THE ROLE OF COMPUTER SECURITY IN PROTECTING U.S. INFRASTRUCTURES
THURSDAY, NOVEMBER 6, 1997
U.S. House of Representatives,
Committee on Science,
Subcommittee on Technology,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2
p.m., in room 2318, Rayburn House Office Building, Hon. Constance A.
Morella, Chairwoman of the Subcommittee, presiding.
Mrs. MORELLA. I'm going to call to order
the Technology Subcommittee of the Science Committee.
This is the hearing that we're going to have on
the role of computer security in protecting U.S. infrastructures. Our
hearing today is going to explore the appropriate role of government and of
the private sector in securing the backbone of this country's information
and telecommunications infrastructures. It will focus on the
recommendations of the President's Commission on Critical Infrastructure
Protection.
The Subcommittee is well familiar with the threat
from computer break-ins. This hearing is the third sponsored by this
Subcommittee on computer security-related matters this Congress. We've
tried to highlight the need to improve computer security.
Earlier this year, to improve computer security in
federal civilian agencies, this Subcommittee and the full House passed the
Computer Security Enhancement Act of 1997, H.R. 1903, and the bill is
currently awaiting Senate action. So get those Senators to move fast.
The PCCIP—I never know whether or not
we can pronounce it; do we say ''PCCIP?''—was created on July 5,
1996, by Executive Order 13010. The stated reason for the order was the
need to assure the uninterrupted operation of critical infrastructure. The
PCCIP delivered its report to the President on Wednesday, October 22,
1997.
The Commission was tasked with addressing
vulnerabilities of eight different critical infrastructures:
telecommunications; electric power systems; water supply systems;
transportation; banking and finance; gas, oil storage and distribution;
emergency services, and continuity of government. Although the task of the
Commission was to look at vulnerabilities which would involve physical and
cyber security, their primary focus was on cyber threats.
The Commission focused on the fact that all of
these infrastructures are independently vulnerable. The Commission further
recognized that these critical infrastructures are closely related and
dependent on the underlying computer communications infrastructure.
We've all been made familiar with stories of
attacks on defense and civilian systems over the last several months. It is
important, however, to remember that computer security affects all of us
every day in ways both large and small.
Most of you may be aware that the Senate recently
suffered an e-mail bomb which slowed its system to a crawl. What you may
not have realized is that that attack was the work of one man. An
individual who was experiencing difficulty with unwanted electronic junk
mail, wrote to several Senate offices. Unhappy with the responses which he
received, he decided to take matters into his own hands and forward on to
Senate offices all unwanted mail he received with a header identifying
himself and asking them to call if they had questions. I hope they don't
get this idea on the House side, Mr. Gordon.
His actions caused the Senate mail system to
crash. As the story was related to me, he was probably a bit naive about
how serious the response would be to his actions, and was probably a bit
taken aback to receive a call from the FBI.
The size of the danger to our economy in
dollars is hard to gauge. The CSI/FBI survey of 1996 states that $4.5
billion was lost to business by compromises in information security.
Forty-two percent of all businesses report that they've experienced
attacks, and of these, 58 percent of the companies cite competitors as the
most likely authors of these attacks. These numbers pale somewhat when
compared to the fact that over 74 percent of the companies surveyed
believed they had experienced unauthorized access to material on their
systems.
The majority of critical infrastructures are owned
and operated not by government entities, but by private companies and
citizens. In addition, most of the extraordinary advances in security and
implementation of security technologies have been created by the private
sector. Whatever security measures are taken by the government must,
therefore, be based on a trust relationship led by the private sector. Any
efforts to implement a top-down approach which ignores the expertise and
ability of our citizens and companies will be doomed to fail.
So I look forward to hearing from our expert
panelists today on how we can facilitate the needed public/private
cooperation to ensure our economy is safe from both cyber crimes and
potentially-stifling government mandates.
And I'm now very pleased to recognize our
distinguished Ranking Member, Mr. Gordon, for his opening comments.
Mr. GORDON. Thank you, Madam
Chairwoman.
In 1956, Howard Aiken, a computer pioneer from
Harvard University, remarked, ''If it should ever turn out that a machine
designed for the numerical solution of differential equations coincides
with a machine intended to make bills for a department store, I regard this
as the most amazing coincidence that I've ever encountered.''
[Laughter.]
Mr. GORDON. Fortunately for us, Dr. Aiken's
assessment of probability was wrong. Forty years after his pronouncement,
he would be hard-pressed to think of an activity that doesn't include some
form of computer technology. Computers are a basic and essential element of
every aspect of our infrastructure, including the air traffic control
system, the stock market, medical diagnostics, and, yes, even department
store billing. Today's hearing highlights the integration of computer
technology into every aspect of our society.
Computer systems and networks not only
support individual companies and industries, but linked together via the
Internet, they form a global information infrastructure expanding the ways
we do business and how we view security. Before the development of this
open international information network, threats to national infrastructure
were viewed only in a physical context. In this new world, an e-mail
message or a computer virus can wreak havoc on an entire network system.
Someone can do this damage from thousands of miles away in another country,
and often with complete anonymity. We are only beginning to think about the
nature of these threats and how to protect ourselves.
I want to commend the Commission and General Marsh
for what they've accomplished. The breadth and scope of this report
produced in a remarkably short time is impressive and provides a basis for
discussion. The Commission's assessment that vulnerabilities and threats
exist in all of these critical infrastructures should serve as a wake-up
call to Congress and the public. Now our task, working with all the
stakeholders, including industry, is to develop a workable, comprehensive
plan to meet this challenge.
This is a process that will take time and will
require close collaboration between industry and government. Clearly, the
report leaves many details unaddressed and important issues remain to be
solved. I'm surprised that the Commission report said so little about
encouraging greater use of cryptology to secure the computer networks.
These computer networks are at the heart of infrastructure vulnerability.
Much work remains to be done in defining the research activities in the
proposed major R&D initiatives.
Although I realize it's easy to focus on outside
threats to the computer network, I'm disappointed also that the Commission
didn't address a cyber threat that lurks within computer systems. I'm
talking about the Year 2000 computer problem. Just last Tuesday, the
Technology Subcommittee held a hearing on how the Year 2000 problem
threatens some of the same basic infrastructures identified by the
Commission.
This hearing is the first step in the ongoing
process of education and policy development. I want to thank our witnesses
for appearing before us today, and I would look forward to working with
Chairwoman Morella on this topic.
Mrs. MORELLA. Thank you very much, Mr.
Gordon. I'm sure that they'll probably comment in their testimony with
regard to the points that you brought out that were not part of their
report.
I'm now pleased to recognize the Vice Chair of
this Technology Subcommittee, the gentleman from Minnesota, Mr.
Gutknecht.
Mr. GUTKNECHT. Thank you, Madam Chairwoman.
I'll be very brief.
Once again, you and the staff have assembled a
very distinguished panel, and I look forward to their testimony. I
especially want to thank Mr. Marsh for his service on the Critical
Infrastructure Commission, and I will speak on behalf of some of the other
members. We do apologize that there are a number of meetings going on at
the same time. It's not that we are not interested in this issue; it's just
that this is a very busy time in the Congressional session.
So, again, thank you, Madam Chairwoman, for this
hearing, and I look forward to the testimony.
Mrs. MORELLA. Mr. Gutknecht is right; we're
hoping to wind down. I hate to say when it will be, for fear that my
prognostication will be awry because of that, but we do have many, many
hearings. But we felt, this Subcommittee felt that this was so important
that, before we adjourn this first session, that it was necessary for it to
have an airing in Congress.
It is the policy of the Science Committee, and
therefore of this Subcommittee, to swear in all of our witnesses, and so I
might ask you, gentlemen, would you stand and raise your right hand?
Do you solemnly swear that the
truth—that the testimony that you're about to give is the truth and
nothing but the truth?
Mr. MARSH. I do.
Mr. STEVENSON. I do.
Mr. KATZ. I do.
Mr. DAVIDSON. I do.
Mr. NEUMANN. I do.
Mrs. MORELLA. The report will demonstrate
an affirmative response.
I'll introduce all of you at one time, one at a
time, but right away, and then ask you each if you will try to confine your
testimony as much as you can to about 5 minutes, recognizing that your
written testimony in its totality is included in the record, so that you
might want to summarize or bring out some other points that are not in your
written testimony, and then we will have an opportunity to ask
questions.
First of all, starting off with the Chairman, Mr.
Robert T. Marsh, Chairman of the President's Commission on Critical
Infrastructure Protection. Mr. Marsh is a retired four-star Air Force general who
has an extensive background as an aerospace consultant. From 1989 to 1991,
he served as the first Chairman of Thiokol Corporation.
Our next witness, Russell B. Stevenson, Jr., Esq.,
is General Counsel and Secretary of CyberCash, Inc. Before coming to
CyberCash, Mr. Stevenson was engaged in private law practice in Washington,
DC., concentrating on corporate and securities law.
Following him will be Mr. Stephen R. Katz, Chief
Information Security Officer at Citibank, where he is head of the Corporate
Information Security Office and responsible for the bank's worldwide
information security program. Mr. Katz has been associated with information
security for over 20 years.
Mr. Glenn Davidson is Executive Vice President of the
Computer and Communications Industry Association. CCIA is an association of
computer and communications firms, as represented by their senior
executives, including equipment manufacturers, software developers,
telecommunications, and online service providers, resellers, system
integrators, third-party vendors, and other related business ventures.
CCIA's member companies employ well over a half million workers and
generate annual revenues of nearly $200 billion.
Dr. Peter G. Neumann, the author of the book, is
principal scientist in the Computer Science Laboratory at SRI
International, where he has been since 1971. In 1985, he created and still
moderates the Association for Computing Machinery Forum on Risks to the
Public in the Use of Computers and Related Technology, which is one of the
most widely-read of the online computer news groups. SRI International, an
independent, nonprofit research institute, is a pioneer in the creation and
application of innovative technologies to industry and government. And I
have a book here, his latest book, Computer-Related Risks, and I appreciate
that.
And so, gentlemen, we'll now commence, then,
starting with Mr. Marsh.
TESTIMONY OF ROBERT T. MARSH, CHAIRMAN, PRESIDENT'S COMMISSION ON CRITICAL
INFRASTRUCTURE PROTECTION, WASHINGTON, DC
Mr. MARSH. Thank you, Madam Chairwoman and
members of the Subcommittee. On behalf of my fellow Commissioners, several
of whom are with me today, I'm pleased to discuss with you the work of the
Commission and summarize the principal findings——
Mrs. MORELLA. You may want to introduce
them, Mr. Marsh, or have them stand or——
Mr. MARSH. I would, please. If you'd
stand—first, Mr.——
Mr. JOYCE. William Joyce.
