[106 Senate Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:63639.wais] S. Hrg. 106-486 CYBER ATTACK: IS THE GOVERNMENT SAFE? ======================================================================= HEARING BEFORE THE COMMITTEE ON GOVERNMENTAL AFFAIRS UNITED STATES SENATE ONE HUNDRED SIXTH CONGRESS SECOND SESSION __________ MARCH 2, 2000 __________ Printed for the use of the Committee on Governmental Affairs U.S. GOVERNMENT PRINTING OFFICE 63-639 cc WASHINGTON : 2000 _______________________________________________________________________ For sale by the Superintendent of Documents, Congressional Sales Office U.S. Government Printing Office, Washington, DC 20402 COMMITTEE ON GOVERNMENTAL AFFAIRS FRED THOMPSON, Tennessee, Chairman WILLIAM V. ROTH, Jr., Delaware JOSEPH I. LIEBERMAN, Connecticut TED STEVENS, Alaska CARL LEVIN, Michigan SUSAN M. COLLINS, Maine DANIEL K. AKAKA, Hawaii GEORGE V. VOINOVICH, Ohio RICHARD J. DURBIN, Illinois PETE V. DOMENICI, New Mexico ROBERT G. TORRICELLI, New Jersey THAD COCHRAN, Mississippi MAX CLELAND, Georgia ARLEN SPECTER, Pennsylvania JOHN EDWARDS, North Carolina JUDD GREGG, New Hampshire Hannah S. Sistare, Staff Director and Counsel Ellen B. Brown, Senior Counsel Susan G. Marshall, Professional Staff Member Joyce A. Rechtschaffen, Minority Staff Director and Counsel Deborah Cohen Lehrich, Minority Counsel Darla D. Cassell, Administrative Clerk C O N T E N T S ------ Opening statements: Page Senator Thompson............................................. 1 Senator Lieberman............................................ 3 Senator Akaka................................................ 5 Senator Collins.............................................. 16 Senator Edwards.............................................. 18 Witness Thursday, March 2, 2000 Kevin Mitnick.................................................... 6 Jack L. Brock, Jr., Director, Governmentwide and Defense Information Systems, Accounting and Information Management Division, U.S. General Accounting Office....................... 21 Roberta L. Gross, Inspector General, National Aeronautics and Space Administration........................................... 23 Kenneth Watson, Manager, Critical Infrastructure Protection, Cisco Systems, Inc............................................. 33 James Adams, Chief Executive Officer, Infrastructure Defense, Inc............................................................ 35 Alphabetical List of Witnesses Adams, James: Testimony.................................................... 35 Prepared statement........................................... 88 Brock, Jack L., Jr.: Testimony.................................................... 21 Prepared statement........................................... 55 Gross, Roberta L.: Testimony.................................................... 23 Prepared statement........................................... 71 Mitnick, Kevin: Testimony.................................................... 6 Prepared statement........................................... 47 Watson, Kenneth: Testimony.................................................... 33 Prepared statement........................................... 83 Appendix Copy of S. 1993.................................................. 92 Questions for the record submitted by Senator Akaka and responses from: Jack L. Brock, Jr............................................ 113 Roberta L. Gross............................................. 116 Kenneth Watson............................................... 119 CYBER ATTACK: IS THE GOVERNMENT SAFE? ---------- THURSDAY, MARCH 2, 2000 U.S. Senate, Committee on Governmental Affairs, Washington, DC. The Committee met, pursuant to notice, at 10:05 a.m., in room SD-342, Dirksen Senate Office Building, Hon. Fred Thompson, Chairman of the Committee, presiding. Present: Senators Thompson, Collins, Lieberman, Akaka, and Edwards. OPENING STATEMENT OF CHAIRMAN THOMPSON Chairman Thompson. The Committee will be in order, please. I am afraid we are going to have a vote. I guess it is on right now, so we will have to leave momentarily, but let us see if we can get a little something accomplished before we have to leave. Today, the Committee on Governmental Affairs is holding a hearing on the ability of the Federal Government to protect against and respond to potential cyber attacks. This Committee spent considerable time during the last Congress examining the state of Federal Government information systems. Numerous Governmental Affairs Committee hearings and General Accounting Office reports uncovered and identified systemic failures of government information systems, which highlighted our Nation's vulnerability to computer attacks from international and domestic terrorists, to crime rings, to everyday hackers. We directed GAO to study computer security vulnerabilities at several Federal agencies, including the Internal Revenue Service, the State Department, the Federal Aviation Administration, the Social Security Administration, and the Department of Veterans' Affairs. From these and other numerous reports, we learned that our Nation's underlying information infrastructure is riddled with vulnerabilities which represent severe security flaws and risks to our national security, public safety, and personal privacy. Every year, the government gathers information on every one of us because we give the government this information in order to obtain government services, like getting Social Security benefits, veterans' benefits, Medicare, or paying taxes, and yet, year after year, this Committee continues to receive reports detailing security breaches at these same agencies. Sometimes these things improve. Agencies usually will respond to specific GAO recommendations or to a particular Inspector General report. But this is a band-aid approach to protecting information systems, that is, fixing the system little by little, problem by problem after it is revealed that it is no longer secure. What is most alarming to me is that after all this time and all these reports, there is still no organization-wide approach to preventing cyber attacks and the security program management is totally inadequate. I am afraid it is another example of how difficult it is to get the Federal bureaucracy to move even in an area as important as this. Those reports highlight that an underlying cause of Federal information security vulnerabilities is inadequate security program planning and management. When GAO studied the management practices of eight organizations known for their superior security programs, GAO found that these organizations manage information security through continuous management activities, which included specific practices to support their information security principles. We think this is lacking in the Federal Government. And we think agencies must do more than establish programs and set management goals. Agencies and the people responsible for information systems in those agencies must be held accountable for their actions, and I believe that Congress should examine how we can provide assistance to the agencies to ensure that they have the resources necessary to maintain information technology security preparedness at all times. It is clear to me, based on GAO report after GAO report, that what needs to emerge in government is a coordinated and comprehensive management approach to protecting information which incorporates the efforts already underway and takes advantage of the extended amount of evidence that we have gathered over the years. The objective of such an approach should be to encourage agency improvement efforts and measure their effectiveness through an appropriate level of oversight. In order to develop such an approach and begin to find solutions to the problems which have been identified, we concluded that a more complete statutory foundation for improvement is needed. That is why Senator Lieberman and I introduced S. 1993, the Government Information Security Act, at the end of last year. The primary objective of our bill is to address the management challenges associated with operating in the current interdependent computing environment. Our bill begins where the Paperwork Reduction Act of 1995 and the Clinger-Cohen Act of 1996 left off. These laws and the Computer Security Act of 1987 provide the basic framework for managing information security. We recognize that these are not the only things that need to be done. Some have suggested we provide specific standards in the legislation. Others have recommended we establish a new position of a national chief information officer or even a national security czar. These things should be considered and these issues and more will be brought up during our hearing today. The witnesses before us represent a broad array of experience and expertise in the area of information security. First, we have Kevin Mitnick, who has described himself as a reformed hacker. Next, we will hear from Jack Brock, who is the Director of Governmentwide and Defense Information Systems at GAO, and Roberta Gross, Inspector General for NASA. Both of them have done significant work in the area of Government information security. We will also hear from Ken Watson, who is the Manager of Critical Infrastructure Protection at Cisco Systems, Inc., and James Adams, the CEO and co-founder of iDEFENSE. I welcome all of you and look forward to your testimony about the cyber threats that we face today and how we can work together to fashion solutions to the many problems associated with computer security. Senator Lieberman. OPENING STATEMENT OF SENATOR LIEBERMAN Senator Lieberman. Thank you very much, Mr. Chairman. Thanks for calling this hearing on a topic of enormous concern to all of us. The security of our digital information is something that affects every one of us on a daily basis and should be taken as seriously as the security of our property, of our neighborhoods, of our communities, of our Nation, and in the worst case, as seriously as the security of our lives. The reach of the Internet and the alacrity with which it has achieved that reach is the story of the closing years of the 20th Century and the beginning of the 21st Century. Enabled by the remarkable innovation in information technology, we are fast approaching a time when the world will always be on, always connected, always open for business. It will be a fast environment marked by increasing efficiency and decreased cost. But it also will be intensely competitive and without boundaries. Almost every institution we rely on in our daily lives is feeling the effect of this latest technological revolution. Just last month, the General Services Administration's Chief Information Officer, Bill Piatt, wrote something that I think all of us in government should keep in mind, ``From the perspective of our bosses, the citizens, electronic government is neither an option to be chosen nor a mandate to be decreed. It is simply expected.'' So the basic goals of e-Government, which are the electronic delivery of information and services, are the same as government's goals have always been, as enumerated in our Constitution and the laws that we have adopted pursuant to it. But if government is going to be plugged into the networked world as an active permanent presence, we will have to protect the confidentiality, the integrity, and, of course, the availability of the information contained on government computers. We must be acutely aware of the range and content of the information at stake here. It covers everything from the movements of our armed forces and the deployment of our most powerful weapons to accumulated data about the economy and the financial markets, to support for our transportation networks, to the most private information about the American people, such as tax, wage, and medical records. The information in far too many cases today is wide open to exploitation, from pranksters to terrorists and every disaffected person in between. The fact that the GAO has labeled as ``high risk'' virtually the entire computer security system of our government is just unacceptable. We must take action, and quickly, to get the government's computer security systems off of the high-risk watch list. Last year, Senator Thompson and I, and this Committee, looked into what went wrong in the Federal investigation of Dr. Wen Ho Lee, the former Los Alamos nuclear laboratory scientist who is charged with downloading classified information to an unclassified computer. Mr. Lee has been indicted now. The Justice Department is still investigating other areas and, of course, his guilt or innocence is yet to be determined. But the case should focus everyone's attention on the vulnerability that comes with reliance on computers. So, too, should the more recent revelations of former CIA Director John Deutch, who maintained sensitive information on his home computer. The hacking of government sites, including those at the Senate, the FBI, the White House, Interior, and the Department of Defense is actually becoming a near daily occurrence, and I would not be surprised if scores of other government sites have also been invaded. But the truth is, we will never know because monitoring intrusions, much less reporting them, is not required. There are many reasons Federal computer-based information is inadequately protected, but the underlying problem, according to GAO, who we will hear from this morning, is poor management. In some cases, this is a cultural problem. Our concentration on security simply has not grown at the same pace as our reliance on computers. That is why the Government Information Security Act of 1999, which Chairman Thompson and I have introduced, is a beginning step toward correcting this fundamental shortcoming. The bill would put every government agency on notice that it must implement a computer security plan which will be subject to annual independent audits, report unauthorized intrusions, and provide security awareness training for all its workers. There are a number of areas we have not addressed in our bill yet and we will be asking for input on how best to handle them. For example, the government needs to increase dramatically the number of trained information security professionals. In that regard, I am intrigued by President Clinton's proposal for a Federal Cyberservice at universities based on the ROTC model, and we need incentives for universities to train more people in this area. We also need to consider what to do to keep the government informed of technological changes in computer security so we do not fall behind. The President's proposal to establish a National Institute for Infrastructure Protection sounds like a good idea if it provides assistance with R&D and technical support. Mr. Chairman, I am hopeful that the proposal that you and I have made will stimulate significant debate and early action. Our bill is a work in progress. I know that we anticipate hearing from a broad range of interested parties. We have got to particularly listen to those in private industry who have made, I think, much more headway than we in the public sector have in protecting the security of computer-based information, because we do not need to reinvent the wheel here, a very high- tech wheel. We need to share experiences and exchange ideas to learn what works best. I think we have put together a very interesting group of witnesses today. I look forward to their testimony, which I know will help us craft the best possible legislation to secure the government's vast and important treasury of information. Thank you very much. Chairman Thompson. Thank you very much. We are down to a minute or 2 on the vote, so we will recess for a few minutes to vote. [Recess.] Chairman Thompson. Let us go back into session. Senator Akaka, did you have a statement. OPENING STATEMENT OF SENATOR AKAKA Senator Akaka. Thank you very much, Mr. Chairman. Thank you for scheduling this hearing. I have a longer statement, Mr. Chairman. I will ask that my longer statement be made part of the record. Chairman Thompson. It will be a part of the record. Senator Akaka. I just have a few points to make, three of them, to be exact. First, computer hacking has gone beyond the stage of being mischief making. Too much money is being lost. Hacking is a crime, but it has also become an act of international aggression. Last year, there were more than 20,000 cyber attacks on Defense Department networks alone. Second, current technology has so far failed to provide adequate safeguards for critical infrastructure networks. We have little ability to detect or to recognize a cyber attack and even less capability to react. Third, the President has unveiled his national plan for information systems protection. This, I feel, is a good proposal and deserves the immediate support of Congress. Again, Mr. Chairman, my thanks to you. The legislation you have introduced on this subject, S. 1993, is something that we need to address immediately, and the Government Information Security Act is an important contribution. I look forward to today's discussion. Thank you, Mr. Chairman. Chairman Thompson. Thank you very much. [The prepared statement of Senator Akaka follows:] PREPARED STATEMENT OF SENATOR AKAKA Thank you, Mr. Chairman and Senator Lieberman, for providing the opportunity to discuss cybersecurity. In this new age of information warfare, no issue is of more vital importance to our security. A cyber attack against our national information infrastructure would affect the integrity of our telecommunications, energy, banking and finances, transportation, water systems, and emergency services. As the Ranking Member of the Subcommittee on International Security, Proliferation, and Federal Services, I applaud all efforts to call attention to this issue. It is one in which the Subcommittee has also been involved. The Chairman and Ranking Member deserve great credit for the effort that they have made to heighten awareness of the threat while proposing methods to counter the threat. Computer hacking can no longer be labeled benign mischief. Once, those who gained unauthorized access to government and private sector computer networks were heralded as technical icons, whose exploits were lionized by the popular media. That is not the reality any more. Now hacking is a Federal crime at the very least--at the worst, an international act of aggression. As Deputy Secretary of Defense John Hambre has stated, ``We are at war--right now. We are in a cyber war.'' Total losses from cyber fraud, including loss of service, recovery, and restoration costs, are estimated to be in the hundreds of millions of dollars. We now know that hostile countries