|Testimony of Sallie McDonald
Good afternoon Madam Chairwoman and members of the Subcommittee.
I am Sallie McDonald, the Assistant Commissioner for the GSA, FTS,
Office of Information Assurance and Critical Infrastructure Protection.
I wish to thank you for the opportunity to offer testimony with
regard to the National Infrastructure Protection Center (NIPC).
The Federal Computer Incident Response Center or FedCIRC, is a
component of GSA's Federal Technology Service. As designated by
the Government Information Security Reform Act, it is the central
coordination entity for dealing with computer security related incidents
affecting computer systems within the Federal civilian agencies
and Departments of the United States Government.
FedCIRC was established as a pilot by NIST in 1996 under the Office
of Management and Budget (OMB) policy authority as the primary means
for civilian Federal agencies to share information on externally
generated security incidents and common vulnerabilities. This was
recognized as an important activity given the shared risk environment
that results from a rise in interconnected systems across government
and with connection to the Internet which increases public access.
FedCIRC became operational in 1998 and was transferred to GSA. FedCIRC's
role was then and is today, one of assisting agencies and sharing
information under the overall security policy framework established
by OMB. FedCIRC is not intended to substitute for adequate agency
security practices or compete with the role of law enforcement or
national security authorities in addressing more serious types of
GSA reports at least quarterly to OMB on matters such as the number
and nature of security incidents reported by the agencies, whether
the incidents are the result of exploits of vulnerabilities for
which known repairs are readily available, and whether FedCIRC has
any specific recommendations for changes to OMB security policy
or the National Institute of Standards and Technology (NIST) security
By definition, a "computer security incident" encompasses
any violation of an established or implied security policy or statute.
Incidents include but are not necessarily limited to activities
such as attempts to gain unauthorized access to government systems
or data, disruption of service, unauthorized use of computing resources
and changes to system hardware or software without consent of the
FedCIRC and the NIPC are both crucial to effective cyber defense
but serve differing roles to the Federal community. FedCIRC's role
is to provide incident response and handling support to agencies.
When an agency reports an incident, FedCIRC works with the agency
to identify the type of incident, contain any damage to the agency's
system, and provide guidance to the agency on recovering from the
incident. The NIPC, on the other hand, collects incident reports
and is responsible for providing threat assessments, vulnerability
studies, warnings, and the coordination of the Federal government's
investigative response to attacks.
Upon receiving an incident report from a Federal agency, FedCIRC
evaluates and categorizes the incident with respect to its impact
and severity. If criminal activity is indicated, FedCIRC informs
the reporting agency of the requirement to immediately contact their
Inspector General or the NIPC. Should the incident appear to have
originated from a foreign country, FedCIRC categorizes it as having
potential national security implications and immediately contacts
both the NSIRC and the NIPC. The reporting agency is subsequently
notified of such action by FedCIRC. There is ongoing discussion
between the NIPC and FedCIRC to improve information sharing and
analytic efforts and to educate agencies of the value of rapid involvement
of the NIPC when incidents occur. When the escalation of an incident
has the potential for widespread proliferation or damage, FedCIRC
and the NIPC routinely pool their information and skills. FedCIRC
is frequently requested by the NIPC to collaborate with multiple
sources and the affected agency or agencies to gather more detailed
information specific to a given incident. Cyber-incidents involving
a pending or potential investigation are jointly handled in a manner
that preserves sensitive cyber-evidence without adverse impact to
the affected agency's mission functions or violation of constitutional
law and applicable privacy statutes.
Effective incident analysis is a product of multiple source data
collection efforts, collaboration to quantify related information,
and determination of the potential for proliferation and damage.
Over the past few years, a virtual network of partners has evolved.
This virtual network includes FedCIRC, the NIPC, the National Security
Agency's (NSA) National Security Incident Response Center (NSIRC),
the Department of Defense's (DOD) Joint Taskforce for Computer Network
Operations (JTF-CNO), industry, academia, and individual incident
response components within Federal agencies. Though their missions
vary in scope and responsibility, this virtual network enables the
Federal government to capitalize on the individual technical strengths,
each organization's strategic positioning within the national infrastructure
and their access to a variety of information resources. Bridging
the disparate boundaries has been a formidable challenge and although
there is still work to be done in this area the commitment of the
leadership in each organization is on the right path to build the
framework for the fluid and cooperative exchange of information.
The NIPC, NSIRC, JTF-CNO and FedCIRC are involved in a constant
sharing of sensitive cyber-threat and incident data, correlating
it with counter-terrorism and intelligence reports to develop strategic
defenses, threat predictions and timely alerts. These efforts depend,
not on any one participant, but on the unique and valuable contributions
of each organization. The NIPC, because of its relationships with
industry, is able to solicit additional participation when we must
deal the government deals with complex analysis issues. This broader
spectrum brings together some of the nation's best talent to work
on known and developing threats to the cyber infrastructure.