Mr. MARSH. Bill Joyce from the Central
Intelligence Agency, Ms. Mary Culnan from Georgetown University, Mr. Stevan
Mitchell from the Attorney General's Office, Ms. Sue Simens from the
Federal Bureau of Investigation, Mr. John Davis from the National Security
Agency, and let's see, I guess that's it.
Mrs. MORELLA. Very good, very good. Thank
you. Thank you all for being here. I appreciate the work you did and the
fact that you're here today. Thank you, Mr. Marsh.
Since you're all familiar with the background of
the Commission, and maybe you have received copies of our report, I'll try
to condense our 15-month effort into a summary of our significant findings
and recommendations.
Our most important finding is that adapting to
this challenge requires thinking differently about infrastructure
protection. We must look through the lens of information technology as we
approach the third millennium. We've long understood physical threats and
vulnerabilities, but the fast pace of technology means we are always
running to catch up in the cyber dimension. Thus, the Commission's work and
our report focus primarily on coping with the cyber threat.
We knew this could not be a big government effort.
In fact, infrastructure protection is a shared responsibility. The private
sector, which owns and operates most of the infrastructures, is responsible
for prudent business investments that will protect against individual
hackers and criminals. These steps will also assure a level of protection
against cyber terrorist attack, adding a level of national security.
The Federal Government must collect information
about tools, perpetrators, and intent, and then share this information, so
that industry can take the necessary protective measures.
And, finally, this is a long-term effort
which requires continuous improvement. There is no magic bullet
solution.
After 15 months of research, consultation,
assessment, and deliberation, the Commission concluded that waiting for
disaster is a dangerous strategy. Now is the time to act to protect our
future, and this action requires a new partnership to address the risks of
protecting our Nation's infrastructures.
The Commission's recommendations fall generally
into three categories: actions the Federal Government must take, actions
the owners and operators of the infrastructures must take, and actions that
require partnership between government and industry. We heard time and
again that the owners and operators of the infrastructures need more
information about cyber threats and they need a trusted environment where
they can freely exchange information without fear of regulation, loss of
public confidence, incurred liability, or damaged reputation.
The Commission's recommendations lay the
foundation for creating a new, collaborative environment that includes a
two-way exchange of information. Our recommendations focus on protecting
proprietary information and ensuring anonymity when necessary, easing legal
impediments to information-sharing, such as antitrust provisions and the
Freedom of Information Act, and creating information-sharing mechanisms
both within industry and between industry and government.
We recommend specific steps the government must
take to ensure owners and operators and state and local governments are
sufficiently informed and supported to accomplish their infrastructure
protection role. Examples include expanding the availability of government
risk assessments to the private sector and encouraging and assisting, if
necessary, industry to develop risk methodologies, and doubling funds
appropriated under the Nunn-Lugar-Domenici Domestic Preparedness
Program.
Educating our citizens about the emerging threats
and vulnerabilities in the cyber dimension is key to the success of all of
our initiatives. The Commission's recommendations in this area range from
grammar to graduate school and beyond. They include a series of White House
conferences, a nationwide public awareness campaign, and grants by the
National Science Foundation for graduate-level work on network
security.
The Federal Government must lead the way in
the partnership by developing and employing the tools, practices, and
policies required to conduct business in the cyber age. Some specifics
include improving government information security through best practices
and standards; formalizing information assurance as a foreign intelligence
priority, and recruiting and retraining law enforcement personnel with
cyber skills.
We examined a full range of legal issues relating
to protecting the critical infrastructures. We proposed the further review
and revision of major federal legislation relating to the critical
infrastructures and the cyber threat; an expert study group, representing a
wide range of interest groups to make recommendations for reform in the
employer-employee relationship for certain sensitive positions, and easing
legal impediments to information-sharing, such as antitrust provisions and
the Freedom of Information Act.
Federal research and development efforts are
inadequate to meet the challenge presented by emerging cyber threats. About
$250 million is spent each year on infrastructure assurance-related
R&D, of which $150 million is dedicated to information security. There
is very little research supporting a national cyber defense.
We recommend doubling federal R&D funding for
infrastructure protection to $500 million the first year with 20 percent
increases each year for the next 5 years. This funding should target areas
such as risk management, simulation and modeling, decision support, and
early warning and response.
Institutionalizing infrastructure protection
requires several channels between the public and private sectors. At the
policymaking level, we recommend an Office of National Infrastructure
Assurance located within the White House to serve as the Federal
Government's focal point for infrastructure protection.
Second, a National Infrastructure Assurance
Council comprised of selected infrastructure CEOs and Cabinet officials to
propose policy and advise the President; and an Infrastructure Assurance
Support Office to support both the Council and the national office.
At the operational level, we recommend sector
infrastructure assurance coordinators or clearinghouses as focal points
within each infrastructure to share information; federal lead agencies to
promote and assist in establishing the sector coordinators; an
Information-Sharing and Analysis Center staffed by both private industry
and government to receive and share information about infrastructure
incidents and practices, to be located in the private sector; and, finally,
a warning center designed to provide operational warning whenever possible
of an attack on the infrastructures, either physical or cyber, located
within the Federal Bureau of Investigation.
In conclusion, just as the risks are shared
between the public and private sectors, so must the solutions be. Our
national and economic security has become a shared responsibility, one that
will require a new kind of partnership between government and industry, one
which encourages information-sharing, and one which requires the government
to lead by example. And I believe the findings and conclusions of the
Commission are based on accurate and reasonable information and analyses.
Our recommendations, if implemented, will create the partnerships and the
structures essential to reducing vulnerabilities in our infrastructures.
They will provide the impetus for research and development efforts to
increase information security and provide a cyber defense system. They will
increase the Nation's ability to prepare, protect, and respond to any
threat, strategic or otherwise, directed against our infrastructures,
thereby ensuring their continued effective operation in support of our
defense, economic growth, and general well-being.
This completes my statement, Madam Chairwoman. I'd
be pleased to answer any questions you or your colleagues may have. Thank
you.
[The prepared statement and attachments of Mr.
Marsh follow:]
Mrs. MORELLA. Thank you very much, Mr.
Marsh, for your testimony and for the work that you did on the Commission.
I note that you have given us, fortunately, a lot of information in
addition to what you've mentioned orally, and a whole long list of
recommendations, and most of them that you have mentioned now. And thank
you. We'll be asking questions.
Before I turn to Mr. Stevenson, let me just
acknowledge that the Vice Chair of the Science Committee, Dr. Vern Ehlers,
has joined us, too. Thank you.
Mr. Stevenson?
TESTIMONY OF RUSSELL B. STEVENSON, JR., ESQ., GENERAL COUNSEL, CYBERCASH,
INC., RESTON, VA
Mr. STEVENSON. Thank you, Madam Chairwoman,
members of the Subcommittee. I'm pleased to have the opportunity to appear
before you this afternoon.
CyberCash is in the business of enabling secure
financial transactions on the Internet. So, for obvious reasons, we have a
deep and abiding interest in the security and stability of our electronic
infrastructure.
I'd like to make three points this afternoon.
First, public policy with respect to our infrastructure should limit
collective action to those aspects of the infrastructure in which there's
likely to be what economists call a market failure. That is, aspects in
which the aggregate behavior of individual actors acting independently
leads to a suboptimal system.
Second, it is critical that efforts to protect the
electronic infrastructure not create unintentional consequences that curb
the growth or stifle the creativity of the private sector in developing the
infrastructure which has seen such remarkable growth to date.
Third, encryption is one of the cornerstones of
security on the Internet, and nothing could threaten the security of
electronic commerce more than ill-conceived public policy on
encryption.
It is self-evident that there are strong
private incentives that work toward the security of the Internet. In a
perfect world, the combined actions of all of the users of this
infrastructure would lead to an optimal degree of security. We don't,
however, live in a perfect world. The greatest weaknesses in computer
security today are the result not of failures of technology, but of simple
human folly. People forget to put passwords on their computers; they
provide inadequate physical security, and do things that any security
consultant would say are simply stupid. A second class of potential
weakness, and one in which I would argue the government has a much greater
interest, is failure of the network itself resulting from flaws in design
or operation.
What is the proper role of government in
addressing these weaknesses? As to the first, government may well play a
constructive role in research and education on good security practices, and
I'm pleased to see that the Commission's report emphasizes this as one of
the major roles for the government in this area.
Regulation also has a narrow place in this area,
particularly with respect to sensitive institutions such as our major
financial institutions. The government should certainly use its regulatory
power over banks and other financial institutions to assure their safety
and soundness, for example.
With respect to flaws in the design or operation
of the system as a whole, there may also be a role for government. What
that role might be depends on the nature of the flaws and the steps
necessary to remedy them. While the Commission addresses this question, it
is one that deserves considerably more research, and, again, I'm pleased to
see that that's one of the Commission's recommendations.
It is also important, as we consider the role of
the government, to remember that this technology is evolving at a
revolutionary pace, and issues cannot be resolved once and for all and then
forgotten. These are issues that call for regular re-evaluation.
All thoughtful observers of government policy
know about the iron law of unintended consequences, which says that all
regulation has unintended consequences, often adverse ones. This problem is
amplified when the government is dealing with rapidly-changing
technologies. Laws move at the speed of Congress. The Internet moves at the
speed of light. Congress should keep that firmly in mind when it's
formulating policy regarding the electronic infrastructure.
And now I come to encryption. Of all the
technologies on which the security of a computer network depends,
encryption is perhaps the most important. Without it, sensitive
communications would be vulnerable to interception by terrorists, thieves,
industrial spies, warriors, and the merely curious.
U.S. policy on encryption has been both confusing
and controversial. This may be inevitable, as there are several legitimate,
but conflicting interests at stake. Unfortunately, some participants in the
controversy persist in either willful ignorance of, or deliberate refusal
to acknowledge, the importance of encryption in the security of our
electronic infrastructure. It is no small irony that the law enforcement
interests who argue so ardently for limitations on encryption seem to fail
to recognize the increased vulnerability to crime and terrorism that would
result from those limitations.
In conclusion, in considering the recommendations
of the Commission, Congress should limit the role of government to, first,
research and education, and, second, identifying and addressing those
weaknesses in the electronic infrastructure as a whole that cannot be
effectively addressed by the efforts of the private sector.
Congress should also pay particular attention to
the importance of encryption to the security of the Internet and electronic
commerce. It should not expose the electronic infrastructure to attacks by
terrorists and criminals in an ill-considered effort to provide law
enforcement agencies with tools to investigate terrorists and
criminals.
