 Page 1       TOP OF DOC

??–???
2002
  
[H.A.S.C. No. 107–31]

HEARINGS

ON

NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2003—H.R. 4546

AND

OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

BEFORE THE

COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES

ONE HUNDRED SEVENTH CONGRESS

SECOND SESSION

MILITARY READINESS SUBCOMMITTEE HEARINGS
ON
TITLE III—OPERATION AND MAINTENANCE

HEARINGS HELD
MARCH 7, 8, 13, and 14, 2002


MILITARY READINESS SUBCOMMITTEE

JOEL HEFLEY, Colorado, Chairman
CURT WELDON, Pennsylvania
SAXBY CHAMBLISS, Georgia
WALTER B. JONES, North Carolina
BOB RILEY, Alabama
DUNCAN HUNTER, California
JAMES V. HANSEN, Utah
J.C. WATTS, Jr., Oklahoma
VAN HILLEARY, Tennessee
JIM GIBBONS, Nevada
HEATHER WILSON, New Mexico
ROB SIMMONS, Connecticut
MARK STEVEN KIRK, Illinois

SOLOMON P. ORTIZ, Texas, Ranking Democrat
LANE EVANS, Illinois
ROBERT A. UNDERWOOD, Guam
JAMES H. MALONEY, Connecticut
MIKE McINTYRE, North Carolina
CIRO D. RODRIGUEZ, Texas
ROBERT A. BRADY, Pennsylvania
BARON P. HILL, Indiana
SUSAN A. DAVIS, California
RICK LARSEN, Washington

Mary Ellen Fraser, Counsel
Diane W. Bowman, Staff Assistant

C O N T E N T S

CHRONOLOGICAL LIST OF HEARINGS
2002

HEARINGS:
    Friday, March 8, 2002, Fiscal Year 2003 National Defense Authorization Act—Information Assurance Issues

APPENDIXES:
    Friday, March 8, 2002

FRIDAY, MARCH 8, 2002
FISCAL YEAR 2003 NATIONAL DEFENSE AUTHORIZATION ACT—INFORMATION ASSURANCE ISSUES

STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

    Hefley, Hon. Joel, a Representative from Colorado, Chairman, Military Readiness Subcommittee
    Ortiz, Hon. Solomon P., a Representative from Texas, Military Readiness Subcommittee

WITNESSES

    Cuviello, Lt. Gen. Peter M., Chief Information Officer, U.S. Army
    Davidson, Mary Ann, Chief Security Officer, Oracle Corporation
    Gilligan, John M., Chief Information Officer, Department of the Air Force
    Meyerrose, Maj. Gen. Dale W., Director, Command and Control, U.S. Space Command
    Mines, Robert F., Senior Vice President, Engineering, Entercept Security Technologies, Inc.
    Porter, Daniel E., Chief Information Officer, Department of the Navy
    Wells, Linton, II, Principal Deputy Assistant Secretary of Defense for Command, Control and Communications, Department of Defense

APPENDIX

PREPARED STATEMENTS:
Cuviello, Lt. Gen. Peter M.
Davidson, Mary Ann
Gilligan, John M.
Meyerrose, Maj. Gen. Dale W.
Mines, Robert
Porter, Daniel E.
Wells, Linton

DOCUMENTS SUBMITTED FOR THE RECORD:
[There were no Documents submitted for the Record.]

QUESTIONS AND ANSWERS SUBMITTED FOR THE RECORD:
[There were no Questions and Answers submitted for the Record.]

INFORMATION ASSURANCE ISSUES

House of Representatives,
Committee on Armed Services,
Military Readiness Subcommittee,
Washington, DC, Friday, March 8, 2002.

    The subcommittee met, pursuant to call, at 2:00 p.m., at the Elkhorn Conference Center, Fort Carson, Colorado, Hon. Joel Hefley (chairman of the subcommittee) presiding.

OPENING STATEMENT OF THE HON. JOEL HEFLEY, A REPRESENTATIVE FROM COLORADO, CHAIRMAN, MILITARY READINESS SUBCOMMITTEE

    Mr. HEFLEY. This morning the subcommittee had an interesting, and what I would consider a successful hearing on military training. This afternoon, we will address the more focused, but equally significant issue of information assurance, a significant component of military readiness.

    The Department of Defense tells us that information assurance is an essential element of its ability to sustain operational readiness. The need for accurate and reliable information is obvious. The consequence of obtaining and relying on inaccurate and unreliable information is also painfully obvious.

    This afternoon we will have two panels of senior DOD, military, and private sector officials to discuss what is necessary to achieve information assurance. We will hear testimony on policy, procedures, resources, and the tools available from the private sector.

    I am concerned with the information assurance of the Department of Defense. From May 2000 to September 2001, the General Accounting Office, the Defense Inspector General, along with the individual military service inspectors general, have together released 61 reports criticizing the information assurance programs within the federal government and DOD, including 13 DOD IG reports that found material weakness in the policy, procedures, and practice of information assurance. I find these negative reports especially troubling for such an important national security problem.

    In the budget request for fiscal year 2003, the Department of Defense is requesting approximately $1.94 billion for its various information assurance programs. Information assurance is not a specific program, and for purposes of budgeting, DOD and the military services use differing terminology which makes it difficult to track the budget estimate. The $1.94 billion is DOD's best guess at the funding level for next year. It has come to my attention that even this guesstimate may only at best be sufficient to meet basic requirements for information assurance programs next year.

    Among—along with examining the management and budgetary problems that face DOD today, we are also going to examine and learn about information technology and information assurance products. Almost all systems, applications, operating systems, firewalls, routers, and enterprise applications that DOD purchases come from the private sector; and they all have varying capabilities and limitations with respect to information technology security.

    We would like to hear about the quality of these products, and how does the continuous need to patch holes and fix bugs affect DOD's information security. Also, we would like to hear about the steps the federal government is doing to ensure the integrity of some of these products, and how the private sector is responding.

    We are honored to have the witnesses with us today, and I would like to turn to Mr. Ortiz and see if he has a statement.

STATEMENT OF THE HON. SOLOMON ORTIZ, A REPRESENTATIVE FROM TEXAS

    Mr. ORTIZ. Thank you, Mr. Chairman. I join you in welcoming all of you to this hearing today.

    Information assurance undergirds every aspect of our national security. Not only is it core to traditional information operations of war fighting, it is an issue that is key to successful execution of the newly-declared war on terrorism.

    As I listen to briefings on how we have been conducting operations in Afghanistan, I cannot imagine how we could be conducting operations without being concerned about information assurance. I am also curious about how we can successfully provide for protection of critical infrastructure or ensure effective homeland defense activities with the myriad of federal, state, and local government organizations and agencies without an effective information assurance program.

    For all practical reasons, information assurance is not a new subject. The increased reliance on information in the military and the incorporation of even more advanced weapons concepts has placed increased emphasis on this area. I know that the service has given great thought to this area over the years, to include conducting studies, but I recommend establishing specific elements to address information assurance.

    I look forward to hearing more about those efforts, establishing for me that we have the right people here to provide such information. I believe that the greater challenge lies in how we stay ahead of potential adversaries in this area. It is highly complex and technical. It is also a most dynamic area, and we cannot afford to sit where we are today and expect to be successful. It requires a healthy budget and a willingness to devote the resources needed. It requires that we maximize the capabilities of not only our active and reserve component personnel, but also commercial enterprises that have invested much effort to this matter.

    I am familiar with what the Navy and the Marine Corps are attempting to do with the Navy-Marine Corps Intranet concept. Even the approach alone will not last forever. For that reason, I am pleased that the Readiness Subcommittee is providing an opportunity for us to learn how industry is addressing information assurance. Our forces, when called upon, habitually perform well. It would be a tragedy if, through failure of the leadership to effectively address information assurance concerns, we diluted their efforts and detracted from their remarkable selfless and honorable service to this nation. I look forward to listening to your testimony, and thank you for joining us today.

    Mr. HEFLEY. The panel—the first panel will be composed of the Honorable Dr. Linton Wells, Principal Deputy Assistant Secretary of Defense, Command and Control and Communications; Lieutenant General Peter Cuviello. And I know I did not pronounce that right, General, but—

    General CUVIELLO. Cuviello. It is Italiano.

    Mr. HEFLEY. All right. Good. Chief Information Officer, Deputy of the Army; Mr. Dan Porter, Chief Information Officer, Department of the Navy; Mr. John Gilligan, Chief Information Officer, Department of the Air Force; and Major General Dale Meyerrose—

    Major General MEYERROSE. Yes, sir. Meyerrose.

    Mr. HEFLEY. Meyerrose. Okay. And so I think we will turn now to Dr. Wells, and we will begin and move down the line that way.

STATEMENT OF THE HON. LINTON WELLS, II, PRINCIPAL DEPUTY ASSISTANT SECRETARY OF DEFENSE FOR COMMAND, CONTROL, AND COMMUNICATIONS, DEPARTMENT OF DEFENSE

    Mr. WELLS. Thank you, Mr. Chairman. I appreciate the chance to be here. Mr. Stenbit, the Assistant Secretary of Defense for C3I, regrets he cannot be here, and asked me to extend his regrets to the committee.

    Secretary Rumsfeld, when he laid out his goals for transformation of the department, outlined six areas in which we needed to emphasize transformation. One of those was leveraging information technology. At the same time, recognizing we are moving to a more network centric environment, the security of our networks and the ability to actively defend them was the second of these six transformational goals. So fully one-third of the transformational goals of the department directly affect on the business the committee is looking at today.

    Building on this, Mr. Stenbit, the Assistant Secretary, looked at three principal ways to achieve these. And the first is to build a network, a wide band width, secure, worldwide network which people will use and trust, into which they will put their information. The second piece is to populate that network with information of value to the war fighter; for example, not just intelligence information, but Blue Force locators, personnel, medical logistics, all the information one needs to conduct the business of the department.

