[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
ENHANCING AND IMPLEMENTING THE
CYBERSECURITY ELEMENTS OF THE
SECTOR-SPECIFIC PLANS
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON EMERGING
THREATS, CYBERSECURITY AND
SCIENCE AND TECHNOLOGY
joint with the
SUBCOMMITTEE ON TRANSPORTATION
SECURITY AND INFRASTRUCTURE
PROTECTION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
__________
OCTOBER 31, 2007
__________
Serial No. 110-82
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
__________
COMMITTEE ON HOMELAND SECURITY
U.S. GOVERNMENT PRINTING OFFICE
48-977 WASHINGTON : 2009
-----------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092104 Mail: Stop IDCC, Washington, DC 20402�0900012009
BENNIE G. THOMPSON, Mississippi, Chairman
LORETTA SANCHEZ, California, PETER T. KING, New York
EDWARD J. MARKEY, Massachusetts LAMAR SMITH, Texas
NORMAN D. DICKS, Washington CHRISTOPHER SHAYS, Connecticut
JANE HARMAN, California MARK E. SOUDER, Indiana
PETER A. DeFAZIO, Oregon TOM DAVIS, Virginia
NITA M. LOWEY, New York DANIEL E. LUNGREN, California
ELEANOR HOLMES NORTON, District of MIKE ROGERS, Alabama
Columbia BOBBY JINDAL, Louisiana
ZOE LOFGREN, California DAVID G. REICHERT, Washington
SHEILA JACKSON LEE, Texas MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin CHARLES W. DENT, Pennsylvania
Islands GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina MARSHA BLACKBURN, Tennessee
JAMES R. LANGEVIN, Rhode Island GUS M. BILIRAKIS, Florida
HENRY CUELLAR, Texas DAVID DAVIS, Tennessee
CHRISTOPHER P. CARNEY, Pennsylvania
YVETTE D. CLARKE, New York
AL GREEN, Texas
ED PERLMUTTER, Colorado
VACANCY
Jessica Herrara-Flanigan, Staff Director & General Counsel
Rosaline Cohen, Chief Counsel
Michael Twinchek, Chief Clerk
Robert O'Connor, Minority Staff Director
------
SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND
TECHNOLOGY
JAMES R. LANGEVIN, Rhode Island, Chairman
ZOE LOFGREN, California MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin DANIEL E. LUNGREN, California
Islands GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina MARSHA BLACKBURN, Tennessee
AL GREEN, Texas PETER T. KING, New York (Ex
VACANCY Officio)
BENNIE G. THOMPSON, Mississippi (Ex
Officio)
Jacob Olcott, Director & Counsel
Dr. Chris Beck, Senior Advisor for Science & Technology
Carla Zamudio-Dolan, Clerk
Dr. Diane Berry, Minority Senior Professional Staff Member
?
SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION
SHEILA JACKSON LEE, Texas, DANIEL E. LUNGREN, California
Chairwoman GINNY BROWN-WAITE, Florida
EDWARD J. MARKEY, Massachusetts MARSHA BLACKBURN, Tennessee
PETER A. DeFAZIO, Oregon GUS M. BILIRAKIS, Florida
ELEANOR HOLMES NORTON, District of PETER T. KING, New York (Ex
Columbia Officio)
YVETTE D. CLARKE, New York
ED PERLMUTTER, Colorado
BENNIE G. THOMPSON, Mississippi (Ex
Officio)
Mathew Washington, Director
Erin Daste, Counsel
Natalie Nixon, Deputy Chief Clerk
Coley O'Brien, Minority Senior
Counsel
(iii)
C O N T E N T S
----------
Page
STATEMENTS
The Honorable James R. Langevin, a Representative in Congress
From the State of Rhode Island, Chairman, Subcommittee on
Emerging Threats, Cybersecurity, and Science:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, Ranking Member, Subcommittee on
Emerging Threats, Cybersecurity, and Science................... 5
The Honorable Sheila Jackson-Lee, a Representative in Congress
From the State of Texas, and Chairwoman, Subcommittee on
Transportation Security and Infrastructure Protection:
Oral Statement................................................. 6
Prepared Statement............................................. 8
The Honorable Daniel E. Lungren, a Representative in Congress
From the State of California, and Ranking Member, Subcommittee
on Transportation Security and Infrastructure Protection....... 9
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York.......................................... 48
The Honorable Bill Pascrell, Jr., a Representative in Congress
From the State of New Jersey................................... 40
Witnesses
Panel I
Mr. Greg Garcia, Assistant Secretary, Office of Cyber Security
and Telecommunication, Department of Homeland Security:
Oral Statement................................................. 10
Prepared Statement............................................. 12
Mr. George Hender, Banking/Financial Sector Coordinating Council,
Management Vice Chairman, Options Clearing Corporation:
Oral Statement................................................. 26
Prepared Statement............................................. 28
Mr. J. Michael Hickey, Chairman, Telecommunications Sector
Coordinating Council, Vice President, Government Affairs-
National Security Policy, Verizon:
Oral Statement................................................. 18
Prepared Statement............................................. 20
Mr. David Powner, Director, Information Technology Management
Issues, Government Accountability Office....................... 16
Panel II
Mr. Larry Clinton, President and CEO, Internet Security Alliance:
Oral Statement................................................. 75
Prepared Statement............................................. 77
Dr. Lawrence A. Gordon, Ernst & Young Alumni Professor,
Managerial Accounting and Information Assurance, Robert H.
Smith School of Business, University of Maryland:
Oral Statement................................................. 81
Prepared Statement............................................. 84
Ms. Sally Katzen, Visiting Professor of Law, George Mason
University School of Law:
Oral Statement................................................. 52
Prepared Statement............................................. 54
For the Record
Dr. Michael O'Hanlon, Senior Fellow, Brookings Institution:
Prepared Statement............................................. 100
Mr. David Powner, Director, Information Technology Management
Issues, Government Accountability Office:
Prepared Statement............................................. 115
Appendixes
Appendix I: Cyber Security Criteria............................. 125
Appendix II: Thirteen DHS Cyber Security Responsibilities....... 126
ENHANCING AND IMPLEMENTING THE CYBERSECURITY ELEMENTS OF THE SECTOR-
SPECIFIC PLANS
----------
Wednesday, October 31, 2007
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Emerging Threats, Cybersecurity,
and Science and Technology,
joint with the
Subcommittee on Transportation Security and Infrastructure
Protection,
Washington, DC.
The subcommittee met, pursuant to call, at 3:45 p.m., in
Room 311, Cannon House Office Building, Hon. James R. Langevin
[chairman of the Emerging Threats, Cybersecurity, and Science
and Technology Subcommittee], presiding.
Present: Representatives Langevin, Etheridge, Pascrell,
Jackson Lee, Clarke, McCaul, and Lungren.
Mr. Langevin. The Subcommittee on Emerging Threats,
Cybersecurity, and Science and Technology, and the Subcommittee
on Transportation Security and Infrastructure Protection will
now come to order.
The subcommittees today are meeting to receive testimony on
enhancing and implementing the cybersecurity elements of the
sector-specific plans. I will begin by recognizing myself for
the purpose of an opening statement.
Good afternoon. Over the past few months, the Subcommittee
on Emerging Threats, Cybersecurity, and Science and Technology
has held numerous hearings to assess how far-reaching our
cybersecurity vulnerabilities are and how best to address them.
Today, we will be focusing on the extent to which cybersecurity
has been implemented as part of our 17 different sector-
specific plans.
We are joined today by the Transportation Security and
Infrastructure Protection Subcommittee led by Chairwoman Sheila
Jackson Lee of Texas and Ranking Member Lungren. Though this is
our first joint hearing on the subject, I very much look
forward to working with the chairwoman and ranking member,
along with my ranking member on the subcommittee on these
issues of the 110th Congress as it continues.
Although critical infrastructure protection is usually
associated with physical protection of facilities, there is a
growing realization that cybersecurity must receive equal
attention. This holds true especially since the Nation's
critical infrastructure relies extensively on computerized
information systems and electronic data.
As we learned 2 weeks ago in a hearing on control systems
and the electricity grid, many elements of our Nation's
critical infrastructure are vulnerable to cyber attack in part
because the computers are connected to the Internet. A cyber
attack against a portion of our critical infrastructure could
have devastating consequences that could cascade across the
country.
Similarly, an attack on our control systems could cause
serious physical harm, for example, through the introduction of
raw sewage into drinking water systems or through the
catastrophic failure of critical electrical generators.
One of the most important ways we can secure our
infrastructure is through the implementation of the sector-
specific plans. These 17 plans, one for each critical
infrastructure sector in the U.S., are supposed to describe how
each sector will identify, prioritize, and protect their
physical and cyber assets. These plans are based on the high
level of Federal guidance in the National Infrastructure
Protection Plan, or NIPP, released by DHS in 2006. The NIPP is
the roadmap for the sectors to follow when developing their
sector-specific plans.
The completion of the sector-specific plans will allow DHS
to write a national annual report on critical infrastructure
protection which is designed to give us a general assessment of
the security of our infrastructure. This firsthand report is
scheduled to be released next week. Today, we will focus
specifically on the cyber aspects of these plans.
I have two significant concerns about the efforts of the
Department of Homeland Security in this area. First, according
to the Government Accountability Office report, released today,
many of the 17 plans are incomplete when it comes to
cybersecurity. The GAO rated these 17 sector-specific plans
according to three categories--either fully addressed,
partially addressed, or not addressed at all--and found that
none of the plans fully addressed all 30 cybersecurity
criteria. GAO reports many plans have no way of identifying the
consequences of a cyber attack or reporting metrics of progress
in implementing the plans to DHS. GAO concluded that without
comprehensive plans, certain sectors could be ill prepared to
respond to a cyber attack.
Now, the plans are supposed to be the easier part of this
process, but if we are struggling just to get the plans right,
we are going to have an even tougher time achieving true
security. Our main goal, of course, is actually protecting our
critical infrastructure or at least making it resilient to
attack; that should be the primary focus of our efforts. But as
the first step, DHS must improve the current state of the cyber
elements of the sector-specific plans. What we have now is
simply unacceptable.
My second concern is with the implementation of the plan.
Today's sector witnesses will describe the varying degrees to
which they have begun translating their plans into actual
improvements. It should be noted, of course, that the sector-
specific plans were officially released in May 2007, so there
has not been a great deal of time for action. While sectors
have started implementing their plans, much work clearly
remains to be done.
Under the Department's current public-private partnership
approach, I don't believe the Federal Government can adequately
ensure the security of our critical infrastructure. Thus far,
DHS has adopted a laissez-faire approach, it seems, towards
critical infrastructure owners and operators. The sector-
specific plan process is entirely voluntary and there are no
regulatory requirements attached to it.
Many would argue, however, that protecting critical
infrastructure is an issue of national security, a core
constitutional responsibility of the Federal Government. Under
this viewpoint, laissez-faire is arguably not the appropriate
model.
This observation is not intended to be an argument for more
regulation or a criticism of our private sector partners. In a
perfect world, we either wouldn't have to worry about security
or would have an unlimited amount of money to spend on it, but
this is clearly not a perfect world.
The Federal Government and the American people want to
ensure that there is a high level of cybersecurity protections
on our critical infrastructure. But, as Dr. Gordon notes in his
testimony, private sector owners and operators have a hard time
making the business case for increased cybersecurity
investments.
Recognizing there may, in fact, be a market failure when it
comes to private sector cybersecurity, I have asked the second
panel of witnesses to discuss ways to incentivize owners and
operators of critical infrastructure to better protect their
systems. Some believe that with the proper incentives, the
private sector can respond faster and more efficiently to
future threats. Clearly, without appropriate consideration of
all available public policy tools, the private sector's
participation in critical infrastructure efforts may not reach
its full potential, but I do think we need to look at a broad
range of options in this area.
I have great apprehension, though, about the current
framework DHS is creating with the sector-specific plans as
they relate to cybersecurity. But I am hopeful that today's
discussion will be a valuable tool in trying to strike the
right balance that will ensure a high level of security with a
low level of government involvement.
Mr. Langevin. That concludes my opening statement, and the
Chair now recognizes the ranking member of the subcommittee,
the gentleman from Texas, Mr. McCaul, for an opening statement.
Prepared Statement of the Honorable James R. Langevin, Chairman,
Subcommittee on Emerging Threats, Cybersecurity, and Science
Good afternoon. Over the past few months, the Subcommittee on
Emerging Threats, Cybersecurity and Science and Technology has held
numerous hearings to assess how far reaching our cybersecurity
vulnerabilities are and how best to address them. Today we will be
focusing on the extent to which cybersecurity has been implemented as
part of our 17 different Sector Specific Plans. We are joined today by
the Transportation Security and Infrastructure Protection Subcommittee,
led by Chairwoman Jackson-Lee and Ranking Member Lungren. Though this
is our first joint hearing on the subject, I very much look forward to
working with the Chairwoman and Ranking Member on these issues as the
110th Congress continues.
Although critical infrastructure protection is usually associated
with physical protection of facilities, there is a growing realization
that cybersecurity must receive equal attention. This holds true
especially since the nation's critical infrastructure relies
extensively on computerized information systems and electronic data. As
we learned two weeks ago in a hearing on control systems and the
electricity grid, many elements of our nation's critical infrastructure
are vulnerable to cyber attack in part because their computers are
connected to the Internet. A cyber attack against a portion of our
critical infrastructure could have devastating consequences that
cascade across the country. Similarly, an attack on our control systems
could cause serious physical harm, for example through the introduction
of raw sewage into drinking water systems or through the catastrophic
failure of critical electrical generators.
One of the most important ways we can secure our infrastructure is
through the implementation of the Sector Specific Plans. These 17
plans----one for each critical infrastructure sector in the U.S.--are
supposed to describe how each sector will identify, prioritize, and
protect their physical and cyber assets. These Plans are based on the
high level Federal guidance in the National Infrastructure Protection
Plan--or NIPP--released by DHS in 2006. The NIPP is the road map for
the sectors to follow when developing their Sector Specific Plans. The
completion of the Sector Specific Plans will allow DHS to write a
National Annual Report on Critical Infrastructure Protection, which is
designed to give us a general assessment of the security of our
infrastructure. The first annual report is scheduled to be released
next week.
Today we will focus specifically on the cyber aspects of these
plans. I have two significant concerns about the efforts of the
Department of Homeland Security._First, according to the Government
Accountability Office report released today, many of the 17 plans are
incomplete when it comes to cybersecurity. The GAO rated the 17 Sector
Specific Plans according to three categories: fully addressed,
partially addressed, or not addressed, and found that none of the plans
fully addressed all 30 cybersecurity criteria_GAO reports that many
plans have no way of identifying the consequences of a cyber attack or
reporting metrics of progress in implementing the plans to DHS. GAO
concluded that without comprehensive plans, certain sectors could be
ill prepared to properly respond to a cyber attack.
Now, the plans are supposed to be the easier part of this process.
But if we're struggling just to get the plans right, we're going to
have an even tougher time achieving true security. Our main goal, of
course, it actually protecting our critical infrastructure, or at least
making it resilient to attack. That should be the primary focus of our
efforts, but, as a first step, DHS must improve the current state of
the cyber elements of the sector specific plans. what we have now is
simply unacceptable. My second concern is with the implementation of
the plans. Today's sector witnesses will describe the varying degrees
to which they have begun translating their plans into actual
improvements. It should be noted that the sector plans were officially
released in May 2007, so there has not been great deal of time for
action. While many sectors have started implementing their plans, much
work remains to be done. Under the Department's current public/private
partnership approach, I do not believe the Federal government can
adequately ensure the security of our critical infrastructure.
Thus far, DHS has adopted a laissez-faire approach toward critical
infrastructure owners and operators. The Sector specific Plan process
is entirely voluntary, and there are no regulatory requirements
attached to it. Many would argue, however, that protecting critical
infrastructure is an issue of national security, a core constitutional
responsibility of the Federal government. Under this viewpoint,
laissez-faire is arguably not the appropriate model. This observation
is not intended to be an argument for more regulation or a criticism of
our private sector partners. In a perfect world, we either wouldn't
have to worry about security or would have an unlimited amount of money
to spend on it. But this is clearly not a perfect world.
The Federal government and the American people want to ensure there
is a high level of cybersecurity protections on our critical
infrastructure, but, as Dr. Gordon notes in this testimony, private
sector owners and operators have a hard time ``making the business
case'' for increased cybersecurity investments. Recognizing that there
may in fact be a market failure when it comes to private sector
cybersecurity, I've asked the second panel witnesses to discuss ways to
incentivize owners and operators of critical infrastructure to better
protect their systems. Some believe that with the proper incentives,
the private sector can respond faster and more efficiently to future
threats. Clearly, without appropriate consideration of all available
public policy tools, the private sector's participation in critical
infrastructure protection efforts may not reach its full potential.
I have great apprehension about the current framework DHS is
creating with the sector specific plans as they relate to
cybersecurity. But I am hopeful that today's discussion will be a
valuable tool in trying to strike the right balance that will ensure a
high level of security with a low level of government involvement.
Mr. McCaul. I thank the chairman, and Chairwoman Jackson
Lee and Ranking Member Lungren.
Let me first say how honored I was yesterday to announce
with you the creation of a commission to study this issue of
cybersecurity, which has the top and brightest minds in the
country on cybersecurity participating. It will be chaired by
Admiral Inman, who is a former Director of NSA, Deputy Director
of CIA, a good friend of mine, one of the brightest individuals
I think I have ever met; and Scott Charney, who I had the
opportunity to work with at the Department of Justice, who
headed up the Computer Crime and Intellectual Property section.
I look forward to working with you in a bipartisan way. It
is actually a nonpartisan commission that will provide
recommendations for the next administration and the Congress on
this very important issue.
This hearing today will bring attention to the importance
of protecting the Nation's critical information technology
infrastructure. In response to the President's seventh Homeland
Security Directive, the Department of Homeland Security has
developed the National Infrastructure Protection Plan. It is
designed to provide a coordinated approach to establish
national priorities, goals, and requirements for all 17 sectors
of our economy that own and operate critical infrastructures
across the country.
Since every sector depends to a certain extent on IT
systems and networks, it is very important that each sector's
plan includes its approach to securing its information
infrastructure. The sector-specific plans have undergone what
some might call a tortuous evolution. Even so, it is important
to realize that these plans are one piece of developing a
common framework across the 17 diverse sectors.
What this subcommittee has discovered in its hearings is
that each of the 17 sectors is dependent upon information
infrastructure in one way or another. Some are more dependent
upon it than others, but each sector could be vulnerable to
cyber threats and cyber attacks if appropriate steps are
ignored. For example, a hacker could infiltrate the billing
system of a hospital or retail store or affect credit numbers
or health information for a vast number of individuals. This
would inject the financial and/or health care system with
uncertainty.
Similarly, we learned earlier this month that industrial
control systems could cause very real physical damage if not
properly secured.
We need to make sure that all the sectors are aware of
their inherent interdependencies, and also that all sectors
have critical information infrastructure, even if they don't
think they do, that needs to be evaluated and appropriately
secured. The sector-specific plans are the first step in
securing this country's critical infrastructure.
Again, Chairman Langevin and I--I was pleased to announce
yesterday that we are participating in a commission to develop
recommendations on cyber and information security policy for
the next President. It is important to evaluate the actions of
the current administration, build upon its successes, and
incorporate its lessons learned as we move forward to improve
our Nation's overall cybersecurity.
With that, Mr. Chairman, I yield back.
Mr. Langevin. I thank the gentleman.
And the Chair now recognizes the chairwoman of the
Subcommittee on Transportation Security and Infrastructure
Protection, the gentlelady from Texas, Ms. Sheila Jackson Lee,
for an opening statement. And let me just again, as I mentioned
in private to the chairwoman, say how grateful I am that we are
doing this joint hearing and how much I certainly look forward
to working with you, Madam Chair, as we go forward.
Ms. Jackson Lee. Thank you very much, Mr. Chairman. And let
me offer my equal appreciation of the opportunity to continue a
topic that my committee, Transportation Security and
Infrastructure Protection, along with the ranking member of
that subcommittee, has continued to have a keen eye.
And as I do so, might I just acknowledge the existence of
the National Infrastructure Protection Plan. In meeting with a
number of those from the private sector, we know that the work
that we are doing today, the work that you have done, is
extremely important and is an urgent topic of the private
sector's participation in protecting our country's critical
infrastructure.
So, again, I am grateful to Chairman Langevin for inviting
the Subcommittee on Transportation Security and Infrastructure
Protection to participate in this hearing; and I look forward
to our future collaboration where our issues of concern
interact.
Today's hearing regards the implementation or existence of
the cybersecurity elements of the 17 sector-specific plans,
SSPs, under the National Infrastructure Protection Plan.
Ranking Member Lungren and myself take particular interest in
this topic as DHS protection falls under our subcommittee's
jurisdiction. We have been and continue to be very vigilant
about the Department's protection of our Nation's critical
infrastructure, beyond cybersecurity to also address physical
and human considerations. Thanks again to Chairman Langevin,
however, we will learn today about how the Department is
protecting critical infrastructure from a cybersecurity
perspective, and I look forward to seeing how the lessons
learned today apply to other critical infrastructure protection
programs. Thus far, I have been disappointed with DHS SSP
efforts, but I look forward to learning more today and
continuing the journey so that we can work together public and
private sector.
SSP is a massive and unprecedented undertaking. According
to the Homeland Security Act of 2002, critical infrastructure
includes systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or destruction
of such systems and assets would have a debilitating impact on
security, national economic security, national public health or
safety, or any combination of these matters. Based upon this
definition, critical infrastructure is not just bridges and
water utilities, but also financial centers and transactions.
It is therefore clear that when such a vast and important
mission is combined with a young agency, it is incumbent upon
it and its oversight committee to have frank and honest
discussions about the efficacy of our SSP efforts.
Protecting our systems and assets from natural and human-
made disasters is exclamated by the fact that approximately 85
percent of the country's critical infrastructure is owned and
operated by the private sector. Furthermore, this
administration did not encourage the government to regulate the
private sector owners and operators, and for them, instead--to
protect their critical infrastructure, but instead it
encouraged voluntary partnerships.
I raised the question earlier this morning about whether or
not there needs to be regulation or should we continue in the
voluntary effort. How well the Department manages this
voluntary relationship with the private sector to protect our
critical infrastructure is and will continue to be a major
priority for our committee and my subcommittee specifically.
Recently, Chairman Thompson and I directed committee staff
to investigate the implementation of the NIPP and SSPs to learn
whether they are motivating private industry to protect our
critical infrastructure. Because such a large task is based
upon a voluntary partnership, we need to give great attention
to whether actions are indeed being taken. That will be the
focus of my attention at today's hearings.
And might I also say that I believe there is a great
interest in the private sector to be engaged. They know that
they have a large share of the private infrastructure or the
infrastructure of this Nation. Then, what is the vehicle, what
is the formula, what is the structure that should be utilized
to engage the private sector and to make this work?
After all, we are responsible for securing America
collectively, and this committee, the full committee, knows
full well the question will be asked, maybe only of this
committee, if the possibility occurs of a terrorist act in this
Nation.
The release of the NIPP and SSPs was delayed significantly.
Unfortunately, the threat to our critical infrastructure was
not simultaneously delayed. As a result, we have to quickly
determine whether these plans are being implemented by owners
and operators to better protect our critical infrastructure.
It is not enough to create large, nearly unreadable
documents and to discuss processes. Instead, we must focus on
implementation and execution. For instance, we must have
effective and efficient communication between private sector
owners and operators of critical infrastructure at all levels
of government.
On September 26, Chairman Thompson and I sent a letter to
Assistant Secretary Stephan and Director Caboli about the
implementation of the SSPs and the standards of the national
annual report that is supposed to describe the implementation
of protection efforts. Based upon the Department's responses,
we are quite concerned about whether verifiable action is being
taken by the private sector.
I am not here to reprimand the private sector or to
officially call for its regulation; but as I indicated, can we
collaborate and can we work together? Because of the mission,
however, I believe that all options should be on the table, and
I believe that we need to give these partnerships a chance. We
need to know whether the Department is executing them
effectively; and what can we do to help make them work better?
I believe the owners and operators of these assets will in
most cases act without regulation if an effective case for
action is made and there is adequate and necessary follow-
through by the Department, oversight, and the opportunity to
share how we can do better.
I want to learn from our witnesses, from the private sector
how the Department can be more effective in encouraging this
necessary and urgent activity.
It is now time for an open and honest conversation about
protecting our critical infrastructure. We are done with
documents and verbiage; it is time for action. It is time for
us to learn about the tools that you need and how this Congress
can be helpful.
We may not need a regulatory hammer, but we certainly need
a national discussion about civic and corporate responsibility
and cooperation.
I believe, Chairman Langevin, that today's hearing is the
beginning of establishing that cooperation and dialogue on
behalf of the American people. I thank you.
Mr. Langevin. I thank the gentlelady for her comments, and
particularly the sentiment of our cooperation, I know that will
continue, and I look forward to that.
[The statement of Ms. Jackson Lee follows:]
Prepared Statement of the Honorable Sheila Jackson Lee, Chairwoman,
Subcommittee on Transportation Security and Infrastructure Protection
I would like to take this opportunity to thank all of you for
joining us this afternoon to discuss the urgent topic of private sector
participation in protecting our country's critical infrastructure. I am
particularly grateful to Chairman Langevin for inviting the
Subcommittee on Transportation Security and Infrastructure Protection
to participate in this hearing, and I look forward to future
collaboration where our issues of concern intersect.
Today's hearing regards the implementation--or existence--of the
cyber security elements of the 17 Sector Specific Plans (SSPs) under
the National Infrastructure Protection Plan (NIPP). Ranking Member
Lungren and I take particular interest in this topic as DHS'
infrastructure protection efforts fall under our subcommittee's
jurisdiction. We have been--and continue to be--very vigilant about the
Department's protection of our nation's critical infrastructure beyond
cyber security, to also address physical and human considerations.
Thanks to Chairman Langevin, however, we will learn today about how
the Department is protecting critical infrastructure from a
cybersecurity perspective, and I look forward to seeing how the lessons
learned today apply to other critical infrastructure protection (CIP)
programs. Thus far, I have not been very impressed with DHS' CIP
efforts.
CIP is a massive and unprecedented undertaking. According to the
Homeland Security Act of 2002, ``critical infrastructure'' includes
``systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on security, national economic
security, nation public health or safety any combination of these
matters,'' Based upon this definition, ``critical infrastructure'' is
not just bridges and water utilities, but also financial centers and
transactions. It is, therefore, clear that when such a vast and
important mission is combined with a young agency, it is incumbent upon
it and its oversight committee to have frank and honest discussions
about the efficacy of our CIP efforts.
Protecting theses systems and assets from natural--and human-made
disasters is exacerbated by the fact that approximately 85 percent of
the country's critical infrastructure is owned and operated by the
private sector. Furthermore, this Administration did not encourage the
government to regulate and mandate private sector owners and operators
protect their critical infrastructure but, instead, it encouraged
voluntary partnerships. How well the Department manages this voluntary
relationship with the private sector to protect our critical
infrastructure is--and will continue to be--a major priority for our
Committee, and my subcommittee specifically.
Recently, Chairman Thompson and I directed Committee staff to
investigate the implementation of the NIPP and SSPs to learn whether
they are motivating private industry to protect our critical
infrastructure. Because such a large task is based upon a voluntary
partnership, we need to give great attention to whether actions are,
indeed, being taken. That will be the focus of my attention at today''s
hearing.
The release of the NIPP and the SSPs was delayed significantly.
Unfortunately, the threat to our critical infrastructure was not
simultaneously delayed. As a result, we have to quickly determine
whether these plans are being implemented by owners and operators to
better protect our critical infrastructure. It is not enough to create
large, nearly unreadable documents and to discuss processes; instead,
we must focus on implementation and execution. For instance, we must
have effective and efficient communication between private sector
owners and operators of critical infrastructure and all levels of
government.
On September 26, 2007, Chairman Thompson and I sent a letter to
Assistant Secretary Stephan and Director Caverly about the
implementation of the SSPs and the status of the National Annual Report
that is supposed to describe the implementation of protection efforts.
Based upon the Department's responses, we are quite concerned about
whether verifiable action is being taken by the private sector.
I am not here to reprimand the private sector or to viscerally call
for its regulation. Because of the mission, however, I believe that all
options should be on the table. I believe that we need to give these
partnerships a chance. We need to know whether the Department is
executing them effectively. I believe the owners and operators of these
assets will, in most cases, act without regulation if an effective case
for action is made and there is adequate and necessary follow through
by the Department. I want to learn from our witnesses from the private
sector how the Department can be more effective in encouraging this
necessary--and urgent--activity.
It is now time for an open and honest conversation about protecting
our critical infrastructure. We are done with documents and verbiage.
It is time for action. It is time for us to learn about the tools you
need and how this Congress can help. We may not need a regulatory
hammer, but we certaintly need a national discussion about civic and
corporate responsibility. Perhaps today's hearing begins that
conversation and will lead to concrete steps that will make america
truly safer.
Mr. Langevin. The Chair now recognizes the ranking member
of the subcommittee, the gentleman from California, Mr.
Lungren, for the purpose of an opening statement. And,
likewise, I look forward to working with the gentleman from
California.
Mr. Lungren. Thank you very much, Mr. Chairman. And I thank
the gentlelady and I thank the gentleman from Texas, Mr.
McCaul.
First of all, let me say that I believe that the Department
of Homeland Security did a good job in putting together the
sector-specific plans and coming up with the National
Infrastructure Protection Plan under the direction of Colonel
Stephan. I know, when he first came in, he was dissatisfied
with what was then in the works, and asked us for extra time to
make sure that we could put a good product together. And I
think the Department has; I congratulate you on that. Frankly,
it is a good piece of work.
I am, as my colleagues are, dismayed by the recent GAO
review which did find that most of the sectors lacked a process
for identifying the consequences of cyber attacks against their
assets. That is probably not surprising, because most Americans
and most in Congress look at guns, gates, and guards as the
traditional means of protecting our critical infrastructure;
and it is only after stepping back a ways that we realize the
importance of the cyber world in all of this.
It is my feeling that a public-private partnership is
absolutely essential, not just because 85, 86, 87, whatever
percentage you want to say of our critical infrastructure is
privately owned and operated; but the agility with which the
private sector is able to adapt in the area of technology is at
least the equal of those of us in government. We would do
ourselves a disservice if we in any way followed procedures on
the bureaucratic side or the regulatory side which denied us
that agility, that creativity, and that ingenuity in responding
to what are threats that change, not yearly, not monthly, not
weekly, not daily, but, frankly, minute by minute.
So I am very interested in the testimony we will receive
today from both the public and the private sectors. But I hope
that we will find a way to reach that balance that is necessary
between government regulation and private ingenuity and
effectiveness.
Thank you very much, Mr. Chairman.
Mr. Langevin. I thank the gentleman for his opening
statement.
Mr. Langevin. Other members of the subcommittee are
reminded that under the committee rules, opening statements may
be submitted for the record.
I now welcome our first panel of witnesses. I want to begin
by thanking the panel for their patience and willingness to
stick around. We wish we had a little more control over the
schedule around this place, but it doesn't seem to work out
that way.
But I do want to begin by welcoming our first witness, Mr.
Greg Garcia, Assistant Secretary for Cybersecurity and
Communications. Assistant Secretary Garcia oversees the
Department of Homeland Security's mission to prepare for and
respond to incidents that could degrade or overwhelm the
operation of the Nation's information technology and
communications infrastructure.
So I welcome you, Mr. Secretary.
Our second witness, Dave Powner, is the Director of
Information Technology Management Issues at the Government
Accountability Office.
Thank you for your participation, and we welcome you here
today, Mr. Powner.
Our third witness is Mr. J. Michael Hickey, the Chairman of
the Communications Sector Coordinating Council. Mr. Hickey is
also the Vice President of Government Affairs and National
Security Policy at Verizon.
Welcome, Mr. Hickey.
Our fourth witness is Mr. George Hender, the Chairman of
the Banking and Financial Sector Coordinating Council. Mr.
Hender is the Vice Chairman of the Options Clearing
Corporation.
Welcome to you, Mr. Hender.
Without objection, the witnesses' full statements will be
inserted into the record.
Mr. Langevin. And I now ask each witness to summarize his
statement for 5 minutes, beginning with Assistant Secretary
Garcia.
The floor is yours.
STATEMENT OF GREG GARCIA, ASSISTANT SECRETARY, OFFICE OF
CYBERSECURITY AND TELECOMMUNICATION, U.S. DEPARTMENT OF
HOMELAND SECURITY
Mr. Garcia. Thank you, sir.
Mr. Chairman, Madam Chairwoman, members of the
subcommittees, thank you very much for inviting me again to
speak about the Department of Homeland Security's effort to
strengthen the security and resilience of our Nation's critical
infrastructure.
My comments today will focus on three areas: first, how my
office has worked with each of the 17 critical infrastructure
and key resource sectors to ensure cybersecurity is integrated
into their sector-specific plans, or SSPs;
Second, I will report on the findings from our
cybersecurity review of each SSP; and
Third, our plan for continuing to increase attention that
each sector gives to cybersecurity.
Under the National Infrastructure Protection Plan, or NIPP,
my office, the Office of the Cybersecurity and Communications,
works to reduce cyber risk and enhance cybersecurity in two
ways. We serve as the Federal lead for the IT and
communications sector infrastructure protection efforts, and as
the lead for addressing the cross-sector cyber element for all
sectors.
Throughout the development of the SSPs, my office provided
cybersecurity guidance and support to the sectors. This
included providing sector-specific agencies with resources for
identifying cybersecurity practices and protective programs,
helping them identify cyber R&D priorities, and developing a
comprehensive cyber guidance checklist which gave each sector a
framework for integrating cybersecurity into their SSPs.
In addition, sectors asked us to review drafts of their
SSPs, and we provided recommendations on ways to address
cybersecurity. My office also conducted a review of the cyber
elements in each plan to determine sector-specific efforts and
identify cross-sector trends. Our review was generally
consistent with the findings of the GAO's analysis.
In particular, I am pleased that the GAO found that 12 out
of the 17 sectors were comprehensive in addressing
cybersecurity and their SSPs. This is clear evidence of all the
hard work that has been done to date. Since the development of
the SSPs, sectors have been implementing their plans and
enhancing efforts to address the security of their cyber
infrastructure.
Our review of the 2007 sector annual reports revealed an
increased integration of cybersecurity considerations across
the sectors. For example, more than half of the sectors
identified at least one cybersecurity goal and/or priority.
This is a significant improvement from the 2006 sector annual
reports, and it is a strong indication of increased
understanding about the importance of cybersecurity.
Additionally, sectors are incorporating DHS-sponsored
cybersecurity measures, such as our cybersecurity vulnerability
assessment tool, into their risk assessment efforts.
I would add, no discussion of cybersecurity and
infrastructure protection efforts would be complete without
mentioning the cross-sector cybersecurity working group. This
group is composed of experts from each sector and serves to
enhance cross-sector understanding of mutual dependencies and
interdependencies. It is currently focused on addressing common
cybersecurity challenges identified in each sector's initial
SSP and developing improvements that can be leveraged across
the sectors.
Overall, while we are seeing greater attention given to
cybersecurity, there is still more work to do. Each sector must
consider their own cybersecurity posture and balance against
other sector-specific risk management efforts. Specifically,
sectors should continue to focus on identifying their critical
cyber infrastructure, assessing their cyber risk, implementing
protective programs, and measuring the effectiveness of their
efforts.
My office is currently engaging with sectors that may not
have fully captured the good cybersecurity work they are
already doing in their initial SSPs. We will work with them to
more fully document their efforts as they update their SSPs and
develop their 2008 sector annual reports.
We will also continue to work with individual sectors to
implement the cyber aspects of their SSPs in order to
measurably enhance security within their sectors. We will
conduct workshops with sectors to identify incentives, cyber
metrics, and current and future cyber R&D requirements.
The development of the SSPs represented a significant
milestone for public and private sector national protection and
preparedness activities. My office is committed to promoting
cybersecurity strategies that can address the evolving risks we
face. We are thankful for the work that has been done to date,
and we encourage all sectors to continue working with us to
address cybersecurity and their infrastructure protection
activities.
Thank you all for your time today, and I am happy to
address any questions that you may have.
Mr. Langevin. Thank you, Secretary Garcia, for your
testimony.
