[H.A.S.C. No. 108–12]








JULY 24, 2003




JIM SAXTON, New Jersey, Chairman
JOE WILSON, South Carolina
JOHN KLINE, Minnesota
ROBIN HAYES, North Carolina
JO ANN DAVIS, Virginia
W. TODD AKIN, Missouri

MARTY MEEHAN, Massachusetts
ADAM SMITH, Washington
MIKE McINTYRE, North Carolina
BARON P. HILL, Indiana
SUSAN A. DAVIS, California
RICK LARSEN, Washington
JIM COOPER, Tennessee

Thomas Hawley, Professional Staff Member
Jean Reed, Professional Staff Member
Uyen Dinh, Professional Staff Member
William Natter, Professional Staff Member
Curtis Flood, Staff Assistant





    Thursday, July 24, 2003, Cyber Terrorism: The New Asymmetric Threat


    Thursday, July 24, 2003




    Saxton, Hon. Jim, a Representative from New Jersey, Chairman, Terrorism, Unconventional Threats and Capabilities Subcommittee

    Meehan, Hon. Martin T., a Representative from Massachusetts, Ranking Member, Terrorism, Unconventional Threats and Capabilities Subcommittee


    Charney, Scott, Chief Security Strategist, Microsoft Corporation

    Dacey, Robert, Director, Information Technology Team, General Accounting Office

    Lentz, Robert, Director, Information Assurance, Department of Defense, and DOD Chief Information Officer

    Spafford, Eugene, Director, Center for Education and Research and Information Assurance and Security (CERIAS), Purdue University


[The Prepared Statements can be viewed in the hard copy.]

Charney, Scott
Dacey, Robert
Lentz, Robert
Spafford, Eugene


[The Documents can be viewed in the hard copy.]


[The Questions and Answers can be viewed in the hard copy.]

Mr. Bartlett
Ms. Davis (Susan)
Mr. Langevin
Mr. Meehan
Mr. Thornberry


House of Representatives,
Committee on Armed Services,
Subcommittee on Terrorism, Unconventional Threats and Capabilities,
Washington, DC, Thursday, July 24, 2003.

    The subcommittee met, pursuant to call, at 10:01 a.m., in room 2118, Rayburn House Office Building, Hon. Jim Saxton (chairman of the subcommittee) presiding.


    Mr. SAXTON. Good morning. The Subcommittee on Terrorism, Unconventional Threats and Capabilities meets this morning to assess the new asymmetric threat of cyber terrorism. In particular, we would like to have a better understanding of this threat against the Department of Defense (DOD) information technology (IT) systems and networks.

    Information dominance is a cornerstone of the Department's force transformation in the 21st century. We have witnessed these remarkable technological capabilities—from sensors gathering intelligence to sending that information to shooters in the air or on the ground or both. And both in Operation Enduring Freedom and Operation Iraqi Freedom, these issues were crucial.

    This incredible transmission of data was accomplished with greater accuracy, in a shorter amount of time and with fewer casualties. Armed with these incredible capabilities, our military forces have gone into battle with more situational awareness than any other troops in history.

    While new technological advances bring information superiority, it also brings new responsibilities and new challenges. Technology evolves rapidly.

    While programmers and software developers build more advanced systems to run more tasks, criminals become more creative in their methods to break into these systems. Their purpose may be to steal information, wreak havoc or send out false commands or information.

    Without a defense-wide information assurance policy and implemented practices, the Department of Defense's networks may be vulnerable to anyone who has a computer, the knowledge and the willpower to launch cyber attacks.

    Information assurance (IA) is a critical issue in the Department because it operates approximately 3 million computers, 100,000 local area networks and 100 long-distance networks. These systems, which include military service-based, joint defense and intelligence computers and networks, are part of the Global Information Grid (GIG), part of which is dependent on commercial civilian systems.

    All of these systems are susceptible to acts of cyber terrorists 24 hours a day. I wholeheartedly agree with Secretary of Defense Donald Rumsfeld that IT is the enabler behind defense transformation.

    What we need is the ability to leverage the technology and commercial best practices to ensure the security and integrity of the Department's networks. This is a major undertaking with extraordinary consequences.

    While the subcommittee recognizes the critical efforts and difficulty of implementing the Defense-wide Information Assurance Program (DIAP), concerns have been raised that there is not sufficient oversight or management at the Department to achieve the objectives contained in the program.

    The subcommittee is interested to learn more about the Department's information assurance policy and the immediate and potential cyber threats against the Department's IT systems and networks. Additionally, the subcommittee is interested to learn about the procedures or defense mechanisms presently in place at the department to counter cyber attacks.

    Finally, the subcommittee would like to know more about the processes or best commercial practices that private industry has implemented to handle cyber security issues and whether these practices are applicable to the Department. This hearing will attempt to determine what progress the Department has made in implementing its DIAP.

    We are also interested to learn what challenges lie ahead for the Department as it confronts cyber terrorists in cyberspace.

    I would like to yield at this point to Mr. Meehan, our ranking member, for any comments he may wish to make.

    [The prepared statement of Mr. Saxton can be viewed in the hard copy.]


    Mr. MEEHAN. Thank you, Mr. Chairman. And I commend you for holding this hearing. And I join you in welcoming our guests this morning.

    Mr. Chairman, I view information technology or IT as critical to both the national security and the economic strength of the United States. You may remember that at a hearing this past April, I raised this very point and questioned Secretary Stenbit about his vision of IT for enabling military transformation.

    We heard a great many things that day. And many were positive. Yet we also learned that all is not rosy.

    Many of the existing DOD IT systems remain redundant, outdated or inefficient. And many are vulnerable to cyber attacks from terrorists, criminals, hackers and even foreign intelligence services.

    That day's testimony also brought forth the importance of the Department of Defense IT modernization budget, something that our panel subsequently proposed to cut. This cut, nearly $2 billion, is currently under consideration before the full House-Senate Defense Authorization Conference. And as I have said before, I question the wisdom of such a proposal.

    Today, we receive further testimony about the increasing nature of threats to the information systems, the pervasive weaknesses to the DOD IT systems and the challenges and proposed solutions that we must consider. I am particularly concerned with the status of the Department's enterprise architecture and the investment management controls needed to implement it.

    But my concern also includes our Nation's overall approach to this evolving and growing challenge during this era. I hope that today's guests will help us better understand these issues and also, I think, assist us in our efforts to plan down the road, for we have many, many important decisions that must be made, both in terms of this subcommittee and the full committee. And again, Mr. Chairman, I thank you for putting this hearing together.

    Mr. SAXTON. Thank you, Mr. Meehan. We have one very distinguished panel today. We are very pleased to welcome you all here. And let me just, by way of introduction, say that I would like to welcome Professor Eugene H. Spafford, who is the director of Purdue University's Center for Education and Research and Information Assurance and Security.

    We also will hear from Mr. Robert F. Lentz, director of information assurance, Office of the Assistant Secretary of Defense for Networks and Information Integration and the Chief Information Officer (CIO) at the Department of Defense.

    In addition: Mr. Robert Dacey, Director of the General Accounting Office technology team; and Mr. Scott Charney, Chief Security Strategist for the Microsoft Corporation.

    Welcome. And thank all of you for coming. I know that you have obviously made some sacrifices to be with us here today. And we appreciate your time and effort to get here.

    At the outset, I would like to ask unanimous consent that all members' and witnesses' written opening statements will be included in the record. And also I would like to ask unanimous consent that all articles, exhibits and extraneous or tabular material referred to be included in the record. Without objection on both counts, so we will begin to hear from our witnesses.

    Professor Spafford, if you would like to begin, we would appreciate it.


    Mr. SPAFFORD. Thank you, Chairman Saxton and Ranking Member Meehan and members of the committee. Thank you very much for inviting me here to speak to you.

    This is an area where I have been conducting research and education for 20 years. And it is one of great importance to the country and to me as well, as an individual.

    I have provided in my written testimony background and history of a number of the software threats that can be committed against our infrastructure, our information infrastructure. And I am not going to go into detail on all of those here.

    I would like to single out two of those issues in particular that I believe are particularly important. As you know, we have an extremely well trained, well equipped military. And they demonstrate their excellence repeatedly on behalf of the country.

    However, the technology and the training that they have is very dependent upon the information technology that they use. There is computing technology at the heart of the command and control systems, communications systems, smart weapons systems and the logistics that provide the material that they need to carry out their mission.

    If that is disrupted, if that is altered, if that is denied, it creates a great hardship and puts them in harm's way, as well as interfering with their missions. So of the many issues that face them, I believe there are two that we should consider especially.

    The first is that over the last two decades, we have adopted a policy, we followed a policy of using COTS products—commercial, off-the-shelf products—whenever possible. This has had great benefit to our military and to our taxpayers because the software has developed very quickly. We have been able to get advanced software quickly, deploy it and use it in a cost-effective manner to provide capabilities that our military might not otherwise have.

    There is, however, a downside to our increasing dependence upon the commercial, off-the-shelf products. Most of those products are not written to be used in an environment where there is significant threat.

    Today's threat environment is major. We have, as was noted in your opening remarks, attacks being committed by hackers, by anarchists, by criminals, probably by foreign intelligence services and, in some cases, perhaps more active attacks against our resources.

    The COTS products have not been developed to be reliable and robust under those kinds of circumstances, particularly when used in high-stress environments such as occurs in the battlefield. We have furthermore gone to a very small set of COTS products for a majority of our platforms. And this forms a near monoculture.

    When a new attack is found that is effective against one of these products, it sweeps through the entire network, not only the military, but government, academia and the public infrastructure. This should be of great concern to us, that these points of weakness occur.

    And it is not just a few now and then. The Computer Security Emergency Response Team Coordination Center (CERT CC), the response center at the Software Engineering Institute (SEI), noted that last year there were 2,000 vulnerabilities reported for common COTS products alone.

    This means that operators of systems may be in the position of applying three to five security-critical patches per week to every system under their control. That really is unacceptable for us to be in a state of high readiness.

    The second issue that I believe bears considerable concern is the fact that much of this software, and an increasing amount of this software, is being written by individuals that we would not allow into the environments where it is operated. And the reason for that is because they are not U.S. citizens. They have criminal records. They do not have any kind of background check.