    The third then is deny your opponent the same advantages, both by defending your own network and by attacking his. Thus, information assurance is critical, in that if people do not trust this network from the beginning, they will not post their information to it. And posting the information to it is the only way that we are going to get away from the present stovepipe way of handling information. It is mine; I am not going to share it with anyone. You get the network, you post it. So trust is an absolute prerequisite for that, and the security is the bedrock on which the trust is built. So this aspect of securing our networks, the information assurance is one of the key foundations to the entire transformation of the Defense Department.

    Information assurance, from our perspective, really consists of five elements. The networks must be available when needed. The information, then, must maintain its integrity. You must be able to authenticate the information—the users of the network. You have to maintain its confidentiality, and there has to be an aspect of non-repudiation; meaning that if you sign contracts electronically, you have to be sure that the person is actually conducting the transaction electronically, just as they would be in person.

    This involves the critical infrastructure that keeps the network secure, on which the network depends. And so there is a large measure of integration between the public and private sectors in this. We depend for something like 95 percent of our communications on the public switched network; it will ride the public switched network. It is important to its life. Therefore, there have to be these sorts of public-private sector partnerships.

    As such, it becomes very important that we increase the security of those private sector products. We have been very encouraged by some of the recent statements by industry leaders, that they will emphasize security as an integral part of their product equal to functionality. We remain—we look forward to seeing the proof of those statements in the security of the products as they come out. This is just a new attitude, in many respects, on the part of the industry, and we hope that it will be carried forward.

    In the meantime, though, we have a number of mechanisms to try to ensure that our networks remain secure, even in the face of insecurities of individual components. There is something called the Information Assurance Vulnerability Assessment, or IAVA. And in the IAVA process, wherever a vulnerability is identified, whether it is identified in the press, whether it is identified to us confidentially from industry, whether it is identified by our own mechanisms, the word is put out to the various components that here is a vulnerability that needs to be fixed, and that vulnerability then comes back and is tracked. And I think we have made a lot of progress, since 1998, when this system was first put in place, in being to get—being able to understand the status of our networks.

    In particular, if you look at the recent—the current problem with something called SNMP, the Simple Network Management Protocol, and also some of the recent viruses, like Code Red and others, the Defense Department networks have been relatively more secure than their civilian counterparts, and I think that is due, in large measure, to not only the terrific job that my colleagues here on the panel are doing, but also the structured processes that have been built up over the past several years to address these.

    There is also something called the NIAP, the National Information Assurance Partnership. And this is jointly done by the National Institute of Standards and Technology and the National Security Agency (NSA) to evaluate commercial products. Beginning this summer, we will require that commercial products used in DOD systems will have to—excuse me, I am sorry, secure systems will have to be certified through the NIAP process. And so this will be a significantly larger lever than we have had in the past.

    Mr. Chairman, I know there are many other questions you would like to ask, but let me stop here with my statement. Thank you.

    Mr. HEFLEY. Okay, thank you.

    General.

    [The prepared statement of Mr. Wells can be found in the Appendix on page ?.]

STATEMENT OF LIEUTENANT GENERAL PETER M. CUVIELLO, CHIEF INFORMATION OFFICER, DEPARTMENT OF THE ARMY

    General CUVIELLO. Mr. Chairman, members of the subcommittee, I am Pete Cuviello, and I am the Chief Information Officer, but also I am the G6 of the Army, which is the Director of Command, Control, Communications, and Computers. So my area realms all the way from the very top of the business systems, down to the tactical systems on the battlefield.

    The Army's vision has three tenets: it is people, readiness, and transformation. People are first. Our information assurance team consists of active military, Army Guard, Army Reserve, our Army civilians, and our industry partners. The combined cooperative efforts of this team recruits, trains, and works to retain this pool of highly trained information assurance professionals who are the bedrock of the Army's knowledge enterprise, both from a reliability, a survivability, and a security standpoint.

    The readiness of the Army to command and control our deployed forces, and to rapidly respond to any potential homeland security threat depends on our information assurance capabilities. Since 1994 the Army has conducted advanced war fighting experiments that have demonstrated the importance of transforming the Army into a network centric information dominant force.

    In 2001, the Fourth Infantry Division, stationed in Ft. Hood, Texas, completed a series of division capstone exercises where information assurance capabilities and protecting command and control and communications systems were proven. This digitization effort, combined with information assurance, provides the combat multiplying effect by safeguarding realtime situational awareness and our information systems.

    Our nation's information technology revolution continues to enable Army transformation. The Army maintains a longstanding and cohesive relationship with our partners from industry and academia. This relationship is vital to the development and the implementation of emerging technologies.

    The private sector has supported the Army's information assurance program in several ways. Industry has played a key role in the development of information assurance tools, and has developed information systems and network protection measures under their own research and development programs. Several Department of Defense programs have been established to leverage commercial, off-the-shelf capabilities, while safeguarding our information systems and our communications networks.

    The National Information Assurance Partnership, as Dr. Wells mentioned, has become an important element in evaluating the effectiveness of information assurance products. The long-term goal of the NIAP is to assist in ensuring the security of information, technology systems, and networks through cost-effective testing, evaluation, and validation programs.

    The National Security Telecommunications and Information Systems Security Policy Number 11 requires the DOD, as Dr. Wells said, to acquire commercial off-the-shelf information assurance (IA) and IA-capable products that have undergone this formal evaluation product. Specifically, the Army requires its users to purchase only approved IA categories of tools through an Army enterprise blanket purchase agreement.

    Today, technology changes at an unprecedented rate. Tremendous advances in hardware, all-too-frequent software upgrades, exponential growth in network connectivity, and the expansion of the wireless technologies are examples of the rapidly changing environment we live in. To be effective, information assurance must keep the pace with these technological changes. We have received significant help from you in Congress and from DOD agencies, but this process must be streamlined. Current resourcing is, at best, reasonably sufficient to meet basic requirements.

    The Army's information assurance road ahead includes several programs that are significantly improving our network security. These initiatives include employing biometrics and the public key encryption across the Army's networks. Additionally, as the DOD lead for cyber protection of homeland security, we are working with the critical information assurance office just set up, the National Guard, and state governments, to coordinate national information, processes, and shared experiences, to protect the state's critical infrastructure from cyber attack.

    The employment of an enterprise concept is embodied in the Army's knowledge management framework. The execution of this concept through the focused use of a single Army knowledge portal and organizing ourselves with a single community of management and operations practice will allow us to further develop our enterprise organizations, its missions and its functions. This is already bearing fruit in allowing us to make a much easier incorporation of information assurance.

    I know I have kept it at the higher level, but I am ready to come down from 10,000 feet with your questions, and answer any specific as they come up. The Army is very grateful to you all for your support in our information assurance, and in the readiness of our Army. Thank you very much.

    Mr. HEFLEY. Thank you.

    Mr. Porter.

    [The prepared statement of General Cuviello can be found in the Appendix on page ?.]

STATEMENT OF DAN PORTER, CHIEF INFORMATION OFFICER, DEPARTMENT OF THE NAVY

    Mr. PORTER. Chairman Hefley and distinguished members of the Military Readiness Subcommittee, thank you for the opportunity to appear before you today. I have provided a written statement for the record, and would like to use this time to briefly highlight some key points.

    The availability and integrity of information has long been a top priority for the Navy-Marine Corps team, and is absolutely crucial to our goals of network centric warfare and information superiority. We are focused on a comprehensive, full-dimensional protection strategy that brings together information assurance, critical infrastructure protection, and privacy efforts.

    Our information assurance approach is based on the fact that we are not just bolting it on, we are building it in as a fundamental element of our information technology efforts. The Navy-Marine Corps Intranet substantially improves our information assurance posture. This enterprise network provides a single security architecture, performance measurement, red teaming to assess our strengths and vulnerabilities, and the use of public key infrastructure digital certificates on the Department of Defense common access card. The Navy-Marine Corps Intranet (NMCI) will secure—enable secure information exchange and collaboration, with the added benefit of positively identifying network users to mitigate insider threat concerns.

    The Navy-Marine Corps Intranet information strike force industry team brings to bear skilled information assurance experts in addition to our own. Partnerships with private industry, leveraging their strengths as we have done with the Navy-Marine Corps Intranet, are a requirement for success in the highly dynamic information technology sector.

    We are also working closely with vendors of wireless mobile devices, such as the Blackberry two-way pager, to ensure that even if their radio transmissions are intercepted by third parties, that encryption protection keeps that information safe from eavesdroppers. Our critical infrastructure protection efforts have included the development of a ground-breaking tool for Navy and Marine Corps activities to assess and remediate vulnerabilities in the physical and information infrastructures that they rely upon.

    At the same time, we have turned our attention toward privacy issues, and protecting personally identifying information. Information assurance is integral to our readiness, and we are working hard to ensure that sailors, Marines, and civilians are trained and ready, from providing our military personnel with opportunities to train side-by-side with industry experts at our Navy-Marine Corps Intranet network operations centers, to providing a wide range of formal training and educational opportunities at the Naval Academy and Navy Postgraduate School.

    Last year we announced the creation of the Information Professional Community for Naval Officers, ensuring that this cadre receives continuing education and professional development.

    Thank you for the strong, continuing support that this committee has provided. I am happy to answer any questions, and look forward to continuing to work with you on this important initiative.

    Mr. HEFLEY. Mr. Gilligan.

    [The prepared statement of Mr. Porter can be found in the Appendix on page ?.]

STATEMENT OF JOHN M. GILLIGAN, CHIEF INFORMATION OFFICER, DEPARTMENT OF THE AIR FORCE

    Mr. GILLIGAN. Mr. Chairman, distinguished members of the subcommittee, I appreciate the opportunity to share with you a brief summary of what the Air Force is doing in information assurance.

    A primary emphasis of the Air Force's transformation of how we conduct air and space operations is to more effectively leverage electronically stored and transmitted information. The Air Force believes that improved access and use of information holds the key to allowing us to shorten military response times, and to deal with asymmetric threats. In fact, we are seeing significant benefits of our focus on better use of information in the current war in Afghanistan.