Thank you, Madam Chairwoman.
[The prepared statement and attachments of Mr.
Stevenson follow:]
Mrs. MORELLA. Thank you, Mr. Stevenson.
I now recognize Mr. Katz.
We're going to be asking you later about
encryption, so get ready for it.
STATEMENT OF STEPHEN R. KATZ, CHIEF INFORMATION SECURITY OFFICER,
CITIBANK, NEW YORK, NY
Mr. KATZ. Madam Chairwoman, members of the
Subcommittee, good afternoon. I'd like to thank you for the opportunity of
your inviting me to appear here.
I think the report that was done was an impressive
piece of work, and as I begin to address my comments and recommendations, I
would first say that the main product offered by banks is trust. We have a
trust contract with our customers, so at all times we ensure the integrity,
the confidentiality, and the availability of data, and in today's world
that is 24 hours a day, literally from anywhere in the world, and
increasingly via the Internet. And any significant compromise that would
occur at a number of—in a small number of money center and super
regional banks could pose a substantial risk to the confidence of the
financial services industry.
I would also like to take this opportunity to
correct what I think is a significant misconception. Contrary to what has
generally been reported in the media, banks must, and consistently do,
comply with the extensive regulatory requirements in reporting losses that
result from breaches in information security. Under the Bank Secrecy Act,
since then, the Financial Crimes Enforcement Network requires financial
institutions to report suspicious transactions and known or suspected
violations.
It is my assessment that banks are leaders in
implementing information security. Banks have been one of the major users
of cryptography, and were among the earliest adopters in implementing
state-of-the-art technology to identify the identity of our customers
dealing with us electronically.
The reasons for this are multiple. First and
foremost, sound business practices require that we meet our trust contract
with our customers. Second, we are highly regulated by multiple federal and
state authorities—all of which require information security and
continuity of business programs. In addition, associations like the
American Bankers Association and the New York Clearinghouse have for years
encouraged and facilitated ongoing dialog and sharing of information among
bank information security officers.
Bank products and services at this point in time
are inexorably intertwined with technology. You really can't figure out
where one begins and the other ends, and it is essential that security
become a fundamental and is a fundamental component of any product.
Therefore, I'll just very quickly touch on some of the risks and concerns
that we deal with.
For instance, technology that does damage: Global
availability, often via the Internet, provides access to a large number of
malicious code or hacker tools, Trojan horses, denial-of-service programs,
very similar to what the Senate experienced, and programs designed to steal
and corrupt data.
Then we have the internal threat. It is estimated
that the greatest exposure posed to a company is from security breaches
caused by insiders. They have availability; they have access, and they have
knowledge. While banks routinely perform drug testing and submit
fingerprints to the FBI, and conduct minimal background checks, we do not
have the mechanisms available to us to openly check the background and
employment history of current and potential employees.
In addition, concerns about liability tend to
prevent prior employers from discussing performance issues, employee
performance issues, with us. In fact, all they will provide at best are
dates of employment. This risk is further exacerbated by the lack of
information available about contractors, consultants, and outsource
vendors, where it is even more difficult to get information.
Technology: New and emerging technology often
does not have effective security. Hardware and software is often delivered
with security functionality turned off, and in fact much of the technology
is delivered with widely known default passwords turned on. As a result,
unless extreme care is taken, back doors, vulnerabilities, and unauthorized
entry points in the systems and networks can be left open.
Extremely important is intrusion detection. There
are few effective tools today that can function as real-time burglar
alarms, burglar alarms to notify us that there are problems with the system
or that somebody is trying to break in.
In terms of recommendations, the first is the need
for sound practices for information security.
Mrs. MORELLA. Since you hesitated, we have
now 15 minutes to vote, but I really think we can finish our testimony, if
we do it well. So you'll hear the bells again in another 5 minutes. If
that's amenable to you, then we'll come back and start the questioning.
Proceed.
Mr. KATZ. Okay. Do you want me to continue
then? Okay.
Last year the New York Federal Reserve Bank formed
a task force to develop information security sound practices. The task
force was under the aegis of the supervisory wing of the Fed. However, they
asked the person responsible for internal security at the New York Fed to
lead the effort. What added to his credibility is that he is a well-known
and active member of a number of banking industry and information security
organizations, and well respected in the private sector. The result that
they produced will help set the direction for information security
standards and practices within the banking sector. So I recommend that the
government charter and direct a similar effort, but please note that I am
not advocating best practices, since ''best'' is always a moving target and
creates a really false sense of confidence. I'm not advocating detailed,
across-the-board standards. What I am advocating is sound practices.
Oversight: Bank Circular 177 requires boards
of directors to have oversight over continuity of business plans. The board
should also have oversight and responsibility for information security.
Privacy and confidentiality: The banking sector,
as you know, is heavily regulated. Voluntary data recovery is routinely
performed by banks to satisfy information requests during regulatory
examinations. That, coupled with the requirement to ensure customer
privacy, mandates the need and justifies the use of unrestricted, robust
cryptography, regardless of key length and without requiring mandatory key
escrow systems.
Historically, the government has recognized the
need for security and financial networks. Consequently, export controls on
encryption products used by banks have included special exemptions. It is
essential that these exemptions not only be continued, but be broadened to
ensure that we can generally export cryptography without key escrow
recovery requirements.
Digital signatures: Numerous States have enacted
some form of electronic digital signature legislation. The laws tend to be
inconsistent and also create a tremendous amount of uncertainty. In order
for there to be secure and effective electronic commerce without the
overriding threat of forgery, banks need federal regulation to ensure
consistent treatment of electronic authentication and digital signatures
within the United States. And since e-commerce is borderless, we then need
international agreements governing standards.
Education and awareness is an area where funds
should and must be invested. A program stressing computer ethics must be
put together and reinforced at all grade levels, literally from
kindergarten through graduate school.
Partnership for information-sharing: There is a
need to establish an informal partnership between government and industry
to share information security practices and education and training
programs. There is also a need to have greater access to reliable,
up-to-date information from the government and across industry regarding
the identification of threats and liabilities.
The types of information being shared need to
be defined by experienced security practitioners from multiple sectors. In
addition, once criteria are defined, information-sharing needs to be via
specific trade organizations—for example, the American Bankers
Association—in a climate of trust, where anonymity is ensured and
liability is limited.
That concludes my testimony, Madam Chairwoman, and
I would be pleased to answer your questions.
[The prepared statement and attachments of Mr.
Katz follow:]
Mrs. MORELLA. Thank you, Mr. Katz.
We've decided it would not do justice to our
witnesses to have them try to rush through in a few minutes. So we are
going to recess for probably 15 minutes. We think we're going to have
another vote following this particular vote, and then we'll come right back
and we'll hear our last two witnesses. Does that work out for everybody?
And then we'll go through the questioning. Thank you.
[Brief Recess.]
Mrs. MORELLA. We're going to recommence or
continue with our hearing on the critical infrastructure report and its
implications, and we're going to start off with Mr. Davidson.
TESTIMONY OF GLENN DAVIDSON, EXECUTIVE VICE PRESIDENT, COMPUTER AND
COMMUNICATION INDUSTRY ASSOCIATION, WASHINGTON, DC
Mr. DAVIDSON. Thank you.
Mrs. MORELLA. Thank you, sir.
Mr. DAVIDSON. Chairwoman
Morella——
Mrs. MORELLA. Incidentally, may I say that
we've been joined by my colleague from Maryland, Roscoe Bartlett—Dr.,
Congressman, Scientist Bartlett. Thank you.
Proceed, sir.
Mr. DAVIDSON. And Congressman Bartlett,
thank you for the honor and privilege of appearing here today.
Let me say right from the start that we at CCIA
fully understand and identify with the need to guard against any attacks
capable of disabling our Nation's first-class infrastructure, systems that
are so vital to the operation of government and to our economy, and we
recognize that in today's information age such attacks can be more than
just physical; they can be also—there are dangers of techno-terrorism.
However, we have some serious concerns about the Commission's work and
recommendation which we have been following since its outset in July of
1996.
First, we fail to understand why the Commission's
work and report is shrouded in secrecy, especially when the Commission
readily admits that it has no evidence of an imminent cyber threat. The
reason I suggest this is that the National Research Council, on one hand,
can make some very important decisions concerning information security in
its report on cryptography without its work being classified. So why is the
Commission hiding behind the mantle of classified information in this
regard?
Just allow me to suggest, and the reason I raise
this, allow me to suggest that if the public generally and industry
specifically are to accept the Commission's sweeping recommendations, then
it must provide more than anecdotal evidence; it must come forward with a
threat assessment, so that it may be discussed, debated, and understood by
the public. That's the first point.
The second point is, which all the other
panelists have shared today, we don't understand why the report is so weak
on encryption. The Commission calls for the immediate and universal
implementation of various protection tools, including firewalls, password
controls, authentication mechanisms, action logs, etc., to guard against
cyber attacks, and it fails to advocate the use of the strongest available
encryption, perhaps the most effective means to individuals and companies
to secure communications and protect digital files against fraud,
white-collar crime, economic espionage, and even terrorism.
Despite its 178-page length, the report devotes
nary a page to the subject of encryption. It states that, ''The
establishment of trustworthy key management infrastructures is the only way
to enable encryption on a large scale and must include the development of
appropriate standards for interoperability on a global scale.'' Call it
what you will, key management, key recovery, or key escrow, industry will
tell you that the system just will not work on a large scale. Just ask the
National Research Council, which came to the same conclusion.
Third, the report suggests in a thinly-veiled
fashion that industry has an obligation to pay for ruggedizing our critical
infrastructures to suit the government's national security and law
enforcement objectives. We in industry have long understood the need for
information security and network reliability. In fact, providers and
operators of public switched networks have long established redundant
networks in the event of natural and even man-made catastrophes. Providers
of private switched networks do much the same, at the request or insistence
of their clients. We have also developed and utilized various security
tools, which we've mentioned before, to protect the integrity of our
solutions.
However, if our Nation's security and law
enforcement agencies desire a higher level of security and reliability of
our systems and networks than what commerce itself demands, then I believe
and our association believes that they should be the ones to pay for it.
The cost of the difference between what we provide our customers to allow
safe communications and the integrity of information and what the
government wants for national security or national defense or law
enforcement purposes should be borne by the government. CCIA believes that
requiring American industry to bear the cost of building such super-rugged
infrastructure would constitute an excessive financial burden that would
blunt the competitive edge of American industry.
