1997 Congressional Hearings
THURSDAY, NOVEMBER 6, 1997
U.S. House of Representatives,
Committee on Science,
Subcommittee on Technology,
The Subcommittee met, pursuant to notice, at 2 p.m., in room 2318, Rayburn House Office Building, Hon. Constance A. Morella, Chairwoman of the Subcommittee, presiding.
Mrs. MORELLA. I'm going to call to order the Technology Subcommittee of the Science Committee.
This is the hearing that we're going to have on the role of computer security in protecting U.S. infrastructures. Our hearing today is going to explore the appropriate role of government and of the private sector in securing the backbone of this country's information and telecommunications infrastructures. It will focus on the recommendations of the President's Commission on Critical Infrastructure Protection.
The Subcommittee is well familiar with the threat from computer break-ins. This hearing is the third sponsored by this Subcommittee on computer security-related matters this Congress. We've tried to highlight the need to improve computer security.
Earlier this year, to improve computer security in federal civilian agencies, this Subcommittee and the full House passed the Computer Security Enhancement Act of 1997, H.R. 1903, and the bill is currently awaiting Senate action. So get those Senators to move fast.
The Commission was tasked with addressing vulnerabilities of eight different critical infrastructures: telecommunications; electric power systems; water supply systems; transportation; banking and finance; gas, oil storage and distribution; emergency services, and continuity of government. Although the task of the Commission was to look at vulnerabilities which would involve physical and cyber security, their primary focus was on cyber threats.
The Commission focused on the fact that all of these infrastructures are independently vulnerable. The Commission further recognized that these critical infrastructures are closely related and dependent on the underlying computer communications infrastructure.
We've all been made familiar with stories of attacks on defense and civilian systems over the last several months. It is important, however, to remember that computer security affects all of us every day in ways both large and small.
Most of you may be aware that the Senate recently suffered an e-mail bomb which slowed its system to a crawl. What you may not have realized is that that attack was the work of one man. An individual who was experiencing difficulty with unwanted electronic junk mail wrote to several Senate offices. Unhappy with the responses which he received, he decided to take matters into his own hands and forward on to Senate offices all unwanted mail he received with a header identifying himself and asking them to call if they had questions. I hope they don't get this idea on the House side, Mr. Gordon.
His actions caused the Senate mail system to crash. As the story was related to me, he was probably a bit naive about how serious the response would be to his actions, and was probably a bit taken aback to receive a call from the FBI.
The majority of critical infrastructures are owned and operated not by government entities, but by private companies and citizens. In addition, most of the extraordinary advances in security and implementation of security technologies have been created by the private sector. Whatever security measures are taken by the government must, therefore, be based on a trust relationship led by the private sector. Any efforts to implement a top-down approach which ignores the expertise and ability of our citizens and companies will be doomed to fail.
So I look forward to hearing from our expert panelists today on how we can facilitate the needed public/private cooperation to ensure our economy is safe from both cyber crimes and potentially-stifling government mandates.
And I'm now very pleased to recognize our distinguished Ranking Member, Mr. Gordon, for his opening comments.
Mr. GORDON. Thank you, Madam Chairwoman.
In 1956, Howard Aiken, a computer pioneer from Harvard University, remarked, ''If it should ever turn out that a machine designed for the numerical solution of differential equations coincides with a machine intended to make bills for a department store, I regard this as the most amazing coincidence that I've ever encountered.''
Mr. GORDON. Fortunately for us, Dr. Aiken's assessment of probability was wrong. Forty years after his pronouncement, he would be hard-pressed to think of an activity that doesn't include some form of computer technology. Computers are a basic and essential element of every aspect of our infrastructure, including the air traffic control system, the stock market, medical diagnostics, and, yes, even department store billing. Today's hearing highlights the integration of computer technology into every aspect of our society.
I want to commend the Commission and General Marsh for what they've accomplished. The breadth and scope of this report produced in remarkably short time is impressive and provides a basis for discussion. The Commission's assessment that vulnerabilities and threats exist in all of these critical infrastructures should serve as a wake-up call to Congress and the public. Now our task, working with all the stakeholders, including industry, is to develop a workable, comprehensive plan to meet this challenge.
This is a process that will take time and will require close collaboration between industry and government. Clearly, the report leaves many details unaddressed and important issues remain to be solved. I'm surprised that the Commission report said so little about encouraging greater use of cryptology to secure the computer networks. These computer networks are at the heart of infrastructure vulnerability. Much work remains to be done in defining the research activities in the proposed major R&D initiatives.
Although I realize it's easy to focus on outside threats to the computer network, I'm disappointed also that the Commission didn't address a cyber threat that lurks within computer systems. I'm talking about the Year 2000 computer problem. Just last Tuesday, the Technology Subcommittee held a hearing on how the Year 2000 problem threatens some of the same basic infrastructures identified by the Commission.
Mrs. MORELLA. Thank you very much, Mr. Gordon. I'm sure that they'll probably comment in their testimony with regard to the points that you brought out that were not part of their report.
I'm now pleased to recognize the Vice Chair of this Technology Subcommittee, the gentleman from Minnesota, Mr. Gutknecht.
Mr. GUTKNECHT. Thank you, Madam Chairwoman. I'll be very brief.
Once again, you and the staff have assembled a very distinguished panel, and I look forward to their testimony. I especially want to thank Mr. Marsh for his service on the Critical Infrastructure Commission, and I will speak on behalf of some of the other members. We do apologize that there are a number of meetings going on at the same time. It's not that we are not interested in this issue; it's just that this is a very busy time in the Congressional session.
So, again, thank you, Madam Chairwoman, for this hearing, and I look forward to the testimony.
Mrs. MORELLA. Mr. Gutknecht is right; we're hoping to wind down. I hate to say when it will be, for fear that my prognostication will be awry because of that, but we do have many, many hearings. But we felt, this Subcommittee felt that this was so important that, before we adjourn this first session, that it was necessary for it to have an airing in Congress.
It is the policy of the Science Committee, and therefore of this Subcommittee, to swear in all of our witnesses, and so I might ask you, gentlemen, would you stand and raise your right hand?
Mr. MARSH. I do.
Mr. STEVENSON. I do.
Mr. KATZ. I do.
Mr. DAVIDSON. I do.
Mr. NEUMANN. I do.
Mrs. MORELLA. The report will demonstrate an affirmative response.
I'll introduce all of you at one time, one at a time, but right away, and then ask you each if you will try to confine your testimony as much as you can to about 5 minutes, recognizing that your written testimony in its totality is included in the record, so that you might want to summarize or bring out some other points that are not in your written testimony, and then we will have an opportunity to ask questions.
First of all, starting off with the Chairman, Mr. Robert T. Marsh, President's Commission on Critical Infrastructure Protection Chairman, Mr. Marsh is a retired four-star Air Force general who has an extensive background as an aerospace consultant. From 1989 to 1991, he served as the first Chairman of Thiokol Corporation.
Our next witness, Russell B. Stevenson, Jr., Esq., is General Counsel and Secretary of CyberCash, Inc. Before coming to CyberCash, Mr. Stevenson was engaged in private law practice in Washington, DC., concentrating on corporate and securities law.
Following him will be Mr. Stephen R. Katz, Chief Information Security Officer at Citibank, where he is head of the Corporate Information Security Office and responsible for the bank's worldwide information security program. Mr. Katz has been associated with information security for over 20 years.
Dr. Peter G. Neumann, the author of the book, is principal scientist in the Computer Science Laboratory at SRI International, where he has been since 1971. In 1985, he created and still moderates the Association for Computing Machinery Forum on Risks to the Public in the Use of Computers and Related Technology, which is one of the most widely-read of the online computer news groups. SRI International, an independent, nonprofit research institute, is a pioneer in the creation and application of innovative technologies to industry and government. And I have a book here, his latest book, Computer-Related Risks, and I appreciate that.
And so, gentlemen, we'll now commence, then, starting with Mr. Marsh.
TESTIMONY OF ROBERT T. MARSH, CHAIRMAN, PRESIDENT'S COMMISSION ON CRITICAL INFRASTRUCTURE PROTECTION, WASHINGTON, DC
Mr. MARSH. Thank you, Madam Chairwoman and members of the Subcommittee. On behalf of my fellow Commissioners, several of whom are with me today, I'm pleased to discuss with you the work of the Commission and summarize the principal findings——
Mrs. MORELLA. You may want to introduce them, Mr. Marsh, or have them stand or——
Mr. MARSH. I would, please. If you'd stand—first, Mr.——
Mr. MARSH. Bill Joyce from the Central Intelligence Agency, Ms. Mary Culnan from Georgetown University, Mr. Stevan Mitchell from the Attorney General's Office, Ms. Sue Simens from the Federal Bureau of Investigation, Mr. John Davis from the National Security Agency, and let's see, I guess that's it.
