Committee: House Government Affairs Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations
Members Present: Chairman Horn (R-CA) and Representative Maloney (D-NY)
Witnesses: Joel Willemssen, Managing Director, Information Technology Issues, U.S. GAO; Richard Pethia, Director, CERT Centers, Software Engineering Institute, Carnegie Mellon University; Michael Vatis, Director, Institute for Security Technology Studies, Dartmouth College; Ronald Dick, Director, National Infrastructure Protection Center, FBI; Mark Seetin, Vice President, Governmental Affairs, New York Mercantile Exchange; and Harris Miller, President, Information Technology Association of America.
Chairman Horn opened the hearing by stating that the horrific events of September 11 were a wake-up call that illustrates this nation’s vulnerability to attack. During the crisis in New York and Washington, the nation’s communication systems were not as strong as they needed to be: cellular phones stopped working, and city leaders were not able to communicate with other officials in the immediate aftermath. The nation’s information technology systems are already under cyber-assault. Following the recent terrorist attacks, the “Nimda” worm attacked computer systems around the world. These attacks are increasing in intensity, sophistication and potential damage.
Mr. Willemssen said that, overall, GAO’s reviews continue to show that Federal agencies have serious and widespread computer security weaknesses presenting substantial risks to Federal operations, access and confidentiality. Areas such as taxpayer records, law enforcement, national defense, and a wide range of benefit programs are at risk. The September 11 tragedy demonstrated how critical it is for government and business to be able to continue operations during emergency situations. Contingency planning and business continuity have been a critical factor in restoring New York’s financial district. He believes the key underlying problem is ineffective security program management. In a recent report on combating terrorism, GAO recommended that the Assistant to the President for National Security Affairs ensure that a more fully defined strategy to address computer-based threats be developed.
Mr. Pethia described how the recent attack by the Nimda, or W32/Nimda, worm demonstrates our vulnerability. Problems such as the Nimda worm will occur again, and attack technology will evolve to support attacks that are even more damaging. Our current solutions are not keeping pace with the increased strength and speed of attacks, leaving our information infrastructures at risk. He recommends making changes in software design and development practices, increasing the number of trained system managers and administrators, improving the knowledge level of users and increasing research into secure systems. More government support for research, development and education in computer and network security would have a positive effect on the overall security of the Internet.
Mr. Vatis stated that the likelihood of cyber attacks against U.S. and allied information infrastructures is high. Attacks could come from terrorists and/or their nation-state sponsors, but are more likely to come from sympathizers of terrorists or of nation-states targeted by U.S.-led military operations, and from hackers with anti-U.S. sentiments. Attacks will probably target the web sites of government agencies and private companies in the U.S. and allied countries, but could also strike higher-value targets such as the networks that control critical infrastructures. Attacks could utilize destructive worms and viruses, Distributed Denial of Service exploits and intrusions to disrupt targeted networks, and could be combined with physical terrorist attacks into a potent mix causing widespread disruption. He believes what is needed is a “Manhattan Project” for counterterrorism technology so that America’s leading scientists in industry, academia and government can use our technological prowess to design tools and technology to assist in the war on terrorism. A significant portion of this effort should focus on technology to secure the information infrastructure that provides the foundation for much of our economy and national security.
Mr. Dick reviewed the NIPC’s initiatives, including InfraGard, the largest government/private sector joint partnership for infrastructure protection in the world. The NIPC website provides the public with the ability to report computer attacks and intrusions online by submitting an Incident Reporting Form. NIPC provides timely information on cyber vulnerabilities, hacker exploit scripts, hacker trends, virus information and other critical infrastructure best practices through its bi-weekly publication CyberNotes, and provides policy and decision-makers with information about current events, incidents, developments and trends through its monthly publication Highlights. NIPC’s Watch Center operates around the clock and communicates daily with DOD’s Joint Task Force for Computer Network Operations. NIPC partners with GSA’s Federal Computer Incident Response Center (FedCIRC) to further secure government technology systems. Its multi-agency team works, for example, with Information Sharing and Analysis Centers throughout the country, including those that represent the Financial Services Sector, the Electric Power Sector, the Telecommunications Sector, the Information Technology industry and the computer software anti-virus industry. NIPC manages all computer intrusion investigations nationwide for the FBI, and NIPC’s Special Technologies and Applications Unit has been providing technical assistance to the PENTTBOM investigation.
