Assistant Secretary for Infrastructure Protection
Acting Director, National Cyber Security Division
Department of Homeland Security
Subcommittee on Cybersecurity, Science, and Research & Development
Statement of Robert Liscouski - September 16, 2003
Good morning Chairman Thornberry and Members of the committee.
My name is Robert Liscouski. I am the Assistant Secretary for Infrastructure
Protection and Acting Director of the National Cyber Security Division (NCSD)
within the Department of Homeland Security. I am pleased to appear before your
Subcommittee to discuss some of our efforts to protect and secure our Nation’s
critical infrastructure.
Last week’s observances of the two-year anniversary of the September
11th attacks offer a stark reminder of the threats and vulnerabilities we as
a Nation still confront. The Department’s Information Analysis and Infrastructure
Protection Directorate (IAIP) was established by the Homeland Security Act
to lead the Nation’s efforts to prepare for, prevent, respond to, and
recover from terrorist attacks like those perpetrated on 9/11. These terrorist
acts may manifest in many forms, including physical and cyber attacks against
our critical infrastructure, key assets, and national icons. Both physical
and cyber assets have vulnerabilities that may be exploited by our enemies.
The highly interconnected nature of our infrastructure makes these physical
and cyber weaknesses impossible to separate – and difficult to address
separately. Our protection methodology leverages an integrated physical/cyber
protection approach to reduce vulnerabilities and to optimize our response
when an attack does occur.
From the beginning of DHS, the IAIP directorate, which includes the
Infrastructure Protection Office for which I am responsible, has implemented a
dedicated organization committed to protecting physical assets. The organization
is called the Protective Security Division (PSD). Recognizing the equal
importance of protecting cyber assets, we created the National Cyber Security
Division on June 6 of this year. These organizations within the Infrastructure
Protection Office work together to implement the integrated protection
methodology that I previously discussed.
Today, I am here to give you a progress report on where we are now, and what we
have in store for the coming months and years to implement the President’s
National Strategy to Secure Cyberspace.
I am pleased to announce that Amit Yoran has been formally named as the Director
of the NCSD effective today. Mr. Yoran is a strategic, disciplined leader who
understands the unique threats and vulnerabilities manifested in cyberspace and
is an individual capable of managing a diverse, highly technical organization.
Mr. Yoran was most recently the Vice President for Managed Security Services at
Symantec Corporation where he was primarily responsible for managing security
infrastructures in 40 different countries. Before working with Symantec, Mr.
Yoran was the Founder, President and CEO of Riptech, Inc., a leader in
outsourced information security management and monitoring. Before working in the
private sector, he was the Director of the Vulnerability Assessment Program
within the Computer Emergency Response Team at the Department of Defense and the
Network Security Manager at the Department of Defense where he was responsible
for maintaining operations of the Pentagon’s network. Mr. Yoran’s leadership and
respect within the information security industry will further accelerate our
efforts in building the full NCSD team, and increasing the strength of our
public and private sector partnerships.
Since its formal establishment in June, the National Cyber Security Division has
worked closely with our partners in the private sector, including coordinating
response and mitigation of the Blaster worm and SoBig virus. Without these
coordinated efforts, the significant economic impact of these attacks could have
been much worse. In each situation, the Department’s cyber security
experts demonstrated the ability to quickly reach out to the security community,
rapidly assess emerging threats, and provide timely warnings to government,
industry, and the general public. These initial efforts were crucial—they
allowed the NCSD to establish its credibility and demonstrate its value
to the national and international cyber security community.
Since June, IAIP has been assembling a consolidated and coordinated team of
cyber security professionals. These experts were integrated from portions of the
National Infrastructure Protection Center (NIPC), Critical Infrastructure
Assurance Office (CIAO), Energy Assurance Office (EAO), and the Federal Computer
Incident Response Center (FedCIRC). Despite the many organizational and cultural
challenges associated with integrating these elements into one entity, our
initial efforts have yielded effective and tangible results. Creation of the
NCSD has enabled:
• Planning for consolidation of three 24x7 cyber watch centers;
• Formulation of a standardized incident handling procedure for responding to
cybersecurity events; and
• Creation of a single national focal point for cybersecurity leadership for
prevention, protection, and response to incidents.
The most recent accomplishment of the NCSD is the creation of the National
Computer Emergency Response Team (US-CERT). The US-CERT, in collaboration with
the private sector and leading response organizations, will improve warning and
response time to security incidents by fostering the development of detection
tools and utilizing common commercial incident and vulnerability reporting
protocols. This will increase the flow of critical security information
throughout the Internet community by leveraging the extensive resources and
brand of the Federal Government and Carnegie Mellon’s CERT/Coordination Center.
