supporting the relationships that we have formed with the private sector, those on the ground doing research and development. Companies like Microsoft, which I represent here in the United States Congress, have realized that many of its priorities in business are in line with our Homeland Security priorities here in Congress. We are all working to prevent a situation where critical technological infrastructure is brought down. This committee has spent a significant amount of time looking into the successful public-private and cross-industry partnerships that already exist. I hope the Department continues to work closely with the private sector to reach a clear understanding of what a safe network system looks like. As the Department works to protect America's technological infrastructure, it also must keep in mind the interconnectivity these cyber connections have with the world's financial markets, transportation and communications systems. I am very happy the Department is taking this charge seriously, and I look forward to your testimony. Mr. Thornberry. Thank the gentlelady. Does any other member wish to offer an opening statement at this time? Without objection, any member may submit an opening statement for the record. [The information follows:] Prepared Statement of the Honorable Zoe Lofgren, Ranking Member, Subcommittee on Cybersecurity, Science, and Research and Development Thank you Chairman Thornberry for holding this hearing and for your continued outstanding leadership of this subcommittee. Chairman Thornberry did a terrific job in summarizing the work that this subcommittee has done to date. All Members of this subcommittee should be commended for taking the time to study the incredible complex set of issues involving cybersecurity. We have learned a lot since this subcommittee first met at the beginning of the year. I think all would agree that our nation's cyber infrastructure remains vulnerable, and that the federal government must provide leadership to better secure our systems in both the public and private sector. My concerns about the Department of Homeland Security are that it is just not providing sufficient leadership in the cyber arena, particularly in the following five areas.Reducing Vulnerabilities: The Department is tasked with reducing vulnerabilities to government and critical asset computers, as well as responding to cyber incidents. The number of cyber attacks, and resultant damage, however, continues to increase. This past August was the worst month ever for computer viruses. The Blaster, Welchia, and SoBig.F viruses, along with other attacks, caused more than $32.8 billion in economic damages, according to one digital risk assessment company. Coordination: Is the National Cyber Security Division (NCSD) coordinating with the private sector, other government agencies, and state and local governments to identify vulnerabilities? Has the NCSD begun a national risk assessment? If so, when will it be complete? I am very concerned that the Department is just not providing leadership in this area. Bush Administration Departures: In the last six months, the most senior Bush Administration cyber officials have left the government. These individuals include Richard Clarke, the special advisor to the president for cyber security; Howard Schmidt, the vice chair of the president's critical infrastructure board and Clarke's replacement; Ron Dick, the director of the National Infrastructure Protection Center; and John Tritak, director of the Critical Infrastructure Assurance Office. I am very concerned about these departures and that the National Cyber Security Division may lack sufficient personnel and resources to operate effectively Cyber priorities at DHS: Clearly, cyber security has been demoted in importance in the Administration with the lead official for cyber issues reduced from a special advisor to the President working in the White House, to a Directorship buried deep within the Department of Homeland Security. The nation's cyber chief must have the both the access and resources to do the job. Cyber Chief at DHS: In addition, it took the department over 3 months to announce its choice for a leader of the NCSD. This delay is troublesome, and I am curious as to why it took the department so long to settle on a candidate. I am also concerned about the number of other jobs that need to be filled within the NCSD. How many desks are empty? Is there anyone there to answer the phone? With these concerns in mind, I am very encouraged by the person chosen to lead the NCSD. Mr. Amit Yoran currently serves as the Vice President of Managed Security Services Operations at Symantec Corporation, the internet security firm headquartered in Cupertino, California. I am very familiar with the work of Symantec. It remains one of the true bright spots in Silicon Valley, and its CEO, John Thompson is a talented and thoughtful leader. I am hopeful that Mr. Yoran will provide needed leadership in the NCSD. Once he in on the job, I am going to tell him that he must candidly tell me if he has the access and resources needed to do his job. If he is unable to do his job, Secretary Ridge should expect to hear directly from me. As you can see, I have many concerns about the cyber program at the Department of Homeland Security. I am pleased that we finally get to hear directly from a top official at DHS today on its efforts. Robert Liscouski, Assistant Secretary for Infrastructure Protection, has served as the acting chief of the National Cyber Security Division (NCSD) since it was established on June 6, 2003. I hope that Mr. Liscouski will address my many concerns and reassure me that cyber security is in fact a priority at the Department of Homeland Security. Prepared Opening Statement of the Honorable James Langevin, a Representative in Congress from the State of Rhode Island Thank you, Mr. Chairman. I would like to welcome Assistant Secretary Liscouski, and express my appreciation for your willingness to come here for what I expect will be a very informative and productive hearing. We have heard so much from both the private and academic sectors about the state of information security and their hopes and fears about the Department of Homeland Security's plans, and now we can find out about those plans directly from the source. Mr. Chairman, my greatest concern by far is the fact that no information has been forthcoming from DHS until now. While I am pleased to finally get the chance to discuss how information security fits into the overall plan for critical infrastructure protection, I must express my disappointment at how long it has taken. I believe it is the duty of this Subcommittee to determine what is being done, and what more can be done, to safeguard our critical infrastructure. While it is true that much of our information infrastructure lies with private industry, that should in no way reduce DHS's efforts to secure and protect it. I am especially interested to hear Mr. Liscouski's opinion on whether or not the structure and resources being devoted to cybersecurity at DHS are sufficient to handle the tasks for which it is now responsible. In addition, I hope to learn what, if any, attention is being paid to home users and their security, an important group that is often left out of ``big picture'' views of information security. Most importantly, this Subcommittee needs to know how DHS can best work in conjunction with our computer industry partners and other agencies in order to raise the bar for information security for all users. Again, I greatly appreciate Assistant Secretary Liscouski taking time to be here to discuss these vital issues with us. Thank you, Mr. Chairman. Prepared Opening Statement of the Honorable Sheila Jackson-Lee, a Representative in Congress from the State of Texas Mr. Chairman, Thank you for calling this important and provocative hearing. With the recent blackouts, and the viruses which have been plaguing the House computer systems, our infrastructure networks--and our dependence on them--is abundantly clear. It will be good to explore what the Administration is doing to make them more secure. Obviously, national security is foremost on everyon's minds these days. As we work to improve our country's security, it is important that we take inventory of all systems that are vital to the functioning of the nation, and do all we can to protect them. This certainly includes our computer networks systems that can be attacked anonymously and from far away. These networks are the glue that holds our nation's infrastructure together. An attack from cyberspace could jeopardize electric power grids, railways, hospitals and financial services, to name a few. The recent blackouts made it clear how fragile and vulnerable our infrastructure may be. We are all aware of the growing number of internet security incidents. These incidents can come in many flavors: annoying attacks through emails, involving such things as computer viruses, denial of service attacks, and defaced web sites; or cyber-crime, such as identity theft. Such events have disrupted business and government activities, and have sometimes resulted in significant recovery costs. Despite the risks, our hospitals and power grids, our communications, our transportation systems, will probably always be critically dependent on computers and information flow and the satellites above us. A terrorist or other criminal tampering with those systems could devastate entire industries and potentially cost lives. While we have been fortunate so far in avoiding a catastrophic cyber attack, Richard Clarke, the President's cyber-terrorism czar from last year, I guess I should say ``two czars ago,'' said that the government must make cybersecurity a priority or face the possibility of a ``Digital Pearl Harbor''. This was truly a frightening prospect. On paper, it seems we are taking bold steps toward securing cyberspace: we now have a National Cyber Security Division (NCSD) at the DHS, and its new U.S. Computer Emergency Response Team (US-CERT). I would like to thank Mr. Liscouski for taking the time away from the challenges that face him at the DHS to enlighten us on the progress the Department and the Administration are making on this important front. We have been working on this subject for the past year in the Science Committee as well. One thing I have been disturbed by is the lack of good data on the threats that face us, and the absence of a solid assessment of the risks we face. How can we know how much to invest, and where, if we do not know those basics? I want to know the magnitude of the threat out there, and how Americans are dealing with it. What is the role of the private sector, and of private citizens, and of the federal government? Are we putting adequate resources and energy into fulfilling that role? I look forward to the dialogue. Thank you. Mr. Thornberry. With that, we will turn to our witness. We want to welcome, Robert P. Liscouski, Assistant Secretary for Infrastructure Protection of the Department of Homeland Security. I understand this is your first opportunity to testify in front of Congress. We appreciate your being here and you are recognized. Your full statement will be made part of the record, and you are recognized to summarize it as you wish. STATEMENT OF THE HONORABLE ROBERT P. LISCOUSKI, ASSISTANT SECRETARY FOR INFRASTRUCTURE PROTECTION, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Liscouski. Thank you and good morning, Chairman Thornberry and members of the committee. I am pleased to appear before you this morning to discuss some of our efforts to protect and secure our Nation's critical infrastructure. From the beginning of DHS, IAIP and the Infrastructure Protection Office for which I am responsible recognized the equal importance of protecting physical as well as cyber assets. Thus, we created the National Cybersecurity Division on June 6 of this year. Today, I am here to give you a progress report on where we are now and where we will be going in the future to implement the President's national strategy to secure cyberspace. Mr. Thornberry. Excuse me, Mr. Liscouski, would you pull the microphone just a little closer to you. It will be easier for us to hear. Thank you. Mr. Liscouski. All right. I am pleased to announce this morning that Amit Yoran has been formally named as the Director of the NCSD, effective today. Mr. Yoran is a strategic thinker, a disciplined leader, who understands the unique threats and vulnerabilities manifested in cyberspace and is the individual who will further accelerate our efforts in building a full NCSD team and increasing the strength of our public and private sector partnerships. Building upon the formation of the NCSD, the Department has worked to assemble a consolidated and coordinated team of cybersecurity professionals. Despite the many organizational and cultural challenges associated with integrating these elements into one entity, our initial efforts have yielded very effective positive and tangible results. The creation of the NCSD has enabled the initial consolidation of three 24x7 cyber watch capabilities; formulation of standardized incident handling procedures for responding to cybersecurity events; and the creation of a single national focal point for cybersecurity leadership for prevention, protection, and response to incidents. The most recent accomplishments of the NCSD is the creation of the National Computer Emergency Response Team or the US- CERT. The US-CERT, in collaboration with the private sector and leading response organizations, will improve warning and response time to security incidents by fostering the development of detection tools and utilizing common commercial incident and vulnerability reporting protocols. This will increase the flow of critical security information throughout the Internet community. I would like to take a moment to address our rationale behind the decision to integrate physical and cybersecurity within the IAIP directorate. I believe that this approach is the correct one for three reasons. First, cybersecurity cannot stand alone. The critical interdependencies between cyber and physical domains demand that we coordinate our intelligence and our protection efforts. Second, with the creation of the NCSD, we have for the first time implemented a single point of contact for cybersecurity within the Federal Government that will interact with other agencies, private security, the resource communities and State and local governments on a 24x7 basis. Third, though the director of the NCSD serves as a technical and operational lead for cybersecurity issues, cybersecurity will also be championed by Under Secretary Frank Libutti and myself. And we are committed to the implementation and the full funding of the NCSD as one of the top priorities for the IAIP directorate and for DHS at large. As demonstrated by recent events, the consequences of cyber attack can manifest with little or no warning, on a widespread scale, with tremendous speed. Impacts can quickly escalate across multiple infrastructures, resulting in widespread disruption of essential services, significant economic losses, and potentially endangering public safety and national security. The NCSD, therefore, is implementing its objectives for the timely execution of three key mission areas--outreach, prevention, and remediation. The NCSD is aggressively pursuing an outreach agenda that will provide education tools for children, parents, teachers, business owners, and business operators. NCSD, through the development of partnerships with government agencies such as the Federal Trade Commission, nonprofits like the National Cybersecurity Alliance and Internet service providers, will work to establish and enhance awareness programs for all users at all levels. We will be making announcements on our progress in the coming weeks. NCSD partnerships with industry, academia, and government will be the foundation for program implementation for protective and preventive measures to reduce America's vulnerabilities to cyber attacks. It is crucial that we improve existing public and private partnerships whose missions are consistent with the NCSD. A prime example is the National Cybersecurity Alliance whose members have committed their time and resources to regularly educating the home consumer and small businesses on good security practices. Proactive response and recovery efforts associated with the recent Blaster worm and SoBig virus offer the best evidence of the value of partnerships. SoBig spread faster and more aggressively than any previous e-mail virus, affecting millions of residential business and government computers worldwide. We recognize a cyber attack could easily cascade across multiple infrastructures, causing widespread, rapid disruption of essential services and impacting our national economy, public safety, and national security. The NCSD is committed to closely working with other government and law enforcement agencies, private industry, as well as academia, to help secure our cyberspace from future and potentially more serious malicious exploitation. To this end, I am pleased to announce that we are beginning to organize a National Cybersecurity Summit for later this fall in order to assemble key industry and government leaders to energize decisions like several key national cybersecurity issues. The Internet and cyber technologies have greatly improved both the quality of life for our citizens and the efficiency and the productivity of our business and our government. These societal and economic benefits are not without their costs. Malicious actors are devising new and ingenious ways to exploit vulnerabilities in our cyber world, to disrupt our quality of life, and threaten our national and economic security. Much like the larger global war on terrorism, this effort will take time, resources, dedication, energy, and hard work. But in the few short months we have been in existence, we have made great strides and we look forward to working with the Members of Congress, this committee, our government partners, the private sector, and the international community in this endeavor. I come before you