

H.R. 4246, THE CYBER SECURITY INFORMATION ACT OF 2000: AN EXAMINATION OF ISSUES INVOLVING PUBLIC-PRIVATE PARTNERSHIPS FOR CRITICAL INFRASTRUCTURES

HEARING before the SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, INFORMATION, AND TECHNOLOGY of the COMMITTEE ON GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED SIXTH CONGRESS, SECOND SESSION

ON H.R. 4246, TO ENCOURAGE THE SECURE DISCLOSURE AND PROTECTED EXCHANGE OF INFORMATION ABOUT CYBER SECURITY PROBLEMS, SOLUTIONS, TEST PRACTICES AND TEST RESULTS, AND RELATED MATTERS IN CONNECTION WITH CRITICAL INFRASTRUCTURE PROTECTION

JUNE 22, 2000

Serial No. 106-223

Printed for the use of the Committee on Government Reform. Available via the World Wide Web: http://www.gpo.gov/congress/house and http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE, 72-361, WASHINGTON : 2001

For sale by the Superintendent of Documents, U.S. Government Printing Office. Internet: bookstore.gpo.gov. Phone: (202) 512-1800. Fax: (202) 512-2250. Mail: Stop SSOP, Washington, DC 20402-0001.

COMMITTEE ON GOVERNMENT REFORM

DAN BURTON, Indiana, Chairman

Majority: BENJAMIN A. GILMAN, New York; CONSTANCE A. MORELLA, Maryland; CHRISTOPHER SHAYS, Connecticut; ILEANA ROS-LEHTINEN, Florida; JOHN M. McHUGH, New York; STEPHEN HORN, California; JOHN L. MICA, Florida; THOMAS M. DAVIS, Virginia; DAVID M. McINTOSH, Indiana; MARK E. SOUDER, Indiana; JOE SCARBOROUGH, Florida; STEVEN C. LaTOURETTE, Ohio; MARSHALL ``MARK'' SANFORD, South Carolina; BOB BARR, Georgia; DAN MILLER, Florida; ASA HUTCHINSON, Arkansas; LEE TERRY, Nebraska; JUDY BIGGERT, Illinois; GREG WALDEN, Oregon; DOUG OSE, California; PAUL RYAN, Wisconsin; HELEN CHENOWETH-HAGE, Idaho; DAVID VITTER, Louisiana.

Minority: HENRY A. WAXMAN, California; TOM LANTOS, California; ROBERT E. WISE, Jr., West Virginia; MAJOR R. OWENS, New York; EDOLPHUS TOWNS, New York; PAUL E. KANJORSKI, Pennsylvania; PATSY T. MINK, Hawaii; CAROLYN B. MALONEY, New York; ELEANOR HOLMES NORTON, Washington, DC; CHAKA FATTAH, Pennsylvania; ELIJAH E. CUMMINGS, Maryland; DENNIS J. KUCINICH, Ohio; ROD R. BLAGOJEVICH, Illinois; DANNY K. DAVIS, Illinois; JOHN F. TIERNEY, Massachusetts; JIM TURNER, Texas; THOMAS H. ALLEN, Maine; HAROLD E. FORD, Jr., Tennessee; JANICE D. SCHAKOWSKY, Illinois; BERNARD SANDERS, Vermont (Independent).

Kevin Binger, Staff Director; Daniel R. Moll, Deputy Staff Director; David A. Kass, Deputy Counsel and Parliamentarian; Lisa Smith Arafune, Chief Clerk; Phil Schiliro, Minority Staff Director.

Subcommittee on Government Management, Information, and Technology

STEPHEN HORN, California, Chairman

Majority: JUDY BIGGERT, Illinois; THOMAS M. DAVIS, Virginia; GREG WALDEN, Oregon; DOUG OSE, California; PAUL RYAN, Wisconsin.

Minority: JIM TURNER, Texas; PAUL E. KANJORSKI, Pennsylvania; MAJOR R. OWENS, New York; PATSY T. MINK, Hawaii; CAROLYN B. MALONEY, New York.

Ex Officio: DAN BURTON, Indiana; HENRY A. WAXMAN, California.

J. Russell George, Staff Director and Chief Counsel; Bonnie Heald, Director of Communications; Bryan Sisk, Clerk; Michelle Ash, Minority Counsel.

C O N T E N T S

Hearing held on June 22, 2000
Text of H.R. 4246

Statement of:
Johnstone, Ambassador L. Craig, senior vice president, International Economic and National Security Affairs, U.S. Chamber of Commerce
Oslund, Jack, chairman, Legislative and Regulatory Working Group of the National Security Telecommunications Advisory Committee
Sobel, David L., general counsel, Electronic Privacy Information Center
Tritak, John, Director, Critical Infrastructure Assurance Office, U.S. Department of Commerce
Willemssen, Joel C., Director, Accounting and Information Management Division, U.S. General Accounting Office
Woolley, Daniel, president and chief operating officer, Global Integrity Corp.

Letters, statements, etc., submitted for the record by:
Davis, Hon. Thomas M., a Representative in Congress from the State of Virginia, prepared statement of
Horn, Hon. Stephen, a Representative in Congress from the State of California, Presidential Decision Directive 63
Johnstone, Ambassador L. Craig, senior vice president, International Economic and National Security Affairs, U.S. Chamber of Commerce, prepared statement of
Oslund, Jack, chairman, Legislative and Regulatory Working Group of the National Security Telecommunications Advisory Committee, prepared statement of
Sobel, David L., general counsel, Electronic Privacy Information Center, prepared statement of
Tritak, John, Director, Critical Infrastructure Assurance Office, U.S. Department of Commerce, prepared statement of
Turner, Hon. Jim, a Representative in Congress from the State of Texas, prepared statement of
Willemssen, Joel C., Director, Accounting and Information Management Division, U.S. General Accounting Office: Information concerning critical infrastructure protection; Prepared statement of
Woolley, Daniel, president and chief operating officer, Global Integrity Corp., prepared statement of

H.R. 4246, THE CYBER SECURITY INFORMATION ACT OF 2000: AN EXAMINATION OF ISSUES INVOLVING PUBLIC-PRIVATE PARTNERSHIPS FOR CRITICAL INFRASTRUCTURES

THURSDAY, JUNE 22, 2000

House of Representatives, Subcommittee on Government Management, Information, and Technology, Committee on Government Reform, Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in room 2154, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding.

Present: Representatives Horn, Biggert, Davis, and Turner.

Also present: Representative Moran.

Staff present: J. Russell George, staff director and chief counsel; Bonnie Heald, director of communications; Bryan Sisk, clerk; Will Ackerly, Chris Dollar, and Meg Kinnard, interns; Michelle Ash and Trey Henderson, minority counsels; Ellen Rayner, minority chief clerk; Jean Gosa, minority clerk; Melissa Wojack; and Amy Herrick.

Mr. Horn. The subcommittee will come to order. Today's hearing is on a subject that is both important and timely. The security threat posed to our Nation's critical infrastructure is made more apparent each day as computer viruses place at risk the free flow of information in the cyber world. When you consider that our critical infrastructure is composed of the financial services arena, telecommunications system, information technology, transportation, water systems, electric power, gas and oil sectors, among many others, the threat is one that must be taken seriously.

These sectors have traditionally operated independently but coordinated with the Government to protect themselves against threats posed by traditional warfare. However, in today's environment these sectors must learn how to protect themselves against unconventional threats such as terrorist and cyber attacks. They must also recognize the new vulnerabilities caused by technological advances. As we learned when preparing for the year 2000 rollover, many of the Nation's most critical computer systems and networks are highly interconnected. With the many advances in information technology, most of these sectors are linked to one another, which increases their exposure to cyber threats. What affects one system can affect the other systems.
In the 104th Congress we called upon the administration to study the Nation's critical infrastructure vulnerabilities and to identify solutions to address those vulnerabilities. The administration has identified a number of steps that must be taken in order to eliminate the potential for significant damage to our critical infrastructure. Foremost among these suggestions is the need to ensure proper coordination between the public and private sectors who represent the Nation's infrastructure community. The goal of H.R. 4246, which we are examining today, is to encourage cooperation in this vitally important effort.

Before I call on the primary author of this proposal, because a number of our members have to be in and out of other markups around the Hill, I now yield to Mr. Moran, who is a coauthor of the legislation, for his opening statement on the bill.

[The text of H.R. 4246 follows:]

[GRAPHIC] [TIFF OMITTED] T2361.065 through T2361.069

Mr. Moran. Well thank you very much, Chairman Horn, and thank you for your courtesy. I have got another hearing over in Cannon, but that is very nice of you to do that and appreciate your leadership of this committee. Jim Turner is going to be here shortly, the ranking member, and Tom Davis, the other original sponsor of this legislation. Tom, as I think everyone in this room knows, has been a tremendous leader in the area of information technology and particularly cyber security. We both represent northern Virginia's technology community and this is a terribly important issue.

Every day in America thousands of unauthorized attempts are made to intrude into the computer systems that control key Government and industry networks, including defense facilities, power grids, banks, Government agencies, telephone systems, transportation systems. Some of these attempts fail but too many succeed.
Some gain systems administrator status, download passwords, implant sniffers to copy transactions, or insert what are called trap doors to permit an easy return. Some attacks are the equivalent of car thief joy-riders committing a felony as a thrill. They are only mischievous. But others are committed for industrial espionage, theft, revenge-seeking vandalism, or extortion. Some may be committed for intelligence collection, reconnaissance, or creation of a future attack capability. The perpetrators range from juveniles to thieves, from organized crime groups to terrorists, potentially hostile militaries and intelligence services.

What has emerged in the last several years is a dramatic increase in the seriousness of this threat. We know of foreign governments creating offensive attack capabilities against America's cyber networks. America is vulnerable to such attacks because it has quickly become dependent upon computer networks for so many essential services. It has become dependent while paying little attention to protecting those networks. Water, electricity, gas, communications, rail, aviation, and almost all our critical functions are directed by computer controls over vast information systems networks.

In 1995, Presidential Decision Directive 39, what we call PDD 39, directed the Attorney General to lead a Government-wide re-examination of the adequacy of the Nation's infrastructure protection. That review prompted the President to establish in 1996 the President's Commission on Critical Infrastructure Protection, a joint Government and private sector effort to study threats to the Nation's critical infrastructure industries, including cyber security threats.
In October 1997 this organization issued a report that identified the need for a strategy of industry cooperation and sharing of information relating to cyber security, including threats, vulnerabilities, and interdependencies, as the quickest and most effective way to achieve much higher levels of infrastructure protection. The Director of the CIA recently testified before Congress that cyber attacks from other countries and rogue terrorist groups represent the most viable option for leveling the playing field, disarming us in an armed crisis against the United States.