The CERT®/CC is a part of the Software Engineering Institute (SEI) and is
affiliated with Carnegie Mellon’s new Cyber Security Laboratory. A key enabler
of this partnership is the 19 years of leadership demonstrated by the U.S.
Department of Defense in its sponsorship of the SEI, a federally funded
research & development center. By integrating capabilities from the Government
(FedCIRC), Academia (The CERT®/CC), and the private sector (vendors of security
products and services), the US-CERT will provide a coordination center that, for
the first time, links public and private response capabilities to facilitate
communication across all infrastructure sectors.
Before detailing our future programs and initiatives, I would like to begin by
providing rationale behind the decision to treat physical and cyber security on
par with one another, within the IAIP directorate. I believe that this approach
is the correct one for three reasons.
First, cyber security cannot be a “stand alone” effort. As I described earlier
in my statement, the success of DHS as a Department, and IAIP specifically,
depends on our ability to protect the entire critical infrastructure against
physical and cyber attacks together. We realize the dominant components common
to all 13 critical infrastructures are physical and cyber components. To best
protect the country against attack, careful integration of both components is
required to achieve a holistic view of critical infrastructure vulnerabilities.
In fact, this view is validated by a common criticism voiced by the private
sector and security experts preceding the creation of the Department: physical
and cyber security were being addressed by the government independently. We
believe the physical and cyber domains are inextricably linked and
vulnerabilities cannot be effectively analyzed independently. Placing both
responsibilities under one Under Secretary and one Assistant Secretary has
ensured successful integration.
Second, the NCSD will identify, analyze, and reduce cyber threats and
vulnerabilities; disseminate threat warning information; coordinate incident
response; and provide technical assistance in continuity of operations and
recovery planning. With the creation of the NCSD, we have, for the first time,
implemented a single point of contact for the prevention, protection, and
coordination of response to incidents that will interact with all federal
agencies, private industry, the research community, State and local governments,
and other partners on a 24x7 basis.
Third, while the Director of the NCSD serves as the technical and operational
lead for cybersecurity issues, it is important to remember that the cyber
security issue will now be championed within IAIP by Under Secretary Frank
Libutti and myself. The Under Secretary and I have already demonstrated our
commitment to developing a world-class cyber security capability within the
Department and believe the continued implementation and full funding of the NCSD
is one of the top priorities for the IAIP Directorate. Furthermore, cyber
security research and development will be conducted in partnership with the
Department’s Science and Technology Directorate under the leadership of Under
Secretary Charles McQueary.
Now I would like to focus the remainder of my testimony on our plans for building
on our accomplishments of the last three months to fully implement the operational
NCSD in the coming months.
The Mission: Outreach, Prevention, and Remediation
As demonstrated by recent events, the consequences of a cyber attack can
manifest with little or no warning, on a widespread scale, and with tremendous
speed. Impacts can quickly cascade across multiple infrastructures, resulting in
widespread disruptions of essential services, significant economic losses, and
potentially endangering public safety and national security. The National Cyber
Security Division, therefore, is implementing its objectives through the timely
execution of three key mission areas – Outreach, Prevention, and Remediation.
Outreach
The NCSD will create, in coordination with the Office of Personnel Management
and the National Institute of Standards and Technology, cyber security awareness
and education programs and partnerships with consumers, businesses, governments,
academia and international communities.
An effective outreach program lays the foundation for the ultimate success
of all mission areas of the NCSD. Accordingly, the NCSD is championing the implementation
of awareness efforts and campaigns that use a multi-level approach to provide
awareness/educational tools for all users; for the home, awareness tools for
children, parents and teens; customized approaches for small, medium, and large
businesses; and for government agencies. Every level of user must realize they
have an equally important role in the security of cyberspace. The end user,
for example, needs to be informed about the technical aspects of security and
about their role as gatekeepers in a larger data and information sharing community.
The NCSD is aggressively pursuing an outreach agenda that will target groups
of citizens by providing education tools for children, parents, teachers and
business owners and operators. There are many effective existing programs and
the NCSD is developing partnerships with government agencies, such as the Federal
Trade Commission, non-profits like the National Cyber Security Alliance, and
the Internet Service Providers to establish and enhance awareness programs
for all users. We are working to build on existing public/private outreach
groups to assist the spectrum of users in securing their systems through implementation
of effective security practices.
