Chairman Saxton, Senator Bennett, Senator Reed, and members of the
Committee. I am pleased to be able to support your examination of
cyber security in the U.S. economy. This is a difficult, multifaceted
challenge. This morning I'd like to briefly highlight a few of the
major issues related to cyber security that I believe require attention
and that you may wish to examine in greater detail.
Duane P. Andrews
Corporate Executive Vice President
Science Applications International Corporation (SAIC)
Joint Economic Committee
Hearing on The Wired Economy:
Cyber Security and the U.S. Economy
For perspective, I have been involved with cyber security matters
for some time both in government and in industry. Currently SAIC
provides support to the Department of Defense and several civil
agencies, including supporting the FEDCIRC Incident Reporting and
Handling Services, as well as commercial firms. We developed and
still have an interest in a commercial security firm - Global Integrity
- that created and operates the first Information Sharing Analysis
Center, or ISAC, for the financial services industry - as well as
ISACs for global firms and for Korea. I personally am active with
the Industry Executive Subcommittee of the National Security Telecommunications
Advisory Committee, commonly known as the NSTAC. In 1994 and 1999,
I was a commissioner on both of the Secretary of Defense/Director
of Central Intelligence-sponsored Joint Security Commissions that
addressed cyber security, among other topics. I chaired the 1996
Defense Science Board Task Force on Information Warfare Defense.
And as the assistant secretary of defense for C3I in the previous
Bush administration, I initiated the Defense Information Assurance
Program and the Department's information warfare program.
In the seven years since the first report of the Joint Security
Commission, which included the observation that "the security of
information systems and networks [is] the major security challenge
of this decade and possibly the next century and ... there is insufficient
awareness of the grave risks we face in this arena," there has been
progress. ISACs are enabling some industry sectors to share information
on cyber threats. Presidential Decision Directive 63 organized efforts
to address the critical infrastructures of the United States, and
similar efforts are underway in several other countries. The Department
of Defense has established a Joint Task Force for Computer Network
Defense and has assigned operational control to USCINCSPACE. Firewalls
are in widespread use and there has been modest improvement in training
the work force on how to react to cyber events like viruses.
However, in my view, the rate of progress has been slower than
the growth of the potential threat, and overall we have lost ground.
A number of nations are developing information warfare skills; technology
has gotten more complex; we have had deregulation of the telecommunications
industry and are entering an era of converged services for voice,
video and data; and, our commercial software packages are so large
and complex that we cannot be sure what they contain. Further, the
Internet has gotten too big to monitor effectively. In May of this
year there were over 122 million Internet hosts, and the University
of California at Berkley estimates there are 550 billion web-accessible
documents, growing at 7.3 million pages per day. And in the next
one to two years English will no longer be the dominant language
of the Internet as much of Asia comes on line.
The failure to act is another major contributor to why we have
lost ground. For a decade we have had study after study and report
after report pointing out that our economy and our national security
depend on the flow of information and that this flow is at risk.
Numerous scenarios have suggested that the interconnection of systems
and cascading effects can result in major disruptions to our economy
and our national security systems.
These studies have also shown that we don't have to spend the
gross national product or wait a decade to significantly improve
our security posture and that we can take sound steps to protect
systems and networks without trampling on civil rights.
So the question is: why haven't we taken the necessary steps to
address the cyber threat? I can think of four factors that contribute.
To amplify, I'll start with critical infrastructure protection. This
effort traces its legislative roots to Section 1053 of the National
Defense Authorization Act for Fiscal Year 1996, entitled Report of
National Policy On Protecting the National Information Infrastructure
Against Strategic Attacks. This was known as the Kyl Amendment after
its sponsor, Senator Kyl.
- One: this is technically complex and hard to understand - a
high geek factor - and that makes it hard for policy makers to
- Two: every dollar that would go into protection, detection
and reaction is a dollar that comes out of some mission or business
- Three: there is no oversight mechanism that holds federal agencies
and critical business functions accountable. And,
- Four: we are treating this as a tactical, not a strategic problem.
This legislation called for the President to submit to the Congress
a report setting forth the results of a review of the national policy
on protecting the national information infrastructure against strategic
attacks. The report was to address the national policy and architecture
governing the plans for establishing procedures, capabilities, systems,
and processes necessary to perform indications, warning, and assessment
functions regarding strategic attacks [emphasis added] by foreign
nations, groups, or individuals, or any other entity against the
national information infrastructure.