have, or are developing, the capability to engage in overt and covert information warfare. Last year alone there were more than 20,000 cyber attacks on Department of Defense networks alone. Astonishingly, we do not know who was behind the majority of those attacks. In 1998, during a period of increased tensions with Iraq over United Nations weapons inspections, over 500 U.S. military, civilian government, and private sector computer systems were attacked. What was first thought to be a sophisticated Iraqi cyber attack proved to be a rather unsophisticated, yet highly effective attack by two juveniles from California with the cooperation of several individuals in Israel. Last month, cyber-based denial of service attacks had a dramatic and immediate impact on many Americans and resulted in the loss of millions of dollars when several large e-commerce sites were shut down for several hours. Just recently a student at a major university was arrested and charged with hacking into Federal Government computers at the National Aeronautics and Space Administration (NASA) and the Department of Defense where he was able to read, delete, and alter protected files and intercept and save log-in names. Clearly, cybercrime has become a pervasive problem. And it is getting worse. According to FBI Director Louis Freeh, cybercrime is one of the fastest evolving areas of criminal behavior and a significant threat to our national and economic security. The escalation of cybercrime is rapidly overwhelming our current capability to respond. Current technology has thus far failed to provide adequate safeguards for critical infrastructure networks. The Internet is international, knowing no boundaries and no ownership. Any attempt to stifle its growth and development would be counter productive to the economic interests of America. A variety of easy to use sophisticated hacker tools are freely available on the Internet, available for use by anyone in the world with an inclination to mount a cyber attack. Today, the United States has little ability to detect or recognize a cyber attack against either government or private sector infrastructures and even less capability to react. Nevertheless, we must, through cooperative public and private sector efforts, develop adequate defensive technologies to neutralize threats. Without new defenses, it is likely that attacks will occur with greater frequency, do more damage, and be more difficult to detect and counter. In January 2000, President Clinton unveiled his ``National Plan for Information Systems Protection,'' which proposes critically needed infrastructure improvements with milestones for implementation. This multifaceted plan promotes an unprecedented level of public/private cooperation, and proposes 10 programs to assess vulnerabilities, and significantly enhance capabilities to deter, detect, and effectively respond to hacking incidents. It also calls for vital research and educational enhancements to train adequate numbers of desperately needed information security specialists and sustain their perishable skills. Our continued leadership and prosperity in the global economy may well hinge on our national commitment to act as leaders in bringing information assurance to the global information environment we have helped to create. I commend the Chairman and Ranking Member for their leadership in calling attention to this particularly insidious problem by their introduction of S. 1993, the Government Information Security Act. I welcome our witnesses, and look forward to hearing their testimony today. Chairman Thompson. Our first witness will be Kevin Mitnick. Mr. Mitnick, thank you for being with us here today. Please introduce yourself. Your full statement will be made a part of the record. If you could summarize that for us, we would appreciate it very much. TESTIMONY OF KEVIN MITNICK \1\ Mr. Mitnick. Great. Good morning. It is an honor to be here. I am glad that you value my opinion. It is interesting to note that the United States was my adversary in years of litigation, and despite that fact, I am with you here today. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Mitnick appears in the Appendix on page 47. --------------------------------------------------------------------------- Chairman Thompson. I have seen those documents several times, United States of America versus some individual. It is kind of intimidating, is it not? Mr. Mitnick. It sure is. Despite that, I am ready, willing, and able to assist, and that is why I am here today. I have written a prepared statement. That way, I can just read it and hopefully will answer some questions. Hon. Chairperson Thompson, distinguished Senators, and Members of the Committee, my name is Kevin Mitnick. I appear before you today to discuss your efforts to create legislation that will ensure the future security and reliability of information systems used by the Federal Government. As you know, I have submitted my written remarks to the Committee. I would like to use this time to emphasize some of those remarks and to introduce a few ideas that I did not include in my written testimony. I have 20 years' experience circumventing information security measures and can report that I have successfully compromised all systems that I targeted for unauthorized access except one. I have 2 years' experience as a private investigator and my responsibilities included finding people and their money, primarily using social engineering techniques. Breaching information security measures is a difficult undertaking. As I stated in my prepared remarks, my success depended on exploiting weaknesses in computer systems and network security and the use of social engineering techniques. However, even the sophisticated techniques I have exploited for 2 decades depended on the lack of commitment by software manufacturers to deliver software free of security weaknesses. The manufacturers of operating systems and software applications are under enormous pressure to deliver their products to the market with new features and are unwilling to thoroughly test their software under current market conditions. As a result, operating systems and applications contain security flaws that allow people with the required time, money, resources, motivation, and persistence to exploit those weaknesses. The Federal Government has no control over the security weaknesses that software manufacturers permit to reach the marketplace. Thus, it is imperative to enhance other security measures to overcome these shortcomings. The average American's confidence in the public telephone system is misplaced. Here is why. If I decided to target a computer system with a dial-in modem, my first step would be to use social engineering techniques to find the number of the modem. Next, I would gain access to the telephone switch that controls the number assigned to the modem line. Using that control, I would redirect the modem number to a log-in simulator that would enable me to capture the passwords necessary to access the target machine. This technique can be performed in real time to capture dynamic passwords that are changed once per minute. All of the actions I just described would be invisible to anyone monitoring or auditing the target computer security. What is important here is to consider the big picture. People use insecure methods to verify security measures. The public's confidence in the telephone system as secure is misplaced, and the example I just described demonstrates the reason why. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption, and secure access devices and it is money wasted because none of these measures address the weakest link in the security chain, the people who use, administer, operate, and account for computer systems that contain protected information. It is my understanding that this Committee oversees information security for the Internal Revenue Service and the Social Security Administration. In the United States v. Czubinski, an IRS employee was convicted of wire and computer fraud, the same crimes for which I spent 5 years in Federal prison. It is not lost on me that Mr. Czubinski's conviction was overturned by the First Circuit Court of Appeals as the court found that he never deprived the IRS of their property interest in the confidential information he accessed just to satisfy his personal curiosity, the same circumstances which precisely match the crimes to which I plead guilty in March 1999. Ironically, in their publicly filed briefs, the government revealed the name of the computer system used by IRS employees and the commands reportedly used by Mr. Czubinski and IRS employees in general to obtain confidential taxpayer information. I would like to bring to this Committee's attention how I successfully breached information security at the IRS and the Social Security Administration using social engineering techniques before 1992, which just so happens to be beyond the applicable statute of limitations. [Laughter.] I called employees within these agencies and used social engineering to obtain the name of the target computer system and the commands used by agency employees to obtain protected taxpayer information. Once I was familiar with the agency's lingo, I was able to successfully social engineer other employees into issuing the commands required to obtain information for me using as a pretext the idea that I was a fellow employee having computer problems. I successfully exploited the security measures for which this Committee has oversight authority. I obtained confidential information in the same way government employees did and I did it all without even touching a computer. Let me emphasize for the Committee the fact that these breaches of information security are ongoing and even as I stand before you today and that agency employees are being manipulated using social engineering exploits despite the current policies, procedures, guidelines, and standards already in place at these agencies. S. 1993 is an important step toward protecting the confidentiality, integrity, and availability of critical data residing in government computer systems. However, after successfully exploiting similar security measures at the IRS and the Social Security Administration, as well as some of the planet's largest technology companies, including Motorola, Nokia, Sun Microsystems, and Novell, I am concerned that enacting this law without vigorous monitoring and auditing accompanied by extensive user education and training will fall short of the Committee's admirable goals. In closing, I would be happy to offer my knowledge and expertise to the Committee regarding methods that may be used to counteract the weakest link in the security chain, the human element of information security. That is it. Thank you. Chairman Thompson. Thank you very much. That was very short but very powerful, Mr. Mitnick. Thank you very much. It seems, in essence, what you are telling us is that all of our systems are vulnerable, both government and private. Mr. Mitnick. Absolutely. Chairman Thompson. We had the members of The L0pft here a couple of years ago, some of the computer hackers, who basically told us the same thing. They said they could shut down the Internet and it was not a real problem. As I sit here and listen to you, you are one individual. Obviously, you are very bright, but there are a lot of very bright individuals out there. It makes you wonder, if one individual can do what you have done, what in the world could a foreign nation, with all the assets that they would have at their disposal do. Mr. Mitnick. It is pretty scary. Chairman Thompson. The point, and I think it is one that you make, is that we really do not know to what extent we already have been compromised, and the fact that we do not know or that other people or entities have not taken advantage of that or done something bad to us yet does not mean that we have not already been compromised in some way, is that not true? Mr. Mitnick. It is a possibility. Chairman Thompson. You also point out that the key to all of this, we sit here and think of systems and programs and all, but you point out the key is personnel, that that is the weakest link. No matter what kind of system you have, unless you have personnel that are adequately trained, adequately motivated--can you explain the importance of the personnel aspect to this and what you think we might be able to do about it? Mr. Mitnick. In my experience, when I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. I believe that the government employees and people in the private sector, that their level of awareness has to be--you have to do something to raise their level of awareness that they could be the victim of some sort of scam over the telephone. What I might suggest is maybe a videotape be made that would demonstrate somebody being manipulated over the phone and the types of pretexts and ruses that are used and maybe that will make somebody think the next time they get a phone call. The problem is, people do what they call information mining, is where you call several people within an organization and you basically ask questions that appear to be innocuous, but it is really intended to gain intelligence. For instance, a vendor might call a company and ask them what software, what are you currently using, what computer systems do you have, to sell them a particular product, because they need to know that information, but the intent of the caller might be to gain intelligence to try to target their computer systems. So I really have a firm belief that there has to be extensive training and education to educate the users and the people who administer and use these computer systems that they can be victims of manipulation over the telephone, because like I said in my prepared statement, companies could spend millions of dollars towards technological protections and that is money wasted if somebody could basically call somebody on the telephone and either convince them to do something on the computer which lowers the computer's defenses or reveals the information that they are seeking. Chairman Thompson. So you can compromise a target without ever even using the computer? Mr. Mitnick. Yes. For example, personally, with Motorola, I was working at a law firm in Denver and I left work that day and just on an impulse, I used my cellular telephone and called Motorola, their 800 number, and without getting into details of how this, because of the time constraints, is by the time I left work and by the time I walked home, which was about a 20- minute period, 15- to 20-minute period, without any planning or anything, I was able to, by the time I walked to the front door, I had the source code to the firmware which controlled the Motorola Ultralight telephone sitting on a server in Colorado. Just by simply making pretext telephone calls within that 15- to 20-minute period, I had the software. I convinced somebody at Motorola to send the software to a particular server. Chairman Thompson. So this has to do with personnel, it has to do with training within a larger umbrella of management. Mr. Mitnick. Absolutely, and I think the management has to be from top down, and the whole idea here is to protect the information regardless of whether it resides on a computer system or not, because whether or not this information is printed on a printout or is sitting on a floppy disk, it is still information which you want to protect against any type of confidentiality breach and the integrity of the information from being modified or destroyed. Chairman Thompson. These are the things we are trying to address in our bill. Mr. Mitnick. Yes, I read the bill. Chairman Thompson. We appreciate your comments on that. One of the questions we are going to have to deal with is whether or not we ought to be more specific in terms of training, for example. Mr. Mitnick. I think you should be, because---- Chairman Thompson. We vest the responsibility, but we kind of end it there and leave it up to the agencies to take it from there, but some have suggested that we might be more specific and more precise in exactly what kind of training we ought to have. Mr. Mitnick. Yes, I think that is important because I am not privy to this information, but I assume that there are policies, procedures, guidelines, and standards in effect for protecting information at these agencies, just by protecting the information without regard to the computer systems. I think by explaining my background and experience with the Committee today that you can see that those policies and procedures were easily circumvented. So what the Committee has to--I guess what has to be done is there has to be a way to figure out what the Federal Government could do to protect its information, and just enacting a law or policies and procedures may not be effective. I do not know. I think it really depends on really training the systems administration staff, management, and the people who use, administer, and have access to the information about all the different methodologies that could be used to breach computer security, which is not only just the human element. You have physical security, you have network security, and you have security of computer systems. So it is a very complex issue, so you have to be able to get people on board that would know how to protect each different area. Chairman Thompson. We are not interested in another overlay of statutory requirements, and you are right, there are plenty of laws on the books that have to do with information systems in general. Technology has changed and the government has not changed with it, and what we have discovered is that although we have a lot of laws on the books, there is no comprehensive management scheme out there. There is no way to measure and evaluate the effectiveness of what anybody is doing. We will have a GAO witness here in a little while and we will go over the fact that for a few years now, we keep being told that government is ineffective. It is not working. It is not doing the job. So we go back and Congress does more. So that is what we are trying to do here and your testimony is very helpful. We have other Senators here, so I will pass. Senator Lieberman. Senator Lieberman. Thanks, Mr. Chairman. Mr. Mitnick. Can I make a comment? Chairman Thompson. Yes. Mr. Mitnick. And, by the way, private investigators and information brokers today obtain confidential taxpayer information from Social Security and the IRS and they are doing it as we speak. You can go to any private investigator and hire them to do this. Chairman Thompson. We have had testimony to that effect. Mr. Mitnick. So obviously it is somebody