H.R. 4246, THE CYBER SECURITY INFORMATION ACT OF 2000: AN EXAMINATION
OF ISSUES INVOLVING PUBLIC-PRIVATE PARTNERSHIPS FOR CRITICAL
INFRASTRUCTURES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY
of the
COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
ON
H.R. 4246
TO ENCOURAGE THE SECURE DISCLOSURE AND PROTECTED EXCHANGE OF
INFORMATION ABOUT CYBER SECURITY PROBLEMS, SOLUTIONS, TEST PRACTICES
AND TEST RESULTS, AND RELATED MATTERS IN CONNECTION WITH CRITICAL
INFRASTRUCTURE PROTECTION
__________
JUNE 22, 2000
__________
Serial No. 106-223
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
-----------
U.S. GOVERNMENT PRINTING OFFICE
72-361 WASHINGTON : 2001
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
Majority:
BENJAMIN A. GILMAN, New York
CONSTANCE A. MORELLA, Maryland
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
STEPHEN HORN, California
JOHN L. MICA, Florida
THOMAS M. DAVIS, Virginia
DAVID M. McINTOSH, Indiana
MARK E. SOUDER, Indiana
JOE SCARBOROUGH, Florida
STEVEN C. LaTOURETTE, Ohio
MARSHALL ``MARK'' SANFORD, South Carolina
BOB BARR, Georgia
DAN MILLER, Florida
ASA HUTCHINSON, Arkansas
LEE TERRY, Nebraska
JUDY BIGGERT, Illinois
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin
HELEN CHENOWETH-HAGE, Idaho
DAVID VITTER, Louisiana
Minority:
HENRY A. WAXMAN, California
TOM LANTOS, California
ROBERT E. WISE, Jr., West Virginia
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, Washington, DC
CHAKA FATTAH, Pennsylvania
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
ROD R. BLAGOJEVICH, Illinois
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
JIM TURNER, Texas
THOMAS H. ALLEN, Maine
HAROLD E. FORD, Jr., Tennessee
JANICE D. SCHAKOWSKY, Illinois
------
BERNARD SANDERS, Vermont (Independent)
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
David A. Kass, Deputy Counsel and Parliamentarian
Lisa Smith Arafune, Chief Clerk
Phil Schiliro, Minority Staff Director
Subcommittee on Government Management, Information, and Technology
STEPHEN HORN, California, Chairman
Majority:
JUDY BIGGERT, Illinois
THOMAS M. DAVIS, Virginia
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin
Minority:
JIM TURNER, Texas
PAUL E. KANJORSKI, Pennsylvania
MAJOR R. OWENS, New York
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana
HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Bonnie Heald, Director of Communications
Bryan Sisk, Clerk
Michelle Ash, Minority Counsel
C O N T E N T S
----------
Page
Hearing held on June 22, 2000.................................... 1
Text of H.R.................................................. 3
Statement of:
Johnstone, Ambassador L. Craig, senior vice president,
International Economic and National Security Affairs, U.S.
Chamber of Commerce........................................ 67
Oslund, Jack, chairman, Legislative and Regulatory Working
Group of the National Security Telecommunications Advisory
Committee.................................................. 74
Sobel, David L., general counsel, Electronic Privacy
Information Center......................................... 78
Tritak, John, Director, Critical Infrastructure Assurance
Office, U.S. Department of Commerce........................ 57
Willemssen, Joel C., Director, Accounting and Information
Management Division, U.S. General Accounting Office........ 20
Woolley, Daniel, president and chief operating officer,
Global Integrity Corp...................................... 86
Letters, statements, etc., submitted for the record by:
Davis, Hon. Thomas M., a Representative in Congress from the
State of Virginia, prepared statement of................... 15
Horn, Hon. Stephen, a Representative in Congress from the
State of California, Presidential Decision Directive 63.... 42
Johnstone, Ambassador L. Craig, senior vice president,
International Economic and National Security Affairs, U.S.
Chamber of Commerce, prepared statement of................. 69
Oslund, Jack, chairman, Legislative and Regulatory Working
Group of the National Security Telecommunications Advisory
Committee, prepared statement of........................... 76
Sobel, David L., general counsel, Electronic Privacy
Information Center, prepared statement of.................. 81
Tritak, John, Director, Critical Infrastructure Assurance
Office, U.S. Department of Commerce, prepared statement of. 61
Turner, Hon. Jim, a Representative in Congress from the State
of Texas, prepared statement of............................ 11
Willemssen, Joel C., Director, Accounting and Information
Management Division, U.S. General Accounting Office:
Information concerning critical infrastructure protection 113
Prepared statement of.................................... 22
Woolley, Daniel, president and chief operating officer,
Global Integrity Corp., prepared statement of.............. 91
H.R. 4246, THE CYBER SECURITY INFORMATION ACT OF 2000: AN EXAMINATION
OF ISSUES INVOLVING PUBLIC-PRIVATE PARTNERSHIPS FOR CRITICAL
INFRASTRUCTURES
----------
THURSDAY, JUNE 22, 2000
House of Representatives,
Subcommittee on Government Management, Information,
and Technology,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2154, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
Present: Representatives Horn, Biggert, Davis, and Turner.
Also present: Representative Moran.
Staff present: J. Russell George, staff director and chief
counsel; Bonnie Heald, director of communications; Bryan Sisk,
clerk; Will Ackerly, Chris Dollar, and Meg Kinnard, interns;
Michelle Ash, and Trey Henderson, minority counsels; Ellen
Rayner, minority chief clerk; Jean Gosa, minority clerk;
Melissa Wojack; and Amy Herrick.
Mr. Horn. The subcommittee will come to order.
Today's hearing is on a subject that is both important and
timely. The security threat posed to our Nation's critical
infrastructure is made more apparent each day as computer
viruses place at risk the free flow of information in the cyber
world.
When you consider that our critical infrastructure is
composed of the financial services arena, telecommunications
system, information technology, transportation, water systems,
electric power, gas and oil sectors, among many others, the
threat is one that must be taken seriously. These sectors have
traditionally operated independently but coordinated with the
Government to protect themselves against threats posed by
traditional warfare.
However, in today's environment these sectors must learn
how to protect themselves against unconventional threats such
as terrorist and cyber attacks. They must also recognize the
new vulnerabilities caused by technological advances. As we
learned when preparing for the year 2000 rollover, many of the
Nation's most critical computer systems and networks are highly
interconnected. With the many advances in information
technology, most of these sectors are linked to one another
which increases their exposure to cyber threats. What affects
one system can affect the other systems.
In the 104th Congress we called upon the administration to
study the Nation's critical infrastructure vulnerabilities and
to identify solutions to address those vulnerabilities. The
administration has identified a number of steps that must be
taken in order to eliminate the potential for significant
damage to our critical infrastructure. Foremost, among these
suggestions is the need to ensure proper coordination between
the public and private sectors who represent the Nation's
infrastructure community.
The goal of H.R. 4246, which we are examining today, is to
encourage cooperation in this vitally important effort. Before
I call on the primary author of this proposal, because a number
of our members have to be in and out of other markups around
the Hill, I now yield to Mr. Moran, who is a coauthor of the
legislation, for his opening statement on the bill.
[The text of H.R. 4246 follows:]
[GRAPHIC] [TIFF OMITTED] T2361.065 through T2361.069 (text of H.R. 4246 not reproduced)
Mr. Moran. Well thank you very much, Chairman Horn, and
thank you for your courtesy. I have got another hearing over in
Cannon, but that is very nice of you to do that and appreciate
your leadership of this committee. Jim Turner is going to be
here shortly, the ranking member, and Tom Davis, the other
original sponsor of this legislation. Tom, as I think everyone
in this room knows, has been a tremendous leader in the area of
information technology and particularly cyber security. We both
represent northern Virginia's technology community and this is
a terribly important issue.
Every day in America thousands of unauthorized attempts are
made to intrude into the computer systems that control key
Government and industry networks, including defense facilities,
power grids, banks, Government agencies, telephone systems,
transportation systems. Some of these attempts fail but too
many succeed. Some gain systems administrator status, download
passwords, implant sniffers to copy transactions, or insert
what are called trap doors to permit an easy return.
Some attacks are the equivalent of car thief joy-riders
committing a felony as a thrill. They are only mischievous. But
others are committed for industrial espionage, theft, revenge-
seeking vandalism, or extortion. Some may be committed for
intelligence collection, reconnaissance, or creation of a
future attack capability. The perpetrators range from juveniles
to thieves, from organized crime groups to terrorists,
potentially hostile militaries and intelligence services.
