House Hearing, 108TH Congress - Cyber Security: The Challenges Facing Our Nation in Critical Infrastructure Protection


CYBER SECURITY: THE CHALLENGES FACING OUR NATION IN CRITICAL INFRASTRUCTURE PROTECTION

HEARING
BEFORE THE
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS AND THE CENSUS
OF THE
COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION

APRIL 8, 2003

Serial No. 108-13

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE
87230 PDF  WASHINGTON : 2003

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2250  Mail: Stop SSOP, Washington, DC 20402-0001

VerDate 11-MAY-2000 10:15 Aug 25, 2003 Jkt 000000 PO 00000 Frm 00001 Fmt 5011 Sfmt 5011 D:\DOCS\87230.TXT HGOVREF1 PsN: HGOVREF1
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman

Majority members:
DAN BURTON, Indiana
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. MCHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
STEVEN C. LATOURETTE, Ohio
DOUG OSE, California
RON LEWIS, Kentucky
JO ANN DAVIS, Virginia
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
ADAM H. PUTNAM, Florida
EDWARD L. SCHROCK, Virginia
JOHN J. DUNCAN, JR., Tennessee
JOHN SULLIVAN, Oklahoma
NATHAN DEAL, Georgia
CANDICE S. MILLER, Michigan
TIM MURPHY, Pennsylvania
MICHAEL R. TURNER, Ohio
JOHN R. CARTER, Texas
WILLIAM J. JANKLOW, South Dakota
MARSHA BLACKBURN, Tennessee

Minority members:
HENRY A. WAXMAN, California
TOM LANTOS, California
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
CHRIS VAN HOLLEN, Maryland
LINDA T. SANCHEZ, California
C.A. DUTCH RUPPERSBERGER, Maryland
ELEANOR HOLMES NORTON, District of Columbia
JIM COOPER, Tennessee
CHRIS BELL, Texas
BERNARD SANDERS, Vermont (Independent)

PETER SIRH, Staff Director
MELISSA WOJCIAK, Deputy Staff Director
RANDY KAPLAN, Senior Counsel/Parliamentarian
TERESA AUSTIN, Chief Clerk
PHILIP M. SCHILIRO, Minority Staff Director

SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS AND THE CENSUS
ADAM H. PUTNAM, Florida, Chairman

Majority members: CANDICE S. MILLER, Michigan; DOUG OSE, California; TIM MURPHY, Pennsylvania; MICHAEL R. TURNER, Ohio
Minority members: WM. LACY CLAY, Missouri; DIANE E. WATSON, California; STEPHEN F. LYNCH, Massachusetts

EX OFFICIO: TOM DAVIS, Virginia; HENRY A. WAXMAN, California

BOB DIX, Staff Director
JOHN HAMBEL, Counsel
CHIP WALKER, Professional Staff Member
URSULA WOJCIECHOWSKI, Clerk
DAVID MCMILLEN, Minority Professional Staff Member

CONTENTS

Hearing held on April 8, 2003 (page 1)

Statement of:
Clarke, Richard, former special advisor to the President for Cyberspace Security; Michael A. Vatis, director, Institute for Security Technology Studies at Dartmouth College and chairman, Institute for Information Infrastructure Protection; and Mark A. Forman, Associate Director, Information Technology and Electronic Government, Office of Management and Budget (page 9)
MacLean, Rhonda, senior vice president and director of corporate information security for Bank of America, sector coordinator for the Financial Services Industry Public/Private Partnership on Critical Infrastructure Protection and Homeland Security; Robert F. Dacey, Director, Information Security Issues, U.S. General Accounting Office; and Thomas Pyke, Chief Information Officer, Department of Commerce (page 52)

Letters, statements, etc., submitted for the record by:
Clarke, Richard, former special advisor to the President for Cyberspace Security, prepared statement of (page 11)
Dacey, Robert F., Director, Information Security Issues, U.S. General Accounting Office, prepared statement of (page 79)
Forman, Mark A., Associate Director, Information Technology and Electronic Government, Office of Management and Budget, prepared statement of (page 33)
MacLean, Rhonda, senior vice president and director of corporate information security for Bank of America, sector coordinator for the Financial Services Industry Public/Private Partnership on Critical Infrastructure Protection and Homeland Security, prepared statement of (page 55)
Putnam, Hon. Adam H., a Representative in Congress from the State of Florida, prepared statement of (page 4)
Pyke, Thomas, Chief Information Officer, Department of Commerce, prepared statement of (page 72)
Vatis, Michael A., director, Institute for Security Technology Studies at Dartmouth College and chairman, Institute for Information Infrastructure Protection, prepared statement of (page 22)

CYBER SECURITY: THE CHALLENGES FACING OUR NATION IN CRITICAL INFRASTRUCTURE PROTECTION

TUESDAY, APRIL 8, 2003

HOUSE OF REPRESENTATIVES,
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY,
INTERGOVERNMENTAL RELATIONS AND THE CENSUS,
COMMITTEE ON GOVERNMENT REFORM,
Washington, DC.
The subcommittee met, pursuant to notice, at 9:30 a.m., in room
2247, Rayburn House Office Building, Hon. Adam Putnam (chair-
man of the subcommittee) presiding.
Present: Representatives Putnam and Clay.
Staff present: Bob Dix, staff director; John Hambel, senior coun-
sel; Chip Walker, Scott Klein, and Lori Martin, professional staff
members; Ursula Wojciechowski, clerk; David McMillen, minority
professional staff; and Jean Gosa and Early Green, minority clerks.
Mr. PUTNAM. A quorum being present, this hearing of the Sub-
committee on Technology, Information Policy, Intergovernmental
Relations and the Census will come to order.
Good morning, and welcome to a series of planned hearings on
cyber security, a topic that is critically important and one that has
largely been neglected both in congressional debate, private sector
action, and administrative action. It is a pleasure to have a distin-
guished panel of witnesses with us this morning.
Virtually every aspect of our lives is in some way, shape, or form
connected to computers. Networks that stretch from coast to coast
or around the world connect these computers to one another. In the
traditional sense, we have thought of our security as a Nation in
the physical: bridges, power plants, water supplies, airports, etc.
Security of our physical infrastructures has been a high priority
and a particularly visible priority since September 11, 2001.
The military, customs, and border patrol are charged with pro-
tecting and securing our borders. The Coast Guard protects our wa-
terways. Federal, State, and local law enforcement officials protect
our bridges, railways, and streets and provide for our own personal
protection. But in this day and age, this type of one-dimensional
thought is no longer adequate. Our critical infrastructure of the
cyber kind must have the same level of protection if we are to be
secure as a Nation from random hacker intrusions, malicious viruses,
or worse, serious cyber terrorism.
There are several things unique to cyber attacks that make the
task of preventing them particularly difficult. Cyber attacks can
occur from anywhere around the globe; from the caves of Afghani-
stan to the war fields of Iraq, from the most remote regions of the
world or simply right here in our own back yard, perhaps in the
bedroom of some 16-year-old who is particularly gifted in comput-
ers and electronics. The technology used for cyber attacks is readily
available and changes continuously. And perhaps most dangerous
of all is the failure of many people, critical to securing these net-
works and information from attack, to take the threat seriously, to
receive adequate training, and to take the steps needed to secure
their networks. I am happy to say today that all of the witnesses
here are on the forefront of this war on cyber terrorism, and I
am looking forward to their insightful testimony.
In May 1998, President Clinton released Presidential Decision
Directive No. 63. This Directive set up groups within the Federal
Government to develop and implement plans that would protect
Government-operated infrastructures and called for a dialog be-
tween Government and the private sector to develop a National In-
frastructure Assurance Plan that would protect all of the Nation's
critical infrastructures by 2003. The Directive has since been sup-
plemented by Executive Order 13231, which established President
Bush's Critical Infrastructure Protection Board and the President's
National Strategy for Homeland Security.
Since January 2001, efforts to improve Federal information secu-
rity have accelerated at individual agencies and at the Govern-
ment-wide level. For example, implementation of Government In-
formation Security Reform Act [GISRA] legislation, enacted by the
Congress in October 2000 was a significant step in improving Fed-
eral agencies' information security programs and addressing their
serious, pervasive information security weaknesses. In implement-
ing GISRA, agencies have noted benefits, including increased man-
agement attention to and accountability for information security.
Although improvements are under way, recent GAO audits of 24 of
the largest Federal agencies continue to identify significant infor-
mation security weaknesses that put critical Federal operations
and assets in each of those agencies at risk.
On December 17, 2002, the Federal Information Security Man-
agement Act [FISMA], was enacted as Title III of the E-Govern-
ment Act of 2002. FISMA permanently authorizes and strengthens
the information security program, evaluation, and reporting re-
quirements established by GISRA. Among its provisions, it also re-
quires the National Institute of Standards and Technology to de-
velop standards that provide mandatory minimum information se-
curity requirements for Federal information security systems.
While securing Federal information systems is critical, so is se-
curing the critical infrastructure of the Nation, 80 percent of
which is privately controlled. Reports of computer attacks abound.
The 2002 report of the Computer Crime and Security Survey con-
ducted by the Computer Security Institute and FBI's San Francisco
Computer Intrusion Squad showed that 90 percent of the respond-
ents, mostly large corporations and Federal agencies, had detected
computer security breaches within the last 12 months; 90 percent.
In addition, the number of computer security incidents reported to
the CERT Coordination Center rose from over 9,800 in 1999 to over
52,000 in 2001 and over 82,000 in 2002. And these are only the at-
tacks that are reported.
The director for CERT Centers, operated by Carnegie Mellon
University, stated that he estimates as much as 80 percent of ac-
tual security incidents go unreported. In most cases, this is because
either the organization was unable to recognize its systems have
been penetrated or there were no indications of penetration or at-
tack, or the organization was just reluctant to report.
Our own GAO has found a disturbing trend among Federal agen-
cies. In both 2001 and 2002, GAO continued their analysis of audit
reports for 24 major departments and agencies. The audits identi-
fied significant information security weaknesses in each that put
critical Federal operations and assets at risk.
While the Federal Government and private sectors have made
improvements in cyber critical infrastructure protection, there is
still much work to be done. In July 2002, GAO identified at least
50 Federal organizations that have various national or multiagency
responsibilities related to cyber critical infrastructure protection.
The interrelationship of these organizations is vital to a successful
cyber CIP strategy. These organizations also interrelate and coordi-
nate with even more private sector organizations as well as the
State and local governments.
The ability of all of these groups to communicate well, to under-
stand the risks involved, accept common goals and minimum stand-
ards, and accept full accountability will be the keys to a successful
national effort to protect the Nation's critical infrastructures and
our Government networks.
This subcommittee accepts the serious nature of the oversight re-
sponsibility related to this topic, and this hearing today is simply
the beginning of what will be a series of hearings that examine and
measure the progress toward achieving true cyber security.
We are delighted to be accompanied by the gentleman from Mis-
souri, the ranking member, Mr. Clay. I recognize you for any open-
ing remarks. Thank you for joining us.
[The prepared statement of Hon. Adam H. Putnam follows:]