today to dedicate ourselves to this common goal: one team, one fight, one mission, to protect the United States of America. I appreciate the opportunity to testify before you today and I look forward to your questions. Thank you. [The statement of Mr. Liscouski follows:] Prepared Statement of the Hon. Robert Liscouski Good morning Chairman Thornberry and Members of the committee. My name is Robert Liscouski, I am the Assistant Secretary for Infrastructure Protection and Acting Director of the National Cyber Security Division (NCSD) within the Department of Homeland Security. I am pleased to appear before your Subcommittee to discuss some of our efforts to protect and secure our Nation's critical infrastructure. Last week's observances of the two-year anniversary of the September 11th attacks offer a stark reminder of the threats and vulnerabilities we as a Nation still confront. The Department's Information Analysis and Infrastructure Protection Directorate (IAIP) was established by the Homeland Security Act to lead the Nation's efforts to prepare for, prevent, respond to, and recover from terrorist attacks like those perpetrated on 9/11. These terrorist acts may manifest in many forms, including physical and cyber attacks against our critical infrastructure, key assets, and national icons. Both physical and cyber assets have vulnerabilities that may be exploited by our enemies. The highly interconnected nature of our infrastructure makes these physical and cyber weaknesses impossible to separate--and difficult to address separately. Our protection methodology leverages an integrated physical/cyber protection approach to reduce vulnerabilities and to optimize our response when an attack does occur. From the beginning of DHS, the IAIP directorate which includes the Infrastructure Protection Office for which I am responsible, has implemented a dedicated organization committed to protecting physical assets. The organization is called the Protective Security Division (PSD). Recognizing the equal importance of protecting cyber assets, we created the National Cyber Security Division on June 6 of this year. These organizations within the Infrastructure Protection Office work together to implement the integrated protection methodology that I previously discussed. Today, I am here to give you a progress report on where we are now, and what we have in store for the coming months and years to implement the President's National Strategy to Secure Cyberspace. I am pleased to announce that Amit Yoran has been formally named as the Director of the NCSD effective today. Mr. Yoran is a strategic, disciplined leader who understands the unique threats and vulnerabilities manifested in cyberspace and is an individual capable of managing a diverse, highly technical organization Mr.Yoran was most recently the Vice President for Managed Security Services at Symantec Corporation where he was primarily responsible for managing security infrastructures in 40 different countries. Before working with Symantec, Mr. Yoran was the Founder, President and CEO of Riptech, Inc., a leader in outsourced information security management and monitoring. Before working in the private sector, he was the Director of the Vulnerability Assessment Program within the Computer Emergency Response Team at the Department of Defense and the Network Security Manager and the Department of Defense where he was responsible for maintaining operations of the Pentagon's network Mr. Yoran's leadership and respect within the information security industry will further accelerate our efforts in building the full NCSD team, and increasing the strength of our public and private sector partnerships. Since its formal establishment in June, the National Cyber Security Division has worked closely with our partners in the private sector, including coordinating response and mitigation of the Blaster worm and SoBig virus. Without these coordinated efforts, the significant economic impact of these attacks could have been much worse. In each situation, the Department's cyber security experts demonstrated the ability to quickly reach out to the security community, rapidly assess emerging threats, and provide timely warnings to government, industry, and the general public. These initial efforts were crucial--they allowed the NCSD to establish its credibility and demonstrate its value to the national and international cyber security community. Since June, IAIP has been assembling a consolidated and coordinated team of cyber security professionals. These experts were integrated from portions of the National Infrastructure Protection Center (NIPC), Critical Infrastructure Assurance Office (CIAO), Energy Assurance Office (EAO), and the Federal Computer Incident Response Center (FedCIRC). Despite the many organizational and cultural challenges associated with integrating these elements into one entity, our initial efforts have yielded effective and tangible results. Creation of the NCSD has enabled: Planning for consolidation of three 24x7 cyber watch centers; Formulation of a standardized incident handling procedure for responding to cybersecurity events; and Creation of a single national focal point for cybersecurity leadership for prevention, protection, and response to incidents. The most recent accomplishment of the NCSD is the creation of the National Computer Emergency Response Team (US-CERT). The US-CERT, in collaboration with the private sector and leading response organizations, will improve warning and response time to security incidents by fostering the development of detection tools and utilizing common commercial incident and vulnerability reporting protocols. This will increase the flow of critical security information throughout the Internet community by leveraging the extensive resources and brand of the Federal Government and Carnegie Mellon's CERT/Coordination Center. The CERT/CC is a part of the Software Engineering Institute (SEI) and is affiliated with Carnegie Mellon's new Cyber Security Laboratory. A key enabler of this partnership is the 19 years of leadership demonstrated by the U.S. Department of Defense in its sponsorship of the SEI, a federally funded research & development center. By integrating capabilities from the Government (FedCIRC), Academia (The CERT/CC), and the private sector (vendors of security products and services), the US-CERT will provide a coordination center that, for the first time, links public and private response capabilities to facilitate communication across all infrastructure sectors. Before detailing our future programs and initiatives, I would like to begin by providing rationale behind the decision to treat physical and cyber security on part with one another, within the IAIP directorate. I believe that this approach is the correct one for three reasons. First, cyber security cannot be a ``stand alone'' effort. As I described earlier in my statement, the success of DHS as a Department, and IAIP specifically, depends on our ability to protect the entire critical infrastructure against physical and cyber attacks together. We realize the dominant components common to all 13 critical infrastructures are physical and cyber components. To best protect the country against attack, careful integration of both components is required to achieve a holistic view of critical infrastructure vulnerabilities. In fact, this view is validated by a common criticism voiced by the private sector and security experts preceding the creation of the Department: physical and cyber security were being addressed by the government independently. We believe the physical and cyber domains are inextricably linked and vulnerabilities cannot be effectively analyzed independently. Placing both responsibilities under one Under Secretary and one Assistant Secretary has ensured successful integration. Second, the NCSD will identify, analyze, and reduce cyber threats and vulnerabilities; disseminate threat warning information, coordinate incident response; and provide technical assistance in Continuity of operations and recovery planning. With the creation of the NCSD, we have for the first time, implemented a single point of contact for the prevention, protection, and coordination of response to incidents, that will interact with all federal agencies, private industry, the research community, State and local governments, and other partners on a 24x7 basis. Third, while the Director of the NCSD serves as the technical and operational lead for cybersecurity issues, it is important to remember that the cyber security issue will now be championed within IAIP by Under Secretary Frank Libutti, and myself. The Under Secretary and I have already demonstrated our commitment to developing a world-class cyber security capability within the Department and believe the continued implementation and full funding of the NCSD is one of the top priorities for the IAIP Directorate. Furthermore, cyber security research and development will be conducted in partnership with the Department's Science and technology Directorate under the leadership of Under Secretary Charles McQueary. Now I would like to focus the remainder of my testimony on our plans for building on our accomplishments of the last three months to fully implement the operational NCSD in the coming months. The Mission: Outreach, Prevention, and Remediation As demonstrated by recent events, the consequences of a cyber attack can manifest with little or no warning, on a widespread scale, and with tremendous speed. Impacts can quickly cascade across multiple infrastructures, resulting in widespread disruptions of essential services, significant economic losses, and potentially endangering public safety and national security. The National Cyber Security Division, therefore, is implementing its objectives through the timely execution of three key mission areas--Outreach, Prevention, and Remediation. Outreach The NCSD will create, in coordination with the Office of Personnel Management and the National Institute of Standards and Technology, cyber security awareness and education programs and partnerships with consumers, businesses, governments, academia and international communities. An effective outreach program lays the foundation for the ultimate success of all mission areas of the NCSD. Accordingly, the NCSD championing the implementation of awareness efforts and campaigns that use a multi-level approach to provide awareness/educational tools for all users; for the home, awareness tools for children, parents and teens; customized approaches for small, medium, and large businesses; and for government agencies. Every level of user must realize they have an equally important role in the security of cyberspace. The end user, for example, needs to be informed about the technical aspects of security and about their role as gatekeepers in a larger data and information sharing community. The NCSD is aggressively pursuing an outreach agenda that will target groups of citizens by providing education tools for children, parents, teachers and business owners and operators. There are many effective existing programs and the NCSD is developing partnerships with government agencies, such as the Federal Trade Commission, non- profits like the National Cyber Security Alliance, and the Internet Service Providers to establish and enhance awareness programs for all users. We are working to build on existing public/private outreach groups to assist the spectrum of users in securing their systems through implementation of effective security practices. One quick example is establishing National Cyber Security Days. As Americans change their clocks twice a year, to Daylight Savings and Standard times, the partnership of the NCSD and the National Cyber Security Alliance's StaySafeOnline Campaign asks consumers to use the days as reminders to assess their own computer security. Computer security needs to be a regular consideration when protecting a home. Just as consumers remember to lock their doors, so too should they remember to secure their computers. As a result of this partnership with the NCSD many other partners in the business and government communities are starting to design their national ad campaigns around these two dates to further amplify this important message. At the same time, the NCSD is partnering with other federal agencies, including, Commerce, NSA and DOD, state and local government, private industry, and academia to promote a well-trained IT security workforce. Prevention Consistent with law and policy, NCSD will coordinate closely with the Office of Management and Budget and NIST regarding the security of Federal systems and coordinate with Federal law enforcement authorities, as appropriate. NCSD will leverage other DHS components including the Science and Technology Directorate, the U.S. Secret Service and the Department's privacy officer. To achieve its mission, the NCSD is working with State and local governments, and the private sector to conduct infrastructure vulnerability field assessments, while providing the best and most cost-effective prevention and protection strategies for ``at risk'' infrastructure facilities, assets, and personnel. Due to the diversity of the critical infrastructure, cyber protection strategies for each sector must be customized based on the unique geographical and business operating models of that sector. Due to the highly interconnected yet physically distributed nature of our critical infrastructure, prevention and protection strategies are prioritized based on regional, State, and local needs and on the need for cross-sector coordination. We recognize that collaborating with industry, academia, and Government is a key focus of our NCSD activities. With partnerships as the foundation for program implementation, the NCSD will coordinate implementation of protective and preventative measures to reduce America's vulnerability to cyber attacks. It is crucial that we improve existing public-private partnerships whose missions are consistent with NCSD functions. A prime example is the National Cyber Security Alliance, whose members have committed their time and resources to regularly educating the home consumer and small businesses on good security practices. With nearly all of the backbone of cyberspace owned by the private sector, it is imperative that the NCSD strengthen its relationships with them. Fortunately, there are mechanisms already in place to facilitate cooperation between industry and government on cyber security, most notably the National Coordinating Center (NCC) for Telecommunications and its Telecommunications Information Sharing and Analysis Center (ISAC), which are each part of the National Communications System (NCS) and IAIP. These entities provide the Department with direct access to leading industry operational and security experts whose knowledge and insights may prove crucial in managing a cyber incident. The NCSD, as part of IAIP, also helps to support two CEO-level advisory committees--The National Security Telecommunications Advisory Committee (NSTAC) and the National Infrastructure Advisory Council (NIAC),--which provide advice and counsel on national security telecommunications and critical infrastructure matters, including cyber security issues. By acting as a champion for creating a national and international culture of cyber security, we aim to promote a security culture at the CEO-level and demonstrate to corporate leaders that cyber security ultimately promotes the resiliency of their infrastructures, protects the interests of their shareholders and corporate brand, and preserves value and competitive advantage for businesses that implement security best practices. Remediation As I discussed earlier, the proactive response and recovery efforts associated with the Blaster worm and SoBig computer virus offer the best evidence of the value of partnerships. SoBig spread faster and more aggressively than any previous email virus, affecting millions of residential, business, and government computers worldwide. Internet traffic was substantially affected by these two events, causing a 25 percent increase in internet traffic and infecting over 600,000 computers. It had a significant impact on cross-sector communication and impacted productivity. In August, when the Blaster worm surfaced on the Internet, the NCSD issued a timely warning to security professionals, suggesting that Internet service providers and other corporate network administrators shut off inbound traffic to ports 135, 139, and 445 to block the spreading of the Blaster infection. Blaster took advantage of a known vulnerability in a Windows operating system component that handles messages sent using the remote procedure call (RPC) protocol. RPC is a common protocol that software programs use to request services from other programs running on servers in a networked environment. Vulnerable systems were compromised automatically without any interaction from users. Through the advisory, users were instructed to install the appropriate software patches to prevent their computers from being infected. In the following weeks, the NCSD continued to issue advisories warning security professionals that a variant of the Blaster worm, dubbed ``nachi,'' ``welchia'' or ``msblast.D,'' was proliferating. Working with Internet security researchers and experts from private industry and academia, the Division and the FBI uncovered malicious code hidden within the SoBig worm on twenty master machines that was programmed to launch a massive denial of service attack. Federal authorities located the twenty computers infected with this variant of the worm and asked their Internet service providers to shut down their Internet access. As a consequence, the second wave of attacks never materialized. The NCSD recognizes that a cyber attack could cascade across multiple infrastructures, causing widespread rapid disruption of essential services, and impacting our national economy, public safety, and national security. While this generation of worms has not yet resulted in irreversible damage (albeit slowing communication, overstuffing e-mail inboxes, and reducing productivity), the NCSD