Mrs. MORELLA. Very good, very good. Thank you. Thank you all for being here. I appreciate the work you did and the fact that you're here today. Thank you, Mr. Marsh.
Since you're all familiar with the background of the Commission, and maybe you have received copies of our report, I'll try to condense our 15-month effort into a summary of our significant findings and recommendations.
Our most important finding is that adapting to this challenge requires thinking differently about infrastructure protection. We must look through the lens of information technology as we approach the third millennium. We've long understood physical threats and vulnerabilities, but the fast pace of technology means we are always running to catch up in the cyber dimension. Thus, the Commission's work and our report focus primarily on coping with the cyber threat.
We knew this could not be a big government effort. In fact, infrastructure protection is a shared responsibility. The private sector, which owns and operates most of the infrastructures, is responsible for prudent business investments that will protect against individual hackers and criminals. These steps will also assure a level of protection against cyber terrorist attack, adding a level of national security.
The Federal Government must collect information about tools, perpetrators, and intent, and then share this information, so that industry can take the necessary protective measures.
After 15 months of research, consultation, assessment, and deliberation, the Commission concluded that waiting for disaster is a dangerous strategy. Now is the time to act to protect our future, and this action requires a new partnership to address the risks of protecting our Nation's infrastructures.
The Commission's recommendations fall generally into three categories: actions the Federal Government must take, actions the owners and operators of the infrastructures must take, and actions that require partnership between government and industry. We heard time and again that the owners and operators of the infrastructures need more information about cyber threats and they need a trusted environment where they can freely exchange information without fear of regulation, loss of public confidence, incurred liability, or damaged reputation.
The Commission's recommendations lay the foundation for creating a new, collaborative environment that includes a two-way exchange of information. Our recommendations focus on protecting proprietary information and ensuring anonymity when necessary, easing legal impediments to information-sharing, such as antitrust provisions and the Freedom of Information Act, and creating information-sharing mechanisms both within industry and between industry and government.
We recommend specific steps the government must take to ensure owners and operators and state and local governments are sufficiently informed and supported to accomplish their infrastructure protection role. Examples include expanding the availability of government risk assessments to the private sector and encouraging and assisting, if necessary, industry to develop risk methodologies, and doubling funds appropriated under the Nunn-Lugar-Domenici Domestic Preparedness Program.
Educating our citizens about the emerging threats and vulnerabilities in the cyber dimension is key to the success of all of our initiatives. The Commission's recommendations in this area range from grammar to graduate school and beyond. They include a series of White House conferences, a nationwide public awareness campaign, and grants by the National Science Foundation for graduate-level work on network security.
We examined a full range of legal issues relating to protecting the critical infrastructures. We proposed the further review and revision of major federal legislation relating to the critical infrastructures and the cyber threat; an expert study group, representing a wide range of interest groups to make recommendations for reform in the employer-employee relationship for certain sensitive positions, and easing legal impediments to information-sharing, such as antitrust provisions and the Freedom of Information Act.
Federal research and development efforts are inadequate to meet the challenge presented by emerging cyber threats. About $250 million is spent each year on infrastructure assurance-related R&D, of which $150 million is dedicated to information security. There is very little research supporting a national cyber defense.
We recommend doubling federal R&D funding for infrastructure protection to $500 million the first year with 20 percent increases each year for the next 5 years. This funding should target areas such as risk management, simulation and modeling, decision support, and early warning and response.
Institutionalizing infrastructure protection requires several channels between the public and private sectors. At the policymaking level, we recommend an Office of National Infrastructure Assurance located within the White House to serve as the Federal Government's focal point for infrastructure protection.
Second, a National Infrastructure Assurance Council comprised of selected infrastructure CEOs and Cabinet officials to propose policy and advise the President; and an Infrastructure Assurance Support Office to support both the Council and the national office.
In conclusion, just as the risks are shared between the public and private sectors, so must the solutions be. Our national and economic security has become a shared responsibility, one that will require a new kind of partnership between government and industry, one which encourages information-sharing, and one which requires the government to lead by example. And I believe the findings and conclusions of the Commission are based on accurate and reasonable information and analyses. Our recommendations, if implemented, will create the partnerships and the structures essential to reducing vulnerabilities in our infrastructures. They will provide the impetus for research and development efforts to increase information security and provide a cyber defense system. They will increase the Nation's ability to prepare, protect, and respond to any threat, strategic or otherwise, directed against our infrastructures, thereby ensuring their continued effective operation in support of our defense, economic growth, and general well-being.
This completes my statement, Madam Chairwoman. I'd be pleased to answer any questions you or your colleagues may have. Thank you.
[The prepared statement and attachments of Mr. Marsh follow:]
Mrs. MORELLA. Before I turn to Mr. Stevenson, let me just acknowledge that the Vice Chair of the Science Committee, Dr. Vern Ehlers, has joined us, too. Thank you.
TESTIMONY OF RUSSELL B. STEVENSON, JR., ESQ., GENERAL COUNSEL, CYBERCASH, INC, RESTON, VA
Mr. STEVENSON. Thank you, Madam Chairwoman, members of the Subcommittee. I'm pleased to have the opportunity to appear before you this afternoon.
CyberCash is in the business of enabling secure financial transactions on the Internet. So, for obvious reasons, we have a deep and abiding interest in the security and stability of our electronic infrastructure.
I'd like to make three points this afternoon. First, public policy with respect to our infrastructure should limit collective action to those aspects of the infrastructure in which there's likely to be what economists call a market failure. That is, aspects in which the aggregate behavior of individual actors acting independently leads to a suboptimal system.
Second, it is critical that efforts to protect the electronic infrastructure not create unintentional consequences that curb the growth or stifle the creativity of the private sector in developing the infrastructure which has seen such remarkable growth to date.
Third, encryption is one of the cornerstones of security on the Internet, and nothing could threaten the security of electronic commerce more than ill-conceived public policy on encryption.
What is the proper role of government in addressing these weaknesses? As to the first, government may well play a constructive role in research and education on good security practices, and I'm pleased to see that the Commission's report emphasizes this as one of the major roles for the government in this area.
Regulation also has a narrow place in this area, particularly with respect to sensitive institutions such as our major financial institutions. The government should certainly use its regulatory power over banks and other financial institutions to assure their safety and soundness, for example.
With respect to flaws in the design or operation of the system as a whole, there may also be a role for government. What that role might be depends on the nature of the flaws and the steps necessary to remedy them. While the Commission addresses this question, it is one that deserves considerably more research, and, again, I'm pleased to see that that's one of the Commission's recommendations.
It is also important, as we consider the role of the government, to remember that this technology is evolving at a revolutionary pace, and issues cannot be resolved once and for all and then forgotten. These are issues that call for regular re-evaluation.
And now I come to encryption. Of all the technologies on which the security of a computer network depends, encryption is perhaps the most important. Without it, sensitive communications would be vulnerable to interception by terrorists, thieves, industrial spies, warriors, and the merely curious.
U.S. policy on encryption has been both confusing and controversial. This may be inevitable, as there are several legitimate, but conflicting interests at stake. Unfortunately, some participants in the controversy persist in either willful ignorance of, or deliberate refusal to acknowledge, the importance of encryption in the security of our electronic infrastructure. It is no small irony that the law enforcement interests who argue so ardently for limitations on encryption seem to fail to recognize the increased vulnerability to crime and terrorism that would result from those limitations.
In conclusion, in considering the recommendations of the Commission, Congress should limit the role of government to, first, research and education, and, second, identifying and addressing those weaknesses in the electronic infrastructure as a whole that cannot be effectively addressed by the efforts of the private sector.
Congress should also pay particular attention to the importance of encryption to the security of the Internet and electronic commerce. It should not expose the electronic infrastructure to attacks by terrorists and criminals in an ill-considered effort to provide law enforcement agencies with tools to investigate terrorists and criminals.
[The prepared statement and attachments of Mr. Stevenson follow:]
Mrs. MORELLA. Thank you, Mr. Stevenson.
I now recognize Mr. Katz.
We're going to be asking you later about encryption, so get ready for it.
STATEMENT OF STEPHEN R. KATZ, CHIEF INFORMATION SECURITY OFFICER, CITIBANK, NEW YORK, NY
Mr. KATZ. Madam Chairwoman, members of the Subcommittee, good afternoon. I'd like to thank you for the opportunity of your inviting me to appear here.
