SPEAKERS CONTENTS INSERTS
Page 1 TOP OF DOC
77–603PS
2002
CYBER TERRORISM—A VIEW
FROM THE GILMORE COMMISSION
HEARING
BEFORE THE
COMMITTEE ON SCIENCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
OCTOBER 17, 2001
Serial No. 107–40
Printed for the use of the Committee on Science
Available via the World Wide Web: http://www.house.gov/science
COMMITTEE ON SCIENCE
Page 2 PREV PAGE TOP OF DOC
HON. SHERWOOD L. BOEHLERT, New York, Chairman
LAMAR S. SMITH, Texas
CONSTANCE A. MORELLA, Maryland
CHRISTOPHER SHAYS, Connecticut
CURT WELDON, Pennsylvania
DANA ROHRABACHER, California
JOE BARTON, Texas
KEN CALVERT, California
NICK SMITH, Michigan
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan
DAVE WELDON, Florida
GIL GUTKNECHT, Minnesota
CHRIS CANNON, Utah
GEORGE R. NETHERCUTT, JR., Washington
FRANK D. LUCAS, Oklahoma
GARY G. MILLER, California
JUDY BIGGERT, Illinois
WAYNE T. GILCHREST, Maryland
W. TODD AKIN, Missouri
TIMOTHY V. JOHNSON, Illinois
MIKE PENCE, Indiana
FELIX J. GRUCCI, JR., New York
Page 3 PREV PAGE TOP OF DOC
MELISSA A. HART, Pennsylvania
J. RANDY FORBES, Virginia
RALPH M. HALL, Texas
BART GORDON, Tennessee
JERRY F. COSTELLO, Illinois
JAMES A. BARCIA, Michigan
EDDIE BERNICE JOHNSON, Texas
LYNN C. WOOLSEY, California
LYNN N. RIVERS, Michigan
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
BOB ETHERIDGE, North Carolina
NICK LAMPSON, Texas
JOHN B. LARSON, Connecticut
MARK UDALL, Colorado
DAVID WU, Oregon
ANTHONY D. WEINER, New York
BRIAN BAIRD, Washington
JOSEPH M. HOEFFEL, Pennsylvania
JOE BACA, California
JIM MATHESON, Utah
STEVE ISRAEL, New York
DENNIS MOORE, Kansas
MICHAEL M. HONDA, California
Page 4 PREV PAGE TOP OF DOC
C O N T E N T S
October 17, 2001
Hearing Charter
Opening Statements
Statement by Representative Sherwood L. Boehlert, Chairman, Committee on Science, U.S. House of Representatives
Written Statement
Statement by Representative Ralph M. Hall, Minority Ranking Member, Committee on Science, U.S. House of Representatives
Written Statement
Prepared Statement of Congresswoman Constance Morella, Member, Committee on Science, U.S. House of Representatives
Prepared Statement of Congressman J. Randy Forbes, Member, Committee on Science, U.S. House of Representatives
Prepared Statement of Congressman Nick Smith, Member, Committee on Science, U.S. House of Representatives
Page 5 PREV PAGE TOP OF DOC
Prepared Statement of Congressman Jerry F. Costello, Member, Committee on Science, U.S. House of Representatives
Prepared Statement of Congresswoman Sheila Jackson Lee, Member, Committee on Science, U.S. House of Representatives
Panel
Governor James S. Gilmore, III, Commonwealth of Virginia; Chairman, Advisory Panel to Assess the Capabilities for Domestic Response to Terrorism Involving Weapons of Mass Destruction
Discussion
Appendix 1: Written Testimony
Governor James S. Gilmore, III, Commonwealth of Virginia; Chairman, Advisory Panel to Assess the Capabilities for Domestic Response to Terrorism Involving Weapons of Mass Destruction
Written Statement
Biography
Appendix 2: Additional Material for the Record
NATO Parliamentary Assembly, Science and Technology Committee, Draft General Report on ''Information Warfare and International Security'' by General Rapporteur The Honorable Vernon J. Ehlers (MoC)
Page 6 PREV PAGE TOP OF DOC
RAND Background on the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction; including Charter, Membership List, Executive Summary from the First Report and Executive Summary from the Second Report
Presidential Decision Directive 39 (Unclassified)
CYBER TERRORISM—A VIEW FROM THE GILMORE COMMISSION
WEDNESDAY, OCTOBER 17, 2001
House of Representatives,
Committee on Science,
Washington, DC.
The Committee met, pursuant to call, at 10:10 a.m., in Room 2318 of the Rayburn House Office Building, Hon. Sherwood L. Boehlert (chairman of the committee) presiding.
HEARING CHARTER
COMMITTEE ON SCIENCE
U.S. HOUSE OF REPRESENTATIVES
Cyber Terrorism—A View
Page 7 PREV PAGE TOP OF DOC
From the Gilmore Commission
WEDNESDAY, OCTOBER 17, 2001
10:00 A.M.–12:00 P.M.
2318 RAYBURN HOUSE OFFICE BUILDING
1. Purpose
On Wednesday, October 17, 2001 at 10:00 a.m. the House Committee on Science will hold its second hearing to examine the vulnerability of our Nation's computer infrastructure as well as research-related challenges and opportunities facing the Nation's network security infrastructure and management.
Testifying before the committee will be The Honorable James S. Gilmore, III, Governor of the Commonwealth of Virginia and Chairman of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction. Governor Gilmore will assess the threats to our Nation's information infrastructure, describe the level of preparedness to address these threats, and describe steps that need to be taken to ensure that Federal, state, and local governments are prepared to respond.
2. Background
Page 8 PREV PAGE TOP OF DOC
The terrorist attacks of September 11, 2001 brought into stark relief the Nation's physical and economic vulnerability to attack within our borders. The relative ease with which terrorists were able to implement their plans serves as a pointed reminder to the Nation to identify critical 'soft spots' in the Nation's defenses. Among the Nation's vulnerabilities are our computer and communications networks, upon which the country's economic and critical infrastructures for finance, transportation, energy and water distribution, and health and emergency services depend. The existence of these vulnerabilities has called into question the extent to which the Nation's research programs, educational system, and interconnected operations are able to meet the challenge of cyber warfare in the 21st century. The Los Angeles Times in a recent editorial emphasized the importance of meeting this challenge: ''A cyberterrorist attack would not carry the same shock and carnage of September 11. But in this information age. . .one could be more widespread and just as economically destructive.''
For additional information, refer to the charter for the full Committee hearing held on October 10, 2001 entitled Cyber Security—How Can We Protect American Computer Networks From Attack? located at http://www.house.gov/science/full/oct10/full–charter–101001.htm
The Gilmore Commission
Congress authorized the establishment of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction (Gilmore Commission) in 1998 as part of P.L. 105–261, the Strom Thurmond National Defense Authorization Act for Fiscal Year 1999. The Act required the Secretary of Defense, in consultation with the Attorney General, the Secretary of Energy, the Secretary of Health and Human Services, and the Director of the Federal Emergency Management Agency to enter into a contract with a federally funded research and development center (FFRDC) to establish an expert panel to assess Federal, state, and local capabilities for responding to terrorism involving weapons of mass destruction. The National Defense Research Institute, a division of the Rand Corporation, was awarded the contract and selected the 20 members of the panel in consultation with the Secretary of Defense. In April of 1999, Defense Secretary Cohen announced the selection of Governor Gilmore to serve as Chairman of the Commission. The Gilmore Commission's charter will expire on February 17, 2002.
Page 9 PREV PAGE TOP OF DOC
First Annual Report—Assessing the Threat
The Gilmore Commission released its first annual report in December of 1999 entitled ''Assessing the Threat.'' The Commission noted that there has been a trend toward increasing lethality in terrorism over the past ten years and that terrorists may feel less constrained from using weapons of mass destruction ''in an attempt to cause mass casualties, especially following the precedent-setting attack in 1995 by the Aum Shinrikyo.''(see footnote 1) For the Gilmore Commission, this event marked a turning point in the history of terrorism requiring a reexamination of the motives and means by which terrorists would attempt to accomplish their aims.
The 1995 Aum attack illustrated the potential lethality of non-state sponsored terrorist attacks. In response, President Clinton signed Presidential Decision Directive 39 (PDD 39). This PDD directed Federal agencies to improve domestic response capabilities to manage the consequences of attacks employing unconventional weapons. A year later, ''The Defense Against Weapons of Mass Destruction Act'' was enacted as part of P.L. 105–261. A key component of the Act focused on programs to enhance state and local emergency response capabilities.
The Gilmore Commission concluded that despite this increase in attention and funding, the Nation still lacked a comprehensive national strategy that could guide efforts to design integrated national domestic preparedness plans to combat terrorism. These plans must recognize that state and local authorities usually provide the first response to terrorist events and are responsible for addressing preparedness and long-term community consequences.
Page 10 PREV PAGE TOP OF DOC
The threat assessment conducted by the Gilmore Commission did not offer a formal assessment of the threat posed by cyber terrorism but concluded that the issues of cyber terrorism, while not conventionally included within definitions of weapons of mass destruction,(see footnote 2) were so interrelated to the forms of terrorist activity they had considered, that they could not be ignored. The Commission stated that it would ''consider issues related to cyber terrorism in its activities, and include in its subsequent reports conclusions and recommendations on the subject.''
Second Annual Report—Toward a National Strategy for Combating Terrorism
The Gilmore Commission released its second annual report entitled Toward a National Strategy for Combating Terrorism in December 2000. This report built upon the threat assessment provided in the previous report by conducting a broad program assessment of Federal, state and local efforts to prepare for terrorist attacks. The Commission made five findings with corresponding recommendations. In addition, the Commission made six specific functional recommendations, including recommendations for research and development, national standards, and the provision of cyber security against terrorism (see appendix II).
The Commission offered a scathing critique of existing Federal efforts to ensure domestic preparedness against terrorism. It concluded that instead of a coherent and integrated strategy, the Nation had a loosely coupled set of plans and programs with varied objectives. The Commission reiterated concerns raised in its previous report and recommended that the next President develop and present a coherent national strategy for combating terrorism within one year of assuming office. This strategy was to be based upon the following assumptions:
Page 11 PREV PAGE TOP OF DOC
Local response entities (law enforcement, fire service, etc.) will always be the first and potentially the only response to a terrorist event;
In the event of a major terrorist assault, no single jurisdiction will be able to respond without outside assistance;
Existing emergency response and management capabilities, developed for response to natural disasters, disease outbreaks and accidents should be used as a base for enhancing our domestic capability for response to terrorist attacks; and
The national strategy should address the full spectrum of our efforts against terrorism—intelligence, deterrence, prevention, investigation, prosecution, preemption, crisis management, and consequence management.