    A recent study that I saw quoted in a newspaper article said that 80 percent of all of our software companies either currently outsource to other countries some of their development or are planning to do so. This is wonderful for the world economy. It is very good for our U.S. economy.

    It provides low-cost labor that allows our companies to compete better and produce software more effectively. But it also introduces a tremendous vulnerability to our systems because the software is being developed, sometimes tens of millions of lines, by individuals whose motivations and agenda may not be fully known.

    We do not have the tools or the technology to fully examine that software to understand all of the features that may have been added without our request. As a result, we may be placing some of our critical operations and their personnel in danger from hidden logic bombs, Trojan horses and other kinds of malware that will have been written into that software.

    This is something that we need to be very cautious about and rethink our policies, as to how we are obtaining software and deploying it.

    With that, I will leave any further comments in response to your questions. And I thank you for your attention.

    [The prepared statement of Mr. Spafford can be viewed in the hard copy.]

    Mr. SAXTON. Thank you very much. Mr. Dacey.


    Mr. DACEY. Mr. Chairman and members of the subcommittee, I am pleased to be here today to discuss the status of efforts by the Department of Defense to protect its information systems from cyber attacks.

    As you requested, I will briefly summarize my written statement.

    Dramatic increases in reported security incidents, the ease of obtaining and using hacking tools, the steady advance in sophistication and effectiveness of attack technologies, dire warnings of potential and more destructive attacks, including combined cyber and physical attacks, an increasing dependence on and standardization of information systems continue to evidence the growing threat of cyber attacks to our infrastructures.

    The potential sources of attacks include individuals and groups with malicious intent, such as crime, terrorism, foreign intelligence gathering and acts of war, as well as insiders. At the same time, although there have been some individual agency improvements, our most recent analysis of audit and evaluation reports for 23 major federal agencies continued to highlight significant information security weaknesses that place a broad array of federal operations at risk.

    Concerned that significant weaknesses in federal information security make them vulnerable to attack, in October 2000, the Congress passed and the President signed Government Information Security Reform Provisions, commonly known as GISRA, requirements that are now permanently authorized and strengthened through the recently enacted Federal Information Security Management Act, or FISMA.

    In its fiscal year 2002 GISRA report, DOD reported that the Department has an aggressive information assurance posture and highlighted several initiatives and accomplishments, which include development of an overall Department-wide strategy that identifies goals and objectives for information assurance and in the process of aligning its strategic objectives and the strategy in developing milestones and performance measures for gauging success; two, the issuance of numerous information security policy directives, instructions, manuals and policy memoranda to establish a Department-wide information assurance policy framework; three, completing certification and accreditation of security controls for a sample of its networks; and four, significant progress in developing network defense capabilities.

    However, DOD's reporting also acknowledges that a number of challenges remain for the Department in implementing both its policies and procedures and statutory information security requirements, including: completing actions to correct reported material weaknesses in information assurance; implementing key FISMA requirements for the systems reviewed. And another challenge will be eventually expanding FISMA reviews to all Department systems and networks.

    Our past work has shown that an important challenge Federal agencies face in implementing information security management is ensuring that they have appropriate management structures and processes in place to strategically manage information security, as well as ensure the reliability of performance information.

    For example, disciplined processes can routinely provide the agency with reliable, useful and timely information for day-to-day management of information security. DOD has undertaken its Defense-wide Information Assurance Program, or DIAP, to promote an integrated, comprehensive and consistent information assurance practice across the Department.

    However, as indicated by the GISRA report, DOD's audit community indicated that DOD did not yet have a mechanism in place for comprehensively measuring compliance with department policies.

    With the first agency reporting under FISMA expected in September of this year, updated information on the status of DOD's information assurance efforts will be available for continued congressional oversight.

    Mr. Chairman, this concludes my testimony. I would be pleased to answer any questions that you or other members of the subcommittee may have.

    [The prepared statement of Mr. Dacey can be viewed in the hard copy.]

    Mr. SAXTON. Thank you very much, Mr. Dacey. Mr. Lentz.


    Mr. LENTZ. Thank you, Mr. Chairman and members of the subcommittee. I am honored to be here and pleased to have the opportunity to speak with your committee as the DOD Information Assurance, or IA, Director about actions the Department of Defense is taking to address the threats to the security of its network, systems and information.

    We have and continue to make significant progress in our quest to secure and defend our computer networks. This committee has been briefed extensively on leveraging information technology to create a seamless, interoperable, net-centric environment.

    I must underscore that our dependence on information technology is critical. IT and IA go hand in hand. The criticality of protecting and defending our information has become even more important as our adversaries see the way we conduct operations, both in peace time and in war time. In recognition of this, the Secretary established the protection of U.S. information networks from attack as another foundational transformation goal.

    And Mr. Stenbit, the CIO, recently testified before your committee and has made IA one of his top three goals. To guide and manage the Department's IA portfolio, we established, with strong congressional support, the Defense-wide Information Assurance Program, the DIAP.

    The DIAP is critical to guiding DOD investments, promoting enterprise decisionmaking and interoperability and is responsible for overseeing policy and architecture development. To enable transformation to net-centric operations, we are executing a comprehensive IA policy framework.

    We have also designed an IA strategic plan that provides a corporate blueprint to leverage IT for business and warfighting environments and are in the process of developing a comprehensive IA end-to-end architecture to tie all the pieces together.

    In addition, an IA senior, two-star working group has been put together to provide oversight over all these IA activities. This group has challenged us to make the policy process more open, visible, collaborative and, as a consequence, faster.

    We are working with the private sector, the academic community and our closest allies to ensure sound management practices for governing our vast network. Our IA strategic plan, our road map, has five major goals.

    Protecting information is goal one. This means that all information must be protected from end to end and through its life cycle from our most sensitive nuclear command and control to business transactions.

    DOD has already invested in programs such as public key infrastructure, biometrics and a common access card program, so that by the end of the year, nearly all DOD personnel will be outfitted with a capability for identifying themselves and accessing the network. It is a world-class network. We are also aggressively modernizing all of our cryptographic systems.

    Goal two is defending the system and the network. Specifically, we must be able to recognize, to react and to respond to threats.

    DOD systems and networks are constantly under attack and must be continuously defended, 24 x 7. Intrusion attempts into DOD continue to grow. And the speed and complexity of these attacks are increasing. Last year, we successfully defended against approximately 50,000 attempts to gain root-level access into the DOD network.

    Goal three emphasizes situation awareness in IA command and control. We must provide the combatant commanders sufficient visibility into their network's threats and into their operations to gain full awareness of their situation at all times. This extends to other government and private sector partners as well. In addition, our international allies are closely aligned with us in this strategy.

    We must be able to proactively defend our forces, both at home and globally. The growing sophistication of attacks makes speed of detection and response absolutely essential.

    Goal four is focused on process improvements and research. We realize DOD is not an island. The net-centric warfare environment requires innovation.

    We have published our IA hardest problems to challenge the research community to help us develop new capabilities. We are also challenging industry to be more responsible in the security of current commercial software products and are aggressively looking at ways to improve the overall software assurance area. DOD is actively enforcing security testing.

    Lastly and most important is goal five, which focuses on creating an IA-empowered workforce that is trained, highly skilled, knowledgeable and aware of its role in assuring information. We are leveraging initiatives to create centers of academic excellence, now up to 50 universities and colleges around the United States, as well as IA scholarships with the goal to improve our recruitment and retention.

    Through efforts like these and our system and security administrative efforts, we are certifying our system administrators. And we are beginning to make significant progress overall in empowering our workforce.

    The Federal Information Security Management Act of 2002, FISMA—as Bob was talking about—is the most influential statutory requirement for DOD with respect to IA. The policies and strategic plan I described for you are our tools to meet those responsibilities. And we take them very seriously.

    In both the 2001 and 2002 GISRA reports to Congress, the Office of Management and Budget (OMB) mentioned that in the training and incident response areas within the Department of Defense, we excel. And in fact, our Incident and Response Center is an integral part of the federal community's cyber warning network, set up soon after 9/11.

    We have road maps. And we are working diligently to improve our system certification and accreditation practices and databases that will help us track those certifications. This is a very important priority of ours.

    The challenges we face are similar to those found throughout the government and industry and with our allies. Size, global presence, dynamic technical and operational requirements all contribute to the complexity of our environment.

    But we are adapting. We are making progress. We are managing the risk and are managing it successfully across all of our national security missions.

    Most important, however, our progress is reflected in our ability to act as an enabler, not an impediment, in the conduct of net-centric operations in several theaters around the globe.

    I appreciate the opportunity to appear before the subcommittee and look forward to your continued support and questions. Thank you.

    [The prepared statement of Mr. Lentz can be viewed in the hard copy.]

    Mr. SAXTON. Thank you very much for your statement. Mr. Charney.


    Mr. CHARNEY. Chairman Saxton, Ranking Member Meehan and members of the subcommittee, thank you for the opportunity to appear here today. As Microsoft's chief security strategist, I oversee the development of strategies to implement our long-term trustworthy computing initiative, the objective of which is to create more secure software, services and infrastructures.

    At Microsoft, we are deeply committed to cyber security. And we recognize our responsibility, as well as the responsibility of our industry, to make our products ever more secure.

    It is for this reason that our trustworthy computing initiative is our top priority and involves every aspect of our company. The focus of trustworthy computing is on four key pillars: security, privacy, reliability and business integrity.

    The security pillar is most relevant for today's hearing. Here, we work to create products and services for the Department of Defense and for all of our customers that are secure by design, secure by default and secure in deployment.

    Secure by design means two things: writing more secure code and architecting more secure software and services. Secure by default means that computer software is secure out of the box, whether it is in a home environment or an IT department.

    Secure in deployment means making it easier for consumers, commercial and government users and IT professionals to maintain the security of their systems. One thing is clear: no matter the investment, there will be vulnerabilities in complex software.

    Last week one was discovered and patched for Windows Server 2003. While disappointing, all platforms—including Windows, Linux and Unix—will have vulnerabilities.