Fourth and finally—and there are many
more concerns—I want to talk about sharing information. Today I was
very happy to hear from General Marsh that this is to be a two-way flow of
information, which I had not heard before. But while we at CCIA are not
opposed in principle to the sharing of such information, it's just putting
that principle into work or into practice that concerns us. If the
government purposefully or inadvertently released information about network
vulnerabilities and security breaches, clients and customers could sue
providers and operators for the damages, claiming that these firms knew
that those vulnerabilities existed and insufficient steps were taken to
prevent them. We in industry would need protection from such frivolous
lawsuits, and we are pleased to know that this report discusses that.
Furthermore, if a major foreign partner cannot be
assured of confidentiality, we really believe that they'll move to another
corporation in another country. In today's global economy, these concerns
are not hypothetical; they're real.
But one of the things that bothers us in all this
information-sharing is it recommends the modification of our Nation's
antitrust laws, so that companies would be free to share information with
each other and our government. To our knowledge, our industry is not asking
for safe harbor from our antitrust laws, with maybe the exception of
Microsoft and Intel. Allow me to suggest that if it were not for the U.S.
government's vigorous enforcement of our antitrust laws, the dynamic,
innovative, entrepreneurial, and competitive computer and communications
industry that we know and enjoy today would not exist.
I will conclude by suggesting, and go back to the
top, which is, you know, I think we should move at a slower, more reasoned
pace. Again, I was happy to hear that the General talked about this being a
long-term effort and that there is no single bullet. But let's release the
Commission's full report and allow it to be publicly discussed and debated.
If General Marsh really wants to see buy-in from all sectors, as the report
suggests, then the American people need and deserve to understand the
threat assessment, so they may appreciate and accommodate the changes and
actions that are envisioned here.
Thank you for your time, and I'm willing to
take questions.
[The prepared statement and attachments of Mr.
Davidson follow:]
Mrs. MORELLA. Thank you very much, Mr.
Davidson.
I'm now pleased to recognize Dr. Neumann.
TESTIMONY OF PETER G. NEUMANN, PRINCIPAL SCIENTIST, COMPUTER SCIENCE
LABORATORY, SRI INTERNATIONAL, MENLO PARK, CA
Mr. NEUMANN. Thank you very much. I'm
speaking as an individual, not as a member of the not-for-profit
organization to which I belong. I would like to cover a great deal of
material. I'll do the best I can. I may talk a little too rapidly for
recorders, but that's life.
I was delighted to hear Congressman Gordon mention
Howard Aiken, who was the person who got me into computers in the first
place in 1953. I'm delighted to see what it says up here on the board:
''Where there is no vision, the people perish''—from Proverbs, 29:18.
This is exactly the issue that is confronting us here today. We have to
take a relatively long look at the problem. We're not dealing just with
security or just with reliability or just with survivability of our
infrastructures. We're dealing with the integration of all of those things
into one coherent, sensible organization. And I'm not going to deal with
the specific organizations that the Commission has recommended be created; I'm
going to try to deal with the principles and the problems that need to be
addressed.
I will mention in passing that there is only a
three-page section on research and development in the Commission's report,
which I find surprising, not just because I come from a research
organization.
To illustrate this business about security
and reliability and survivability, I again go back to Congressman Gordon,
who noticed that the Year 2000 problem was not really very evident. I spent
Monday and Tuesday of this week on the General Accounting Office Executive
Council for Information Management. The first half-day was devoted
exclusively to the Year 2000 problem, and the GAO is badgering that, I
think, very nicely.
If you look at my handout, you'll see—not my
testimony, but my attachment—you'll see a long list of
calendar-related and clock-related problems, one of which is the fact that
the global positioning satellite system clock was designed in such a way
that on the 21st of August, 1999, it goes back to the 6th of January, 1980.
There was a fundamental problem. So they have a Year 2000 problem before
the Year 2000 happens.
The point there is, very simply, that if we look
at all of the systems that are being developed, they are, for the most
part, deeply flawed. We have serious problems in our system development
projects. If you look at, say, the IRS tax modernization system, the FBI
fingerprint system, the FAA's air traffic control rehosting, all of those
systems went down the tubes at the cost of billions and billions of
dollars.
We simply in this country do not know how to
procure and develop very large systems. If we cannot develop even
modest-sized systems properly—and I look at, say, operating systems
and networking software, which are riddled with security holes and crash
all the time—how can we possibly be expected to develop a key
recovery scheme that will work without any risks? And when you consider all
of the people risks, we have an even bigger problem.
Again quoting a GAO report, they looked at the IRS
and they found rampant misuse of IRS information systems, and they found
rampant misuse of law enforcement systems. If the government cannot be
expected to have employees who are above-board, how can you expect a key
recovery scheme to work without risk?
Let me touch briefly on cryptography. This is a
subject that is of great complexity. The Commission has basically thrown
in, as you said, one page. They have said that key recovery is a good
thing; it's prudent; therefore, you should do it. They did not look at any
of the risks of key recovery. They didn't even cite our National Research
Council study. They didn't cite the 11-authored report that I cite in my
written testimony. And I think I have to make a very careful distinction
between key management, on one hand, which is absolutely necessary, and key
recovery. Key recovery implies that the keys are kept around. If you ask
the NSA folks whether they're willing to share their keys with a trusted
third party, they're going to laugh you in the face. This is absolutely
absurd. So the notion of a trusted third party who might not be trustworthy
is a very, very difficult topic.
And I have to make the very careful
distinction between trustworthiness and trust. Trustworthiness means it's
worthy of trust. Trust merely means that you're stupid enough to trust it
without understanding the issues. And I suggest that when we deal with
cryptography, this is an issue where everything that appears to be true
tends not to be true, when you start scraping the surface. So I urge you to
look at all of the backup materials that the Commission has not really
sought to mention. Perhaps it's there somewhere in their backup materials
that I haven't seen, as I presume the research and development material
will appear eventually in some form or another.
But I think the important thing here is that, even
though somebody will show you a demo of a key recovery system, that is not
a demonstration that there are no risks involved, and if you can't trust
the computer systems and you can't trust the communications, and you can't
trust the implementations of the cryptography that are in the operating
systems developed by the folks who are producing the commercial systems on
which the entire Nation depends, and if you can't trust all of the people,
we have a situation which is essentially intractable. And I think you
really have to look at those risks in great detail.
With regard to the question of preparedness, are
all of the risks that one might worry about real? If you look at, again,
the handout material that I've included, you'll see a list of thousands of
cases of things where things didn't work the way they were supposed to. And
the real paradox—do I get another 30 seconds or is that it?—the
real paradox is that if you are really prepared, then nothing bad is likely
to happen. If you're not really prepared, you never know whether something
colossally bad is happening.
And as was indicated at the very beginning,
simultaneous, systematic coordinated attacks on the entire national
infrastructure are possible. If they occurred at a strategically-opportune
moment in combination with something else, they could be devastating to the
Nation.
I will stop at this point and hope that
you'll ask some questions that will allow me to talk a little more. Thank
you.
[The prepared statement and attachments of Mr.
Neumann follow:]
Mrs. MORELLA. I thank you very much.
We really could have questions that could take
another 2 hours and still have more questions. I'm going to start off with
General Marsh, and I'm going to then allow any of you to respond to any of
the questions, and then give Mr. Bartlett an opportunity to ask questions,
and we'll do it all within 10 minutes.
The Commission's definition of national
security-related infrastructures seems to include just about everything.
The report also indicates that the private sector should take a lead in
securing these systems. I wonder, General Marsh, do you feel that there's a
conflict between the designation of infrastructures as national
security-related and retaining civilian control of security for these
infrastructures?
Mr. MARSH. Madam Chairwoman, it appears as
a conflict, but I think it brings to light the fundamental challenge that
this Nation's facing as we go forward, and that is that we're entering an
era where we no longer have the peaceable neighbors and the great oceans on
all sides to protect our critical infrastructures. We're approaching an era
where they now may be the front lines of defense of our very society, and
be important targets for anyone who would do us serious harm. The tools
with which to do that harm are readily available; the knowledge is
readily available; the vulnerabilities exist. All it takes is the intent to
do harm, and therefore, it becomes a national security problem as well as
an economic security and a society well-being problem.
Mrs. MORELLA. Let me also ask you about how
you think that the safeguards that you have enumerated and which are in the
written testimony, as well as in the report—I guess one of the
concerns I've sensed, that others have asked, too, and I was concerned
about, is: How would these safeguards be funded?
Mr. MARSH. In the main, the safeguards
that will protect against commonplace threats—that is, hackers,
criminals, thieves—if those safeguards are put into place in the
cyber arena, if they're put into place and rigorously enforced, they'll
give protection against a wide range of threats, all the way up to the
terrorist threat. In other words, the tools are the same, whether they be
employed by the recreational hacker or the information warrior. And so it's
our expectation that if the private sector becomes better aware and if the
government does a better job of making the private sector aware of the
tools or weapons, if you will, that are available to those that would do
harm, we believe the private sector in its own interest will undertake to
protect itself against those tools.
Mrs. MORELLA. Would any of the rest of you
like to comment, particularly on the private sector aspect of it? Yes?
Thank you, Mr. Davidson.
Mr. DAVIDSON. Yes, thank you. The
underlying premise of this report is probably the most bothersome for me
because in the foreword the report says national defense is no longer the
exclusive preserve of the government. And for me, I have to ask, since
when? I always thought the Nation's defense, the Nation's security, was the
preserve of government exclusively and we were to provide a vibrant
economy.
Later the report goes on to say that shared
threats demand a shared response from increased partnership between
government and the owners and operators of our infrastructure. For me,
shared response is a code word for you, too, are going to pay.
The point I wanted to make early on is we are more
than happy to learn about other tools or techniques that we can employ to
make sure that our infrastructures are protected. However, anything beyond
what we need to do for commerce I think needs to be paid for by the
government. Otherwise, it puts us at a competitive disadvantage in
providing those kinds of things worldwide.
Mrs. MORELLA. Does Citibank feel the same
way?
Mr. KATZ. I think the answer is
probably mixed. Every tool for security that General Marsh has mentioned,
and that we're aware of, is incorporated within the bank as we can to
ensure commerce. So it is a mixed blend, but if there is a way to improve
security within the bank, we'll certainly do it, and that is very much part
of our fundamental behavior.
Mrs. MORELLA. Does CyberCash feel the same
way?
Mr. STEVENSON. I think one needs to draw a
broad distinction here between Citibank's or CyberCash's protection of
itself against threats, where, as I've said in my testimony the government
can best help us, if at all, by encouraging research and education, so that
we can be constantly up to date on the latest security tools.
