[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
H.R. 285: DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY ENHANCEMENT ACT 
                                OF 2005

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON ECONOMIC
                        SECURITY, INFRASTRUCTURE
                     PROTECTION, AND CYBERSECURITY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 20, 2005

                               __________

                           Serial No. 109-11

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
22-904                      WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


                     COMMITTEE ON HOMELAND SECURITY

                 Christopher Cox, California, Chairman

Don Young, Alaska                    Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas                Loretta Sanchez, California
Curt Weldon, Pennsylvania, Vice      Edward J. Markey, Massachusetts
Chairman                             Norman D. Dicks, Washington
Christopher Shays, Connecticut       Jane Harman, California
Peter T. King, New York              Peter A. Defazio, Oregon
John Linder, Georgia                 Nita M. Lowey, New York
Mark E. Souder, Indiana              Eleanor Holmes Norton, District of 
Tom Davis, Virginia                  Columbia
Daniel E. Lungren, California        Zoe Lofgren, California
Jim Gibbons, Nevada                  Sheila Jackson-Lee, Texas
Rob Simmons, Connecticut             Bill Pascrell, Jr., New Jersey
Mike Rogers, Alabama                 Donna M. Christensen, U.S. Virgin 
Stevan Pearce, New Mexico            Islands
Katherine Harris, Florida            Bob Etheridge, North Carolina
Bobby Jindal, Louisiana              James R. Langevin, Rhode Island
Dave G. Reichert, Washington         Kendrick B. Meek, Florida
Michael McCaul, Texas
Charlie Dent, Pennsylvania

                                 ______

   Subcommittee on Economic Security, Infrastructure Protection, and 
                             Cybersecurity

                Daniel E. Lungren, California, Chairman

Don Young, Alaska                    Loretta Sanchez, California
Lamar S. Smith, Texas                Edward J. Markey, Massachusetts
John Linder, Georgia                 Norman D. Dicks, Washington
Mark E. Souder, Indiana              Peter A. DeFazio, Oregon
Tom Davis, Virginia                  Zoe Lofgren, California
Mike Rogers, Alabama                 Sheila Jackson-Lee, Texas
Stevan Pearce, New Mexico            Bill Pascrell, Jr., New Jersey
Katherine Harris, Florida            James R. Langevin, Rhode Island
Bobby Jindal, Louisiana              Bennie G. Thompson, Mississippi 
Christopher Cox, California (Ex      (Ex Officio)
Officio)



                            C O N T E N T S

                              ----------                              

                               STATEMENTS

The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Chairman, Subcommittee on 
  Economic Security, Infrastructure Protection and Cybersecurity
The Honorable Loretta Sanchez, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Economic Security, Infrastructure Protection and Cybersecurity
The Honorable Christopher Cox, a Representative in Congress From 
  the State of California, and Chairman, Committee on Homeland 
  Security
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security
  Oral Statement
  Prepared Statement
The Honorable Bobby Jindal, a Representative in Congress From the 
  State of Louisiana
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California
  Oral Statement
  Prepared Statement
The Honorable Stevan Pearce, a Representative in Congress From 
  the State of New Mexico

                               WITNESSES

Ms. Catherine Allen, President and CEO, BITS, Financial Services 
  Roundtable
  Oral Statement
  Prepared Statement
Mr. Paul Kurtz, Executive Director, Cyber Security Industry 
  Alliance
  Oral Statement
  Prepared Statement
Mr. Harris Miller, President, Information Technology Association 
  of America
  Oral Statement
  Prepared Statement
Mr. Ken Silva, Chairman of the Board of Directors, Internet 
  Security Alliance
  Oral Statement
  Prepared Statement
Mr. Amit Yoran, President, Yoran Associates
  Oral Statement
  Prepared Statement

                                Appendix

Questions and Responses from Ms. Catherine A. Allen
Questions and Responses from Mr. Paul B. Kurtz
Questions and Responses from Mr. Ken Silva


                    H.R. 285: DEPARTMENT OF HOMELAND
                   SECURITY CYBERSECURITY ENHANCEMENT
                              ACT OF 2005

                              ----------                              


                       Wednesday, April 20, 2005

                          House of Representatives,
 Subcommittee on Economic Security, Infrastructure 
                     Protection, and Cybersecurity,
                            Committee on Homeland Security,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 11:05 a.m., in 
Room 210, Cannon House Office Building, Hon. Dan Lungren 
[chairman of the subcommittee] presiding.
    Present: Representatives Lungren, Souder, Pearce, Jindal, 
Cox (ex officio), Sanchez, Dicks, Lofgren, Langevin, Thompson 
(ex officio), and Linder.
    Mr. Lungren. The Committee on Homeland Security 
Subcommittee on Economic Security, Infrastructure Protection, 
and Cybersecurity will come to order. The subcommittee is 
meeting today to hear testimony on H.R. 285, the Department of 
Homeland Security Cybersecurity Enhancement Act.
    In 1983, the film ``War Games'' depicted smart, tech-savvy 
teenagers finding a back door into the Department of Defense 
tactical computer. Mistaking real life for a war game, they 
inadvertently bring the country to the brink of a nuclear war. 
Although enjoyable as a film and fictional, the movie is a 
stark reminder of the potential threats, vulnerabilities and 
consequences of cyberattack.
    Today's world is even more interconnected through 
cyberspace, not just through the use of computers, but because 
of our increasing reliance on cybersystems to control our 
national infrastructures and economy.
    Ensuring that essential services and industries survive an 
attack has always been a part of our national security 
strategy. What is new is how cyberspace networks have created 
complex interdependencies that have never existed to this 
extent before. The complexity and extent of these networks is 
not fully understood. The technology and networks are 
themselves constantly changing.
    Identifying what is critical is becoming simultaneously 
more difficult and more vital. Furthermore, the majority of 
critical infrastructure is outside of Federal control, with 85 
percent in private hands. The Department must work hand in hand 
with the private sector not only because the majority of 
structure is owned privately, but because the private sector is 
at the forefront of innovative, productive and efficient 
technologies to secure cyberspace and associated critical 
infrastructure.
    Many of us recognize the average cyberattack such as a worm 
or virus is a nuisance, one that irritates us, slows down our 
computers or prevents us from e-mailing. Yet deliberate 
cyberattacks have the potential to do physical harm in the form 
of attacks on cybersystems controlling critical 
infrastructures, such as dams and power plants or medical 
systems. Since I live just downriver of a dam, I am 
particularly acutely aware of that. They can also be launched 
coincident with physical attacks to interfere with our response 
and to make a bad situation even worse.
    It is typical to measure the potential cost of 
probabilities of such attacks. There are no standard 
methodologies for cost measurement, although the 2003 loss 
estimates due to hostile digital acts range from $13 billion, 
worms and viruses only, to $226 billion for all forms of overt 
attacks.
    Although accidental, the blackout of August 2003 may have 
cost us about $6 to $10 billion for the U.S. economy alone, 
which would amount to 1/10 of 1 percent of GDP. Clearly if the 
attack had been deliberate, the potential loss could have been 
much worse, and an attack on the financial services sector or 
the stock market could have incalculable long-term economic 
repercussions.
    Recognizing this importance of cybersecurity to homeland 
and economic security, the Congress, when it created the 
Department of Homeland Security, directed this new department 
to lead the effort to develop a comprehensive cybersecurity 
strategy for the Nation. In response, the Department 
established the National Cybersecurity Division within the 
Information, Analysis and Infrastructure Protection Directorate 
headed by a Director reporting to the Assistant Secretary of 
Infrastructure Protection.
    As chairman of the subcommittee, I appreciate the oversight 
work that was done by the Select Committee on the Homeland 
Security Subcommittee on Cybersecurity, Science, and Research 
and Development during the last Congress, which culminated in 
the subcommittee's excellent report entitled Cybersecurity for 
the Homeland.
    The report makes clear that under current organizational 
structure, cybersecurity has not received the priority and 
attention it deserves within the Department, and that the 
National Cybersecurity Division needs explicit statutory duties 
and authorities. These findings led to the drafting and 
introduction of the bill that we are considering today, H.R. 
285, the DHS Cybersecurity Enhancement Act of 2005, which was 
introduced earlier this year by Congressman Mac Thornberry, the 
former subcommittee chairman, and Congresswoman Zoe Lofgren, 
the former Ranking Member and currently a member of our 
subcommittee.
    I am pleased we have an excellent panel of witnesses today 
to help the subcommittee examine the need for this legislation. 
In particular, we will hear from Mr. Amit Yoran, who was the 
first Director of the National Cybersecurity Division with DHS, 
and is a highly regarded cybersecurity expert. He left the 
Department after 1 year and is in the unique position to help 
us explore the challenges of cybersecurity within DHS.
    Passage of H.R. 285 would not solve all of the problems 
with cybersecurity within DHS, but it would elevate the mission 
within the Department by creating a new position of Assistant 
Secretary of Cybersecurity. This change would give the head of 
the National Cybersecurity Division not only increased 
prominence within the Department, but also give this official 
greater clout across the Federal Government and the private 
sector.
    The bill also contains specific language that would outline 
the responsibilities of the assistant secretary, guiding the 
work that needs to be done to identify the threats and 
vulnerabilities, mitigate those vulnerabilities, institute a 
warning system, and be able to effectively and quickly respond 
to an attack should one occur.
    These statutory authorities will also serve to clarify 
within DHS for the outside world the role and responsibilities 
of the DHS Cybersecurity Office. Under the bill, the assistant 
secretary also would assume authority over the National 
Communications System, which will bring an end to DHS's current 
treatment of telecommunications as separate from information 
technology. This is essential because the real world 
convergence of telephony and data is proceeding rapidly, and 
DHS must integrate policy for securing these elements of the 
cyberworld.
    Today we have witnesses who represent the leading experts 
in the cybersecurity industry with extensive experience working 
either in or with DHS. We look forward to hearing from them and 
why they think this legislation is important, presuming they do 
believe it is important.
    I would thank you all for appearing today.
    I would recognize the Ranking Member Ms. Sanchez for any 
opening remarks you would make.
    Ms. Sanchez. Thank you, Mr. Chairman, and thank you all for 
appearing before us today. We are looking forward to your 
testimony. This morning we are going to hear testimony, and 
this afternoon we are going to mark up H.R. 285, the Department 
of Homeland Security Cybersecurity Enhancement Act of 2005.
    I am so proud that this was written by my good friend from 
California Ms. Zoe Lofgren and by Mr. Thornberry of Texas in 
the last Congress when they had the roles of heading up the 
subcommittee that handled cybersecurity, which of course now 
has been put into this larger committee. I congratulate both of 
them for the diligent work that they did and for bringing it 
forward.
    I am very grateful to the chairman of this committee and to 
Mr. Cox and our Ranking Member Bennie Thompson for seeing the 
necessity to bring this forward early in this session so that 
we could get it done.
    I know that it is a very bipartisan manner in which Ms. 
Lofgren and Mr. Thornberry worked on this. I am happy to be a 
cosponsor of this particular bill. I think it is incredibly 
important that we look at the cybersecurity component of our 
economic security of this country, in particular banking and 
finance. I myself used to work in that arena on Wall Street. I 
believe it is just incredibly important for us to make sure 
that we do secure this.
    I hope that this bill, H.R. 285, will raise the visibility 
of the need to really explore cybersecurity, understand it, and 
get that under control so that we don't have an attack on 
either one of our infrastructure pieces, like a dam, for 
example, or, more importantly, that we don't lose everybody's 
money somewhere out in cyberspace or to the bad guys.
    So I am looking forward to this. I think having an 
assistant secretary is going to be important, and that person 
will be able to raise the visibility of this. I am confident 
that we are going to pass this piece of legislation.
    So, thank you, Mr. Chairman, and I--.
    Ms. Lofgren. Would the gentlelady yield?
    Ms. Sanchez. Should I yield to her, or will you be 
recognizing her?
    Mr. Lungren. I was going to recognize her after I recognize 
the chairman of the full committee.
    Ms. Lofgren. Okay.
    Mr. Lungren. The chairman of the full committee.
    Mr. Cox. Thank you very much.
    Since we are about to hear from Congresswoman Lofgren, and 
since Mr. Thornberry is not here, let me acknowledge both of 
them, and thank you for your leadership on this legislation. 
The Homeland Security Committee has organized itself again, as 
we did as a select committee in the preceding Congress, in 
subcommittee around this mission of cybersecurity. It is the 
fact that not only is the Department of Homeland Security, our 
newest Cabinet department, already the third largest Cabinet 
department, but, in addition, it is the locus within the 
Federal Government for a new mission not just for our 
government, but for our country, and that is cybersecurity.
    It is the focal point within the Federal Government for all 
of our efforts not just at the government level, but also 
internationally and in the private sector, to prevent harm to 
our national security and to our economy from cyberattacks.
    We have, I think, some skeletal frameworks from which to 
work: HSPD 7, the President's National Strategy to Secure 
Cyberspace, the National Response Plan to the extent that it 
treats cyberincidents. But what we need clearly inside the 
Department of Homeland Security is leadership, and that entails 
organizational responsibility and the opportunity to lead. So 
this Committee in the 109th Congress, the Select Committee in 
the 108th, have identified, with our partners outside the 
government, this organizational step as a key one, the step 
that we are proposing to take in this legislation.
    I am very, very anxious to hear from our witnesses today to 
make sure that we continue on the right track. But I believe 
that an extraordinary amount of thought has been given to this 
over the period of now a few years under the leadership of Mr. 
Thornberry and Ms. Lofgren. So I want to thank you for that 
leadership.
    I want to thank the chairman and Ranking Member of this 
subcommittee for renewing our efforts as a Homeland Security 
Committee and to see this job through completion. I hope that 
today's hearing moves us along on that path.
    Mr. Lungren. Thank you, Mr. Chairman.
    Before we hear from the panel, I would recognize the 
gentlelady from California Ms. Lofgren, who is the author of 
the bill and a member of this subcommittee.
    Ms. Lofgren. Thank you very much, Mr. Chairman.
    I do believe this bill is very important, and as has been 
mentioned, it is very bipartisan in nature. It was largely 
prepared through the direction of Congressman Mac Thornberry 
and myself in our roles in the last Congress in the 
Cybersecurity Subcommittee. I want to thank Mac Thornberry and 
also his staff for their collaboration and hard work on this 
bill. I am really very proud of the work that Mac and I did in 
a truly bipartisan way on the issue of cybersecurity in the 
last Congress.
    During that 108th Congress, the subcommittee conducted many 
hearings and briefings from Members of Congress and staff on 
cybersecurity issues. The subcommittee also reached out to 
diverse groups of individuals on seeking ways to improve 
cybersecurity for the Nation. Since May of 2003, 15 hearings 
and briefings were conducted, as well as additional and formal 
meetings with Members and staff. We heard from private sector 
experts who operate critical information infrastructure; 
Federal, State and local officials; academic experts and the 
like. A variety of witnesses also discussed the Department of 
Homeland Security's role and responsibilities in securing 
cyberspace.
    To make a long story short, as the chairman of the full 
committee has mentioned, we do have an adopted strategy, but 
the strategy has not yet been implemented. It has become clear 
to myself and Congressman Thornberry and many, many others that 
we need a higher level of attention within the Department. 
Obviously, there is much to do. This bill will not in and of 
itself solve the issues, but it will put us on a footing, we 
believe, to actually get the attention that we need.
    The position would be an Assistant Secretary of 
Cybersecurity within the Information, Assurance and 
Infrastructure Protection Directorate, and the second--the path 
the bill also accomplishes is to define cybersecurity at the 
department level so that a consistent and authoritative 
definition can be integrated throughout the Department.
    I would ask that my full statement be submitted for the 
record, but I would note that the Department of Homeland 
Security is not alone in focusing on the issue of 
cybersecurity. Clearly most of the infrastructure is within the 
private sector, not within the government. NSF has recently 
engaged in a very important funding of research in the 
cybersecurity area with a number of academic institutions. One 
of them, Professor Shankar Sastry at the University of 
California, who has been very helpful to us on this effort, was 
recently quoted, talking about the issue of cybersecurity, 
that we don't want to have a digital equivalent of Pearl 
Harbor.
    So right now we are worried about viruses and worms, but 
the exposure that we have is very large. We are very behind in 
where we need to be to protect the infrastructure of the 
Nation. So this is serious stuff. I believe that adopting this 
bill promptly will get us further down the road to where we 
need to be.
    I appreciate the support of the chairman and Ranking 
Member, both of the full committee and the subcommittee, in 
promptly moving this forward.
    I yield back the balance of my time, and I thank you.

          Prepared Statement of the Congresswoman Zoe Lofgren

     This bill addresses an issue that I believe is very 
important: making sure that our government, working together with the 
private sector and academia, is doing all that it can to ensure that 
cyber security is a top priority in our nation's homeland security 
strategy.
     This bill is bipartisan in nature and was largely prepared 
through the direction of Representative Mac Thornberry and myself in 
our roles as leaders of the Cyber security Subcommittee last year. I 
thank Mac and his staff for their collaboration and hard work on this 
bill. I am proud to have been able to work with him in a truly 
bipartisan fashion to address this great need.
     During the 108th Congress, the Subcommittee conducted 
numerous hearings and briefings for Members of Congress and staff on 
cyber security issues. The Subcommittee also reached out to diverse 
groups and individuals on ways to improve cyber security for the 
nation. Since May 2003, fifteen hearings and briefings were conducted, 
as well as several other informal sessions with Members and staff. The 
committee heard from private sector experts who own and operate 
critical information infrastructure. Federal, state and local 
government officials and academic experts testified on the need to 
fortify the nation's cyber security. A variety of witnesses also 
discussed the Department of Homeland Security's role and 
responsibilities in securing cyberspace.
     The subcommittee initially focused its oversight on the 
key management functions required for the success of any organization. 
Through hearings and oversight letters, the Subcommittee questioned DHS 
about its cyber security mission and functions. The subcommittee was 
also interested in how DHS was developing working definitions related 
to cyber security and what progress it was making to implement a viable 
organizational structure, as well as formal personnel, resource and 
programmatic efforts.
     Unfortunately, the level and detail of planning documents 
needed to manage the new cyber mission within DHS was not forthcoming. 
Budget paperwork throughout the fiscal year was vague. It is still 
unknown whether spending plans and detailed budget execution data 
exist.
     These are some of the reasons why I believe this bill is 
necessary and can only help to improve our nation's level of cyber 
security.
     This bill accomplishes two essential tasks: it establishes 
an Assistant Secretary of Cyber Security within the Information 
Assurance and Infrastructure Protection Directorate to prioritize cyber 
security and protect our computer networks.
     The position, at this higher level, will be better able to 
coordinate with other Assistant Secretaries within the Directorate, as 
well as officials throughout the Department, other federal agencies, 
and the private sector.
     The second task this bill accomplishes is to define cyber 
security at the Department level, so that a consistent and 
authoritative definition can be integrated throughout the Department's 
mission and policy functions.
     I continue to hear from cyber security experts about the 
threats and vulnerabilities facing our nation's networks and 
systems. Unfortunately, these continue to grow faster than our nation 
can address them.
     These vulnerabilities will continue to hamper our homeland 
security efforts if we do not make cyber security a major priority. As 
long as our critical infrastructures are interconnected and 
interdependent, the likelihood that a cyber attack will disrupt major 
services or cripple our economy will remain and the threat will 
increase.
     If a cyber attack occurred simultaneously as a physical 
attack, critical emergency response systems and communications 
operations could be taken out, increasing the casualties and confusion 
of an attack.
     The Department needs to be advancing on cyber security - 
it cannot afford to sit back and make minimal, if any, progress in this 
area. It certainly needs to be doing more than re-creating programs 
that existed before the Department's creation. Unfortunately, that is 
all that is happening today.
     I fear that the Department is unable to move forward on 
cyber security because it lacks the leadership necessary to focus on 
its unique and cross-cutting nature. The individual responsible for 
leading the government's cyber security efforts must have more 
authority within the Department of Homeland Security.
     I recognize that the government cannot develop plans for 
physical security in a vacuum--those dealing with both of those issues 
must be able to communicate and collaborate. At the same time, though, 
the government cannot be naive in its approach. The first responders 
and security actors for cyber assets are not the same as in the 
physical world. This bill recognizes this difference, while keeping in 
place the mechanisms for collaboration with the Infrastructure 
Protection Directorate.
     Thank you Chairman Cox and Ranking Member Thompson for 
bringing this bill before us today. I am certain that our discussion 
that we are about to have on the merits and the importance of this 
bill.
     I know that some may argue that this bill is unnecessary 
and that the Department already has authority to do this work now. If 
that is true, then I ask why it has not been done already. In our role 
as the authorizers and the overseers of the Department of Homeland 
Security, I believe it is critical for us to give the Department 
guidance as to how it should manage the tremendous tasks that it has 
been given. To sit by and do nothing would place our nation in greater 
danger than it is today, and I for one am unwilling to do nothing.
     I strongly urge you to vote in favor of this bill.

    Mr. Lungren. I thank the gentlelady for her comments and 
congratulate her on this piece of legislation.
    Other members of the committee are reminded that opening 
statements may be submitted for the record.
    We are pleased to have the distinguished panel of witnesses 
before us on this important topic.
    The Chair now recognizes Mr. Amit Yoran, the president of 
Yoran Associates and the former Director of the National 
Cybersecurity Division of the Department of Homeland Security.
    Before you testify, could you tell me if I am pronouncing 
your name correctly?
    Mr. Yoran. Yes, sir, that was perfect.
    Mr. Lungren. Very good. Thank you.
    All witnesses should know that your written testimony will 
be submitted for the record. I would ask that you try to limit 
your comments to 5 minutes so that we can make sure that we 
hear all of you and then get involved in Q and A.
    Mr. Yoran.

      STATEMENT OF AMIT YORAN, PRESIDENT, YORAN ASSOCIATES

    Mr. Yoran. Good afternoon, Chairman Lungren and 
distinguished members of the subcommittee. I would like to 
first thank Congressman Thornberry and Congresswoman Lofgren 
and their staffs for their tireless efforts in the important 
topic of cybersecurity and for the entire subcommittee's 
bipartisan attention to this important topic.
    My name is Amit Yoran, and I am pleased to have the 
opportunity to appear before the subcommittee today to discuss 
enhancements to our national efforts to secure cyberspace. I am 
president of Yoran Associates, a technology strategy and risk 
advisory business headquartered in northern Virginia.
    In our practice we advise a number of global enterprises on 
their technology strategy and mitigating associated business 
risks and exposures. Prior to founding Yoran Associates, I 
served as the Director of the National Cybersecurity Division 
of the Department of Homeland Security responsible for building 
a national cyberresponse system, a national threat and 
vulnerability reduction program, a national cyberawareness and 
training program, and establishing increased security and 
coordination among and between government and international 
counterparts. Much work has been done in the implementation of 
the above responsibilities by both the public and private 
sectors, and even more work remains ahead of us.
    Protecting America from physical threats is a concept well 
understood by senior leadership and risk managers, where sound 
understanding of the challenges, consequences of failure and 
specific work plans to be accomplished are ongoing as part of a 
unified protection effort. Our ability to conceptualize and 
defend against physical threats has matured over many years. 
Changes to critical infrastructures do not occur on a highly 
dynamic basis.
    On the other hand, our use of and reliance on technology 
transforms continually in today's modern competitive 
environments. Significant challenges remain in raising 
awareness and understanding of vulnerabilities to cyberfailure 
or attacks to the leadership which structure and resource 
defensive efforts. The challenge to change our thinking is 
consistent in both the government and private sector.
    Since the creation of the Department of Homeland Security 
approximately 2 years ago, a massive restructuring has occurred 
in the Federal Government. More important than the 
restructuring and the organizational charts is the fantastic 
work being accomplished by so many talented and dedicated 
public servants serving in the most noble and challenging of 
undertakings, protecting our homeland and the American people.
    Responsibility for protecting these business-critical 
systems lies largely in the private sector, where nearly all of 
these critical infrastructure systems are owned and operated. 
Organizational leadership must encourage the inclusion of 
technology risks into their business risk management practices. 
Responsible business risk practices require a thorough 
evaluation and informed acceptance of technology and business 
exposures, or investment in risk mitigation techniques. 
Forward-thinking organizations are protecting themselves from 
significant threats and exercising their response plans in 
simulated cybercrisis scenarios. These types of activities can 
be used effectively to create awareness among organizational 
leadership. In essence, industry must not wait for government 
action before securing systems and improving their 
organizational policies and procedures.
    Some critical functions and responsibilities in our 
national cybersecurity efforts are inherently governmental, 
such as providing a survivable communications capability in 
various bad-case cyber and telecommunications outage scenarios, 
raising the awareness of threat information and coordinating 
national response efforts. I challenge the committee to assist 
the Department in increasing the investments being made in 
fundamental cybersecurity research and development.
    Secretary Chertoff is in the midst of his departmental 
analysis and restructuring effort, the second stage review. The 
Directorate of Information Analysis and Infrastructure 
Protection under which the National Cybersecurity Division 
resides is charged with performing some of the most important 
mission functions of DHS. It is imperative that we afford the 
Secretary the opportunity to design and structure the 
Department to the best of his ability and satisfaction and to 
provide him and his team whatever support we can in 
accomplishing their mission. Creating greater unity and clarity 
around cyberefforts will result in further inclusion and better 
integration of cybersecurity thinking, awareness and protective 
measures across all of the various programs and efforts taking 
place to protect America.
    The creation of an assistant secretary position to address 
cybersecurity issues is not inconsistent with a unified or 
integrated risk management approach. On its own, it does not 
address the government's challenges in cybersecurity. There are 
several areas where greater clarity is needed and support must 
be given to centralize cybersecurity functions across the 
government. The Department of Homeland Security struggles with 
its mission responsibility of security for government computer 
systems, but FISMA authorities lay entirely within OMB. 
Consideration of this topic by the committee can provide needed 
attention and have significant impact on improving operations 
on government cyberpreparedness.
    Procurement practices by the Federal Government to enhance 
cybersecurity features, functionality and requirements are not 
effective and are rarely enforced with consistency, resulting 
in the single greatest missed opportunity to positively 
influence and drive better security capabilities into the 
products that are used by both government and private sectors.
    There are many dedicated Americans in both the public and 
private sector working on these challenges to our economic and 
homeland security. It is my hope that the Committee on Homeland 
Security can provide them further mission guidance, support our 
common cause and assistance wherever possible.
    I look forward to answering any questions you may have.
    Mr. Lungren. Thank you very much, Mr. Yoran.
    [The statement of Mr. Yoran follows:]