[The statement of Mr. Garcia follows:]
Prepared Statement of Gregory Garcia
Good afternoon, Chairman Langevin, Chairwoman Jackson-Lee, Ranking
Member McCaul, Ranking Member Lungren, and Members of the
Subcommittees. Thank you for inviting me to speak about our efforts to
work with all 17 critical infrastructure and key resource (CI/KR)
sectors to address the security of the cyber elements of their
infrastructures, including the incorporation of cyber security into
their Sector-Specific Plans (SSP), progress in advancing mitigation
actions, and plans for continuing to engage with the CI/KR sectors to
further address cyber security.
One of the most pressing challenges facing the Department of
Homeland Security (DHS) is preparing for cyber attacks against our CI/
KR. Threats to the Nation's CI/KR are numerous and constantly evolving.
The ability of threat actors to exploit vulnerabilities is facilitated
by the widespread availability of tools, techniques, and information. A
variety of cyber threats could exploit vulnerabilities in the Nation's
CI/KR assets, systems, networks, and functions, potentially threatening
national and economic security, public health and safety, and
confidence in the government. The President's National Strategy to
Secure Cyberspace recognized the importance of assessing threats and
vulnerabilities and determining how likely or significant those attacks
could be on critical infrastructure. It called for public-private
partnerships to address five critical priorities: (1) a national
cyberspace security response system, (2) a national cyberspace security
threat and vulnerability reduction program, (3) a national cyberspace
security awareness and training program, (4) securing governments'
cyberspace, and (5) national security and international cyberspace
security cooperation. The first three priorities speak directly to the
development and implementation of the SSPs.
In implementing the National Strategy DHS' Office of Cybersecurity
and Communications (CS&C), working in partnership with the Office of
Infrastructure Protection (OIP), Sector-Specific Agencies (SSAs), and
public- and private-sector security partners, is committed to
preventing, preparing for, responding to, and recovering from cyber
attacks and their consequences. CS&C's strategic goals include
preparing for and deterring catastrophic incidents by achieving a
collaborative risk management and deterrence capability with a mature
partnership between government and the private sector. One example of
this partnership is CS&C's National Coordinating Center (NCC). Since
1984, the NCC has served as a forum through which the Federal
government and private sector communications providers can interact
face-to-face on a daily basis. This strategic goal also encompasses
tactical efforts to secure and protect the Nation's cyber
infrastructure from attacks and disasters by identifying and mitigating
threats, vulnerabilities, and consequences.
Our vision, philosophy, and strategy for preventing, responding to,
and recovering from cyber attacks reflect the expanding and widespread
importance of the cyber infrastructure. Policies that advance a safe
and secure infrastructure rely on the valuable relationships between
the public and private sectors and on public trust and confidence.
The key to continued success is partnering strategically with the
private sector to identify, prioritize and protect critical cyber
assets, systems, networks and functions. Even though the private sector
builds, owns and operates most of the cyber infrastructure, CS&C takes
an active role in its protection by building public-private
partnerships that are vital to our strategy to secure cyberspace and to
facilitating efforts to raise cyber security awareness, train
personnel, stimulate market forces to secure cyberspace, improve
technology through the identification of cyber research and development
requirements, identify and remediate vulnerabilities, and exchange
information.
CS&C works to reduce cyber risk and enhance cyber security in two
primary ways under the National Infrastructure Protection Plan (NIPP)
framework: (1) as Federal lead for the Information Technology (IT)
Sector's infrastructure protection and preparedness responsibilities
(in partnership with the Communications Sector); and (2) as a cross-
sector cyber element that involves DHS, the SSAs for each of the 17 CI/
KR sectors, and public and private sector owners and operators.
Homeland Security Presidential Directive 7 designates DHS as the
SSA for both the Communications and IT sectors. CS&C's National
Communications System (NCS) and the National Cyber Security Division
(NCSD) carry out the SSA responsibility for the Communications and IT
Sectors, respectively. Both sectors recently released their Sector
Specific Plans (SSPs), which are planning documents that focus on
overall sector preparedness, including managing risk to the sectors'
critical functions and infrastructures that support homeland, economic,
and national security. Under the NIPP framework, the Internet and its
associated services are identified as a shared key resource of the IT
and Communications Sectors, reflecting the convergence of voice and
data communications networks and services. In their respective DHS-
designated roles for the Communications and IT infrastructure sectors,
the NCS and NCSD share responsibility with public--and private-sector
security partners for the availability of the Internet and its
associated services. Recognizing the synergies between IT and
Communications, the chair of each sector's Government and Sector
Coordinating Councils also participates in the other sector's council.
In addition, representatives from the IT and communications sectors
participate in each other's risk assessment methodology development
efforts.
Cyber Security in the Sector-Specific Plans
In support of the cross-sector cyber responsibility, NCSD is
working closely with OIP, the SSAs, and other security partners to
integrate cyber security into the CI/KR sectors' protection and
preparedness efforts.
During the SSP development process, NCSD provided cyber expertise
to the sectors, including reviews of draft SSPs and participation in
sector-specific cyber security meetings. Specifically, as sectors were
developing their SSPs, NCSD developed and provided information to SSAs
on resources for cyber security practices and protective programs that
are applicable across all sectors, as well as some that are more
focused on individual sectors, to help inform the identification of
cyber security-related protective programs. For each protective
program, a brief description and the specific activities they supported
within the preparedness spectrum were provided. NCSD also developed
information on cyber research and development (R&D) requirements and
priorities to help SSAs in the identification of cyber-related R&D
priorities. A description of Federal organizations that support cyber
R&D and several references to R&D documents that outlined specific
cyber security initiatives were provided. NCSD also offered to work
directly with any sector that requested assistance and worked with
responding sectors to develop and review cyber security content for the
SSPs.
NCSD also developed a comprehensive SSP Cyber Guidance Checklist,
which provided sectors with a framework for integrating cyber security
throughout each section of their SSPs. The checklist complemented DHS'
2006 CI/KR Protection SSP Guidance developed by OIP and was intended to
provide a starting point for SSAs as they integrated cyber into their
SSPs. The checklist included an outline and guidance for the
development of cyber content for the SSPs. NCSD shared the checklist in
OIP-sponsored technical assistance sessions with SSAs to provide
expertise and answer questions regarding the inclusion of cyber
security in the SSPs. NCSD personnel also met individually with those
SSA representatives who expressed an interest in determining approaches
for incorporating cyber security into their SSPs and sector risk
management efforts.
In December 2006 and January 2007, NCSD conducted a review of the
final draft SSPs as part of OIP's review process to (1) assess each
sector's plan for securing its cyber infrastructure and (2) understand
the coordination between NCSD and the sectors needed to better secure
the sector's cyber infrastructure. In addition to considering the full
content of the SSPs, this review focused on specific areas where future
coordination between NCSD and the sectors might be necessary to address
the security of the cyber elements of the Nation's CI/KR, including the
critical initial action to identify the sectors' cyber security
partners that NCSD should engage with to manage cyber risk. NCSD also
determined that coordination may be required in understanding how each
sector plans to identify and assess risk to its cyber infrastructure.
Coordination is also required when assisting sectors in the development
or refinement of methodologies intended to identify critical cyber
elements and to assess cyber risk. Finally, the review identified
protective programs specific to cyber security that fall within NCSD's
responsibility and cyber R&D priorities requiring coordination across
the sectors and with DHS' Science and Technology Directorate.
After the SSPs were finalized, NCSD conducted a second review of
the documents on behalf of the Cross-Sector Cyber Security Working
Group (CSCSWG). The CSCSWG provides a forum for exchanging information
on common cyber security challenges and issues (i.e., threats,
vulnerabilities, and consequences) and enhancing the understanding
across sectors of mutual dependencies and interdependencies. The
working group includes cyber security experts from the CI/KR sectors
collaborating to identify systemic cyber risks and mitigation
strategies for the Nation's CI/KR sectors. The CSCSWG held its
inaugural meeting on May 30, 2007, and determined that an initial area
of focus would be reviewing the cyber security components of the SSPs
to better understand the various efforts to protect cyber elements of
the 17 CI/KR sectors and identify trends in cyber infrastructure
protection that cut across the sectors. Using the NCSD review as a
starting point, the group provided input on sectors' cyber content and
on cyber activities not fully captured or initiated after the drafting
process. The group has begun to share successes, best practices, and
lessons learned to help the development and implementation of more
effective cyber risk management activities across the sectors. For
example, through the CSCSWG, members learned about the Roadmap to
Secure Control Systems in the Energy Sector. As a result, the Water and
Chemical Sectors have chosen to initiate similar efforts to address the
unique concerns of control systems security within their sectors.
Progress in Advancing Mitigation Actions
Many of the SSPs were created in summer and fall of 2006. Sectors
have been implementing the plans, continuing or initiating efforts to
address the security of their cyber infrastructure. Sectors are not
uniformly comprehensive in their cyber security efforts and should not
necessarily be. Each sector must consider its cyber security posture
and balance that against other risk management efforts, in
consideration of the unique aspects of its infrastructure. Cyber risk
varies by sector, based on its dependence on cyber elements. For
example, the extensive use of control systems in the Energy Sector and
of business systems in the Financial Services Sector must factor into
the extent, sophistication, and unique implementation of mitigation and
protection strategies within those sectors. Other sectors do not have
cyber infrastructure integrated as ubiquitously in their essential
services, a fact that influences the focus and maturity of their cyber
security efforts. The length of time a sector's public and private
partners have been working together on infrastructure protection issues
is another factor in the comprehensiveness of their plans. These
observations regarding the cyber security position of the SSPs are
generally consistent with the findings of the Government Accountability
Office's (GAO) analysis.
The integration and maturing nature of cyber security across the 17
CI/KR sectors was clear when NCSD reviewed and contributed to the
Sector Annual Reports (SARs). The sectors' 2007 SARs were much improved
over their initial 2006 efforts. For example, more than half of the
sectors identified at least one cyber security goal and/or priority in
their second SAR. This represents a significant increase in the number
of sectors from the 2006 SAR, suggesting that the understanding of the
importance of cyber security is becoming more pervasive in the sectors.
Further, more sectors are implementing DHS-sponsored protective
measures, such as the Comprehensive Review, the Risk Analysis and
Management for Critical Asset Protection (RAMCAP), and the Site
Assistance Visit programs. NCSD collaborates with OIP to incorporate
cyber security into these DHS risk and vulnerability assessment
programs so that sectors implementing them would address the cyber
elements of their infrastructure. We encourage sectors to assess cyber
risk by using the Cyber Security Vulnerability Assessment (CSVA), a
flexible and scalable approach that analyzes an entity's cyber security
posture and describes gaps and targeted considerations that can reduce
overall cyber risks. It assesses the policies, plans, and procedures in
place to reduce cyber vulnerability in 10 categories (e.g., access
control, configuration management, physical security of cyber assets,
etc.) and leverages various recognized standards, guidance, and
methodologies (e.g., International Organization for Standardization
27001, Information Systems Audit and Control Association Control
Objects for Information and related Technology, and the National
Institute of Standards and Technology Special Publication 800 series).
The CSVA tool is being used by six sectors in their tailored
vulnerability assessments: five through their sector specific RAMCAP
modules and another, the Transportation Sector, in its customized cyber
security assessment.
Plans for Continuing to Engage with the CI/KR Sectors to Further
Address Cyber Security
Our review of the SSPs and SARs found that sectors are paying
attention to cyber security, but more needs to be done. Over the next
year, sectors need to focus on identifying their critical cyber
infrastructure, assessing cyber risk and promoting voluntary
assessments, implementing protective programs, and measuring the
effectiveness of their efforts.
NCSD has created an action plan and is engaging with sectors in
addressing cyber security issues not fully addressed in those sectors'
initial SSPs. This action plan includes working with sectors to review
cyber security priorities, assess effects of cyber attacks, develop
protective programs, and evaluate R&D requirements and initiatives to
identify areas where additional capabilities are needed. NCSD has
already worked with the cyber experts of the Chemical Sector
Coordinating Council (SCC) and the SSA to identify cyber security
content needed for the 2008 update to their SSP. Some of the
opportunities for engagement are based on sector specific needs, but
others address more common challenges. The action plan will address
both individual and more universal steps.
While all sectors have established SCCs and Government Coordinating
Councils (GCCs), the degree of examination of specific cyber risk and
of cyber information sharing varies. Some sectors--such as Financial
Services--consider cyber security as critical to their core business
functions and integrate cyber security into all of their SSP
implementation activities. In fact, the Financial Services SSA, the
Department of the Treasury, sits on the IT GCC because of its interest
and expertise in cyber security. Other sectors have historically had
less focus on cyber security due to the lack of prominence of IT in the
business of the sector. Representation from the sectors' SCCs and GCCs
are participating in the CSCSWG provides a mechanism for two-way
information flow on cyber concerns across all sectors. Participation in
the CSCSWG may help less-mature sectors make more rapid progress in
identifying cyber goals, gaps, and interdependencies, as well as
developing programs to deter, respond and recover from cyber attacks by
enabling them to leverage the experiences, work, and cyber functional
expertise that exists in many sectors.
In addition, the reliance of some sectors on control systems
highlights an area for increased coordination of risk management
efforts. NCSD's Control Systems Security Program (CSSP) and the Process
Control Systems Forum (PCSF) are resources to help address control
systems risk. The CSSP coordinates efforts among Federal, State, local,
and tribal governments, as well as control system owners, operators,
and vendors, to improve control system security within and across all
critical infrastructure sectors. In support of risk mitigation efforts,
the CSSP developed the Control Systems Cyber Security Self Assessment
Tool and provides training in control systems cyber security. The PCSF,
a standing group under the CSCSWG, works to develop solutions for
process control systems security, aggregate information, connect
decision makers, and leverage other groups' work.
Sectors may leverage the United States Computer Emergency Readiness
Team (US-CERT) to share information on cyber threats and
vulnerabilities and enhance situational awareness. The timely detection
and analysis of cyber attacks further helps to assess operational risk
and mitigate the impact on our Nation's critical infrastructures of
cyber vulnerabilities. US-CERT is working with the Information Sharing
and Analysis Center Council to expand this operational interaction.
Finally, most sectors are taking on the challenge of identifying or
developing metrics to measure the effectiveness of all infrastructure
protection efforts, including those for cyber. Since sectors have
different overall approaches to infrastructure identification and risk
management, NCSD will work with the sectors to develop some cross-
sector qualitative measures that correlate to cyber security to help
measure the effectiveness of sectors' cyber security efforts.
Conclusion
The development of the 17 CI/KR SSPs represented a significant
milestone in sectors' protection and preparedness activities. Sectors
varied in how they addressed the security of the cyber elements of
their infrastructures, including the incorporation of cyber security
into their SSPs, but demonstrated increased understanding of the
importance of cyber security in the SARs and implementation activities.
As the sectors work to address the feedback from the GAO on the
cyber security aspects of the SSPs, CS&C, and specifically, NCSD will
continue to execute its cross-sector cyber responsibility to work with
sectors to reduce cyber risk and enhance cyber security. Our goal is to
create a clear and actionable path forward with the sectors and to work
together to secure our critical cyber infrastructure.
NCSD will continue to schedule regular interactions with individual
sectors as well as meetings with multiple sectors. For example, we plan
to meet with each SSA at least twice a year, once before the sectors
update their SSPs and once in early spring of 2008 as sectors are
preparing their SARs. NCSD will develop guidance on cyber elements that
should be considered for inclusion in the SSPs and SARs. This guidance
will complement guidance from the Office of Infrastructure Protection.
NCSD will also work with sectors through their coordinating councils to
identify cyber subject matter experts within their sectors and raise
awareness of the sectors' reliance on cyber infrastructure. NCSD is
piloting this approach by convening a small group of cyber security
experts with security clearances from across the sectors to support the
SSA risk assessment process for the 2008 National CI/KR Protection
Annual Report.
NCSD also plans to offer workshops in 2008 with sector partners and
other invited subject matter experts to address incentives to encourage
voluntary risk assessments, develop cross-sector cyber metrics, and
identify existing cyber research and development projects. The outcome
of these workshops will provide sectors with ideas for incentives for
investing in cyber security, metrics that enable realistic evaluation
of cyber security, and cyber R&D priorities. NCSD will also continue to
support the efforts of the CSCSWG as it addresses opportunities to
enhance cyber security across the sectors and share information about
strong cyber programs and practices. Further, NCSD will continue to
roll out important efforts like the CSVA, software assurance, and
control systems acquisition guidance, training, and cyber exercises to
our sector partners.
We encourage sectors to continue to work collaboratively with NCSD
on addressing cyber security in their infrastructure protection
activities. Through participation in the CSCSWG, individual meetings
with NCSD, and various NCSD-sponsored workshops and programs, sectors
can make significant progress in the future to address or more fully
address cyber security.
We must reinforce a culture of preparedness, shift from a reactive
to a proactive stance, and prepare by promoting effective cyber
security strategies that evolve as the risks evolve. There is much work
to be done, but progress continues every day. We rely on the support
and expertise of the sectors to advance this mission.
I would like to thank the Subcommittees for their time today, and I
appreciate this opportunity to discuss these important cyber security
priorities.
Mr. Langevin. I now recognize Mr. Powner to summarize his
statement for minutes.
Welcome.
STATEMENT OF DAVID POWNER, DIRECTOR, INFORMATION TECHNOLOGY
MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Powner. Chairman Langevin, Chairwoman Jackson Lee,
Ranking Members McCaul and Lungren, and members of the
subcommittees, we appreciate the opportunity to testify on our
report being released today on cybersecurity elements of the
sector plans to protect our Nation's critical infrastructures.
Chairman Langevin and Ranking Member McCaul, I would like
first to thank you for your leadership and oversight of the
Nation's cyber critical infrastructure.
As the focal point for SSP, DHS has many cyber-related
roles and responsibilities that are called for in law and
policy that we have previously testified on before this
subcommittee. These are highlighted in detail in my written
statement. One of these is the development of a comprehensive
national plan that requires each of the 17 sectors to develop
sector-specific plans that include how each sector will
identify, assess, and protect its cyber assets. Today's request
is--I will discuss how well these plans address key cyber
aspects of cybersecurity and GAO's observations and
recommendations to move beyond the planning phase.
The extent to which the sectors address aspects of
cybersecurity and their plans varied. The strongest plans were
the ones from the IT and communications sectors, while the
weakest included the agriculture and commercial facilities
sectors. The banking and finance sectors assessment fell near
the middle of these plans.
DHS has acknowledged these shortcomings and has stated that
these are only early efforts by sectors to develop their
respective plans. DHS attributed the variations to several
items, including the maturity of the sector and the extent to
which the sector worked with DHS to develop their plans.
Nevertheless, until these plans fully address the key cyber
elements, infrastructure sectors may not adequately identify,
prioritize, and protect critical cyber assets.
Another reason why these plans are incomplete is that based
on our broader work for the full committee and for the
subcommittee chaired by Ms. Jackson Lee, some of the sectors
claim that these plans are not that useful. In particular, some
sectors believe that they have progressed beyond these plans.
In these cases, then, this is just a paper exercise.
It is important to note that these are just plans. They do
not identify actual assets and vulnerabilities; rather, they
identify approaches the sectors will pursue. Moving forward, if
in fact these plans are truly to be used to identify gaps in
our Nation's cyber protection efforts on a national level, as
intended, these plans need to be improved, meaning that they
comprehensively address cyber elements and, even more
importantly, the plans need to be effectively implemented.
From an oversight perspective, it will be important to
track how these plans evolve and are implemented in the
critical infrastructure protection annual report due to the
Executive Office of the President each September, although we
hear that this year's report will be issued in November.
Beyond its involvement with developing and implementing
these plans, DHS's national Cybersecurity Division needs to
continue to bolster its capabilities so that it is viewed as a
valuable service provider to infrastructure owners. Today, this
is not necessarily the case.
To its credit, DHS's efforts to lead cyber exercises, like
Cyber Storm, provide valuable information to participants to
improve response, and coordination mechanisms. However, our
Nation still lacks a national threat assessment and a mature
analysis and warning capability, an area that we are currently
reviewing for you, Mr. Chairman. If DHS is to effectively
fulfill its role as the focal point for cyber critical
infrastructure protection, it must fulfill more of its
responsibilities and build more capability.
Our Nation continues to progress at a slow pace in
implementing this sector-based approach to protecting our
Nation's critical infrastructures. We are almost 10 years into
this approach, and although there is some progress in areas, we
are not where we need to be. Unless we start making more
progress and actually protecting our critical infrastructures,
we may want to consider alternative approaches such as
prioritizing and protecting by asset criticality regardless of
sector.
In summary, Mr. Chairman, and Madam Chair, if the sector-
based approach to protecting our Nation's critical
infrastructures is to be effective, we will need comprehensive
plans. However, ultimately our Nation needs to move beyond the
planning stages and into implementation of effective protective
and recovery programs. Implementation of these plans is more
likely if DHS can successfully fulfill its responsibilities and
become a provider of valuable information on threats and
analytical products to our Nation's critical infrastructure
owners.
This concludes my statement. I will be pleased to respond
to questions.
Mr. Langevin. I thank you, Mr. Powner, for your testimony.
[The statement of Mr. Powner follows:]\1\
---------------------------------------------------------------------------
\1\See For the Record.
---------------------------------------------------------------------------
M. Langevin. And the Chair now recognizes Mr. Hickey for
his statement for 5 minutes.
STATEMENT OF J. MICHAEL HICKEY, CHAIRMAN, TELECOMMUNICATIONS
SECTOR COORDINATING COUNCIL
Mr. Hickey. Good afternoon, Chairman Langevin and
Chairwoman Jackson Lee, Ranking Members McCaul and Mr. Lungren.
It is a pleasure to be here representing the communications
sector and to testify on behalf of the sector in terms of what
we are doing day in and day out to advance not only
cybersecurity, but business continuity and emergency
preparedness practice within our sector.
What I would like to do in my few minutes with you is to
discuss four areas of involvement. The first is focused on what
companies like Verizon do day in and day out that really
addresses not only cybersecurity, but broader asset protection
within our companies.
I would also like to spend a few minutes talking about the
collaborative activity that is under way, again day in and day
out not only within our sector, but with our partners in
government.
Third, I will speak briefly to the Communications Sector
Coordinating Council structure and the work that we are doing
on our sector-specific plan.
And I will conclude with a few observations in terms of
what I think we can do, what we must do, with government, going
forward.
Effective industry and government collaboration starts with
the actions of individual organizations. The private sector
owns and operates from 85 to 90 percent of this country's
critical infrastructure. Because of industry's important role
in national and homeland security, corporations like Verizon
must dedicate the operations, experience, resources, and
oversight necessary to be as self-aware and self-reliant as
possible.
Verizon's communications, voice, data, and video networks
are touched by over 100 million consumers and government and
business customers daily. Because of this reach, we have a
longstanding and growing commitment to national security and
emergency preparedness. For instance, we have designed, built,
and managed networks that are resilient and redundant. We have
adopted best-practice business methods and security procedures.
We have created and tested business continuity and emergency
preparedness programs. We have responded successfully to a wide
range of crises and have provided leadership to industry and
government organizations dedicated to national security and
emergency preparedness.
From a structural standpoint internally, we have corporate
policy statements that require attention to business
continuity, emergency preparedness, and cybersecurity. We have
a number of senior leaders within our business from a chief
information officer, who is an executive vice president, to a
new chief technology officer, again another executive vice
president, to the announcement of a new chief security officer
for Verizon Corporation who will start with us in January, who
currently serves as executive assistant director of the FBI for
Criminal, Cyber, and International Security.
We have groups within our IT organization that serve as
service bureaus to all of our business units to make sure that
cybersecurity practices are designed, engineered, and adopted
business unit by business unit. We actually focus on security
within our company from more of an organic standpoint.
We rely on ground-up business unit activity, identifying
and dealing with issues; and beyond that, to coordinate
activity across our corporation, we have executive security
councils and a Verizon information security council that is
responsible not only for oversight, but to make sure that best
practices are implemented within our business organizations.
We have a cyber intrusion response team that provides 7-by-
24 coverage for the entire enterprise, supporting all business
units and organizational points of contact to assess intrusion
impacts, contain and control further dissemination of problem
areas across the company, and capture and preserve evidence for
law enforcement and legal purposes.
So, within Verizon Corporation, as within many other
corporations that I work with day in and day out, there are
strong practices in place. There is a real focus day in and day
out on cybersecurity and critical assets protection within our
organizations.
I would like to address, just for a minute, sector
collaboration. Verizon and its peer companies within the
communications sector have a long history of cooperation on
national security and emergency preparedness. We have a 40-year
history that stems back to the aftermath of the Cuban missile
crisis when the National Communications System was created to
deal with issues of interoperability and sustainable
communications.
Since that time, in 1984, the National Coordinating Center
for Telecommunications was formed as a partner organization
with the National Communications System. It was broadened. It
was established when Executive Order 12472 created it, and it
has focused since that time on making sure that industry and
government work together closely day in and day out on a full
range of asset protection measures. The focus is on
facilitating information sharing among government and industry
participants regarding vulnerability, threat, intrusion, and
anomaly information affecting the telecommunications
infrastructure.
I might point to the recent Southern California fires where
the NCC Watch took a real leadership role in coordinating
private sector and government information, sharing real-time on
what was happening within the field and how industry and
government could respond together. That information developed
there was shared with a joint field office when established on
the West Coast.
There is a network reliability and interoperability council
established by the FCC back in 1992. There have been a series
of seven councils since that time. Most have focused on some
aspect of security practice. Verizon and industry in general
have been very active in working not only with the FCC, but
with other government partners in advancing sound practice on a
voluntary basis as a result of the work done within the NRIC.
There is another organization called the National Security
Information Exchange. In 1990, the NCS focused on actions
industry and government could pursue to protect critical
telecommunications from the growing hacker threat. Ultimately,
the NCS and NSTAC created national security information
exchanges. These exchanges, since that time, have brought
together expertise from government and subject matter experts
on security practice from industry to address a full range of
security practices relevant to the evolving risk environment.
Pertinent to the Communications Sector Coordinating
Council, I am very proud to be its chair for this year, and it
points out the complexities, I think, of working together not
just within our sector, but on a cross-sector basis; and we
have focused very much on our interdependencies not just within
our sector, but across sectors.
The Communications Sector Coordinating Council became
operational in calendar year 2006. It was chartered to foster
the coordination of policy initiatives to improve the physical
and cybersecurity of sector assets and to ease the flow of
information within the sector, across sectors, and with
designated Federal agencies.
We now embrace 35 member companies that are broadly
representative of the sector. I think that is a real benefit of
the Sector Coordinating Council's having been established,
because we are not just traditional wireline and wireless; we
are satellite, we are undersea cable. We represent the National
Broadcasters, the Association of Public Television Stations, a
wide range of companies.
To summarize, the sector has been very proactive through
the Sector Coordinating Council, through other mechanisms, and
we have really focused on our sector-specific plan, currently
on the risk assessment which we plan to have complete by the
end of this calendar year in draft form and in final form by
the end of the first quarter next year. Thank you.
Mr. Langevin. Thank you.
[The statement of Mr. Hickey follows:]
Prepared Statement of J. Michael Hickey
Overview:
Mr. Chairman and Members of the Subcommittee, my name is Mike
Hickey and I thank you for the opportunity to testify before you on
measures we have taken to address cybersecurity in the Communications
Sector Specific Plan. I serve as Vice President of Government Affairs
for National Security Policy at Verizon and as Chair of the
Communications Sector Coordinating Council. I also serve as Vice Chair
of the Internet Security Alliance and am an active member of the US
Chamber of Commerce Homeland Security Task Force. Of these
organizations, the Communications Sector Coordinating Council is
uniquely chartered to represent the breadth of the communications
sector on policy issues relating to the protection of critical
communications infrastructure and key assets. Since 2005, it has
emerged as an instrument for business engagement with government on
policy matters relating to homeland security and emergency
preparedness.
My comments will address the roles that have been established for
industry and government in protecting the nation's critical physical
and cyber communications assets, steps taken to protect these assets,
what measures have worked effectively and what needs to be done to
sharpen the collective focus as we move forward.
Tiered Approach to Critical Asset Protection:
Effective industry and government collaboration starts with the
actions of individual organizations. The private sector owns and
operates nearly 90% of this country's critical infrastructure. Because
of industry's important role in national and homeland security,
corporations like Verizon must dedicate the operations experience,
resources and oversight necessary to be as self-aware and self-reliant
as possible. Verizon is obligated to its shareowners and customers to
take the steps necessary to secure its cyber, physical and human assets
from disruption or attack. We cooperate with peer companies in order to
support communications sector mutual aid obligations. We also
proactively address our interdependencies with other sectors to ensure
continuity of operations in time of crisis. Finally, we continue to
work with government agencies at the Federal, State, regional and local
levels to support appropriate security and emergency preparedness
initiatives.
Strength from Within:
Verizon Communications Inc. is a Dow 30 company. It employs over
240,000 employees. In 2006, the company generated $88 billion in annual
revenue and spent $17.1 billion on capital investments. Verizon's
state-of-the-art voice, data and video networks are touched by over 100
million consumers and government and business customers daily.
Given its breadth of service and geographic coverage, Verizon's
commitment to national security and emergency preparedness--grounded in
corporate policy, sound business practice and hands-on experience--is
long-standing and growing. In order to ensure the continuity of its own
operations and to meet the requirements of its critical customers in
time of crisis, Verizon has:
Designed, built and managed network facilities that
are robust and resilient;
Embraced ``best practice'' business methods and
security procedures;
Created and tested business continuity and emergency
preparedness programs that have served the corporation and its
customers in times of stress;
Responded successfully to a wide range of crises; and,
Provided leadership strength to industry and
government organizations dedicated to national security and
emergency preparedness.
Verizon's Internal Security Councils: Verizon takes a holistic
approach to addressing information security by coordinating business
unit activity around network and information protection. This effort is
led by the Verizon Executive Security Council (VESC), established in
1995 to oversee all aspects of information security within Verizon.
Reporting to the VESC is the Verizon Information Security Council
(VISC), an enterprise-wide, cross-organizational working committee
comprised of lead security managers and information security teams. The
VISC is charged with instituting a secure environment for company
network, information management, processing, transport and delivery.
The Verizon business units that comprise the VISC are dedicated to
providing coordinated information and network security services for
Verizon. These services include firewall support, host (mainframe and
distributed) management, virus protection, risk assurance, information
security practices, information security awareness, Incident Response &
Vulnerability scanning, and remote access security administration.
Computer Intrusion Response Team (CIRT): The Verizon CIRT provides
7x24 coverage for the entire enterprise, supporting all business units
and organizational points of contact to assess intrusion impacts,
contain and control further dissemination of problems across the
company, and capture and preserve evidence for law enforcement/legal
purposes. The CIRT also provides restoration options, identifies and
closes security vulnerabilities (exploited or otherwise), and uses
secure communication channels during response.
The CIRT's network of contacts and organizational breadth enable it
to effectively work with the appropriate company personnel to
coordinate incident response and resolution. A single point of contact
is designated for all network or computer related security advisories
to the enterprise, thus eliminating duplication of information and
effort by quality checking all data prior to distribution. A historical
repository of advisory data is also maintained for reference.
Management Structure: Verizon has sharpened its focus in addressing
its evolving challenges in network technology and security. Key
internal organizations have been realigned to apply consistent, best
practice solutions to IT and network technology across business units.
Verizon's Executive Vice President and Chief Information Officer has
oversight over a range of technical support organizations serving the
company's major business units. Meanwhile, a newly created position of
Executive Vice President and Chief Technology Officer has
responsibility for establishing and managing the overall direction,
technology and planning of all Verizon networks. The CTO in each of
Verizon's business groups remains responsible for the day-to-day
execution of their network deployment strategies.
Technical Support:T1 A full array of internal technical, consulting
and R&D services are available to guide decision making and strengthen
best practice within all major business units. For instance, the
Verizon Information and Network Security organization advances security
strategies that integrate people, process and technology (such as
firewalls, intrusion detection systems, virus protection, and remote
access) with full adherence to information security policies and
practices; while also providing technical and consulting services to
business units--all with a primary focus on information asset
protection.
Verizon Information Security Focus is Crucial: In today's evolving
threat environment, malicious insiders are the greatest threat to our
critical national infrastructures. Today's geo-political climate will
result in cyber attacks against national communications and control
systems of economic, safety, or political significance. And politically
(ideologically) motivated cyber attacks are increasing in volume,
sophistication, and coordination. Verizon is addressing today's very
real threats. Standards organizations must address carrier class
security issues and architectures. The vendor community needs to
produce equipment & software that meet Verizon's security objectives.
And our customers and peer carriers need to work with us to mitigate
security risks.
Sector Leadership and Collaboration:
Verizon, and its peer companies within the Communications Sector,
have a long history of cooperation in national security and emergency
preparedness. This history distinguishes the Communications Sector from
most other critical sectors identified in the National Infrastructure
Protection Plan. The sector personifies cooperation and trusted
relationships that have resulted in the delivery of critical services
when emergencies and disasters occur. A strong bond between the private
and public sectors exists today in large part because of several
organizations that were created in response to earlier threats to the
nation's critical infrastructure.
National Communications System: The Sector Specific Agency for the
Communications Sector is the National Communications System (NCS),
currently housed within the Department of Homeland Security's National
Cyber Security and Communications Division.
The NCS was established by President Kennedy in the aftermath of
the Cuban missile crisis when communications problems between the
United States and key international players threatened to further
complicate the crisis. Since 1963, the NCS has worked to strengthen the
communications facilities and components of various Federal agencies,
focusing on interconnectivity and survivability.
National Coordinating Center for Telecommunications: In 1982,
telecommunications industry and Federal Government officials identified
the need for a joint mechanism to coordinate the initiation and
restoration of national security and emergency preparedness
telecommunications services. In 1984, Executive Order 12472 broadened
the NS/EP role of the National Communications System and created the
National Coordinating Center for Telecommunications as a central
public-private sector organization to coordinate response to emergency
communications situations.
In January 2000, the NCC was designated an Information Sharing and
Analysis Center for Telecommunications in accordance with PDD-63. The
NCC-ISAC facilitates information sharing among government and industry
participants regarding vulnerability, threat, intrusion, and anomaly
information affecting the telecommunications infrastructure.
The National Security Telecommunications Advisory Committee
(NSTAC): The NSTAC was created 25 years ago, in 1982, by Executive
Order 12382. NSTAC provides another highly successful example of how
the private sector helps direct government decisions around national
security and emergency preparedness communications (NS/EP). This
advisory committee to the President brings together 30 industry chief
executives representing major telecommunications companies, network
providers, information technology companies, finance and aerospace
businesses. NSTAC provides industry-based advice and expertise to the
President on a wide range of telecommunications problems related to
implementing NS/EP communications policy issues. These include, but are
not limited to, information security, information assurance, and
critical infrastructure protection.
NS/EP communications enable the government to make an immediate and
coordinated response to all emergencies, including cyber attacks. NS/EP
communications allow the President and other senior Administration
officials to be continually accessible, even under stressed conditions.
The impact of today's dynamic technological and regulatory environment
is profound with new technologies and increasing competition bringing
both new opportunities and new vulnerabilities to the information
infrastructure. The NSTAC is strongly positioned to offer advice to the
President on how to leverage this dynamic environment to enrich NS/EP
communications capabilities and ensure that new architectures fulfill
requirements to support NS/EP operations; and to avoid introducing
vulnerabilities into the information infrastructure that could
adversely affect NS/EP communications services. The NSTAC's current
work plan includes issues ranging from information sharing and the
security and reliability of converged networks to research and
development (R&D) issues related to converged networks.
The Network Reliability and Interoperability Council (NRIC):
Government-imposed solutions may hinder the ability of business to
adapt and respond effectively to the changing threat environment. So it
becomes critical for business and government to work collaboratively
towards solutions that are meaningful, adaptable and sustainable. The
voluntary development of and compliance with ``best/sound practice''
approaches to physical and cyber security is a model that is time
tested. It is illustrated through the work of the Federal
Communications Commission's Network Reliability and Interoperability
Council. The NRIC is a successor to the National Reliability Council,
first established in 1992. Through the work of seven successive
councils, subject matter experts from business and government have come
together to address network reliability and interoperability issues of
concern, develop best/sound practices and encourage voluntary adoption.