If there are threats to the infrastructure as a
whole, which is a very different problem, it may be that little old
CyberCash or even great big Citibank can't, acting by ourselves, or even in
conjunction with industry groups, solve those infrastructure threats, truly
infrastructure threats. I am not an expert in network security or
infrastructure stability. Those are technical issues that I'm not confident
to comment on. However, I do think that if the work of the Commission will
lead to more attention to that issue, then perhaps that is a collective
problem, and that does require some sort of shared response.
Mrs. MORELLA. Mr. Neumann, you wanted to
mention——
Mr. NEUMANN. Thank you. I would add several
things. One is that the National Research Council report makes a very
explicit case that when you talk about national security, it is not just
the defense of the Nation in the military sense. It is the survival of the
infrastructure. That was a point we made very strongly, and I believe
it.
The problem here is that the industry is not doing
the job by itself. Our security systems are riddled with security flaws.
Our reliability is bad. The survivability of the telecommunications systems
and the power systems is bad. We had the AT&T collapse of 1990, where
long distance was out for half a day, and we had the most recent case where
the western States, 12 States, had major power outages on July 2.
Basically, the industry is waiting for the
government to do something, and the government is waiting for the industry
to do something, and until we get to the point where there is a general
realization that we are seriously at risk, I don't think we're going to get
off this standoff.
The fundamental question is: Can the risks be
eliminated? And if you look at the background that I've provided in my
handout materials, you will see that the history says there are
vulnerabilities in everything we deal with, and we are very slow to avoid
those. So we do need to do something.
Mrs. MORELLA. I would be very interested at
some point, and maybe during the interim, for the Commission and for those
of you who are here testifying, give us the list of what you think needs
legislative remedy in some way, and maybe we can work on it, massage it,
maybe come up with something; maybe it could be done administratively.
I know that I want Mr. Bartlett to have a chance
to ask questions. There are just two other points that I'll have an
opportunity to perhaps pose with you, and that is, again, why the omission
of the Year 2000 computer glitch? I mean, maybe it was just simply taken
for granted. Second, the concept of encryption, and before I get to that,
I'm asking, General Marsh, why don't you come out on record and support the
Computer Security Enhancement Act, which is, I think, H.R. 1903? It's a
pretty good bill, isn't it?
[Laughter.]
Mr. MARSH. Yes, Madam Chairwoman, it's a
pretty good bill.
On the Year 2000 problem, we concluded early on
that's a major problem and challenge facing the Nation and all companies,
and so on. We felt there was very little value that we could add to that.
It was being worked very, very hard. We added what we hoped was one small
element of value, and that is that in the rush to cope with the Year 2000
problem, some companies are exposing their critical information to firms,
and even to overseas organizations, to help them, and in the process they
may make themselves more vulnerable to malicious acts, and we flag that
caution.
Mrs. MORELLA. It's a liability. I
mean, there are just so many implications of not resolving this, but nobody
seems to understand it. Everybody's eyes glaze over, blinders on. We've all
got to do something about it.
Anyone else want to comment briefly on it?
[No response.]
How about encryption? That's critically important.
Did you want—did you hope to have more time to get into encryption in
the——
Mr. MARSH. No, ma'am.
[Laughter.]
Mr. NEUMANN. It's a hot potato. May I state
briefly there's absolutely no question that good, solid encryption is
essential to the critical infrastructure protection problem, and especially
for the critical control functions that are associated with the critical
infrastructures. There has to be, in our judgment, key recovery means.
That's essential for both the public and the private sectors and for very
good, sound business reasons. Our conclusion was that the government ought
to really get serious about a pilot undertaking of encryption systems,
especially one that involves providing a public service, and we believe
that such an undertaking could, in fact, uncover the problems and the
difficulties of developing and instituting a key management infrastructure.
And we believe the only way to put the debate to rest is to move out and
try and construct such a program.
Mrs. MORELLA. What I'm going to do is I'm
going to—we're going to both go to vote. We decided that we were
going to come back, if you can be patient. Can you? And we'll pick up on
the encryption, so that both of us will have another round of questioning.
Great. Thanks.
[Brief Recess.]
Mrs. MORELLA. Do you know what my staff
said to me, General Marsh? They said, ''You didn't get such strong support
for that bill.'' So how about giving us some response to that?
[Laughter.]
Mr. MARSH. We support it stronger, then.
[Laughter.]
Mrs. MORELLA. Thank you. Thank you very
much.
We were talking about encryption, and I think that
now that we voted—the third time never fails. So that we'll be able
to continue, usually they say, in a seamless fashion.
And so back to the encryption. I think, Mr.
Davidson, you were speaking on it, weren't you? You were going to try
to.
Mr. DAVIDSON. Yes, as a matter of fact, I
think all the panelists ended up talking about encryption to some degree. I
mean, I think the bottom line is we don't believe—and we've stated
this in testimony before other committees as well—that a key
management, key escrow, or even key recovery systems are not going to work
for a number of different reasons. And one includes—is that
internationally it's not being adopted. In fact, this Administration tried
to promote that agenda for key management overseas before the OECD, and the
OECD rejected it, which means that basically we're providing a market for
foreign corporations' products that we're not fulfilling. So we're losing
jobs; we're losing opportunities.
So the bottom line is, for key management—I
mean, that's one of the reasons; a second reason is, obviously, people
don't want information over the Internet or over networks that they don't
think is secure, that other people have access to. So for a number of
different reasons, we just don't think—and the National Research
Council, obviously, supports this and said—we didn't think it was
going to work.
Mrs. MORELLA. Thank you. I know that Mr.
Neumann, in his testimony, spent some time talking about key recovery and
encryption. Would you like to elaborate at all on that, Mr. Neumann?
Mr. NEUMANN. Oh, this is a very, very
long and arduous discussion.
Mrs. MORELLA. Yes.
Mr. NEUMANN. We spent 2 years on the NRC
study with clearances, with access to things that apparently nobody had
ever seen before, and came to the conclusion that the classified—it
was not necessary to make the arguments that we were making with any
reference to classified arguments, and that's already been pointed out
here. But I think it's a very fundamental conclusion.
On the other hand, you've got to look at all of
the details. ''The devil is in the details,'' is the characteristic
statement. And if you look at the vulnerabilities that have existed and
that continue to exist in computer operating systems and computer
networking, basically, you need wonderful, unsubvertible cryptography in
order to build a secure infrastructure, but you need a secure
infrastructure to be able to have that in the first place. So there's a
cyclic loop here of you have to—if we had ham, we could have ham and
eggs, if we had eggs—is sort of the cyclic loop.
You need an infrastructure. It's not a question,
again, whether it can be built. It's clear that key management
infrastructures can be built. The question is: Can key recovery schemes be
built in such a way that there are only risks that can be considered as
reasonable? And if, in fact, you have fundamental flaws in the computer
infrastructure, that is very unlikely.
Mrs. MORELLA. I have this book here. Did
you read it all?
[Laughter.]
Mrs. MORELLA. This is the one that he
mentioned, the National Research Council study. There is a bill that has
been going through multi-committees called the SAFE bill on encryption; I
think it's H.R. 695. Anybody want to briefly mention whether you think it's
good, bad, indifferent? No opinion on it? Do you think you'd like
to—Mr. Stevenson?
Mr. STEVENSON. Before I talk about the
SAFE bill, I'd just like to make one observation about the statement of the
report on Key Management and Infrastructure. The report says in a message
which Mr. Davidson has already quoted, ''establishment of trustworthy key
management infrastructures is the only way to enable encryption on a large
scale.''
One of the problems in this discussion is that the
terminology is very slippery, and terms like ''key management
infrastructure,'' ''key escrow,'' ''key recovery,'' and so forth, mean
different things to different people, and so I'm not quite sure how the
Commission was intending to use key management infrastructure, but taken in
context, it seems to me to have a rather broad meaning. And I can report,
from the point of view of one company, that we use encryption in our
systems, and we don't have a key management infrastructure in that sense,
in the broader sense, and our systems work, as far as I know, pretty well.
And they are on their way to being truly global. We operate a system in the
United States today that is going to interconnect eventually with systems
throughout most of the world, we hope, and those systems won't need to be
modified to create some sort of a massive key management infrastructure in
the larger sense.
As to the SAFE bill, I think it depends on what
version of the SAFE bill we are talking about. It has, as you're well
aware, been the victim of a number of terrorist attacks.
[Laughter.]
Mr. STEVENSON. The original bill looked
pretty good to us, and we would simply encourage you to protect it against
any future terrorist attacks.
Mrs. MORELLA. Yes, sir, Mr. Katz?
Mr. KATZ. Let me say I completely agree
with Mr. Stevenson about the first version of the SAFE bill. It had a lot
to offer. I think what is essential for electronic commerce, essential for
electronic banking, is the export of robust cryptography. I think we really
have to differentiate between key recovery and data recovery, and we tend
to get the two confused.
At least in the banking sector, when the
examiners come in and they ask us to produce data that's a portion of their
exam, they never quite ask us whether it has been stored encrypted or
whether it's been stored in someone's desk drawer, whether it's been stored
in offsite storage. The data has to be produced in a reasonable amount of
time, regardless of whether or not it had been in an encrypted state. I
think if we begin to focus on data recovery and appropriate orders to
recover data, when needed, we might well clarify the situation and not get
hung up on this whole key recovery process, which I agree with Dr. Neumann
that while it is theoretically possible, it is at a practical level almost
inconceivable.
Mrs. MORELLA. Yes, any other comments on
it?
Mr. NEUMANN. Yes, I have one further
question——
Mrs. MORELLA. Mr. Neumann.
Mr. NEUMANN. One further comment. The
ultimate issue here is one of surreptitious access in which the corporation
or the individual would not know that the information was being gained,
similar to a wire tap. If you look at the pending legislation, the
Kerrey-McCain bill, as proposed, doesn't require a federal judge to issue a
warrant; it's sufficient to issue a subpoena, which is tantamount to saying
that there is no security at all, if I may carry that to the extreme.
The second point is that Judge Freeh himself
has—Director Freeh—has admitted that there is no real business
model for key recovery in communications from one system to another, not
e-mail, but just network traffic. And he said that because there is no
business model for that, he doesn't think that industry will ever get
around to doing it, unless it becomes mandatory, and he said that he would
like to outlaw all crypto unless it contains key recovery that gives the
Justice Department or the FBI access to the keys.
Now, again, the distinction between the data
access and the key access is important, because access to keys, if you are
in fact getting access to a master key or a certificate key, you have
access to vastly more than you should be able to have access to. And this
is a very, very fundamental, somewhat subtle distinction that needs to be
made.
Mrs. MORELLA. I guess you didn't
comment, General Marsh, because you are subscribing to the Administration's
policy?