    In light of this emphasis, the Air Force is increasingly concerned about protecting our information, and the systems and networks that we use to process and transmit the information. People are the backbone of our information assurance capability, and we take their training and retention seriously. We are training and formally certifying our information assurance workforce, employing the proven methods used to train and mission certify our air crew members.

    Retention of our most experienced enlisted personnel continues to be a major challenge. We are using reenlistment bonuses for our information assurance specialists to help ease this situation. In addition, we are committed to providing information assurance training across the entire Air Force. We are now in our second annual information assurance campaign.

    We have a robust set of tools that we have fielded at each of our bases to provide boundary protection, authentication, and access control for authorized users, as well as monitoring of our networks and systems. We have encrypted all inter-base communications traffic using virtual private network technology. This capability significantly reduces our exposure to external attacks and common Internet vulnerabilities such as recently found with the System Network Monitoring Protocol, or SNMP. To complement the protection capabilities at our bases, we have a world class computer emergency response capability, or AFCERT, in San Antonio, Texas.

    Progress in information assurance does not happen without smart investments, and the Air Force has made significant investments in our information assurance capabilities. For fiscal year 02, the Air Force has allocated over $227 million for direct support to our information assurance efforts. We have targeted investments in hardware and software information assurance tools, expanding our cyber defense operations at our AFCERT, fielding of public key infrastructure and common access cards, training of our Air Force personnel, as well as research and advanced protection tools and methods. Our annual investment in information assurance will almost double over the next few years, as we replace outdated cryptographic equipment, enhance our systems and network protection and management tools, and fully field our public key infrastructure.

    During 2001, the number of suspicious network connection attempts that we tracked rose to over one billion incidents within the Air Force. This is a threefold increase over the previous year. Fortunately, the rate of successful connections by an unauthorized outsider decreased to one unauthorized access for every 84 million suspicious connection attempts, versus one for every 20 million attempts in 2000, a fourfold increase. Excuse me, a fourfold improvement.

    I would like to close by briefly mentioning what I see as future challenges for the Air Force, as well as areas where we are looking for help from industry. We are working hard to remedy the weaknesses that were identified in the first annual assessment of compliance with the government Information Security Reform Act. Weaknesses in certification and accreditation, as well as timeliness of patching known vulnerabilities are clearly management issues, and we are addressing them as such.

    In addition, we recognize the need for improved security protection models and in corresponding policies that recognize the need to group and protect collections of information and systems using other than classification level as the primary determination of protection requirements.

    Finally, and perhaps most difficult in the short run, is the critical need to improve the quality of software products that we use to operate our networks and systems. Poor quality of our commercial software products is the single biggest vulnerability that we have. Moreover, the costs of the find-and-fix approach to resolving design encoding errors is increasingly costly and an unacceptable risk to the systems and networks that we rely on to conduct our air and space operations.

    In summary, information assurance is a priority for the Air Force, and for me as Chief Information Officer. I believe that we are doing a good job, but we are working hard to improve. Moreover, we are making significant investments to make our program stronger. I am pleased with our recent progress, and I am absolutely committed to continuing to ensure that we provide extremely robust information assurance capabilities across the Air Force enterprise.

    Thank you. This concludes my opening remarks.

    Mr. HEFLEY. Thank you.

    General.

    [The prepared statement of Mr. Gilligan can be found in the Appendix on page ?.]

STATEMENT OF MAJOR GENERAL DALE W. MEYERROSE, DIRECTOR, COMMAND AND CONTROL, U.S. SPACE COMMAND

    General MEYERROSE. Yes, sir. Mr. Chairman, distinguished members, I am happy to appear before you today, and very honored. Your interest in this critical mission area is not only commendable, but vital, as is your support, and we thank you.

    You have my written statement, so I will only outline a couple of points that I would like to reiterate. U.S. Space Command is clearly focused on the operational aspects of information assurance. In that regard, we view operational availability as the most important aspect of information assurance. And as you know, our communications architectures dictate and predetermine the nature of information assurance, regardless of our operational intent, which is why we in U.S. Space Command are very supportive of the service and agency initiatives and request for help.

    Second, U.S. Space Command takes our information assurance leadership responsibility seriously. While we have much work ahead of us, we have rapidly matured our computer network defense and information assurance vulnerability assessment processes, details of which are outlined in my written statement.

    Again, it is my pleasure to again appear before you, and I thank you for your continuing interest in this vital area.

    [The prepared statement of General Meyerrose can be found in the Appendix on page ?.]

    Mr. HEFLEY. Thank you very much.

    General, you kicked off something that—I should not ask you, I should have asked the panel before, and it does not have anything to do with information assurance, but I just would like your opinion, if you have one; and if you do not, that is okay to say you do not. Almost everybody says that people first, that taking care of our people is the number one readiness thing. And yet in this year's budget, one of the big things, it seems to me, or at least I have always felt this in taking care of our people, is to give them a decent place to live and a decent place to work. And in this year's budget, the military construction budget, overall, is down substantially. And I classify that as the decent place to work. And the military housing budget holds steady, which I was tickled pink that it did not go down like the other. But still, that is not where we need to be.

    Do you have any opinion on why that is? Is this that typical phenomenon that we—when budgets are tight, we just do not do the infrastructure?

    General CUVIELLO. Sir, I can give you my personal observations, but I will reserve the official answer to be given by those that—

    Mr. HEFLEY. I know I am not being fair to you, so we understand where you are—

    General CUVIELLO. The challenge is, as we become more operational, our OPTEMPO, continuing to grow, and the need for modernization of weaponry, of—in our own world of information technologies, those things are very expensive. And if you also notice, our procurement budgets have gone up, too, to try to get to that point.

    So yes. And I had a side conversation with Congressman Ortiz, and that—the issue becomes that—and I heard you in the press conference. You were right on when you said it. And that is that that is the easiest place to go to, to say, hey, you know, we can hang on just a little bit longer. And so that is about all I—my view on why I think where we are.

    Mr. HEFLEY. Well, thank you. And I will not press it any further. But I—you know, our challenge today is to get bright young people for the kind of things we are talking about here, information technology and so forth. But then, to keep those people. And it seems to me a decent place to live and work are two of the main factors for keeping the people.
    I am going to turn to Mr. Ortiz. I know he has to be out of here before too long, and so I want to give him—

    Mr. ORTIZ. Well, Mr. Chairman, I thank you, and I want to say thank you to the witnesses for being with us today. And my good friend, Mr. Udall, has been at the end of the questions. Let me yield my time to Congressman Udall, because he is going to have to leave, as well, and see if he has got a question.

    Mr. HEFLEY. Surely.

    Mr. UDALL. Thank you, Mr. Chairman. I also want to extend my thanks to the panel for your very interesting testimony.

    If I might, I could direct a question to General Meyerrose.

    General MEYERROSE. Yes, sir.

    Mr. UDALL. You talked, in your written statement in particular, but also you implied this in your spoken testimony, about the work you are doing with the civilian sector. And I am curious if you might comment on how that work is proceeding, and how you foresee perhaps some of the applications you are discovering might be useful in the civilian or public sector, and vice-versa, how what is going on in the corporate sector is working to the benefit of our armed services. And finally, the big, long set of questions for you, what kind of applications did you—would you might foresee in the civilian sector from what you are developing in your efforts.
    General MEYERROSE. Yes, sir. The gist that underlines the work that we have been doing is sharing processes and how we handle processes of analysis. And the commercial sector has been very forthcoming in helping us do that. And they do so at several levels, to include the level of—with our computer emergency response teams (CERTs), our service CERTs and our DOD CERT and our JTF, our joint task force for computer network operations. And usually in working out those processes, you capture and get down to the crux of whatever issue you are talking about, whether you are talking about a vulnerability or an improvement or a change of technology. And that has been very, very helpful for us.

    Additionally, many of the vulnerabilities that we discover come from the corporate industry. They are the ones that build much of the software which we use, much of the commercial, off-the-shelf software we use. And as a result, they usually are a good barometer of things to come. And so the tight coupling that we have done through the National Infrastructure Protection Center, the joint task force in computer network operations and U.S. Space Command, as well as the other services and some of our agencies has been vital to us, anticipating things that are coming and showing up, which is why we are getting better and better at dealing with these issues.

    One other area that I might add that corporate America, in particular, has helped us with, and this includes the training and education area. As you will notice in my written statement that we have teamed with the University of Colorado at Colorado Springs in a training initiative which we hope will some day lead to a full degree program within the University of Colorado school system. And so we are—in fact, we just started classes this week for the first 15 students entered into that program. It is a certificate awarding program, not a degree awarding program in which, in conjunction with the University of Colorado at Colorado Springs, we have designed a series of courses which we think meet our information assurance needs on some very basic education and training issues. And so the combination of process, technical interchange, and education and training opportunities are the areas where we have really benefitted from this association.
    Mr. UDALL. That sounds like an exciting endeavor. And, as you know, the University of Colorado home campus is in my district in Boulder. I will note your excitement to President Hoffman when I next see her.

    General MEYERROSE. Yes, sir.

    Mr. UDALL. And to her credit, she makes me aware, every time I see her, that the university system is all over the state, when I become Boulder-centric, which Chairman Hefley will tell you happens way too often. But—

    General MEYERROSE. Sir, if I might,—

    Mr. UDALL. Yes.

    General MEYERROSE. —last week I was up at University of Colorado at Boulder at the invitation of the engineering department, to speak to their telecommunications master's degree program. And, in fact, we brokered an arrangement for some of the faculty and resources at Colorado, Boulder, to participate in our program that we are developing here at the University of Colorado, Colorado Springs.

    Mr. UDALL. Excellent. It is just another example of the tremendous synergy we have in Colorado between the private sector, the university system, and the federal laboratories, which you know have a very significant presence in the Boulder area, as well.
    One last question, Mr. Chairman. Is there more that Congress could do to help promote what we have just been discussing here; that is, the relationship and the synergy that is created between the Department of Defense and the corporate sector?