What has emerged in the last several years is a dramatic
increase in the seriousness of this threat. We know of foreign
governments creating offensive attack capabilities against
America's cyber networks. America is vulnerable to such attacks
because it has quickly become dependent upon computer networks
for so many essential services. It has become dependent while
paying little attention to protecting those networks. Water,
electricity, gas, communications, rail, aviation, and almost
all our critical functions are directed by computer controls
over vast information systems networks.
In 1995, Presidential Decision Directive 39, what we call
PDD 39, directed the Attorney General to lead a Government-wide
re-examination of the adequacy of the Nation's infrastructure
protection. That review prompted the President to establish in
1996 the President's Commission on Critical Infrastructure
Protection, a joint Government and private sector effort to
study threats to the Nation's critical infrastructure
industries, including cyber security threats.
In October 1997 this organization issued a report that
identified the need for a strategy of industry cooperation and
sharing of information relating to cyber security, including
threats, vulnerabilities, and interdependencies, as the
quickest and most effective way to achieve much higher levels
of infrastructure protection. The Director of the CIA recently
testified before Congress that cyber attacks from other
countries and rogue terrorist groups represent the most viable
option for leveling the playing field, disarming us in an armed
crisis against the United States.
The President's National Plan for Information Systems
Protection issued 6 months ago and an earlier Presidential
directive have called on Congress to pass legislation that
would encourage information sharing to address these cyber
security threats to our Nation's privately held critical
infrastructure. That is what this legislation is all about.
When Congressman Davis and I attended the Partnership for
Critical Infrastructure meeting at the U.S. Chamber of Commerce
the one consistent issue raised by the business community was
the sharing of sensitive but important security information.
Their concern stemmed from the lack of clarity in antitrust
laws and concerns related to disclosures the Government would
have to make based on Freedom of Information.
This Freedom of Information Act is the real stumbling
point. The challenge posed by the threat of potentially wide
spread Y2K failures offered a similar set of problems. It was a
parallel situation. In response to those problems, a coalition
of businesses worked with the bipartisan coalition in Congress
and the administration to meet the same need. Industry
cooperation and sharing of information related to Y2K,
including threats, vulnerabilities, and interdependencies.
Again, it was many of the same people that put that legislation
together, and as I mentioned, Tom was the original sponsor of
that too. A number of us put together a bipartisan approach and
it was effective. And after the passage of that Y2K Information
Readiness Disclosure Act, the information began to flow much
more freely. And that free flow of information was one of the
key reasons why Y2K came and went without significant problems.
A similar remedy addressing the cyber security of the
Nation's highly integrated critical infrastructure is necessary
to best protect Americans from cyber threats and
vulnerabilities. This legislation does just that. It is a
balanced approach. There is no issue more important to the
health of our economy than ensuring that our Nation's critical
infrastructure is protected. Government cannot protect the
Nation's infrastructure from cyber attacks without the help of
the private sector. As a result businesses must take the lead
and work together with the Government to share information so
that we can ensure that our Nation's critical infrastructure is
protected from cyber attacks and vulnerabilities.
So I am most happy to be cosponsoring the legislation along
with my colleague and good friend from Virginia, Tom Davis.
Coming out of this subcommittee with its record of achievement
with Chairman Horn and Ranking Member Turner, I trust this is
going to get speedy passage as well. I applaud this committee
for holding this hearing and I trust that as a result we are
going to be able to provide the framework that will provide
industry with the tools necessary for meeting this challenge.
It is important legislation. Thank you very much for having the
hearing, Mr. Chairman. I appreciate you giving me the
opportunity to make that statement. Thank you.
Mr. Horn. Thank you very much to the gentleman from
northern Virginia.
And now I yield to the ranking member, Mr. Turner, the
gentleman from Texas.
Mr. Turner. Thank you, Mr. Chairman. This clearly is one of
the most challenging issues that we face, the protection of
critical infrastructure. In the interest of time, Mr. Chairman,
I think I will submit my statement for the record and yield
back my time.
Again, I want to thank Mr. Davis and Mr. Moran for their
leadership on the issue.
[The prepared statement of Hon. Jim Turner follows:]
[GRAPHIC] [TIFF OMITTED] T2361.001
Mr. Horn. I thank the gentleman.
We now call on the author of the bill, Mr. Davis, the
gentleman from northern Virginia.
Mr. Davis. Thank you, Mr. Chairman. I would like to thank
you for holding this hearing today. It is my hope that today's
hearing will facilitate the ongoing dialog in addressing cyber
security vulnerabilities and the threats facing our critical
infrastructures.
Since this dialog began in 1997 with the creation of the
President's Commission on Critical Infrastructure Protection,
we have recognized that critical infrastructure security cannot
be addressed without partnering with the private sector, as we
did with Y2K. Over 80 percent of our critical infrastructure is
owned and operated by the private sector. Traditional national
defense models do not work in this environment. Instead, we
have to look to market forces and voluntary participation in
partnerships to successfully protect those infrastructures
without burdensome regulations which could unintentionally hurt
the competitiveness of U.S. markets.
Critical infrastructures are those systems that are
essential to the minimum operations of the economy and the
Government. Our critical infrastructures comprise the financial
services, telecommunications, information technology,
transportation, water systems, emergency services, electrical
power, gas and oil sectors in private industry, as well as our
national defense, law enforcement, and international security
sectors within the Government. Traditionally these sectors
operated largely independently of one another and coordinated
with the Government to protect themselves against threats posed
by traditional warfare.
With the many advances in information technology, many of
our critical infrastructure sectors are linked to one another
and face increased vulnerability to cyber threats. Technology
interconnectivity increases the risk that problems affecting
one system will affect other connected systems. Computer
networks can provide pathways among systems to gain
unauthorized access to data and operations from outside
locations if they are not fully monitored and protected.
Attacks on critical infrastructure can come in many
different forms. They can originate from groups or persons with
malicious intent to destroy or damage our safety and our
economy, or from individuals who just enjoy the challenge of
attacking and infiltrating computer networks. In a cyber
security conference held this past Monday, Richard Clarke, the
National Security Council staff coordinator for security
infrastructure protection and counter-terrorism, issued a
warning that the United States faces an electronic Pearl Harbor
unless Government and industry work together to strengthen the
information security systems protecting our Nation's critical
infrastructure. Infiltration of our financial services,
telecommunications, and electrical power systems would not be
any less devastating than attacks on our military and our
nuclear systems.
On May 4th, we were reminded once again that love can be
painful. As you know, May 4th is the day the ``I love you''
viruses rocketed around the globe causing an estimated $8
billion in damages. That figure does not account for the
countless frustrations experienced by governments and consumers
around the world. Additionally, differences in Government and
private-sector response to the virus highlight the need for
greater partnership and trust. If the Government had more
clearly established channels of communication when this virus
hit, it might have avoided significant delays in notifying its
own agencies of the virus. I was greatly concerned when I read
the General Accounting Office's preliminary results of the
Federal Government's handling of the ``I love you'' virus. The
Financial Services Information Sharing and Analysis Center,
ISAC, had notified their member companies by 3 a.m. about the
virus. But the Federal Bureau of Investigation didn't release
its first warning until 11 a.m. Additionally, the Department of
Health and Human Services reported that on May 4th the ``Love
bug'' rendered that agency incapable of responding to a
biological disaster.
Clearly, this is another area that requires a greater
commitment to partnership and coordination between the public
and private sectors. I would like to say this is a perfect
example of the success of private public partnerships that we
need to make a greater commitment to facilitating. The
Financial Services ISAC is currently the only one of its kind
that is clearly doing its job in getting out timely
information.
Moreover, recent studies have demonstrated that the
incidence of cyber security threats to both the Government and
the private sector are only increasing. According to an October
1999 report issued by the GAO, the number of reported computer
security incidents handled by Carnegie Mellon's CERT
coordination center has increased from 1,334 in 1993 to 4,398
during the first two quarters of 1999. According to information
currently posted on CERT's Web site, that number totaled
10,000, doubling the 1998 total for computer security
incidents. At this time, Mr. Chairman, I would like to request
that the information from CERT's Web site be inserted into the
hearing record. Additionally, the Computer Security Institute
reported an increase in attacks for the 3rd year in a row on
responses to their annual survey on computer security.
Because the private sector controls the vast majority of
our critical infrastructure, I am concerned that employing a
private public partnership to monitor the computer networks,
analyze data, issue real time alerts, and employ defenses must
be the primary component for protecting Americans. But when we
asked the private sector to volunteer some information that
otherwise would never be known to external entities,
information is often proprietary, which could impose many
different liabilities and risks were it to become publicly
disseminated. Not surprisingly, we find a great reluctance on
these companies to cooperate with the Government.