is committed to working closely with other government and law enforcement agencies, private industry, as well as academia to help secure our cyberspace from future, and potentially more serious malicious exploitation. To this end, I am pleased to announce that we are beginning to organize a National Cyber Security Summit for later this fall, in order to assemble key industry and government leaders to energize decisions on several key National cyber security issues. Key goals of the summit are to--. Produce a common threat and vulnerability reporting protocol to enhance prevention and response capabilities and to drive a standards-based system for communicating threats and vulnerabilities across the Nation; Develop a Vulnerability Reduction Initiative to significantly reduce vulnerabilities based upon improved evaluation standards, tools and measures for software, new tools and methods for rapid patch deployment, and best practice adoption of security for cyber systems across the critical infrastructure in partnership with industry and the leading research universities in the United States; Create an outreach and education partnership to offer training and awareness to 50 million home users and small businesses in cyber security within one year; and Formulate and ratify a National Cyber Security Road Map that defines milestones, work streams, and metrics for ``raising the bar'' of cyber security across the United States and identify work stream leads from government and industry. Since its inception, the National Cyber Security Division has delivered on its commitment to provide a centralized coordination point for the collection and dissemination of protective measures to reduce vulnerabilities and risks to the cyber infrastructure through implementation of the Cyber Security Tracking Analysis and Response Center (CSTARC). As announced in our press release on Monday morning, CSTARC, through a partnership with Carnegie Mellon University's CERT/ Coordination Center, will evolve to a new capacity as a national Computer Emergency Response Team (US-CERT). The US-CERT will enhance our Nation's prevention of and response to cyber threats and vulnerabilities. There are currently over two hundred private sector groups, public sector groups, and universities that operate computer emergency response teams (CERTs) within the United States. Many of these groups have varying levels of informal and formal partnerships with each other and with the US-CERT. This initiative will harness this massive capability to significantly increase America's ability to protect against, and respond to, massive scale cyber attacks. We view the US-CERT as a fundamental element of the DHS strategy to ensure timely notification of all types of attacks, working toward having, within a year, an average of a 30-minute response to any attack. Moreover, the US-CERT will provide a coordination center that, for the first time, links all public and private response capabilities and facilitates communication across all sectors. US-CERT will also lead collaboration with the private sector to develop and distribute new tools and methods for detecting and identifying vulnerabilities in an effort to significantly reduce vulnerabilities. Lastly, US-CERT will help improve incident prevention methods and technologies by identifying and disseminating best practices and working with the private security industry to improve warning sensor data collection and analysis. Conclusion The Internet and cyber technologies have greatly improved both the quality of life for our citizens and the efficiency and productivity of our businesses and our government. These societal and economic benefits are not without their costs. Malicious actors are devising new and ingenious ways to exploit vulnerabilities in those cyber systems, to disrupt our quality of life and to threaten our national and economic security. Our ever-growing reliance on the Internet and cyber systems compels us to counter these threats and vulnerabilities by building productive partnerships with key stakeholder communities in cyberspace, improving how we share information, and developing and fielding innovative technical solutions. As the focal point for the prevention, protection and coordination of response to incidents, the NCSD must achieve its mission of ensuring the security of cyberspace. We know this will not be an easy assignment. Much like the larger global war on terrorism, this effort will take time, resources, dedication, energy, and hard work to succeed. But in a few short months, we have made great strides and are excited about the possibilities that the future offers. With the appointment of the new Director of the NCSD, we have focused leadership to guide us forward, to forge new alliances and partnerships, to implement new tools and capabilities, and to provide a vision for cyberspace security. Again, I appreciate the opportunity to testify before you today. I would be pleased to answer any questions that you have at this time. Mr. Thornberry. Thank you. And I can assure you that this subcommittee shares your goal of working together to help the country be safer. Let me just ask one brief question before yielding to Ms. Lofgren. It seems as though that the Department has made several significant announcements yesterday and today. The establishment of the US-CERT, the naming of the Director for the Cybersecurity Division, and now this National Cybersecurity Summit, which will take place later this fall. Why is it all coming down now? What has been your decision- making process, and why are we just having these decisions made. Mr. Liscouski. Well, Mr. Chairman, it is a function of our timing is, we have been working very hard since June, and as you well know, we have engaged in a lot of other activities in standing up the division. One of the things I have been working hard at over the past few months is putting the right team in place to ensure we could actually carry out the things that we announced just these past couple of days. So it is one. We could have announced them, or at least our intention is to execute on these objectives, earlier; but the framework from which we are operating is really one in which we plan carefully, but quickly, and then with the ability to execute. So I am here before you today to say that our announcements are timed with our ability to execute, not so much as anything else, but just a function of the ability that we are working very hard, and we have got a good plan together, and we finally have our teams together to be able to execute on the strategies we have identified. Mr. Thornberry. Yield to Ms. Lofgren. Ms. Lofgren. Thank you, Mr. Chairman. I have just a few questions. As I mentioned in my opening statement, the President had a Special Advisor on Cybersecurity, but that position has been eliminated. Will the director of the Cybersecurity Division have direct contact with the President or with Secretary Ridge on cybersecurity issues? What kind of access will this individual have? This is kind of a nerdy subject we all know that and yet it is very important; and it is important that the decision makers, who are not necessarily living and breathing computer, be contacted and be aware of the scope of the issues. Mr. Liscouski. Yes, ma'am. Mr. Yoran--first of all let me explain. Our management style at DHS is, one, a very direct one. Working for Under Secretary Libutti and Secretary Ridge requires one to be constantly engaged to ensure that the leadership knows what is going on. I mean, this is a constant dialogue we have at senior management levels, particularly as it relates to infrastructure protection. Information analysis, because of the very uniqueness of what IAIP brings to the Department in terms of a function, is one which is heavily relied upon by the senior management of DHS. So I can tell you from personal experience that Secretary Ridge, Under Secretary Libutti reach down into the organization at any level that they think they need to get the answers to questions that they have, and we are very responsive. To that end, Secretary Ridge has been personally involved in not just overseeing the implementation or the creation of this division, but engaged with me in identifying the type of leadership we need and what we need to do to be successful in this endeavor. So if Mr. Yoran is going to have the the pleasure, because it is indeed a pleasure to work with the senior leadership, but more importantly the responsibility of reporting directly. My management style, Under Secretary Libutti's management style, is not one in which we say, You have got to go through a, quote, unquote, ``chain of command.'' Ours is pretty much, You are the expert, you have got the con, you take the lead, answer the questions, take the initiatives. Ms. Lofgren. Okay. That is very reassuring. Thank you. One of the questions I was mentioning to the chairman, there is modeling going on around the country, university based, and I am interested in whether the Cybersecurity Division will be working with the Science and Technology Directorate on modeling in simulation issues and whether cyber threats are going to be integrated into these efforts. Can you give us a progress update on that? Mr. Liscouski. Yes, ma'am. Let me take the partnership with S&T first because I think that is where it starts. The Cyber Division has got a direct nexus into Under Secretary McCrery's S&T organization, the Directorate. We have a deputy director named in the research center in S&T. So we are directly partnering by driving requirements in S&T that we have identified from the field, not just from our own efforts, but through our partnerships with State and local governments, with the industry, with our international partners. We are taking those requirements and driving them into S&T. That is point number one. As it relates to the universities, our relationship with the US-CERT at Carnegie Mellon clearly is one example. We have many other relationships with universities and labs to do modeling. We have got the benefit of having the opportunity of reaching out to lab relationships we have currently that came over to us when we formed DHS earlier this year, so we have already been working on computer simulations for different types of modeling for attacks and for things that relate to cybersecurity as well as other parts of our infrastructure. Ms. Lofgren. Can I ask you about this US-CERT? I saw the announcement. We have the Federal Government has been a partner with CERT at Carnegie Mellon for many years. And how is US-CERT going to be different than regular old CERT? Mr. Liscouski. Well, I would like to recognize the Department of Defense obviously for taking the initiative back some almost 20 years ago, after the Morris worm, to establish the CERT/CC capability. That relationship has allowed many parts of the Federal Government to take advantage of the CERT capabilities. CERT, as you well know, remains one of the premier capabilities in the world, and to that end, the partnership that DHS is establishing is a key one for us because we are increasing our level of financing to the CERT. So therefore we are increasing the resources available directly to DHS, vis-a- vis the CERT, to do things not just around the incident response area, but also looking at establishing a malicious code lab there, as well as other enhancements through financing, through partnerships, through positioning people at the CERT, working closely with them to ensure that US-CERT can mature to a capability that is going to serve the National Strategy for Cyberspace. Ms. Lofgren. Finally, one of the responsibilities of your office is to coordinate outreach to State and local governments, and I am interested in how you are doing that. Is there an office that is responsible for outreach? Is outreach institutionalized? And in particular I am interested not just in what we might think of as cybersecurity, but the physical infrastructure that allows the cyber world to exist; and I continue to be concerned about the level of information and coordination between the Federal Government and State and local, especially local police officials, in terms of vulnerabilities that exist to the physical infrastructure. Because we are very concerned with the viruses and worms and cyber attack, but the model for terrorists remains some maniac with a bomb; and so we have vulnerabilities in that area that I am not yet convinced we have addressed adequately. And really our first line of defense is going to be local, not Federal officers. So can you address that issue for me? Mr. Liscouski. Yes, ma'am. And I agree with you; I don't think we have addressed it adequately yet either. We are working hard to do that. We have got a number of mechanisms for outreach, and let me just articulate those. We have a branch in the NCSD dedicated to outreach. It is headed up by a very seasoned professional. Sally McDonald, who came to us from the Fed CERT, has done a tremendous amount of effort in outreach and has got a lot of experience in this area, so we are relying upon Ms. McDonald to really take the programs where we need to go. We have a number of programs currently established at the NCSD. StaySafeOnline Campaign is one of the dominant ones in which we are using that to reach many different levels of constituents in the cyber world. That is just one example. We are partnering up as you may know, we have got relationships with ISACS, the Information Sharing Analysis Centers. There is an IT ISAC, but there is a cyber component in every ISAC we use for outreach. We have our advisory systems in which we put out notices about threats or incidents and events relating to the cyber world. We are going to continue to use the private sector for outreach. Our partnerships with the private sector are absolutely key for us to ensure that we have got the right things, the right awareness, going on because, as you are fully aware, this problem is not necessarily just a technological problem. In fact, most computer security professionals would articulate that the problem is typically not the technology; it is the implementation of proper standards and procedures to ensure that the technology is used accordingly, patches are made, remediation work is being done. And those are process issues; those are not technological issues. It is all about awareness training, so we are reaching out using universities, using the private sector, using our own outreach capabilities to ensure we have multilevel awareness programs going on; and these are in development, and we are welcoming suggestions from any of those out there, anybody who has got an interest in this area to ensure we are doing the right thing. As I mentioned in my statement, we are working with ISPs to ensure that we have got the right awareness going on for users of broadband connections to ensure that they understand the dangers of getting on line and in open systems without taking the appropriate precautions, so--. Ms. Lofgren. Thank you. I will reserve my other questions for the next second round. Mr. Liscouski. Thank you. Mr. Thornberry. I think the Chair will use the clock not just as a guide for members, not as a hard and fast rule; and Ms. Lofgren and I have agreed that we will have as many rounds as members have questions, with Mr. Liscouski's indulgence. The Chair would now recognize the gentlelady from Washington. Ms. Dunn. I thank the chairman. Mr. Liscouski, this committee has made it a priority to understand how communications and information are being shared across Federal agencies. How will the Cyber Division work within the larger Information Analysis Division responsible for analysis and warnings to the Homeland Security community and, if necessary in an extreme case, to the public? Mr. Liscouski. Let me describe first our relationship with the Information Analysis Office. That is the IA component of IAIP. We are tightly knit together. The IAIP Directorate, combined of those two offices, was created with the intention of ensuring that we had overlap of our functions and our thinking within the structure to ensure that we always had a very close look at the intelligence components of the threats mapping vulnerabilities, whether they be physical vulnerabilities or logical or cyber vulnerabilities. And in this case, the NCSD plays sort of a unique role. While it is not an intelligence function, it is a capability- oriented, technical capability. And we lend ourselves to the IA function to understand how technical exploits can be used to conduct cyber terrorist attacks, while the IA function has clearly got the intelligence requirements to understand how terrorist groups may, or what their intentions may be to use technologies to conduct a cyber attack. They are a portal to the Intelligence Community. We drive our requirements through the information analysis component to ensure that they maintain that constant look and their constant contextual piece around what we are worried about from a vulnerability standpoint and what the Intelligence Community needs to be looking at from an intelligence standpoint. So we are tightly integrated. We drive requirements. We have--the IA analysts are frequently as knowledgeable about the technology, at least at a top level, as our folks are to understand what the vulnerabilities are. So when they see intelligence pieces they understand the relevance of intelligence to a particular infrastructure component. Ms. Dunn. Will you find yourself working with TTIC, with or through TTIC, during any of the process? Mr. Liscouski. Yes, ma'am. We would be working with TTIC, and we do now quite actively through our IA counterparts; and my colleague, Bill Parrish, the Acting Assistant Secretary for Information Analysis can go into that much more deeply. But I am very familiar with our relationships there. We use them quite robustly. But, again, we drive those through the IA component, ma'am. Ms. Dunn. Do you--in your Cyber Division, do you believe now you have adequate resources to conduct all your activities? Are there areas where you see specific needs our committee ought to be focusing on? Mr. Liscouski. I think, for the present, we