IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled


Statement of Senator Orrin G. Hatch

Before the Senate Committee on the Judiciary

Subcommittee on Technology, Terrorism, and Government Information

Hearing on

"Improving our Ability to Fight Cyber-crime:
Oversight of The National Infrastructure Protection Center"


There was a time when a battle began with the sound of a trumpet and a cavalry charge.

In the 20th century, a battle was likely to begin with the sound of airplane engines on a bombing run.

In this new century, a battle will likely begin with the sound of a person typing at a computer keyboard, and the release of an electronic virus designed to paralyze an adversary’s computers.

And it is not only warfare that is changing.

No longer do aspiring bank robbers need to don a ski-mask and carry a shotgun into a bank. Millions of dollars can be stolen electronically by illegally accessing the computer networks of the financial services industry.

No longer do aspiring terrorists need to plant a bomb to draw attention to their cause. Millions of people’s lives can be threatened electronically – by disrupting air traffic control functions; or shutting down a power grid; or blocking access to 911 operators.

As a recently as a decade ago, these threats were barely imagined. And it is only in the last three years that the federal government has formulated a comprehensive strategy to protect the nation’s basic computer infrastructure from malicious attacks made by criminals, terrorists, and hostile foreign states.

The National Infrastructure Protection Center has, for the last three years, been on the forefront of protecting our country’s computer networks from outside attack. And, given where we were just three years ago, the NIPC has laid an important foundation in the protection of our critical computer infrastructure.

But the integrity of our computer infrastructure is so vital to our well-being as a nation, and the technology is evolving at such a rapid rate, that it is essential that we continue to reevaluate whether the federal government is doing everything it can do to protect our critical computer infrastructure. And for that reason, I applaud Senator Feinstein, Senator Kyl, and the Senators on this subcommittee, not only for holding this hearing today, but also for having had the foresight, over a year ago, to order the GAO study that is the focus of today’s hearing. As a result of that foresight, and the hard work of the GAO personnel who prepared the report, we are able to pursue today’s inquiry at a much deeper level, and with a greater degree of insight, than would otherwise be possible. So I commend the senators on this subcommittee, and the hard-working staff at the GAO.


I have examined the GAO’s report, and I find it to be, on the whole, a balanced and well-reasoned assessment of the NIPC’s performance. It highlights both the successes of the NIPC, and those areas where the NIPC has come up short of its original goals.

Not surprisingly, the NIPC has succeeded at those functions that are most traditionally within the expertise of the FBI, and it has been less successful at those functions that are least familiar to the Bureau.

The GAO found that "the NIPC has provided valuable support and coordination" in the investigation of computer crime. I agree, and I believe that the NIPC should be commended for its success, in a relatively short span of time, at making itself into a valuable resource for use by the law enforcement community when dealing with computer crime.

To facilitate the investigation of illegal access to computer networks, the NIPC has established teams of specially-trained computer crime investigators in each of the FBI’s 56 field offices. In addition, the NIPC provides technical assistance to the field offices and coordinates investigations among the field offices. Since 1998, the NIPC has issued 93 warnings to systems administrators, alerting them, and the general public, about specific threats and vulnerabilities within their computer networks. An advisory issued in March of this year regarding a specific e-commerce vulnerability is estimated to have stopped over 1600 attempted hacking incidents.

Our experience over the last three years has shown the value of having a multi-agency entity, like NIPC, with the resources to investigate computer intrusions that are often national in scope.

Obviously, there is room for improvement. The GAO report makes some specific recommendations to the NIPC leadership, such as improved information sharing between the NIPC and the agents in the field offices. I hope that the NIPC leadership gives serious consideration to these recommendations.

Some of the other problems identified in the GAO report appear to be beyond the control of the NIPC’s leadership – such as the failure of agencies outside the FBI to provide full cooperation with the NIPC. We, in the Congress, must continue to exercise our oversight authority over the Executive Branch to ensure that all agencies are motivated to provide the needed cooperation in this vital area. I, for one, promise to do everything in my power to discourage institutional rivalries between the Executive Branch agencies from disrupting the important mission of the NIPC.

It is those functions furthest from the FBI’s traditional responsibilities that the NIPC has had the most difficulty accomplishing. According to the GAO’s findings, the NIPC has made little progress in producing a comprehensive, strategic analysis of the vulnerabilities of, and threats to, the nation’s critical computer infrastructure. Similarly, the NIPC has not been particularly successful in establishing information-sharing arrangements with private industry.

The development of a comprehensive, strategic threat analysis is certainly one of the most important tasks that has been assigned to the NIPC. In the absence of such a strategic assessment, law enforcement will be perpetually consigned to responding reactively – instead of proactively addressing and eliminating threats to the system.

The GAO has identified several obstacles faced by the NIPC in performing its strategic assessment: the lack of an accepted methodology for evaluating threats; confusion within the Executive Branch about the scope of the NIPC’s mandate; and inadequate technical expertise within the NIPC personnel.

Implicitly, the GAO report raises a fair question – that is, whether the NIPC, which has so far served principally as an "operational" organization, is the best entity within the federal government to conduct what appears to be an abstract, almost academic, assessment of the strategic threats facing the critical computer infrastructure.

By giving voice to this question, I do not mean to suggest that I have reached an answer. I simply do not know, at this point, whether or not the NIPC is the ideal entity to perform this analysis. It may well be that the NIPC brings more technical expertise to this question than any other governmental entity.


The Administration has recently announced its intention to review Presidential Decision Directive 63, and to reevaluate the effectiveness of our national plan for cyberspace security and critical infrastructure protection. I hope and expect that, as part of this evaluation, the Administration will assess whether the NIPC is, in fact, the best entity to perform the strategic threat assessment. Certainly, I believe that Congress should await the Administration’s determination on this matter, before reaching its own decision.

The other area which the GAO highlighted as a shortcoming in the NIPC’s performance is the NIPC’s lack of success in establishing information-sharing arrangements with private industry. It is in this area that I believe Congress could potentially provide the NIPC with the most help.

Obviously, the NIPC is hamstrung in its efforts to investigate computer intrusions when the private sector does not provide them with notification that an intrusion has occurred. On the other hand, private firms are often reluctant to report an intrusion, out of fear that publicity regarding an unauthorized intrusion will be detrimental to the firm’s commercial interests. Although the NIPC has undertaken significant outreach efforts in an effort to win the private sector’s confidence, there is little that the NIPC can do to overcome this basic divergence of interests.

It is possible, though, that Congress can help.

There is legislation pending, which I support, that would strengthen the FOIA exemption applicable to information provided by companies when they self-report an unauthorized computer intrusion.

I believe that Congress can go even farther. I believe that we should explore a range of financial incentives to the private sector -- possibly tax credits or liability caps – for companies that provide the NIPC with full and timely notification of unauthorized computer intrusions. Only by reversing the private sector’s financial incentives pertaining to cooperation with the NIPC can we enlist the aid of the private sector against the criminals and terrorists who would compromise our computer networks.

In sum, I believe we should commend the leadership of the NIPC, who have, in the short span of three years, laid the groundwork for a comprehensive defense of our critical computer infrastructure. As with any new venture, there have been successes, and there have been areas in which the leadership has fallen short of their goals.

Given the interconnected nature of today’s digital world, it is impossible to overstate the importance of the NIPC’s mission. Hopefully, the GAO Report, and today’s hearing, have set in motion a healthy dialogue on how best to face these new and emerging threats to our well-being as a nation.

# # # #