The President's National Plan for Information Systems Protection issued 6 months ago and an earlier Presidential directive have called on Congress to pass legislation that would encourage information sharing to address these cyber security threats to our Nation's privately held critical infrastructure. That is what this legislation is all about.

When Congressman Davis and I attended the Partnership for Critical Infrastructure meeting at the U.S. Chamber of Commerce, the one consistent issue raised by the business community was the sharing of sensitive but important security information. Their concern stemmed from the lack of clarity in antitrust laws and concerns related to disclosures the Government would have to make based on Freedom of Information. This Freedom of Information Act is the real stumbling point.

The challenge posed by the threat of potentially widespread Y2K failures offered a similar set of problems. It was a parallel situation. In response to those problems, a coalition of businesses worked with the bipartisan coalition in Congress and the administration to meet the same need: industry cooperation and sharing of information related to Y2K, including threats, vulnerabilities, and interdependencies. Again, it was many of the same people that put that legislation together, and as I mentioned, Tom was the original sponsor of that too.
A number of us put together a bipartisan approach and it was effective. And after the passage of that Y2K Information Readiness Disclosure Act, the information began to flow much more freely. And that free flow of information was one of the key reasons why Y2K came and went without significant problems. A similar remedy addressing the cyber security of the Nation's highly integrated critical infrastructure is necessary to best protect Americans from cyber threats and vulnerabilities. This legislation does just that. It is a balanced approach.

There is no issue more important to the health of our economy than ensuring that our Nation's critical infrastructure is protected. Government cannot protect the Nation's infrastructure from cyber attacks without the help of the private sector. As a result businesses must take the lead and work together with the Government to share information so that we can ensure that our Nation's critical infrastructure is protected from cyber attacks and vulnerabilities.

So I am most happy to be cosponsoring the legislation along with my colleague and good friend from Virginia, Tom Davis. Coming out of this subcommittee with its record of achievement with Chairman Horn and Ranking Member Turner, I trust this is going to get speedy passage as well. I applaud this committee for holding this hearing and I trust that as a result we are going to be able to provide the framework that will provide industry with the tools necessary for meeting this challenge. It is important legislation. Thank you very much for having the hearing, Mr. Chairman. I appreciate you giving me the opportunity to make that statement. Thank you.

Mr. Horn. Thank you very much to the gentleman from northern Virginia. And now I yield to the ranking member, Mr. Turner, the gentleman from Texas.

Mr. Turner. Thank you, Mr. Chairman. This clearly is one of the most challenging issues that we face, the protection of critical infrastructure. In the interest of time, Mr. Chairman, I think I will submit my statement for the record and yield back my time. Again, I want to thank Mr. Davis and Mr. Moran for their leadership on the issue.

[The prepared statement of Hon. Jim Turner follows:]

[GRAPHIC] [TIFF OMITTED] T2361.001

Mr. Horn. I thank the gentleman. We now call on the author of the bill, Mr. Davis, the gentleman from northern Virginia.

Mr. Davis. Thank you, Mr. Chairman. I would like to thank you for holding this hearing today. It is my hope that today's hearing will facilitate the ongoing dialog in addressing cyber security vulnerabilities and the threats facing our critical infrastructures. Since this dialog began in 1997 with the creation of the President's Commission on Critical Infrastructure Protection, we have recognized that critical infrastructure security cannot be addressed without partnering with the private sector, as we did with Y2K. Over 80 percent of our critical infrastructure is owned and operated by the private sector. Traditional national defense models do not work in this environment. Instead, we have to look to market forces and voluntary participation in partnerships to successfully protect those infrastructures without burdensome regulations which could unintentionally hurt the competitiveness of U.S. markets.

Critical infrastructures are those systems that are essential to the minimum operations of the economy and the Government. Our critical infrastructures comprise the financial services, telecommunications, information technology, transportation, water systems, emergency services, electrical power, gas and oil sectors in private industry, as well as our national defense, law enforcement, and international security sectors within the Government. Traditionally these sectors operated largely independently of one another and coordinated with the Government to protect themselves against threats posed by traditional warfare.
With the many advances in information technology, many of our critical infrastructure sectors are linked to one another and face increased vulnerability to cyber threats. Technology interconnectivity increases the risk that problems affecting one system will affect other connected systems. Computer networks can provide pathways among systems to gain unauthorized access to data and operations from outside locations if they are not fully monitored and protected.

Attacks on critical infrastructure can come in many different forms. They can originate from groups or persons with malicious intent to destroy or damage our safety and our economy, or from individuals who just enjoy the challenge of attacking and infiltrating computer networks. In a cyber security conference held this past Monday, Richard Clarke, the National Security Council staff coordinator for security infrastructure protection and counter-terrorism, issued a warning that the United States faces an electronic Pearl Harbor unless Government and industry work together to strengthen the information security systems protecting our Nation's critical infrastructure. Infiltration of our financial services, telecommunications, and electrical power systems would not be any less devastating than attacks on our military and our nuclear systems.

On May 4th, we were reminded once again that love can be painful. As you know, May 4th is the day the ``I love you'' virus rocketed around the globe causing an estimated $8 billion in damages. That figure does not account for the countless frustrations experienced by governments and consumers around the world. Additionally, differences in Government and private-sector response to the virus highlight the need for greater partnership and trust. If the Government had more clearly established channels of communication when this virus hit, it might have avoided significant delays in notifying its own agencies of the virus.
I was greatly concerned when I read the General Accounting Office's preliminary results of the Federal Government's handling of the ``I love you'' virus. The Financial Services Information Sharing and Analysis Center, ISAC, had notified their member companies by 3 a.m. about the virus. But the Federal Bureau of Investigation didn't release its first warning until 11 a.m. Additionally, the Department of Health and Human Services reported that on May 4th the ``Love bug'' rendered that agency incapable of responding to a biological disaster. Clearly, this is another area that requires a greater commitment to partnership and coordination between the public and private sectors. I would like to say this is a perfect example of the success of private public partnerships that we need to make a greater commitment to facilitating. The Financial Services ISAC is currently the only one of its kind that is clearly doing its job in getting out timely information.

Moreover, recent studies have demonstrated that the incidence of cyber security threats to both the Government and the private sector are only increasing. According to an October 1999 report issued by the GAO, the number of reported computer security incidents handled by Carnegie Mellon's CERT coordination center has increased from 1,334 in 1993 to 4,398 during the first two quarters of 1999. According to information currently posted on CERT's Web site, that number totaled 10,000, doubling the 1998 total for computer security incidents. At this time, Mr. Chairman, I would like to request that the information from CERT's Web site be inserted into the hearing record. Additionally, the Computer Security Institute reported an increase in attacks for the third year in a row on responses to their annual survey on computer security.
Because the private sector controls the vast majority of our critical infrastructure, I am concerned that employing a private public partnership to monitor the computer networks, analyze data, issue real time alerts, and employ defenses must be the primary component for protecting Americans. But when we asked the private sector to volunteer some information that otherwise would never be known to external entities, information is often proprietary, which could impose many different liabilities and risks were it to become publicly disseminated. Not surprisingly, we find a great reluctance on these companies to cooperate with the Government. Mr. Moran and I introduced this bill.

Mr. Horn. May I say the material you and the Chair and the ranking member want to put in at this point, without objection, that is approved.

Mr. Davis. Thank you, and I will ask unanimous consent to put the total statement in there. We introduced this bill to give critical infrastructure industries the assurances they needed in order to confidently share information with the Federal Government. And as we learned with the Y2K model, the Government and industry can work in partnership to produce the best outcome for the American people. I have a fairly lengthy statement that I would like to ask unanimous consent to have it all in the record. But I would just like to add, Mr. Chairman, I want to thank you for holding this hearing today and look forward to working with you. I appreciate our panelists taking time out from their schedules to share their thoughts on this before we mark this bill up in the subcommittee and then move to full committee. We read your comments and will take them into account and hope for a continuing dialog in this. The challenges that face the Government and the private sector on critical infrastructure security remain very important to us. I hope this legislation will go a long way toward resolving these conflicts. Thank you.

[The prepared statement of Hon. Thomas M. Davis follows:]

[GRAPHIC] [TIFF OMITTED] T2361.002 through T2361.006

Mr. Horn. Well I'm sure it will. I am particularly grateful to the members of the panel that we are about to swear in. You nobly came here despite the very short notice and we are most grateful to you for having your perspective in this area. So let me just explain how this place works. Mr. Willemssen can tell it better than I can. It's good to see you, Joel. We start down the line based on the agenda. We've got your statements, it is automatically in the record when I introduce you. And second, we would like you, if you can, to not read it because we just do not have that kind of time. And so if you want to take 5 minutes, maybe 8 minutes, that is fine, but just summarize it. The staff and everybody else has gone through the written material, even though that was a last minute affair and we thank each of you for that. We also swear in all witnesses in this committee. So if you would stand and raise your right hands, and if you have anybody that backs you up, also have them do it.

[Witnesses sworn.]

Mr. Horn. The clerk will note that the six witnesses and the two supporters have taken the oath. We will start with Mr. Willemssen, the Director of Accounting and Information Management Division of the U.S. General Accounting Office, part of the legislative branch of Government. Mr. Willemssen has great experience with this. He has followed us all over the world on the Y2K situation. I am glad to see you in one place, we don't have to run around the country or the world anymore. So Mr. Willemssen, we look forward to your overview.

STATEMENT OF JOEL C. WILLEMSSEN, DIRECTOR, ACCOUNTING AND INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE

Mr. Willemssen. Thank you, Mr. Chairman, Ranking Member Turner, Congressman Davis. Thank you for inviting us to testify.
It is an honor to appear again before you today. As requested, I will briefly summarize our statement. Overall, the level of concern over cyber security continues to grow. Understanding cyber security risks and how to best address them are major challenges that the Federal Government has recently begun to address. Earlier this year, the White House released version one of its National Plan for Information Systems Protection. The plan encourages the creation of information sharing and analysis centers to facilitate public and private sector information exchange about actual threats and vulnerabilities. Although such partnerships are central to addressing critical infrastructure protection, some in the private sector have expressed concerns about voluntarily sharing information.