    General MEYERROSE. Sir, there are probably several areas, and it is a matter of helping initiatives that are already ongoing. As my colleagues outlined several training elements, several network infrastructure initiatives amongst the services, all of those things are progressing nicely, but it is a matter of resources and making sure that they meet all of the goals and all of the objectives.

    I know that each of the services does have some relationship with universities that are around their centers of excellence of information assurance around the nation. And most of those are in their infancy stages. And things in their infancy stages, in order to mature in the right fashion, do need resources. And I know that the ones that I am involved with, we have several objectives and requirements for which we do not have the resources for, but we have plans on how to work on that.

    Mr. UDALL. Well, you can count on my support if you will assure me that there will be no more viruses attacking my home computer, and you get rid of all the spam that comes in.

    General MEYERROSE. Sir, that is a little bit above my pay grade.

    Mr. UDALL. Mr. Chairman, I thank you for the time, and again thank the panel for their interesting testimony, important testimony.

    General MEYERROSE. Yes, sir.

    Mr. HEFLEY. Mr. Gibbons.

    Mr. GIBBONS. Thank you, Mr. Chairman. And to our panel members, as well, thank you for your appearance here today. Probably no other issue plagues, I think, all of America, whether it is our industrial complex or our military complex, more than it is the information technology and the prevention of intrusion and disruption in that information. It is the basis of our economy, it is the basis of our strategy when we deal with the military.

    I would like to ask Dr. Wells, assuming, if you will, Doctor, that the equipment, the IT systems, and the programs that you have at your hands today, that you have installed, work flawlessly, what assurances can you give this committee that a realtime intrusion or disruption of our information can be prevented?

    Mr. WELLS. This is a very important question. And one of the issues is the time factor and the dynamism of this. This first appeared in the wild, if you will, on the Internet about two years ago, and evolved through three complete generations of easier to use, more sophisticated attack tools in the span of about 20 months. This is within sort of one programming and budget cycle for the Defense Department. And so the tools that we have fielded now, the tools that we have deployed are certainly a vast improvement over where we were. And as several have mentioned, I think we have done very well in the—compared with the private sector, in fighting off some of the viruses and the other vulnerabilities.
    So could I give you a hundred percent guarantee? No. Could I give—could I say it is much better than it is—than it was a year ago? Yes. This is not just an issue of technology, but it is operations, policy, people, and technology together. We have got to train the people, we have got to retain the people, but also we have to find a way to respond more rapidly. And because the important thing is not so much where we are today, it is where we are going to be a year from now or two years from now or three years from now. And the pace of commercial technology and the pace of hacking expertise, whatever, is going easier and easier and easier for people to, you know, conduct fairly sophisticated attacks online.

    So to answer your question, I feel quite confident today that we would detect the kind of intrusions that have appeared in the press, we would be able to counter them, the sort that the private sector has normally seen. I have concerns that, having to wait the kind of—if we detect an absolutely new type of virus today, it will be the beginning—it will be September, October of next—October of 2003—I am sorry, October of 2002, if it is in the 2003 budget, maybe even October of 2003 before we would be able to deploy those new tools. And so, to respond probably to Congressman Udall's question, what could Congress do to help, is give us the flexibility to sort of respond to some of these new challenges as they come out. And whether that is things like management reserves or whether that is being able to reprogram more rapidly or find new ways to respond to changing circumstances, that, I think, would be very important.

    Mr. GIBBONS. Let me ask a question. Can we today, if we did have a serious intrusion into our intelligence or our information systems, be able to rebuild the data quickly enough as a response to that intrusion and disruption?
    Mr. WELLS. One of the striking things that has come out of the September 11th tragedy is the increased emphasis on continuity of operations efforts. And the Congress has provided a lot of money in the defense emergency response fund that has been put to immediate use to do that. So I think you will find that more and more of our operations centers, more of our critical data are being backed up, mirrored servers at remote locations, repeated testing of that. What we have found in some cases, you know, we had the remote location, we had the equipment up there, but nobody had been up there in two or three years; and so it was out of date. That is now being handled in near realtime. So again, I feel very confident the most critical data have already been identified and are being backed up; and over the course of the next few months, we will expand that.

    Mr. GIBBONS. And to—very briefly, from each of the services that are here, with regard to the information IT systems that we have in each of the services and their important functions, are we finding that the recruits we are bringing in today are up to the level we expect them to be? In other words, can we train them adequately, do we have the training capability to bring our recruits into a system to make sure that they are up to the level of expectations of being able to protect our systems?

    General CUVIELLO. Sir, I will kick that off. Absolutely yes. We have—recruiting is always a challenge. But in the IT world, they are waiting at the doors. And we have also got a lot of folks in the military who want to transfer into the IT world.

    The challenge we have is the retention of them. Because, as we train them and they become certified and really good at their job, then the opportunities in the commercial world, which is very lucrative, is a real challenge for us from a retention standpoint.
    Transformation is all about change. Change is traumatic. As you become more senior, you become less willing to change. So our challenge is, is trying to be agents of change, is that it is not at the top level—it is not at the bottom level that we are having a problem with, okay. It is at the more senior level.

    So, to answer your question directly, no, we are not having a problem with that, and they get it. They get it.

    Mr. GIBBONS. And are you able to retain them now?

    General CUVIELLO. Sir, things are going better. I mean, the economy has helped us a wee bit. In our world, has helped us. And we have also found that the things that are keeping them, though we cannot offer them more money or bonuses, like you can on the commercial side, education and using. Sir, as the chairman said, you know, what retains these folks; it is doing a job that they love, they are getting the training for it, and they see that the military is changing and it is a place where they can do what it is they want to do.

    Mr. GIBBONS. Mr. Porter?

    Mr. PORTER. I would echo the comments that General Cuviello had. The quality of the recruits, as we see them coming out of school, is first class. They learn an awful lot with gaming and with doing just Internet at home.

    I think one of the things that keeps people—money is a dissatisfier when there is not sufficient funding for their salaries. But the thing that keeps people excited about their job is the quality of their supervision and a sense of mission. And we provide both of those.
    Mr. GIBBONS. Mr. Gilligan?

    Mr. GILLIGAN. Yeah, I would echo the comments from General Cuviello and Mr. Porter. I think the quality of our recruits is extraordinarily high. They are technically savvy. The training that we provide for them in information assurance is extensive, and it is probably some of the best in the world. And that is what gives rise to, I think, some of the difficulties on retaining the folks.

    I think the environment that we provide, the challenge is unique, and that what keeps most of them in. Retention, quality of life, housing, pay, other benefits are also extremely important. And that is key for us, to be able to keep these folks, when they could walk out the door and double and triple their salary overnight. Especially those that we have trained with these extensive information assurance capabilities. So that is something we watch very carefully, and so we work both the monetary, but also the non-monetary benefits to be able to keep them in the fold.

    Mr. GIBBONS. General Meyerrose, I believe your answer would be identical?

    General MEYERROSE. Yes, sir, it would.

    Mr. GIBBONS. Mr. Chairman, thank you very much. I have to leave, and I want to extend my best to the witnesses.

    Mr. HEFLEY. Well, I would just like to point out that I do not know what it was, but Mr. Gilligan said something that offended half the committee, and they are—

    Mr. GILLIGAN. I apologize, Mr. Chairman.

    Mr. HEFLEY. Do you have that effect often, Mr. Gilligan?

    We appreciate Mr. Gibbons, we appreciate all of you being here. I think Mr. Udall has to leave, too, pretty soon. But we will—like for you to stay as long as you can.

    Mr. UDALL. I will stay as long as I can.

    Mr. HEFLEY. Okay, Mark. And Mr. Underwood and I will be here till the bitter end.

    Mr. WELLS. Mr. Chairman.

    Mr. HEFLEY. Yes.

    Mr. WELLS. May I expand my answer to Mr. Gibbons just for a moment on two points in terms of the vulnerabilities and how well we respond. One of the things that really bothers me at night is the insider problem. I think we have done vastly better in terms of being able to defend ourselves from outside attackers. But a fairly large number of the people who have gone bad on us in the past had their security clearances before they went bad. And we need to find a way to make the technology work for us in detecting their anomalous behavior, rather than working against us and letting them hack.
    The other piece is the vulnerability of the private sector critical infrastructure on which we depend, which is sort of outside of our purview, as far as control, is a problem, as well.

    Mr. GIBBONS. Thank you.

    Mr. HEFLEY. Mr. Underwood.

    Mr. UNDERWOOD. Thank you. Actually, I was going to ask a question on the training of people and how to keep them in, but that has already been covered.

    Basically, in terms of ensuring that the information system remains secure, the information systems that we have remain secure, could you characterize, Dr. Wells, where we are in terms of—in comparison to other countries in terms of our own information systems, and whether we perceive the threats to our own information systems to come from other countries or people going bad or, you know, just bad groups of individuals.

    Mr. WELLS. You know, I would put the security of our information systems against those of any other in the world, Mr. Underwood. And I think, on a relative basis, we are doing quite well.

    However, in many cases, as I mentioned before, the threat is also changing very quickly. And the fact that we are ahead of Country X or twice as good as Country Y is not really the standard we need to work on. The standard is are we secure enough to meet our own information needs. And more importantly, our own—this is really a continuity of operations problem. The whole information assurance issue is: Can we continue to operate, no matter what kind of a threat we are under? And this is the sort of effort that they have—my colleagues have been making enormous progress to be able to allow the war fighters to continue to meet their war fighting needs. It may be you have to rely on Backup System A, it may be you have to rely on Backup Database B. Maybe you have to use an alternative communication system. But I am absolutely confident we can do the job in meeting our military readiness needs in the face of the attacks we are likely to face.
    Mr. UNDERWOOD. Also one other thing that you said in response to an earlier question that caught my attention, is that you were talking about in our relationship with the private sector, since we cannot guarantee the security of the systems in the private sector, it occurs to me that then the issue of how much work are we outsourcing versus how much work do we—how much do we try to develop in-house becomes a critical issue, particularly since 9–11. And also the issue of how cozy a relationship, and I know the next panel will have an opinion on this, as well. How cozy a relationship is being developed between the services and the private sector? And could you speak to that? And I would like to hear everyone's comments on that.