Subsequently, the President's Commission on Critical Infrastructures
was established and the commission delivered a report entitled Critical
Foundations Protecting America's Infrastructures. The recommendations
in the report led to the creation of the National Infrastructure
Protection Center (NIPC) and related activities. In my view, the
commission and its report did not fully come to grips with preparation
for strategic attack as called for by the Congress but rather turned
to more tractable tactical matters.
In April of this year the General Accounting Office released a
report [GAO-01-323] entitled Critical Infrastructure Protection:
Significant Challenges in Developing National Capabilities. While
highlighting some progress in investigation and response support,
the report notes several areas that need attention, particularly
in aspects of national security.
I understand the current administration is addressing the government's
critical infrastructure protection strategy and the specific requirements
of the NIPC and hope they fully address the challenges and shortcomings
identified by the GAO.
The decision to place the NIPC in the Justice Department led to
law enforcement assuming the role as the front line ofcyber defense.
Once again, this focused efforts at the tactical level. Today, by
default, the NIPC considers a cyber intrusion to be a crime. This
has led to a lot of focus on hackers and on computer viruses. Clearly
these activities require attention, but I do not believe they rise
to the level of a strategic attack on the national information infrastructure.
This is not to fault the important work or dedication of the law
enforcement entities as they fight crime in the cyber arena. It
is just that law enforcement is not a sufficient response to this
strategic challenge. More importantly, because of this tactical
focus, as a nation we are not addressing the architectural strategies
and recovery capabilities that can both deter and ensure we can
recover from strategic attacks.
The Defense Science Board Task Force on Defensive Information
Operations, 2000 Summer Study, March 2001, notes "Current policies
and legal interpretations at the NIPC, the FBI, and the Justice
Department ... have prevented timely and effective information sharing
about potential national security risks."
Today there is no effective process in place to rapidly shift
from a law enforcement posture to a national security posture. Nor
is there a coordinated effort to be able to rapidly restore vital
functions that are essential to the national defense or to the national
These are areas that require attention. The Department of Defense
should be required, and empowered, to take all appropriate steps
to engage and repel intruders from its computers and networks without
having to first resort to the criminal justice system. When warranted
by circumstance, the DoD should also be prepared to participate
in the protection of networks of critical importance to the national
economic security. Maintaining an agile, robust, ability to defend
the nation must have priority over criminal prosecutions.
Let me briefly turn to accountability. For over ten years the
federal government has promulgated sound information security policy
in 0MB Circular A-130. If this policy had been followed over the
years the protection of information in the government would be in
much better shape than it is today. I suspect industry would have
followed the government leadership and also improved its security
posture. However, I am unaware that anyone has been held accountable
for not following that clear policy.
The Congress addressed this lack of accountability with the enactment
of the Government Information Security Reform Act as a part of the
FY2001 National Defense Authorization Act. The Security Act directs
heads of agencies to identify, use, and share best security practices
and to develop agency-wide information security plans, and to ensure
sufficient protection "commensurate to the risk and the magnitude
of harm that could result."
I applaud the Congress for this legislation and urge the Congress
to provide strong oversight to ensure this legislation is followed
in letter and spirit and not just given the lip service that has
been the case for the past decade. However, I expect that we may
see some interesting interpretations of "risk" and "harm" as agencies
attempt to avoid reallocating funds for information protection.
Another major challenge that requires attention is the sharing
of information about cyber incidents between businesses, between
governments, and between the government and business and academic
entities. The GAO report I cited earlier reports some progress in
this area but notes that many challenges remain. I urge both government
and industry to more freely share information that reveals cyber
weaknesses. I understand legislation is being considered to protect
information exchanges on cyber incidents between industry and government
from release under the Freedom of Information Act and to provide
some antitrust protection to information sharing on cyber threat
within industry groups. Such legislation would be a useful step.
Most importantly, I believe we must begin to address cyber and
Internet issues from a broad, strategic point of view, not get overly
focused on the equities of any particular government constituency.
In conclusion, I believe we need to take a fresh look at the challenge
of a strategic attack through or on the nation's cyber infrastructure.
I believe the federal government needs to better clarify the issues
and better characterize the strategic threat for the private sector.
This concludes my statement. I would be pleased to answer any
questions you may have.