    Today, however, Microsoft is making unprecedented efforts to create secure code. And we have also provided a state-of-the-art Security Response Center.

    Notwithstanding the robust nature of our own efforts, we recognize that trustworthy computing and improved cyber security will not result from the efforts of any one company alone. As described in more detail in my written statement, we work with industry and government leaders to make security a reality for the entire industry.

    We are also committed to working closely with DOD to support its information technology and research. For example, we are providing DOD with patch management solutions and developing tools to increase DOD's efficiency while properly controlling access to sensitive information.

    Additionally, using commercial, off-the-shelf applications such as Microsoft Exchange and Outlook, we are supporting the Defense Messaging Service.

    I would also like to spend just one moment talking about some of my experiences at the Justice Department. That experience suggests that the government generally, and DOD in particular, faces new challenges in cyber space.

    The notion that only states have access to weapons of war is no longer correct, at least not if information warfare is considered. Simply put, we have distributed a technology that is far more powerful than most that have been placed in the public domain.

    Although the Defense Department has traditionally focused on states of concern, it must now concern itself with terrorist groups and individuals of concern, a far larger pool and one that is harder to identify and police. Today, an attack upon DOD may come not only from a foreign nation or a terrorist group conducting information warfare, but also from juveniles on the West Coast, as it did in Solar Sunrise, the case name for a widespread attack against DOD that appeared initially to come from the Middle East.

    To the extent the nation detects a cyber attack but does not know who is attacking—a juvenile, a criminal, a spy or a nation state or terrorist group bent on committing information warfare—the role of the Department of Defense may not be entirely clear.

    In the face of this cyber security challenge, I want to outline a few specific areas where government policy can be particularly helpful in promoting cyber security within the government and throughout our infrastructures. First, the government can lead by example by securing its own system through the use of reasonable security practices, such as buying products evaluated and certified under the common criteria.

    We applaud DOD's recent efforts to make clear that its security policies apply to all software, regardless of development and licensing models.

    Second, we support additional federal funding for cyber security research and development. And it is equally important that the government maintains a traditional support for transferring the results of federally funded R&D under permissive licenses to the private sector.

    Third, government has a critical role to play in facilitating information sharing. In short, the government must be an active provider, as well as an avid consumer of, valuable threat and vulnerability information.

    In closing, Microsoft is committed to strengthening the security of our software and services and is equally committed to working with Congress, DOD, other government agencies and our industry peers on security issues, whether by offering our views on proposed regulatory or policy measures or participating in joint public and private security initiatives.

    [The prepared statement of Mr. Charney can be viewed in the hard copy.]

    Mr. SAXTON. Thank you each very much. We are going to go to Mr. Meehan first for questions. But at least let me make an observation, if I may, in thanking each of you for your opening statements. It is impossible to listen without being concerned because of the challenges that you have each outlined in a slightly different way. So it looks like we have a big job ahead of us. And we want to be partners of DOD in helping to solve or bring into focus—clear focus—some of these issues that we need to deal with. And so we look forward to working with you. Mr. Meehan.

    Mr. MEEHAN. Thank you, Mr. Chairman. Mr. Lentz—and actually, I would appreciate it if all the witnesses could comment on this question—it is my understanding that large portions of the commercial off-the-shelf software may actually be produced outside the United States. The media has reported that software production is moving offshore to India, due to cheaper labor costs.

    How can we ensure that the software is not corrupted by unscrupulous persons or even, in some instances, our allies? And how can the Department of Defense create secure computing capabilities using this COTS software that may have been produced outside of the United States?

    Mr. LENTZ. Thank you, sir. That is a very important priority of ours within the Department of Defense and, for that matter, throughout the entire community.

    The President challenged us over a year ago to begin working in earnest to get a handle on that particular issue. We have a very aggressive series of working groups going on within the community as we speak, to identify a very definitive course of action on how to address that particular problem.

    I will tell you that clearly one of the big gaps that needs to be filled immediately is the need to do more research in this area. We, I think, have to live with the reality that products and software are going to be designed overseas. That is the nature of the world we live in.

    But I think by putting in investments in research and technology, we can develop the right tools and techniques to be able to allow us to inspect that software—we hope—in a way that we can have higher confidence in its implementation within DOD or within other infrastructures. But it is clearly a major concern of ours. And I will underscore that we have a series of working groups working throughout the community. And we are going to work with industry and the academic community in order to deal with it.

    Mr. MEEHAN. Mr. Charney, I am interested——

    Mr. CHARNEY. Yes, as a large software developer, I would like to address this question. And I might respectfully suggest that we might be asking the wrong question. And I say that because although most of our core components and our core products are developed in the United States, if you walked around the Redmond Campus, you would get quite an international flavor.

    And at the same time, we have to remember that Timothy McVeigh and Aldrich Ames and Robert Hanssen were all Americans. And two of the three had security clearances.

    I think the issue might not be where the code is developed, but rather the quality assurance techniques that are placed around the code. So one of the things you have to have is very rigorous processes in place to examine your code, test your code and have quality assurance built in, so that you know the code——

    Mr. MEEHAN. Would you agree that it would be more difficult to do that with software made outside of the United States?

    Mr. CHARNEY. It depends on the development process. Although most of our software is here, if you are getting components from overseas, for example, and actually reviewing, the vendors reviewing the quality of the component and testing the component, you will know what is in your code.

    And the difficulty is, as well, that a lot of code developed in the United States is actually developed by foreigners who are residing here and doing software development. So it really comes back to quality assurance for the code.

    Mr. SPAFFORD. I would echo Mr. Charney's comments that the location where the code is produced is not the only factor. It certainly has a great deal to do with the parties involved, their training, the tools available to them.

    As an underline to this, it is really going to be, unfortunately, a question of cost and time. To get higher assurance of software may require that the U.S. government have a process for obtaining source code and running extra tests against that code or extra examinations.

    That will undoubtedly cost more to acquire than simply buying it in bulk and shrink-wrapped packages. However, for mission-critical applications where we have to depend on that code, I think it is certainly important that we do so.

    The current quality assurance methodologies that are being used allow literally hundreds of software flaws to slip past. So clearly, what we are doing now is not going to be sufficient.

    Mr. DACEY. I would also echo the comments that it is certainly a challenge and it does need to be looked at. And certainly, GAO is working on a request right now from Congress to look at that in certain areas.

    In terms of the process though, there needs to be a quality assurance process built in to provide some reasonable assurance that something has not gotten in there, whether it is intentional or unintentional, into that code. And the challenges of that are, if someone else is developing it, coming up with—I agree with Mr. Lentz—research and development.

    It is very difficult right now to fully analyze the code. And I think some additional research would be certainly appropriate to try to find better ways to look at it for these kinds of problems.

    Mr. MEEHAN. Let me ask each of the panelists again, is there any analysis of terrorist organizations' plans to grow cyber terrorism capabilities? In other words, are there terrorist training camps for computer geeks, designed to raise the skill level of cyber terrorists?

    Is there any analysis or evidence that any of the panelists could present to the committee?

    Mr. LENTZ. Well, I think probably that might be left for a classified discussion. I think we can provide you more details on that at a later time.

    [The information referred to can be viewed in the hard copy.]

    Mr. SPAFFORD. I will observe that there are bulletin boards and discussion lists where techniques are taught, where tools are available, so that anyone—and as Mr. Charney mentioned earlier, even juveniles spending a minimal amount of time online are able to learn some very sophisticated attack methodologies, download those tools and modify them for their own use.

    So we have, perhaps, a virtual worldwide training camp going on, on a regular basis, of individuals with various motivations using these tools and techniques, trying them out against our civilian and military infrastructures around the world.

    Mr. MEEHAN. I will stop here.

    Mr. SAXTON. Thank you. Dr. Spafford, help me with some terms. If we talk about a system or systems, can you just define for us what we are talking about when we use the term ''system?''

    Mr. SPAFFORD. That, sir, is a bit difficult because of the interdependence of communications and distributed processing that currently occurs. Sometimes, a system will be a stand-alone computer with memory and input-output devices.

    Other times, a system requires the interoperation with other computers in other locations, such as a sensor network system or a communications system that requires processing nodes at different locations with wires between them. All of those as a system, however, behave at their heart as a processor that takes information in, manipulates it, puts it out and may have local storage. And that is about as close as I can come, sir.

    Mr. SAXTON. Right. Mr. Lentz, DOD systems have grown up in a, I guess I would call it, appear to have grown up in a kind of a fragmented way. None of the services has a system, a single system, from what we have been able to understand. And the systems have grown up as, I guess the term we use around this institution is a stovepipe effect.

    And we know that is true because now, for the first time, the Navy and Marine Corps are trying to develop the Navy-Marine Corps Information System. And that is hard to do because of the fragmented nature of the way we develop the system. Do we know how many systems, following the definition of Dr. Spafford, we have in DOD?

    Mr. LENTZ. Yeah, I agree with the doctor. It is a very difficult question to answer because you have so many different ways to look at it.

    You have local systems that could be on an Air Force base, isolated in one department versus integrated networks that tie multiple systems together. It is an extremely hard question to answer. But I do believe——

    Mr. SAXTON. It is hard just to define the term ''system,'' is it not?

    Mr. LENTZ. It is.

    Mr. SAXTON. To know what a system is? If it is hard to define the term system and we have all these interrelated, sometimes independent, sometimes systems, how do we secure them? If we cannot get our arms around what the system is and where they are and how many we have, how do we secure them?

    Mr. LENTZ. Well, I think the one way that we are addressing that within DOD is we most recently put out a DOD IA policy. In fact, it is our capstone policy for information assurance. It was put out in October of last year.

    We identify a number of parameters. And it really comes down to providing what we call designated approval authorities, or DAAs, who are responsible for identifying those systems or networks that they believe they are responsible for within their area of responsibility.

    And in working with their CIOs, they then will put together the right template of areas of responsibility. And through that process, we are enforcing certain security controls that they will have to make the risk management decisions on.

    So we are following this new IA policy. And it has been our top priority, over the past couple of years, to get this policy out.

    And we are very pleased that it is out on the streets. And that is going to be the mechanism we are going to use to bring all these pieces together to provide the right governance for the overall network.