    Mr. WELLS. Well, this is a very crucial question. We had an interesting symposium about a year ago, and the issue was the extent to which COTS, commercial off-the-shelf products, could ever be fully secured. And the answer was that in the private sector there are beginning to be a number of—what shall I say—additional incentives. For example, the insurance industry is beginning to look at providing changed insurance rates for those companies that have good information assurance practices. There may be litigation coming to bear of people who fail to secure their clients' information. And these financial incentives will work fairly well in the private sector in terms of the normal sorts of problems that are dealt with in the business case.

    The problem that this model led to, though, was that none of these private sector market incentives would cover the case of a dedicated information warfare attack by a sophisticated, state-sponsored opponent. And this should be considered, if you will, a market failure. And so then the question is: To what extent does the government need to invest in GOTS, in government products and fully redundant, isolated systems that do not link to the Internet or whatever, in order to ensure, you know, the backups that we need. And that is something that we are still wrestling through. I think we are encouraged by the fact the private sector is providing more security. I think we are also looking—in fact, I know we are in the current deliberations within the department, about what the right balance of GOTS is.
    And that is not an easy question, because we have tried this several times in the past, and you developed a government-only system. The private sector is moving so quickly, now you have to—even if you have solved, you know, a problem at a point in time, how do you keep that current and functional.

    So your question is absolutely right. I do not have a definitive answer. I will tell you it is under—you know, under very serious consideration.

    With regard to the private sector infrastructure, the critical infrastructure, there are—there was a Presidential Decision Directive 63, signed some years ago, that set up the National Infrastructure Protection Center that General Meyerrose referred to, but also established a series of what are called ISACs, information sharing and analysis centers, which is the beginnings of effort for the private sector to share information with the government, and vice-versa.

    And after a few little teething problems, these are actually starting to mature fairly well, and they are maturing particularly well in the private sector. I mean, in the telecommunications sector. So I think we are getting a much better dialogue with the private sector. And the question is—I think the curve is going to look something like this. It is—what we have seen is that functionality, for a long time, was the—you know, the one thing that the private sector tried to roll out, and security was always sort of a secondhand add-on after the fact. This certainly was the case as more and more companies sought to connect their infrastructures to Internet-based systems in order to manage them. I think everyone is starting to realize the dangers of doing this, and there is going to be a sort of a time before it turns back up again. But I think we are starting to see a change in that direction in the private sector, as well.
    Mr. UNDERWOOD. General.

    General CUVIELLO. Sir, the same thing. One of my crusades is to drive industry to taking on security as a core competency and have it just as important, as Dr. Wells talked about, as functionality. Instead of selling the product, trying to get a relationship where it is not a buyer-seller relationship, but it is a partnering relationship. And if I fall, you fall, too. Because some of these companies are pretty well dependent on the government for their wherewithal.

    The other part is, is we have the economy; okay. And the economy is also driving—meaning like the banking industry and the insurance industry that are really getting paranoid about their information, too. So I think it is up to us to keep crusading on this thing and driving the commercial sector to come on board with us to ensure that security and information assurance is as important in selling their product as is the functionality aspect of it.

    We are not going to be able to develop a whole lot ourselves. And just as Dr. Wells talked about, it is changing too fast. It takes the government too long to get stuff done. And we have become dependent on industry, and now we have got to stand up and we have got to force them to come along with us in this partnering relationship.

    Mr. UNDERWOOD. Mr. Porter?

    Mr. PORTER. Mr. Congressman, when we considered contracting for the Navy-Marine Corps Intranet, I took it upon myself to initiate a study about what we thought was the inherently governmental function and what we were willing to put in the hands of the commercial sector. And we concluded there were three essential things that had to be kept in the hands of government: One, exercising essential command authority over our network; two, ensuring that security requirements were managed and met at all times; and three, all offenses on information operations.
    I feel very good about the strategies we put in place. Some of our network operations, network administration activities will be put in the hands of the commercial sector. But essential command authority always remains in the hands of the government.

    I think, as far as coziness goes, we have been raising the bar on information security, and I think certainly, after September 11, the entire country expects that we raise that bar even higher.

    Mr. UNDERWOOD. Thank you.

    Mr. Gilligan?

    Mr. GILLIGAN. I would agree with the previous comments. What we see in the Air Force is we are inextricably tied to the industry that supports us. And so whether it is outsourcing, or just interdependency for our logistics support, we cannot prosecute our air and space operations without the support and their IT of those in industry.

    So we have got a symbiotic relationship. And so we need a cozy relationship, but we need one not that is non-productive, we need one that is very productive. And I think, as has been mentioned, we need to—and I think the area that I would suggest that needs some significant attention is we need to then have some standards against which we can measure those who are providing us service, and in particular, as it has been mentioned, the software products that we get really do not measure up to what we are now viewing as commonly accepted quality standards. And we need to establish those, and we need to have accountability, such that, as we have this close, cozy relationship, there is a clear understanding of what are the expectations, and when are we meeting those expectations; and when are we failing to meet those expectations, as we continue this tight linkage with industry.
    Mr. UNDERWOOD. General?

    General MEYERROSE. Sir, I would offer two points. The first point I would offer is not all of our information systems are subject to the same risk. We have classified and command and control information systems which are not open to either the Internet or to other systems themselves. And the more classified the system and the more directly related to command and control functions within our services, the more testing and certifying we do of software, whether that software comes from commercial off-the-shelf or from government.

    And so I very much agree with the previous comments that our partnership with commercial off-the-shelf software brings varying risks. But in some sense, it is not something that we can universally address to all information systems. And the scenario I just gave you about the more secure and classified systems reemphasizes the point of Dr. Wells about the insider threat being the most serious in that regard.

    The other point I would offer to you is, is that we have mechanisms which we have morphed over time. In the early 1980s, during the time of the deregulation of the telephone system, we created an advisory committee for the President called the National Strategic Telecommunications Advisory Council (NSTAC). And this was a group of senior CEOs, presidents of commercial telecommunication providers who would advise the President directly, and the Department of Defense indirectly, and other elements of government on matters of strategic importance that were deemed to help us over transitioning into a deregulated telecommunications environment. Over the last four or five years, the membership of the National Strategic Telecommunication Advisory Council, has changed to encompass several IT providers that are not the traditional telecom providers, but in fact the software, computer providers. And, in fact, the NSTAC is meeting next week with the Administration and with senior DOD officials. And we meet with them on a twice-a-year basis, and we have several standing committees, of which I am a member of a couple, in which we continually work the issues which you outlined. And there are very few easy solutions. But we are working very diligently at improving them.
    Mr. UNDERWOOD. Well, yes, go ahead.

    Mr. WELLS. One other element, this again in the aspect of things Congress can help us with, the ability of the Internet and modern information technology gathering tools to pull together disparate bins of information actually creates new classes of information which, by them—where all the individual pieces may not be sensitive, but the collective becomes very sensitive. And the infrastructure is a good example of this. Nothing about any given power system or water system or pipeline system is classified. When you pull together in one place the totality of the, you know, electric distribution system in the country, that is an area of concern.

    There has been discussion—there is discussion in the homeland security area about so-called sensitive, but unclassified information and finding ways to protect that. And clearly the Freedom of Information Act and the importance of keeping the citizenry informed is—has to be balanced against the fact that here you have information that is in the public domain which, when aggregated, becomes a potentially serious threat to the public good. And so I would encourage that when this debate comes to the Congress, that this be considered a matter of importance, because it certainly has become a matter of concern for us.

    Mr. UNDERWOOD. Well, thank you for those very thoughtful answers. And I am a little relieved—I am much relieved that you have thought a lot of these things through. But it seems—and maybe it is only because I only occasionally come up to the issue from time-to-time. But, you know, as you try to figure out how do you responsibly use government resources, and then you become highly dependent upon the private sector, and then you develop a relationship, and then at the same time we are getting information that the whole information—the whole series of information assurance activities do not lend themselves to a clear analysis as to how much money and how much effort and how much resources are being spent on it because it is all over the place; and it is—now it also includes homeland security. It makes it all seem very fuzzy. And, of course, given the nature of the rapidity of technological change in the area, itself, it means that as you complete one cycle, it appears that another cycle is galloping along. And then you contrast that with more traditional DOD type activities, like procurement of weapons systems or trying to understand military construction and all the other things which are—even those are pretty tough stuff to sort out, too, as well. But they certainly lend themselves to understanding it a little bit better. And so it gives me the uneasy feeling that relationships are being cultivated over time that may not be in the best interest of the government. And, of course, the bottom line on all of it is the security of the systems we have in place. And I think you have given some thoughtful answers to that, but I did want to raise that concern. Because it all seems to lack the kind of clarity, particularly when we start off with the assumption, or at least it is not clear to me, what kinds of resources are devoted to information assurance, and how they appear to be everywhere. It is not an easy thing to sort out. There is not one box in the budget. And that is—and so, as a consequence, and then the rapidity of change and maybe necessarily cozy relationship we have with the private sector, all those other things. Thank you. Thank you, Mr. Chairman.

    Mr. HEFLEY. Thank you, Mr. Underwood.

    You know, it is obvious you all think it is important, and we all think it is important, but in light of the numerous GAO and IG studies and reports that have been done, that have been very negative, and the budget problem we have of figuring out how to break out this particular activity from the budget, is this really a point of emphasis with the Department of Defense and your various departments? And if we did a GAO or an IG study today, would it show improvement over the last time such a study was done? Are we actually making—you are doing a lot of things to try to help solve it—but are we actually making progress towards a goal of having a secure system?