National Office for Combating Terrorism (NOCT)
The Commission called for the statutory creation of a National Office for Combating Terrorism in the Executive Office of the President responsible for developing and coordinating a national strategy. The office should be comprehensive, with responsibility for efforts to deter, prevent, prepare for, and respond to both international and domestic terrorism. The office should have at least five major sections, each headed by an Assistant Director: 1) domestic preparedness programs, 2) intelligence, 3) health and medical programs, 4) research, development, test, and evaluation and national standards, and 5) management and budget. The office would have some program and budget authority and would provide direction and priorities for research and development, related test and evaluation, as well as in developing nationally recognized standards for equipment and laboratory protocols and techniques.
Page 12 PREV PAGE TOP OF DOC
Research, Development, Test and Evaluation for Combating Terrorism
The Gilmore Commission concluded that the strategy developed by the NOCT must include a comprehensive plan for long-range research as well as a clear set of priorities for research and development. To accomplish this, the Commission recommended that the NOCT should enter into a formal relationship with the Office of Science and Technology Policy (OSTP) or have members of the OSTP staff detailed to the NOCT on a rotating basis. The top priorities for targeted research included responder personnel protective equipment, medical surveillance, identification and forensics; improved sensor and rapid read out capability for identifying chemical or biological agents, vaccines and antidotes, communications and interoperability.
National Standards for Equipment, Training, and Laboratory Processes
No single jurisdiction will be capable of responding to a major terrorist attack without assistance. As a result, the Gilmore Commission concluded that the development of national technical standards is a critical element of an effective national plan. The Commission recommended that the Assistant Director for research, development and standards establish a national standards program for combating terrorism with a focus on equipment, training and laboratory processes. The objectives for equipment standards would be nationwide compatibility and increased availability of dual or multi-use equipment that could be utilized in both terrorist created and accidental emergencies. (e.g., disease outbreaks or fires). For training, the objectives would be interdisciplinary curricula and training exercises based upon realistic scenarios. The objectives for laboratories would be strict protocols for forensics and for the identification and reporting of chemical and biological agents.(see footnote 3) The Commission states that the ultimate goal for this program should be certification of specific equipment, training and laboratory protocols and dissemination of a digest of certifications for use by response agencies.
Page 13 PREV PAGE TOP OF DOC
The Commission recommended that the National Institute for Standards and Technology (NIST) and the National Institute for Occupational Safety and Health (NIOSH) be designated as co-lead agencies. Certification standards developed by these agencies should be developed in coordination with Federal agencies and with input from state and local response entities, professional organizations that represent response disciplines, and private and quasi-public certifying entities.
Providing Cyber Security Against Terrorism
The Gilmore Commission noted that ''cyber attacks incident'' to conflicts in the Middle East ''emphasized the potentially disastrous effects that such concentrated attacks can have on information and other critical government and private sector electronic systems.'' The Commission concluded that while not ''mass destructive,'' attacks on our critical infrastructure would certainly be ''mass disruptive.'' It also concluded that the most likely perpetrators of cyber attacks on critical infrastructures are terrorists and criminal groups rather than nation-states. As a result, the Commission predicted that detection of these attacks would fall primarily to the private sector and to local law enforcement authorities.
In light of this, the Commission concluded that greater efforts must be made to establish effective partnerships with the private sector and to improve coordination with state and local governments. In particular, private sector cooperation is essential to response efforts in the areas of deterrence, detection, identification, prevention, response, recovery, and restoration. The Committee reported that it would focus on specific aspects of information infrastructure protection in the third and final report. A preliminary list of items to be considered in the next report included information assurance research, security standards for emerging technologies, legal issues (tort liability, antitrust patent and copyright protection, FOIA, privacy and insurance), and critical infrastructure alert, warning and response.
Page 14 PREV PAGE TOP OF DOC
3. Witnesses
The Committee will receive testimony from the Honorable James S. Gilmore, III, Governor of the Commonwealth of Virginia and Chairman of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction.
4. Questions
Governor Gilmore will be asked to discuss the following questions in his testimony:
1. What are the current and potential threats to cyber security and how equipped are we to address them?
2. What are the unmet challenges in computer/network security as they relate to terrorism? What types of research are needed to protect critical information systems from attack and what role do standards play in protecting critical information systems?
3. How effective are the various industry/government/academic cooperation mechanisms—particularly those mechanisms relating to law enforcement—at countering terrorist threats to our information infrastructure? How can government and/or federal funding help prioritize and encourage more industry and university-based research and cooperation in information assurance?
Page 15 PREV PAGE TOP OF DOC
4. What are your views on current state of information assurance education and training? What are the gaps in education and training as it relates to information assurance?
5. APPENDICES
Appendix I—Charter of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction (Gilmore Commission)
Appendix II—Membership List
Appendix III—Executive Summary from the First Report
Appendix IV—Executive Summary from the Second Report
Appendix V—Presidential Decision Directive 39 (Unclassified)
Note: See Appendix 2: Additional Material for the Record, pages 55–85 for the above documents.
Cyber Terrorism—A View From the Gilmore Commission
Chairman BOEHLERT. The hearing will come to order. I want to welcome everyone here today for our second hearing on cyber security. It may be difficult or even seem odd to concentrate on cyber security while the Congress itself seems to be the victim of a biological attack. Yet, in some ways, recent events point out more than ever the need to worry about the security of our computer networks.
Page 16 PREV PAGE TOP OF DOC
What the recent and ongoing anthrax attacks and the attacks of September 11 have in common is that they turn our own basic system of daily connections against us—in those cases, our postal system and our transportation system. Turning our computer systems against us would seem to be a logical extension of that mode of operation. And, as we noted last week, we are more and more reliant on these computer networks.
Last week's hearing provided a sober report on the state of our vulnerability to computer attacks. Our witnesses made four primary points. One, the United States has a woefully inadequate investment in computer security. Two, two top researchers have been drawn into the field of computer security, which has remained essentially unchanged in its failed approaches since its inception. As a matter of fact, in the last three years, our leading universities have only graduated less than two dozen Ph.D.s with a specialty in computer security.
Three, the Federal Government has no agency that is focused on and responsible for assuring that the necessary research and implementation are undertaken to improve computer security. And, finally, market forces have given most in private industry little incentive to invest in computer security even as their reliance on the Internet grows.
We are now starting to work on legislation to address those shortcomings. Today we will continue our investigation into computer security. And, once again, we will focus on the area where the Committee has special expertise and responsibility for longer-range planning that will ensure that the vulnerabilities we have today do not exist tomorrow.
We will hear from Governor Gilmore who will outline the recommendations in the Gilmore Commission's upcoming report on cyber security. I will be particularly interested to hear the recommendations relating to research and development and standards, the issues on which this Committee has focused. And the standards discussion should help set up a hearing we will have in two weeks on the problems emergency personnel had in communicating with each other because of incompatible equipment.
Page 17 PREV PAGE TOP OF DOC
I have no doubt that the Governor's recommendations will be thought-provoking because the Commission's previous reports have given that impression. They outlined the terrorist threat and the needed preparations to combat it while most of us were still insulated by our complacency. That complacency has now vanished.
I must add, though, that complacency must not be replaced with panic. As we move ahead, we must protect our basic American values, our sense of openness, our fate that the normal machinery of government has the ability to weather a storm as it has so many others.
We should view with skepticism proposals that would turn our decision-making to new insular technocracies. Instead, we should acknowledge that the Federal Government has a key active role to play in ensuring that the national interest and the public interest take precedent at a time when narrower interests and ideologies can stand in the way of needed steps to ensure our safety.
Let me stress that this Committee is focusing on this area for good and sufficient reason. We have to be thinking long-term. There are no quick fixes. We are not going to have anything that would develop overnight. This is long term. Excuse me one second.
I have just been advised by counsel that the order has come to close the Capitol Hill Complex. Now, let me just verify that. I will call on Mr. Hall for his opening statement, and in the meantime we will try to get some verification of this.
[The prepared statement of Mr. Boehlert follows:]
Page 18 PREV PAGE TOP OF DOC
PREPARED STATEMENT OF CHAIRMAN SHERWOOD BOEHLERT
I want to welcome everyone here today for our second hearing on cyber security. It may be difficult, or even seem odd, to concentrate on cyber security while the Congress itself seems to be the victim of a biological attack. Yet, in some ways, recent events, point up more than ever the need to worry about the security of our computer networks.
What the recent anthrax attacks and the attacks of September 11 have in common is that they turn our own basic systems of daily connections against us—in those cases, our postal system and our transportation system. Turning our computer systems against us would seem to be a logical extension of that mode of operation. And, as we noted last week, we are more and more reliant on those computer networks.
Last week's hearing provided a sober report on the state of our vulnerability to computer attacks. Our witnesses made four primary points:
The United States has a woefully inadequate investment in computer security;
Few top researchers have been drawn into the field of computer security, which has remained essentially unchanged in its (failed) approaches since its inception;
The Federal Government has no agency that is focused on, and responsible for ensuring that the necessary research and implementation are undertaken to improve computer security; and
Page 19 PREV PAGE TOP OF DOC
Market forces have given most in private industry little incentive to invest in computer security even as their reliance on the Internet grows. We are now starting to work on legislation to address those shortcomings.
Today, we will continue our investigation into computer security. And once again we will focus on the area where this Committee has special expertise and responsibility—the longer-range planning that will ensure that the vulnerabilities we have today do not exist tomorrow.
We will hear from Governor Gilmore, who will outline the recommendations in the Gilmore Commission's upcoming report on cyber security. I will be particularly interested to hear the recommendations relating to research and development, and standards—the issues on which this Committee has focused. And the standards discussion should help set up a hearing we will have in two weeks on the problems emergency personnel have in communicating with each other because of incompatible equipment.
I have no doubt that Governor Gilmore's recommendations will be thought-provoking because the Commission's previous reports have been prescient. They outlined the terrorist threat and the needed preparations to combat it, while most of us were still insulated by our complacency. That complacency has now vanished.
I must add, though, that complacency must not be replaced with panic. As we move ahead, we must protect our basic American values, our sense of openness, our faith that the normal machinery of government has the ability to weather this storm as it has so many others.
Page 20 PREV PAGE TOP OF DOC
We should view with skepticism proposals that would turn over our decision-making to new, insular technocracies.
Instead, we should acknowledge that the federal government has a key, active role to play in ensuring that the national interest and the public interest take precedent at a time when narrower interests and ideologies can stand in the way of needed steps to ensure our safety.
I welcome Governor Gilmore and I look forward to his testimony.
Mr. HALL. Mr. Chairman, thank you very much. And I, too, am honored to welcome Governor Gilmore, one of the clearly great Governors in the 50 states and a friend of my Governor from Texas, and, frankly, one of the young leaders of this country that will help our President and our Nation through anxious and apprehensive years to come. Governor, you are welcome here.
With this hearing and our last hearing, last Wednesday, we focused on the security in cyberspace. And I think the Chairman is a little apprehensive about following the orders, and I will make my recommendations and opening statement very brief.