I think the report that was done was an impressive piece of work, and as I begin to address my comments and recommendations, I would first say that the main product offered by banks is trust. We have a trust contract with our customers, so at all times we ensure the integrity, the confidentiality, and the availability of data, and in today's world that is 24 hours a day, literally from anywhere in the world, and increasingly via the Internet. And any significant compromise that would occur at a number of—in a small number of money central and super regional banks could pose a substantial risk to the confidence of the financial services industry.
I would also like to take this opportunity to correct what I think is a significant misconception. Contrary to what has generally been reported in the media, banks must, and consistently do, comply with the extensive regulatory requirements in reporting losses that result from breaches in information security. Under the Bank Secrecy Act, and since then the Financial Crimes Enforcement Network, financial institutions are required to report suspicious transactions and known or suspected violations.
The reasons for this are multiple. First and foremost, sound business practices require that we meet our trust contract with our customers. Second, we are highly regulated by multiple federal and state authorities—all of which require information security and continuity of business programs. In addition, associations like the American Bankers Association and the New York Clearinghouse have for years encouraged and facilitated ongoing dialog and sharing of information among bank information security officers.
Bank products and services at this point in time are inexorably intertwined with technology. You really can't figure out where one begins and the other ends, and it is essential that security become a fundamental and is a fundamental component of any product. Therefore, I'll just very quickly touch on some of the risks and concerns that we deal with.
For instance, technology that does damage: Global availability, often via the Internet, provides access to a large number of malicious code or hacker tools, Trojan horses, denial-of-service programs, very similar to what the Senate experienced, and programs designed to steal and corrupt data.
Then we have the internal threat. It is estimated that the greatest exposure posed to a company is from security breaches caused by insiders. They have availability; they have access, and they have knowledge. While banks routinely perform drug testing and submit fingerprints to the FBI, and conduct minimal background checks, we do not have the mechanisms available to us to openly check the background and employment history of current and potential employees.
In addition, concerns about liability tend to prevent prior employers from discussing performance issues, employee performance issues, with us. In fact, all they will provide at best are dates of employment. This risk is further exacerbated by the lack of information available about contractors, consultants, and outsource vendors, where it is even more difficult to get information.
Extremely important is intrusion detection. There are few effective tools today that can function as real-time burglar alarms, burglar alarms to notify us that there are problems with the system or that somebody is trying to break in.
In terms of recommendations, the first is the need for sound practices for information security.
Mrs. MORELLA. Since you hesitated, we have now 15 minutes to vote, but I really think we can finish our testimony, if we do it well. So you'll hear the bells again in another 5 minutes. If that's amenable to you, then we'll come back and start the questioning.
Mr. KATZ. Okay. Do you want me to continue then? Okay.
Last year the New York Federal Reserve Bank formed a task force to develop information security sound practices. The task force was under the aegis of the supervisory wing of the Fed. However, they asked the person responsible for internal security at the New York Fed to lead the effort. What added to his credibility is that he is a well-known and active member of a number of banking industry and information security organizations, and well respected in the private sector. The result that they produced will help set the direction for information security standards and practices within the banking sector. So I recommend that the government charter and direct a similar effort, but please note that I am not advocating best practices, since ''best'' is always a moving target and creates a really false sense of confidence. I'm not advocating detailed, across-the-board standards. What I am advocating is sound practices.
Privacy and confidentiality: The banking sector, as you know, is heavily regulated. Voluntary data recovery is routinely performed by banks to satisfy information requests during regulatory examinations. That, coupled with the requirement to ensure customer privacy, mandates the need and justifies the use of unrestricted, robust cryptography, regardless of key length and without requiring mandatory key escrow systems.
Historically, the government has recognized the need for security and financial networks. Consequently, export controls on encryption products used by banks have included special exemptions. It is essential that these exemptions not only be continued, but be broadened to ensure that we can generally export cryptography without key escrow recovery requirements.
Digital signatures: Numerous States have enacted some form of electronic digital signature legislation. The laws tend to be inconsistent and also create a tremendous amount of uncertainty. In order for there to be secure and effective electronic commerce without the overriding threat of forgery, banks need federal regulation to ensure consistent treatment of electronic authentication and digital signatures within the United States. And since e-commerce is borderless, we then need international agreements governing standards.
Education and awareness is an area where funds should and must be invested. A program stressing computer ethics must be put together and reinforced at all grade levels, literally from kindergarten through graduate school.
Partnership for information-sharing: There is a need to establish an informal partnership between government and industry to share information security practices and education and training programs. There is also a need to have greater access to reliable, up-to-date information from the government and across industry regarding the identification of threats and liabilities.
That concludes my testimony, Madam Chairwoman, and I would be pleased to answer your questions.
[The prepared statement and attachments of Mr. Katz follow:]
Mrs. MORELLA. Thank you, Mr. Katz.
We've decided it would not do justice to our witnesses to have them try to rush through in a few minutes. So we are going to recess for probably 15 minutes. We think we're going to have another vote following this particular vote, and then we'll come right back and we'll hear our last two witnesses. Does that work out for everybody? And then we'll go through the questioning. Thank you.
Mrs. MORELLA. We're going to recommence or continue with our hearing on the critical infrastructure report and its implications, and we're going to start off with Mr. Davidson.
TESTIMONY OF GLENN DAVIDSON, EXECUTIVE VICE PRESIDENT, COMPUTER AND COMMUNICATION INDUSTRY ASSOCIATION, WASHINGTON, DC
Mr. DAVIDSON. Thank you.
Mrs. MORELLA. Thank you, sir.
Mrs. MORELLA. Incidentally, may I say that we've been joined by my colleague from Maryland, Roscoe Bartlett—Dr., Congressman, Scientist Bartlett. Thank you.
Mr. DAVIDSON. And Congressman Bartlett, thank you for the honor and privilege of appearing here today.
Let me say right from the start that we at CCIA fully understand and identify with the need to guard against any attacks capable of disabling our Nation's first-class infrastructure, systems that are so vital to the operation of government and to our economy, and we recognize that in today's information age such attacks can be more than just physical; they can be also—there's dangers of techno-terrorism. However, we have some serious concerns about the Commission's work and recommendation which we have been following since its outset in July of 1996.
First, we fail to understand why the Commission's work and report is shrouded in secrecy, especially when the Commission readily admits that it has no evidence of an imminent cyber threat. The reason I suggest this is that the National Research Council, on one hand, can make some very important decisions concerning information security in its report on cryptography without its work being classified. So why is the Commission hiding behind the mantle of classified information in this regard?
Just allow me to suggest, and the reason I raise this, allow me to suggest that if the public generally and industry specifically are to accept the Commission's sweeping recommendations, then it must provide more than anecdotal evidence; it must come forward with a threat assessment, so that it may be discussed, debated, and understood by the public. That's the first point.
Despite its 178-page length, the report devotes nary a page to the subject of encryption. It states that, ''The establishment of trustworthy key management infrastructures is the only way to enable encryption on a large scale and must include the development of appropriate standards for interoperability on a global scale.'' Call it what you will, key management, key recovery, or key escrow, industry will tell you that the system just will not work on a large scale. Just ask the National Research Council, which came to the same conclusion.
Third, the report suggests in a thinly-veiled fashion that industry has an obligation to pay for ruggedizing our critical infrastructures to suit the government's national security and law enforcement objectives. We in industry have long understood the need for information security and network reliability. In fact, providers and operators of public switched networks have long established redundant networks in the event of natural and even man-made catastrophes. Providers of private switched networks do much the same, at the request or insistence of their clients. We have also developed and utilized various security tools, which we've mentioned before, to protect the integrity of our solutions.
However, if our Nation's security and law enforcement agencies desire a higher level of security and reliability of our systems and networks than what commerce itself demands, then I believe and our association believes that they should be the ones to pay for it. The cost of the difference between what we provide our customers to allow safe communications and the integrity of information and what the government wants for national security or national defense or law enforcement purposes should be borne by the government. CCIA believes that requiring American industry to bear the cost of building such super-rugged infrastructure would constitute an excessive financial burden that would blunt the competitive edge of American industry.
Furthermore, if a major foreign partner cannot be assured of confidentiality, we really believe that they'll move to another corporation in another country. In today's global economy, these concerns are not hypothetical; they're real.
But one of the things that bothers us in all this information-sharing is it recommends the modification of our Nation's antitrust laws, so that companies would be free to share information with each other and our government. To our knowledge, our industry is not asking for safe harbor from our antitrust laws, with maybe the exception of Microsoft and Intel. Allow me to suggest that if it were not for the U.S. government's vigorous enforcement of our antitrust laws, the dynamic, innovative, entrepreneurial, and competitive computer and communications industry that we know and enjoy today would not exist.