    Mr. WELLS. If I could offer a couple of points. First of all, I think we are making progress because the proof is in the pudding, to some extent, is the fact that the DOD systems were not brought to their knees by Code Red or the Nimda worm in the way that many of the private sector systems were. So at least a couple of data points out there that suggest that the myriad of things—and there is no single point solution to this—the combination of these are getting better.

    The second is that there have begun to be some qualitative metrics developed. And these may seem like small things, but they are not. For example, a year or two ago when we talked, the only vocabulary we had was to talk about attacks on our systems. Now there is a taxonomy of if something—if an intrusion gains a root directory or, I mean, a most serious high level access to a computer, that is termed a Category 1 incident. If somebody tries to get that but does not succeed, you get some kind of penetration, that is a Category 2. If something is a denial of service, that is another category. You can begin to understand what it is that is happening to us, which frankly a couple of years ago we could not even articulate to ourselves what really was going on.

    With regard to Mr. Underwood's comment about sort of cozy relationships with the private sector, this is a list of—it is something called the common criteria, which is a series of means of evaluating products as to their information assurance security. And these have been adopted, not just by the U.S., but by Britain, and even France and Germany and other countries. And they maintain a list of the products that can—that have satisfied these criteria. And if you look at them, they are not all from one or two companies. In fact, they are not even from one or two countries. I can go and pick an approved product that is made in Europe, if need be, and be confident that it meets the criteria that have been set up by these international standards.

    So there is still a—competition is still being maintained in the process, even as we have to cooperate with the firms to—you know, it is much better to have a relationship where they understand our information assurance concerns from the beginning and begin to factor it into the design, rather than roll out their product and all of a sudden find they have to patch 15 holes and leave others that nobody has detected.

    So I do not know that I can ever tell you there will be a clear, bright, shining line where no cooperation is possible or even desirable, but I do not believe we are in such a cozy relationship that there is no alternative.

    General CUVIELLO. Mr. Chairman, I think we are making significant progress. Today the Chief of Staff of the Army and the Secretary of the Army, on a daily basis, get briefed on any intrusions into any networks of the military. So I think that there is leadership involvement in that.

    This thing is a spider web that, as fast as we get our arms around where we think we are moving, technology and ingenuity and imagination creates branches and sequels that we did not think about. And I do not think there is an objective here. I think this is a journey of learning, trying to—one of the things we are spending a lot of time on is becoming predictive, to try to predict when something will happen. And that is really, really breaching—that is leading edge, not bleeding edge technology in trying to do that.

    So from my perspective, I think we are doing better. We can always do much better. But as we get there, it is—like I say, it is like a spider web; it keeps going out there. I would love to—I have been doing this thing for 33 years now, and I did not have a handle on it as a second lieutenant, and now I am—I am the main man, and I still go home at night and say, ''What the hell have I done? Have I really made progress? Because I take—I know I have stepped foot forward, but I always wonder how many inches do I step backwards, too, because of the technology, and then the imagination that is out there in the world of how to break down and break into and do whatever.''

    So I want to give you a warm and fuzzy that we are doing better, but this is not—we cannot give up. We will never get there. I guess that is my point. Because as soon as we think we have reached that, somebody has thought of something else.

    Mr. WELLS. You will never spike the ball as you cross this goal line.

    Mr. HEFLEY. Any other additions to that? Yes, sir.

    General MEYERROSE. Yes, sir. I am not familiar with which report you are specifically citing; and obviously, those reports are roll-ups of large organizations, departments. But we have an opportunity to see lots of reports because of U.S. Space Command's position for computer network defense. And, in fact, we have been the recipient of five such assessments since 9–11. One has come from a service audit agency, two from DOD agency assessments, and two red teams. And all five of these were revisits from assessments or inspections done a year ago. And in each case, they validated that we had made several improvements. They did not necessarily give us an absolutely perfectly clean bill of health. They did point out things that we needed to continue to work on. Process improvements, those types of things. But in every case, the audits that we have received since 9–11 have showed a maturation of our process, and a greater effectiveness of our people in dealing with information assurance operations over a year ago.

    Mr. HEFLEY. Well, that is encouraging. You know, that is what we want to hear.

    Mr. WELLS. There is another step that I think is important. About two weeks ago I received this, which is called a common access card. And this is the new identification card that will eventually become DOD-wide. But it contains in it a chip. And that chip will eventually—again, I think within a month or so I will not be able to use certain features of my computer without having inserted this card and put in my personal identification feature as well.

    This has on it not only electronic identification, it has got a biometric; my fingerprint is actually on the card. And it also handles your traditional swiping sort of thing you have. And so there is no industry standard yet, and it is hard then to say exactly which one you should pick. So the card actually uses three different methods of identification. But this now begins to get at the very important question of how you authenticate who are the people on your network. Because it is going to be very hard now for someone else to sit down at my computer and pretend to be me.

    And so as you begin, just like the credit card, when I use my credit card, if I make an exorbitantly large purchase or an unusually large purchase, I get a call from the company saying, you know, ''Is this you? Did you want to do this? This does not fit the pattern.''

    So with this sort of thing in place, we begin to establish patterns of the people inside our organizations, and why is Wells trying to dial the Secretary of Defense's computer at midnight. That kind of thing can be identified and flagged very quickly, as opposed to three or four days later you read an audit log and say hmm.

    So I think there are a number of things that are coming along that will help. And as the general said, it is a dynamic process. But we are in there swinging.

    Mr. HEFLEY. Well, committee, our witnesses, we thank you very much. Very helpful. We want to work with you on it. And we appreciate you taking the time to come and help inform us. We will have some written questions that we want answers to. And we appreciate your time.

    We are going to proceed to our second panel, which will be Mr. Robert Mines, Senior Vice President of Engineering, Entercept Security Technologies; and Ms. Mary Ann Davidson, Chief Security Officer for Oracle Corporation.

    We had a witness from Cisco Systems that was going to be here, but yesterday the company decided that they were not going to be here. We do not know why. We are disappointed. But they are not here. So we are going to have the two witnesses that I mentioned.

    Okay, I am going to ask you, if you would, to give a brief opening statement, and we will put your full statement in the record. And we will start with Mr. Mines.

STATEMENT OF ROBERT F. MINES, SENIOR VICE PRESIDENT, ENGINEERING, ENTERCEPT SECURITY TECHNOLOGIES

    Mr. MINES. Mr. Chairman and committee members, it is truly an honor to be here today to talk about information assurance, and especially about National Information Assurance Partnership (NIAP).

    I was sitting in my office about three weeks ago and I got a phone call that said, ''Gee, you know, Bob, you have an opportunity to go speak before the House Armed Services Committee.'' I said, ''Wow, that is really amazing.'' And I am sitting there going, ''Great, I am going—I am going to go to Washington. I love DC. It is a great town.'' And, you know, but a few days later somebody calls me back and says, ''Oh, no, actually it is in Ft. Carson.'' So I said, ''Oh, okay.'' So I hung up the phone, thought about it for a while. I said, ''Gee, I did not know we had forts in Washington, DC. That is new.''

    So my point is I think it is—you know, it is really great that the committee has chosen this location. I think it shows, you know, it is good to be out there on the front lines and show yourself to the troops. I did not know there was a Ft. Carson before today, so—and now I do. So I think it is a good thing.

    So through my testimony, I only have a brief statement I want to make. But as I go through my testimony, I really want to provide two things. I want to provide you some information as to how NIAP really would affect the product strategy at a company like Entercept or other software company, and really how it may affect the systems that the government deploys in the future.

    When Code Red came out, in 24 hours it did $2.5 billion worth of damage. That is 24 hours, $2.5 billion; that is a phenomenal number. And if we look at sort of the trends in vulnerabilities, you know, the rate of growth, it is 50 percent a year. So we see a trend that is constantly increasing; it is not decreasing. And although we continue to make progress, we do make progress, but the bad guys make progress faster. And that is really sort of the trends that we are looking at today.

    If we look at the major operating system vendors, whether it is Microsoft, Sun, or whoever, they have all had dozens and dozens of security advisories they have put out this year related to their software. So clearly there is a problem to be addressed.

    I work at a company called Entercept, and we provide a host-based intrusion detection system. This system, we believe, is state of the art. It allows people to deploy this software to their server and not only detect intrusion, but prevent intrusions from taking place on their servers. So it detects malicious attacks, and prevents the code from executing on that server. And we believe that this is the wave of the future in protecting servers from vulnerabilities. It does this through something we call behavior rules, which is a patented technology from Entercept.

    Okay, what I was hoping to do is just walk through a simple incident response that Entercept gets faced with all the time. So we are in the security business, we have to protect our customers' servers and key resources. Several people today have mentioned the Simple Network Management Protocol (SNMP) daemon attacks that came out. And there was a series of vulnerabilities and alerts that came out about three weeks ago related to SNMP. So what I am going to do is just walk through what happened at Entercept when those things—advisories came out, and what the process is that we went to, then I relate that back to NIAP.

    So SNMP is a piece of code that exists on virtually every operating system that is sold today. And it has been there for years and years. This is a piece of code that we thought was safe. It has been on the servers, with no known major vulnerabilities that have not been patched already. So what we did is, as soon as we saw the—you know, the advisories were released, what we have to do is, the companies say, ''Okay, well, how does this affect our product?'' And so what we do is we read the vulnerability, and then we create the code, what we call the expert code. And this expert code is what really executes that vulnerability against a server. So first we have to figure out what the advisory really says, and create some executable code that simulates that. Then we take it into the simulation lab and we say, okay, how does this affect our customers' products with our product onboard and without our product onboard, to see if we can either protect our customers by developing new behavior rules, or tell our customers that they are safe and protected.

    In this particular case, there were five problems that we found associated with SNMP. And we were able to develop behavior rules in our simulation lab, test them to validate that we could—by running the expert code, that we could actually prevent these attacks.