Mr. Moran and I introduced this bill.
Mr. Horn. May I say the material you and the Chair and the
ranking member want to put in at this point, without objection,
that is approved.
Mr. Davis. Thank you, and I will ask unanimous consent to
put the total statement in there.
We introduced this bill to give critical infrastructure
industries the assurances they needed in order to confidently
share information with the Federal Government. And as we
learned with the Y2K model, the Government and industry can
work in partnership to produce the best outcome for the
American people.
I have a fairly lengthy statement that I would like to ask
unanimous consent to have it all in the record. But I would
just like to add, Mr. Chairman, I want to thank you for holding
this hearing today and look forward to working with you. I
appreciate our panelists taking time out from their schedules
to share their thoughts on this before we mark this bill up in
the subcommittee and then move to full committee. We read your
comments and will take them into account and hope for a
continuing dialog in this. The challenges that face the
Government and the private sector on critical infrastructure
security remain very important to us. I hope this legislation
will go a long way toward resolving these conflicts. Thank you.
[The prepared statement of Hon. Thomas M. Davis follows:]
[GRAPHIC] [TIFF OMITTED] T2361.002 through T2361.006 (prepared statement not reproduced)
Mr. Horn. Well I'm sure it will.
I am particularly grateful to the members of the panel that
we are about to swear in. You nobly came here despite the very
short notice and we are most grateful to you for having your
perspective in this area. So let me just explain how this place
works. Mr. Willemssen can tell it better than I can. It's good
to see you, Joel. We start down the line based on the agenda.
We've got your statements, it is automatically in the record
when I introduce you. And second, we would like you, if you
can, to not read it because we just do not have that kind of
time. And so if you want to take 5 minutes, maybe 8 minutes,
that is fine, but just summarize it. The staff and everybody
else has gone through the written material, even though that
was a last minute affair and we thank each of you for that.
We also swear in all witnesses in this committee. So if you
would stand and raise your right hands, and if you have anybody
that backs you up, also have them do it.
[Witnesses sworn.]
Mr. Horn. The clerk will note that the six witnesses and
the two supporters have taken the oath.
We will start with Mr. Willemssen, the Director of
Accounting and Information Management Division of the U.S.
General Accounting Office, part of the legislative branch of
Government. Mr. Willemssen has great experience with this. He
has followed us all over the world on the Y2K situation. I am
glad to see you in one place, we don't have to run around the
country or the world anymore.
So Mr. Willemssen, we look forward to your overview.
STATEMENT OF JOEL C. WILLEMSSEN, DIRECTOR, ACCOUNTING AND
INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE
Mr. Willemssen. Thank you, Mr. Chairman, Ranking Member
Turner, Congressman Davis. Thank you for inviting us to
testify. It is an honor to appear again before you today. As
requested, I will briefly summarize our statement.
Overall, the level of concern over cyber security continues
to grow. Understanding cyber security risks and how to best
address them are major challenges that the Federal Government
has recently begun to address. Earlier this year, the White
House released version one of its National Plan for Information
Systems Protection. The plan encourages the creation of
information sharing and analysis centers to facilitate public
and private sector information exchange about actual threats
and vulnerabilities. Although such partnerships are central to
addressing critical infrastructure protection, some in the
private sector have expressed concerns about voluntarily
sharing information.
H.R. 4246, the proposed Cyber Security Information Act of
2000, was developed to address these concerns and encourage the
disclosure and exchange of information about cyber security
problems and solutions. In many respects, the bill is modeled
after the year 2000 Information and Readiness Disclosure Act,
which provided limited exemptions and protections for the
private sector to facilitate the sharing of information on Y2K
readiness. In short, the bill creates an additional protected
channel for potentially valuable information that the Federal
Government would not otherwise have.
Such information sharing proved invaluable in addressing
Y2K. The Y2K Readiness Disclosure Act helped pave the way for
disclosures on readiness and available fixes and helped the
work of the year 2000 Conversion Council's sector-based working
groups. H.R. 4246 could have a similar positive effect.
However, there are challenges remaining that need to be
addressed to make the legislation a success.
First, the Federal Government needs to be sure it collects
the right type of information, that it can effectively analyze
this information, and that it can appropriately share the
results of its analysis. This is a complex and challenging
task, especially given how rapidly threats and vulnerabilities
can change.
Second, to effectively engage with the private sector, the
Federal Government needs to be a model for computer security.
Currently it is not. Audits conducted by us and the Inspectors
General show that 22 of the largest Federal agencies have
significant computer security weaknesses, ranging from poor
controls over access to sensitive systems and data to poor
controls over software development and changes.
While a number of factors have contributed to weak
information security, the fundamental underlying problem is
poor security program management. To attain effective security,
several key elements are needed, including: (1) a framework of
effective access controls and management oversight; (2)
periodic independent audits of agency security programs; (3)
more prescriptive guidance on the level of protection required;
(4) strengthened incident detection and response capabilities;
and (5) adequate technical expertise. Especially important is
the need for strong centralized leadership. Such leadership has
proven essential to addressing other Government-wide management
challenges such as Y2K. And we believe it will be similarly
critical in tackling the growing security risks to computer
systems and critical infrastructures.
That concludes a summary of my statement. Thank you again
for the opportunity to testify, and I will be pleased to
address any questions.
[The prepared statement of Mr. Willemssen follows:]
[GRAPHIC] [TIFF OMITTED] T2361.007 through T2361.025 (prepared statement not reproduced)
Mr. Horn. Thank you very much, Mr. Willemssen. That was
very helpful.
At this point, I also want to put into the record the
President's White Paper, the Clinton administration's Policy on
Critical Infrastructure Protection, Presidential Decision
Directive 63. Without objection, it will be at this point in
the record.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T2361.070 through T2361.084 (Presidential Decision Directive 63 not reproduced)
Mr. Davis. Mr. Chairman, I would also like to ask that an
article on E-FOIA be inserted in the record from the August
1997 issue of Government Executive Virtual Records. If that
could be put in the record as well.
Mr. Horn. Without objection, so ordered.
Our next witness is John Tritak, the Director of the
Critical Infrastructure Assurance Office of the U.S. Department
of Commerce. We are glad you are here.
STATEMENT OF JOHN TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE
ASSURANCE OFFICE, U.S. DEPARTMENT OF COMMERCE
Mr. Tritak. Thank you, sir. I want to thank you and the
subcommittee for giving me the opportunity to appear here
before you today. I, too, will try to be brief and summarize my
remarks that are being submitted for the record.
I would like to set the context a little bit, in order to
underscore the importance of the discussion that is taking
place today. It has been a little over 2 years since President
Clinton issued PDD 63, establishing defense of the Nation's
critical infrastructure as a national security priority. And in
doing so however, he presented a rather unique challenge in
which we recognized, perhaps for the first time, that we have a
national security challenge that the Federal Government's
national security establishment cannot solve alone. With over
90 percent of the Nation's infrastructures being privately
owned and operated, the need for industry to take a leadership
role in securing the Nation's critical infrastructures is
essential.
The goal here is, as much as possible, to find market
solutions to deal with the problems of computer security and
infrastructure assurance, and then, where market forces fail,
the Government would step in, in cooperation with Congress, to
address any potential gaps in the interests of national
security and defense.
Part of what is essential to industry's leadership is the
need for strong collaborative partnering arrangements. One of
the things that I find striking is that what we are really
talking about here are two different kinds of partnerships. One
partnership, and perhaps the more important, is the partnership
of industry in which each of the sectors organize themselves to
address this problem. Then, of course, there is the partnership
between industry and Government to identify areas where
collaborative effort makes sense. What is essential to both
forms of partnership, however, is the need for information
sharing, both to raise awareness, improve understanding, share
common experiences, and, as appropriate, to serve as a catalyst
for action.
Within industry itself, a lot of progress has been made in
establishing effective information sharing arrangements. In the
telecommunications area, the National Communications Center
under the leadership of the NSTAC, which Dr. Oslund will talk
about later, was really one of the first effective information
sharing arrangements to deal with national security concerns.
More recently, the banking and finance industry established an
information sharing and analysis center to share important and
sensitive information about threats and vulnerabilities in that
industry. The North American Electric Reliability Council
recently established a pilot program with the National
Infrastructure Protection Center housed at the FBI, to share
certain types of information on threats to the electric power
industry as a whole. Both the NERC and the National Petroleum
Council are working with the Department of Energy to develop a
coherent sector plan for addressing threats and vulnerabilities
and to share arrangements. Shortly, the information technology
industry, under the leadership of Harris Miller of the
Information Technology Association of America, is going to
establish an information technology ISAC in response to the
computer summit that President Clinton held last February as a
result of the denial of service attacks that we saw.