                    Prepared Statement of Amit Yoran

    Good afternoon, Chairman Lungren and distinguished Members of the 
Subcommittee. My name is Amit Yoran and I am pleased to have an 
opportunity to appear before the subcommittee today to discuss 
enhancements to our national efforts to secure cyberspace. I am the 
President of Yoran Associates, a technology strategy and risk advisory 
business headquartered in Northern Virginia. In our practice, we advise 
a number of global enterprises on their technology strategy and 
associated business risks and exposures. Prior to founding Yoran 
Associates I served as the Director of the National Cyber Security 
Division of the Department of Homeland Security (DHS), responsible for 
building, (1) a national cyber response system; (2) a national threat 
and vulnerability reduction program; (3) a national cyber awareness and 
training program; and (4) establishing increased security and 
coordination among and between government and international 
counterparts. Much work has been done in the implementation of the 
above responsibilities by both the public and private sector and even 
more work remains ahead of us.
    Protecting America from physical threats is a concept well 
understood by senior leadership and risk managers, where sound 
understanding of the challenges, consequences of failure, and specific 
work plans to be accomplished are ongoing as part of a unified 
protection effort. Our ability to conceptualize and defend against 
physical threats has matured over many years. Changes to critical 
infrastructures do not occur on a highly dynamic basis. On the other 
hand, our use of and reliance on technology transforms continually in 
modern competitive environments. Significant challenges remain in 
raising awareness and understanding of vulnerability to cyber failures 
or attacks to the leadership which structure and resource defensive 
efforts. This challenge to change our thinking is consistent in 
government and the private sector.
    Since the creation of the Department of Homeland Security, 
approximately two years ago, a massive restructuring has occurred in 
the Federal Government. But more important than the restructuring and 
the organizational charts is the fantastic work being accomplished by 
so many talented and dedicated public servants serving in the most 
noble and challenging undertakings: protecting our homeland and the 
American people.
    The task in securing America's cyber infrastructures is a daunting 
and very real challenge. Efforts to secure the computer systems on 
which our nation's critical infrastructures and our economic stability 
rely are being addressed with a pre-9/11 lack of urgency. As we failed 
to grasp the gravity of the World Trade Center bombings in 1993, today 
we are not acting aggressively on the numerous warning signs of 
critical infrastructure computer failures; the Northeast-Midwest 
blackout of 2003, ATM outages and airline system failures or on the 
numerous computer threats actively working against our economic 
security. Simply put, many American business interests have a 
significant if not complete reliance on general purpose computers and 
inter-connected networks which can generally be categorized as 
untrustworthy. The recipes for disaster are present.
    Responsibility for protecting these business critical systems lies 
largely in the private sector where nearly all of these critical 
infrastructure systems are owned and operated. Organizational 
leadership must encourage the inclusion of technology risks into their 
business risk management practices. Responsible business risk practices 
require a thorough evaluation and informed acceptance of technology and 
business exposures or investment in risk mitigation techniques. Forward 
thinking organizations are protecting themselves from significant 
threats and exercising their response plans in simulated cyber crisis 
scenarios. These types of activities can be used to effectively create 
awareness among organizational leadership. In essence, industry must 
not wait for government action to begin securing systems and improving 
organizational policies and procedures.
    Some critical functions and responsibilities in our national cyber 
security efforts are inherently governmental, such as providing a 
survivable communications capability in various bad-case cyber and 
telecommunications outage scenarios, raising awareness of threat 
information and coordinating national response efforts. I challenge the 
Committee to assist the Department in increasing the investments being 
made in fundamental cyber security research and development.
    Secretary Chertoff is in the midst of his departmental analysis and 
restructuring effort--the second stage review. The Directorate of 
Information Analysis and Infrastructure Protection under which the 
National Cyber Security Division resides, is charged with performing 
some of the most important mission functions of DHS. It is imperative 
that we afford the Secretary the opportunity to design and structure 
the Department to the best of his ability and satisfaction and to 
provide him and his team whatever support we can in accomplishing their 
mission. Creating greater unity and clarity around cyber efforts will 
result in the further inclusion and better integration of cyber 
security thinking, awareness and protective measures across all of the 
various programs and efforts taking place to protect America.
    The creation of an Assistant Secretary position to address 
cybersecurity issues is not inconsistent with a unified or integrated 
risk management approach. On its own it does not address the 
Government's challenges in cyber security. There are several areas 
where greater clarity is needed and support must be given to centralize 
cyber security functions across government. The Department of Homeland 
Security struggles with its mission responsibilities of security for 
government computer systems, but FISMA authorities lay entirely within 
OMB. Consideration of this topic by the Committee can provide needed 
attention and have significant impact on improving operations and 
government cyber preparedness. Procurement practices by the Federal 
Government to enhance cyber security features, functionality and 
requirements are not effective and are rarely enforced with 
consistency, resulting in the single greatest missed opportunity to 
positively influence and drive better security capabilities into the 
product sets used by both government and private sectors.
    There are many dedicated Americans in both the public and private 
sector working on these challenges to our economic and homeland security. 
It is my hope that this Committee on Homeland Security can provide them 
further mission guidance, support our common cause and assistance 
wherever possible. I look forward to answering any questions you may 
have.

    Mr. Lungren. The Chair now recognizes Mr. Harris Miller, 
president of the Information Technology Association of America, 
to testify. I must say I knew Mr. Miller in another life when 
he was neither as well dressed nor as profitable-looking as he 
is now. It is good to see you have reached success in your 
older years.

     STATEMENT OF HARRIS N. MILLER, PRESIDENT, INFORMATION 
               TECHNOLOGY ASSOCIATION OF AMERICA

    Mr. Miller. Thank you, Mr. Chairman. It is a great honor 
and pleasure to be here in front of Lungren 2, Congressman 
Lungren's return. We got the great opportunity to work with you 
on the Judiciary Committee. It was a great honor and pleasure 
to serve you there. It is a great honor to appear before you, 
Congresswoman Sanchez, Chairman Cox and Ranking Member 
Thompson, and other members of the subcommittee today.
    I want to join in commending Congressman Thornberry and 
Congresswoman Lofgren for introducing this important 
legislation, and I urge the subcommittee to pass it and move it 
through the full committee of the House, and we hope to get 
cooperation from the other side of the Hill, too.
    Exhibit A about why this legislation is sitting immediately 
to my right. Mr. Yoran is too much of a gentleman to perhaps 
explain fully why he is back in the private sector after a 
relatively short period of time in the government, and I am not 
going to put any words in his mouth, but we at the private 
sector were very excited when he agreed to come back into 
government to serve in this position.
    But we felt that because of where the position is located 
in the Department, a head of a division as opposed to an 
assistant secretary level, that a lot of the ideas and work and 
enthusiasm that might have been brought to the position simply 
couldn't be done because of where the position is located.
    We also commend the current Acting Director Mr. Purdy. He 
is also trying very hard. But at the end of the day, Mr. 
Chairman, as you know very well, in this town where you stand 
is where you sit; and where you sit is where you stand. When 
you are down as a head of a division, you simply cannot bring 
the firepower and the leadership to the issue that you can as 
an assistant secretary, a confirmable position.
    So we think that the idea that Congressman Thornberry and 
Congresswoman Lofgren have incorporated into this legislation 
is critical. We urge you and the subcommittee to move it 
forward.
    Certainly, a couple of simple points, number one, prior to 
the formation of the Department of Homeland Security, the 
cybersecurity issue was so important in this administration 
that the position was a special advisor to the President of the 
United States. That is where the locus of this government's 
focus on cybersecurity was. After the Department was formed, it 
was--ended up--as a head stuck in a division. That shows you 
that without any real indication of any change of the 
importance of the issue in terms of our country and protecting 
our homeland, the position was significantly downgraded. As a 
result, a lot of the work that President Bush and his 
administration put into the National Strategy to Secure 
Cyberspace, which was released a little over 2 years ago, 
frankly hasn't been implemented because we have not had the 
type of leadership we need. This is no slap on Secretary Ridge 
and now Secretary Chertoff, but at the end of the day, if you 
don't have someone high enough in the organization to show 
leadership on the issue, it simply isn't going to happen.
    Now we understand that--the argument on the other side, 
that physical security and cybersecurity need to be closely 
integrated. That is why they initially didn't want to have an 
Assistant Secretary for Cybersecurity because it was not 
thought to be a separate issue. We understand that there is an 
argument on that side, but we happen to think it is inaccurate 
for reasons that Mr. Yoran indicated.
    Just think about it. At the end of the day, people are much 
more afraid of bombs and anthrax than they are of viruses and 
worms. They have a lot of experience of dealing with these 
physical threats. But the cyberworld is much different. It is 
much more out there in cyberspace, so to speak, and people 
don't quite understand it. So, again, putting it in the 
physical arena, the resources, the attention, the expertise and 
the government was all loaded toward people on the physical 
side, which is incredibly important, Mr. Chairman. We are not 
saying it is not, but it simply is different.
    There is also a fundamental cultural issue. How many people 
involved in law enforcement and physical threats have ever gone 
to cyberschool, and how many cybergeeks have ever gone to 
physical school? They simply live in different cultures, in 
different worlds. Now there are a few people that have skills 
on both sides, but it is a different world. It is a different 
set of issues.
    Again, having someone in government who understands that 
fundamentally at the right level of government, at the 
assistant secretary level, we think is critically important to 
furthering the agenda that is absolutely necessary. It is all 
about resource allocation. It is all about allocating those 
resources, and it is all about having the ear of the people at 
the top.
    At the end of the day, Mr. Chairman, as you said in your 
opening statement, 85 percent of our critical infrastructure is 
controlled by the private sector. One of the most important 
roles the government can play in cybersecurity is as a bully 
pulpit, getting out in front of people in the private sector to 
explain to them why they have to put as much priority on 
cybersecurity as they do on physical security, why they can't 
always be trying to turn around and say, what is the ROI on 
this? Again, I ask you, is it more likely to be successful if 
that person sending that message is an Assistant Secretary for 
Cybersecurity, or is it someone who frankly is pretty far down 
in the bureaucracy?
    Mr. Chairman, as you said in your opening statement, creating 
an assistant secretary is not going to solve all the problems, 
but it will get the cybersecurity issue back to the level of 
attention it had prior to the creation of the Department of 
Homeland Security. It will enable us to move forward with so 
many great ideas, which are included in President Bush's 
National Strategy.
    I think moving this legislation will be very important to 
the protection of our Nation's homeland.
    Mr. Lungren. Thank you, Mr. Miller.
    [The statement of Mr. Miller follows:]

                 Prepared Statement of Harris N. Miller

Introduction
    I am Harris N. Miller, President of the Information Technology 
Association of America (ITAA), representing over 380 member companies 
in the information technology (IT) industry--the enablers of the 
information economy. Our members are located in every state in the 
United States, and range from the smallest IT start-ups to industry 
leaders in the software, services, systems integration, 
telecommunications, Internet, and computer consulting fields. These 
firms are listed on the ITAA website at www.itaa.org.
    I appreciate this Subcommittee taking time from its very busy 
schedule to hold this hearing today on the need to elevate the issue of 
cyber security within the Department of Homeland Security (DHS) by 
creating an Assistant Secretary for Cyber Security. The constant 
attention by this Committee to the importance of cyber security in 
protecting our nation against terrorism is greatly appreciated by my 
members and all IT customers, whether they be individuals or companies.
    After a lull in major network exploits, we have seen the issues of 
information security and critical infrastructure protection spring back 
into the news with the recent data breaches experienced by data 
brokers, database companies, universities, payroll processors and other 
types of organizations. As the development and adoption of electronic 
commerce evolves, the issue of ``trust'' becomes increasingly 
important. Businesses, government and citizens alike must trust the 
security of their information and the identity of the person or company 
on the other end. They must know the systems they are using are 
reliable. Events that shake this trust--whether real or perceived--pose 
a threat to the development of electronic commerce and the growth of 
the U.S. economy.
    ITAA has played a major role in addressing the numerous issues of 
enhanced information security and cyber crime prevention. Our 
information security program dates back to 1999, with active 
participation from 250 IT companies. Since that time, along with many 
other accomplishments, ITAA has been proud to serve as a co-founder of 
the National Cyber Security Partnership, to chair the Partnership for 
Critical Infrastructure Protection, to co-found the National Cyber 
Security Alliance and the IT Information Sharing and Analysis Center 
(IT-ISAC) and to act as Sector Coordinator for the IT industry under 
Homeland Security Presidential Directive 7.

Why the U.S. Needs an Assistant Secretary for Cyber Security
    Since the creation of the Department of Homeland Security, the 
Congress has become increasingly aware of the enormously complex 
challenges related to cyber security. The result is overwhelming 
bipartisan support in the committees of jurisdiction for a robust 
National Cyber Security Division (NCSD) to meet the broad challenges 
posed in the 2003 President's National Strategy to Secure Cyberspace. 
These challenges include creating and managing: a national cyber 
response system; a national program to reduce cyber security threats 
and vulnerabilities; a national cyber awareness and training program; 
and programs of coordination among federal, state and local 
governments, as well as with the private sector and with international 
partners.
    ITAA, too, has been for several years advocating the need for a 
senior cyber security executive within the Federal government to help 
coordinate national cyber security policy among all industry, 
government and private sector stakeholders. We were the first 
organization to call for the creation of a cyber security ``czar,'' and 
were very pleased that first President Clinton, by holding a White 
House meeting on cyber security in early 2000, and then President Bush, 
by establishing a cyber security advisor in the White House at the 
beginning of his term, each showed great leadership. But since the 
creation of the Department of Homeland Security, and the effective 
organizational demotion of the cyber security position, our concerns 
about Executive Branch leadership have returned.
    Given strong bipartisan calls within Congress for a more robust 
NCSD capable of pulling together and coordinating among diverse 
entities within both government and the private sector, we feel very 
strongly that an Assistant Secretary position leading the NCSD is 
needed to meet the growing public administration, resource and policy 
challenges related to cyber security. This means coordinating closely 
with, but outside of, the Infrastructure Protection Division. When DHS 
was created, the decision was made to subsume cyber security 
coordination and outreach functions under an Assistant Secretary for 
Infrastructure Protection, on the premise that the integration of 
physical security and cyber security is better managed by one person, 
and that cyber security is only one component of physical security.
    Our view, on the contrary, is that integration is best managed by 
two individuals, each experts in their respective fields, with a 
commitment to coordinating physical and cyber security where they are 
interrelated, with neither vital function subordinated to the other. It 
is clear that all of the nation's critical infrastructures, including 
water, chemicals, transportation, energy, financial services, health 
care, and others, rely significantly on computer networks to deliver 
the services that maintain our safety and national economy. It, 
therefore, is incumbent on the owners and operators of those critical 
infrastructures to manage improvements in the security of their 
information systems and to have a senior individual within the 
government, with effective influence and budget authority, who can 
coordinate collaborative efforts across critical infrastructure sectors 
and with state and local governments.
    The NCSD has indeed made some progress; we applaud the valiant 
efforts of the former director and the current acting director and 
their creative and dedicated staff. But the current integration of 
cyber security and physical security is not working. As the IT Sector 
Coordinator, co-founder of the National Cyber Security Partnership and 
Chair of the Partnership for Critical Infrastructure Security--the 
cross-sectoral council of Federally-designated sector coordinators--
ITAA has witnessed the growing demands the Congress has placed on the 
NCSD to implement policies consistent with and beyond the President's 
National Strategy to Secure Cyberspace. ITAA also has experienced 
ongoing frustration with the confusion in the NCSD and its unrealized 
potential.
    Indeed, the President's National Strategy is not being implemented 
as quickly and fully as it should, in large part, we believe, because 
the current organizational structure at DHS allows cyber security 
priorities to be marginalized against other physical security 
activities considered to have higher priority. Good management is 
always about allocating resources to the highest priorities set by both 
the Department and Congress, but too often the cyber security function 
has suffered from missteps, and an increasing inability to meet the 
growing challenges that have been identified by Congress, government 
entities and the private sector.

Among them:
        • DHS took several months to provide formal response to 
        major private sector recommendations emerging from the December 
        2003 National Cyber Security Summit (see 
        www.cyberpartnership.org), conducted in partnership with DHS 
        and Secretary Ridge and designed to act on the President's 
        National Strategy;
        • A major ``Partner Program'' conference scheduled last 
        year with industry and DHS was abruptly cancelled days before 
        the event without explanation;
        • The development of implementing regulations under the 
        Homeland Security Act to protect critical infrastructure 
        information (PCII) voluntarily submitted by private sector 
        entities fails to facilitate information flows--as the law 
        intended--from the private sector custodians of cyber security 
        early warning, analysis, and forensics--to DHS. The IT-ISAC, 
        for example, has submitted no critical cyber security 
        information to DHS under this program, because the prescribed 
        process does not reflect the realities of information 
        management and proprietary business information within the 
        private sector;
        • DHS attempts to reorganize the private-sector ``Sector 
        Coordinator'' and ISAC structures under Homeland Security 
        Presidential Directive 7 proceeded against the counsel of 
        several critical infrastructure representatives whose views may 
        have been better reflected in this DHS initiative had they been 
        heard at a more senior political level--such as an Assistant 
        Secretary--with guiding authority over staff;
        • NCSD's cyber security R&D budget authority remains low 
        and ineffectual. A division with an Assistant Secretary at the 
        helm would likely command more resources; and
        • It will not be until November of 2005 before we have a 
        full cyber threat and attack exercise as a component of the 
        DHS/industry critical infrastructure protection/emergency 
        response exercises in the TOPOFF series, despite the real and 
        identified threat of a coordinated physical/cyber attack on one 
        or more of our critical infrastructures.
    The resulting bipartisan proposal within the Intelligence Reform 
bill to authorize the creation of an Assistant Secretary for Cyber 
Security underscores Congressional demands for a confirmable position 
of increased leadership within DHS that reflects the need for greater 
accountability to Congress.

Congressional Leadership
    Last year, an amendment in the 9/11 bill creating the Assistant 
Secretary position was removed because of confusion during 11th hour 
negotiations. What was clear, however, was a White House position of 
``no objection'' to the bill. Administrations as a matter of principle 
object to Congressional micromanagement of the President's 
organizational prerogatives. The official White House position of 
neutrality in this particular case, however, speaks volumes, in our 
view, about the level of support within the White House for an 
improvement in the functioning of the cyber security activities of DHS.
    The House Subcommittee on Cyber Security, Science and Research & 
Development underscored the need for an Assistant Secretary in its 
December 2004 Report on Cyber Security for the Homeland. The 
Subcommittee cited creation of this position as one of six ``core'' 
areas in its cyber security roadmap for the future.
    We wholeheartedly applaud and support Congress in its efforts to 
provide the legislative impetus for this important position, and 
accordingly support H.R. 285.
    While we believe the Assistant Secretary position is critical, it 
is not the only critical step remaining in this journey. The cyber 
security threat is constantly changing, and Congress has a role in 
assuring that adequate investment is made in safeguarding critical 
infrastructure and the U.S. economy from next generation threats.
    Practical steps involve increasing appropriations for cyber 
security research as authorized in the Cyber Security Research and 
Development Act of 2002. More research is needed to improve information 
systems, and identify and reduce their vulnerabilities. Congress should 
also authorize and appropriate increases in the funding of NIST to 
support its Computer Security Division--a critical resource in the 
development of computer security standards and best practices for the 
private sector and government agencies.
    Congress should also act to encourage the private sector to adopt 
more rigorous information security practices. For instance, lawmakers 
should explore whether, and under what circumstances, commercially 
viable information security insurance can be used as a market driver 
toward improvements in information security management in the 
enterprise. Other potentially productive strategies include considering 
limits on liability from cyber security breaches for companies that 
implement industry-agreed practices and creating economic incentives 
for information security technology procurement and implementation.
    Finally, the Senate should ratify the Council of Europe Convention 
on Cyber Crime, signed by the United States in November 2001.

Conclusions
    No government executive will create single-handedly the policies or 
regulations to herald a new age of information security or to make 
cyber vulnerability a thing of the past. Logic tells us that we have 
turned a corner in our reliance on the Internet, and that along with 
the many blessings of the information economy and the knowledge society 
come the risks posed by the cyber delinquent, cyber criminal and cyber 
terrorist. A responsible government takes the steps necessary to 
maximize the benefits and to manage the risks appropriately.
    Creating an Assistant Secretary for Cyber Security advances the 
cause of information security, introducing practical advantages and 
sending an important symbolic message. Much needs to be done to improve 
the performance and to elevate the position of cyber security as an 
issue in the Administration, to coordinate information security across 
disparate government agencies, and to build the necessary bridges 
between the federal government and critical infrastructure industries. 
For far too long, the federal government's symbolic role in information 
security has gone begging--the ``bully pulpit'' stands empty. 
Consumers, small businesses and other organizations peg their response 
to various issues by the actions (or lack thereof) of policymakers. We 
believe that cyber security is one such issue.
    In calling for the increased leadership that we believe an 
Assistant Secretary will bring to the goal of heightened cyber 
security, industry also stands ready to do its part--and the good news 
is that we have done much already. An ITAA-commissioned survey 
conducted by the University of Southern California's Institute for 
Critical Information Infrastructure Protection (ICIIP) at the Marshall 
School of Business identified 175 examples of cyber security enhancing 
products, services or activities from 65 responding organizations, 
including cross-sectoral and vertical industry groups and trade 
associations, multinational and owner-operated businesses, academic 
institutions, and professional societies. Intrusion detection and early 
warning networks, structures for information sharing, enhanced 
commercial products across an array of information security 
functionalities, guides, white papers, no-charge anti-virus protections 
and automatic software update capabilities are just some examples of 
the industry-led strides to raise the nation's cyber security profile.
    The federal government faces a full agenda of cyber security 
issues. The challenges of providing critical infrastructure protection 
are formidable today and are likely to be even more significant in the 
future. An Assistant Secretary for Cyber Security can make an important 
difference. We thank the Subcommittee for bringing this important issue 
to the attention of the American people.
    Thank you very much.

    Mr. Lungren. The Chair will now recognize Mr. Paul Kurtz, 
the executive director of the Cybersecurity Industry Alliance, 
to testify.

