COMMITTEE ON SCIENCE
U.S. HOUSE OF REPRESENTATIVES
HEARING CHARTER
Cyber Terrorism – A View From the Gilmore Commission
Wednesday, October 17, 2001
10:00am – Noon
2318 Rayburn House Office Building
1. Purpose
On Wednesday, October 17, 2001 at 10:00 a.m. the House Committee on Science will
hold its second hearing to examine the vulnerability
of our nation’s computer infrastructure as well as research-related challenges
and opportunities facing the nation’s network security infrastructure and
management.
Testifying before the committee will be The Honorable
James S. Gilmore, III, Governor of the Commonwealth of Virginia and Chairman of
the Advisory Panel to Assess Domestic Response Capabilities for Terrorism
Involving Weapons of Mass Destruction.
Governor Gilmore will assess the threats to our nation’s information
infrastructure, describe the level of preparedness to address these threats,
and describe steps that need to be taken to ensure that Federal, state, and
local governments are prepared to respond.
2. Background
The terrorist attacks of
September 11, 2001 brought into stark relief the nation’s physical and economic
vulnerability to attack within our borders.
The relative ease with which terrorists were able to implement their
plans serves as a pointed reminder to the nation to identify critical ‘soft
spots’ in the nation’s defenses. Among the nation’s vulnerabilities are our
computer and communications networks, upon which the country’s economic and
critical infrastructures for finance, transportation, energy and water
distribution, and health and emergency services depend. The existence of these vulnerabilities has
called into question the extent to which the nation’s research programs, educational system, and interconnected
operations are able to meet the challenge of cyber warfare in the 21st
century. The Los Angeles Times in a recent editorial emphasized the
importance of meeting this challenge:
“A cyberterrorist attack would not carry the same shock and carnage of
September 11. But in this information
age…one could be more widespread and just as economically destructive.”
For additional information, refer
to the charter for the full Committee hearing held on October 10, 2001 entitled
Cyber Security—How Can We Protect American Computer Networks from Attack?
located at http://www.house.gov/science/full/oct10/full_charter_101001.htm
The Gilmore Commission
Congress authorized the
establishment of the Advisory Panel to Assess Domestic Response Capabilities
for Terrorism Involving Weapons of Mass Destruction (Gilmore Commission) in
1998 as part of P.L. 105-261, the Strom Thurmond National Defense Authorization
Act for Fiscal Year 1999. The Act
required the Secretary of Defense, in consultation with the Attorney General,
the Secretary of Energy, the Secretary of Health and Human Services, and the
Director of the Federal Emergency Management Agency to enter into a contract
with a federally funded research and development center (FFRDC) to establish an
expert panel to assess Federal, state, and local capabilities for responding to
terrorism involving weapons of mass destruction. The National Defense Research Institute, a division of the Rand
Corporation, was awarded the contract and selected the 20 members of the panel
in consultation with the Secretary of Defense. In April of 1999, Defense Secretary Cohen announced the
selection of Governor Gilmore to serve as Chairman of the Commission. The Gilmore Commission’s charter will
expire on February 17, 2002.
First Annual Report – Assessing the Threat
The Gilmore Commission
released its first annual report in December of 1999 entitled “Assessing the
Threat.” The Commission noted that
there has been a trend toward increasing lethality in terrorism over the past
ten years and that terrorists may feel less constrained from using weapons of
mass destruction “in an attempt to cause mass casualties, especially following
the precedent-setting attack in 1995 by the Aum Shinrikyo. For the Gilmore Commission, this event
marked a turning point in the history of terrorism requiring a reexamination of
the motives and means by which terrorists would attempt to accomplish their
aims.
The 1995 Aum attack illustrated the potential lethality of non-state
sponsored terrorist attacks. In response, President Clinton signed Presidential
Decision Directive 39 (PDD 39). This
PDD directed Federal agencies to improve domestic response capabilities to
manage the consequences of attacks employing unconventional weapons. A year later, “The Defense Against Weapons
of Mass Destruction Act” was enacted as part of P.L. 105-261. A key component of the Act focused on programs
to enhance state and local emergency response capabilities.
The Gilmore Commission concluded that despite this increase in attention
and funding, the nation still lacked a comprehensive national strategy that
could guide efforts to design integrated national domestic preparedness plans
to combat terrorism. These plans must recognize
that state and local authorities usually provide the first response to
terrorist events and are responsible for addressing preparedness and long-term
community consequences.
The threat assessment conducted by the Gilmore Commission did not offer a
formal assessment of the threat posed by cyber terrorism but concluded that the
issues of cyber terrorism, while not conventionally included within definitions
of weapons of mass destruction, were so interrelated to the forms of terrorist
activity they had considered that they could not be ignored. The Commission
stated that it would “consider issues related to cyber terrorism
in its activities, and include in its subsequent reports conclusions and
recommendations on the subject.”
Second Annual Report—Toward a National Strategy for Combating Terrorism
The Gilmore Commission released its second annual report entitled Toward
a National Strategy for Combating Terrorism in December 2000. This report built upon the threat
assessment provided in the previous report by conducting a broad program
assessment of Federal, state and local efforts to prepare for terrorist
attacks. The Commission made five
findings with corresponding recommendations.
In addition, the Commission made six specific functional recommendations,
including recommendations for research and development, national standards, and
the provision of cyber security against terrorism (see appendix II).