We know the many values in the systems that are vital to the Nation, such as the electric power grid, railways, and all that. And your Commission has recognized that vulnerability and you are facing it and you are doing something about it. With that, Mr. Chairman, I will put my statement in the record and let you make the decision as to when we leave.
Page 21 PREV PAGE TOP OF DOC
[The prepared statement of Mr. Hall follows:]
PREPARED STATEMENT OF THE HONORABLE RALPH M. HALL
Mr. Chairman, I want to join you in welcoming Governor Gilmore to this morning's hearing. Governor, we appreciate your taking the time to meet with the Committee to discuss the important work of your terrorism advisory panel.
This hearing and our hearing last Wednesday have focused on security in cyberspace. Many systems that are vital to the Nation, such as the electric power grid, railways, and financial services, rely on the transfer of information through computer networks. The Gilmore Commission has recognized this vulnerability and has been looking at the security of networked information systems as part of its review and assessment activities.
In the Committee's previous hearing, we learned that the nation has been under investing in information security R&D. The result has been a focus on near-term, incremental research. We also found that too few scientists and engineers are working on problems in information security. In addition, the lack of resources has discouraged talented young computer scientists and scientists from entering the field.
Finally, our witnesses last week suggested the need for better coordination of R&D activities among industry, academia, and government. It appears that there is no home within the Federal Government for support of information security research, especially for long-term research. We need to ensure this critical problem is resolved.
Page 22 PREV PAGE TOP OF DOC
This morning, we look forward to reviewing the findings and recommendations of the Gilmore Commission that address various aspects of critical infrastructure protection. I am interested in recommendations relating to specific research needs, and to policy oversight and coordination of Federal research on networked information systems.
We look forward to working with the Gilmore Commission on how to develop the needed human resource base of research scientists and computer security professionals.
Governor Gilmore, I appreciate your attendance at today's hearing, and I look forward to our discussions.
PREPARED STATEMENT OF CONGRESSWOMAN CONSTANCE MORELLA
Mr. Chairman, this is the second hearing in as many weeks in which we have confronted the issue of cyber security and I appreciate the attention you have focused on this critical issue. Last week we heard from academics and businessmen who highlighted all the things we don't know. Hopefully today, we will begin the slow process of correcting these oversights.
Unfortunately, the success of the Internet is precisely the reason for our vulnerability. America's recent prosperity has been largely due to the technological advancements brought by the computer age. Our reliance on cyberspace to coordinate communications, banking and financial services, power generation and distribution, production and supply, as well as a host of other functions, has led our economy to global dominance, but has also made us susceptible to attack. In addition, the freewheeling innovative nature of the web has defied the normal standard setting processes. This has lead to unprecedented growth in record time, but also makes any top down security measures or other organizational structures difficult to implement. The Internet's greatest strengths are quickly becoming its greatest weaknesses and we need to find ways to shore up our vulnerabilities before our enemies learn to exploit them.
Page 23 PREV PAGE TOP OF DOC
We need to proceed on two fronts, one short-term and one long-term. To begin, we need to develop and implement security standards to be used on our current systems. I have sponsored legislation, H.R. 1259, to address this issue by relying on the expertise of the National Institute of Standards and Technology. This legislation passed this committee last year and I hope we will consider it again soon. I was pleased to learn that Governor Gilmore's commission made a recommendation very similar to my bill in their last report.
On a larger scale, we need to address deficiencies in our computer expertise. Last week, we heard about the current shortage of computer security experts as well as the lack of new students entering the field. We have a small program in H.R. 1259 to provide fellowships for computer security, but more needs to be done. I have been working on legislation to create additional incentives as well as foster industry-government collaborations. In addition, the Chairman of this committee has just introduced legislation supporting programs designed to increase the number of undergraduate degrees awards in science and technology, with priority going to fields where there is a specific industry need and a flat or declining number of graduates. Clearly computer security is one such area and should be targeted by these programs. I welcome the Chairman's interest and I look forward to working with him on this issue.
In closing, I want to thank Governor Gilmore for taking time away from his busy schedule to testify before us today. I hope that he will be willing to make some recommendations in advance of his Commission's third and final report. I also hope his comments will serve as a catalyst for the Committee to quickly consider the legislation that the Chairman and I have already proposed in addition to any new ideas that may come out of today's hearing.
Page 24 PREV PAGE TOP OF DOC
PREPARED STATEMENT OF CONGRESSMAN J. RANDY FORBES
First, let me thank you, Mr. Chairman and Ranking Member, Mr. Hall, for holding this important hearing today.
And, as the panel's only Virginia representative, I would also like to thank our Governor, Jim Gilmore, for appearing before our panel today to discuss the findings of his commission on terrorism. Not only have you had the opportunity, Governor Gilmore, to examine these issues from an academic perspective over the past two years, but given the recent terrorist attack at the Pentagon, you have had the responsibility of responding to a very real and horrific situation. I know that Virginia is still recovering from that episode and that you are very busy with that work. I appreciate your taking the time to be with us today.
As the attacks on the Pentagon and the World Trade Center and the failed attempt in Pennsylvania show us; a quick and coordinated state and local response is the key to facing and beating terrorist threats on our soil. The fire, rescue, and police personnel are the first on the scene, the first to assess the situation, and the first to respond to the victims.
But, with some exceptions, they are equipped now only to respond to the routine emergencies that occur in everyday life, not the potential serious threats posed by chemical, biological, radiological, and other weapons of that magnitude. As the attacks of September 11th have proven, there is no limited to the twisted imaginations of our terrorist enemies. Our first responders must have the ability to think outside the box as well.
You may be interested to know that I recently introduced legislation that would help these state and local public safety personnel get the equipment that they need to fight these threats. The First Responders Homeland Defense Act (H.R. 3025) would expand an existing federal program through which state and local law enforcement can purchase equipment for counter-drug activities.
Page 25 PREV PAGE TOP OF DOC
These local law enforcement agencies use their own funds, but by leveraging the buying power of the federal government, they are able to access vastly reduced prices. In fact, the estimates of cost savings run as high as 700 percent for some items. And, items that can be purchased range from spare helicopter parts to first aid kits and firefighting equipment to surveillance monitors. Clearly, these are items that first responders can use in the war against terrorism just as effectively as they've used them in the war against drugs.
Forty-four states, including Virginia, currently use this program to help stretch state and local law enforcement budgets. It is clear that the war against terrorism is going to place a further burden on these already strained budgets. This program is one way that the federal government can help to ease that burden.
Thank you, again, Governor Gilmore, for joining us today. I look forward to your comments.
PREPARED STATEMENT OF CONGRESSMAN NICK SMITH
I want to thank Chairman Boehlert and Ranking Member Hall for holding this hearing to examine the vulnerability of our Nation's computer infrastructure, as well as research-related challenges and opportunities facing the Nation's network security infrastructure and management. I would also like to thank Governor Gilmore for joining us today and for all of his hard work as Chairman of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction.
Page 26 PREV PAGE TOP OF DOC
The tragic events of September 11, 2001 brought into sharp focus how vulnerable we are to attacks of terrorism. Recent news reports regarding Anthrax and the contamination of some of our Capitol complex has brought into focus terrorism involving weapons of mass destruction. We have all struggled with what we can do to stop this and to improve our Nation's homeland defense. This hearing will hopefully provide some answers to that question.
The Gilmore Commission is a panel of experts has spent the last three years studying the implications and risks of a terrorist attack involving weapons of mass destruction. The final report of this panel will soon be issued, and I hope that Governor Gilmore will be able to share some of the findings and recommendations of that report with us today. The recommendations of past reports from this commission have been frank and specific and are reflected in the actions that President Bush has taken over the past month.
Our technological advancements in computers, software, networks and information technology in general has actually made us more vulnerable to disruption. Physical security is now indelibly tied to cyber security. This new reality is most true for attacks that may involve weapons of mass destruction. Our water supplies, to give one example, are protected physically by fences and guards but they are also protected electronically by control systems that monitor the purification process. Terrorists must breach both systems to succeed in tampering with the water. Today we have a heightened sense of awareness and a heightened vigilance with regard to security—both seen and unseen. The Gilmore Commission has added to this awareness with knowledgeable analysis and risk assessment.
I would like to take this opportunity to thank the President, Governor Gilmore, and the entire Advisory Panel for their efforts. I have been particularly interested in the panels finding that state and local response efforts such as emergency response plans, law enforcement and fire fighters will be the first and probably the most effective response to a terrorist event. In the 106th Congress I sponsored legislation passed into law that called for a review of the counter-terrorism training programs offered by the United States Fire Administration and other Federal agencies and authorized new funding for anti-terrorism training, including associated curriculum development, for fire and emergency services personnel. The Fire Administration Authorization Act of 2000 (P.L. 106–503) also required the Administrator of the United States Fire Administration to prepare a 5-year strategic plan and a research agenda for the United States Fire Administration. I hope to hold hearings on the status and impact of that law later this year but I would also appreciate the Governor's comments on this.
Page 27 PREV PAGE TOP OF DOC
The focus of this hearing is on cyber security. The growing interdependence of physical security and cyber security make it very difficult to discuss, or plan for one without the other. Clearly there is work to be done on both fronts and research needed across the board.
At this time, protecting our Nation from terrorists is the most critical issue before the Congress. We need to learn as much as we can and do as much as we can to ensure the safety of our people from this serious threat.
PREPARED STATEMENT OF THE HONORABLE JERRY F. COSTELLO
Good morning. I want to thank the witnesses for appearing before our Committee to discuss the role of Federal agencies in responding to bioterrorism. As you are aware, coordination among Federal agencies is critical for homeland security and hopefully this hearing will allow us to gauge our preparedness. Over the last two months, my colleagues and I have found ourselves deeply affected by bioterrorism, so much so that stringent precautions are now being taken to deal with our mail coming to the Capitol Hill complex. However, we must remember the issue of bioterrorism and bioterrorism preparedness is not just something affecting metropolitan areas. Instead, bioterrorism is a threat to all Americans and the Federal Government must provide an efficient response.
As a member of the Homeland Security Taskforce and through information garnered from recent Committee hearings, I have been working with my colleagues to keep America safe from bioterrorism. However, the main challenge facing the Federal Government in dealing with bioterrorism is not that more assets need to be built, but that Federal involvement needs to be coordinated and streamlined. Many Federal agencies have been fiercely competing for the missions and money associated with a bioterrorism response, an unfortunate circumstance that has resulted in redundant capabilities, wasteful spending, and, at the local level, confusion as to which agency would lead the Federal component of a response. Because of this, I am particularly interested in learning more about how we can improve accountability without hindering a unified effort, particularly in the area of research and development, and the cost of providing resources to address deficiencies in bioterror preparedness. In addition, I would like to learn more about the role Governor Ridge and the Office of Homeland Security will play in coordinating a response to bioterrorism and updating the Federal Response Plan to meet the new challenges facing our Nation.
