Congress of the United States
U.S. House of Representatives
* * * * *
Hearing of the
Committee on Science
October 17, 2001
* * * * *
Governor James S. Gilmore, III
Governor of the Commonwealth of Virginia
Panel to Assess the Capabilities for
Response to Terrorism Involving Weapons of Mass Destruction
Chairman Boehlert, Ranking Member Hall, members of
the Committee, I would like to discuss with you the recommendations of the
Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving
Weapons of Mass Destruction, a national panel established by Congress in
For three years, it has been my privilege to work
with a bi-partisan group of experts in a broad range of fields – many from
outside the Washington Beltway – including current and former federal, state
and local officials and specialists in terrorism, intelligence, the military,
law enforcement, emergency management, fire services, medicine and public
One member of our Panel – Ray Downey – served for
years as the Chief of Special Operations for the New York City Fire
Department. Ray was one of the first
emergency responders to arrive at the World Trade Center on September 11. As of today, Ray is officially listed as
“missing,” and our prayers go out to Ray and his family.
The Panel has had nearly three years to study the
threat of terrorism, deliberately and quietly without the pressure or blur often
associated with a crisis, and we have fulfilled our statutory duty to report
our findings to Congress and the President in two reports – the first report issued in December of 1999, and the second
issued in December of 2000.
The Panel is preparing to send to the
President and Congress an interim third report in the next several days to
provide you the benefit of our current work, and a more detailed report in
I would like to summarize our key recommendations
for you today, with special emphasis on our most recent recommendations and
their impact on the Nation’s preparedness for cyber attacks.
In light of the experience of September
11, let me say that our recommendations remain valid. What has changed is the urgency with which they should be
Summary of First & Second Report Recommendations
In our first report, we provided a
comprehensive assessment of the actual threat of a terrorist attack on
U.S. soil ...
First and foremost, we said the threat of a
terrorist attack inside our borders – with unprecedented lethality – was
inevitable and that the United States should prepare.
We called for a national strategy to address the
full spectrum of possible attacks – including cyber attacks.
And we stressed, at the outset of our work, the
paramount importance of preserving our citizens' constitutional rights and
Our second report, issued a year later,
in December of 2000, proposed about 50 recommendations for improving our nation's preparedness against the threat of terrorism
identified in our first report.
Most importantly, the second report emphasized the
need for a national strategy. The federal government cannot address this
threat alone. All levels of government
as well as the private sector and our research universities have capabilities,
resources, assets, experience and training that must be brought to bear in
addressing this threat.
We also need new public and private partnerships –
particularly in the protection of our Nation’s communications and Internet
infrastructure – because 80% of our Nation’s infrastructure is owned and
operated by the private sector.
called for creation of a national office for combating terrorism in the
Executive Office of the President, with responsibility for developing and
implementing a comprehensive national counter-terrorism strategy approved by
Bush has adopted this recommendation and has appointed the right man in
Governor Tom Ridge to head this office.
Bush also has tapped a career professional in Richard Clarke to advise the
White House on Cyberspace Security.
Understanding the Threat of a Cyber Attack
Prior to September 11, many people questioned
whether nation-states or rogue terrorists had the capability to disrupt our
critical infrastructures on a wide scale.
Since September 11, we must presume they do.
Critical information and communication
infrastructures are targets for terrorists because of the broad economic and
operational consequences a shutdown can inflict.
Our banking and finance systems, our “just-in-time”
delivery system for goods, our hospitals, our state and local emergency
services … all of these critical services rely upon their information
connections and databases to … each is critical to the American economy and
health of our citizens … and each can be shut down or severely handicapped by a
Consider the economic disruption caused by four
airplanes crashing into buildings:
markets were shut down for over a week as companies struggled to restore
communications and recover important IT assets;
was halted on our Nation’s principal stock exchanges for nearly a week;
networks in and around New York City were so congested that emergency fire,
medical, and police were unable to use cellular services for critical rescue
and recovery efforts;
and businesses suffered uncertainty that their communications systems would be
insurance sector’s resources have been severely strained, raising concerns
about their ability to provide sufficient levels of protection for cyber-based
attacks in the future.
These were all collateral impacts for the
information technology sector. Just
imagine the impacts of a direct assault upon the information technology
Whether the threat manifests itself in the form of a
physical attack against computer
hardware and real property that houses critical portions of the Nation’s
Internet backbone, or in the form of a cyber
attack against computer software and the Internet controls, America’s
cyberspace needs protection.