When we talk about industry taking a leadership role, we
are starting to see that played out in a lot of different ways.
We are also seeing increasingly good working relationships
between industry sectors and their Federal lead agency
counterparts in the Federal Government. For example, the
Commerce Department's National Telecommunications and
Information Administration is responsible for working closely
with the information technology and telecommunications
industry, and of course the National Security
Telecommunications Advisory Council [NSTAC] has actually played
a very important role in helping to guide that dialog and to
provide very useful and effective suggestions on how to go
forward.
One of the things that becomes clearer as you go further
into this issue is that, because industry is increasingly
becoming part of the same digital nervous system, you cannot
address critical infrastructure security in a stovepipe
fashion. The digital age does not recognize the distinctions
between the transportation sector, the electric power industry,
and telecommunications. And so there is a growing need within
industry to discuss and meet with representatives of the
respective sectors to determine where the common issues of
concern are and how they might be addressed.
There is also a need, if you are going to maximize the
market as a means of raising the bar of security across the
country, to bring in other stakeholders which includes the risk
management community, the investment community, State and local
governments, as well as main line businesses who are actually
ultimate consumers of the infrastructure of services that
generate the wealth of the Nation. And it was with that in
mind, that was the impetus for the creation of the Partnership
for Critical Infrastructure Security. It serves as a forum for
fostering cross-sector dialog to address areas of common
concern and experiences with a view toward taking action as
appropriate. It also brings in the other professional
communities, including the legal community, privacy community,
risk-management and the like so that what you have is really a
distillation of the markets that is going to have to be
involved in this effort if we are going to actually see the
security of the Nation's infrastructures improved.
To date there are over 150 companies participating.
Congressman Davis and Congressman Moran addressed the first
working group meeting, and as Congressman Moran indicated in
his remarks, it was a very fruitful discussion. Our next
meeting will be held in July in San Francisco in which many of
the issues that were identified, including issues regarding
FOIA, will be further discussed, as well as industry will begin
to engage the Federal Government on how to participate in the
next version of the National Plan, which I think is essential
to having a national agenda for a new administration to deal
with.
I indicated very early on in my remarks that the core of
all this is voluntary information sharing, information that
does not have to be provided under existing laws and
regulations. Some of that information is sensitive. Concerns
that the existing statutory environment in any way chills that
sort of information sharing therefore must be taken seriously.
It was in addressing these concerns that we had a very
successful Y2K period, where you saw an unusual and
unprecedented amount of the information sharing between
Government and between industry. And since I was located very
near the ICC, I was able to witness firsthand the success of
that.
The President's Commission on Critical Infrastructure
Protection acknowledged the importance of dealing with this
issue, ``We envision the creation of a trusted environment that
would allow the Government and private sector to share
sensitive information openly and voluntarily. Success will
depend on the ability to protect as well as disseminate needed
information. We propose altering several legal provisions that
appear to inhibit protection and thus discourage
participation.'' The PCCIP went on to include the Freedom of
Information Act, antitrust provisions, and protection from
liability among the areas that needed to be analyzed. In
addition, as I indicated a moment ago, the organizational
meeting of the Partnership for Critical Infrastructure Security
included in its action items the removal of disincentives to
information sharing.
Therefore, I wholeheartedly applaud the intent as well as
the objectives of the Cyber Security Information Act that was
proposed by Congressmen Davis and Moran. Based on my own
experience with these issues over the past years, I believe
sharing information regarding common vulnerabilities, threats,
and interdependencies is important to effective security
controls across the interconnected and shared risk environment
within which both Government and industry operate.
The act would create a new exemption from FOIA to protect
industry's submitted critical information vulnerability
information. As a general matter, we support maximum Government
openness while recognizing that certain information such as
that relating to cyber vulnerability should be protected from
wide dissemination. As with any exemption from Government
openness, we need to study this proposal very carefully and
need to strike a balance between the goal of information
sharing and Government openness. Similarly, we should be
confident that the proposed provisions dealing with antitrust
and liability protection are measured to achieve their intended
goals and not create unintended results.
As the bill points out, prompt, thorough and secure
information sharing is clearly a matter of national importance.
I think the ability to develop and share designated cyber
security information would be a useful step toward this
important goal. We are
looking forward to a full and vigorous national discussion on
this important legislation. I wish to thank you for the
opportunity to testify here today, Mr. Chairman.
[The prepared statement of Mr. Tritak follows:]
[GRAPHIC] [TIFF OMITTED] T2361.026
[GRAPHIC] [TIFF OMITTED] T2361.027
[GRAPHIC] [TIFF OMITTED] T2361.028
[GRAPHIC] [TIFF OMITTED] T2361.029
[GRAPHIC] [TIFF OMITTED] T2361.030
[GRAPHIC] [TIFF OMITTED] T2361.031
Mr. Horn. Thank you very much, Mr. Tritak. That is very
helpful.
We now turn to Ambassador Craig Johnstone, senior vice
president for International Economic and National Security
Affairs of the U.S. Chamber of Commerce.
Mr. Ambassador, please proceed.
STATEMENT OF AMBASSADOR L. CRAIG JOHNSTONE, SENIOR VICE
PRESIDENT, INTERNATIONAL ECONOMIC AND NATIONAL SECURITY
AFFAIRS, U.S. CHAMBER OF COMMERCE
Ambassador Johnstone. Well thank you very much, Mr.
Chairman, and a particular vote of thanks to Mr. Moran and Mr.
Davis for having sponsored this very important legislation. I
represent the U.S. Chamber of Commerce, the world's largest
business organization with 3 million businesses, associations,
and chambers represented around the world, and we strongly
endorse this legislation.
Mr. Chairman, we are all witness to the process of
globalization and all of the revolutionary changes that we are
seeing as a result of new technologies--information management,
biotechnology. It has changed the very nature of economic life
in our country and it is full of opportunities, but it also
brings with it a great number of risks.
There is a new set of security risks unlike those we have
ever witnessed previously in our history. These new security
risks do not come in the form of foreign armies marching across
borders. They're more sophisticated, they're more insidious,
and more pervasive. Their provenance is more difficult to
determine and the defenses are very difficult to mount. These
are the threats to our Nation's critical infrastructure, to our
computer systems, to our financial infrastructure, to our power
grids, to our water supplies. These threats exploit the tools
of modern science to attack weak points in our increasingly
complex and increasingly vulnerable economic system.
These are very real threats. If you just look in the narrow
sector of the threats to the computer infrastructure, you take
the CERT Coordination Center's recent report alluded to by Mr.
Davis and just take a look at what has happened recently. Over
a 2-day period starting February 7th, some of the leading
Internet sites of the country came under denial of service
attacks from hackers. The sites included Yahoo, eBay, CNN.com,
Amazon.com and e-Trade. Less than a month later 350,000 credit
card numbers were stolen from the music retailer CD-universe
and posted online in an attempt to extort $100,000 from the
company. On May 5th the international ``Love bug'' virus that
we are all familiar with struck at enormous cost to American
business. And these attempts were perpetrated by amateurs.
Imagine the threat were there to be a concerted effort not just
of amateurs, but of people working under Government auspices of
some kind, somewhere, from some corner of the Earth. The range
of weapons that can be brought to bear on a single company
today, they can be brought to bear on a single company or they
can be brought to bear to affect the lives of millions of
people.
Our country must come up with the strategies that address
this problem. It does no good for Government to develop a
strategy on its own when 90 plus percent of the critical
infrastructure of this country is in the hands of the private
sector. The kind of strategies we need must be developed
between industry and Government within individual industries.
We can address our critical infrastructure vulnerabilities but
only through cooperation and the free flow of information and
ideas.
This legislation moves us a step in that direction by
establishing trust between industry and Government. You can
expect the amount of valuable information exchange on critical
infrastructure threats and vulnerabilities to be directly
proportional to the amount of safety provided by H.R. 4246. We
faced a very similar problem on the Y2K issue and the 1998 Y2K
Information and Readiness Disclosure Act paved the way for much
smoother relations between the public and private sectors.
Providing a FOIA exemption and an antitrust waiver is
critical for the level of success of industry-wide information
sharing and analysis centers [ISACs]. These ISACs share
information on the nature of vulnerabilities, attempted attacks
or unauthorized intrusions, coordinate R&D issues, examine
vulnerabilities and dependencies and develop education and
awareness programs. This legislation is critical to those
efforts, it is also critical to the success of the Partnership
for Critical Infrastructure Security, which performs many of
the same functions but this time not within industries but
between industries, and between industry and government.