  STATEMENT OF PAUL KURTZ, EXECUTIVE DIRECTOR, CYBER SECURITY 
                       INDUSTRY ALLIANCE

    Mr. Kurtz. Thank you, Mr. Chairman. Thank you, Ranking 
Member Sanchez.
    I want to recognize, as Amit and Harris have done, the work 
of Congressman Thornberry and Congresswoman Lofgren in putting 
together this piece of legislation. As executive director of 
CSIA, I am also pleased to speak on behalf of the Business 
Software Alliance on the need for an Assistant Secretary for 
Cybersecurity at DHS.
    We want to urge early and urgent passage of H.R. 285. Since 
the late 1990s, we have spoken of a partnership to secure the 
critical infrastructure. For this partnership to work and to 
truly be successful and not be simply rhetoric, we need a clear 
leader in the Department of Homeland Security to act as the 
focal point.
    A director or a deputy-assistant-secretary-level position 
does not have the sufficient stature, programmatic authority or 
accountability to reach across government and industry sectors. 
A leader in securing the critical infrastructure must have the 
authority and resources to accomplish this important and 
complex mission. This leader must be at least at the assistant 
secretary level to have the impact needed.
    Unlike other sectors, the information infrastructure is 
dynamic. It will continue to evolve for the foreseeable future. 
Changes within the information infrastructure are driving 
change in all other sectors. Cyber and physical infrastructure 
security will receive greater respect and attention with an 
Assistant Secretary for Cybersecurity working alongside another 
assistant secretary focused on the protection of the physical 
structure while remaining integrated under an Under Secretary 
for IAIP.
    It is particularly important that the Assistant Secretary 
for Cybersecurity have primary authority over the National 
Communications System, which is, of course, included in this 
bill. This is important given the convergence of data and voice 
networks.
    As you know, the National Communications System has control 
over priority communications. These networks proved critical in 
the immediate aftermath of 9/11. CSIA strongly believes that 
the government needs a comprehensive approach to cybersecurity, 
and by establishing an assistant secretary, we can do much better 
than we are today.
    I think there are three documents that we could look at 
that set out the government's overall policy or the 
administration's policy in cybersecurity. The first is the 
President's National Strategy, the second is Homeland Security 
Presidential Directive Number 7, and the third is the National 
Response Plan.
    There are some common characteristics among those 
documents. I think in the first instance, it is worthwhile 
pointing out that these documents bound, if you will, the 
responsibilities of DHS--they don't, and DHS too, if you will, 
boil the ocean. They bound their responsibilities in the area 
of creating an emergency communications network in case of an 
attack, to prepare contingency plans in the case of an attack, 
to carefully look at reconstitution issues in case of an 
attack, to look at early warning issues; for example, if the 
government has the means to understand through intelligence 
assets that might be overseas or here, to pass that information 
on to the private sector, and it might not be readily available 
to the private sector. Those are private tasks that the 
Department of Homeland Security has been given under the three 
documents I mentioned.
    The progress to date at the Department has not been what 
you would hope. They have a myriad of programs set up, 
wonderful intentions, but at the end of the day, they are not 
succeeding in those very critical tasks that are so important 
to our economic and national security.
    If I were to prioritize those tasks, they would be just as 
I have outlined. It would be simply working on to identify and 
prioritize critical infrastructure related to information 
systems, prepare for contingencies by ensuring that we have 
survivable communications in place, work closely with the 
private sector on any sort of reconstitution plans that need to 
be put in place, provide warning of disruption, provide early 
warning of an attack through intelligence means. These tasks 
can really only be effectively done at the assistant secretary 
level or higher. They cannot be done at a lower level.
    I want to speak very quickly, before I close, on the 
difference between cyber and physical infrastructure. By 
advocating for an Assistant Secretary of Cybersecurity, we are 
not dismissing the need to integrate cyber and physical 
infrastructure protection, nor are we saying that the 
protection of cyberinfrastructure is more important than the 
protection of physical infrastructure. Although it is--
increasingly the IT infrastructure is a critical component in 
the operation of our physical infrastructures.
    Cyberinfrastructure is attacked and defended differently 
than the physical infrastructure. Cyberinfrastructure is 
largely defended by technical specialists, not through guns, 
gates, guards and cameras. Vulnerabilities are discovered 
through technical means and often require immediate remediation 
involving a variety of parties across different sectors of the 
economy.
    A cyberattack may be launched remotely, requiring no 
physical access to a target. Cyberattacks may not necessarily 
be abrupt. For instance, a cyberattack may be low and slow, 
changing or otherwise corrupting political data over an 
extended period of time.
    The infrastructure is dynamic, constantly changing. Amit 
and Harris have addressed this. But I want to point out also, 
in the event of an event of national significance affecting one 
or more sectors across the economy, we are going to turn to our 
information systems to help bail us out.
    The National Communications System post-9/11 helped us in 
that environment. By the way, the National Communications 
System under DOD was run by a lieutenant general. Now we are at 
an acting--acting director level. It is important that we have 
an assistant secretary in place as soon as possible. During Q 
and A I would be happy to speak to source issues.
    Thank you.
    Mr. Lungren. Thank you very much, Mr. Kurtz.
    [The statement of Mr. Kurtz follows:]

                  Prepared Statement of Paul B. Kurtz

    Thank you, Chairman Lungren and Ranking Member Sanchez for inviting 
the Cyber Security Industry Alliance (CSIA) to testify before this 
subcommittee in reference to HR 285. I would also like to acknowledge 
Congressman Thornberry and Congresswoman Lofgren for their continued 
efforts in support of an Assistant Secretary for Cyber Security 
position in DHS. Their bi-partisan work is evident in their co-
sponsorship of this bill.
    As Executive Director of CSIA, I am pleased to speak about the need 
for an Assistant Secretary for Cyber Security in the Department of 
Homeland Security. CSIA supports rapid passage of HR 285.
    The members of the Business Software Alliance also support this 
legislation and I am also speaking on their behalf.
    Since the late 1990s, we have spoken of a ``partnership'' to secure 
the critical infrastructure of the United States, particularly the 
information infrastructure, since it is owned and operated by the 
private sector. For this partnership to truly be successful and not 
simply rhetoric, we need a clear leader in the Department of Homeland 
Security to act as a focal point for this partnership. A Director-level 
position does not have the sufficient stature or programmatic authority 
for accountability, or to reach across sectors. A leader in securing 
the critical infrastructure must have the authority and resources to 
accomplish this important and complex mission.
    This leader must be at least at the Assistant Secretary level to 
have the impact that is needed.
    Unlike other sectors, the information infrastructure is dynamic and 
will continue to evolve for the foreseeable future. Changes within the 
information infrastructure are driving change in all other sectors. 
Cyber and physical infrastructure security will receive greater 
respective attention with an Assistant Secretary for Cyber Security 
working alongside the Assistant Secretary for Infrastructure 
Protection, while remaining integrated under the leadership of the 
Undersecretary for Infrastructure Protection and Information Analysis. 
It is particularly important that the Assistant Secretary for Cyber 
Security have primary authority over the National Communications 
System, given the convergence of voice and data networks.
    CSIA strongly believes that the Federal government needs a 
comprehensive approach to cyber security protection. The establishment 
of an Assistant Secretary for Cyber Security in the Department of 
Homeland Security is a critical initial step in this approach.
    I will cover three areas in my testimony:
        • A brief introduction to CSIA
        • An overview of the roles and responsibilities of the 
          Department of Homeland Security in the area of cyber security
        • The importance of clear leadership on the issue of 
          cyber security

Introduction to CSIA
    CSIA is dedicated to enhancing cyber security through public policy 
initiatives, public sector partnerships, corporate outreach, academic 
programs, alignment behind emerging industry technology standards and 
public education. CSIA is the only CEO-led public policy and advocacy 
group exclusively focused on cyber security policy issues. We believe 
that ensuring the security, integrity and availability of global 
information systems is fundamental to economic and national security. 
We are committed to working with the public sector to research, create 
and implement effective agendas related to national and international 
compliance, privacy, cybercrime, and economic and national security. We 
work closely with other associations representing vendors as well as 
critical infrastructure owners and operators, as well as consumers.
    Members of the CSIA include BindView Corp; Check Point Software 
Technologies Ltd.; Citadel Security Software Inc.; Citrix Systems, 
Inc.; Computer Associates International, Inc.; Entrust, Inc.; Internet 
Security Systems Inc.; iPass Inc.; Juniper Networks, Inc.; McAfee, Inc; 
PGP Corporation; Qualys, Inc.; RSA Security Inc.; Secure Computing 
Corporation; Symantec Corporation and TechGuard Security, LLC.
    CSIA understands that the private sector bears a significant burden 
for improving cyber security. CSIA embraces the concept of sharing that 
responsibility between information technology suppliers and operators 
to improve cyber security. Cyber security also requires non-partisan 
government leadership. Work to strengthen cyber security began in the 
Clinton administration. The Bush administration has continued and 
boosted this work, through the creation of the National Strategy to 
Secure Cyberspace. The National Strategy remains timely and salient.

Roles and Responsibilities
    Last December, the Cyber Security Industry Alliance released an 
agenda for the administration that outlined twelve steps to help build 
a more secure critical infrastructure that called for an Assistant 
Secretary level post in the Department of Homeland Security. To 
understand why we feel this is critically important to the protection 
of our cyber infrastructure, I thought it would be helpful to expand on 
the Agenda and offer a framework to help define Federal versus private 
sector responsibilities in the area of cyber security.
    By outlining the responsibilities of the Department of Homeland 
Security in the area of cyber security, we feel that the need for an 
Assistant Secretary-level position can be better understood.
    Three Federal documents provide a framework for Federal 
responsibilities to secure cyberspace:
        • The President's National Strategy to Secure Cyberspace 
          (February 14, 2003)
        • Homeland Security Presidential Directive-7 (December 
          17, 2003)
        • The National Response Plan's Cyber Incident Annex 
          (January 6, 2005)

President's National Strategy to Secure Cyberspace
    The President's National Strategy is an appropriate place to start. 
While the Strategy's recommendations receive substantial attention, it 
also provides clear policy guidance on the Federal government's role. 
The President's cover letter for the Strategy states:
    ``The policy of the United States is to protect against the 
debilitating disruption of the operation of information systems for 
critical infrastructures and, thereby help to protect the people, 
economy, and national security of the United States.'' He continues, 
``We must act to reduce our vulnerabilities to these threats before 
they can be exploited to damage the cyber systems supporting our 
nation's critical infrastructure and ensure that such disruptions of 
cyberspace are infrequent, of minimal duration, manageable and cause 
the least damage possible.''
    The strategy adds some additional guidance on its role, noting that 
it is appropriate for the government to assist with forensics, attack 
attribution, protection of networks and systems critical to national 
security, indications and warnings, and protection against organized 
attacks capable of inflicting debilitating damage to the economy.
    Additionally, Federal activities should also support research and 
development that will enable the private sector to better secure 
privately-owned portions of the nation's critical infrastructure.
    These statements lead to the conclusion that Federal activity is 
bounded to protecting against debilitating attacks against critical 
infrastructure, attack attribution for national security systems, 
forensics and research and development.
    The Strategy also sets specific responsibilities for Federal 
agencies, including the Department of Homeland Security. The Strategy 
states that the Department should:
        • Develop a comprehensive plan to secure critical 
          infrastructure.
        • Provide crisis management and technical assistance to 
          the private sector with respect to recovery plans for failures 
          of critical information systems.
        • Coordinate with other Federal agencies to provide 
          specific warning information and advice about appropriate 
          protective measures and countermeasures to state, local and 
          nongovernmental organizations including the private sector, 
          academia and the public.
        • Perform and fund research and development along with 
          other agencies that will lead to new scientific understanding 
          and technologies in support of homeland security.
    It is important to note that the Strategy does not place 
responsibility for every problem associated with cyber security with 
DHS, but focuses its role on contingency planning and emergency 
communications--two critical areas of defense against threats to our 
national security.
HSPD-7
    HSPD-7 establishes the U.S. government's policy for the 
identification and protection of critical infrastructure from terrorist 
attacks. It advances the President's strategy in a number of areas and 
helps further refine the Federal government's role in securing 
cyberspace.
    HSPD-7 focuses in large part on the identification and protection 
of assets that if attacked would cause catastrophic health effects or 
mass casualties comparable to those from the use of a weapon of mass 
destruction. It also addresses the protection of infrastructure that if 
attacked would:
        • Undermine state and local government capacities to 
          maintain order and to deliver minimum essential public 
          services.
        • Damage the private sector's capability to ensure the 
          orderly functioning of the economy and delivery of essential 
          services.
        • Have a negative effect on the economy through the 
          cascading disruption of other critical infrastructure and key 
          resources.
        • Undermine the public's morale and confidence in our 
          national economic and political institutions.
    HSPD-7 designated the Department of Homeland Security as a focal 
point for information infrastructure protection, including cyber 
security, stating:
    ``The Secretary will continue to maintain an organization to serve 
as a focal point for the security of cyberspace. The organization's 
mission includes analysis, warning, information sharing, vulnerability 
reduction, mitigation, and aiding national recovery efforts for 
critical infrastructure information systems.''

The National Response Plan's Cyber Incident Annex
    The National Response Plan (NRP) upholds the President's National 
Strategy to Secure Cyberspace and HSPD-7. The NRP Cyber Incident Annex 
states that the Federal government plays a significant role in managing 
intergovernmental (Federal, state, local and tribal) and, where 
appropriate, public-private coordination in response to cyber incidents 
of national significance.

A Framework for Federal Action
    The President's National Strategy to Secure Cyberspace, 
Presidential Directive 7 and the National Response Plan yield a 
possible two-tier framework for Federal responsibility.
    Tier One--Functions Critical to U.S. Economic and National Security
        1. Identify and prioritize critical information infrastructure 
        that if disrupted would have a debilitating impact on critical 
        infrastructure or systems essential to U.S. economic or 
        national security
        2. Prepare for such contingencies by ensuring survivable 
        communications networks among key critical information 
        infrastructure operations in the government and private sector
        3. Prepare contingency plans in the event of a disruption that 
        include crisis management and restoration of critical networks, 
        and regularly exercise, test and refine these plans.
        4. Provide warning of attack or disruption to critical 
        infrastructure owners and operators from resources or 
        capabilities that are not available to the private sector 
        through such means as intelligence.
    Tier Two--Supporting Functions that Improve Coordination, 
Awareness, Education and Personnel Readiness
        1. Facilitate coordination between individual sectors of the 
        economy by establishing appropriate government advisory 
        committees
        2. Facilitate and support general awareness among all 
        information system users, including home users and small 
        businesses
        3. Track trends and costs associated with information 
        infrastructure attacks and disruptions, through such means as 
        U.S. CERT.
        4. Coordinate and support long-term research and development 
        for cyber security.

The Importance of Clear Leadership on the Issue of Cyber Security
    When you look closely at the responsibilities of The Department of 
Homeland Security in the area of cyber security, you see that while it 
may be narrowly defined, its responsibilities are extremely significant 
to our economic and national security. DHS is the government's focal 
point for the prevention, response and recovery from cyber security 
incidents that have a debilitating impact on our national and economic 
security. While the private sector has a critical role to play in the 
protection of critical information infrastructure, DHS serves as the 
government's and nation's point of coordination for all our efforts. 
Senior DHS leadership is needed to build an effective government-
private sector relationship, to understand the technical and global 
complexities of cyber security, and to marshal the resources necessary 
to provide an effective partnership with private sector organizations 
and initiatives.

Cyber vs. Physical Infrastructure Protection
    By advocating for an Assistant Secretary for Cyber Security, we are 
not dismissing the need to integrate cyber and physical infrastructure 
protection. Nor are we saying that the protection of the cyber 
infrastructure is more important than the protection of the physical 
infrastructure--although it is increasingly a critical component in the 
operation of our physical infrastructures, and in fact, it cuts across 
all of our physical infrastructures. The physical and cyber 
infrastructures are related, but they are fundamentally different in a 
variety of ways. For example:
        • Cyber infrastructure is attacked and defended 
          differently than the physical infrastructure. Cyber 
          infrastructure is largely defended by technical specialists, 
          not through guns, gates, guards, and cameras. Vulnerabilities 
          are discovered through technical means and often require 
          immediate remediation involving a variety of parties across 
          different sectors of the economy. A cyber attack may be 
          launched remotely, requiring no physical access to a target. 
          Cyber attacks may not necessarily be abrupt. For example, a 
          cyber attack may be ``low and slow,'' changing or otherwise 
          corrupting critical data over an extended period of time.
        • Cyber infrastructure is dynamic, where the physical 
          infrastructure is more static. For example, power plants, power 
          lines, chemical plants, railroads, bridges remain stationary 
          with more gradual changes in technology, where information 
          networks are rapidly changing. An IP-based transaction may 
          traverse the globe via satellite, wireless, or terrestrial 
          cable. The technologies that support these different means are 
          changing rapidly.
    In an event of national significance affecting one or more of the 
physical infrastructures, the cyber infrastructure takes on additional 
responsibility for ensuring we have the ability to coordinate and 
respond to attacks. Our IT infrastructure is operational; without it, 
our national response capability is crippled.
    We believe it is appropriate to have an Assistant Secretary for 
Cyber Security working alongside an assistant secretary responsible 
for securing the physical infrastructure under the leadership of an 
Under Secretary as proposed in H. 285.

Conclusion
    Mr. Chairman, we are seeing increased threats and vulnerabilities 
associated with our information infrastructure. We rely upon our 
information infrastructure, yet there is no one clearly in charge of 
coordinating its security and reliability. Presidential guidance and 
the Homeland Security Act clearly identify the Department of Homeland 
Security as the most appropriate focal point for coordinating the 
protection of our information infrastructure. We strongly support HR 
285 and its creation of a more senior position at DHS to lead efforts 
to build a more secure information infrastructure for both the 
government and private sector.

    Mr. Lungren. The Chair now recognizes Catherine Allen, 
president and CEO of BITS, a division of the Financial Services 
Roundtable, to testify.

    STATEMENT OF CATHERINE ALLEN, PRESIDENT AND CEO, BITS, 
                 FINANCIAL SERVICES ROUNDTABLE

    Ms. Allen. Thank you very much. Thank you, Chairman Lungren 
and committee members, for the opportunity to testify before 
the committee. We commend Congressman Thornberry and 
Congresswoman Lofgren on the bill.
    I am Catherine Allen, CEO of BITS, a nonprofit industry 
consortium of the largest 100 financial institutions in the 
U.S. We are a nonlobbying division of the Financial Services 
Roundtable. Our mission is to serve the financial services 
needs at the interface between commerce, technology and 
financial services. We work with government organizations, DHS, 
Treasury, Federal financial regulators, the Federal Reserve and 
other technology associations.
    Given the short amount of time, I want to focus on three 
major points today: First, the state of cybersecurity; second, 
reasons in favor of elevating the cybersecurity position at 
DHS; and third, steps the government could take to strengthen 
cybersecurity.
    My written statement contains additional information on 
BITS, cybersecurity, crisis management, critical 
infrastructure, management of outsources and fraud reduction 
efforts. It also contains suggestions that BITS has given to 
DHS in the past, as well as others on how to strengthen 
cybersecurity.
    The importance of cybersecurity cannot be overstated. Our 
Nation's economic and national security relies on the security, 
reliability, recoverability, continuity and maintenance of 
information systems. The security and reliability of the 
information systems are increasingly linked to consumer and 
investor confidence.
    As I speak, criminals are writing code to compromise 
systems. Viruses are epidemic. Hackers are closing the window 
between the discovery of a flaw and the release of a new virus, 
now an average of 5.8 days. Over 1,200 new security flaws were 
discovered just in the last 6 months of 2004.
    Beyond threats to our Nation's infrastructure, leaders in 
the financial services industry are growing increasingly 
concerned about the impact on consumer confidence. As one 
example, fraudsters are finding new ways to trick consumers in 
providing initial information that can facilitate ID theft 
through phishing, pharming and other e-scams.
    The financial services industry has been aggressive in its 
efforts to strengthen cybersecurity and reduce fraud. We are 
sharing information; analyzing threats; creating best 
practices; urging the software and technology providers to do 
more to secure their products and services, something we call a 
higher duty of care; and combating fraud and identity theft.
    Just last week BITS and the Roundtable announced the 
permanent creation of an Identity Theft Assistance Center, a 
free service to financial institution customers that helps 
victims restore their financial identity. The ITAC has helped, 
to date, nearly 700 consumers restore their financial 
identities since it became operational last August. The ITAC 
information is shared with law enforcement to help prosecute 
the perpetrators, and the ITAC is the cornerstone of a broader 
industry effort to detect and prevent fraud, help victims 
address the causes of identity theft and prosecution of 
fraudsters.
    In a related effort, BITS created a phishing prevention and 
investigation network, again helping our industry to shut down 
on-line scams and aid in investigating perpetrators and 
providing a united front with law enforcement.
    Last year I submitted a letter in support of a proposal to 
elevate the position of Cybersecurity Director at the 
Department of Homeland Security to the assistant secretary 
level. We support rapid passage of H.R. 285. Cybersecurity is 
handled in DHS at a level far below where most financial 
services corporations handle the issues today, and that is at 
the board-room level. Elevating this critical position and 
ensuring that adequate funding is provided will help us to 
focus greater attention on cybersecurity issues within the 
government and provide a more senior-level dialogue with the 
private sector. It will enable implementation of many key 
elements that were identified in the administration's National 
Strategy to Secure Cyberspace.
    Much of the focus at DHS has been on physical security. 
While that is important, we believe there are several areas 
that need much more focus. It starts with cybersecurity, but 
also a means addressing the interdependencies between our 
sector and other critical infrastructures, including the 
telecommunications and power industries. They, too, rely and 
need a strengthened cybersecurity effort. Elevating the 
cybersecurity position within DHS should be a first significant 
step as part of a broader strategy to strengthen 
cybersecurity.
    For the record, it is important for the committee to 
understand that the financial regulators are taking 
cybersecurity issues seriously. Treasury is a sector leader. 
DHS plays an important role in bringing the other sectors along 
in addressing the cybersecurity issues.
    We believe that there is much more that can be done to 
strengthen cybersecurity. My written statement includes a more 
detailed review of seven key elements that the Federal 
Government should support to ensure information technology 
security. I refer to them by the acronym PREPARE.
    The first is promote, playing an important role of 
promoting the importance of secure information technology and 
in facilitating collaboration.
    The second is responsibility, promoting shared 
responsibility between the suppliers and the end users for 
developing, deploying and maintaining secure information 
software and networks.
    The third is educate. All sectors should make it a priority 
to communicate to all users of information technology the 
importance of safe practices.
    The fourth is procure, using its purchasing power to 
leverage security requirements, such as software testing. Along 
with employing best practices developed by public and private 
sectors, the government can play an important role in 
encouraging the changes that need to take place.
    The fifth is analyze. Government should collect and provide 
to the critical infrastructures and policymakers the kinds of 
statistics we need on threats, risks and vulnerabilities.
    The next to last is research. The government can play an 
important role in funding R&D in the development of more secure 
software development practices, testing and certification 
programs.
    Lastly, enforce. Law enforcement must do more to enforce, 
investigate and prosecute cybercrimes here and abroad. E-crimes 
are growing and undermine our economy. Law enforcement must 
have the resources and mandate to go forward.
    In conclusion, the financial services sector is a key part 
of the Nation's critical infrastructure. Customer trust in the 
security of financial transactions is vital to the security of 
not only the infrastructure, but the strength of the Nation's 
economy. Our sector is a target of cybercriminals as well as 
terrorists. We have a vested interest in this being raised to a 
higher level of dialogue in the community.
    We have taken major strides to respond to the risks that we 
have today. We need the government to support these efforts, to 
support cybersecurity, with the same level of the energy, 
resources and stature as protecting physical security through 
DHS. Elevating the cybersecurity position to an assistant 
secretary level is a step in the right direction, but there is 
much more that is needed.
    Thank you for the opportunity to testify.
    Mr. Lungren. Thank you very much, Ms. Allen.
    [The statement of Ms. Allen follows:]

                Prepared Statement of Catherine A. Allen

Introduction
    Thank you, Chairman Lungren and Ranking Member Sanchez, for the 
opportunity to submit testimony before the House Committee on Homeland 
Security's Subcommittee on Economic Security, Infrastructure Protection 
and Cybersecurity about proposed legislation to elevate the Cyber 
Security Director at the Department of Homeland Security (DHS) to the 
Assistant Secretary level.
    I am Catherine Allen, CEO of BITS, a nonprofit industry consortium 
of 100 of the largest financial institutions in the U.S. BITS is the 
non-lobbying division of The Financial Services Roundtable. BITS' 
mission is to serve the financial services industry's needs at the 
interface between commerce, technology and financial services. BITS 
members hold about $9 trillion of the nation's total managed financial 
assets of about $18 trillion. BITS works as a strategic brain trust to 
provide intellectual capital and address emerging issues where 
financial services, technology and commerce intersect. BITS' activities 
are driven by the CEOs and their direct reports--CIOs, CTOs, Vice 
Chairmen and Executive Vice President-level executives of the 
businesses. BITS works with government organizations including the U.S. 
Department of Homeland Security, U.S. Department of the Treasury, 
federal financial regulators, Federal Reserve, technology associations, 
and major third-party service providers to achieve its mission. 
Attached to this statement is an overview of our work related to cyber 
security, crisis management coordination, critical infrastructure 
protection, and fraud reduction.
    The importance of cyber security cannot be overstated. Our nation's 
economic and national security relies on the security, reliability, 
recoverability, continuity, and maintenance of information systems. IT 
security has a direct and profound impact on the government and private 
sectors, and the nation's critical infrastructure. Further, the 
security and reliability of information systems is increasingly linked 
to consumer and investor confidence.
    As I speak, hackers are writing code to compromise systems. Viruses 
are epidemic. Hackers are closing the window between the discovery of a 
flaw and the release of a new virus. Fraudsters are finding new ways to 
trick consumers into providing personal information that can facilitate 
ID theft. Beyond threats to our nation's infrastructure, leaders in the 
financial services industry are growing increasingly concerned with the 
impact on consumer confidence.
    The financial services industry has been aggressive in its efforts 
to strengthen cyber security. We are sharing information, analyzing 
threats, urging the software and technology industries to do more to 
provide more secure products and services, and combating fraud and 
identity theft. Just last week, BITS and The Roundtable announced the 
results of a pilot of the Identity Theft Assistance Center (ITAC). The 
ITAC has helped nearly 700 consumers restore their financial identities 
since it became operational last August. The ITAC is a free service to 
financial institution customers. It is a key part of industry efforts 
to help victims and address the causes of identity theft.
    Last year I submitted a letter in support of a proposal to elevate 
the position of Cyber Security Director at the Department of Homeland 
Security to the Assistant Secretary level (Attachment A).
    BITS and The Financial Services Roundtable support this effort to 
increase the administration's focus on cyber security concerns and 
address our sector's concerns. While much of DHS' focus has been on 
physical security, it has not focused enough attention on addressing 
cyber security concerns. Elevating the cyber security position is a 
small step as part of a broader strategy to strengthen cyber security. 
Cyber security is handled at a level far below where most corporations 
handle the issues today. Elevating this critical position and ensuring 
that adequate funding is provided will help to focus greater attention 
on cyber security issues within the government and throughout the 
private sector and thus implement many areas identified in the 
Administration's National Strategy to Secure Cyberspace.
    Since the creation of DHS in March 2003, BITS has worked closely 
with many DHS officials, including the director and acting director of 
the Cyber Security Division. We have provided numerous suggestions for 
DHS actions to strengthen cyber security and ways it can work in 
partnership with leaders in the private sector. Earlier this year, the 
National Cyber Security Division convened a ``retreat'' of 
representatives from the major associations (e.g., BITS, Center for 
Internet Security, Cyber Security Industry Alliance, Educause, 
Information Technology Association of America, ISAlliance, Technet, 
SANS Institute, U.S. Chamber of Commerce), individual companies (e.g., 
IBM, Microsoft, RSA), law enforcement (e.g., Federal Bureau of 
Investigations, U.S. Secret Service) and government (e.g., Central 
Intelligence Agency, Commerce Department, Defense Department, Homeland 
Security Department, House of Representatives, Justice Department, 
Treasury Department, National Security Agency). DHS played an important 
leadership role in convening the meeting and other meetings of the US-
CERT program. Attachment B is a summary of answers to several questions 
DHS officials asked in advance of the meeting.