    Mr. SAXTON. Mr. Dacey, is this a problem?

    Mr. DACEY. I think one of the challenges is trying to figure out how you put this group of systems together. Some of the discussions we have had here on interconnectivity are probably the most challenging because even if you define systems across any agency, there is likely to be interconnectivity that you have to consider.

    So in looking at security, one of the ways in which FISMA is addressing some of those challenges is to require the development of different risk levels and minimum standards for each of those risk levels. And given that, if we have a process where we can at least identify what the risk level of that system is, which would include all the relevant data and processing capabilities, then you can better understand connectivity.

    And you do not want to have situations where you have a high-risk system attached to a low-risk system and not have good controls between those two. So I think that will be a key effort.

    I would note that the Department of Defense, in their policy, actually has already developed a structure of risk levels, as well as connectivity agreements, on how those systems can be connected in a process. So that gets to be the key, is really identifying what is the sensitivity or risk in these systems and making sure that we are protecting the boundaries and the interconnectivity of those systems with others. And I think that is going to be the challenge for the federal government as a whole.

    Mr. SAXTON. Mr. Lentz, have we identified all the systems?

    Mr. LENTZ. It goes back to what I said. We are in the process, following the policy that Mr. Dacey talked about, which we are very proud of because it is providing that template.

    We have three areas we call mission-critical, mission support and administrative. And in regards to Dr. Spafford's area, that might be the template in how to overlay software assurance at some point in time, in terms of focusing on maybe those three areas.

    But the policy lays that out. And that will provide us the road map in order to be able to pull together, using these designated approval authorities with the CIOs, what is going to be the overall way we are managing the network.

    Mr. SAXTON. Thank you. Mr. Charney, is this an issue that is of concern in the private sector?

    Mr. CHARNEY. Oh, absolutely. I mean, one of the difficulties is getting your arms around the problem. And what most people focus on is people, process and technology.

    And this is an oversimplification. But if you think about the highway system, for example, you have a lot of different entities that build roads.

    You have a lot of different entities that test drivers. You have a lot of different entities that make sure that cars meet certain standards.

    But at the end of the day, when you think about people, you want drivers to be trained on how to use the cars effectively. You want processes in place, like rules of the road, that everyone adheres to. And you want technology that is safe.

    And in some respects, that applies to this too. You want users to be trained on how to use the technology safely. You want IT administrators to know how to secure their systems.

    You want processes in place, which means you want accountability for who is responsible for security. You want a documented information security program.

    And then you want to buy good technology that enables those people and processes. And you actually have to take each piece and then make sure that each one is done well.

    Mr. SAXTON. Thank you.

    Mr. Dacey, where do you think we are, in terms of meeting the goals that need to be met by DOD, with regard to the general subject of cyber security?

    Mr. DACEY. I think in an overall analysis, I would look at the work that is being done for their FISMA reporting. I think on the positive side, there has been an acknowledgement of what the challenges are. There has also been a lot of work that is being done to implement a security framework, which we have recommended in our prior report.

    So there is certainly quite a bit of effort taking place there. At the same time, there are a number of challenges, which I think DOD has acknowledged in their reporting and is setting out this strategy and currently developing a more detailed plan, I believe, and guidelines and goals, timeframes, if you will.

    So I think those are going to be important to continue to look at in the process. At the same time, I would like to acknowledge that DOD has been, given its challenges, DOD has been at the forefront of many information security initiatives in the federal government.

    We have been doing work there over a number of years. And certainly, they started doing red team testing, which is actively trying to break into systems, in the early to mid-1990s, before most agencies had thought about it.

    They had also developed a process, at least within the Defense Information Systems Agency (DISA), to set standards and measure those standards from management, not from the auditor, but management doing that. So there have been a number of efforts underway that have really been at the forefront.

    At the same time, the whole government is challenged, as we reported, with security issues.

    Mr. SAXTON. Thank you very much.

    We are going to move to Mr. Larsen now. We are also going to move to use the five-minute rule at this point. There is obviously a lot of interest and many members here to ask questions.

    So Mr. Larsen, if you would like to begin?

    Mr. LARSEN OF WASHINGTON. Thank you, Mr. Chairman. I want to thank you for calling this hearing as well. And given the five-minute rule, I will be hanging around for another five minutes.

    Mr. SAXTON. Let me thank you for advocating for this hearing. This was a great idea. Thank you.

    Mr. LARSEN OF WASHINGTON. Appreciate that very much.

    First set of questions is for Mr. Lentz. And for the panel, I appreciate all of you taking time to come and help us understand cyber security at the Department of Defense.

    Earlier this year, as Mr. Meehan mentioned, Mr. Lentz, the full committee—and this is the subcommittee and the full committee—proposed and passed a cut of $2 billion out of a $28 billion DOD IT budget, on the authorizing side. And that got me thinking about what does that mean for security?

    But it also got me thinking about what that may mean for security. There was a Frontline documentary entitled, ''Cyber Wars'' that ran earlier this year. And I forced some of the committee staff to sit in my office and watch a portion of it on my computer screen to sort of bring these issues out about security.

    Given the cuts that we proposed on the authorizing side and some of the concerns that were brought out through this Frontline documentary, I want to talk about what that might mean—these cuts might mean—for security. Can you just briefly though start by giving me your view, your own description, of what the DOD IT programs play in creating our current joint warfighting capability?

    Mr. LENTZ. Well clearly, as I said in my opening remarks, IT and IA go hand in hand. You cannot have one without the other.

    When I go and visit the combatant commanders and I see the combatant commanders using very aged computer systems in order to operate their systems, it is very troubling. Because you cannot overlay information assurance on an old age technology.

    I talked earlier about public key infrastructure; that is, the common access card that all DOD employees are going to have very shortly. You cannot, as an example, allow a Public Key Infrastructure (PKI) system to be deployed on a Windows 95 system. And there are lots—still—of Windows 95 systems, IT systems out there. It just will not work effectively.

    So as a result, you need IT modernization to be able to do that. And as the chairman was talking about, as you have legacy systems out there, the sooner you get rid of those legacy systems and move to more modern systems.

    As an example, our net-centric enterprise server. It is a very, very essential program. It is the hub of how we are going to move information throughout the department to allow the warfighters to be able to pull information wherever they are going to be around the world. And we know in this global war on terrorism, that is going to be the name of the game.

    And you have to have a modern IT infrastructure at the applications level to be able to allow the users to pull that information. That gives us things like configuration management. It gives us new ways to put patches—as was mentioned by Mr. Charney—down to the lowest echelons of the field. It allows you to manage it to client level. That is all part of IT modernization.

    Mr. LARSEN OF WASHINGTON. I could not agree with you more.

    I want to move forward to one of the questions that emerged from watching this particular documentary. And it has to do with one exercise that was done in 1997-1998 in the Department of Defense called Eligible Receiver. And the results of that were published widely in the public domain.

    And also Moonlight Maze, which was not a DOD exercise, you are probably aware. I was wondering though, Eligible Receiver and Moonlight Maze got me thinking, if we implemented these cuts, how might those cuts erode in key Pentagon capabilities to ensure that there are adequate firewalls or to draw down our ability to keep pace in the future with hackers? If we are making across-the-board cuts in DOD IT programs, at what point does that begin eroding our ability to put in the security to prevent things like Eligible Receiver or a future Moonlight Maze?

    Mr. LENTZ. Well, clearly, what Eligible Receiver did—and Eligible Receiver was one of the red teams that Mr. Dacey was talking about—and what it does, it attacks the weakest point in any network. And once it goes inside the network, it is the soft underbelly.

    And as Dr. Spafford said, the inside problem is probably our greatest problem. But when an outside entity gets in, it can wreak havoc within your network, without a strong IT fabric providing defense in-depth mechanisms to be able to stop and deter an adversary, either coming from the outside or from the inside and also to monitor those activities. And that is one of the keys, to monitor activities, to monitor behavior on the network.

    The Eligible Receivers of the world, the red teams, are going to be able to have their day every single time they launch themselves. And that translates to the adversaries.

    Mr. LARSEN OF WASHINGTON. Thank you.

    Mr. Chairman, at some point, I would like to come back for another set of questions. Thank you.

    Mr. SAXTON. Mr. Kline?

    Mr. KLINE. Thank you, Mr. Chairman. Thank you all for coming today. I want to follow up a little bit on what the chairman was discussing earlier about the Navy-Marine Internet, for example.

    As the department is moving to put everybody on the same page, I am wondering if that makes it harder or easier for people to get into the system?

    Mr. LENTZ. From my vantage point, I think, by having positive configuration control at all layers, I think that only makes it more difficult because it synchronizes all your efforts.

    I often like to use the analogy of I coach little kids on a soccer field. The best way to learn to win on a soccer field is everybody is in their positions and knowing what to do.

    And that is what you do with things like Navy-Marine Corps Internet (NMCI). It has strong configuration management, a system view of that, tying all the pieces together.

    And that is the best way to be able to defend your networks.

    Mr. KLINE. I guess the weakness that seems to occur, sort of intuitively, is if there is only one system, only one Internet, and you get into it, you have hit everybody; whereas, if you have the sort of hodgepodge system we have now, you would not hit everybody at the same time. Is that not so?

    Mr. LENTZ. Well, I know Dr. Spafford has written quite a bit on the idea of the differences between a homogeneous system versus the other side. I think there needs to be a mix of both.

    I think you have to use both techniques in defending your network. That is why you have to modernize at all times, if you know what I mean. I think it does not do you any good to really have chaos on your network if you want to plan to defend it.

    Mr. KLINE. Okay. Assuming that you had a common Internet like the Navy-Marine Corps Internet, how do you address the proliferation of sort of individual systems; that is, that there is a system, an Internet, but each individual sailor or Marine now is running around with his own laptop and his own BlackBerry and his own cell phone and so forth. Is that just a matter of discipline and keeping people from using those?

    Or would it be impossible then for individual systems to access that Internet because of its own protections?

    Mr. LENTZ. Well, first of all, it is something that FISMA advocates and one that we are taking very seriously, which is strong policy controls and enforcement in governance. That is what it really is all about.