who has access to the computer either illegitimately or somebody that is taking payola to reveal this information that is within the agency. Chairman Thompson. Thank you. Senator Lieberman. Thanks. Mr. Mitnick, thanks for your testimony. You have been very illuminating and helpful. My staff lifted up some clips in preparation and one of them described you as ``arguably the most notorious computer hacker in the world.'' I thought I would ask you if you would be comfortable, as we confront this problem, helping us to answer the question of ``why?'' I mean, in one sense, the ``why'' of a certain number of people, national certainly in security areas is clear. If a foreign government, such as the Serbs during the Kosovo conflict, or some subnational group of terrorists tries to break into our computer systems, that is a pretty clear ``why.'' But this is not like most crime waves. To a certain extent, as I read about your story and hear about others in the kind of daily breaking of government computer systems, it seems to me that there is a different sort of motivation. In some sense, it almost seems to be the challenge of it. If you would, just talk about why you, or if you want to third personalize it, why people generally become hackers. Mr. Mitnick. Well, the definition of the word hacker, it has been widely distorted by the media, but why I engage in hacking activity, my hacking activity actually was--my motivation was the quest for knowledge, the intellectual challenge, the thrill, and also the escape from reality, kind of like somebody who chooses to gamble to block out things that they would rather not think about. My hacking involved pretty much exploring computer systems and obtaining access to the source code of telecommunications systems and computer operating systems because what my goal was was to learn all I can about security vulnerabilities within these systems. My goal was not to cause any harm. It was not to profit in any way. I never made a red cent from doing this activity, and I acknowledge that breaking into computers is wrong and we all know that. I consider myself a trespasser and my motivation was more of--I felt like an explorer on these computer systems and I was trying--it was not really towards any end. What I would do is I would try to obtain information on security vulnerabilities that would give me greater ability at accessing computers and accessing telecommunications systems, because ever since I was a young boy, I was fascinated with communications. I started with CB radio, ham radio, and eventually went into computers and I was just fascinated with it. And back then, when I was in school, computer hacking was encouraged. It was an encouraged activity. Senator Lieberman. Who encouraged it? Mr. Mitnick. In school. In fact, I remember one of the projects my teacher gave me was writing a log-in simulator. A log-in simulator is a program to trick some unknowing user into providing their user name and password, and of course, I got an A---- [Laughter.] But it was encouraged back then. We are talking about the 1970s. And now, it is taboo. A lot of people in the industry today, like Steven Jobs and Steven Wozniak, they started out by manipulating the phone system and I think even went to the point of selling blue boxes on Berkeley's campus, and they are well recognized as computer entrepreneurs. They were the founders of Apple Computer. Senator Lieberman. Yes. The fork in the road went in different directions in their case. Mr. Mitnick. Just slightly. [Laughter.] Senator Lieberman. Well, maybe there is still time. You are young, so there is still time. Your answer is very illuminating again. Part of what you are saying struck me, which is unlike other forms of trespass or crime, you did not profit at all. Mr. Mitnick. I did not make a single dime, but that is not to say--one of the methods how I would try to avoid detection and being traced was to use illegitimate cellular phone numbers and electronic serial numbers to mask my location. Senator Lieberman. Right. Mr. Mitnick. I did not use this to avoid the cost of making a phone call, because most of the phone calls were local. I could have picked up a phone at home and it would have been a flat rate call. I did it to avoid detection, but at the same time, it was cellular phone fraud because I was using airtime without paying for it. Senator Lieberman. Were you aware as you went through this pattern of behavior that you were violating the law? Mr. Mitnick. Oh, of course, yes. Senator Lieberman. You were? Were you encouraged or at least not deterred by the fact that you had some confidence that there were few or no consequences attached to it? There are cases where people know that they are doing something illegal, but they think that the prospects of being apprehended and charged are so slight that they go forward nonetheless. Mr. Mitnick. Well, that is true, because as you are doing some illegal activity, you are not doing a cost-benefit analysis--well, at least I was not doing a cost-benefit analysis. I did not think of the consequences when I was engaging in this behavior. I just did it, but I was not thinking about, well, if I were to get caught, I would have these consequences. It was just focusing on the activity at hand and just doing it. Senator Lieberman. Because of what you described before as the thrill of it or the challenge of it, the adventure. Mr. Mitnick. It was quest for knowledge, it was the thrill, and it was the intellectual challenge, and a lot of the companies I targeted to get the software was simply a trophy. I would copy the code, store it on a computer, and go right on to the next without even reading the code. Senator Lieberman. Interesting. Mr. Mitnick. I mean, that is a complete different motivation of somebody who is really out for financial gain or a foreign country or a competitor trying to obtain information, like economic espionage, for instance. Senator Lieberman. Right, very different. Clearly, as a lawmaker, part of why I ask these questions is because I wonder whether if we raise the stakes, that is to say we set up security systems that make detection more likely and increase penalties for this kind of trespass, Internet trespass, whether there is a prospect of deterring the next Kevin Mitnick. Mr. Mitnick. You are talking about enacting further criminal---- Senator Lieberman. Yes, raising the prospects that a so- called hacker is going to be detected, for one, and then second, raising the criminal penalties for the hacking. Mr. Mitnick. I would encourage you to come up with a method of prevention and detection, and I encourage the computer industry today to look to methods to better detect intrusions and, again, extensive user training and education on how to prevent the human exploitation. For instance, in my case, I was basically doing this out of the curiosity rather than for financial gain, and what is interesting to note is in that case I described in that U.S. v. Czubinski case, where this was an IRS agent who obtained confidential taxpayer information and was eventually prosecuted, his convictions were reversed by the First Circuit Court of Appeals because what the court held is that Mr. Czubinski did not deprive the IRS of their property interest in this information because he had no intent to use or disclose the information he obtained. That is the same circumstances as in my case. I was not doing it to use the information or disclose it to anybody. It was the trophy. So it is a very interesting issue of whether I really engaged in computer trespass or fraud, because fraud is where you deprive somebody of their money or property, and in my case, while it was a gross invasion of privacy, I never, in my opinion, deprived any of these companies of their software or used it to their detriment. So that is the difference in my hacking. Then you have people out there who are working for private investigators, trying to obtain confidential information like from the IRS or Social Security and through State and local government agencies to sell. Information brokers sell it to private investigators who have clientele that are trying to find information on people. Senator Lieberman. You know, I hate to suggest a waste of your talent, but as I listen to you, I think you would make a great lawyer. [Laughter.] Mr. Mitnick. Well, I do not know if you are convicted of a felony, if they would allow you to be admitted to the bar. Senator Lieberman. That is harder to do. [Laughter.] Let me ask you just a few more questions. Mr. Mitnick. Maybe I could get a Presidential pardon. Senator Lieberman. Yes. Maybe we will come back. Chairman Thompson. We have a lot of criminal lawyers around here. Senator Lieberman. Yes, we do. [Laughter.] Chairman Thompson. Nothing personal. Senator Lieberman. The response of the people attending was much more enthusiastic than we might like. [Laughter.] Mr. Mitnick, building on what you have just said, obviously, you have been away, involuntarily, from the world of computers for a number of years now. I wonder if you feel that the techniques that you used are still useful today and whether they have retained their relevance in light of all the change that has occurred, and whether you have any sense that today's computer security systems are more sophisticated than they were when you were involved in your hacking. Mr. Mitnick. Well, I can say that the social engineering or the exploiting the human element of computer security, I think is in the same state as it was 5 years ago before I went to prison. Senator Lieberman. Yes. Mr. Mitnick. However, by reading materials and magazines and reading advertisements, I know that the industry is building security products to try to protect information that resides on computer systems. I have not had a chance to evaluate it, but it is simply if somebody has the resources, the time, money, and motivation, they can get into any computer. The only thing that the Federal Government and private sector can do is to reduce the threat. You cannot reduce it to zero---- Senator Lieberman. Make it harder. Mr. Mitnick [continuing]. You can only make it harder, and hopefully, the attacker will find it difficult that they will go to the next guy, just like people do at home. They put a lock on the door. If somebody really wants to get in, they are going to go through a window, and you can only make it more difficult so they try to go to the next guy. Then if somebody is really targeted, government information or trying to target information in the private sector, I think it would be extremely difficult to prevent, and that is why management is so important to really encourage systems administrators and the users of these computer systems, maybe to do some sort of rewards program, or if information is breached under their control, there should be some punishment. I have not really given it that much thought, but for the human element, I think it is still in the same state, and I believe there have been some technological improvements, but the Internet, do not forget, the Internet started out as the ARPANET, which was pretty much academia, government agencies, and universities sharing information and the protocols were not developed with security in mind. They were developed to allow these individuals or these companies to share information and to co-work on projects, and now everybody is scrambling because of the e-commerce to build security on top of a weak foundation. Maybe what should be considered is building a strong foundation. Senator Lieberman. Well said. I am struck by your emphasis on the human element as the weak link in this computer security chain and it conforms to other information we have heard that the so-called cultural factors, in some cases just plain negligence or inattention by people in charge of computers, leads to most of the problems in security that we have. Let me ask one last question and then yield to my colleagues. In the question of security, as we think about computer security as it affects our national security, we naturally think of defense. But I have read some material that makes, I think, the good point that a hostile group or Nation wanting to do harm to the United States might not only go after traditional defense targets but might try to incapacitate power grids, for instance, public utility grids or transportation information systems or even stock or commodities markets. To the best of your knowledge and experience, would you say that those essential but non-defense systems are probably as vulnerable as you have described systems to be generally? Mr. Mitnick. Perhaps. If you have the resources of a foreign government, what would stop a foreign government from putting operatives to work in the companies to develop the hardware and software that is utilized by these groups, or the power grid, transportation, and these things of national importance, and put some type of back doors or some type of flaw in the operating system or the software applications that allows them to have access. I mean, they can go to those extremes and they have the resources to do it. Senator Lieberman. Your answer leads me to just ask one last question: You have talked about the prominent role of what you have described as social engineering, which is to manipulate unwitting employees. I know it is hard to state a percentage on this, but would you guess that most hacking is being done in that way-by the manipulation of the cultural weaknesses, the human weaknesses? And to that extent, how much does hacking depend on successful human penetration of a system as opposed to technological penetration of a system without any assistance from anybody inside, with the assistance from inside coming either knowledgeably, that is, by somebody who has been placed in there, or just unwittingly by a negligent employee? Mr. Mitnick. In my experience, most of my hacking involved the social engineering exploitations, but I think that most of the hacking out there is really the weaknesses that are exploited in the operating systems and the software applications, because if you go on the Internet, you can simply connect to computer sites that basically have scripts of the exploit scripts, so anybody that has access to a computer and modem could download these exploits and exploit these vulnerabilities that are in the operating systems developed by the software manufacturers. That is why I brought out the point that I think it is important for the software manufacturers to be committed to thoroughly testing their software to avoid these security flaws from being released to the marketplace. Senator Lieberman. It is a very important point. Mr. Mitnick. And maybe government and private industry, if these companies are not committed to it, is maybe going with another company. Senator Lieberman. Thanks, Mr. Mitnick. You have been very helpful. I think you have turned your unfortunate experience in the past into some very constructive support this morning. Thank you. Mr. Mitnick. Thank you for having me. Chairman Thompson. How much time did you actually serve? Mr. Mitnick. Fifty-nine months and 7 days. Senator Lieberman. Five years. Chairman Thompson. Fifty-nine months? Mr. Mitnick. I do not know how many minutes or hours. Chairman Thompson. Well, you know if instead you had raised millions of dollars for political campaigns, you would have gotten probation. [Laughter.] Senator Collins. OPENING STATEMENT OF SENATOR COLLINS Senator Collins. How can I follow that, Mr. Chairman? Chairman Thompson. You had better choose your excitement more carefully in the future. Mr. Mitnick. I think that is a good idea. Senator Collins. Mr. Chairman, I want to first commend you and Senator Lieberman for holding this hearing to highlight the pervasive vulnerability of our private sector and government computer systems. Mr. Mitnick, I was struck by your emphasis, as was Senator Lieberman, on the human element involved, because I think we often think of computer security in terms of technological safeguards or the physical security of the computers in restricting access. Yet your experience as well as the recent revelations about the former CIA Director's carelessness with his home computer suggest that we may be overlooking what is the most important factor, which is the human element. In general, do you think there is a lack of awareness of the risks of the human element, both in the private sector and in the public sector? I am particularly thinking of at the higher levels of corporations and government agencies. I think training tends to occur at the lower levels, and yet the risk may be just as high at the higher levels. Could you comment on that? Mr. Mitnick. I think the greater risk is at the lower levels. I do want to make a point. When you order a pizza, how they verify that you are the one that ordered it is by calling you on the telephone to verify that that is you. Well, you have got to really look at the big picture, and because there is a false reliance placed on telecommunications systems, such as the public telephone network, which is easily exploitable. So, for instance, if I were to call you at your--what I did is offer to do a demonstration today if the government would give me immunity, but there was not any time. But anyway, what somebody could actually do is if they have access to the telephone switch, they could actually manipulate it so you can call back a legitimate number that you think you are calling to verify the authenticity of the request, but that number has been rerouted to the attacker. So because of the reliance on faxes, on voice mail, on telephones in general to verify the legitimacy, and that is easily exploitable, that is what makes it so easy to exploit the human element. Senator Collins. How easy is it for a computer hacker to use work done by others--I am told it is called an attack script--in order to hack into a computer? Would such a person even have to really understand how the computer code was written in an attack script in order to use it to hack into a system? Mr. Mitnick. Not really. If there is a shell script or a script is written where they just run it and it gives them the super-user privileges or system administrator privileges, they really do not have to know how it is working, and what is unfortunate, you have a lot of people out there that have access to those scripts that really do not know what they are doing, so if they get into a computer and obtain system administrator-level privileges, they could easily destroy information or damage the computer by trial and error and without realizing what they are doing because they do not have the knowledge or the experience on that