have the resources we need. As you know, we are staffing up. We currently have approximately 65 people in the division, and we are looking to staff up to somewhere, I would say about 100 or so for fiscal year 2004 is our plan. From my perspective, I think we are adequately staffed. I think we have got the resources we need, particularly with the partnership with the US-CERT. I think downstream, as we learn more about the vulnerabilities and particularly the initiatives we want to take and the resource areas in the short terms areas that we need to make improvements, we will probably be coming back to this committee and articulating what those needs are. Ms. Dunn. I am not seeing any timing clock. Do you have one, Mr. Chairman? Mr. Thornberry. The green light is down in front of the witness. Ms. Dunn. Got it. As I mentioned in my opening statement, we all fully appreciate cyberspace has no borders. How will you find yourself working with international organizations in your role? Mr. Liscouski. The international component is a very critical one for us. As you know, we have some informal arrangements. We are working closely with the British Government, with the Australians, the Germans, the Canadians. It is critical for us to expand our relationships for international cooperation. We are working with the Department of State to formalize those agreements. Bilateral and multilateral agreements are very key for us. The national strategy articulated the need for signing for the--I am sorry--the European convention on cybersecurity. That is not the exact term, but we fully support that. We need to work with the international community to ensure that we have got uniform laws across international boundaries to enforce violations, to ensure that we have got good thinking about best practices. To your point, there are no boundaries. A vulnerability in Slovakia is as critical as a vulnerability in the United States. If a company is a Fortune 50 company operating around the world, we have to be very cognizant of those vulnerabilities. We are working hard with our partners to bring them up a level of capability, as well. Ms. Dunn. And does that include cooperative working when responding to something? Mr. Liscouski. Yes, ma'am. The US-CERT is going to be nexus for that capability. We are going to be using the US-CERT as a model for CERTs around the world to--and this has clearly been the model. So to your point, yes. Ms. Dunn. What about--is your division considering and in cooperation with the private sector, considering setting up a code of standards, best practices, that would be in place both for the private sector, which you, in your testimony, mentioned had something over 80 percent of all of the cyber work that we need to be dealing with and also the public sector? Mr. Liscouski. Yes, ma'am. And best practices occur at many different levels. We are trying to articulate identify and articulate best practices for home users, for small businesses, universities, big businesses. We have got to work in cooperation with the industry to ensure that best practices are effective, implementable, cost-effective, measurable, all the elements that you would want to have programs to identify what the right level of security is. This is a big area, a big body of work, and we are spending, we have been spending time, and we are spending much more a lot more time in the future on this. We are working with our councils. We have got the NIAC, the National Infrastructure Advisory Council, you are familiar with, I am sure; the NSTAC, the National Security Telecommunications Advisory Council. Both of those bodies have been involved in helping us identify standards. We are working with the private sector to determine what additional standards may be necessary. We are going to make these standards publicly available on our Web sites as we promulgate them. So this is all part of our outreach program. Ms. Dunn. And you can do that, you believe, without legislation? Mr. Liscouski. Yes, ma'am. And I think at this point in time, we have got the industry with the support of the Congress, with the support of this administration, attuned to the need that security is more than just something which you can spend a dollar for and say, I have got adequate security. The biggest challenge in the business community is, again, ensuring you can identify what the appropriate level is and what the right level of investment for a dollar of security, does it get you anything in return. The cost and the return on investment is always a key component in the private sector. The business case here in terms of why businesses should be spending money on security in advance of legislation, I think, is one which is based upon competitive advantage. The more we can educate consumers, either at the basic consumer level, those who might shop at Amazon.com on line or those who implement multimillion dollar programs in their businesses, should know that they have choices about what the right choices are to make for security, for levels of security in the technology that they are buying; and the more we can make those--that awareness known to the consumer groups, the more pressure they will put on the private sector to ensure that security is baked into their programs. Ms. Dunn. Good. Thank you very much. Thanks, Mr. Chairman. Mr. Liscouski. Thank you. Mr. Thornberry. Thank the gentlelady. The gentleman from North Carolina. Mr. Etheridge. Thank you, Mr. Chairman, and thank you for holding this hearing. I think it is we all know how important it is. Mr. Liscouski, when we think in terms of cybersecurity, a lot of folks, when they first hear it, they think of it as how we protect computers. The truth is, as you know, it is much broader than that, because so much of our productivity and our economic fiber of this country is tied to the whole integration system that we have; and over the last 10, 20 years we have seen tremendous amounts. So let me get back to the risk assessment, and I am going to try not to cover something that hasn't been covered, but maybe get a little better perspective on it. Because realizing that a department is just gearing up, and thinking about just the amount of problems we have had that was mentioned by our ranking member just this past August, the economic damage that was done to business and others by independent assessments, by some of the digital risk companies are saying it was about $32 to $33 billion. So obviously, this whole issue of cybersecurity is a huge issue. What progress has the Department of Homeland Security made in identifying cyber threats and vulnerabilities? And in conjunction with that, how have you been able to share this information with State and local organizations, which I think is critical? You know, just because they have the information doesn't really do us a whole lot of good unless we can figure out how we can get it, to get some results in the assessment area. Mr. Liscouski. It is an excellent question because it is the heart of what a good protection program is all about: understanding the risks, the vulnerabilities to those risks, and the right practices in which you can engage to mitigate or reduce those risks or alleviate them. To that end, a major component of what we have done there are a number of them. We have got one effort as part of our responsibility for securing the Federal Government, which is initiated through the Fed CERT. That is the responsibility, to ensure that the proper warning alerts, incident notices, are going out across the Federal Government. That program has been in place for a while, originally established with GSA, now moved over to DHS, and is, at the heart, the NCSD. It is a very robust program. Part of that is also a patch remediation capability which goes back to the reduction of vulnerabilities and spreading that word. As it relates to the private sector and State and local governments, I think that is where much of our work is required to be done yet. We have got great relationships in the private sector in providing us information about vulnerabilities. Our relationships with Microsoft, with Cisco recently, have enabled us to be able to respond very quickly to vulnerability information and exploits and put notices out there to the general public and the State and local governments as well. They are all on the same alert system, so therefore they have the opportunity of receiving this information very quickly. It is our goal, with the establishment of the US-CERT and the leadership that we are establishing in the NCSD, to reduce these notification times from hours, currently, to, hopefully by the end of fiscal year 2004, an average of 30 minutes. We are looking to get robust communications capabilities out there beyond what we have now working, establishing networks with State and local governments. We have got some efforts under way right now, which I would like to keep at a top level, in terms of working very closely with State initiatives to develop communication networks, and then ultimately to establish State CERTs again, using the US- CERT as a model to reach down into the State governments to help them set up their own capabilities for incident response and incident warnings. So there are a number of initiatives we have got going in the pipeline. Again, we have only been working here for 3 months, so we are moving from the thinking and planning stages into the execution stages in the next quarter. Mr. Etheridge. Let me follow that up, if I might, please, because I think you moved into the advisory and warning area, which I think is very critical as you deal with the assessed risk assessment. You have started a long--but as the Department looks at this whole area of integrating warnings about the possible problems of cybersecurity, and you have talked about what you are doing across the Federal Government to get it done on the security advisory system, talk to us a little bit more, if you will, please, about how are you reaching out to locals. You have talked about it in general terms. Because I think it is important, because most of the people who are going to be called upon to respond to such an attack are not traditional first responders, as we think, in terms of the agency reaching out to first responders--our fire, police or rescue; they are important because they have to receive it too--but you are also talking about a whole new group of first responders. How about talking about how those two are integrated, because I think it is critical to know, and what the Department is doing on it? Because if all you do is go to the end user, that will help, but you have really got to get upstream; and I hope that is what you are talking about. Mr. Liscouski. Yes, sir. And if I understand your question correctly, this is again a multilevel approach. Mr. Ethridge. Absolutely, because you have also got the private sector category there. Mr. Liscouski. That is correct. The first responder category in the cyber world is every user. I mean, it starts with prevention, as you well know, and ensuring we have got the right procedures in place to protect our systems; and that is just through basic security practices. Part of our outreach program is intended to continue to elevate the level of awareness and understanding and security posture within our--across the entire Nation by getting the average user or the business user to understand what they must do to protect themselves. In response mode, I think the Blaster and the SoBig virus are a example of how our response needs to be enhanced. I think we did a very admirable job responding and putting the advisories out, and we got a significant reach across our community to do that, both horizontally and vertically within the State and local government community, as well as in the private sector. But the home user was the one that I believe probably lacked the ability to understand what the implication of the-- they clearly understood the implication, primarily because they couldn't get on the Internet. It was--remediating from that problem was where we saw the biggest challenge to be. So we are looking at many creative ways to put out the word. We are working with the major media, establishing relationships with the major media to put the word out to make sure we have got a consistent message across there. Information sharing is the primary goal of DHS. It is often said, you know, it is not need to know, but it is need to share, and we are looking for as many ways as we can to put the information out there--on best practices, on vulnerabilities, on threats--that we possibly can, irrespective of whether they are in the physical world or the cyber world. We are not differentiating those things. The only thing I would add, and I can probably get into this a little bit later, is the speed at which the cyber world works. As you well know, it requires a little bit of a different sort of ops tempo, so to speak, or posture in ensuring that we have got a consistent, a thorough and a consistent look across all the infrastructure to ensure that we are aware of what is going on in the cyber world. I can address that later. Mr. Ethridge. Mr. Chairman, I know my time is up, but may I follow up with one final, since we are on this point, because I think it is so critical as we do this. I hope at some point we have in the system a measurement to know at least when we have we have had some measure of success. You know, it is one thing to do the assessment, another to notify. But unless we have a measurement down the road we talk about what business does in terms of measuring inputs and outputs. But we have to find a way to know, because this pressures us to speed up our process in the decision-making process to save those multitudes of billions of dollars down the road. Mr. Liscouski. You are absolutely right, sir. It is about metrics. It is about ensuring we can find those measurable programs and those factors within our programs to determine if, in fact, we are doing the right thing. That is precisely the business approach that we are taking. Again, going back to the leadership--and the comments earlier, ma'am, about, you know, why it took so long to find our director--the only response on that is, we wanted to make sure--we are only going to get a chance of doing this right once, and finding the person with the right capabilities and qualifications that can understand working in an entrepreneurial environment. How do you build an organization and who do you be able to quickly execute against the requirements you have and this type of highly threatened environment to make those --to measure those successes is the type of person we were looking for and is precisely the reason we were looking for them. It is all about metrics. Mr. Etheridge. Thank you, Mr. Chairman. Mr. Thornberry. Thank the gentleman. The gentleman from Georgia. Mr. Linder. Thank you, Mr. Chairman. I only have a couple of questions on this idea of sharing intelligence and information. I think we are beyond the stage where our intelligence agencies are not sharing with each other. Is that fair to say? Mr. Liscouski. Yes, if I heard you say, we are beyond the point where we are not sharing. Mr. Linder. Yeah. Mr. Liscouski. Implying we really are sharing the information. Yes, sir, you are correct. Mr. Linder. How good are we at analyzing what we are getting? Mr. Liscouski. At what level, at the physical level or the traditional threat level or at the cyber level, sir? Mr. Linder. The threat level. Mr. Liscouski. At the traditional threats level, I think we are very good at analyzing it. This is an extremely difficult problem, and I can speak to it some, but I really defer to my colleague, Bill Parrish, the Assistant Secretary for Information Analysis, in his domain. But I have operated in this space for quite a long time, and our capabilities for analyzing information have only increased over the years. I mean, we have gotten very good as a whole, as the Intelligence Community, to analyze information. It is an extremely complex problem because you never have the perfect information. You can never do the perfect analysis. You can only do it in hindsight and retrospect. It is an extremely difficult problem to solve. But I think the capability is the people we have attracted into the Intelligence Community, particularly in DHS, are really some of the finest minds out there to be able to understand these complex problems. Mr. Linder. And lastly, how cautious or how careful are you in sharing this with first responders? There was a time when they were being overburdened with unanalyzed intelligence right after September 11 to the point they just set it all aside, and it had no value whatsoever. I think you have to be careful what you give to them, that it has to have some specificity, some analysis, and that it is right down their alley. Mr. Liscouski. Yes, sir. In fact, our focus is not on first responders, and I don't mean this in any other way than calling them first preventors. When we are sharing intelligence information, it is really intended to prevent the act from occurring, and we will err on the side of sharing probably too much sometimes. Of course, not in the sense of sharing classified information inappropriately. But working with TTIC, IA, the FBI, we have been very aggressive in assuring we can quickly declassify information to share out to the field, to our consumer base, as quickly and as effectively as we can. That is a challenge we are always going face. Sources and methods, as you well know, are one of those things--that is something that has to be guarded very carefully. But I believe--and I have seen it in practice--that we will err on the side of maybe sharing too much information sometimes, because the frustration you can create by sharing general information without specifics, and particularly with specific activities to follow, sometimes can create a frustration. But, nonetheless, I think as we all mature in this process, particularly as our end users understand the context during this threat environment, they themselves will raise up their capabilities as well. Mr. Linder. Thank you. Mr. Liscouski. Thank