Mr. CLAY. Good morning. Thank you, Mr. Chairman, for calling
this hearing. I would like to welcome the witnesses who are going
to testify before us today. The issue before us today, as the chair-
man has pointed out, is as critical as any national security issue.
Unfortunately, it is even more complex than most.
There are really two issues before us today. First, as the title of
this hearing implies, we must examine the processes in place for
protecting our Nation's critical infrastructures, like the telephone
system, financial systems, the supply of electricity, natural gas,
water, and emergency services. Second, and equally important, we
must examine the security of the computer systems that run our
Government from day to day.
Just last November, this committee issued a report on computer
security where only 3 agencies got grades of C or above and 14
agencies failed. Some of the answers to these questions are the
same. Computer security takes place in the trenches. If the man
or woman sitting at the desk does not do the proper thing, then our
systems will not be secure. If the system administrator does not in-
stall the proper patches when they become available, then our sys-
tems will not be secure. If the procurement officer does not exam-
ine software for security features before recommending or approv-
ing a purchase, then our system will not be secure. All of the secu-
rity plans in the world will not make our systems secure unless
those at the heart of the system do their job.
As we have learned, computer security has not been a priority
at agencies. Over the past 4 years, Congress has steadily turned
up the heat. Former Representative Horn issued a number of re-
port cards, each one showing the situation was worse than we real-
ized. One of the lessons from that experience was that when we
asked agencies to evaluate themselves, they are often overly opti-
mistic. Last year, the report cards, based primarily on audit report
from the Inspector General, were the worst ever.
We may have turned the corner. Last year, we passed the Fed-
eral Information Security Management Act [FISMA], which is a
significant step forward in setting out requirements for computer
security that agencies must follow. Now we must assure that those
requirements are implemented. It is my understanding that OMB
has yet to issue the guidance required under FISMA. I hope that
Mr. Forman will tell us that OMB has renewed its efforts to assure
that the requirements of FISMA are implemented.
We have a long way to go but I believe we are on the right track
to secure our Government's day-to-day computer system. I am not
sure I can say the same thing about protecting our critical infra-
structure. While I believe we are making progress in this arena, it
is very slow. It has been almost 7 years since President Clinton es-
tablished the President's Commission on Critical Infrastructure
Protection and almost 5 years since President Clinton issued Presi-
dential Decision Directive No. 63, to assure critical infrastructure
protection. I expect our witnesses today will report on how we are
progressing toward the goals established in that Directive.
What concerns me, however, is that we have entered an era
where things like critical infrastructure protection and Homeland
Security are being used to erode our open Government. Just last
week, USA Today reported that we are facing the biggest rollback
of open Government laws since those laws were passed 30 years
ago. What is tragic is that this renewed emphasis on secrecy is un-
necessary. In the 19th century, the cryptographer Auguste Kerckhoffs
set down a principle that is the most advanced work in cryptog-
raphy today: In good systems, the system should not depend on se-
crecy and it should be able to fall into the enemy's hands without
disadvantage. Put another way, the knowledge that American citi-
zens are going to jump anyone who tries to hijack a plane does
more to prevent hijacking than all of the secret plans at the Trans-
portation Security Agency. If we sacrifice the fundamental prin-
ciples of our society in the name of security, we have won neither
security nor freedom. Thank you, Mr. Chairman.
Mr. PUTNAM. Thank you very much.
At this time we will begin with our witnesses. All of you have
been very gracious to provide thorough written testimony. As you
know, we ask that you limit your oral presentation to 5 minutes.
There is a light box on your table; the green light means that you
may begin your remarks, and the red, we ask you to begin to sum
up because the time has expired. We do have several witnesses and
some panel members who are on a tight time schedule and we will
attempt to be as thorough and as efficient as possible.
As you know, it is the policy of this committee that we swear in
witnesses. So please rise and raise your right hands.
[Witnesses sworn.]
Mr. PUTNAM. Note for the record that all of the witnesses re-
sponded in the affirmative.
I would like to begin the first panel with Richard Clarke. Richard
Clarke is an internationally recognized expert on security, includ-
ing homeland security, national security, cyber security, and
counter-terrorism.
He has served the last three Presidents as a senior White House
advisor. Over the course of a record setting 11 consecutive years of
White House service, he has held the titles of special assistant to
the President for global affairs, national coordinator for security
and counter-terrorism, and special advisor to the President for
cyber security.
Prior to his White House years, Mr. Clarke served for 19 years
in the Pentagon, the Intelligence Community, and State Depart-
ment. During the Reagan administration, he was Deputy Assistant
Secretary of State for Intelligence. During the first Bush adminis-
tration, he was Assistant Secretary of State for political-military af-
fairs and coordinated diplomatic efforts to support the first Gulf
war and the subsequent security arrangements.
Today Mr. Clarke consults on a range of issues, including: cor-
porate security risk management, information security technology,
dealing with the Federal Government on security and IT issues,
and counter-terrorism. Clearly, he is a well-qualified witness for
this subcommittee hearing.
We are delighted to have you with us, Mr. Clarke. With that, you
are recognized for 5 minutes.

STATEMENTS OF RICHARD CLARKE, FORMER SPECIAL ADVISOR TO THE PRESIDENT FOR CYBERSPACE SECURITY; MICHAEL A. VATIS, DIRECTOR, INSTITUTE FOR SECURITY TECHNOLOGY STUDIES AT DARTMOUTH COLLEGE AND CHAIRMAN, INSTITUTE FOR INFORMATION INFRASTRUCTURE PROTECTION; AND MARK A. FORMAN, ASSOCIATE DIRECTOR, INFORMATION TECHNOLOGY AND ELECTRONIC GOVERNMENT, OFFICE OF MANAGEMENT AND BUDGET
Mr. CLARKE. Thank you, Mr. Chairman, Mr. Clay. Mr. Chair-
man, first let me start by commending you for having this hearing
and recognizing the importance of this issue. Your remarks were
right on point. I am not surprised that you are on top of this issue.
I recall very well that long before September 11th, you asked me
when I was the Counter-Terrorism Czar to come up and brief you
on al-Qaeda before most Members of the Congress knew what al-
Qaeda was. So I am not surprised that you are on top of this issue
before other people.
I would hope that with cyber security we could do more to raise
our defenses before we have a major disaster. With al-Qaeda, un-
fortunately, we had to wait until we had a major disaster for peo-
ple to get it and for people to act on that understanding. It would
be nice if, for once, we were able to get the Congress and the ad-
ministration and the corporate world to understand the issue be-
fore the disaster occurs.
The problems that we have had to date in cyber security are
minor when compared to the potential. And the mistake a lot of
people make is that they look at the past as a predictor of the fu-
ture, that the past $17 billion a year worth of damage by cyber se-
curity they think is just a minor nuisance. Unfortunately, as long
as we have major vulnerabilities in cyberspace and we do not ad-
dress those major vulnerabilities, we run the potential for some-
body doing us much more severe damage than has been done to
date. So people who look at the cost of cyberspace security prob-
lems today and say those problems are not significant should in-
stead be looking to the future and what could happen based on the
vulnerabilities that exist.
Mr. Chairman, I have suggested in my written testimony 10
things which I think this committee and the Congress could do in
general. Let me quickly go over them in the time allowed.
First and foremost, I think the Department of Homeland Secu-
rity must be the focus, the location in the executive branch that
has clear responsibility for cyberspace security. That is the intent
of President Bush's National Strategy. Unfortunately, the depart-
ment in its early days, and I admit these are early days, has not
organized itself to take on that heavy responsibility, has not cre-
ated a Cyberspace Security Center, has not recruited senior recog-
nized cyberspace security experts. Until it does, we will continue to
have a major problem.
Second, we still lack a Chief Information Security Officer for the
Federal Government. I have the utmost respect for my friend and
colleague Mark Forman, but he is not the Chief Information Secu-
rity Officer. We do not have one. You would think that since Con-
gress has given to OMB by law the responsibility for managing the
IT security of the Federal agencies, except for the Defense Depart-
ment and the Intelligence Community, that they would have a
large staff of people dedicated fully to this issue. They do not. And
until they do, we are likely to continue to have 14 agencies getting
Fs and no agencies getting better than C. No matter what laws we
pass, no matter what acronyms we adopt, FISMA, GISRA, until
there is a clear full-time responsible official in the White House
with a full-time responsible staff that is sufficiently large and suffi-
ciently qualified, we will not be able to implement these laws.
Third, the Congress passed last year the Cyber Security Re-
search Act. I think it is important that authorization be matched
with an appropriate appropriation this year.
Fourth, I think the committee ought to look at the mechanisms
of the Internet itself, the things which are owned in common, not
by the Government, not by a particular company, but the Internet
mechanisms for traffic flow, all of which are highly vulnerable as
was proved by the attack on the Domain Name System last year.
Fifth, I think rather than asking GAO to do periodic onsite in-
spections and come up with reports, GAO should be authorized by
this committee to buy the devices which are now available to allow
auditing and scanning of major enterprises for the 2,800 known
vulnerabilities on a daily basis. The technology is deployed in the
private sector. It allows companies' CEOs, COOs, on a daily or
weekly basis, to see every machine in their network and to see
whether or not it is fixed, whether or not it is vulnerable. GAO
should have that technology and it should have it deployed in all
of the major Government agencies, so you, Mr. Chairman, members
of this committee can get a weekly report, a monthly report, rather
than having these one-off GAO inspections every year, which are
costly and which do not give you the same results as this kind of
automated auditing against the 2,800 known vulnerabilities.
Sixth, the General Services Administration has put into place a
Patch Management System. And as Mr. Clay said, there is a real
problem in this Government with a lack of people fixing patches.
That Patch Management System is a great place to invest addi-
tional dollars, the best place where we can invest in order to im-
prove security.
Let me stop there, Mr. Chairman, as my time is up.
[The prepared statement of Mr. Clarke follows:]