H.R. 4246, the proposed Cyber Security Information Act of 2000, was developed to address these concerns and encourage the disclosure and exchange of information about cyber security problems and solutions. In many respects, the bill is modeled after the year 2000 Information and Readiness Disclosure Act, which provided limited exemptions and protections for the private sector to facilitate the sharing of information on Y2K readiness. In short, the bill creates an additional protected channel for potentially valuable information that the Federal Government would not otherwise have. Such information sharing proved invaluable in addressing Y2K. The Y2K Readiness Disclosure Act helped pave the way for disclosures on readiness and available fixes and helped the work of the year 2000 Conversion Council's sector-based working groups. H.R. 4246 could have a similar positive effect.

However, there are challenges remaining that need to be addressed to make the legislation a success. First, the Federal Government needs to be sure it collects the right type of information, that it can effectively analyze this information, and that it can appropriately share the results of its analysis.
This is a complex and challenging task, especially given how rapidly threats and vulnerabilities can change.

Second, to effectively engage with the private sector, the Federal Government needs to be a model for computer security. Currently it is not. Audits conducted by us and the Inspectors General show that 22 of the largest Federal agencies have significant computer security weaknesses, ranging from poor controls over access to sensitive systems and data to poor controls over software development and changes. While a number of factors have contributed to weak information security, the fundamental underlying problem is poor security program management. To attain effective security, several key elements are needed, including: (1) a framework of effective access controls and management oversight; (2) periodic independent audits of agency security programs; (3) more prescriptive guidance on the level of protection required; (4) strengthened incident detection and response capabilities; and (5) adequate technical expertise.

Especially important is the need for strong centralized leadership. Such leadership has proven essential to addressing other Government-wide management challenges such as Y2K. And we believe it will be similarly critical in tackling the growing security risks to computer systems and critical infrastructures. That concludes a summary of my statement. Thank you again for the opportunity to testify, and I will be pleased to address any questions.

[The prepared statement of Mr. Willemssen follows:]

[GRAPHIC] [TIFF OMITTED] T2361.007 through T2361.025

Mr. Horn. Thank you very much, Mr. Willemssen. That was very helpful. At this point, I also want to put into the record the President's White Paper, the Clinton administration's Policy on Critical Infrastructure Protection, Presidential Decision Directive 63. Without objection, it will be at this point in the record.

[The information referred to follows:]

[GRAPHIC] [TIFF OMITTED] T2361.070 through T2361.084

Mr. Davis. Mr. Chairman, I would also like to ask that an article on E-FOIA be inserted in the record from the August 1997 issue of Government Executive Virtual Records. If that could be put in the record as well.

Mr. Horn. Without objection, so ordered. Our next witness is John Tritak, the Director of the Critical Infrastructure Assurance Office of the U.S. Department of Commerce. We are glad you are here.
STATEMENT OF JOHN TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE ASSURANCE OFFICE, U.S. DEPARTMENT OF COMMERCE

Mr. Tritak. Thank you, sir. I want to thank you and the subcommittee for giving me the opportunity to appear here before you today. I, too, will try to be brief and summarize my remarks that are being submitted for the record.

I would like to set the context a little bit, in order to underscore the importance of the discussion that is taking place today. It has been a little over 2 years since President Clinton issued PDD 63, establishing defense of the Nation's critical infrastructure as a national security priority. And in doing so however, he presented a rather unique challenge in which we recognized, perhaps for the first time, that we have a national security challenge that the Federal Government's national security establishment cannot solve alone. With over 90 percent of the Nation's infrastructures being privately owned and operated, the need for industry to take a leadership role in securing the Nation's critical infrastructures is essential. The goal here is, as much as possible, to find market solutions to deal with the problems of computer security and infrastructure assurance, and then, where market forces fail, the Government would step in, in cooperation with Congress, to address any potential gaps in the interests of national security and defense.

Part of what is essential to industry's leadership is the need for strong collaborative partnering arrangements. One of the things that I find striking is that what we are really talking about here are two different kinds of partnerships. One partnership, and perhaps the more important, is the partnership of industry in which each of the sectors organize themselves to address this problem. Then, of course, there is the partnership between industry and Government to identify areas where collaborative effort makes sense.
What is essential to both forms of partnership, however, is the need for information sharing, both to raise awareness, improve understanding, share common experiences, and, as appropriate, to serve as a catalyst for action.

Within industry itself, a lot of progress has been made in establishing effective information sharing arrangements. In the telecommunications area, the National Communications Center under the leadership of the NSTAC, which Dr. Oslund will talk about later, was really one of the first effective information sharing arrangements to deal with national security concerns. More recently, the banking and finance industry established an information sharing and analysis center to share important and sensitive information about threats and vulnerabilities in that industry. The North American Electric Reliability Council recently established a pilot program with the National Infrastructure Protection Center housed at the FBI, to share certain types of information on threats to the electric power industry as a whole. Both the NERC and the National Petroleum Council are working with the Department of Energy to develop a coherent sector plan for addressing threats and vulnerabilities and to share arrangements. Shortly, the information technology industry, under the leadership of Harris Miller of the Information Technology Association of America, is going to establish an information technology ISAC in response to the computer summit that President Clinton held last February as a result of the denial of service attacks that we saw.

When we talk about industry taking a leadership role, we are starting to see that played out in a lot of different ways. We are also seeing increasingly good working relationships between industry sectors and their Federal lead agency counterparts in the Federal Government.
For example, the Commerce Department's National Telecommunications and Information Administration is responsible for working closely with the information technology and telecommunications industry, and of course the National Security Telecommunications Advisory Council [NSTAC] has actually played a very important role in helping to guide that dialog and to provide very useful and effective suggestions on how to go forward.

One of the things that becomes clearer as you go further into this issue is that, because industry is increasingly becoming part of the same digital nervous system, you cannot address critical infrastructure security in a stovepipe fashion. The digital age does not recognize the distinctions between the transportation sector, the electric power industry, and telecommunications. And so there is a growing need within industry to discuss and meet with representatives of the respective sectors to determine where the common issues of concern are and how they might be addressed. There is also a need, if you are going to maximize the market as a means of raising the bar of security across the country, to bring in other stakeholders, which include the risk management community, the investment community, State and local governments, as well as main line businesses who are actually the ultimate consumers of the infrastructure services that generate the wealth of the Nation. And it was with that in mind that the impetus came for the creation of the Partnership for Critical Infrastructure Security. It serves as a forum for fostering cross-sector dialog to address areas of common concern and experiences with a view toward taking action as appropriate.
It also brings in the other professional communities, including the legal community, privacy community, risk-management and the like, so that what you have is really a distillation of the markets that is going to have to be involved in this effort if we are going to actually see the security of the Nation's infrastructures improved. To date there are over 150 companies participating. Congressman Davis and Congressman Moran addressed the first working group meeting, and as Congressman Moran indicated in his remarks, it was a very fruitful discussion. Our next meeting will be held in July in San Francisco, in which many of the issues that were identified, including issues regarding FOIA, will be further discussed, as well as industry will begin to engage the Federal Government on how to participate in the next version of the National Plan, which I think is essential to having a national agenda for a new administration to deal with.

I indicated very early on in my remarks that the core of all this is voluntary information sharing, information that does not have to be provided under existing laws and regulations. Some of that information is sensitive. Concerns that the existing statutory environment in any way chills that sort of information sharing therefore must be taken seriously. It was in addressing these concerns that we had a very successful Y2K period, where you saw an unusual and unprecedented amount of information sharing between Government and between industry. And since I was located very near the ICC, I was able to witness firsthand the success of that.

The President's Commission on Critical Infrastructure Protection acknowledged the importance of dealing with this issue: ``We envision the creation of a trusted environment that would allow the Government and private sector to share sensitive information openly and voluntarily. Success will depend on the ability to protect as well as disseminate needed information.
We propose altering several legal provisions that appear to inhibit protection and thus discourage participation.'' The PCCIP went on to include the Freedom of Information Act, antitrust provisions, and protection from liability among the areas that needed to be analyzed. In addition, as I indicated a moment ago, the organizational meeting of the Partnership for Critical Infrastructure Security included in its action items the removal of disincentives to information sharing.

Therefore, I wholeheartedly applaud the intent as well as the objectives of the Cyber Security Information Act that was proposed by Congressmen Davis and Moran. Based on my own experience with these issues over the past years, I believe sharing information regarding common vulnerabilities, threats, and interdependencies is important to effective security controls across the interconnected and shared risk environment within which both Government and industry operate.

The act would create a new exemption from FOIA to protect industry's submitted critical information vulnerability information. As a general matter, we support maximum Government openness while recognizing that certain information, such as that relating to cyber vulnerability, should be protected from wide dissemination. As with any exemption from Government openness, we need to study this proposal very carefully and need to strike a balance between the goal of information sharing and Government openness. Similarly, we should be confident that the proposed provisions dealing with antitrust and liability protection are measured to achieve their intended goals and not create unintended results.

As the bill points out, prompt, thorough and secure information sharing is clearly a matter of national importance. I think the ability to develop and share designated cyber security information would be a useful step toward this important goal. We are looking forward to a full and vigorous national discussion on this important legislation.
I wish to thank you for the opportunity to testify here today, Mr. Chairman.

[The prepared statement of Mr. Tritak follows:]

[Graphics T2361.026 through T2361.031 omitted in the printed record.]

Mr. Horn. Thank you very much, Mr. Tritak. That is very helpful. We now turn to Ambassador Craig Johnstone, senior vice president for International Economic and National Security Affairs of the U.S. Chamber of Commerce. Mr. Ambassador, please proceed.

STATEMENT OF AMBASSADOR L. CRAIG JOHNSTONE, SENIOR VICE PRESIDENT, INTERNATIONAL ECONOMIC AND NATIONAL SECURITY AFFAIRS, U.S. CHAMBER OF COMMERCE

Ambassador Johnstone. Well, thank you very much, Mr. Chairman, and a particular vote of thanks to Mr. Moran and Mr. Davis for having sponsored this very important legislation. I represent the U.S. Chamber of Commerce, the world's largest business organization with 3 million businesses, associations, and chambers represented around the world, and we strongly endorsed this legislation.