More Can Be Done
    As an organizational and symbolic step, elevating this critical 
position will help to focus greater attention on cyber security issues 
within the government and throughout the private sector.
    However, this should be viewed as just one of many steps that must 
be taken to strengthen cyber security.
    Government plays an enormous role. Our nation's economic and 
national security relies on the security, reliability, recoverability, 
continuity, and maintenance of information systems. IT security has a 
direct and profound impact on the government and private sectors, and 
the nation's critical infrastructure. Further, the security and 
reliability of information systems is increasingly linked to consumer 
and investor confidence. In recent years, members of the user community 
that rely on technology provided by the IT industry--private-sector 
companies, universities and government agencies--are demanding greater 
accountability for the security of IT products and services.

PREPARE
    The federal government can play an important role in protecting the 
nation's IT assets. The following are seven key elements that the U.S. 
government should support to secure information technology.
    Promote. Government can play an important role in promoting the 
importance of secure information technology. Also, government should do 
more to facilitate collaboration among critical infrastructure sectors 
and government. Some sectors, such as financial services, are heavily 
regulated and supervised to ensure that customer information is 
protected and that financial institutions operate in a safe and sound 
manner. Examples of actions the government can take include:
        • Government should lead by example by ensuring that the 
        issue of cyber security receives adequate attention in the 
        Department of Homeland Security. Today, cyber security is 
        handled at a level far below where most corporations handle 
        these issues. Congress could create a more senior-level policy 
        level position within DHS to address cyber security issues and 
        concerns and ensure that adequate funding is provided.
        • Strengthen information sharing coordination 
        mechanisms, such as the Information Sharing and Analysis 
        Centers (ISACs), by ensuring adequate funding is made available 
        to Federal agencies sponsoring such organizations. Information 
        sharing and trend analysis within a sector is essential to 
        protecting information security and responding to events. 
        Information sharing among sectors is equally important as cyber 
        threats sometimes reach some sectors before others.
        • Create an emergency communication and reconstitution 
        system in the event of a major cyber attack or disruption of 
        information networks. Such an attack or disruption could 
        potentially cripple many of the primary communication channels. 
        To allow maximum efficiency of information dissemination to key 
        individuals in such an event, a thorough and systematic plan 
        should be in place. The financial services industry has 
        developed such a plan for industry-specific events in the BITS/
        FSR Crisis Communicator. Other organizations have developed 
        similar communication mechanisms. These emergency 
        communications programs should be examined as potential models 
        for a national cyber security emergency communication system.
        • Reform of the Common Criteria/National Information 
        Assurance Partnership (NIAP). The current software 
        certification process is costly, inefficient, used on a limited 
        basis by the Federal government, and virtually unknown to the 
        private sector. NIAP should be reformed so that it is more cost 
        effective for vendors to seek certification while ensuring 
        consistent Federal procurement practices and expanded 
        commercial adoption of NIAP-certified products. The BITS 
        Product Certification Program may well be able to serve as a 
        model.
    Responsibility. Government should promote shared responsibility 
between suppliers and end users for developing, deploying, and 
maintaining secure information networks. Government can play an 
important role in establishing incentives and making producers of 
software and hardware accountable for the quality of their products. 
Examples of actions the government can take include:
        • Provide tax or other incentives for achieving higher 
        levels of Common Criteria certification. Incremental incentives 
        would help to compensate companies for the time and cost of 
        certification. This should encourage certification and increase 
        the overall security of hardware and software.
        • Provide tax or other incentives for certification of 
        revised or updated versions of previously certified software. 
        Under Common Criteria, certification of updated versions is 
        costly and time consuming. Incentives are necessary to ensure 
        that all software is tested for security.
        • Require software providers to immediately notify ISACs 
        of newly discovered cyber threats and to provide updated 
        information on such threats until an effective patch is 
        provided. It is vital that critical infrastructure companies 
        receive immediate notice of serious vulnerabilities.
        • Establish requirements that improve the patch-
        management process to make it more secure and efficient and 
        less costly to organizations.
    Educate. Communicate to all users of information technology the 
importance of safe practices. Public confidence in e-commerce and e-
government is threatened by malicious code vulnerabilities, online 
fraud, phishing, spam, spyware, etc. Ensuring that users (home users, 
businesses of all sizes, and government) are aware of the risks and 
take appropriate precautions is an important role for government and 
the private sector. Examples of actions the government can take 
include:
        • Fund joint FTC/DHS consumer cyber security awareness 
        campaign. The FTC should focus its efforts on building consumer 
        awareness, and DHS should coordinate more detailed technical 
        education regarding specific serious threats. In addition, 
        government employees should be trained in proper cyber safety 
        measures.
        • Train government employees on proper cyber security 
        measures.
        • Educate corporate executives and officers regarding 
        their duties under Sarbanes-Oxley, GLBA, and HIPAA as they 
        relate to cyber security.

    Procure. Using its purchasing power and leveraging security 
requirements and best practices developed by the public and private 
sectors, government can play an important role in encouraging the IT 
industry to deliver and implement more secure systems. Examples of 
actions the government can take include:
        • Require high levels of cyber security in software 
        purchased by the government through procurement procedures. 
        Extend such requirements to software used by government 
        contractors, subcontractors, and suppliers.
        • Provide NIST with adequate resources to develop 
        minimum cyber security requirements for government procurement. 
        NIST should include software developers and other stakeholders 
        in the standard-creation process.

    Analyze. Government should collect information and analyze the 
costs and impact of information security risks, vulnerabilities and 
threats and provide this analysis to policy makers. Examples of actions 
the government can take include:
        • Assign to the Commerce Department or another 
        appropriate agency the responsibility of tracking and reporting 
        such costs and their impact on the economy. Measuring and 
        making these costs transparent will aid law makers and 
        regulators as they assign resources to cyber security programs.

    Research. Government can play an important role in funding R&D in 
the development of more secure software development practices, testing 
and certification programs. In addition, training future generations of 
programmers, technicians and business leaders that understand and 
manage information security can be accomplished by establishing 
university and educational/certification programs. Government can help 
by facilitating collaboration with the users and suppliers of IT to 
develop standards for safe practices. Examples of actions the 
government can take include:
        • Enhance DHS, NSF, and DARPA cyber security R&D 
        funding.
        • Carefully manage long- and short-term R&D to avoid 
        duplication.
        • Establish a mechanism to share educational training 
        and curricula.

    Enforce. Law enforcement must do more to enforce, investigate and 
prosecute cyber crimes here and abroad. Examples of actions the 
government can take include:
        • Ratify the Council of Europe's Convention on 
        Cybercrime.
        • Enhance criminal penalties for cyber crimes.
        • Make cyber crimes and identity theft enforcement a 
        priority among law enforcement agencies.
        • Encourage better coordination among law enforcement 
        agencies in order to detect trends.

The Financial Services Industry Is Leading the Way in Responding to the Cyber Security Challenge
    The financial services sector is a key part of the nation's 
critical infrastructure. Customer trust in the security of financial 
transactions is vital to the stability of financial services and the 
strength of the nation's economy. At the same time, our sector is a 
favorite target of cyber criminals as well as of terrorists, as was 
made clear on 9/11.
    Since 9/11, the financial services sector has taken major strides 
to respond to the risks we face today. BITS has made coordinating 
financial services industry crisis management efforts a top priority. 
Senior executives at our member companies have dedicated countless 
hours to preparing for the worst. We have convened numerous conferences 
and meetings to bring together leaders and experts, developed emergency 
communication tools, strengthened our sector's Information Sharing and 
Analysis Center (FS/ISAC), conducted worst case scenario exercises, 
engaged in partnerships with the telecommunications sector and key 
software providers, compiled lessons learned from 9/11 and the August 
2003 blackout, developed best practices and voluntary guidelines, 
created a model for regional coalitions, developed liaisons and pilots 
with the telecommunications industry for diversity and redundancy, and 
combated new forms of online fraud. Additionally, BITS is now 
developing best practices in collaboration with the electric power 
industry.

Lessons Learned
    BITS regularly gathers and disseminates ``lessons learned'' from 
its membership. These lessons are a critical building block for BITS' 
best practices. Below are some of those lessons for the Committee to 
consider.
    We must work with other parties in the private and public sectors 
to address these issues sufficiently. We understand that the risks for 
national security and economic soundness cannot be underestimated. 
Neither can the importance of our working together to address them.
    We need to look strategically and holistically at the nation's 
critical infrastructures and what can be done to enhance resiliency and 
reliability. We urge the Committee to consider all aspects of critical 
infrastructure--the software and operating systems, the critical 
infrastructure industries, and the practices of firms, industries and 
the government--in addressing software security and vulnerability 
management.
    Preparation is critical. The events of 9/11 and subsequent 
preparations by the private sector and government enhanced mutual trust 
and the ability to communicate, shift to backup systems, and continue 
operations. Prior to the August 2003 blackout, BITS conducted a 
scenario exercise that included the West Coast power grid being out for 
seven days and the impact that might have on the sector. That exercise 
helped the industry think through things like communications, water 
shortages, backup for ATM operations, and fuel for generators.
    Critical infrastructure industries and the public need to have an 
understanding of the scope and cause as early as possible when a major 
event occurs. During the August 2003 blackout, the announcement that 
the problem was not the result of a terrorist event alleviated public 
concerns and made for orderly execution of business continuity 
processes. If it had been a terrorist event, other communications and 
directives such as ``shields up''--in which external communications to 
institutions are blocked--might have occurred.
    Diverse and resilient communication channels are essential. Diverse 
elements--such as cell phones, wireless email devices, landline phones, 
and the Internet--are required. Both diversity and redundancy are 
needed within critical infrastructures to assure backup systems are 
operable and continuity of services will be maintained.
    The power grid must be considered among the most vital of critical 
infrastructures and needs investment to make sure it works across the 
nation. The cascading impact on the operation of financial services, 
access to fuel, availability of water, and sources of power for 
telephone services and Internet communications cannot be overstated.
    Recognize the dependence of all critical infrastructures on 
software operating systems and the Internet. A clear understanding of 
the role of software operating systems and their ``higher duty of 
care,'' particularly when serving the nation's critical 
infrastructures, needs to be explored. Further, the Committee should 
recognize that the financial sector is driven by its ``trusted'' 
reputation as well as regulatory requirements. Other industries do not 
have the same level of regulatory oversight, liability, or business 
incentives. However, we rely on other sectors because of our 
interdependencies. Responsibility and liability need to be shared.

Financial Industry Efforts to Strengthen Cyber Security
    In October 2003, BITS began its Software Security and Patch 
Management initiative to respond to increasing security risks and 
headline-sweeping viruses. Since then, BITS has worked to mitigate 
security risks to financial services consumers and the financial 
services infrastructure, ease the burden of patch management caused by 
vendor practices, and help member companies comply with regulatory 
requirements. BITS also began forging partnerships with the software 
vendors most commonly used in our industry.
    In February 2004, BITS and The Financial Services Roundtable held a 
Software Security CEO Summit. The event launched BITS and Roundtable 
efforts to promote CEO-to-CEO dialogue on software security issues. 
More than 80 executives from financial services, other critical 
infrastructure industries, software companies, and government discussed 
software vulnerabilities and identified solutions. A ``toolkit'' with 
software security business requirements, sample procurement language, 
and talking points for discussing security issues with IT vendors was 
distributed to 400 BITS and Roundtable member company executives. One 
important deliverable from this Forum is the set of Software Security 
Business Requirements, which are essential from the perspective of the 
financial services sector. These requirements and the full ``toolkit'' 
are available in the public area of the BITS website, at 
www.bitsinfo.org.
    A theme of the event was the importance of collaborating with other 
critical infrastructure industries and government. Since the Summit we 
have worked with all the associations representing the financial 
services industry, as well as The Business Roundtable, the Cyber 
Security Industry Alliance and other relevant groups.
    In April 2004, BITS and The Financial Services Roundtable announced 
a joint policy statement calling on the software industry to improve 
the security of products and services it provides to financial services 
customers. The policy statement calls on software providers to accept 
responsibility for their role in supporting financial institutions and 
other critical infrastructure companies. BITS and The Roundtable 
support incentives and other measures that encourage implementation of 
more secure software development processes and sustain long-term R&D 
efforts to support stronger security in software products. We also 
support protection from antitrust laws for critical infrastructure 
industry groups to discuss baseline security specifications for the 
software and hardware that they purchase. Additionally, as part of the 
policy, BITS and The Roundtable are encouraging regulatory agencies to 
explore supervisory tools to ensure critical third-party service 
providers and software vendors deliver safe and sound products and 
services to the financial services industry.
    We continue to work with software companies to create solutions 
acceptable to all parties. In 2004 BITS successfully negotiated with 
Microsoft to provide additional support to BITS member companies using 
Windows NT. We have provided Microsoft and other software and hardware 
companies with Software Security Business Requirements. (See Attachment 
A.) BITS members agree that these requirements are critical to the 
soundness of systems used in the financial services industry.
    In July 2004, BITS published best practices for software patch 
management in response to the increasing urgency of patch 
implementation, given the speed with which viruses are targeting new 
vulnerabilities. This document is available to the public at no cost 
and applicable to industries outside of financial services.\1\
---------------------------------------------------------------------------
    \1\ Patch management and implementation alone can cost one 
financial institution millions of dollars annually. A BITS survey of 
member institutions found that costs to the financial services industry 
associated with software security, including patch management, are 
approaching $1 billion annually. BITS' best practices help companies 
mitigate these costs.
---------------------------------------------------------------------------
    In July, BITS published The Kalculator: BITS Key Risk Measurement 
Tool for Information Security Operational Risks. This tool helps 
financial institutions evaluate critical information security risks to 
their businesses. Financial institutions use the Kalculator to score 
their own information security risks based on the likelihood of an 
incident, the degree to which the organization has defended itself 
against the threat, and the incident's possible impact. The tool brings 
together an extensive body of information security risk categories 
outlined in international security standards and emerging operational 
risk regulatory requirements. Like the patch management best practices, 
the Kalculator is available to the public at no cost and applicable to 
industries outside of financial services.
    BITS participated in the Corporate Information Security Working 
Group (CISWG) sponsored by Congressman Adam Putnam, then-Chairman of 
the House of Representatives' Subcommittee on Technology, Information 
Policy, Intergovernmental Relations on the Census. CISWG is made up of 
corporate, industry and academic leaders and is working to pursue a 
private sector-driven approach to enhancing the protection of the 
nation's corporate computer networks. BITS is active in the best 
practices, incentives, and procurement subgroups. In addition, BITS has 
participated in task forces established by DHS and several technology 
associations.
    Finally, the BITS Product Certification Program is another 
important part of our work to address software security. The BITS 
Product Certification Program is a testing capability that provides 
security criteria against which software can be tested. A number of 
software companies are considering testing. The criteria are also used 
by financial institutions in their procurement processes. We are 
working to hand this over to DHS and secure ongoing funding for it.

Identity Theft and Phishing: Prevention and Victim Assistance
    Just as financial institutions are a key target for hackers and 
other cyber criminals, our industry is increasingly the target of 
fraudsters operating online. BITS and The Financial Services Roundtable 
are responding to the escalation in identity theft with a series of 
steps to facilitate prevention of the crime and assist victims when it 
occurs. The goals of these efforts are to help maintain trust in the 
financial services system, assist member companies' customers, and 
mitigate fraud losses. BITS and The Roundtable are working with the 
Administration, Congress, and law enforcement and regulatory agencies 
to accomplish these goals.
    A cornerstone to these efforts is the Identity Theft Assistance 
Center (ITAC). Developed by BITS and The Roundtable, with the support 
of 50 founding member institutions, the ITAC helps victims of identity 
theft restore their financial identity. If a consumer or a member 
company suspects a problem, the consumer and the company resolve any 
issues, and if the problem involves identity theft, the customer is 
offered the ITAC service. The ITAC walks the consumer through his or 
her credit report to find any other suspicious activity. Then, the ITAC 
notifies the affected creditors and places fraud alerts with the credit 
bureaus. The ITAC also shares information with the Federal Trade 
Commission and law enforcement agencies, to help arrest and convict the 
perpetrators and prevent future identity theft crimes.
    Because a consistent understanding of the problem is essential to 
finding solutions, a 2003 BITS white paper on identity theft outlines 
the full identity theft landscape, establishing key terms as well as 
identifying factors that contribute to identity theft. The paper 
provides background about the legislative and policy environment, 
including existing and proposed laws, as well as industry best 
practices.
    Along with the white paper, BITS developed guidelines for financial 
institutions to use to prevent identity theft and restore victims' 
financial identities. The guidelines include processes for providing a 
``single point of contact'' at companies to whom victims may report 
cases of identity theft.
    Additionally, the BITS Fraud Reduction Steering Committee and the 
Federal Trade Commission have created a Uniform Affidavit to simplify 
the recovery process for victims. The Uniform Affidavit streamlines the 
reporting process by recording the victim's information about the 
crime, so that victims only have to tell their story once.
    BITS is also responding to ``phishing'' through its Fraud Reduction 
Program. Phishing is the practice of luring consumers to provide bank 
account and other personal information to fraudsters through bogus 
email messages. In response to these and other online scams, BITS has 
created a Phishing Prevention and Investigation Network. The Phishing 
Network provides member institutions with information and resources to 
expedite investigations and address phishing/spoofing incidents. The 
Phishing Network includes a searchable database of information from 
financial institutions on their phishing incident and response 
experience, including contacts at law enforcement agencies, foreign 
governmental agencies, and ISP Web administrators. The Phishing Network 
also provides data on trends to help law enforcement build cases and 
shut down identity theft operations.
    Financial institutions are regulated to ``know your customers.'' 
However, financial institutions currently do not have access to various 
government databases to validate information provided at new account 
openings. For instance, financial institutions cannot validate that a 
passport number belongs to the individual providing it and matches the 
address given at a new account opening. This is also true of driver's 
license and tax ID numbers. (A pilot is underway with Social Security 
numbers; BITS is hopeful that financial institutions will finally be 
able to validate Social Security numbers.) Financial institutions do 
not want direct access to the information; they would like to have 
access to a ``yes'' or ``no'' response through a trusted third party.

Complying with Regulatory Requirements
    As you know, financial institutions are heavily regulated and 
actively supervised by the Federal Reserve, Federal Deposit Insurance 
Corporation, Office of the Comptroller of Currency, Office of Thrift 
Supervision, National Credit Union Administration, and the Securities 
and Exchange Commission. Regulators have stepped up their oversight on 
business continuity, information security, third party service 
providers, and critical infrastructure protection. Our industry is 
working consistently and diligently to comply with new regulations and 
ongoing examinations. In addition, BITS and other industry associations 
have developed and disseminated voluntary guidelines and best practices 
as part of a coordinated effort to strengthen all critical players in 
the sector.
    Regardless of how well financial institutions respond to 
regulations, we simply cannot address these problems alone. Our 
partners in other critical industry sectors--particularly the 
telecommunications and software industries--must also do their fair 
share to ensure the soundness of our nation's critical infrastructure.

Recommendations
    The Congress can help the financial services sector meet the 
challenges of a post 9/11 environment in a number of ways. We have 
developed these key recommendations for the Committee to consider:
        1. Recognize that the financial sector is driven by its 
        ``trusted'' reputation as well as regulatory requirements. 
        Other industries do not have the same level of regulatory 
        oversight, liability, or business incentives. However, we rely 
        on other sectors because of our interdependencies. 
        Responsibility and liability need to be shared.
        2. Maintain rapid and reliable communication. Critical 
        infrastructure industries and the public need to have an early 
        understanding of the scope and cause as early as possible when 
        a major event occurs. Diverse communication channels such as 
        cell phones, wireless email devices, landline phones, and the 
        Internet are necessary. Both diversity and redundancy are 
        needed within critical infrastructures to assure backup systems 
        are operable and continuity of services will be maintained.
        3. Recognize the dependence of all critical infrastructures on 
        software operating systems and the Internet. Given this 
        dependence, the Congress should encourage providers of software 
        to the financial services industry to accept responsibility for 
        the role their products and services play in supporting the 
        nation's critical infrastructure. In so doing, Congress should 
        support measures that make producers of software more 
        accountable for the quality of their products and provide 
        incentives such as tax incentives, cyber-insurance, liability/
        safe harbor/tort reform, and certification programs that 
        encourage implementation of more secure software. Congress also 
        could provide protection from U.S. antitrust laws for critical 
        infrastructure industry groups that agree on baseline security 
        specifications for the software and hardware that they 
        purchase.
        4. Encourage regulatory agencies to review software vendors--
        similar to what the regulators currently do in examining third-
        party service providers--so that software vendors deliver safe 
        and sound products to the financial services industry.
        5. Encourage collaboration and coordination among other 
        critical infrastructure sectors and government agencies to 
        enhance the diversity and resiliency of the telecommunications 
        infrastructure. For example, the government should ensure that 
        critical telecommunications circuits are adequately protected 
        and that redundancy and diversity in the telecommunications 
        networks are assured.
        6. Invest in the power grid because of its critical and 
        cascading impact on other industries and other critical 
        infrastructures. The power grid must be considered among the 
        most vital of critical infrastructures and needs investment to 
        make sure it works across the nation.
        7. Establish improved coordination procedures across all 
        critical infrastructures and with federal, state, and local 
        government when events occur. Coordination in planning and 
        response between the private sector and public emergency 
        management is inadequate and/or inconsistent. For example, a 
        virtual national command center for the private sector that 
        links to the Homeland Security Operations Center would help to 
        provide consistency.
        8. Encourage law enforcement to prosecute cyber criminals and 
        identity thieves, and publicize U.S. government efforts to do 
        so. These efforts help to reassure the public and businesses 
        that the Internet is a safe place and electronic commerce is an 
        important part of the nation's economy.
    On behalf of both BITS and The Financial Services Roundtable, thank 
you for the opportunity to testify before you today. I will now answer 
any questions.
Attachment A
Letter from BITS and The Financial Services Roundtable

                    The Financial Services Roundtable

                                  BITS

                           FINANCIAL SERVICES

                               ROUNDTABLE

JULY 13, 2004

Representative Christopher Cox,
Chairman, Select Committee on Homeland Security
2402 Rayburn House Office Building
Washington, DC 20515

Representative Jim Turner
Ranking Member, Select Committee on Homeland Security
330 Cannon House Office Building
Washington, DC 20515

Representative Mac Thornberry
Chairman, Cybersecurity Subcommittee
2457 Rayburn House Office Building
Washington, DC 20515

Representative Zoe Lofgren
Ranking Member, Cybersecurity Subcommittee
102 Cannon House Office Building
Washington, D.C. 20515

RE: Cybersecurity Concerns

Dear Representatives Cox, Turner, Thornberry and Lofgren:
    Thank you for the opportunity to discuss the concerns of financial 
institutions with regard to strengthening software security.
    The Financial Services Roundtable (FSR) and BITS want to offer our 
support for the recommendation to elevate the position of cybersecurity 
director to the level of Assistant Secretary. We support this effort as 
a way to increase the administration's focus on cybersecurity concerns 
and address issues such as those outlined in the attached BITS/FSR 
Software Security Policy Statement. Furthermore, we believe that this 
elevation to Assistant Secretary will provide support for those areas 
identified by the National Strategy as requiring additional actions.
    Finally, we would like to acknowledge the responsiveness of the 
National Communications System (NCS) to meeting the needs of the 
financial services industry. As such, we would like to ensure that 
moving the NCS into the Cybersecurity Division will not undermine the 
excellent work of the NCS.

Best regards,
                                     Steve Bartlett
                      President, The Financial Services Roundtable.

                                 Catherine A. Allen
                                           Chief Executive Officer.

Enclosure: BITS/FSR Software Security Policy Statement

                           SOFTWARE SECURITY

    Security is a fundamental building block for all financial 
services. It is also a regulatory requirement. The financial services 
industry relies upon software to operate complex systems and provide 
services, as well as to protect customer information.
    Financial services companies comply with a host of legal and 
regulatory requirements to ensure the privacy and security of customer 
information. Recently, the prevalence of security risks, threats and 
viruses, combined with a lack of accountability for software 
vulnerabilities, has saddled financial institutions with significant 
risks and skyrocketing costs.
    In early 2004, BITS surveyed its members to estimate the costs to 
financial institutions of addressing software security and patch-
management problems. Based on the survey, BITS and Financial Services 
Roundtable members pay an estimated $400 million annually to deal with 
software security and patch management. Extrapolated to the entire 
financial services industry, these costs are approaching $1 billion 
annually.

    The members of BITS and The Financial Services Roundtable believe:
         Because the financial services industry plays a 
        central role in the nation's critical infrastructure and is 
        dependent on the products and services of software providers, 
        such providers of mission critical software to the financial 
        services industry need to accept responsibility for the role 
        their products and services play in supporting the nation's 
        critical infrastructure and should exhibit and be held to a 
        ``higher duty of care'' to satisfy their own critical 
        infrastructure responsibilities.
         Software vendors should ensure their products are 
        designed to include security as part of the development process 
        using security-trained and security-certified developers on 
        product development and lifecycle teams.
         Software vendors should ensure through testing that 
        their products meet quality standards and that financial 
        services security requirements are met before products are 
        sold.
         Software providers should develop patch-management 
        processes that minimize costs, complexity, downtime, and risk 
        to user organizations. Software vendors should identify 
        vulnerabilities as soon as possible and ensure that the patch 
        is thoroughly tested.
         Software vendors should continue patch support for 
        older, but still viable, versions of software.
         Collaboration and coordination among other critical 
        infrastructure sectors and government agencies are essential to 
        mitigate software security risks.