Protections against physical attacks will remain primarily
conventional, such as security systems and security guards. The intelligence community also will have to
detect plots and communicate that information to the private owners in enough
time to permit security precautions.
Of course, in the case of a catastrophic physical
attack like September 11, back-up systems and redundancies must be in place.
But cyber attacks are more complex.
Digital hijackers don’t have to walk through metal detectors or occupy a
cockpit to spark a cyber blackout.
We need only look at the
consequences of cyber-hackers and recent viruses like Code Red and Nimda to
contemplate the severe economic and governmental harm that could be inflicted.
The impact could be ten times
greater if the hacker is a well-financed cyber-terrorist intent on ruining a
major financial institution or an entire state government’s central computer.
Security against cyber attacks,
therefore, will require far greater coordination and cooperation between
private companies, the federal and state government agencies, universities, and
law enforcement. It will require new
protocols and an unprecedented level of trust and cooperation.
These are not new issues. And as the Governor of Virginia, I have been
concerned long before last month’s tragedies about the security of Virginia’s
critical information assets, and for a very important reason: no other state or region has the
concentration of both public and private critical information assets as are
found in Virginia:
two premiere national
the only shipyard
capable of building nuclear submarines at Newport News,
the Federal Reserve
Bank in Richmond, and
many other critical
public sector and Federal facilities.
the civilian and private side, more than 50 percent of the country’s Internet
traffic flows through Mae East in Northern Virginia. We are home to the highest concentration of critical data
centers, including those of America Online, Worldcom, Global Crossing,
Verisign’s domain registry, and others.
The security of these facilities – and their significance
for public and private sector operations far beyond Virginia’s borders – has
presented a major issue for our State.
Therefore, nearly two years ago, I directed
Virginia’s Secretary of Technology, Don Upson, to work closely with the Federal
Critical Infrastructure Assurance Office in the Department of Commerce.
The Director of that office, John Tritak, together
with Secretary Upson, key members of our General Assembly, a special advisory
commission with private sector and university representation I established, and
the Virginia Attorney General, are developing a plan that could serve as a
blueprint for our national strategy.
Under the Virginia plan, the first step is to
catalog our critical information assets – public and private, real estate and
databases. As new assets come into
operation, they will be added to the list.
The second step is to propose a comprehensive
program to manage each asset’s unique risk.
And the third step is to coordinate our preparedness
with other states, industries, the public and certainly the Federal government
that may depend upon the services and capabilities of each asset.
All states need such a plan, and each plan needs to
be woven into a national network so that the Nation’s critical assets are
catalogued, independent back-ups can be prepared at separate locations, and
each asset’s connections to other critical functions can be understood in order
to limit collateral damage through redundancies and firewalls.
Included in that plan are important legislative and
policy proposals to protect critical and highly sensitive information about
For example, Virginia’s Freedom of Information Act
restricts public access to security systems used to protect data and
telecommunications systems and even some engineering and construction drawings
for public buildings.
The Virginia FOIA framework is not perfect, but does
afford protections the Federal government and other states should consider.
We also have tapped the expertise housed in our
universities to provide valuable research and training today’s security
Two public universities in Virginia, James Madison
University and George Mason University, are among seven universities designated
nationally by the National Security Agency as centers of excellence for
Richard Clarke, the President’s new Cyber Security
Advisor, has visited these universities and hopefully they will provide a
blueprint for other government agencies.
In terms of Virginia’s government operations, we are
in the process of deploying highly secure software so that information and
attachments transmitted via e-mail over the Internet meet the highest
Department of Defense security standards.
Yesterday, in fact, a major pilot project to secure
the email of my office and cabinet, and the state police, was launched. I hope to move quickly to extend this
security across all Virginia government.
The cost is low, the application is seamless to the
user, and the benefit obviously is great.
The national Panel I chair also has identified
cyber-security as a critical issue.
Our Panel undertook its first year of work just as
the Nation was busily preparing for potential problems associated with Y2K.
experience led us to consider a “holistic” counter-terrorism strategy that
balances defenses for all types of threats:
weapons of mass destruction, conventional weapons, and cyber
This conclusion has been further validated by
briefings from federal officials and most notably from states and communities.
For example, we have documented, in a national
survey of local first responders – fire, rescue, police and health
organizations – their need for federal assistance to strengthen their
communications and computer systems against cyber attacks.