Page 28 PREV PAGE TOP OF DOC
I thank all of the witnesses for being with us today and providing testimony to our Committee.
PREPARED STATEMENT OF CONGRESSWOMAN SHEILA JACKSON LEE
Thank you, Mr. Chairman and Ranking Member Hall, for holding this important hearing on Cyber Terrorism. This is a very important issue because our government is now thinking about cyber warfare issues more than in the past. It also appears that we are now better organized to prevent and respond to cyber warfare. However, Mr. Chairman, it is not clear whether a national consensus has been formed on whether cyber threats constitute serious national security threats requiring a national security response.
According to the most recent White House report on National Security Strategy, ''we face threats to critical national infrastructures, which increasingly could take the form of a cyber attack in addition to physical attack or sabotage, and could originate from terrorist or criminal groups, as well as hostile states.''
Mr. Chairman, I am aware of at least three major cases where there have been substantial cyber or physical attacks to key information infrastructures: Air Force Rome Lab (1994); Eligible Receiver (1997); Solar Sunrise (1998). The facts of these cases causes us to question whether cyber war represent a fundamentally new form of 21st century warfare, for which the U.S. may or may not be prepared.
Mr. Chairman, in the wake of the horrible terrorist attacks on our country that took place on September 11, 2001, it would be very easy for us to focus all of their attention on the types of attacks we saw on that day, and on what needs to be done to prevent their reoccurrence. That is, of course, an extremely important issue, and it is crucial that we take steps such as improving aviation security to prevent similar attacks in the future. But it is also vitally important that we pay attention to the other types of threats to our Nation's security that are just as significant, and just as likely, today as they were before September 11. Among those threats are potential cyber attacks against our information infrastructure.
Page 29 PREV PAGE TOP OF DOC
Federal facilities, electric power plants and other portions of the Nation's critical infrastructure are highly vulnerable to cyber attacks from terrorist groups, rogue nations, disgruntled employees and hackers from across this country. This hearing today provides us an opportunity to discuss the vulnerability of our computer infrastructure and to discuss an approach to prepare our Nation to defend against such attacks.
The information revolution has surpassed the expectations of the some of the brightest minds, enabling so many to reap the benefits of a booming economy. The question today, however, if not to restate our mutual commitment to the development of computer technology and information. Rather, we are here to discuss the cumbersome challenges that cyber attacks have compelled all Americans to consider.
The recent cyber attacks designed to disrupt major web networks represents a serious weakness in security. It exposes how the vulnerabilities at one place on the Net can create risks for all. These recent cyber attacks demonstrate the need for us to work together to develop a strategy to strengthen cyber security.
All Americans have a vested interest in balancing the policing of cyber crimes with the protection of civil liberties and speech on the Internet. Finding the right balance is crucial.
Yet as devastating as computer crimes can be, in combating them we must remember to preserve the same rights as provided to traditional criminal defendants. As a Member of the House Committee on the Judiciary, I am always concerned about the protection of individual rights of all Americans. The Constitution has always been a flexible document, written to accommodate changes in society, and so we must act accordingly.
Page 30 PREV PAGE TOP OF DOC
Last year we held a hearing on the series of well-planned and coordinated cyber attacks on several of the Nation's biggest Internet sites. Two popular sites, Yahoo.com and Buy.com, were shut down for several hours, while sites such as CNN.com, ZDNet.com, Amazon.com, eBay.com, and E*Trade were similarly terrorized. These cyber attacks effected millions of Internet users and resulted in revenue losses for several sites. While this damage was relatively minimal in proportion to volume of the Internet, these events were a wake-up call to many of us as to the extent of cyber crime, and the degree to which we are all vulnerable.
The world of electronic communications is a developing one. Clearly, there is a growing need for enforcement, and in many instances, strengthening of our laws so that our law enforcement professionals can do their jobs and keep us all safe from cyber criminals.
Having said this, we must also recognize the need to heed the warnings from the examples of deprivations of civil liberties that are more and more abundant as the Internet continues to grow, and law enforcement struggles to keep up.
In a recent case in the state of Texas, which I represent the 18th Congressional District, law enforcement, acting on a tip from a local business, confiscated all of its competitor's business computers based on the accusation that the competitor engaged in electronic ''spamming.'' As a result, the accused business, against which charges were eventually dropped, lost months of business while incurring legal and other costs to get its equipment back.
To balance enforcement with protections, there must be a concerted effort to coordinate law enforcement between Federal, state and local entities. We must provide them with the equipment and training to enable them to keep up with the criminals who are operating in the cyber environment. In the process, we must protect the rights of Americans to free political, commercial, and other speech over the Internet.
Page 31 PREV PAGE TOP OF DOC
To this end we have many challenges. We need a balanced international strategy for combating cyber crime. We need round-the-clock Federal, state and local law enforcement officials with expertise in, and responsibility for, investigating and prosecuting cyber crime. We need new and more expansive procedural tools to allow state authorities to more easily gather evidence located outside their jurisdictions, and need to assess whether we have adequate tools at the Federal level to effectively investigate cyber crime. Finally, we need to work in partnership with industry to address cyber crime and security, where we can discuss challenges and develop effective solutions that do not pose a threat to individual privacy.
It is the role of government to protect all of these forms, of speech, as well as interstate commerce that over the Internet. Consequently, we must send a clear message to those who would attempt to interfere with the free speech and mobility of citizens and industry through the Internet—Americans take this very seriously. Cyber criminals will be dealt with along with other criminals.
I look forward to your comments.
Chairman BOEHLERT. All right. Thank you very much. Governor, with your indulgence, may we recess for just five minutes to get some clarification? We understand the Senate buildings have already been closed and that there is some hint that the House buildings are due to be closed imminently. But if you let us pause for just a couple of minutes, we will try to get some factual information so that we are not operating on theories. And——
Governor GILMORE. Mr. Chairman, I am at your disposal, and if I need to come back, I will be pleased to do so.
Page 32 PREV PAGE TOP OF DOC
Chairman BOEHLERT. Thank you.
Governor GILMORE. I am at the disposal of the Congress.
Chairman BOEHLERT. All right. And the Committee will be in recess for five minutes, pending clarification of the instructions on the continuation of ordinary business.
[Recess]
Chairman BOEHLERT. Governor, here is what we propose to do. We understand the leadership is meeting now and the current instructions are to continue with hearings throughout the Hill and that the building will be evacuated this afternoon to permit a thorough sweep of the Capitol Complex. We may get further instructions as this hearing proceeds, but my thought is, Governor, that we would receive your testimony, and this is in concurrence with Mr. Hall. We do everything on a bipartisan basis on this Committee. And then we would, after having your testimony, recess the hearing subject to the call of the Chair.
And you have very graciously indicated your willingness to come back at some future time. In the meantime, we would have a chance to examine your expert testimony and we would fashion some very challenging questions and we will have that dialogue. Is that all right with you?
Governor GILMORE. Mr. Chairman, that is fine with me. I have no anxiety about this one way or the other, and I am happy to work with the Congress on any schedule you would like. I would be happy to make my statement now and make myself available for ''Q&A'' at any time that you would like.
Page 33 PREV PAGE TOP OF DOC
Chairman BOEHLERT. Well, you are very gracious. And as you and I agreed, Mr. Hall, and I agree, the last thing anyone should do is panic. Obviously, we want accurate information, and when we get further instructions from on high, we will respond to those instructions. With that, let me welcome you, Governor, and thank you so much for being a valued resource for this Committee. And you are encouraged to proceed with your statement.
STATEMENT OF GOVERNOR JAMES S. GILMORE, III, GOVERNOR OF THE COMMONWEALTH OF VIRGINIA; CHAIRMAN, ADVISORY PANEL TO ASSESS THE CAPABILITIES FOR DOMESTIC RESPONSE TO TERRORISM INVOLVING WEAPONS OF MASS DESTRUCTION
Governor GILMORE. Thank you, Mr. Chairman Boehlert, and, Ranking Member Hall, and, members of this Committee. I want to discuss with you, and I appreciate the opportunity to, to discuss with each of you, the recommendations of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction. That is a national Panel that was established by the Congress in 1999 for the purpose of advising the Congress and advising the President on the issues of terrorism, weapons of mass destruction, and domestic response capabilities.
It has been three years that we have been working on this Commission, since 1999, three full years, '99, 2000, and, of course, 2001. It has been my privilege to work with a bipartisan group of experts in a broad range of fields, many, by the way, are from outside the Washington beltway, including current and former federal, state, and local officials, and specialists in terrorism, intelligence, the military, law enforcement, emergency management, fire services, medicine, and public health. So this was a designed Commission to provide all of the expertise necessary to deal with terrorism on a national strategic basis. And it has been, frankly, one of the great privileges of my life to work with this organization.
Page 34 PREV PAGE TOP OF DOC
One member of our Panel, Ray Downey, served for years as the Chief of Special Operations for the New York City Fire Department. Ray worked with our committee. He attended every meeting. He talked with us about what it was like to be on the ground at the time of a potential terrorist attack. He warned us about the possibility of secondary explosions and that type of thing that would endanger police and fire people. He was one of the first emergency responders to arrive at the World Trade Center on September the 11th. As of today, Ray is officially listed as missing and our prayers go out to Ray and to his family. Ray was at the World Trade Center getting people out when the building collapsed on him and 300 other New York fireman.
This Panel has had nearly three years to study the threat of terrorism, deliberately, quietly, with out the pressure or blur that is associated with a crisis, such as we are experiencing this morning, this kind of a blur that you see, when things are going on. We didn't have to deal with any of that. We could just meet quietly. We offered opportunities for the press to meet with us. They didn't much. And we had plenty of time to really just talk things through in a public forum and then think things through as we went along.
We have fulfilled our statutory duty to report our findings to Congress and the President in two previous reports. Our first report was delivered in December 1999, and the second was issued in December of 2000. The Panel is now preparing to send to the President and the Congress an interim third report. It would typically have been offered in December of 2001, but we have accelerated it to give a bit of an interim report in the next several days. And we will be in the position to provide you the benefit of our current work in a more detailed work in December at a later time.
Page 35 PREV PAGE TOP OF DOC
The third report will deal with about five subject areas, including the use of the military, local responders, border security, health and medical, but a specialized area also in cyber terrorism, which I know is the special interest of this hearing today and of this Panel.
So I want to summarize our key recommendation for you today with special emphasis of the most recent recommendations and their impact on the Nation's preparedness with respect to cyber attacks. In light of the experience of September the 11th, let me say that the recommendations that we have made these three years remain valid. What has changed is the urgency in which they should be implemented.
In our first report, in December 1999, we provided a comprehensive assessment of the actual threat of a terrorist attack on United States soil. First and foremost, we said that the threat of a terrorist attack inside our borders, with increased lethality, was inevitable and that the United States should prepare for that attack. That was in the December 1999 report.