The members of BITS and The Financial Services Roundtable:
         Support measures that make producers of software more 
        accountable for the quality of their products.
         Support incentives (e.g., tax incentives, cyber-
        insurance, liability/safe harbor/tort reform, certification 
        programs) and other measures that encourage implementation of 
        more secure software development processes and sustain long-
        term R&D efforts to support stronger security in software 
        products.
         Seek protection from U.S. antitrust laws for critical 
        infrastructure industry groups that agree on baseline security 
        specifications for software and hardware that they purchase.
         Encourage regulatory agencies to explore supervisory 
        tools to ensure that critical third-party service providers and 
        software vendors deliver safe and sound products to the 
        financial services industry.
         Support and incorporate, where possible, the BITS 
        Product Security Criteria into security policies, and encourage 
        technology vendors to test products to meet these criteria.
         Apply a risk-management approach to software security 
        by assessing risks and applying appropriate tools and best 
        practices to ensure the most secure deployment and application 
        of software possible across the entire enterprise.
         Participate in and support efforts to strengthen the 
        Financial Services Information Sharing and Analysis Center (FS/
        ISAC) in order to share vulnerability information on the 
        products deployed by financial institutions.
         Educate policy makers on the significance of the risks 
        posed to the financial services sector and other critical 
        infrastructure industries and the need to take action to 
        mitigate these risks.

                         BUSINESS REQUIREMENTS

                                  FOR

                 SOFTWARE SECURITY AND PATCH MANAGEMENT

    Members of BITS and The Financial Services Roundtable believe 
software vendors should take responsibility for the quality of their 
products. Especially when selling products to companies that are within 
critical infrastructure industries, certain minimum requirements should 
be met. Following are recommended critical infrastructure sector 
Business Requirements.
    Provide a higher ``duty of care'' when selling to critical 
infrastructure industry companies.
    To meet this higher duty of care, vendors should:
         Make security a fundamental component of software 
        design.
         Support older versions of software (e.g., NT), 
        particularly if existing programs are functional and not past 
        the end of their estimated life cycle.
         Make upgrading easier, less cumbersome and less 
        costly, and offer more support.
                -- Products should be less prone to failure and have an 
                automated back-out feature.
                -- Components (including embedded components used in 
                other products) should be clearly defined in order for 
                the customer to assess the cascading effect of the 
                upgrade or installation.
                -- Publish metrics on security of new and existing 
                products.
                -- Expand coordination and establish better 
                communication with individual clients and industry 
                groups.
                -- Vendors should give customers an aggressive ``patch 
                playbook'' which would provide clear guidance and 
                explicit instructions for risk mitigation throughout 
                the patch management process and especially in times of 
                crisis.
                -- Vendors should offer critical infrastructure 
                customers access to one-on-one, private, early 
                vulnerability notice prior to notifying the general 
                public, possibly by establishing ``preferred'' customer 
                levels. (Some vendors offer financial institutions 
                advanced notification if they agree to serve as a 
                ``beta'' site; however, this is not practical as an 
                industry-wide solution.)
         Provide better security-trained and security-certified 
        developers on product teams.
         Establish Regional Centers of Excellence to service 
        major financial institutions in their area. Centers would keep 
        IT profiles for each institution in order to:
                -- Inform institutions of the likely effects of a new 
                vulnerability on their specific IT environment.
                -- Continually advise institutions on how to best apply 
                patches.
                -- Expedite patch installation by visiting the 
                financial institution site.
                -- Make on site or remote consultation available when 
                patches affect other applications.
Comply with security requirements before releasing software products.
Vendors should:
         Meet minimum security criteria, such as BITS software 
        security criteria and/or the Common Criteria.
         Thoroughly test software products, taking into 
        consideration that:
                -- Testing needs to address both quality assurance as 
                well as functionality against known and unknown 
                threats.
         Conduct code reviews.
                -- Whether conducted internally or outsourced, code 
                reviews should involve tools or processes, such as code 
                profilers and threat models, to ensure code integrity.
    Improve the patch-management process to make it more secure and 
efficient and less costly to organizations.
Vendors should:
         Issue patch alerts as early as possible.
         Continue patch support for older software.
                -- Vendors should be clear about the level of support 
                provided for each software version.
                -- Vendors are strongly encouraged to provide support 
                for up to two versions of older software, i.e., the N-2 
                level.
         Provide automatic, user-controlled patch-management 
        systems, such as uniform, reliable, and, possibly, industry-
        standard installers.
         Ensure all patches come with an automated back-out 
        function and do not require reboots.
         Support clients who purchase third-party installer 
        tools (until a standard is established).
         Thoroughly test patches before release.
                -- Testing should include patch-to-patch testing to 
                identify any cascade effects and in-depth compatibility 
                testing for effects on networks and applications.
         Issue better patch and vulnerability technical 
        publications. Publications should include more thorough 
        analyses of the impact of vulnerabilities on unpatched systems 
        as well as data on the environments and applications for which 
        the patches were tested. Impact on other patches should also be 
        addressed.
         Conduct independent security audits of the patch-
        development and deployment processes.
         Distribute a communication and mitigation plan, 
        including how vulnerability/patch information will be relayed 
        to the customer, for use in times of crisis.
Attachment B

   BITS Response to DHS' Questions on Cyber Security January 4, 2005

    The National Cyber Security Division of DHS hosted a retreat at Wye 
River, Maryland on January 6-7, 2005 to assess private and public 
sector progress in meeting the goals and objectives of the 
Administration's National Strategy to Secure Cyberspace. DHS asked 
participants in advance of the meeting to answer three questions. BITS 
submitted the following answers to these questions.
    Question 1: What are the top three initiatives your organization is 
currently involved in to advance cybersecurity (such as the goals 
articulated in the National Strategy to Secure Cyber Space)?
    BITS is involved in numerous efforts to address cyber security and 
protect the Nation's critical infrastructure. For 2005, BITS will focus 
on the following top three initiatives to advance cybersecurity: (1) 
urge major software vendors to address software security business 
requirements; (2) combat on-line fraud and identity theft; and (3) 
support efforts to develop meaningful software product certification 
programs. In addition to the three initiatives outlined below, BITS 
also will continue to educate policy makers on cyber security risks and 
steps that can be taken to protect the Nation's critical 
infrastructure. (See appendix B for a summary of BITS' accomplishments 
in 2004.)
    A. Urge major software vendors to address the BITS/FSR software 
security business requirements. In April 2004, BITS and The Financial 
Services Roundtable announced a joint policy statement calling on the 
software industry to improve the security of products and services it 
provides to financial services customers. The policy statement calls on 
software providers to accept responsibility for their role in 
supporting financial institutions and other critical infrastructure 
companies. BITS and the Roundtable support incentives (e.g., tax 
incentives, cyber-insurance, liability/safe harbor/tort reform, 
certification programs) and other measures that encourage 
implementation of more secure software development processes and 
sustain long-term research and development efforts to support stronger 
security in software products. (The BITS/FSR Software Security Business 
Requirements are attached to the April 2004 BITS/FSR Software Security 
Policy statement, which is available at 
http://www.bitsinfo.org/bitssoftsecuritypolicyapr04.pdf.) In addition, BITS is working with 
major software vendors to discuss business requirements. In June 2003, 
BITS announced it had successfully negotiated with Microsoft to provide 
additional support to BITS member companies for Windows NT. We have 
provided Microsoft and other software and hardware companies with the 
Software Security Business Requirements. BITS members agree that these 
requirements are critical to the soundness of systems used in the 
financial services industry. BITS also is working with or has plans in 
early 2005 to work with Cisco, IBM and RedHat on software security 
issues.
    B. Combat on-line fraud and identity theft and explore appropriate 
authentication strategies. BITS is involved in supporting the pilot of 
the BITS/FSR Identity Theft Assistance Center (ITAC), developing the 
BITS Phishing Prevention and Investigation Network, and focusing on 
authentication practices and strategies.
    The ITAC is a one-year pilot program intended to help victims of 
identity theft by streamlining the recovery process and enabling law 
enforcement to identify and prosecute perpetrators of this crime. ITAC 
is an initiative of The Financial Services Roundtable and BITS, which 
represent 100 of the largest integrated financial services companies. 
Fifty BITS and Roundtable members are participating in and funding the 
ITAC pilot program as a commitment to their customers and to 
maintaining trust in the Nation's financial services system. The ITAC's services 
are free-of-charge to customers and made available based on referrals 
to the ITAC by one of the 50 members of the ITAC pilot program. BITS 
has also published several business practices guidelines and white 
papers on various aspects of identity theft and fraud reduction 
strategies.
    The BITS Phishing Prevention and Investigation Network has three 
primary purposes. First, the Network helps financial institutions shut 
down online scams. Second, it aids in investigations of scam 
perpetrators by providing law enforcement with trend data. Law 
enforcement agencies can use the data to build cases and stop scamming 
operations. Finally, the BITS Network facilitates communication among 
fraud specialists at financial institutions, law enforcement agencies 
and service providers, resulting in a ``united front'' for combating 
online scams. Financial institutions can also use the BITS Network to 
share information about online scams. Through its searchable database, 
fraud professionals at BITS member institutions learn from other 
institutions' phishing incidents and responses. The database provides 
quick access to contacts at law enforcement agencies, foreign 
governmental agencies, and ISP administrators. Founded under the 
auspices of the BITS eScams Subcommittee of the BITS Internet Fraud 
Working Group, the Network is hosted by the Financial Services 
Information Sharing and Analysis Center (FS/ISAC). Resources to develop 
the Network were contributed by Microsoft Corporation and RDA 
Corporation.
    On March 8, 2005, BITS will host a Forum entitled ``A Strategic 
Look at Authentication'' in Washington, DC. Authentication issues have 
emerged in a number of BITS' working groups. This strategic Forum will 
focus on the following issues: business issues that drive the need for 
authentication; business challenges to implementation; public policy 
implications; and emerging technologies in the authentication area.
    C. Support efforts to develop meaningful software product 
certification programs. The BITS Product Certification Program (BPCP) 
is an important part of our work to address software security. The BPCP 
provides product testing by unbiased and professional facilities 
against baseline security criteria established by the financial 
services industry. A product certification, the BITS Tested Mark, is 
awarded to those products that meet the defined criteria. An option is 
available for technology providers to meet the product certification 
requirements via the internationally recognized Common Criteria 
certification schema. BITS has initiated discussions with DHS to 
support efforts to enhance product certification programs, including 
the Common Criteria program run by the National Security Agency (NSA) 
and National Institutes of Technology and Standards (NIST). DHS has 
expressed support for broad-based, not sector specific, certification 
programs. Moreover, DHS wants ``buy in'' from the broader user 
community. Consequently, BITS has been in discussions with The Business 
Roundtable, NIST, and the Cyber Security Industry Alliance (CSIA) to 
develop a joint proposal.
    Questions 2 & 3: Aside from funding, what can the government (if 
appropriate, specify which agency(ies)) do to help advance the 
cybersecurity agenda/priority(ies)/initiative(s) of your organization? 
What else should government and the private sector be doing to help 
facilitate enhanced cybersecurity?
    Our Nation's economic and national security relies on the security 
of information technology (IT). This security depends on the 
reliability, recoverability, continuity, and maintenance of information 
systems. The issue of secure information technology has a direct and 
profound impact on both the government and private sectors, and 
includes the Nation's critical infrastructure. The security and 
reliability of information systems are increasingly linked to consumer 
and investor confidence. Financial institutions (and others that make 
up the ``user'' community) are demanding greater accountability for the 
security of IT products and services. The federal government can play 
an important role in protecting the Nation's IT assets. The following 
are steps the U.S. government can and should take to secure information 
technology.
         Strengthen the Information Sharing and Analysis 
        Centers (ISACs) by providing complete and adequate federal 
        funding. Information sharing and trend analysis within a sector 
        is essential to protecting information security and responding 
        to events. The ISACs are a good vehicle for such sharing, but 
        they require additional resources.
         Encourage sharing of essential information among 
        industry ISACs. Threats to cyber security will reach some 
        sectors before others--oftentimes resulting in simultaneous or 
        cascading effects. Mandatory sharing among the ISACs will 
        provide valuable advance notice to sectors not immediately 
        threatened.
         Utilize the ISACs to inform critical infrastructures 
        of cyber threats discovered through national intelligence and 
        law enforcement. As a primary target of cyber attacks, the 
        government expends substantial resources to protect, detect and 
        respond to attacks. The information gathered by the government 
        regarding present, imminent, or gathering threats should be 
        shared with sectors that are widely understood to be critical 
        to the security of the country. ISACs represent a centralized 
        way of quickly disseminating important security information.
         Create an emergency communication system in the event 
        of a massive cyber attack. Such an attack could potentially 
        cripple many of the primary communication channels. To allow 
        maximum efficiency of information dissemination to key 
        individuals in such an event, a thorough and systematic plan 
        should be in place. The financial services industry relies on 
        the BITS/FSR Crisis Management Process and Manual of 
        Procedures, including the BITS/FSR Crisis Communicator.
         Create and promote security standards for technology 
        products which address the Common Criteria certification 
        concerns noted by the National Cyber Security Partnership 
        (NCSP). These concerns include:
                -- Cost and delay of the certification process
                -- Need to make certification applicable to the 
                needs of both government and industry
                -- Uniform tying of federal procurement policies 
                to the certification system
    In the alternative to repairing the Common Criteria, a new system 
should be developed that would address from the beginning the 
limitations of the Common Criteria. DHS has expressed interest in such 
a certification program if it is not sector specific. The BITS Product 
Certification Program may well be able to serve as a model for such a 
certification program.
         Increase staffing, funding, and prominence of cyber 
        security in the DHS. Cyber security is a unique threat to 
        national security. As such, it should be elevated in importance 
        at DHS.
         Create a more senior policy-level position within DHS 
        to address cyber security issues and concerns.
         Provide tax or other incentives for achieving higher 
        levels of Common Criteria certification. Presently, Common 
        Criteria certification is the primary uniform means of 
        evaluating the security of software and hardware. Incremented 
        incentives, based upon the level of certification achieved, 
        would help to compensate companies for the time and cost of 
        certification. This should encourage more certification and 
        increase the overall security of hardware and software.
         Provide tax or other incentives for certification of 
        revised or updated versions of previously certified software. 
        Under Common Criteria, certification of updated versions is 
        costly and time consuming. Incentives are necessary to ensure 
        that all software is tested for security and not a single build 
        or version of a product.
         Require software providers to immediately notify ISACs 
        of newly discovered cyber threats and to provide updated 
        information on such threats until an effective patch is 
        provided. Regulatory controls may be necessary to prevent the 
        wider broadcast of such information, but it is vital that the 
        critical infrastructure receive immediate notice of serious 
        vulnerabilities. Regulatory action will also be necessary to 
        police software provider compliance with such an information 
        sharing requirement.
         Establish requirements which improve the patch-
        management process to make it more secure and efficient and 
        less costly to organizations that use software.
         Fund a joint FTC/DHS consumer cyber security awareness 
        campaign. The FTC should focus its efforts on building consumer 
        awareness, and DHS should coordinate more detailed technical 
        education regarding specific serious threats. In addition, 
        government employees should be trained in proper cyber safety 
        measures.
         Train government employees on proper cyber security 
        measures.
         Provide tax or other incentives for industry cyber 
        security awareness campaigns. Because security should not be 
        grounds for competitive advantage, cyber security awareness 
        campaigns undertaken on an industry-wide basis should be 
        encouraged.
         Educate corporate executives and officers regarding 
        their duties under Sarbanes-Oxley, GLBA, and HIPAA as they 
        relate to cyber security.
         Require high levels of cyber security in software 
        purchased by the government through procurement procedures. 
        Extend such requirements to software used by government 
        contractors, subcontractors, and suppliers.
         Provide NIST with adequate resources to develop 
        minimum cyber security requirements for government procurement. 
        NIST should include software developers and other stakeholders 
        in the standard creation process.
         Assign to the Commerce Department or another 
        appropriate agency the responsibility of tracking and reporting 
        such costs and the impact on the economy. Measuring and making 
        transparent these costs will aid law makers and regulators as 
        they assign resources to cyber security programs.
         Fund research and development of more secure software 
        development practices, testing and certification programs.
         Facilitate collaboration with the users and suppliers 
        of information technology to develop standards for safe 
        practices.
         Enhance DHS, NSF, and DARPA cyber security R&D 
        funding.
         Carefully manage long and short term R&D to avoid 
        duplication.
         Establish a mechanism to share educational training 
        and curriculum.
         Encourage law enforcement to enforce, investigate and 
        prosecute cyber crimes here and abroad.
         Ratify the Council of Europe's Convention on 
        Cybercrime.
         Enhance criminal penalties for cyber crimes.
         Make cyber crimes and identity theft enforcement a 
        priority among law enforcement agencies.
         Encourage better coordination among law enforcement 
        agencies in order to detect trends, share information and 
        identify and prosecute offenders.

    Mr. Lungren. I think the chief clerk wants to make sure 
that we hear Mr. Silva. This is high-tech right here.
    The Chair now recognizes Mr. Ken Silva, chairman of the 
board of directors of the Internet Security Alliance, to 
testify. Thank you for appearing.

  STATEMENT OF KEN SILVA, CHAIRMAN OF THE BOARD OF DIRECTORS, 
                   INTERNET SECURITY ALLIANCE

    Mr. Silva. Good morning, Mr. Chairman.
    I am Ken Silva. I am the chief security officer and vice 
president for infrastructure security of VeriSign, 
Incorporated. I am also chairman of the board for the Internet 
Security Alliance, on whose behalf I am here today. With the 
Chairman's permission, I ask that my entire statement be 
inserted into the record.
    Before I detail what is in H.R. 285 that the IS Alliance 
finds promising, let me tell you a little bit about ISA and one 
of its members companies, VeriSign. ISA was established in 
April of 2001 as a trade association comprising over 200 member 
companies spanning four continents. ISA member companies 
represent a wide diversity of economic sectors representing the 
vendors and users of the technology network, and the ISA 
focuses exclusively on information security issues. Among IS 
Alliance's core beliefs are, first, because we are the stewards 
of the Internet's physical assets, it is the private sector's 
responsibility to aggressively secure them.
    Second, more needs to be done by both government and 
industry to provide adequate information security. This means 
not only securing the physical and logical elements of the 
network--but also securing the highly valuable electronic 
cargo running over the network.
    Third, a great deal can be accomplished simply with 
enhanced technology and greater awareness and training of 
individuals--from the top corporate executives down to the 
solitary PC user.
    Fourth, while technology, education and information sharing 
are critical to cybersecurity, they must be supported by 
research, aggressive global intelligence gathering, information 
sharing, and vigorous law enforcement efforts against those who 
attack the network.
    Lastly, new and creative structures and incentives need to 
evolve to ensure adequate and ongoing information security. 
VeriSign, as one of the member companies of the Internet 
Security Alliance, is in a unique position to preserve and 
protect the Internet's infrastructure, at least part of it, in 
our role as steward for the dot.com and dot.net top-level 
domains of the Internet and also 2 of the 13 root servers.
    I am pleased to have the opportunity to speak in support of 
H.R. 285, the Department of Homeland Security Cybersecurity 
Enhancement Act of 2005. I would like to make three overarching 
points about this legislation.
    First, both the public and private sectors need to become 
more proactive with respect to cybersecurity. The FBI declares 
cybercrime to be our Nation's fastest-growing crime. According 
to the CERT, there has been an increase of nearly 4,000 percent 
in computer crimes since 1997. We also know from reliable 
intelligence that has been reported that terrorist groups are 
not only using cybercrime to fund their activities, but 
studying how to use the information and attacks to undermine 
our critical infrastructures.
    Second, the administrative changes in management tasking 
set out in H.R. 285 must be supported by an adequate level of 
funding to permit the Department to carry out critical mandates 
of this bill. In particular, increased funding for 
cybersecurity research is one critical area not specifically 
mentioned in this legislation. The Internet's basic protocols 
are nearly 30 years old, and at the time of their creation, 
they didn't contemplate the security or scale issues we face 
today.
    Third, sufficient real authority and trust must be invested 
in the person who heads up the cybersecurity organization. 
Without this stature and trust, the elevation of the 
organization to an office and the bestowing of an assistant 
secretary title will have little benefit.
    Mr. Chairman, there is no shame in pointing out what we all 
know to be true. Our economic and national security depends on 
this job being done right. Cybersecurity means the protection 
of physical and logical assets of a complex distributed 
network. Cybersecurity means protection of the economic and 
national security activity carried on that infrastructure.
    These infrastructure assets support activity that in the 
commercial area alone account for about $3 trillion daily. 
According to the Federal--excuse me, this is according to the 
Federal Reserve Board. That is $130 billion an hour that 
depends on there being a safe, reliable and available Internet. 
An infrastructure of such great importance to America's 
economic and national security demands leadership that is 
trusted, visible and effective.
    In summary, Mr. Chairman, the challenge of America and the 
rest of the Internet-dependent world, security organizations 
like DHS, is threefold. First, DHS and other government 
cyberagencies need to understand the architecture of the 
network today and to recognize its ever-growing diversity and 
complexity.
    Second, cybersecurity agencies need to collaborate with the 
industries that operate most of these network assets and 
exchange and understand the information exchanged with 
industry, including employing the best engineering talent 
available.
    Lastly, the cybersecurity agencies here and around the 
world must be organized and cooperate to respond to threats and 
attacks against our cyberinfrastructure rapidly and 
effectively.
    Mr. Chairman, this H.R. 285 moves the Department of 
Homeland Security in the direction of addressing these three 
challenges. It is especially helpful simply because it applies 
more attention to cybersecurity.
    IS Alliance members want to work with the committee and the 
Department to ensure that good intentions expressed in this 
document become a reality that strengthens America's ability to 
prevent attacks against our networks and to make them strong 
enough to withstand any attacks that do come our way.
    Thank you, Mr. Chairman.
    Mr. Lungren. Thank you very much, Mr. Silva.
    [The statement of Mr. Silva follows:]