I will conclude by suggesting, and go back to the top, which is, you know, I think we should move at a slower, more reasoned pace. Again, I was happy to hear that the General talked about this being a long-term effort and that there is no single bullet. But let's release the Commission's full report and allow it to be publicly discussed and debated. If General Marsh really wants to see buy-in from all sectors, as the report suggests, then the American people need and deserve to understand the threat assessment, so they may appreciate and accommodate the changes and actions that are envisioned here.
[The prepared statement and attachments of Mr. Davidson follow:]
Mrs. MORELLA. Thank you very much, Mr. Davidson.
I'm now pleased to recognize Dr. Neumann.
TESTIMONY OF PETER G. NEUMANN, PRINCIPAL SCIENTIST, COMPUTER SCIENCE LABORATORY, SRI INTERNATIONAL, MENLO PARK, CA
Mr. NEUMANN. Thank you very much. I'm speaking as an individual, not as a member of the not-for-profit organization to which I belong. I would like to cover a great deal of material. I'll do the best I can. I may talk a little too rapidly for recorders, but that's life.
I was delighted to hear Congressman Gordon mention Howard Aiken, who was the person who got me into computers in the first place in 1953. I'm delighted to see what it says up here on the board: ''Where there is no vision, the people perish''—from Proverbs, 29:18. This is exactly the issue that is confronting us here today. We have to take a relatively long look at the problem. We're not dealing just with security or just with reliability or just with survivability of our infrastructures. We're dealing with the integration of all of those things into one coherent, sensible organization. And I'm not going to deal with the specific organizations that the Commission has recommended be created; I'm going to try to deal with the principles and the problems that need to be addressed.
I will mention in passing that there is only a three-page section on research and development in the Commission's report, which I find surprising, not just because I come from a research organization.
If you look at my handout, you'll see—not my testimony, but my attachment—you'll see a long list of calendar-related and clock-related problems, one of which is the fact that the global positioning satellite system clock was designed in such a way that on the 21st of August, 1999, it goes back to the 6th of January, 1980. There was a fundamental problem. So they have a Year 2000 problem before the Year 2000 happens.
The point there is, very simply, that if we look at all of the systems that are being developed, they are, for the most part, deeply flawed. We have serious problems in our system development projects. If you look at, say, the IRS tax modernization system, the FBI fingerprint system, the FAA's air traffic control rehosting, all of those systems went down the tubes at the cost of billions and billions of dollars.
We simply in this country do not know how to procure and develop very large systems. If we cannot develop even modest-sized systems properly—and I look at, say, operating systems and networking software, which are riddled with security holes and crash all the time—how can we possibly be expected to develop a key recovery scheme that will work without any risks? And when you consider all of the people risks, we have an even bigger problem.
Again quoting a GAO report, they looked at the IRS and they found rampant misuse of IRS information systems, and they found rampant misuse of law enforcement systems. If the government cannot be expected to have employees who are above-board, how can you expect a key recovery scheme to work without risk?
Let me touch briefly on cryptography. This is a subject that is of great complexity. The Commission has basically thrown in, as you said, one page. They have said that key recovery is a good thing; it's prudent; therefore, you should do it. They did not look at any of the risks of key recovery. They didn't even cite our National Research Council study. They didn't cite the 11-authored report that I cite in my written testimony. And I think I have to make a very careful distinction between key management, on one hand, which is absolutely necessary, and key recovery. Key recovery implies that the keys are kept around. If you ask the NSA folks whether they're willing to share their keys with a trusted third party, they're going to laugh you in the face. This is absolutely absurd. So the notion of a trusted third party who might not be trustworthy is a very, very difficult topic.
But I think the important thing here is that, even though somebody will show you a demo of a key recovery system, that is not a demonstration that there are no risks involved, and if you can't trust the computer systems and you can't trust the communications, and you can't trust the implementations of the cryptography that are in the operating systems developed by the folks who are producing the commercial systems on which the entire Nation depends, and if you can't trust all of the people, we have a situation which is essentially intractable. And I think you really have to look at those risks in great detail.
With regard to the question of preparedness, are all of the risks that one might worry about real? If you look at, again, the handout material that I've included, you'll see a list of thousands of cases of things where things didn't work the way they were supposed to. And the real paradox—do I get another 30 seconds or is that it?—the real paradox is that if you are really prepared, then nothing bad is likely to happen. If you're not really prepared, you never know whether something colossally bad is happening.
And as was indicated at the very beginning, simultaneous, systematic coordinated attacks on the entire national infrastructure are possible. If they occurred at a strategically-opportune moment in combination with something else, they could be devastating to the Nation.
[The prepared statement and attachments of Mr. Neumann follow:]
Mrs. MORELLA. I thank you very much.
We really could have questions that could take another 2 hours and still have more questions. I'm going to start off with General Marsh, and I'm going to then allow any of you to respond to any of the questions, and then give Mr. Bartlett an opportunity to ask questions, and we'll do it all within 10 minutes.
The Commission's definition of national security-related infrastructures seems to include just about everything. The report also indicates that the private sector should take a lead in securing these systems. I wonder, General Marsh, do you feel that there's a conflict between the designation of infrastructures as national security-related and retaining civilian control of security for these infrastructures?
Mr. MARSH. Madam Chairwoman, it appears as a conflict, but I think it brings to light the fundamental challenge that this Nation's facing as we go forward, and that is that we're entering an era where we no longer have the peaceable neighbors and the great oceans on all sides to protect our critical infrastructures. We're approaching an era where they now may be the front lines of defense of our very society, and be important targets for anyone who would do us serious harm, and tools that are readily available with which to do that harm, the knowledge is readily available; the vulnerabilities exist. All it takes is the intent to do harm, and therefore, it becomes a national security problem as well as an economic security and a society well-being problem.
Mrs. MORELLA. Let me also ask you about how you think that the safeguards that you have enumerated and which are in the written testimony, as well as in the report—I guess one of the concerns I've sensed, that others have asked, too, and I was concerned about, is: How would these safeguards be funded?
Mrs. MORELLA. Would any of the rest of you like to comment, particularly on the private sector aspect of it? Yes? Thank you, Mr. Davidson.
Mr. DAVIDSON. Yes, thank you. The underlying premise of this report is probably the most bothersome for me because in the foreword the report says national defense is no longer the exclusive preserve of the government. And for me, I have to ask, since when? I always thought the Nation's defense, the Nation's security, was the preserve of government exclusively and we were to provide a vibrant economy.
Later the report goes on to say that shared threats demand a shared response from increased partnership between government and the owners and operators of our infrastructure. For me, shared response is a code word for you, too, are going to pay.
The point I wanted to make early on is we are more than happy to learn about other tools or techniques that we can employ to make sure that our infrastructures are protected. However, anything beyond what we need to do for commerce I think needs to be paid for by the government. Otherwise, it puts us at a competitive disadvantage in providing those kinds of things worldwide.
Mrs. MORELLA. Does Citibank feel the same way?
Mrs. MORELLA. Does CyberCash feel the same way?
Mr. STEVENSON. I think one needs to draw a broad distinction here between Citibank's or CyberCash's protection of itself against threats, where, as I've said in my testimony, the government can best help us, if at all, by encouraging research and education, so that we can be constantly up to date on the latest security tools.
If there are threats to the infrastructure as a whole, which is a very different problem, it may be that little old CyberCash or even great big Citibank can't, acting by ourselves, or even in conjunction with industry groups, solve those infrastructure threats, truly infrastructure threats. I am not an expert in network security or infrastructure stability. Those are technical issues that I'm not confident to comment on. However, I do think that if the work of the Commission will lead to more attention to that issue, then perhaps that is a collective problem, and that does require some sort of shared response.
Mrs. MORELLA. Mr. Neumann, you wanted to mention——
Mr. NEUMANN. Thank you. I would add several things. One is that the National Research Council report makes a very explicit case that when you talk about national security, it is not just the defense of the Nation in the military sense. It is the survival of the infrastructure. That was a point we made very strongly, and I believe it.
The problem here is that the industry is not doing the job by itself. Our security systems are riddled with security flaws. Our reliability is bad. The survivability of the telecommunications systems and the power systems are bad. We had the AT&T collapse of 1990, where long distance was out for half a day, and we had the most recent case where the western States, 12 States, had major power outages on July 2.
The fundamental question is: Can the risks be eliminated? And if you look at the background that I've provided in my handout materials, you will see that the history says there are vulnerabilities in everything we deal with, and we are very slow to avoid those. So we do need to do something.