Mr. Chairman, we are all witness to the process of globalization and all of the revolutionary changes that we are seeing as a result of new technologies--information management, biotechnology. It has changed the very nature of economic life in our country and it is full of opportunities, but it also brings with it a great number of risks. There is a new set of security risks unlike those we have ever witnessed previously in our history. These new security risks do not come in the form of foreign armies marching across borders. They're more sophisticated, they're more insidious, and more pervasive. Their provenance is more difficult to determine and the defenses are very difficult to mount. These are the threats to our Nation's critical infrastructure, to our computer systems, to our financial infrastructure, to our power grids, to our water supplies.
These threats exploit the tools of modern science to attack weak points in our increasingly complex and increasingly vulnerable economic system. These are very real threats. If you just look in the narrow sector of the threats to the computer infrastructure, you take the CERT Coordination Center's recent report alluded to by Mr. Davis and just take a look at what has happened recently. Over a 2-day period starting February 7th, some of the leading Internet sites of the country came under denial of service attacks from hackers. The sites included Yahoo, eBay, CNN.com, Amazon.com and e-Trade. Less than a month later 350,000 credit card numbers were stolen from the music retailer CD-universe and posted online in an attempt to extort $100,000 from the company. On May 5th the international ``Love bug'' virus that we are all familiar with struck at enormous cost to American business. And these attempts were perpetrated by amateurs. Imagine the threat were there to be a concerted effort not just of amateurs, but of people working under Government auspices of some kind, somewhere, from some corner of the Earth. The range of weapons that can be brought to bear on a single company today, they can be brought to bear on a single company or they can be brought to bear to affect the lives of millions of people.

Our country must come up with the strategies that address this problem. It does no good for Government to develop a strategy on its own when 90 plus percent of the critical infrastructure of this country is in the hands of the private sector. The kind of strategies we need must be developed between industry and Government within individual industries. We can address our critical infrastructure vulnerabilities but only through cooperation and the free flow of information and ideas. This legislation moves us a step in that direction by establishing trust between industry and Government.
You can expect the amount of valuable information exchange on critical infrastructure threats and vulnerabilities to be directly proportional to the amount of safety provided by H.R. 4246. We faced a very similar problem on the Y2K issue and the 1998 Y2K Information and Readiness Disclosure Act paved the way for much smoother relations between the public and private sectors. Providing a FOIA exemption and an antitrust waiver is critical for the level of success of industry-wide information sharing and analysis centers [ISACs]. These ISACs share information on the nature of vulnerabilities, attempted attacks or unauthorized intrusions, coordinate R&D issues, examine vulnerabilities and dependencies and develop education and awareness programs. This legislation is critical to those efforts; it is also critical to the success of the Partnership for Critical Infrastructure Security, which performs many of the same functions but this time not within industries but between industries, and between industry and Government.

I am pleased to say that the U.S. Chamber of Commerce has actively participated in the formation and development of the Partnership for Critical Infrastructure Security and we are pleased to provide ongoing support in collaboration with the Critical Infrastructure Assurance Office, and we commend the office for the leadership that it has given on this issue. It's clear from our experience with Y2K, from the requirements of the National Plan, and from the feedback we have received from our own companies, our member companies, that this legislation is important, even critical, toward accomplishing the cooperation we must have to advance our security goals.

Again, I would like to commend Mr. Davis and Mr. Moran for their leadership in taking on this issue, and I would like to encourage this committee and the House to support the Cyber Security Information Act of 2000. Thank you.
[The prepared statement of Ambassador Johnstone follows:]

[Graphics T2361.032 through T2361.036 omitted in the printed record.]

Mr. Horn. Thank you, Mr. Ambassador. We now move to Mr. Jack Oslund, the chairman of the Legislative Regulatory Working Group of the National Security Telecommunications Advisory Committee. Mr. Oslund.

STATEMENT OF JACK OSLUND, CHAIRMAN, LEGISLATIVE AND REGULATORY WORKING GROUP OF THE NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE

Mr. Oslund. Thank you, Mr. Chairman. I would like to open up with an apology. I have laryngitis and I will do the best I can. It may govern the speed with which I work against your clock.

Thank you for the opportunity to testify here today regarding the President's NSTAC. As you said, I chair the Legislative and Regulatory Working Group of the Industry Executive Subcommittee. My remarks are based on the work of the NSTAC. They do not necessarily represent the views of my company, nor will they address issues on which the NSTAC principals have not taken a formal position.

NSTAC and its representatives have been involved in industry-Government information sharing for 18 years. We have learned many lessons in our various activities that we are always willing to share as other infrastructures begin their own public-private partnership arrangements. If the Chair will allow, I would like to provide supporting materials for the committee's use.

Mr. Horn. We will review them and try to get them into the hearing record as best we can, without objection.

Mr. Oslund. Thank you, sir. What makes information sharing successful? Participants in NSTAC, the NCC, and the NSIEs have built relationships based on trust that fosters the sharing of information.
These relationships are largely dependent on individual relationships and the recognition that through cooperation the security of the Nation's critical telecommunications networks can be strengthened. The NSTAC has examined information sharing initiatives and observed the following: it is already occurring in a number of forums; it may be affected, and in some cases it is being affected, by legal barriers; it is mostly voluntary; it is dependent on receiving a benefit when voluntarily shared; it is based on trusted relationships; and it may depend upon the company and the individual participant.

The NSTAC also has focused on the potential regulatory and legal barriers which are being discussed today--FOIA, liability, and antitrust. I will limit my oral testimony to FOIA. FOIA provides the public with access to records maintained by Government departments and agencies. It also sets forth a number of exemptions that allow withholding specific information from disclosure, including proprietary company information. None of these exemptions specifically addresses critical infrastructure protection information that is shared within the ISAC. Yet PDD 63 calls for long-term voluntary information sharing between industry and Government to achieve protection for the Nation's critical infrastructures. As evidenced by the voluntary information sharing that took place during the Y2K rollover, companies were prepared to share information with each other and the Government that otherwise would not have been available without the FOIA exemption granted by the Y2K Act.

With respect to information sharing related to critical infrastructure protection, the threat is not as clear as it was for Y2K. The problem is unbounded. There is no fixed deadline for action and, as stated earlier, there currently is no protection from disclosure of critical infrastructure protection information voluntarily shared with the Government. We are in a continuing dialog with Mr.
Tritak and his staff at CIAO on this matter.

The NCC expanded its function to include serving as a telecommunications ISAC this past March. Most industry participants in the NCC feel that the expansion of its activities to include ISAC functions increases the need for protection of information voluntarily shared with Government. To date, FOIA has not been a significant concern in the NCC, primarily because the NCC does not maintain a data base. However, the NCC ISAC is developing an automated information sharing and analysis system that will store data from events and situations reported by participating organizations. As awareness of the NCC and its activities, particularly as an ISAC, increases, FOIA requests for the data base may cause participants to be reluctant to share information. It is critical that sensitive company information shared with the Government be protected from disclosure.

Significantly, in May 2000 the NSTAC recommended that the President support legislation to protect critical infrastructure protection information voluntarily shared with the Government from disclosure under FOIA. NSTAC has not yet discussed the pending legislation. It was introduced too late during the last NSTAC work cycle. It will be reviewed during the work cycle that is just beginning.

In conclusion, the lessons learned from the NSTAC's experiences in information sharing are applicable to all critical infrastructures as they begin their own protection efforts. The road to complete trust between and among industry and Government is a long and bumpy one. Legislation is necessary but not sufficient for information sharing. There are other areas that must evolve in order to achieve the level of information sharing sufficient to accomplish the goal of protecting the Nation's critical infrastructures. Technical, logistical, cultural, and human factors issues need to be addressed.
While legislation will not solve all the challenges in information sharing, it goes a long way in providing the protection industry needs as well as demonstrating the Government's commitment to being an active member of the information sharing process. Thank you for inviting me to speak today. I look forward to any questions that you may have.

[The prepared statement of Mr. Oslund follows:]

[Graphics T2361.037 and T2361.038 omitted in the printed record.]

Mr. Horn. Well, thank you, and we wish you well with your laryngitis. There are more allergies on Capitol Hill than anyplace in the world because there is a tree, I am told, for every tree in the world.

Mr. Oslund. Mr. Chairman, the doctor did assure me that I do not have a virus bug.

Mr. Horn. Thank you. Let me explain that when you see Members walking in and out now it is because we have a vote on the floor on the rule and we have 15 minutes to respond. Mr. Davis has gone over there. When he comes back, he will preside and I will go over there. We do not like to miss votes. We will start with Mr. Sobel now, the general counsel of the Electronic Privacy Information Center. Mr. Sobel.

STATEMENT OF DAVID L. SOBEL, GENERAL COUNSEL, ELECTRONIC PRIVACY INFORMATION CENTER

Mr. Sobel. Thank you, Mr. Chairman. I appreciate the opportunity to appear today to discuss the Cyber Security Information Act. The Electronic Privacy Information Center, or EPIC, is a frequent user of the Freedom of Information Act. We obtain Government documents on a wide variety of policy areas and we firmly believe that public disclosure of this information improves Government oversight and accountability and really assists the public in becoming fully informed about the activities of the Government. I have personally been involved with FOIA issues for almost 20 years representing a wide variety of FOIA requesters.
In the early 1980's, I assisted in the publication of a book entitled ``Former Secrets,'' which documented 500 instances in which material released under FOIA served the public interest. I am sure that if there were to be a revision of that book done today in the year 2000, we could easily come up with thousands of such examples of beneficial uses of the Freedom of Information Act.

EPIC, as a member of the FOIA requester community, has, along with other members of that community, for many years expressed concerns about a number of proposals to enact new broad exemptions to the FOIA's disclosure requirements. Most recently, we have joined with scientific, journalist, library, and civil liberties organizations in questioning the need for a new exemption to cover information dealing with the protection of critical infrastructure protections, such as the exemption that would be created in the bill before the subcommittee. We collectively believe that such an approach is fundamentally inconsistent with the basic objectives of FOIA, which is, as the Supreme Court has noted, ``to ensure an informed citizenry.''

It is clear that as we enter the new century and become increasingly involved in electronic networking that the Government is going to be more and more involved in the protection of critical infrastructure. It is equally apparent that the Government's activity in this area is going to become a matter of increased public interest and debate. My organization EPIC has monitored developments in this area since the creation of the President's Commission on Critical Infrastructure Protection. After the commission's report came out, we issued a report entitled ``Critical Infrastructure Protection and the Endangerment of Civil Liberties,'' in which we raised some questions about possible impacts of some of the proposals.
Now, while reasonable observers can disagree over the advantages or disadvantages of the commission's proposal, or the more recent initiatives contained in the administration's National Plan, I think we can all agree that critical infrastructure protection raises some significant public policy issues that deserve full and informed public debate. In fact, public disclosure of information in this area has already helped to shape the administration's policy in the area. As an example, I would cite to the subcommittee the so-called FIDNET proposal, the Federal Intrusion Detection Network, which, as originally proposed, would have subjected private sector computer networks to a potentially invasive monitoring system administered by the FBI. Following news media accounts of that proposal and the negative public reaction, that proposal was significantly scaled back. We at EPIC have received material under the FOIA dealing with these issues, we have made it public, and we think that is an important part of the process of public debate on these issues.