The NRIC will soon merge with the Media Security and Reliability
Council (MSRC) to create a new organization, the Communications
Security, Reliability, and Interoperability Council (CSRIC).
National Security Information Exchange (NSIE): In April 1990, the
Chairman of the National Security Council's Policy Coordinating
Committee requested the NCS Manager identify what actions industry and
Government should pursue to protect critical NS/EP telecommunications
from the growing ``hacker'' threat. The NCS Manager subsequently
requested that the NSTAC provide industry's perspective on the network
security issue. Ultimately NSTAC created a mechanism for security
information exchange and produce a corresponding implementation plan.
The NSTAC and NCS Manager also established separate, but closely
coordinated, Network Security Information Exchanges (NSIEs). In May
1991, the NSIE charters were finalized, and NSTAC companies and
government departments and agencies designated their NSIE
representatives, chairmen, and vice-chairmen. The NSTAC and government
NSIEs held their first joint meeting in June 1991.
Industry and government coordinate through their respective NSIEs
to voluntarily share sensitive information on threats to operations,
administration, maintenance, and provisioning systems supporting the
telecommunications infrastructure. Government NSIE members include
departments and agencies that use national security and emergency
preparedness (NS/EP) telecommunications services, represent law
enforcement, or have information relating to network security threats
and vulnerabilities. NSTAC NSIE representatives include subject matter
experts who are engaged in prevention, detection, and/or investigation
of telecommunications software penetrations or have security and
investigative responsibilities.
The Communications Sector Coordinating Council (CSCC) and its
Sector Specific Plan (SSP):
Verizon recognizes its critical operational dependence on other
sectors and has established the necessary vendor relationships to meet
both normal and extraordinary continuity of business requirements. In
turn, all critical sectors are heavily reliant on the Communications
Sector to support their own continuity of operations.
The Homeland Security Act of 2002 provided the basis for DHS' role
in the protection of the nation's critical infrastructure and key
resources (CI/KR.) The Act assigned DHS responsibility for developing a
comprehensive national plan for securing CI/KR in conjunction with
other Federal agencies, State and local agencies and authorities, the
private sector and other entities.
The complexity of cross sector independencies was recognized in the
2006 National Infrastructure Protection Plan, resulting from Homeland
Security Presidential Directive 7. HSPD-7 focused on the
identification, prioritization and protection of the nation's critical
assets. It prescribed the development of the National Infrastructure
Protection Plan (NIPP) and corresponding Sector Specific Plans. Perhaps
most significantly, the NIPP encouraged the establishment of sector
coordinating councils. In so doing, it brought greater sector diversity
to the table and significantly advanced the institutional capacity of
sectors to formally and proactively address cross-sector dependencies.
Communications Sector Coordinating Council (CSCC): The
Communications Sector Coordinating Council (CSCC) became operational in
calendar year 2006. It was chartered to foster the coordination of
policy initiatives to improve the physical and cyber security of sector
assets, and ease the flow of information within the sector, across
sectors and with designated Federal agencies. Through the CSCC,
private-sector owners, operators and suppliers can engage Federal
government entities to: identify and coordinate policy issues related
to the protection of critical infrastructure and key resources;
facilitate the sharing of information related to physical and cyber
threats, vulnerabilities, incidents, potential protective measures, and
best practices; and, address policy issues related to response and
recovery activity and communication following an incident or event. The
CSCC now embraces 35 member companies and has become more
representative of the diversity of the Communications sector. Members
include wireline, wireless, cable, satellite, information service
providers, as well as commercial and public broadcasters, service
integrators, and equipment vendors. Small and medium size companies are
represented through CTIA, USTelecom, ITA and NCTA. Verizon currently
chairs the CSCC.
CSCC members meet quarterly to review industry and government
actions on critical infrastructure protection priorities, confer with
Federal agency representatives, review cross sector CIP issues, and
coordinate with industry participants in NSTAC and the NCC ISAC to
ensure industry coordination. Council work groups meet frequently to
engage industry and government SME's on task force initiatives. Top
2007 CSCC priorities include the sector's risk assessment of critical
assets, cross sector pandemic planning and implementation of access and
credentialing and emergency wireless protocols.
The CSCC and IT Sector Coordinating Councils maintain close
coordination on a range of policy and operational initiatives. Both
sectors participate in a recently formed cross sector cyber security
work group. Both have worked to heighten industry's role in NS/EP
exercises such as last summer's ESF2 exercise in New Orleans and in
TopOff 4. In the aftermath of Katrina, the Councils met to discuss ways
of strengthening industry preparation and response to major events.
Both participate in ongoing sector risk assessment activity. Both
organizations have elected sector liaisons to attend each other's
coordinating council meetings and they meet annually to confer, with
government counterparts, on ongoing sector activity.
Partnership for Critical Infrastructure Protection (PCIS): The
Communications Sector Coordinating Council is a member of the
Partnership for Critical Infrastructure Security (PCIS.), a private
sector organization. PCIS is comprised of the leadership from each of
the Sector Coordinating Councils, which represent the owners and
operators of the critical infrastructure and key resources sectors
identified by the government in HSPD-7. The mission of PCIS is to
coordinate cross-sector initiatives that promote public and private
efforts to help ensure secure, safe, and reliable critical
infrastructure services. This mission encompasses physical, cyber, and
human security that rely on strong infrastructure integrity and
resilience. Accordingly, the PCIS mission spans the full spectrum of
critical infrastructure matters from prevention, planning, and
preparedness to business continuity, mitigation, response, and
recovery.
The PCIS has worked to encourage a productive industry partnership
with the Federal government over the past six years. It was formally
recognized as the Private Sector Cross-Sector Council in the National
Infrastructure protection Plan when it was released in 2006. The NIPP
states that the ``cross-sector issues and interdependencies are
addressed among the sector coordinating councils through PCIS. PCIS
members, including the CSCC, continue to work with designated Federal
agencies on implementation of their sector specific plans.
Communications Sector Specific Plan (CSSP): The CSCC completed work
on the CSSP for critical infrastructure and key resource (CI/KR)
protection, as recommended by the NIPP, in December 2006 the plan was
subsequently released in May 2007. It was developed jointly by industry
and the National Communications System, with input from Federal
government agencies ranging from the US Department of Commerce to the
Federal Communications Commission.
The CSSP provides a framework for protecting the Nation's critical
communications assets and key resources. It addresses asset
identification, risk assessment and mitigation, protective programs and
government measurements.
The goals of the CSSP include the need to:
Protect the overall health of the national
communications backbone;
Rapidly reconstitute critical communications services
after national and regional emergencies;
Plan for emergencies and crises by participating in
exercises and updating response and continuity of operations
plans;
Develop protocols to manage the exponential surge in
utilization during an emergency situation and ensure the
integrity of sector networks during and after an emergency
event;
Educate stakeholders on communications infrastructure
resiliency and risk management practices in the Communications
Sector;
Ensure timely, relevant, and accurate threat
information sharing between the law enforcement and
intelligence communities and key decision makers in the sector;
Establish effective cross-sector coordination
mechanisms to address critical interdependencies, including
incident situational awareness, and cross-sector incident
management.
The CSSP acknowledges the lead role played by private sector owners
and operators in protecting critical assets. The communications
companies that own, operate and supply the Nation's communications
infrastructure have historically factored natural disasters and
accidental disruptions into network resiliency architecture, business
continuity plans, and disaster recovery strategies. The interconnected
and interdependent nature of these service provider networks has
fostered crucial information sharing and cooperative response and
recovery relationships for decades. The CSSP also articulates the role
of the Federal government in providing the support and resources
necessary to identify threats and help mitigate risk.
The Communications Sector's strategy is to ensure the nation's
communications networks and systems are secure, resilient, and rapidly
restored after an incident. The approach outlined in the CSSP includes:
Defining industry and government roles in protecting
communications infrastructure by leveraging corporate
capabilities and government programs;
Adopting an architectural approach to infrastructure
identification and risk assessment processes;
Coordinating with other sectors and customers on
critical infrastructure dependencies and solutions for
mitigating risk; and
Working closely with DHS to advance sector protection
and mitigation measures.
The CSSP defines the three major arenas where risk assessments are
conducted: industry self-assessments; government-sponsored assessments
and government-sponsored cross sector dependency analyses. Industry
self-assessments of risk are ongoing. Such assessments are conducted to
verify compliance with company policies, industry standards, contract
agreements and regulatory requirements.
Throughout 2007, industry has turned its attention to working with
government to define relevant government sponsored assessments through
a National Sector Risk Assessment (NSRA) process. Through this process,
industry and government have undertaken a qualitative risk analysis of
Communications Sector infrastructure and have narrowed the scope of
risk assessments to nationally critical network elements. This process
will result in a draft government assessment by December 2007, with a
final report to be completed by March 2008. Based on the outcomes of
this government assessment process, government may conduct more
quantitative assessments of selected architecture elements in
conjunction with industry.
The third and final element of the CSSP risk assessment process is
the analysis that government will undertake with industry on cross-
sector dependencies. Work will commence in 2008, the process will
identify high-level critical sector communications dependencies and
will leverage NCS risk assessment methodologies to identify
communications dependencies specific to a facility or function. The
goal will be to assist other sectors in the assessment of
communications dependencies for high-risk assets.
The Communications and IT Sector Coordinating Councils have worked
to ensure that respective risk assessment efforts, although distinct,
are complementary where the sectors overlap. This cross-sector
participation increases information sharing, including lessons learned.
In each sector, cyber threats associated with the sector's functional
or network elements will be identified and vulnerabilities and
consequences associated with such threats will be assessed to determine
risk.
Whatever success the CSCC has achieved in the development of the
CSSP has resulted from industry's singular focus on developing a
critical asset protection plan that is designed by industry for
implementation by industry. In order to accomplish this, the NCS
stepped forward to advocate industry positions within the Department of
Homeland Security and with DHS project contractors. A strong element of
social capital exists among industry representatives and Federal agency
personnel within the Communications Sector. This trusted relationship
helped to produce a practical, meaningful asset protection framework
that can now be used by industry and government partners to better meet
the country's security requirements. The CSSP is realistic and well-
grounded.
Critical Asset Protection Over the Long Term: What cannot be
underestimated by policymakers is the enormous amount of private sector
resources that are being devoted to finding solutions--with government
partners--to achieve greater effectiveness in our country's security
and response programs. The Communications Sector continues to commit
significant financial resources and subject matter expertise to
strengthen critical business practices. It will continue to dedicate
time and expertise to its work with the NCS and other Federal, state
and local government partners to address emerging operational and
policy issues.
To ensure even greater effectiveness in protecting the Nation's
critical communications infrastructure--both physical and cyber--
industry and government partners must be clear about their respective
roles in getting the job done. Industry is the first line of defense in
protecting assets and mitigating risks, and aggressive business
continuity and security practice will remain critically important as
the Nation's risk environment continues to evolve. Although the
Communications Sector's long history of coordination will change as
industry restructuring continues, close planning and coordination
within the sector will continue to be a mainstay of efforts to fortify
physical and cyber security programs.
Government must continue to ensure clarity of roles and
responsibilities among all levels of government and the private sector.
It should continue to advocate for strong sector and cross sector
collaboration on operational and policy issues and in providing the
necessary intelligence and operational support to ensure effective
industry preparedness and response, in particular by refining and
improving roles and responsibilities in the National Response
Framework.
Although industry and government have made progress on long
standing issues pertaining to protection of critical assets and key
resources, much work lies ahead. There must be an even greater Federal
government focus on effective engagement and integration of state and
local authorities in all aspects of critical infrastructure protection
and emergency response, including the rollout and coordination of
initiatives ``on the ground''. For instance, practical steps on access
and credentialing and emergency wireless protocols for shutdown and
restoration of service must be taken to facilitate industry response to
natural or man-made disasters. Myriad jurisdictional laws and
requirements may be complex, but real world execution is overdue.
Government must also continue to integrate industry more fully on
operational planning, coordination and joint policy initiatives.
Effective partnerships require early involvement of industry and direct
engagement in government programs, including protection and response
plans, which impact the private sector's critical industry assets.
Although government has recognized the importance of sharing timely
threat intelligence with industry, more needs to be done in this area
to advance NS/EP interests. Finally, recent Congressionally mandated
changes in organization and functions within DHS need to be fully
implemented and understood by all stakeholders in the critical
infrastructure protection and emergency response domain. In sum,
Industry and the Federal government have much to do on the full array
of critical infrastructure protection initiatives, while advancing
transition plans for the upcoming change in Administration.
Mr. Chairman, this concludes my testimony. I would be happy to
answer any questions you or the subcommittee might have about Verizon
or the Communications Sector.
Mr. Langevin. I now recognize Mr. Hender to summarize your
statement for 5 minutes.
STATEMENT OF GEORGE HENDER, BANKING/FINANCIAL SECTOR
COORDINATING COUNCIL, AND MANAGEMENT VICE CHAIRMAN, OPTIONS
CLEARING CORPORATION
Mr. Hender. Chairman Langevin, Chairwoman Jackson Lee,
Ranking Members McCaul and Lungren, and members of both
subcommittees, my name is George Hender, and I am Chairman of
the Financial Services Sector Coordinating Council, also known
as FSSCC. I am pleased to appear today on FSSCC's behalf to
discuss the important topic of cybersecurity.
FSSCC was established by the Department of Treasury. FSSCC
is a private sector coalition of the Nation's leading banks,
financial firms, insurance companies, and their trade
associations. FSSCC worked collaboratively with Treasury, our
sector specific agency, and with FSSCC, our government
coordinating council, to craft our sector-specific plan.
Our plan identifies three specific goals: first, to
maintain a sector strong position of resilience, risk
management, and redundant systems;
Second, to manage the risk posed by cross-sector
interdependencies; and
Third, to work with law enforcement, the private sector,
and our international counterparts to track and arrest
criminals.
The remainder of my testimony will focus on FSSCC's efforts
to meet these goals in the area of cybersecurity.
Modern financial services are built on a foundation of
informational technology. Financial firms' systems are a target
for cyber attack because that is where the money is. As the
nature and the complexity of attacks grow more sophisticated,
FSSCC continues to implement a number of cyber-related
initiatives. I would like to highlight some of those
initiatives.
A year prior to the National Infrastructure Protection
Plan's release in 2006, FSSCC formed the first sector R&D
committee. In April 2006, this committee published The Research
Challenges, a report identifying eight specific R&D priorities.
An overarching theme throughout this report is protecting the
sector from cyber attacks.
In October 2006, the R&D committee published our research
agenda to demonstrate how research challenges relate to the
NIPP. Together with these two publications, the necessary steps
to produce a robust cyber secure platform was formed.
Another vital asset of FSSCC is the Financial Services
Information Sharing Analysis Center, or FS-ISAC. Our ISAC has
been an effective information-sharing tool in the fight against
cyber attacks. Every day our ISAC forwards cyber and physical
security risk updates from over 100 sources to over 11,000
sector participants. Our ISAC also shares this information with
Treasury and law enforcement to help stop and prevent attacks.
FSSCC and our ISAC have also been active participants in
several business continuity exercises, including the
congressionally mandated Top Off exercises. Additionally, ISAC
represented FSSCC in Cyber Storm and Cyber Tempest, two
exercises focused on cyber-related issues. Our ISAC is also
helping us to plan for Cyber Storm II, which is scheduled for
March 2008.
FSSCC believes exercise participation is critical, and we
encourage the planners of these exercises to include the
private sectors during the planning phases of these exercises.
FSSCC has been an active participant in the Partnership for
Critical Infrastructure Security, PCIS. I am a member of the
executive committee and board of PCIS. PCIS has a working group
focusing on cross-sector collaboration on cybersecurity issues.
Many cybersecurity issues are ongoing and there are still
several issues to address. Two issues relate to the GAO's SSP
report and the DHS's R&D budget. According to GAO, the banking
and finance sector SSP was ranked somewhat comprehensive in
addressing cybersecurity. Because the GAO did not consult with
the Treasury or FSSCC when preparing this report, I
respectfully disagree with their conclusions.
Our SSP included the research challenge document which
fully addresses the GAO criteria for cybersecurity R&D. For
example, our R&D committee is identified as the primary
mechanism to solicit information on R&D initiatives; and the
research challenges report details the sector's goals and gaps
related to cybersecurity. Examples of the SSP in my written
testimony contradict GAO's finding that we failed to identify
the programs to detect, deter, respond, and recover from cyber
attacks.
The GAO report also stated our SSP failed to describe the
process for R&D investment priorities, but the R&D committee
clearly identified a number of priorities where investment
dollars could be directed. Without further guidance, it is
unclear how the GAO reached these conclusions. We will welcome
a dialogue with GAO on these important issues.
Finally, FSSCC believes DHS should consult with the private
sector when funding private research. FSSCC thinks it makes
good economic sense to fund R&D industry experts and to use
those experts to achieve this goal. Greater communication and
consulting is necessary between DHS, Treasury, and FSSCC.
Another option would be to provide direct grant authority
to the Treasury. Currently, FSSCC can only influence R&D
projects through comment letters.
In short, FSSCC believes that the DHS cybersecurity R&D
budget should be more closely aligned with the level of threat.
An appropriation of only $11 million is clearly insufficient.
Our Nation would be better served by providing additional
budget discretion and dollars to projects identified by the
industry under attack.
Thank you for the opportunity to provide FSSCC's views for
this important hearing. I would be pleased to answer any
questions.
[The statement of Mr. Hender follows:]
Prepared Statement of George S. Hender
Chairman Langevin, Chairwoman Jackson Lee, Ranking Members McCaul
and Lungren, and members of the Subcommittee on Emerging Threats,
Cybersecurity, and Science and Technology and the Subcommittee on
Transportation Security and Infrastructure Protection of the House
Homeland Security Committee, I am George Hender, Management Vice
Chairman of The Options Clearing Corporation (OCC), which is the
world's largest derivatives clearing organization.\1\ OCC is a leader
in business continuity planning in the financial services sector and
was a founding member of the Financial Services Sector Coordinating
Council (FSSCC) and ChicagoFIRST, a regional public/private partnership
addressing homeland security and emergency management issues in the
financial services industry. I am pleased to submit this statement on
the very important topic of cybersecurity on behalf of FSSCC.\2\
---------------------------------------------------------------------------
\1\ OCC, founded in 1973, was the first clearinghouse to receive a
'AAA'credit rating from Standard & Poor's Corporation. Operating under
the jurisdiction of the Securities and Exchange Commission and the
Commodity Futures Trading Commission, OCC provides clearing and
settlement services for the American Stock Exchange, the Boston Options
Exchange, the Chicago Board Options Exchange, the CBOE Futures
Exchange, the International Securities Exchange, NYSE Arca, OneChicago,
the Philadelphia Stock Exchange and the Philadelphia Board of Trade.
\2\ The members of FSSCC are the America's Community Bankers (ACB);
American Bankers Association (ABA); American Council of Life Insurers
(ACLI); American Insurance Association (AIA); American Society for
Industrial Security (ASIS) International; BAI; BITS/The Financial
Services Roundtable; ChicagoFIRST; Chicago Mercantile Exchange (CME);
The Clearing House (TCH); CLS Group; Consumer Bankers Association
(CBA); Credit Union National Association (CUNA); The Depository Trust &
Clearing Corporation (DTCC); Fannie Mae; Financial Industry Regulatory
Authority (FINRA); Financial Information Forum (FIF); Financial
Services Information Sharing and Analysis Center (FS-ISAC); Financial
Services Technology Consortium (FSTC); Freddie Mac; Futures Industry
Association (FIA); ICE Futures U.S.; Independent Community Bankers of
America (ICBA); Investment Company Institute (ICI); Managed Funds
Association (MFA); The NASDAQ Stock Market, Inc.; National Association
of Federal Credit Unions (NAFCU); National Futures Association (NFA);
NACHA--The Electronic Payments Association; The Options Clearing
Corporation; Securities Industry Automation Corporation (SIAC);
Securities Industry and Financial Markets Association (SIFMA); State
Street Global Advisors; VISA USA Inc.
---------------------------------------------------------------------------
On June 6, 2006, I was appointed to serve as Sector Coordinator for
the Financial Services Sector by former Secretary of the Treasury John
Snow. Thus, I am the Chairman of FSSCC. Prior to my appointment, I
served as FSSCC's Vice Chairman from September 2004 through May 2006.
Additionally, I am on the Executive Committee and Board of the
Partnership for Critical Infrastructure Security (PCIS), which is the
private sector organization that coordinates homeland security issues
for all national critical infrastructures. I have also formerly served
as Vice Chairman of the Financial Services Information Sharing and
Analysis Center (FS-ISAC). This is the organization responsible for
communicating key cyberspace, physical security, and Homeland Security
information to the financial services sector.
I applaud the Committee for holding today's hearing on such an
important topic. Before I focus on measures taken by FSSCC related to
cybersecurity, I would first like to discuss the important role the
financial services sector has in our economy and the role FSSCC plays
in improving the sector's resilience through safeguarding its critical
infrastructure and employees.
Introduction and Background
The United States financial services sector is the backbone of the
world economy. With United States assets estimated to be in excess of
$55 trillion,\3\ this large and diverse sector accounted for over $1
trillion in 2006 gross domestic product (GDP) or 7.8 percent of total
GDP.\4\ The sector is primarily owned and operated by the private
sector whose institutions are extensively regulated by Federal and, in
many cases, state government. In addition to these public sector
entities, self-regulatory organizations (SROs), such as the 1Municipal
Securities Rulemaking Board (MSRB), the Financial Industry Regulatory
Authority (FINRA), and the National Futures Association (NFA), and
exchanges, such as the Chicago Mercantile Exchange (CME), the New York
Stock Exchange (NYSE), also play an important role in industry
oversight.
---------------------------------------------------------------------------
\3\ http://www.financialservicesfacts.org/financial2/today/assets
\4\ http://www.bea.gov/bea/dn2/gdpbyind_data.htm
---------------------------------------------------------------------------
Working together, the public and private sector regulators
encourage a highly competitive market where identifying and managing a
myriad of financial and nonfinancial risks is essential to success.
Through numerous laws enacted by Congress over the past 150 years,
federal financial regulators have implemented a complex regime that
includes examinations of the sector's institutions' operational,
financial and technological systems. These examinations are designed to
determine the extent to which an institution is addressing its
financial and non-financial risks, such as Internet and information
technology vulnerabilities. They also evaluate the adequacy of controls
and applicable risk management practices at the institution.
Public-Private Partnership
Both the public and private sector financial services organizations
recognize the importance of business continuity planning in preparing
for catastrophic events; however, our sector's organizations know they
will not operate as independent entities during a real crisis.
Therefore, planning for these events should be done in a coordinated
fashion.
FSSCC was established at the request of the U.S. Treasury
Department in response to Homeland Security Presidential Directive 7,
which required sector-specific Federal departments and agencies to
identify, prioritize and protect United States critical infrastructure
and key resources. We are a private sector coalition of the nation's
leading financial services firms and trade associations that are
working to reinforce the financial services sector's resilience to
terrorist attacks, man-made and natural disasters, and other threats,
such as cyber attacks, facing the sector's critical infrastructure.
FSSCC closely interacts with its Sector Specific Agency (SSA), the
Department of the Treasury (Treasury), and the Financial and Banking
Information Infrastructure Committee (FBIIC), its public-sector
counterpart.\5\ We also strongly support regional public/private
partnerships, such as ChicagoFIRST and DFWfirst. These organizations
address homeland security and emergency management issues on a local
level, where many catastrophic events are primarily managed.
---------------------------------------------------------------------------
\5\ The members of FBIIC are the Commodity Futures Trading
Commission (CFTC); the Conference of State Bank Supervisors (CSBS); the
Department of the Treasury; the Farm Credit Administration (FCA); the
Federal Deposit Insurance Corporation (FDIC); the Federal Housing
Finance Board (FHFB); the Federal Reserve Bank of New York; the Federal
Reserve Board (Fed); the National Association of Insurance
Commissioners (NAIC); the National Association of State Credit Union
Supervisors (NASCUS); the National Credit Union Administration (NCUA);
the North American Securities Administrators Association (NASAA); the
Office of the Comptroller of the Currency (OCC); the Office of Federal
Housing Enterprise Oversight (OFHEO); the Office of Thrift Supervision
(OTS); the Securities and Exchange Commission (SEC); and the Securities
Investor Protection Corporation (SIPC).
---------------------------------------------------------------------------
The combined efforts and close interaction of these groups with
FSSCC fosters a spirit of cooperation within our sector that
facilitates effective preparation for a critical event, such as a cyber
attack. Equally important, this collaboration creates a streamlined
approach to working with other sectors where cross-industry
interdependencies exist. The financial services sector is very
dependant on a number of other sectors, especially the energy,
telecommunications and transportation sectors.
At the beginning of my term as FSSCC Chairman, I personally met
with representatives from nearly every FSSCC member to solicit their
ideas on how to further strengthen the resilience of the financial
services sector and reduce vulnerability to cyber threats, terrorist
attacks, criminal or illegal activities, and man-made or natural
disasters. These conversations, as well as the large number of formal
and informal meetings taking place each year within FSSCC and between
FSSCC and FBIIC, help show how our partnership model addresses threats
and risks posed by the Sector's dependency upon other sectors.
FSSCC's general meetings provide an example of this model. Here
members meet and hear from critical sectors on which our sector heavily
relies. They also provide a venue in which to coordinate and prioritize
sector initiatives. Another example is the FSSCC working group which is
working with the Department of Homeland Security (DHS) to develop an
emergency credential for FSSCC members' use in extraordinary
emergencies. Development of such a credential is a priority reflected
in our overall research plan. Just this last summer, the FSSCC
credentialing working group participated in the cross-sector exercise
known as ``Summer Breeze.'' This exercise validated the use of First
Responder Authentication Credential (FRAC) identification cards.
Arguably, the most important example of collaboration within the
sector is the ongoing effort to plan for pandemic influenza. On October
12, 2007, FSSCC and FBIIC completed the most comprehensive exercise
ever held for the U.S. financial services sector. This important
exercise focused on the response of the sector's members to pandemic
influenza; over 2,700 financial firms participated. FSSCC understands
that effective business continuity planning must envision and prepare
for a diverse range of issues and threats. This is encompassed in our
mission statement and goals.
FSSCC's Mission and Goals
FSSCC's mission is to foster and facilitate the coordination of
sector-wide voluntary activities and initiatives designed to bolster
critical infrastructure protection and homeland security. FSSCC strives
to improve sector awareness of critical infrastructure protection
issues, to promote information sharing on these issues, and to find
opportunities for improved coordination throughout the sector. Through
its efforts, FSSCC seeks to enhance public trust and confidence in the
sector's ability to withstand and recover from significant disasters.
Treasury, in close collaboration with FSSCC and FBIIC, completed
the Banking and Finance Sector's Sector Specific Plan (SSP) \6\ in
December 2006. This plan, combined with the 16 other critical
infrastructure SSPs, helps form the overall National Infrastructure
Protection Plan (NIPP). Our sector's SSP outlines a strategy for
working collaboratively with public and private sector partners to
identify, prioritize and coordinate the protection of critical
infrastructure. FSSCC believes DHS appropriately guides each critical
infrastructure sector in coordinating their SSPs. However, each sector
specific agency should retain control over SSP implementation. Also,
DHS and each sector should view the SSPs as a starting point for
developing a comprehensive, nationally-oriented, critical
infrastructure regime.
---------------------------------------------------------------------------
\6\ https://www.fsscc.org/reports/2006/Bank_Finance_SSP_061213.pdf
---------------------------------------------------------------------------
The Banking and Finance Sector's SSP, including its Research and
Development (R&D) appendices, outlines three sector-specific goals.
First, the sector seeks to maintain its strong position of resilience,
risk management and redundant systems, in the face of a myriad of
intentional, unintentional, man-made and natural threats. Second, the
sector aims to address and manage the risks posed by the sector's
dependency on telecommunications, information technology, energy and
transportation sectors. Lastly, the sector plans to continue to work
with the law enforcement community, the private sector, and our
international counterparts to increase available resources used to
track and arrest criminals. Specifically, to track and arrest those
persons responsible for crimes against the sector, including cyber
attacks and other electronic crimes.
The remainder of my testimony will focus on FSSCC's efforts in
addressing these goals in light of protecting against cyber attacks and
other electronic crimes.
Specific Actions for Cybersecurity
Modern financial services are built on a foundation of information
technology, including computing hardware, software and
telecommunications. This foundation is afflicted by multiple
vulnerabilities and an increasingly high level of threats. Our sector's
cybersecurity strategy seeks to address these threats by generally
focusing on people, process and technology. Ensuring our sector has the
brightest minds, most efficient processes and state-of-the-art
technology to protect against cyber threats is our highest priority
because our sector understands our entities' systems and networks are a
target because ``that's where the money is.'' \7\ In addition, as
September 11, 2001, showed us, our sector is a focus of terrorists
because of our iconic status.\8\
---------------------------------------------------------------------------
\7\ The members of FBIIC expend considerable effort to ensure the
information security platforms serving as our industry's cornerstone
are not compromised. In the case of financial institutions, federal
examiners are often permanently located within the entity being
reviewed. The Federal Financial Institutions Examination Council
(FFIEC) is the primary federal interagency body empowered to develop
uniform principles and standards for the examination of financial
institutions. The FFIEC operates an Information Technology Council
devoted to addressing cybersecurity issues, and its recommendations are
incorporated into the FFIEC Handbook. Examiners use the Handbook to
determine the extent to which the institution has identified its
financial and non-financial risks, such as Internet and information
technology vulnerabilities. Also, it is used to evaluate the adequacy
of controls and applicable risk management practices at the
institution. Additionally, the federal financial regulatory authorities
issue numerous guidance documents and Financial Institution Letters
(FILs) specifically related to cybersecurity. Similarly, the Securities
and Exchange Commission and the securities SROs review the
cybersecurity programs of exchanges, broker-dealers and clearing
organizations as part of their ongoing supervisory exams and related
activities.
\8\ For many years, the culture of our sector has emphasized strong
internal controls, physical and cybersecurity, and a comprehensive
approach to business continuity planning that recognizes the importance
of recovering and resuming business operations as swiftly as possible.
Business continuity planning in our sector follows an ``all hazards''
approach that focuses on the impact of a disruption, rather than its
cause, to ensure that high impact but low probability events are
incorporated into the planning process. After September 11, the Fed,
Office of the Comptroller of the Currency, and SEC issued the
Interagency Paper on Sound Practices to Strengthen the Resilience of
the U.S. Financial System (Sound Practices Paper), Securities Exchange
Act Release No. 47638 (April 7, 2003). This paper identified stringent
resumption or recovery objectives for core clearing and settlement
organizations providing services for critical financial markets or
acting as large payment system operators, and for firms that play
significant roles in one or more critical financial markets. The Sound
Practices Paper sets out an objective of recovering or resuming
clearing and settlement activities within the business day on which a
disruption occurs and maintaining geographically dispersed resources
sufficient to meet those recovery or resumption activities. Last year,
the agencies that issued the Sound Practices Paper reported to Congress
that ``the core clearing and settlement organizations, which present
the greatest potential risk to the operation of the financial system,
have made significant investments in their operating infrastructures,
and all have achieved substantial implementation of the sound
practices.'' Joint Report on Efforts of the Private Sector to Implement
the Interagency Paper on Sound Practices to Strengthen the resilience
of the US. Financial System (April 2006).
GAO has also examined the preparedness of these organizations in
the light of the Sound Practices paper, and has found continuing
progress in protecting our nation's financial system from a variety of
threats, including cyber attacks. See Financial Market Preparedness:
Significant Progress Has Been Made, But Pandemic Planning and Other
Challenges Remain GAO-07-399 (March 2007); Financial Market
Organizations Have Taken Steps to Protect Against Electronic Attacks,
But Could Take Additional Actions GAO-05-679R (June 2005): Financial
Market Preparedness: Improvements Made, But More Action Needed to
Prepare for Wide-Scale Disasters GAO-04-984 (September 2004).
---------------------------------------------------------------------------
Our sector faces a number of cyber-related threats such as,
hacking, virus dissemination, software piracy, identity theft, account
fraud, phishing,\9\ spoofing,\10\ and pump and dump \11\ schemes.
FSSCC's members have responded to these challenges aggressively. For
example, FSSCC member organizations have prepared a document to help
financial institutions develop and execute response programs when
confidential and sensitive information is accessed or misused by
unauthorized individuals. The Identity Theft Assistance Center,
developed by a FSSCC member, provides a free victim assistance service
and provides data about identity theft to law enforcement.
---------------------------------------------------------------------------
\9\ ``Phishing'' is a fraudulent scheme where an e-mail directs its
recipients to Web sites where they are asked to provide confidential
personal or financial information. Reports of phishing attacks have
risen dramatically in the last year.
\10\ ``Spoofing'' is an attempt to gain unauthorized system access
by mimicking, impersonating or posing as an authorized user.
\11\ ``Pump and Dump'' is a fraudulent scheme involving
artificially inflating the price of a stock or other security through
false or exaggerated promotion. Then the stock or security is sold at
inflated prices.
---------------------------------------------------------------------------
The financial services sector has always placed itself on the
cutting edge of cybersecurity initiatives. Our institutions were among
the first to have Chief Information Security Officers as part of their
management teams. Also, the sector was among the first to use various
authentication tools to protect against internet fraud. Similarly, many
financial institutions embrace the concept of layered security by using
multiple intrusion detection and prevention products. Firms regularly
work with technology companies to improve these products. Without such
security measures in place, customers would hesitate to use on-line
products which are a central component of a financial firm's business
model. In addition to the threat to individual customers, our sector is
also focused on cyber-related threats to our financial structure. The
nature and complexity of attacks are growing more sophisticated. As a
result, our sector works in close collaboration with the nation's
intelligence community to address this concern.
FSSCC R&D Committee
Prior to the NIPP's issuance in June 2006, FSSCC recognized
cybersecurity as a critical issue and formed a standing R&D Committee.
This committee was established to identify and prioritize areas of
need, in which the most promising opportunities exist for research and
development initiatives. These initiatives significantly improve the
sector's critical infrastructure protection. The R&D Committee began
developing a list of priorities in 2005. In April 2006, the committee
published Research Challenges,\12\ a document which identifies eight
R&D areas the sector needs to address.\13\
---------------------------------------------------------------------------
\12\https://www.fsscc.org/reports/2006/
Research_Challenges_Booklet061117.pdf
\13\ The eight R&D projects are: (1) Secure Financial Transaction
Protocol (SFTP); (2) Resilient Financial Transaction System (RFTS); (3)
Enrollment and Identity Credential Management; (4) Suggested Practices
and Standards; (5) Understanding and Avoiding the Insider Threat; (6)
Financial Information Tracing and Policy Enforcement; (7) Testing; and
(8) Standards for Measuring ROI of CIP and Security Technology.
---------------------------------------------------------------------------
An over-arching theme throughout our Research Challenges is
securing the sector's information technology infrastructure to prevent
intrusion from unauthorized sources. In October 2006, the FSSCC R&D
committee, with Treasury advising, demonstrated for DHS how FSSCC's
Research Challenges related to the NIPP by publishing FSSCC's Research
Agenda. Together these two publications provide industry, academia, and
the public with a shared insight into the opportunities and
requirements necessary to produce a robust cybersecurity platform.
FS-ISAC
The FS-ISAC is another vital asset to FSSCC and the sector. It was
created on October 1, 1999, as a means of meeting the sector's
information-sharing obligation under the 1998 Presidential Decision
Directive 63 on Critical Infrastructure Protection.\14\
---------------------------------------------------------------------------
\14\ http://www.cybercrime.gov/white_pr.htm
---------------------------------------------------------------------------
The FS-ISAC channels information from more than 100 sources to
reach over 11,000 sector participants daily and promotes information
sharing between the public and private sectors. The FS-ISAC provides
sector-wide knowledge about cyber and physical security risks faced by
the financial services sector. Specifically, FS-ISAC's incident alerts
notify members about the type of attack, its origin, and suggested
remedial action. FS-ISAC information allows members to immediately
receive threat and vulnerability information; share vulnerabilities
anonymously and communicate within a secure portal; access new data
feeds of threat and vulnerability information; and access a wide range
of user data from which users can produce their own reports and
metrics. The FS-ISAC also uses this information to work with Treasury
and law enforcement in helping to stop and prevent attacks.