particular type of computer system. So it is concerning. Senator Collins. Another issue that you raised earlier was that when the Internet was in the early stages of development, the emphasis was on sharing information, accessibility, openness, free exchange of ideas. The emphasis was not on security and that has made us vulnerable in some ways. Do you think that is also a problem with the growth of e- commerce, that there has been insufficient attention given to security, that the emphasis has been on accessibility, ease of use, making it easy for people to make purchases? Do you think the private sector has been a little bit slow in turning its attention and investing in the security of its systems? Mr. Mitnick. Well, unfortunately, because I was unavailable for the last 5 years and e-commerce just started after I was sent away, I was not really able to keep up with it. But today, everybody is reluctant to use their credit card over the Internet because they think somebody is going to get their credit card number and defraud them. I think that there is a loss of confidence in using the Internet, especially with doing financial transactions, because mostly you hear about these media reports of these people being able to circumvent security so easily. What is interesting is people will go into a restaurant and will hand their credit card number to a waiter or waitress and they have no problem with that, but they are afraid to type their number onto the Internet because they figure it could be captured, which is a possibility, but I think what is interesting is I think there is limited liability if someone were to obtain your card and use it without permission. There is maybe a $50 to $100 liability. Maybe security systems have to be created that would raise the level of confidence that the public has in using the Internet for e-commerce. Senator Collins. Thank you, Mr. Mitnick. I just want to wish you well as you go on with your life. You clearly have a great deal of talent and intelligence, and it seems to me, as we have been discussing, that you paid a pretty heavy price for your crime and I wish you well. Mr. Mitnick. Thank you very much. [The prepared statement of Senator Collins follows:] PREPARED STATEMENT OF SENATOR COLLINS Mr. Chairman, I appreciate the work you and Senator Lieberman have done on the important topic of the security of the computer system of the Federal Government. The Internet offers unprecedented openness and accessibility. Those same attributes make it vulnerable to attacks by unauthorized users. The pervasive vulnerability of our computer systems raises the specter of malicious attacks by terrorists rather than simply the relatively benign intrusions of teenagers. As one expert in computer security recently stated, ``The Net changes the nature of crime. You don't need skills to be an attacker. If you are going to make counterfeit bills or burglarize a building, you need certain abilities. On the Net, you download an attack script and click here.'' The sophistication of computers has been matched by the opportunity for malicious activity based on information obtained through the Internet. In my view, this creates an increased ability for a greater number of people to threaten government computers. We have an excellent group of individuals on the panels today who can share their view of what the government can do to better protect its computer system. I look forward to their testimony. Chairman Thompson. Thank you very much. Senator Edwards. OPENING STATEMENT OF SENATOR EDWARDS Senator Edwards. Thank you, Mr. Chairman. Good morning, Mr. Mitnick. Mr. Mitnick. Good morning. Senator Edwards. I am from North Carolina and actually live in Raleigh and I remember vividly---- Mr. Mitnick. I have been there. [Laughter.] Senator Edwards. You were big news for a long time in Raleigh. I remember it very well. Let me ask you about a couple of things. In answering one of Senator Lieberman's questions about why you got involved in hacking to begin with, I was listening to the words you were using and they sounded very much to me like a description of addictive behavior. Do you believe that addictive behavior is involved with folks who are habitually involved in hacking like you were? Mr. Mitnick. I am not sure I would consider it addictive behavior. It was just an activity I was intensely interested and focused on, because ever since I was a young boy, I was interested in telecommunications and computers and that was just my calling, just like somebody is very interested in sports and every day they go out and practice. I am not sure that you can really equate it to like a physical addiction. But then again, I am not a health services professional, so I would not know. Senator Edwards. No, I understand. But did you feel like you yourself were addicted to this hacking behavior? Mr. Mitnick. I enjoyed it. I would say it was a distinct preoccupation, but I do not think I could label it as an addiction, per se. Senator Edwards. Did you ever try to stop? Mr. Mitnick. I did stop for a while, and then at that time that I was not engaging in that behavior, the Department of Justice, specifically the FBI, sent this informant to target me, and basically, I got hooked back into computer hacking because of the enticements that this fellow that they sent to target me, enticed me back into that arena. Senator Edwards. What advice would you give to other hackers, or probably more importantly, potential hackers? Mr. Mitnick. That is hard to say. I would have to really think about that. I do not encourage any activity which maliciously destroys, alters, or damages computer information. Breaking into computer systems is wrong. Nowadays, which was not possible for me when I was younger, computer systems are now more affordable and if somebody wants to hack, they can buy their own computer system and hack the operating system and learn the vulnerabilities on their own system without affecting anybody else with the potential for causing any type of harm. So what I would suggest is if people are interested in the hacking aspect of computers, they can do it with their own systems and not intrude upon and violate other personal or corporations' privacy, or government. Senator Edwards. Do you think it is possible to use things like click stream data to identify people who are least potentially going to---- Mr. Mitnick. Excuse me, to use what? Senator Edwards. Click stream data. Do you know what that is? Mr. Mitnick. No. Senator Edwards. OK. Do you think there is some way to identify people who are likely to become engaged in hacking just based upon their patterns of behavior in using their computer systems? Mr. Mitnick. I do not know. Senator Edwards. You said in your testimony, and maybe someone has asked you this and I did not hear it, that in 20 years of experience in circumventing information security measures, you have been able to successfully compromise all systems save one. Mr. Mitnick. That is true. Senator Edwards. Which one? Mr. Mitnick. It was a computer system run by an individual and this computer was at his home and it was in the U.K., in England, and I was unable to circumvent the security on that system because I did not have control of BT, which was British Telecom. Senator Edwards. So there is nothing about the security system itself that gives us a lesson on how we can make systems more secure? Mr. Mitnick. See, a real important point is the more people that have access to a computer system, the easier it is to penetrate because--well, of course, for the social engineering exploit, like in government or in large corporations, it is very easy. But the less people that have access to the computer system, the less vulnerable it is, and in this particular instance, it was one person and it was his home machine, so it was extremely difficult and this person was very, very sharp on computer security issues. In fact, this individual is the one that found security vulnerabilities in the VMS operating system which was manufactured by Digital Equipment Corporation, and why I targeted this individual was to basically find and obtain all the security flaws that he discovered in the operating system because my goal was obtaining information on all security vulnerabilities so I would be effective at being able to compromise any system that I chose to compromise. Senator Edwards. One last thing. In North Carolina, we have a company called Red Hat. Mr. Mitnick. Linux? Senator Edwards. Yes. They have been, as you know, very successful. I had a meeting a few weeks ago with Bob Young, who is the founder of that company, and I was just curious whether you--and based on my discussions with him, I had some feeling that there was at least the potential for these open source software systems to be more secure. Do you have any views about that? Mr. Mitnick. Yes. I think that is true, the reason being is they are open for inspection by the public at large and in so doing, just like with systems that utilize encryption, I think those security flaws could be readily identified and published and fixed rather than in a proprietary system where it is not open to the public and then you maybe have the individuals that find these holes do not report them and they use them to exploit vulnerabilities and access computer systems without anyone knowing the better, or without detection. Senator Edwards. Thank you very much. Good luck to you. Chairman Thompson. Thank you very much, Mr. Mitnick. You have been very, very helpful to us. Good luck to you. Mr. Mitnick. Thank you. Chairman Thompson. Thanks for being with us today. Mr. Mitnick. It is an honor to be here today. Chairman Thompson. I would like to introduce our second panel, Jack Brock, Director of Governmentwide and Defense Information Systems at GAO, who is responsible for most of the work done by the GAO for this Committee over the last few years. Also on the panel is Roberta Gross, the Inspector General for NASA, who has done much work in the area of computer security and even has a special investigative unit on computer crimes, so thank you for being with us. We always take more time with our first panel, whether it is one witness or 10. We are going to have to be out of here in about an hour, so as far as we are concerned and the panels are concerned, let us keep that in mind and do what we can. Mr. Brock, do you have any opening comments to make? TESTIMONY OF JACK L. BROCK, JR.,\1\ DIRECTOR, GOVERNMENTWIDE AND DEFENSE INFORMATION SYSTEMS, ACCOUNTING AND INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE Mr. Brock. Yes, sir. I could actually spend my entire time reading you a list of the reports that we have done on computer security, many of these for your Committee. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Brock appears in the Appendix on page 55. --------------------------------------------------------------------------- Chairman Thompson. Could you summarize all that? Mr. Brock. Absolutely. Chairman Thompson. Would you say there is a bunch? Mr. Brock. There are a lot. Chairman Thompson. All right. Mr. Brock. Unlike Mr. Mitnick, when we go into agencies, we are doing so with the full knowledge and authorization of the agencies we go in. A long time ago, when we did computer security work, we examined agencies' controls and we would comment on those controls and we would say the controls are inadequate and the agency would say, well, no, they are adequate, so we disagree with you. A few years ago, we started doing our own testing of the controls. We do not call it hacking, we call it penetration testing. We have been uniformly successful in getting into agencies. The reports that we have done for your Committee over the past few years at NASA, State, DOD, and the IRS, indicate that, typically, agencies have very poor controls. EPA, which we have just released a report on a couple of weeks ago, we went in through their firewall, which offered virtually no protection. We had access to their mainframe computer center, which had almost no controls set up, and we were able to wander around the agency almost at will. It was not really difficult. At another agency where the firewall offered better protection, we did what Mr. Mitnick was referring to as social engineering. We simply call people and say, I am Joe Blow. I am the system administrator. Here is my telephone number. Call me back. We are having a problem with your account. Give me your password, and you can call this number and check it. It is amazing how many people just call you right back and give you the password. If that does not work, you just gain access to the building and walk around and you find computers that are open. You find the computer monitors with the password in a sticky on it. It is not very difficult to get access. So as we have gone to agency after agency after agency, the specific weaknesses are usually technical. There is a technical reason that we are getting in. The software has a hole in it. The firewall is not very good. It is not very rigorous. Password protection is weak, or whatever. We, frankly, after doing many of these and we are doing the same report over and over, we said, there has got to be a better way of doing this, and at your request, we looked at agencies or at organizations that have good computer security, and there we found that good management attention to the problem is the secret. It is much like if you have a house and you have wood rot and people come in and they say, well, you have got a problem, and you patch it over with a little putty, you still have that underlying weakness. We found when we were going into agencies and pointing out specific computer weaknesses, that these weaknesses would be corrected. They would patch it. But the underlying causes, the poor management, the lack of management attention, the lack of budget, all of these things really did not fix the underlying problem. So it was like sticking your finger in the dike. You would plug up one hole and another hole would spring out somewhere else and things would leak through. That is the condition we find at agencies, and we find it consistently. One of the things that your bill does is it changes the direction of the computer security legislative framework. The Computer Security Act is inherently flawed in that it is built on a system-by-system basis. It starts with the premise that computer security can be fixed at the system level when really it needs to start at the management level. I would like to briefly go over a few features in your bill that we think are very commendable and we would encourage that if legislation is being considered, that these items be kept. First of all, it incorporates the best practices that we found at leading organizations, in other words, those management practices that agencies or organizations undertook to, in fact, provide a secure framework throughout their organization. Second, your bill requires a risk-based approach to be implemented by agency program managers and technical specialists. Let me just talk about this a little bit. If you do not know what your risk is, and risk is a function of the vulnerability of the system, a function of the threat to the system and a function of the value of the information of the process that that system controls. If you do not understand your risk, you are not going to put in the right kind of controls, you are not going to have the right kind of training, you are not going to have the right kind of testing. Rarely do we find agencies that do a good job at determining the risk they face, and again, without determining the risk, you are not going to know what sort of controls need to be put into place. Third, your bill provides for an independent audit and we think that is an absolute must. An independent audit gives OMB, oversight committees, such as yourself, and agencies themselves an opportunity to see how well do controls work, how well do training policies work, how well are they doing as a management entity in terms of providing good computer security over our information resources. Finally, it also eliminates the distinction between national security and non-national security systems. Right now, there is a dividing line. We have actually gone to some agencies and talked to them about computer security and they say, we do not have any classified information. Therefore, computer security is not an issue with us. And by having that distinction between national security and non-national security, we think that in many agencies, it creates a barrier to having an effective agency-wide security program. If I could just indulge you for a moment more, we would like to talk about a couple of features that we think you should consider. The first of those, and you alluded to this in your opening remarks, is that we believe there should be mandatory standards put into place and that these standards should be in two parts. The first part would be a standard set of data classifications which would be used by all agencies, for example, risk levels ranging from one to whatever, and that data would be classified in one of these risk elements, ranging from things that you did not care that much about, information that was not particularly sensitive, was not particularly vulnerable, all the way to national security information. In turn, this would lead to a set of mandatory control requirements that would set minimum requirements for each of these data classifications. We believe if this were instituted across the government, it would improve the ability of the government to enforce computer security, it would improve the ability of managers to provide a minimal level of support for their agency, it would permit better targeting of resources, and it would improve the ability of the independent auditors to do a good job. Finally, we think there is also a need for stronger central guidance. I think the lessons learned from Y2K is that a strong central hand, in this case, John Koskinen, really can provide much needed oversight and impetus to agencies in terms of making sure that they are following good practices, making sure that budget submissions are responsive, and in general, providing the leadership that seems to be lacking in computer security. That is my brief statement, and I would ask you, Mr. Chairman, that my full statement be included in the record. Chairman Thompson. All statements will be made a part of the record. Thank you very much. Chairman Thompson. Ms. Gross, thank you. TESTIMONY OF ROBERTA L. GROSS,\1\ INSPECTOR GENERAL, NATIONAL AERONAUTICS AND SPACE ADMINISTRATION Ms. Gross. Good morning. Thank you very much for inviting me here to testify on the act. I am here