    Mr. KLINE. Okay. Thank you. I yield back.

    Mr. SAXTON. Mr. Thornberry?

    Mr. THORNBERRY. Thank you, Mr. Chairman. Let me thank you for having this hearing.

    Over the past several weeks, in Homeland Security, we have had three hearings on cyber security. And one of the things that comes across and one of the reasons it is challenging is because it is a national security, a homeland security, as well as a legal and economic issue and that it is hard to know what level you are dealing with.

    So I guess I would like to ask Dr. Spafford first to just comment briefly, if you will, on cyber terrorism as a national security concern, not an economic security, not stealing a bunch of credit card numbers, not slowing down email necessarily. Help us get a perspective on why the Armed Services Committee ought to be concerned about that.

    In addition, of course, to interfering with the DOD's ability to conduct warfighting, beyond that, as cyber terrorism, why should we worry about this?

    Mr. SPAFFORD. Well, sir, one of the goals of terrorists certainly is to disrupt, to spread confusion, to spread terror. And a way to do that is, in conjunction with a physical event, would be to disable communications to disrupt processing to reduce the responsiveness of agencies to provide aid; those agencies being civilian, as well as some of the military—the National Guard in a state level, for instance, or the military in something of a wide scale nature.

    When they construct cyber threats, these may be untargeted. They can be network, self-propagating kinds of viruses or worms that, because we have a shared kind of architecture, we have shared networks, those would spread not only to civilian infrastructure, first responders, but also into the military systems. Causing that disruption, using them as platforms and amplifiers, would further disrupt those systems and add to their overall goals.

    Mr. THORNBERRY. Thank you.

    Mr. Lentz, it is estimated that something like 90 percent of DOD communications go through public backbone or public systems? I would like to know pretty specifically what communication interaction are you having now with the Department of Homeland Security about trying to protect those systems and about making sure that your reliance upon them is protected?

    Mr. LENTZ. Well, we have and we will continue to have a very, very strong relationship with organizations like the National Communications System that was previously led by DISA that is now in Homeland Security. We have a tremendous working relationship with the National Infrastructure Protection Center (NIPC), which was formerly in the FBI.

    And worked also very closely with Federal Computer Emergency Response Team (FedCERT) at the federal level. So we have and will continue to have a very strong relationship with those entities. In fact, we have put military personnel, as an example, in the NIPC.

    Mr. THORNBERRY. But do you have daily contact now with the Department of Homeland Security?

    Mr. LENTZ. Yes, we do. We work with a number of members of the department.

    Mr. THORNBERRY. Do you talk to them at all about the research? Several times it has come up already, about research into various areas. How is that coordinated? Or are you coordinating at all, the Department of Defense with the Department of Homeland Security? And I realize that is not completely your bailiwick, but——

    Mr. LENTZ. I have had some discussions with them on research objectives. I have not had and my staff has not had specific dealings with them on the research topics.

    But clearly, that is something we have said amongst ourselves, because the national cyber strategy calls it out, as something that we have to collaborate on as they become more organized and be able to deal with these issues.

    Mr. THORNBERRY. Mr. Chairman, I have a number of other questions that I would like to submit for the record.

    But finally, I would like to invite Dr. Spafford and also Mr. Charney to comment on Mr. Kline's question. Because I think maybe Dr. Spafford has a slightly different perspective.

    But Mr. Charney, you have to worry about this too. If Microsoft has the position it has, does that not make us more vulnerable? Because if you break into Microsoft, then you are into all sorts of things. And so, I think it is a good question that I would appreciate a little additional perspectives on.

    Mr. CHARNEY. I would say that actually reasonable minds are debating whether a homogeneous environment or a heterogeneous environment is better and increases or decreases risk. And to be frank, I think there are arguments on both sides.

    The advantage of a homogeneous environment or more of a monoculture is that it is much easier to manage. You train your people on a particular system.

    And they manage that system. They know all the security settings. They can run tools to make sure they have locked it down. When you run a lot of different software in the same environment, you need different expertise. And sometimes, connecting those different systems raises its own vulnerability.

    The flip side is when you have a monoculture, you worry about the risk that if there is an event that affects a particular product, it will have a broader impact. And then the flip side about that is, if that is true and the software vendor is actually very responsive in providing security, then a single patch may take care of the problem. So I think at the end of the day, there are both pluses and minuses. And it is really a question of risk management.

    Mr. SPAFFORD. I would basically echo that there are advantages to having a common platform. The situation here, however, is giving network access, giving computing access to as many individuals as we do, including not only our enlisted personnel, but our contractors and others, perhaps family members of some of the military, in the cases of communicating with their loved ones remotely, is in effect the equivalent to giving an automatic weapon to each one of those individuals without them even knowing that it is an automatic weapon.

    They do not have the training. They do not have the background. The safety is not in place. And as a result, any one of them becomes a potential launching point for a problem. If everybody is using the same platform, that problem has a farther reach.

    So until we get to the point where we have the appropriate training, we have the appropriate safeguards in place for every one of those individuals and the reach of what they do is limited, it is perhaps better to have some partitions in place—some internal firewalls, if you will—that may be also brought about not simply by logical means, but by different vendors and different platforms so that we do not have a wide-ranging incident.

    Mr. SAXTON. Thank you very much for those great questions.

    Mr. Akin.

    Mr. AKIN. Thank you, Mr. Chairman. I do not know if you can answer my question.

    I do recall a hearing, I think it was probably 3 years ago or so, about the fact that one of the most supposedly internally secure of our government databases or files was rummaged through. Somebody had accessed it. And we found out 6 months later, or something like that, that it had been reviewed.

    And they had come and gone. And we had not been aware of it for some time.

    Is there some truth to that? Or is that one of those things that was not supposed to have leaked out?

    Mr. LENTZ. Yeah, I am not particularly aware of the details of that particular topic to be able to answer at this point in time. I am sorry.

    Mr. AKIN. I do not remember the details. Thank you.

    Mr. SAXTON. Mr. Rodriguez?

    Mr. RODRIGUEZ. Thank you, Mr. Chairman. I want to thank you also for holding this particular hearing on cyber terrorism.

    And I live in San Antonio. And I have the pleasure of also having the Air Intelligence Agency there. And we also have the Center for Infrastructure Assurance and Security there at UT at San Antonio.

    I am also pleased that we have the Dark Screen project going on. And maybe later on, we can get a little feedback on what is happening with the Dark Screen exercise in San Antonio that has been occurring.

    But I wanted to also share with you that in the process of going through that Dark Screen that has been going on for about a year, that there has been some real needs that have come up. And one of those has been in terms of looking at how both the private and the public sector—and this goes for Microsoft and the others to maybe provide feedback—there is a real need to see how we can dialogue and communicate.

    No one is willing to share. We have the Federal Bureau of Investigation (FBI) participating, the Central Intelligence Agency (CIA). We have the local government and the mayor, the county government, the state. We have the private sector, some of the banks.

    And maybe you can also give me some feedback on some current laws that we need to look at for sharing, both from private to public, as to how. And we are even having difficulty within the utility companies and the water systems and those kind of things, in terms of that sharing. So I wanted to get some feedback, both from the private sector and maybe from DOD, on those things, especially as it relates to current law that we might have to look at, that we might have to look at changing some of those things.

    Mr. CHARNEY. Yes. So I believe everyone in government and industry agrees that information sharing, especially about threats and vulnerabilities, is critical. Historically, information sharing has not been very good. And there is a host of both cultural and legal reasons for that. From a cultural perspective, governments are used to holding information closely because of its sensitivity.

    And on the industry side, the same can be said. They hold a lot of information closely because sometimes exposing information has business risk, especially vulnerability information. If you disclose vulnerability information without having a patch in place, you really run the risk that your customers will be injured, as opposed to helped.

    And then there are also legal aspects to information sharing. The concern for industry was that if we shared information with the government, it might be released pursuant to a Freedom of Information Act (FOIA) request and be put in the public domain.

    Some of that has been resolved, of course, by exemptions to the FOIA for information that industry voluntarily provides to the government in this regard. There are some who want to roll back or repeal those exemptions. We think they are very important. And they open up a possibility of greater information sharing.

    The other thing I would say is that historically information sharing has occurred when the individuals on both sides—the government and industry person—trusted each other and had a relationship. And what industry and government have been working hard to do, through information sharing and analysis centers and other industry and industry-government groups, is to basically institutionalize the trust; that is, come up with protocols and methods for sharing information that are institutional in nature, so they are not dependent on the personal relationships of the industry and government member.

    And some of those efforts are just starting to bear fruit. And it is important that we, of course, continue to protect this information so that we can share it more freely.

    Mr. RODRIGUEZ. I was wondering maybe if DOD, because I know with Dark Screen, we have had a little difficulty in terms of that sharing and that dialogue and in terms of gathering the information that is needed.

    Mr. LENTZ. Yeah, I am not aware of any difficulties in that area. I know our position has been that we do not believe that additional legislation is needed in this area. We are quite satisfied with the current state in that regard.

    Mr. RODRIGUEZ. Can I ask you specifically? For example, we know and we anticipate that if we have problems, one of the first things of any major attack is going to be through cyber.

    And sometimes, that will come in the private sector, which you might not have any idea that it is coming down. How do we get access to that? And that has been one of the difficulties.

    If they hit, if the intent of a terrorist is to hit the private sector, DOD will be the last one to know if that is the case, unless there is some dialogue going on.

    Mr. LENTZ. Well, I think that is an excellent question. And in fact, I often will say that a great deal of the events that have affected DOD or the nation at large has actually been detected by the private sector.

    And they in fact have notified DOD very quickly upon their detection of those events. And they have helped us analyze those events cooperatively. There has not been any impediment for that sharing of information.

    Mr. RODRIGUEZ. You said there had been no impediment?

    Mr. LENTZ. That is correct.

    Mr. RODRIGUEZ. Because I know it is a concern that the private sector has when they start having difficulties. And I will make the analogy, because I sit on a higher education board, it is difficult to get the universities to report how many rapes they have had on their own campuses.

    And so I know how difficult it is for a company to report how many intrusions they have had or how many difficulties that they had and when they have come. And so the timing is critical. And that is important.