Two important government information sources for the FS-ISAC's 24/7
Security Operations Center are DHS's Homeland Security Information
Network (HSIN) and the U.S.-Computer Emergency Readiness Team (US-
CERT). Relevant information from these data sources is monitored by the
FS-ISAC and shared with trusted sector representatives through FS-
ISAC's notification system and web portal. Then reports from FS-ISAC
approved members are uploaded through the system. Both sources provide
a valuable service to the FS-ISAC. FSSCC and the FS-ISAC continue to
work with DHS to coordinate these reports into the sector's information
sharing structure.
The FS-ISAC has been an effective tool in the fight against cyber
attacks. For example, in November 2006, an FS-ISAC member detected an
unusually large number of unauthorized log-in attempts against its
systems and anonymously reported this information to the FS-ISAC. Soon
after, the FS-ISAC issued an alert to its members. Later, five more
financial institutions reported similar activity. This information
sharing proved the financial institutions were under attack from a
single source. While the attack was relatively insignificant in terms
of its potential sector-wide impact, it demonstrates how the FS-ISAC's
collaborative model can be an effective means to quickly deliver real-
time information so financial institutions may be alerted to act
against real threats.
The FS-ISAC was effective once again this past August when it
alerted several member banks of suspicious web-site activity. The FS-
ISAC then helped to avoid compromise of several major money center and
regional banking institutions user accounts.\15\
---------------------------------------------------------------------------
\15\ FS-ISAC discovered use of Torpig Trojans, which use malicious
code designed to place themselves into on-line banking applications for
the purpose of stealing user login IDs and passwords. These Trojans
evade detection by disabling security warning messages. Then they log
open window sessions to capture user log-on information which is sent
back to the attacker. After discovering use of the malicious code on
several members' web sites, FS-ISAC was able to issue an incident alert
that led to the discovery and eradication of this Trojan on web sites
both in the U.S. and overseas.
Cyber Syllabus
In May 2006, the U.S. Department of Defense sought a private sector
partner to help develop an undergraduate studies curriculum designed to
provide exposure to information technology cybersecurity issues. FSSCC,
through its R&D Committee, took the initiative to partner with the
National Terrorism Preparedness Institute at St. Petersburg College in
Florida to complete the project. I am pleased to report the syllabus
was completed in May 2007, resulting in an on-line training program
that can be made available to all universities. Additionally, FSSCC is
working to identify an educational institution capable of making this
program available to our members at no cost. It is our hope this type
of public-private collaboration will help to inspire a new generation
of ideas and resources devoted to protecting our nation's cyber space.
Handbook of Science and Technology for Homeland Security
Another joint DHS/FSSCC initiative currently underway is the
drafting of a handbook designed to educate researchers on the critical
needs of the homeland security and intelligence communities. It will
also promote interdisciplinary dialogue in those fields. I am pleased
to report FSSCC is on target to provide this information to DHS by
year's end. Also, this handbook should be distributed worldwide in
online and print formats next year.
Cybersecurity Exercises
FSSCC and FS-ISAC have been active participants in several business
continuity exercises, including the congressionally mandated TOPOFF
exercises and a number of regional and national cybersecurity
exercises. In February 2006, FS-ISAC represented our sector in Cyber
Storm, the first government-led, full scale cybersecurity exercise of
its kind. Ten months later, in December 2006, FS-ISAC participated in
Cyber Tempest, an exercise devoted to testing a wide area of cyber
issues from a regional perspective. Both of these exercises provided
positive benefits to our sector's business continuity planning, such as
developing better integration between FSSCC and the FS-ISAC. FSISAC is
now involved in planning Cyber Storm II scheduled for March 2008. These
opportunities are a vital resource to leverage. We believe exercise
leaders would benefit by increasing our level of involvement in future
exercises.
PCIS Working Group
FSSCC has been an active participant in PCIS, which was formally
recognized in the NIPP as the Private Sector Cross-Sector Council. PCIS
is dedicated to coordinating cross-sector initiatives aimed at
promoting public and private efforts to improve the security and safety
of our nation's critical infrastructure. PCIS has established a working
group focused on cross-sector collaboration of cybersecurity issues.
Each Sector Coordinating Council must appoint a sector representative
to participate on the working group. The FSSCC has selected FS-ISAC
Chairman, Eric Guerrino, for this task. The PCIS working group is
another example of how the financial services sector is following a
collaborative model to develop a strong cybersecurity network.
Future Challenges
FSSCC has achieved a great deal over the past few years. However,
there are still many issues which must be addressed regarding
cybersecurity. Some of these issues have been highlighted in a recent
Government Accountability Office (GAO) report entitled Critical
Infrastructure Protection: Sector-Specific Plans' Coverage of Key
Cybersecurity Elements Varies. Another less apparent, but equally
important, issue includes increasing the level of consultation between
DHS and its SSCs and SSAs over research and development initiatives. I
will take a few moments to highlight each issue.
GAO Report
The GAO recently conducted a review of each SSP to determine if key
aspects of cybersecurity related to the NIPP had been adequately
covered. The GAO's preliminary results have found none of the plans
fully addressed all 30 cybersecurity related criteria. Consequently,
the GAO recommends that DHS require all SSPs be amended to address all
cyber-related criteria by September 2008. Based on the cyber-related
criteria established by GAO for its report, the GAO concluded the
Banking and Finance Sector's SSP ``somewhat comprehensively'' covers
cybersecurity. We respectfully disagree with the GAO's analysis.
Because the GAO did not consult the SSAs or Sector Specific Councils
when conducting its review, I would like to take this opportunity to
explain our view on several areas the report concluded our SSP did not
address.
Under section seven of the report, GAO stated our sector's SSP
failed to (1) describe a process to solicit information on ongoing
cyber R&D initiatives and (2) identifies existing cyber-related
projects that support goals and identifies gaps. The sector's SSP
highlights the R&D committee as the primary mechanism to solicit
information on R&D initiatives, and the R&D Committee's Research
Challenges outlines in detail the sector's goals and gaps related to
cybersecurity. Further, our sector's priority on R&D is evidenced by
the establishment of the FSSCC R&D Committee in 2005 and publication of
its Research Challenges in April 2006, well before the NIPP was issued
last year. FSSCC believes the SSP and the Research Challenges document,
which was incorporated into the SSP in an appendix, adequately
addresses the GAO's criteria. We welcome a dialogue with the GAO on
this issue.
Additionally, GAO's review stated, under section five, that our
sector failed to identify programs to deter, respond, and recover from
cyber attack. The Banking and Finance Sector SSP used a deter, respond
and recover approach throughout all sections. Our testimony today
highlights a number of initiatives mentioned in our SSP aimed at this
very issue--the R&D Committee, FS-ISAC, Cyber Syllabus, Cyber Threat
Exercises, and PCIS. Consequently, without further guidance from GAO it
is unclear how they reached a conclusion that our sector completely
failed to address this issue.
The GAO report, under section eight, also stated our SSP failed to
describe a process for investment priorities. Although FSSCC does not
have any budget authority, we believe our R&D Committee's Research
Challenges and Research Agenda highlight a number of priorities where
investment dollars are most needed for our sector.
FSSCC, FBIIC and Treasury worked in close collaboration to develop
our SSP, which we believe memorializes past and current initiatives
into a living document serving as a guide for future action. In other
words, we agree with DHS's assessment that the SSPs ``represent only
the early efforts by the sectors to develop their respective plans.''
Consequently, we welcome all comments and dialogue from interested
parties on how to improve our nation's critical infrastructure
protection regime and believe that our sector is a model for less
regulated sectors with less mature cybersecurity plans.
SSC/SSA R&D Budget
FSSCC believes DHS should consult with the SSCs, and, at the very
least, their SSAs, on business continuity research projects to ensure
optimal resource allocation is taking place. FSSCC would like to
encourage the Subcommittees and Congress as a whole to work with DHS to
ensure the same collaborative model used in our sector to generate
business continuity information and reports extends to actual resource
allocation for critical infrastructure programs. Failure to consult
with experts from the organizations representing each sector severely
limits the ability to maximize returns from investment dollars in an
efficient manner.
Over the past few years, FSSCC and its members have devoted
significant resources to generating information, developing plans, and
identifying issues related to cybersecurity and opportunities for
research for the public sector. While much information has been
collected, FSSCC fears this information risks being lost in a ``black
hole.'' To avoid this result, FSSCC seeks to work with its public and
private partners to develop a formal program that would channel
resources to areas and programs that would provide the most positive
impact for our nation's critical infrastructure. FSSCC thinks that it
makes good economic sense to channel available sector and public
research resources to programs supporting the Research Challenges and
Research Agenda developed by industry experts on FSSCC's R&D Committee.
To achieve this goal, greater communication and consultation about
opportunities for R&D spending is necessary between DHS, Treasury and
FSSCC. Another option would be to provide grant authority to SSAs such
as the Treasury Department.
Currently, FSSCC is limited to influencing R&D project funding
through support letters. Recently, FSSCC R&D Committee members visited
Carnegie Mellon University (CMU) with a Treasury official to introduce
CMU officials to the FSSCC R&D Agenda. While at CMU, the FSSCC R&D
Committee reviewed CMU research projects that CMU judged to be of
interest to the financial community. Committee members found that CMU
projects focused on Operational Resiliency, Keystroke Pattern Analysis,
Device-Enabled Authentication, and Insider Threat Analysis specifically
addressed major FSSCC research challenges, as well as the corresponding
NIPP research agenda themes. FSSCC could not fund these research
projects but wrote letters of support to encourage funding from other
sources.
FSSCC believes the DHS cybersecurity R&D budget should be more
closely aligned with the threat posed. Twelve million dollars
appropriated for this purpose is insufficient to cover the R&D demands
within DHS and throughout the critical infrastructure sectors. Our
nation would be better served by providing additional budget discretion
and dollars to those most closely aligned with the work to be
performed.
Conclusion
The financial services sector has a long history of thoughtfully
and carefully preparing for threats to its critical infrastructure and
employees. The members of FSSCC are proud of our progress since our
inception in staying abreast of new and unexpected threats to the
critical infrastructure of the financial services sector.
The financial services sector is working diligently to refine best
practices, business continuity plans, and homeland security efforts to
better protect employees and financial assets from cyber attacks. We
are grateful for the collaboration and coordination with our public
sector partners, the Department of the Treasury and the other members
of FBIIC, as we develop these plans. We will continue to work
diligently, and I am confident that the financial sector's preparation
for cyber attacks will meet the high standards of planning for which
our industry is well respected.
Thank you again for the opportunity to provide FSSCC's views for
this important hearing. I would be pleased to answer any questions.
Mr. Langevin. I want to thank the witnesses for their
testimony. And I remind each member that he or she will have 5
minutes to question the panel.
I now recognize myself for 5 minutes for the purpose of
questions.
Mr. Hender, thank you for your testimony. You discussed the
R&D piece of your sector plan and your information sharing and
analysis center. What I didn't hear, though, is how your sector
protects its assets and what efforts are under way in that
respect.
Would you address that?
Mr. Hender. Certainly.
As I indicated in my testimony, our ISAC on a daily basis,
a daily basis, receives well over 100 sources of independent
information which it analyzes, and then passes on that analysis
every day before the markets open.
Mr. Langevin. That is information sharing. What about--what
steps do you take? What concrete steps are you taking?
Mr. Hender. Well, part of the information that is fed to
the 11,000 participants is, in fact, potential cyber attacks.
They then take that information and use that information to
look at their systems to see whether they have vulnerabilities.
Also, attacks take place and they are able to pass on to
the other participants the attacks that are ongoing and how
those attacks can be mitigated. We also use that information to
pass on to the other government agencies to make sure that
those attacks are taken seriously and the government agencies
can use their best efforts to stop them.
Mr. Langevin. I think, clearly, what would be helpful to
this subcommittee, for better understanding of the situation,
is more concrete steps--instead of action plans, steps that
they actually take as opposed to just being notified and
sharing information.
What steps are then taken to make sure that the attacks are
not successful and then security mechanisms are actually put
into place? I would have felt more comfortable--you spoke about
intrusion detection devices and other beefing up, fire walls
and things of that nature.
Mr. Hender. Clearly, the members of FSSCC spend billions
and billions of dollars building just those things that you
have mentioned to prevent the attacks.
As we all know, these attacks are becoming more
sophisticated every day, and the things that they have in
place, which maybe were adequate a year ago or 6 months ago, we
now know are not. So they are continuously spending money to
make sure that those fire walls and other protection devices
are in place to stop an attack.
When those protection things fail, it is very important to
get that information out so it does not spread.
Mr. Langevin. Secretary Garcia, let me turn to you on
another topic. The White House has announced a few weeks ago a
new initiative called the Cyber Initiative. It has been said
that the Cyber Initiative will be a multi-year, multi-billion-
dollar operation which will help protect government and private
communication networks from cyber attacks. I have also heard
that the DNI will be coordinating this effort with over 2,000
people from DHS, NSA and other Federal agencies.
It is extremely disconcerting, however, that everything
that I have heard about this new initiative has come from
newspaper articles, despite repeated requests for a briefing
from DHS. Why won't the Department brief this committee on the
Cyber Initiative?
Mr. Garcia. Mr. Chairman, thank you very much.
First of all, we take very seriously our commitment to
inform and engage the Congress on matters as important as
cybersecurity. And along those lines, we are glad that we have
had the opportunity to brief members of the committee on more
than one occasion on the classified threats that we are facing
as a Nation, and particularly as a Federal Government.
So the question becomes, then, what do we actually do about
it? And this is--in fact, many of the issues that I have
testified to you about we have a number of programs under way
in DHS under my Office of Cybersecurity and Communications that
are addressing this day after day. And one of the highest
priorities that I stated at the outset of my tenure at the
Department was to protect Federal networks, which are
constantly under attack, cyber attack, on a day-to-day basis.
So that has been well-stated as one of my highest priorities.
In terms of making that a comprehensive, holistic
Government program that involves all members of the Federal
Government on an interagency basis, it is a complex plan in
process. And we would want to be sure that we have an accurate
assessment of the way forward before we brief the Congress on
this. The last thing we want to do is give you an incomplete or
fragmented strategy.
Mr. Langevin. Well, Secretary Garcia, you know, I just
remind you that this is supposed to be a collaborative effort,
and both the administration working with the Congress. And when
you are talking about the Cyber Initiative, something this
massive, involving this many people, with the direct
involvement potentially of the NSA, along with billions of
dollars that are going to be spent, the lack of being
forthcoming and engaging in a full disclosure with the
Congress, particularly with this committee, subcommittee, it is
very upsetting, it is disconcerting, and I am not happy. I am
not satisfied with that answer.
Now, according to an article in the Baltimore Sun, the
Cyber Initiative calls for NSA to work with DHS and other
Federal agencies to monitor critical infrastructure networks to
prevent unauthorized intrusions. One presumes this would mean
the monitoring of both Federal and privately owned critical
infrastructure networks.
If this is true, what impact will this have, this
initiative have, on the cybersecurity elements of the sector-
specific plans? And beyond that, what impact will this have on
the public-private partnership that DHS has been developing?
Mr. Garcia. Sir, certainly I wouldn't want to comment on an
article that is speculative before we really finalize our
plans. But we certainly look forward to briefing the committee
at the appropriate time when we have finalized our plans.
But let me tell you that everything that we have been doing
over the past year and a half or 2 years has been focused on
this public-private partnership, and that needs to continue. My
emphasis, absent the public-private partnership, is in
strengthening our Federal networks. And that really is one of
the highest priorities. And that is what we are focusing on
here for the purposes of this hearing. The NIPP and the sector-
specific plan process is one that we are committed to, year
after year, as we involve the private sector in our efforts.
Mr. Langevin. Mr. Secretary, I certainly look forward to
getting that briefing on the Cyber Initiative at the earliest
possible opportunity.
With that, the Chair now recognizes the ranking member of
the subcommittee, Mr. McCaul, for 5 minutes.
Mr. McCaul. I thank the Chair.
And I would also like to raise the issue--we have had
several hearings on cybersecurity. And, Secretary Garcia, you
have participated in many of those.
And it is my assumption that this plan that DHS is working
on with the administration, you are in the process of
developing that plan at this point in time? Is that correct?
Mr. Garcia. That is correct, sir. It is an interagency
process.
Mr. McCaul. Right. When do you anticipate that the plan
will be fully developed so that you will be in a position to
brief Members of Congress?
Mr. Garcia. Sir, I wouldn't want to commit to a time at
this point. We are still in the planning stages.
Mr. McCaul. Okay. Certainly, if it hasn't been finalized, I
can see why it is an ongoing process at this point. But I would
ask, as well as to echo the Chairman's remarks, that, to the
extent when you are ready to share and coordinate with us on
that, we certainly would like to know what the plan is.
In addition, the commission that was formed as of yesterday
I am sure will be very interested in working with you on that,
as well.
Mr. Garcia. Sir, let me just say I appreciate and commend
you and Chairman Langevin for the appointment of that
commission. I think this really shows proactive thinking about
an ongoing attention that needs to be paid to cybersecurity and
what is working, where are the gaps, what do we need to be
doing, going forward.
Mr. McCaul. And I thank you for saying that. I think as the
Chairman mentioned yesterday, we see it as a forward-looking
vehicle, not a ``gotcha'' exercise. It is a policy exercise,
looking forward, what can we do to better protect our systems.
And I think you will find it should be a very friendly, not
hostile, relationship with the Department of Homeland Security
and the administration.
Having said that, I think as you mentioned, Secretary, the
12 of 17, as I look at the report card, is actually some good
news, that we have plans that are satisfactory. There are a few
that are not.
And, Mr. Powner, I want to ask you about some of those,
specifically the financial sector, which has some concern. If
the financial networks were hacked into and the numbers were
moved on the ledger, you can imagine the economic chaos that
would cause. And we know that, whether they are criminal
enterprises wanting to steal or whether it would be terrorists
that would like to cause economic devastation in this country,
you can imagine the consequences. So this particular sector is
of some concern.
Mr. Hender has raised the issue that your review is not as
thorough as it should have been on the financial sector, and I
want to get your response on that. He specifically said you did
not consult with Treasury on your analysis. Can you comment on
that?
Mr. Powner. Yes, a couple comments.
First of all, I would like to start by saying, do we think,
based on our years of work looking at cyber critical
infrastructure, that the banking and finance sector is one of
the mature sectors? We do. Okay.
When we did our analysis, we were surprised, okay. The way
we go about our analysis, I have a team that has actually
looked at this for many years, and we had multiple folks where
they independently came up with the same assessment. Okay. So
we stand by our assessment. I think Secretary Garcia mentioned
that our assessment overall was consistent with his assessment.
So I think there is a disagreement not with just GAO but
perhaps with the DHS.
Now, going forward, I am more than willing to sit down with
Mr. Hender. We have talked about this, and we will talk about
the differences here. I think the larger question here is
this--not to go over checkmarks in this category or this
category when you look at 30--is, what is the value of the
plans? Okay. Some mature sectors--and it wasn't the banking and
finance sector, but in other work we have done, the water
sector, for instance, has mentioned, we are beyond the planning
phase; these plans are not that helpful for us. And my only
question is whether that is similar with the banking and
finance sector.
Mr. McCaul. Are you questioning the necessity for the plans
or the----
Mr. Powner. Well, I think as you heard from the two
witnesses here, there is a lot going on, on an individual
company basis. And when you look at the whole sector approach,
we have been trying to do this well prior to the, you know, 9/
11, the Homeland Security Act. This goes back to a Presidential
directive in 1998. Okay.
So we are almost 10 years into this, and many would argue
that we haven't made much progress. We are still in the
planning and assessing phase, and we ought to be into the
protecting and putting in place robust recovery plans.
So I am not saying that the plans necessarily aren't
useful, because they could be useful. It is a question of
whether we complete them and effectively implement them going
forward.
Mr. McCaul. Just to follow up to that, what more needs to
be done to the financial sector to put it in the passing
category? I am of the view that mandates and regulatory actions
should be a last resort, that we should allow the private
sector to work with the public to work this out. What more, in
your opinion, needs to be done?
Mr. Powner. Well, in order to get their plan more
comprehensive, I think there are probably only six or seven
criteria that they could easily bump their plan up and they
would be one of the most comprehensive. So it is matter of just
making the plan complete at this point. And do we have
confidence that will occur? Yes.
And we are more than willing to sit down with Mr. Hender,
too, to make sure we didn't miss anything. But, once again, we
stand by our analysis.
Mr. McCaul. Last question. My time has expired, but I would
like to ask Mr. Hender, how vulnerable, in your opinion, is the
financial sector to a cyber attack?
Mr. Hender. Well, I would never sit here and tell you that
a cyber attack could not happen against our sector, but I don't
want to leave the impression with this committee that we are
still in the planning phase in terms of cyber.
I think if the GAO had looked at our full plan and the
appendices that were attached to that plan, and if they would
have understood that we are way beyond the planning stage--we
are a highly regulated industry. And back in 2006, there was an
analysis done by the Federal Reserve, the Office of the
Comptroller of the Currency, and the SEC to see what progress
our sector had made not only in physical but also in cyber. And
I will tell you, I would like to submit for the record the
results of their findings, because I think you will find, if
you read that report, we are way beyond the planning stage. We
have done an enormous amount of work to protect this sector, so
that if it is a cyber attack or a physical attack, we are in as
good of shape as we think we can be. That is not to say you
can't be better, but we work at it every single day to try and
get better.
Mr. McCaul. And what is the name of the report you
mentioned again?
Mr. Hender. The name of the report is the ``Joint Report on
Efforts of the Private Sector to Implement the Interagency
Paper on Sound Practices to Strengthen the Resilience of the
U.S. Financial System,'' and is dated April 2006.
Mr. McCaul. Mr. Chairman, I would respectfully request that
report be entered into the record.
Mr. McCaul. I see my time has expired. Thank you.
Mr. Langevin. The Chair now recognizes the gentleman from
New Jersey, Mr. Pascrell, for 5 minutes.
Mr. Pascrell. Did I hear you right, Mr. Hender, that the
GAO did not take into account the appendix of the report?
Mr. Hender. That is my impression. I don't know that for a
fact. Because if you look at the appendix, it really answers
the questions where they found fault with our sector.
Mr. Pascrell. Mr. Powner, did you take into account the
appendix?
Mr. Powner. I would have to go back and revisit the full
plan. A lot of these plans are quite comprehensive. Was there
an appendix, or the one that Mr. Hender was referring to? I
would have to look at that.
Mr. Pascrell. When you are looking at the chart, you are
looking at the chart that you presented to us, the five areas
that need, really, some improvement and are still perhaps in
the planning stage, as you go back before 9/11, this process
started, correct, Mr. Powner?
Mr. Powner. That is correct.
Mr. Pascrell. We are talking about banking and finance,
defense industrial base, national monuments, agriculture, food
and commercial facilities are the worst. Aren't they?
Mr. Powner. Correct.
Mr. Pascrell. Why is agriculture and food the worst, one of
the worst? Specifically?
Mr. Powner. Specifically? I could go through in detail, you
know, those areas.
Mr. Pascrell. I read your testimony.
Mr. Powner. Right.
Mr. Pascrell. But you know that off the top of your head.
What stands out? Is there any one thing that stands out?
Mr. Powner. I would have to get back to you on that. I
mean, we have details here in an appendix for each of the 30
criteria that we looked at, but clearly when you look at that,
with as many categories that were not fully satisfied, there
are eight overall categories, you know, do you have----
Mr. Pascrell. Right.
Mr. Powner. --do you have a methodology to assess your
assets? Do you have a methodology to perform your risk
assessments? There be would be weaknesses in all those. Are
there appropriate methodologies for recovery plans?
Mr. Pascrell. Might not the biggest problem be here, to go
back to something stated earlier, that we do not have a
national risk assessment? What is the relationship between
that, Mr. Powner, and the results which you have come up with,
in your estimation?
Mr. Powner. A national cyber risk assessment?
Mr. Pascrell. Right.
Mr. Powner. Well, one of the things that is clear is we
have never had a national cyber threat assessment. Okay. So we
have not had that.
Mr. Pascrell. Ten years into the plan, and we don't have a
risk assessment.
Mr. Powner. Correct.
Mr. Pascrell. All right.
Let me ask Mr. Hender this question. Nothing changes under
the sun. How are you verifying what companies are doing with
the information you provide? How do you know what they are
doing with it?
You are not just sending information, you are not just
sending out an advisory. This is serious business, as you well
know better than I do. So what are you doing with the
information? What are the companies doing with the information
you give them?
Mr. Hender. Well, I have talked to the companies. And
depending upon the threat level, the company either has a
problem or doesn't have a problem.
Mr. Pascrell. Do we have a list of what is done? Do we have
a report to present to this committee as to what these
companies are doing with the information that is provided?
Mr. Hender. I think if you look at the report that I
referred to earlier----
Mr. Pascrell. Right.
Mr. Hender. ----that report is very comprehensive. And it
also deals with the companies that make up the sector. And I
think the agencies that regulate them--I mean, we are highly
regulated. These regulatory agencies----
Mr. Pascrell. You are highly regulated about--what things
are you talking about?
Mr. Hender. We are highly regulated by a number of things,
but cyber is one of the things that we are regulated by.
Mr. Pascrell. And how are you regulated?
Mr. Hender. We are regulated by examination. And, in fact,
in some of the large companies, the regulators sit right in the
offices to make sure that the things that you are worried about
don't happen.
Mr. Pascrell. So you think the assessment that was made by
GAO is just a result of them not reading all the information
that should be available and is available to them? If they read
that information, they are going to change their assessment,
they are going to change the report. They are going to send
back a report to this committee and say, ``Oh, we missed three
or four different things, and we really want to change the
banking and financial assessment to comprehensive. We don't
think they are somewhat comprehensive; they are
comprehensive.''
Is that what you want us to believe?
Mr. Hender. I truly believe that. And I think our sector
coordinating agency, the United States Treasury, truly believes
that. I believe that we are one of the most mature sectors that
are out there. We take this very seriously.
Mr. Pascrell. No one is saying that you are not taking it
seriously. You have been on this for 10 years.
Mr. Hender. And we--
Mr. Pascrell. Excuse me. You have been on this for 10
years, and I am not convinced, in what I have read and what I
have heard today--I am asking you to convince me. You haven't
so far; you might. I am asking you to convince me that there
have been tangible actions on your part, not you personally,
but in that sector, that would indicate that we have come a
long way. I don't feel that. What am I missing?
Mr. Hender. Maybe I am just not a good communicator.
Mr. Pascrell. No, I don't think that is the case at all.
You have to have something to communicate.
Mr. Hender. I think the amount of money that the firms have
spent since 9/11 in making our sector more robust and able to
deal not only with the physical threats but the cyber threats
are very, very impressive. As I said, they take this very
seriously. Our regulators take it very seriously.
And I think that I would be surprised if the GAO, when we
have our conversation and point to them the real efforts--not
plans, but the real things that we have in place to protect
this sector--would not change their opinion. I would be very
surprised.
Mr. Pascrell. Well, in conclusion, Mr. Chairman, we are 10
years into this, with this particular sector, and there is a
very serious statement that Mr. Hender has made, that we
respectfully disagree with the GAO's analysis.
Those are your words, Mr. Hender. And I respect those
words. Don't get me wrong. I am more inclined, at this point--
not you personally--I am more inclined to believe GAO, because
they have a different part of this. They are involved in a very
different part of this than you may be or I may be.
And I would hope that you will prove to them that they are
wrong and so that this committee will get the report back, and
maybe I will change my mind, or maybe some of the other
committee members who feel like I do will change their mind.
But going back to what Mr. Powner said, we need a national
risk assessment plan. And we cannot be honest with the American
people about how safe they are unless we have that plan.
And that plan is overdue, is it not, Mr. Powner?
Mr. Powner. Yes, it is.
Mr. Pascrell. Thank you, Mr. Chairman. I appreciate your
giving me those courtesies.
Mr. Langevin. I appreciate the gentleman's line of
questioning. His point is well-taken, and the Chair certainly
agrees.
With that, the Chair now recognizes the gentleman from
California, Mr. Lungren, for 5 minutes.
Mr. Lungren. Thank you very much, Mr. Chairman.
Let me ask both Mr. Hickey and Mr. Hender this. It seems to
me that the nature of your industries are such that the cyber
world is an essential part of it, an obvious, central part of
it. It is part of what you do. It is part of what you are. It
is part of how you provide your services. As opposed to some
other sectors where cyber is important, extremely important,
but it is not so transparent to the user that if you were to
charge them for protecting the cyber aspect of their business
the user would say, ``Well, I understand that,'' in your
industry it seems to me to be far more obvious.
So I would ask you this, in both cases. How do your
respective industries view cyber protection as a part of the
cost of doing business, such that your members can justify to
your shareholders the bottom line? Because I happen to think
that that is one of the most important things we are going to
have to do in the private arena. And it would seem to me it
would be more obvious in both of your cases to begin with. So I
would say these may be the easy cases.
But can you give me an idea of how the companies that make
up your organizations view that as part of cost of doing
business and, therefore, part of the cost of being active
competitors?
Mr. Hickey. I think when you take a look at today's
marketplace, our customers--which are enterprise customers,
Government customers, and consumers--are demanding that
companies like Verizon put in place safeguards to protect their
business and their livelihoods within our organization. So the
market is demanding that companies like Verizon invest, and
invest very heavily, in technologies that will safeguard not
just our physical assets and certainly our human assets but,
very importantly, our cybersecurity assets.
Mr. Lungren. Let me ask you this, then. You can look at a
whole array of potential attacks. They could be hackers. They
could be mischievous college students. They could be the bad
guys who want to be able to get into your company and therefore
extract some economic benefit on their part or to harm you so
that someone else is benefitted. Those, it seems to me, are, in
terms of possibilities, greater than a terrorist attack, which
has greater consequence but the likelihood is far less.
How do you calculate that such that you make a judgment to
either insulate your operation from a cyber attack by a
terrorist organization, transnational or national, or to create
redundancies in the event that they are successful with an
attack?
Mr. Hickey. I think if we continue to focus on the blocking
and tackling of cybersecurity practice, given the environment,
given the fact that we are looking at an all-hazards
environment, that we will continue to invest as necessary in
the technology and the expertise to help secure the interests
of our customers.
Verizon in 2006 invested over $17 billion in infrastructure
build-out. And we are doing that certainly with an eye to our
customer and our future customer base. And vendors that do
business with Verizon know very clearly what our priorities
are, in terms of the technologies that we require to make our
network more secure going forward.
So, again, going back to the marketplace, we are mindful of
our customers' needs; our vendors are mindful of our needs as a
major carrier. And companies like Verizon continue to invest
very aggressively to make sure that we are addressing all
hazards within the cybersecurity realm.
Mr. Lungren. I would say parenthetically, if Verizon were
one of those companies that we asked to assist us after 9/11 on
our efforts on foreign intelligence that we are now refusing to
give immunity, it is kind of tough for us to tell you to trust
us as we go forward. Hopefully, we will address that.
Let me ask both of you--and I know I asked both questions
to you as well, Mr. Hender, but I am limited in time. Do you
have, in the private sector, among the companies that would
receive information that would be of value to them from the
Government, do you have or do those companies have their people
that have the proper clearances that they could receive that
information? And is it at the CIO level? And if a CIO has that
information, has that clearance, how does the CIO interact with
the CEO if the CEO doesn't have that clearance? And what have
we done in terms of recommendations, if any, in your sectors to
deal with that?
Mr. Hender. I think our sector--Specific agency, Treasury,
has been very responsive in getting the right people in our
sector the necessary clearances that we need and, in addition
to that, giving us access to the people in the Federal
Government who are charged with collecting the intelligence
information and passing that information on to us.
You ask a very important question, though. And that is,
what can the person who has the clearance do with that
information? Clearly, if there is a life-threatening event that
is going on that is classified, that person has an exemption
and can pass that information on to anyone to make sure that
those lives are not lost. Also, that person, with the
permission of the agency, can work and make sure that the
appropriate people within that company or within that entity
know what is going on to protect that entity.
It has never really been a challenge, to date, where
something has come to our attention that has been classified
where we have not been able to use that information to protect
the sector.
Mr. Lungren. Mr. Hickey, you feel the same way?
Mr. Hickey. Our sector-specific agency is the National
Communications System. And just as Mr. Hender said, the NCS has
been very attentive to the needs of not just my company but
others, in making sure we have the right clearances for the
right individuals.
I can say that, from a Verizon standpoint, our CEO, Ivan
Seidenberg, has just received his top-secret clearance. So,
right to the top within our organization. If we, at the ground
level, if my team becomes aware of information shared within
the NCS or, you know, within the HITRAC organization, within
the IP division, we can share that at the very highest levels
of the business with the appropriate individuals to make the
right decisions, from a response standpoint.
Mr. Lungren. Thank you.
Mr. Langevin. I thank the ranking member.
The Chair now recognizes the Chairwoman of the Subcommittee
on Transportation Security and Infrastructure Protection for 5
minutes.
Ms. Jackson Lee. Thank you very much.
And I thank the witnesses.
And I am having trouble with double appointments and
hearings that we have responsibility for, but I am delighted
that the testimony has contributed to, I think, a very
important discussion.
I am going to start on this debate that is going on with
the initial offering to work with the private sector. Again,
the private sector holds 85 percent of the infrastructure. And,
certainly, cybersecurity being a seamless part of that, there
is a dialogue going on about the question of the voluntary
cooperation, which I made mention of in my opening remarks, or
a regulatory framework.
So I would like to ask Mr. Hender, based upon your
experience--let me pose the question first to Mr. Powner, and
then, Mr. Hender, you might want to comment.
But based upon your experience in critical infrastructure
work, protection work, do you think the Department of Homeland
Security should continue to work with the private sector, or
providing the private sector with an adequate value proposition
to encourage it to effectively protect critical infrastructure?
In essence, are we giving them enough of a carrot to do it
voluntarily, or should there be some form of a regulatory
framework in this partnership?
Mr. Powner?
Mr. Powner. I think when you look at what was envisioned in
national policy going back pre-HSPD-7, one of the things that
the Federal Government needs to do a better job--and Assistant
Secretary Garcia and I have talked about this--if there were
more products, analytical products coming out of the US-CERT,
more information on national threat information that was of
value to the critical infrastructure owners, I think that would
improve the partnership. Okay.
So in order to have an effective partnership, you have to
be offering something that these sectors want. Okay.
Historically, when you look at where it has really worked, I
think there were times when we provided grants to the water
sector to do vulnerability assessments. That opened up the
communications, okay, because the Government was paying for
certain vulnerability assessments, so they were more inclined
to open the discussion.
I think there are pockets of sectors, due to the maturity
of them working in regulated environments, that are more mature
and have worked more effectively together, like the banking and
finance sector.
So I think regulation should be considered if we don't make
more progress. But there is also--if you stay the course with
the NIPP and the sector plans, the Federal Government needs to
offer more and provide more of a service to the infrastructure
owners.
Ms. Jackson Lee. And that is service in what form?
Mr. Powner. The service--the things that the Government
controls more, when you look at the roles and responsibilities
of the NCSD under Assistant Secretary Garcia, is threat
information and it is analytical products on vulnerabilities
and incidents. Okay.
We have a US-CERT that we continue to attempt to build out
capability with the vision that we are going to have more
robust analytical products that we can provide to these
infrastructure owners. As an example, if you go to DOD or some
parts of the intelligence community, you will see some fairly
robust analysis and warning capability, when it comes to cyber.
Okay?
So there are pockets in the Federal Government where we
have this. All right? What we need to do is we need to build
that out and transfer that information to the infrastructure
owners. That would help with the partnership.
Ms. Jackson Lee. And the pockets in the Federal Government
are just scattered, or there is some order to them?
Mr. Powner. I think there is order, but it depends on where
it is at. If you look at DOD and some of their capabilities in
this area, some of it is fairly robust.
Ms. Jackson Lee. We need to harness it. We need to get some
sort of organized way of connecting.
Mr. Powner. Absolutely. If you look at HSPD-7 and if you go
back to analysis and warning pre-DHS, we had this capability,
and we were building it within the FBI. There was something
there called the National Infrastructure Protection Center.
With the creation of DHS, we moved it from the FBI and it now
became the US-CERT.
So, clearly, we have had some starts and stops. We have
progressed forward; we have taken some steps backward. But if
we really want to build out that capability, that is one way to
build a more effective partnership, if you offer more on the
Government side that was of value to these sector owners.