One quick example is establishing National Cyber Security Days. As Americans
change their clocks twice a year, to Daylight Savings and Standard times, the
partnership of the NCSD and the National Cyber Security Alliance’s StaySafeOnline
Campaign asks consumers to use the days as reminders to assess their own
computer security. Computer security needs to be a regular consideration when
protecting a home. Just as consumers remember to lock their doors, so too should
they remember to secure their computers. As a result of this partnership with
the NCSD many other partners in the business and government communities are
starting to design their national ad campaigns around these two dates to further
amplify this important message.
At the same time, the NCSD is partnering with other federal agencies, including
Commerce, NSA and DOD, state and local government, private industry, and
academia to promote a well-trained IT security workforce.
Prevention
Consistent with law and policy, NCSD will coordinate closely with the Office of
Management and Budget and NIST regarding the security of Federal systems and
coordinate with Federal law enforcement authorities, as appropriate. NCSD will
leverage other DHS components including the Science and Technology Directorate,
the U.S. Secret Service and the Department’s privacy officer.
To achieve its mission, the NCSD is working with State and local governments,
and the private sector to conduct infrastructure vulnerability field
assessments, while providing the best and most cost-effective prevention and
protection strategies for “at risk” infrastructure facilities, assets, and
personnel. Due to the diversity of the critical infrastructure, cyber protection
strategies for each sector must be customized based on the unique geographical
and business operating models of that sector. Due to the highly interconnected
yet physically distributed nature of our critical infrastructure, prevention and
protection strategies are prioritized based on regional, State, and local needs
and on the need for cross-sector coordination.
We recognize that collaborating with industry, academia, and Government is a key
focus of our NCSD activities. With partnerships as the foundation for program
implementation, the NCSD will coordinate implementation of protective and
preventative measures to reduce America’s vulnerability to cyber attacks. It is
crucial that we improve existing public-private partnerships whose missions are
consistent with NCSD functions. A prime example is the National Cyber Security
Alliance, whose members have committed their time and resources to regularly
educating the home consumer and small businesses on good security practices.
With nearly all of the backbone of cyberspace owned by the private sector,
it is imperative that the NCSD strengthen its relationships with them. Fortunately,
there are mechanisms already in place to facilitate cooperation between industry
and government on cyber security, most notably the National Coordinating Center
(NCC) for Telecommunications and its Telecommunications Information Sharing
and Analysis Center (ISAC), which are each part of the National Communications
System (NCS) and IAIP. These entities provide the Department with direct access
to leading industry operational and security experts whose knowledge and insights
may prove crucial in managing a cyber incident. The NCSD, as part of IAIP,
also helps to support two CEO-level advisory committees, the National Security
Telecommunications Advisory Committee (NSTAC) and the National Infrastructure
Advisory Council (NIAC), which provide advice and counsel on national security
telecommunications and critical infrastructure matters, including cyber security
issues.
By acting as a champion for creating a national and international culture of
cyber security, we aim to promote a security culture at the CEO-level and demonstrate
to corporate leaders that cyber security ultimately promotes the resiliency
of their infrastructures, protects the interests of their shareholders and
corporate brand, and preserves value and competitive advantage for businesses
that implement security best practices.
Remediation
As I discussed earlier, the proactive response and recovery efforts associated
with the Blaster worm and SoBig computer virus offer the best evidence of the
value of partnerships. SoBig spread faster and more aggressively than any previous
email virus, affecting millions of residential, business, and government computers
worldwide. Internet traffic was substantially affected by these two events,
causing a 25% increase in internet traffic and infecting over 600,000 computers.
It had a significant impact on cross-sector communication and impacted productivity.
In August, when the Blaster worm surfaced on the Internet, the NCSD issued a
timely warning to security professionals, suggesting that Internet service
providers and other corporate network administrators shut off inbound traffic to
ports 135, 139, and 445 to block the spreading of the Blaster infection. Blaster
took advantage of a known vulnerability in a Windows operating system component
that handles messages sent using the remote procedure call (RPC) protocol. RPC
is a common protocol that software programs use to request services from other
programs running on servers in a networked environment. Vulnerable systems were
compromised automatically without any interaction from users. Through the
advisory, users were instructed to install the appropriate software patches to
prevent their computers from being infected. In the following weeks, the NCSD
continued to issue advisories warning security professionals that a variant of
the Blaster worm, dubbed "nachi," "welchia" or "msblast.D," was proliferating.