in a double capacity. I am here as the NASA Inspector General. I also head a task force that is looking at this bill on behalf of the Inspector Generals, and so I will weave in some remarks that will reflect some of the community remarks. --------------------------------------------------------------------------- \1\ The prepared statement of Ms. Gross appears in the Appendix on page 71. --------------------------------------------------------------------------- This is a world of limited budgets. We all know that. And in making decisions, agencies have to decide--Mr. Brock pointed that out--they have to figure out what is the risk to their systems. Obviously, in an agency like NASA, you are going to give a different kind of security to the public website than you would, for example, to protecting the astronauts on the space shuttle. So you have to make these risk/benefits and that requirement is a key element of this act. But there is a complication to agencies making investments in IT security. I think if you look at the Y2K issue, the problem of the change of the year for the computers, once it was a success, headlines were, this was maybe a hype and we spent too much money. Well, if it was not a success, there would have been a different set of headlines. So investment in IT security is very difficult for agencies to make, because if its security is working, you do not get headlines. But boy, when it does not work, you get headlines. I think recent events about the hackers attacking different systems, it makes headlines. But agencies do not see the visibility of IT security until it fails. I would draw your attention to the success of the Y2K coordinated efforts. I think it provides a model that is reflected in your bill about how to approach IT security. It was at the highest level supported and everybody plugged in. You had the President, OMB, agency heads, the CIOs, GAO, and the IGs, as well as the Congress in its exercise of oversight, and the focus worked. We entered the new millennium with minimal Y2K problems. This act asks many of the same players to have the same sustained focus, and that is key, a sustained focus. It was easy for Y2K, because it started rolling around and everybody started really focusing on it. But computer security is an ongoing effort, and I think it will be very helpful for this Committee and other committees with oversight to keep that sustained focus. We (NASA OIG) support the placement of the focus of OMB, the Deputy Director, having oversight. I think it gives a high level attention. Also the Deputy Director has a unique vantage point. The Deputy Director serves as the chair for the IG councils, the CFO, the chief financial officer councils, the CIO councils, and also the president management councils (That is the very senior level executives that head up the agencies). And so you have a person at a high level that is able to coordinate all these different councils for a government-wide focus and I think that was a good selection. You also make the heads of agencies to be accountable. Heads of agencies occupy bully pulpits. They are able to set the priorities of their agencies. Use the Y2K example. I can remember Dan Goldin saying, ``I am being held accountable and we are not going to fail.'' He had the bully pulpit and everybody heard. So this is enlisting again the heads of agencies, and you need to hold the agency heads accountable because they can change a culture of ``I do not care,'' or ``we are just scientists,'' or ``we just want information, how does it impact me?'' So that is a very important feature. In terms of the CIOs, we had a discussion with the IG working groups. Many in the working groups view these CIOs as not having resources, not having staff, not having budget. Some even characterize their CIOs as paper tigers. So this act gives a lot of responsibility to the CIOs and it is going to be important for OMB and for this Committee and other committees to make sure that those CIOs have the authority and the resources to do what this act is expecting. I would use the example of NASA. We have repeatedly made criticisms of the way that NASA establishes the CIO. He is doing the best he can, but he has no budget, or little budget, he has almost no staff, and NASA has decentralized the CIOs at each of the centers, and there are ten NASA centers. They (the center CIOs) do not report to him. He does not control their budget. He does not do their evaluation. The centers can give the CIOs collateral duties or they can decide what grade level the CIO should be: an SES, a 15, or a 14. If they do not agree, who do they report to? They report to the centers, not to the CIO, the head CIO. That decentralization and fragmentation impedes IT security. To further compound that problem at NASA they have bifurcated, not bifurcated, they have given each of the centers various tasks. In Glenn in Ohio, the Glenn Center does training. In Ames in California, that is the center of excellence for IT security. You go to Marshall and that is the center for the firewalls, and on and on. Each center is a little center of excellence and none of those people report to the CIO. He does speak with them. They do collaborate. They do have telecons. But is it any wonder that it takes a long time for NASA to get any policies and procedures? We have had reports pointing out instances where this decentralization and fragmentation, that whole kind of structure in and of itself weakens IT security, and we have more to say on that in my testimony, the written testimony. I want to get to the part of the act that has to do with the Inspector Generals. In terms of the OIG working group, we did have a problem with the act narrowly defining the independent external auditor. Under the act, if the IGs do not do the work, an external auditor can be hired, but we thought that that implies a financial orientation and it should be any qualified external entity, and that is just a wording change. But one of the things that the OIG working group commented on was they welcomed the act's tasking. They think you cannot be doing the high-risk work that agencies are facing without doing the review work, but the IGs will have to recruit, train, and retain a good cadre of professionals. That is going to require the support of the agencies and OMB and the Congress in supporting their budgets. In my written testimony, I went through how for the past 4 years I have been recruiting a cadre of people in the audit arena and in the criminal investigative arena, as well as my inspectors, and that has taken time and these are a high-paid, qualified group. They are worth it. They are definitely worth it. But it does take time and it does take money and this group (Congress) has got to be supporting the budget that goes with that. The last detail that I want to address is the section that talks about law enforcement authorities. The act requires that security incidents be reported to law enforcement officials, but it does not define that term. Where an OIG has a computer crimes division, then the agency system administrators need to report security incidents to and work closely with the IG special agents so that the agency ends up preserving evidence, maintaining chain of custody, and that you have the documents that you need and the materials that you need so that you can have a court case. The Department of Justice has made clear in writings and in its actions that it is not just the FBI that does the criminal investigations on computer intrusions, and in my written testimony, I have a letter, referred to a letter by Scott Charney, who was then the former head of the Department of Justice Computer Crimes and Intellectual Property Division, where he talks about other agencies that do and have the authority for computer crimes--Secret Service, Air Force audit and their investigative service, as well as NASA's Inspector General. But I think that is very important for this oversight Committee to understand that. Obviously, the Presidential Directive, PDD-63, established the NIPC, the National Infrastructure Protection Center, so that you can have the critical infrastructure reviews and investigations done by the FBI. But there are thousands of intrusions each year and every intrusion is not against the critical infrastructure. Indeed, at NASA, space does not even make the critical infrastructure. It is very important, then, that NASA have a good Inspector General's computer crimes unit, to have a group that has a focus on NASA as the victim. It is important that this Congress support the efforts of Inspector Generals to have a computer crimes unit. It takes training. It takes training people. You have to have a very qualified cadre of people. But if you recall, the Inspector General Act was to have the synergism of audits and investigations so that if you are doing an investigation and you see internal control problems, you also tell your auditor so that they can do a system-wide look-see. That synergism is very important and it is very important that the Inspector General communities have computer crimes units so that the IGs can make sure that they protect the victim agencies. In sum, I think you have the framework for a very good act. It has an oversight capacity, which I think is very important, and it also enlists the players that need to be there--OMB, heads of agencies, and CIOs. Thank you very much. Chairman Thompson. Thank you very much. You were invited to come because of the innovative approaches that you have at NASA, and you remind us how important the IGs are in this whole process, so thank you very much for what you are doing and your helpful testimony. Mr. Brock, let me address a few questions to you. The thing that jumps out at me first when I start to look at this, in February 1997, the GAO had a series of reports to Congress and things were so bad that this security problem was put on the high-risk list at that time. Late in that same year, 1997, the CIO Council, which is, of course, under the OMB, delineated it as a top priority. On March 31, 1998, the GAO filed another report on the consolidated financial statements and that report pointed out widespread deficiencies in terms of information security. Then again in September 1998, of course, we have this report entitled, ``Serious Weaknesses Place Critical Federal Operations and Assets at Risk.'' I do not know how much more pointed you could be than that. It is really outrageous that the Federal Government in an area of this sensitivity cannot do more faster. Since at least 1997, it has been 3 years since we have known--at least--since we have known about the seriousness of this problem. We get report after report after report. If I were you guys, I would wonder why you are even in business and whether or not we pay any attention to you or not. This last report still points out serious deficiencies, still do not have any management in the system, and we are still extremely vulnerable, and it makes you wonder what in the world it takes to get anybody's attention. I look back at the current law and wonder, what are we doing to help the process? Are we overlaying an already complex process? I see we have given OMB responsibilities before. We have given agencies responsibilities before. Are we just telling them again to do it and we really mean it this time, or what are we really doing? I am playing devil's advocate with our own bill here, I guess, but are we really doing something here that is different from all of these other acts, the Computer Security Act, the Clinger-Cohen Act, Paperwork Reduction Act, on and on and on, the Privacy Act. I mean, you have a dozen pieces of legislation that in some way deal with this overall problem, so our solution is another piece of legislation. I am very skeptical, generally, of that problem. Now, I do not want to waste my time or yours on this unless we are really doing something that, for the first time, can have some accountability. Until people are held accountable, until somebody is fired or somebody loses some money or somebody is embarrassed more than we have been able to so far, nothing is going to change. It looks to me like we have a chance here maybe of having some accountability. With the Results Act and everything, everybody is talking about measurements and measuring results and accountability from those results. I do not know whether we mean it or not yet, but we are all talking about it now, and now we are bringing it to this problem, measurable outputs and things like that. First of all, is my assessment off base? If not, why has it taken so long to do anything and are we, in our bill, really doing anything that has a decent chance of making a difference? Mr. Brock. First, Mr. Chairman, as chairman of our oversight committee, I hope you were not really serious about wondering why we are in business. [Laughter.] Chairman Thompson. Well, I would have to ask the same thing about ourselves, would I not? Mr. Brock. I agree with your basic premise. It is a shame that you have to have a bill to mandate good management. I mean, clearly, it is not a crime now to have good management in agencies that said, we are going to do things the right way. But clearly, the reports that we have done for your Committee over the past few years have indicated agencies are not doing the things the right way, that something is broken, and that attention needs to be paid to this. I think the features you have in the bill, that many of these features are the kinds of things that are designed to pick things up by the nape of the neck and shake and grab attention. The independent assessments every year are a mechanism where you can identify weaknesses, where you can identify where accountability should lie and where it has not been exercised and where it gives the administration, as well as the Congress, an opportunity to take corrective action, and that is the next step. Pointing out the weaknesses, pointing out the management deficiencies is one thing, and then taking the next step to exercise that accountability is something that would still remain to be done. Chairman Thompson. I take it that you feel that we need to be more specific in establishing standards. Mr. Brock. Yes, sir. Chairman Thompson. Than the bill as currently drafted? Mr. Brock. Yes. Chairman Thompson. And we need to delineate what with regard to risk levels, a requirement that they be considered or we tell them how to consider it, or how specific should we get on the mandatory requirements in determining risk level and also how specific in the mandatory minimum requirements, I guess you might say, in addressing those levels? Obviously, we cannot deal with all that here today, but---- Mr. Brock. Your bill starts off in the right direction on that by requiring agencies to do a risk-based assessment. But once they do the assessment, they need to be able to categorize that. We have this level of risk, or we have this risk level. What category should that be in? How risky is it? Chairman Thompson. That is really kind of management 101, is it not? Mr. Brock. Basically. Chairman Thompson. I guess they do need to be told to do that. Mr. Brock. Basically, but if you had it consistent across the agencies, it would be much easier to have guidance that could be more easily developed and more easily taught and trained. But then the next step, if you are at a certain risk level, what are the minimum things you should do in terms of authentication, in terms of encryption, or in terms of independent testing to make sure that you are meeting those levels of control? Chairman Thompson. So it would be a mistake to let each individual agency determine what it needed to do to address these because they have not shown any indication that they have the capability or the motivation to do that, is that correct? Mr. Brock. Yes. I think it is---- Chairman Thompson. You said it would be much easier to have minimum good standards that would apply to any agency. Mr. Brock. Right. I think it is appropriate for each agency to determine its risk that it faces, but then if you had the common standards. I think just the very process of developing those common standards would really create a rich dialogue and go a long ways towards improving a shared understanding among agencies about what some of the good features of computer security should be. Chairman Thompson. And third, you mentioned some stronger central guidance. Obviously, OMB has not been doing its job. They have responsibility here. Now their major objection to your report, I understand, was that you are focusing too much on our responsibility at OMB and they either do not think they have that or want it. They are pointing to the agencies, and the agencies, I am sure, are pointing to somebody else. So here we go with OMB again, which causes some people to say we need a new information security czar, because maybe OMB inherently, if the allocation of their resources and what is going on over there, maybe they are not the right ones to be bird-dogging this. They sure have not done a good job of it so far. What are we doing that is going to improve that situation? I understand that we cannot even tell where the money that we appropriate is supposed to go for, maybe it is not line item, but it is supposed to go for security enhancement. You cannot even find it. We do not know how it is being spent, in terms of information security, is that true? Mr. Brock. That is correct. We have trouble determining how much money is spent within each agency on computer security. I think Ms. Gross in her statement, when she talked about the similarities between the Y2K problem and how top managers within each agency felt accountable, and I think one of the reasons they felt accountable was really the strong role that the central manager, in this case, Mr. Koskinen, made in making sure they understood they were being held accountable. We do not have that situation on computer security. I think it should be closely examined as to whether there should be a computer security czar, though, and separate that from a CIO that would have responsibilities for other aspects for information management. We have rarely gone to a good organization that had good computer security, and we found out when we go there that they also have other good information management practices. It is part and parcel. We have never gone to a place that had poor information management, where they had poor lifecycle management, poor systems development efforts, poor software acquisition processes and had good computer security. It all runs together. Therefore, I would be reluctant to suggest that you separate computer security from the other aspects