I might say, by the way, we assessed in two separate pieces—one for weapons of mass destruction and the other for a conventional attack. We refused to take off the table the possibility of a weapon of mass destruction—nuclear, bioterrorism. We refused to take that off the table, but it is harder to deliver in a mass basis. On the other hand, we believed that a conventional was inevitable.
We called for a national strategy to assess the full spectrum of possible attacks, including cyber attacks. And we stressed, at the outset of our work, the paramount importance of preserving our citizens' constitutional rights and civil liberties. This has been a primary theme of our Commission for all three years and remains so to this day.
Page 36 PREV PAGE TOP OF DOC
Now, the second report was issued a year later, in December of 2000, and it proposed about 50 recommendations for improving our Nation's preparedness against the threat of terrorism that was identified in the first report.
Most importantly, the second report emphasized the need for a national strategy. The Federal Government cannot assess and cannot address this issue, this threat, alone. All levels of government, as well as the private sector and our research universities, have capabilities, resources, assets, experience and training that must be brought to bear in addressing this threat.
Mr. Chairman, there is a tendency, I think, to say that a national strategy is a Federal strategy. It is not. A national strategy is a federal, state, and local strategy all in combination.
We also need new public and private partnerships, particularly in the protection of our Nation's communications and Internet infrastructure, because, ladies and gentleman, 80 percent of our Nation's infrastructure is owned and operated in the private sector. This creates a unique characteristic of the American society that we must take into consideration as we address security issues.
We called for the creation of a national office for combating terrorism, in the Executive Office of the President, with responsibility for developing and implementing a comprehensive national terrorism strategy approved by the President. President Bush has adopted this recommendation and has appointed, in my judgment, the right man for the job, Governor Tom Ridge, to head this office. President Bush has tapped a career professional in Dick Clarke, Richard Clarke, to advise the White House on cyber security—cyberspace security, as well.
Page 37 PREV PAGE TOP OF DOC
Let me speak to you for a few moments then about the cyber issue, which is the focus, I believe, of your Committee. Prior to September the 11th, many people questioned whether nation-states or rogue terrorists had the capability to disrupt our critical infrastructures on a wide scale. Since September the 11th, we must presume that they do.
Critical information and communication infrastructures are targets for terrorists because of the broad economic and operational consequences of a shutdown—what that can inflict.
Our banking and finance systems, ''just-in-time'' delivery system for goods and services, our hospitals, our state and local emergency services—all of these critical services rely upon the information connections and databases. Each is critical to the American economy and to the health of our Nation, of our citizens, and each could be shut down or severely handicapped by a cyber attack. It has not gone unnoticed by our committee that if a cyber attack occurs simultaneously with either a conventional attack or a weapon of mass destruction attack that it can compound and enhance the impact of the original attack.
Whether the threat manifests itself in the form of a physical attack against computer hardware or real property that houses critical portions of the Nation's infrastructure, or in the form of a cyber attack against computer software and the Internet controls, America's cyberspace needs protection today in the United States.
Let us speak for a moment about physical attacks. Protection against physical attacks are going to remain primarily conventional types of procedures. Security systems, security guards, the intelligence community, will have to detect plots and communicate that information to the private owners in enough time to permit security precautions or, at least, to the local police, or, at least, to state officials. Today, the communication of that intelligence is virtually unheard of. That is the nature of the intelligence system. Can you really imagine that anybody would get that information and tell the local police chief about it? But that is probably what we are going to have to get to.
Page 38 PREV PAGE TOP OF DOC
Of course, in the case of a catastrophic physical attack, like September the 11th, backup systems and redundancies must be in place, and they are often not. But cyber attacks, the other side of it, are more complex. Digital hijackers don't have to walk through metal detectors or occupy a cockpit to spark a cyber blackout. We have only got to look at the consequences of hackers, cyber-hackers, and recent viruses, of all the numerous names that are given to it that you see on the evening news, Code Red, NIMDA, which, by the way, virtually shut down Fairfax County this past summer, which contemplates the severe economic and governmental harm that could be inflicted.
The impact could be ten times greater if the hacker is well-financed and is a cyber-terrorist intent on ruining a major financial institution or an entire state government's central computer. Well-financed, well-planned, and well-focused, and well-targeted. It could be a very severe situation far beyond the general hacker.
Security against cyber attacks will require far greater coordination and cooperation between private companies, the Federal and state government agencies, universities, and law enforcement. It will require entirely new protocols and an unprecedented level of trust and cooperation.
These aren't new issues, ladies and gentleman. As the Governor of Virginia, I wanted to give you some of the Virginia experience so that you can think about that as a model, although many of the states are doing similar things. But I want to talk to you a little bit about what we have done in Virginia so that you can use it as an example or a model.
Page 39 PREV PAGE TOP OF DOC
We have been concerned long before the last month's tragedies about the security of Virginia's critical infrastructure assets, and for a lot of good reasons. No other state or region has the concentration of public and private critical information assets as are found in Virginia.
A few examples: The Pentagon; Langley; two premiere national laboratories—NASA, Langley, and Jefferson Laboratories, both in the Hampton Roads Peninsula areas of Virginia; the only major shipyard capable of—or one of the major shipyards capable of building nuclear submarines, the only shipyard in America capable of building nuclear aircraft carriers, at Newport News; critical NATO facilities; the Federal Reserve Bank in Richmond; and many other critical sector types of situations in our state. Think only of Northern Virginia alone and you see the significance of this.
On the civilian and private side, more than 50 percent of the Nation's Internet traffic flows through a place called Mae East in Northern Virginia. I will not give you the address in the meeting. We are home to the highest concentration of critical data centers, including those of America Online, Worldcom, Global Crossing, Verisign's domain registry, and others. So we have thought about this just because of the concentration of potential targets that we see in our state. The security of these facilities and their significance for private sector operations far beyond Virginia's borders, has presented major issues for our state.
So two years ago, I directed Virginia's Secretary of Technology, Don Upson, to work closely with the Federal Critical Infrastructure Assurance Office in the Department of Commerce. It is called CIAO, I am told. The Director of that office, John Tritak, together with Secretary Upson, key members of the General Assembly, and a special advisory commission with private sector and university representation, that I established, and the Virginia Attorney General, are developing a plan that could serve as a blueprint, an example, a model.
Page 40 PREV PAGE TOP OF DOC
Under the Virginia plan, the first step is to catalog our critical information assets, public and private, real estate, and databases. As new assets come into operation, they will be added to that list. I would hasten to say to you that, at the national level, Mr. Chairman, nobody is doing that. It has never been done.
I asked the Secretary of Technology this morning, do we know where all the locations, the target locations, would be that would require protection in this country. And the answer is, no, we don't. It is grown up. It is nothing judgmental about this. This is something that has grown up in an evolutionary sort of way. But when you begin to focus on the terrorism side, you begin to recognize that that has not yet evolved—the security piece of it.
The second step is to propose a comprehensive program to manage each of those assets' unique risk. And the third step is to coordinate our preparedness with other states, industries, the public, and certainly the Federal Government that may depend upon the services and the capabilities of the assets.
All states need a plan like this and each plan needs to be woven into a national network so that the Nation's critical assets are catalogued, independent back-ups can be prepared at separate locations, and that each asset's connections to other critical functions can be understood in order to limit collateral damage with redundancies and firewalls. Included in that plan are important legislative and policy proposals to protect infrastructure about these assets.
For example, Virginia's Freedom of Information Act, our FOIA, restricts public access to security systems used to protect data and communications systems and even some engineering and construction drawings for public buildings. Not so in the Federal system. The Virginia FOIA framework is not perfect, but it does afford protections that the Federal Government and other states ought to think about.
Page 41 PREV PAGE TOP OF DOC
We have tapped the expertise housed in our universities to provide research and training. Two public universities in Virginia, James Madison University and George Mason University, are among seven universities designated nationally by the National Security Agency as centers of excellence for information security. That means that they have certified curriculum by the Department of the Defense and the National Security Agency with respect to people that they are graduating who can participate in this security type of activities. Richard Clarke, the President's new Cyber Security Advisor, has visited these universities and hopefully they will provide a blueprint for some other government agencies.
In terms of our governmental operations, we are in the process of deploying highly secure software so that information and attachments by e-mail over the Internet meet the highest Department of Defense security standards.
In fact, yesterday, a major pilot program to secure the e-mail of my office, as Governor of Virginia, and my cabinet, and the state police, was launched. And we hope to move quickly to get that across Virginia government. The cost is low, the application is seamless to the user, and the benefit, obviously, is very great.
Now, let me turn my attention, for a moment, from the Virginia example, back over to the national Panel. Our Panel undertook its first year of work just as the Nation was busily preparing for potential problems associated with Y2K. This experience allowed us a holistic counter-terrorism strategy that balances defenses for all kinds of threats—weapons of mass destruction, conventional weapons, and cyber weaponry. The temptation, when we began, was to think in terms of nuclear and bioterrorism. And we concluded very quickly that that is not a broad enough scope, that you have to think about all of it, including cyber.
Page 42 PREV PAGE TOP OF DOC
This conclusion has been verified by briefings from Federal officials and also most notably from states and from communities.
For example, we have documented, in a national survey of local first responders, fire, rescue, police and health organizations, their need for Federal assistance to strengthen their communications and computer systems against cyber attacks.
We also concur with the General Accounting Office's conclusion, reported in April 2001, that the FBI's National Infrastructure Protection Center has been hampered in its efforts to provide a universal cyber security program across all government agencies and particularly the private sector, and that more needs to be done to coordinate these Federal offices with bits and pieces of cyber security responsibilities.
Most importantly, the Panel focused on the level of coordination and multi-disciplinary advisory boards critical to resolving a patchwork quilt of public and private cyber security issues, and several of our recommendations will address this critical need.
The point I want to make is that, as our Nation develops a comprehensive national strategy to address our homeland security, our preparedness for conventional, weapons of mass destruction, and cyber attacks must be fully integrated at the community, state, and Federal levels and must include the participation of the private sector. All the stakeholders from the technology community must answer a call to arms. We have a wonderful industry in this country located in many of our respective states. They, too, must respond as partners in this national effort.
Page 43 PREV PAGE TOP OF DOC
So let me talk to you a little bit about a few of our recommendations. First, the White House recently announced new initiatives related to cyber security, including the creation of an interagency cyber security panel with representatives of 23 Federal agencies. This is a critical first step based upon the significant interdependencies between local, state, and Federal agencies, as well as the private sector in deterring, preventing, and responding to cyber-attacks, and all facets of terrorism. This begins to move toward a national solution.