Mr. PUTNAM. Thank you very much.
At this time we are pleased to welcome to the Subcommittee Mi-
chael Vatis. Mr. Vatis is Director of the Institute for Security Tech-
nology Studies at Dartmouth College and the Chairman of the In-
stitute for Information Infrastructure Protection, or I3P. ISTS is a
principal national center for research, development, and analysis of
counter-terrorism and cyber security technology. I3P is a consor-
tium of major research organizations, whose mission is to develop
a national R&D agenda for information infrastructure protection,
promote collaboration among researchers, and facilitate and fund
research in areas of national priority.
Between 1998 and 2001, Mr. Vatis founded and served as the
first director of the National Infrastructure Protection Center in
Washington, now part of the Department of Homeland Security.
NIPC was the lead Federal agency responsible for detecting, warn-
ing of, and responding to cyber attacks, including computer crime,
cyber-terrorism, and cyber-espionage.
Mr. Vatis has also served in the U.S. Departments of Justice and
Defense. As Associate Deputy Attorney General and Deputy Direc-
tor of the Executive Office of National Security, he coordinated the
Justice Departments national security activities and advised the
Attorney General and Deputy Attorney General on issues relating
to counter-terrorism, high-tech crime, counter-intelligence, and in-
frastructure protection. He is a graduate of Princeton and Harvard.
Welcome, Mr. Vatis.
Mr. VATIS. Thank you, Mr. Chairman. It is a pleasure to be here
this morning to testify before you and the subcommittee along with
my distinguished colleagues. I would like to wholeheartedly en-
dorse the substance of both your own statement and that of Mr.
Clay, as well as that of my colleague, Dick Clarke, because I think
all of those statements summarize very well the nature of the prob-
lem and where we are today in terms of our capability to deal with
an increasingly serious issue.
I would like to limit my oral remarks today to the part of my
written testimony that deals with where I think the principal
shortcomings are. I think it should be said that there are many
good initiatives going on right now in individual agencies. And
GISRA and FISMA were significant advances on Congress' part in
dealing with the problem. But I think we have in some respects ac-
tually regressed in recent months in our ability to deal with this
issue.
One of the areas has to do with the fact that with the disman-
tling of the President's Critical Infrastructure Protection Board and
the Office of Cyberspace Security in the White House (Mr. Clarke's
former office) there is at the moment a serious void in the execu-
tive branch's leadership. There is no central locus right now for pol-
icymaking and for coordination of efforts across all of the agencies
at the policy level. I think that will significantly impede the Gov-
ernment's ability to move forward on this issue.
Many of the responsibilities that had been carried out by the
Board and by Mr. Clarkes former office are supposed to be carried
out now by the new Department of Homeland Security. But most
of the officials who are supposed to take on those responsibilities
have, to my knowledge, not yet been formally nominated, let alone
confirmed. And so that void is likely to continue at the leadership
level for several months.
At the operational level, I think we see a similar void. Many dif-
ferent entities in the Government that had some responsibility for
cyber security, including parts of my former organization, the NIPC; the Critical Infrastructure Assurance Office; and FedCIRC,
all were moved into the Department of Homeland Security on the
theory that the efforts of these organizations should be consolidated
to achieve greater efficiency and effectiveness. The problem, how-
ever, is that for at least some of those entities, in fact, the consoli-
dation is less than meets the eye.
My former organization, the NIPC, was supposed to contribute
over 300 of the positions in the new department that would be fo-
cusing on intelligence analysis and infrastructure protection. In
fact, though, if you examine what actually occurred, it was a trans-
fer of vacant FTEs, not of actual people, because most of the people
stayed at the FBI or found other jobs elsewhere in the Federal Gov-
ernment. And so, in fact, now DHS has a tall order: filling hun-
dreds of job vacancies. And the capabilities that were built up at
the NIPC over the 5 years since its inception have essentially been
dismantled or ramped down considerably because of the lack of per-
sonnel. So, again, given the length of time that hiring of Federal
employees takes, particularly when you add in the need for back-
ground investigations, it is my view unfortunately, that it could
take over a year before we even get back to where we were in
terms of our capability to detect, warn of, and respond to major
cyber attacks.
The other issue I think that needs to be focused on is at the policy level: what is the Government's policy with regard to the privately owned critical infrastructures and how can it induce greater security of those critical infrastructures? Both the Clinton administration and the Bush administration, in my view, have primarily relied on what I call the soapbox strategy, having officials, like Mr. Clarke, like myself when I was in the Government, like Mr. Forman, get up on a proverbial soapbox and talk about the seriousness of this problem and urge the owners and operators of infrastructures to take the problem seriously and do something about it.
I think those efforts have been partially successful in raising
awareness, in getting more attention focused on the problem. But
I think at the end of the day those efforts clearly are not enough.
More needs to be done.
And so I would urge this subcommittee to consider some more
imaginative and more aggressive approaches; perhaps regulation
modelled after HIPAA for health care providers, or the Gramm-Leach-Bliley Act for financial service companies; and perhaps
other, what I would call, softer approaches to incent the market-
place, to create incentives for companies to make more secure prod-
ucts and for owners and operators of infrastructures to take secu-
rity more seriously. Rather than simply saying we do not want to
regulate in this high-tech area, we should at least give serious con-
sideration to measures that would move us beyond the soapbox
strategy. Thank you very much.
[The prepared statement of Mr. Vatis follows:]
Mr. PUTNAM. Thank you very much.
Our next witness is Mark Forman. Mr. Forman is the Chief In-
formation Officer for the Federal Government. Under his leader-
ship, the U.S. Federal Government has received broad recognition
for its successful use of technology and E-Government. He is
charged with managing over $58 billion in IT investments and
leading the President's E-Government initiative to create a more
productive, citizen-centric Government.
He is also the leader in the development and implementation of
the Federal information technology policy, and is responsible for a
variety of oversight functions statutorily assigned to the Office of
Management and Budget. He also oversees Executive branch CIOs
and directs the activities of the Federal CIO Council, as well as
chairing or being a member of several key IT-related boards including the President's Critical Infrastructure Board. To improve results from Federal IT spending, Mr. Forman created a framework
that couples cross-agency teamwork and leadership with a Govern-
ment-wide IT budget decision process built around a results-driven
modernization blueprint.
Mr. Forman is a frequent witness before this subcommittee and
his insight is always very helpful. We are delighted to have you
again with us this morning. Welcome.
Mr. FORMAN. Thank you, Mr. Chairman. Good morning. I want
to take a moment just to commend Mr. Clarke on what I think is
a truly outstanding career in public service that, as you know, he
has recently retired from. I think his career serves as really a
benchmark for those of us in public service. Clearly, his dedication
to the country, the security of Americans is remarkable and out-
standing, and as an American and personally, I just appreciate his
service so much.
I want to thank you for inviting me to discuss the status of the Federal Government's IT security. Cyber security is a top priority in the administration's IT and counter-terrorism efforts. The challenge, as you pointed out, is to provide the maximum protection while ensuring the free flow of information and commerce and protecting privacy. I am going to briefly summarize my statement.
First of all, I am pleased to report to you today that the Federal
Government has made substantial improvements in securing the
information and information systems that we protect. Let me do
this by explaining the difference between where we were on Sep-
tember 10, 2001, and where we were 1 year later in September
2002.
September 2001, only 40 percent of Federal systems had up to
date security plans; 1 year later, that was up to 61 percent. Simi-
larly, the number of Federal systems certified and accredited was
at 27 percent in 2001; 1 year later, that was up to 47 percent. The
number of systems with contingency plans, 30 percent in Septem-
ber 2001; September of last year, 53 percent.
There are other significant improvements, and I had a table with
that data in my written testimony, but items such as agencies
using plans of actions and milestones as the authoritative manage-
ment tool to ensure that program and system level IT security
weaknesses are prioritized, tracked, and corrected. These measures
reveal in some cases over 50 percent measured performance improvements since 2001. But they also identify an awful lot of work
to be done.
The administration plans to make significant progress again this
year. In our Clinger-Cohen report, which was Chapter 22 of the
Analytical Perspectives of the President's 2004 budget, we included
targets for improvement in critical IT security weaknesses by the
end of this calendar year. Some of the key targets: All agencies
shall have an adequate process in place for developing and imple-
menting the plans of actions and milestones to ensure that pro-
gram and system level IT security weaknesses are identified,
tracked, and corrected.
Eighty percent of Federal IT systems shall be certified and ac-
credited.
Eighty percent of the Federal Governments fiscal year 2004
major IT investments shall appropriately integrate security into
the lifecycle of their investments.
I would like to talk a little bit about funding. Our analysis for
the second year in a row shows that there is not a direct correla-
tion between how much agencies spend on IT security and the
quality of their results. That said, spending on IT security has in-
creased 70 percent since 2002. Federal agencies plan to spend
$4.25 billion this year on IT security, that is 7 percent of the Fed-
eral Governments overall IT budget and a 57 percent increase
from the $2.7 billion spent last fiscal year. In the next fiscal year,
agencies plan to spend $4.7 billion on IT security, and that will rise
to 8 percent of the overall Federal Government IT budget.
I would like to talk very briefly about some of the improvements
and changes in handling cyber security incidents. Last year when
I testified before the Government Reform Committee, I pointed out
that we need to move to respond to threats within 24 hours. And
so we have taken fairly aggressive action to do that.
OMB and the CIO Council have developed and deployed a proc-
ess to rapidly identify and respond to cyber threats and critical
vulnerabilities. CIOs are advised by a conference call as well as follow-up e-mail of specific actions needed to protect agency systems
when a threat has been identified. Agencies must then report to
OMB on the implementation of the required countermeasures. This
emergency notification and response process has been used three
times since the beginning of the year. We started out with the first
vulnerability with a 90 minute cycle time to get the message out
and get affirmative contact back that the process had begun: first
for the Slammer Worm and then for the Sendmail and the IIS
vulnerabilities. As a result of these early alerts, agencies have been
able to rapidly close vulnerabilities that otherwise might have been
exploited.
I would also like to talk a little bit about the integration of
FedCIRC, the National Infrastructure Protection Center and the
Critical Infrastructure Assurance Office [CIAO], under one depart-
ment. That represents an opportunity for the administration to
strengthen the Government-wide processes for intrusion detection
and response through maximizing and leveraging the important re-
sources of these previously separate offices. Now this has only been
in effect for a little over a month. So I think as they produce the results of their planning, you will see that there will be significant action.
Experts agree though, and I would just like to conclude with a
final thought, it is virtually impossible to ensure perfect security of
IT systems. Therefore, we must maintain constant vigilance while
also maintaining the focus, as my colleagues have said, on business
continuity plans. Thank you.
[The prepared statement of Mr. Forman follows:]
Mr. PUTNAM. Thank you very much, Mr. Forman. I thank all of
our panelists. We will get right to the questions.
All of you have touched on the simple fact that most of the criti-
cal infrastructure is controlled by the private sector. Mr. Vatis, in
particular, singled out the need for an aggressive innovative ap-
proach that goes beyond merely the soapbox to incent or coerce
greater accountability and compliance, greater focus on cyber secu-
rity in the private sector. Could you elaborate a little bit more, be-
ginning with Mr. Vatis, and then the other two as well, on the best
way for the Federal Government to approach the regulation of and
the incentivizing of better cyber security in the private sector.
Mr. VATIS. Mr. Chairman, thank you. I do not have any particu-
lar silver bullet that I think is the answer to the problem. But I
think there are a number of ideas that have been discussed but
over the past few years have basically been dismissed out of hand
because of the fear of even getting into anything that might smack
of regulation. So what I am really urging is a considered study of
several different options. The fact of the matter is we do have some
instances of direct regulation, of coercion, if you will, that are al-
ready in place but which were not instituted for security's sake, per se, but more out of a concern for privacy: HIPAA and Gramm-Leach-Bliley, for example.
So I think one thing that should be done is to study those acts
as they are implemented to see if they actually result in a net in-
crease of security, and if so, at what cost, in terms of efficiency or
other things. I think there are other ideas that have been talked
about, such as requiring disclosure of security plans for security
breaches by companies that suffer breaches so that there is a fur-
ther incentive to take security seriously. Because what we have
seen over the years again and again and again is that many com-
panies are simply sweeping the problem under the rug so that it does
not become public. I think if there were some sort of disclosure re-
quirement, as the State of California, for example, is now institut-
ing for companies that do business in that State, as of this sum-
mer, that could create an additional incentive. Requiring disclosure
of plans in a 10-K form for publicly traded companies is another
idea that has been talked about. Tax incentives for upgrading of
technology to address security is another idea. Best practices for
hardware and software manufacturers.
So there are many ideas. I think the wonderful congressional
staff that are out there are a good resource to look into these ideas.
And some of the Federal R&D moneys should be devoted not just
to technical R&D, but to research into the legal, policy, and eco-
nomic factors that affect the implementation of technical security
requirements.
Those are some of the things that I would urge.
Mr. PUTNAM. Mr. Clarke.
Mr. CLARKE. Mr. Chairman, I think we want to avoid regulation
here. The thought of having a Federal cyber security regulation
agency and a Federal cyber security police scares me to death. But
I think there are some things we can do to stimulate the private