Mr. MARSH. Yes, Madam Chairwoman.
Mrs. MORELLA. Mr. Stevenson, did you want
to comment, sir?
Mr. STEVENSON. No, I have no further
comment.
Mrs. MORELLA. Oh, sorry, Mr. Davidson, I
didn't give you a chance.
Mr. DAVIDSON. I will—suffice it to
say that CCIA fully supports the SAFE bill, the Goodlatte-Lofgren bill, as
originally drafted, and seeks, obviously, its passage. And we would also
support the Computer Security Enhancement Act and regret the fact that
section 7 was removed, which we thought would have been a very important
enhancement.
Mrs. MORELLA. We do, too. Thank you. Thank
you.
I'm now pleased to turn to Congressman Bartlett.
Oh, and we've been joined by Mr. McHale from Pennsylvania.
Mr. BARTLETT. Thank you very much. Madam
Chairwoman, thank you very much for calling this meeting. As our
infrastructure becomes more and more dependent on the role of computers,
it's more and more appropriate that we look at the vulnerability of our
infrastructure relative to the role of computers in the infrastructure.
I'd like to spend just a few moments talking about
something that is maybe a long shot in terms of threat, but I note that
we're spending several billion dollars on national missile defense. We
spent a lot of billions of dollars in the past. This is against a long shot
pretty much, too; that is, that there's going to be a missile attack on
this country, but we still, because that would be so devastating, we're
spending some money on trying to ameliorate the consequences of that.
I don't lay awake nights worrying about whether my
house is going to burn or not. There's a pretty low probability that it
will burn, but I don't worry about it, and that's probably because I have a
fire insurance policy on my home.
What I want to talk about for a few
moments—and I've had the privilege of talking with General Marsh
about this—is EMP, electromagnetic pulse. This is an unavoidable
consequence of a nuclear explosion. If the explosion occurs at high
altitude in a single explosion over Nebraska, it would at the margins of
our country—at about 500 kilometers—it would at the margins of
our country produce 10 kilovolts per meter of power, of pulse, which, it's
my understanding, is adequate to fry, I guess is the right word,
essentially all microelectronics. This is potentially the ultimate
terrorist weapon, and it's not that this phenomenon is unknown. It was an
important part of a scenario in America—you remember, the TV
mini-series several years ago. It's a sequence in one of Tom Clancy's
books, and I understand that it's a major scenario in a soon-to-be-released
movie, EMP.
Your automobile will stop. It will not start
again. Essentially, every computer in the country will be fried. I am told
that spare parts on a warehouse shelf may also be fried, so they won't be
available. There will be no power grid in the country. There will be no
communications grid in the country, and fiber optics is not much help
because we have switching stations, and so forth, and there are
microelectronics involved there.
Now I know that the probability of this happening
is nowhere as great as the probability that some hacker is going to get in
there and try to wreak havoc with your computer, but this is not a zero
possibility, or we wouldn't be spending billions of dollars on national
missile defense. I will tell you that any sophisticated enemy, if he has but
one bomb, that's where he will detonate it. It does not harm one single
person; it does not harm one single building, but it totally shuts down the
infrastructure in our country. The consequences of this are so devastating
that I think that we really must look at this.
I know that the President's Commission on Critical
Infrastructure Protection looked at this, decided that it was a low
probability. So they weren't going to look at it anymore, but it's not a
zero probability. If it were a zero probability, we shouldn't be spending
billions of dollars on national missile defense. It is a real possibility.
And since the consequence of this would be totally devastating, we really
need to look at that.
I'm told that the problem is too big; that,
therefore, the simplest way to address it is just to ignore it. That's not
a responsible response to this problem. And I'm wondering if any of you
have looked at the consequences of EMP. And, by the way, it takes only a
tramp steamer and one scud missile and one nuclear weapon, and they can
shut down essentially all of the East Coast. If they do another one off the
West Coast, they shut down all of the West Coast—with facilities no
more complicated than a scud missile and a crude nuclear device.
Mr. NEUMANN. You're probably getting into
things that the U.S. government would not like you to talk about in open
session. However——
Mr. BARTLETT. But this was in The New York
Times.
Mr. NEUMANN. Yes, I understand. This is the
old question of secrecy. You know, you have something that's a very serious
risk, so you classify it, so that nobody realizes how bad it is. This is a
serious problem, but let me suggest to you that there are others that are
much easier to perpetrate.
For example, bringing down the telecommunications,
power, water infrastructures—you've read Clancy's ''Executive
Orders;'' you saw a wonderful threat in there that was rather devastating,
short-lived, but it could have been protracted. The point, very simply,
again is that the electronic terrorism can be carried out remotely,
anonymously, with very little detection in some cases. Trojan horses could
be planted in, for example, all of the telecommunications systems in the
country, and all triggered to go off on December 31, 1999, just to enhance
the fact that there's already a Y2K problem. And if that were to happen, I
suspect we would take a very long time to recover from it.
There are people who suggest actually shutting
down the government for a week or two around that period; that nobody
should fly; nobody should have money in banks, and so on. But I think such
an attack would be quite devastating. And the point is that it takes much
less effort than your EMP attack.
I might also mention EMI attacks,
electromagnetic interference. In my book and in the handout, you'll see a
large number of strange cases that go way back to when the Sputnik
satellite went overhead; every time it went by, garage doors opened and
closed because they happened to be on the same frequency, and there was no
encryption used. There was no coding. Just signals at random were causing
garage doors to open and close.
If you start thinking about the EMI effects, as
you will see in my handout, there's an enormous number of those. Now those
are also just one more type of attack that one could consider. But I
suggest that the one that you have gotten is probably the least likely,
simply because it is so difficult to mount. But the warning is, when you
deal with very low probability events, you are in real trouble because it's
the lowest probability of events that tend to get forgotten completely or
assumed that can never happen, and therefore, there's no defense against
them. And, therefore, they really become the riskiest of all.
Mr. BARTLETT. I think you're absolutely
right; if a potential enemy knows that we have no protection against
something like that, they're more likely to use that. And by the way, any
potential enemy is going to begin their attack with an EMP laydown, simply
because even if you have planned for it, it can be quite devastating. If
you haven't planned for it, it could be absolutely catastrophic. So if you
have only two bombs—the first one is a high-level burst that produces
an EMP laydown, then I'm wondering—this is a problem bigger than the
U.S. government. You know, you are talking about a partnership and what is
the role of the private sector. This is a problem bigger than the Federal
Government can handle.
In our military even, we do not want to be
decapitated, and so we, I think, are reasonably sure that we won't be
decapitated. But using that analogy, I'm wondering what good you will be if
you still have a brain, but no arms and legs after the attack. And I'm not
sure how much of the arms and the legs will remain in our military after
this attack. I know this is not something that you've spent a great deal of
time thinking about, but we shouldn't be spending billions of dollars on
the national missile defense, and we are, and we have, if there is no
probability this will occur. So if we're spending that kind of money there,
we at least need to spend some time and money thinking about our national
infrastructure and how we would recover.
And, by the way, I need to remind you of
something you've probably read about; Yamantau Mountain, does that mean
anything to you? Apparently, at least one of our potential enemies—the
Russians—believe that an ultimate nuclear exchange is not only
possible, but inevitable and survivable. They are building there at
enormous cost—at enormous cost—the largest, most nuclear-secure
facility in all of the world. And so, you know, this now, I think, kind of
ups the possibility that something like this may happen in the future.
So I guess that my challenge would be to
collectively think, what can we do, what should we do to make us less
vulnerable to this eventuality?
Mr. NEUMANN. I couldn't agree more, and I
want to point out Stansfield Turner's new book, which brings to light
something that I hadn't seen in print before, which was a very close miss.
We came very close to a nuclear retaliation because the computer systems
had in fact identified thousands of incoming missiles. That's documented in
his book, and it's an extraordinary case. Would there have been—He
mentions in the book there have been thousands of cases in which we've had
close calls, but this one was extraordinarily close. It came within a
second or two of Zbigniew Brzezinski waking up President Carter and
initiating the retaliation sequence, because a computer error had falsely
detected incoming missiles.
Mr. BARTLETT. There have been more recent
ones. There was a scientific rocket from Norway that was——
Mr. NEUMANN. Yes.
Mr. BARTLETT (continuing).
—mistakenly identified by the computer as a rocket launch from our
country against Russia. They went so far as to bring out the black box.
They were just minutes away from launch. This is the kind of thing that is
now becoming public, and thank you very much for bringing this to our
awareness.
Well, thank you all very much, and I know it's not a
problem we'll solve around the table today, but it's one I think we need to
address then. And thank you.
Mrs. MORELLA. Thank you, Mr.
Bartlett.
I'll now recognize Mr. Gordon, the Ranking
Member.
Mr. GORDON. As one of the panelists
mentioned earlier, the laws pass at the speed of Congress, and that being
the case, I'd like to just ask each member of the panel what they think are
the one or two most significant, I guess, problems that Congress should act
upon. Some of the problems we can't do anything about, but what are those
things that we can and should get started on immediately? General Marsh,
you might start.
Mr. MARSH. Thank you, Congressman
Gordon.
We have two categories of legislation that need to
be addressed. One is the enabling legislation that will enable the
recommendations that we've made with respect to the national structure that
we're recommending; that is, the Information-Sharing and Analysis Center, a
joint public/private venture which is very unusual, unique, as far as we
know; the establishment of the Council that we've recommended; the
establishment of the support office. So there's enabling legislation that
will be required to establish those structures that we've recommended, and
that's one category of legislation. And I don't know what recommendations
the President will accept, but if he accepts some of those and decides to
move ahead with establishing those structures, then the enabling
legislation will, I presume, be requested.
There's another category, and they include such
acts as the Stafford Act, the War Production Act—I'm trying to think;
there's another act—that bear directly on infrastructure protection
in one way or another, but do not incorporate or do not include today cyber
provisions; that is, they do not—the Stafford Act which enables FEMA's
actions, as you know, for recovery, etc., does not talk about a disabling
infrastructure attack. And it's understandable why they do not, because in
general terms those are the private sector—it's a private sector
recovery problem. But the act does not address how to enable, how to assist
the private sector, from a major disruption of an infrastructure. So those
acts need to be addressed.
And then we do, in fact, have some
recommendations with respect to some law enforcement, or you might call
them deterrent pieces of legislation. The sentencing guidelines, for
example, we're recommending that they, in fact, take into account the
consequences of cyber crime more than they do today. Most cyber crime is
viewed as a misdemeanor today without taking into account the financial
loss suffered by the destruction of the hard disk, etc., etc. And so we
have some pieces of legislation—all of that is laid out rather
carefully in our report, and we have a more detailed report that calls it
out even with more specificity.