    I do not know if the GAO wants to make a comment on that. But I think that that is one of the areas that we really need to make some inroads.

    Would you want to comment?

    Mr. DACEY. I just wanted to echo what Mr. Charney said. We have done a fair amount of work on information sharing and issued several products which lay out some of the issues. Mr. Charney summarized most of those issues.

    But the other part of that, I guess, is there has been some action—a lot of action—both by agencies, by the private sector and certain provisions of the Homeland Security Act, including a whole section on Information Sharing Act, which is designed to help facilitate the communication of information out to the private sector and sharing information.

    I believe the act calls for reporting by November by the Department of Homeland Security on their plans for doing that. So I think, hopefully soon, we will be seeing some more concrete plans by the Homeland Security Department.

    But they have assumed responsibility for coordinating efforts with the private sector and the federal government on cyber and physical threats.

    Mr. RODRIGUEZ. Mr. Chairman, I apologize for going over.

    Mr. SAXTON. Thank you very much, Mr. Rodriguez.

    Mr. Bartlett.

    Mr. BARTLETT. Thank you very much. As a consequence of 9/11, all of our government agencies and I suspect most of our private sector entities now have a Continuation of Operation Plan; that is a COOP plan.

    If your main facility is gone as a result of a terrorist act, these COOP plans assure that you will be able to continue your operation. I want to use that as an analogy for the cyber concern that we have this morning.

    If the main facility of the FBI, for instance, is analogous to our computer system, I am concerned if it is possible to have the equivalent of a COOP plan. It seems to me that all we are doing now relative to this asset and the fact that we just cannot do without it is the equivalent of putting more guards around the facility, making the fence higher, having a better system to put out the fires more quickly after the event occurs. Is it possible to have the equivalent of a COOP plan? Or are we just through if our computers and that system do not work?

    It appears to me that if it were possible to have a COOP plan where we could make do in the event that we could not expel the intruder and reconstitute the system, that we ought to be doing it. I do not know if that is even doable.

    Have we come to the point where, without computers, we just cannot?

    Mr. LENTZ. I guess the one comment I would say is that as part of our certification and accreditation process that we have within DOD—and I believe it is the same with the national level process—when you do a certification and accreditation, one of the things you have to lay out is COOP issues, continuity of operation, reconstitution of your resources.

    So from a cyber standpoint, we view that as a very critical element of any certification and accreditation of a network.

    Mr. BARTLETT. So is that just starting up another capability at another site? The presumption here, I think, is that an intruder could just simply take down our system. If the system is taken down, you cannot reconstitute the system.

    Is there a way of doing what we are now doing without the computers? Or are we just through if we do not have the computers? Is this the Achilles heel? Is this an insult for which we have no response?

    Mr. CHARNEY. I guess what I would say is certainly computers and networks today are a critical asset. And there are a lot of other critical assets that, you know, if you think what would happen if the water supply went away or the power supply went away.

    These networks are critical in that regard. But having said that, there is a lot of resiliency and redundancy built into the network. And when the networks have been broadly affected, they have been reconstituted fairly quickly. And so yes, we are heavily reliant on them. If they went away, it would be really hard to live our lives as we are used to. And that is why we need to protect them and build in appropriate redundancy and resiliency.

    Mr. BARTLETT. Is anybody looking at what we would do if they went away and were not coming back?

    Mr. CHARNEY. I think the answer to that, in terms of having a disaster relief plan that says there are no computers in the world, I would be surprised if anyone is planning for that contingency. I would say probably not.

    Mr. DACEY. I would just like to add the point that I think that continuity of operations is a critical element of information security. Obviously, you need to secure your networks and systems to the extent you can. But in the event of something happening, you need to be prepared not only to have the plan, but to test it.

    In terms of our analysis of the federal agencies as a whole, that is probably one of the most critical issues is the lack of testing of these plans—if they exist—to see if they work. So I think that is important. And I think those plans need to consider the criticality of those systems.

    I think it would be hard to imagine a lot of functions happening without those systems in place, particularly with the high volume transactions and real-time nature of many of our commerce and the things we do. So I think we need to plan to have that capability to come back.

    And that can be done in different ways. That can be done through a very sophisticated process of concurrent processing so that if one site goes down, the other immediately takes over.

    But that gets into assessing the sensitivity and criticality of those systems. And your plan needs to take that into consideration. So if you have a highly critical system that you really need to have, you better be putting in extremely strong procedures to come back, not only of the system, but the people that operate and maintain the system are as important as well.

    Mr. BARTLETT. That is a bit like putting out the fire quickly. But it is not really a COOP. So I wonder if the professor has an observation on this, if you had looked at that, sir.

    Mr. SPAFFORD. Very quickly, sir. Taking out all of the computers would be a very difficult thing to do. However, there are key points where there are potential threats. They may not be very large at the moment.

    For instance, I believe Mr. Kline noted that we have 90 percent or so of our communications traffic going through commercial networks. If a number of communications satellites or major links were taken down, that would be very disruptive of our systems. I am not sure how well we would be able to recover full capacity as a result of that.

    And then to follow up on Mr. Dacey's remark, we have not really tested many of these things. Our systems and interconnections are so complex that there are emergent effects that we have not anticipated and cannot anticipate until potentially they occur. So I do hope that there is considerable planning going into redundant systems. But we may not know until an incident actually occurs.

    Mr. BARTLETT. Thank you, Mr. Chairman.

    Mr. SAXTON. Thank you.

    We are going to go to Mr. Meehan and then back to Mr. Wilson.

    Mr. MEEHAN. I think I will submit my question for the record in the interest of time. I know Mr. Larsen has some questions as well. But I just want to comment, this has been an excellent panel. The information has been very, very good. Thank you.

    Mr. SAXTON. Great staff work.

    Mr. Wilson.

    Mr. WILSON. Thank you, Mr. Chairman. And thank you all for coming today. I apologize that I was late.

    But what you are doing is so important in working together. This is very interesting. And I appreciate what you have done to protect our country.

    A question that I have is: is there an analysis of terrorist organizations' plans to grow their cyber terrorism capabilities? And for all of you, does anyone know if there are any terrorist training camps for computer experts, designed to raise the skill of cyber terrorists?

    Mr. LENTZ. I think earlier we talked a little bit about that. And we can provide you classified information later on for the record on that particular issue if you would like.

    Mr. SPAFFORD. I will reiterate the comment I made earlier that there is a great deal of information in the public domain on the networks, even in the bookstores, that anyone can become a terrorist effectively, similar to downloading plans on how to make a fertilizer explosive. They can do the same thing in cyber offense.

    Mr. DACEY. I would also reiterate the same comments. If someone were really intent on doing it, it would not take them a great deal of effort to become fairly knowledgeable and to be able to use fairly sophisticated tools—but easy to use tools—to launch attacks.

    Mr. CHARNEY. I think we have to assume that, as people become more computer literate, including our adversaries and terrorist groups, they will be more prone to use this technology since it has global reach. And it is very hard to trace back events to their source.

    So there are a lot of reasons this could be a medium of choice for those kinds of attacks. And we have to prepare for it.

    Mr. WILSON. In taking into account what Dr. Spafford said about public domain, could you share with me your perspectives about the "Introduction to Hacking" sites on the Internet, which list known vulnerabilities in computing and communications systems? And in particular, who would post that? And for what purpose?

    Mr. SPAFFORD. Well, there are a number of different motivations that have been expressed. And talking to some of the individuals, I believe they are sincere.

    There are some individuals who believe that this is the only way to get vendors to respond to fixing those problems. And historically, that was true. I am not sure that is the case now. I know some companies such as Microsoft are very, very aggressive about fixing problems when they are reported.

    A second motivation, some claim, is to make others empowered so that they can check their own systems that may be different, to see if those problems occur in their different configuration. A third motivation is to make it available for study by researchers or hobbyists.

    And then there are the anarchists who simply wish to cause disruption, those who wish to embarrass or inconvenience particular companies, those who hope that it is used as a background for political activity. And it may be the case that there are some elements who are introducing these to create background noise so that they can use that as a cover for targeted attacks against industry or government.

    Mr. WILSON. And finally, is there a relationship between cyber terrorists and physical attacks? Do any of you have any knowledge of synchronized acts of terrorism? And is there a correlation between these acts?

    Mr. LENTZ. I am not aware of any specific examples that I could cite at this point in time in that regard.

    Mr. SPAFFORD. The potential certainly exists.

    Mr. DACEY. Yeah, I think there is a significant potential for those combined attacks. And in that case, it is possible to either use cyber to do some damage or to use cyber to actually delay or interfere with the response of the appropriate people to that particular physical event.

    Mr. WILSON. And I think you indicated correctly too, that possibly cover prior to or simultaneously as to acts occurring. But thank you all again for being here today. I yield the balance of my time.

    Mr. SAXTON. Professor Spafford, you seem to be quite good at putting technical subjects and language into language that we can understand as laymen. So let me ask you a question that has been talked about by staff here at some length.

    It is our understanding that the official request for comment for the future Internet network layer protocol has proposed some security and quality of service features. Could you give us your perspective on this subject?

    Mr. SPAFFORD. The Internet protocols are constantly evolving. The protocol right now that is at the heart of much of our network communication was written at a time when there were only a few thousand machines on the network. It has served admirably in that regard. But the environment has changed. Now it is a worldwide network with millions of hosts.

    The next evolution of this protocol includes capabilities for making it possible to add security to communications. It is not a requirement. It is simply an addition. There are some extra bits in place. There is some extra capability.

    However, that is not backwards-compatible with existing equipment. And as Mr. Lentz noted that we would have to replace a large number of machines in government use, in commercial use, to take advantage of those capabilities.

    So it is a very valuable step forward. And it probably is not going to be the last protocol that is suggested because as we grow, perhaps we will end up with interplanetary networks that will require yet another addition. That might be nice to think about, perhaps.

    But we have to make sure that all of our underlying software and hardware is compatible with that to take advantage of it. And that is actually the biggest step to move in that direction is all of the legacy hardware that we have out there.

