IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Google Ads

Congress of the United States

U.S. House of Representatives

* * * * * * * * *

Hearing of the Committee on Science

October 17, 2001

* * * * * * * * *

Testimony of

Governor James S. Gilmore, III


Governor of the Commonwealth of Virginia



Advisory Panel to Assess the Capabilities for

Domestic Response to Terrorism Involving Weapons of Mass Destruction



Chairman Boehlert, Ranking Member Hall, members of the Committee, I would like to discuss with you the recommendations of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction, a national panel established by Congress in 1999.


For three years, it has been my privilege to work with a bi-partisan group of experts in a broad range of fields – many from outside the Washington Beltway – including current and former federal, state and local officials and specialists in terrorism, intelligence, the military, law enforcement, emergency management, fire services, medicine and public health.


One member of our Panel – Ray Downey – served for years as the Chief of Special Operations for the New York City Fire Department. Ray was one of the first emergency responders to arrive at the World Trade Center on September 11. As of today, Ray is officially listed as “missing,” and our prayers go out to Ray and his family.


The Panel has had nearly three years to study the threat of terrorism, deliberately and quietly without the pressure or blur often associated with a crisis, and we have fulfilled our statutory duty to report our findings to Congress and the President in two reports – the first report issued in December of 1999, and the second issued in December of 2000.


The Panel is preparing to send to the President and Congress an interim third report in the next several days to provide you the benefit of our current work, and a more detailed report in December.


I would like to summarize our key recommendations for you today, with special emphasis on our most recent recommendations and their impact on the Nation’s preparedness for cyber attacks.


In light of the experience of September 11, let me say that our recommendations remain valid. What has changed is the urgency with which they should be implemented.


Summary of First & Second Report Recommendations


In our first report, we provided a comprehensive assessment of the actual threat of a terrorist attack on U.S. soil ...


First and foremost, we said the threat of a terrorist attack inside our borders – with unprecedented lethality – was inevitable and that the United States should prepare.


We called for a national strategy to address the full spectrum of possible attacks – including cyber attacks.


And we stressed, at the outset of our work, the paramount importance of preserving our citizens' constitutional rights and civil liberties.


Our second report, issued a year later, in December of 2000, proposed about 50 recommendations for improving our nation's preparedness against the threat of terrorism identified in our first report.


Most importantly, the second report emphasized the need for a national strategy. The federal government cannot address this threat alone. All levels of government as well as the private sector and our research universities have capabilities, resources, assets, experience and training that must be brought to bear in addressing this threat.


We also need new public and private partnerships – particularly in the protection of our Nation’s communications and Internet infrastructure – because 80% of our Nation’s infrastructure is owned and operated by the private sector.


And we called for creation of a national office for combating terrorism in the Executive Office of the President, with responsibility for developing and implementing a comprehensive national counter-terrorism strategy approved by the President.


President Bush has adopted this recommendation and has appointed the right man in Governor Tom Ridge to head this office.


President Bush also has tapped a career professional in Richard Clarke to advise the White House on Cyberspace Security.


Understanding the Threat of a Cyber Attack


Prior to September 11, many people questioned whether nation-states or rogue terrorists had the capability to disrupt our critical infrastructures on a wide scale. Since September 11, we must presume they do.


Critical information and communication infrastructures are targets for terrorists because of the broad economic and operational consequences a shutdown can inflict.


Our banking and finance systems, our “just-in-time” delivery system for goods, our hospitals, our state and local emergency services … all of these critical services rely upon their information connections and databases to … each is critical to the American economy and health of our citizens … and each can be shut down or severely handicapped by a cyber attack.


Consider the economic disruption caused by four airplanes crashing into buildings:


        Financial markets were shut down for over a week as companies struggled to restore communications and recover important IT assets;


        Trading was halted on our Nation’s principal stock exchanges for nearly a week;


        Telecommunications networks in and around New York City were so congested that emergency fire, medical, and police were unable to use cellular services for critical rescue and recovery efforts;


        Companies and businesses suffered uncertainty that their communications systems would be available; and


        The insurance sector’s resources have been severely strained, raising concerns about their ability to provide sufficient levels of protection for cyber-based attacks in the future.


These were all collateral impacts for the information technology sector. Just imagine the impacts of a direct assault upon the information technology infrastructure.


Whether the threat manifests itself in the form of a physical attack against computer hardware and real property that houses critical portions of the Nation’s Internet backbone, or in the form of a cyber attack against computer software and the Internet controls, America’s cyberspace needs protection.