Working with Internet security researchers and experts from private industry
and academia, the Division and the FBI uncovered malicious code hidden within
the SoBig worm on twenty master machines that was programmed to launch a massive
denial of service attack. Federal authorities located the twenty computers
infected with this variant of the worm and asked their Internet service providers
to shut down their Internet access. As a consequence, the second wave of attacks
never materialized.
The NCSD recognizes that a cyber attack could cascade across multiple infrastructures,
causing widespread rapid disruption of essential services, and impacting our
national economy, public safety, and national security. While this generation
of worms has not yet resulted in irreversible damage (albeit slowing communication,
overstuffing e-mail inboxes, and reducing productivity), the NCSD is committed
to working closely with other government and law enforcement agencies, private
industry, as well as academia to help secure our cyberspace from future, and
potentially more serious malicious exploitation.
To this end, I am pleased to announce that we are beginning to organize a
National Cyber Security Summit for later this fall, in order to assemble key
industry and government leaders to energize decisions on several key National
cyber security issues. Key goals of the summit are to:
• Produce a common threat and vulnerability reporting protocol to enhance
prevention and response capabilities and to drive a standards-based system for
communicating threats and vulnerabilities across the Nation;
• Develop a Vulnerability Reduction Initiative to significantly reduce
vulnerabilities based upon improved evaluation standards, tools and measures for
software, new tools and methods for rapid patch deployment, and best practice
adoption of security for cyber systems across the critical infrastructure in
partnership with industry and the leading research universities in the United
States;
• Create an outreach and education partnership to offer training and awareness
to 50 million home users and small businesses in cyber security within one year;
and
• Formulate and ratify a National Cyber Security Road Map that defines
milestones, work streams, and metrics for “raising the bar” of cyber security
across the United States and identify work stream leads from government and
industry.
Since its inception, the National Cyber Security Division has delivered on its
commitment to provide a centralized coordination point for the collection and
dissemination of protective measures to reduce vulnerabilities and risks to the
cyber infrastructure through implementation of the Cyber Security Tracking
Analysis and Response Center (CSTARC). As announced in our press release on
Monday morning, CSTARC, through a partnership with Carnegie Mellon University’s
CERT®/Coordination Center, will evolve to a new capacity as a national Computer
Emergency Response Team (US-CERT). The US-CERT will enhance our Nation’s
prevention of and response to cyber threats and vulnerabilities. There are
currently over two hundred private sector groups, public sector groups, and
universities that operate computer emergency response teams (CERTs) within the
United States. Many of these groups have varying levels of informal and formal
partnerships with each other and with the US-CERT. This initiative will harness
this massive capability to significantly increase America’s ability to protect
against, and respond to, massive scale cyber attacks.
We view the US-CERT as a fundamental element of the DHS strategy to ensure
timely notification of all types of attacks, working toward having, within
a year, an average of a 30-minute response to any attack. Moreover, the US-CERT
will provide a coordination center that, for the first time, links all public
and private response capabilities and facilitates communication across all
sectors. US-CERT will also lead collaboration with the private sector to develop
and distribute new tools and methods for detecting and identifying vulnerabilities
in an effort to significantly reduce vulnerabilities. Lastly, US-CERT will
help improve incident prevention methods and technologies by identifying and
disseminating best practices and working with the private security industry
to improve warning sensor data collection and analysis.
Conclusion
The Internet and cyber technologies have greatly improved both the quality of
life for our citizens and the efficiency and productivity of our businesses and
our government. These societal and economic benefits are not without their
costs. Malicious actors are devising new and ingenious ways to exploit
vulnerabilities in those cyber systems, to disrupt our quality of life and to
threaten our national and economic security. Our ever-growing reliance on the
Internet and cyber systems compels us to counter these threats and
vulnerabilities by building productive partnerships with key stakeholder
communities in cyberspace, improving how we share information, and developing
and fielding innovative technical solutions. As the focal point for the
prevention, protection and coordination of response to incidents, the NCSD must
achieve its mission of ensuring the security of cyberspace.
We know this will not be an easy assignment. Much like the larger global war on
terrorism, this effort will take time, resources, dedication, energy, and hard
work to succeed. But in a few short months, we have made great strides and are
excited about the possibilities that the future offers. With the appointment of
the new Director of the NCSD, we have focused leadership to guide us forward, to
forge new alliances and partnerships, to implement new tools and capabilities,
and to provide a vision for cyberspace security.