I would like to focus specifically on the need for the exemption that is contained in this legislation.

Mr. Horn. Let me just interrupt you at this point. I am going to recess the hearing to go vote. The time remaining is almost expired. Apparently Mr. Davis could not get back in time. But he will pick it up and then have you pick it up. So we are going to recess for 5 minutes or until Mr. Davis returns.

[Recess.]

Mr. Davis. The subcommittee hearing will reconvene. Mr. Sobel, do you want to continue your remarks?

Mr. Sobel. Thank you, Congressman Davis. I was pointing out the valuable information that has already been disclosed under the Freedom of Information Act concerning critical infrastructure protection, and citing the example of the initial FIDNET proposal and the revisions that the administration made to that proposal after publication of the details and incorporating the public concern that that engendered.
So I think that is a very good example of the importance of public disclosure and the Freedom of Information Act in this particular area.

What I would really like to discuss and focus on in my remaining time is my belief that the Freedom of Information Act, as currently written and construed by the courts, does in fact provide adequate protection for the information that we are discussing, and I would maintain really negates the need for a new exemption to be added to the FOIA regime. I think in looking at this issue, we do need to keep in mind that critical infrastructure protection is an issue of concern not just for the Government and industry, but also for the public, particularly the local communities in which these facilities that we are discussing are located.

The FOIA exemptions that currently exist, in particular I would like to focus on exemption 4, have been the subject of 25 years of litigation. We have extensive caselaw that we can look to. And I believe that caselaw establishes that existing exemption 4 is adequate. For information to come within the scope of exemption 4, it must be shown that the information is either a trade secret or, most significantly here, information which is commercial or financial, obtained from a person, and privileged or confidential. The latter category of information, that is, commercial information that is privileged or confidential, is directly relevant to the issue that is before the subcommittee. Commercial information is deemed to be confidential ``if disclosure of the information is likely to have either of the following effects,'' and significantly the one we are concerned with here, ``To impair the government's ability to obtain the necessary information in the future.'' My understanding is that H.R. 4246 seeks to ensure that the Government is able to obtain critical infrastructure protection information from the private sector on a voluntary basis.
So that concern clearly comes within exemption 4's so-called ``impairment'' prong. In fact, the courts have liberally construed impairment, finding that where information is voluntarily submitted to a Government agency, it is exempt from disclosure if the submitter can show that it does not customarily release the information to the public. This is the Critical Mass case that the D.C. Circuit decided back in 1992. In essence, the courts defer to the wishes of the private sector submitter and protect the confidentiality of information that the submitter itself does not routinely make public.

In addition to the protections for private sector submitters that are contained in exemption 4 and the relevant caselaw, agency regulations also seek to ensure that protected data is not improperly disclosed. Under the provisions of Executive Order 12600, which President Reagan issued in 1987, agencies are required to give submitters of information an opportunity to submit objections to proposed disclosures, and those objections have to be considered by the agency before a disclosure determination is made. The protections don't end there. If the submitter is still unhappy with an agency determination to disclose the submitted information, the submitter can go to the courts, file what is known as a ``reverse FOIA'' lawsuit, and litigate the confidentiality issue. So there are many procedural safeguards already built into the FOIA regime.

I think to a large extent the concern that we hear from industry is really a misperception of existing law. I think this is something that can become a self-fulfilling prophecy. If the agencies responsible for collecting this information are saying to submitters we cannot protect your information, then obviously the flow of information is going to dry up. So I think it is important to direct the efforts toward education and reassuring the private sector submitters that existing law does in fact adequately protect their confidentiality.
I think the FOIA over the last 25 years has worked very well in making these kinds of balances between the need to know, on the one hand, and protecting against harmful disclosures. I would encourage the subcommittee not to upset that delicate balance that we have already developed over the 25 years of litigation. I thank the committee for considering these issues and will be happy to take any questions.

[The prepared statement of Mr. Sobel follows:]

[Graphics T2361.039 through T2361.043 omitted in the printed record.]

Mr. Horn. Thank you very much for being here. I will have some questions for you later. Mr. Woolley.

STATEMENT OF DANIEL WOOLLEY, PRESIDENT AND CHIEF OPERATING OFFICER, GLOBAL INTEGRITY CORP.

Mr. Woolley. Good morning, Congressman Davis, Chairman Horn, members of the subcommittee. I would like to thank you for requesting my perspective on the important issue of information sharing and the quest for cyber security. My name is Dan Woolley and I am the president and chief operating officer for Global Integrity, a company based in Reston, VA. Global Integrity is a wholly owned subsidiary of Science Applications International Corp., an information security consulting company, and a resource for many Fortune 100 and Global 100 corporations, including online businesses, banks, brokerage houses, insurance companies, telecommunications, and entertainment companies, and other dot-com industries. In this capacity, we test the overall computer security of our client sites, help them develop secure information architectures, and help them to respond to attacks and incidents. We monitor and report to our clients about the most recent threats and vulnerabilities in cyber space, and help them to cooperate with regulations and law enforcement agencies where required or where appropriate.
Global Integrity is also a recognized leader in information sharing to promote cyber security. We established the very first information sharing and analysis center called for by the Presidential Decision Directive, or PDD 63, and since then have established several additional ISACs that have been demanded by the market. Therefore, I am particularly pleased to offer our views today on H.R. 4246, on the state of cyber security, on information sharing and the public-private partnership, including some of the appropriate roles of Government.

Presidential Decision Directive 63 recognized that the critical infrastructure of the United States is not owned by the Government but rather is in the hands of the private sector. While both the Government and the private sector have significant incentive to protect this infrastructure, the ultimate financial responsibility for protecting it lies squarely at the foot of the private sector. Moreover, the Government's interest is in protecting the infrastructure against cyber warfare and the denial of service attacks. The private sector's interest is in protecting its infrastructure not only from these attacks but also from attacks by competitors, preventing insider abuse, enforcing corporate policies, protecting investor interest, as well as providing customers with safe, secure, and private means of conducting electronic commerce. While the goals of the private sector and the Government converge, they are not always identical.

We recognize the precariousness of the concept between public and private partnerships on something so sensitive as cyber security, yet we think it a concept worth pursuing, albeit with caution. Certainly the last thing a private company wants is to have its own cyber vulnerabilities publicly exposed to regulators, customers, investors, or competitors.
On the other hand, the Government has a legitimate right to be concerned about the security of the Nation's critical infrastructure and even the security of the businesses that underpin the Nation's economy. Yet because the private sector owns the infrastructure, we believe the primary responsibility for securing it does and should rest with the private sector--those in the financial services, energy, transportation, agriculture, and communications sectors, as well as those in the thousands of IT-dependent businesses. These are the people who own the infrastructure, are familiar with it, and are responsible for making decisions not only about the security, but also about the things like functionality, interoperability, strategic fit, and, of course, cost. Yet the Government correctly notes that our critical infrastructures are subject to intrusion and disruption if cyber security is not taken extremely seriously at the very highest levels both within Government and within the private sector. While the private sector should lead, we believe the Government does have a legitimate role in promoting cyber security. The Government must continue in its efforts to recruit and train cyber security professionals and perhaps make laboratory or forensic facilities available to the private sector. The Government can lead by example, by securing its own infrastructure and by sharing techniques and lessons learned. Global Integrity supports legislative efforts to encourage and even require Government agencies to batten down their own cyber hatches and serve as a model for the private sector. The Government also can help set security standards and best practices to promote education on subjects like computer security, computer forensics, computer law, computer ethics.
Finally, the Government can promote private sector cooperation both within the private sector and with the Government by removing any actual or perceived barriers to such cooperation, and by actively and aggressively advocating for such cooperation. The Government should also consider what rewards may be offered to the private sector to encourage safe and secure practices. According to the Department of Justice statistics, cyber crime cases have increased 43 percent from 1977 to 1999. Threats to the infrastructure are both real and perceived. A survey of 1,000 Americans conducted on June 8-11 this year by the polling firm of Fabrizio McLaughlin Associates found that 67 percent of respondents feel threatened by, or are concerned about, cyber crime, and 62 percent believe not enough is being done to protect Internet consumers against such crime. Sixty-one percent say they are less likely to do business on the Internet as a result of cyber crime, and 65 percent believe online criminals have less of a chance of being caught than criminals in the real world. We have identified the following trends in cyber attacks: No. 1, distributed attacks are increasing, and abusers take advantage of jurisdictional and sovereignty distinctions to avoid detection and prosecution. No. 2, attackers are using the known and publicized security holes to compromise systems. This is particularly true with respect to the worm type attacks that continue to take advantage of users' willingness to execute unknown and unverified computer programs. No. 3, most incidents and penetrations seem to be attacks of opportunity, although sophisticated hackers may target specific companies or information with a combination of electronic attacks and deception through social engineering. No. 4, the release of point and click tools has made the ability to take on systems easy and accessible.
For example, a well-known tool called B02K, freely available on the Internet, allows an unsophisticated hacker to take over a victim's computer completely, read all files and even turn on attached cameras and microphones to conduct surreptitious surveillance in the room in which the computer is located. No. 5, the increase of the use and potential use of high-speed, always on DSL and cable connections at home increases the risk of both home and corporate attacks. A home user may suffer as many as 40-100 attempted attacks per month on a home DSL connection, ranging from somewhat benign probes to very sophisticated attacks. The attacks come from diverse locations, including Eastern Europe, China, Korea, and other nations in the Far East. The increased use of wireless technologies to transmit business critical or personally sensitive information increases the risk of compromise. New security strategies and implementations must be developed for these technologies. One of the best ways that Government can promote cyber security in the private sector is by encouraging information sharing, and this of course is one of the central objectives of PDD 63. The Directive's charge is to create ISACs, Information Sharing and Analysis Centers, where information on threats, incidents, and vulnerabilities, with associated recommendations and solutions, can be shared and analyzed. This is a critical step in defending against cyber attacks. When these attacks do occur, companies are often left in the dark; they cannot tell whether the attack is local, regional, or national. They cannot easily determine whether the attack is directed at them alone, their entire industry, or represents part of a series of random or concerted attacks. To defend against potential future attacks, companies must also know about vulnerabilities in the operating systems, applications, browsers, and thousands of the myriads of pieces of software that make up the overall infrastructure.
Finally, they must have access to the raw intelligence about the threats to the infrastructure, increased attacks or activity, and new fraud schemes in order to be prepared. At Global Integrity, we have spent over $3 million in the last 10 months developing the first ISAC for the financial services industry. Thousands of man-hours were dedicated not only by Global, but by dozens of companies led throughout the world by initiatives for the financial services sector toward perfecting this model. The initial goal was to create a broad based model for the financial services industry--banks, insurance companies, brokerages, and other organizations. This model is now being replicated for many companies and sectors around the world. The FS/ISAC was formally launched in October 1999 and it was based upon the fears of publicity, fears of inviting additional attacks, fears of confidentiality, and fears of antitrust liability. In the past, the limitations and the willingness of industry members to share information was critical. Today, nobody wants to be reported on the front page of the Washington Post that their institution has been a victim of an attack or attempted attack. The FS/ISAC today provides a means for sharing information and for distributing threat data obtained from Government sources without the fear of attribution or publicity. Nothing contained in the FS/ISAC rules or regulations alters the obligations of banks or financial institutions to report these criminal activities. In other words, the decision whether or not to report an incident lies with the victim of the attack, and not with the repository of the collected information. To protect the confidentiality of the information, each paid member issues a series of anonymous certificates which authenticates them but does not specifically identify the member. 
We have also recently established the equivalent of news bureaus to collect, analyze, and disseminate information of both regional and national interest. We are establishing bureaus in Asia, the Middle East, Central Europe, and the United Kingdom, as well as South America. These regional bureaus are providing incident, threat, vulnerability, and resolution data regarding events occurring in their regions back to the Reston analysis center for redistribution to all ISAC members on a worldwide basis. The FS/ISAC as well as other ISACs represent a form of public and private cooperation. As a result of the operation of the FS/ISAC and its advanced warning stations in Asia and Europe, members of the financial services industries that have chosen to participate received early warning about recent threats. For example, the FS/ISAC notified members not only of the methodologies behind the distributed denial of service attacks which were launched last February, but also about specific information indicating that hacker activity was increasing. Indeed, Global took such threats seriously enough to issue generalized news releases on the possibility of such attacks hours before those attacks actually occurred. As Congressman Davis noted, the FS/ISAC advised members about the Love Bug worm several hours before the Government agencies sent out generalized alerts, and provided detailed technical analysis of how these worms worked in the early notification. There are certain roles and functions that are the province of Government. One, to set minimum standards for security and interoperability, conducting and supporting fundamental research on new security technologies, promoting awareness of issues relating to information protection, ensuring greater international cooperation between law enforcement and Government agencies, and bringing down the barriers which inhibit cooperation. Finally, a word about the role of Congress in specific.
I believe that Congress should take a cautious approach to passing new legislation. We do think that legislation requiring the Government to get its own cyber house in order would be productive. We also think that limited legislation such as H.R. 4246, which removes barriers to information sharing, is a good idea. Whether these barriers are real or perceived is a question on which lawyers cannot agree. However, we know that in many cases perception is a stronger force than reality, and so removing perceived barriers can be every bit as important to the broader goal, which is to encourage information sharing of incidents, threats, and vulnerabilities. I thank you, Mr. Chairman, for the opportunity to present our views, and welcome any questions the committee may have.