of information management. Next year, the OIRA reauthorization will be coming up and you will have an opportunity at that time, as well, to examine the Paperwork Reduction Act, the Clinger-Cohen Act, as well, and I think these are good questions to also bring up at that time. Chairman Thompson. We are looking forward to that, but we are not vesting responsibility there in this bill. We are bringing it to a little higher level than that, but thank you very much. Senator Lieberman. Senator Lieberman. Thanks, Mr. Chairman. Thanks to both of you. I think your testimony, both written and here today, has been really very direct and very helpful and you are both obviously quite knowledgeable. The Chairman has covered some of the areas I had an interest in, so I will be fairly brief. I take it that you agree not only with what Mr. Mitnick said, but what I have learned generally in my reading here, that a lot of the problems of computer security are cultural, which is to say human, correct? Mr. Brock. Yes. Senator Lieberman. Beyond management, which obviously is critical and at the heart of this, let me just ask you to speak a little bit more about the question of whether there should be consequences if a Federal employee fails to follow proper procedures relating to computer security. Or, on the other end, whether there ought to be consequences for exemplary behavior with regard to computer security. Mr. Brock. Yes, I would agree with that. The problem we have, though, and some Federal agencies are going to, that accountability is always at the technical level. Well, we have had a break-in, we have had a failure, it must be the guys in the computer room's fault or we would not have had this. And for specific weaknesses, that might well be true, but the accountability typically does not extend upwards into management, where an atmosphere has been created or budget resources have not been appropriated or whatever and those individuals also need to assume their share of the accountability. In the private sector, we found very definite links and control mechanisms for measuring accountability, for measuring performance against that accountability and holding individuals responsible, whether they be system administrators or the system process owners. Senator Lieberman. How are they held responsible in the private sector? Mr. Brock. In one good example we have, managers have to define the risk. Along with the technical people, they agree upon the vulnerabilities and the threats. They then have to allocate money and resources to providing an appropriate level of protection and they sign off on that. At the end of the year, the independent audit comes in and, first of all, determines did you, in fact, appropriately determine the risk and are you appropriately protecting these to the level you agreed upon. In some cases, we found good examples where they made a business decision not to provide a level of protection, but it was a business decision and it was examined and agreed upon by the board. And in some cases, I believe that people were fired when they failed to meet the terms of their contract. Senator Lieberman. Ms. Gross, do you want to add anything about individual accountability here? Ms. Gross. Yes. I think what you have to do is first implement a training program---- Senator Lieberman. Right. Ms. Gross [continuing]. Because this is very much a cultural thing. I mean, NASA, you go to, for example, the Goddard Space Center and its scientists, its engineers, they are collegial. They are talking with universities and they are interested in their earth science programs and they do not think about security. It is not until, for example, you will tell a scientist who is collecting data and working on a journal article, if somebody takes your information through the computer and publishes that information a year ahead of you or 6 months ahead of you, do you care? Oh, they all of a sudden-- it comes home that it actually does impact them. Senator Lieberman. Sure. Ms. Gross. And I think the GAO audit on NASA pointed out they did not have a training program. They still do not. They are still getting it together and trying to work out what should be the appropriate training program, partially because they did not have IT security standards, so how can you develop your training program. But meanwhile, you have to have systems administrators trained. They expect to have it in 2001. You cannot wait until 2001. You have got to have systems administrators held accountable in some ways. So the issue on accountability is a lot more complex than just saying, you have got to be accountable and we are going to take action. On the other hand, on very simple, no-cost, low- cost things that the agency can do, they should be held accountable. They are supposed to banner their systems, both for law enforcement and for downstream liability, it is supposed to say, this is a government computer, you are accessing a government computer, so the hacker knows he is trespassing. He cannot say, oh, I was just surfing. I was looking for America On-Line and look what I got, I got NASA. So bannering is simple, but it does not happen. In that case, if a system administrator is not going to banner the computer, we just take away the computer. They cannot do their science. That you can hold for simple, no-cost, low-cost, which we have identified and we can continue to identify. You can hold them accountable because it makes the agency safer right away. On the other hand for some of the major accountabilities, you have to have risk assessments and you also have to then make sure that your systems administrators, and that is not insignificant numbers, are trained, and let me explain why I am saying it is not an insignificant number. For example, the Goddard Space Center, they said, how many of you think that you are system administrators, in other words, you have basically root access and have super controls of the computer. Nine hundred people need a basic training and an advanced training so that they can be systems administrators, and in many of those cases it is a collateral duty. They are not security specialists, they are scientists, but they have a very powerful computer system that networks with other systems, so they need training. So I am trying to put it in a context, because you can say, OK, we are going to hold people accountable and we should have very powerful consequences. I think that, definitely, agencies can start immediately, no cost, low cost. There is no reason why agencies cannot be bannering their computers. That is nothing new. Senator Lieberman. Right. Ms. Gross. There is no reason why people cannot be using passwords that are a little more difficult than the dictionary. I mean, the security office gives instructions on how to have better passwords. All those things, you can start holding people accountable for, and I think what you end up having to have is your CIO making a range of things that we expect tomorrow or next week, and these are the other things we are going to phase in, but it takes attention, and again, you start with the bully pulpit of the head of the agency. You (Congress) all have the bully pulpit also, and that is important, but the agency does, too. Senator Lieberman. Right. I think the intention of the bill--though it does more than this--is to raise up computer security as a priority consideration of Federal agencies and of individual Federal employees who have responsibility. Let me ask a last question of you, Mr. Brock. I am sure you know that the President proposed a Federal Intrusion Detection Network, FIDNet, to monitor patterns of intrusions in the Federal systems, which is supposed to be housed at GSA's Federal Computer Incident Response Capability office. Mr. Brock. Yes. Senator Lieberman. In your testimony, you mentioned the need to improve the government's ability to respond to attacks on computer systems. So my question is, just to build a bit on whether we need a stronger Central Incident Response Center, whether the President's idea and location is the right one. Mr. Brock. Well, those all go together. Senator Lieberman. Right. Mr. Brock. We do believe that incident response is important and that intrusion detection is important. A specific criticism we had of the President's plan was the fact that it focused so much on intrusion detection, you began to get the impression that that was the primary means they had of improving the government's or the Federal Government's computer security program. Senator Lieberman. You mean as opposed to all the other management---- Mr. Brock. As opposed to prevention, for example. Senator Lieberman. Prevention, right. Mr. Brock. One agency that we have gone to at EPA, they did a pretty good job of reporting and recording their intrusions. They did a very bad job of doing anything to prevent those intrusions or in analyzing those intrusions in order to take corrective action. So intrusion detection is important. It is important to share that information with other agencies so that you can learn from it. So to that point, we strongly support sharing the information. We would strongly support some sort of incident response capability so that you could take action, but it needs to be part and parcel of an entire program and should not be the primary or the only focus of such a program. Senator Lieberman. Thanks very much. Thank you both. That was very helpful. Chairman Thompson. Thank you very much. We could spend a lot of time with the both of you. You have been very helpful today and we will continue to work together on this. We appreciate your contribution to this and your fine work. Mr. Brock. Thank you. Ms. Gross. Before I go, I would like to just incorporate into the record my full written testimony. Chairman Thompson. Absolutely. All statements will be made a part of the record. Ms. Gross. And both Senators, I would like to leave for you all, we have done a ``Clearing Information From Your Computer's Hard Drive'' pamphlet. Mr. Mitnick was saying how easy it is at the lowest levels to end up having intrusions. This is when you excess your computer and you get a nice new super computer and you think you have deleted all your files and what happens is a lot of your information that you think is very sensitive is going out to schools, to prisons, etc. We have some on the desk and I certainly draw this to your attention. Thank you. Chairman Thompson. Thank you very much. On our third panel, we are fortunate to have Ken Watson, Manager of Critical Infrastructure Protection at Cisco Systems, Inc., and James Adams, who is the CEO and co-founder of iDEFENSE. Both of these gentlemen are known in the industry as experts on the issues related to information protection and security. Gentlemen, thank you very much for being with us here today. Mr. Watson, do you have an opening statement to make? TESTIMONY OF KENNETH WATSON,\1\ MANAGER, CRITICAL INFRASTRUCTURE PROTECTION, CISCO SYSTEMS, INC. Mr. Watson. Thank you, Chairman Thompson, Ranking Member Lieberman, and distinguished Members who are here. I appreciate the opportunity to speak to you about network security best practices. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Watson appears in the Appendix on page 83. --------------------------------------------------------------------------- The last 8 years of my 23 years in the Marine Corps I spent helping to draft policy and doctrine for information warfare and taking joint teams and conducting information operations to integrate those into other military operations. When I retired, I went to work for WheelGroup Corporation, where I managed our security consulting team. We would do legal contracted security posture assessments in corporate networks and provide them reports of their vulnerabilities. When Cisco acquired WheelGroup, I transitioned to critical infrastructure protection and that is my role now at Cisco. That team just recently conducted a 6-month study of vulnerabilities in corporate networks and I have put together the top three to five vulnerabilities that were discovered in every area as the last two pages of my written testimony and it is just a table of what are the vulnerabilities and how do you fix them. It is important to note that the way this team works, it does not use anything like social engineering or other things that might cross the bounds into becoming illegal activities. They concentrate on working at the keyboard only and finding technical vulnerabilities and that is it. It is kind of interesting that they are continually successful in penetrating external defenses about 75 percent of the time, but once inside, they are about 100 percent successful in gaining unauthorized access between machines inside a network, and that would be true for government or private sector networks. Cisco systems is serious about network security and about its implications for critical infrastructures on which this and other developed nations depend. Few can argue that the Internet is changing every aspect of our lives. Internet economy is creating a level playing field for companies, countries, and individuals around the world. In the 21st Century, the big will no longer outperform the small. Rather, the fast will beat the slow. So how do you decide on a best practices solution? I would like to offer a simple way to organize network security technologies and practices and talk a little bit about what Cisco has seen in customer networks. Our model is not reinventing the wheel, but it is what we call the security wheel and it talks to five general areas where you can group technologies and practices and it is a management model. Good security must be based on policy. Employees must know what they can and cannot do with company systems or government systems and that they will be held accountable by whoever is the boss, the CIO or whoever is accountable, and those people should be accountable, also. The policy must also be risk-based, so I am in concurrence with a lot of what you have already heard today. After setting appropriate policies, a company or organization must methodically consider security as a part, an integrated part of normal network operations. This could be as simple as configuring routers to not accept unauthorized addresses or services, or as complex as installing firewalls, intrusion detection systems, authentication, and encrypted virtual private networks. A basic tenet of military combat engineers is that an unobserved obstacle will eventually be breached, and that is also true for networks. Hackers will eventually figure a way around or through static defenses. The number and frequency of computer attacks is constantly on the rise. There are no vacation periods. As such a critical part of the security wheel is to monitor the network, intrusion detection and other monitoring devices, so that you have 24 by 7 visibility into what is going on inside and outside the network. The next stop is testing the network. Organizations that scan their networks regularly, updating electronic network maps, determining what hosts and services are running, and cataloging vulnerabilities, and they should also bring in experts for independent network security posture audits once or twice a year to provide a more thorough assessment of vulnerability. It is just like cleaning your teeth. We brush our teeth every day. Those are like your internal own network scans. And you go to the dentist once or twice a year and get an independent outside observation. It may be painful, but you get a lot of good out of it in the long run. Finally, there needs to be a feedback loop in every best practice. System administrators must be empowered to make improvements. Senior management has to be held accountable for network security. Those involved in day-to-day operations must have their attention. If you were to ask me, what is the most important step to do right now, I would give you two answers, one for the short- term and one for the long-term. In the short-term, the best thing I think any company or organization can do is to conduct a security posture assessment along with a risk assessment to establish a baseline. Without measuring where you are, you cannot possibly figure out where you need to go. For the long term, the best thing we can do together is to close the alarming skills gap. The requirement for highly skilled security specialists is increasing faster than all the training programs combined can produce qualified candidates. Universities are having difficulty attracting both professors and students. The government is also having a hard time retaining skilled security professionals. We in the private sector are building and maintaining state-of-the-art security training programs and we are collaborating with education institutions and training partners to provide a wide base for delivery. We are also helping the Office of Personnel Management to identify knowledge skills, abilities, and ongoing training requirements and career management and mentoring ideas for a Federal IT security workforce. This human resources issue is by far the most critical information security problem we face in the long term and the solution must be based on government, industry, and academic collaboration. Corporate network perimeters are blurring. That is also true for the lines between government and industry. The Internet knows no boundaries and we are all in this together. We are very enthusiastic about the new Partnership for Critical Infrastructure Security, a voluntary organization of some 120 companies from across the country dedicated to improving the network security of our critical infrastructures. As we further build the relationship between the public and private sectors, we hope the great spirit of cooperation currently led by the Department of Commerce and the Critical Infrastructure Assurance Office will continue. We believe that confidence in e-commerce is increasing. Thirty-eight new web pages are being added to the World Wide Web every second. Our job, all of us, all of our job, is to raise the bar of security overall, worldwide, so that we can empower our citizens and customers to take full advantage of the Internet economy in the Internet century. Thank you very much. I will be glad to answer any questions. Chairman Thompson. Thank you very much. Mr. Adams. TESTIMONY OF JAMES ADAMS,\1\ CHIEF EXECUTIVE OFFICER, INFRASTRUCTURE DEFENSE, INC. Mr. Adams. Chairman Thompson, Ranking Member Lieberman, thank you very much for including me on this distinguished panel. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Adams appears in the Appendix on page 88. --------------------------------------------------------------------------- By way of brief background, my company, iDEFENSE, provides intelligence-driven products--daily reports, consulting, and certification--that allow clients to mitigate or avoid computer network information and Internet asset attacks before they occur. As an example, iDEFENSE began warning its clients about the possibility of distributed denial of service attacks, the kind of hacker activity that is capturing headlines currently around the world, back in October and November of last year. At the outset, I would like to commend you and your staff for crafting such thoughtful and badly needed legislation in the area of computer security for the Federal Government. We are currently in the midst of a revolution, the information revolution, which calls for dramatic and bold steps in the area of securing cyberspace. It is in this context that your bill takes a crucial step forward by shaking out the current culture of lethargy and inertia gripping the Federal Government. With a proposal to put teeth into the OMB's oversight of computer security issues, this bill is a solid step in the right direction. Why does this matter? Few revolutions are accomplished without bloodshed. Already, as we plunge headlong and terribly ill-prepared into the knowledge age, we are beginning to receive the initial casualty reports from the front line of the technology revolution and to witness firsthand the cyber threats that, if allowed to fully mature, could cause horrendous damage. The recent denial of service attacks were mere pinpricks on the body of e-commerce. Consider instead that some 30 countries have aggressive offensive information warfare programs and all of them have America firmly in their sights. Consider, too, that if you buy a piece of hardware or software from several countries, among them some of our allies, there is real concern that you will be buying doctored equipment that will siphon copies of all material that passes across that hardware or software back to the country of manufacture. The hacker today is not just the stereotypical computer geek with a grudge against the world. The hacker today is much more likely to be in the employ of a government or big business or organized crime, and the hackers of tomorrow will be all of that and the disenfranchised of the 21st Century who will resort to the virtual space to commit acts of terrorism far more effective than anything we have seen in the 20th Century. The government, in all its stateliness, continues to move forward as if the revolution is not happening. Seven months ago, my company won a major contract with a government agency to deliver urgently needed intelligence. The money was allocated, the paperwork done. Yet, it remains mired in the bureaucratic hell from which apparently it cannot be extricated. [Laughter.] Another government agency is trying to revolutionize its procurement processes to keep up with the pace of the revolution. They are proudly talking about reducing procurement times down to under 2 years. In other words, by the time new equipment is in place, the revolution has already moved on 8 Internet years. In my company, if I cannot have a revolutionary new system in place within 90 days, I do not want it. The Thompson-Lieberman legislation is a good first step to try and control and drive the process that will bring the government up to speed with this revolution. I believe, however, that to effectively cope with the technology revolution, this proposal must be strengthened. What is needed is an outside entity with real power to implement drastic change in the way government approaches technology and the underlying security of its systems. Currently, jurisdictional wrangling, procurement problems, and a slew of other issues are seriously hampering the government's ability to stay current. The Thompson-Lieberman bill provides a framework to begin sorting through this mess. However, what is needed most is a person or an entity that will draw on skill sets in many areas that will overlap that of the CIOs, CFOs, CSO, and most of the other officers or entities that currently exist. Let us give this person the title of Chief of Business Assurance, or perhaps the Office of Business Assurance, to relate it directly to the Federal Government. The OBA's task would be to continuously gather and synthesize infrastructure-related trends and events, to intelligently evaluate the technological context within which the organization operates, to identify and assess potential threats, and then to suggest defensive action, or viewed from the positive side, to assess the technological revolution's opportunities and propose effective offensive strategies. The OBA must be a totally independent organization with real teeth and real power. There is much in common between government and industry when it comes to the challenges and the opportunities that the technology revolution poses. Both sectors face a common threat. Both factors share common goals for the well-being of America and her people. Both employ technologies that are, in essence, identical, and both must work together to protect each other. I leave you with this thought. In the near term, you will see total transformations of the way business and government is conducted, internally and externally. A failure to change to meet these new challenges is to risk the destruction that all revolutions bring in their wake. Proactive action is the route to survival. We have heard a great deal in recent months about the potential of a digital divide developing between the computer haves and the computer have-nots. I believe there is another digital divide that is growing between the American Government and its citizens. If this Committee's efforts do not move forward in changing this culture of inertia, there is real danger that the digital divide that exists between government and the private sector will only widen. We cannot afford a situation where the governed feel that their government is out of touch and increasingly irrelevant to their lives. By stepping up to the plate and tackling computer security with an innovative, bold approach, the Thompson-Lieberman bill significantly boosts the chances of reversing the current bureaucratic approach to a very dynamic problem. Thank you again for the honor of appearing before you. Chairman Thompson. Thank you, Mr. Adams. Very well said. You heard me mention, I am sure, a while ago about all of the reports and assessments and so forth over the last 2 or 3 years pointing this out. Now, in addition to all of that, we have the President's first version of the National Plan for Information Systems Protection. The plan discusses the need to make the government a model for cyber protection. As I look at it, I see few concrete proposals as to how to do that. As you know, I am mindful of these overlays and these impressions that we try to leave sometimes that we are doing something when we are really not. Where does this plan fit into the solution to what we are talking about here today? Mr. Adams. Well, I would just say a couple things about that. First, the plan was 7 months late. It is not a plan, it is an invitation to dialogue, a very different thing. If you asked those who were involved in the formulation of the plan, they will tell you that it was a ``business as usual, government at work'' nightmare. Every meeting, 100 people would turn up. They would talk about not what was good for the Nation but what was good for their existing equities. The result was a bureaucratic compromise, which is the document that you see, that raises some interesting points. But a plan will actually emerge, I would guess, a year from now, longer. Meanwhile, we all march on. It requires, I think, more than that, and where the action will have to come from and the leadership will come from is exactly right here. It is not going to come from the Federal Government as we know it, because it is a revolution and governments do not become revolutionaries. They naturally evolve, which is a great strength in a democracy. But in the middle of a revolution, it is actually a threat and a challenge to us that we need to step up to try and meet. Chairman Thompson. So we are trying to do something very tough but very necessary, is what you are saying. Mr. Adams. Absolutely, and the great thing, I think, that you are doing is saying, yes, this needs to be done. The very difficult thing for you, as you were rightly articulating earlier, is how to force what needs to be done to actually occur, because you say to the OMB, an inert bureaucracy in its own right, you have to force other organizations to change. True, but how exactly, and typically, it does not work like that. If you look at what the CIA is doing to try and embrace the revolution, they formed an outside organization, INCUTEL, that is driving technology revolution into the organization and pushing change from without to within, and to expect or ask organizations that are comfortable with business as usual to say, no, no, no, revolutionize, they will not do it. Imposition of change is the only way it will occur, and it will be resisted, but the consequence of not doing it can be very, very serious, and you can already see how relevant does anybody in Silicon Valley think the government is--not at all. Mr. Watson. If I might add a comment---- Chairman Thompson. Yes, go ahead. Mr. Watson. Mr. Chairman, the plan is not a complete plan yet, but at least---- Chairman Thompson. We are relevant in terms of the harm we can do them and how we can mess things up. From a positive standpoint, it is a very good question. Excuse me. Go ahead. Mr. Watson. But at least there was enough foresight in the Critical Infrastructure Assurance Office to at least get a plan started, and it is an invitation to a dialogue. They have asked industry to help complete this plan, add our perspective, bring in a physical dimension, look at the international aspects that are not in the current plan. I look forward to working with the Partnership, the big ``P'' Partnership that we just launched, to help make that come to pass. Chairman Thompson. It has taken 3 years since this all has been on the high-risk list, and now, when we cannot even take a baby step, we are talking about flying an airplane, and international and all these other high-sounding things which may eventually come about when China becomes a full democracy. Let me explore, you obviously feel like we have to have some kind of an outside entity. You refer to the OBA. Where does this individual fit into the process? What kind of entity are you talking about? Who is this person? How is this person selected? Who are they accountable to? I take it it is not within OMB, is what you have got in mind. Have you thought that through to that extent? Mr. Adams. I think OMB has got a long and traditional role in oversight and it does that job and has done so for a long time. It would be possible to have something sitting outside of OMB but working within the Federal Government structure but with a rather different mandate. If you look at the way industry sets up revolutionary change, it does so by--Steve Jobs and Apple is a good example. Put them in a different building, you set them outside the culture, you put a pirate flag on the roof, they develop their own language and culture and they come up with new and creative ideas. What we see at the moment is the traditional organization says we will go to the traditional places, the traditional consulting companies. They are use to forming committees, punching button A, producing a report in 6 months. Everybody thinks about it and does not do anything. Meanwhile, the people who really are making this revolution occur are the very different organizations that are the dot-com companies, and there needs to be some mechanism for allowing them to have input into change. So I would envisage something where you, Congress, would mandate and budget a group that would have the ability and the authority to impose change. Now, there is a thought, to impose, and if you do not do it, you will be held accountable in a culture, remember, where many of the things that government has traditionally thought of as its own self. To take Cisco, for example, they have 26,000 employees. They have three people in the whole organization doing expense accounting. Now, in the government, you have hundreds and thousands or however many people doing the process that can be outsourced. So we need to think about this and how can we make government efficient, relevant, fast moving, changing, dynamic, and I do not believe that it can be done imposing internal solutions. Processes and all of those things need to come from outside--technology, people, and processes. They will not be able to meet the technology because they cannot procure it fast enough. They cannot hire the people because they cannot afford them. We cannot, and we are paying much more money. And you will not have the processes because you need to impose them in a constantly dynamic way. So those three things will have to come from outside, and the only place that can mandate it, I think, is Congress, which will enforce it, enforce a different structure, a different way of thinking. Chairman Thompson. Thank you. Senator Lieberman. Senator Lieberman. Thanks. Again, thanks to both of you. I think, Mr. Chairman, we have had really excellent witnesses today. Mr. Mitnick earlier made the allegation that part of the problem here, though, as you know, he focused on the human management problem, is that there is such competition, particularly among software manufacturers, to get the product out to the market quickly that they are not spending sufficient time to deal with potential security flaws in that software. In fact, you have actually gone one step to the other side, really stunningly, or to me, fascinatingly, in saying that some foreign manufacturers may, in fact, be putting, I do not know whether you would call it a virus or something in the system that allows it to divert information back to them to be more easily hacked. Let me ask you to go at both parts of that. First, whether Mitnick has a point that manufacturers are not spending sufficient time dealing with systems to stop security problems before they put their products on the market. Mr. Adams. Well, we clearly know that that is correct. The rush to market, speed is of the essence. You clearly do not waste time. They are able to get away with that partly because we are all rushing forward with the revolution and absorbing it as fast as we can, and partly because there is not any training, there is not any process, and people are not security aware. If there was, as Jack Brock was talking about earlier, a minimum benchmark above which you have to be, then there would become a market-driven demand. I am not going to buy this software because it just simply does not meet my minimum standard, but I will buy this because it does. So there will be a market-driven enforcer that would say, if you do not raise your standards to become more security aware, you are out of business. Senator Lieberman. Yes. In other words, people who are doing it may advertise that as an attribute, for instance---- Mr. Adams. Absolutely. Senator Lieberman [continuing]. Market it, and then, hopefully, you drive the market. Mr. Adams. My security is better than his security, so---- Senator Lieberman. So you should buy mine. Mr. Adams. Exactly right. Senator Lieberman. Do you want to respond, Mr. Watson? Mr. Watson. Yes, sir. We do see market pressure to provide more secure products and that is why we do provide a whole range of them and everyone else is getting into that game, too. Senator Lieberman. Right. So that is happening now? Mr. Watson. It is happening. No. 1, demand from the market is speeding quality of service. No. 2 is security, and that may switch. We do not know. There is a great enabler that security brings to freedom of use of the Internet economy. Senator Lieberman. Say a little more about this other part of it, the other side, that some foreign manufacturers are putting in gaps, vulnerabilities in the system that they can then penetrate. Is that being done by them for private gain or is it being done by their governments or what is happening? Mr. Adams. If you look at the way, to take just 2, China and France, see the opportunity of the virtual space, they see this as no different from the terrestrial environment and there is a blurring, unlike in the United States, between the public and private sector. So what the Nation does, it does on behalf of the private sector. It was striking when I was in Moscow a couple of years ago talking to their intelligence people and their sort of security folks in the prime minister's office. They were obsessed by what they felt were American attacks in the virtual space. So any equipment they bought from overseas, computer software, hardware, they felt had bugs of one kind or another planted in it. Senator Lieberman. That U.S. manufacturers had put in it? Mr. Adams. Yes. Now, I have no idea whether that is true or not. What we do know is that other countries are very aggressively, indeed, contacting the United States, both with their impregnated devices of one kind or another and attacking through the virtual space. The challenge that we have is that we still see the front line as a Nation as soldier/sailor/ airman/marine, our border. The front line actually is the private sector, because as you were rightly saying earlier, who is going to attack a soldier? You are actually going to attack the power grid or the telecom or you are going to steal the national intellectual property, and how easy it is because we do not actually understand the threat. The awareness among CEOs or CIOs in the private sector and, indeed, in the public sector, is lamentable, and yet the threat and the way the America's technological advantage, and the fact that we are the most wired Nation in the world, is being exploited on a daily basis is a national outrage, and yet here we are. Senator Lieberman. Is there any way for a purchaser of a software system with a bug in it to determine that there is a bug in it as they use it? Mr. Adams. You can, but it is very difficult. It is rather--I would say that there needs to be some way of a dialogue taking place between the traditional defenders of the nation-state, the intelligence community, the early warning system---- Senator Lieberman. Right. Mr. Adams [continuing]. And those that are in the front line and need to be defended. There is intelligence. There is information. There are things that you can do, but the degree of sharing of that knowledge is very, very limited indeed currently. Senator