    As soon as we did that, we contacted our customers and made those new rules available to their system. And this all took place in the course of about three to five days. Nimda was—and Code Red were much faster than that, a much larger impact. But this is a typical example of how fast you have to be able to react to these things. And that is one point I want to make. And the other is, is that this is code that has been around for a long time, and it is pervasive.

    So, although we think that we are getting better and better at protecting things, I think that the level of sophistication of the attacks is clearly getting stronger and stronger—and particularly many of these vulnerabilities originate outside of the U.S.

    So there is no silver bullet for solving the security computer and networking solution problems that we face today. It is going to be an ongoing effort. We are going to make progress. There are going to be times when other people are going to—the bad guys are going to go ahead of us. It is going to go back and forth for some time. There is a long way to go. Currently, where we are at is they are focusing their attacks on widely-distributed software. What is going to happen in the near future is you are going to start to see them moving up the application stack to attacking application level software, so that the software that companies buy, a Microsoft platform or whatever, and develop applications on top of, there will be attacks against theirs.

    So we looked at NIAP, and we are evaluating and pursuing NIAP evaluation at Entercept. We believe it is a necessary part of information assurance, and we are pursuing certification. But we do not believe it is sufficient, in and of itself.

    In addition to that, I think it is important to point out that, from Entercept's standpoint, it is important that there be a balance between the need for certification and common evaluation models, and the need for getting the best possible protection to our servers' information infrastructure that we have deployed. And at some point, those two become counter to each other.

    So, to that point, you know, we really cannot allow NIAP to be a barrier to deploying new software. We have to have, I believe, the best possible protection mechanisms available. In addition to that, we have to be able to react quickly, as was mentioned by several of the previous panel members, to attacks when they take place. These happen in a matter of hours or days, and if you do not respond, the cost is tremendous. So to the extent that the NIAP is useful in developing certified software, that is an excellent goal and we strongly support that.

    So looking at the process, I think if you look at the key attributes of a successful process for doing certification from a vendor's perspective, there are a few parts that I think are essential. I am just going to go through a few of those that I think are particularly important.

    First of all, you know, new technology is coming out every day. And small companies tend to develop those technologies. It comes from startups, small companies around the world. You have to get those companies involved in the process, so if the process is too expensive and they are shut out, you are limiting the effectiveness of your protection.

    In addition to that, the process must be short in duration, so as not to restrict time to market for vendors. If I have to hold back product releases because I have to go through a certification process, that would be a negative impact to the company.

    Probably the most important point I think we need to make is there has to be a clear advantage to the vendors to go through this process. You say we should be certified because our software wants to be—we want our software to be secure. And that is a great goal. Everybody would agree. But in the private sector, you know, we look at what space, we look at the cost versus, you know, the revenue prospects. And that is how that evaluation is going to get made.

    So I think it is important that you articulate clearly to the software vendors the advantage of going through the certification process, and the revenue opportunities that would be available to them.

    Just to make one more point again, the process must provide for us to be nimble when new attacks come out. We have to be able to deploy either patches, updates, new signatures, new behavior rules to our products to protect our systems immediately. There will not be time to go back through an evaluation process.

    So, in summary, we believe NIAP is an essential part of information protection, information assurance, and Entercept is pursuing NIAP certification. But the process must not be a barrier to new technologies, and it must be flexible and dynamic enough to allow us to respond to attacks in our systems. Again, I would like to thank you for the opportunity to testify today.

    Mr. HEFLEY. Thank you, Mr. Mines.

    Ms. Davidson.

    [The prepared statement of Mr. Mines can be found in the Appendix on page ?.]

STATEMENT OF MARY ANN DAVIDSON, CHIEF SECURITY OFFICER, ORACLE CORPORATION

    Ms. DAVIDSON. Chairman Hefley and members of the committee, I am Mary Ann Davidson. I am the Chief Security Officer for Oracle Corporation. We are the second largest software company in the world. Thank you for the opportunity to speak to you about information assurance, which is a subject near and dear to my heart.

    When it comes to security, you get what you pay for. Most people will not purchase a $50 electronic device without looking for an Underwriters Laboratories sticker, yet they purchase software at a thousand times the price that they use for running their enterprises, with no consideration of product security mechanisms.

    Within the U.S. federal government the security stakes are even higher, as these information systems protect our nation's secrets. In this environment, it is not just technical security measures that are important, it is the confidence that you place in those measures, and that is what information assurance is all about.

    The security equivalent of Underwriters Laboratories can establish confidence that the software consumer is secure. There are standards to establish information security assurance. That is, validation that a product does what it claims to do in terms of security by means of formal security evaluations. Vendors submit their products to a third party, that is, a government certified lab, that evaluates the security claims against formal criteria of what you mean when you say you are secure, such as the international common criteria and the U.S. Federal Information Processing Standard, FIPS 140.

    Evaluations have three key benefits for vendors doing them which accrue to their customers. One, a more secure product. Evaluators find security vulnerabilities. You have to fix them before you get the evaluation certificate. Two, a secure development process. Evaluations include a review of the product security architecture, the functional specifications, the design and test mechanisms. Security cannot be bolted on by a one-month process at the end, but it has to be wired in from inception. Evaluations force vendors to change the way they build products, because it is the development process that is evaluated.

    Last, and most importantly, a culture of security. Completing a security evaluation, or many of them, changes the corporate culture. Security becomes part of the corporate DNA, woven into the fabric of the organization. That is the biggest long term benefit of evaluations.

    The U.S. federal government has drawn a security line in the sand versus—via National Security Telecommunications Information Systems Security Policy Number 11. That is, requiring third-party evaluations against the common criteria for any system involved in national security. This is the first line of defense in our nation's infrastructure. If the government does not require brutally secure software to protect our nation's secrets, is anything worthy of protection?

    As a leader in independent security evaluations with 14 independent evaluations for our core products, Oracle Corporation lauds the government for requiring software to be provably secure through independent security evaluations. But there are several caveats in our almost unqualified enthusiasm for National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11. Our first comment is that NSTISSP 11 does not go far enough. It needs to be applied rigorously and expanded mercilessly.

    Richard Clarke has repeatedly made the point that our enemies will use our technology against us, and this is absolutely the case in information security. Products that are built with no concept of or adherence to information assurance principles are inherently weak, vulnerable, and will be exploited by our enemies. We are at war, and war is no place for indolent security providers and lazy procurement officers. Shape up or ship out. NSTISSP 11 needs to be expanded to all federal systems.

    The second comment is that the intent of NSTISSP 11 can be undone, as its predecessors have been, by procurement dodge and weave. Prior to NSTISSP 11, federal procurements have had requirements for independent evaluations for years. Oracle's first evaluations were against the Orange Book, which is now obsolete.

    FIPS 140 certifications have been required for years. However, many vendors have been able to bypass the requirement for information assurance by obtaining waivers on procurements which specify them. And we see the same vendors pushing back on NSTISSP 11. The definition of ''chutzpah'' is someone who commits patricide, and asks the court for mercy because he is now an orphan. My definition would be vendors who have made no effort to comply with information assurance requirements of the federal government for the past ten years, and now ask for procurement waivers on the grounds that there are not enough evaluated products on the market. Shame on them, and shame on us if we allow our nation's security to be jeopardized by these corporate malingerers. It is time to chirp or get off the twig regarding information assurance. If not now, when?

    Waivers can apply to entities of the federal government, as well. One large intelligence agency has opted out of NSTISSP 11 entirely, which sends a terrible message to the marketplace, and negates the intent of NSTISSP 11. What is more central to national security than intelligence? It is a substantial long-term commitment by a vendor to build and maintain secure software. You cannot change the rules in midstream. Those of us who have been—who have spent, as Oracle has, about a million dollars apiece for high assurance evaluations should not be penalized for doing the right thing. If NSTISSP 11 is the federal government's way of saying, ''We care about information security,'' waivers from that are their way of saying, ''Except that securing our national security systems is not, after all, really very important to us.''

    Those of us who have done the right thing for years are feeling like dupes for having done so. Tell us we were not wrong to care passionately about information assurance, and invest heavily in it for our core customer base. There should be no waivers from NSTISSP 11, period.

    The U.S. federal government must make security a purchasing criterion, because it is impossible to bolt on security that is not built into a product, just as it is impossible to put a lock on a door made of cheap plywood. The bad guys are going to kick the door in and bypass the lock entirely.

    The U.S. federal government is the only customer base big enough to change the security marketplace merely by the act of consistently making security a purchasing criterion. It is that simple. Consistent and uniform application of NSTISSP 11 and extension of it to all federal systems through changes in the federal acquisition regulations is the single most effective measure the U.S. government can take to strengthen our cyber defenses. And I might add that the benefits of doing this would accrue to the rest of the critical infrastructure, as well, because every product would have to be secure to be released in the marketplace.

    I have specific recommendations for how we can make NSTISSP 11 work better in my statement, which I will not go into. I commend you to read it.

    In conclusion, Oracle stands behind the security of our products. We have spent over 20 years building systems for the most security-conscious customers in the world, including intelligence agencies and the Department of Defense. And we have the assurance afforded by 14 independent security evaluations. We believe that we are uniquely qualified to comment upon information assurance, as we have made a long-term investment in it.

    In fact, the basis of our latest marketing campaign, ''Unbreakable'', is information assurance. We owe much of our commercial success to the requirements of the Defense Department, because we built secure software specifically for DOD. Information assurance has been our long-term commitment to our customers yesterday, today, and tomorrow. While there are no security magic bullets, NSTISSP 11 at least ensures that the secure gun does what it is supposed to do without misfiring and killing the user.

    The stakes have never been higher for information security, and especially for information assurance. The merry-go-round of information assurance has been that more vendors have not done evaluations because the government has not been serious about them, and the government has not been serious about them because not enough vendors do them. Worse, the vendors who grab for the security brass ring risk having it taken away and handed to someone else. A lazy vendor is just a weasel-willed procurement officer away from saving a million dollars by cheating on evaluations. It is time to stop the merry-go-round. The government must hold firm on information assurance, or the last opportunity to do so will be lost, to the detriment of our nation's security.