I am pleased to say that the U.S. Chamber of Commerce has
actively participated in the formation and development of the
Partnership for Critical Infrastructure Security and we are
pleased to provide ongoing support in collaboration with the
Critical Infrastructure Assurance Office and we commend the
office for the leadership that it has given on this issue. It's
clear from our experience with Y2K, from the requirements of
the National Plan, and from the feedback we have received from
our own companies, our member companies that this legislation
is important, even critical toward accomplishing the
cooperation we must have to advance our security goals.
Again, I would like to commend Mr. Davis and Mr. Moran for
their leadership in taking on this issue, and I would like to
encourage this committee and House to support the Cyber
Security Information Act of 2000. Thank you.
[The prepared statement of Ambassador Johnstone follows:]
[GRAPHIC] [TIFF OMITTED] T2361.032
[GRAPHIC] [TIFF OMITTED] T2361.033
[GRAPHIC] [TIFF OMITTED] T2361.034
[GRAPHIC] [TIFF OMITTED] T2361.035
[GRAPHIC] [TIFF OMITTED] T2361.036
Mr. Horn. Thank you, Mr. Ambassador.
We now move to Mr. Jack Oslund, the chairman of the
Legislative Regulatory Working Group of the National Security
Telecommunications Advisory Committee. Mr. Oslund.
STATEMENT OF JACK OSLUND, CHAIRMAN, LEGISLATIVE AND REGULATORY
WORKING GROUP OF THE NATIONAL SECURITY TELECOMMUNICATIONS
ADVISORY COMMITTEE
Mr. Oslund. Thank you, Mr. Chairman. I would like to open
up with an apology. I have laryngitis and I will do the best I
can. It may govern the speed with which I work against your
clock. Thank you for the opportunity to testify here today
regarding the President's NSTAC. As you said, I chair the
Legislative and Regulatory Working Group of the Industry
Executive Subcommittee. My remarks are based on the work of the
NSTAC. They do not necessarily represent the views of my
company, nor will they address issues on which the NSTAC
principals have not taken a formal position.
NSTAC and its representatives have been involved in
industry-Government information sharing for 18 years. We have
learned many lessons in our various activities that we are
always willing to share as other infrastructures begin their
own public-private partnership arrangements. If the Chair will
allow, I would like to provide supporting materials for the
committee's use.
Mr. Horn. We will review them and try to get them into the
hearing record as best we can, without objection.
Mr. Oslund. Thank you, sir. What makes information sharing
successful? Participants in NSTAC, the NCC, and the NSIEs have
built relationships based on trust that fosters the sharing of
information. These relationships are largely dependent on
individual relationships and the recognition that through
cooperation the security of the Nation's critical
telecommunications networks can be strengthened.
The NSTAC has examined information sharing initiatives and
observed the following: it is already occurring in a number of
forums, it may be affected and in some cases it is being
affected by legal barriers, it is mostly voluntary, it is
dependent on receiving a benefit when voluntarily shared, it is
based on trusted relationships, and it may depend upon the
company and the individual participant.
The NSTAC also has focused on the potential regulatory and
legal barriers which are being discussed today--FOIA,
liability, and antitrust. I will limit my oral testimony to
FOIA.
FOIA provides the public with access to records maintained
by Government departments and agencies. It also sets forth a
number of exemptions that allow withholding specific
information from disclosure, including proprietary company
information. None of these exemptions specifically addresses
critical infrastructure protection information that is shared
within the ISAC. Yet PDD 63 calls for long-term voluntary
information sharing between industry and Government to achieve
protection for the Nation's critical infrastructures.
As evidenced by the voluntary information sharing that took
place during the Y2K rollover, companies were prepared to share
information with each other and the Government that otherwise
would not have been available without the FOIA exemption
granted by the Y2K Act.
With respect to information sharing related to critical
infrastructure protection, the threat is not as clear as it was
for Y2K. The problem is unbounded. There is no fixed deadline
for action and, as stated earlier, there currently is no
protection from disclosure of critical infrastructure
protection information voluntarily shared with the Government.
We are in a continuing dialog with Mr. Tritak and his staff at
CIAO on this matter.
The NCC expanded its function to include serving as a
telecommunications ISAC this past March. Most industry
participants in the NCC feel that the expansion of its
activities to include ISAC functions increases the need for
protection of information voluntarily shared with Government.
To date, FOIA has not been a significant concern in the NCC,
primarily because the NCC does not maintain a data base.
However, the NCC ISAC is developing an automated information
sharing and analysis system that will store data from events
and situations reported by participating organizations. As
awareness of the NCC and its activities, particularly as an
ISAC increases, FOIA requests for the data base may cause
participants to be reluctant to share information. It is
critical that sensitive company information shared with the
Government be protected from disclosure.
Significantly, in May 2000 the NSTAC recommended that the
President support legislation to protect critical
infrastructure protection information voluntarily shared with
the Government from disclosure under FOIA. NSTAC has not yet
discussed the pending legislation. It was introduced too late
during the last NSTAC work cycle. It will be reviewed during
the work cycle that is just beginning.
In conclusion, the lessons learned from the NSTAC's
experiences in information sharing are applicable to all
critical infrastructures as they begin their own protection
efforts. The road to complete trust between and among industry
and Government is a long and bumpy one. Legislation is
necessary but not sufficient for information sharing. There are
other areas that must evolve in order to achieve the level of
information sharing sufficient to accomplish the goal of
protecting the Nation's critical infrastructures. Technical,
logistical, cultural, and human factors issues need to be
addressed. While legislation will not solve all the challenges
in information sharing, it goes a long way in providing the
protection industry needs as well as demonstrating the
Government's commitment to being an active member of the
information sharing process.
Thank you for inviting me to speak today. I look forward to
any questions that you may have.
[The prepared statement of Mr. Oslund follows:]
[GRAPHIC] [TIFF OMITTED] T2361.037
[GRAPHIC] [TIFF OMITTED] T2361.038
Mr. Horn. Well thank you, and we wish you well with your
laryngitis. There are more allergies on Capitol Hill than
anyplace in the world because there is a tree I am told for
every tree in the world.
Mr. Oslund. Mr. Chairman, the doctor did assure me that I
do not have a virus bug.
Mr. Horn. Thank you. Let me explain that when you see
Members walking in and out now it is because we have a vote on
the floor on the rule and we have 15 minutes to respond. Mr.
Davis has gone over there. When he comes back, he will preside
and I will go over there. We do not like to miss votes.
We will start with Mr. Sobel now, the general counsel of
the Electronic Privacy Information Center. Mr. Sobel.
STATEMENT OF DAVID L. SOBEL, GENERAL COUNSEL, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. Sobel. Thank you, Mr. Chairman. I appreciate the
opportunity to appear today to discuss the Cyber Security
Information Act. The Electronic Privacy Information Center, or
EPIC, is a frequent user of the Freedom of Information Act. We
obtain Government documents on a wide variety of policy areas
and we firmly believe that public disclosure of this
information improves Government oversight and accountability
and really assists the public in becoming fully informed about
the activities of the Government.
I have personally been involved with FOIA issues for almost
20 years representing a wide variety of FOIA requesters. In the
early 1980's, I assisted in the publication of a book entitled,
``Former Secrets,'' which documented 500 instances in which
material released under FOIA served the public interest. I am
sure that if there were to be a revision of that book done
today in the year 2000, we could easily come up with thousands
of such examples of beneficial uses of the Freedom of
Information Act.
EPIC, as a member of the FOIA requester community, has,
along with other members of that community, for many years
expressed concerns about a number of proposals to enact new
broad exemptions to the FOIA's disclosure requirements. Most
recently, we have joined with scientific, journalist, library,
and civil liberties organizations in questioning the need for a
new exemption to cover information dealing with the protection
of critical infrastructure protections, such as the exemption
that would be created in the bill before the subcommittee. We
collectively believe that such an approach is fundamentally
inconsistent with the basic objectives of FOIA, which is, as
the Supreme Court has noted, ``to ensure an informed
citizenry.''
It is clear that as we enter the new century and become
increasingly involved in electronic networking that the
Government is going to be more and more involved in the
protection of critical infrastructure. It is equally apparent
that the Government's activity in this area is going to become
a matter of increased public interest and debate.
My organization EPIC has monitored developments in this
area since the creation of the President's Commission on
Critical Infrastructure Protection. After the commission's
report came out, we issued a report entitled, ``Critical
Infrastructure Protection and the Endangerment of Civil
Liberties,'' in which we raised some questions about possible
impacts of some of the proposals. Now while reasonable
observers can disagree over the advantages or disadvantages of
the commission's proposal, or the more recent initiatives
contained in the administration's National Plan, I think we can
all agree that critical infrastructure protection raises some
significant public policy issues that deserve full and informed
public debate.