[The prepared statement of Mr. Woolley follows:]

Mr. Horn. Thank you. I now recognize Mr. Davis for questioning for 8 minutes.

Mr. Davis. I thank you very much, Mr. Chairman. Let me start with Mr. Sobel, who is probably the most skeptical about the bill. I guess it is your position that we do not need to change FOIA.

Mr. Sobel. That is correct.

Mr. Davis. The problem is that the companies that we want to release the information and share information do not share that view and do not want to have to go through the litigious process of trying to establish that every time they want to release something. That is the difficulty we have. We have tried to craft a narrow exemption so that it does not do more than we intend it to do.
Is there any limiting language that you would find acceptable under this, or is it your strict position that the FOIA law is the FOIA law and we live with it and it will handle all of our needs?

Mr. Sobel. Let me back up a minute and talk about your opening premise, which is that there is the perception amongst the private sector submitters that there is not currently adequate protection.

Mr. Davis. I am going to argue about the law in a minute, but there is certainly the perception.

Mr. Sobel. Well, I think that the only way to address that perception is to bring people up to speed on what the law is. It is my considered opinion, as well as the opinion of the FOIA requester community that has been involved in the cases that I am citing and frankly has lost a lot of the cases, that the courts give great deference to private sector information that is held by Government agencies. And we can see no scenario under which information that is submitted to the Government voluntarily and that the private sector submitter wishes to maintain the confidentiality of would be disclosed. So I would prefer to see the resources of the agencies go into reassuring the submitters and get the Justice Department to come forward and say, yes, it is our view that existing law is adequate, and have the Congressional Research Service look at the issue. I am confident that a legal review of that kind will create the kind of reassurance that I think has been lacking thus far.

Mr. Davis. So it is not your view that anytime Government is present that there is a public right to know under FOIA, regardless of how that information is obtained.

Mr. Sobel. The courts have certainly construed all of the exemptions, from my perspective, very broadly.
I think the perception out there amongst the requester community is that we have lost most of the big cases, that there has been great deference to both the agencies that seek to withhold information and the private sector submitters of information that do not want the information disclosed. So I think it is pretty clear if you look at the caselaw and the history of the development of exemption 4 that the courts have really bent over backward to make sure that private companies do in fact feel comfortable in voluntarily sharing information with the Government. I also want to repeat the point that I made in my testimony, which is that it is not only the caselaw that we need to look at, but there was a lot of concern about this issue in the 1980's during the Reagan administration. President Reagan issued Executive Order 12600 which created procedures within all of the agencies to give submitters rights to object.

Mr. Davis. But we have had enough of companies that keep coming back that in 1997 the Defense Authorization Act had to prohibit agencies from releasing most contract proposals because there was a lot of proprietary information in the proposals that was leaking out and being FOIAed. This is a constant problem. If you are a private company, and I come out of the private sector, once you give that information out, I think you want ironclad assurance that that information is not going anywhere else either intentionally or sometimes unintentionally, because then you get your trial lawyers, you have antitrust, you have a whole lot of issues that get raised through that. I guess my question is, what is wrong with clarifying it here? Do you think this is drawn too broadly? We have tried to draw this as narrowly as we can. If we could narrow it in some other way to give everybody the rightful protections, we would be happy to do that.

Mr. Sobel. I think I would start from the proposition in this area that if it is not broken, why try to fix it, because in the process you might just be creating some new unintended problems. I point out in my written testimony that I think, given the history of FOIA over the last 25 years, that any new exemption or any new language that is inserted into that regime results in protracted litigation. I think we have devoted considerable judicial resources over the last 25 years to ironing out the meaning of exemption 4. As I say, I think the outcome of that process has been one that is very protective for the private sector. And one of the concerns would be that we are just going to be tied up in litigation for several years as the meaning of this new exemption gets sorted out. Whereas, we have a body of caselaw that we can look at right now that I believe resolves the issue. I think any time you introduce new language into this regime you invite problems.

Mr. Davis. Clearly, if you introduce new language, you have new language that has never been litigated before.

Mr. Sobel. Correct.

Mr. Davis. But I think at this point you draw your line way over where what you have said would be assumed and is clarified even further. Let me just ask Mr. Tritak and others if they would like to comment. Do you feel you have adequate protections at this point under current law?

Mr. Tritak. Sir, I actually would like to go back to the initial point that you made or this premise of what has been discussed. The fact is there is a debate and it is a debate that is not between lawyers, on one hand, and non-lawyers, on the other. It is a debate among some in the legal community that there is not sufficient clarity about the protections for information sharing. Now putting aside for a moment the understandable concern that you do not want to change the law, particularly something like FOIA, lightly, we still have the problem and the debate.
I think the only way you resolve that is by having that debate and discussing it not only within the legal community, but also you get your owners and operators of infrastructures, the people who are actually expressing these concerns, and their legal counsel to express what it is they are worried about, what is the kind of information that they are concerned may not be protected and under what circumstance. But I think the fact that there is a debate is the problem that needs to be resolved. The Government and many people believe that the current protections are sufficient. That's fine. But if you are talking about voluntary information and people are concerned that it is not sufficiently clear and they do not provide the information, then arguably you have a public policy goal that you may not be able to achieve.

Mr. Davis. It seems pretty clear to me. This is information the Government would have no right to under ordinary circumstance and therefore the public would have no right to under ordinary circumstances. But because we are trying to work together to stop the cyber security threats to our Nation's security, companies are willing to come forward and share information, but only if they can be absolutely sure that their information that they give is going to be protected. The Government would not have it otherwise. That is all this legislation says. It clarifies it. Without that, as you say, there is debate in the legal community, there are court decisions all over the lot, and you could get something that does not fit within that exemption that you have discussed, Mr. Sobel.
I cannot right here say under what circumstances that could be, but somebody could volunteer some information that may not be proprietary but it could be very dangerous if that information were to get out, it could hurt shares of stocks, it could show some exposures, for example, in your own security of your company in terms of somebody coming in potentially and if that information were to get out it could damage among investors and the like. And you would not want that information out, but for the good of national security you are willing to come forward with that. I am not sure under those circumstances that meets the protections of the trade secret protections. That is our concern, is that we want to make sure when companies come forward, are working in a cooperative venture to attack this enemy called cyber terrorism that we can work together and that nobody is going to be damaged as a result of that. Does anyone else on the panel want to address that? Yes, Ambassador Johnstone.

Ambassador Johnstone. Yes, I would. First of all, I would like to start off by saying that I commend Mr. Sobel for his defense of the Freedom of Information Act. The U.S. Chamber of Commerce also strongly believes in the Freedom of Information Act. We have used it on behalf of American business frequently, and we are a strong supporter of the act. However, beyond that, I think we certainly are in disagreement with respect to exclusion 4. For example, he says that exclusion 4 provides adequate protections and that if business simply understood, through a public education effort of some sort, they would understand that fact. But the fact of the matter is that as soon as we start getting into exchange of information, there will be attorneys who will stand up and say that exemption 4 does not apply to those situations and there will be a debate. Mr. Sobel points out that that is subject to a review panel process.
So now suddenly we have moved from having the protection of the law into something that will be debated within a review panel. Or, alternatively, that there is litigation always possible. So now we have moved it out of the review panel into potential litigation. So that for a company what you do is you face then a very uncertain prospect that may drag you into litigation, or have the assurance of the law and the clarification that is written into the law. The point that you made, Mr. Davis, I think is the salient point here. That is to say there is nothing written here that is different than what it is Mr. Sobel says is already in the law but which is disputed. So it is a question of clarification and that clarification is critically important for American business. When a businessman has to sit down and decide whether he or she is going to participate in this process, the fact that that clarification has been written into the law is vitally important and I think is the difference that is going to make the difference between cooperation or non-cooperation on this issue.