Mrs. MORELLA. I would be very interested at some point, and maybe during the interim, for the Commission and for those of you who are here testifying, give us the list of what you think needs legislative remedy in some way, and maybe we can work on it, massage it, maybe come up with something; maybe it could be done administratively.
I know that I want Mr. Bartlett to have a chance to ask questions. There are just two other points that I'll have an opportunity to perhaps pose with you, and that is, again, why the omission of the Year 2000 computer glitch? I mean, maybe it was just simply taken for granted. Second, the concept of encryption, and before I get to that, I'm asking, General Marsh, why don't you come out on record and support the Computer Security Enhancement Act, which is, I think, H.R. 1903? It's a pretty good bill, isn't it?
Mr. MARSH. Yes, Madam Chairwoman, it's a pretty good bill.
On the Year 2000 problem, we concluded early on that's a major problem and challenge facing the Nation and all companies, and so on. We felt there was very little value that we could add to that. It was being worked very, very hard. We added what we hoped was one small element of value, and that is that in the rush to cope with the Year 2000 problem, some companies are exposing their critical information to firms, and even to overseas organizations, to help them, and in the process they may make themselves more vulnerable to malicious acts, and we flag that caution.
Anyone else want to comment briefly on it?
How about encryption? That's critically important. Did you want—did you hope to have more time to get into encryption in the——
Mr. MARSH. No, ma'am.
Mr. NEUMANN. It's a hot potato. May I state briefly there's absolutely no question that good, solid encryption is essential to the critical infrastructure protection problem, and especially for the critical control functions that are associated with the critical infrastructures. There has to be, in our judgment, key recovery means. That's essential for both the public and the private sectors and for very good, sound business reasons. Our conclusion was that the government ought to really get serious about a pilot undertaking of encryption systems, especially one that involves providing a public service, and we believe that such an undertaking could, in fact, uncover the problems and the difficulties of developing and instituting a key management infrastructure. And we believe the only way to put the debate to rest is to move out and try and construct such a program.
Mrs. MORELLA. What I'm going to do is I'm going to—we're going to both go to vote. We decided that we were going to come back, if you can be patient. Can you? And we'll pick up on the encryption, so that both of us will have another round of questioning. Great. Thanks.
Mrs. MORELLA. Do you know what my staff said to me, General Marsh? They said, ''You didn't get such strong support for that bill.'' So how about giving us some response to that?
Mr. MARSH. We support it stronger then.
Mrs. MORELLA. Thank you. Thank you very much.
We were talking about encryption, and I think that now that we voted—the third time never fails. So that we'll be able to continue, usually they say, in a seamless fashion.
And so back to the encryption. I think, Mr. Davidson, you were speaking on it, weren't you? You were going to try to.
Mr. DAVIDSON. Yes, as a matter of fact, I think all the panelists ended up talking about encryption to some degree. I mean, I think the bottom line is we don't believe—and we've stated this in testimony before other committees as well—that key management, key escrow, or even key recovery systems are going to work, for a number of different reasons. And one includes—is that internationally it's not being adopted. In fact, this Administration tried to promote that agenda for key management overseas before the OECD, and the OECD rejected it, which means that basically we're providing a market for foreign corporations' products that we're not fulfilling. So we're losing jobs; we're losing opportunities.
So the bottom line is, for key management—I mean, that's one of the reasons; a second reason is, obviously, people don't want information over the Internet or over networks that they don't think is secure, that other people have access to. So for a number of different reasons, we just don't think—and the National Research Council, obviously, supports this and said—we didn't think it was going to work.
Mrs. MORELLA. Thank you. I know that Mr. Neumann, in his testimony, spent some time talking about key recovery and encryption. Would you like to elaborate at all on that, Mr. Neumann?
Mrs. MORELLA. Yes.
Mr. NEUMANN. We spent 2 years on the NRC study with clearances, with access to things that apparently nobody had ever seen before, and came to the conclusion that the classified—it was not necessary to make the arguments that we were making with any reference to classified arguments, and that's already been pointed out here. But I think it's a very fundamental conclusion.
On the other hand, you've got to look at all of the details. ''The devil is in the details,'' is the characteristic statement. And if you look at the vulnerabilities that have existed and that continue to exist in computer operating systems and computer networking, basically, you need wonderful, unsubvertible cryptography in order to build a secure infrastructure, but you need a secure infrastructure to be able to have that in the first place. So there's a cyclic loop here of you have to—if we had ham, we could have ham and eggs, if we had eggs—is sort of the cyclic loop.
You need an infrastructure. It's not a question, again, whether it can be built. It's clear that key management infrastructures can be built. The question is: Can key recovery schemes be built in such a way that there are only risks that can be considered as reasonable? And if, in fact, you have fundamental flaws in the computer infrastructure, that is very unlikely.
Mrs. MORELLA. I have this book here. Did you read it all?
Mrs. MORELLA. This is the one that he mentioned, the National Research Council study. There is a bill that has been going through multi-committees called the SAFE bill on encryption; I think it's H.R. 695. Anybody want to briefly mention whether you think it's good, bad, indifferent? No opinion on it? Do you think you'd like to—Mr. Stevenson?
Mr. STEVENSON. One of the problems in this discussion is that the terminology is very slippery, and terms like ''key management infrastructure,'' ''key escrow,'' ''key recovery,'' and so forth, mean different things to different people, and so I'm not quite sure how the Commission was intending to use key management infrastructure, but taken in context, it seems to me to have a rather broad meaning. And I can report, from the point of view of one company, that we use encryption in our systems, and we don't have a key management infrastructure in that sense, in the broader sense, and our systems work, as far as I know, pretty well. And they are on their way to being truly global. We operate a system in the United States today that is going to interconnect eventually with systems throughout most of the world, we hope, and those systems won't need to be modified to create some sort of a massive key management infrastructure in the larger sense.
As to the SAFE bill, I think it depends on what version of the SAFE bill we are talking about. It has, as you're well aware, been the victim of a number of terrorist attacks.
Mr. STEVENSON. The original bill looked pretty good to us, and we would simply encourage you to protect it against any future terrorist attacks.
Mrs. MORELLA. Yes, sir, Mr. Katz?
Mr. KATZ. Let me say I completely agree with Mr. Stevenson about the first version of the SAFE bill. It had a lot to offer. I think what is essential for electronic commerce, essential for electronic banking, is the export of robust cryptography. I think we really have to differentiate between key recovery and data recovery, and we tend to get the two confused.
Mrs. MORELLA. Yes, any other comments on it?
Mr. NEUMANN. Yes, I have one further question——
Mrs. MORELLA. Mr. Neumann.
Mr. NEUMANN. One further comment. The ultimate issue here is one of surreptitious access in which the corporation or the individual would not know that the information was being gained, similar to a wire tap. If you look at the pending legislation, the Kerrey-McCain bill, as proposed, doesn't require a federal judge to issue a warrant; it's sufficient to issue a subpoena, which is tantamount to saying that there is no security at all, if I may carry that to the extreme.
The second point is that Judge Freeh himself has—Director Freeh—has admitted that there is no real business model for key recovery in communications from one system to another, not e-mail, but just network traffic. And he said that because there is no business model for that, he doesn't think that industry will ever get around to doing it, unless it becomes mandatory, and he said that he would like to outlaw all crypto unless it contains key recovery that gives the Justice Department or the FBI access to the keys.
Now, again, the distinction between the data access and the key access is important, because access to keys, if you are in fact getting access to a master key or a certificate key, you have access to vastly more than you should be able to have access to. And this is a very, very fundamental, somewhat subtle distinction that needs to be made.
Mr. MARSH. Yes, Madam Chairwoman.
Mrs. MORELLA. Mr. Stevenson, did you want to comment, sir?
Mr. STEVENSON. No, I have no further comment.
Mrs. MORELLA. Oh, sorry, Mr. Davidson, I didn't give you a chance.
Mr. DAVIDSON. I will—suffice it to say that CCIA fully supports the SAFE bill, the Goodlatte-Lofgren bill, as originally drafted, and seeks, obviously, its passage. And we would also support the Computer Security Enhancement Act and regret the fact that section 7 was removed, which we thought would have been a very important enhancement.
Mrs. MORELLA. We do, too. Thank you. Thank you.
I'm now pleased to turn to Congressman Bartlett. Oh, and we've been joined by Mr. McHale from Pennsylvania.
Mr. BARTLETT. Thank you very much. Madam Chairwoman, thank you very much for calling this meeting. As our infrastructure becomes more and more dependent on the role of computers, it's more and more appropriate that we look at the vulnerability of our infrastructure relative to the role of computers in the infrastructure.