Second, the complexity of the subject demands closer attention. We recommend that Congress create an independent advisory body, similar to the Panel that you have established that we are doing, to evaluate programs designed to promote cyber security and recommend strategies to the President and to you, the Congress. This advisory commission should conduct a thorough review of Federal statutes and to update statutes. We would envision a panel, very similar to the one that we have done, that can study these issues and make reasoned recommendations regarding executive branch coordination. And Governor Ridge can implement these statutory changes and present something for the Congress to implement.
I might say, by the way, our Panel is scheduled to go out of commission at the end of this year. The House of Representatives has recommended that it be extended. We are not lobbying one way or the other. We would be happy to serve, though, as we always have. I don't know what the Senate is going to do, but our guess is they probably will want to do that extension.
Third, cyber security is going to require an unprecedented partnership between the public and private sectors, very unusual, by the way, within the culture of America today and its government and organizations. Sharing of intelligence and real-time information concerning impending or on-going cyber attacks will be critical. One of the principal problems that we have identified in our report, not just in cyber, but everywhere, is the inability to share information across and up and down lines. It is very difficult to do.
Page 44 PREV PAGE TOP OF DOC
The private sector has legitimate concerns about their customers' privacy and confidence, as well as the value of their own proprietary information and earnings. So they are not—they are not encouraged to give information over to the Federal Government either, particularly in light of many of the conflicts that we have seen. At the same time, government agencies needing security critical data have responsibilities for protecting the people of the United States, so conflict is inevitable. Thus, we recommend that Congress create a not-for-profit entity that can represent the interests of all affected stakeholders, public and private, including national security, law enforcement and other government functions, business and industry interests, to provide cyber detection, and alert and warning functions.
Ladies and gentlemen, a seismic shift in our way of thinking and cooperating will be required. And so a not-for-profit organization devoted solely to these tasks is recommended.
Fourth, we recommend the establishment of a special cyber court patterned after the court established in the Foreign Intelligence Surveillance Act. Prosecutors and investigators are often impeded in their enforcement process because of the lack of effective procedures and understanding by many in the judiciary regarding the nature and urgency of cyber security. This is more the result of the rapid transformation into the information age than any kind of neglect. The court dedicated to cyber conduct can develop the needed expertise to act appropriately on investigative activities while, of course, ensuring our critical civil rights and civil liberties. So we envision that this will be an electronic, real-time secure method for prosecutors to contact a cyber judge so that they can make some applications that they need for further investigation.
Page 45 PREV PAGE TOP OF DOC
Fifth, we need an entity to develop and implement a comprehensive plan for research, development, test, and evaluation of processes to enhance cyber security. This is where the colleges and universities can have a dramatic impact. The Institute for Security Technology Studies at Dartmouth College is providing resources to form the basis for establishing an entity that can help with this research.
And, lastly, we recommend that all government agencies continue their Y2K offices as cyber security offices. Isn't that interesting? We spent all that money on Y2K, formed offices in all of the states. I can't even tell you today whether we ever had a threat there, but we have a threat now, and, yet, we shut down all those offices. Didn't we? Sent them all home, or, at least, re-deployed them. I took our people and re-deployed them in our Secretariat of Technology. What a perfect opportunity to re-put these things back together.
Now, Mr. Chairman, and, members of the Committee, so just to conclude now my testimony, the horrifying events that have changed the Nation forever—this is a watershed time, September the 11th, in the way we looked at things before and the way we look at things after. I don't think we need to be discouraged or concerned. We just have to just simply do things a little differently.
Terrorism attacked our freedoms that day. And, as we move to rebuild, we have to remember that the Internet and information technologies are tools of freedom and enablement for the 21st century. So we have to move swiftly to protect these tools, as well as the freedom and liberties that they represent.
Page 46 PREV PAGE TOP OF DOC
Our Panel concluded, after much debate over the past three years, that what we need are not major structural changes among Federal agencies or in our states and communities. This has set us apart from other reports. We don't believe you have to reorganize the government. We do believe that you have to marshal the efforts of millions of workers, the intellectual power housed in our universities, the entrepreneurial spirit of our private sector, toward a common goal of enhanced homeland security.
And we believe that the national office that we recommended that the President has set up, now led by Governor Ridge, will be able to facilitate and to play that role—to deter, protect, and defend, should our vigilance falter, to respond when attacks occur. And I think defense of freedom will require nothing less. Thank you, Mr. Chairman.
Discussion
Chairman BOEHLERT. Governor, let me on behalf of the entire Committee, as a matter of fact, the entire Congress, thank you for the very important national public service you have rendered. And I have no doubt that we will continue. As you indicated, the House has already given the blessing and I fully expect the Senate will too.
Secondly, let me praise you because I believe the state—the Commonwealth of Virginia was the first in the Nation to establish an office of a Secretary of Technology.
Governor GILMORE. Yes, sir.
Page 47 PREV PAGE TOP OF DOC
Chairman BOEHLERT. And let me further commend you for having the good judgment to appoint Don Upson to that very important and sensitive post. He comes from Capitol Hill and he is a dear friend and someone who is admired for his intellect, his vision, and so many other things. And I might add, he had the good training in New York.
Before—as I look at your testimony, let me point out a couple of things, if I may. On page three you note that prior to September 11, many people questioned whether national-state or rogue terrorists had the capability to disrupt our critical infrastructure on a wide scale. Since September 11, we must presume that they do.
Let me point out that this Committee, on a bipartisan basis, prior to September 11, recognized the importance of what you were saying in your first two reports and had already initiated action to develop the type of hearings that we are now having.
The Congress, all 435 in the House, and the 100 in the Senate, we are all spending a good deal of our time dealing with the crisis of the moment and trying, to the best of our ability, to come up with quick fixes. And that is understandable under the circumstances. But this Committee has to think longer range, because I am confident, as you are, that there will be a better tomorrow if we are well prepared. And that is why we are having the type of hearings we are having on such an important subject as cyber terrorism and cyber security.
I must also say, prior to September 11, when Mr. Hall or I would talk about this to some of our colleagues, it would elicit a muffled yawn because people just didn't really think in terms of something like cyber security having the ability to do serious damage to our basic infrastructure, to bring our financial community to its knees, etcetera, etcetera. The list goes on.
Page 48 PREV PAGE TOP OF DOC
But be that as it may, I—we are continuing, because this Committee looks long range. Obviously, we are looking to do everything we can, as quickly as we can. But we are also looking longer range.
We have been advised that the House will be closing after an 11:05 a.m. vote, which is anticipated. And, as I indicated prior to that, the Governor has agreed to return to the Committee, at a mutually convenient time, to respond to any questions and engage in a very important dialogue with us. And, in the meantime, we will have the advantage of absorbing fully your testimony and we will be developing our questions, and I look forward to that next session.
Dr. Ehlers would like recognition for a quick observation. Dr. Ehlers.
Mr. EHLERS. Thank you, Mr. Chairman. Actually, two observations. As one of the few nerds in the Congress, I spend a fair amount on this. And I have to tell you, Governor, this was the best summary of an action outline that I have heard or seen since I have come here. And I wanted to commend you and your group. It is just outstanding. The only thing I would add to it, I think hackers should also be considered terrorists and the penalties that hackers get should be commensurate with terrorist activity and not considered as vandals nor pranks.
The real purpose of my announcement—a few years ago, when the Chairman of this Committee was also Chairman of the Science and Technology Committee of the NATO Parliamentary Assembly, and I was a general repertoire, I wrote a report on the topic of information warfare and international security. It is in everyone's packet up here. I urge you to take a look at that too, and it may give you some insights on it. And in addition, there are copies of it on the table outside for members of the audience.
Page 49 PREV PAGE TOP OF DOC
Chairman BOEHLERT. Thank you very much, Dr. Ehlers.
Mr. EHLERS. Thank you, Mr. Chairman.
Chairman BOEHLERT. Mr. Hall.
Mr. HALL. Mr. Chairman, I will be brief. I think, Governor, that a couple of three years ago, you kicked off the effort to develop a cyber security plan and you have one that you are still working on. And I think you were among the leaders and you and Tom Ridge are not only personal friends, but professional friends. And I look forward to your working with our President and with Tom Ridge and with the American people to obtain the goal that you had enough foresight and vision. And I thank you for that and thank you for your public service.
Governor GILMORE. Thank you, Congressman.
Chairman BOEHLERT. And, finally, Governor, just let me point out that all your recommendations are well-taken and I can—I am convinced that this Committee will be a part of the effort to embrace them. But particularly, let me point out that your fifth recommendation is music to our ears because it endorses exactly what this Committee has been doing this year. We need an entity to develop and implement a comprehensive plan for research, development, test, and evaluation of processes to enhance cyber security in the same manner as we do for other potential terrorist attack.
So we are glad to have you as a partner to this effort. And, once again, let me conclude by thanking you profusely for the outstanding public service you are rendering for the Nation. And with that, this hearing is now adjourned.
Page 50 PREV PAGE TOP OF DOC
Governor GILMORE. Thank you, Mr. Chairman.
[Whereupon, at 11:10 a.m., the Committee was adjourned.]
Appendix 1:
Written Testimony
PREPARED STATEMENT OF GOVERNOR JAMES S. GILMORE, III
Introduction
Chairman Boehlert, Ranking Member Hall, members of the Committee, I would like to discuss with you the recommendations of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction, a national panel established by Congress in 1999.
For three years, it has been my privilege to work with a bipartisan group of experts in a broad range of fields—many from outside the Washington Beltway—including current and former federal, state and local officials and specialists in terrorism, intelligence, the military, law enforcement, emergency management, fire services, medicine and public health.
One member of our Panel—Ray Downey—served for years as the Chief of Special Operations for the New York City Fire Department. Ray was one of the first emergency responders to arrive at the World Trade Center on September 11. As of today, Ray is officially listed as ''missing,'' and our prayers go out to Ray and his family.
Page 51 PREV PAGE TOP OF DOC
The Panel has had nearly three years to study the threat of terrorism, deliberately and quietly without the pressure or blur often associated with a crisis, and we have fulfilled our statutory duty to report our findings to Congress and the President in two reports—the first report issued in December of 1999, and the second issued in December of 2000.
The Panel is preparing to send to the President and Congress an interim third report in the next several days to provide you the benefit of our current work, and a more detailed report in December.
I would like to summarize our key recommendations for you today, with special emphasis on our most recent recommendations and their impact on the Nation's preparedness for cyber attacks.
In light of the experience of September 11, let me say that our recommendations remain valid. What has changed is the urgency with which they should be implemented.
Summary of First & Second Report Recommendations
In our first report, we provided a comprehensive assessment of the actual threat of a terrorist attack on U.S. soil. . ..
First and foremost, we said the threat of a terrorist attack inside our borders—with unprecedented lethality—was inevitable and that the United States should prepare.
Page 52 PREV PAGE TOP OF DOC
We called for a national strategy to address the full spectrum of possible attacks—including cyber attacks.
And we stressed, at the outset of our work, the paramount importance of preserving our citizens' constitutional rights and civil liberties.
