Statement of Senator Orrin G. Hatch
Before the Senate Committee on the Judiciary
Subcommittee on Technology, Terrorism, and
"Improving our Ability to Fight Cyber-crime:
Oversight of The National Infrastructure Protection Center"
There was a time when a battle began with the sound of a trumpet
and a cavalry charge.
In the 20th century, a battle was likely to begin with the sound
of airplane engines on a bombing run.
In this new century, a battle will likely begin with the sound
of a person typing at a computer keyboard, and the release of
an electronic virus designed to paralyze an adversarys computers.
And it is not only warfare that is changing.
No longer do aspiring bank robbers need to don a ski-mask and
carry a shotgun into a bank. Millions of dollars can be stolen
electronically by illegally accessing the computer networks of
the financial services industry.
No longer do aspiring terrorists need to plant a bomb to draw
attention to their cause. Millions of peoples lives can
be threatened electronically by disrupting air traffic
control functions; or shutting down a power grid; or blocking
access to 911 operators.
As a recently as a decade ago, these threats were barely imagined.
And it is only in the last three years that the federal government
has formulated a comprehensive strategy to protect the nations
basic computer infrastructure from malicious attacks made by criminals,
terrorists, and hostile foreign states.
The National Infrastructure Protection Center has, for the last
three years, been on the forefront of protecting our countrys
computer networks from outside attack. And, given where we were
just three years ago, the NIPC has laid an important foundation
in the protection of our critical computer infrastructure.
But the integrity of our computer infrastructure is so vital
to our well-being as a nation, and the technology is evolving
at such a rapid rate, that it is essential that we continue to
reevaluate whether the federal government is doing everything
it can do to protect our critical computer infrastructure. And
for that reason, I applaud Senator Feinstein, Senator Kyl, and
the Senators on this subcommittee, not only for holding this hearing
today, but also for having had the foresight, over a year ago,
to order the GAO study that is the focus of todays hearing.
As a result of that foresight, and the hard work of the GAO personnel
who prepared the report, we are able to pursue todays inquiry
at a much deeper level, and with a greater degree of insight,
than would otherwise be possible. So I commend the senators on
this subcommittee, and the hard-working staff at the GAO.
I have examined the GAOs report, and I find it to be, on
the whole, a balanced and well-reasoned assessment of the NIPCs
performance. It highlights both the successes of the NIPC, and
those areas where the NIPC has come up short of its original goals.
Not surprisingly, the NIPC has succeeded at those functions
that are most traditionally within the expertise of the FBI, and
it has been less successful at those functions that are least
familiar to the Bureau.
The GAO found that "the NIPC has provided valuable support
and coordination" in the investigation of computer crime.
I agree, and I believe that the NIPC should be commended for its
success, in a relatively short span of time, at making itself
into a valuable resource for use by the law enforcement community
when dealing with computer crime.
To facilitate the investigation of illegal access to computer
networks, the NIPC has established teams of specially-trained
computer crime investigators in each of the FBIs 56 field
offices. In addition, the NIPC provides technical assistance to
the field offices and coordinates investigations among the field
offices. Since 1998, the NIPC has issued 93 warnings to systems
administrators, alerting them, and the general public, about specific
threats and vulnerabilities within their computer networks. An
advisory issued in March of this year regarding a specific e-commerce
vulnerability is estimated to have stopped over 1600 attempted
Our experience over the last three years has shown the value
of having a multi-agency entity, like NIPC, with the resources
to investigate computer intrusions that are often national in
Obviously, there is room for improvement. The GAO report makes
some specific recommendations to the NIPC leadership, such as
improved information sharing between the NIPC and the agents in
the field offices. I hope that the NIPC leadership gives serious
consideration to these recommendations.
Some of the other problems identified in the GAO report appear
to be beyond the control of the NIPCs leadership
such as the failure of agencies outside the FBI to provide full
cooperation with the NIPC. We, in the Congress, must continue
to exercise our oversight authority over the Executive Branch
to ensure that all agencies are motivated to provide the needed
cooperation in this vital area. I, for one, promise to do everything
in my power to discourage institutional rivalries between the
Executive Branch agencies from disrupting the important mission
of the NIPC.
It is those functions furthest from the FBIs traditional
responsibilities that the NIPC has had the most difficulty accomplishing.
According to the GAOs findings, the NIPC has made little
progress in producing a comprehensive, strategic analysis of the
vulnerabilities of, and threats to, the nations critical
computer infrastructure. Similarly, the NIPC has not been particularly
successful in establishing information-sharing arrangements with
The development of a comprehensive, strategic threat analysis
is certainly one of the most important tasks that has been assigned
to the NIPC. In the absence of such a strategic assessment, law
enforcement will be perpetually consigned to responding reactively
instead of proactively addressing and eliminating threats
to the system.
The GAO has identified several obstacles faced by the NIPC in
performing its strategic assessment: the lack of an accepted methodology
for evaluating threats; confusion within the Executive Branch
about the scope of the NIPCs mandate; and inadequate technical
expertise within the NIPC personnel.
Implicitly, the GAO report raises a fair question that
is, whether the NIPC, which has so far served principally as an
"operational" organization, is the best entity within
the federal government to conduct what appears to be an abstract,
almost academic, assessment of the strategic threats facing the
critical computer infrastructure.
By giving voice to this question, I do not mean to suggest that
I have reached an answer. I simply do not know, at this point,
whether or not the NIPC is the ideal entity to perform this analysis.
It may well be that the NIPC brings more technical expertise to
this question than any other governmental entity.
The Administration has recently announced its intention to review
Presidential Decision Directive 63, and to reevaluate the effectiveness
of our national plan for cyberspace security and critical infrastructure
protection. I hope and expect that, as part of this evaluation,
the Administration will assess whether the NIPC is, in fact, the
best entity to perform the strategic threat assessment. Certainly,
I believe that Congress should await the Administrations
determination on this matter, before reaching its own decision.
The other area which the GAO highlighted as a shortcoming in
the NIPCs performance is the NIPCs lack of success
in establishing information-sharing arrangements with private
industry. It is in this area that I believe Congress could potentially
provide the NIPC with the most help.
Obviously, the NIPC is hamstrung in its efforts to investigate
computer intrusions when the private sector does not provide them
with notification that an intrusion has occurred. On the other
hand, private firms are often reluctant to report an intrusion,
out of fear that publicity regarding an unauthorized intrusion
will be detrimental to the firms commercial interests. Although
the NIPC has undertaken significant outreach efforts in an effort
to win the private sectors confidence, there is little that
the NIPC can do to overcome this basic divergence of interests.
It is possible, though, that Congress can help.
There is legislation pending, which I support, that would strengthen
the FOIA exemption applicable to information provided by companies
when they self-report an unauthorized computer intrusion.
I believe that Congress can go even farther. I believe that
we should explore a range of financial incentives to the private
sector -- possibly tax credits or liability caps for companies
that provide the NIPC with full and timely notification of unauthorized
computer intrusions. Only by reversing the private sectors
financial incentives pertaining to cooperation with the NIPC can
we enlist the aid of the private sector against the criminals
and terrorists who would compromise our computer networks.
In sum, I believe we should commend the leadership of the NIPC,
who have, in the short span of three years, laid the groundwork
for a comprehensive defense of our critical computer infrastructure.
As with any new venture, there have been successes, and there
have been areas in which the leadership has fallen short of their
Given the interconnected nature of todays digital world,
it is impossible to overstate the importance of the NIPCs
mission. Hopefully, the GAO Report, and todays hearing,
have set in motion a healthy dialogue on how best to face these
new and emerging threats to our well-being as a nation.
# # # #