sector without regulation. One, Michael just mentioned, is we can
have the SEC do what it did for Y2K, which is to require that pub-
licly traded companies have in their reports a report against some set of auditing standards that the auditing industry could come up with, a report on their performance. Now we do not want their security plans revealed publicly and we do not want them to have to
report individual incidents. But they ought to get a grade from an
outside auditing firm, IT security auditing firm, and that ought to
be reported as part of their public annual disclosure. That had a
great effect during Y2K and we ought to think seriously about ask-
ing the SEC to look into that.
Similarly, cyber insurance could have a big effect. The insurance
industry could set standards for cyber security insurance and the
rates that they charge could reflect how good a company is doing.
Requiring certain kinds of companies that are doing business with
the Federal Government, not small businesses, but larger busi-
nesses to have cyber security insurance would have an enormous
effect on the market.
Mr. PUTNAM. Before we go to Mr. Forman, let me follow up on
that. You mentioned as part of your 10 point plan in your testi-
mony the need for any congressional action on terrorism risk insur-
ance to include a cyber insurance provision. Presumably, that
would have some type of Federal backstop or subsidy in that risk
insurance, and you mentioned that alone would raise the bar of se-
curity on the cyber side. But you differ from Mr. Vatis in saying
that companies should not have to report breaches of security. Why
is that?
Mr. CLARKE. I do not think you want to have specific breaches
of security reported because I think it gives too much information
to the people who want to do the breaches. I think what you want
is an overall grade. All too often when there is one minor security
violation that gets into the press because it has been reported, a
company suffers disproportionately from what its real security
problem is. So I do not think you want to force companies to report
individual security violations, but to report an overall grade on per-
formance.
The Cyber Risk Insurance Act, of course, has passed. The com-
mittee language suggests it covers cyber security. That is not clear
in the language of the bill. But the real problem with cyber insur-
ance right now is it is not clear that there is a Federal backstop
against catastrophic terrorism as there is for other forms of terror-
ism, and there really is not a decent actuarial data base yet that
allows underwriters to decide on what policy should be. So if the
Government could collect information, statistics, or, better yet, get
someone like Mike to do it, not have a Government agency do it,
but somebody, Carnegie Mellon, Dartmouth, someone to collect
enough information so that the underwriters in the insurance in-
dustry would feel better writing more policy, and requiring when
they do write policy that companies live up to certain standards
and best practices, that would go a long way.
Mr. PUTNAM. How would you have an actuarially sound policy if
breaches are not required to be reported?
Mr. CLARKE. Not reported publicly. I think they should be re-
ported perhaps in an anonymized way to a third party.
Mr. PUTNAM. Mr. Forman.
Mr. FORMAN. I think you have to look at a couple of factors. First
of all, you have got to ask what is the market failure here. We believe that normal market approaches would not suggest regulation if there is something holding the companies accountable in the
marketplace. In other words, if a company loses customers because
they are not protecting their security well, then we expect normal
marketplace forces to work. And I think there is pretty strong evi-
dence of that. If you look at a couple years ago, we had firewalls,
we had antivirus technology. By looking at the growth over the last
year and the trends in the marketplace on how to protect against
cyber threats, well, threat management systems and software, and
then highly reliable redundant systems that leverage the architec-
ture of the internet so it is moved out of the security technology
realm into hosting and other architecture tools; companies such as
Akamai growing terrifically fast. So it is clear the marketplace will
respond.
I would give you a couple of thoughts on the issue. First of all,
are the issues essentially related to criminal type threats. Those
may not be made public for a number of reasons. But that may be
something to deal with and look at as a tradeoff between how do
we associate law enforcement structures, is that right for the inter-
net age. And the other is what do you do about organized cyber ter-
rorism. You have different Government roles and responsibilities
issues there. That should basically guide, we believe, the regulatory
answer to the question of whether regulation is even needed in the
first place.
Mr. PUTNAM. Mr. Clarke and Mr. Vatis both alluded to or specifi-
cally said that we do not have a centralized mechanism in the Fed-
eral Government for overseeing cyber security compliance, cyber se-
curity coordination and collaboration. So are you satisfied with the
current framework that calls for its placement in Homeland Secu-
rity, or is it still too diffused between FBI and Homeland Security
and OMB and other agencies?
Mr. FORMAN. There are two parts of the picture I think that you
have to look at. First of all, we do spend an awful lot of money.
We are the world's largest buyer of information technology. So have
we got enough central focus and the right structures in place, I am
very confident now, and I think the data show, we are able to track
and measure the gaps in cyber security, we are able to hit the cycle
time that we are looking for.
I do not know that private sector industries have anything like
that. We can focus because we do have an organizational structure.
So the question is when you get into the other industries, should
it be dealt with on an industry by industry approach, should it be
dealt with on a company by company approach. And there is a real
question on what that structure should be. I think that was thor-
oughly vetted in creation of the Information Integration and Infra-
structure Assurance under secretariat, it was vetted within the ad-
ministration, it was vetted within the House and the Senate.
Now one thing that I should correct for the record. The under
secretary is a confirmed position. But the assistant secretary that
has key responsibilities here is an appointed position. And that
person is in his job now, Bob Wiskowski, and he has been there a
couple of weeks. He comes from Coca-Cola and, of course, people would say the formula for Coke is one of the most protected secrets in the world today. So there is an interesting background that he brings. But, again, the department has only been up for several
weeks now. I think when you see their go forward plan, you will
see how they have integrated things, building on the successes and
giving some innovation to that as well.
Mr. PUTNAM. Mr. Vatis, do you want to comment on that?
Mr. VATIS. I am hopeful, Mr. Chairman, that Mr. Forman will
prove to be right and that once the key personnel are in place in
the new department we will see things start to roll. But I think,
to be realistic, it will take some time, because the operational per-
sonnel are not likely to be in place for over a year, and there are
so many vacant positions now that are responsible for infrastruc-
ture protection and intelligence analysis.
I would make one other point about something that worries me.
And that is what appears to be the administration's policy that cyber security is a subset of critical infrastructure protection as a whole, including physical vulnerabilities of our critical infrastructures. I think there is definitely a logic to that view in that we do need to look at the infrastructures as a whole and consider all the different vulnerabilities. But the worry I have is that if an official or a subset of DHS is looking at both physical and cyber vulnerabilities and threats, cyber will always get short shrift, especially in these years so soon after September 11th when so much
focus is on the vulnerability to physical terrorist attack. I think we
have seen that happen in prior years. When we tried to do both
things through the same offices, through the same people, cyber al-
ways got less attention than it was due. So that is another thing
I think we need to keep an eye on, to make sure that does not hap-
pen.
Mr. PUTNAM. Mr. Clarke, when you analyze the threat environ-
ment out there, what particular nations or particular non-state ac-
tors are out there that have made cyber security a priority as their
way of getting at capitalism or the United States or western civili-
zation or whatever?
Mr. CLARKE. Mr. Chairman, there is a classified answer to that
in terms of what we know about other nations that have created
offensive cyber security organizations. Suffice it to say in an open
hearing there are nations, including our own, that have created
cyber security offensive organizations. And there are terrorist
groups, organized criminal groups that are interested in this. I am
not very good at predicting the who here. And I think we make a
mistake by focusing on who is going to do it to us.
I think rather than focus on the who, we should focus on the
what, what are they going to do. And it is real simple. As long as
we have major cyber security vulnerabilities that would allow
someone who does not like us to screw up our economy, then some-
one will. It may not happen this year. We may not be able to guess
who it is in advance. But it is a very high probability that as long
as we have very well known major vulnerabilities that are cheaply
exploited, somebody will do it. And I do not think the emphasis
ought to be on trying to figure out who that is in advance and get-
ting them before they do it, because someone else will do it. What
we should try to do is raise the barrier.
And in answer to your last question about DHS and OMB, I
think the question answers itself when you ask who is the highest level official in the Department of Homeland Security whose full-time job is cyber security. What office in the Department of Homeland Security does nothing but cyber security? Who is the highest
ranking person in OMB who does nothing but cyber security? How
many people in OMB, the organization to which the Congress has
given the full responsibility for cyber security in the Federal Gov-
ernment, how many people in OMB have that as their full-time re-
sponsibility? The answers to those questions are pretty frightening
I think.
Mr. PUTNAM. Mr. Forman, do you want to answer those ques-
tions?
Mr. FORMAN. We have an interesting change going on in our soci-
ety. I think from a policy perspective as it relates to Federal IT,
we cannot differentiate the work that we need to do in our archi-
tectures from cyber security. I certainly have spent a lot of time,
but I think we as an administration have spent an awful lot of time
making sure that we get the communications between the CIOs
and the cyber security community. These are two separated com-
munities that have to talk to each other. So, for example, when we
have denial-of-service attacks, we find increasingly over the last few
months people organize over the Web and they will target the
White House Web site because in areas outside of America people
feel that is similar to attacking the administration.
Mr. PUTNAM. That is the whitehouse.gov Web site?
Mr. FORMAN. That is correct. As opposed to others that may be
out there that I have never known about. So these people will orga-
nize and they are known. They will run advertisements in the
newspaper, they will run advertisements on the Internet. Essen-
tially, the characterization will be come to our Web site if you want
to attack President Bush for some action. The cyber security com-
munity will be aware of that and never communicate that to the
CIO of the White House, the CIO of the Energy Department, and
others. We have worked pretty hard over the last 2 months to cor-
rect that problem. And the integration of these two communities is
absolutely critical; we cannot separate them.
Mr. PUTNAM. And you are satisfied that integration will occur
under the new structure of Homeland Security once they are up
and running?
Mr. FORMAN. Absolutely. In fact, as I pointed out in my oral and
put in more detail in the written testimony, as it relates to Federal
cyber security, we have had to make that happen. As I pointed out,
we have had three major events this year. We started out with a
90 minute cycle time and we have been able to shrink that down
even more so.
But there is the longer term issue of how we secure the infra-
structure. There is the fast response issue of what do we do. And
to give you a feel, I tend to think of this as three dimensions. We
have literally thousands of vulnerabilities. Anybody who could
know all the vulnerabilities and make sure the patches are de-
ployed is truly detail oriented, and, as Dick said, there is software
that does that for you. You have to rely on the technology to man-
age the technology. The second dimension are the threats. There
are people out there, some of whom are organized, some of whom
will leverage the Internet to organize very rapidly. And the third thing is what will it mean for the actual technology, your architecture that you have deployed as a department.
So, as an example, we worried and fast responded to the Slammer
threat. But as you recall, the Congress was affected by this. There
was a cyber sit-in where people called and used the Internet as a
way to show their response to the administration's policy in the
war in Iraq. Our policy decision on that was that was not a cyber
security threat; that was e-democracy moving into the Internet age.
The cyber security community view on that was that was a cyber
threat. So if we do not meld these two groups together and look at
this from the standpoint of the CIO overall, as was laid out going
back to the Clinger-Cohen Act, we will not be able to get that deci-
sion properly placed as a policy decision.
Mr. PUTNAM. Correct me if I am wrong or if I am heading in the
wrong direction on this. But from my perspective, the OMB role
would be an internal Federal IT management role, protecting and
preserving the sanctity of Federal systems, of the Federal net-
works, of containing the costs of a breach that would spread agen-
cy-wide or department-wide or Government-wide. The role of
Homeland Security would be analyzing the threats, detecting as
quickly as possible when a virus or some other cyber attack has oc-
curred, and then distributing that word as quickly as possible to
the public and private sector: State, local governments, the re-
mainder of the Federal Government, and critical infrastructure. So
how well is Homeland Security equipped to handle that, not from
an internal Federal IT perspective, but from the external perspec-
tive?
Mr. FORMAN. Again, a lot of this may change, but let me tell you
because there is an area of overlap between the Federal and the
external. FedCIRC maintains the catalogue, if you will, of the
vulnerabilities and the patches that are associated with fixing that
vulnerability. Generally, when we see a threat materialize that we
have to respond quickly to, the threat targets a certain vulner-
ability. And if the patch gets rapidly deployed or if it had already
been deployed, there is no impact. And so we have been fairly effec-
tive, certainly this year we have been 100 percent effective, in mak-
ing sure that when the threat is identified FedCIRC puts out, in
coordination with the CIO Council, the link to the patch and the
characterization of that vulnerability, the threat, etc.
There is a partner organization, the National Infrastructure Pro-
tection Center, that was not totally but the key elements moved
from the FBI to that same office to integrate this together better.
They produce a daily report. I expect that will continue. I do not
know that for a fact. We will see I think some innovation there.
But that tells you the threats that are current, the patches that are
current, hot links, and so forth. So I think that part is focusing
fairly well on the topical threats.
In the area outside of Government, the longer term remediation
and maintenance of the architectures is an area where I think
there is a big question as to how to proceed. There is a multifaceted