you, sir. Mr. Thornberry. Thank the gentleman. Gentlelady from the Virgin Islands. Mrs. Christensen. Thank you, Mr. Chairman. I want to welcome the Assistant Secretary and thank the chairman and ranking member for holding this hearing, given the recent attacks, like the Blaster worm, and the concerns that even a worse attack could occur within several hours or days and the fact that so much of our physical infrastructure is dependent--is so cyber dependent. It is an important hearing, and I want to applaud you, Mr. Assistant Secretary, for your focus on ensuring that cybersecurity and physical infrastructure security are linked in your operation, as it is important as they are linked in reality. I have a couple of questions. One of the--we have been concerned about the slowness of the Department in getting started and being able to plan and address many issues; and one of the obstacles to that has been the fact that we were bringing together 22 agencies and trying to blend them into a smooth operational unit. The NCSD brings together about five different parts of five different agencies--FBI, Commerce, Defense--as well as a center. Are you pretty comfortable that some of the obstacles of bringing different agencies with different cultures together has been addressed and that you are able to move forward smoothly now? Mr. Liscouski. Yes, ma'am. I will tell you why that is a great question. I am satisfied because--I mean, that has been tremendously challenging. I mean, bringing these organizations together under one roof has been something that I don't think any person who even architected this in the planning stages understood the complexity of it. I can speak for my own area within IAIP. As you pointed out, we brought five different organizations into the NCSD and IAIP. I just remind everyone respectfully that we have been in business for 6 months, and the challenge we face in trying to overcome some of those organizations has been pretty daunting; I've got to be honest with you. I mean, when I came in from the private sector to do this, it set me back a little bit when I thought about, How are we going to do this and how are we going to do this in the context that we have a real threat we are facing every single day? If you recall, when we did this, we were at war; and we had to organize ourselves around work to respond to very real threats in addition to bringing people on, creating organization. It was pretty challenging. The leadership at DHS, the senior leadership of DHS, provided the right latitude in order to make mistakes. And that is what we are going to be doing. I mean, clearly, as we start out with this organization what it looks like today, in 2003, will probably be a lot different in 2005, 2010. And hopefully if we are succeeding we are going to continue the path of evolution that will eventually evolve DHS into the robust organization it really does need to be. But we are on that path. It is a long road, but it has been good. I mean, I can tell you in my private-sector experience the thing that has been kind of very helpful to me is knowing that we are going to make mistakes. But we don't have the luxury of not making them. In fact, when we tell people when they come on board--and I have said this before, I think, before the committee--that we have got sort of one thinking. It is a think big, act small scale, fast. We know we are going to make mistakes. We know we have to learn and we are going to evolve. It has been gratifying when you look at it; and we were, on the way over here, reminding ourselves it has only been 3 months for the division and it is been 6 months for the DHS. In dog years it seems like it has been a lifetime. I can tell you that right now, it has been pretty challenging, but we are making some very tremendous progress. Mrs. Christensen. The other concern that I have is, the officials who have left the positions over the few months; and is, related to this, the difficulty in bringing the Department together? Have you identified what the fault is, what were the problems that would cause these officials to leave? As you were looking for a Director of the NCSD several candidates had indicated they weren't interested because it was too far down the chain; they didn't have a direct link to the Secretary. Have you identified what it is that needed to be fixed? Because the continuity of leadership is critical. Mr. Liscouski. Yeah. I would suggest that I am not so sure it needed to be fixed as much as we just had to find the right person that understood this is about execution. The challenge we had was taking a strategy, a highly articulate and well-developed National Strategy to Secure Cyberspace, and then putting implementation plans for that strategy for execution. Two different types of people are required for that job. And it is really difficult to be a strategist at one level and an implementer at another level; and we needed an implementer, and we needed a start-up person that could take something where, to be quite candid with you, is now somewhat of a chaotic environment, when you start things up and just make some very short-term, measurable progress. And that is the type of person we were looking for. So I don't think there was a problem as much as there was finding the right talent to fit that. And it is a challenge, and it is a very risky challenge, because, you know, Mr. Yoran is coming in to us with very definable goals. We have got high expectations. It is very visible. And the risk to him--is you know, at a personal level in terms of potentially not succeeding, as well as to the Department is great. So it is--when you are out there publicly like that, not many people really want to take that challenge on. Mrs. Christensen. Okay. One last question in this round. Reading some of the articles in our background material--and it is also my feeling that the Federal Government should lead by example in cybersecurity--where are we in identifying the risks and vulnerabilities of the government's cyber assets? Are we leading by example? Mr. Liscouski. Leading by example; I think we are probably on a path to leading by example. I suspect there is always a lot of room for improvement. We do have efforts underway to do that. I think FISMA--the law has provided us tremendous guidance and leadership or a framework from which we can operate to ensure we are doing the rights things. So from that perspective I think, frankly, FISMA is a wonderful example to look at as a guide across the board. So I suggest the government is leading by example on that, in that realm. In our purchasing requirements, our ability to justify our programs based upon good security practice, are things that I think are very rational approaches to take as it relates to cybersecurity. So I would argue, yes, I would think that the government is leading by example. We can be doing better. Cataloging our infrastructures, understanding the interdependencies, those are things we are trying to do across the board, and we have got programs in place to do that. I think we will be getting better as we move along. Mrs. Christensen. Thank you. Mr. Thornberry. I thank the gentlelady. The gentleman from Kentucky, Mr. Lucas. Mr. Lucas. Thank you, Mr. Chairman. Mr. Secretary, in June you had detailed the plans for Consolidated Cybersecurity Tracking Analysis and Response Center that would detect and respond to Internet incidents, track potential threats and vulnerabilities, and coordinate cybersecurity and incident response for the Federal, State, local governments, private sector, and international partners. What has been the status of the center? Mr. Liscouski. Sir, the CSTARC, the Cybersecurity Tracking Analysis Center, has evolved into the US-CERT. That was a preliminary step for us to be able to organize ourselves around this effort, consolidate the watch centers and the efforts we had within the other organizations that came to us when DHS was created--those organizations being the NIPC, the CIAO, elements of the NCS, the FedCIRC--into one organization. And that CSTARC represented the first iteration of what we knew was going to become the US-CERT. With the CSTARC we were able to very capably manage a number of significant incidents, the SoBig, the Blaster virus, the Cisco vulnerability. And then that, as I indicated, provided the framework for us to be able to build on that to create the CERT, the US-CERT. Mr. Lucas. This is a hypothetical. In the event that we had a terrorist incident today, a cyberterrorist event, could you just explain to me what process we would use today to notify all these different interested agencies? Mr. Liscouski. Yes, sir. In the hypothetical example, suppose we were notified in the private sector that they first identified a particular exploit, and that exploit resulted in our analysis to determine that that might be something that would be used or may be the focus of a terrorist attack. The combination of resources we have across the Federal Government currently, if it comes to DHS first, our analysis capabilities, leveraging on the US-CERT to understand those exploits is our first stopping point. The US-CERT then quickly engages with other components of the Federal Government, the JTF, CNO, for cooperation and additional analysis. We would reach out to the private sector to do additional analysis. And as quickly as we get our analysis completed to determine what the vulnerability or the threat might be, then DHS has got the advisory capability of putting warnings out very quickly to the entire community vis-a-vis its alert system as well as the ISACs to ensure that we have got thorough coverage. And, again, it is a work in progress. I am not suggesting it works the way it should work all the time or it is as thorough as it should be. Over time, our goal is to ensure that we increase that coverage. Mr. Lucas. I understand you said you were staffing up. You have about 65 now, and you are hoping to have 100-plus. Mr. Liscouski. Yes, sir. Mr. Lucas. So, do I take it from that that you feel that you have the financial resources you need to carry out your mission? Or, if you had additional financial resources, how would you utilize them? Mr. Liscouski. You could always use money, but I am not so sure if adding more money at any point in time is necessarily the quickest solution. The biggest thing you have got to do is build the right framework in the right organization in which to put people in in the partnerships. I think we are adequately funded right now. I think we have got the right path to go on. We can come back and address that downstream in fiscal year 2005. Mr. Lucas. Those are my questions. Mr. Thornberry. I thank the gentleman. The Chair recognizes the Vice Chairman of the subcommittee, Mr. Sessions. Mr. Sessions. I thank the Chairman and appreciate him holding this hearing today, along with the Ranking Member. Mr. Liscouski, welcome. We are delighted to have you here today. And I would say to you, and I think you have heard this from members, we appreciate your private sector experience and the things which you learned there and the focus that that brings to you and the DHS; I think that the Federal Government will be better off because of those lessons that you have learned. I would like to focus my questions today; I just heard you use the word ``framework.'' Some people could also say the word ``business plan'' might fit in the middle of that, framework business plan. On page 2 of your testimony, there are six different pieces that are called status of integrating organizations and functions below into DHS. And it talks about the elements of the National Infrastructure protection center--formerly housed in the Federal Bureau of Investigation--DOD, FEMA, Department of Commerce, Energy, and General Services, GSA, into functions that you are evidently going to be responsible for. I am interested in your discussion with us about the word ``framework,'' about how you are going to bring these functions in to make sure--I guess the best word is to say, ``to measure twice and saw once'' for the efficiency and the effectiveness so that we are not recreating something 7 or 8 or 10 months down the line because of your need just to rush into service. Would you mind discussing those things, those activities of those six different pieces. Mr. Liscouski. Sure. And this is broader than cyber, sir. This really relates to the entire Infrastructure Protection Office. And I would be happy to address that because I think I have got to talk about that, and then the framework for the other divisions fall out of that. Generally speaking--and I will go back to the very beginning when I came to DHS back in March--as I indicated, it was obviously brand new. We had been involved-- when I got there it was about 3 weeks old. So--and we were in the middle of a war and we were staffing up to respond to the threats we had. It was immediately apparent that the work that we were engaged in could not change substantively, because the same elements that came to us from the Energy assurance office, from the NIPC, from the CIAO, from the NCS, those elements were the very elements that were responding to the threats of the present day. So we had to be very careful as we were building this framework and identifying what our bigger mission requirements were that we didn't break anything. So that was job one, and make sure that we responded to those threats. So in our current-day thinking, what we did was basically establish a capability that would operate at one level, which was just putting one foot in front of the other to make sure we were not stepping on a land mine, so to speak, and we were executing against the goals that we had against that particular threat. Now, by the same token, we had to also think in a bigger picture to understand what did the organization need to look like over the 6, 12, or 18 months? So we began to develop an organization based upon the work that we were in. And that was the first question: What business were we in? You know, were we out there doing vulnerability assessments; were we just out there thinking great thoughts about protection strategies we should be doing? How do we create a capability that could address critical infrastructure vulnerabilities across 13 critical infrastructures, 5 key assets, the cyber environment, in a way that we could put coherence around this? So we were able to organize ourselves at the first level to understand what the organization needed to look like. It started off with a very basic line of block chart with two organizations in it. We added a third. We kind of mixed it up. I mean, we really learned as we were going. To your point, we wanted to ensure that we acted quickly to identify the immediate needs but as we built an organization for the longer term. We are exactly in that process right now. I now have four divisions in my organization, because we have identified the need to build it out but yet stay integrated; not specialize too much, but orient ourselves according to sort of our business approach. And I can get into some more detail if you would like. But effectively what we started doing was a supply chain analysis. We looked at our client base and we looked at the private sector, the Federal sector, State and local governments, the territories. We looked at all those client bases and determined what was it we were delivering, what was it they needed, and how do we deliver it and what were the inputs into that delivery system, into the production system. And that is precisely what we are doing. So we are still going through that process. I suggest it is going to take a few more months before we really figure out the exact processes we need in terms of an organization. And then, as I said earlier, this organization is probably going to evolve as we learn more about our businesses as we go along. It will be a continuous work in process, I can promise you that. Mr. Sessions. You know, I think some of my comments--and I don't presume to know the things which are important necessarily to each one of these elements, not being aware of all the databases; but it is my hope that you would be able to develop in some efficient factor a database with firewalls with the elements that you need to avoid six database administrators, six of everything to accomplish these things. And that kind of goes back to the framework that the house--the sandbox you are going to build. And it is my hope that really your private sector vision would allow you and the assistant secretary that luxury to please make sure when you build that, whatever it is, that you do it within that framework. And I guess my last comment is very plain. And that is, we heard testimony last week where the people who were in charge didn't communicate what they were in charge of, didn't tell anybody what they needed to be doing, and there was a failure from top to bottom, command-and-control structure. And it is my hope that you really do follow up with those things of integrating yourself with business leaders and commercial leaders in this country to make sure they know not only what you stand for but the lessons learned; because I think that the key to this is avoiding or being prepared to avoid a strike that would cripple this great Nation. Thank you for your service. And we appreciate your being here today. Mr. Liscouski. Thank you, sir. Mr. Thornberry. The gentlelady from Texas. Ms. Jackson-Lee. I thank the Chairman and Ranking Member again for holding a very vital and important hearing. And Mr. Liscouski, thank you for your willingness to accept what I think is a larger-than-life challenge. It is something that I hear when we travel. We had some hearings, field hearings in Los Angeles and Long Beach, looking at the ports; and cybersecurity technology permeates every aspect of the needs of homeland security. And I am hoping that you are getting that sense by the position. And I am going to take a line of very rapid-fire questions and a series of them, and then if you could try to respond. One of the questions already asked about being able to coordinate, if there was a cybersecurity or cyber attack, coordinate with respect to our own Federal