Our second report, issued a year later, in December of 2000, proposed about 50 recommendations for improving our Nation's preparedness against the threat of terrorism identified in our first report.
Most importantly, the second report emphasized the need for a national strategy. The federal government cannot address this threat alone. All levels of government as well as the private sector and our research universities have capabilities, resources, assets, experience and training that must be brought to bear in addressing this threat.
We also need new public and private partnerships—particularly in the protection of our Nation's communications and Internet infrastructure—because 80% of our Nation's infrastructure is owned and operated by the private sector.
And we called for creation of a national office for combating terrorism in the Executive Office of the President, with responsibility for developing and implementing a comprehensive national counter-terrorism strategy approved by the President.
President Bush has adopted this recommendation and has appointed the right man in Governor Tom Ridge to head this office.
Page 53 PREV PAGE TOP OF DOC
President Bush also has tapped a career professional in Richard Clarke to advise the White House on Cyberspace Security.
Understanding the Threat of a Cyber Attack
Prior to September 11, many people questioned whether nation-states or rogue terrorists had the capability to disrupt our critical infrastructures on a wide scale. Since September 11, we must presume they do.
Critical information and communication infrastructures are targets for terrorists because of the broad economic and operational consequences a shutdown can inflict.
Our banking and finance systems, our ''just-in-time'' delivery system for goods, our hospitals, our state and local emergency services. . .all of these critical services rely upon their information connections and databases to. . .each is critical to the American economy and health of our citizens. . .and each can be shut down or severely handicapped by a cyber attack.
Consider the economic disruption caused by four airplanes crashing into buildings:
Financial markets were shut down for over a week as companies struggled to restore communications and recover important IT assets;
Page 54 PREV PAGE TOP OF DOC
Trading was halted on our Nation's principal stock exchanges for nearly a week;
Telecommunications networks in and around New York City were so congested that emergency fire, medical, and police were unable to use cellular services for critical rescue and recovery efforts;
Companies and businesses suffered uncertainty that their communications systems would be available; and
The insurance sector's resources have been severely strained, raising concerns about their ability to provide sufficient levels of protection for cyber-based attacks in the future.
These were all collateral impacts for the information technology sector. Just imagine the impacts of a direct assault upon the information technology infrastructure.
Whether the threat manifests itself in the form of a physical attack against computer hardware and real property that houses critical portions of the Nation's Internet backbone, or in the form of a cyber attack against computer software and the Internet controls, America's cyberspace needs protection.
Protections against physical attacks will remain primarily conventional, such as security systems and security guards. The intelligence community also will have to detect plots and communicate that information to the private owners in enough time to permit security precautions.
Page 55 PREV PAGE TOP OF DOC
Of course, in the case of a catastrophic physical attack like September 11, back-up systems and redundancies must be in place.
But cyber attacks are more complex. Digital hijackers don't have to walk through metal detectors or occupy a cockpit to spark a cyber blackout.
We need only look at the consequences of cyber-hackers and recent viruses like Code Red and Nimda to contemplate the severe economic and governmental harm that could be inflicted.
The impact could be ten times greater if the hacker is a well-financed cyber-terrorist intent on ruining a major financial institution or an entire state government's central computer.
Security against a cyber attacks, therefore, will require far greater coordination and cooperation between private companies, the federal and state government agencies, universities, and law enforcement. It will require new protocols and an unprecedented level of trust and cooperation.
Virginia's Cyber Security Measures
These are not new issues. And as the Governor of Virginia, I have been concerned long before last month's tragedies about the security of Virginia's critical information assets, and for a very important reason: no other state or region has the concentration of both public and private critical information assets as are found in Virginia:
Page 56 PREV PAGE TOP OF DOC
the Pentagon
Langley,
two premiere national laboratories,
the only shipyard capable of building nuclear submarines at Newport News,
critical NATO facilities,
the Federal Reserve Bank in Richmond, and
many other critical public sector and Federal facilities.
On the civilian and private side, more than 50 percent of the country's Internet traffic flows through Mae East in Northern Virginia. We are home to the highest concentration of critical data centers, including those of America Online, Worldcom, Global Crossing, Verisign's domain registry, and others.
The security of these facilities—and their significance for public and private sector operations far beyond Virginia's borders—has presented a major issue for our State.
Therefore, nearly two years ago, I directed Virginia's Secretary of Technology, Don Upson, to work closely with the Federal Critical Infrastructure Assurance Office in the Department of Commerce.
Page 57 PREV PAGE TOP OF DOC
The Director of that office, John Tritak, together with Secretary Upson, key members of our General Assembly, a special advisory commission with private sector and university representation I established, and the Virginia Attorney General, are developing a plan that could serve as a blueprint for our national strategy.
Under the Virginia plan, the first step is to catalog our critical information assets—public and private, real estate and databases. As new assets come into operation, they will be added to the list.
The second step is to propose a comprehensive program to manage each asset's unique risk.
And the third step is to coordinate our preparedness with other states, industries, the public and certainly the Federal government that may depend upon the services and capabilities of each asset.
All states need such a plan, and each plan needs to be woven into a national network so that the Nation's critical assets are catalogued, independent back-ups can be prepared at separate locations, and each asset's connections to other critical functions can be understood in order to limit collateral damage through redundancies and firewalls.
Included in that plan are important legislative and policy proposals to protect critical and highly sensitive information about these assets.
Page 58 PREV PAGE TOP OF DOC
For example, Virginia's Freedom of Information Act restricts public access to security systems used to protect data and telecommunications systems and even some engineering and construction drawings for public buildings.
The Virginia FOIA framework is not perfect, but does afford protections the Federal government and other states should consider.
We also have tapped the expertise housed in our universities to provide valuable research and training today's security environment demands.
Two public universities in Virginia, James Madison University and George Mason University, are among seven universities designated nationally by the National Security Agency as centers of excellence for Information Security. .
Richard Clarke, the President's new Cyber Security Advisor, has visited these universities and hopefully they will provide a blueprint for other government agencies.
In terms of Virginia's government operations, we are in the process of deploying highly secure software so that information and attachments transmitted via e-mail over the Internet meets the highest Department of Defense security standards.
Yesterday, in fact, a major pilot project to secure the e-mail of my office and cabinet, and the state police, was launched. I hope to move quickly to extend this security across all Virginia government.
Page 59 PREV PAGE TOP OF DOC
The cost is low, the application is seamless to the user, and the benefit obviously is great.
Cyber Security Issues:
The national Panel I chair also has identified cyber security as a critical issue.
Our Panel undertook its first year of work just as the Nation was busily preparing for potential problems associated with Y2K.
This experience led us to consider a ''holistic'' counter-terrorism strategy that balances defenses for all types of threats: weapons of mass destruction, conventional weapons, and cyber weaponry.
This conclusion has been further validated by briefings from federal officials and most notably from states and communities.
For example, we have documented, in a national survey of local first responders—fire, rescue, police and health organizations—their need for federal assistance to strengthen their communications and computer systems against cyber attacks.
We also concur with the Government Accounting Office's conclusion, reported in April 2001, that the FBI's National Infrastructure Protection Center (NIPC) has been hampered in its efforts to provide a universal cyber security program across all government agencies and particularly the private sector—and that more needs to be done to coordinate the various federal offices with bits and pieces of cyber security responsibilities.
Page 60 PREV PAGE TOP OF DOC
Most importantly, the Panel focused on the level of coordination and multidisciplinary advisory bodies critical to resolving the patchwork quilt of public and private cyber security issues, and several of our recommendations directly address this critical need.
The point we want to make is that, as our Nation develops a comprehensive national strategy to address our homeland security, our preparedness for conventional, Weapons of Mass Destruction and cyber attacks must be fully integrated at the community, state and federal levels and must include the participation of the private sector—all relevant stakeholders from the technology community must answer a call to arms.
With this paradigm in mind, I would like to spend a few minutes outlining some of our recommendations regarding Cyber Security:
First, the White House recently announced new initiatives related to cyber security, including the creation of an interagency cyber security panel with representatives of 23 federal agencies. This is a critical first step. Based upon the significant interdependencies between local, state and federal agencies as well as the private sector in deterring, preventing and responding to cyber-attacks, and all facets or terrorism, there must be the capability to ensure significant input and representation from all ''stakeholders'' in the process. This will ensure an effective top-to-bottom national solution.
Second, the complexity of the subject demands closer attention. We recommend Congress create an independent advisory body similar to our Panel to evaluate programs designed to promote cyber security and recommend strategies to the President and Congress. This advisory commission should conduct a thorough review of federal statutes to update statutes implicated by homeland cyber security. We would envision a Panel much like ours that can study the issues and make reasoned recommendations regarding executive branch coordination for Governor Ridge to implement, and statutory changes for Congress to enact.
Page 61 PREV PAGE TOP OF DOC
Third, cyber security will require an unprecedented partnership between the public and private sectors. Sharing of intelligence and real time information concerning impending or on-going cyber attacks will be critical. The private sector has legitimate concerns about their customers' privacy and confidence, as well as the value of their own proprietary information and earnings. At the same time, some government agencies needing security critical data have responsibilities for protecting the people of the United States. Conflict is inevitable. Thus, we recommend that Congress create a not-for-profit entity that can represent the interests of all affected stakeholders—public and private—including national security, law enforcement and other government functions, business and industry interests to provide cyber detection, alert and warning functions. A seismic shift in our way of thinking and cooperating will be required, and so a not-for-profit organization devoted solely to the task of resolving these conflicts is recommended.
Fourth, we recommend the establishment of a special ''Cyber Court'' patterned after the court established in the Foreign Intelligence Surveillance Act (FISA). Prosecutors and investigators are often impeded in the enforcement process because the lack of effective procedures and understanding by many in the judiciary concerning the nature and urgency of cyber security. This is more the result of our rapid transformation into the information age than neglect. A court dedicated to criminal cyber conduct can develop the needed expertise to act appropriately on investigative activities while ensuring the protection of civil rights and liberties. We envision and electronic, real time and secure method for prosecutors to contact a ''cyber judge'' on short notice using a process similar to FISA applications.
Fifth, we need an entity to develop and implement a comprehensive plan for research, development, test and evaluation of processes to enhance cyber security in the same manner as we must do for other potential terrorist attacks. This is where our colleges and universities can have a dramatic impact not only in developing needed immediate capacity, but in training the next generation of ''cyber soldiers'' to protect our critical information systems and infrastructures. The Institute for Security Technology Studies at Dartmouth College is providing resources to form the basis for establishing such an entity. This effort cannot and should not be the role of one but rather a publicly-funded consortium of many not-for-profit universities and think-tanks.
Page 62 PREV PAGE TOP OF DOC
Sixth, we recommend that all government agencies continue their Y2K offices as ''cyber security offices.''
Conclusion—A New Approach to Freedom
Mr. Chairman and Members of the Committee, the horrifying events of September 11th have indeed changed our Nation forever.