    Mr. SAXTON. Can you comment on Internet Protocol version 6 (IPv6) in terms of quality of service?

    Mr. SPAFFORD. It has extra features to provide some quality of service, to ensure that we have end-to-end Parallel Access Volumes (PAVs) with enough capacity to move messages along, to increase their priority. But that has to be respected at all steps along the way.

    Because of the way we route messages, it is based on good faith of the behavior of the processors along the way. And if we have network nodes that are being operated by individuals who do not wish to adhere to that—it is not a requirement, it is a request—then they are not a firm guarantee. Does that answer your question?

    Mr. SAXTON. Would others like to comment?

    Mr. LENTZ. I guess two points. And Mr. Stenbit, our CIO, you probably are aware, just recently put out a policy regarding IPv6. And I think that was a very visionary step in his direction that recognizes the importance of that protocol.

    And he said by 2008, we are going to be involved in implementing fully that particular protocol. So I think that has put the department on a firm direction in working with industry and the academic community to deal with those issues.

    And clearly, there are a number of information assurance advantages by moving to IPv6.

    Mr. CHARNEY. I can certainly say Microsoft has been supporting IPv6. But as Dr. Spafford notes, because it is essentially changing the language of the Internet, it requires everyone to convert.

    And although in the interim you try and build some backwards compatibility through translation essentially between two languages, that poses its own problems. But we are strongly supportive of it. And as Dr. Spafford noted, when the current Internet protocols were adopted, security was not the primary focus.

    Mr. SAXTON. Thank you very much.

    Mr. Larsen.

    Mr. LARSEN OF WASHINGTON. Thank you, Mr. Chairman.

    I cannot help but think, in listening to the panel today and listening to the discussion about the need to replace legacy systems and upgrade systems to have secure, upgraded systems to help the joint warfighter, to have security investments to prevent any draw down of our ability to protect the DOD IT systems, that the cuts that we authorized in the DOD IT budgets, we could have benefited from this discussion earlier this year. And I would hope that as we move forward into next year, that we remember this panel today as we move forward into the authorizing exercise next year. Because I think it is the security of the DOD systems, to the joint warfighter, to the building itself and to everything that is taking place in the Pentagon building and around the world, we need to keep what we are hearing today in our minds as we move forward on that budget exercise next year.

    I want to ask Mr. Charney a few questions. And this gets into the heterogeneity and homogeneity discussion a little bit.

    Your response was quality assurance (QA). The answer to developing code is to make sure that you have a QA system involved as you are moving through this. But it occurred to me that your response might be more of certainly a private sector response, as opposed to considering the specific needs, say, of a defense system and mission-critical functions. So can you help me out a little bit in thinking through how you develop a quality assurance system that looks specifically for things that an Armed Services Committee or the Pentagon might be looking for? What is in that code to prevent the kinds of problems that would be more detrimental than not for our joint warfighter and our ability to communicate?

    Mr. CHARNEY. Sure. So the Defense Department, in addition to using commercial, off-the-shelf products, also uses proprietary code that they specifically hired to be built. And for the companies that develop code, there are certain things that we found that you need to do to make sure that that code is secure.

    The first thing is you have to give your developers training on writing secure code because most programmers historically have been taught to write functional code. And when Microsoft started training its 8,500 developers in Windows Server 2003, we took our learnings and actually published it in a book. It is publicly available because we want to share those learnings.

    The next thing is someone is going to write the code. And there should always be a quality code review process, where other people review the code of the first programmer. There are a couple of reasons for that. One is the obvious one that you want to look for mistakes and do an extensive code review.

    But not unlike having two tellers count the money at a bank ATM machine, having business controls in place makes it harder for someone to put improper, unauthorized code in the code base.

    The next thing we found was effective is what we call threat modeling, which is where you figure out how someone would attack your code because knowing how the attack may occur gives you an idea of where you need to batten down the hatches and better secure your code.

    And then the third thing in the code assurance area is penetration testing; basically, having people attack your code as if they were hackers. We actually do that on three different levels. Each product group does penetration testing. That is good because they know their product. It is also bad because they know their product. And they may not think outside the box.

    The second thing is when a group responsible for delivering the code is testing the code, if they see a problem, it creates a natural business tension between delivery and non-delivery. So we have a second group of penetration testers who work for me. I am a cost center. I report to the chief technical officer, who reports to Bill Gates.

    And then we have a third, we bring outside pen-testers in from private companies. In addition to all of that security, you also need business controls in place for the code itself. So when developers create code, they need to sign the code, digitally sign it. And it has to basically keep chain of custody over the code in every step from development to production.

    This does a couple of things. One is if there is a problem with the code, you can figure out where the problem was introduced. It creates a general deterrence. It allows the code to be quickly identified if there is a problem. So it is really a question of building good code and then putting business controls over the process so you can ensure its integrity.

    Mr. LARSEN OF WASHINGTON. Did the staff get all that? I think it is important that you run through that because the question I want to ask Mr. Lentz has to do with one of the GAO's conclusions about, a lot of advancements have been accomplished in IA within DOD. But there are still a few gaps, including regular testing, as opposed to some of the pilot testing that is taking place.

    I was wondering, Mr. Lentz, if you used what Charney said as a benchmark, how close are we? And what do you need from us to help you get to implementing the plan that you talked about earlier that you have in place? What do you need from us to help you then moving forward to implement your plan?

    Mr. LENTZ. First of all, I would like to compliment Microsoft for their initiative. I think it is a very solid way to address that particular problem. One of the things that DOD did—and it was started at the national level—is we created a formal process using the international common criteria that has been discussed already in order to test products.

    There is not an IA or IA-enabled product that is going to be installed in the DOD network today that has not gone through that process. And through the certification and accreditation process, if a product is found to not be compliant with that policy, that system will not be certified. So that is our first step in that regard. And it is our most significant step.

    Mr. SAXTON. Mr. Bartlett.

    Mr. BARTLETT. Thank you very much.

    Mr. Chairman, there may be some dispute as to what a large extra atmospheric nuclear detonation would do to our ground-based computers. But I think there is no dispute as to what it would do to the communications satellite. I think it was Mr. Dacey who mentioned how critical they were in our communications.

    It is my understanding that they are the softest link of our communications net, that a large extra-atmospheric nuclear detonation, producing a surge of Compton electrons, would take out all of the satellites that were in line of sight. And those that were not would shortly die because of pumped Van Allen belts. So they would decay very quickly.

    I have only two or three or so hardened satellites, radiation-hardened satellites, the Milstar satellites. They carry a tiny percentage of even our military communications, to say nothing of other communications.

    And by the way, you cannot launch a new satellite if this happens because Van Allen belts are still pumped up, will remain so for a year or so. So to get communications through satellites, you would have to build some radiation-hardened satellites and launch those. And clearly, by that time, the Van Allen belts would have receded and you could now launch conventional satellites.

    And by the way, this could all happen with an "Oops, I am sorry," kind of an event, an accidental launch. And they detonate the missile high in space so that it is not going to hurt anybody on Earth. What would we do if that happened? This is the ultimate in asymmetric terrorist attack, of course.

    Just an "Oops, I am sorry," kind of thing, you know, that was an accident. But now all of our communications satellites are gone and will be gone for probably a year or so.

    What will we do? And is there a COOP plan for that?

    Mr. LENTZ. What I would like to respectfully do is take that question for the record. And we will get back to you on that as soon as possible.

    Mr. BARTLETT. Professor Spafford, you, I noted, reflected an interest in this?

    Mr. SPAFFORD. I am unaware. But I am not privy to the plans that have been made like this. I believe it would certainly be quite disruptive for some time, not only to the military, but certainly to the civilian population. It would be very difficult to recover from.

    Mr. BARTLETT. This is not an impossible event. It is a bit like a fire in your home. That is not very likely to happen. But none of you would sleep very well tonight if you did not have fire insurance on your home.

    I think that having a plan as to what we would do if this happened is pretty much the equivalent of investing a bit in a fire insurance policy for your home. I am not aware that we have any of the equivalent of a fire insurance policy for this.

    Don't you think that we ought to? Because this is not an impossible event at all. I am not sure it is an even unlikely event in today's world.

    Has no one looked at this and been concerned about what would we do? Now there are an increasing number of countries that could do this—North Korea.

    China now has I think 13 Long March missiles, each tipped with a 4.4 megaton weapon, we believe pointed at our 13 largest metropolitan areas in this country. The detonation of just one of those extra-atmospherically, anywhere around the globe, by the way, it really does not matter where it happens, it has exactly the same effect.

    Is anybody looking at the consequences of this and what would we do? If they are not, do you think we ought to?

    Yes, sir?

    Mr. SPAFFORD. Sir, I would just observe that in addition to communications, our GPS systems used in all our smart weapons and other systems would also be affected.

    Mr. BARTLETT. That is all gone, sir, unless they are hardened. And I do not know whether we have hardened any of the GPS assets or not. I doubt it.

    Mr. DACEY. I would just make one side comment. I cannot address your central question. But I can say that we did a report last year, which indicated a need for some further consideration of the reliance upon commercial satellites by the government.

    That does not fix your problem. But at least there were some issues. And one of the issues raised was that they typically are not as hardened as the military satellites.

    But anyway, I can certainly provide you a reference to that report, if you are interested.

    Mr. BARTLETT. As the professor pointed out, not only can you not talk to each other, you do not even know where you are if the GPS is gone. It is a whole new world that we could quickly be thrust into. And I am concerned that apparently there is little thought being given to what we would do in that eventuality.

    Thank you very much, Mr. Chairman.

    Mr. SAXTON. Thank you.

    Mr. Rodriguez.

    Mr. RODRIGUEZ. Thank you very much. Let me start off by just indicating that I am going to ask the chairman. And I know there were some comments initially that there were over 50,000 hits just in the last year.

    Maybe we can have, Mr. Chairman, a closed meeting on maybe the sources and the character and the patterns that we might have. And we have not had one of those for a while. And talk about some of those things.

    In addition to that, I know that there was a little dialogue about the importance of the people that are working. I know and I keep bringing this up. Because we always talk about immigration, you know, but we have been also a brain drain on the rest of the world.