agencies. My pointed question is: Do you feel confident that you have the authority, in essence the power, to be able to command forces that deal with cyber issues in a time of a cyber attack? And I really want you to be pointed on the question of authority, because that is our responsibility. How can we assist you to do that? Because it certainly is telling that we have had a trail of back--the back of people's backs--and that is departures-- respecting their reasons for doing so, but that is what has occurred. So it is a great concern to me that you be vested with the authority to do the job. One of the things that the Federal Government has as its assets--it has many assets, but it has several that relate to homeland security and terrorist attacks. Certainly it is a role model in action. So goes the Federal Government, so goes the rest of the community in terms of looking to how we respond. They watched us on 9/11, and I think we are quite grateful that we were able to muster our senses about us and maintain the continuity of government. The Pentagon was excellent in the face of tragedy, and we all tried to support them and go forward. But that was looked upon. We also have the bully pulpit as to how we can encourage communities to pull up their boot straps and get going on some important issues. So I want to know specifically about the authority. Let me also say that--have we made and do you have under your belt the enunciated vulnerabilities of the Federal Government; specifically know where the cracks in our armor is? We wanted to come and either have you delineate those--and you might give them to me generally--but if we wanted to have a closed-door session where you said, really pointed out some of the large gaping holes, could you today, September the 16, 2003, list those for us? Very vital. Because as I said, if the government collapsed in the midst of a tragedy, we are certainly sending a bad signal out to those who are struggling to overcome whatever the problem is. Rapid fire, I continue. Have you found any connection to cyber problems with respect to the massive blackout? Are you engaged in a collaborative effort in that investigation? What would be your response to the fact that we are raising brighter and more inquisitive teenagers? I cite the 17-year-old in the western State who was part of the virus epidemic. Of course, everybody is talking about what a great young man he is; he didn't mean it. But they are everywhere. How are we dealing with the potential of this bright emerging army of detractors? And do we do an outreach campaign? Do we work with schools? How can Homeland Security be of help to you on that? Do we have a doctor in the House? Are we able to have our researchers and doctors look at--and when I say ``doctors,'' I put quotes around it--look at the next virus on the scene? Why are we only reacting? Our Nation is going to look to us to be preventative medicine, so why are we in the same boat as my BlackBerry ran away with itself a couple of weeks ago with it is coming, it is coming, it is coming? No solution, but it is coming. I think we need to be in the business of preventative medicine. Who are we retaining? What kind of resources do you need to be able to be the predictor of what is to come? And, finally, we did something in a bipartisan manner last week that I am very proud of, and that is the Fair Credit Act, I believe. But a big piece of that was the protection against identity theft. But we can't do it alone with an authorization bill under financial services. I believe that identity threat is a threat to the homeland security because why? Terrorists can steal your identity and walk around and be as unpredictable as possible. What are we doing with respect to identity theft which comes a lot through the computer? And I thank you for responding to these rapid- fire questions. Mr. Liscouski. Thank you, ma'am. If I took them down right, I will be able to respond to them intelligently, hopefully. First, I have to be able to read my own handwriting. With respect to coordination, and specifically with respect to the question of authority, I want to clarify one point. DHS has got authority, protection authority. By statute, the Homeland Security Act has set DHS up to be the promulgator of protection strategies. From an investigative standpoint, we partner up with the FBI, with the Secret Service, which is clearly part of DHS. But the FBI has got the lead in many of these cases to-- and this is where we probably need to get in a little bit of a closed-door session, I think. But at the top level, the authorities that we have, clearly I would say we have adequate authorities to ensure that we have protection on our cyberspace. And I say that in a thinking mode primarily because we are just in the execution phase of our strategy. And I think time will tell whether we have the appropriate--whether we are impeded from executing fully the strategy that we need, as has been articulated in the strategy and as we have identified it. But I would say right now, yes, DHS has been provided the full authority that we need, there are some excellent programs we have in place and that we have in plan, that are not appropriate for this session, that I think really can articulate what those authorities are and how we are meeting those things. As it relates to responding to an attack and what that might imply for other activities the U.S. Government would be engaged in to prevent or actually to intercede or interdict a cyber attack, those are resources which are not just owned by DHS but other components of the Federal Government. So again, that might be a more appropriate discussion for a closed session, if you can indulge me on that. On the second point: Have we made a full analysis of our vulnerabilities? Again, I can tell you it is a work in progress. I don't think we will ever know. I mean, the context of a full analysis of our vulnerabilities implies that we can get our arms around these things. And in the dynamic and ever- changing environment in the technology world, new vulnerabilities are always going to be coming out. And the challenge we have is not just articulating or clearly identifying and articulating those vulnerabilities in a steady state. But there is no such thing as a steady state in the technology world you identify with the vulnerability of a nuclear power plant, because typically that technology doesn't change. The threats to the nuclear power plant are not necessarily static, but there are only so many ways you can attack it. In the cyber world, it is very dynamic. So that will be a continuous work in progress. We have our hands on what I think is a good fund of information that articulates what our vulnerabilities are in the government, and clearly we are working hard on that. Again, that might be more appropriate discussion for a closed session. With respect to the blackout, again I have to apologize. In fact, I guess I will be coming back tomorrow at a different committee hearing to discuss the blackout. I am not at liberty to say what we have found in terms of root cause and what the respective relationships are in the cyber components. That report will be coming out. I believe there will be an interim report here in October, and that will be published by DOE and the task force. I will have to indulge you on that question as well. An interesting point you brought up about the teenagers and those who are propagating viruses and the relative ease they have with which they can do that is a serious concern. You have got a number of different types of viruses that can be created out there. One is just basic tool sets that people pick up off the Internet. They get bored with--they decide they want to cobble them together, and they create a virus, and that can happen fairly quickly. There is a different one, a different set, different mind-set of people who decide they want to do this, and then just quietly make them available to those in the quote -unquote teenage realm here that you described, that they are not even smart enough to maybe make their own viruses; they might evolve them a little bit, but they are not the original architects, and then all of a sudden these viruses find their way into the public domain. I think our authorities, I think the law enforcement community needs to aggressively pursue these people. I think this is similar to a discussion I had with some advocates in the private sector who operate in the security space, that they really want to see the government, the law enforcement community, go after folks who provide the basic tool sets, the basic knowhow to anybody on how to propagate a virus. This is similar to becoming a conspirator in a crime. Somebody mentioned an excellent example. If you are the driver of a getaway car in a bank robbery and a passenger, your codefendant, decides to shoot somebody and kills them, you are equally as guilty as the shooter, just being the driver. We should probably take the same attitude toward people who propagate viruses. This is serious. And when you talk about billions of dollars' worth of damage and losses to the private sector and the government, these are no light matters. We need to take this seriously. The doctor in the house, the capability that we have in the research community of developing the right talent, I think DHS partnered up with others in the community, DOD in particular, creating centers of excellence, providing scholarship programs for cyber--you know, in the information security world. It is a tremendous step forward. Do we need more people? We absolutely need more people. And I think we are making the right steps to address those needs. And your final question: The Fair Credit Act and what are we doing to protect against that? Again, I think there are good efforts going on in that space. I think the FTC, and I know Orson Swindle in particular, has been very aggressive in putting the word out about what consumers need to do to protect themselves. The Secret Service operates in the identity theft space. I agree with you, it is a very, very important issue. It gets back to the issue about privacy and how you protect privacy, and that is a central component of information security. You cannot have privacy without good information security. So,I appreciate your questions. Mr. Thornberry. The gentleman from Rhode Island. Mr. Langevin. Thank you, Mr. Chairman. And I want to join with my colleagues in thanking the Chairman and the Ranking Member for organizing this hearing. And, Mr. Secretary, thank you for being here as well. If I could, you had said that home and broadband users are one of the groups you would like to focus on outreach and education. And certainly, without a doubt, they are one of the greatest neglected weaknesses in our national plan to secure cyberspace. Can you give us a better sense of how DHS is planning to address this? And would it be appropriate to work with, for example, the Federal Trade Commission, which, as you may know, is also mounting its own ``stay safe on-line campaign''? And do you feel that a large-scale public awareness campaign needs to be launched? And, in particular, and following up with one of the points my colleague from Texas made in terms of reaching out to young people, and maybe through demonstration programs, how we can involve young people in these awareness campaigns and kind of harness their energy and natural ability to work with computers? I think that would be a good place to start. And one other point I would like to address, and this may have to be addressed in closed session, but I think it is an important point of focus. And that is in your vulnerability assessment on our national assets and other areas. We have seen a trend in recent years worldwide among terrorist attacks, that terrorists focus on high-casualty, high-shock value events. And I am curious and I think we all need to be attentive to what those areas are in the world of cybersecurity that fall into that realm. There may be only a few areas that would compare to the use of a WMD in the cyber world, but those are the things that I think we need to have high priority and focus on. And I would like to at some point, even if we can't do it here in open session, to follow up on that. And I think that would be important. Thank you. Mr. Liscouski. Thank you. I am just trying to read my own handwriting--your first question. Mr. Langevin. It was on your comment earlier that home and broadband users--. Mr. Liscouski. Do we need a large-scale--exactly. With respect to the broadband, one of the things we are working with the National Cybersecurity Alliance. Among those representatives on the Alliance are ISPs, AOL, and others. And they are taking an individual responsibility to educate home users to the challenges and security challenges they face in broadband connections. I would like to see that expanded. I think there is no question that the broadband community, you know, the commercial space there needs to be really--from my point of view, I need to use the bully pulpit to get them to understand their responsibility that, as they sell broadband connections, they have got to provide better awareness notices to their users about the potential damage that can be done. Because it doesn't just affect the individual. As you are well aware, the individual user--these viruses propagate very quickly, and consequently can spread across--using zombies or using personal computers that are accessible via broadband connections and then propagate these attacks. So there is a real, I would suggest almost fiduciary responsibility on their behalf. But that might be a little bit too aggressive. But at the end of the day, we need to put that awareness and that responsibility with the ISPs and the broadband connections, cable companies, et cetera. So I do certainly agree with that. The educational efforts, the outreach efforts, from our point of view are geared toward educating the consumer. Your point about young people and education, I liken that to, you know, the DARE program, the Drug Abuse Resistance Education program that has been around for--must be 20 years now. Educating kids--and this is clearly a different perspective. We are moving from self-esteem to responsibility and how do you act. But I agree. I mean, it scares me to death to know that young kids are on these Internet connections not knowing about the dangers that they face through going to chat rooms and the vulnerabilities that they have there. I mean, just the vulnerabilities of kids being on the Internet is something that scares me. And that is something that we can address through good education programs in the schools. DHS is going to be working hard to figure out how we do that and reaching out to the schools to provide good awareness and good education programs. Fortunately, the NIPC did this previously. We have inherited those programs so we have got a basis for doing that, and I think they have been successful. They have got poster programs. But we need to expand that. It is a high priority for me personally. The vulnerability assessments, the trend in recent years that you have articulated. Clearly, you know, I can get into depth in this in a closed session, but at a top level we do worry about the combination of a physical and cyber attack. You know, a cyber attack preceding a physical attack, taking out a 9/11 system and then combining that with a physical attack. You know, it is a scare. Is it doable? I would say at this point anything is doable. And it is something we worry about a lot. And we are working down--I can tell you one thing we are working very aggressively on is--and the categories of all the critical infrastructure we really worry about--we look at what the nexus would be with a cyber attack to see how that might be enhanced or what that sequence might look like. Mr. Langevin. Thank you. Mr. Thornberry. I thank the gentleman. Mr. Liscouski, I would like to--first let me ask this. Before you took office, the administration put forward this document, which is the National Strategy to Secure Cyberspace, dated February 2003. So far, have you discovered a major gap or something that--where you think the emphasis was not placed, the proper emphasis was not placed in this document? Or is this something that you can still go by today? Mr. Liscouski. No, sir. It is still a very valid document. A lot of good thinking went into that, and I think the private sector's input into that became particularly valuable to me as we thought about how we needed to create our national cybersecurity division. Mr. Thornberry. Well, I would like to just briefly--and this will entail a little bit of repetition from what you have already talked about--but I would like to go through those five priorities and ask you to kind of give us a snapshot of where we are with each of them. For example, the first priority listed in that document was a National Cyberspace Security Response System. And they talked about a public/private architecture where you would analyze attacks and warn and manage incidents and then respond. It sounds to me like that is essentially what US-CERT is going to be doing. Is that the primary way that we are going to implement that priority? Mr. Liscouski. Yes, sir. It is the foundation for it. The US-CERT is clearly the linchpin for that effort. Mr. Thornberry. And then what more needs to be done? Mr. Liscouski. Well, we need to--clearly, building relationships at the private sector. I think the US-CERT is an excellent start at that foundation. And we have engaged in discussions with the private sector, the Nortons and the McAfees of the world, to determine how we can integrate their contributions to this effort. I think there is a lot of good work that can be done there. The private sector is doing a tremendous amount of good information collection and analysis on viruses and vulnerabilities that we would like to be able to integrate more robustly. And then extending the information out--as we spoke earlier, the National Response System is not just national but it is international as well. So we have a lot of work to do there as well, sir. Mr. Thornberry. The