Terrorism attacked freedom that day. And, as we move to rebuild, we must remember that the Internet and information technologies are tools of freedom in the 21st century. We must move swiftly to protect those tools as well as the freedom they represent.
Our Panel concluded, after much thoughtful debate over the past three years, that what we need are not major structural changes among federal agencies or in our states and communities.
Rather, we need to marshal the efforts of millions of government workers, the intellectual power housed in our universities, and the entrepreneurial spirit of our private sector toward a common goal of enhanced Homeland Security to deter, prevent, detect, and should our vigilance falter, to respond when attacks occur.
Defense of freedom will require nothing less.
The President has put in-place the structure. Governor Ridge is developing the strategy. And it is incumbent upon all of us to assist in its implementation in the defense of freedom and the American way of life.
Page 63 PREV PAGE TOP OF DOC
Thank you.
BIOGRAPHY FOR GOVERNOR JAMES S. GILMORE, III
77603a.eps
Jim Gilmore was elected Virginia's 68th Governor in November 1997 on a philosophy of cutting taxes and providing all children in Virginia with quality education. Since taking office, Governor Gilmore has provided steady, conservative leadership that has resulted in the largest tax cut in Virginia history, implementation of Virginia's nationally acclaimed Standards of Learning, and a safer, more prosperous Commonwealth, leading to the creation of 175,000 new jobs.
Governor Gilmore's principled vision focuses on the well being of Virginia's working families. He believes all Virginians should have the opportunity to succeed personally and in their work life. Through tax relief and quality education, and by safeguarding individual liberties, the Governor is empowering people to chart their own course for the future. Governor Gilmore's principal goal is fostering unity among people within the state, leaving no citizen behind. As Governor, he has been successful in expanding Virginia's economic reach by leading trade delegations to Asia, Europe and South America. In Virginia, Governor Gilmore has hosted Presidents Hosni Mubarak of Egypt and Mary McAleese of Ireland.
Governor Gilmore served as chairman of the federal Advisory Commission on Electronic Commerce, a panel that reported directly to Congress on the future of Internet taxation. The Governor heads the Congressional Advisory Panel to Assess Preparedness for Weapons of Mass Destruction and is chairman of the Southern States Energy Board. He serves on the Technology Committee of the National Governors' Association. Governor Gilmore is the vice-chairman of the 30-member Republican Governors Association and was recently appointed by Texas Governor George W. Bush and the Republican National Committee to co-chair the Victory 2000 national election effort.
Page 64 PREV PAGE TOP OF DOC
Historic Tax Relief
Governor Gilmore is fulfilling his campaign promise to eliminate the onerous property tax on the first $20,000 value of all personally owned cars and trucks over a five-year period, 70 percent being eliminated by 2001. By the year 2002, more than 90 percent of Virginians will pay no car taxes. In addition, the Governor was successful in his drive to begin cutting the state sales tax on food by more than half, alleviate the state tax burden on active military personnel, reduce the sales tax on Internet software and hardware, and remove the state sales tax on non-prescription drugs. Since taking office the Governor has cut 16 different taxes. By 2002, Virginians will receive more than $1.5 billion in tax relief per year.
Quality Education
Educated in public schools, Governor Gilmore is working to provide the best possible education for all of Virginia's children. The Governor has overseen the implementation of Virginia's highly acclaimed Standards of Learning (SOLs)—a program designed to give students a solid academic foundation in core subjects such as Math, Science, English and History. To assist schools in the implementation of the SOLs, the Governor established Best Practice Centers throughout Virginia that provide teacher training services, resource materials, and diagnostic assistance to local school divisions that request assistance. Governor Gilmore is also committed to overseeing the successful implementation of these rigorous new academic standards to make sure students are learning and teachers and school administrators are accountable.
Page 65 PREV PAGE TOP OF DOC
This year, Governor Gilmore proposed and signed an Early Reading Initiative designed to assess the literacy needs of children in kindergarten and first grade and correct reading deficits by the end of the first grade. Furthermore, the Governor has successfully passed and implemented legislation ensuring all revenue raised from state lottery proceeds will be returned to localities for public education, including aid for school construction and renovation, books, additional teachers and teachers' salaries. Governor Gilmore continues to work to provide 4,000 new classroom teachers in Virginia's elementary schools.
Governor Gilmore's goal is to ensure the state's public colleges and universities are held accountable to the taxpayers who fund these public institutions. He has cut tuition and fees at Virginia's public colleges and universities by 20 percent. He also continued the freeze on tuition costs at Virginia's colleges and universities, and increased the maximum Tuition Assistance Grant award to $3000 per student at Virginia's independent colleges by 2001.
This year, Governor Gilmore provided $26 million in new funding for Virginia's historically black universities, Norfolk State University and Virginia State University, to enhance the institutions' quality of education and attract the best and brightest minds to Virginia.
Connecting to the Future
Virginia is the birthplace of the Internet and is a world leader in information technology. With Virginia's global technology community expanding at a rapid pace, Governor Gilmore is fostering a strong relationship between government and the technology community. He appointed a Secretary of Technology—the Nation's first cabinet-level technology post.
Page 66 PREV PAGE TOP OF DOC
Governor Gilmore established the Governor's Commission on Information Technology, a group that has already made recommendations on Internet policy, resulting in the Nation's first comprehensive state Internet policy. The seven pieces of legislation comprising this policy: incorporate unsolicited bulk electronic mail (spam) violations into the Computer Crimes Act; formally establish the Secretary of Technology; extend the Privacy Protection Act to the Internet; enhance penalties for the use of encryption in committing crimes; and extend state law to allow requested information sought under Virginia's Freedom of Information Act to be posted on the Internet or sent via electronic mail. As the chairman of the federal Advisory Commission on Electronic Commerce, a Congressional panel that studied e-commerce tax policy, Governor Gilmore submitted a report urging Congress to keep the Internet tax-free, repeal the century old tax on telecommunications and close the ''digital divide''.
Public Safety
Over the past six years, Virginia has led the Nation in numerous public safety reforms such as the abolition of parole, juvenile justice reform, habeas reform, and ''Three Strikes and You're Out.''
Through Governor Gilmore's leadership, Virginia became the first state in the Nation to implement a statewide version of ''Project Exile''—a program that calls for mandatory minimum five-year sentences for gun-wielding felons. Under Governor Gilmore's leadership, Virginia Exile has become the national model for anti-gun crime efforts. To fight the drug crisis in Virginia, Governor Gilmore has implemented the Substance Abuse Reduction Effort (SABRE), a comprehensive initiative that strengthens enforcement, treatment and prevention efforts.
Page 67 PREV PAGE TOP OF DOC
Inclusiveness
Governor Gilmore has made reaching out to all Virginia's communities a top priority of his administration. In addition to major funding increases for Virginia's historically black colleges over the last two years, Governor Gilmore succeeded this year in ensuring Martin Luther King, Jr. be honored on a holiday separate from the day Virginia remembers its Civil War generals. He has made black history a key to his Virginia tourism efforts, providing funding for the African-American Heritage Trail and the National Slavery Museum at Jamestown. Under the Governor's direction, Virginia is aggressively marketing African-American tourist sites to make the Commonwealth one of the Nation's leading African-American tourist destinations.
Background
A native Virginian, Jim Gilmore was born in Richmond on October 6, 1949. The son of working class parents, he grew up in Richmond's historic Fan District. He attended J.R. Tucker High School in Henrico County and worked as a grocery store cashier to help pay for his college education at the University of Virginia.
Governor Gilmore graduated from the University of Virginia in 1971 with a degree in Foreign Policy. He then volunteered for the U.S. Army. Upon graduating with honors from the Army Intelligence School and completing the Defense Language Institute in Monterey, CA, where he learned to speak fluent German, he joined the 650th Military Intelligence Group. Stationed in Mannheim, West Germany, Governor Gilmore served his country in counterintelligence and was awarded the Joint Service Commendation Medal for service to the North Atlantic Treaty Organization.
Page 68 PREV PAGE TOP OF DOC
After his Army tour was completed, Gilmore returned to Virginia and entered the University of Virginia Law School. He graduated from UVA Law School in 1977. After a decade of civic and community involvement as an attorney and small businessman, Jim Gilmore was elected in 1987 as Commonwealth's Attorney for Henrico County. He was overwhelmingly re-elected in 1991. After earning a solid reputation for fighting crime, he was elected Virginia's Attorney General in 1993, receiving 56 percent of the vote in what was supposed to be a close election. He served Virginians well as Attorney General and achieved real accomplishments in the areas of education, consumer protection, public safety, and the environment. As Attorney General, he led a nationwide effort to stop arson against African-American churches.
Governor Gilmore is married to Roxane Gatling Gilmore of Suffolk. Roxane is a teacher who has taught in public schools and currently teaches at Randolph-Macon College in Ashland. The Gilmore's are the parents of two boys, 13-year-old Ashton, and Jay, who is 17. They are members of River Road Methodist Church, located in Richmond.
Appendix 2:
Additional Material for the Record
77603b.eps
77603c.eps
77603d.eps
Page 69 PREV PAGE TOP OF DOC
77603e.eps
77603f.eps
77603g.eps
77603h.eps
77603i.eps
77603j.eps
77603k.eps
77603l.eps
77603m.eps
77603n.eps
77603o.eps
77603p.eps
Page 70 PREV PAGE TOP OF DOC
77603q.eps
77603r.eps
77603s.eps
77603t.eps
77603u.eps
77603v.eps
77603w.eps
77603x.eps
77603y.eps
77603z.eps
77603aa.eps
77603bb.eps
77603cc.eps
Page 71 PREV PAGE TOP OF DOC
77603dd.eps
77603ee.eps
77603ff.eps
77603gg.eps
77603hh.eps
77603ii.eps
77603jj.eps
77603kk.eps
77603ll.eps
77603mm.eps
77603nn.eps
77603oo.eps
Page 72 PREV PAGE TOP OF DOC
77603pp.eps
77603qq.eps
77603rr.eps
77603ss.eps
77603tt.eps
77603uu.eps
77603vv.eps
77603ww.eps
(Footnote 1 return)
In 1995 the religious group Aum Shinrikyo released sarin nerve gas on the Tokyo subway in an attempt to kill large numbers of people. The event is thought to be the first non-state sponsored effort to use a weapon of mass destruction against a civilian population. For more information, refer to ''The Cult at the End of the World: The Incredible Story of Aum'' by David E. Kaplan and Andrew Marshall.
(Footnote 2 return)
In order to ensure accuracy and clarity the Gilmore Commission substituted the term weapons of mass destruction (WMD) for chemical, biological, radiological or nuclear weapons (CBRN).
(Footnote 3 return)
The Commission noted that several major metropolitan areas have developed communications systems that in conjunction with the CDC National Electronic Disease Surveillance System (NEDSS) might serve as the basis for a national standard.