In fact, public disclosure of information in this area has
already helped to shape the administration's policy in the
area. As an example, I would cite to the subcommittee the so-
called FIDNET proposal, the Federal Intrusion Detection
Network, which, as originally proposed, would have subjected
private sector computer networks to a potentially invasive
monitoring system administered by the FBI. Following news media
accounts of that proposal and the negative public reaction,
that proposal was significantly scaled back. We at EPIC have
received material under the FOIA dealing with these issues, we
have made it public, and we think that is an important part of
the process, of public debate on these issues.
I would like to focus specifically on the need for the
exemption that is contained in this legislation.
Mr. Horn. Let me just interrupt you at this point.
I am going to recess the hearing to go vote. The time
remaining is almost expired. Apparently Mr. Davis could not get
back in time. But he will pick it up and then have you pick it
up.
So we are going to recess for 5 minutes or until Mr. Davis
returns.
[Recess.]
Mr. Davis. The subcommittee hearing will reconvene.
Mr. Sobel, do you want to continue your remarks?
Mr. Sobel. Thank you, Congressman Davis. I was pointing out
the valuable information that has already been disclosed under
the Freedom of Information Act concerning critical
infrastructure protection, and citing the example of the
initial FIDNET proposal and the revisions that the
administration made to that proposal after publication of the
details and incorporating the public concern that that
engendered. So I think that is a very good example of the
importance of public disclosure and the Freedom of Information
Act in this particular area.
What I would really like to discuss and focus on in my
remaining time is my belief that the Freedom of Information
Act, as currently written and construed by the courts, does in
fact provide adequate protection for the information that we
are discussing and I would maintain really negates the need for
a new exemption to be added to the FOIA regime.
I think in looking at this issue, we do need to keep in
mind that critical infrastructure protection is an issue of
concern not just for the Government and industry, but also for
the public, particularly the local communities in which these
facilities that we are discussing are located.
The FOIA exemptions that currently exist, in particular I
would like to focus on exemption 4, have been the subject of 25
years of litigation. We have extensive caselaw that we can look
to. And I believe that caselaw establishes that existing
exemption 4 is adequate. For information to come within scope
of exemption 4, it must be shown that the information is either
a trade secret or, most significantly here, information which
is commercial or financial, obtained from a person, and
privileged or confidential. The latter category of information,
that is, commercial information that is privileged or
confidential, is directly relevant to the issue that is before
the subcommittee.
Commercial information is deemed to be confidential ``if
disclosure of the information is likely to have either of the
following effects,'' and significantly the one we are concerned
with here, ``To impair the government's ability to obtain the
necessary information in the future.'' My understanding is that
H.R. 4246 seeks to ensure that the Government is able to obtain
critical infrastructure protection information from the private
sector on a voluntary basis. So that concern clearly comes
within exemption 4's so-called ``impairment'' prong.
In fact, the courts have liberally construed impairment,
finding that where information is voluntarily submitted to a
Government agency, it is exempt from disclosure if the
submitter can show that it does not customarily release the
information to the public. This is the Critical Mass case that
the D.C. Circuit decided back in 1992. In essence, the courts
defer to the wishes of the private sector submitter and protect
the confidentiality of information that the submitter itself
does not routinely make public.
In addition to the protections for private sector
submitters that are contained in exemption 4 and the relevant
caselaw, agency regulations also seek to ensure that protected
data is not improperly disclosed. Under the provisions of
Executive Order 12600, which President Reagan issued in 1987,
agencies are required to give submitters of information an
opportunity to submit objections to proposed disclosures and
those objections have to be considered by the agency before a
disclosure determination is made. The protections don't end
there. If the submitter is still unhappy with an agency
determination to disclose the submitted information, the
submitter can go to the courts, file what is known as a
``reverse FOIA'' lawsuit and litigate the confidentiality
issue. So there are many procedural safeguards already built
into the FOIA regime.
I think to a large extent the concern that we hear from
industry is really a misperception of existing law. I think
this is something that can become a self-fulfilling prophecy.
If the agencies responsible for collecting this information are
saying to submitters we cannot protect your information, then
obviously the flow of information is going to dry up. So I
think it is important to direct the efforts toward education
and reassuring the private sector submitters that existing law
does in fact adequately protect their confidentiality.
I think the FOIA over the last 25 years has worked very
well in making these kinds of balances between the need to
know, on the one hand, and protecting against harmful
disclosures. I would encourage the subcommittee not to upset
that delicate balance that we have already developed over the
25 years of litigation. I thank the committee for considering
these issues and will be happy to take any questions.
[The prepared statement of Mr. Sobel follows:]
[GRAPHIC] [TIFF OMITTED] T2361.039
[GRAPHIC] [TIFF OMITTED] T2361.040
[GRAPHIC] [TIFF OMITTED] T2361.041
[GRAPHIC] [TIFF OMITTED] T2361.042
[GRAPHIC] [TIFF OMITTED] T2361.043
Mr. Horn. Thank you very much for being here. I will have
some questions for you later.
Mr. Woolley.
STATEMENT OF DANIEL WOOLLEY, PRESIDENT AND CHIEF OPERATING
OFFICER, GLOBAL INTEGRITY CORP.
Mr. Woolley. Good morning, Congressman Davis, Chairman
Horn, members of the subcommittee. I would like to thank you
for requesting my perspective on the important issue of
information sharing and the quest for cyber security. My name
is Dan Woolley and I am the president and chief operating
officer for Global Integrity, a company based in Reston, VA.
Global Integrity is a wholly owned subsidiary of Science
Applications International Corp., an information security
consulting company, and a resource for many Fortune 100 and
Global 100 corporations, including online businesses, banks,
brokerage houses, insurance companies, telecommunications, and
entertainment companies, and other dot-com industries. In this
capacity, we test the overall computer security of our client
sites, help them develop secure information architectures, and
help them to respond to attacks and incidents. We monitor and
report to our clients about the most recent threats and
vulnerabilities in cyber space, and help them to cooperate with
regulations and law enforcement agencies where required or
where appropriate.
Global Integrity is also a recognized leader in information
sharing to promote cyber security. We established the very
first information sharing and analysis center called for by the
Presidential Decision Directive, or PDD 63, and since then have
established several additional ISACs that have been demanded by
the market. Therefore, I am particularly pleased to offer our
views today on H.R. 4246, on the state of cyber security, on
information sharing and the public-private partnership,
including some of the appropriate roles of Government.
Presidential Decision Directive 63 recognized that the
critical infrastructure of the United States is not owned by
the Government but rather is in the hands of the private
sector. While both the Government and the private sector have
significant incentive to protect this infrastructure, the
ultimate financial responsibility for protecting it lies
squarely at the foot of private sector. Moreover, the
Government's interest is in protecting the infrastructure
against cyber warfare and denial of service attacks. The
private sector's interest is in protecting its infrastructure
not only from these attacks but also from attacks by
competitors, preventing insider abuse, enforcing corporate
policies, protecting investor interest, as well as providing
customers with safe, secure, and private means of conducting
electronic commerce. While the goals of the private sector and
the Government converge, they are not always identical.
We recognize the precariousness of the concept between
public and private partnerships on something so sensitive as
cyber security, yet we think it a concept worth pursuing, albeit
with caution. Certainly the last thing a private company
wants is to have its own cyber vulnerabilities publicly exposed
to regulators, customers, investors, or competitors. On the
other hand, the Government has a legitimate right to be
concerned about the security of the Nation's critical
infrastructure and even the security of the businesses that
underpin the Nation's economy.
Yet because the private sector owns the infrastructure, we
believe the primary responsibility for securing it does
and should rest with the private sector--those in the financial
services, energy, transportation, agriculture, and
communications sectors, as well as those in the thousands of
IT-dependent businesses. These are the people who own the
infrastructure, are familiar with it, and are responsible for
making decisions not only about the security, but also about
the things like functionality, interoperability, strategic fit,
and, of course, cost.
Yet the Government correctly notes that our critical
infrastructures are subject to the intrusion and disruption in
cyber security if not taken extremely seriously at the very
highest levels both within Government and within the private
sector. While the private sector should lead, we believe the
Government does have a legitimate role in promoting cyber
security. The Government must continue in its efforts to
recruit and train cyber security professionals and perhaps make
laboratory or forensic facilities available to the private
sector.
The Government can lead by example, by securing its own
infrastructure and by sharing techniques and lessons learned.
Global Integrity supports legislative efforts to encourage and
even require Government agencies to batten down their own cyber
hatches and serve as a model for the private sector. The
Government also can help set security standards and best
practices to promote education on subjects like computer
security, computer forensics, computer law, computer ethics.