Mr. Seetin described some of the tragic events of September 11 as they affected the New York Mercantile Exchange (NYMEX) and how NYMEX was the first New York exchange to resume operations on September 14. The most valuable item in carrying out the response to the crisis was the corporate “Emergency Contact List,” which contained telephone, fax, home and cellular telephone numbers of the Board of Directors and senior staff. Also essential was the compilation of telephone, fax, e-mail and cellular contacts in Federal, state and local emergency management agencies and law enforcement. The most important part of any disaster response plan centers on communications: it is essential to have resources, including leadership, staff and vendors, identified in advance and to have the ability to communicate with them. Use of the website and 800 numbers was essential. Obstacles faced included transportation (lack of surface access has limited the commuting of NYMEX staff and members to water shuttles); environmental cleanup (a costly cleanup effort); utilities (NYMEX has had to rely on several layers of backup generation); and security (the events of September 11 have created new and unprecedented security demands).
Mr. Miller stressed that the nation’s IT investment paid off. Information technology took a huge hit on September 11: many IT professionals died or have been listed as missing in the attacks, and one estimate places losses in IT resources by the financial community at $3.2B. A coordinated government response to the disaster was badly needed. FEMA established a disaster field office at New York’s Pier 90 with a satellite link for voice and data communications to its regional center. The Internet played an important communications role, and the nation’s communications infrastructure withstood the test. He stressed the importance of having business continuity plans and the need to create more redundancy in our telecommunications infrastructure, and suggested that U.S. computer assets be safeguarded by adopting more sound information security practices.
Chairman Horn asked about the implementation of PDD-63, and Mr. Vatis replied that it sets forth a good structure, but that the principal problems are the lack of resources and the lack of designated responsibilities; most agencies consider it an unfunded mandate. Mr. Pethia reiterated the need for an expanded research agenda and said that we need an engineering framework to support the structure for information assurance, and Mr. Miller emphasized the need for long-term government R&D funding focused on information security. Chairman Horn asked about the proposal for an R&D center to be set up at NIST, and Mr. Miller said that, as a result of a series of meetings between government, industry and academia to discuss the structure of the proposed center, it was suggested that NIST play an important part, with the Director of the operation coming from NIST and the Deputy Director from industry. The center would be funded on a larger scale and would not be a grants program. Mr. Miller believes the challenge of duplicate research could be overcome. Chairman Horn and Mr. Miller discussed the importance of having one person in charge of government information security within the Executive Branch (OMB has too much to do already), not with a big budget and staff (the individual agency CIOs in government would hold the budgets), but one who would have the ear of the President and would represent the government agencies.
Chairman Horn asked what activities are most important to improve computer security. Mr. Pethia responded that Federal agencies need to identify their critical assets; Mr. Dick responded that agencies need to put in place policies and procedures that implement the practice of information security. Chairman Horn asked about the vulnerability of the Internet, and Mr. Vatis replied that the Internet is very vulnerable to attack, particularly through routing and domain names, and that there are a lot of well-known problems that are not being addressed due to lack of resources or direction from the top. Mr. Miller and Mr. Seetin discussed the value of locating backup systems far from the primary computers, not in the same building. Mr. Willemssen believes this is a good time for agencies to reevaluate their business continuity and contingency plans. Mr. Miller stressed the need for patches to be implemented, possibly through a massive public service campaign.
Prepared by: Relda Nacos, NIST, 975-3080
REPORT REFLECTS AN INDIVIDUAL’S PERCEPTION OF WHAT TRANSPIRED DURING THE HEARING. FOR OFFICIAL INFORMATION, CONSULT THE COMMITTEE REPORT.