                    Prepared Statement of Ken Silva

    Good morning Mr. Chairman. I am Ken Silva. I am the Chief Security 
Officer and Vice President for Infrastructure Security of VeriSign, 
Incorporated. I have the privilege of being the Chairman of the Board 
of the Internet Security Alliance (ISAlliance), on whose behalf I am 
here today.
    Before I detail what it is in H.R. 285 that the IS Alliance finds 
promising, let me tell you a bit more about both the IS Alliance and 
VeriSign.
    Established in April 2001 as a collaboration between Carnegie Mellon 
University and the Electronic Industries Alliance, the IS Alliance is a 
trade association comprising over 200 member companies spanning four 
continents. IS Alliance member companies represent a wide diversity of 
economic sectors including banking, insurance, entertainment, 
manufacturing, IT, telecommunications, security, and consumer products.
    The IS Alliance programs focus exclusively on information security 
issues. We provide our member companies with a full suite of services 
including: information sharing, best practice, standard, and 
certification development, updated risk management tools, model 
contracts to integrate information technology with legal compliance 
requirements, and market incentives to motivate an ever-expanding 
perimeter of security.
    Among the IS Alliance's core beliefs are:
    First, because the Internet is primarily owned and operated by 
private organizations, it is the private sector's responsibility to 
aggressively secure the Internet.
    Second, not enough is currently being done by either government or 
industry to provide adequate information security. This means security 
not only of the physical and logical elements of the network--but also 
security of the highly valuable electronic cargo running over the 
network.
    Third, a great deal can be accomplished simply with enhanced 
technology and greater awareness and training of individuals--from the 
top corporate executives down to the solitary PC users.
    Fourth, while technology, education, and information sharing are 
critical, they are insufficient to maintain appropriate cybersecurity 
and respond to an ever-changing technological environment. Research, 
aggressive global intelligence gathering, information sharing, and 
vigorous law enforcement efforts against those who attack our networks 
are also essential.
    Fifth, new and creative structures and incentives may need to 
evolve to assure adequate and ongoing information security. While 
government is a critical partner, industry must shoulder a substantial 
responsibility and demonstrate leadership in this field if we are to 
eventually succeed.
    As Chairman of ISAlliance's Board, one of my roles is to carry 
these messages not only to government, but also to potential new 
members of the ISAlliance. When VeriSign helped found the ISAlliance 
four years ago, there were fewer than a dozen members. But the 
ISAlliance's key points resonate with ANY organization that uses the 
information superhighway to conduct its affairs--whether commercial 
business, academic institution, NGOs, or government. Thus, it is not 
surprising that, since its inception, the ISAlliance has grown by 
nearly twenty-fold.
    Certainly, my own company, VeriSign takes these principles 
seriously. VeriSign is a microcosm of the diverse ``e'' activities on 
the Internet, of the convergence of the traditional ``copper'' networks 
with computer driven digital networks, soon to become the ``NGNs'' or 
Next Generation Networks. Commerce, education, government, and 
recreation all are enabled by the infrastructures and services we and 
our colleague companies support. VeriSign, the company I am privileged 
to serve as Chief Security Officer, was founded 10 years ago in 
Mountain View, California. VeriSign operates the Internet 
infrastructure systems that manage .com and .net, handling over 14 
billion Web and email look-ups every day. We run one of the largest 
telecom signaling networks in the world, enabling services such as 
cellular roaming, text messaging, caller ID, and multimedia messaging. 
We provide managed security services, security consulting, strong 
authentication solutions, and commerce, email, and anti-phishing 
security services to over 3,000 enterprises and 400,000 Web sites 
worldwide. And, in North America alone, we handle over 30 percent of 
all e-commerce transactions, securely processing $100 million in daily 
sales.
    Of these activities, the one that places us in a very unique 
position to observe, and to protect the Internet's infrastructure is 
our role as steward of the .COM and .NET top level domains of the 
Internet, and of two of the Internet's 13 global root servers. These 
are the Internet's electronic ``directory''. The services VeriSign 
provides over many hundreds of millions of dollars worth of servers, 
storage and other infrastructure hardware enables the half trillion 
daily Internet address lookups generated by all of your web browsing 
and emails to actually reach their intended destinations. Consequently 
as the manager of several 24x7 watch centers where our engineering 
staff observe as these 500 billion daily requests circle the globe, we 
see when elements of the infrastructure are attacked, impaired, taken 
off the air for maintenance, or otherwise have their status or 
performance altered. Because we observe and record this, VeriSign is 
capable of, and often involved in the identification of the nature, 
severity, duration, type, and sometimes even source of attacks against 
the Internet. Our experience in doing this for over a decade, I believe, 
makes VeriSign uniquely interested in how the government architects its 
companion cybersecurity services.
    I am pleased to have the opportunity to speak in support of H.R. 
285, the Department of Homeland Security Cybersecurity Enhancement Act 
of 2005; I would like to make three overarching points about the 
legislation:
    First, both the public and private sectors need to become more 
proactive with respect to cybersecurity.
    A smattering of statistics can briefly outline the growing nature 
of the growing cyber security problem. According to Carnegie-Mellon 
University's CERT, there has been an increase of nearly 4000 percent in 
computer crime since 1997. The FBI declares Cybercrime to be our 
nation's fastest growing crime. One FTC estimate puts the number of 
Americans who have experienced identity theft at nearly 20 million in 
the past 2 years, suggesting the link between Cybercrime and identity 
theft is not merely coincidental. CRS reported last year that the 
economic loss to companies suffering cyber attacks can be as much as 5 
percent of stock price. Furthermore, the OECD reports that as many as 1 
in 10 e-mails are viruses and that every virus launched this year has a 
zombie network backdoor or Trojan (RAT). Globally they estimate 30 
percent of all users, which would mean more than 200 million PCs 
worldwide, are controlled by RATs.
    Perhaps most ominously, we know from reliable intelligence that 
terrorist groups are not only using Cybercrime to fund their 
activities, but are studying how to use information attacks to 
undermine our critical infrastructures.
    Second, the administrative changes and management taskings set out 
in H.R. 285 must be supported by an adequate level of funding to permit 
the Department to carry out the critical mandates of this bill.
    In particular, cybersecurity research is one area of critical 
financial need NOT specifically mentioned in the legislation. The basic 
protocols the Internet is based on are nearly 30 years old; they did 
not contemplate the security or scale issues we face today and will 
continue to face in the future. Increasing Federal funding for 
cybersecurity research and development was recently cited by the 
President's Information Technology Advisory Committee, (the ``PITAC''). 
After studying the U.S. technology infrastructure for nearly a year, 
PITAC noted in its report entitled ``Cyber Security: A Crisis of 
Prioritization'' that ``most support is given to short-term, 
defense-oriented research, but that little is given to research that would 
address larger security vulnerabilities.'' The IS Alliance fully 
agrees. Substantial funding needs to be provided for basic research in 
cybersecurity. Industry, itself, cannot sustain the level of research 
investment that is required. The US government must increase its 
investment.
    Third, sufficient REAL authority and trust need to be invested in 
the person who heads up the Cybersecurity organization within the 
Department. Without this stature and trust, the elevation of the 
organization to an ``Office'' and the bestowing of an Assistant 
Secretary title will have little benefit. Mr. Chairman, there should be 
no shame in pointing out what we all know to be true: our economic and 
national security depends on this job being done right.
    ``Cybersecurity'' means the protection of the physical and logical 
assets of a complex distributed network comprised of long-haul fiber, 
large data switching centers, massive electronic storage farms, and 
other physical assets worth hundreds of billions of dollars; the 
software programs, engineering protocols, and human capital and 
expertise which underlie it all are equally valuable. And cybersecurity 
means protection of the activity--economic and national security--
carried on that infrastructure. All of these infrastructure assets 
combine to support activity that, in the commercial area alone, account 
for about $3 trillion dollars daily, according to the Federal Reserve 
Board. That's $130 billion per hour that depends on a safe, reliable, 
and available Internet. An infrastructure of such great importance to 
America's economic and national security demands leadership that is 
trusted, visible, and effective.
    Several provisions of H.R. 285 are of special note:
    First, the final section does us all the important service of 
attempting to define--and to BROADLY define--``cybersecurity'', to 
encompass all of the diverse legacy, present and emerging networked 
electronic communications tools and systems.
    Second, the bill's repeated emphasis on collaboration between the 
Department and the private sector--in each present and proposed NCSO 
operational area, as well as across government--reflects a wise 
understanding of the dynamic nature of the cyber infrastructure, and 
the diverse interests in and out of government which must cooperate to 
assure the networks' security and stability. I will address some 
specifics, as well as IS Alliance's incentives programs, later in my 
testimony.
    Third, in a related area, language in Section 2 (d) directs the 
consolidation into the NCSO of the existing National Communications 
System (NCS) and its related NCC industry watch center, which for two 
decades has provided industry-based alert, warning, and analysis 
regarding attacks against the traditional telephone networks. These 
existing important watch functions support critical national security 
and emergency preparedness communications; their consolidation will 
bring Departmental practice more in line with emerging technological 
realities. If done with appropriate care and recognition of the 
valuable, unique role the NCC has played in supporting NS/EP 
communications for two decades, consolidation could also make the 
function stronger and better able to protect these converging assets.
    Fourth, the IS Alliance strongly supports voluntary cybersecurity 
best practices highlighted in section 5(A). We believe that market-
driven cyber security is the appropriate model to compel positive 
cybersecurity improvements within the nation's cyber critical 
infrastructure. Towards this end, the insurance industry, among others, 
has made great strides and continues to advance the state-of-the-art 
among market-driven cybersecurity best practices.

COMMENTS on SPECIFIC PROVISIONS
    Developing new tools to address cyber threats depends on real 
public-private cooperation. H.R. 285 provides the Department with 
significant improvements that the ISAlliance believes may help achieve 
better organization, more cooperation, and greater effectiveness in its 
collaborations with the industrial, private-sector custodians of the 
cyber infrastructure, in its cooperation with other agencies of 
government at the Federal, sub-Federal and international levels, and in 
its development of new tools to combat cyber threats.
    With its focus on government-industry cooperation and cross-
governmental cooperation, this bill correctly identifies the two 
centers of gravity for successfully meeting the cybersecurity 
challenge. Current programs must continue, which address:
        • analysis of threat information;
        • detection and warning of attacks against the cyber 
        infrastructure;
        • restoration of service after attacks;
        • reducing vulnerabilities in existing network 
        infrastructure, including assessments and risk mitigation 
        programs;
        • awareness, education, and training programs on 
        cybersecurity across both the public and private sectors;
        • coordination of cybersecurity (as directed by HSPD-7 
        and the Homeland Security Act) across Federal agencies, and 
        between Federal and sub-federal jurisdictions; and
        • international cybersecurity cooperation.
    All of these are essential functions. Even in our custodial role 
for many of the infrastructures that support the $10 trillion 
U.S. ``eConomy'', few would assert that private industry can, or even 
SHOULD, manage these functions. They are PUBLIC functions, properly 
performed by government, but in cooperative collaboration--persistent 
and polite collaboration between government and industry. I want to 
note here, Mr. Chairman, that we realize the challenges for DHS/NCSD 
are far, far easier said than done. Everyone working at the Department, 
including those in the infrastructure protection and cybersecurity 
divisions, deserves our sincerest gratitude. I want to personally thank 
my colleague on the panel today Mr. Yoran, as well as his predecessors, 
Mr. Clark & Mr. Simmons, as well as his successor Acting Director 
Purdy. And Mr. Liscouski who oversaw the entire infrastructure 
division; they all worked, or are working, as hard as they can at an 
imposing task.
    That said however, it is a task that must be completed, no matter 
how difficult. And IS Alliance is not unmindful of cost. But a national 
cybersecurity awareness and training program as provided by subsection 
(1)(C), a government cybersecurity program to coordinate and consult 
with Federal, State, and local governments to enhance their 
cybersecurity programs as provided by subsection (1)(D), and a national 
security and international cybersecurity cooperation program as 
provided by subsection (1)(E) are all important and welcome 
improvements to the nation's overall cybersecurity posture. Absent 
adequate funding however, the long-term effectiveness of these critical 
cybersecurity programs will be uncertain.
    Unfortunately, and despite great effort to date, the track-record 
of the Department and NCSD in achieving even an effective dialogue on 
how to conduct these essential activities has been spotty and even 
disappointing.
    The provisions of Section 2 of H.R. 285 that direct these specific 
functions may--hopefully, WILL--jumpstart the collaborations that will 
rapidly make these programs a reality. America cannot fail in doing 
these things; a cyber Pearl Harbor is not just a catch phrase, but very 
much a potential reality. The Department's own ``Red Cell'' exercises, 
including a notable one published last September, clearly forecast 
``blended'' terror attacks against the physical and logical assets of 
our information networks and institutions that depend on them. Such 
unavoidably attractive targets have the potential to disrupt economic, 
social, and government activities at all levels. Improved cyber-
resiliency--established in part through effective public-private 
cooperation such as spelled out in Section 2 of H.R. 285--is one 
important step in reducing that threat.
    Similarly, cross-agency collaborations within Department 
components--and with other security and anti-terrorism components of 
government--are not merely common sense; they are essential. In 
VeriSign's business, we have had opportunities from time to time to try 
to ``go it alone'' and reap the innovator's premium from the 
marketplace, or to cooperate with competitors on standards and 
accessible platforms that grow markets and increase business 
opportunities for all participants. I can tell you that cooperation and 
the ``rising tide raises all boats'' approach is preferable to being 
the single-handed sailor. In cybersecurity, the expertise of many 
different agencies--Treasury on financial crimes, or Justice on 
international frauds--being brought to bear just seems compelling.
    Several other provisions of the bill have been long-standing areas 
of interest to the IS Alliance:
    The information sharing provision of HR 285 refers back to Section 
214 of the Homeland Security Act; the Department's ``Protected Critical 
Infrastructure Information'' program attempting to implement this 
Congressional mandate is long overdue for reexamination. The ``PCII'' 
program, though perhaps well meaning has, rather than encouraging 
information sharing between industry and the Department, chilled the 
flow of information. The implementing regulations represent a complex 
bureaucratic structure that seems more intent on keeping Federal 
employees from accidentally mishandling information, and thus facing 
prosecution, rather than encouraging a timely flow of attack and threat 
information from network custodians to the Department. VeriSign and 
some of our ISAlliance partners who are members of the IT-ISAC helped 
draft the original Section 214 of the Homeland Security Act. We are 
anxious to see it work in a manner consistent with its original 
Congressional intent and enable information flow that will help respond 
to attacks, mitigate the damage and, above all, prevent a recurrence.
    And, as mentioned earlier, the proposal to merge the watch 
functions of the NCS into NCSO, and create a single, industry-supported 
watch effort that covers traditional and IP-based assets is clearly a 
beneficial way to manage the monitoring of network exploits. However, 
cyber-security is not the sole mission of the National Communications 
System. Executive Order (EO) 12472 assigns the NCS with support for 
critical communications of the President and government including, the 
National Security Council, the Director of the Office of Science and 
Technology Policy and the Director of the Office of Management and 
Budget. The NCS was established by EO 12472 as a Federal interagency 
group assigned national security and emergency preparedness (NS/EP) 
telecommunications responsibilities throughout the full spectrum of 
emergencies--disaster and warfare as well as cyber attacks. These 
responsibilities include planning for, developing, and implementing 
enhancements to the national telecommunications infrastructure to 
achieve improvements in survivability, interoperability, and 
operational effectiveness under all conditions and seeking greater 
effectiveness in managing and using national telecommunication 
resources to support the Government during any emergency. While this 
mission does cover the spectrum of cyber-security issues, there is more 
to the legacy role of the NCS that must not be forgotten or overlooked 
and from which the NCSO can learn as these functions move forward 
together.
    A key issue is missing from H.R. 285, however. Funding for 
cybersecurity research and development is essential. The Director of 
the U.K.'s equivalent agency, the NISCC, observed recently that the 
U.K. alone last year spent 3 times as much on cyber R&D in 2004 as the 
$68 million spent by the Department and the National Academy's ``cyber 
trust'' programs to fund private sector cyber R&D. The United States 
should not be taking a second place position in the funding of 
cybersecurity research. While we are benefited by the many investments 
being made by intelligence and defense agencies that do not appear on 
such comparative scorecards, R&D to support improved security for the 
majority of privately held network assets must continue and must grow. In 
a tech industry where 2-3 percent is not an unusual R&D budget, the FY 
2004 $68 million number is an amount you would expect one $2 billion 
cyber company to spend on R&D, not the entire government of the country 
that invented the technology.
    We are increasingly seeing the solutions for improved security 
originating from research outside the United States, with outside 
investment and ownership in the solutions. Unless the U.S. commits to 
self-defense, funding the research locally at our universities that 
will produce solutions to secure our nation's economic infrastructure, 
we run the risk of having our security developed and managed by others 
than Americans--and that could be a fragile policy both economically 
and from the perspective of homeland security. We must figure out a way 
to invest more to match the clever advances being made by the 
terrorists who WILL attack these networks.
    Finally, let me cite three examples of marketplace incentives that 
IS Alliance believes promote improved cybersecurity investment by 
industry: The ISAlliance, together with AIG, has agreed on a program 
wherein if member companies comply with our published best practices 
they will be eligible to receive up to 15 percent off their cyber 
insurance premiums. Visa, another ISAlliance member company, has 
developed its KISP program which again uses market entry, in this case 
the ability of commercial vendors to use the Visa card, as a motivator 
to adopt cybersecurity best practices. And the IS Alliance has recently 
launched its Wholesale Membership Program which allows small companies 
access to IS Alliance services at virtually no cost, provided their 
trade associations also comply with IS Alliance criteria.
    There is also a role for the government to play in promoting 
industry cyber security; government should be a critical partner if 
incentive programs will have their maximum impact. Examples of critical 
incentive programs include the need to motivate and enhance the 
insurance industry participation in offering insurance for cyber-
security risks, where AIG has been a leader, and the creation of 
private sector certification programs such as those provided by Visa in 
its Digital Dozen program. These and several other government incentive 
programs were highlighted last year in the report of the Corporate 
Information Security Working Group on Incentives which we commend to 
the Committee for its consideration.
    In summary, Mr. Chairman, the challenge of America's--and the rest 
of the Internet-dependent world's security organizations--like the 
Department's is threefold:
    First, DHS and other government cyber agencies need to understand 
the architecture of the network today and to recognize its ever-growing 
diversity and complexity;
    Second, cybersecurity agencies need to collaborate with the 
industries that operate most of these network assets and exchange and 
understand the information exchanged with industry (including employing 
the best engineering talent available); and
    Third, the cybersecurity agencies here and around the world need to 
cooperate to respond to threats and attacks against our cyber 
infrastructure rapidly and effectively.
    Mr. Chairman, H.R. 285 moves the Department of Homeland Security in 
the direction of addressing these three challenges. It is especially 
helpful simply because it applies more attention to cyber security. 
ISAlliance members want to work with the Committee and the Department 
to assure that the good intentions expressed in this document become a 
reality that strengthens America's ability to prevent attacks against 
our networks and to make them strong enough to withstand any attacks 
that do come our way.
    I appreciate the opportunity to bring our views before you today, 
and I am happy to take any questions you may have.

    Mr. Lungren. I thank all of you for your testimony. I would 
just like to ask a question of all of you, and that is it is 
premised on the fact that this hearing, while it is a hearing 
on a particular bill, is actually part of oversight in a sense. 
If we didn't think we needed a bill like this, we wouldn't be 
doing it for a position there.
    So I would ask this, and I would just go down right to 
left, starting with Mr. Silva, and asking each of you, do you 
believe there is a sense of urgency to pass this bill so that 
it prods DHS to do what everyone seems to suggest we want DHS 
to be doing? Mr. Silva?
    Mr. Silva. Well, Mr. Chairman, I think that the sooner we 
start, if you will, getting on the ball with the cybersecurity 
issues, I think the better. Decisions around this have sort of 
floundered for long enough. The longer we wait, the longer this 
is going to linger as an issue and potentially lose interest. I 
think the sooner you could get this passed, I think it will 
express to the Department how urgent you feel this issue is. 
With our support, I think we will also reinforce that as well.
    Mr. Lungren. Ms. Allen.
    Ms. Allen. Yes. I do think there is a sense of urgency, 
first of all because of the escalation of attacks that are 
occurring; secondly, because we need leadership from the 
government; and, thirdly, I think, as said before, we have the 
potential of having a digital Pearl Harbor, and we want to 
avoid that.
    Mr. Lungren. Mr. Kurtz. Everybody trying to share a 
computer monitor.
    Mr. Kurtz. Yes. Simply stated, I think it is urgent that we 
seek passage of this. It has been 2 years since the National 
Strategy was issued. We have a crisis of organization and 
prioritization at DHS with regard to cybersecurity, and it 
would be nice if we could do this and not have to learn the 
hard way.
    Having an assistant secretary will help develop those 
programs and plans and the communications issues in order for 
us, when we have an eventual attack, work out of it more 
cleanly than we are in a position now.
    Mr. Lungren. Thank you.
    Mr. Miller.
    Mr. Miller. Yes.
    Mr. Lungren. Thank you.
    Mr. Yoran.
    Mr. Yoran. I am a cybersecurity strategist and operator. 
Just to point out the obvious, I am not particularly well 
versed in legislative process or motive. All of the fundamental 
concepts represented in this bill are well informed and 
constructive, and should be dealt with with the sense of 
urgency that they deserve.
    Mr. Lungren. Well, let me ask you this. From your 
testimony, it doesn't sound to me like you think that it is 
right now receiving, that is the issue of cybersecurity, the 
kind of urgency, the kind of priority that is necessary. Would 
that be a correct characterization of your feeling?
    Mr. Yoran. I would say that the threat against our Nation 
and our Nation's vulnerability to cyberattacks is increasing at 
a rate that is faster than the problem is being dealt with.
    Mr. Lungren. Let me ask you this then, Mr. Yoran. If I were 
to ask you what the top three priorities would be, if we were 
to establish an Assistant Secretary of Cybersecurity, what 
would you say they would be; the most important priorities that 
we need right now to address from the standpoint of DHS, and, 
if this law passes, within the personification of this person 
as Assistant Secretary For Cybersecurity?
    Mr. Yoran. Mr. Chairman, I believe that the single top 
priority for an assistant secretary, should one be created, 
would be to refine the Department's mission statement around 
the area of cybersecurity to go beyond the National Strategy 
and get to more specificity around what activities are under 
way within the Department, and also to point government 
counterparts as well as private sector counterparts to other 
components of the Federal Government which are playing an 
active role in our Nation's defense from cybersecurity threats. 
So that single top priority would be to refine the mission 
statement.
    The second would be to integrate cybersecurity activities 
and priorities into and across all of the various programs of 
the Department of Homeland Security and across the Federal 
Government. So to the extent that cybersecurity and physical 
security risks have not been fully integrated and fully brought 
to the table to address vulnerabilities which may exist, I 
think that would be a top--a second priority for an assistant 
secretary.
    The third would be in the area of resource allocation, once 
the mission definition has been refined; once more active 
participation has been integrated into various protection 
programs of the Department and across the Federal Government, 
to look at the resource allocation challenges and determine if 
the resources are sufficient for dealing with the refined 
mission and requirements.
    Mr. Lungren. Thank you. My 5 minutes are up.
    So Ms. Sanchez is recognized for 5 minutes of questions.
    Ms. Sanchez. Thank you, Mr. Chairman, and thank you all for 
testifying once again.
    I actually think that the whole arena of cybersecurity is 
so large and so vast and with so many things being so 
interconnected that it is just an incredibly overwhelming job. 
I represent Newport Beach, Santa Ana, Irvine area in Orange 
County, which, you know, is one of the top places for white-
collar crime, most of it involving either telephone or 
computer. So it is just so overwhelming when my law enforcement 
officials tell me about all the scams that go on and the way 
that people get taken.
    My question is about the identity theft that is going on 
in, like, for example, the ChoicePoint situation that we 
recently had. What do you think that a new Assistant Secretary 
of Cybersecurity should do or can begin to do to address some 
of these just large databases that exist that can be either 
broken into or that you can pay $9.95 and find out everything 
you ever wanted to know about Loretta Sanchez, including her 
Social Security number, bank account and name of her kitty cat, 
et cetera? What are we going to do about that? Do you have any 
suggestions? I think that is just one of the scariest things 
that I see out there on the horizon for us. Any of you have any 
ideas on that?
    Mr. Miller. I think, Congresswoman, you have addressed a 
critical point. I think this is an example, again, where the 
assistant secretary position would make a difference, because 
what you are in need of is partnership between government and 
industry; having an assistant secretary there to work with the 
Treasury Department, with organizations like Ms. Allen's 
organization and others in the financial services industry and 
others to come up with an aggressive process that protects 
these data better, protects the citizens and the consumers 
whose data are at risk without harming electronic commerce, 
without making electronic transactions impossible to actually 
conduct.
    Having someone at the assistant secretary level could 
convene a meeting along with his level, along with his or her 
colleagues and the other relevant agencies, as well as the 
Federal Trade Commission and Department of Treasury. But again, 
it is very hard to do that. It is very hard to have someone who 
is the head of the division to have internal clout to bring all 
the parties together and/or, frankly, to bring all the members 
of the industry together. So by passing this legislation that 
has been crafted by Congresswoman Lofgren and Mr. Thornberry, 
then you get the kind of clout you need to make these 
partnerships happen.
    Ms. Sanchez. Thank you.
    Anybody else on that?
    Mr. Kurtz. I will expand briefly on what Harris has 
described. I think a lot of this comes down to leadership and 
having that focal point within the Department that other 
agencies can look at across the Federal Government, as well as 
individuals in the private sector. And that is absent now. That 
is why we have this drift.
    Now, is the Department of Homeland Security ultimately 
responsible for removing all spyware or stopping all phishing 
and stopping all data warehouse issues? I would argue, frankly, 
no, at the end of the day. They have a leadership role, but 
that is largely the responsibility of the private sector. But, 
nonetheless, we need that focal point and leader within a 
department that people can turn to to pull together that 
overall strategy.
    I would contend that the key priorities for the Department 
remain identifying that critical infrastructure that is so 
important to our economic and national security and working on 
communications, contingency plans, recovery plans. That is 
consistent with the mission of the Department; and that, to me, 
is what is absent today at the Department of Homeland Security.
    Ms. Allen. I would just say I think there is a role for the 
DHS to play. Certainly on the identity theft issue, just as you 
said, it is a very complex issue. That is a crime that comes 
out of software vulnerabilities. It is a crime that comes out 
of processes that may be lax. It is something that is just not 
a financial services issue. And certainly our regulators are 
very active and very strongly supporting those kinds of 
processes and technology changes that will help address some of 
the issues.
    The problem is the data is out there. You can go on the 
Internet in a very short period of time and find out everything 
that you need to know about you. So the Internet has 
exacerbated the problem by making it easier to pull this 
information together. So it is a combination of educating, 
preparing people and consumers and businesses to understand 
what these threats are and how to prevent them from either a 
process or a technology point of view. It is a point of going 
after the software vulnerabilities and encouraging the 
providers of IT to close those gaps. It is an issue of best 
practices and policies that can be instituted in all kinds of 
institutions. And, most important, it is support of law 
enforcement, the people that are talking to you, letting them 
have both the knowledge and the resources to go after these 
fraudsters.
    Ms. Sanchez. Thank you.
    Thank you, Mr. Chairman, for the time. I appreciate it.
    Mr. Lungren. Thank you.
    And now the Chair recognizes the Chairman of the full 
committee, Mr. Cox.
    Mr. Cox. I thank the Chairman.
    I want to thank, once again, each of our witnesses for your 
outstanding presentations.
    I want to ask about the National Computer Security Division 
and ask you whether or not you agree or disagree with the 
position of the previous assistant secretary of homeland 
security for information analysis and infrastructure 
protection, who told us that keeping the National Computer 
Security Division under the assistant secretary for 
infrastructure protection was the correct thing to do. In the 
assistant secretary's view, its placement there allowed better 
integration of efforts to protect critical infrastructure from 
both physical and cyberthreats.
    Do you agree or disagree with this position and why? And 
can you also add to that whether you see any ways to address 
perceived problems with integration? And, finally, could that 
integration occur at a higher level?
    Yes, Mr. Kurtz.
    Mr. Kurtz. I would respectfully disagree with the previous 
assistant secretary. I think the elegance of the bill that has 
been put together is that you don't lose the integration in 
what has been proposed. Under the bill, you have created a new 
assistant secretary that focuses on cybersecurity who works 
alongside an assistant secretary who presumably is working on 
physical security, and you have your information analysis 
assistant secretary working there as well. So you have three 
assistant secretaries working under an under secretary, and the 
under secretary can work to integrate programs and policies as 
appropriate.
    So I think, you know, in my written remarks, in my oral 
remarks, I also think there is a fundamental misunderstanding 
of how we defend information networks versus physical assets 
which we require a different set of skill set. It is far more 
complex, I would argue, than securing a physical 
infrastructure. So I would--.
    Mr. Cox. And are you of the view that NCS would come under 
the new assistant secretary?
    Mr. Kurtz. Most definitely, especially with the integration 
voice and data networks. I think it would be a mistake to leave 
the NCS out to the side.
    I would note that when we talk about priority 
communications, which are the responsibility of the NCS, if you 
were to set that to the side in a VOIP environment, it would be 
very difficult and cumbersome to coordinate downstream. You 
need to--we need to recognize the confluence of telecom and IP 
networks and have the leadership in place to take care of it.
    Ms. Allen. I would respectfully disagree, also. The reason 
is it is a different skill set in cybersecurity; and it is much 
more complex, as Paul mentioned, to understand the 
cybersecurity issues. And in a way the model of how the public-
private sector works together is one of cooperation and 
collaboration. I don't see why that can't occur within the 
Department of Homeland Security; and I think it would be 
important for Congress to reward success in collaboration and 
problem solving and working together, as opposed to having silo 
approaches.
    Lastly, let me address--the NCS I think is a fabulous 
organization. BITS has worked very closely with them on the 
telecom redundancy and diversity issues. They have been a key 
player in addressing some of the problems that we had after 
9/11 with the business continuity issues, with the telecom 
industry, and I think they belong under the cybersecurity 
arena.
    Mr. Cox. Mr. Miller.
    Mr. Miller. Mr. Cox, the other point I would add, I totally 
agree with my colleagues, with all due respect to the former 
assistant secretary's view. But in addition why this is so 
important is the reason that Ms. Allen brought up so eloquently 
in her testimony is the cross-sectorial work. Not having an 
assistant secretary to bring the other government agencies 
together and get them to focus more on cyber in addition to 
physical is a problem.
    Until yesterday, when my tenure ended, I spent the last 16 
months chairing the Partnership For Critical Infrastructure 
Security, which is an organization of private sector 
representatives of each of the critical sectors. Until I 
brought Mr. Yoran to speak before them about a year and a half 
ago at one of our meetings, many of those other sectors had 
never even thought about the cyber issue, Ms. Allen's 
organization's being a great exception, because financial 
services does and telecommunications does, but many of the 
other sectors hadn't even thought about these issues. And the 
government agencies with which they liaise, Mr. Chairman, a lot 
of them don't have expertise internally. Having an assistant 
secretary at the Department of Homeland Security can help the 
other agencies do a better job in terms of working with these 
other critical sectors.
    Mr. Cox. I just want to note, Mr. Chairman, that the 
legislation that is before us would in fact give the assistant 
secretary primary authority within the Department over the 
National Communications System.
    My time has expired.
    Mr. Lungren. I thank you.
    The Chair now recognizes the ranking member of the full 
committee, Mr. Thompson.
    Mr. Thompson. Thank you, Mr. Chairman; I have an opening 
statement that I want to include in the record, rather, now at 
this time.
    [The statement of Mr. Thompson follows:]