Ms. Jackson Lee. Let me, Mr. Hender----
Mr. Hender. It is very clear that, unless there is a
partnership between the private sector and the public sector,
the things that we have discussed today are never going to be
solved. I think a good example and a model is to look at the
partnership that we have with Treasury. It is so critical to
have information that flows both ways.
And if I could make a recommendation, I would think it
would work very well and be very important to take people from
the private sectors, just not our sector but all the sectors,
and house them in some form or fashion within CERT or some
other intelligence organizations, so, as this information comes
in, it can be analyzed, not only by the Government, but you
have the private sector sitting there and saying, ``This is
important information. This is a threat. This is what this
means, this information.'' Unless you have that partnership and
unless you have those people sitting there working together, a
lot of information that maybe flows into these intelligence
organizations, I think we are missing a golden opportunity. And
I think we are missing it.
Ms. Jackson Lee. We are missing it.
Mr. Garcia--Mr. Chairman, if I can, I just have a couple of
quick questions, probably not quick on the answers.
Secretary Garcia, let me thank you for your service. This
is a tough business that we are in. And I think there are some
tough concerns that we have as members.
You know that I expressed my concern about the national
annual report regarding the status of critical infrastructure
protection nationally and within each of the sectors. The
report is due on November 5th. And my question is, is it ready?
Is it something that we can expect? And you might want to
acknowledge whether this is still the case, that we will have a
full report.
And I have another question for you that I would like to
just offer so that you can answer it. The incident at the Idaho
laboratory provided you with an opportunity to showcase how
effectively you can reach out to the private sector with best
practices. My concern, though, is how you verify the
implementation of these advisories. And I think this was
mentioned by one of the witnesses.
How do we have a two-way street? How are you measuring such
implementation? And into what obstacles are you running, so
that the private sector can become vested in what you do?
Mr. Garcia. Absolutely. Thank you, Madam Chairwoman.
On the first point, I believe we are on track for
delivering that report to you.
And on the second issue, you are correct that one of the
most important things for us to achieve over time is the
ability to measure progress. Where DHS is not empowered to
compel reporting back from the private sector on the extent to
which they have implemented best practices or other----
Ms. Jackson Lee. DHS is not compelled to report back to the
private sector?
Mr. Garcia. No, to the extent that DHS cannot compel the
private sector to report back to DHS.
Ms. Jackson Lee. To report back. So there is a lack of
either oversight or regulatory structure.
Mr. Garcia. Right. And for those sector coordinating
councils that we have worked with, for example, they, in turn,
are not necessarily empowered to demand from their member
companies that they report back to them. So, much of this is,
in fact, voluntary.
I would point out, I think the fact that, through this
whole NIPP process and the sector-specific plan process, the
fact that there are 17 critical sectors that have come to the
table with DHS and other sector-specific agencies without
actually being compelled to do so is, I think, in fact, a
testament to the importance that the entire private sector,
sector-specific agencies give to this issue of the joint
public-private partnership.
Ms. Jackson Lee. Quickly, Mr. Hickey, has the DHS given
enough incentives to the business community to do what Mr.
Garcia says is missing, which is to come back and report back
on best practices? Apparently, there is a schism there, in
terms of being able to do this in a voluntary manner.
Mr. Hickey. I would respond to that by saying that there
are a great number of forums that companies like Verizon
participate in, from the National Security Telecom Advisory
Committee to the President, where you have 30 companies coming
together from a full array of sector participants, that come
together regularly to develop plans and policy and
recommendations to the President on global infrastructure
resiliency, on network security, on GPS issues, on a full array
of issues where we feel an obligation to bring our subject-
matter expertise to the table to work with Government and
support Government initiatives.
The NSIE, the National Security Information Exchange, where
Government and industry come together, again, it is
voluntarily, but willingly, to share best practice around
cybersecurity and other security practice.
My sense is that companies like Verizon are there because
we feel an obligation to Government and to the country to
participate not only in planning but in operationalizing
security practice to protect the country's best interests. So
we are there willingly.
I think, from an incentive standpoint, the issue of real-
time sharing of threat intelligence is very important. And that
is helpful for companies like Verizon, to have a good, accurate
source of timely information regarding threats, cybersecurity
and otherwise, that we can then internalize and deal with from
an operational standpoint.
Within Assistant Secretary Garcia's organization, he has
made, I think, a positive move toward bringing together, even
more closely, the information-technology sector and the
communications sector by collocating our NCC ISAC, our National
Coordinating Center for Telecommunications ISAC, with the IT
ISAC and with the US-CERT. That brings us closer together,
physically, day in and day out. We can address, as things
evolve, operational issues much more quickly on a day-to-day
basis.
So threat intelligence would be a major incentive, but I
think there is a real willingness there to assist our
Government partners. And we are, I think, continuing to move in
the right direction.
Ms. Jackson Lee. Thank you. I think we have a lot of work
that we can look at that you have done that we need to do.
Thank you.
Mr. Langevin. I thank the gentlelady.
There is a vote on right now, but we will go to Ms. Clarke
for the final question before we dismiss this panel. Ms. Clarke
is recognized for 5 minutes.
Ms. Clarke. Thank you very much, Mr. Chair.
This question is to Mr. Powner.
You just suggested to Chair Jackson Lee that the Federal
Government could assist these sectors to ensure greater
consistency through partnership, if you will. Clearly, there is
a lack of consistency in the quality of the various sector-
specific plans.
Do you feel that DHS is doing enough to work with each
respective set of public-private stakeholders to ensure greater
consistency? And have your offices recommended or determined a
good way for them to do this?
Mr. Powner. Well, clearly, Assistant Secretary Garcia had
mentioned his office and the interaction they had with various
sectors in putting those plans together.
I think what is important is, when you look at this next
annual report that is due out, the annual report should be
providing some assurance, Madam Chairwoman, that you mentioned,
that, one, the plans are now complete and, two, that we are
actually moving down the road toward implementation.
Ms. Clarke. Mr. Garcia, Assistant Secretary Garcia, good to
see you again.
In response to Representative Pascrell's questioning, Mr.
Powner said that there needs to be a national risk assessment
for cybersecurity. Five months ago, the Department stood up the
Risk Management and Analysis Division. Have you engaged with
that office to date?
Mr. Garcia. That is part of the National Protection and
Programs Directorate, to which my office belongs as well. CS&C
is part of that, as well as the Risk Management Analysis
Office. So, yes, we interact regularly.
The national risk assessment that we are focusing on is, in
fact, the National Infrastructure Protection Plan, the sector-
specific plans that go with it. And I think, as we implement
these plans, as Mr. Powner says, we are going to have a
national risk assessment with metrics in place that we can
measure how well we are doing.
I would emphasize that it is important to note that this is
the first time we have done this, that 17 sectors, industry
sectors, have organized themselves around a common mission, and
then to organize themselves to interact with the Government in
a collaborative process, a framework by which we are going to
measure the vulnerability, assess the vulnerability of our
infrastructure nationwide, and then take the steps to actually
mitigate those vulnerabilities and strengthen our
infrastructure.
So I think we have come a long way in just a year-and-a-
half worth of time. And the fact that most of these sector-
specific plans were written around the middle of last year,
there has been a tremendous amount of effort and resources put
into infrastructure protection since then in the cyber area.
Ms. Clarke. Assistant Secretary, I recognize that, you
know, this is a major, major undertaking, and some would say
just putting together the Department of Homeland Security has
been a major, major undertaking.
The concern is that there be some sort of a driving force
that puts some, you know, some energy behind getting this done
in a timely fashion, and that we are not sort of leaving it up
to inertia to get us there.
You know, with each passing day, people are concerned that
we have, you know, the critical infrastructure, particularly
with respect to cybersecurity, in place. Because it seems like
there is a generation of intelligentsia out there that just
lives to get ahead of us, with respect to cyberspace.
So I hope that you will certainly recognize the urgency
from which you hear this committee speaking, because we
certainly believe time is of the essence but, at the same time,
understand that haste can make waste. So we hope you will take
that under advisement.
And this question is--really, my final question is to
anyone on the panel. Although there are many differences
between each sector represented in the NIPP and there is merit
to the idea that each area tailor its own plan, when it comes
to cybersecurity, many of these sectors deal with some of the
same problems. For example, organizations of every sector have
to deal with the possibility of data theft or that systems can
be brought down. Therefore, if planners in one sector figure
out a useful solution that can apply to other sectors, it would
be useful if this information were disseminated.
Is there any information-sharing occurring between the
coordinating councils for each sector? And is this a role that
DHS plays or could play?
Mr. Garcia. Absolutely, Congresswoman. Thanks very much for
that question.
We, last May, set up--my office set up the Cross-Sector
Cybersecurity Working Group. And it is composed now of experts
in cybersecurity from all of the 17 sectors. And we meet at
least monthly and, I think, more frequently on conference call.
And this is the forum precisely for those various sectors to
share their experiences in cybersecurity and see where there
are dependencies on one another in their cyber infrastructure
and interdependencies, and see where are there are common
problems across all of them.
Control systems, a subject that this committee held a
hearing on on October 17th, is a prime example, where there is
a nexus between cybersecurity and physical security. That the
process control systems that enable us to purify water,
manufacture chemicals, to run the electric grid, all of these
digital control systems have a nexus to information networks or
communications networks.
And so, the fact that these sector representatives are
coming together on a regular basis to share those concerns,
identify common vulnerabilities, this is taking us a long way
down the track of doing that national risk assessment that we
are heading toward.
And I think this is a perfect example of how the sector-
specific plans, the NIPP process, is working.
Ms. Clarke. You want to say anything?
Mr. Hickey. I would just like to comment that the
Communications Sector Coordinating Council and the IT Sector
Coordinating Council work very closely together, day in and day
out. We have cross-membership. We work together in a number of
forums. Actually, the chair of the IT Sector Council is in
today's audience. So there is a very close relationship.
As was pointed out earlier by one of your colleagues, it is
hard to distinguish where pure providers end and information
service providers start. Companies like Verizon and other
companies, large and small, are aware of the fact that, with
convergence of technologies, cybersecurity has to remain a real
focus. And I can assure you that, both within the IT sector and
com sector, we work very, very closely together.
Mr. Hender. I would just like to comment that we just
finished a 3-week pandemic exercise. Part of the component of
that exercise was cyber, because if the Internet is not there,
then the work-at-home programs that the firms have put together
are going to be useless.
It is our intention to make those findings public in 2008,
early in 2008, not only to our sector, but to all the sectors
in this country and to the international countries that are
interested in learning the experiences we had during this
pandemic exercise.
Ms. Clarke. Thank you.
Thank you very much, Mr. Chairman.
Mr. Langevin. I thank the gentlelady.
And I thank the witnesses for their testimony.
There is one last thing I am going to pose. Unfortunately,
we don't have time for the answer since there is a vote on
right now. We have about 2 minutes.
But, you know, when we talk about the risk assessment--
Secretary Garcia, I would ask you to respond to this in
writing. And, Mr. Powner, if you would comment.
You know, a risk assessment is composed of threat and
vulnerability and consequence. You know, how will the national
report be a risk assessment, when it is lacking these critical
issues?
So I pose that to you. And we will have some other
questions that we would like you to respond to in writing.
Again, I thank the witnesses for their valuable testimony,
the members for their questions.
The members of the subcommittee, as I mentioned, may have
additional questions for the witnesses, and we ask that you
respond expeditiously in writing to those questions.
At this time, the first panel of witnesses is dismissed.
And the Chair now recesses for what will be one vote, and
we will reconvene in approximately 15 minutes.
Thank you.
[Recess.]
Mr. Langevin. The committee will come to order. As we call
up the second panel of witnesses, I want to thank the panel for
your patience and willingness to stick around. We do appreciate
it, and I know you have valuable testimony to offer.
Unfortunately, Mr. O'Hanlon was not able to stick around. He
was going to be on this panel as the lead-off. Mr. O'Hanlon
specializes in U.S. national security policy and is the co-
author of a book called Protecting the Homeland 2006, 2007, and
he would have been discussing one of his articles in that book.
But he has submitted a statement for the record, and we will
certainly forward look forward to reviewing that and hearing
from Mr. O'Hanlon on a later date. In the meantime, of course,
we are very grateful for the rest of our panel being here.
Our first witness will be Ms. Sally Katzen, faculty member
of the George Mason School of Law and a senior consultant to
the Critical Infrastructure Protection Program at George Mason
University. We thank you, Ms. Katzen, for being here.
Our next witness is Mr. Larry Clinton, president of the
Internet Security Alliance. We are grateful for you being here
as well, Mr. Clinton.
And our next witness, the last witness is Dr. Larry Gordon,
Ernst & Young Alumni Professor Managerial Accounting
Information Assurance at the Robert H. Smith School of Business
at the University of Maryland. Dr. Gordon is also an affiliate
professor with the University of Maryland Institute for
Advanced Computer Studies.
Mr. Langevin. Again, we want to thank you for being here.
Without objection, the witnesses' full statements will be
inserted into the record. And I now ask each of the witnesses
to summarize their statement for 5 minutes, beginning with Ms.
Katzen.
And before I turn the floor over to, Ms. Katzen, I
understand that it is your anniversary today. Let me take the
prerogative as Chair to wish you a happy anniversary, and thank
you for spending your anniversary with us today.
Ms. Katzen. My husband thanks you as well. Thank you.
Mr. Langevin. I don't know if that was sincere or not. He
may question it as well. Thank you.
STATEMENT OF SALLY KATZEN, GEORGE MASON SCHOOL OF LAW, SENIOR
CONSULTANT TO THE CRITICAL INFRASTRUCTURE PROTECTION PROGRAM,
GEORGE MASON UNIVERSITY
Ms. Katzen. Chairman Langevin, Chairman Jackson Lee,
Ranking Members McCaul and Lungren, other distinguished members
of the subcommittee. My background and qualifications and the
credentials of the George Mason Law School CIPP program are set
forth in the written testimony. Given the lateness of the hour,
I want to condense my oral comments to the bare essentials.
First point. You have heard it before, but it cannot be
overemphasized. One of the problems that we have had with cyber
CIPP is that for too long and in too many places, both in the
private sector and in government, the task of identifying and
addressing cyber CIPP risks has been confined to those in the
enterprise that own, operate, maintain the computers, the
servers, the networks. In other words, the IT department. But
viewing cybersecurity as an IT problem with an IT solution
greatly understates the problem and misperceives the solution.
As we explain in the written testimony, even the best
technical defenses are no better than the physical security and
personnel security elements that must accompany them. And not
only are these elements typically outside the direction and
control of the IT department, but also they like the IT
department typically fall on the operations side of the
enterprise which generally is not well represented at the
highest levels of corporate accountability and governance.
Based on the extensive work that the CIPP program at GMU
has done, we are impressed with what is called the ERM, the
Enterprise Risk Management program. The emphasis in ERM is on
the enterprise as a whole and raising cyber CIPP issues to the
highest corporate level of accountability. And we have got a
lot of discussion in our written testimony about how it works
and what it does. I hope you like the cowboy graphic.
Second point. Six years and billions of dollars since 9/11,
how much progress have we made? Now, the headlines from the GAO
study say 12 of the 17 SSPs have comprehensively addressed the
30 cybersecurity criteria. We think that may be an overly rosy
summary if you look at the individual cyber criteria, plan by
plan and sector by sector.
In the written testimony, we highlight section 6 of the GAO
criteria, which speaks to the measures of progress. And in that
connection, the representative from GAO in the earlier panel
said, well, we are passed the plans. We are now into
implementation. Fine. In fact, good. But if you don't have
quality metrics to establish benchmarks at the outset and over
time, how to you measure this implementation? How do you
evaluate the implementation? And we think the verification of
that is also essential.
To our mind, the problem is the dearth of data, the absence
of valid information. And I have heard from some that the
Paperwork Reduction Act is part of the problem. I think it is
part of the solution. And this is something that we can get
into another time, but I think it is really important to focus
on getting good information.
Third point. What should we do to improve the situation? We
propose that the government provide incentives for the private
sector to do the right thing. To be sure, companies already
have lots of incentives in terms of smoother, more efficient
operations and in terms of marketplace acceptance. There is the
Ernst & Young study which shows the correlation between success
in risk management and success on Wall Street. But, again, the
GAO report, and again just looking at the plans, Section 3
which says incentives--that is where the bottom fell out. Only
three sectors have fully addressed incentivizing vulnerability
assessments.
We gave five different carrots for you all to chew on.
Carrots are good for your diet. They are part of my diet, if I
get dinner tonight. In any event, many of them are actually
discussed in Mr. Clinton's testimony, and I am going to defer
to him on virtually all of them but I want to make two
comments.
I do want to distance myself from his discussion of
liability limitations, limitations on liabilities for
companies. I disagree with that approach. And, also, the
reinsurance program at DHS. I don't think it should be a
government-sponsored reinsurance program. I think he hits the
nail on the head when he talks about government leading by
example and the importance of the government getting its act
together.
One of my responsibilities while I was in Federal service
at OMB was the Y2K experience. Now, that is a very different
order of magnitude from what we are talking about now. But if
you think about the Y2K adventure as a mini pilot of how the
government can face these problems and work within, we had no
additional command and control authorities, we had no
regulatory authorities. We were nonetheless able to work
collegially with the groups. We were able, with the various
sectors, to share best practices, to work through the problems
that had to be done on a cooperative basis, and to use trusted
established relationships that already exist between members of
the private sector and their State or local regulators or their
Federal regulators or their colleagues.
And the problem, in answer to Chairman Jackson Lee's
question, what do we do? How do we solve, how do we change this
relationship? We do not recommend any additional commands and
control authorities. We do not think you should go the
regulatory route either with respect to making DHS the SSA for
the other sectors or with respect to even the sectors that it
has.
But DHS should not be trying to do it alone. DHS should not
be dictating to others to ``do it my way.'' Rather, as we
experienced in Y2K, DHS should adroitly use its convening
powers, take advantage for its opportunities for collaborative
work together and collegially work through programs with their
partners.
In our written testimony, we give an even more recent
example than Y2K. DOE has done this very successfully on a
smaller scale.
That is it. Smash the stove pipes, develop metrics, and
gather quality data, and have the government help in a
noncommand and control regulatory way.
I look forward to any questions you may have. Thank you so
much.
Mr. Langevin. Thank you, Ms. Katzen, for your testimony.
And we enjoyed hearing what you had to say.
[The statement of Ms. Katzen follows:]
Prepared Statement of Sally Katzen, Esq
Mr. Langevin. The Chair now recognizes Mr. Clinton for 5
minutes. Welcome.
STATEMENT OF LARRY CLINTON, PRESIDENT, INTERNET SECURITY
ALLIANCE
Mr. Clinton. Thank you, Mr. Chairman, Mr. McCaul.
The Internet Security Alliance believes the threat to our
economy, our Nation, and our citizenry from cyber attacks is
real and growing. We also believe that government and industry
must work much more aggressively to address these threats. We
are past the time for simple education. Now is the time for
action.
However, for industry and government to create a
sustainable and effective cyber defense system, we need a
fundamental rethinking about how we address these issues.
First, the Internet is unlike anything we have ever dealt
with before and, hence, securing it will require a solution
unlike anything we have done before. In its June 2006 GAO
report, they cited the number one challenge to developing a
public-private sector partnership for cybersecurity was the
innate characteristics of the Internet itself. The Internet is
just different. It transmits phone calls but it is not a phone
line. It makes copies but it is not a Xerox machine. It houses
books but it is not a library. It broadcasts images but it is
not a TV station. Is critical to our national defense but it is
not a military installation.
The Internet is international, interactive, constantly
changing, constantly under attack. We cannot simply cut and
paste old governing systems and realistically expect that we
are going to be able to manage this new system effectively.
Even if Congress were to enact an enlightened statute, it
would reach only to our natural borders and hence would not be
comprehensive enough. Even if some agency wrote a brilliant
regulation, it would probably be out of date before it got
through the entire process.
Second. Information security, as Ms. Katzen has pointed
out, is not a static and merely technical problem. The threats
to the Net have recently morphed from the broad, benign, and
well publicized attacks like Love Bug and Blaster, to Designer
Now-ware that is constructed to target specific systems where
it can reside undetected for a long time while causing
significant economic and physical damage.
As a result, traditional antivirus software and viral
solutions are becoming inadequate. To adequately address the
modern threats, we need an ever-evolving system that addresses
all the vulnerabilities, technical and otherwise.
Third, the threat to our infrastructure from cyber attack
is very, very serious and growing.
Two years ago, the Internet Security Alliance reported to
this committee that the main protocols that the Internet is
based on were over 30 years old and had multiple well-known
security flaws. Since then, the massive growth in Internet use
based on these same protocols has increased our vulnerability
at a massive rate. Moreover, the Internet attacks are no longer
based on publicity but now are designed to generate money or,
more insidiously, power and destruction.
Especially worrisome are cyber attacks that would hijack
systems with false information in order to discredit systems
and do lasting physical damage. At a corporate level, attacks
on this kind have the potential to create liabilities and
losses large enough to bankrupt large companies. At a national
level, attacks directed at our critical infrastructure
industries could cause hundreds of billions of dollars worth of
damage and thousands of lives.
But, fortunately, we know a good deal about how to protect
ourselves. The best evidence of this is that the Internet has
been under attack constantly thousands of times a day and has
yet to go down. The largest study ever done of best practices
found that organizations that follow the approved best
practices for information security have shown a remarkable
ability to fend off attacks, recover from attacks, and even
deter attacks. The problem is, we need more entities to embrace
these practices while also working with us to develop new ones.
The best mechanism to effectively establish a sustainable
defense system is to inject market incentives to motivate the
adoption of best practices.
Unlike some of the conversation at the first panel, markets
do not emerge spontaneously. They must be created and managed.
That is what we need to do with cybersecurity.
In this regard, the Internet Security Alliance has come to
the committee with a specific and concrete proposal. This
proposal is detailed more fully in our written testimony, but
it offers a market-based incentive program to bridge the gap
between the purely voluntary program as outlined in the
national strategy to secure cyber space, and a regulatory model
which, A, won't work and, B, would probably be
counterproductive.
The core elements of the Cyber Safety Act would be for
government to use its market power instead of its regulatory
power to promote security primarily through the procurement
practice. Congress can lead by example, as Ms. Katzen pointed
out. Congress can tie incentives such as civil liabilities safe
harbors such as those that are currently provided in the SAFETY
Act. Congress can stimulate the stunted cyber insurance market,
and I would be delighted to discuss the specifics with this
further with the committee. And, Congress can create government
industry consortiums similar to what we did with the Sema-Tech
to solve our computer chip problem in the 1980s. And,
government can create awards programs.
There are other market-based programs such as the use of
model contracts that we can use to expand the perimeter of
cybersecurity. But I urge the committee to consider acting, but
acting in a novel and creative fashion. The old system won't
work. A new system must be created. Thank you.
[The statement of Mr. Clinton follows:]
Prepared Statement of Larry Clinton
Good Morning, I am Larry Clinton, President & CEO of the Internet
Security Alliance (ISAlliance). I also am a member of the DHS's
Communications Sector Coordinating Council, the Critical Infrastructure
Partnership Advisory Council and serve as an Officer on the IT Sector
Coordinating Council.
ISAlliance is a cross-sector trade association focused exclusively
on information security. We were created in 2001 as collaboration with
the Carnegie Mellon University. We now have roughly 1,000 member
companies. We provide our members with a range of services, including
technical, business operational and public policy. ISAlliance provides
its members with an integrated series of security services addressing
the technical, legal, business and public policy concerns
simultaneously.
I want to thank the Chairman for inviting me to participate.
ISAlliance continues to believe that the threat to our economy, our
nation, and our citizenry from cyber attacks is real and growing.
We also believe that government and industry must work much more
aggressively to address these threats. We are past the time for simple
education about the cyber threat. Now is the time for action.
However, for industry and government to create a sustainable and
effective system of cyber defense we need a fundamental re-thinking of
how we go about addressing these issues.
This rethinking must include at least three critical realizations.
First, the Internet is a technology unlike anything we have dealt
with before and hence will require a solution unlike what we have
traditionally used to address technology and business.
We need to change the way government, perhaps including Congress,
thinks about and conceptualizes its role in assuring Internet security.
In its June 2006 report, ``Internet Infrastructure: DHS Faces
Challenges in Developing a Joint Public/Private Recovery Plan,'' the
GAO got it right. It listed as the number one challenge we face the
``innate characteristics of the Internet.''
How then is the Internet different?
It transmits phone calls but it is not a phone line.
It makes copies but it is not a Xerox machine.
It houses books but it is not a library.
It broadcasts images but it is not a TV station.
It is critical to our national defense, but it is not
a military installation.
It is all these things and much, much more.
The Internet is international, interactive, constantly changing,
constantly under attack, then changes and changes again.
It is not even really an ``It.'' It is actually lots of ``Its'' all
knitted together--some public, some private--all transmitting
information across corporate and national borders without stopping to
pay tolls or check regional sensitivities.
We can not simply ``cut and paste'' previous governance systems
from old technologies or business models and realistically expect that
we will be able to manage this system effectively.
The regulatory model we have traditionally used to govern business
has not changed much since we created it to deal with the breakthrough
technology of 2 centuries ago--the railroad.
To manage the railroad, Congress decided to create an expert
agency, the ICC, to pass specific regulations. The ICC begat the rest
of the alphabet soup: the FCC, the SEC, the FTC. And, that system has
worked arguably well in most instances.
But that system will not work with Internet security. Even if
Congress were to enact an enlightened statute, it would not have reach
beyond our national borders and hence would not be comprehensive
enough. Even if some agency wrote a brilliant regulation, it would
likely be out-dated before it got through the process, a process that
can be further delayed with court challenges.
And that assumes, unrealistically, that the political process
inherent in a government regulation system doesn't ``dumb-down'' the
eventual regulations so that we wind up with a campaign-finance-style
standard where everyone can attest that they met the federal
regulations, but everyone knows the system is really not working.
That may work in politics, but, frankly, we can't afford that when
it comes to Internet security.
Regrettably not enough is being done, either by government or
industry, to secure cyber space. We have attempted to manage the risk
of 21st century technology solely using regulatory models designed two
centuries ago. While regulation has its place, a new, more creative,
model built on market incentives must be developed.
Yet, we can't stand idly by either. We must, together, develop a
mechanism to assure an effective and sustainable system of security
that will accommodate the global breadth of the Internet and still
result in a dynamic and constantly improving system of mutual security.
Second, information security is not a static technical problem.
Even within the past couple of years the threats have become not just
more sophisticated, but more subtle.
For example, we now know that threats to the net have morphed from
broad and often relatively benign, if well publicized, attacks like
Love Bug and Blaster, to designer malware constructed to target
specific systems where it can reside undetected by traditional methods
for an indeterminate period of time while causing serious damage.
As a result, traditional AV software and firewall solutions are
becoming inadequate. However, a new generation of security products has
been, and continues to be, developed to address the continually
evolving threats.
To adequately address information security concerns we need to
address the full organizational system which relies on information
infrastructure.
Our members now look to us to provide a comprehensive risk
management approach that encompasses the full-system approach necessary
to address the problem. An example is our Enterprise Integration
Program which addresses discrete cyber security issues ranging from
preventing and handling breaches of personal information to securing
the IT supply chain in the era of globalization.
We address these issues by looking at their technical, business
operational, human resource, legal and public policy aspects
simultaneously and developing an integrated solution. We would commend
this fully integrated model to our government partners to consider.
Third, the threat to this nation's and the world's economic
infrastructure from the risk of cyber-attack is real.
Two years ago ISA reported to this Committee that the main protocol
used to protect this data is over 30 years old and has multiple well-
know security flaws.
Since then the massive growth in Internet use based on these same
protocols has increased the vulnerability of the Internet at a massive
rate.
In addition there are now far more attackers and they have become
increasingly more sophisticated. Whereas only a few years ago
``hackers'' created cutely named attacks like the ``love bug'' and
``slammer'' largely to get attention, the current generation use
stealth and designer malware that is difficult to detect and in some
cases virtually impossible to eradicate.
Even worse, the motivation for Internet attacks is no longer
publicity, but money, and more insidiously power and destruction.
Especially worrisome are the cyber-attacks that would hijack
systems with false information in order to discredit the systems or do
lasting physical damage. At a corporate level, attacks of this kind
have the potential to create liabilities and losses large enough to
bankrupt most companies. At a national level, attacks of this kind,
directed at critical infrastructure industries, have the potential to
cause hundreds of billions of dollars worth of damage and to cause
thousands of deaths.
Some of the attack scenarios that would produce the most
devastating consequences are now being outlined on hacker websites and
at hacker conventions. The overall patterns of cyber intrusion
campaigns suggest that a number of potentially hostile groups and
nation states are actively acquiring the capability to carry out such
attacks. Meanwhile, the many ways in which criminal organizations could
reap huge profits from highly destructive attacks are also now being
widely discussed. Forth, there is some good news: We actually know a
good deal about how to protect the Internet.
The best evidence of this is that although the Internet is under
attack constantly--thousands of times a day--it has yet to fail. The
owners and operators of the Internet, primarily the major private
sector players are doing a terrific job managing the defense.
Major independent surveys, such as the PricewaterhouseCoopers
``Global State of Information Security''--the largest study of its
kind--have indicated that those entities that follow approved best
practices of information security show a remarkable ability to fend off
attacks, recover from attacks and even deter attacks.
The problem is that as the Internet continues to grow we need more
entities to embrace these practices and technologies while also working
with us to develop new ones.
The critical question is: how precisely can we create such a
system, if the models we have used for previous technologies are
inadequate?
The best mechanism to assure an adequate and sustainable defense
system is to inject market incentives to motivate the adoption of best
practices.
That has been the mantra of the Internet Security Alliance, and The
National Infrastructure Protection Plan officially embraced the need
for a government supported market based incentive program stating that
the ``Government can. . .[create] an environment that supports
incentives for companies to voluntarily adopt widely accepted sound
security practices.''
Fifth, there is a concrete proposal for moving forward.
The ISAlliance has long campaigned for the development of a
publicly supported market based incentive program to bridge the gap
between a regulatory and pure volunteer approach.
ISAlliance believes that the Federal government should advance
homeland security preparedness through reliance on existing published
standards and best practices, and defer to the private sector to
continue to invest in and develop appropriate general and industry-
specific standards for improved security.
Fortunately, there exist a number of paths, most with Congressional
precedent, for Congressional action to provide incentives that are in
the national interest. Among these paths are:
1. Congress can use its market power, instead of its regulatory
power by more prominently including security, along with cost
into its procurement process.
2. Congress can lead by example by fully funding federal agency
needs for cyber security and integrating security compliance
into personnel evaluations along with other HR criteria
3. Congress can tie incentives such as civil liability safe
harbors such as those provided in the Safety Act, or provide
procurement credits to companies who can demonstrate compliance
with market generated best practices for cyber security;
4. Congress can stimulate the stunted cyber insurance market by
temporarily sharing the risk of a massive cyber-hurricane until
the market is sufficiently large to take the risk themselves.
5. The Congress can create an industry/government/university
consortium to stimulate the needed research, development and
adoption of security protocols, similar to the Sema-Tech model
used in the late 1980s to address the computer chip gap.
6. The Government can create awards programs similar to the
``Baldrige Awards'' for quality which eventually became a
sought after market differentiator for corporations.
Earlier this year the Board of Directors of the Internet Security
Alliance met and approved an outline for a legislative approach we
offer for your considerations which we call the ``Cyber-Security Safety
Act of 2007.'' I spend the balance of my statement further detailing
our thoughts on how the Saftey Act can be used as a model for improved
cyber security.
We do not come to the Committee with legislative language which we
are endorsing, but rather with a set of concrete policy proposals we
urge the Congress to work with us on perfecting.
We believe the ``Cyber Safety Act'' offers a coherent approach
which will create specific Federal support for a package of incentives
that will affirmatively encourage private sector investment in improved
security and protection of the Internet. I would like to use the
remainder of my testimony to outline he specific incentive
recommendations and offer a brief analysis in their support:
Establish a mechanism which will enable companies that
adopt standards-based information security programs or best
practices to be qualified to receive the specified incentives
(``Qualified Companies'').
The availability of incentives requires some type of baseline
as a criterion to be met for the incentives to be available.
The ISAlliance has long advocated that private sector standards
and best practices are already in place that can be adopted by
DHS as a basis for incentives.
Create, in connection with privacy reform legislation
(such as uniform breach notice laws), a Federal limitation of
liability for Qualifying Companies that would limit their
liability for breaches that occur, notwithstanding their use of
standards-based security and best practices.
Information security is closely associated with privacy protection.
Many companies otherwise eligible to be Qualified Companies have large
volumes of personal information requiring protection under various
Federal and state laws. Those companies will not be motivated to move
forward with their cyber-security investments if they still are exposed
to liability when breaches occur notwithstanding good security
practices. As a final piece of the litigation-related incentives, this
incentive eliminates the inhibitor of continued privacy-related
liability for Qualifying Companies.
Establish Federal Acquisition Regulations (FARs) and
other legal frameworks through which private sector companies
do business with the United States government that:
Require the agencies to specify published standards and
best practices as required elements for any contract
relating to information security, data protection or
similar services.
Qualified Companies should be able to acquire
additional cyber-security insurance to cover losses arising
from CINS-related catastrophic events, and limit their
liability to third-parties to the amount of that insurance. The
amount of the insurance acquired must be reasonable in order to
qualify for the limited liability.
Many companies defer investments in improved security out of a
concern that, even with improved security, they are not protected from
liability for losses that occur despite the quality of their security
controls. Businesses are encouraged to invest in becoming Qualified
Companies when they are offered the protection that is provided by (a)
assuring the availability of insurance to cover losses from CINS-
related catastrophic events and (b) limited their liability to the
amount of insurance that has been obtained.
The principles of limiting liability to encourage improved homeland
security are similar to the structures used to incent new homeland
security technologies under the SAFETY Act which was enacted as part of
the Homeland Security Act of 2002.
To support the preceding insurance market, the Federal
government should create within DHS a national program for
temporary, short term reinsurance, through which insurers may
purchase reinsurance coverage for their exposure to CINS-
related catastrophic losses under policies issued to Qualified
Companies.
Insurance carriers have been reluctant to create a vigorous
marketplace for cybersecurity insurance. The chief reason is that the
insurance companies lack sufficient experience with cyber-terrorism to
effectively evaluate the overall risks in order to determine effective
premium levels, particularly for CINS-related catastrophes.
The proposed establishment of a reinsurance program provides
underwriting for the insurance companies. In the event losses are
incurred by the purchasing insurance carrier is greater than their
reinsurance deductible, the insurer would be entitled to coverage under
the reinsurance agreement with the Federal program. The program
administrator would have the right to increase future reinsurance
premiums as deemed necessary to accomplish a revenue neutral goal. Over
time, the program could be sunsetted as the insurance market gains
experience with cyber-security coverage. This solution is similar to
Federal legislation that enhances the airline transport industry.
Qualified Companies with appropriate insurance will
also have litigation-related incentives available, excluding
liability for consequential and punitive damages and limiting
their liability for non-economic losses.
Similar to the incentive provided by a limitation on
losses to the available insurance, the limitation of
liability for consequential and punitive damages, and
limited liability for non-economic losses removes a
serious inhibitor to information security investments--
i.e., the risk of losses for which responsibility is
assigned notwithstanding a company's good faith
investments in adequate information security.
Eliminating that inhibitor encourages a more secure
preparedness, company-by-company.
On many occasions, the Federal government has employed
its influence as a major purchaser from the private
sector to encourage companies to develop and implement
improved business practices. Establishing criteria tied
to providing services to the government offers new
market opportunities to Qualified Companies and, in
doing so, provides strong economic incentives to
improving their cyber-security.
Establish a ``Baldrige Award'' for information
security quality and excellence, coordinated with specific
industry organizations to develop and create awareness of
information security as a competitive differentiator.
The Malcolm Baldrige Award by the US Department of
Commerce has become a cherished recognition of
excellence in the marketplace. A similar program,
perhaps recognizing information security excellence
within industry sectors, will greatly increase
awareness of the value of information security and its
function as a competitive differentiator, thereby
encouraging new investments.
Create and fund an industry/government/university
consortium to stimulate the needed research, development and
adoption of security protocols that can, in turn, stimulate
improved technologies for adoption across the private sector
and government computer systems.