    And out of those 300,000 people that we brought in each year, right prior to 9/11, a large number of them were in computers. And I know that DOD has made a tremendous effort at reaching out to our universities and starting that process.

    But I also know that we are way behind. And I was just wondering, in terms of the fact that I really feel that we need to allocate more resources for the training and so we can grow our own computer people, instead of bringing them from abroad.

    Mr. LENTZ. I cannot agree with you more, that this is a very, very important priority. And funding is always an issue in the education and training area.

    We are getting ready to issue, this September, the first comprehensive information assurance policy directive on education and training and awareness. It is going to lay out specific requirements for the schoolhouses, certification standards, the ways we are going to codify people in particular specialties. We are working with the Under Secretary for Personnel and Readiness to be able to do that in the military services. So we are taking that very seriously.

    And I agree with you 100 percent. It is absolutely vital. And it is the most important goal that we have in our five-point strategy plan.

    Mr. RODRIGUEZ. Thank you. Because I know we have to grow our own. It is okay sometimes to bring them from abroad. But when it comes to the Department of Defense, we have to make sure that we can grow our own.

    So I think that is critical. And if we can have a closed meeting on the discussions, I would be interested to see some of the new occurrences that have been happening. I know one of the patterns that we have had is that every time we had an international incident, the number of hits would jump up from just the regular hackers to some organized efforts. And I know that there have been some worldwide efforts at increasing that.

    And then they are educating themselves. And they are getting tougher and tougher in seeing what we might need to do in order to be able to cope with that.

    So thank you very much, Mr. Chairman.

    Mr. SAXTON. Let me just ask a couple of questions and then if Mr. Larsen has any. We have talked on a couple of occasions today about the possibility of terrorist groups having so-called training camps or whatever to teach people these skills necessary for this.

    And I understand the answers to that. But a related question is, with regard to terrorist groups such as al-Qaeda, do they have the capability or is there any evidence that they have the capability to employ or coordinate cyber attacks?

    Mr. LENTZ. Well, clearly, as I think we have discussed on the panel, the availability of these technologies on the Internet certainly provides them the technology to be able to wage cyber warfare as they so desire. As to the specifics of what they are capable of doing and how they might do that, I prefer to put that on the record and give you a more classified report on that.

    Mr. SAXTON. We will look forward to it. We know they are creative. And we know that we have to be creative to deal with them. And sometimes, some of the things that we find ourselves doing surprise us. General Handy, who is the commander of FORCECOM, was in my office the other day. And I showed him this picture on my wall of two of our special operators in Afghanistan, working with the Mujahideen, the B–52 overhead and regular conventional soldiers marching down the road.

    And he said, ''You know what surprised us the most about Afghanistan was that RC–17s doing air drops were dropping bales of hay and other things that were necessary to keep our soldiers comfortable while they were riding horses.'' And so we go all the way from those kinds of things that we have to creatively figure out, as we deal with terrorists, to the most technically sophisticated things that are involved in cyber attacks and other technical types of attacks that we might face.

    So it is a complicated world. And this is one of the issues that I think is really important for us to look at. And that is why we are having the hearing, thanks to Mr. Larsen.

    Mr. Lentz, what is the department's plan for an integrated response to attacks across multiple networks? Is it possible that an attack could remove the department's ability to coordinate a recovery effort across sites?

    Mr. LENTZ. The third goal of our strategic plan deals with situational awareness and command and control. It is clearly a goal that we are taking very seriously. And we are putting as many resources into it as we can.

    The good news is that with the establishment of strategic command as the focal point for managing computer network defense activities and what I believe is probably the most vivid good example of what has occurred in the past several years, which is the establishment of the Joint Task Force (JTF) for computer network operations, we are able to coordinate across the globe, across each one of our combatant commands, to be able to respond effectively.

    In addition, in my opening remarks, I mentioned we have a very close partnership with our international partners. So that a virus that may strike in Australia, as an example, their command center and their computer emergency response center will notify us immediately upon the indication of that particular event, giving us hours of notice to be able to react, as an example.

    So this is a global activity, from a command and control standpoint. And I think we are doing a good job in that regard.

    Mr. SAXTON. Mr. Dacey, do you want to comment?

    Mr. DACEY. We did work on the JTF and the incident reporting capabilities and handling capabilities back in 2001. But we really have not done any work since then. So I do not really have any comments on the current state of efforts. I do know we made several recommendations. And the department has implemented or is in the process of implementing most of those.

    Mr. SAXTON. Okay. Thank you.

    Mr. Larsen.

    Mr. LARSEN OF WASHINGTON. Mr. Chairman, I have no more questions for this setting. I want to really thank you for taking the leadership in calling this hearing today.

    And I want to second what Mr. Rodriguez said about perhaps a follow up hearing in a classified setting. Because I do have some additional questions, which I suspect I will get an answer that will be along the lines of, ''Perhaps those are better for another setting.''

    But I think it is going to be important to have a follow up to get at some of those questions. And so with that, I again want to thank you and thank the panel for making their time available and answering the questions of the committee.

    Mr. SAXTON. Thank you.

    Mr. Bartlett has one final——

    Mr. BARTLETT. Thank you, Mr. Chairman. I too would like to thank you for a very important and timely hearing.

    Gentlemen, I have had a concern—I hope a concern I need not have—that there could be a virus or a worm that lay there dormant until there was a surge in activity, such as would occur during an emergency. It would then become active and we could then be denied our assets just when we needed them most.

    Can our security systems detect a dormant virus or a worm? Or do they have to be squirming before we can see them?

    Mr. CHARNEY. There are virus checkers, of course. And if the worm is a known worm and usually most——

    Mr. BARTLETT. But suppose, sir, that they are there and doing absolutely nothing. They are just totally dormant, waiting for a surge in activity.

    And they are queued to become active as the surge in activity, which would occur during an emergency. Then they would become active and deny us our assets when we needed them most.

    Do our security systems have the capability of detecting a virus or a worm that is doing nothing?

    Mr. CHARNEY. Yes. If it is a known worm for which we have a signature or virus——

    Mr. BARTLETT. But if it is not a known worm for which we have a signature or virus. It is a new one that they plant in there and it will stay there quietly, awaiting a surge in activity, at which time it will become active. Can we or can we not detect that?

    Mr. CHARNEY. There are some techniques to detect it. But I would not say that there are 100 percent certain techniques.

    We have seen cases when I was in the Justice Department of time bombs in systems, things that were set to go off at a certain date and time. But there have been very, very few cases of what we call zero-day vulnerabilities, where something happens in terms of an exploit, that no researcher or the community was completely unaware of.

    Usually, there is prior awareness. Most exploits happen after the vulnerability has been widely reported.

    And anti-virus vendors constantly update their signature files. The key is that when the vendors put out these updated signature files, it is incumbent upon users at all levels to make sure they download the most current files and run them against their machines.

    Is it possible that there would be a time bomb of unknown proportion that activates? Yes, it is possible.

    Mr. BARTLETT. Dr. Spafford.

    Mr. SPAFFORD. Yes, there are two ways that this could occur. One would be something external to the installed system, a traditional kind of virus or worm that has been inserted on to the system through the network, for instance, that would then lie dormant.

    There are techniques to find that: system configuration scanning tools, things that know what the system should look like and then compare to see if there has been any change. It would be found on some machines, eventually reported into the signature files, as Mr. Charney was speaking about. And then we would find that that was there.

    The insider problem, however, the one that I referred to earlier, there could be code that has been added to software that is supposed to be on the system that we do not know is there. And that could be what is awaiting a trigger.

    We do not have any kind of mechanism to look for that. We have to depend on whoever has produced the software to have done a good job of quality assurance. And we also have to depend on the contractors and the people who have installed it and operated it not to have manipulated it. I would say, for that case, we really do not have the guarantees in place that you would like to have.

    Mr. BARTLETT. Thank you. Thank you very much. And thank you, Mr. Chairman.

    Mr. SAXTON. Thank you, Mr. Bartlett, for your questions. Let me just ask one final question, kind of a general kind of a thing. The Congress of the United States would like nothing better than to say that we have done a good job in this area. And we have had a couple of hours worth of conversation here today about a variety of subjects.

    Have we missed anything? Is there something that Congress should be doing that you are aware of that we are not? Do you have any suggestions for us?

    Mr. SPAFFORD. I made several suggestions in my written testimony. And rather than reiterate those here, they are on the record.

    I believe there are some things we could do better. I am pleased, however, at the efforts that have been represented by industry and by the government.

    We have made great progress in the last few years. But there is a great more that we can do yet.

    Mr. DACEY. I would just like to say that I think holding oversight hearings like this is very important. And one of the key issues with issuing FISMA was that the agencies, including the Department of Defense, would be providing annual—and now they are going to some quarterly reporting on certain information—about information security.

    So I think that will provide an opportunity. It was meant to provide an opportunity, I believe, for congressional oversight.

    And those reports are due out in September for the first year of the FISMA implementation. And those will provide a gauge and comparative information from year to year on progress that is being made.

    Mr. LENTZ. Yes, sir. I would like to concur with what Mr. Dacey says completely. The fact that we are having these types of hearings, I think awareness is the number one, I think, advantage that we have. Making everybody understand what the problems and challenges are is, I think, the key element of this.

    As I mentioned in my opening remarks and Mr. Larsen echoed that, we are very dependent upon IT modernization for our ability to be able to protect the network. It is the foundation, the bedrock, for our success.

    And I think having hearings like this, I think, will give us a chance to be able to emphasize that. And I think the closed door session will also provide further insight into that.

    Thank you.

    Mr. CHARNEY. And I too had recommendations in my testimony. So——

    Mr. SAXTON. Well, thank you very much. Unless there are other questions, we will thank you for being here today. And your input has been extremely valuable.

    And I would also like to thank Mr. Meehan and Mr. Larsen and Mr. Bartlett and Mr. Wilson and the other members that took place, and the staff, who worked so hard to bring this all together.

    Thank you very much. I believe it has been insightful. And unless there is something further, the subcommittee stands in recess. And we will hopefully see you all again sometime soon.

    Thank you.

    [Whereupon, at 11:52 p.m., the subcommittee was adjourned.]