approach laid out in the President's National Cyberspace Strategy.
And that was thoroughly vetted, as in Dick Clarke's testimony. So
I am fairly comfortable we are going to see a good implementation
plan for that as Bob has the time to make that work at Department
of Homeland Security and they are ready to release their
implementation plan for that strategy.
Mr. PUTNAM. I know that there has been a great deal of focus
on this and I know that it is a daunting task. But in the latest re-
port in 2002, after 4 solid years of focused, specific attention to this
issue of cyber security, we only had 3 out of 24 agencies that re-
ceived a report card grade that was better than a D, and 14 of the
24 got an F. What are we doing wrong? What is Congress' role?
That is just unacceptable, obviously. And while it does not reflect
a lack of effort on the part of OMB perhaps to manage this, it cer-
tainly reflects a lack of success on the part of agencies to improve
outcomes. So I will let you get situated and then answer that.
Mr. FORMAN. I share 100 percent this focus. First of all, we did
have differences in scores and ratings between what Mr. Horn
scored the agencies on and how we scored them in 2001. I will say
2001 was the first year that we actually measured progress and
that set the benchmark. So it was not until the end of 2001 that
we even knew quantitatively how bad it was and subsequent to
that put in place a process, these plans of actions and milestones,
that laid out the workload to fix that.
Last year, we had pretty much quarterly oversight for both OMB
as well as Congress. I would ask that we maintain that because I
think we made a lot of progress. It is documented in the data that
we shared in the testimony, in some more detailed data we shared
with the staff and GAO in the 2002 GISRA report, and we will be
able to see to the agency. But the progress of going from 27 percent
to 53 percent, is 53 percent acceptable? Absolutely not. By the end
of this year, we believe, it is a slight stretch goal, but with the con-
stant vigilance, we believe we get up to 80 percent on a couple of
these security measures and 100 percent on putting in place a proc-
ess. That is going to take a lot of continued oversight throughout
this year to get there. But at that point we are talking about sig-
nificantly improved security. And I would put that up against any
company and you will find very few that hit those benchmarks.
Mr. PUTNAM. Just very briefly, would you put that up against
any other country?
Mr. FORMAN. I think that there are a couple, I have not really
thought about that. But certainly our view is that the United
States spends the most, we have to protect our citizens and the in-
formation, and so we are going to be the best not because we are
competing with other countries, but because it is the right thing to
do for Americans.
Mr. PUTNAM. Mr. Clarke, Mr. Vatis, what other countries out
there are ahead of us on protecting critical infrastructure from
cyber attack?
Mr. CLARKE. The good news, Mr. Chairman, is that nobody is
ahead of us. The bad news is that we are pretty bad. I disagree
with Mark in saying that the Federal Government is as good as
any company. That just is not true. The private sector is way
ahead of the Federal Government.
Mr. PUTNAM. So who do I need? I do not mean to interrupt, I am
going to let you finish. What company's CIO do I need to bring in
to our next hearing?
Mr. CLARKE. Rhonda MacLean, from Bank of America, will tell
you, if you ask her the right questions, how she is doing it. She is
doing a great job. Bank of America is better than any Federal Gov-
ernment agency in terms of its IT security. That is true of most
major banks in the United States. They are doing a much better
job. Why? Because they have got someone who is a senior person
who is full-time in charge of IT security. I did not hear in Mark's
answer who is the senior OMB official who is full-time in charge
of IT security and nothing else. I did not hear who in the Depart-
ment of Homeland Security is in charge of cyber security and noth-
ing else full-time. I did not hear how many people we have in OMB
full-time working on cyber security.
I think there is another big mistake we are making, and that is
we are trying to get the departments to do this themselves essen-
tially. And with all due respect to civil servants, I was one for 30
years, you are not going to get this done without outsourcing it.
There is a real reluctance in Federal departments to outsource IT
security. But there is a solution. Take the Department of Labor,
take the Department of Agriculture and have it contract to any of
the big integrators or any of the IT security firms and then hold
them responsible and fine them in terms of their contract if there
is not performance. Instead of just bringing the CIO of Labor or
Agriculture up here and berating them that they got an F again,
have them outsource it to a company that has penalties in its con-
tract if that grade is an F again.
Mr. PUTNAM. Does the law currently preclude them from doing
that?
Mr. CLARKE. No, it does not.
Mr. PUTNAM. Mr. Vatis.
Mr. VATIS. I agree 100 percent with what
Mr. PUTNAM. With which one, Mr. Clarke or Mr. Forman?
Mr. VATIS. With Mr. Clarke. I think he is exactly right on the
lack of sufficient high level personnel devoted to this issue. I think
the cyber issue will always get short shrift. I think the idea that
we need a hammer to truly make progress happen within the agen-
cies is also exactly right. I served in the FBI for a few years and
lived within an infrastructure that, despite some efforts over those
years to improve it, never really got anywhere. And I think that
is a case study of how not to manage information systems in a cru-
cial Federal agency.
Mr. PUTNAM. Sort of a recurring theme in these E-Government
issues in our subcommittee hearings is that we have a cultural
challenge, a human capital challenge throughout the Federal Gov-
ernment in dealing with this issue.
We could go on, but I have a second panel. I want to thank all
of you for your very insightful and thoughtful testimony. I will give
each of you 1 minute to say whatever is on your heart that I did
not ask you about or to rebut or give a counterpoint to something
that somebody else has said. We want to be as thorough and as fair
as possible.
We will begin with Mr. Forman. You have 1 minute to say what-
ever you would like to say to conclude.
Mr. FORMAN. Thank you, Mr. Chairman. I just want to congratu-
late you again for this hearing. Oversight of progress has been and
will continue to be incredibly important to our success. I will pledge
to you that the administration is focused on this all the way to the
highest levels, that we are holding deputy secretaries and secretar-
ies accountable. And I would ask for your cooperation and support
in doing the same.
Mr. PUTNAM. You have it. Mr. Vatis.
Mr. VATIS. I think from our testimony you can gather that how
the DHS evolves is going to be critical, especially at the operational
level. So I think one thing that this committee could fruitfully do
is keep the heat on to make sure that DHS devotes the requisite
attention to cyber security and that they do not let it get lost in
the shuffle of dealing with physical terrorism and reducing our vul-
nerability to physical terrorist attacks. Make sure that they hire
people as quickly as possible, and that the consolidation actually
achieves the promises that have been made about new efficiencies
among all these entities that were formerly separate. Without some
heat from Congress, it will not be done nearly quickly enough or
well enough.
Mr. PUTNAM. Mr. Clarke.
Mr. CLARKE. Mr. Chairman, just again to thank you for your rec-
ognition of this issue. And to echo Mike Vatis, you personally have
a great opportunity here to be a pain in the rear end to the admin-
istration, and I encourage you to do that.
Mr. PUTNAM. That is very kind of you, Mr. Clarke. [Laughter.]
The first panel is dismissed.
The subcommittee will stand in recess for about 2 minutes while
we set up the second panel.
[Recess.]
Mr. PUTNAM. I will reconvene the subcommittee hearing.
We would like to welcome our second panel of witnesses. As is
the custom with the committee, we swear in our witnesses. So
please rise and raise your right hands and repeat after me.
[Witnesses sworn.]
Mr. PUTNAM. Note for the record that all of the witnesses have
responded in the affirmative.
We welcome you to the subcommittee. You have had an oppor-
tunity to hear the testimony of the first panel and some of the
interchange. Following the ladies first rule, we will begin with Ms.
MacLean, who has received a warm introduction and very high
praise in the first panel.
Rhonda MacLean is senior vice president and director of cor-
porate information security for Bank of America. Ms. MacLean
joined Bank of America in 1996 as the director of corporate infor-
mation security and is responsible for providing global leadership
for information security policy, procedures, risk management, secu-
rity technology implementation, cyber investigations/forensics, and
general information security awareness. In addition, she is responsible
for enterprise business continuity planning and the company's
regional recovery centers.
In May 2002, the Department of the Treasury appointed Ms.
MacLean as the private sector coordinator for the financial services
industry public/private partnership on critical infrastructure
protection and homeland security. She will act in concert with
Treasury's private sector liaison to draw together industry initiatives
related to critical infrastructure protection and homeland security. In
addition, she was elected to the Board of Directors for the Partnership
for Critical Infrastructure Security, which brings together
leaders from across multiple critical sectors such as energy, tele-
communications, finance, etc.
We welcome you to the panel, and recognize you for 5 minutes
for your opening statement.
STATEMENTS OF RHONDA MACLEAN, SENIOR VICE PRESI-
DENT AND DIRECTOR OF CORPORATE INFORMATION SECU-
RITY FOR BANK OF AMERICA, SECTOR COORDINATOR FOR
THE FINANCIAL SERVICES INDUSTRY PUBLIC/PRIVATE
PARTNERSHIP ON CRITICAL INFRASTRUCTURE PROTEC-
TION AND HOMELAND SECURITY; ROBERT F. DACEY, DIREC-
TOR, INFORMATION SECURITY ISSUES, U.S. GENERAL AC-
COUNTING OFFICE; AND THOMAS PYKE, CHIEF INFORMA-
TION OFFICER, DEPARTMENT OF COMMERCE
Ms. MACLEAN. Thank you, Chairman Putnam, and thank you for
inviting me here today to testify at the hearing. I am very honored
to speak on behalf of the financial services sector in my role as the
Department of Treasury-appointed private sector coordinator for
critical infrastructure protection.
In listening to the testimony this morning, something struck me
that I wanted to add to this statement. This challenge that we
have before us takes vision, leadership, execution, and accountabil-
ity. I want to touch on those things today with the information that
I provide you about the financial services industry's involvement in
critical infrastructure protection, the current work of our financial
services sector coordinating council, and discuss some of the oppor-
tunities where I think Government and industry really can partner
to address some of the challenges we have in securing our cyber
space.
The administration's National Strategy to Secure Cyber Space
identified the critical infrastructures as consisting of physical and
cyber assets of the public and private sector and institutions.
Though the basic approach of security must fundamentally address
people, process, and technology aspects of the infrastructure, I do
want to iterate that there is no single solution to this challenge.
Creating the appropriate balance of these elements is based on an
operational risk management consideration that addresses the crit-
ical nature of the systems as well as the exposures to which they
can be subjected.
I would like to talk about the sector's critical infrastructure
protection efforts, and specifically about our Council. At the time of my
appointment, there was no integrated entity that could represent
the entire financial services sector. Individual associations were
actively and effectively working on their Members' behalf and
provided much leadership for our critical infrastructure protection
efforts. To ensure coordination across the sector, with the public
sector's support and encouragement, and with the leadership of the
Department of Treasury, we formed the Financial Services Sector
Coordinating Council. Today, we have 24 organizations consisting
of key national exchanges, clearing organizations, trade associa-
tions in banking, securities, bond and insurance segments of our
industry, and we are working together to improve the critical
infrastructure protection for our sector as well as others on which we
depend.
Through our Council members, we engage nearly all financial
service sector entities. Let me highlight three of the five strategic
areas on which we have focused.
The first area is in information dissemination and information
sharing. Our goal is to ensure that a universal service to dissemi-
nate trusted and timely information will be made available to all
sector participants.
Second, crisis and response management needs to be imple-
mented. When events occur with broad sector or national impact,
a planned and adopted approach for communicating and respond-
ing as a sector, including coordination with Government entities, is
the focus of this particular effort.
Third, we are leading the sector's efforts to revise our, the financial
services sector's, national strategy component in response to
the two national strategies released in February by the President.
We believe this is our opportunity to define strategic as well as tac-
tical, actionable, and measurable actions as part of our sector-wide
critical infrastructure and homeland security efforts.
In my chairperson role for the Financial Services Sector Coordi-
nating Council, I work closely with the lead agency, the Depart-
ment of Treasury, and specifically the Office of Critical Infrastruc-
ture Protection and Compliance which was created by the Treasury
Assistant Secretary Wayne Abernathy and led by Deputy Assistant
Secretary Michael Dawson. Together, they lead the Financial and
Banking Information Infrastructure Committee. That council is
really the public side of what I would call the public-private
partnership. It is through council members and our Government
partners' cooperative efforts that we are able to maximize our resources
and achieve our objectives to ensure protection of our critical infra-
structures to the benefit of the economy and to the financial serv-
ices customers.
Let me transition the discussion to some opportunities for con-
tinuing the progress that has been made both by the government
and the private sector.
First, let us talk a little bit more about information analysis and
information infrastructure protection. The need for synergy be-
tween information analysis and infrastructure protection has clear-
ly been recognized in the assignment of those responsible to the un-
dersecretary within the Department of Homeland Security. We ex-
pect this to provide a much more robust alerting, threat warning,
and information flow from the public sector based on the vast re-
sources that they have made available through their integration.
Second is understanding the threat. Based on the Government's
visibility of threats to the private sector, a clear understanding of
the protection needs must exist between the public and the private
sector. Gaps between the private sector's protection efforts and the
Government's view of the necessary protections must be defined
and clearly understood. There may be situations where, unknown
to the private sector, normal business practices will not adequately
address the level of threat understood by the Government. Where
market focus does not provide the appropriate incentives to provide
these protections, augmentation of market mechanisms, such as
incentives, may be appropriate.
Third, product security. Because the private sector mainly em-
ploys commercial products, services, and software to implement
cyber security protection and monitoring, those efforts that improve
the security of such products have broad benefit. As a sector, we
work closely with our vendors to achieve higher levels of security.
BITS, or the Bankers Information Technology Secretariat, the
technology group for the Financial Services Round Table, and a