We also concur with the Government Accounting
Office’s conclusion, reported in April 2001, that the FBI’s National
Infrastructure Protection Center (NIPC) has been hampered in its efforts to
provide a universal cyber security program across all government agencies and
particularly the private sector – and that more needs to be done to coordinate
the various federal offices with bits and pieces of cyber security
Most importantly, the Panel focused on the level of
coordination and multi-disciplinary advisory bodies critical to resolving the
patchwork quilt of public and private cyber security issues, and several of our
recommendations directly address this critical need.
The point we want to make is that, as our Nation
develops a comprehensive national strategy to address our homeland security,
our preparedness for conventional, Weapons of Mass Destruction and cyber
attacks must be fully integrated at the community, state and federal levels and
must include the participation of the private sector – all relevant
stakeholders from the technology community must answer a call to arms.
With this paradigm in mind, I would like to spend a
few minutes outlining some of our recommendations regarding Cyber Security:
the White House recently announced new initiatives related to cyber security,
including the creation of an interagency cyber security panel with
representatives of 23 federal agencies.
This is a critical first step.
Based upon the significant inter-dependencies between local, state and
federal agencies as well as the private sector in deterring, preventing and
responding to cyber-attacks, and all facets of terrorism, there must be the
capability to ensure significant input and representation from all
"stakeholders" in the process.
This will ensure an effective top-to-bottom national solution.
the complexity of the subject demands closer attention. We recommend Congress create an independent
advisory body similar to our Panel to evaluate programs designed to promote
cyber-security and recommend strategies to the President and Congress. This advisory commission should conduct a
thorough review of federal statutes to update statutes implicated by homeland
cyber security. We would envision a
Panel much like ours that can study the issues and make reasoned
recommendations regarding executive branch coordination for Governor Ridge to
implement, and statutory changes for Congress to enact.
cyber-security will require an unprecedented partnership between the public and
private sectors. Sharing of
intelligence and real time information concerning impending or on-going cyber
attacks will be critical. The private
sector has legitimate concerns about their customers’ privacy and confidence,
as well as the value of their own proprietary information and earnings. At the
same time, some government agencies needing security critical data have
responsibilities for protecting the people of the United States. Conflict is inevitable. Thus, we recommend that Congress create a
not-for-profit entity that can represent the interests of all affected
stakeholders – public and private – including national security, law
enforcement and other government functions, business and industry interests to
provide cyber detection, alert and warning functions. A seismic shift in our way of thinking and cooperating will be
required, and so a not-for-profit organization devoted solely to the task of
resolving these conflicts is recommended.
we recommend the establishment of a special "Cyber Court" patterned
after the court established in the Foreign Intelligence Surveillance Act
(FISA). Prosecutors and investigators
are often impeded in the enforcement process because of the lack of effective
procedures and understanding by many in the judiciary concerning the nature and
urgency of cyber security. This is more
the result of our rapid transformation into the information age than neglect. A court dedicated to criminal cyber conduct
can develop the needed expertise to act appropriately on investigative
activities while ensuring the protection of civil rights and liberties. We envision an electronic, real time and
secure method for prosecutors to contact a "cyber judge" on short
notice using a process similar to FISA applications.
we need an entity to develop and implement a comprehensive plan for research,
development, test and evaluation of processes to enhance cyber security in the
same manner as we must do for other potential terrorist attacks. This is where our colleges and universities
can have a dramatic impact not only in developing needed immediate capacity,
but in training the next generation of "cyber soldiers" to protect
our critical information systems and infrastructures. The Institute for Security Technology Studies at Dartmouth
College is providing resources to form the basis for establishing such an
entity. This effort cannot and should
not be the role of one but rather a publicly-funded consortium of many
not-for-profit universities and think-tanks.
we recommend that all government agencies continue their Y2K offices as “cyber
Conclusion – A New Approach
Mr. Chairman and members of the Committee, the
horrifying events of September 11th have indeed changed our nation forever.
Terrorism attacked freedom that
day. And, as we move to rebuild, we
must remember that the Internet and information technologies are tools of
freedom in the 21st century.
We must move swiftly to protect those tools as well as the freedom they
Our Panel concluded, after much thoughtful debate
over the past three years, that what we need are not major structural changes
among federal agencies or in our states and communities.
Rather, we need to marshal the efforts of millions
of government workers, the intellectual power housed in our universities, and
the entrepreneurial spirit of our private sector toward a common goal of
enhanced Homeland Security to deter, prevent, detect, and should our vigilance
falter, to respond when attacks occur.
Defense of freedom will require nothing less.
The President has put in place the structure. Governor Ridge is developing the
strategy. And it is incumbent upon all
of us to assist in its implementation in the defense of freedom and the
American way of life.
# # #