Mr. Sobel. If I could just respond briefly. I do not think that the language that the subcommittee is considering is going to preclude litigation in any way. If the agencies' position upon receiving a request is that it is not covered because of this language, that is going to be litigated. So I think we are talking about litigation one way or another if information is submitted and requested and there is a dispute. My point is that at least under existing exemption 4 we have a body of caselaw that has been developed over the last 25 years and we are not going to have to wait for a lot of clarification on the meaning of new language. I do not think it is a question of litigation or no litigation. I think it is a question of how protracted is that litigation likely to be.

Mr. Woolley. One key point that I would like to make, if you will, from the voice of experience.
Companies involved with the financial services ISAC needed to know for certain that the information they were providing to the FS/ISAC was in fact locked down and would never get out or they would not share it. It was mandatory that was involved. As a result, we spent a tremendous amount of time developing a significant anonymity system with checks and balances and rewrappers that could prove that the information that came in was completely anonymous. That was the only way that the financial services industry would participate. And now we have gotten very, very high participation from that industry and it is that anonymity that has now spawned the international ISAC and the worldwide ISAC that are now providing tremendous inputs. So I think that the issue needs to be there. If you do not have the anonymity, if you do not have the lock down, American corporations will not participate. They are too spooked about being dragged into any sort of litigation or disclosure that would be very detrimental to their organizations.

Mr. Horn. Yes, and this will be the last response to it. Go ahead, Mr. Oslund.

Mr. Oslund. Thank you, Mr. Chairman. In the NCC information sharing process, there is no anonymity when the participants share the information. It is a process that has been going on for a number of years and that is why we stress the trust relationships. Relationships have been developed so companies can share information directly. When we are talking about real time operations, and that is what information sharing for CIP is, you cannot share information under uncertainty. There has to be certainty that you can move this information forward and it will not be challenged. NSTAC felt FOIA legislation was needed for Y2K. And the conclusions are the same for CIP. The background materials we have provided to the committee demonstrate these conclusions were reached after a lot of deliberation. Thank you.

Mr. Horn. Thank you.
I now yield 10 minutes to the ranking minority member, Mr. Turner, the gentleman from Texas.

Mr. Turner. Mr. Sobel, you shared your concern a minute ago that the language in the proposed legislation would not preclude litigation. In fact, your opinion was that it might foment additional litigation. Going beyond that concern, could you please articulate any other concerns that you have about this exemption from liability. Is it your concern that it could be misused, that it could be used as a shield by a corporation that might be willing to disclose and therefore they would then be able to hide behind the shield of liability? I assume there is further concern other than the fact that you just think it will result in additional litigation.

Mr. Sobel. Well, I think from the perspective of the FOIA requester community there is always a concern about Congress stepping into the process of amending a statute that has worked very well for a long time. And there is a general apprehension about creating these piecemeal exemptions. The FOIA, as Congress amended it in 1974, contains nine very specific exemptions that have been construed by the courts and in our opinion really cover all of the harms that we are talking about here. I should note also it is not just exemption 4. There are situations where exemption 1 for classified information would come into play if we are dealing with defense contractors, for instance. Exemption 7's law enforcement protections would come into play, for instance, if a company is acting in the role as a confidential source. In the context of a hacking investigation, for instance, exemption 7's law enforcement protections would come into play. So the point is that we have a very well-developed FOIA scheme right now and there is a general apprehension to adding on piecemeal exemptions. Now with particular regard to this area, critical infrastructure protection, I think the concern is that we would be muddying the waters.
That you introduce a degree of uncertainty into the FOIA requesting process and the result is likely to be that a new barrier is going to be erected to the disclosure of information that should properly be disclosed that the subcommittee is not seeking to protect the disclosure of. So I think it is really a question of just muddying what is today some very settled water in this area and creating yet another excuse for not making information public.

Mr. Turner. Maybe I need you to pose a hypothetical for me to help me understand your concern. Because the first impression I have when you talk about trying to view this from the point of view of the requester community is that, as I understand it, we are talking about information that the Government does not have and Freedom of Information is always, as I understand it, directed toward information the Government has. So we are talking about information that were it not voluntarily shared by a corporate entity, the Government would not have it anyway. So from a point of view of the requester community that is interested in preserving access to Government information, it seems to be fairly easy in my mind to say that the requester's concern really should not reach information that the Government really would never have anyway were it not for the voluntary relinquishment of it by a private entity.

Mr. Sobel. I think you have to start from the proposition that once the Government receives information, whether it is under mandatory requirements or provided voluntarily, that information starts to form the basis of what a Government agency is doing and it can in certain instances become an important indication of the operations of that agency.
Certainly, for instance, the Food and Drug Administration obtains a lot of information from private companies and in order for the public to really assess what the FDA is doing, you necessarily are going to need some access to that private sector information that has been provided to the agency. Now on the question of whether or not what we are talking about today is something new, the idea of voluntary submission of information to Government agencies, that is not new. In fact, that is the reason why the cases that I have cited in my testimony have arisen. The courts have specifically dealt with the question under exemption 4 of what should the standards be, what should the rules be when a company voluntarily submits information to an agency. So I think it is important to recognize that we are not writing on a clean slate here. There have been many instances in the past where agencies have received information voluntarily from private sector submitters, that information has been sought under FOIA, and those are the cases that have developed the caselaw that I am talking about which deals directly with the issue of voluntarily submitted information. In terms of the importance of this information, to sort of remove this from the theoretical realm, for instance, a local community in which a power plant or a nuclear plant or a water facility is located I think legitimately has some interest in knowing if there are vulnerabilities and safety problems in that facility that might form the basis of a so-called cyber security statement. I think we are going to need some mechanism for sorting that out. There are some very legitimate public interest reasons for making some of this information available. But again I come back to the way the courts have dealt with these issues. And they have been very protective of the private sector submitters. I believe that the courts have gone too far in this area. I want my position to be clear. 
I think a lot of the information we are talking about probably should be and could be made public without harm to the private submitter. But the courts have disagreed. But I think there is a lot of important health and safety information that can get caught up in this process.

Mr. Turner. Thank you.

Mr. Horn. I thank the gentleman. You have 2 minutes remaining. If Mr. Moran would like to get in the 2 minutes here, and then we will yield to Mrs. Biggert for 10.

Mr. Moran. Thank you, Mr. Horn. I have got to go back to another hearing, so I will leave after my 2 minutes. I appreciate the courtesy. Thank you. As I mentioned in my opening statement, the reason why Mr. Davis and I returned from the Chamber of Commerce meeting and came up with this legislation is because there was such a widespread view that companies simply could not cooperate to the extent that was necessary and that was requested by the Federal Government and that I think they knew was in their long-term best interest because of their concern about FOIA. And so we have a situation here where regardless of what your point of view might be, Mr. Sobel, perception is reality. If the general counsels of these firms feel that FOIA is a very serious threat to the privacy of this information and to the viability of their corporation, they are simply not going to cooperate in the way that they know is in the national security interest. I do not see why it is a problem even if we restate what is existing law. You are suggesting that it may complicate things. And I am only picking on you because you are the only one that has come up with what seems to be such an unreasonable point of view, Mr. Sobel. [Laughter.] I mean I would not do it if you did not deserve it. I am kidding there. We need somebody to be the devil's advocate here on the panel, and I appreciate you playing that role.

Mr. Sobel. Glad to do that.

Mr. Horn. And I might add unanimous consent for the participation of our eloquent Irishman today.
And hearing no objection, you are free to participate. [Laughter.]