Mr. GORDON. Mr. Stevenson, also, maybe just
take what you think is the No. 1 threat that deserves some kind of
Congressional action, where Congressional action can be
helpful——
Mr. STEVENSON. Can I have two?
[Laughter.]
Mr. GORDON. You can do two. You can do two,
half the time on each.
Mr. STEVENSON. I do think, as I said in my
testimony, that there is a role for the Federal Government here. I haven't
had a year, as General Marsh has had, but a day instead to think through
what the bureaucratic infrastructure might look like, and so I don't want
to endorse the recommendations of the Commission in that respect, but I do
think that some action to promote a dialog between the government and the
private sector, directed at dealing with some of the infrastructure
problems that the Commission has addressed, is in order.
And the second thing I would encourage Congress to
do is to address the encryption issue and lay it to rest once and for
all.
Mr. GORDON. Okay, thank you.
Mr. NEUMANN. No. Impossible.
[Laughter.]
Mr. GORDON. Does anybody else want to
add anything? Okay, go right ahead.
Mr. KATZ. Again, two: First, support the
SAFE bill, as originally written; get that out, and hopefully, begin to
resolve the encryption issue.
And, second, I think there's a significant need
for federal electronic authentication legislation. And if I could throw in
one small commercial, we really need, perhaps under the Federal Government,
a very intense public education program, literally beginning from
kindergarten.
We were at one meeting that's, I guess, to provide
input into the Commission, and one of the presenters at the meeting talked
about how his 6-year-old hacked into his mother's account on the computer
at home because he was given a password in school, and he thought he'd
figure out what his mother did.
There is a total lack of ethics, and that has to
be brought up and dealt with.
Mrs. MORELLA. Would the gentleman yield for
a moment?
Mr. GORDON. Sure.
Mrs. MORELLA. I just wanted you to
elaborate; what kind of education are you dealing with when you're dealing
with kindergarten. I mean, I know we've done some grants in our
legislation, the computer security one, to allow for computer security to
be studied, and whatever, but beyond watching what your kid is doing on the
computer, what are you talking about?
Mr. KATZ. One of the things—when you
go to—talking about kindergarten, my grandchildren are there; they're
told you don't take somebody else's coat; you don't take something out of
somebody's locker; you don't break into somebody else's account. They just
begin that way.
Mrs. MORELLA. Value education,
exactly. I remember once seeing a book of values in a bookstore, and I
looked at it, and it was a list of outlet stores.
[Laughter.]
Thank you very much. I yield back.
Mr. DAVIDSON. Congressman Gordon, again, I
would agree with Mr. Katz that I think where Congress could be the greatest
help is in funding a public awareness campaign, so that in fact if the
Commission would come forward with their threat assessment, so that we
understood why they were making these sweeping recommendations, that would
be helpful, as well as for R&D, because I think the Commission, which
is, as deregulation occurs in telecommunications, generally, it means less
money for R&D across the board. It's a very competitive industry. We
put as much money as we possibly can in to be able to sell product and
service and stay ahead of the curve. As you know, the product cycle in the
computer industry is anywhere from 3 to 6 months these days, a little bit
longer for telecommunications. So that would probably be the biggest
help.
Second would be, of course, passage of the SAFE
bill in its original form, because we need to get beyond the encryption
debate. The one caveat I'd like to make here is that I really don't believe
at this point in time that some of the other changes to laws that are
envisioned by the Commission are necessary, and I pointed out in my
testimony the antitrust laws which we would caution against changing.
And there's also one reference on page 98 of the
report which calls for sponsoring legislative activities leading to a
finding that certain critical infrastructures are instrumentalities of
interstate commerce. To me, that means regulation of the Internet and World
Wide Web, and that is something, obviously, we do not support.
Mr. NEUMANN. Each of us sees this question
in his own image. I was once on a panel with the National Space Symposium.
The question was: How should NASA be spending its money? Edward Teller
said, ''We need smart weapons—smart satellites in space, so we can
keep track of what's going on.'' Buzz Aldrin said, ''We need colonies on
Mars and the Moon, so we can get to the outer planets.'' Hans Mark said,
''The Cold War is not over and we need Star Wars.'' General Kelly, who is
the head of the Air Force Academy, said, ''Well, all of this is sort of
useless if we don't have education.''
[The following clarification was received for
the record:]
And I was the tail wagging the dog on that panel,
and I'll do what I do now, which is to say, that absolutely fundamental is
research. And I would say that the problem here is that much of the
research that we're funding is not necessarily headed toward solving this
particular problem. There's a lot of research that is tangential or
interesting, but I think a very focused research effort needs to be
conducted here, not just necessarily a billion dollars by 2004.
But that money into projects that have a serious
chance of helping the security, survivability and reliability of the
infrastructure. My colleague, Tony Barnes, is here from the Army Research
Lab, and his is probably the only lab in the world that has the word
''survivability'' in its title. His efforts at the moment, which I'm
working on with him, are explicitly looking at the problem of how can you
build systems that are demonstrably reliable, secure, safe, and survivable,
despite the fact that the components are not trustworthy, and the people
are not trustworthy?
Mr. GORDON. Okay, thank you. I don't want
to impose on anybody else's time. Thank you.
Mrs. MORELLA. Thank you, Mr. Gordon. I'd
like to recognize Mr. McHale.
Mr. MCHALE. Thank you, Madam
Chairwoman.
I arrived about a half-hour ago, and I've been
listening to the testimony ever since. I don't know if it struck others,
but the breadth and scope of this hearing in the last 20 minutes has been
astonishing. We've gone from what my friend Roscoe Bartlett
described—I realize he was quoting others—as the inevitability
of an all-out nuclear exchange to the security risks arising out of a
6-year-old hacker.
[Laughter.]
That's a range of security in terms of our
infrastructure that is breathtaking in its complexity and in its
philosophical dimensions.
During the period of time that I have been here,
there have been references sometimes in terms of terrorist attacks and
sometimes the rhetoric was a little more restrained in terms of the changes
in the original SAFE bill and how it evolved to a less appropriate forum.
If you covered this before I got here, there's no need to please me and go
back into it again, but let me simply ask all the members of the panel:
Could you describe briefly the worst changes that were made in the bill in
terms of its evolution through the process? Since I've been here, you've
called repeatedly for the passage of the bill in its original form. What
mistakes have occurred in the intervening period of time? General
Marsh?
Mr. MARSH. Sir, I'm not well-informed on
that, nor have I been tracking it carefully.
Mr. MCHALE. Okay.
Mr. STEVENSON. I'm afraid I haven't tracked
it closely enough to know exactly where it is in the current status in the
legislative process. What I was referring to when I referred to a terrorist
attack was the efforts to turn the bill upside-down and take it from a bill
which strengthened encryption and encouraged its use to a bill which would
have effectively gutted the possibility of using encryption for financial
purposes, which is what I'm particularly concerned about, or for Internet
security generally.
Mr. MCHALE. Well, I'm getting
to—those are outcomes. What I'm asking is, what produced a change in
the bill that turned it on its head? What specific changes in the language
of the bill changed it from what I gather the consensus would appear to be,
a pretty good piece of legislation, to one that you don't particularly care
for?
Mr. STEVENSON. Well, the Oxley-Manton
amendment, which is what I was referring to, would have turned it from a
bill which allowed the export of encryption software to a bill that would
have required a key—an ill-defined key escrow or key management or
public key infrastructure system that would have put trapdoors in it for
use domestically, which is certainly not the law today, and I think that
would have gone from a bill that would have had salutary effects for system
security and the stability and usability of the electronic infrastructure
to a bill that would have created gaping holes in security.
Mr. MCHALE. As you're speaking, I'm
watching several heads go up and down. Unfortunately, the record doesn't
record that. Let me simply say, is that the principal change in the bill to
which the rest of you were objecting as well?
Mr. DAVIDSON. Yes.
Mr. KATZ. Yes.
Mr. NEUMANN. Well, Oxley-Manton did not
survive actually. On the other hand, there is a fundamental conflict
between the Goodlatte-Lofgren bill, SAFE, and the Senate bills. And I think
there is serious concern on the part of the privacy community and the
business community and the banking community and the encryption ethic
people that if in fact the Senate passes a Draconian bill that looks sort
of like McCain-Kerrey or something of that nature, that gives law
enforcement essentially unrestricted rights without any understanding of
the risks of what could happen, then a conference committee might well do
something rather horrible to this legislation.
So I think the issue in the House is that it is
still unclear to me what legislation is likely to be considered, and it's
even more unclear in the Senate. So I think we need to have a discussion
offline in detail as to what the situation is.
Mr. MCHALE. All right, thank you.
My final question is for General Marsh, and that
is, the Commission recommends doubling the federal R&D budget related
to information security for Fiscal Year 1999, and then doubling it again,
as I understand it, over the next 5 years. And so my final question to you,
General Marsh, would be: How did the Commission arrive at the size of the
R&D initiative required? And then as a kind of corollary to that, what
is the rationale for a factor of four increase in the federal research
effort over that 6-year period of time?
Mr. MARSH. Yes, sir. We conducted a very
intensive study of what research and development is being undertaken by all
agencies of the government now. Incidentally, this was done with the
cooperation of Argonne National Labs, the Institute of Defense Analysis,
the National Research Council, Sandia Laboratories—and I can't think
of one other organization—NSA, the National Security Agency.
We tried to understand two things: what
research and development is being undertaken across the government that
bears on infrastructure protection, and further, what is being undertaken
by the private sector. That was more difficult to, as you can imagine, to
get our arms around, but we made an estimate of that.
And then we also surveyed both the private sector
and the public sector as to, what do you think needs to be done by way of
the full range of tools? We discussed modeling and simulation. We
discussed, obviously, the real-time detection capabilities, anomaly
detectors, correlation tools to correlate disturbances here with
disturbances there—the full range—actual isolation tools, such
that if you know you're under attack, how do you isolate certain sensitive
components, and on and on.
So we have a complete layout of what we believe
needs to be undertaken. It was our judgment, best judgment, using the
advice of all these experts, that would total up to about a billion dollars
a year, if you pursued that aggressively. And we feel confident in our
estimate of the $250 million that's currently being conducted. That's a
good estimate and I think corroborated by the facts.
So we asked ourselves: How can we get there, up to
the level that we think needs to be pursued? And we thought, and I must say
it's a subjective judgment. Let's try to jumpstart it the first year, and
let's try and double it that first year and get it to $500 million, and then
let's over a period of 5 years try to grow to the objective that we think
is necessary. And we have a detailed report that outlines the specific
elements of research and development that we think need to be
undertaken.