Finally, the Government can promote private sector cooperation
both within the private sector and with the Government by
removing any actual or perceived barriers to such cooperation,
and by actively and aggressively advocating for such
cooperation. The Government should also consider what rewards
may be offered to the private sector to encourage safe and
secure practices.
According to the Department of Justice statistics, cyber
crime cases have increased 43 percent from 1977 to 1999.
Threats to the infrastructure are both real and perceived. A
survey of 1,000 Americans conducted on June 8-11 this year by
the polling firm of Fabrizio McLaughlin Associates found that
67 percent of respondents feel threatened by, or are concerned
about cyber crime, and 62 percent believe not enough is being
done to protect the Internet consumers against such crime.
Sixty-one percent say they are less likely to do business on
the Internet as a result of cyber crime, and 65 percent believe
online criminals have less of a chance of being caught than
criminals in the real world.
We have identified the following trends in cyber attacks:
No. 1, distributed attacks are increasing, and abusers take
advantage of jurisdictional and sovereignty distinctions to
avoid detection and prosecution. No. 2, attackers are using the
known and publicized security holes to compromise systems. This
is particularly true with respect to the worm type attacks that
continue to take advantage of users' willingness to execute
unknown and unverified computer programs. No. 3, most incidents
and penetrations seem to be attacks of opportunity, although
sophisticated hackers may target specific companies or
information with a combination of electronic attacks and
deception through social engineering. No. 4, the release of
point and click tools has made the ability to take on systems
easy and accessible. For example, a well-known tool called
B02K, freely available on the Internet, allows an
unsophisticated hacker to take over a victim's computer
completely, read all files and even turn on attached cameras
and microphones to conduct surreptitious surveillance in the
room in which the computer is located. No. 5, the increase in
the use and potential use of high-speed, always-on DSL and
cable connections at home increases the risk of both home and
corporate attacks. A home user may suffer as many as 40-100
attempted attacks per month on a home DSL connection, ranging
from somewhat benign probes to very sophisticated attacks. The
attacks come from diverse locations, including Eastern Europe,
China, Korea, and other nations in the Far East. The increased
use of wireless technologies to transmit business critical or
personally sensitive information increases the risk of
compromise. New security strategies and implementations must be
developed for these technologies.
One of the best ways that Government can promote cyber
security in the private sector is by encouraging information
sharing, and this of course is one of the central objectives of
PDD 63. The Directive charges the creation of ISACs, Information
Sharing and Analysis Centers, where information on threats,
incidents, and vulnerabilities, with associated recommendations
and solutions, needs to be shared and analyzed. This is a critical
step in defending against cyber attacks.
When these attacks do occur, companies are often left in
the dark, they cannot tell whether the attack is local,
regional, or national. They cannot easily determine whether the
attack is directed at them alone, their entire industry, or
represents part of a series of random or concerted attacks. To
defend against potential future attacks, companies must also
know about vulnerabilities in the operating systems,
applications, browsers, and thousands of the myriads of pieces
of software that make up the overall infrastructure. Finally,
they must have access to the raw intelligence about the threats
to the infrastructure, increased attacks or activity, and new
fraud schemes in order to be prepared.
At Global Integrity, we have spent over $3 million in the
last 10 months developing the first ISAC for the financial
services industry. Thousands of man-hours were dedicated not
only by Global, but by dozens of companies led throughout the
world by initiatives for the financial services sector toward
perfecting this model. The initial goal was to create a broad
based model for the financial services industry--banks,
insurance companies, brokerages, and other organizations. This
model is now being replicated for many companies and sectors
around the world.
The FS/ISAC was formally launched in October 1999 and it
was based upon the fears of publicity, fears of inviting
additional attacks, fears of confidentiality, and fears of
antitrust liability.
In the past, the limitations and the willingness of
industry members to share information was critical. Today,
nobody wants to be reported on the front page of the Washington
Post that their institution has been a victim of an attack or
attempted attack.
The FS/ISAC today provides a means for sharing information
and for distributing threat data obtained from Government
sources without the fear of attribution or publicity. Nothing
contained in the FS/ISAC rules or regulations alters the
obligations of banks or financial institutions to report these
criminal activities. In other words, the decision whether or
not to report an incident lies with the victim of the attack,
and not with the repository of the collected information. To
protect the confidentiality of the information, each paid
member issues a series of anonymous certificates which
authenticates them but does not specifically identify the
member.
We have also recently established the equivalent of news
bureaus to collect, analyze, and disseminate information of
both regional and national interest. We are establishing
bureaus in Asia, the Middle East, Central Europe, and the United
Kingdom, as well as South America. These regional bureaus are
providing incident, threat, vulnerability, and resolution data
regarding events occurring in their regions back to the Reston
analysis center for redistribution to all ISAC members on a
worldwide basis. The FS/ISAC as well as other ISACs represent a
form of public and private cooperation.
As a result of the operation of the FS/ISAC and its
advanced warning stations in Asia and Europe, members of the
financial services industries that have chosen to participate
received early warning about recent threats. For example, the
FS/ISAC notified members not only of the methodologies behind
the distributed denial of service attacks which were launched
last February, but also about specific information indicating
that hacker activity was increasing. Indeed, Global took such
threats seriously enough to issue generalized news releases on
the possibility of such attacks hours before those attacks
actually occurred. As Congressman Davis noted, the FS/ISAC
advised members about the Love Bug worm several hours before
the Government agencies sent out generalized alerts, and
provided detailed technical analysis of how these worms worked
in the early notification.
There are certain roles and functions that are the province
of Government. One, to set minimum standards for security and
interoperability, conducting and supporting fundamental
research on new security technologies, promoting awareness of
issues relating to information protection, ensuring greater
international cooperation between law enforcement, Government
agencies, and bringing down the barriers which inhibit
cooperation.
Finally, a word about the role of Congress in specific. I
believe that Congress should take a cautious approach to
passing new legislation. We do think that legislation requiring
the Government to get its own cyber house in order would be
productive. We also think that limited legislation such as H.R.
4246, which removes barriers to information sharing, is a good
idea. Whether these barriers are real or perceived is a
question on which lawyers cannot agree. However, we know that
in many cases perception is a stronger force than reality, and
so removing perceived barriers can
be every bit as important to the broader goal, which is to
encourage information sharing of incidents, threats, and
vulnerabilities.
I thank you, Mr. Chairman, for the opportunity to present
our views, and welcome any questions the committee may have.
[The prepared statement of Mr. Woolley follows:]
[GRAPHIC] [TIFF OMITTED]
Mr. Horn. Thank you.
I now recognize Mr. Davis for questioning for 8 minutes.
Mr. Davis. I thank you very much, Mr. Chairman.
Let me start with Mr. Sobel, who is probably the most
skeptical about the bill. I guess it is your position that we
do not need to change FOIA.
Mr. Sobel. That is correct.
Mr. Davis. The problem is that the companies that we want
to release the information and share information do not share
that view and do not want to have to go through the litigious
process of trying to establish that every time they want to
release something. That is the difficulty we have.
We have tried to craft a narrow exemption so that it does
not do more than we intend it to do. Is there any limiting
language that you would find acceptable under this, or is it
your strict position that the FOIA law is the FOIA law and we
live with it and it will handle all of our needs?
Mr. Sobel. Let me back up a minute and talk about your
opening premise, which is that there is the perception amongst
the private sector submitters that there is not currently
adequate protection.
Mr. Davis. I am going to argue about the law in a minute,
but there is certainly the perception.
Mr. Sobel. Well, I think that the only way to address that
perception is to bring people up to speed on what the law is.
It is my considered opinion, as well as the opinion of the FOIA
requester community that has been involved in the cases that I
am citing and frankly has lost a lot of the cases, that the
courts give great deference to private sector information that
is held by Government agencies. And we can see no scenario
under which information that is submitted to the Government
voluntarily and that the private sector submitter wishes to
maintain the confidentiality of would be disclosed.
So I would prefer to see the resources of the agencies go
into reassuring the submitters and get the Justice Department
to come forward and say, yes, it is our view that existing law
is adequate, and have the Congressional Research Service look
at the issue. I am confident that a legal review of that kind
will create the kind of reassurance that I think has been
lacking thus far.
Mr. Davis. So it is not your view that anytime Government
is present that there is a public right to know under FOIA,
regardless of how that information is obtained.