member of our Coordinating Council, has implemented a product
certification program as a prime example of our industrys efforts
in this area.
And finally, the voluntary sharing of threat and incident
information. We must continue to encourage processes that
accommodate companies' voluntary sharing of sensitive information, such as
the provisions outlined in the Homeland Security Act of 2002.
In closing, Mr. Chairman, and members of the committee, we be-
lieve the strong public-private sector partnership that is emerging
is the right approach. And it is finally with that vision, leadership,
and execution, we believe that we can continue to make progress
in this important area.
[The prepared statement of Ms. MacLean follows:]
Mr. PUTNAM. Thank you very much.
I now recognize Tom Pyke. As Chief Information Officer of the
U.S. Department of Commerce, Mr. Pyke is responsible for guiding
the Department's effective use of information technology and
managing the Department's IT resources, with an annual budget of
over $1.5 billion. His responsibilities include IT policy, planning,
and capital investment review, IT security and critical infrastruc-
ture protection, IT architecture, information quality, E-Govern-
ment, information dissemination through the Internet and the Next
Generation Internet, and the oversight of IT operations.
He has been a senior manager of information technology in the
Commerce Department for over 30 years, most recently serving as
CIO and Director for Higher Performance Computing and Commu-
nications of the National Oceanic and Atmospheric Administration
and Director of the GLOBE program.
Welcome. You are recognized.
Mr. PYKE. Thank you, Mr. Chairman. I am pleased to be here
this morning to share with the subcommittee a summary of the ac-
tions that the Commerce Department has taken over the last 2
years to strengthen our information security posture.
The Departments actions to improve its management of informa-
tion security started at the top. Secretary Don Evans, in June
2001, directed all Commerce agency heads to focus their personal
attention on establishing information technology or IT security as
a priority. He directed them to allocate the necessary resources to
ensure that the Department's data and information systems are
adequately protected against risks resulting from misuse or unau-
thorized access. This important action ensures accountability for IT
security by all of the Department's senior managers, and both the
Secretary as well as Deputy Secretary Sam Bodman have empha-
sized this personal responsibility of Commerce agency heads as
they have communicated with these senior managers in the De-
partment about the importance of IT security over the past 2 years.
The Secretary also instituted a Department-wide IT management
restructuring plan that empowered the Department's CIOs by
providing them with the necessary authority to manage IT security as
well as other aspects of information technology planning and oper-
ations and IT capital investment review. As the Department CIO,
I issue security policy and provide IT security guidance to the Com-
merce agency heads and to the Commerce agency CIOs. I partici-
pate in the annual review of the performance of each of the Com-
merce agency CIOs, which bolsters the authority that my staff and
I have at the Department level as we oversee the management of
the expenditure of $1.5 billion in information technology each year
on a Department-wide basis. This $1.5 billion, by the way, includes
the resources that we devote to protecting our systems and infor-
mation assets through our Department-wide IT security program.
We have issued this January a comprehensive Department-wide
IT security policy, as well as minimum standards for management,
operational, and technical controls, and other key aspects of imple-
menting this policy. We also issued a Password Management Policy
and a Remote Access Security Policy. Policy implementation guides
have been issued that address critical corrective action plans to
identify and correct security weaknesses, to document security and
privacy in the IT capital asset planning process, and to maintain
complete inventories of all of our systems relative to their security
status.
The Department instituted a compliance monitoring process in
2002, through which we determine Commerce agency compliance
with Department IT security policies, standards, and guidance.
This process includes tests of all management, operational, and
technical controls, including tests of systems and networks to en-
sure that they are adequately protected against unauthorized ac-
cess. We also established an IT security training program, through
which every Commerce employee and every contractor employee
has received IT security awareness training, and is receiving up-
dated training every year. Specialized training for IT security per-
sonnel, managers, and system administrators is also being pro-
vided.
The Department has established a computer incident response
capability that supports actions to protect systems and data when
incidents do occur, and facilitates proper reporting of incidents. A
Department-wide IT security alert capability has also been
established that ensures 24 x 7 transmittal of IT security alerts
throughout the Department and activation of Commerce agency IT security
emergency mobilization plans, as appropriate.
Especially since the Commerce Department has been coming
from behind as it has implemented this comprehensive IT security
program, numerous corrective actions have been identified that
need special attention to correct IT security weaknesses. A
Department-wide database of needed corrective actions has been created
and is being maintained. It includes every IT security action that
has resulted from GAO and Commerce Office of Inspector General
audits, as well as actions that have resulted from Department IT
security compliance reviews and from self-assessments by the Com-
merce agencies themselves. We expect to complete by this Septem-
ber all of the corrective actions that were open at the beginning of
fiscal year 2003. Over 74 percent of these actions are already
completed. We expect to have completed by the end of this fiscal year all
but 2 of the over 200 corrective actions that have been identified
during this fiscal year.
The top level measure we use to manage IT security across the
Department is what we call IT security program maturity. By the
end of fiscal year 2003, we expect that every Commerce agency will
be operating at least at a level 3 maturity, which requires that all
IT systems have implemented policies and procedures. We have
identified our national critical and mission critical IT assets and
the IT system components of those assets, and we expect to have
certification and accreditation for full operation of these systems
completed by the end of this fiscal year.
I would like to tell you very briefly how we are doing against
some of the performance measures that Mark Forman introduced
in his testimony this morning, in which he provided Government-
wide data. At Commerce, we have assessed 96 percent of our sys-
tems for risk, 90 percent of our systems have contingency plans, 92
percent are certified and accredited, and 98 percent of our systems
have up to date IT security plans.
Thank you for this opportunity to tell you about what we have
done in the Commerce Department to improve our information se-
curity posture. We have come a long way in these last 2 years, and
we are working hard to complete the next steps that are essential
to provide adequate protection of our data and systems. We under-
stand, however, that IT security is a never-ending process, and we
are committed to maintaining a high level of vigilance to ensure
that the Department is able to carry out its mission without dis-
ruption caused by cyber threats.
[The prepared statement of Mr. Pyke follows:]
Mr. PUTNAM. Thank you, Mr. Pyke.
At this time, the subcommittee recognizes Robert Dacey. Mr.
Dacey is currently Director of Information Security Issues at the
U.S. General Accounting Office. His responsibilities include
evaluating information systems security in Federal agencies and
corporations, including the development of related methodologies;
assessing the Federal infrastructure for managing information
security; evaluating the Federal Government's efforts to protect our
Nation's private and public critical infrastructure from cyber threats;
and identifying the best security practices at leading organizations
and promoting their adoption by Federal agencies.
Previously, Mr. Dacey led GAO's annual audits of the consolidated
financial statements of the U.S. Government, audits I think
which revealed about the same grades as they have been getting
on their IT scorecards; GAO's financial audit quality assurance
efforts, including methodology and training; and other GAO financial
statement audit efforts, including HHS and the IRS.
Welcome to the subcommittee. You are recognized for 5 minutes.
Mr. DACEY. Thank you, Mr. Chairman, Mr. Clay. I am pleased
to be here today to discuss the challenges our Nation faces
concerning Federal information security and critical infrastructure
protection. CIP involves activities that enhance the security of our
Nation's cyber and physical public and private infrastructures that
are essential to national security, economic security, and/or public
health and safety. As you requested, I will briefly summarize my
written statement which provides details on the status and
progress of efforts to address these challenges.
We have identified and made numerous recommendations over the last several years concerning Federal information security and CIP challenges that need to be addressed. For each of these challenges, improvements have been made and continuing efforts are in progress. However, much more is needed to fully address them. These challenges include: One, addressing pervasive weaknesses in Federal information security. Our analysis of audit and evaluation reports in November of last year continued to show significant pervasive weaknesses in Federal unclassified computer systems for all 24 major agencies reviewed that put critical operations and assets at risk. The implementation of GISRA continues to play a significant role in the improvement of Federal information security. Second-year agency GISRA reports indicate agency progress, provide comparative performance information and an improved performance baseline, and highlight areas where additional efforts are necessary. The administration has taken important actions to address information security, such as integrating it into the President's Management Agenda Scorecard.
The successful implementation of FISMA, which permanently authorizes and strengthens GISRA requirements, is essential to sustaining these agency efforts to identify and correct significant weaknesses. As FISMA is implemented, it will be important to continue efforts to certify, accredit, and regularly test systems to identify and correct vulnerabilities in all agency systems; two, to complete development and test contingency plans to ensure that critical systems can resume after an emergency; three, to validate agency-reported information through independent evaluation; and four, to achieve other FISMA requirements.
The second major challenge is the development of a national CIP strategy. A more complete strategy is still needed that addresses specific roles, responsibilities, and relationships for all CIP entities, that clearly defines interim objectives and milestones and sets timeframes for achieving them, and establishes appropriate performance measures and a monitoring process. The President's National Homeland Security strategy, the President's cyber and physical CIP strategies, and the Homeland Security Act call for a comprehensive national infrastructure plan.
The third major challenge is improving information sharing on threats and vulnerabilities. Information sharing needs to be enhanced both within the Federal Government and between the Federal Government and the private sector and State and local governments. The President's national strategies identify partnering with non-Federal entities as a major initiative. Information sharing and analysis centers continue to play a key role in this strategy.
The fourth major challenge is improving analysis and warning capabilities. More robust warning and analysis capabilities are needed to identify threats and provide timely warning. Such capabilities need to address both cyber and physical threats. Again, the President's national strategies call for major initiatives in this area.
The fifth challenge is encouraging non-Federal entities to increase their CIP efforts. The Federal Government needs to assess whether additional incentives, such as grants or regulation, are needed to encourage non-Federal entities to increase their efforts to implement suggested CIP activities.
The Homeland Security Act and the President's national strategies acknowledge the need to address many of these challenges. However, much work remains to effectively respond to them. Until a comprehensive and coordinated strategy is developed, our Nation risks not having a consistent and appropriate structure to deal with the growing threat of attacks on its Federal systems and on its critical infrastructures.
Mr. Chairman, Mr. Clay, this concludes my oral statement. I would be pleased to answer any questions at this time.
[The prepared statement of Mr. Dacey follows:]
Mr. PUTNAM. Thank you very much, Mr. Dacey. We appreciate all of the remarks of the panel.
I will recognize Mr. Clay for his questions.
Mr. CLAY. Thank you, Mr. Chairman. Mr. Dacey, Mr. Clarke suggested that GAO should develop the capacity to give Congress real-time security reports on all executive agencies' computer systems. Is GAO prepared to undertake this responsibility?
Mr. DACEY. Not as of today. I would say that we have been doing reviews, and, in fact, while Mr. Pyke did not say prior to his appointment as CIO, we had done a review of Commerce and I am very pleased to hear of the progress they have made in the last 2 years since that. We certainly have a suite of tools, and there are tools available commercially, that can be used to assess security in systems, to scan them, so to speak. We use them, other people in the commercial sector use them to do testing of networks. So in terms of technologies, those types of systems are available. Now, what we run into routinely when we go to agencies is we have to figure out how to run them on their systems and how to interface, and how to use them on their networks and how their networks are configured, which actually takes a large amount of our time to do that.
So I guess the question of active monitoring, GAO has and continues to support that agencies should be regularly monitoring their systems for these kinds of vulnerabilities, and there are thousands, I heard a number before but there are literally thousands of these vulnerabilities. I do know that NASA has undertaken for the last year or so a project to actually assess all of their networks for a subset of vulnerabilities, 20 or 30 odd vulnerabilities, I forget the exact number, that they actively report on to agency management in terms of whether those vulnerabilities exist. They have metrics and measurements, performance measures against that.
So, at least with respect to a subset, I think it has been demonstrated that agencies can do that. I will leave it to Congress and others to decide who will do that. But certainly it is very possible to be done.
Mr. CLAY. OK. It is my understanding that the National Institute of Standards and Technology is about to release a draft of security standards required under FISMA. Have you reviewed those standards? And if not, what are your plans for reviewing them?
Mr. DACEY. FISMA required NIST to develop basically risk levels and minimum security standards for each risk level. Separately, as part of the Cyber Research and Development Act, NIST is required to develop checklists for settings on technologies that are widely used or will be widely used in the Federal Government. FISMA made as one of its requirements that NIST consult with GAO on this issue, and they have consulted with us thus far. They are still actively developing those standards. What we have done is to basically look at what we use in terms of our audit process, what do we audit against, and trying to ensure that their standards would at least include at a minimum the kind of things that we look for when we do our audits. So that process is taking place. I cannot say exactly when those standards will be developed, but they are intended, I understand, to be developed for public exposure and comment.