 Prepared Statement of the Honorable Bennie Thompson, Ranking Member, 
                     Committee on Homeland Security

    Thank you Mr. Chairman, Ranking Member Sanchez. I am glad we are 
here today to consider this important legislation.
    H.R. 285 is an important step in fixing a very big problem at the 
Department of Homeland Security. It is clear from the Department's 
actions over the past two years that it does not consider cybersecurity 
to be an important issue.
    For example, the last Director of the National Cybersecurity 
Division, Mr. Amit Yoran who is with us today, left last Fall--and the 
Department has still made no attempt to identify a replacement.
    In addition, the Department has moved slowly, if at all, to 
implement the goals set out in the National Strategy to Secure 
Cyberspace.
    This inaction is inexcusable. Cybersecurity is about more than just 
the world of computers and hackers. In the 21st century, the prosperity 
of each and every American is dependent in one way or another on 
information technology, and those systems must be protected against 
breaches like the ones experienced by LexisNexis or ChoicePoint.
    Vital assets such as the electric power grid, gas pipelines, 
nuclear power plants, and our air traffic control systems rely on the 
cyber infrastructure for operation. This is also true of vital 
government and military systems. With the ever-changing threats facing 
our cyber infrastructure, time is of the essence.
    It is hard for me to understand how the Administration can be so 
reluctant on this issue, given the overwhelming support by the private 
sector, our colleagues across the aisle, and the Democrats in Congress.
    Today, as we hear from the private sector, I hope to hear 
suggestions as to how the Department of Homeland Security can improve 
its strategy, management skills, and resource allocation to get the job 
done.
    We also need to know whether, from your perspective, you think that 
the government is living up to its obligation in this public-private 
partnership. Is there someone in the government devoting 24 hours a 
day, 7 days a week to cybersecurity? If a cyberattack were to happen 
today, would we be ready for it?
    When it comes to ensuring cybersecurity, I believe that government 
and industry must work together closely, and that this effort requires 
attention at the highest level in both the public and private sectors.
    We can develop a culture of security within our computer networks 
and ensure our national security. But first, we must have effective 
leadership on cybersecurity issues at the Department and we must have 
that leadership now.
    That is why I urge my colleagues, during the markup of H.R. 285 
later today, to vote for this critical legislation. Thank you.

    Mr. Thompson. Let me first compliment and congratulate Mr. 
Silva for his promotion. We all could benefit from such lofty 
movement. Congratulations.
    And I want to compliment Ms. Lofgren and Mr. Thornberry for 
this bill. It is a wonderful bill. We have tried for a while to 
make it happen. There is no question about the fact that we 
need to elevate the position. In Washington, unless you are at 
a certain level, people don't pay you much attention. I think 
clearly the issue of cybersecurity has not been given the level 
of attention that it should have, and hopefully we will correct 
it.
    With respect to merging cyber and physical infrastructure, 
is that something that individually you all see as something 
that is very positive for what is going on, or how do you see 
those two issues?
    Mr. Silva. I think we can't overlook the need to have at 
least close collaboration between the physical and the cyber 
side. I think, as my colleagues have already pointed out, there 
are clearly different disciplines there, but to spin cyber 
separate from physical I think would probably--I think what we 
don't want to do is we don't want to create too much of a 
disconnect between those two, because there is a relationship 
between the physical and the cyber, and I think it shouldn't be 
ignored. As we said in our testimony, or as I said in my 
testimony, it is very important that the leaders of both of 
those organizations, physical and cyber, be empowered 
individuals and be able to work closely together and coordinate 
their efforts in such a way that we don't sacrifice one for the 
other.
    Mr. Thompson. Ms. Allen.
    Ms. Allen. I think that there is an interdependency. 
Certainly, the systems that run much of our critical 
infrastructure are run off the same operating system that the 
financial services runs, that the first responders run. So we 
have to understand the interdependency that our industries, the 
physical industries have on the IT industry, the software 
operating systems, on the telecommunications and the power 
industries. Because if they are down or if there is a cascading 
effect of them being down, our physical structures as well as 
our cyberstructures are going to be--we will not be able to 
communicate. So I do think there need to be separate assistant 
secretary level positions, but I do think there needs to be the 
collaboration and cooperation in addressing the issues.
    Mr. Kurtz. I would essentially agree with what Cathy has 
just pointed out. I think there is--if you pictured a physical 
infrastructure in one circle and the cyberinfrastructure in 
another, there is certainly some overlap between the two. But 
the disciplines through which you use to protect those 
infrastructures, to defend those infrastructures are very 
different. So, on the whole, yeah, there needs to be that 
integration under an under secretary type individual, but there 
are different disciplines involved in protection and defense.
    Mr. Yoran. Sir, I would point out that, just as battle 
plans may include elements of air power, armor, sea power, 
intelligence, similarly we need integrated risk management 
practices. But all of those disciplines are highly specialized 
in and of themselves and need to remain specialized in order to 
be effective.
    I would also--if I could just take a second or two to 
answer the previous question with a slightly different 
perspective, and that is it may have been possible that at the 
initial phases of the National Cyber Security Division it was a 
more effective strategy to make it part of infrastructure 
protection. Simply put, there was no organization. It was a 
from-ground-zero startup. We had to go in and recruit the 
individuals, and having a larger organization to participate in 
may have facilitated some growth and enabled us to build and 
accomplish what we were able to accomplish.
    As Secretary Chertoff moves into his second stage review, I 
would say we also need to look at how in the current 
environment, not with legacy perspectives, we can integrate our 
cybercapabilities into a holistic risk management practice. 
This means having cybersecurity at the table along with 
physical security and participating in the grant programs, the 
emergency planning and readiness programs, the Office of 
Domestic Preparedness, and State and local programs across the 
Department and, just as importantly, alongside other 
departments and agencies. Many of the issues and challenges 
mentioned earlier by my counterparts include many policy 
coordination roles in which the FDC, the Department of State, 
the Department of Justice, and Commerce have a primary 
regulatory or significant stake.
    Mr. Lungren. Thank you very much.
    The gentleman Mr. Pearce is recognized.
    Mr. Pearce. Thank you, Mr. Chairman.
    Ms. Allen, you had stated that investor confidence and 
reliability of information systems are linked to the security 
and reliability. What countries are excelling in that 
particular relationship today, in security and reliability?
    Ms. Allen. Well, the U.S. has the leadership. Even though 
we have headlines about breaches or problems that we have with 
cybersecurity, the U.S. has the most sophisticated people in 
terms of information security and IT. So if you look at best 
practices or you look at the development of software, anti-
intrusion software or other types of software that help to 
prevent or identify breaches, it is mostly U.S. based.
    Mr. Pearce. Also, it would be useful to know, if I were to 
look at the nearest competition, how many laps behind us are 
they? Are they catching up, or is the rest of the world moving? 
Because as we look at the flows of financial capital, this is 
going to be the determining factor.
    Ms. Allen. That is right. In the U.S., we fortunately have 
a good reputation in terms of the--and because of all the 
regulation that we have of the financial community and the 
economic system; and I think we will continue to enjoy that. 
The U.S. is light years ahead of regulators in other countries 
around regulating us against or for information security, 
information technology, all of the issues that help us to 
provide safety and soundness. So we are far ahead of any other 
country in that area.
    There are other countries, however, that have the 
leadership role, so to speak, in the bad guys, the hackers and 
the countries where the ISPs, the Internet service providers, 
are not regulated or there is not oversight.
    So I think we have a challenge in the U.S. to not only 
maintain leadership to maintain our economic livelihood, but we 
also have a challenge to help bring the other regulators and 
the other countries up to speed on these issues, and to help--
to cooperate with them to go after the fraudsters and the 
hackers and the criminals.
    Mr. Pearce. Sure. Actually, the flows of financial capital 
have actually disciplined them very well. I am not so concerned 
that we bring them up, because simply the evaporation of 
capital from them as they fail to do their own internal 
strengthening is going to accomplish that. And we saw that even 
in the recent trip to South America and to some of the 
countries that have turned sharply to the left. Their political 
climate shifted to the left, but their business advisers, their 
economic advisers stayed solidly in the business sector. And 
that is with realization that we can talk what we want to in 
politics, but we had better keep our financial house moving 
forward.
    You talked somewhat in your written testimony about market 
incentives, and I have got one more question for Mr. Silva. So 
if you could give me a very brief description of the market 
incentives that you see available for these functions.
    Ms. Allen. I think both R&D dollars that could help to 
encourage the development of technologies. Because, in the end, 
we are going to have to address this partially as a 
technological issue, the ability to have software that will 
counteract what is happening.
    I think a second is tax incentives to build the critical 
infrastructures. Again, I come back to the telecommunications 
industry as one where we are all reliant on their diversity and 
resiliency, and we need--they are in dire need of help to 
develop that capability.
    Mr. Pearce. Thank you.
    Mr. Silva, you talk about the essential information sharing 
and the fact that it has been hindered by the complex 
bureaucratic structure that mostly is worried about protecting 
people from lawsuits. How can we basically see that the new 
structure is free from those constraints?
    Mr. Silva. I think that particularly--some of this had been 
addressed a couple of years ago with some of the protections 
for FOIA protection and some other areas. But the problem is 
that when organizations want to share information with the 
government, the government either has to make it available to 
all of them or, if it chooses to provide that information only 
to a select few, then there are going to be issues that arise 
from that.
    I mean, there are so many different organizations; and what 
tends to happen is when the information--whenever we create a 
new sharing relationship with an organization that seems to be 
at the exclusion of the other organizations--and this is very 
confusing to the various organizations. In fact, if you want to 
have your bases covered, you have to sort of join every 
organization to make sure that you are covered, and it is quite 
confusing. If the Department can establish a unified policy of 
sharing across the board with all of the organizations that are 
relevant, then I think that would go a long ways to solving 
that problem.
    Mr. Pearce. Thank you. Thank you, Mr. Chairman.
    Mr. Lungren. The gentlelady from California, Ms. Lofgren.
    Ms. Lofgren. Thank you, Mr. Chairman. And I will be brief 
because I think the witnesses have covered the issues very well 
and thoroughly.
    I would just note, as I said in my opening statement, that 
the staff on the subcommittee in the last Congress worked very 
hard and together. I mentioned Mr. Thornberry's excellent 
staff; and I see that Jessica Herrera, who was his Democratic 
staffer, has also come. She also did a fabulous job, and I 
would like to publicly add my thanks to her along with Mr. 
Thornberry's staff.
    As some of the witnesses have mentioned, there is much to 
do, I mean, from identifying and prioritizing the critical 
infrastructure in the cyberspace, to increased funding, to 
implementing the strategy. I mean, we are behind where we 
should be as a nation. And this bill alone doesn't solve that 
problem. What it does is set the stage to solve that problem, I 
believe.
    We in the Congress cannot do the hire for this position. 
That would be inappropriate. But I think that we will give the 
Department an essential tool to recruit an excellent person, 
because the assistant secretary will have the clout and the 
prestige and the authority to actually get the job done. I 
think that has been a frustration for those in the Department 
who have worked hard and who are smart people and who are 
skillful, but they haven't really had the ability to use their 
talents to move the country forward in a way that is so 
important.
    Mr. Thornberry and I, at the end of the last Congress in 
December, issued a report of the activities and findings of the 
cybersecurity subcommittee, and I think some of the issues 
raised here today are really covered in that report in the to 
do list. I am hopeful that this subcommittee, although we have 
a very wide range of responsibilities, that we will have the 
time to schedule some hearings and some oversight on the 
elements that Mr. Thornberry and I identified in the last 
Congress.
    The General Accounting Office is coming back with reports 
to us on some of the issues. One I think has just been received 
in draft form, and we will be receiving another. They are very 
helpful. We know that we need to pay some attention to whether 
or not we need to act to provide incentives for market 
solutions. I mean, there are differences of opinion that are 
valid, but we need--we have not seen the market move forward in 
the way that we had expected. I think we need to explore why 
that has happened and whether there is anything we can or 
should do about that.
    The one thing we do know is that we don't want a heavy 
legislative regulatory approach to this, because our lawmaking 
will never catch up with the code writers. I mean, we really 
need to use market incentives in the leadership of the Federal 
Government in ways that are successful.
    There isn't enough time to really go through how much needs 
to be done. In addition to the reach efforts that have been 
mentioned here, I am very grateful to NSF for stepping up to 
the bat, but clearly there are things that the Department needs 
to do. So I am pleased to be here today. I look forward to the 
markup later today, and I would yield back the balance of my 
time with thanks, Mr. Chairman.
    Mr. Lungren. Thank you very much.
    Mr. Jindal.
    Mr. Jindal. I have two quick questions. The first was 
regarding--Ms. Allen talked about the international 
marketplace, international response to the issue of 
cyberterrorism. I am wondering, is there a need for more 
coordinated international response given the fact that maybe 
attacks may be launched abroad because of the lack of 
protection overseas? Is there more that could be done? Or what 
can be done?
    And the second question--I will go ahead and ask both my 
questions, also building on this question, about the legal 
liability. My question was, how is the insurance industry 
responding to this? Have they created products for the private 
sector to insure against these kinds of risks? If they haven't, 
what can we do to help integration of those products?
    Ms. Allen. I am going to answer both quickly, and I am 
going to defer to Paul on one of the issues of what we can do 
on an international basis.
    The answer is, yes, there is much more that we need to do 
on an international basis, not only cooperation with the laws 
but also with law enforcement. Most of the phishing attacks 
that occur in the U.S. are launched from overseas. Most of the 
phishing attacks that come from the U.S. are launched on 
overseas institutions, and we have got to cooperate and try to 
shut down these fraudsters. So it is a higher level of 
cooperation; and I know Paul will tell you exactly, or at least 
one way to do that.
    Secondly, on your question on market incentives. Yes, the 
insurance industry is developing products that will help to 
ensure best practices or appropriate behaviors of institutions, 
not just financial institutions, but all institutions, 
practices in cybersecurity. I think most of you know, on the 
legal liability side, the financial institutions are by law 
required to make all customers whole if there is any problem in 
an electronic delivery or an electronic transaction. Not all 
other countries have that same restriction. So it is also one 
of the things that makes us a target for potential fraud. There 
is much to do here, but we are looking at market incentives 
from the insurance industry to help move companies along.
    Mr. Jindal. Thank you.
    Mr. Silva. So, while I have the mike on my end, actually, 
some of the insurance companies have started market incentives 
already. In fact, AIG, which is one of our member companies, 
actually offers discounts to companies that adhere to a set of 
best practices. Now, while this is certainly not an end all to 
everything, I think it is an example of a market incentive 
which has a very positive effect and I think offers a 
reasonable reward to companies that are willing to take the 
steps. So I think that it is just starting. It is just 
starting.
    Mr. Miller. On the international, just coincidentally this 
week there is actually a meeting going on in Delhi between 
officials of the U.S. government, the Indian government, the 
U.S. IT industry, the U.S. financial services industry, and the 
industry of India, because India has become such a destination 
for so much offshore work.
    But I would certainly agree, we are really in the infancy 
in the international cooperation. In addition to my chairing 
the U.S. IT association, I chair an international organization 
which is 65 countries. I spend a lot of time traveling around 
the world. And this issue simply hasn't raised itself at a 
higher level in other countries.
    In the IT industry, and most customers, as Ms. Allen said 
in an earlier response to Mr. Pearce's question, certainly in 
the financial services industry, the U.S. is far ahead.
    And, again, while the DHS has domestic responsibility, I 
would contend that having an assistant secretary--to come back 
to the purpose of the hearing--would help to elevate the issue. 
The State Department is doing some good work in holding 
bilateral meetings with other countries around the world. The 
Department of Justice, the Cyber Crime Division, has been doing 
some work with the G8 and other countries. But I think having 
someone at DHS at a higher position would help the 
internationalization of the need to collaborate on these 
issues.
    Mr. Kurtz. I will just expand on what has been said.
    I worked a lot on international issues when I was at the 
White House and did some of the initial trips at India and 
other places to foster international cooperation. At the time, 
we had a good pedestal to stand on. We had a national 
cybersecurity czar. We had a special adviser to the President. 
We don't have that now. It is hard for us to make the point to 
other countries that they need to organize and react when we 
ourselves are not in the position we used to be. This is where 
I go to Harris's point. Having an assistant secretary would 
help us in this space.
    Second point, the Council of Europe Convention on Cyber 
Crime, negotiated under President Clinton, signed under 
President Bush, it is in with the Senate. We would urge 
ratification of the Council of Europe Convention on Cyber 
Crime. I believe Business Software Alliance, ITAA, BITS, and a 
few other organizations have come together to say, to urge for 
ratification of this convention. What will that do? It will put 
in place that global framework for us to go after--excuse 
me, for law enforcement to go after and prosecute 
cybercriminals abroad. We don't have that framework now.
    Finally, on the insurance question. There is insurance out 
there. I think the problem has been there is no actuarial data 
available, or very little, which means there needs to be some 
sort of best practice or standard put in place. And I think 
until we have that best practice or standard in place that can 
be more widely adopted, we aren't going to see the insurance 
industry be all it can be, if you will, in that space.
    Mr. Jindal. Thank you.
    Mr. Lungren. The gentleman's time has expired.
    We thank all the panelists, all the witnesses for their 
valuable testimony and the members for their questions. Members 
of the committee may have some additional questions for the 
witnesses, and they may submit them in writing to you. We would 
ask you to respond to them, if you can.
    The hearing record will be held open for 10 days.
    The subcommittee stands adjourned. We are going to be 
meeting at 2:00 for markup on this. Thank you very much.
    [Whereupon, at 12:36 p.m., the subcommittee was adjourned.]


                            A P P E N D I X

                   Material Submitted For the Record

Questions Submitted by the Honorable James R. Langevin for Catherine A. 
                                 Allen

    Question 1: One thing I have heard consistently over the past two 
years is that government regulation is the wrong way to bolster cyber 
security. The argument is that the government cannot move nearly as 
rapidly as market forces where it comes to information systems and 
security. Best practices are frequently used to demonstrate how the 
private sector is working to encourage a culture of security, except 
that it seems they are not updated as often as may be needed. This begs 
the question of whether these should be standardized by a group like 
NIST or not. I would like the panel's honest assessment of what the 
government's role in cybersecurity is.
    Answer 1: Financial institutions are heavily regulated and actively 
supervised at the federal level by the Federal Reserve, Federal Deposit 
Insurance Corporation, Office of the Comptroller of Currency, Office of 
Thrift Supervision, National Credit Union Administration, and the 
Securities and Exchange Commission and at the state level by numerous 
state banking and insurance commissioners. In recent years, these 
regulators have stepped up their oversight on business continuity, 
information security, third party service providers, and critical 
infrastructure protection. The financial services industry is working 
consistently and diligently to comply with new regulations and ongoing 
examinations. In addition, BITS and other industry associations have 
developed and disseminated voluntary guidelines and best practices as 
part of a coordinated effort to strengthen all critical players in the 
financial sector.
    The financial services industry has been aggressive in its efforts 
to strengthen cyber security. We are sharing information, analyzing 
threats, urging the software and technology companies to do more to 
provide more secure products and services, and to combat fraud and 
identity theft.
    Regardless of how well financial institutions respond to 
regulations, we simply cannot address these problems alone. Our 
partners in other critical industry sectors--particularly the 
telecommunications and software industries which are not regulated from 
a safety and soundness or data protection perspective--must do their 
fair share to ensure the soundness of our nation's critical 
infrastructure.
    Our nation's economic and national security relies on the security, 
reliability, recoverability, continuity, and maintenance of information 
systems. IT security has a direct and profound impact on the government 
and private sectors, and the nation's critical infrastructure. Further, 
the security and reliability of information systems is increasingly 
linked to consumer and investor confidence. In recent years, members of 
the user community that rely on technology provided by the IT 
industry--private-sector companies, universities and government 
agencies--are demanding greater accountability for the security of IT 
products and services.
    The federal government can play an important role in protecting the 
nation's IT assets. The following are seven key elements that the U.S. 
government should support to secure information technology. I refer to 
these as PREPARE, which is an acronym based on the first letter of each 
element.
    Promote. Government can play an important role in promoting the 
importance of secure information technology. Also, government should do 
more to facilitate collaboration among critical infrastructure sectors 
and government. Some sectors, such as financial services, are heavily 
regulated and supervised to ensure that customer information is 
protected and that financial institutions operate in a safe and sound 
manner. Examples of actions the government can take include:
        • Government should lead by example by ensuring that the 
        issue of cyber security receives adequate attention in the 
        Department of Homeland Security. Today, cyber security is 
        handled at a level far below where most corporations handle 
        these issues. Congress could create a more senior-level policy 
        level position within DHS to address cyber security issues and 
        concerns and ensure that adequate funding is provided.
        • Strengthen information sharing coordination 
        mechanisms, such as the Information Sharing and Analysis 
        Centers (ISACs), by ensuring adequate funding is made available 
        to Federal agencies sponsoring such organizations. Information 
        sharing and trend analysis within a sector is essential to 
        protecting information security and responding to events. 
        Information sharing among sectors is equally important as cyber 
        threats sometimes reach some sectors before others.
        • Create an emergency communication and reconstitution 
        system in the event of a major cyber attack or disruption of 
        information networks. Such an attack or disruption could 
        potentially cripple many of the primary communication channels. 
        To allow maximum efficiency of information dissemination to key 
        individuals in such an event, a thorough and systematic plan 
        should be in place. The financial services industry has 
        developed such a plan for industry-specific events in the BITS/
        FSR Crisis Communicator. Other organizations have developed 
        similar communication mechanisms. These emergency 
        communications programs should be examined as potential models 
        for a national cyber security emergency communication system.
        • Reform of the Common Criteria/National Information 
        Assurance Partnership (NIAP). The current software 
        certification process is costly, inefficient, used on a limited 
        basis by the Federal government, and virtually unknown to the 
        private sector. NIAP should be reformed so that it is more cost 
        effective for vendors to seek certification while ensuring 
        consistent Federal procurement practices and expanded 
        commercial adoption of NIAP-certified products. The BITS 
        Product Certification Program may well be able to serve as a 
        model.
    Responsibility. Government should promote shared responsibility 
between suppliers and end users for developing, deploying, and 
maintaining secure information networks. Government can play an 
important role in establishing incentives and making producers of 
software and hardware accountable for the quality of their products. 
Examples of actions the government can take include:
        • Provide tax or other incentives for achieving higher 
        levels of Common Criteria certification. Incremented incentives 
        would help to compensate companies for the time and cost of 
        certification. This should encourage certification and increase 
        the overall security of hardware and software.
        • Provide tax or other incentives for certification of 
        revised or updated versions of previously certified software. 
        Under Common Criteria, certification of updated versions is 
        costly and time consuming. Incentives are necessary to ensure 
        that all software is tested for security.
        • Require software providers to immediately notify ISACs 
        of newly discovered cyber threats and to provide updated 
        information on such threats until an effective patch is 
        provided. It is vital that critical infrastructure companies 
        receive immediate notice of serious vulnerabilities.
        • Establish requirements that improve the patch-
        management process to make it more secure and efficient and 
        less costly to organizations.
    Educate. Communicate to all users of information technology the 
importance of safe practices. Public confidence in e-commerce and e-
government is threatened by malicious code vulnerabilities, online 
fraud, phishing, spam, spyware, etc. Ensuring that users (home users, 
businesses of all sizes, and government) are aware of the risks and 
take appropriate precautions is an important role for government and 
the private sector. Examples of actions the government can take 
include:
        • Fund joint FTC/DHS consumer cyber security awareness 
        campaign. The FTC should focus its efforts on building consumer 
        awareness, and DHS should coordinate more detailed technical 
        education regarding specific serious threats. In addition, 
        government employees should be trained in proper cyber safety 
        measures.
        • Train government employees on proper cyber security 
        measures.
        • Educate corporate executives and officers regarding 
        their duties under Sarbanes-Oxley, GLBA, and HIPAA as they 
        relate to cyber security.
    Procure. Using its purchasing power and leveraging security 
requirements and best practices developed by the public and private 
sectors, government can play an important role in encouraging the IT 
industry to deliver and implement more secure systems. Examples of 
actions the government can take include:
        • Require high levels of cyber security in software 
        purchased by the government through procurement procedures. 
        Extend such requirements to software used by government 
        contractors, subcontractors, and suppliers.
        • Provide NIST with adequate resources to develop 
        minimum cyber security requirements for government procurement. 
        NIST should include software developers and other stakeholders 
        in the standard-creation process.
    Analyze. Government should collect information and analyze the 
costs and impact of information security risks, vulnerabilities and 
threats and provide this analysis to policy makers. Examples of actions 
the government can take include:
        • Assign to the Commerce Department or another 
        appropriate agency the responsibility of tracking and reporting 
        such costs and their impact on the economy. Measuring and 
        making these costs transparent will aid law makers and 
        regulators as they assign resources to cyber security programs.
    Research. Government can play an important role in funding R&D in 
the development of more secure software development practices, testing 
and certification programs. In addition, training future generations of 
programmers, technicians and business leaders that understand and 
manage information security can be accomplished by establishing 
university and educational/certification programs. Government can help 
by facilitating collaboration with the users and suppliers of IT to 
develop standards for safe practices. Examples of actions the 
government can take include:
        • Enhance DHS, NSF, and DARPA cyber security R&D 
        funding.
        • Carefully manage long- and short-term R&D to avoid 
        duplication.
        • Establish a mechanism to share educational training 
        and curricula.
    Enforce. Law enforcement must do more to enforce, investigate and 
prosecute cyber crimes here and abroad. Examples of actions the 
government can take include:
        • Ratify the Council of Europe's Convention on 
        Cybercrime.
        • Enhance criminal penalties for cyber crimes.
        • Make cyber crimes and identity theft enforcement a 
        priority among law enforcement agencies.
        • Encourage better coordination among law enforcement 
        agencies in order to detect trends.