Protections against physical attacks will remain primarily conventional, such as security systems and security guards. The intelligence community also will have to detect plots and communicate that information to the private owners in enough time to permit security precautions.


Of course, in the case of a catastrophic physical attack like September 11, back-up systems and redundancies must be in place.


But cyber attacks are more complex. Digital hijackers don’t have to walk through metal detectors or occupy a cockpit to spark a cyber blackout.


We need only look at the consequences of cyber-hackers and recent viruses like Code Red and Nimda to contemplate the severe economic and governmental harm that could be inflicted.


The impact could be ten times greater if the hacker is a well-financed cyber-terrorist intent on ruining a major financial institution or an entire state government’s central computer.


Security against a cyber attacks, therefore, will require far greater coordination and cooperation between private companies, the federal and state government agencies, universities, and law enforcement. It will require new protocols and an unprecedented level of trust and cooperation.


Virginia’s Cyber-Security Measures


These are not new issues. And as the Governor of Virginia, I have been concerned long before last month’s tragedies about the security of Virginia’s critical information assets, and for a very important reason: no other state or region has the concentration of both public and private critical information assets as are found in Virginia:


        the Pentagon


        two premiere national laboratories,

        the only shipyard capable of building nuclear submarines at Newport News,

        critical NATO facilities,

        the Federal Reserve Bank in Richmond, and

        many other critical public sector and Federal facilities.


On the civilian and private side, more than 50 percent of the country’s Internet traffic flows through Mae East in Northern Virginia. We are home to the highest concentration of critical data centers, including those of America Online, Worldcom, Global Crossing, Verisign’s domain registry, and others.


The security of these facilities – and their significance for public and private sector operations far beyond Virginia’s borders – has presented a major issue for our State.


Therefore, nearly two years ago, I directed Virginia’s Secretary of Technology, Don Upson, to work closely with the Federal Critical Infrastructure Assurance Office in the Department of Commerce.


The Director of that office, John Tritak, together with Secretary Upson, key members of our General Assembly, a special advisory commission with private sector and university representation I established, and the Virginia Attorney General, are developing a plan that could serve as a blueprint for our national strategy.


Under the Virginia plan, the first step is to catalog our critical information assets – public and private, real estate and databases. As new assets come into operation, they will be added to the list.


The second step is to propose a comprehensive program to manage each asset’s unique risk.


And the third step is to coordinate our preparedness with other states, industries, the public and certainly the Federal government that may depend upon the services and capabilities of each asset.


All states need such a plan, and each plan needs to be woven into a national network so that the Nation’s critical assets are catalogued, independent back-ups can be prepared at separate locations, and each asset’s connections to other critical functions can be understood in order to limit collateral damage through redundancies and firewalls.


Included in that plan are important legislative and policy proposals to protect critical and highly sensitive information about these assets.


For example, Virginia’s Freedom of Information Act restricts public access to security systems used to protect data and telecommunications systems and even some engineering and construction drawings for public buildings.


The Virginia FOIA framework is not perfect, but does afford protections the Federal government and other states should consider.


We also have tapped the expertise housed in our universities to provide valuable research and training today’s security environment demands.


Two public universities in Virginia, James Madison University and George Mason University, are among seven universities designated nationally by the National Security Agency as centers of excellence for Information Security.


Richard Clarke, the President’s new Cyber Security Advisor, has visited these universities and hopefully they will provide a blueprint for other government agencies.


In terms of Virginia’s government operations, we are in the process of deploying highly secure software so that information and attachments transmitted via e-mail over the Internet meets the highest Department of Defense security standards.


Yesterday, in fact, a major pilot project to secure the email of my office and cabinet, and the state police, was launched. I hope to move quickly to extend this security across all Virginia government.


The cost is low, the application is seamless to the user, and the benefit obviously is great.


Cyber-Security Issues:


The national Panel I chair also has identified cyber-security as a critical issue.


Our Panel undertook its first year of work just as the Nation was busily preparing for potential problems associated with Y2K.


This experience led us to consider a “holistic” counter-terrorism strategy that balances defenses for all types of threats: weapons of mass destruction, conventional weapons, and cyber weaponry.


This conclusion has been further validated by briefings from federal officials and most notably from states and communities.


For example, we have documented, in a national survey of local first responders – fire, rescue, police and health organizations – their need for federal assistance to strengthen their communications and computer systems against cyber attacks.


We also concur with the Government Accounting Office’s conclusion, reported in April 2001, that the FBI’s National Infrastructure Protection Center (NIPC) has been hampered in its efforts to provide a universal cyber security program across all government agencies and particularly the private sector – and that more needs to be done to coordinate the various federal offices with bits and pieces of cyber security responsibilities.