I'd like to spend just a few moments talking about something that is maybe a long shot in terms of threat, but I note that we're spending several billion dollars on national missile defense. We spent a lot of billions of dollars in the past. This is against a long shot pretty much, too; that is, that there's going to be a missile attack on this country, but we still, because that would be so devastating, we're spending some money on trying to ameliorate the consequences of that.
I don't lay awake nights worrying about whether my house is going to burn or not. There's a pretty low probability that it will burn, but I don't worry about it, and that's probably because I have a fire insurance policy on my home.
Your automobile will stop. It will not start again. Essentially, every computer in the country will be fried. I am told that spare parts on a warehouse shelf may also be fried, so they won't be available. There will be no power grid in the country. There will be no communications grid in the country, and fiber optics is not much help because we have switching stations, and so forth, and there are microelectronics involved there.
Now I know that the probability of this happening is nowhere as great as the probability that some hacker is going to get in there and try to wreak havoc with your computer, but this is not a zero possibility, or we wouldn't be spending billions of dollars on national missile defense. I will tell you that any sophisticated enemy, if he has but one bomb, that's where he will detonate it. It does not harm one single person; it does not harm one single building, but it totally shuts down the infrastructure in our country. The consequences of this are so devastating that I think that we really must look at this.
I know that the President's Commission on Critical Infrastructure Protection looked at this, decided that it was a low probability. So they weren't going to look at it anymore, but it's not a zero probability. If it were a zero probability, we shouldn't be spending billions of dollars on national missile defense. It is a real possibility. And since the consequence of this would be totally devastating, we really need to look at that.
Mr. NEUMANN. You're probably getting into things that the U.S. government would not like you to talk about in open session. However——
Mr. BARTLETT. But this was in The New York Times.
Mr. NEUMANN. Yes, I understand. This is the old question of secrecy. You know, you have something that's a very serious risk, so you classify it, so that nobody realizes how bad it is. This is a serious problem, but let me suggest to you that there are others that are much easier to perpetrate.
For example, bringing down the telecommunications, power, water infrastructures—you've read Clancy's ''Executive Orders;'' you saw a wonderful threat in there that was rather devastating, short-lived, but it could have been protracted. The point, very simply, again is that the electronic terrorism can be carried out remotely, anonymously, with very little detection in some cases. Trojan horses could be planted in, for example, all of the telecommunications systems in the country, and all triggered to go off on December 31, 1999, just to enhance the fact that there's already a Y2K problem. And if that were to happen, I suspect we would take a very long time to recover from it.
There are people who suggest actually shutting down the government for a week or two around that period; that nobody should fly; nobody should have money in banks, and so on. But I think such an attack would be quite devastating. And the point is that it takes much less effort than your EMP attack.
If you start thinking about the EMI effects, as you will see in my handout, there's an enormous number of those. Now those are also just one more type of attack that one could consider. But I suggest that the one that you have gotten is probably the least likely, simply because it is so difficult to mount. But the warning is, when you deal with very low probability events, you are in real trouble because it's the lowest probability of events that tend to get forgotten completely or assumed that can never happen, and therefore, there's no defense against them. And, therefore, they really become the riskiest of all.
Mr. BARTLETT. I think you're absolutely right; if a potential enemy knows that we have no protection against something like that, they're more likely to use that. And by the way, any potential enemy is going to begin their attack with an EMP laydown, simply because even if you have planned for it, it can be quite devastating. If you haven't planned for it, it could be absolutely catastrophic. So if you have only two bombs—the first one is a high-level burst that produces an EMP laydown, then I'm wondering—this is a problem bigger than the U.S. government. You know, you are talking about a partnership and what is the role of the private sector. This is a problem bigger than the Federal Government can handle.
In our military even, we do not want to be decapitated, and so we, I think, are reasonably sure that we won't be decapitated. But using that analogy, I'm wondering what good you will be if you still have a brain, but no arms and legs after the attack. And I'm not sure how much of the arms and the legs will remain in our military after this attack. I know this is not something that you've spent a great deal of time thinking about, but we shouldn't be spending billions of dollars on the national missile defense, and we are, and we have, if there is no probability this will occur. So if we're spending that kind of money there, we at least need to spend some time and money thinking about our national infrastructure and how we would recover.
So I guess that my challenge would be to collectively think, what can we do, what should we do to make us less vulnerable to this eventuality?
Mr. NEUMANN. I couldn't agree more, and I want to point out Stansfield Turner's new book, which brings to light something that I hadn't seen in print before, which was a very close miss. We came very close to a nuclear retaliation because the computer systems had in fact identified thousands of incoming missiles. That's documented in his book, and it's an extraordinary case. Would there have been—he mentions in the book there have been thousands of cases in which we've had close calls, but this one was extraordinarily close. It came within a second or two of Zbigniew Brzezinski waking up President Carter and initiating the retaliation sequence, because a computer error had falsely detected incoming missiles.
Mr. BARTLETT. There have been more recent ones. There was a scientific rocket from Norway that was——
Mr. NEUMANN. Yes.
Mr. BARTLETT (continuing). —mistakenly identified by the computer as a rocket launch from our country against Russia. They went so far as to bring out the black box. They were just minutes away from launch. This is the kind of thing that is now becoming public, and thank you very much for bringing this to our awareness.
Well, thank you all very much, and I know it's not a problem we'll solve around the table today, but it's one I think we need to address then. And thank you.
I'll now recognize Mr. Gordon, the Ranking Member.
Mr. GORDON. As one of the panelists mentioned earlier, the laws pass at the speed of Congress, and that being the case, I'd like to just ask each member of the panel what they think are the one or two most significant, I guess, problems that Congress should act upon. Some of the problems we can't do anything about, but what are those things that we can and should get started on immediately? General Marsh, you might start.
Mr. MARSH. Thank you, Congressman Gordon.
We have two categories of legislation that need to be addressed. One is the enabling legislation that will enable the recommendations that we've made with respect to the national structure that we're recommending; that is, the Information-Sharing and Analysis Center, a joint public/private venture which is very unusual, unique, as far as we know; the establishment of the Council that we've recommended; the establishment of the support office. So there's enabling legislation that will be required to establish those structures that we've recommended, and that's one category of legislation. And I don't know what recommendations the President will accept, but if he accepts some of those and decides to move ahead with establishing those structures, then the enabling legislation will, I presume, be requested.
There's another category, and they include such acts as the Stafford Act, the War Production Act—I'm trying to think; there's another act—that bear directly on infrastructure protection in one way or another, but do not incorporate or do not include today cyber provisions; that is, they do not—the Stafford Act, which enables FEMA's actions, as you know, for recovery, etc., does not talk about a disabling infrastructure attack. And it's understandable why they do not, because in general terms those are the private sector—it's a private sector recovery problem. But the act does not address how to enable, how to assist the private sector, from a major disruption of an infrastructure. So those acts need to be addressed.
Mr. GORDON. Mr. Stevenson, also, maybe just take what you think is the No. 1 threat that deserves some kind of Congressional action, where Congressional action can be helpful——
Mr. STEVENSON. Can I have two?
Mr. GORDON. You can do two. You can do two, half the time on each.
Mr. STEVENSON. I do think, as I said in my testimony, that there is a role for the Federal Government here. I haven't had a year, as General Marsh has had, but a day instead to think through what the bureaucratic infrastructure might look like, and so I don't want to endorse the recommendations of the Commission in that respect, but I do think that some action to promote a dialog between the government and the private sector, directed at dealing with some of the infrastructure problems that the Commission has addressed, is in order.
And the second thing I would encourage Congress to do is to address the encryption issue and lay it to rest once and for all.
Mr. GORDON. Okay, thank you.
Mr. NEUMANN. No. Impossible.
Mr. KATZ. Again, two: First, support the SAFE bill, as originally written; get that out, and hopefully, begin to resolve the encryption issue.
And, second, I think there's a significant need for federal electronic authentication legislation. And if I could throw in one small commercial, we really need, perhaps under the Federal Government, a very intense public education program, literally beginning from kindergarten.
We were at one meeting that's, I guess, to provide input into the Commission, and one of the presenters at the meeting talked about how his 6-year-old hacked into his mother's account on the computer at home because he was given a password in school, and he thought he'd figure out what his mother did.
There is a total lack of ethics, and that has to be brought up and dealt with.
Mrs. MORELLA. Would the gentleman yield for a moment?
Mr. GORDON. Sure.