In the late 1980's, the Federal government provided matching
funding to create an industry-government cooperative consortium that
collaborated in accelerating solutions to common manufacturing problems
in semi-conductor production (SEMATECH). This successful model
revitalized the U.S. semiconductor industry and continues to generate
industry leadership and innovation long after Federal funding was
voluntarily terminated by the consortium.
A similar program today will enable government, academia and
industry to work together to replace today's security poor Internet
protocols with security-rich protocols. Those protocols can enhance the
quality and integrity of the hardware devices, switches and other
components from which the Internet is constructed.
Mr. Langevin. Thank you, Mr. Clinton.
Mr. Langevin. And the Chair now recognizes Dr. Gordon to
summarize your statement for 5 minutes. Welcome, Dr. Gordon.
STATEMENT OF LARRY GORDON, ERNST & YOUNG, ALUMNI PROFESSOR,
MANAGERIAL ACCOUNTING INFORMATION ASSURANCE, ROBERT H. SMITH
SCHOOL OF BUSINESS,
Mr. Gordon. Chairman Langevin, Chairwoman Jackson Lee.
Thank you very much for inviting me here. My comments are going
to focus on how to improve cybersecurity investments within the
private sector. I am going to concentrate on four points which
are all detailed in my testimony that I wrote up and submitted
already.
But before I talk about these four points, let me just
mention two things. One is that in the private sector,
efficient allocation of resources is fundamental, and the
reason that is fundamental is because that leads to profits,
and profits leads to increasing the value of the firm. And
increasing the value of the firm is a key concern to all senior
executives in the private sector.
The second point I want to make is that investments in
cyber computer compete with other investments. And I think that
is also fundamental to keep in mind.
With that said, let me go to my four points. The first
point I want to make is that the best, the strongest incentive
by far is to have the private sector recognize that it is in
their best interests in terms of increasing the value of the
firm to increase investments in cybersecurity.
There is a well-established process among business people
for looking at efficient allocation of resources. That often is
a concept that falls under the umbrella of what we sometimes
call making the business case. Making the business case is the
notion of using a well-established metric cost benefit
analysis. There are various models of cost benefit analysis.
And actually looking at alternative investments, rank ordering
them, and then allocating their resources.
So my first point is that in order to get business people
to invest more in cybersecurity, what you want them to do is to
recognize the importance of efficient allocation of resources
toward cybersecurity investments. In other words, it is an
internal incentive. It is a business incentive.
Now, one of the problems in this regard is that the people
who are often arguing for cybersecurity investments, the CIOs,
the chief security officers, their training is primarily in
technology what you might call computer security. And many of
them, at least traditionally, have not been well versed in the
notion of how to make the business case. So let me give you a
little real world story.
About 5 years ago, I was approached by the chief security
officer for a Fortune 500 company, and he came up to me and
said--he met with me for lunch, and he was all upset because he
met with his CFO for his company and he asked for a $10 million
upgrade to the network, the security of the network for that
company. And the CFO said to him: Where is your business case?
So when he came to me and we discussed it at lunch, he
said: What's wrong with the CFO? Doesn't he understand the
importance of security? And my immediate reaction was: If I
were the CFO, when you left the room I would probably be
saying, what's wrong with you? Don't you understand the
importance of economics? If I give you $10 million to upgrade
the security.
I am essentially taking away from something else. And the
name of the game for the private sector is, generating profits
so that what you can do is you can increase the value of the
firm. And when you talk about cybersecurity investments, it is
what we call in capital budgeting a cost savings project. And
what you really want to do when you are in a private sector is
not only save costs, but equally if not more important is
increase revenues. In other words, there is two ways to
increase profits. You can increase revenues, save costs.
And when you talk about cybersecurity investments, one of
the big problems, this is my second point, is estimating the
benefits which are really cost benefits here, what you are
really talking about is estimating the cost savings. And the
cost savings are particularly tough to estimate for two
reasons. One is a big chunk of the cost savings really come
from, if you have a cybersecurity breach what you have here is
you lose customers and so a big chunk of those cost savings
come from avoiding lost customers. And a second big chunk of
those cost savings come from the notion of potential
liabilities. And these are two very tough things to measure.
And in order to measure them properly, you have got to take
into consideration risks, the risks associated with the breach.
And there are different notions of risk. There is a well-
established body of literature in economics and finance and in
insurance which has all kinds of metrics for measuring risk.
These metrics have not been well integrated into the
cybersecurity literature. You don't have to go out and discover
new metrics. They are there already. So that is my second
point.
My third point is that when you talk about cybersecurity,
you have got another unique kind of issue and that is you have
got what we call spillover effects, or in economics we call it
externalities. And these externalities really relate to the
fact that a big chunk of the costs associated with
cybersecurity are private costs, costs associated to a private
company. But also, another large share of these costs we call
social costs. And these social costs, this is where government
incentives become important. These social costs are costs that
are borne by other companies, not the company that is not
practicing cybersecurity.
And my last point that I want to make relates to Sarbanes-
Oxley Act, or affectionately known as SOX. One of the things
that recent research has shown is that SOX actually has as a
side effect increased the cybersecurity activities of firms. It
was, seems to me, unintended. Part of SOX requires that
corporations improve their internal controls systems. There is
no way an internal control system can be improved if you don't
have strong security. And what has happened since SOX has gone
into effect, research has shown that corporations are
increasing their security activities.
I would suggest that in respect to all four of these
points, that this committee and the Department of Homeland
Security can do several things to improve cybersecurity
investments. First, my first recommendation would be to set up
some kind of workshops associated with making the business case
for cybersecurity investments. That is the first thing.
The second thing is that we need more research in looking
at how do you actually determine the benefits associated with
cybersecurity investments.
Third, we need to look at the kinds of incentive plans that
governments set up related to these externalities, these social
costs.
Now, lots of people talk about tax credits, and that is
certainly one option. Another option, one that I probably think
should be looked at more carefully, is maybe the government
needs to set up tough security standards. Now, you can do this
by regulation, but I would recommend something different. I
might recommend setting up tough security standards, and
alongside of those is basically give preferential treatment on
government contracts to those companies that comply with those
standards. So you are giving them an economic incentive to
comply with those standards.
And the last point I want to make is I think this committee
and DHS should take a close look at the relation between
cybersecurity activities at firms and Sarbanes-Oxley Act. I
think what you will find is that a lot of good things are
coming out of that that actually relate to your concern with
improving cybersecurity in the private sector.
Thank you for giving me this opportunity, and I will be
glad to answer any questions you have related to my comments.
Mr. Langevin. Thank you, Dr. Gordon, and I thank the panel
for their testimony.
[The statement of Mr. Gordon follows:]
Incentives for Improving Cybersecurity in the Private Sector: A Cost-
Benefit Perspective
Prepared Statement of Dr. Lawrence A. Gordon
(http://www.rhsmith.umd.edu/faculty/lgordon/)
Thank you for inviting me here today to talk about economic aspects
of improving cybersecurity in the private sector. I commend the members
of the Subcommittee for focusing on this critical and complicated
issue.
Introduction
My comments today will center on ways of encouraging (i.e.,
providing incentives for) investments that are directed at improving
cybersecurity in profit-oriented organizations operating in the private
sector. However, much of what I have to say would also apply, with some
modifications, to non-profit organizations (in both the private and
public sector). My comments are based on an ongoing stream of research
on ``economic aspects of cyber/information security'' that I (along
with several colleagues) started in 1998. Part of this research has
already been published, as indicated in the reference section at the
end of this testimony.\1\
---------------------------------------------------------------------------
\1\ Given the limited nature of this testimony, many facets of the
above noted stream of research are not directly addressed in this
document (e.g., cybersecurity risk management).
---------------------------------------------------------------------------
A key concern among profit-oriented organizations is efficiency.
This concern is usually thought of in terms of facilitating the
generation of profits (i.e., the difference between revenues and costs)
for the owners of an organization, with the ultimate goal being to
increase the value of the organization. Indeed, the most powerful
incentive for an organization in the private sector to invest in
cybersecurity activities is the motivation to increase the
organization's value to its owners. For a publicly traded profit-
oriented corporation, this value proposition is usually (or at least
primarily) thought of in terms of increasing the stockholders' value.
At the heart of implementing this stockholders' value proposition
is the notion of cost-benefit analysis. ``Cost-benefit analysis
compares the costs of an activity to the benefits of that activity,
thereby focusing attention on the process of efficiently allocating
scarce resources among competing activities. In the context of
cybersecurity, the cost-benefit analysis principle means that managers
need to compare the costs of an additional information security
activity with the benefits derived from that activity'' (Gordon and
Loeb, 2006, p. 20-21). When the benefits exceed the costs, the value of
the organization will increase. Thus, in considering a decision to
increase spending on cybersecurity activities, it is important that the
organization believe that the benefits will exceed the costs.
A fundamental assumption underlying the above concept of cost-
benefit analysis is the fact that organizations have scarce resources
that need to be allocated to competing activities, including
cybersecurity activities. In other words, cybersecurity activities are
competing with other organizational activities (e.g., new product
development, R&D, merger and acquisition decisions, fringe benefits for
employees, etc.). If an organization invests more in cybersecurity
activities, that means less will be available for other initiatives
(i.e., organizations have finite resources to invest in competing
projects). Accordingly, it is important for profit-oriented
organizations to be able to argue that cybersecurity investments
represent a more efficient allocation of organizational resources (on a
cost-benefit basis) than if such resources were put to an alternative
use (e.g., developing a new product). In the vernacular of business,
this means it is important to be able to ``make the business case'' for
investing in the cybersecurity activities. Generally speaking, there is
a well established process for making the business case for an
investment, including investments in cybersecurity activities. Figure 1
provides a diagram of that process.
As indicated in Figure 1, making the business case starts with
specifying the cybersecurity objectives for the organization. Next,
various alternative investments for achieving the cybersecurity
objectives need to be identified. Once the alternatives have been
identified, the data associated with each alternative needs to be
specified and analyzed. The next step is to conduct a cost-benefit
analysis and to rank the various investment alternatives, followed by
the allocation of resources to particular cybersecurity
investment(s).\2\ The final step in the business case framework is to
conduct a post-audit of the investment decision (i.e., evaluate the
effectiveness of the cybersecurity investment decision).
---------------------------------------------------------------------------
\2\ For a detailed explanation on the mathematics underlying cost-
benefit analysis, based on discounted cash flows, see Chapter 2 of
Gordon and Loeb (2006).
---------------------------------------------------------------------------
Unfortunately, making the business case for cybersecurity
investments is often more difficult than making the business case for
many other investments. There are at least three separate, albeit
related, aspects to this added difficulty. First, the benefits derived
from cybersecurity investments are especially difficult to assess.
Second, the risks associated with cybersecurity investments are also
especially difficult to assess. Third, there are externalities (spill-
over effects) associated with cybersecurity investments. A brief
discussion of each of these concerns is provided below.
In addition to the benefits, risks and externalities associated
with cybersecurity investments, there are two other items that are
important to any discussion of improving cybersecurity investments in
the private sector. These two additional items concern the total amount
to spend on cybersecurity activities and the Sarbanes-Oxley Act of
2002. A brief discussion of both of these items is also provided below.
Benefits Derived from Cybersecurity Investments
The first difficulty associated with cybersecurity investments has
to do with identifying and estimating the benefits derived from such
investments. The primary benefits associated with cybersecurity
investments are the future ``cost savings'' derived from the prevention
of losses due to cybersecurity breaches.\3\ However, if breaches were
prevented, the actual losses would not occur and therefore would not be
observable. In fact, the better the security, the less an organization
will observe the losses resulting from cybersecurity breaches. Thus,
organizations need to estimate the potential losses from cybersecurity
breaches in order to estimate the benefits derived from cybersecurity
investments. These estimates can be based on past experiences, where
such experience exists.
---------------------------------------------------------------------------
\3\ It can also be argued that cybersecurity investments can create
a competitive advantage for an organization, which in turn translates
into potential benefits. Although this argument is correct, such
benefits are generally considered to be secondary in relation to the
potential cost savings from such investments.
---------------------------------------------------------------------------
A fundamental problem in coming up with estimates of the benefits
derived from cybersecurity investments is that the most important
potential losses are due to unobservable lost customers resulting from
cyber breaches and the potential liabilities associated with cyber
breaches. In fact, as shown in the Campbell et al. (2003) study, these
costs can be staggering.\4\ Unfortunately, even when organizations have
data upon which to estimate the explicit losses associated with
detecting and correcting past breaches, they rarely have data upon
which to estimate the implicit losses associated with lost customers
and the potential liabilities.
---------------------------------------------------------------------------
\4\ The Campbell et al. (2003) study also shows that many
cybersecurity breaches are not statistically significant, in an
economic sense.
---------------------------------------------------------------------------
One way of addressing part of the problem discussed above
concerning estimates of the benefits of cybersecurity investments is to
take a ``wait-and-see'' approach to such investments. As pointed out in
the Gordon, Loeb and Lucyshyn (2003a) study, this wait-and-see approach
is consistent with the ``real options'' (more specifically, the
``deferment option'') approach to capital budgeting. Of course, as the
name suggests, it also means that it is often best to defer certain
investments in cybersecurity due to the problems associated with
estimating the potential benefits.
The fact that the benefits derived from cybersecurity investments
are essentially ``cost savings'' raises an additional issue not
discussed above. That additional issue has to do with the fact that
most corporate executives would prefer to increase profits by
increasing revenues rather than by decreasing costs. The reason for
this preference is due to the fact that the stock market tends to
reward the owners of firms for growth as well as efficiency. Thus, in
competing for funds, cybersecurity investments have a built in bias
against them relative to ``revenue generating'' projects.
Risks Associated with Cybersecurity Investments
The second difficulty associated with cybersecurity investments
deals with the risks (or uncertainty) associated with such
investments.\5\ It is important to recognize at the onset that 100%
security is rarely feasible in a technical sense, and certainly not
cost-beneficial in an economic sense. Thus, it is important to realize
that cybersecurity investments are intended to reduce the risk (i.e.,
probability) of cybersecurity breaches. However, determining the
reduction in the probability of a particular breach taking place, let
alone a string of breaches taking place, as result of a cyber
investment is extremely difficult to estimate. Nevertheless, in
estimating the benefits from cybersecurity investments it becomes
necessary to associate those benefits with the probability of the
occurrence of security breaches. In other words, the ``expected'' cost
savings (i.e., expected benefits) from cybersecurity investments are
actually derived by multiplying the potential cyber losses by the
difference between the probability of the cyber security losses
occurring prior to the cybersecurity investment and the probability of
the cybersecurity losses occurring after the investment.
---------------------------------------------------------------------------
\5\ In the early economics literature, a distinction is sometimes
made between the terms risk and uncertainty (see Gordon and Loeb, 2006,
p. 96). For purposes of this testimony, no such distinction is made.
---------------------------------------------------------------------------
Not surprisingly, estimating the before and after probabilities
associated with cyber losses is more an art than a science. Thus, many
have argued that the entire process of trying to estimate the expected
benefits derived from cybersecurity investments is nothing more than an
academic exercise. However, the fact that it is difficult to estimate
the risk (uncertainty) associated with cybersecurity breaches should
not be used as an excuse for avoiding the determination of such
estimates.
Another aspect of the risk associated with cybersecurity
investments deals with the definition of the term risk. In the
cybersecurity literature, risk is usually associated with the expected
loss from security breaches (i.e., the sum of the product of potential
losses multiplied by the probability of such losses). The goal of
reducing the risk of a cybersecurity breach, according to this
definition of risk, is to reduce the expected loss. However, there are
other important notions of risk that should be of interest to those
responsible for allocating cybersecurity investments. For example,
reducing the variance (i.e., variation) of the potential losses is
another valuable facet of risk when discussing cybersecurity
investments.\6\ Although beyond the scope of the testimony being
submitted today, it should be noted that one way for an organization to
reduce the risk associated with cybersecurity breaches is to invest in
cybersecurity insurance (see Gordon, Loeb and Sohail, 2003).
---------------------------------------------------------------------------
\6\ The expected loss and reducing the variance of potential losses
are only two of the different concepts of risk that could be considered
in the context of cybersecurity investments. For a further discussion
of various risk concepts applicable to cybersecurity investments, see
Chapter 5 of Gordon and Loeb (2006).
Externalities Associated with Cybersecurity Investments
The third difficulty associated with cybersecurity investments
relates to the externalities (i.e., spillover effects) associated with
such investments. These spillover effects are largely the result of the
inherent interconnectivity associated with computer networks. In other
words, the security of a computer network--particularly the Internet--
depends on the actions of all users of the network. This creates a
problem in the following sense. When a firm invests in information
security activities in an effort to improve its cybersecurity, it bears
all the costs, but does not reap all the benefits. The larger the share
of the benefits that accrue to other firms, the smaller the incentive
for a firm to increase its investments in cybersecurity activities.
This may result in the firm, and hence society, under-investing in
information security. While the government could, in principle,
counteract this tendency by creating incentives for information
security investments (for example, by offering tax credits for such
investments), the government currently does not know the right level of
incentives to provide.
The externalities associated with the Internet have resulted in all
sorts of efforts to coordinate cybersecurity activities on both a
national and international level. The ISACs (Information Sharing
Analysis Centers) and the US-CERT (United States Computer Emergency
Response Team) are two good examples of efforts to coordinate
cybersecurity activities. Both of these efforts rely heavily on
information sharing related to computer security, with particular
emphasis placed upon protecting the nation's critical infrastructure.
Information sharing has the potential for lowering the cost of
cybersecurity for each organization involved in such a program.
Unfortunately, the free-rider problem (i.e., the situation where each
member of a group shares a little amount of information, in the hope of
learning a lot about the other members of the group), is prevalent
among information sharing arrangements related to cybersecurity (see
Gordon, Loeb and Lucyshyn, 2003b). Thus, unless economic incentives are
devised to offset the free-rider problem, much of the potential benefit
from information sharing organizations will not be realized.
How much in Total should be Invested in Cybersecurity Activities?
The cost-benefit framework discussed above provides a
straightforward way of assessing the benefits and costs associated with
incremental investments in cybersecurity activities. If we assume that
an organization already has in place some initial level of
cybersecurity spending, then the total spending on cybersecurity
activities would be this initial spending plus the sum of incremental
investments. A more sophisticated approach to deriving the right amount
to invest in cybersecurity activities is to assume a zero-base starting
position for such investments. In its most rigorous form, a
mathematical model can be developed to derive the optimal amount an
organization should spend on cybersecurity activities. Although cost-
benefit analysis would be embedded within such a model, an optimization
approach would be a far more sophisticated (in terms of the
mathematics) approach to deriving the right amount to invest in
cybersecurity. This model should involve specifying security breach
functions, the potential losses associated with security breaches, the
probability of such losses, and the productivity of cybersecurity
investments.
One model for deriving the optimal amount to invest in
cybersecurity activities, which has gained wide acceptance among
academicians and many practitioners, is referred to as the Gordon-Loeb
Model. This model is described in the paper by Gordon and Loeb (2002).
It must be emphasized, however, that the Gordon-Loeb Model is best
viewed as a ``framework'' for examining the optimal level of spending
on cybersecurity, rather than as an absolute solution to the
cybersecurity investment dilemma. Indeed, in the final analysis,
determining the right amount to spend on cybersecurity activities
requires sound business judgment (based on experience and knowledge
related to a particular firm and industry), as well as the application
of sound economic principles. In other words, in the final analysis,
there is no silver bullet for deriving the right amount to spend on
cybersecurity.
Since cybersecurity investment decisions are made based on
expectations of the future, the likelihood of getting the optimal
solution to the investment problem is close to zero. However, it is
important to realize that on average an organization would be better
off by utilizing sound economic principles in making cybersecurity
investment decisions than ignoring such principles.
Sarbanes-Oxley Act has Created an Incentive to Increase Cybersecurity
Activities
The accounting scandals of the late 1990s resulted in the Sarbanes-
Oxley Act (SOX) of 2002. A key aspect of this legislation deals with
the internal control requirements of SOX under Section 404. In essence,
SOX requires firms registered with the U.S. Securities and Exchange
Commission to develop sound internal control procedures associated with
financial reporting. Given the computer-based nature of modern
organizations, it is generally agreed that sound internal controls
implies sound information security. Thus, as shown by Gordon, Loeb,
Lucyshyn and Sohail (2006), an indirect result of SOX has been to
create an incentive for firms to increase their information security
activities (and by implication, investments) by firms. In essence,
research suggests that SOX has created a strong incentive for
organizations to increase their cybersecurity investments. Although the
above claim has not been directly tested, the findings by Gordon, Loeb,
Luchyshyn and Sohail (2006) clearly point to the validity of this
claim.
Summary and Recommendations
The above discussion highlights several key aspects of investments
directed at improving cybersecurity within profit-oriented
organizations operating within the private sector. These aspects can be
summarized in terms of the following five points.
1. The most powerful incentive for an organization in the
private sector to invest in cybersecurity activities is the
motivation to increase the organization's value to its owners.
At the heart of implementing this value proposition is the
concept of cost-benefit analysis, which falls under the
umbrella of ``making the business case'' for cybersecurity
investments. The idea of deriving an optimal level of
investment in cybersecurity activities is closely associated
with this cost-benefit concept. Unfortunately, many (if not
most) CIOs (Chief Information Officers) and CSOs (Chief
Security Officers) are not well versed in the economic
underpinnings of cost-benefit analysis. Accordingly, it is
often difficult for those responsible for cybersecurity
activities within a firm to make a cogent argument for
increasing the firm's spending on such activities. Remember, an
increase in spending on cybersecurity activities generally
means that less is available for spending on other initiatives
(including revenue generating initiatives) within the
organization. Thus, my recommendation is for this Subcommittee
to initiate an effort to establish training sessions for CIOs
and CSOs on how to apply cost-benefit analysis to cybersecurity
investment decisions. The development of these sessions could
fall under the auspices of the Department of Homeland Security.
In my opinion, such training would go a long way toward
improving the allocation of private sector resources toward
cybersecurity activities.
2. A fundamental problem in coming up with estimates of the
benefits from cybersecurity investments is that the most
important potential losses are due to unobservable lost
customers resulting from cyber breaches and potential
liabilities associated with cyber breaches. Until organizations
feel more comfortable with their estimates of the benefits from
cybersecurity investments, it is unlikely they will make the
necessary commitment to such investments. In other words, the
tendency will be to treat cybersecurity investments as a
necessary evil rather than sound economic investments. Thus, my
recommendation is for this Subcommittee to encourage, under the
auspices of the Department of Homeland Security, additional
research related to estimating the benefits of cybersecurity
investments.
3. The fact that it is difficult to estimate the risks
associated with cybersecurity breaches should not be used as an
excuse for avoiding the determination of such estimates. The
risks associated with cybersecurity are difficult to estimate.
As a result, many view the process of deriving the ``expected
benefits'' from cybersecurity investments as merely an academic
exercise. However, there is an extensive body of existing
literature on risk that has direct bearing upon cybersecurity
investments. To date, this literature on risk has not been well
integrated into the cybersecurity literature. Thus, my
recommendation is that the cost-benefit analysis training
sessions suggested in the first point above should include
coverage of this literature on risk.
4. The inherent interconnectivity associated with computer
networks creates externalities (spillover effects). These
externalities revolve around issues related to welfare
economics (i.e., a branch of economics associated with
improving the welfare of an entire society or economic system,
usually based on such principles as the efficiency of resource
allocations and equitable income distribution to individuals).
Since it is difficult to get organizations to incorporate these
externalities into their decisions regarding cybersecurity
investments, the development of exogenous government incentives
may be appropriate. Thus, my recommendation is for this
Subcommittee to encourage research directed at examining the
appropriateness of developing incentives to address these
externalities.
5. Research suggests that the Sarbanes-Oxley Act of 2002 has
created a strong incentive for organizations to increase their
cybersecurity activities. The fact that there is preliminary
evidence that SOX has created a strong incentive for
organizations to increase their cybersecurity activities, and
by implication their spending on such activities, is worth
exploring in greater depth. Indeed, assuming these preliminary
findings are correct, there may be ways for the Department of
Homeland Security to capitalize on this development. Thus, my
recommendation is for this Subcommittee to facilitate further
exploration of this SOX-cybersecurity relation.
[GRAPHIC] [TIFF OMITTED] T1082.13.
eps[GRAPHIC] [TIFF OMITTED] T1082.14.
epsMr. Langevin. I now recognize myself for 5 minutes. And
let me begin with you briefly, Dr. Gordon, on your point that
one of the primary goals of a firm is to increase the asset
value of the firm. But what about protecting the asset value of
the firm? And why is it that that isn't more readily apparent
as a need, in a sense a primary goal of doing business, right
along with increasing value at the firm?
Mr. Gordon. I think both of those actually address the
issue of increasing value, but I would put it in a slightly
different context. I would say that in the capital budgeting
literature, we talk about generic areas of capital investments.
One is revenue generating products, new product development,
mergers and acquisitions. Another one would be what we call
cost savings projects. Cybersecurity investments fall under
that category. The third category is what we often call must-do
projects.
So the way I would answer your question is to say that when
you get to these cost savings projects, it is much tougher. And
when you get to cybersecurity investments they are the
toughest. And the reason they are the toughest, it is much
tougher to actually observe the benefits. And the reason for
that is if you do the job right, then you have avoided those
breaches, you have avoided those catastrophes, and you don't
really see what you would have incurred as a cost.
So that is why they are particularly tough. And that is
why, when you talk about protecting assets in that sense, it is
a different kind of project. It is not that they don't add
value to the firm. They do. It is just often harder for
managers to figure out how to quantify it.
I am a big believer in that you should try to--you know,
what you measure is what you get. You need metrics. And after
you come up with these, I look at these metrics as a framework.
Once you get those, then of course you have got to bring in
good business judgment, nonfinancial concerns, nonquantitative
concerns. But there is a well established process for doing
that. So what you have to do is go through and estimate these
benefits.
Mr. Langevin. You have each had the opportunity to hear
each other's testimony. Let me just go down the line and ask,
was there anything that you heard in the other testimony of
your fellow panel members right now that struck you that you
highly agree with or strongly disagree with?
Ms. Katzen. On the basis of both the oral statements and
the written testimony which I had read, I think we are in
violent agreement. We all seem to believe and advocate that
necessity for getting good metrics, good data, good research;
that the government should not be regulating; that one size
does not fit all; that it is not an IT problem, that it is an
enterprise-wide problem. That there are business cases
involved, and that there should be market-based incentives,
with the government holding out some additional incentives to
bring the companies to the table. And I don't hear very much
difference among us.
Mr. Clinton. I would have to agree with Ms. Katzen. I am
struck very pleasantly by the degree of agreement with regard
to what is the best way forward for Congress. And it is for
Congress to act, but for Congress to act in a novel fashion.
Professor Gordon's testimony, which I think is probably
pretty difficult to summarize orally, although I think he did a
wonderful job with it, goes into really good detail on why it
is very, very difficult for real corporations to justify the
sort of extraordinary expenses that we would like to have them
make for security that goes beyond their corporate borders.
That is just not going to happen.
For about 6 years, we have been hearing rhetoric from DHS
and others saying, well, gee, if industry would only get it and
realize the value proposition is there for them to protect
their own resources, then that would take care of it. That has
not happened. The amount of spending has not increased
dramatically. It is not going to increase dramatically unless
we develop a market for this. Now, that is an unhappy solution,
but I don't see how we can come to any other realistic
solution. There are a range of things.
One of the things we haven't talked about here is that
virtually all of the ideas, and again most of us have
articulated pretty much the same ideas, use procurement better,
use awards programs. You know, based on standards. You know,
most of the standards are already there in the private sector.
We already know a lot about how to do this. We are under attack
thousands of times a day. We are preventing lots of them. We
just need more people to adopt these things.
So we don't need the government to come in and provide
standards. We don't need the government to come in and regulate
these things. We need the government to come in and provide
incentives. And the sort of incentives that I have articulated
in my testimony are incentives that have already been used in
agriculture, in aviation, in the environmental sphere, in
ground transportation, in tax law. The government has done this
stuff before, they have just not applied it to cybersecurity.
And that is what I would argue, is that if we would take the
precedent that we have found in other sectors of the economy
and the standards that have already been proven effective in
mitigating the attacks that we are having every day, that is
the payoff forward for improved cybersecurity, which is in the
national interest.
Mr. Gordon. In general, I would agree with what my
colleagues have to say here, although--and I hate to put an end
to the love fest, but I see a different focus. And let me tell
you the focus.
First of all, market-based incentives, they already exist.
The clearest market-based incentive is to get firms to realize
it is in their best interest in terms of cost efficiency to
invest more in cybersecurity investments.
And the other point I would make is, so it is not that we
disagree, but I am saying the focus to me is it is already out
there. We have got to get firms to understand how to use that
better, and I think that is something your committee could
certainly facilitate.
The other point I want to mention is that I thought the
point mentioned about Enterprise Risk Management, ERM, was
really a good one. And so I appreciate the fact that it was
mentioned. However, having done a lot of work in that area, let
me tell you the problem with ERM. ERM comes from COSO, the
Committee on Sponsoring Organization from the accounting
organizations. And COSO talks about ERM in four categories.
They talk about operations, they talk about financial
reporting, they talk about compliance and strategy.
What they don't do is give you a metric for measuring it.
And if you go and read this ERM literature, what you will find
is and you need, in my opinion, is if you need a metric for
measuring it. In fact, I have got a Ph.D. student who just
finished up a dissertation working on this very topic. And when
he came to me and wanted to do something on ERM, the first
thing I said to him is, you realize you are going to have to
come up with a metric. What we need is some kind of a metric
for measuring have we improved it.
So it is not that I would disagree. I would just say the
focus has to be on developing a metric for ERM. And so I don't
think we disagree. It is just a question of focus. I tend to be
more focused on the quantitative metrics.
Mr. Langevin. My question for Mr. Clinton is, isn't it the
case, though, that firms in the private sector when, in a sense
creating standards, that they tend to create substandard
standards?
Mr. Clinton. No. I am not aware of any evidence of that. In
my testimony, I cite the largest study that has been done on
information security which, independent study,
PriceWaterhouseCoopers study. And they found that the
companies, the best practices group, the group they classified
as following these things, were able to mitigate against
attacks better, didn't lose money like others did, and, in
fact, could deter tax.
It is, as Professor Gordon has just alluded, companies do
want to protect their own cyber systems. But the Internet
transcends those cyber systems. If you read the discussion of
externalities that is in Professor Gordon's testimony, I think
he makes a really good argument here. Basically, what we need
is for corporations that go to their own corporate borders for
their own self-interests, to provide security that goes to the
entire system. And that is--it is important to remember, there
is no private sector. There is no thing that is the private
sector. The private sector is thousands and thousands of
different companies, with different goals, technologies, et
cetera. We have to get all these guys to cooperate. They do
cooperate. They set standards all the time to make sure their
systems are interoperable, so that they can generate more
investment, have cooperative engagements, et cetera, et cetera.
There is plenty of reason for them to set good standards.
And the research indicates that when they follow those
standards and best practices, we do have demonstrable
improvements in cybersecurity. I am not going to say it is 100
percent, because the threat, as I also pointed out, continually
evolves. So we need to continue to work on it.
But the evidence that I am aware of, with all respect, Mr.
Chairman, is the opposite. Is that rather industry set
standards adequate to meet their needs, and then attempts to
meet those standards.
Moreover, one last point. One of the projects that we are
involved in at the Internet Security Alliance is to develop
model contracts around those standards, so that the really good
players like Verizon who testified on the first panel--and they
are doing a great job. They are just doing as good a job as you
can do, I think, from what I can see. What they want to do and
what we are working with them to do is to take their system and
write contracts for their vendors, their suppliers, their
customers, that include in those contracts compliance with the
high-level security systems that Verizon is already having, so
that we are using contracts to expand the perimeter of security
rather than using regulation. And those contracts are much
easier to update, keep up with the technology, keep up with the
evolving threat, than going through a regulatory model which
takes years. And, frankly, I think it is the regulatory model.
You get a bunch of lobbyists coming in, they will dumb it down
for you.
Mr. Langevin. My concern is that the private sector would
tend to skimp or to underestimate risk. We heard testimony last
week on the electric grid, where the industry ostensibly self
regulates through NERC that makes recommendations to FERC about
the type of regulations that should be put in place. Yet,
clearly the self regulation process in that instance doesn't
quite go far enough. And I believe that a model similar to the
Nuclear Regulatory Commission is stronger where they have the
ability to come in and direct, as opposed to just allowing
industry to kind of self-advise, self-regulate.
Mr. Clinton. If I could respond quickly to the chairman.
And I apologize for taking too much time. I wouldn't classify
myself as an expert in that particular sector. I frankly don't
have any members in that particular sector. We are a cross-
sector organization.
My sense would be that that is the sort of thing that we
could work with. I can tell you that there are standards that
have been shown to work. I am unfamiliar with the standards
that they have. It would seem to me that the government,
particularly in a regulated sector such as the one you are
describing, certainly can use that.
But let me point out something that was not pointed out in
the first panel, which is when GAO did their study, they found
that the number one sector that had done the best job was
completely unregulated, the IT sector. The banking sector,
which is heavily regulated, did among the worst jobs.
So I don't think that there is a one-to-one correspondence
here with respect to regulated/unregulated in terms of doing a
good job in this area. I think what we need to do is find a set
of standards that we would agree on meet certain metrics. No
disagreement on that. And then find ways to get more companies
to do that. But you have got to do it in a way so that you can
keep up with the threat.
Ms. Katzen. If I could. What I hear, though, is almost so
obvious, that this is not easy on the ERM. There are lots of
ERM models, and they have to be adapted in different ways. Cost
benefit analysis, I have spent the last 10 years of my
professional life of doing cost benefit analysis. It is not
easy. There are ways of doing it and there is literature out
there and it has to work.
The problem is the diversity of the corporate models, the
diversity of corporate awareness, the differences in technical
capabilities. You are not dealing with the monolithic world.
Someone said there is no private sector, there is lots of
components of a private sector. And this decentralized nature
can be very offputting or frustrating.
But if you can't fix it, flaunt it. Use it. And that means
don't look for a silver bullet. Don't look for a one-size-fits-
all. Don't look for the perfect thing that would work in one
sector to be applied in another, but apply sort of what comes
naturally to each sector.
Thank you.
Mr. Langevin. Thank you. The Chair now recognizes the
ranking member.
Mr. McCaul. Thank you, Mr. Chairman. I appreciate
everybody's patience. It is getting late, and we have got an
anniversary, we have trick-or-treaters tonight. We convened at
2:30. It has been 4 hours. I would like to get more input in
writing, if that would be acceptable. It is just getting a
little late and I have got to run on to another obligation.
But what I am hearing is, and tell me if I am wrong. It
sounds like, nobody here is advocating regulatory reform, but,
rather, market-based incentives. Is that correct? Is that a
fair statement, from all three?
Mr. Gordon. I think there is something in between. And the
something in between is you can have government incentives,
which is not necessarily regulatory in nature. For example, you
could go to NIST and ask NIST to set up the standards for you
for security, and you can reward companies. Companies that are
following those standards, you might give them preferential
treatment with government contracts. I don't view that as
regulation, but that is not straightforward market reform.
Mr. McCaul. Sort of the novel, Mr. Clinton, where you are
talking about the novel creative approach would be to look at
this through the government contracting process, to provide
incentives through that process?
Mr. Clinton. That is one way absolutely. Yes.
Mr. McCaul. What are some other market-based initiatives or
incentives that can be used without regulation?
Ms. Katzen. One of the ones that we talk about, and I think
Mr. Clinton does as well, is a recognition and reward program
modeled on the Energy Star, which we use to increase energy
efficiency; and, have a Cyber Star program where there would be
recognition if you set the bar high enough and you require them
to keep increasing their security.
Another of the workshops that I think we are all talking
about, whether it is to educate for how to use or do a risk
assessment or whether you are talking about how to use ERM, we
are all talking about providing additional information. Not
trying to hoard it, but to share it. And I think those kinds of
incentives, whether the government picks up the cost of
Federally-sponsored programs or gives tax credits for it are
things that each of us have talked about in different ways, but
somehow uses the Federal support for information sharing.
Those are just two ideas that I think all three of us have
signed onto one way or the other.