Most importantly, the Panel focused on the level of coordination and multi-disciplinary advisory bodies critical to resolving the patchwork quilt of public and private cyber security issues, and several of our recommendations directly address this critical need.


The point we want to make is that, as our Nation develops a comprehensive national strategy to address our homeland security, our preparedness for conventional, Weapons of Mass Destruction and cyber attacks must be fully integrated at the community, state and federal levels and must include the participation of the private sector – all relevant stakeholders from the technology community must answer a call to arms.


With this paradigm in mind, I would like to spend a few minutes outlining some of our recommendations regarding Cyber Security:


        First, the White House recently announced new initiatives related to cyber security, including the creation of an interagency cyber security panel with representatives of 23 federal agencies. This is a critical first step. Based upon the significant inter-dependencies between local, state and federal agencies as well as the private sector in deterring, preventing and responding to cyber-attacks, and all facets or terrorism, there must be the capability to ensure significant input and representation from all "stakeholders" in the process. This will ensure an effective top-to-bottom national solution.


        Second, the complexity of the subject demands closer attention. We recommend Congress create an independent advisory body similar to our Panel to evaluate programs designed to promote cyber-security and recommend strategies to the President and Congress. This advisory commission should conduct a thorough review of federal statutes to update statutes implicated by homeland cyber security. We would envision a Panel much like ours that can study the issues and make reasoned recommendations regarding executive branch coordination for Governor Ridge to implement, and statutory changes for Congress to enact.


        Third, cyber-security will require an unprecedented partnership between the public and private sectors. Sharing of intelligence and real time information concerning impending or on-going cyber attacks will be critical. The private sector has legitimate concerns about their customers’ privacy and confidence, as well as the value of their own proprietary information and earnings. At the same time, some government agencies needing security critical data have responsibilities for protecting the people of the United States. Conflict is inevitable. Thus, we recommend that Congress create a not-for-profit entity that can represent the interests of all affected stakeholders – public and private – including national security, law enforcement and other government functions, business and industry interests to provide cyber detection, alert and warning functions. A seismic shift in our way of thinking and cooperating will be required, and so a not-for-profit organization devoted solely to the task of resolving these conflicts is recommended.


        Fourth, we recommend the establishment of a special "Cyber Court" patterned after the court established in the Foreign Intelligence Surveillance Act (FISA). Prosecutors and investigators are often impeded in the enforcement process because the lack of effective procedures and understanding by many in the judiciary concerning the nature and urgency of cyber security. This is more the result of our rapid transformation into the information age than neglect. A court dedicated to criminal cyber conduct can develop the needed expertise to act appropriately on investigative activities while ensuring the protection of civil rights and liberties. We envision and electronic, real time and secure method for prosecutors to contact a "cyber judge" on short notice using a process similar to FISA applications.


        Fifth, we need an entity to develop and implement a comprehensive plan for research, development, test and evaluation of processes to enhance cyber security in the same manner as we must do for other potential terrorist attacks. This is where our colleges and universities can have a dramatic impact not only in developing needed immediate capacity, but in training the next generation of "cyber soldiers" to protect our critical information systems and infrastructures. The Institute for Security Technology Studies at Dartmouth College is providing resources to form the basis for establishing such an entity. This effort cannot and should not be the role of one but rather a publicly-funded consortium of many not-for-profit universities and think-tanks.


        Sixth, we recommend that all government agencies continue their Y2K offices as “cyber security offices.”


Conclusion – A New Approach to Freedom


Mr. Chairman and members of the Committee, the horrifying events of September 11th have indeed changed our nation forever.


Terrorism attacked freedom that day. And, as we move to rebuild, we must remember that the Internet and information technologies are tools of freedom in the 21st century. We must move swiftly to protect those tools as well as the freedom they represent.


Our Panel concluded, after much thoughtful debate over the past three years, that what we need are not major structural changes among federal agencies or in our states and communities.


Rather, we need to marshal the efforts of millions of government workers, the intellectual power housed in our universities, and the entrepreneurial spirit of our private sector toward a common goal of enhanced Homeland Security to deter, prevent, detect, and should our vigilance falter, to respond when attacks occur.


Defense of freedom will require nothing less.


The President has put in-place the structure. Governor Ridge is developing the strategy. And it is incumbent upon all of us to assist in its implementation in the defense of freedom and the American way of life.



# # #

IWS Mailing Lists

Mailing Lists Overview