second priority is a National Cyberspace Security Threat and Vulnerability reduction program, where the National Strategy talks about reducing the threat, identifying vulnerabilities, and then trying to develop systems with fewer vulnerabilities. Give me a snapshot of our efforts to implement priority No. 2. Mr. Liscouski. Again, and you know, the dominant theme here is private sector. And we have to again work with the major manufacturers and the smaller manufacturers of both hardware and software technologies to ensure that when they produce technology, it is according to guidelines and expectations that they have fewer and fewer security vulnerabilities. And if we can--and to be candid with you, companies are stepping up to that challenge. You know, pointing out to Microsoft and the things that they have done, they have taken this responsibility. I know they have been subject to a lot of criticism, but at the end of the day they are--their chief security officer is responsible for overseeing many of the programs that they have. They have taken very good steps here. It is a good example of what we need to be doing with the private sector. Those who produce it have to understand that they have the responsibility of producing good technology the first time around. Security defaults should not be off. I mean, this is the classic thinking of just basic things that need to be done. They are making good inroads there. The other point is to continually look at the infrastructures, you know,the vulnerabilities that we create by implementing technologies. I mean, this is a bigger discussion, to be quite candid with you, but we are doing a lot of analysis as converging technologies come in. I mean, we look at the convergence between the IP world and the telecom world and the vulnerabilities that are inherent there, because of--and forgive me for going too deep into this. But just as an interesting example, one of the advances of technologies, because they become more efficient, they themselves bring about vulnerabilities because now one device can do the work of 10. Where you had redundancy before, now you are down to a critical path of one device as being a key vulnerability. So we are constantly looking at those things as well. Mr. Thornberry. Talking about the private sector, at this point, do you have an opinion about whether market forces are going to be enough to elicit the kind of response from hardware and software vendors that the country must have? Mr. Liscouski. I am optimistic that the market forces will be sufficient. But I am prepared to say that if they are not, we need to quickly adapt our thinking. Mr. Thornberry. And as part of that reduction of vulnerability, is the Department looking at physical infrastructure related to cybersecurity as part of our vulnerabilities and part of what we need to assess? Mr. Liscouski. Yes, sir. And, unfortunately, this has been going on prior to even the establishment or the articulation of a national strategy. The NCS, the National Communication System, which was previously a DOD component, did a significant amount of work on vulnerability analysis of the telecom industry and then the IP backbones. So we have got a significant amount of data here that already allows us to be able to identify these vulnerabilities, and we are continuing to expand that. Mr. Thornberry. It seems to me greater work is going to be needed in that area, and we can discuss that at another time. Mr. Liscouski. Yes, sir. Mr. Thornberry. Let me briefly go through. The third priority was a Cybersecurity Awareness and Training Program; a number of questions have dealt with that so far. Is that going to be the focus of your summit in the fall? Mr. Liscouski. That is a key component of it--for us, understanding how we can better reach the community. And our summit is going to include not just those in the technology industry, but across industries, so we have a broad approach to understanding the problems. So, yes, sir. Mr. Thornberry. The fourth priority was securing government's own cyberspace. You have been asked about that before. But I am unclear, frankly, as to how much authority or influence you have in bringing the rest of the Federal Government along. My understanding is that that has been primarily OMB's responsibility. And just about every witness we have had before this subcommittee says that the government is nowhere near where they should be, and that if the government would lead, it is such a big consumer and has such market power, that it brings the rest of the country along with it. But what is your role exactly in bringing the rest of the government along? Mr. Liscouski. Our role is really to support the OMB. OMB does have the initial lead to ensure that, through FISMA and through the regulations that they provide and the oversight, that the government is responding to their responsibilities to provide security. DHS's role in this is really to coordinate the incident response and warning through the FedCIRC through the Federal Government, and I think that could be expanded to understanding more about the vulnerabilities. As I indicated earlier, we do have the patch for remediation responsibility through the PATC to ensure that the right tools are available to the government. So we have a responsibility there, sir. Mr. Thornberry. The final priority was national security and international security cooperation. I don't know--you have alluded to those things briefly before in your testimony. I suppose that is an area where there are an ongoing efforts and will have to continue to be ongoing. Let me ask you to do this. Rate where you believe international cooperation is on cybersecurity at this point. Mr. Liscouski. I had said in the beginning stages, it is tough to put a numerical code on it. I would say we are really in the beginning stages of understanding--well, we clearly know what we need to do, but we are just in the very beginning stages of really making some progress and establishing the relationships that are so necessary for us. There is a lot of opportunity there for us. It is a big world. I mean, there is a lot. And as you pointed out earlier, this technology is ubiquitous. It is not necessarily discriminating by economic income in terms of gross national product. I mean, you can get cheap technology out there and create these vulnerabilities. So we have a lot of work ahead of us to do, and I think we are positioned to do it. Mr. Thornberry. Thank you. The Chair recognizes the distinguished gentleman from Florida, Mr. Meek. Mr. Meek. Thank you, Mr. Chairman. Thank you, Mr. Secretary, for being here. Speaking of the private sector, and I guess when we speak of the private sector we are just not talking about domestic private sector, because the cybersecurity is a huge issue. Recently, as you know, with the New York blackout you had thousands of New Yorkers in subways and you had folks in Detroit and auto plants that were shut down, and it halted after-hours trading as it relates to Wall Street. A lot of things took place. What exercise did the Department go through to find out was it or was it not a cyber attack? That is one. Two, what happened in the private sector as it relates to that, especially in our energy industry and those that handle their cyber needs? What took place as it relates to checking, making sure that we weren't under a cyber terrorist attack? Mr. Liscouski. Okay. If you can indulge me, I have to speak in general terms. Mr. Meek. Sure. Mr. Liscouski. We are in the process of investigating that component. I chair the Security Working Group for the Electricity Task Force. So, in that capacity, I have got to be careful what I can say and what I can't say. We are going to have a hearing tomorrow on this and we are going to be publishing reports downstream, so I want to be a little bit circumspect. But what I can do is discuss what we did as DHS during the blackout, and I might add some clarity about how this process works a little bit, because I think it is clearly relevant and it is not going to be disclosing anything that can't be disclosed. I am quite proud--I mean, DHS should be very proud of how we came together to respond to the blackout along with the rest of the Federal Government. But DHS in particular was sort of the point in contact in understanding what was going on in the industry. We immediately reached out, upon learning what was going on, to the industry to determine what was their perspective. I mean, it is the unique thing that DHS has the ability to reach, through the ISAACS, to the private sector, in this case the NERC, to determine what is going on and what is the situational awareness component that we need to respond to. Do we have a terrorist event? Because precisely how we are positioned to respond is, you look at an event like that, then you immediately go to the next step of saying what can occur next? Is this a terrorist event? And even if it is not, A, could it be exploited? Or, B, if it is a terrorist event, what is the next step? And we immediately have the capability to do that. So DHS was able to come together very quickly across its directorates, ask those questions, gain situational awareness, and provide direct advice to the Secretary and subsequently to the President about where we were. And then working with the FBI, the combination between DHS and FBI, we were able to quickly conclude from an initial perspective that there was no terrorist nexus there. Mr. Meek. So were you pleased with the checking process as it relates to is it terrorism or is it not terrorism amongst many departments and even the private sector? Mr. Liscouski. Yes, sir. Mr. Meek. So this report is going to be based upon trying to better what is good already? Or what areas will you be looking at? Mr. Liscouski. Well, the report is not examining how DHS or the Federal community acted. We are really looking at the root cause of the blackout. Mr. Meek. And its potential for taking place again? Mr. Liscouski. Correct. That is correct. Mr. Meek. As you know, with the World Trade Center, there were many attempts and sometimes folks get great ideas. Will there be any discussion on how to not only share with New Yorkers but Americans when an attack like that takes place--as you know, the power was out, there was no cable television for folks to look at, there was really no communications whatsoever. Will that be something that DHS will be looking at, to see how can we contact--I mean, everyone you hear, oh, New Yorkers, they did their thing, things went very smoothly, people knew where to go. But there was a lot of street hollering on the corner on how do you get out of Manhattan. Does the Department's looking into reaching out and to individuals need to be through two-way pagers, through the telephone, through things that were working? Mr. Liscouski. Yes, sir. In fact, that is really within the domain of Emergency Preparedness and Response Directorate under Secretary Mike Brown. They are looking, they are doing a deep look about that type of communication requirement, first responders, et cetera. I would really defer to them. Mr. Meek. Okay. One last question, Mr. Secretary, or I guess a concern of mine. I just want to make sure that cyber partners that we do have that are working with us against this effort in terrorism, that they are working as hard as possible and together. I look at what--your job is almost similar to almost the Intelligence Community. It is kind of hard to share information. You have competition, you have private sector needs and technology needs and things that they want to keep to themselves. But if is not put on the table on behalf of security as it relates to the cyber world here in the United States, we may very well have problems. And when we have a problem, that means that things will be legislated and decisions will be made in haste that individuals may not like. And I think it is important that we encourage them to work. I wish you well on your report. I am looking forward to seeing and hearing more about it. Mr. Liscouski. Thank you. Mr. Meek. Thank you, Mr. Chairman. Mr. Thornberry. I thank the gentleman, and want to mention, again, that this subcommittee as well as the Border Subcommittee will hold our second hearing tomorrow on this interdependency of infrastructures. And Mr. Liscouski will be one of the witnesses, as well as others from the Department, because I agree with the gentleman from Florida; these are critical issues and we need to learn the lessons when it happens the first time so that we are not put at a disadvantage. The Chair would recognize the Ranking Member. Ms. Lofgren. Thank you, Mr. Chairman. A lot of the questions I thought I would ask have already been asked, so I really just have two issues that I want to raise. One has to do with the ISACs. You mentioned them in your testimony. And the feedback I have received from the private sector is that some of them are performing a lot better than others. And that, in particular, telecom actually seems to be working pretty well, IT; but, in the other sectors, that they are basically not functioning. And--and I don't know if this is true or not, but this is what some of the private sector people have said--and the problem may be a lack of funding support. At least that is what some of the private sector people identified. Do you think that that assessment about some of these ISACs is correct? And what should we do to pump them up a bit? Mr. Liscouski. Yes, I think it is fair. I think your characterization of the telecoms and the IT-ISAC as well as others--I think the energy ISAC is another good example, oil and gas. We are looking at them. I guess the easiest answer is that we are examining the best model. I think currently it is sort of a one-size-fits-all model and it is really not the appropriate one. I think the more we learn about the way information sharing needs to be propagated across the sectors, they are so diverse, many of them are very diverse and not technically connected. We need to look at that more quickly, and we are going through that examination process right now. Ms. Lofgren. When will that be completed, do you think? Mr. Liscouski. You know, completion is probably--I mean, I am really looking at changing the model fairly quickly. The funding model is one of those things. I don't want to give you specific data. I would like to get back to you with more of an intelligent answer about what that is going to look like. I think what I would like to do and what I am planning on doing is actually starting a couple of different types of pilots to see what does work. And I would be happy to share that with you in more detail at a later time when we have pretty much our plans finalized. Ms. Lofgren. I would be interested in that, if you could keep us posted. I am sure the whole committee would like to know about it. And if there is a requirement to change the funding stream--I don't know whether we need legislation to do that or not--but I would be interested in that recommendation from you. Mr. Liscouski. Sure. Ms. Lofgren. And additionally, in addition to the functioning of the ISACs, internally I have heard criticism that there is sort of--they are piped, and that there really needs to be some communication among them as well. So I assume that you are--. Mr. Liscouski. Yes, ma'am, that is precisely the point we are looking. Ms. Lofgren. All right. The final question I have has to do with the vacancy rate in your Department. And when you were talking about how challenging it was to come in, I am sure it has been and you want to get good people, you want to get the right people; and it is hard to start an organization from scratch and try and go 65 miles an hour while you are doing it. So I don't want to appear overly critical. But I am concerned that the vacancy rate is still very high, about 40 percent, I would think. And in a way I have been concerned about this, not just with DHS but other Federal departments when we have tried to get people with expertise and technology to come to work for the Federal Government. I tried with the former commissioner of the INS before the creation of the Department. I mean, we couldn't get people to come to work for the Federal Government, which is disappointing. And especially now with the terrible economic situation in the tech sector, it seems almost mysterious that we can't do a faster, better job of recruiting in this sector. So the question is: What are you going to do to fill those vacancies? What can we do, if anything, to help you in getting staffed up as quickly as possible? Mr. Liscouski. Well, I appreciate the concern. And, you know, attrition rates and vacancy rates are things that always plague every business or every government. So it is not a question of that. And I can't speak to the exact number, so I apologize. I mean, we can get back to you on that. But let me just address it by this. First of all, the workforce we are attracting is a talented workforce. I mean, we are extremely fortunate with some of the folks that we have attracted. And I think, you know, in my experience--I was in the government; I left my career with the State Department back in 1991 And was very impressed with the folks I worked with and my colleagues. I am happy to say I think that workforce has continually increased in its capabilities, particularly in DHS; I have been gratified to see that, folks particularly in the IAIP area. So we have been successful in doing that. One of the challenges we have when we recruit people from the private sector is going through the clearance process, because the clearance process and working at the levels we are working at require us to take a 6--to 9-month clearance process, and you really can't even work effectively at all until you have got those appropriate clearances. So, while we may have people identified in positions, they can't occupy those positions until they have been vetted and the clearances have granted. And that might be contributing to some of the vacancies you are hearing about. But we are working hard. And, you know, I appreciate your comments and I would like to just kind of, I guess, recognize that the people