Lieberman. One of the things that strikes me, and you referred to it in a way, is that not only would a hostile power or group think about striking at purely private systems, but governmental systems and military systems even use private communication lines to convey information so that there is vulnerability in different ways. So what you just said is very important: There is more electronic interdependence of public sector and private sector than we generally acknowledge, and, therefore, a true solution to this security problem really has to be joint. Mr. Adams. That is right, and if you think about how we traditionally see the nation-state, we see it as the government and the private sector goes on and does its thing and helps the nation-state when war breaks out. In the virtual space, war is going to be a constant. It is no different, if you like, to the way we were with terrorism in the early 1970s, when Congress would have hearings about bombings and assassinations and the bombers and assassins could choose the time and place and the target. We were very undefended. We did not understand the problem. This is very similar to that, except the targeting has changed. The methods have changed. We are moving everything to the virtual space and the same actors are out there. It is just that we do not yet understand how to manage it, and it will be a comprehensive thing. There is no single fix. It is a series of things, some of them being done by Cisco with some of the excellent things that they make, some of them being done with the public-private partnership, some of them being driven by leadership that is going to come from people like yourselves. Senator Lieberman. Very interesting. As you both know but I think a lot of people out there do not know, it was the Federal Government, certainly through DARPA and the Defense Department, that did some of the initial work that led to the Internet and to the whole information revolution. Now, of course, we have fallen behind, certainly in this computer security part of it, behind the private sector that we in government gave birth to or spawned. Do you have any ideas for what we might do to help government both be a stimulator, an incentivizer of more sophisticated computer security technology? Or in a broader sense, thinking perhaps idealistically, what government can do to be a model itself, which it is not now, for computer security? Mr. Adams. If I can give you one statistic first, 20 years ago, 70 percent of all technology development was funded one way or another in America by the American Government. Today, that is under 5 percent. So in a single generation, you had an absolute transfer of energy, drive, and power from public to private. So what that says is that there needs to be--the public sector is never going to be a model. It cannot move fast enough. It is never going to be a zero-sum game. You are never going to get rid of the problem. You are only going to be able to effectively manage it. So it is how to incorporate the private, how to see that the solution is outside and bring it in, rather than thinking about it being inside and imposing it out, and it is a very different way of thinking and a very radical way of thinking for government in its whole, because government in its whole tends to think that I am the answer, and in this case, that is not it. Senator Lieberman. I also serve on the Armed Services Committee. While this is not the perfect model and it is the minority of what happens, there is a lot more willingness to buy off-the-shelf today. In fact, some of our major defense systems are being built in a way that allows parts to be pulled out and the newest parts from the private sector to be put in over time, and maybe that is a model for computer security, as well. Mr. Watson, do you want to respond? Mr. Watson. Yes, sir. First of all, it is true that the Internet knows no boundaries. There are no more perimeters, no more borders. It is all cyberspace. Two things, though. Industry tends to develop things at Internet speed and move a lot faster than most governments can move. Since industry owns and operates most of the infrastructures on which the government, both private government and the infrastructures that we run, depend, it is our responsibility to do our part to develop solutions and we are doing that. Also, in our studies, we have discovered that you can spend a lot of time studying the threat, but it is a lot more profitable to look at vulnerabilities and solve those to raise the bar of security. So that is the direction that we are taking. We are looking at vulnerabilities and addressing those. That is why it is important to do security posture assessments, risk assessments, to look at where you are and to know what you can fix at zero or little cost, as the NASA IG said. Two provisions of the S. 1993 bill, I think, are really important. One is that it does include security as an integrated part, component, of each agency's business model and it emphasizes training as essential. That is a multi-faceted problem. Training security specialists is something we need to do and training everybody in the awareness problem and how users can better exercise security is important. Senator Lieberman. Should we be building on the DARPA model? Although again, maybe the private sector is zooming so far ahead that we do not have to do that. But there are certain areas in which, over time, we have found that because of market pressures, the private sector may not invest enough in research and development and so the government gets involved to do that. Is this an area where we ought to be targeting more Federal money in R&D and computer security breakthroughs? Mr. Watson. Before we will know the answer to that, it is important to have some kind of a clearinghouse and finding out what industry is doing, what academia is doing, what the government could target its money so it is not duplicating efforts. And I think the vehicle that we have in place right now, it is just a beginning, is the Partnership for Critical Infrastructure Security, and maybe the PCIS recommendation for the Institute for Information Infrastructure Protection might be able to be that clearinghouse. Senator Lieberman. Right. Mr. Adams. I also think, though, that the way of--you take the DARPA model---- Senator Lieberman. Right. Mr. Adams [continuing]. You speak to folks at DARPA now, as you, I am sure, know, they focus not so much on inventing the new but integrating what is there, a different thing. Private industry is moving very, very rapidly. Cisco invests more money in thinking about new stuff on securing the Web than the government could ever really get together. Senator Lieberman. So maybe there is not a need for us to do it if the market is driving it. Mr. Adams. But maybe there is a different way of doing it. I mean, what is there that the Federal Government can do to influence the outcome for the Nation? Education is fundamentally important. We go home at night, we unlock the door. We leave in the morning, we turn on the burglar alarm, we look the door, we make sure the windows are shut, and so on. Nobody is being trained in these elementary things. There is an enormous amount that could be done in education in schools, in universities, in funding programs, seed money that would ensure the security of the Nation going forward into this century rather than looking at, well, we have put in a spot of money here, but instead thinking about this in a national context. What is the best for the Nation as a whole that we, the Federal Government, can facilitate, because the private sector is continuing again to drive this revolution. So education is extremely important. Awareness is extremely important. And this is a major national security issue, so there are things that can be done from the Federal down to the local level. Senator Lieberman. Thank you both. You have been excellent witnesses. I appreciate your time. Mr. Watson. Thank you. Chairman Thompson. Could I ask, just very briefly, how would you sell that from a national security standpoint? We talk about educating the young people and bridging the gap between the rich and the poor and all that, but how would you articulate the necessity to do that from a national security standpoint? These are kids. They are obviously going to use it in the short-term for things other than that. But from a long- term national benefit, are there not going to be just specialists that do that sort of thing? For the masses, it is certainly beneficial and maybe necessary, but does it really have to do with national security? Mr. Adams. I would not posture it quite like that. Let me give you a brief anecdote. I was in a meeting about national security, American national security, a little while ago talking about future threats, 5 to 10 years. There was general agreement that China is a very significant threat to the United States. At that same meeting, one of America's leading high- technology companies, they had one of their senior officers there and he was describing how they have had to make an investment decision about a new technology product that they are making, a new next step in the revolution. This is an American company. Where do we go? We go to the place where there is a customer base, where we have cheap labor and we have a high number of engineers. Where do they build their new factory? China. National security is irrelevant. So the argument is not national security. The argument is what is going to be the resource for America in this century. Answer, trained and qualified people who can manage and master the revolution. As part of that, as part of that education process, just as you get trained in sanitation or good health practices, so you get trained in good security practices. It is part of being trained as an information specialist. Chairman Thompson. In order to remain in a leadership position in the global economy, you have to maintain the productivity and, therefore, maintain your technological advantages, and, therefore, you have to have the educational background. Mr. Adams. Exactly, and that is something that the government can absolutely influence the outcome of. Chairman Thompson. What kind of group was this that you said you just attended? Mr. Adams. I would have to talk to you about that outside. Chairman Thompson. All right. Mr. Watson. I would suggest incentives to collaborate with the private sector. Cisco networking academies are in all 50 States and 25 foreign countries. We are adding security modules into that training. We build security training syllabuses and training partners deliver that training. We would view Federal requirements for security training as a market pressure and we would develop products and services to meet that demand. Chairman Thompson. Mr. Watson, in your background with regard to information warfare, do you subscribe to the notion I have heard some say that it is almost for sure that in any future military attack, one industrialized country against another, that it would probably be preceded by a cyber attack? Mr. Watson. I would say that was possible and maybe even likely. Chairman Thompson. What would you think, Mr. Adams? Mr. Adams. I would say that most countries that have an information warfare capability see that as a precursor to full- scale war, and indeed, the full-scale war itself may occur in the virtual space. The interesting thing is that while America has a capability in this area, the lawyers have not yet decided what is war in the virtual space. So we may be attacked and in serious trouble before we can do anything about it. Chairman Thompson. One final thing. Senator Lieberman and you mentioned the shift of capability from the government to the private sector and now we are here in our legislation trying to decide what government should be doing, first of all, about itself and managing itself. You heard the GAO testimony about the government needing to decide minimum standards. I am wondering what is going on in the private sector out here. How is that going to interface with what we are trying to do? Should the government be setting standards for itself, minimum standards and as it is purchasing the hardware, software, servicing, and all from the outside, or should these be private standards determined by the private sector that we incorporate? Do you see what I am trying to get at? How does that interrelate? Mr. Adams. I think there are two different things that you are addressing. What we have at the moment as this revolution has unfolded is a multitude of standards--hardware, software, different in America, different in Britain, different in France, all over the world. Yes, it is a common arena, as Ken was saying earlier, and for the government or governments, more likely, the World Trade Organization to agree on a common standard is completely unrealistic, I think. It would take years and just will not happen. More likely will be if you go back to the housing problems at the beginning of this century in the United States, a tremendous amount of poor housing that were in very bad shape. Nobody could agree what to do about it, but when the insurance industry said, OK, here is a minimum standard or else you do not get insurance. If you do not have insurance, you cannot have a mortgage. Lo and behold, the standards raised up and the standards of housing went up with it. The market drove the solution, in other words, and I think exactly the same thing will happen here. There has been lots of talk about minimum risk standards and that needs to be applied. Two things will drive it. One will be down value chains. You are going to do business with me, you need to be affirmed at this risk level of some kind or another, certified at this risk level, and if you do not, then I am not going to do business with you. And the second will be the insurance industry, which will say, if you are going to be insured with me, just like if I issue you with a house insurance policy, you get 10 percent off for this burglar alarm, 15 percent off if you are connected to the police station, so it will be a similar thing in the virtual space. So those two market factors will drive it. Chairman Thompson. So instead of the government requiring certain standards of private industry, private industry would be requiring certain standards from the government? Mr. Adams. Exactly. Mr. Watson. And we are already working in that direction. We are beginning to dialogue with the insurance and audit industries to develop standards. There are no standards across the board for security posture assessments or penetration tests or white-hat hacking or whatever you want to call it. If you ask two companies to give you an assessment of your security, you will get two completely different answers because they are based on different standards. There is no standard training program for network security engineers to certify that someone has the skill required to do that kind of an assessment. There are no standard ratings for security in a network. How would you do that anyway? It would be an instantaneous security state, but how would you say, if you have a firewall, you have one level of standard. If you have a firewall, intrusion detection, and remote monitoring, you meet another security standard that could be insurable. Those are the kinds of questions that we need to address. Chairman Thompson. Well, you know the GAO has these best practices and so forth. Do we not have any minimal standards, without being so minimal that they are meaningless? Mr. Watson. They are just not defined yet. Mr. Adams. And there is no common language, we all speak-- it sounds similar, but we all interpret it differently and you can give yourself a tick in the box which actually you are nowhere near where you should be. Chairman Thompson. Thank you very, very much. We appreciate it. Senator Lieberman. Thank you. Chairman Thompson. The record will remain open for 1 week after the close of the hearing. We are adjourned. [Whereupon, at 12:50 p.m., the Committee was adjourned.] A P P E N D I X ---------- [GRAPHIC] [TIFF OMITTED] T3639.001 [GRAPHIC] [TIFF OMITTED] T3639.002 [GRAPHIC] [TIFF OMITTED] T3639.003 [GRAPHIC] [TIFF OMITTED] T3639.004 [GRAPHIC] [TIFF OMITTED] T3639.005 [GRAPHIC] [TIFF OMITTED] T3639.006 [GRAPHIC] [TIFF OMITTED] T3639.007 [GRAPHIC] [TIFF OMITTED] T3639.008 [GRAPHIC] [TIFF OMITTED] T3639.009 [GRAPHIC] [TIFF OMITTED] T3639.010 [GRAPHIC] [TIFF OMITTED] T3639.011 [GRAPHIC] [TIFF OMITTED] T3639.012 [GRAPHIC] [TIFF OMITTED] T3639.013 [GRAPHIC] [TIFF OMITTED] T3639.014 [GRAPHIC] [TIFF OMITTED] T3639.015 [GRAPHIC] [TIFF OMITTED] T3639.016 [GRAPHIC] [TIFF OMITTED] T3639.017 [GRAPHIC] [TIFF OMITTED] T3639.018 [GRAPHIC] [TIFF OMITTED] T3639.019 [GRAPHIC] [TIFF OMITTED] T3639.020 [GRAPHIC] [TIFF OMITTED] T3639.021 [GRAPHIC] [TIFF OMITTED] T3639.022 [GRAPHIC] [TIFF OMITTED] T3639.023 [GRAPHIC] [TIFF OMITTED] T3639.024 [GRAPHIC] [TIFF OMITTED] T3639.025 [GRAPHIC] [TIFF OMITTED] T3639.026 [GRAPHIC] [TIFF OMITTED] T3639.027 [GRAPHIC] [TIFF OMITTED] T3639.028 [GRAPHIC] [TIFF OMITTED] T3639.029 [GRAPHIC] [TIFF OMITTED] T3639.030 [GRAPHIC] [TIFF OMITTED] T3639.031 [GRAPHIC] [TIFF OMITTED] T3639.032 [GRAPHIC] [TIFF OMITTED] T3639.033 [GRAPHIC] [TIFF OMITTED] T3639.034 [GRAPHIC] [TIFF OMITTED] T3639.035 [GRAPHIC] [TIFF OMITTED] T3639.036 [GRAPHIC] [TIFF OMITTED] T3639.037 [GRAPHIC] [TIFF OMITTED] T3639.038 [GRAPHIC] [TIFF OMITTED] T3639.039 [GRAPHIC] [TIFF OMITTED] T3639.040 [GRAPHIC] [TIFF OMITTED] T3639.041 [GRAPHIC] [TIFF OMITTED] T3639.042 [GRAPHIC] [TIFF OMITTED] T3639.043 [GRAPHIC] [TIFF OMITTED] T3639.044 [GRAPHIC] [TIFF OMITTED] T3639.045 [GRAPHIC] [TIFF OMITTED] T3639.046 [GRAPHIC] [TIFF OMITTED] T3639.047 [GRAPHIC] [TIFF OMITTED] T3639.048 [GRAPHIC] [TIFF OMITTED] T3639.049 [GRAPHIC] [TIFF OMITTED] T3639.050 [GRAPHIC] [TIFF OMITTED] T3639.051 [GRAPHIC] [TIFF OMITTED] T3639.052 [GRAPHIC] [TIFF OMITTED] T3639.053 [GRAPHIC] [TIFF OMITTED] T3639.054 [GRAPHIC] [TIFF OMITTED] T3639.055 [GRAPHIC] [TIFF OMITTED] T3639.056 [GRAPHIC] [TIFF OMITTED] T3639.057 [GRAPHIC] [TIFF OMITTED] T3639.058 [GRAPHIC] [TIFF OMITTED] T3639.059 [GRAPHIC] [TIFF OMITTED] T3639.060 [GRAPHIC] [TIFF OMITTED] T3639.061 [GRAPHIC] [TIFF OMITTED] T3639.062 [GRAPHIC] [TIFF OMITTED] T3639.063 [GRAPHIC] [TIFF OMITTED] T3639.064 [GRAPHIC] [TIFF OMITTED] T3639.065 [GRAPHIC] [TIFF OMITTED] T3639.066 [GRAPHIC] [TIFF OMITTED] T3639.067 [GRAPHIC] [TIFF OMITTED] T3639.068 [GRAPHIC] [TIFF OMITTED] T3639.069 [GRAPHIC] [TIFF OMITTED] T3639.070 [GRAPHIC] [TIFF OMITTED] T3639.071 [GRAPHIC] [TIFF OMITTED] T3639.072 [GRAPHIC] [TIFF OMITTED] T3639.073 [GRAPHIC] [TIFF OMITTED] T3639.074 [GRAPHIC] [TIFF OMITTED] T3639.075 -  -