Mr. CLAY. Thank you. Mr. Pyke, in the last panel, Mr. Clarke suggested that IT security be contracted to private firms with penalties on the contractor for breaches. I would like to hear your thoughts on that suggestion.
Mr. PYKE. Mr. Clay, I respectfully disagree with that particular recommendation, although I think that there is plenty of room for us to outsource many of the capabilities we need to have a complete and effective IT security program. As we have done in Commerce from the Secretary on down, I think it is very important to have personal accountability of our managers for the management of IT security. I also think it is important to have a high-level individual or individuals responsible for IT security within the organization. When I was the CIO of the National Oceanic and Atmospheric Administration, I raised IT security to the top level within the CIO office. At the Commerce Department, we have IT security and critical infrastructure protection at the top level within the Commerce CIO office. I should add that we have full-time individuals responsible for each of these important functions.
So I do not think the responsibility for IT security within any Federal agency can be delegated by outsourcing. But I do think, especially since we all face a shortfall of the scarce resources necessary to keep on top of IT security, I do think that it is an excellent idea to take advantage of outsourcing to get the job done.
Mr. CLAY. Mr. Pyke, let me also ask you about the Census Bureau. Do they have an enterprise architecture for the modernization of its geographic system, and has your office reviewed that architecture?
Mr. PYKE. Yes. The Census Bureau does have an architecture, and their overall architecture for the agency as a whole and for moving ahead toward the next decennial census is a part of the overall enterprise architecture that we have for the entire Department of Commerce.
Mr. CLAY. What is the cost of this modernization project?
Mr. PYKE. Are you talking about the census modernization?
Mr. CLAY. Yes.
Mr. PYKE. If I may, sir, I would like to provide that number for you for the record.
Mr. CLAY. That will be fine. Thank you.
Ms. MacLean, the last question. Has the banking industry been concerned about sharing information with the Federal Government? And does the FOIA exclusion passed as part of Homeland Security address those concerns?
Ms. MACLEAN. That is a very great question. The financial services sector as a whole believes strongly that FOIA protection is critical to our ability to share information with the Federal Government. Being able to share that information without fear of disclosure of specifics I think is very, very important. So, keeping with that FOIA protection, another aspect of that, if we go back to Y2K and the way that Y2K protection was handled with the FOIA; also, liability protection is another aspect that we feel is important.
Mr. CLAY. Thank you. Thank you, Mr. Chairman.
Mr. PUTNAM. Thank you, Mr. Clay. I would like to follow up on that question with Ms. MacLean. What would be the threshold of breach or the threshold of cyber threat or cyber attack that would trigger the need for a public disclosure to the customer or client whose information is jeopardized?
Ms. MACLEAN. I would like to say it somewhere happens naturally. We do share information today as part of our Information Sharing and Analysis Center. We have an FS-ISAC where today we share information among institutions. We also are required by law and by regulation to notify the Government of any major breach through our SAR program at the financial institution level.
I think making things public really just depends on whether or not there is that need that would assist us in helping resolve the issue. I do not think that it is conducive to make that public every time there is a breach. I think one of the metrics, and I heard you say earlier in the very beginning about the increased numbers of incidents, I actually think that is a positive metric. I think we should be looking for those reports to go up. But I do not think you necessarily need to make those public in order to work the issues and determine what vulnerabilities need to be addressed.
Mr. PUTNAM. Is there a current Federal law or regulation that requires a customer or client whose information may have been breached to be notified? If there is not, what is your company's policy?
Ms. MACLEAN. Yes, from a privacy perspective. And in the State of California, I think it was mentioned earlier, that if there is a breach where public or private information is compromised, you are required to notify that customer. That is different than going on CNN and making that public. It is also for the protection of those customers that I do believe the customer should be notified but not necessarily make all that information public because it does violate their privacy from another aspect.
Mr. PUTNAM. Mr. Pyke, your role as CIO of Commerce, you have oversight for critical infrastructure protection, is that correct?
Mr. PYKE. That is correct.
Mr. PUTNAM. Not just within the Department itself but within the infrastructures that are within the jurisdiction of the Department?
Mr. PYKE. I have responsibility for critical infrastructure within the Department. I am the Critical Infrastructure Assurance Officer.
Mr. PUTNAM. OK. So if there is a substantial cyber threat on an industry within the regulation of the Department of Commerce, are you the first one notified or is someone in Homeland Security the first one notified?
Mr. PYKE. I am notified only when there is a threat or possible threat to our systems and data, not to the sectors of industry that we relate to or interact with. My understanding is that is where the Department of Homeland Security comes in. They are one of the sources of alerts to us about a possible threat, and, as Mr. Forman mentioned, we received three very helpful alerts fairly recently that we and the other agencies across Government have been able to react to. I would hope that those kinds of alerts are made available to the private sector as well.
Mr. PUTNAM. Ms. MacLean, one of the recurring themes today has been that there is a high level of reluctance to compel the private sector to report and there is also some tremendous concern about increasing the regulatory role in setting minimum standards. What are your feelings on the minimum standards and the approach of regulation? How do we incent that in the private sector so that we have the information that we need and we are getting the results that we need without an over-reaching from the regulatory approach?
Ms. MACLEAN. Today, our particular sector, the financial services sector, is highly regulated. So, in some ways, we are already the beneficiary of having some of those guidelines in place. There are a number of regulations today. I think it was mentioned, the Gramm-Leach-Bliley Act is one of those regulations which incent or require you to put in additional controls.
The second part of that question on how do we make that process, should we make that process and do more of that, I really do not think additional regulation is conducive to actually getting companies to put those controls in place. Risk management, in most companies, especially in the financial sector, is in the business of selling trust. So it is to our advantage to really provide secure services to our customers. The customers demand that. And so there is a market force that really is at the heart of everything we do. We do it because it makes good business sense. And the checks and balances are in place, if you will, through the regulatory agencies who oversee us.
Mr. PUTNAM. Did you agree with the recommendation of the first panel that perhaps the way to get at publicly traded corporations is to have a certified audit process that is reflected in a report to the SEC?
Ms. MACLEAN. I do agree with that. And we do that to an extent today within the financial services sector. I think that would be an effective means. And you are looking more at an effective program versus regulating that program.
Mr. PUTNAM. One of the challenges that has come up is that a number of the issues we deal with are not as much technological challenges as they are human challenges or cultural challenges. How are you or others in the private sector held accountable for protecting your infrastructure from security breaches?
Ms. MACLEAN. My whole job at Bank of America is to provide that leadership, that vision, and I mentioned execution and accountability. I think those are four core things that have to be in place for any effective program. I think within the financial services sector, the way that we have organized with the associations is to provide that leadership and guidance to all of the financial services sector so that we are consistent in our approach.
The other key to this I think is the outreach opportunities, because we are very interdependent on other sectors, such as telecommunications and energy and our government partners, the Federal Reserve Bank, other people with whom we have interdependencies. Making sure that everyone within each link of the chain, if you will, those chains, the links in the chains are all doing the right things. I think the leadership around those best practices and expectations that we have are really critical to having a cohesive integrated program.
Mr. PUTNAM. Let me give you a version of what I asked Mr. Pyke. If you get a report that there is something very suspicious going on, something that is raising red flags in your infrastructure protection systems, is your first instinct to call the Comptroller General or the Federal Reserve or Homeland Security?
Ms. MACLEAN. My first instinct is to call our crisis management hotline together, which includes all of our institutions, and includes our regulators who are a part of that process. And that is part of what the council has put into place. Having that blast message, if you will, which goes out to multiple avenues so that we ensure that we get everybody on the phone, would be the first thing that we would do.
Mr. PUTNAM. And I would assume that would probably be replicated throughout the different sectors: the power company's first response would be to notify FERC or DOE; telecommunications, their equivalent agency or department of jurisdiction. It makes you wonder at what point it finally gets to the people who are in charge of that, which would be Homeland Security.
Mr. Dacey, what is the biggest obstacle that you have found in the failure of the Federal Government to have adequate information security, and is it a human challenge or a technological challenge?
Mr. DACEY. Most of the issue really relates I think to a human challenge. We have many technologies to monitor and manage these systems and I think it is a matter of getting the right amount of attention, focus, responsibility, and accountability in place. What we have now is a situation where some agencies have done better than others. If you look at our written testimony, there are a lot of charts that summarize some of the GISRA reporting for the second year and some agencies are reporting statistics, such as Mr. Pyke, that are quite high and others that are low. And I think the issue is really focusing in on what are the reasons why some of these agencies are doing better than others.
There is no silver bullet to any of this. But one of the things that Mr. Pyke referred to earlier is the fact that he has responsibility for establishing information security standards and monitoring those and maintaining accountability for people to implement those throughout the agency. In many of the agencies that we have looked at, that has not always been the case. The CIO at the agency level has certain responsibilities but oftentimes the component parts of the agency have autonomy to develop and establish their networks and their security. And in those environments, if you have a situation where one component has weak security, that can jeopardize the rest of the agency considering that in most cases their systems are interlinked and oftentimes trusted, so that getting access to one can readily get you access to another.
So I think those are the primary issues. I think OMB laid those out in their first-year GISRA report and are continuing to work those issues. If you look at the numbers, again, there is definitely progress being shown. But if you look at some of them, you will see that there is a lot of information we do not have yet. We talk about a process for managing vulnerabilities, but in many cases systems have not really been fully tested or analyzed to identify the vulnerabilities that exist so that they can be fixed. So there is a process here that needs to take place. But, certainly, the GISRA and now FISMA I think have been landmark changes in the way in which information security has been viewed by the agencies.
The last part, which was referred to a little earlier, is research and development. I think it is key that it continue in a cohesive fashion so that we can make sure that we are developing the best technologies we have to defend against cyber threats.
Mr. PUTNAM. Certainly, the current in IT management and procurement has been away from the traditional stovepipe system and the inherent redundancies and duplication. But presumably a positive benefit of those stovepipes and of those redundancies is some limited protection from a cyber security threat. For all the consequences of not being able to communicate with one another, the benefits have been that you had some kind of a firewall there. Would you comment on that a little bit? As we press these agencies to tear down stovepipes, what consequence does that have for cyber security?
Mr. DACEY. I think many, if not all, of the agencies have really gotten to a point where they are highly internetworked within themselves. I think, based upon the studies we have done where we have actually gone in and assessed security, we have generally found that, again, the systems are fairly trusted. One of the concerns that we have expressed is not only the impact of an external party coming in, but also internal parties are a threat to security as well. When you have got tens of thousands of users in some of these systems, you really have to be careful to manage that.
What we have not seen in many systems is once we are able to get in, we do try as part of our audits to break into systems both internally and externally, and are generally successful, but when we do that, we typically find that we can use that access to gain privileges throughout the entire network and other places. So to some extent, I think removing the stovepipes in terms of information security is critical or you are going to continue to have that. What we have not seen is really an effective segmenting of networks so that if one is broken into, you cannot get access to other parts. That is certainly technologically possible. And if you follow through FISMA and the idea that there will be different risk-level systems, you are going to have to come up with a strategy on segmenting them so you have one high-level risk system that does not connect to a low-level risk system without appropriate protections.
Mr. PUTNAM. Mr. Pyke, we have heard from Ms. MacLean on the
accountability measures that are in place in the private sector to
ensure an appropriate commitment to cyber security. What has
Secretary Evans empowered you to do that has made the Depart-
ment of Commerce a model for success in a situation where every-
one else is pretty well mired in failure?
Mr. PYKE. Mr. Chairman, one of the things he has done has been
not just to empower me as CIO to do my job and do it in a full
way, but he has empowered and mandated that the Commerce
agency heads, the under secretaries, assistant secretaries, and di-
rectors of the individual bureaus or operating units within the De-
partment, that they give their time and attention to computer secu-
rity, to protecting the infrastructure. And this has opened the way
for my staff and me to be able to provide policy guidance, to pro-
vide direction, and have it received well. It has opened the way for
us to work with the Commerce agencies and have them be respon-
sive when we have an incident that we need to handle.