Mr. Moran. Thank you very much, Mr. Chairman, I appreciate that very much. Clearly, we do not have the level of participation, the initiative being taken by corporations who have very valuable information to share. And this is the reason why they do not feel that they can. It is not that they do not want to cooperate. And so even if we are restating legislation, clarifying that legislation, as Mr. Davis has suggested, it would seem to be meeting a very important need. And it took what, three decades or something to clarify the meaning of FOIA, three decades of litigation to make it clear what FOIA meant. We cannot afford to go through such an extended process of litigation to clarify the extent of sharing with regard to cyber attacks and cyber vulnerabilities. So it would seem that even if a lawyer might be able to make an argument that you could share that information, they nevertheless would be subjecting themselves to litigation, and that is what we do not want. So we want to facilitate the process. We have got very important national security interests at stake here. Every day as the sophistication of mischievous and malicious hackers increases, our vulnerabilities increase. As we have stated and as I know you are very much aware of, our entire economic and security infrastructure is at stake. We heard one story about some intelligence officials being given enough money to buy personal computers, two or three dozen of them, and they were told to pretend they were from North Korea and see if they could invade our security infrastructure. And sure enough, within a relatively short period of time they had access to enough computer systems that they could have shut down our power grid and invaded the most classified information. We cannot let that happen.
It is more effective, much easier, much less expensive to invade our information systems than it is to drop bombs on our large cities and power systems. I have been encouraged by the level of cooperation that the business community wants to express, wants to participate in. But if they have that concern, then we need to respond and to make it clear, to underscore, to clarify that they can exchange that information without fear of protracted litigation and exposing even greater vulnerabilities. So, it is a good piece of legislation. I am glad the vast majority of witnesses on the panel agree. I certainly appreciate your having the hearing, Mr. Chairman. I trust that we are going to be able to get the bill on the floor in an expedited fashion. Thank you, Mr. Horn.
Mr. Horn. We thank you. Since I am not a lawyer, and having listened to this discussion, I suggest we put a simplification in one of the findings that this is the Lawyer's Relief Act of the year 2000. [Laughter.] I now yield to Mrs. Biggert for 10 minutes for questioning.
Mrs. Biggert. Thank you, Mr. Chairman. Mr. Tritak, in your outreach efforts to coordinate with the private sector and initiate public-private partnerships, what hurdles have you run into? For example, does the fear of the Federal law enforcement community hinder your ability to work with the private sector in addressing cyber security problems before they occur?
Mr. Tritak. No, I would not say that law enforcement interferes with that activity. The fact is that the relationships between the Federal Government and private industry vary from sector to sector and company to company. There are many companies who feel very comfortable in an information exchange arrangement with Federal law enforcement, and a number of companies that participate in the National Infrastructure Protection Center exchange that kind of sensitive information.
There are others who are concerned that sharing information with the Government could precipitate investigations which can have an impeding effect on their ability to conduct business. And that is a hurdle that they view exists. Again, I think it is one of these things where when those kinds of concerns are expressed they need to be taken seriously to get to the core of what the problem may be. What I find very interesting, of course, is that when someone talks about whether industry is interested in dealing with Government, I think you cannot make it a broad statement because, for example, sometimes you may find companies feel more comfortable dealing with, let's say in the information technology area, dealing with the Commerce Department or dealing with the Defense Department, and others by tradition, for example the electric power industry, they have had very good, strong working relationships with Federal law enforcement well before the Information Age. So I think it depends--it depends on the culture of the industry, it depends on the nature of the type of information you are dealing with. Clearly, the roles and responsibilities at different agencies need to be defined over time. We are introducing a new, changing technology that is going to transform the way we all live, the way we do government, and the way we do business. I am sure that over time the respective roles of different governments and agencies are going to have to reflect that. And I think that as those adjustments are made, some of the issues that you have just raised, about industry's reluctance in certain cases and proactivism in others to deal with government, will be redressed.
Mrs. Biggert. Is there any fear that if there is more coordination then between the agencies of the Federal Government that this might affect how companies would deal with it?
Because information that they might feel comfortable about, for example, with the Commerce Department would be available to another agency.
Mr. Tritak. I think some have that concern, not all though. But some, yes.
Mrs. Biggert. Then version 1.0 of the President's National Plan for Information Systems Protection discusses the possibility that companies wishing to discuss possible systems vulnerability with the Federal Government may "be deterred from doing so because of the possibility that information disclosed to the Government could become subject to a request for public disclosure under" what we have been discussing, "the Freedom of Information Act."
Mr. Tritak. That has been a concern expressed by some companies, yes.
Mrs. Biggert. Can you provide an estimate of how much private sector information is being withheld as a result of this?
Mr. Tritak. I cannot say. I think to the extent that it has an inhibiting factor, it is the perception in certain cases that if the information may be used for reasons other than to help raise the level of security of the Nation's infrastructure is because it would become available to help address problems, that it can have a chilling effect. And depending on the companies and depending on their concerns, you never get to the point of deciding whether or not to give the information because your natural position is simply not to pass it on. And so it is hard to quantify. But I will say that it has been expressed and it has been expressed sufficiently so that I think it is not an isolated instance.
Mrs. Biggert. Thank you. Ambassador Johnstone, are private sector participants concerned about the threat of law enforcement investigations hindering their ability to deliver critical services?
Ambassador Johnstone. Actually, I do not disagree with Mr. Tritak. That is to say it is something that I have heard expressed.
But in the many, many companies that I have talked to about this whole issue, that has not been high on people's agenda, the concern over law enforcement per se. I think the fear of the loss of proprietary information, the fear of public disclosure of information that would not otherwise become public, the concern, and perhaps this touches on law enforcement, that people might not be exempt from sort of monopoly building kind of activities cause some level of concern. The antitrust side of the equation. An American company, and I will speak from my own experiences having run an American company for a number of years, whenever you sit down with competitors you are surrounded by a galaxy of lawyers who are constantly looking at the antitrust implications of what you might do, even what you might do related to safety procedures and things of that type. And so there is a great deal of concern in terms of the antitrust implications. It would be a great relief to companies to have some relief from those concerns. I think public disclosure is certainly another area. In terms of law enforcement and people's fear of being the subject of persecution, for example, that I have not actually encountered in terms of any individual contacts that I have had with businesses.
Mrs. Biggert. So there might be the concern about the law enforcement but you cannot really assess how much there is.
Ambassador Johnstone. I think that concern is less than the concerns in the other areas.
Mrs. Biggert. Then does the partnership work with private sector on networks to disseminate information in a timely manner on potential vulnerabilities from sector to sector?
Ambassador Johnstone. Well let me just say that the partnership got kicked off this last December in the first meeting in New York. We then hosted at the U.S. Chamber of Commerce a meeting of the partnership in the month of February and the next meeting is in July. So it is fairly embryonic and is just in its startup mode.
That being said, it certainly is the intent of the partnership, and certainly of the ISACs, to provide a maximum flow of information that will touch very much on the whole issue of network securities.
Mrs. Biggert. So this really is a goal of the partnership?
Ambassador Johnstone. Certainly.
Mrs. Biggert. OK. Then would you be willing to share information with the Federal Government when uniform legal principles are established to structure the boundaries of a public-private partnership?
Ambassador Johnstone. We would be willing to participate with the Federal Government on all aspects of working together to advance and to help protect the critical infrastructure, both when it comes to legislation as well as to working within the administrative framework.
Mr. Tritak. If I may, Congresswoman.
Mrs. Biggert. Certainly.
Mr. Tritak. Just a point of clarification. What the partnership, as I indicated in my testimony, aims to do is to encourage cross-sectoral dialog and activity to bring the owners and operators together, bring together other stakeholders involved. If the industry participants in that activity decide that it makes sense to create information-sharing arrangements amongst themselves, the partnership is one form in which that would be discussed, debated, and created. I think it is important though that the partnership itself is a forum to bring these issues to the fore for discussion. It is not in itself a super ISAC. It is not an organization that actually would do that as much as it would facilitate that development.
Mrs. Biggert. Thank you. And I cannot not ask Mr. Willemssen a question since he has been at so many of our hearings. So, Mr. Willemssen, could you tell us to what extent the regulations that exist within the Federal law enforcement community and with the Federal Government for reporting on the cyber attacks or threats or vulnerabilities, how do they overlap?
Mr. Willemssen. There are some overlaps from an organizational standpoint.
I would concur with Mr. Tritak's comments that there is a need for further definition and specificity on roles and responsibilities of Federal organizations so that the sectors and the private firms within those sectors know exactly who they are to deal with, what kind of information is going to be requested of them, what is going to be done with that information from an analysis perspective, and how the results of that analysis are going to be disseminated to others. Right now, that specificity does not exist. I know that Mr. Tritak and others are working on that and we would encourage them to continue doing that. That is definitely needed.
Mrs. Biggert. So right now this overlap is really hindering the ability to deliver or exchange information?
Mr. Willemssen. Yes. I think to the extent that further clarification can be provided, possibly in the next version of the National Plan which is due out this fall, that would be most beneficial to the private sector.
Mrs. Biggert. Thank you. Thank you, Mr. Chairman.
Mr. Horn. I thank the gentlewoman from Illinois. I just have two questions here and then I will turn it over to all of you again. This is directed at Mr. Willemssen. The General Accounting Office has commented extensively over the past 5 years on the number of problems confronting the Federal Government on addressing information security issues governmentwide and from agency to agency. In your view, Mr. Willemssen, does the lack of coordination and planning within the executive branch of the Government hinder its ability to be an effective cyber security partner in monitoring potential threats?
Mr. Willemssen. I think the lack of coordination has been a hindering factor. But I think there is a much bigger factor at play as it pertains to Federal agencies, and that is basic management of computer security issues. The Federal Government currently does not have its house in order on computer security and protection of its systems and data.
So coordination is definitely an issue. But what we would like to see are individual agencies taking computer security much more seriously than they have in the past and making sure that they have done the risk assessments, they have adequate protection in place, they have made their staff very aware of the criticality of this issue, and there is an overall central guiding management to make sure that it is a priority within the agency.
Mr. Horn. Has the General Accounting Office ever had a request from the Article III Judiciary on this area? I would think there is some mischief that could be made in that area.
Mr. Willemssen. We do currently have a request looking at critical infrastructure from a Senate Judiciary Subcommittee. That work is ongoing.
Mr. Horn. In relation to the Article III Judiciary?
Mr. Willemssen. I do not believe it specifically covers that. But if I may, Mr. Chairman, get back to you and answer that for the record.
Mr. Horn. You might want to talk with the Administrative Office of the U.S. Courts and see what is happening.
Mr. Willemssen. Yes, sir.
[The information referred to follows:]
Our ongoing work on critical infrastructure protection does not address article III-related entities.
Mr. Horn. The General Accounting Office has offered its view in support of the creation of a Federal Chief Information Officer, a CIO that would centrally manage information technology, including information security, in its comments on Senate bill S. 1993. In your view, would a central coordinating office within the Federal Government on critical infrastructure protection that would work with both the public and private sectors overcome some of the similar obstacles to management and overlapping regulation that you have mentioned?
Mr. Willemssen. We are supportive of a strong central CIO position.
In addition, we think, and it is instructive to look at Y2K as a lesson here, top management attention to a critical national issue is absolutely invaluable in making sure that the issue is adequately addressed in working with the public and private sector. So to the extent that an overall national coordinator can help fill that role, we think that would be beneficial. But to the extent that it is a separate position, we need to make sure that it works with the institutions in place that have an overall focus on CIO issues. I do not think you can take a critical infrastructure and computer security and put it off on the side necessarily. You still have to work in tandem with overall management of information technology.
Mr. Horn. Well, it is an interesting view and we might be discussing this in the next few weeks because we have a few thoughts on the institutional aspects of the Presidency and how you relate to the departments. So I thank you for that view, and there might be a few other views. Let me ask my colleagues here, the gentleman from Texas, do you have some more questions you would like to ask?
Mr. Turner. I have no further questions.
Mr. Horn. The gentleman from Virginia?
Mr. Davis. No questions.
Mr. Horn. The gentlewoman from Illinois? No? There might be a few questions we will send you and we would appreciate it if you could just bat us out a simple answer to complete and round out the record. We again thank you for doing the last minute in a hurry. I suspect you were like the students in their senior year, they want to graduate and they stay up all night. So thank you for your energy and thank you for your wisdom on this. We appreciate it very much. I now want to thank the staff for both the majority and the minority. On my immediate left, your right, is J.
Russell George, the staff director and chief counsel of the Subcommittee on Government Management, Information, and Technology; Bonnie Heald, the director of communications, is in the back; Bryan Sisk, our clerk; Will Ackerly, intern; Chris Dollar, a new intern; and Meg Kinnard, a new intern. With Mr. Turner's staff, Trey Henderson is the counsel; Jean Gosa is the minority clerk. And our official reporter of debates, whom we thank, is Elisabeth Lloyd. And Mr. Davis' staff has done some excellent work, and I know that from working with them over the last few months, and that is Melissa Wojack and Amy Herrick. We thank you for all the work you have done on this legislation. If there are no further questions, we thank you all.
Mr. Davis. Mr. Chairman, let me just add that if anyone on the committee would like to serve as a cosponsor as this bill moves up, we would be happy to put your name on it.
Mr. Horn. OK. Thank you. We will now adjourn this hearing.
[Whereupon, at 11:53 a.m., the committee proceeded to other business.]
[Additional information submitted for the hearing record follows:]