that are there today are really working extremely hard. I mean, this country is extremely fortunate, and I have got the benefit of working with them on a daily basis, and they put in some incredible hours and they are really dedicated. And I can tell you right now, since March 1st, the folks that work in our directorate have been working nonstop. I mean, literally, you go in there on Saturdays and Sundays, and some days you think it is a Wednesday. You know, it is just--it is staffed, And people work hard and they are dedicated. So we are very fortunate. Ms. Lofgren. If I can follow up--and that is good to hear. Perhaps the resources that we should apply then might not even be in your Department but in the FBI to--maybe additional resources to do the clearances. Would that be of assistance? I mean, there is no real reason why it has to take 9 months to do the clearances, just the work is the lack of personnel to put on it. Mr. Liscouski. I am not competent to be able to answer that question, but I suspect we can probably get back to you on that. Ms. Lofgren. I would like to know that. And that may be something we could help to address, because that is something we ought to address, it seems to me. And I yield back my time, Mr. Chairman. Thank you. Mr. Thornberry. I thank the gentlelady. Dr. Christensen. Mrs. Christensen. Thank you, Mr. Chairman. Mr. Chairman and Ranking Member, it does occur to me, and it came up earlier, that there may be reasons for us to ask the assistant secretary to meet with us in a closed and classified setting, because there may be some questions we might not want to ask in a public hearing. I have one further question for you, Assistant Secretary. One of the objectives of the National Strategy is to foster adequate training and education programs to support the national security need. You talked about the relationship with Carnegie-Mellon and you made reference to relationships with other universities. I wonder if you would elaborate on that some, and also talk a bit about how you would ensure the involvement of historically black colleges and universities and other minority-serving institutions. Mr. Liscouski. Yes, ma'am. There are a couple of different ways we are addressing that. First of all, my colleague, Under Secretary McCreary, has got a program--and forgive me for not knowing the exact specifics on this--in which they are creating partnerships with universities. And I believe it is among those major components that the partnerships are to enhance educational opportunities for the specific areas that we need. So I think it is probably more appropriate to sort of field that question to Under Secretary McCreary's area. But in our area and working with other partners, you know, the NSA sponsoring the centers of excellence and the university programs that they have, are geared toward enabling opportunity, creating opportunities for educational programs and students to get into the information security area in particular. It is an area that we have a very keen interest in and we are looking to support that. I can't speak to the programs themselves in terms of where the emphasis is on that program in historically black colleges, but I am almost certain I remember a conversation with NSA officials that they have established centers of excellence at schools that really honor diversity. But, again, I can't speak competently to that question, but I would be happy to get back to you. Mrs. Christensen. Well, given the extensive need for personnel who are really--who are well-skilled and trained, and the sensitivity of the issues that we are going to be dealing with, not allowing us to always go overseas to seek personnel for these offices, I think it is important that we build up our personnel from within and that we extend and expand it to include these institutions as well. Mr. Liscouski. I agree. Mrs. Christensen. Thank you. Mr. Liscouski. Thank you. Mr. Thornberry. Ms. Jackson-Lee. Ms. Jackson-Lee. Thank you, Mr. Chairman. I again thank you for the hearing that we will have tomorrow and the one that we are having today. I would like to join Congresswoman Christensen on this issue of HBCUs and the matching of talent. And I think that your point about outreach is extremely important. I would make a suggestion that the Secretary be referred to having a meeting with the president of at least a number of our HBCUs. They are certainly--I think it is definable as to those institutions that may even have those disciplines that would be an excellent feeding source, or a source of talent. And I would add, of course, Hispanic-serving institutions as well. We did that in the previous administration with having a roundtable with about 10 to 20 HBCU presidents, and it really, really is effective in terms of getting them focused and working in partnership with talented individuals who may not be aware of the opportunities and but yet they have great talent. So I would appreciate it if we could get a response back on that request as to the facilitating of that meeting. And any way that we can help to facilitate would be happy to do so. Mr. Liscouski. Yes, ma'am, thank you. I think that is a great suggestion. And I can tell you, we would like to take you up on that, but we will get back to you formally. Ms. Jackson-Lee. I appreciate it very much. Mr. Liscouski. Thank you. Ms. Jackson-Lee. Let me note, if I understand, when I asked the question about blackout, just give me your answer again. You were saying it is another committee? Or you are going to be here tomorrow discussing? I know we have a hearing tomorrow and we have that as one of our topics. Is that what you were suggesting to me, that you would be able to give more on this issue of what impacts cyber had on the blackout tomorrow? Or are you waiting on a report? Mr. Liscouski. I may be able to speak at a top level tomorrow; but in earnest, I have to tell you, we have to really conclude the report. We are still going through the analysis. So it is really any preliminary conclusions we come to at this point can easily be eclipsed by other facts that might lead us to a different conclusion. So I will just have to defer to the report, ma'am. Ms. Jackson-Lee. And that report will be--what is the date are we looking at for that? Mr. Liscouski. I don't know if it has been published in terms of the specific dates. I know the task force is shooting for sometime in the late October time frame. Ms. Jackson-Lee. Late October. Mr. Liscouski. Yes, ma'am. Ms. Jackson-Lee. And that is, of course, a public report? Mr. Liscouski. Ma'am, I don't know, to be honest with you. I will have to find out. Ms. Jackson-Lee. All right. Well, will you provide us with that information even tomorrow as to the status of that report? Mr. Liscouski. Certainly. Ms. Jackson-Lee. Let me just pursue briefly the line of questioning that I had before about authority and the role of DHS. And I think you said to me that the role is to protect from cyber terrorism; that DHS protects from cyber terrorism, and the FBI is in the business of responding to the attacks or really on the aggressive end of it. My concern is does it make sense to divide the experts, the ones that are telling us the story, and then those who have to react to the story? Is there a protocol to have two teams, the two teams interact with each other? And then when there is a crisis--that is a question I was asking--who is in charge? Now, you indicated the FBI. But then how does the component that you work with get merged into the FBI? Because when we are in crisis, we need all of the thinkers working together, the reactors; but those who say I have got a solution, because I know on the protection side what we had to do. And a protection response, is it making it more difficult to get people in the protection side? Because certainly there is a lot more energy and excitement maybe on the response side. But I am particularly concerned about the authority question and the protocol that would merge them, if necessary, and whether there is interaction even in the backdrop of the day-to-day work, which I think is extremely important. Mr. Liscouski. I thank you for the opportunity to clarify, because I think I misled you a bit on my remarks earlier. It is not unique to the FBI in terms of the enforcement and the investigative responsibility. The Secret Service--and, as you know, Secret Service is a component of DHS with whom we closely work--also has a responsibility to investigate cyber crime. In fact, within the financial domain, they are really the preeminent experts. Ms. Jackson-Lee. That was a new addition to their responsibilities. Mr. Liscouski. Yes, ma'am, and they are effectively executing against that. They have some tremendous talent, as does the FBI. We are very ecumenical in our approach. We try to ensure that we have got the right resources. And I think the recent--forgive me, I don't know if it was Blaster or SoBig in which both the FBI and the Secret Service jointly investigated, and they worked extremely well together; they complemented themselves extremely well. From my point of view, you can never have enough resources to investigate these things. So I think if a little is good, more is better in this case. And the unique capabilities that are within the domain of the Bureau and the FBI I think both complement themselves and overlap where they are necessary; it is appropriate. We work very closely. And I will just state this: that my intention in creating our capability within IAP and the NCSD is to continuously increase our reliance upon the Secret Service for their capabilities. So, by extension, I would say DHS clearly has the authorities we need. When I was discussing this as it relates to the protection responsibility, it was really relevant to the IAIP mission and the infrastructure protection mission specifically. We do not have investigative authority. We don't need investigative authority, to be candid with you. We have the resources in-house, the DHS, to investigative requirements as we identify them. Ms. Jackson-Lee. But you feel you have sufficient authority to work on the matters that you are working on, but also to coordinate with the other agencies when there is a time of crisis? Mr. Liscouski. Yes, ma'am. In fact, I think we have been able to demonstrate that effectively, as I indicated, through the recent Blaster and SoBig viruses, the blackout. All those incidents have served to really validate the fact that this approach is the appropriate one. Ms. Jackson-Lee. Thank you. Thank you, Mr. Chairman. Mr. Thornberry. I thank the gentlelady. Does Mr. Meek have additional questions? Mr. Meek. Just a small one, Mr. Chairman. Mr. Secretary, I guess we are going to need at a future date--and I don't know, maybe the Chairman and others are thinking about it--but a closed hearing; we can ask a few aggressive questions as it relates to cybersecurity and as it relates to the security of our infrastructure here in the United States. What level of, would you say, urgency and concern that jointly government and the private sector may have as it relates to a cyber attack? The reason why I ask that question, Mr. Secretary--there may be a quick answer that you can give me--is the fact that we know that there are terrorist groups that are abroad, and possibly could be domestic, that would like to take our ability to be able to live financially and socially through the Internet. And since we are doing--seems that we are doing a good job as it relates to trying to keep terrorists and track them down before they cross our borders, and using the approach that they are using in Iraq right now of saying why do we have to come to the United States, we can go to Iraq and still accomplish our goal--what kind of urgency do you see? Because I hear a lot of we are fine, we don't need X, Y, and Z, when I know that there are issues out there that need to be addressed and there are issues that this subcommittee needs to address legislatively. There are issues that the Department needs to address rule-wise and administratively. But maybe there are some areas that you feel that are important that we need to fill the gap. And I am just trying to think of the urgency. I used to be a law enforcement person, and no one is really concerned about the parking lot security outside of any hospital until someone gets pushed down and their wallet or purse is taken. So I am trying to make sure that what--from a scale of 1 to 10, where do you think we are and where do we need to be? Or are we in the right position right now? Everyone, hands on deck, just like they were for the last couple of years? What do you think we need to do here? Mr. Liscouski. Well, I mean, let me just clarify my statements earlier about where we are. I think we are positioned for success. I think we have got the right architecture, the right framework to build on. I think we know where we have to go. But I did not mean to imply that the world out there is not a bad world. I agree with you 100 percent; there are some serious threats that we face. The cyber community, the cyber world is one which we are just really beginning to understand and beginning to see the evidence of what those threats can do to manifest themselves in our technologies. So in terms of sense of urgencies, I don't want to sit here calmly explaining to you what we are doing and give you the false perception that I am not worried about it. I am worried about it all the time. And we need to be worried about it. And the community needs to be worried about it, because we are not in control of those threats. The challenge we have on the cyber world, unlike the physical world where you can really put your arms around somebody and identify the command-and-control structure and the capabilities that they may or may not have to conduct an attack, the cyber world is a lot easier to work in. And although the technologies that you need to do to--there is a debate about how technically savvy you have to be to really conduct a really effective attack or a long sustainable attack. I would argue that I wouldn't want to wait to find that out, and we need to move aggressively and we need to be worried about it. So I am happy to sit calmly before this committee and talk about the things we are doing. But we are not sitting back calmly back at DHS and other places, just thinking about are we doing the right things. We are really trying to move out and get urgency around this. So I agree with you and I share that, and I appreciate your comments of concern, because we are concerned about it. These threats are real, they are ubiquitous, they are everything from the kid that gets bored and decides that he is going to put a virus out there, to organized crime groups that are out there exploiting our networks and exploiting our information and extorting them. Mr. Liscouski. Terrorist groups, state groups, you name it. They are out there. Common thieves, common criminals. They all have the capabilities of doing these things and doing it all the time. We are constantly under attack on the Internet, and you know, if you talk to any of the providers out there and you talk to the folks who are providing services on the Internet community, the backbone, they see threats all the time. They see stuff, it just would boggle your mind. Fortunately, you know they haven't manifest themselves in anything serious yet. And it is the ``yet'' that worries me, the ability to do that is out there, so. Mr. Meek. Mr. Secretary, if I may, that's where I mean, you are hitting exactly where I thought you would hit as it relates to the threat. And the threat is real. We have individuals that are being robbed right now over the Internet, stuck up, ransom, what have you, $50,000 transferred here and no one will ever know about it because it has a lot to do with stocks and trades and investors and security of their own infrastructure. I just want to make sure that we continue to have a sense of urgency. It is not about the preparedness. It is about the consistency of the preparedness. And I know my job and I know our job is to support the Department and the private sector in its efforts, but at the same time, make sure not only that DHS has what it needs, but we keep the pressure on all players of making sure that we do what we have to do, because the last thing that we want is for you for me or anyone on this committee to be identified as okay. You are okay, I am okay, okay, fine. Everything is fine. We need to make sure that you are okay, I am okay, how do we move this ball and play offense because they are playing offense. So I am glad to hear that you are still sitting on the edge of your seat personally and that people who serve in your capacity in the private sector has that same sitting on the edge of the seat hopefully as it relates to playing toward overall infrastructure protection. Thank you, Mr. Chairman. Mr. Liscouski. Thank you. Mr. Thornberry. I thank the gentleman. And I think that discussion that he just had with the witness is an appropriate way to end our hearing because--and I have some additional questions I would like to submit for the record, but I think that sense of urgency that he described is difficult to maintain, not just with cyber, with the whole range of Homeland Security responsibilities. But, yet, we must try to keep that sense of urgency because there is so much at stake. Mr. Liscouski, I will say for me, personally, I am impressed by the actions that you have taken in the cyber field to help bring us closer to where we need to be. I am also convinced that you maintain this sense of urgency. As you said at the end of your opening statement, we are partners in this effort. That doesn't mean we are a rubber stamp, it doesn't mean we are a cheerleading squad. But we are partners with you to try to help maintain the sense of urgency and take real concrete steps that help our country be safer. We look forward to working with you in the future to do that. And again, thank you for your appearance today. I thank the gentlelady from California as always for her work and with that the hearing stands adjourned. [Whereupon, at 11:40 a.m., the subcommittee was adjourned.]