The Commission offered a scathing critique of existing Federal efforts to
ensure domestic preparedness against terrorism. It concluded that instead of a coherent and integrated strategy,
the nation had a loosely coupled set of plans and programs with varied
objectives. The Commission reiterated
concerns raised in its previous report and recommended that the next President
develop and present a coherent national strategy for combating terrorism within
one year of assuming office. This
strategy was to be based upon the following assumptions:
· Local response entities (law enforcement, fire service, etc.) will always be the first and potentially the only response to a terrorist event;
· In the event of a major terrorist assault, no single jurisdiction will be able to respond without outside assistance;
· Existing emergency response and management capabilities, developed for response to natural disasters, disease outbreaks and accidents should be used as a base for enhancing our domestic capability for response to terrorist attacks; and
· The national strategy should address the full spectrum of our efforts against terrorism—intelligence, deterrence, prevention, investigation, prosecution, preemption, crisis management, and consequence management.
National Office for Combating Terrorism (NOCT)
The Commission called for the statutory creation of a National Office for
Combating Terrorism in the Executive Office of the President responsible for
developing and coordinating a national strategy. The office should be comprehensive, with responsibility for
efforts to deter, prevent, prepare for, and respond to both international and
domestic terrorism. The office should
have at least five major sections, each headed by an Assistant Director: 1) domestic preparedness programs, 2)
intelligence, 3) health and medical programs, 4) research, development, test,
and evaluation and national standards, and 5) management and budget. The office would have some program and
budget authority and would provide direction and priorities for research and
development and related test and evaluation, as well as for developing nationally
recognized standards for equipment and laboratory protocols and techniques.
Research, Development, Test and Evaluation for Combating Terrorism
The Gilmore Commission concluded that the strategy developed by the NOCT
must include a comprehensive plan for long-range research as well as a clear
set of priorities for research and development. To accomplish this, the Commission recommended that the NOCT
should enter into a formal relationship with the Office of Science and
Technology Policy (OSTP) or have members of the OSTP staff detailed to the NOCT
on a rotating basis. The top
priorities for targeted research included responder personnel protective
equipment, medical surveillance, identification and forensics; improved sensor
and rapid read out capability for identifying chemical or biological agents,
vaccines and antidotes, communications and interoperability.
National Standards for Equipment, Training, and Laboratory Processes
No single jurisdiction will be capable of responding to a major terrorist
attack without assistance. As a
result, the Gilmore Commission concluded that the development of national
technical standards is a critical element of an effective national plan. The Commission recommended that the
Assistant Director for research, development and standards establish a national
standards program for combating terrorism with a focus on equipment, training
and laboratory processes. The
objectives for equipment standards would be nationwide compatibility and
increased availability of dual or multi-use equipment that could be utilized in
both terrorist-created and accidental emergencies (e.g., disease outbreaks or
fires). For training, the objectives would be interdisciplinary curricula and
training exercises based upon realistic scenarios. The objectives for laboratories would be strict protocols for
forensics and for the identification and reporting of chemical and biological
agents. The Commission states that the ultimate goal
for this program should be certification of specific equipment, training and
laboratory protocols and dissemination of a digest of certifications for use by
response agencies.
The Commission recommended that the National Institute for Standards and
Technology (NIST) and the National Institute for Occupational Safety and Health
(NIOSH) be designated as co-lead agencies.
Certification standards developed by these agencies should be developed
in coordination with Federal agencies and with input from state and local
response entities, professional organizations that represent response
disciplines, and private and quasi-public certifying entities.
Providing Cyber Security Against Terrorism
The Gilmore Commission noted that “cyber attacks incident” to conflicts
in the Middle East “emphasized the potentially disastrous effects that such
concentrated attacks can have on information and other critical government and
private sector electronic systems.”
The Commission concluded that while not “mass destructive,” attacks on
our critical infrastructure would certainly be “mass disruptive.” It also concluded that the most likely
perpetrators of cyber attacks on critical infrastructures are terrorists and
criminal groups rather than nation-states.
As a result, the Commission predicted that detection of these attacks
would fall primarily to the private sector and to local law enforcement
authorities.
In light of this, the Commission concluded that greater efforts must be
made to establish effective partnerships with the private sector and to improve
coordination with state and local governments.
In particular, private sector cooperation is essential to response
efforts in the areas of deterrence, detection, identification, prevention,
response, recovery, and restoration.
The Committee reported that it would focus on specific aspects of
information infrastructure protection in the third and final report. A preliminary list of items to be considered
in the next report included information assurance research, security standards
for emerging technologies, legal issues (tort liability, antitrust patent and
copyright protection, FOIA, privacy and insurance), and critical infrastructure
alert, warning and response.
3. Witnesses
The Committee will receive testimony from the Honorable James S.
Gilmore, III, Governor of the Commonwealth of Virginia and Chairman of the
Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving
Weapons of Mass Destruction.
4. Questions
Governor Gilmore will be asked to discuss the following questions in his
testimony:
1. What are the
current and potential threats to cyber security and how equipped are we to
address them?
2. What
are the unmet challenges in computer/network security as they relate to
terrorism? What types of research are
needed to protect critical information systems from attack and what role do
standards play in protecting critical information systems?
3. How
effective are the various industry/government/academic cooperation mechanisms –
particularly those mechanisms relating to law enforcement – at countering
terrorist threats to our information infrastructure? How can government and/or federal funding help prioritize and
encourage more industry and university-based research and cooperation in
information assurance?
4. What
are your views on the current state of information assurance education and
training? What are the gaps in
education and training as they relate to information assurance?
5. APPENDICES
Appendix I—Charter of the Advisory Panel to Assess Domestic Response Capabilities
for Terrorism Involving Weapons of Mass Destruction (Gilmore Commission)
Appendix II-Membership List
Appendix III-Executive Summary from the First Report
Appendix IV-Executive Summary from the Second Report
Appendix V-Presidential Decision Directive 39 (Unclassified)