    The U.S. government must deliver the following message to the marketplace: Without information assurance there is no security, no NSTISSP 11 waivers, no exceptions; play by the procurement rules for secure software, or go home. Thank you for your time.

    [The prepared statement of Ms. Davidson can be found in the Appendix on page ?.]

    Mr. HEFLEY. Thank you both.

    Ms. Davidson, are you saying that the government is being too casual about security, not taking it seriously enough?

    Ms. DAVIDSON. I think there are elements that are being casual with it. And specifically, when you have a requirement that has been specified, and you grant waivers, seemingly willy-nilly, it does two things. One, it says that you are not really serious; and two, it puts the people who played by the rules at a competitive disadvantage.

    If what you really want is lots of new features with a bunch of security holes in them, people can do that. The problem is that you have said, ''No, we want secure software,'' and people who play by that rule and spend, you know, a half a million dollars in evaluation then are not awarded the contract because someone decided they liked the bells and whistles better on someone else's software which does not have an evaluation. That is the problem. It needs to be consistent, uniform, and fair.

    Mr. HEFLEY. Who should be responsible for the security? The vendor or the government or the—who should pay for those evaluations, those third-party evaluations?

    Ms. DAVIDSON. One of my recommendations—there are some issues with NSTISSP. Specifically, I think one of the gentlemen earlier mentioned that the common criteria has the benefit that—mutual recognition. Many countries will accept a common criteria evaluation. The problem occurs when you have specific agencies developing their own what they call protection profiles. That is the analysis of here is the threat, here is what I do technically to meet it.

    At a particular level of assurance, if you do an evaluation, any country will accept it. When you start fiddling with those levels, you then have an agency-specific evaluation. So my comment was, I think any vendor should step up to the plate for one evaluation that has mutual recognition. We all ought to be willing to step up to that. When you have different entities having their own special—you know, I want the CD player and I want the power windows, if that causes the vendor to have to do a specific evaluation for that agency, I think the agency should pay for it as part of the cost of procurement.

    Mr. HEFLEY. Is the cost for the NSTISSP Number 11 too expensive for small business, do you think?

    Ms. DAVIDSON. I do not think that it is in the long run. And the reason for this is that the benefits really outweigh the costs over time. And that includes not only the benefit of being able to sell to the federal government, but the cost avoidance by building better software. This is particularly true for Oracle. We run on multiple operating systems, and we have a number of product releases that are supported. If we find a vulnerability in our product, I have issued as many as 78 patches for one vulnerability to handle all the different operating systems and all the different product releases. Anything I do up front to avoid 78 patches down the path, that is about a million dollars worth of software patches, is money in my pocket.

    Going through evaluations makes you change your development process, and that is the best thing that you get out of it. So, yes, are you paying to change your development environment, but it is a good thing for the company that they do that.

    The problem right now is that, again, people do not make security a purchasing criterion. And it gets down to you get what you pay for. If you make it a criterion and you say it must be secure, it must be provably secure, everyone will have to adhere to that standard; and the federal government will change the security marketplace. Everyone will build better software because they have to. Right now they do not have to.

    Mr. HEFLEY. How long does the process take, and what happens if you disagree with the findings?

    Ms. DAVIDSON. The first one that you go through takes a while. It is sort of like when you are learning to do something new it takes you longer to acquire the skills to do it. Currently, we spend I would say it is about nine months to a year to do an evaluation. We have gotten the process down fairly quickly, so that we can usually get a certificate out the door within six months of our product actually being released. And that is not too bad. Usually most customers do not immediately launch—adopt the new software as soon as it is out the door.

    So is it expensive? Yes. Is it a prohibitively expensive or prohibitively long time to market? I do not think so.

    Mr. HEFLEY. Mr. Mines, you talked about attacks on the system, and we use that term a lot. Can you characterize what we mean by ''attacks''? Are most of the attacks we are trying to guard against sinister; are most of them computer hobbyists who love to play games and it is a challenge? Do you have any feeling for that?

    Mr. MINES. I think there is generally speaking, if you look at just the numbers, the numbers would show that most of them are just generally hackers, script kiddies, things of that sort, doing, you know, minor damage. The problem is that, you know, 80 percent of the damage is done by 20 percent of the cases. So if you look at the cost, it comes to be 20 percent of the attacks. As I mentioned earlier, they are becoming more and more sophisticated, and the cost is going up for each attack. We see that trend clearly.

    I just want to get back to the point, you asked the question about the cost, is it overbearing, and the time. You know, to many companies, you know, a million dollars or nine to 12 months is a serious barrier. Most startup companies would not have that much time to be in business or spend that much money on the process. I think Oracle is in a little bit different situation than many software vendors, in that they have a well-established reputation, clear market leadership, and a product that has been around for 20 years.

    I think where we want at the purchasing issues is where people want to buy new technology, and getting that new technology available to the agencies is important.

    Mr. HEFLEY. Mr. Underwood.

    Mr. UNDERWOOD. Did you want to add something to that?

    Ms. DAVIDSON. Yes, I did. It is—to give you, you know, a sort of an accurate read, I mean, it is true that we have products that have been on the market for some time, but we are expanding evaluations for the rest of our product stock. And that includes some of our sort of web facing, short-time to market products, because we feel so strongly that this is really important. And again, this is—we believe this is required to sell into the federal marketplace. We are playing by the rules.

    The cost of evaluation is actually about—really about $500,000 and two personnel. So you can either hire the personnel or yourself, or pay the evaluator. And I still do not think that is much to go into a new market. You know, the counter to that is if you do not prove that you have built your product securely and you paid attention to security at all in the development process, then the reality is that you are going to get junk. Because time to market is going to be so important, people will do anything they can to be the first one in the marketplace, and that means skimp on security. That is the problem.

    Mr. MINES. Yeah. I would not agree with the assessment that if somebody does not go through an evaluation process, that that makes their software junk or insecure, necessarily. There has not been a strong—any studies that I know that necessarily prove that going through the NIAP process will necessarily make your software more secure. What you are doing is, you are certifying that it says what you say it will do. As a vendor, you establish a profile. They see you match that profile. But that is not really where most sophisticated attacks take advantage of. They take advantage of other techniques that are not really going to be described as a feature in a product in terms of security.

    Ms. DAVIDSON. Excuse me. Most of the new attacks are coming in new technologies.

    Mr. UNDERWOOD. Well, it is my time now. It is my time now.

    Mr. MINES. Okay.

    Ms. DAVIDSON. Okay, your turn.

    Mr. MINES. Sorry.

    Mr. UNDERWOOD. And I thought I was going to hear from a couple of vendors that had really cozy relationships with the government. Basically, just Ms. Davidson, just to finish up the issue of the waivers and, you know, you made a very strong statement on that, are you saying that whole agencies are issuing waivers, or they are issuing waivers to select companies, or what is your assessment of what is going on?

    Ms. DAVIDSON. There are two things that are occurring. One of them is one entire—one of the intelligence agencies has completely opted out of NSTISSP 11, which again specifically says systems involved in national security will have independent measures of assurance. And I am looking at this and saying, ''What is more central to national security than intelligence agency functions?''

    And you can make the case that for certain one-of-a-kind systems, perhaps they should not do that. But so much of what they run is standard, commercial software. How can they say it does not apply to us, particularly when another one of the agencies says, ''We are not opting out. We believe NSTISSP 11 does apply to us.'' That sends a really bad message to the market. So that is one issue. You have whole—you have a group saying it does not apply.

    The second issue is that there are a number of procurements, I can think of one actually right now, DIMHRS, Defense Integrated Manpower and Human Resource System. And the determination has apparently been made that, yes, NSTISSP applies. This is the integrated human resource system for the entire armed forces. I mean, how important could it be to know where someone is stationed or what their skills are? That would pertain to national security. And yet there are vendors bidding on that who do not—have never had an evaluation, do not now have an evaluation, have no plans to do an evaluation.

    So I am looking at that and saying, ''You know, they are going to get a waiver.'' What is the matter with this picture? Who makes that decision, ''We like Vendor X. We are throwing the requirement out the window''? If you really think security is not important, tell us that. I can think of a lot of things I could do with a million dollars besides going through a paper exercise. If it really is important to you, then make it stick.

    Mr. UNDERWOOD. Okay. Mr. Mines, on the—you know, in the earlier panel we talked about security concerns and how the marketplace, particularly with banking and insurance, will drive that and will improve the systems of security as we go along. And yet I think probably—and I forget which one of your statements, I think maybe it was Ms. Davidson's, is that just government business alone could establish the benchmark for that. And how would—what would be your best estimate on that, or how would you characterize that? I mean, is just the development and the need for security in the private sector really driving this, or is it—or would it be driven more by government concerns about security?

    Mr. MINES. I think it is probably more from outside of the government. I think the government has more stringent needs than, generally speaking, some of the outside groups there. But it is a mix. Both groups are going to drive towards better solutions and force better solutions.

    Then, on the flip side of that, we are getting forced—vendors are being forced to say, ''Okay, we need more and more features and more and more functionality.'' You know, people want to be able to go scuba diving off the Banneret Coast, and do stock trades on their Palm Pilot while they are scuba diving. And that is kind of, you know, this pressure people are putting on the industry. And you have to make that secure, as well, while you do that, of course.

    But I was thinking about your—Mr. Underwood, about your earlier—I think Mrs. Davis and I generally agree that certification—going through a certification process is a very good thing for a vendor to do. I think it is just a general level of support or strength that it provides, I think, a protection.

    Mr. UNDERWOOD. Okay. Thank you. Thank you, Mr. Chairman.

    Mr. HEFLEY. I think I am through, too. And I appreciate both of you being here, and it has been very helpful. And this committee stands adjourned.

    [Whereupon, at 3:49 p.m., the subcommittee was adjourned.]