An excellent example of this collaboration is the Government's response
to a very recent threat to the cyber infrastructure, know as the
"Leaves Worm". This exercise clearly demonstrated how
these collaborative relationships work and how each participant's
contributions helped to assessassist in assessing the damage potential.
In June, the SANS Institute, a private sector organization, informed
the NIPC of suspicious activities taking place in a large number
of systems across the Internet. Widespread scanning was taking place
to identify systems previously compromised by a relatively old trojan
called "SubSeven." Since SubSeven is for all intents and
purposes, a remote control program, once identified, the perpetrator
could gain full control of the infected system. It was through the
SubSeven trojan that the Leaves Worm was being deposited on large
numbers of systems around the globe but it was being accomplished
without direct intervention by the perpetrator. Clearly we had a
new worm of unknown potential and a new delivery method not previously
seen. The hacker community, typically vocal in Internet chat rooms
ofabout new attacks or malicious code, showed no evidence of any
knowledge of the Leaves Worm. The NIPC, DOJ, NSA, FedCIRC, CIA,
Department of State, DoD, NCS, NSC, academia, industry software
vendors, anti-virus engineers and security professionals quickly
activated a collaborative communication network to share details
as they diligently analyzed captured code from publicly available
web sites that were being used to propagate the worm. It was primarily
due to the NIPC's relationship with industry that the volumes of
information collected could be rapidly decoded, analyzed and reverse
engineered to provide the anti-virus vendors with critical information
to develop detection signaturesmethods for their respective products.
This episode serves as an excellent example of the progress various
government and private organizations have made in coming together
to work toward the common goal of protecting the nation's critical
The NIPC's responsibilities and relationships with various elements
in the private sector, its activities as a member of the intelligence
community and its lead role for counter-terrorism contribute significantly
to the FedCIRC's analytical ability by providing global threat information.
Of significant value is the NIPC's ability to reach beyond governmental
boundaries and draw on technical skills and information available
from components in industry then share those resources with other
members of the incident response community. The NIPC staff regularly
communicates information to FedCIRC, which in many cases, provides
deeper insight into developing situations and often can make the
difference between thwarting an attack or tolerating the ensuing
damage. Knowing the extent or pattern of incidents as they may impact
the private sector, for example, may influence the development of
an alert or advisory notice issued to government agencies.
Critical Infrastructure Protection efforts and, more specifically,
those for cyber-defense are a relatively new requirement in government
and in the private sector. Only recently have these efforts been
singled out as a priority for Federal agencies. As government direction
for reporting the occurrence of incidents has been promulgated,
attempts by agencies to develop related policies and procedures
have sometimes been divergent because of differing individual interpretation
and misunderstanding. FedCIRC and the NIPC are working diligently
to jointly assess problem areas, more clearly define agency responsibilities
for reporting incidents, and working with agencies to ensure they
have the proper processes and procedures in place to respond to
and prevent attacks on their information systems.
The NIPC and FedCIRC routinely exchange information. This exchange
is built upon a trust relationship and formalized with the detailing
of FedCIRC staff personnel to the NIPC's Watch and Warning Unit.
In addition Aalerts and advisories are frequently generated by the
NIPC, NSIRC, or FedCIRC as a collaborative effort and represent
a consensus when distributed to our constituents.
As a further example, Tto simplify the incident reporting process,
the NIPC, NSA and FedCIRC have begun efforts to create a single
uniform report process that will be used across government. The
process will employ common data elements that can be easily shared
and integrated into the respective organization's database for shared
or unique analysis efforts.
Effective cyber defenses ideally prevent an incident from taking
place. Any other approach is simply reactive. FedCIRC, the NIPC,
the NSIRC, the Department of Defense and industry components realize
that the best response is a preemptive and proactive approach. In
order to implement such an approach, all resources must be focused
on the common goal of securing the nation's critical infrastructures
and the strengths of each organization must be relied upon in order
to achieve the most effective results. FedCIRC, the NIPC, DOD, the
NSIRC and others comprise a virtual team, each offering significant
skills and contributions to the common defense.
Madam Chairwoman, the information presented today highlights the
high degree of cooperation among government agencies and the critical
and effective relationship that exists between FedCIRC and the NIPC.
Though allboth contribute individually to critical infrastructure
protection, theirour strength in protecting information systems
government-wide lies in their collaboration and coordination efforts.
I trust that you will derive from my remarks an understanding of
the cyber-threat and response issues and also an appreciation for
the joint commitment to infrastructure protection of FedCIRC and
the NIPC. We appreciate your leadership and that of the Committee
for helping us achieve our goals and allowing us to share information
that we feel is crucial to the defense of our technology resources.