Mr. MCHALE. General, we appreciate your
comments. Thank you, Madam Chairwoman.
Mrs. MORELLA. Thank you, Mr. McHale.
I think Mr. Bartlett wanted to do a follow-up
question?
Mr. BARTLETT. Yes, thank you very
much.
Both Congressman McHale and I are on the National
Security Committee, and I think that part of the problems with the
encryption bill had to do with some concerns that our committee had. They
were very legitimate concerns. I'm sure you understand that there is a
natural tension between the desire of most of our society to export
anything and everything, because it's good for our economy, and the desire
of the defense community to export nothing that would give our potential
enemies any technical capability.
We were very much concerned about the language in
the original bill, and I'm not sure that in the short amount of time that
was available for making sure that the concerns of these two different
communities that are really pretty much at two ends of the spectrum were
adequately resolved. Clearly, we want to be able to export as much of our
technology as we can, and, clearly, we do not want to export any technology
that's going to bring us the potential grief in the future relative to our
national security. And I'm not sure that we have the time or perhaps the
wisdom to resolve those different perspectives.
My understanding is that we now have five bills
because of the five committees that have jurisdiction, and those now need
to be melded into a single bill, which is not likely to happen this year,
perhaps next year. And so we would invite your input so that we can have a
bill that will accomplish what everyone essentially wants to accomplish,
and that is to optimize the opportunities for export and enhancing our
economy, and still to adequately protect ourselves from a national security
viewpoint.
So since you are concerned and knowledgeable in
this area, we would solicit your contributions to any or all of the five
committees that have been involved in this.
Thank you very much, Madam Chairwoman.
Mrs. MORELLA. Thank you, Mr. Bartlett.
General Marsh, you mentioned research and
development and the work that went into that, and I know that's the case.
And yet as I look through this report, I only see like two pages and a half
on research and development. I just wondered why you did not elaborate
further on what you had done.
Second, as I look through the report, I've
got a lot of empty pages, intentionally left blank, intentionally
left—I didn't know if we were supposed to doodle on them or make notes
or——
[Laughter.]
Maybe you want to comment on that.
Mr. MARSH. Well, our report to the
President, which is making its way to the President, is, I believe, some
300 pages and does have detailed annexes and appendices, but it also has
the national intelligence estimate, etc., and the complete compilation of
vulnerabilities as we try to understand in each of the infrastructures. So
it's much more comprehensive, and it's classified, and this was, I must
honestly say, a rather quick attempt to synthesize the report as best we
could, get the highlights out for unclassified release. And it doesn't
really portray the tremendous research effort that underlies the
Commission.
Mrs. MORELLA. I have no doubt of that,
about that. It just seemed very interesting. There was such replication of
these blank pages.
And with the R&D, too, I wonder, who would you
designate to pay for the R&D and who should be doing it? Should it be
civilian or should it be military?
Mr. MARSH. Madam Chairwoman, we looked at
the civilian component, and that ranges—I believe I'm correct
here—between about $150 and $350 million a year, depending on your
definition of it. But most of it is product, near-term product-oriented,
and it was our conclusion, the plus-up that I am talking about to a billion
dollars is what we believe the Federal Government must undertake or it will
not be undertaken. We concluded on these particular efforts that are
described in our more detailed report—we concluded that market forces
would not, in fact, spur that kind of research and development, the
protective means that we feel are necessary for the infrastructures.
So we tried to segregate what we thought the
private sector would undertake and what the government should undertake,
and if not, it will not be undertaken.
Mrs. MORELLA. You also recommend
creating five new organizational entities, as well as designating lead
agencies, and I think it's sector infrastructure assurance coordinators for
each of the five sectors. I just wonder, are all of them needed? Which are
most important? And this is kind of an impediment to any legislative
enabling that you might need.
Mr. MARSH. Those that you cited are
fundamental, we believe, to constructing this trusted environment that will
facilitate the information-sharing process that we believe is needed. In
other words, we want the lead agencies—and, for example, the
Department of Energy—to work with the electric power industry and
promote the development in the electric power industry of that coordinator
that we talked about, that's called out in the report, or the
clearinghouse, and we want that clearinghouse to collect the information,
be the receiver of the information of the electric power industry, provided
anonymity where required, protect the proprietary information, be immune
from FOIA, etc., and then share that with the Information-Sharing and
Analysis Center that we propose being conducted. All of that is to
facilitate this ability to create a trusted environment for
information-sharing between the government and the private sector.
Mrs. MORELLA. Finally, General Marsh, what
happens now? You presented it to the President. Does he, then, look it over
or his advisors look it over, and then get ready for some implementation in
the next Congress in terms of presenting his budget? Does he put money in
for that? I mean, we certainly will look at the section that deals with
legislative remedies, but we'll be looking for some direction also in terms
of what is feasible, what is not.
What do you predict and what would you hope would
happen?
Mr. MARSH. Well, of course, we'd hope,
Madam Chairwoman, that the President will accept our recommendations and
direct his administration to prepare the appropriate implementing
instructions and propose legislation, etc. But right now, the process is an
interagency process that's reviewing the report and getting ready to
forward it to the President with the principal recommendations to him as to
what—how he should treat the report.
Mrs. MORELLA. So this is going through
a number of agencies?
Mr. MARSH. There is an interagency review
process, yes, ma'am.
Mrs. MORELLA. Okay, very good. Well, I
appreciate your being here.
I'm going to turn over for the last word to Mr.
Gordon. Any comments?
Mr. GORDON. I have no further questions,
and thank the panel for their time and hope that this is a start for this
dialog that we need to continue, and we'll be in touch.
Mrs. MORELLA. I want to thank you for your
patience also, as we went off to vote and came back and forth. I know we
have other questions to ask you, but I seriously, on behalf of the
Committee, not only thank you, but invite you to continue to stay posted
and to give us your recommendations, based on your experience and
expertise.
Thank you, General Marsh. Thank you, Mr.
Stevenson. Thank you, Mr. Katz, Mr. Davidson, Mr. Neumann. Thank you very
much.
Mr. MARSH. Madam Chairwoman, may I say just
one last thing? I've been advised that the left pages are blank so that
chapters can start on the righthand side.
[Laughter.]
Mrs. MORELLA. I'm delighted to have that
clarification. I knew there was a reason for it beyond the fact that you
didn't want us to see this data. Thank you.
The Subcommittee is now adjourned.
The record is going to be open for a period of
days for any information you'd like to get to it, and also I wanted to give
the other members of the Committee and myself an opportunity to send
questions to you. Thank you.
[Whereupon, at 4:30 p.m., the hearing was
adjourned.]
[The following information was received for
the record:]
Insert offset folios 83-125
46–176CC
1997
THE ROLE OF COMPUTER SECURITY IN PROTECTING U.S.
INFRASTRUCTURES
HEARING
BEFORE THE
COMMITTEE ON SCIENCE
SUBCOMMITTEE ON TECHNOLOGY
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTH CONGRESS
FIRST SESSION
NOVEMBER 6, 1997
[No. XX]
Printed for the use of the Committee on Science
COMMITTEE ON SCIENCE
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
SHERWOOD L. BOEHLERT, New York
HARRIS W. FAWELL, Illinois
CONSTANCE A. MORELLA, Maryland
CURT WELDON, Pennsylvania
DANA ROHRABACHER, California
STEVEN SCHIFF, New Mexico
JOE BARTON, Texas
KEN CALVERT, California
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan**
DAVE WELDON, Florida
MATT SALMON, Arizona
THOMAS M. DAVIS, Virginia
GIL GUTKNECHT, Minnesota
MARK FOLEY, Florida
THOMAS W. EWING, Illinois
CHARLES W. ''CHIP'' PICKERING, Mississippi
CHRIS CANNON, Utah
KEVIN BRADY, Texas
MERRILL COOK, Utah
PHIL ENGLISH, Pennsylvania
GEORGE R. NETHERCUTT, JR., Washington
TOM A. COBURN, Oklahoma
PETE SESSIONS, Texas
GEORGE E. BROWN, Jr., California RMM*
RALPH M. HALL, Texas
BART GORDON, Tennessee
JAMES A. TRAFICANT, Jr., Ohio
TIM ROEMER, Indiana
ROBERT E. ''BUD'' CRAMER, Jr., Alabama
JAMES A. BARCIA, Michigan
PAUL McHALE, Pennsylvania
EDDIE BERNICE JOHNSON, Texas
ALCEE L. HASTINGS, Florida
LYNN N. RIVERS, Michigan
ZOE LOFGREN, California
LLOYD DOGGETT, Texas
MICHAEL F. DOYLE, Pennsylvania
SHEILA JACKSON LEE, Texas
BILL LUTHER, Minnesota
WALTER H. CAPPS, California
DEBBIE STABENOW, Michigan
BOB ETHERIDGE, North Carolina
NICK LAMPSON, Texas
DARLENE HOOLEY, Oregon
TODD R. SCHULTZ, Chief of Staff
BARRY C. BERINGER, Chief Counsel
PATRICIA S. SCHWARTZ, Chief Clerk/Administrator
VIVIAN A. TESSIERI, Legislative Clerk
ROBERT E. PALMER, Democratic Staff Director
Subcommittee on Technology
CONSTANCE A. MORELLA, Maryland, Chairwoman
CURT WELDON, Pennsylvania
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan
THOMAS M. DAVIS, Virginia
GIL GUTKNECHT, Minnesota
THOMAS W. EWING, Illinois
CHRIS CANNON, Utah
KEVIN BRADY, Texas
MERRILL COOK, Utah
BART GORDON, Tennessee
EDDIE BERNICE JOHNSON, Texas
LYNN N. RIVERS, Michigan
DEBBIE STABENOW, Michigan
JAMES A. BARCIA, Michigan
PAUL McHALE, Pennsylvania
MICHAEL F. DOYLE, Pennsylvania
ELLEN O. TAUSCHER, California
*Ranking Minority Member
**Vice Chairman
C O N T E N T S
November 6, 1997:
Robert T. Marsh, Chairman, President's Commission on Critical
Infrastructure Protection, Washington, DC
Russell B. Stevenson, Jr., Esq., General Counsel, CyberCash, Inc, Reston,
VA
Stephen R. Katz, Chief Information Security Officer, Citibank, New York,
NY
Glenn Davidson, Executive Vice President, Computer and Communication
Industry Association, Washington, DC
Peter G. Neumann, Principal Scientist, Computer Science Laboratory, SRI
International, Menlo Park, CA