Mrs. MORELLA. I just wanted you to elaborate; what kind of education are you dealing with when you're dealing with kindergarten. I mean, I know we've done some grants in our legislation, the computer security one, to allow for computer security to be studied, and whatever, but beyond watching what your kid is doing on the computer, what are you talking about?
Mr. KATZ. One of the things—when you go to—talking about kindergarten, my grandchildren are there; they're told you don't take somebody else's coat; you don't take something out of somebody's locker; you don't break into somebody else's account. They just begin that way.
Thank you very much. I yield back.
Mr. DAVIDSON. Congressman Gordon, again, I would agree with Mr. Katz that I think where Congress could be the greatest help is in funding a public awareness campaign, so that in fact if the Commission would come forward with their threat assessment, so that we understood why they were making these sweeping recommendations, that would be helpful, as well as for R&D, because I think the Commission, which is, as deregulation occurs in telecommunications, generally, it means less money for R&D across the board. It's a very competitive industry. We put as much money as we possibly can in to be able to sell product and service and stay ahead of the curve. As you know, the product cycle in the computer industry is anywhere from 3 to 6 months these days, a little bit longer for telecommunications. So that would probably be the biggest help.
Second would be, of course, passage of the SAFE bill in its original form, because we need to get beyond the encryption debate. The one caveat I'd like to make here is that I really don't believe at this point in time that some of the other changes to laws that are envisioned by the Commission are necessary, and I pointed out in my testimony the antitrust laws which we would caution against changing.
And there's also one reference on page 98 of the report which calls for sponsoring legislative activities leading to a finding that certain critical infrastructures are instrumentalities of interstate commerce. To me, that means regulation of the Internet and World Wide Web, and that is something, obviously, we do not support.
Mr. NEUMANN. Each of us sees this question in his own image. I was once on a panel with the National Space Symposium. The question was: How should NASA be spending its money? Edward Teller said, ''We need smart weapons—smart satellites in space, so we can keep track of what's going on.'' Buzz Aldrin said, ''We need colonies on Mars and the Moon, so we can get to the outer planets.'' Hans Mark said, ''The Cold War is not over and we need Star Wars.'' General Kelly, who is the head of the Air Force Academy, said, ''Well, all of this is sort of useless if we don't have education.''
And I was the tail wagging the dog on that panel, and I'll do what I do now, which is to say, that absolutely fundamental is research. And I would say that the problem here is that much of the research that we're funding is not necessarily headed toward solving this particular problem. There's a lot of research that is tangential or interesting, but I think a very focused research effort needs to be conducted here, not just necessarily a billion dollars by 2004.
But that money into projects that have a serious chance of helping the security, survivability and reliability of the infrastructure. My colleague, Tony Barnes, is here from the Army Research Lab, and his is probably the only lab in the world that has the word ''survivability'' in its title. His efforts at the moment, which I'm working on with him, are explicitly looking at the problem of how can you build systems that are demonstrably reliable, secure, safe, and survivable, despite the fact that the components are not trustworthy, and the people are not trustworthy?
Mr. GORDON. Okay, thank you. I don't want to impose on anybody else's time. Thank you.
Mrs. MORELLA. Thank you, Mr. Gordon. I'd like to recognize Mr. McHale.
Mr. MCHALE. Thank you, Madam Chairwoman.
I arrived about a half-hour ago, and I've been listening to the testimony ever since. I don't know if it struck others, but the breadth and scope of this hearing in the last 20 minutes has been astonishing. We've gone from what my friend Roscoe Bartlett described—I realize he was quoting others—as the inevitability of an all-out nuclear exchange to the security risks arising out of a 6-year-old hacker.
That's a range of security in terms of our infrastructure that is breathtaking in its complexity and in its philosophical dimensions.
During the period of time that I have been here, there have been references sometimes in terms of terrorist attacks and sometimes the rhetoric was a little more restrained in terms of the changes in the original SAFE bill and how it evolved to a less appropriate forum. If you covered this before I got here, there's no need to please me and go back into it again, but let me simply ask all the members of the panel: Could you describe briefly the worst changes that were made in the bill in terms of its evolution through the process? Since I've been here, you've called repeatedly for the passage of the bill in its original form. What mistakes have occurred in the intervening period of time? General Marsh?
Mr. MARSH. Sir, I'm not well-informed on that, nor have I been tracking it carefully.
Mr. MCHALE. Okay.
Mr. STEVENSON. I'm afraid I haven't tracked it closely enough to know exactly where it is in the current status in the legislative process. What I was referring to when I referred to a terrorist attack was the efforts to turn the bill upside-down and take it from a bill which strengthened encryption and encouraged its use to a bill which would have effectively gutted the possibility of using encryption for financial purposes, which is what I'm particularly concerned about, or for Internet security generally.
Mr. MCHALE. Well, I'm getting to—those are outcomes. What I'm asking is, what produced a change in the bill that turned it on its head? What specific changes in the language of the bill changed it from what I gather the consensus would appear to be, a pretty good piece of legislation, to one that you don't particularly care for?
Mr. STEVENSON. Well, the Oxley-Manton amendment, which is what I was referring to, would have turned it from a bill which allowed the export of encryption software to a bill that would have required a key—an ill-defined key escrow or key management or public key infrastructure system that would have put trapdoors in it for use domestically, which is certainly not the law today, and I think that would have gone from a bill that would have had salutary effects for system security and the stability and usability of the electronic infrastructure to a bill that would have created gaping holes in security.
Mr. DAVIDSON. Yes.
Mr. KATZ. Yes.
Mr. NEUMANN. Well, Oxley-Manton did not survive actually. On the other hand, there is a fundamental conflict between the Goodlatte-Lofgren bill, SAFE, and the Senate bills. And I think there is serious concern on the part of the privacy community and the business community and the banking community and the encryption ethic people that if in fact the Senate passes a Draconian bill that looks sort of like McCain-Kerrey or something of that nature, that gives law enforcement essentially unrestricted rights without any understanding of the risks of what could happen, then a conference committee might well do something rather horrible to this legislation.
So I think the issue in the House is that it is still unclear to me what legislation is likely to be considered, and it's even more unclear in the Senate. So I think we need to have a discussion offline in detail as to what the situation is.
Mr. MCHALE. All right, thank you.
My final question is for General Marsh, and that is, the Commission recommends doubling the federal R&D budget related to information security for Fiscal Year 1999, and then doubling it again, as I understand it, over the next 5 years. And so my final question to you, General Marsh, would be: How did the Commission arrive at the size of the R&D initiative required? And then as a kind of corollary to that, what is the rationale for a factor of four increase in the federal research effort over that 6-year period of time?
Mr. MARSH. Yes, sir. We conducted a very intensive study of what research and development is being undertaken by all agencies of the government now. Incidentally, this was done with the cooperation of Argonne National Labs, the Institute of Defense Analysis, the National Research Council, Sandia Laboratories—and I can't think of one other organization—NSA, the National Security Agency.
And then we also surveyed both the private sector and the public sector as to, what do you think needs to be done by way of the full range of tools? We discussed modeling and simulation. We discussed, obviously, the real-time detection capabilities, anomaly detectors, correlation tools to correlate disturbances here with disturbances there—the full range—actual isolation tools, such that if you know you're under attack, how do you isolate certain sensitive components, and on and on.
So we have a complete layout of what we believe needs to be undertaken. It was our judgment, best judgment, using the advice of all these experts, that would total up to about a billion dollars a year, if you pursued that aggressively. And we feel confident in our estimate of the $250 million that's currently being conducted. That's a good estimate and I think corroborated by the facts.
So we asked ourselves: How can we get there, up to the level that we think needs to be pursued? And we thought, and I must say it's a subjective judgment. Let's try to jumpstart it the first year, and let's try and double it that first year and get it to $500 million, and then let's over a period of 5 years try to grow to the objective that we think is necessary. And we have a detailed report that outlines the specific elements of research and development that we think need to be undertaken.
Mr. MCHALE. General, we appreciate your comments. Thank you, Madam Chairwoman.
Mrs. MORELLA. Thank you, Mr. McHale.
I think Mr. Bartlett wanted to do a follow-up question?
Mr. BARTLETT. Both Congressman McHale and I are on the National Security Committee, and I think that part of the problems with the encryption bill had to do with some concerns that our committee had. They were very legitimate concerns. I'm sure you understand that there is a natural tension between the desire of most of our society to export anything and everything, because it's good for our economy, and the desire of the defense community to export nothing that would give our potential enemies any technical capability.