    Question 2: If you do not want regulation, what do you want? Can 
DHS actually have an impact if it is only a coordinator and not an 
enforcer? Do you feel it is possible to draft regulations that would 
require minimum security standards, or would that encourage 
complacency?
    Answer 2: Financial institutions are heavily regulated so no 
additional regulation of financial institutions is warranted. Financial 
institutions view the question as how best to urge the software 
industry, telecommunications industry and power industry to take 
greater responsibility for their products and services. It is important 
for members of Congress and the Administration to recognize the 
dependence of all critical infrastructures on software operating 
systems and the Internet. Given this dependence, the Congress should 
encourage providers of software to the financial services industry to 
accept responsibility for the role their products and services play in 
supporting the nation's critical infrastructure. In so doing, Congress 
should support measures that make producers of software more 
accountable for the quality of their products and provide incentives 
such as tax incentives, cyber-insurance, liability/safe harbor/tort 
reform, and certification programs that encourage implementation of 
more secure software. Congress also could provide protection from U.S. 
antitrust laws for critical infrastructure industry groups that agree 
on baseline security specifications for the software and hardware that 
they purchase.
    In addition, DHS can encourage collaboration and coordination among 
other critical infrastructure sectors and government agencies to 
enhance the diversity and resiliency of the telecommunications 
infrastructure. For example, the government should ensure that critical 
telecommunications circuits are adequately protected and that 
redundancy and diversity in the telecommunications networks are 
assured. Further, the Congress should encourage law enforcement to 
prosecute cyber criminals and identity thieves, and publicize U.S. 
government efforts to do so. These efforts help to reassure the public 
and businesses that the Internet is a safe place and electronic 
commerce is an important part of the nation's economy.
    Since its creation in 2003, DHS has focused primarily on physical 
security. It has not focused enough attention on addressing cyber 
security concerns. Elevating the cyber security position is a small 
step as part of a broader strategy to strengthen cyber security. Cyber 
security issues are handled in the government at a level far below 
where most corporations in the private sector handle these issues 
today. Elevating this critical position and ensuring that adequate 
funding is provided will help to focus greater attention on cyber 
security issues within the government and throughout the private sector 
and thus implement many areas identified in the Administration's 
National Strategy to Secure Cyberspace.
    Since its creation, DHS has devoted substantial resources in 
bringing interested parties together to discuss cyber security risks. 
For example, DHS has hosted or supported fora to discuss steps that 
government and the private sector can and should do to mitigate cyber 
security risks. However, DHS has not devoted enough resources to 
address other key components of securing cyberspace. These include 
efforts to raise awareness of cyber security risks and steps consumers 
can take to protect themselves, facilitating collaboration among 
critical infrastructure sectors and government, strengthening 
information sharing coordination mechanisms, such as the Information 
Sharing and Analysis Centers (ISACs), reforming the Common Criteria/
National Information Assurance Partnership (NIAP), and urging the IT 
industry to take on greater responsibility for the security/quality of 
its products and services.

    Question 3: Ms. Allen, I would like to get your opinion on the 
recent joint rules made by the FDIC, Comptroller of the Currency and 
other agencies regarding data theft at financial institutions. Do you 
believe they overstepped their bounds by doing this? If so, how do you 
feel this growing problem should be dealt with?
    Answer 3: The federal financial regulators issued a final rule on 
customer notice breach requirements in March 2005 following a notice 
and comment period. About 80 organizations submitted comment letters, 
including BITS and The Financial Services Roundtable. Fortunately, the 
regulators responded to some of the concerns voiced in these comment 
letters. Consequently, the regulators provided greater flexibility for 
financial institutions when deciding when and how best to notify 
customers in response to a security breach.
    Notifying customers is a complicated and complex process and can, 
if poorly done, undermine confidence in the financial services 
industry. Care must be exercised in alerting consumers to steps they 
can take to protect themselves from ID theft and other forms of fraud 
while averting needless alarm.
    Members of BITS and The Financial Services Roundtable believe 
financial institutions have a strong track record in protecting 
customer information and in communicating with customers when security 
concerns arise. Protecting customer information is of paramount concern 
and our member institutions have taken a proactive approach in this 
regard. Examples of these efforts include the creation of the Identity 
Theft Assistance Center (ITAC) as well as BITS guidelines and best 
practices for reducing fraud, managing third party providers, engaging 
law enforcement agencies, and communicating with customers.
    We believe that financial institutions should have the flexibility 
to develop their own risk-based approaches toward dealing with 
unauthorized access to customer information, whether at their own 
operations or with a third party service provider, within the current 
guidelines set forth in section 501b of GLBA. For example, financial 
institutions should be given flexibility in determining a course of 
action when they ``flag'' and secure accounts that have been 
threatened.
    Efforts by various states and regulatory agencies raise significant 
implementation problems for financial institutions. In a transient 
society, notification should occur uniformly regardless of which state 
the consumer may live in. Moreover, inconsistent application of 
inconsistent state law inevitably creates a compliance nightmare for 
institutions with a multi-state presence.
    Members of BITS and The Roundtable believe it is important for 
legislators and regulators to adopt uniform national standards to avoid 
serious implementation problems and inconsistent applications. Our 
members also encourage legislators and regulators to mandate 
notification only when there is some indication that the breach 
actually has the potential to cause harm or injury. If harm is 
demonstrably contained, for example, and no risk really exists, there 
should not be any reason to notify and scare people. Moreover, we 
believe it is wise policy that legislators and regulators require 
companies that discover breaches in security to immediately notify law 
enforcement authorities, as well as consumer reporting agencies, so 
that law enforcement authority can get a jump on any existing 
criminality and Credit Reporting Agencies may be better prepared for 
the potential volume of consumer inquiries about the impact of any 
breach on consumer credit history. Further, BITS and the Roundtable 
support measures to impose caps on damages. Any allowable damages 
should have firm caps and there should be no damages absent a showing 
of intent or actual harm. Absent negligence, an affirmative defense 
should be available if the company can demonstrate that it is a victim 
of fraud. Other measures include providing ``safe harbors'' from 
lawsuits for companies if they have instituted reasonable internal 
notification procedures.

  Questions Submitted by the Honorable Daniel Lungren for Paul B. Kurtz

    Question 1: What is the Government's role in cybersecurity? If you 
don't want regulation, what do you want? Can DHS actually have an 
impact if it is only a coordinator and not an enforcer? Do you feel it 
is possible to draft regulations that would require minimum security 
standards, or would that encourage complacency?

Government's Role in Cybersecurity
    The Federal Government is positioned to assist with forensics, 
attack attribution, protection of networks and systems critical to 
national security, indications and warnings, and protection against 
organized attacks capable of inflicting debilitating damage to the 
economy. Additionally, Federal activities should also support research 
and development that will enable the private sector to better secure 
privately-owned portions of the nation's critical infrastructure.

    Three Federal documents provide a framework for Federal 
responsibilities to secure cyberspace:
        • The President's National Strategy to Secure Cyberspace 
        (February 14, 2003)
        • Homeland Security Presidential Directive-7 (HSPD-7) 
        (December 17, 2003)
        • The National Response Plan's Cyber Incident Annex 
        (January 6, 2005)
    The President's National Strategy to Secure Cyberspace provides 
clear policy guidance on the Federal government's role: ``The policy of 
the United States is to protect against the debilitating disruption of 
the operation of information systems for critical infrastructures and, 
thereby, to help protect the people, economy, and national security of 
the United States. . . We must act to reduce our vulnerabilities to 
these threats before they can be exploited to damage the cyber systems 
supporting our nation's critical infrastructure and ensure that such 
disruptions of cyberspace are infrequent, of minimal duration, 
manageable and cause the least damage possible.''
    HSPD-7 establishes the U.S. government's policy for the 
identification and protection of critical infrastructure from terrorist 
attacks. It focuses in large part on the identification and protection 
of assets that would cause catastrophic health effects or mass 
casualties if attacked, comparable to those from the use of a weapon of 
mass destruction.
    Finally, The National Response Plan's Cyber Incident Annex upholds 
the President's National Strategy to Secure Cyberspace and HSPD-7. The 
NRP Cyber Incident Annex states that the Federal government plays a 
significant role in managing intergovernmental coordination (Federal, 
state, local and tribal) and, where appropriate, public-private 
coordination in response to cyber incidents of national significance.
    Ultimately, Federal activity is bounded by these three documents to 
protecting against debilitating attacks against critical 
infrastructure, attack attribution for national security systems, 
forensics, and research and development.

The DHS Impact
    The Department of Homeland Security (DHS), as designated by HSPD-7 
and the National Strategy, is the government's focal point for 
prevention, response and recovery from cyber security incidents that 
have a debilitating impact on our national and economic security. The 
Strategy sets specific responsibilities for the DHS, including:
    • Developing a comprehensive plan to secure critical 
infrastructure
    • Coordinating with other Federal agencies to provide 
specific warning information and advice about appropriate protective 
measures and countermeasures to state, local and nongovernmental 
organizations including the private sector, academia and the public.
    DHS's responsibilities in the area of cyber security, although 
narrowly defined, are extremely significant to our economic and 
national security. DHS serves as the point of coordination for all 
government and national efforts. Senior DHS leadership, at the 
Assistant Secretary level or higher, is needed to build an effective 
government-private sector relationship, to understand the technical and 
global complexities of cyber security, and to marshal the resources 
necessary to provide an effective partnership with private sector 
organizations and initiatives.

Regulation
    Regulation is difficult, due to rapid technology changes, and 
regulation can also stymie innovation. A report from the Business 
Roundtable (BRT) states, ``traditional regulations directing how 
companies should configure their information systems and networks could 
discourage more effective and successful efforts by driving cyber 
security practices to a lowest common denominator, which evolving 
technology would quickly marginalize.'' A regulatory approach could 
result in more homogeneous security architectures that are less secure 
than those currently deployed. Given the complexity and dynamism of 
cyberspace, the marketplace will provide in most cases the necessary 
impetus for improving IT security. In those instances where existing 
market forces fail to provide such impetus, incentive programs that 
rectify market shortfalls and encourage proactive security solutions 
should be considered and adopted as appropriate.

Minimum Standards
    CSIA believes we should encourage the adoption of existing 
standards, rather than creating new ones. Several sets of standards and 
best practices exist today. Some are required under current regulation, 
such as Gramm-Leach-Bliley or the FDA Part 21, while others are 
voluntary, such as International Standards Organization (ISO) 17799, or 
Control Objectives for Information Technology and Related Systems 
(COBIT).

    Question 2: What can be done to improve cybersecurity within the 
Government? Why is the Government's coordination so bad? Should DHS be 
responsible for the Federal government's cybersecurity, or should OMB 
retain this duty?
    The Government has to address cybersecurity in a holistic manner, 
rather than attempting to solve each problem piece by piece. By 
securing entire networks from the ground up, coordination within the 
Government will improve.
    To even begin to accomplish this, OMB needs to look to the 
authority it was granted in the Federal Information Security Management 
Act of 2002 (FISMA). FISMA positions OMB to strengthen the federal 
information security program, evaluation, and reporting requirements 
for federal agencies. However, this has not been achieved to its 
highest level, nor are there adequate resources and personnel 
available to accomplish this. The security of Federal systems could be 
improved by ensuring OMB has more resources to ensure oversight of 
FISMA implementation.
    The government needs to use the power of procurement to encourage 
vendors to provide products that meet a higher government standard. 
Subsequently, the government can coordinate to implement standard 
practices, procedures, and policies across all the federal agencies.
    The security of Federal systems could also be improved by ensuring 
FISMA is more thoroughly applied to contractors supporting the Federal 
government. The GAO's recent report, ``Improving Oversight of Access to 
Federal Systems and Data by Contractors Can Reduce Risk'' discusses 
this issue in detail.
    Finally, GAO identifies in ``Continued Efforts Needed to Sustain 
Progress in Implementing Statutory Requirements'' the use of the annual 
``report card'' on governmental information security as an effective 
tool to identify and address security weaknesses.

    Question 3: Is the private sector doing enough to educate consumers 
and users about the importance of cyber security? There have been 
several studies recently that show most computer users do not take 
security very seriously. What can we do about this?
    Based on the number of security breaches and increasing cases of 
identity theft, it is fair to say that consumers are not as educated on 
the importance of cybersecurity as they should be, leaving a large 
percentage of computers unprotected. The private sector has increased 
its efforts in recent years to educate consumers about cybersecurity 
issues. Primarily, the private sector has established partnerships with 
the major networking and operating system providers, which have eased 
the burden on the consumer, while working to secure cyberspace.
    Awareness campaigns, such as October's National Cyber Security 
Awareness Month, have also helped in the effort. CSIA and the National 
CyberSecurity Alliance (NCSA), along with a number of other awareness 
organizations, work with the FTC, FBI, the Small Business 
Administration, the Department of Homeland Security, the Department of 
Commerce, and other government agencies at the federal, state, and 
local level to promote cyber security awareness.
    In instances where existing market forces fail to provide adequate 
impetus, incentive programs that rectify market shortfalls and 
encourage proactive security solutions should be considered and adopted 
as appropriate. A recent Congressional Research Service Report 
discusses incentives that may be adopted to help foster cyber security.
    Finally, the Federal government's leadership, particularly through an 
Assistant Secretary position at DHS, fostering collaboration, reducing 
legal barriers, and leading by example, will continue to assist the 
private sector in educating consumers.

  Questions Submitted by the Honorable James R. Langevin for Ken Silva

Questions: One thing I have heard consistently over the past two years 
is that government regulation is the wrong way to bolster cyber 
security. The argument is that government cannot move nearly as rapidly 
as market forces when it comes to information systems and security. 
Best practices are frequently used to demonstrate how the private 
sector is working to encourage a culture of security, except it seems 
they are not updated as often as may be needed. This begs the question 
of whether these should be standardized by a group like NIST or not. I 
would like the panel's honest assessment of what the government's role 
in cyber security is.
    * If you don't want regulation what do you want? Can DHS actually 
have an impact if it is only the coordinator and not the enforcer? Do 
you feel it is possible to draft regulations that would require 
minimum-security standards or would that encourage complacency?
    Answer: You are correct that there seems to be a fairly broad 
consensus not just in the private sector, but in the National Strategy 
to Secure Cyber Space published by the Bush Administration, that 
federal regulation is not the appropriate approach to improving cyber 
security.
    However, it is not just because the regulatory process is slow. 
There are many other reasons as well.
    I'm not sure the federal government is on very firm ground in 
asserting that if they, through NIST or any other mechanism, wrote 
standards that there would be dramatic improvement. After all, for the 
fifth consecutive year the average score of the 24 federal agencies, 
which are charged with meeting such federal standards for cyber 
security, was a D+. As bad as things are generally in the private 
sector, recent research shows there is a substantial minority of firms, 
probably about 20%, who are doing an excellent job at cyber security by 
following best practices. I'm not aware that the federal government's 
record is nearly that good.
    And, while it is fine to say that federal standards' intent would 
only be to create a floor, many feel that floor would, in reality, 
become a ceiling. The last thing we want in the cyber security field is 
something like we have in the campaign finance field where everyone 
claims they meet the federal standards and no one really believes the 
regulations are accomplishing their intended goals.
    In the last Congress one of your colleagues, Congressman Adam 
Putnam, circulated a draft bill that would have attempted to lay out a 
regulatory system. It was resoundingly opposed by virtually all 
segments of the industry.
    In response Congressman Putnam appointed the Corporate Information 
Security Working Group (CISWG) to address the question you ask today. 
At the conclusion of that effort last year Chairman Putnam wrote of the 
CISWG group that: "The corresponding recommendations have provided 
valuable information and have already produced a variety of initiatives 
that have made a measurable difference."
    The Internet Security Alliance was very active in that group and is 
responsible for some of these initiatives. The Committee on Incentives, 
Liability and Safe Harbors was co-chaired by 
my first Vice Chairman on the ISAlliance Board, Ty Sagalow of AIG, and 
our ISAlliance Chief Operating Officer, Larry Clinton.
    15 different trade associations participated in the Incentives/
Liability Sub Group and produced two fairly detailed reports that go a 
long way toward answering your question. I am supplying the reports for the 
record.
    Briefly the group first answered your question of why regulatory 
measures were inappropriate to address this issue. They provided a 
series of reasons including the following:
        1. The traditional regulatory structure (i.e. FCC/SEC style 
        regulation) is likely to be both ineffective and potentially 
        counterproductive to the interests of implementing a 
        comprehensive cyber security program.
        2. A cyber security program based on positive incentives is 
        more likely to generate safer and more attractive products. 
        This will increase consumer and business confidence in advanced 
        technology and result in a better environment for the American 
        economy in general and American businesses and consumers in 
        particular.
        3. Traditional regulatory structures are likely to be 
        ineffective because:
                <bullet> The international nature of the cyber security 
                issue demands a cross-border solution which national 
                legislation cannot achieve.
                <bullet> The ever-evolving nature of the Internet and 
                the cyber security threat demands a solution that can 
                be quickly adapted to changing circumstances which is 
                inconsistent with the nature of the traditional 
                regulatory structure.
                <bullet> The current US political consensus is that 
                regulation of the Internet is unwise and hence the time 
                it may take to enact a regulatory structure may not be 
                appropriate given the urgency of the worldwide cyber 
                security problem.
        4. The traditional regulatory approach to cyber security is 
        potentially counterproductive because:
                <bullet> The traditional regulatory structure is an 
                open process of public comment and reply comments. Such 
                a process could lead to providing a roadmap of 
                vulnerabilities to nefarious parties intent on causing 
                damage.
                <bullet> Private industry is better able to innovate 
                and maintain the array of tools necessary to adequately 
                police Internet security. Relying on inadequate 
                resources could lead to unsophisticated decisions 
                yielding less, rather than more, security.
                <bullet> The political process by which traditional 
                regulatory standards are reached encourages compromise 
                rather than maximum effectiveness. Hence the political 
                process could result in an inefficient program that 
                could yield a false sense of security.
                <bullet> Government regulation of technology may blunt 
                innovation resulting in less consumer choice, economy 
                and security.
        5. Hence a program of positive incentives such as insurance 
        incentives, liability incentives and tax incentives is likely 
        to be an effective, comprehensive and ongoing program of 
        managing the security risks consistent with the ever evolving 
        and international nature of the technology and the threats to 
        it.
    Based on this assessment the CISWG concluded, as did the National 
Strategy to Secure Cyber Space, that the best approach would be for 
governments and industry to work together. Specifically, the Working 
Group outlined six different incentive programs that should be 
considered, three of which would be led by industry and three of which 
would be led by government.

    In summary they are:

        Industry Led:
                1. Development of Common Measurement Tools/Seal of 
                Approval and Vendor Certification Programs
                2. Better Use of Cyber insurance tied to best practice 
                adoption
                3. Development of market entry incentives

        Government Led:
                1. Safe harbor/tort reform tied to best practice 
                implementation
                2. Tax incentives
                3. Credit programs such as FEMA credits or use of 
                government procurement to drive better security in 
                products sold
    In the final phase of the CISWG process the group began to develop a 
new paradigm which could be used to drive best practice adoption on an 
international level by tying the various incentives into broadly 
adopted best practices which would use market forces to continually 
generate updates and modernizations.
    The Sub-Group found that within the marketplace there already 
exists a robust assortment of published regulations, standards, best 
practices, and similar guidance. Research shows that compliance with 
these existing practices can result in demonstrable improvements in 
cyber security. Indeed, the largest study in the field to date found 
that the approximately 20% of companies deemed the "best practices 
group" suffered less monetary damage and downtime than less careful 
corporations, and one-third of this group suffered no such 
inconvenience despite being targeted by attackers regularly.
    Further, the Group found that while there are apparently effective 
best information security practices operative in the world, there is 
still a consensus that no one size fits all. What qualifies for a 
specific entity as a best practice will be affected by the size of the 
entity, the culture or cultures it operates within, its sector-specific 
regulatory status, and a range of other variables.
    Government's role in the public-private partnership is to fashion 
an incentive program for the good actors that will create a business 
advantage for them over less careful players. In so doing, we hope to 
harness the power of the market to motivate cyber security.
    The group specifically did not endorse the creation of a federally 
specified standard of information security to be applied to the vast 
private sector. Rather they were concerned that such an approach would 
be too static and could put U.S. business at a competitive 
disadvantage. Such an approach also might not be appropriate across 
various sectors, might be weaker than needed due to the political 
nature of the regulatory process, and hence, could be counter 
productive. It would also be very hard to enact legislatively.
    Instead, they proposed that companies have available federal 
incentives if they implement information security pursuant to and meet 
the:
        <bullet> Information security procedures adopted by a Federal 
        sector-specific regulatory agency.
        <bullet> Standards established and maintained by the following 
        recognized standards organizations:
                <bullet> International Organization for Standardization
                <bullet> American National Standards Institute
                <bullet> Electronic Industries Alliance
        <bullet> National Institute of Standards and Technology
        <bullet> Standards established and maintained by an accredited 
        security certification organization or a self-regulatory 
        organization such as NASD, BITS, or the emerging CISP 
        structure.
    Finally, the Sub-Group analyzed the various types of incentives 
available and proposed a series of classes for organizing these 
incentives, with the greater ability of an entity to demonstrate 
performance of agreed upon security practices yielding greater benefit. 
These incentives and their classification will require further analysis 
as part of the enactment process.

    These benefits include:
        <bullet> Limits on FTC Jurisdiction--a company that 
        demonstrates it implemented information security controls 
        pursuant to the identified standards should not be considered 
        as conducting an unfair or deceptive practice. Similar state-
        based claims would also be preempted.
        <bullet> Limits on State Actions--Once a company has 
        demonstrated it has met the security requirements, then 
        plaintiffs should face additional burdens, such as increases in 
        the burdens of proof, caps on punitive damages, prohibitions on 
        third-party liability, prelitigation notice requirements, or a 
        cap on damages.
    In summary Mr. Langevin, the Internet is a new type of technology 
that will require different methods of management and assurance than 
those that have been applied to previous technologies. Federal 
standards, for the reasons cited above, are not the answer.
    This is not to say that the government, and government agencies 
such as NIST have no role. Quite the contrary, they have a very 
important role working with the private sector as part of a new model 
to insure long term information security.
    The Internet Security Alliance would be pleased to work with the 
Committee in further developing this new model.