Mr. Clinton. Briefly, Mr. McCaul. In addition to what has
been said, there are a number of things that can be done with
insurance. Insurance is one of the strongest motivators that we
use in health care, you know, good driving, et cetera, cetera,
and there are a whole range of things that could be done with
respect to insurance. As we have mentioned procurement, there
are awards programs like the Baldrige Award. Make security a
market differentiator, publicize that. There are creative
consortiums like the Sema-Tech program that we did back in the
1980s. There are the contract systems that we use. As I said,
there is at least a half dozen.
And I don't advocate tax incentives. I think the tax
incentives would probably be a good idea, but IS Alliance lives
in the world. We don't imagine that we are going to get tax
relief for large corporations for security, even though I think
it is a good idea. Politically, it probably isn't going to fly.
But these other things ought to fly. We have done them, as I
said, in a variety of other sectors. They passed. We really
want to work with you on this.
Mr. McCaul. We have a Sema-Tech in Austin and that is a
great model.
Just in the interest of time, because it is getting late.
To the extent you can provide us additional information on what
we can do at this level, what congressional action would be
helpful to facilitate these incentives you are referring to;
whether it be the contracting, whether it be the insurance, the
information sharing? All these are great ideas that the
chairman and I can look at in terms of crafting legislation
that wouldn't be overburdensome in terms of regulating, but
rather facilitating.
Mr. Clinton. We have a good deal of material, Mr. McCaul,
and we would be happy to share that with you and the Chairman
and the rest of the committee and discuss it in greater detail
at your convenience.
Mr. McCaul. I certainly appreciate that. Thank you.
Mr. Langevin. And I agree. I look forward to seeing your
recommendations as well.
The Chair now recognizes the chairwoman of the
Transportation Subcommittee, Ms. Sheila Jackson Lee.
Ms. Jackson Lee. Thank you very much, Mr. Chairman. To your
ranking member, to my ranking member, and to the staying power
of the witnesses, let me thank you for accepting our invitation
to become fixtures in this place. But you are doing it well and
we thank you very much.
Allow me to, I held up this large document that is the
National Infrastructure Protection Plan. Let me just read into
the record some language.
Protection includes actions to mitigate the overall risk to
the critical infrastructure and key resources assets, systems,
networks, functions, or their interconnecting links resulting
from exposure, injury, destruction, incapacitation or
exploitation in the context of the National Infrastructure
Protection Plan. This includes actions to deter the threat,
mitigate vulnerabilities, or minimize consequences associated
with a terrorist attack or other incident.
And so we have our marching orders through this plan. And
you are giving us sort of the wide perspective of the private
sector. Can I get sort of a sentence answer from all of you,
though this is cybersecurity? You heard individuals
representing telecommunications and financial services on the
first panel.
Do you believe that, overall, the private sector has been
engaged in actions to mitigate the risk to these assets systems
and networks? And do you think there have been sufficient
incentives for them to do that? And as we do that, I will ask
my next question of what more once I hear where you are on that
question. Ms. Katzen. And welcome.
Ms. Katzen. Thank you. It is very good to see you.
Ms. Jackson Lee. It is good to see you. Put that on the
record.
Ms. Katzen. Thank you.
It is hard to know how much action has been taken because
we have yet to develop meaningful quality metrics to measure.
But one of the problems with the NIPP, the plan, is that it
calls for information from the private sector, but you don't
know what you are measuring against. We don't have benchmarks,
we don't have metrics by which to make progress.
I think a lot of work is being done. And much of it must be
productive, but I am not able to sit here and tell you that it
is or it isn't as long as we have a lack of a real partnership.
And this is what I was trying to say earlier. DHS has got to
work in a public-private partnership, public-public partnership
in a way that is respectful and exploits the trusted
relationships that exist, and that provides the--and I will go
back to the incentives--provides incentives for the private
sector to do the right thing. Right now, I think they are more
in a ``do it my way'' or dictate to the SSAs as or the private
sector what they should do, and I don't think that is as
productive.
Ms. Jackson Lee. Mr. Clinton.
Mr. Clinton. Thank you, Madam Chairman. I would say, first
of all, with regard to your first question, is the private
sector engaged? Yes, many people in the private sector are;
however, not nearly enough.
I participate on a number of these organizations. The
outreach to the breadth of U.S. industry is, in my opinion,
woefully inadequate. We need----
Ms. Jackson Lee. When you say breadth, you are going beyond
even the cybersecurity?
Mr. Clinton. No, Ms. Jackson Lee. I am speaking within the
context of cybersecurity. Frankly, I think that probably would
be true beyond cybersecurity. We are not reaching enough people
with respect to being involved in these various plans.
Ms. Jackson Lee. DHS is not reaching enough people?
Mr. Clinton. Yes. And with respect to do they need more
incentives, I am afraid the answer is yes. Now, certainly, as
Dr. Gordon has pointed out, there are incentives. Lots of
people are doing a lot of good things. That best practices
group I was referring to before that was found in the
PriceWaterhouseCoopers found about 30 percent of corporations,
many of the larger corporations. That is a lot of people, but
that means 70 percent are not being reached. And when we deal
with the Internet, the weakest link is the problem. So that if
we have the small businesses or the commercial sectors not
being engaged at all, they are intertwined with everybody else
and they can help bring down the whole system. We need a much
more expansive effort. And the only motivator that is going to
be dynamic enough to work is the profit motive. We have to
inject that in.
And you have got to remember, as somebody else pointed out
before, it is not just a U.S. problem. The Internet is
inherently international. So we need to reach out to the Indias
and the Chinas and everybody else. We have to have some sort of
system that is going to transcend that, and market incentives
is the most logical one, which is why I think the three of us
independently came to that conclusion.
Ms. Jackson Lee. Mr. Gordon.
Mr. Gordon. I would say that the private sector is clearly
engaged. Clear evidence of that is the growing importance of
setting up a chief security officer apart from the chief
information officer within a company. You have now most of your
major corporations have someone in charge of security who may
report to the chief information officer or may even report
directly to CFO.
Are they doing enough? That is a tough one to answer,
because in order to answer that one, you have got to really
understand where they are and where they want to be. I can only
give you my own experience, is I get contacted by at least one
senior executive a week. And one of the biggest issues from a
chief security officer's point of view is they want more
security, okay, because not only is the company their concern
but their job is their concern.
So they have the option, they have an incentive. There is
an agency problem; that is what we call it in economics. They
have an incentive to overinvest. But the biggest problem they
face is getting more funds out of the CFO for cybersecurity
investments.
So a little side note here is if you take a look at what
companies invest, all the studies tend to show that companies
invest somewhere around 5 to 7 percent of their IT budget on
security. And the interesting thing about that is that security
is becoming one of the fastest growing concerns, and the
percentage of the budget for security is not growing. So that
would suggest to me that they are not getting the share they
should be getting. It suggests that to me; but without having
the deed on particular companies, and I am sure it varies from
company to company.
Ms. Jackson Lee. My questions are never quick, but I am
going to try to offer two more quick questions recognizing your
time and the lateness of the hour. But what I would ask without
having that answered, I would like to get from the witnesses
your list of incentives that can be utilized more effectively
through DHS. And I would like that in writing. But let me try
to get Mr. Clinton, and then I have a question for Ms. Katzen
and Mr. Gordon.
You never were a fan in particular for the approach dealing
with a regulatory scheme, if you will, I don't think. You were
sort of interested in trying to, as you said, get DHS to be
more enthusiastic on this best practices area. I am still
looking at whether or not this should be a totally voluntary
approach with incentives, or whether or not we need some
regulatory structure, which I have heard my colleagues say and
I too am looking at legislation along that line. I obviously
have an array of infrastructure issues to look at.
But what I would like to know is what has been your
association in terms of being involved with DHS to promote the
best practices so that they are more broadly adopted across the
IT sector through this program.
Have you been able to engage with DHS to talk about best
practices? And I am just saying you in particular because you
represent a component of the industry that I think is
important. And, isn't this program a great way to encourage
more effective cross-sector cybersecurity protection? Meaning
this whole best practices. Have you been engaged in particular?
Let me ask my other question to both Ms. Katzen and Mr.
Gordon. I think cybersecurity gives value to companies. And it
would look like that would be one of the industry incentives
that, if my investors knew that I was managing my risk, that
that would make my product more valuable. Question is, does
Wall Street give value to cybersecurity so that companies then
are self-rewarded for what they have done? And, in essence,
does the government? Have they narrowed the rewards to even
that way? Cybersecurity, more valuable, protect the America's
assets?
I will go to Mr. Clinton first on this whole best practices
and interacting with the DHS.
Mr. Clinton. Thank you, Ms. Jackson Lee. Yes. I, speaking
as the Internet Security Alliance, am very involved.
Ms. Jackson Lee. Is that the name of the program, so you
will at least be--I will put it on the record. The Voluntary
Private Sector Preparedness Certification Program.
Mr. Clinton. Well, the Internet Security Alliance is very,
very involved in developing best practices and finding
incentives for our Members to use them. We do have an insurance
incentive program with the largest insurance provider of cyber
insurance for our best practices. We publish best practices
basically once every year. We talked earlier about the model
contracts that we provide.
So we do on the private sector side a great deal with
respect to developing best practices, providing incentives for
best practices, et cetera. With respect to, is DHS the mode for
that? I would have to tell you that we have not really found
very much grounding in working with DHS in that regard.
Most of the improvements in cybersecurity that I am aware
of happen by the private sector doing things through the
private sector, not through DHS. Maybe that will change as DHS
matures. But to this point, I would have to tell you that none
of my members would say that they are doing anything to improve
their security thanks to DHS. They are doing it for other
reasons; some are for social, some are business, for a variety
of other things.
But our view is that the infrastructure is owned and
operated by the private sector. You have to work with the
private sector to get it strengthened. When you strengthen that
infrastructure, you are also fulfilling an important homeland
security and national security function. But you do it through
private sector. Going through DHS, I think you are really
trying to stick a square peg in a round hole, and I think it is
going to be counterproductive.
Ms. Katzen. On the issue of both market value and Wall
Street, and it is referred to in my testimony, the Ernst &
Young study, which shows a very strong correlation between
success in managing risks and success on Wall Street, and that
investors do appreciate that. So I think there are data there
that support that.
Mr. Gordon. I would agree with that. Actually, if you take
a look at my written testimony, I discuss this notion of what
you call value added as opposed to cost savings from
cybersecurity investments. It is usually thought of as sort of
a secondary effect, but in the short run firms certainly can
carve out a niche for themselves, a competitive advantage of
showing they have more security than another firm. In the long
run, it will be hard to keep that competitive advantage. I do
discuss that point in my written testimony.
Ms. Jackson Lee. Thank you very much to all of the
witnesses. And, Mr. Chairman, it has been a pleasure to be able
to unveil and to pull back the covers on what has either been
happening or not been happening with DHS. And I think that
there are some roads not yet traveled that we can work on, in
particular public-public, public-private relationships and
incentives rewards.
Mr. Clinton, I don't want to leave DHS completely out and I
am not convinced that they should be completely out or not,
that they not be a regulatory structure. But I do believe that
there should be rewards that you are aware of that are given
through DHS, and apparently we have not established that
structure yet.
Mr. Clinton. I would agree with that, Ms. Jackson.
Ms. Jackson Lee. And so, let me just thank Chairman
Langevin. I look forward that we have an opportunity to work
again together on this issue. And I yield back.
Thank you all for your testimony.
Mr. Langevin. Thank you, Madam Chair. Let me just say how
much I appreciate your participation in this joint hearing, as
well as Ranking Member Lungren. This was very productive, and
some great things came out of it. I look forward to our
continuing to work together.
I also, of course, want to thank the panelists for your
patience, for your testimony. You have added great insight into
the work that we have ahead of us and perhaps a road map of
what we need to do to better coordinate this effort of
cybersecurity and working together with the public and the
private sector.
So I thank you for your testimony and the members for their
questions.
The members of the subcommittee may have additional
questions for the witnesses, and we would ask that you respond
expeditiously in writing to those questions.
Hearing no further business--again, happy anniversary to
you, Ms. Katzen. I hope you get home soon. And sorry for the
lateness of the hour, but certainly an important issue.
Hearing no further----
Ms. Jackson Lee. Happy anniversary.
Mr. Chairman, would you allow a moment of personal
privilege?
Mr. Langevin. Certainly.
Ms. Jackson Lee. Professor Katzen goes back with my
combined family.
My spouse, Dr. Elwyn Lee, he sends his greetings.
Ms. Katzen. Thank you.
Ms. Jackson Lee. And you allowed me a moment of
reminiscing, and she is as young and vibrant. And I am
apologetic. Go home for that anniversary, please. And greetings
from myself and my husband. Congratulations.
I thank you for giving me a moment of personal privilege.
Mr. Langevin. Certainly.
Ms. Jackson Lee. The check is on Chairman Langevin, so do
whatever you want to do tonight.
[Laughter.]
Mr. Langevin. On that note, hearing no further business,
the subcommittee stands adjourned. Thank you.
[Whereupon, at 6:53 p.m., the subcommittee was adjourned.]
For the Record
Prepared Statement of Michael O'Hanlon
Greetings. It is an honor to appear before the committee today.
My opening comments will be brief and rather broad. I am not an
expert on cybersecurity, hence my contribution today will involve
creating a framework within which this important aspect of homeland
security can be considered and analyzed.
It is useful to think in terms of different possible strategies for
homeland security. Clearly, in a society like ours, huge as it is, as
open and free as it is, we could be far more diligent about protecting
ourselves from terrorism than we are today.
For example, if the degree of terrorist threat here was anything
approaching that in Israel, or if even a single additional major attack
had been successfully carried out since 9/11, we would do things that
are presently seen as politically infeasible or strategically
unnecessary (such as searching baggage on most trains and buses,
tightening up land borders far more, and worrying about truck bomb
vulnerability at far more prominent buildings).
But we are already much more diligent than we were before 9/11, and
are spending more than $50 billion a year in federal funds on the
effort (whereas a decade ago we spent perhaps one fifth as much on
counterterrorism, and did not even employ the term homeland security in
the federal lexicon). So our current strategy might be seen as an
intermediate one along a spectrum of possible approaches.
A notional list of a full spectrum of possible approaches to
homeland security might look something like this, in ascending order of
intensity and cost:
Pre-9/11 Approach. The philosophy here would be to
protect only against very specific threats that have manifested
themselves before, or that would be especially worrisome. For
example, we protected nuclear power plants from sabotage, and
top officials from assassination. The annual cost to the
federal government is under $10 billion for such an approach,
roughly and notionally speaking.
Post-9/11 Threat-Based Approach. This approach would
follow a similar logic but expand the list of credible threats
based on what we learned on September 11, 2001 and in various
events around the world since then. Jeremy Shapiro of Brookings
is a proponent of this approach (see opportunity08.org).
Airline security is an obvious area of focus for this approach,
which would emphasize prevention of what we know that al-Qa'ida
and related groups CAN do, as opposed to what they might wish
to do. Reducing our vulnerability to truck bombs at prominent
sites is another logical area of emphasis, given known patterns
of terrorist activity around the world. The annual cost is
about $20 billion to $30 billion (my estimates).
Bush Administration Approach. This goes beyond the
threat-based approach to include as well attention to those
types of attacks that we know al-Qa'ida would LIKE to carry
out, as well as those that would be so horrible we have to
worry that they might occur even if they probably will not
(such as WMD attacks). Estimated annual cost $50 billion.
Brookings Approach. This approach, reflected in two
Brookings studies this decade by a team of authors, is similar
in some ways to the Bush administration's concept. But it takes
a slightly broader approach to defining threats and toughens up
the steps taken to address them in some cases. We focus
primarily on attacks that could cause major damage to our
national security, our population, or our economy (catastrophic
attacks). For example, we emphasize better protection of the
chemical industry and the hazardous trucking industry, as well
as improved use of intelligence to find patterns of possible
terrorist attack before they occur (a ``google function for
counterterrorism'') along the lines also proposed by the Markle
Foundation. Estimated yearly cost $60 billion.
``America the Vulnerable'' approach. I borrow here
from Stephen Flynn of the Council on Foreign Relations; former
Bush administration homeland security official Clark Kent Ervin
has written a somewhat similar book. The approach here is to
take imagination to its logical extreme, and suppose that any
serious attack al-Qa'ida might be able to carry out we should
defend robustly against. It is a vulnerability-based approach,
but with vulnerability defined in a broad way. Great attention
is paid to inspecting cargo in international shipping by Flynn,
for example, even though it could be very difficult to rework
our port infrastructure to make this possible. Estimated cost
$80 billion a year.
Council on Foreign Relations task force approach. This
Hart-Rudman task force of several years ago reflected the logic
of Flynn, who was involved with the project as well, and also
placed particular emphasis on equipping and training most of
America's millions of first responders to deal with WMD attacks
and other catastrophes. About $90 billion a year.
Israel-style approach. If we had to worry about small
bombs going off in most public places, a whole different level
of effort would be required, with annual costs perhaps reaching
$200 billion (and many inconveniences introduced to daily
life).
This is a very short written testimony but I hope its succinctness
will be of some use in providing a simple taxonomy for further
discussion. I would be happy in particular to explain the Brookings
approach, both in broad philosophy and in its specific recommendations.
I am attaching as an appendix a chapter in a recent Brookings book
I coauthored in 2006. I have no reason to believe my coauthor's
thinking has changed. However, given his current position, please
assign responsibility for this ``republishing'' of material that first
appeared a year and a half ago entirely to me.\1\
---------------------------------------------------------------------------
\1\ Micahel d'Arcy, Michael O'Hanlon, Peter Orszag, Jeremy Shapiro,
and James Steinberg, Protecting the Homeland 2006/2007 (Washington,
D.C.: Brookings, 2007), pp. 73-95. ???
---------------------------------------------------------------------------
Appendix: Protecting Infrastructure and Providing Incentives
for the Private Sector to Protect Itself
Since the attacks of September 11th, the private sector has
generally not done nearly enough to improve its security
against terrorist attack. For example, the Congressional Budget
Office recently concluded that ``there is relatively little
evidence that firms have been making additional investments
since September 11 to improve their security and avoid
losses.'' \2\ About 85 percent of the nation's critical
infrastructure is owned by the private sector, and security had
typically not been sufficient before the attacks, so the
failure to materially improve security measures in many key
industries represents one of the most glaring and dangerous
shortcomings in the nation's response to the terrorist attacks.
---------------------------------------------------------------------------
\2\ Congressional Budget Office, ``Federal Terrorism Reinsurance:
An Update,'' January 2005, page 13. Some industries (such as
transportation, energy, utilities, and financial services) have
increased spending modestly. See Benjamin Weiser and Claudia H.
Deutsch, ``Many Offices Holding the Line on Post-9/11 Security
Outlays,'' New York Times, August 16, 2004; and the Conference Board,
Corporate Security Management: Organization and Spending Since 9/11
(New York: The Conference Board, 2003), p. 5.
---------------------------------------------------------------------------
The key to improved security in the private sector is structuring
incentives properly: Markets respond to incentives. But to date, the
federal government has done little to alter firms' incentives for
protecting most private sector infrastructure from terrorist attack.
Apart from efforts to protect those types of infrastructure that have
already been attacked, such as commercial airliners, the
Administration's policy has been very restrained. Part of its
reluctance to intervene may be a reflection of the admittedly daunting
nature of the task--and the impossibility of knowing exactly which
types of infrastructure to protect to what standards of robustness. But
the Administration's laissez-faire approach also risks leaving
undefended targets within the United States that could nonetheless
cause catastrophic harm.
The greatest concerns apply to key pieces of private
infrastructure--chemical facilities, skyscrapers, other large
buildings, many hospitals, and so on. Such infrastructure is
predominately owned by the private sector, but is critical to the
functioning of our broader society. Protection of the public is not
always consistent with private incentives in such settings. Given
existing incentives, economic logic suggests that owners of key
infrastructure will, from the point of view of the broader public
interest, underinvest in security precautions.\3\ At present, many
industries see counterterrorism protection as a costly way to provide
an uncertain degree of protection against an unlikely threat. There are
few perceived benefits and many costs to improving security. As Frank
Cilluffo, former Special Assistant to the President for Homeland
Security in the Bush administration puts it: ``We need to be able to
spur [that] investment by providing incentives. Right now, the
incentives are disincentives.'' \4\
---------------------------------------------------------------------------
\3\ Peter R. Orszag, ``Homeland Security and the Private Sector,''
Testimony before the National Commission on Terrorist Attacks Upon the
United States, November 19, 2003.
\4\ Frank Cilluffo, ``The Mission of Homeland Security,'' The NYU
Review of Law and Security: Are We Safer?, Issue No. 3 (Fall 2004), p.
38.
---------------------------------------------------------------------------
Private markets by themselves do not generate sufficient incentives
for homeland security, and government intervention can therefore be
warranted, for several reasons. Most broadly, national security is a
core constitutional responsibility of the federal government. Even if a
given terrorist attack only affects private property, it can have
broader ramifications for the country's sense of safety. In the
terminology of economists, such an attack imposes a ``0negative
externality.'' The presence of this negative externality means that
private markets will undertake less investment in security than would
be socially desirable: Individuals or firms deciding how best to
protect themselves against terrorism are unlikely to take the external
costs of an attack fully into account, and therefore will generally
provide an inefficiently low level of security against terrorism on
their own.\5\ Without government involvement, private markets will thus
typically under-invest in anti-terrorism measures.\6\
---------------------------------------------------------------------------
\5\ It is also possible, at least in theory, for private firms to
invest too much in anti-terrorism security. In particular, visible
security measures (such as more uniformed guards) undertaken by one
firm may merely displace terrorist attacks onto other firms, without
significantly affecting the overall probability of an attack. In such a
scenario, the total security precautions undertaken can escalate beyond
the socially desirable levels--and government intervention could
theoretically improve matters by placing limits on how much security
firms would undertake. Unobservable security precautions (which are
difficult for potential terrorists to detect), on the other hand, do
not displace vulnerabilities from one firm to another and can at least
theoretically reduce the overall level of terrorism activity. For an
interesting application of these ideas to the Lojack automobile
security system, see Ian Ayres and Steven Levitt, ``Measuring Positive
Externalities from Unobservable Victim Precaution: An Empirical
Analysis of Lojack,'' Quarterly Journal of Economics, Vol. 108, no. 1
(February 1998). For further analysis of evaluating public policy in
the presence of externalities, see Peter Orszag and Joseph Stiglitz,
``Optimal Fire Departments: Evaluating Public Policy in the Face of
Externalities,'' Brookings Institution Working Paper, January 2002.
\6\ The Coase theorem shows that under very restrictive conditions,
the negative externality can be corrected by voluntary private actions
even if the role of government is limited to enforcing property rights.
But the Coase theorem requires that all affected parties are able to
negotiate at sufficiently low cost with each other. Since virtually the
entire nation could be affected indirectly by a terrorist attack, the
costs of negotiation are prohibitive, making the Coase theorem
essentially irrelevant in the terrorism context.
---------------------------------------------------------------------------
Second, a more specific negative externality exists with regard to
inputs into terrorist activity. For example, loose security at a
chemical facility can provide terrorists with the materials they need
for an attack. Similarly, poor security at a biological laboratory can
provide terrorists with access to dangerous pathogens. The costs of
allowing terrorists to obtain access to such materials are generally
not borne by the facilities themselves: the attacks that use the
materials could occur elsewhere. Such a specific negative externality
provides a compelling rationale for government intervention to protect
highly explosive materials, chemicals, and biological pathogens even if
they are stored in private facilities. In particular, preventing access
to such materials is likely to reduce the overall risk of catastrophic
terrorism, as opposed to merely displacing it from one venue to
another.
Third, a related type of externality involves ``contamination
effects.'' Contamination effects arise when a catastrophic risk faced
by one firm is determined in part by the behavior of others, and the
behavior of these others affects the incentives of the first firm to
reduce its exposure to the risk. Such interdependent security problems
can arise, for example, in network settings. The problem in these
settings is that the risk to any member of a network depends not only
on its own security precautions but also on those taken by others. Poor
security at one establishment can affect security at others. The result
can often be weakened incentives for security precautions.\7\ For
example, once a hacker or virus reaches one computer on a network, the
remaining computers can more easily be contaminated. This possibility
reduces the incentive for any individual computer operator to protect
against outside hackers.
---------------------------------------------------------------------------
\7\ See Howard Kunreuther and Geoffrey Heal, ``Interdependent
Security,'' Journal of Risk and Uncertainty 26: 231-249 (March/May
2003), and Howard Kunreuther, Geoffrey Heal, and Peter Orszag,
``Interdependent Security: Implications for Homeland Security Policy
and Other Areas,'' Policy Brief #108, Brookings Institution, October
2002.
---------------------------------------------------------------------------
Even stringent cyber-security may not be particularly helpful if a
hacker has already entered the network through a ``weak link.''
A fourth potential motivation for government intervention involves
information--in particular, the cost and difficulty of accurately
evaluating security measures. For example, one reason that governments
promulgate building codes is that it would be too difficult for each
individual entering a building to evaluate its structural soundness.
Since it would also be difficult for the individual to evaluate how
well the building's air intake system could filter out potential bio-
terrorist attacks, the same logic would suggest that the government
should set minimum anti-terrorism standards for buildings if there were
some reasonable threat of a terrorist attack on the relevant type of
buildings (so that the individual would have some interest in ensuring
that the building were protected against biological attack). Similarly,
it would be possible, but inefficient, for each individual to conduct
extensive biological anti-terrorism safety tests on the food that he or
she was about to consume. The information costs associated with that
type of system, however, make it much less attractive than a system of
government regulation of food safety.
The fifth justification for government intervention is that
corporate and individual financial exposures to the losses from a major
terrorist attack are inherently limited by the bankruptcy laws. For
example, assume that there are two types of possible terrorist attacks
on a specific firm: A very severe attack and a somewhat more modest
one. Under either type of attack, the losses imposed would exceed the
firm's net assets, and the firm would declare bankruptcy--and therefore
the extent of the losses beyond that which would bankrupt the firm
would be irrelevant to the firm's owners. Since the outcome for the
firm's owners would not depend on the severity of the attack, the firm
would have little or no incentive to reduce the likelihood of the more
severe version of the attack even if the required preventive steps were
relatively inexpensive. From society's perspective, however, such
security measures may be beneficial--and government intervention can
therefore be justified to address catastrophic possibilities in the
presence of the bankruptcy laws.
The sixth justification for government intervention is that the
private sector may expect the government to bail it out should a
terrorist attack occur. The financial assistance to the airline
industry provided by the government following the September 11th
attacks provides just one example of such bailouts. Such expectations
create a ``moral hazard'' problem: private firms, expecting the
government to bail them out should an attack occur, do not undertake as
much security as they otherwise would. If the government cannot
credibly convince the private sector that no bailouts will occur after
an attack, it may have to intervene before an attack to offset the
adverse incentives created by the expectation of a bailout.
The final justification for government intervention involves
incomplete markets. The most relevant examples involve imperfections in
capital and insurance markets. For example, if insurance firms are
unable to obtain reinsurance coverage for terrorism risks (that is, if
primary insurers are not able to transfer some of the risk from
terrorism costs to other insurance firms in the reinsurance market),
some government involvement may be warranted. In addition, certain
types of activities may require large-scale coordination, which may be
possible but difficult to achieve without governmental intervention.
These market shortcomings provide a justification for targeted
government intervention. But providing a high degree of protection for
all possible targets would be prohibitively expensive and practically
impossible. Focusing on high-impact attacks helps to narrow the range
of private-sector settings in which government intervention is
warranted.
When government intervention is needed, the best approach is to use
government regulation to alter incentives for the private sector for
better protecting itself. This can be done either by providing firms
with certain advantages when they adopt appropriate measures (the
carrot approach), or by imposing costs on those who fail to adopt such
measures (the stick approach). In both cases, the goal would be the
same: to introduce a difference in the cost of one activity compared to
another, accomplished either by reducing the cost of the first activity
(e.g., an investment in security) or by raising the cost of the second
activity (e.g., business as usual).
For example, consider the case of trucking. Truck drivers can be
subjected to more intensive background searches, and advanced
technologies can be used to monitor trucks and ensure the security of
their cargo in real time. The government could directly subsidize such
steps, for example by providing tax credits to firms that adopt them.
Or it could mandate insurance for trucking firms, thereby relying on
insurances firms to impose costs (e.g., through higher premiums) on
firms that fail to adopt appropriate security measures. The government
could also combine either of these approaches with some form of
regulation, such as allowing better protected cargo trucks to travel
closer to population centers than less protected trucks, thereby
providing time and money savings to the firms that invest in protecting
their trucks.
The key distinction between the ``carrot'' and the ``stick''
approaches is who pays. Government subsidies or tax credits spread the
cost of homeland security spending in a particular private market
across the entire population, rather than the stakeholders (the owners
of businesses, the workers, and consumers of the product) in that
sector itself. The stick approach--either through regulation or
insurance, or some combination thereof--instead concentrates its costs
on the stakeholders in that sector. If particular sectors are
inherently more dangerous than others, we as a society may want to
encourage activity in other, safer sectors where we have a choice--
which would be better accomplished by having stakeholders in the sector
bear the full cost of protection. The reason is that imposing the cost
on the stakeholders rather than the general public would raise the
costs of the most dangerous activities. The market would thus
discourage such activities (through higher prices), which would help to
mitigate the risk of a terrorist attack in the most dangerous sectors.
Before turning to a discussion of specific industries, we first
examine these generic approaches to improving security in the private
sector.
SUBSIDIES
Perhaps the most obvious way of strengthening incentives for
protective measures in the private sector is to provide a government
subsidy. For example, some policy-makers have proposed tax credits for
security measures. This approach, however, is generally flawed, and not
just because of the substantial budget imbalance facing the nation.
Subsidies or tax credits can encourage unnecessarily expensive
investments in security measures (or ``gold plating''). The problem is
particularly severe in the case of investments that provide protection
against terrorist attack but also have substantial other benefits to
firms. Even if they don't encourage firms to undertake excessively
costly investments with minimal homeland security benefits, subsidies
or tax credits can provide benefits to firms that would have undertaken
the investments even in the absence of the tax subsidy--raising the
budget cost without providing any additional security. In other words,
subsidies or tax credits ``buy out the base'' of what firms are already
doing to protect themselves against terrorist attack. Subsidies or tax
credits also do a poor job of differentiating between high-risk and
lower-risk sectors, yet the degree of government intervention should
clearly vary by circumstance. In other words, designing and
implementing subsidies or tax credits is likely to be just as
cumbersome and inefficient as designing direct regulations.
INSURANCE AS A MECHANISM FOR IMPROVING INCENTIVES
An alternative is to provide incentives for better security through
the insurance system. At first glance, terrorism insurance may seem
counterproductive: Firms and individuals with insurance against
terrorist attack would appear to lack incentives to take appropriate
precautions against an attack. However, where such insurance is
available, it typically comes with provisions (such as a deductible) to
ensure that the insured bear at least some of the cost of an attack,
and thus have an economic incentive to avoid such attacks or minimize
their consequences. More important, the insurance companies themselves
have an incentive to encourage risk-reducing activities. Indeed,
insurance firms are well positioned to provide incentives for
mitigation efforts--for firms to take steps ahead of time to protect
themselves against terrorist attack. The terrorism insurance market
could thus guide protective efforts. Best practices would be encouraged
through graduated rate structures for insurance that encourage
individual owners to adopt prudent and cost-effective technologies and
procedures for protecting their assets and the people within them.
Three critical questions arise with regard to the use of insurance
in this way. The first is whether firms will voluntarily purchase the
insurance. Terrorism insurance coverage among large firms has expanded
noticeably: take-up rates were quite low in 2003 but nearly doubled in
2004, reaching almost half of large firms in mid2004.\8\ Despite the
recent increases, however, take-up of terrorism insurance remains well
below 100 percent.\9\ In the absence of universal take-up, at least
among firms that own critical infrastructure, the incentives provided
by the insurance industry would be much less likely to produce adequate
risk reduction. Furthermore, voluntary insurance markets often suffer
from classic problems of ``adverse selection,'' in which firms that are
riskier are the ones that are more likely to purchase insurance,
creating a potential spiral of rising premiums and reduced take-up.
---------------------------------------------------------------------------
\8\ Congressional Budget Office, ``Federal Terrorism Reinsurance:
An Update,'' January 2005, page 6; and Erwann Michel-Kerjan and
Burkhard Pedell, ``Terrorism Risk Coverage in the post-9/11 Era: A
Comparison of Public-Private Partnerships in France, Germany, and the
U.S,'' Risk Management and Decision Processes Center, Wharton School,
University of Pennsylvania, Working Paper 2004029, October 2004, page
22.
\9\ Some economists argue that many firms should not insure
themselves against terrorist attack, since the owners of the firm can
mostly if not entirely diversify that risk. Kent Smetters, ``Insuring
Against Terrorism: The Policy Challenge,'' NBER Working Paper 11038,
January 2005.
---------------------------------------------------------------------------
The shortcomings with voluntary terrorism insurance raise the
question of whether insurance should be mandatory--at least for large
firms or key sectors. Mandatory insurance would not only facilitate
risk-mitigation efforts on a broader scale and allow the insurance
industry to spread its risks more effectively, but would also reduce
the likely demands on government following any attack in the
future.\10\
---------------------------------------------------------------------------
\10\ Howard Kunreuther and Erwann Michel-Kerjan, ``Policy Watch:
Challenges for Terrorism Risk Insurance in the United States,'' Journal
of Economic Perspectives, Volume 18, Number 4, Fall 2004, page 211.
---------------------------------------------------------------------------
In France, terrorism insurance is mandatory.\11\ Former Deputy
Homeland Security Adviser Richard Falkenrath has suggested that
Congress mandate that terrorism insurance be included in all commercial
insurance policies.\12\ In our view, terrorism insurance should indeed
be required on all commercial policies, perhaps above some minimum
threshold of several million dollars to avoid unnecessary
administrative costs in settings unlikely to cause high-impact
terrorist damage.
---------------------------------------------------------------------------
\11\ Erwann Michel-Kerjan and Burkhard Pedell, ``Terrorism Risk
Coverage in the post-9/11 Era: A Comparison of Public-Private
Partnerships in France, Germany, and the U.S,'' Risk Management and
Decision Processes Center, Wharton School, University of Pennsylvania,
Working Paper 2004029, October 2004.
\12\ Statement of Richard A. Falkenrath before the United States
Senate Committee on Homeland Security and Governmental Affairs, January
26, 2005.
---------------------------------------------------------------------------
The second question is whether the insurance industry will be able
to develop the tools for evaluating terrorism risk. Models of terrorism
risk at the level of zip codes or specific locations are now available
from firms such as Risk Management Systems, EQECAT, and Applied
Insurance Research Worldwide.\13\ These models represent significant
advances; they are, however, inherently limited not only by the paucity
of historical data on terrorist attacks but also by the difficulties in
predicting how terrorist behavior will evolve over time. For example,
one model assumes that risk is mostly concentrated in high visibility
targets; another assumes that attacks at low visibility targets could
be employed to sow confusion and broad fears.\14\ The key issue is not
whether the models are fully reliable; they clearly are not.\15\
Instead, the fundamental question is whether the models could become
good enough to provide the basis for an insurance-oriented approach to
protective efforts. From this perspective, especially compared to an
alternative of failing to provide incentives for private efforts or
relying exclusively on government regulation, the models seem
relatively insightful. And it should be possible for them to be
informed by government risk analyses as well. Homeland Security
Presidential Directive 7 (HSPD 7) requires the Secretary of Homeland
Security to coordinate national protection efforts in infrastructure
sectors such as information technology, telecommunications,
transportation, and the chemical industry, and requires the government
as a whole to prioritize protection activities.\16\
---------------------------------------------------------------------------
\13\ Congressional Budget Office, ``Federal Terrorism Reinsurance:
An Update,'' January 2005, page 4.
\14\ Congressional Budget Office, ``Federal Terrorism Reinsurance:
An Update,'' January 2005, page 4.
\15\ The insurance industry operates in many areas in which models
are nowhere close to fully reliable, including tort cases. See Kent
Smetters, ``Insuring Against Terrorism: The Policy Challenge,'' NBER
Working Paper 11038, January 2005.
\16\ President George W. Bush, ``Homeland Security Presidential
Directive/HSPD 7: Critical Infrastructure Identification,
Prioritization, and Protection,'' December 17, 2003, available at
www.whitehouse.gov/news/releases/2003/12/print/20031217-5.htlm.