I might mention with regard to something you asked me earlier
in terms of incident handling, we have had at least one incident
that I am aware of where we had an intrusion that we reported.
When we have an intrusion that we detect we report the incident
to FedCIRC, to the Federal Computer Incident Response Center
which is now part of the Department of Homeland Security. That
particular incident resulted in a Government-wide alert and I be-
lieve an alert that went out to the private sector as well with re-
gard to the appropriate measures to take to respond to that par-
ticular threat.
Mr. PUTNAM. Thank you, Mr. Pyke.
I want to thank all of our witnesses from both panels for their
outstanding testimony and their ability to help us understand what
is a very complex issue. It is clear that the time to act is now. We
have not made the progress that we need to make to be as pre-
pared as we should be as a Nation. We must all work together to
protect our Nation from what could certainly be a digital disaster.
I want to thank Mr. Clay for his input and his support of our
efforts on the subcommittee. And recognizing that we were not able
to answer all the questions that people had, I will keep the record
open for 2 weeks for submitted questions and answers.
Mr. Dacey, Mr. Pyke, Ms. MacLean, we appreciate what you do.
We appreciate your service to the subcommittee.
And with that, we stand adjourned.
[Whereupon, at 11:30 a.m., the subcommittee was adjourned, to
reconvene at the call of the Chair.]