We were very much concerned about the language in the original bill, and I'm not sure that in the short amount of time that was available for making sure that the concerns of these two different communities that are really pretty much at two ends of the spectrum were adequately resolved. Clearly, we want to be able to export as much of our technology as we can, and, clearly, we do not want to export any technology that's going to bring us the potential grief in the future relative to our national security. And I'm not sure that we have the time or perhaps the wisdom to resolve those different perspectives.
My understanding is that we now have five bills because of the five committees that have jurisdiction, and those now need to be melded into a single bill, which is not likely to happen this year, perhaps next year. And so we would invite your input so that we can have a bill that will accomplish what everyone essentially wants to accomplish, and that is to optimize the opportunities for export and enhancing our economy, and still to adequately protect ourselves from a national security viewpoint.
So since you are concerned and knowledgeable in this area, we would solicit your contributions to any or all of the five committees that have been involved in this.
Thank you very much, Madam Chairwoman.
Mrs. MORELLA. Thank you, Mr. Bartlett.
General Marsh, you mentioned research and development and the work that went into that, and I know that's the case. And yet as I look through this report, I only see like two pages and a half on research and development. I just wondered why you did not elaborate further on what you had done.
Maybe you want to comment on that.
Mr. MARSH. Well, our report to the President, which is making its way to the President, is, I believe, some 300 pages and does have detailed annexes and appendices, but it also has the national intelligence estimate, etc., and the complete compilation of vulnerabilities as we try to understand in each of the infrastructures. So it's much more comprehensive, and it's classified, and this was, I must honestly say, a rather quick attempt to synthesize the report as best we could, get the highlights out for unclassified release. And it doesn't really portray the tremendous research effort that underlies the Commission.
Mrs. MORELLA. I have no doubt of that, about that. It just seemed very interesting. There was such replication of these blank pages.
And with the R&D, too, I wonder, who would you designate to pay for the R&D and who should be doing it? Should it be civilian or should it be military?
Mr. MARSH. Madam Chairwoman, we looked at the civilian component, and that ranges—I believe I'm correct here—between about $150 and $350 million a year, depending on your definition of it. But most of it is product, near-term product-oriented, and it was our conclusion, the plus-up that I am talking about to a billion dollars is what we believe the Federal Government must undertake or it will not be undertaken. We concluded on these particular efforts that are described in our more detailed report—we concluded that market forces would not, in fact, spur that kind of research and development, the protective means that we feel are necessary for the infrastructures.
So we tried to segregate what we thought the private sector would undertake and what the government should undertake, and if not, it will not be undertaken.
Mr. MARSH. Those that you cited are fundamental, we believe, to constructing this trusted environment that will facilitate the information-sharing process that we believe is needed. In other words, we want the lead agencies—and, for example, the Department of Energy—to work with the electric power industry and promote the development in the electric power industry of that coordinator that we talked about, that's called out in the report, or the clearinghouse, and we want that clearinghouse to collect the information, be the receiver of the information of the electric power industry, provided anonymity where required, protect the proprietary information, be immune from FOIA, etc., and then share that with the Information-Sharing and Analysis Center that we propose being conducted. All of that is to facilitate this ability to create a trusted environment for information-sharing between the government and the private sector.
Mrs. MORELLA. Finally, General Marsh, what happens now? You presented it to the President. Does he, then, look it over or his advisors look it over, and then get ready for some implementation in the next Congress in terms of presenting his budget? Does he put money in for that? I mean, we certainly will look at the section that deals with legislative remedies, but we'll be looking for some direction also in terms of what is feasible, what is not.
What do you predict and what would you hope would happen?
Mr. MARSH. Well, of course, we'd hope, Madam Chairwoman, that the President will accept our recommendations and direct his administration to prepare the appropriate implementing instructions and propose legislation, etc. But right now, the process is an interagency process that's reviewing the report and getting ready to forward it to the President with the principal recommendations to him as to what—how he should treat the report.
Mr. MARSH. There is an interagency review process, yes, ma'am.
Mrs. MORELLA. Okay, very good. Well, I appreciate your being here.
I'm going to turn over for the last word to Mr. Gordon. Any comments?
Mr. GORDON. I have no further questions, and thank the panel for their time and hope that this is a start for this dialog that we need to continue, and we'll be in touch.
Mrs. MORELLA. I want to thank you for your patience also, as we went off to vote and came back and forth. I know we have other questions to ask you, but I seriously, on behalf of the Committee, not only thank you, but invite you to continue to stay posted and to give us your recommendations, based on your experience and expertise.
Thank you, General Marsh. Thank you, Mr. Stevenson. Thank you, Mr. Katz, Mr. Davidson, Mr. Neumann. Thank you very much.
Mr. MARSH. Madam Chairwoman, may I say just one last thing? I've been advised that the left pages are blank so that chapters can start on the right-hand side.
Mrs. MORELLA. I'm delighted to have that clarification. I knew there was a reason for it beyond the fact that you didn't want us to see this data. Thank you.
The Subcommittee is now adjourned.
The record is going to be open for a period of days for any information you'd like to get to it, and also I wanted to give the other members of the Committee and myself an opportunity to send questions to you. Thank you.
[Whereupon, at 4:30 p.m., the hearing was adjourned.]
THE ROLE OF COMPUTER SECURITY IN PROTECTING U.S. INFRASTRUCTURES
COMMITTEE ON SCIENCE
SUBCOMMITTEE ON TECHNOLOGY
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTH CONGRESS
NOVEMBER 6, 1997
Printed for the use of the Committee on Science
COMMITTEE ON SCIENCE
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
SHERWOOD L. BOEHLERT, New York
HARRIS W. FAWELL, Illinois
CONSTANCE A. MORELLA, Maryland
CURT WELDON, Pennsylvania
DANA ROHRABACHER, California
STEVEN SCHIFF, New Mexico
JOE BARTON, Texas
KEN CALVERT, California
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan**
DAVE WELDON, Florida
MATT SALMON, Arizona
THOMAS M. DAVIS, Virginia
GIL GUTKNECHT, Minnesota
MARK FOLEY, Florida
THOMAS W. EWING, Illinois
CHARLES W. ''CHIP'' PICKERING, Mississippi
CHRIS CANNON, Utah
MERRILL COOK, Utah
PHIL ENGLISH, Pennsylvania
GEORGE R. NETHERCUTT, JR., Washington
TOM A. COBURN, Oklahoma
PETE SESSIONS, Texas
GEORGE E. BROWN, Jr., California*
RALPH M. HALL, Texas
BART GORDON, Tennessee
JAMES A. TRAFICANT, Jr., Ohio
TIM ROEMER, Indiana
ROBERT E. ''BUD'' CRAMER, Jr., Alabama
JAMES A. BARCIA, Michigan
PAUL McHALE, Pennsylvania
EDDIE BERNICE JOHNSON, Texas
ALCEE L. HASTINGS, Florida
LYNN N. RIVERS, Michigan
ZOE LOFGREN, California
LLOYD DOGGETT, Texas
MICHAEL F. DOYLE, Pennsylvania
SHEILA JACKSON LEE, Texas
BILL LUTHER, Minnesota
WALTER H. CAPPS, California
DEBBIE STABENOW, Michigan
NICK LAMPSON, Texas
DARLENE HOOLEY, Oregon
TODD R. SCHULTZ, Chief of Staff
BARRY C. BERINGER, Chief Counsel
PATRICIA S. SCHWARTZ, Chief Clerk/Administrator
VIVIAN A. TESSIERI, Legislative Clerk
ROBERT E. PALMER, Democratic Staff Director
Subcommittee on Technology
CONSTANCE A. MORELLA, Maryland, Chairwoman
CURT WELDON, Pennsylvania
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan
THOMAS M. DAVIS, Virginia
GIL GUTKNECHT, Minnesota
THOMAS W. EWING, Illinois
CHRIS CANNON, Utah
KEVIN BRADY, Texas
MERRILL COOK, Utah
BART GORDON, Tennessee
EDDIE BERNICE JOHNSON, Texas
LYNN N. RIVERS, Michigan
JAMES A. BARCIA, Michigan
PAUL McHALE, Pennsylvania
MICHAEL F. DOYLE, Pennsylvania
ELLEN O. TAUSCHER, California
*Ranking Minority Member
CONTENTS
November 6, 1997:
Robert T. Marsh, Chairman, President's Commission on Critical Infrastructure Protection, Washington, DC
Russell B. Stevenson, Jr., Esq., General Counsel, CyberCash, Inc, Reston, VA
Stephen R. Katz, Chief Information Security Officer, Citibank, New York, NY
Glenn Davidson, Executive Vice President, Computer and Communication Industry Association, Washington, DC
Peter G. Neumann, Principal Scientist, Computer Science Laboratory, SRI International, Menlo Park, CA