---------------------------------------------------------------------------
A final question is whether the insurance industry requires a
government backstop to play the role envisioned for it here. Some
economists argue that the risks can be spread across private financial
markets without government intervention.\17\ Other economists and
market observers, however, argue that capital market imperfections
impede the ability of insurers to provide coverage against catastrophic
risks, such as those involved in terrorist activities. In such a case,
a government backstop may be required. Alan Greenspan, for example, has
testified that he has ``yet to be convinced'' that the terrorism
insurance market could operate effectively without a government
backstop.\18\
---------------------------------------------------------------------------
\17\ Kent Smetters, ``Insuring Against Terrorism: The Policy
Challenge,'' NBER Working Paper 11038, January 2005. See also Appendix
B in Congressional Budget Office, ``Federal Terrorism Reinsurance: An
Update,'' January 2005.
\18\ ``Senators Trying Again To Extend Terrorism Insurance Plan,''
CongressDaily, February 18, 2005.
---------------------------------------------------------------------------
The most pressing issue involves the Terrorism Risk Insurance Act
(TRIA), enacted in November 2002. TRIA is scheduled to expire on
December 31, 2005, and policymakers are debating whether it should be
extended. Under TRIA, insurance firms are required to offer terrorism
coverage, and the government agrees to pay a specified share of the
insured losses in the event of a terrorist attack.\19\ Although some
form of federal backstop should be extended past 2005, significant
changes in the existing program are warranted.\20\ A substantial flaw
with the current program is that no fee is imposed by the government
for the backstop. (The government would recover a certain amount of its
losses after the fact, but through a surcharge on all commercial
policies, rather than only on those with terrorism insurance
components. As a result, the government program effectively subsidizes
terrorism insurance, with all commercial policyholders potentially
liable to pay for part of the subsidy.) A better approach would have
the government charge a premium based on how much protection the
insurance firm itself wants; the government should continue, though,
only to provide coverage against extreme losses.\21\ Losses below the
catastrophic level should be covered entirely by private markets.
---------------------------------------------------------------------------
\19\ For a description, see Congressional Budget Office, ``Federal
Terrorism Reinsurance: An Update,'' January 2005.
\20\ See also Swiss Re, ``Terrorism Risks in Property Insurance and
Their Insurability After September 11, 2001'' (2003).
\21\ For one explanation of how various layers of insurance could
be provided, including a government layer for catastrophic losses, see
Howard Kunreuther and Erwann Michel-Kerjan, ``Policy Watch: Challenges
for Terrorism Risk Insurance in the United States,'' Journal of
Economic Perspectives, Volume 18, Number 4, Fall 2004.
A MIXED SYSTEM WITH INSURANCE AND REGULATIONS
An insurance-based system could be combined with a larger policy of
regulatory standards and third-party inspections. A mixed regulatory-
insurance system is already applied in many other areas, such as owning
a home or driving a car. Local building codes specify minimum standards
that homes must meet. But mortgages generally require that homes also
carry home insurance, and insurance companies provide incentives for
improvements beyond the building code level--for example, by providing
a reduction in the premiums they charge if the homeowner installs a
security system. Similarly, governments specify minimum standards that
drivers must meet in order to operate a motor vehicle. But they also
require drivers to carry liability insurance for accidents arising out
of the operation of their vehicles. Meanwhile, insurance companies
provide incentives for safer driving by charging higher premiums to
those with poorer driving records.\22\
---------------------------------------------------------------------------
\22\ To be sure, crucial differences exist between the terrorist
case and these other examples. For example, stable actuarial data exist
for home and auto accidents, but not for terrorist attacks.
Nonetheless, it may be possible for insurers to distinguish risks of
loss based on differences in damage exposures, given a terrorist
incident. Some financial firms are already trying to devise basic
frameworks for evaluating such risks. See, for example, Moody's
Investors Service, ``Moody's Approach to Terrorism Insurance for U.S.
Commercial Real Estate,'' March 1, 2002.
---------------------------------------------------------------------------
A mixed system of minimum standards coupled with an insurance
mandate not only can encourage actors to act safely, but also can
provide incentives for innovation to reduce the costs of achieving any
given level of safety. The presence of minimum regulatory standards
also helps to attenuate the moral hazard effect from insurance: Moral
hazard arises when firms, knowing that they are insured against
terrorist losses, take less care in protecting against attack. Minimum
standards could also provide guidance to courts in determining
negligence under liability laws.\23\
---------------------------------------------------------------------------
\23\ For a discussion of the potential benefits of a mixed system
of building code regulations and mandatory catastrophic risk insurance
in the context of natural disasters, see Peter Diamond, ``Comment on
Catastrophic Risk Management,'' in Kenneth Froot, ed., The Financing of
Catastrophe Risk (University of Chicago Press: Chicago, 1999), pages
85-88.
---------------------------------------------------------------------------
A mixed system also has the advantage of being flexible, a key
virtue in an arena where new threats will be ``discovered'' on an
ongoing basis. In situations in which insurance firms are particularly
unlikely to provide proper incentives to the private sector for
efficient risk reduction (for example, because insurers lack experience
in these areas), regulation can play a larger role.
Third-party inspections can be coupled with insurance protection to
encourage companies to reduce the risk of accidents and disasters.
Under such schemes, insurance corporations would hire third-party
inspectors to evaluate the safety and security of plants seeking
insurance cover. Passing the inspection would indicate to the community
and government that a firm complies with safety and security
regulations. The firm would also benefit from reduced insurance
premiums, since the insurer would have more confidence in the safety
and security of the firm.
This system takes advantage of two potent market mechanisms to make
firms safer, while freeing government resources to focus on the largest
risks. Insurance firms have a strong incentive to make sure that the
inspections are rigorous and that the inspected firms are safe, since
they bear the costs of an accident or terrorist attack. Private sector
inspections also reduce the number of audits the regulatory agency
itself must undertake, allowing the government to focus its resources
more effectively on those companies that it perceives to pose the
highest risks. The more firms decide to take advantage of private
third-party inspections, the greater the chances that high-risk firms
will be audited by the regulatory agency.
Studies have shown how such a program could be implemented in
practice. In Delaware and Pennsylvania, the State Departments of
Environmental Protection have worked closely with the insurance
industry and chemical plants to test this approach for chemical
facility safety.\24\
---------------------------------------------------------------------------
\24\ For further information, see Howard Kunreuther, Patrick
McNulty, and Yong Kang, ``Improving Environmental Safety Through Third
Party Inspection,'' Risk Analysis. 22: 309-18, 2002.
REQUIRED STEPS IN SPECIFIC INDUSTRIES AND SECTORS
The steps required to improve security vary across industries. In
keeping with the principles we set forth in chapter one, it is
important to find ways to maximize protection, particularly against
catastrophic attack, in cost-effective ways and where possible in a
manner that provides additional benefits outside the homeland security
realm. But applying these principles to specific industries and sectors
requires considerable detailed technical analysis on a case by case
basis.
One common theme in much of the below, however, is that appropriate
safeguards are often expensive to implement immediately but relatively
painless to build into new systems. For example, given that al-Qa'ida
appears to have considerable interest in biological agent attacks, and
given the continued difficulty of treating the symptoms of biological
attacks quickly and effectively (especially on a large scale), it
behooves the United States to adopt defensive measures where cost-
effective.\25\ Air intakes on buildings can be put well above street
level and beyond the reach of anyone without access to restricted
areas.\26\ Filters might be built into air circulation systems, to
impede the distribution of any chemical or biological agent introduced
into a building (and a slight overpressure maintained within buildings
to reduce the risk that agents will infiltrate from the outside).\27\
Addition of filters may sometimes only be practical when entire
heating, ventilation, and air conditioning systems are being
replaced.\28\ Still, over time, considerable progress is quite
feasible. Many modern heating and air circulation systems have the
kinds of sensors, adaptable flows, and other features that could help
protect against the effects of terrorist attack as well as optimize a
building's functioning and the quality of its air in normal times.\29\
This shows how measures taken in part to promote homeland security can
have other benefits.
---------------------------------------------------------------------------
\25\ Judith Miller, ``U.S. Has New Concerns About Anthrax
Readiness,'' New York Times, December 28, 2003, p. A20; and Philip
Shenon, ``Terrorism Drills Showed Lack of Preparedness, Report Says,''
New York Times, December 19, 2003.
\26\ Gregory Wright, ``Is Your Building's HVAC Safe Against
Terrorism?'' HVACR News, vol. 24, no. 2 (May 2004).
\27\ U.S. Army Corps of Engineers, ``Protecting Buildings and Their
Occupants from Airborne Hazards,'' draft, October 2001; Energy
Information Administration, Department of Energy, ``Building
Characteristics: Buildings Use Tables,'' table 12, available at
www.eia.doe.gov/emeu/consumption; Letter from Michael C. Janus,
Battelle Corporation, December 1, 2001, to Michael O'Hanlon; and Ann
Gerhart, ``Tom Ridge, on High Alert,'' Washington Post, November 12,
2001, p. C1.
\28\ Department of Health and Human Services, Guidance for
Protecting Building Environments from Airborne Chemical, Biological, or
Radiological Attacks (May 2002);
\29\ Jon C. Lund, ``Smart Buildings,'' IEEE Spectrum (August 2003),
pp. 18-23.
---------------------------------------------------------------------------
Protecting key buildings against attacks involving explosives is
difficult, but sometimes warranted when high casualties or other severe
damage to society could result from a given attack (and when any attack
is probably preventable through reasonably inexpensive measures).
Sometimes it is a matter of adopting simple steps of limited but useful
impact. For example, elevators might be built so as to descend to the
nearest floor in the event of a power outage--a wise investment against
the possibility of electricity overloading as well. (In the public
sector, relatedly, street lights could be given low-energy diode
emitters powered by batteries as backups to main power systems.\30\)
---------------------------------------------------------------------------
\30\ Peter Fairley, ``The Unruly Power Grid,'' IEEE Spectrum
(August 2004), pp. 22-27.
---------------------------------------------------------------------------
Truck bombs will remain a threat in the future; they have been the
weapon of choice of al-Qa'ida in most attacks since 9/11. Defending
against them can involve constructing new, prominent buildings a
certain distance back from streets--as has occurred with a number of
new U.S. embassies in recent years. Further desirable measures, at
least for the highest-profile buildings, can involve using shatterproof
glass or comparable coatings in the lower floors of such buildings, and
closing or at least inspecting entrants into underground parking
garages. Relatedly, one might worry about large bombs being assembled
piece by piece through the use of individual bags to carry explosives
into buildings. This threat may argue for controlling access to
symbolically important buildings in particular. At present, outside of
New York, very few major buildings have any checks or controls on
entry.\31\
---------------------------------------------------------------------------
\31\ Terry Pristin, ``Different Cities, Different Security for
Buildings,'' New York Times, July 9, 2003, p. C6.
The Chemical and Nuclear Industries
The U.S. chemical industry remains quite vulnerable to possible
terrorist strikes.\32\ As Richard Falkenrath recently testified, ``To
date, the federal government has made no material reduction in the
inherent vulnerability of hazardous chemical targets inside the Untied
States. Doing so should be the highest critical infrastructure
protection priority for the Department of Homeland Security in the next
two years.'' \33\ A DHS study that ranked a terrorist act releasing
chlorine, along with nuclear and anthrax attacks, as among the most
deadly plausible scenarios for the United States to worry about in the
future gives further credence to Falkenrath's view.\34\ As we argue in
chapter one, it is precisely such types of vulnerabilities that demand
the most urgent attention.
---------------------------------------------------------------------------
\32\ For further discussion of homeland security and the chemical
industry, see Congressional Budget Office, ``Homeland Security and the
Private Sector,'' Chapter 3 (Chemicals and Hazardous Materials),
December 2004.
\33\ Statement of Richard A. Falkenrath before the United States
Senate Committee on Homeland Security and Governmental Affairs, January
26, 2005.
\34\ Eric Lipton, ``U.S. Report Lists Possibilities for Terrorist
Attacks and Likely Toll,'' New York Times, March 16, 2005, p. 1.
---------------------------------------------------------------------------
Voluntary measures have been adopted by some chemical plants,
notably those of the American Chemistry Council, but these represent a
minority of the nation's total such facilities. Hardening plants
against sophisticated attacks by well-trained bands of terrorists, and
other such robust safeguards, could be uneconomical and in many cases
unnecessary. There are thousands of chemicals produced in the United
States, but only some 300 that are very dangerous and about half that
number that are most extreme in the threats they pose. There are tens
of thousands of chemical plants but only 4,000 to 8,000 where the
improper release of agent could kill 1,000 or more individuals.\35\ But
a more systematic approach that at least requires periodic assessments
of vulnerabilities and common-sense solutions is imperative.\36\
Senator Corzine introduced a bill to do just that but it has not been
passed by the Congress.\37\
---------------------------------------------------------------------------
\35\ Richard D. Farmer, Homeland Security and the Private Sector
(Washington, D.C.: Congressional Budget Office, December 2004), pp.
21--28.
\36\ Government Accountability Office, Homeland Security: Voluntary
Initiatives Are Under Way at Chemical Facilities, but the Extent of
Security Preparedness Is Unknown, GAO-03-439 (March 2003), summary
page.
\37\ Office of Senator Jon S. Corzine, ``Fact Sheet on Senator
Corzine's Chemical Security Legislation,'' November 17, 2003, available
at www.corzine.senate.gov/priorities/chem _sec.html; and Rick Hind and
David Halperin, ``Lots of Chemicals, Little Reaction,'' New York Times,
September 22, 2004, p. A31.
---------------------------------------------------------------------------
There are also situations where less dangerous chemicals can be
used in place of highly toxic ones. Reducing dependence on chlorine for
drinking water purification is the most notable example. In these
cases, the good sense of chemical plant owners combined with the
guiding hand of the insurance market are the ideal mechanisms for
improving safety.\38\
---------------------------------------------------------------------------
\38\ A related topic concerns the safeguards applied to the sales
of certain lethal chemicals. Not enough has yet been done to ensure
proper oversight in this regard. For example, a full decade after the
Oklahoma City tragedy, only three states have notable regulations on
the sale of ammonium nitrate fertilizer. Oklahoma joined South Carolina
and Nevada in requiring requiring presentation of identification from
anyone wishing such fertilizer and tracking sales of such materials to
allow for investigation of any problems that may result. Others should
follow this lead. In such cases where simple, common-sense, minimal-
cost regulations can be devised, they are hardly inconsistent with the
general approach advocated here of using market incentives where
possible but mixed approaches including some regulation when sensible.
See Associated Press, ``National Briefing--Oklahoma: Rules to Regulate
Selling of Fertilizer,'' New York Times, February 18, 2005, p. A17.
---------------------------------------------------------------------------
Another key challenge is securing nuclear materials.\39\ Power
plants are now protected fairly well. But the cooling ponds used for
storage of spent fuel may not be protected against certain types of
attacks (such as from airplanes).\40\ Nor are many areas where low-
medium-grade waste is stored. These latter materials can be used in
``dirty bombs.'' While such weapons might not kill large numbers, they
could cause enormous economic costs (due to cleanup) and disruption (if
a city center or other important area could not be used while being
cleaned). Here the most practical defense is much improved security for
sites where such materials are found, at home and abroad.\41\ In this
type of case, where the optimal safety features are not obvious,
regulation may be less desirable than reliance on insurance market
incentives.
---------------------------------------------------------------------------
\39\ See Congressional Budget Office, ``Homeland Security and the
Private Sector,'' Chapter 2 (Civilian Nuclear Power), December 2004.
\40\ Shankar Vedantam, ``Storage of Nuclear Spent Fuel
Criticized,'' Washington Post, March 28, 2005, p. 1.
\41\ Peter D. Zimmerman and Cheryl Loeb, ``Dirty Bombs: The Threat
Revisited,'' Defense Horizons, no. 38 (Washington, D.C.: National
Defense University, January 2004); and Joby Warrick, ``Smugglers
Targeting Dirty Bombs for Profit,'' Washington Post, November 30, 2003,
p. 1.
Passenger Trains, Buses, and Boats
On March 11, 2004, a simple terrorist strike against trains in
Madrid killed some 200 people and injured another 1,500. The July 7,
2005 London attacks, killing more than 50 themselves, underscored that
Madrid was not a fluke. This worry applies not only to trains, but in
similar ways to buses, ferries, and cruise ships. Yet not nearly as
much attention has been given to this issue as, for example, to
airplane security.\42\
---------------------------------------------------------------------------
\42\ Arnold M. Howitt and Jonathan Makler, ``On the Ground:
Protecting America's Roads and Transit Against Terrorism,''
(Washington, D.C.: Brookings, 2005).
---------------------------------------------------------------------------
Several experimental efforts have been made to monitor passengers
and cargo entering American trains. However, such efforts tend to rely
heavily on labor-intensive methods such dogs to detect explosives. The
challenge is the speed at which people must move through such stations,
and the number of passengers involved, particularly for heavily
traveled local train services and subways.\43\ For example, the New
York subway system carries nearly 4 million passengers a day (getting
on and off at 468 stations); all America's airports handle just 1.5
million people a day between them.\44\
---------------------------------------------------------------------------
\43\ Baronet Media Ltd., ``Washington Tests High Security System
for Trains,'' Vigilo Risk, issue #1, June 9, 2004, p. 7.
\44\ Gregg Easterbrook, ``In an Age of Terror, Safety Is
Relative,'' New York Times, June 27, 2004, p. 1.
---------------------------------------------------------------------------
Some additional safeguards are desirable for trains and buses.
Emergency communications systems can be improved, stations protected by
perimeter fencing and guards and monitoring, relevant tunnels hardened,
and spot checking made more common. Further federal funding is
appropriate here; insurance markets are unlikely to be of much help
since much train infrastructure is publicly owned.\45\ The American
Public Transportation Association has called for over $7 billion in
added funding for mass transit systems including trains over the next
three years--thirty times the expenditures of the last three years
combined.\46\ Indeed, there is a strong case for substantial funding
increases.\47\
---------------------------------------------------------------------------
\45\ Baronet Media Ltd., ``House Committee Seeks $1 Billion for
U.S. Rail Security,'' Vigilo Risk, issue #2, June 23, 2004, p. 7.
\46\ David Randall Peterman, ``Passenger Rail Security: Overview of
Issues,'' CRS Report for Congress (Washington, D.C.: Congressional
Research Service, July 29, 2005), pp. 2--3.
\47\ Nicole Gaouette, ``Senate is Split on Spending Bill for
Domestic Security,'' Los Angeles Times, July 12, 2005.
---------------------------------------------------------------------------
But the $7 billion added amount strikes us as too much. More
logical is a gradual, incremental increase that continually evaluates
the benefits of new and experimental measures as they are introduced.
The fact of the matter is that, almost independent of expenditure
levels, security will not be perfect on trains and buses. Controlling
access of all passengers at all times seems unrealistic.
Tightened security measures can be used for special events or in
the case of intelligence alerts suggesting particular cause for
concern. For example, police officers were put on every subway train in
New York the day after the July 7, 2005 London bombings.\48\ But alas
this vulnerability is one of those so difficult to address that it
underscores the need for preventive homeland security activities-border
patrols, prevention efforts by police departments and the FBI, and so
forth--as well as continued intelligence operations and offensive
action abroad.
---------------------------------------------------------------------------
\48\ Sewell Chan, ``In Added Security Measure, Officers are Riding
the Rails,'' New York Times, July 8, 2005.
---------------------------------------------------------------------------
A Democratic attempt to add $1.7 billion to the 2006 budget for
rail security failed in the Congress.\49\ The Democratic idea was sound
but the amount was, for the reasons noted above, probably too much.
That said, an increase in the range of hundreds of millions of dollars
would have been appropriate, and should be pursued for the 2007 budget.
---------------------------------------------------------------------------
\49\ David Rogers, ``Homeland Budget Accord Is Reached,'' Wall
Street Journal, September 30, 2005, p. 2.
---------------------------------------------------------------------------
The situation is similar for passenger ships and ferries. Some
improvements in security are warranted, but that said, vulnerability is
a fact of life.\50\ Given that most such attacks, however tragic they
might be, would not be catastrophic in the terms we use in chapter one,
a cost-benefit analysis--and the state of available technology and
procedures for security--suggest that only limited investments of the
type already underway are warranted at this time.\51\
---------------------------------------------------------------------------
\50\ In addition to the threat of explosives being placed in cars,
or planted directly on ferries and other ships, there is a risk of
scuba divers attacking ships. See Jim Gomez, ``Terror Plots May Reach
New Depths,'' Chicago Tribune, March 18, 2005. Sometimes certain risky
ports or waterways can be avoided overseas, but clearly this is not a
protection method of complete reliability. See David Wood, ``Terrorism
Fears Divert Navy Supply Ships from Suez Canal,'' Newhouse.com, January
13, 2005.
\51\ Eric Lipton, ``Trying to Keep the Nation's Ferries Safe from
Terrorists,'' New York Times, March 19, 2005, p. 18.
Cargo Trains, Trucks, and Barges Carrying Hazardous Materials
Trucks, trains, and barges are the chief methods for the transport
of hazardous materials in the United States today. On the issue of
trucks, at present there are few restrictions on who can drive the
trucks and where those trucks can go--except of course that as a matter
of public safety, tunnels and certain other very specific sections of
road are sometimes deemed off limits to certain classes of highly toxic
or flammable materials. Background checks have been begun for drivers
of especially dangerous classes of chemicals and other substances. But
efforts to authenticate their identities using identification with
biometric indicators remain in the pilot, testing stage.\52\ Moreover,
Mexican and Canadian drivers on American roads are not being checked in
the same way.\53\ Some municipalities have similarly decided to find
substitutes for the most lethal sorts of chemicals often carried by
trucks (such as chlorine) when possible. Some companies train their
employees in security precautions and monitor key facilities such as
fuel depots. But these efforts are at present scattershot.\54\
---------------------------------------------------------------------------
\52\ William H. Robinson, Jennifer E. Lake, and Lisa M. Seghetti,
``Border and Transportation Security: Possible New Directions and
Policy Options,'' CRS Report for Congress (Washington, D.C.:
Congressional Research Service, March 29, 2005), pp. 9--10.
\53\ Transportation Security Administration, information at
www.tsa.gov/public/display?content=09000519800d3fd3&print=yes, accessed
January 6, 2005.
\54\ See David Johnston and Andrew C. Revkin, ``Officials Say Their
Focus Is on Car and Truck Bombs,'' New York Times, August 2, 2004, p.
A13.
---------------------------------------------------------------------------
This situation is highly imprudent. Leaving aside the issue of
truck bombs, many trucks carry potentially lethal materials that could
kill thousands if dissipated in densely congested parts of cities. To
reduce the risks, several steps can be taken. First, for those drivers
transporting anything from gasoline to chlorine, background checks must
be done comprehensively and quickly. Names and fingerprints must be
compared to entries on terror watchlists. Second, truck storage yards
must meet minimal safety standards limiting access and monitoring
perimeters. Third, safety features should be used on the doors of
relevant trucks--reducing the odds that dangerous materials would be
stolen for subsequent use in a terrorist attack. Given the danger of
the materials involved, not just to the drivers of the trucks and
others directly involved but to society on the whole, minimal safety
standards are important enough to be done by regulation rather than
relying entirely on the insurance markets.
As an additional precaution, trucks carrying certain highly toxic
substances should be banned from the most central parts of cities--
unless escorted by security and outfitted with tracking technology as
well as automatic braking technology.\55\ Economic incentives would
thus come into play, with firms measuring the costs of protective
technology against the economic benefits of being granted greater
access to densely populated regions.
---------------------------------------------------------------------------
\55\ Flynn, America the Vulnerable, pp. 118--122.
---------------------------------------------------------------------------
The chlorine gas tragedy in South Carolina in January of 2005
underscored the need for upgrades to security in this realm as well.
Several types of improvements are needed. As the South Carolina
accident underscored, both would have benefits for general public
health beyond the subject of counterterrorism, reducing the risks of
routine accidents. Since it is a dual-benefit program, it serves one of
main goals we suggest in chapter one for guiding future homeland
security efforts.
When substitution of dangerous chemicals by safer chemicals cannot
happen, specific trains should be rerouted away from the centers of
cities when necessary and practical. In early 2005, the District of
Columbia prohibited shipments of hazardous materials through parts of
the nation's capital. A more systematic national effort is appropriate
as well.\56\ (The most lethal substances should be banned outright from
city centers; others could be permitted, as noted above, when companies
adopt best practices on safety such as automatic tracking and braking
technology on their trucks.)
---------------------------------------------------------------------------
\56\ Eric M. Weiss and Spencer S. Hsu. ``90-Day Hazmat Ban Is
Passed; Measure Will bar Shipments in DC.'' Washington Post, February
2, 2005, p. B1.
---------------------------------------------------------------------------
Finally, safety standards should be enforced. For example, it
should not be tolerated that half of the nation's 60,000 train cars
frequently carrying poisonous gases are obsolete or otherwise in poor
shape.\57\ This recommendation complements the first, since it is
easier to improve safety on a smaller number of trains.\58\
---------------------------------------------------------------------------
\57\ Walt Bogdanich and Christopher Drew, ``Deadly Leak Underscores
Concerns About Rail Safety.'' New York Times, January 9, 2005, p. 1.
\58\ Sara Kehaulani Goo, ``Accidents Spur New Focus on Securing
U.S. Raily System,'' Washington Post. Janaury 29, 2005.
The Food and Water Industries
Other areas where not enough has been done to prevent attacks are
the food industry and the country's water infrastructure.
In regard to food, the case for doing more can be debated. There
are no known cases of al-Qa'ida or affiliates attacking the food
supply, but that hardly means that an organization that has already
proved itself innovative will not attack it in the future. And certain
types of attacks, such as a small amount of botulism toxin poured into
a milk truck leaving a farm could literally cause tens if not hundreds
of thousands of deaths.\59\ Thus, if simple and economical measures
that bring other benefits beyond the counterterrorism domain can be
identified, they should be seriously considered.
---------------------------------------------------------------------------
\59\ Rick Weiss, ``Report Warns of Threat to Milk Supply,''
Washington Post, June 29, 2005, p. A8.
---------------------------------------------------------------------------
As he left the Bush administration, former Secretary of Health and
Human Services Tommy Thompson said the worries ``every single night''
about large-scale food poisoning.\60\ But infrastructure for monitoring
food supplies and quickly detecting any signs of contamination is
insufficient. Some additional funding has been added for food safety
investigators and laboratories to check for deliberate contamination.
But no demands have been placed on the nation's 50,000+ food processing
sites to improve site security. Some voluntary measures have been
adopted by the industry--and FDA and USDA have preferred to keep them
voluntary to avoid collecting data that could later be made available
due to Freedom of Information Act requests. But these have been
spotty.\61\
---------------------------------------------------------------------------
\60\ Mike Allen, ``Rumsfeld to Remain at Pentagon; Thompson Quits
at HHS, Warns of Vulnerabilities,'' Washington Post, December 4, 2004,
p. A1.
\61\ General Accounting Office, Food-Processing Security, GAO-03-
342 (February 2003), pp. 1--7.
---------------------------------------------------------------------------
Requiring sites such as food processing centers to carry terrorism
insurance (against any liability for poisoning that occurs on their
premises) may provide the simplest and soundest means of addressing
this vulnerability in a cost-effective way. At a minimum, it could lead
to more uniform adaptation of commonsense protective measures such as
more systematic patrolling and monitoring of the perimeters of
facilities.
As suggested by the Democratic members of the House Select
Committee on Homeland Security, each state or region should also have
the ability to quickly test foods for a wide range of possible
contaminants. This can allow spot checking of food under normal
circumstances, and prompt efforts to contain the consequences of any
attack should one occur.
As for water, it is extremely difficult to contaminate large water
systems because of the amount of material needed for lethal doses. That
means that protecting drinking water reservoirs, for example, need not
extend to the level of providing complete assurance that no person on
foot is ever near a reservoir at any time. Protective systems that keep
trucks away from such reservoirs, and monitor foot traffic well enough
to ensure that substantial numbers of people are not able to gain entry
to a reservoir, would generally suffice. And as for the chemical
treatment facilities, these can be viewed largely as any other chemical
plant--with risk, and appropriate security measures, determined by the
nature of the chemicals in use. To the extent chlorine is employed,
that implies a reasonably high level of protection, but nothing beyond
the scale of what would be properly applied to many other facilities in
the chemical industry.\62\
---------------------------------------------------------------------------
\62\ Government Accountability Office, Homeland Security: Agency
Plans, Implementation, and Challenges Regarding the National Strategy
for Homeland Security, GAO-05-33 (January 2005), pp. 84--93.
---------------------------------------------------------------------------
A second problem with water concerns the potential for attacks on
dams to flood metropolitan areas and create conditions not unlike those
produced by Hurricane Katrina--though this time without the warning.
Risk assessments have been completed for the nation's major dams.\63\
The amount of high explosive needed to destroy most of them, together
with improved site security near most, limit the likely danger
associated with this type of terrorist scenario. But they do not
eliminate the risk entirely by any means. At a minimum, this worry is
further reason for the nation to digest fully the lessons of Katrina--
and figure out how to mount large-scale responses to such catastrophes
within hours rather than days. This observation has implications for
many agencies, including NORTHCOM. The military should not be the lead
responder to the vast majority of natural disasters or terrorist
strikes, in terms of leading any effort. But leaving aside such issues,
as well as the question of whether posse comitatus should be modified,
the U.S. armed forces have physical capacities rivaled by no other
national institution and at a minimum need to be better prepared to
organize and deploy them fast in future crises.
---------------------------------------------------------------------------
\63\ Claudia Copeland and Betsy Cody, ``Terrorism and Security
Issues Facing the Water Infrastructure Sector,'' in Russell Howard,
James Forest, and Joanne Moore, eds., Homeland Security and Terrorism
(New York: McGraw Hill, 2006), p. 200.
Energy Infrastructure
It will not always be possible to know what infrastructure to
protect and what not to protect--until after the fact. Take for example
the Alyeska Pipeline in Alaska (or any other oil pipeline). It is
possible to use a rifle to disrupt the flow of oil, and in fact that
has happened before (though in an act closer to vandalism or
hooliganism than terrorism). Pipelines are of course attacked in
Colombia, Iraq, and elsewhere so this threat is hardly implausible.
That said, taking steps to try to prevent such attacks would clearly be
very difficult in some places, short of setting up dense security
perimeters (or burying the pipelines). Moreover, attacks on oil
pipelines would be unlikely to cause the loss of any human life. This
is the type of threat that should be in a second or even third tier of
importance.\64\ Some measures such as protecting choke points, ensuring
capacity for quick shutdown of damaged pipes, and protecting the
pumping stations (and key electronics) of pipeline systems are
warranted, but comprehensive protection is not.\65\
---------------------------------------------------------------------------
\64\ See for example, Andrea R. Mihailescu, ``Alaska's Vulnerable
Oil Pipeline,'' Jane's Terrorism and Security Monitor, September 1,
2004.
\65\ One area where it behooves the United States to establish
improved vigilance is in the vulnerability of power, communications,
transportation, and water infrastructure to electromagnetic pulse from
a high-altitude nuclear detonation. Terrorists are unlikely to carry
out such an attack, but a nation-state could, and the nature of the
preparation against such an attack is akin to homeland security
activities so worthy of brief mention here. Protecting all electronics
from such an attack is impractical (and modern electronic systems, with
their low power requirements and low voltage tolerances, are inherently
more vulnerable to such attacks than were vacuum tubes). But the
country's infrastructure should not be allowed to fail catastrophically
after such an attack; the period of recovery could last many months,
during which time the country would have function like a premodern
society. Devising protections to key nodes of major infrastructure is
estimated to cost about one to three percent of total system cost, if
done when a system is first being built. But retrofitting protections
onto existing equipment might be an order of magnitude more expensive,
implying costs reaching well into the tens of billions of dollars. This
suggests a two-track approach to protection, redressing glaring
vulnerabilities where feasible in the short term (that is, hardening
key electronics used by major infrastructure, or purchasing backup
systems), while planning to gradually eliminate other vulnerabilities
as infrastructure is modernized in the coming years. See 65 Commission
to Assess the Threat to the United States from Electromagnetic Pulse
(EMP) Attack, Report of the Commission to Assess the Threat to the
United States from Electromagnetic Pulse (EMP) Attack, Volume I:
Executive Report (2004), available at www.iwar.org.uk/iwar/resources/
emp/04-0722emp.pdf, accessed February 17, 2005; and Testimony of Frank
Gaffney before the House Committee on the Budget, U.S. Congress,
February 16, 2005.
---------------------------------------------------------------------------
To take another energy example, of greater concern given the
potential loss of life involved in any attack, Boston is the only major
city in the United States to have a liquid natural gas terminal nearby.
(Explosions of such tankers could cause structural damage to buildings
a third of a mile away and burn the skin of people a mile away.\66\ )
Tankers were not allowed to come into Boston harbor to service this
terminal during the 2004 Democratic convention, suggesting that there
is a real basis to worry about a possible attack. But has the danger
really passed now that the convention is over? This question suggests
that it would be prudent to move the terminal--if not immediately, then
at least when a major renovation would be needed on the existing
infrastructure.\67\
---------------------------------------------------------------------------
\66\ Justin Blum, ``Report Assesses Risks of Attack on Tankers,''
Washington Post, December 22, 2004, p. E1.
\67\ Associated Press, ``Collins Suicide Attack Warning,'' Lloyd's
List, July 5, 2004, p. 12.
Skyscrapers, Major Buildings and Other Structures
In the United States, most large buildings, famous public
facilities, sports stadiums, concert halls, and shopping malls are open
to the public--and thus to terrorists armed with explosives, chemicals,
or biological pathogens. Most such structures lack the types of filters
that could clean up contamination that gets inside. Few buildings have
the types of air circulation systems that reduce the danger of such
contamination in the first place. And few have common-sense protections
against the kinds of car and truck bombs that al-Qa'ida continues to
employ with frequency and effectiveness around the world even in the
post-9/11 era.
The degree of appropriate protection depends clearly on the nature
of the potential target. For the nation's 500 skyscrapers, 250 largest
arenas and stadiums, large train stations and airports, and any other
locations where many thousands of people gather in confined spaces,
special efforts are required when practical. New buildings might even
be built a certain distance back from streets (as is the case with many
U.S. embassies today), tougher structural building codes employed, and
parking garages kept physically separate from buildings. But these
sorts of sweeping measures are clearly not practical for all cases.\68\
---------------------------------------------------------------------------
\68\ See Protecting the American Homeland, pp. 54--56.
---------------------------------------------------------------------------
Existing structures can be equipped with shatterproof glass in
lower floors. Vehicles entering their parking garages can be searched
and in some cases restricted in their movements. When air circulation
systems are renovated, their intakes should be moved above street level
and monitored. Reverse pressure air systems and good filters are among
the other options. Again, insurance markets can help incentivize owners
to adopt such measures.\69\
---------------------------------------------------------------------------
\69\ See Eric Lipton and James Glanz, ``New Rules Proposed to Help
High-Rises Withstand Attacks,'' New York Times, March 6, 2002, p. A1;
Letter from Michael C. Janus, Battelle Corporation, December 1, 2001,
to Michael O'Hanlon; Ann Gerhart, ``Tom Ridge, on High Alert,''
Washington Post, November 12, 2001, p. C1; and Statement of Arden
Bement, Director, National Institute of Standards and Technology,
Hearing before the Committee on Science, U.S. House of Representatives,
107 Cong. 2 sess. (March 6, 2002).
---------------------------------------------------------------------------
CONCLUSION
The number of sites that might be targeted in the United States is
daunting, and a rigorous means of protecting the country
comprehensively is unaffordable (if even conceivable). But the United
States has a more limited number of sites of particular interest--where
thousands of individuals routinely congregate, where the economy has
important choke points or centers of activity, where the symbolic and
political effect of any attack could be hugely significant. Most such
sites are in the private sector, which holds 85 percent of the nation's
infrastructure, though an important number are clearly public too. By
focusing on this category of key locations (and establishing different
tiers of necessary protection within that category), and by using
insurance makrets and related mechanisms to give private owners
incentives to adopt best practices at reasonable cost, the country's
vulnerability to truly catastrophic terrorism can be substantially
mitigated. Since 9/11, we have moved towards this objective. But we
have a great distance still to go.
__________
[GRAPHIC] [TIFF OMITTED]
Appendixes
----------
[GRAPHIC] [TIFF OMITTED]