Mr. Sobel. The courts have certainly construed all of the
exemptions, from my perspective, very broadly. I think the
perception out there amongst the requester community is that we
have lost most of the big cases, that there has been great
deference to both the agencies that seek to withhold
information and the private sector submitters of information
that do not want the information disclosed. So I think it is
pretty clear if you look at the caselaw and the history of the
development of exemption 4 that the courts have really bent
over backward to make sure that private companies do in fact
feel comfortable in voluntarily sharing information with the
Government.
I also want to repeat the point that I made in my
testimony, which is that it is not only the caselaw that we
need to look at, but there was a lot of concern about this
issue in the 1980's during the Reagan administration. President
Reagan issued Executive Order 12600 which created procedures
within all of the agencies to give submitters rights to object.
Mr. Davis. But we have had enough of companies that keep
coming back that in 1997 the Defense Authorization Act had to
prohibit agencies from releasing most contract proposals
because there was a lot of proprietary information in the
proposals that was leaking out and being FOIAed. This is a
constant problem. If you are a private company, and I come out
of the private sector, once you give that information out, I
think you want ironclad assurance that that information is not
going anywhere else either intentionally or sometimes
unintentionally, because then you get your trial lawyers, you
have antitrust, you have a whole lot of issues that get raised
through that.
I guess my question is, what is wrong with clarifying it
here? Do you think this is drawn too broadly? We have tried to
draw this as narrowly as we can. If we could narrow it in some
other way to give everybody the rightful protections, we would
be happy to do that.
Mr. Sobel. I think I would start from the proposition in
this area that if it is not broken, why try to fix it, because
in the process you might just be creating some new unintended
problems. I point out in my written testimony that I think,
given the history of FOIA over the last 25 years, that any new
exemption or any new language that is inserted into that regime
results in protracted litigation.
I think we have devoted considerable judicial resources
over the last 25 years to ironing out the meaning of exemption
4. As I say, I think the outcome of that process has been one
that is very protective for the private sector. And one of the
concerns would be that we are just going to be tied up in
litigation for several years as the meaning of this new
exemption gets sorted out. Whereas, we have a body of caselaw
that we can look at right now that I believe resolves the
issue. I think any time you introduce new language into this
regime you invite problems.
Mr. Davis. Clearly, if you introduce new language, you have
new language that has never been litigated before.
Mr. Sobel. Correct.
Mr. Davis. But I think at this point you draw your line way
over where what you have said would be assumed and is clarified
even further.
Let me just ask Mr. Tritak and others if they would like to
comment. Do you feel you have adequate protections at this
point under current law?
Mr. Tritak. Sir, I actually would like to go back to the
initial point that you made or this premise of what has been
discussed. The fact is there is a debate and it is a debate
that is not between lawyers, on one hand, and non-lawyers, on
the other. It is a debate among some in the legal community
that there is not sufficient clarity about the protections for
information sharing.
Now putting aside for a moment the understandable concern
that you do not want to change the law, particularly something
like FOIA, lightly, we still have the problem and the debate. I
think the only way you resolve that is by having that debate
and discussing it not only within the legal community, but also
you get your owners and operators of infrastructures, the
people who are actually expressing these concerns, and their
legal counsel to express what it is they are worried about,
what is the kind of information that they are concerned may not
be protected and under what circumstance.
But I think the fact that there is a debate is the problem
that needs to be resolved. The Government and many people
believe that the current protections are sufficient. That's
fine. But if you are talking about voluntary information and
people are concerned that it is not sufficiently clear and they
do not provide the information, then arguably you have a public
policy goal that you may not be able to achieve.
Mr. Davis. It seems pretty clear to me. This is information
the Government would have no right to under ordinary
circumstance and therefore the public would have no right to
under ordinary circumstances. But because we are trying to work
together to stop the cyber security threats to our Nation's
security, companies are willing to come forward and share
information, but only if they can be absolutely sure that their
information that they give is going to be protected. The
Government would not have it otherwise.
That is all this legislation says. It clarifies it. Without
that, as you say, there is debate in the legal community, there
are court decisions all over the lot, and you could get
something that does not fit within that exemption that you have
discussed, Mr. Sobel. I cannot right here say under what
circumstances that could be, but somebody could volunteer some
information that may not be proprietary but it could be very
dangerous if that information were to get out, it could hurt
shares of stocks, it could show some exposures, for example, in
your own security of your company in terms of somebody coming
in potentially and if that information were to get out it could
damage among investors and the like. And you would not want
that information out, but for the good of national security you
are willing to come forward with that. I am not sure under
those circumstances that meets the protections of the trade
secret protections.
That is our concern, is that we want to make sure when
companies come forward, are working in a cooperative venture to
attack this enemy called cyber terrorism that we can work
together and that nobody is going to be damaged as a result of
that.
Does anyone else on the panel want to address that?
Yes, Ambassador Johnstone.
Ambassador Johnstone. Yes, I would. First of all, I would
like to start off by saying that I commend Mr. Sobel for his
defense of the Freedom of Information Act. The U.S. Chamber of
Commerce also strongly believes in the Freedom of Information
Act. We have used it on behalf of American business frequently,
and we are a strong supporter of the act. However, beyond that,
I think we certainly are in disagreement with respect to
exclusion 4. For example, he says that exclusion 4 provides
adequate protections and that if business simply understood,
through a public education effort of some sort, they would
understand that fact. But the fact of the matter is that as
soon as we start getting into exchange of information, there
will be attorneys who will stand up and say that exemption 4
does not apply to those situations and there will be a debate.
Mr. Sobel points out that that is subject to a review panel
process. So now suddenly we have moved from having the
protection of the law into something that will be debated
within a review panel. Or, alternatively, that there is
litigation always possible. So now we have moved it out of the
review panel into potential litigation. So that for a company
what you do is you face then a very uncertain prospect that may
drag you into litigation, or have the assurance of the law and
the clarification that is written into the law.
The point that you made, Mr. Davis, I think is the salient
point here. That is to say there is nothing written here that
is different than what it is Mr. Sobel says is already in the
law but which is disputed. So it is a question of clarification
and that clarification is critically important for American
business. When a businessman has to sit down and decide whether
he or she is going to participate in this process, the fact
that that clarification has been written into the law is
vitally important and I think is the difference that is going
to make the difference between cooperation or non-cooperation
on this issue.
Mr. Sobel. If I could just respond briefly. I do not think
that the language that the subcommittee is considering is going
to preclude litigation in any way. If the agencies' position
upon receiving a request is that it is not covered because of
this language, that is going to be litigated. So I think we are
talking about litigation one way or another if information is
submitted and requested and there is a dispute.
My point is that at least under existing exemption 4 we
have a body of caselaw that has been developed over the last 25
years and we are not going to have to wait for a lot of
clarification on the meaning of new language. I do not think it
is a question of litigation or no litigation. I think it is a
question of how protracted is that litigation likely to be.
Mr. Woolley. One key point that I would like to make, if
you will, from the voice of experience. Companies involved with
the financial services ISAC needed to know for certain that
that information they were providing to the FS/ISAC was in fact
locked down and would never get out or they would not share it.
It was mandatory that was involved.
As a result, we spent a tremendous amount of time
developing a significant anonymity system with checks and
balances and rewrappers that could prove that the information
that came in was completely anonymous. That was the only way
that the financial services industry would participate. And now
we have gotten very, very high participation from that industry
and it is that anonymity that has now spawned the international
ISAC and the worldwide ISAC that are now providing tremendous
inputs.
So I think that the issue needs to be there. If you do not
have the anonymity, if you do not have the lock down, American
corporations will not participate. They are too spooked about
being dragged into any sort of litigation or disclosure that
would be very detrimental to their organizations.
Mr. Horn. Yes, and this will be the last response to it. Go
ahead, Mr. Oslund.
Mr. Oslund. Thank you, Mr. Chairman. In the NCC information
sharing process, there is no anonymity when the participants
share the information. It is a process that has been going on
for a number of years and that is why we stress the trust
relationships. Relationships have been developed so companies
can share information directly. When we are talking about real
time operations, and that is what information sharing for CIP
is, you cannot share information under uncertainty. There has
to be certainty that you can move this information forward and
it will not be challenged.
NSTAC felt FOIA legislation was needed for Y2K. And the
conclusions are the same for CIP. The background materials we
have provided to the committee, demonstrate these conclusions
were reached after a lot of deliberation. Thank you.
Mr. Horn. Thank you.
I now yield 10 minutes to the ranking minority member, Mr.
Turner, the gentleman from Texas.
Mr. Turner. Mr. Sobel, you shared your concern a minute ago
that the language in the proposed legislation would not
preclude litigation. In fact, your opinion was that it might
foment additional litigation. Going beyond that concern, could
you please articulate any other concerns that you have about
this exemption from liability. Is it your concern that it could
be misused, that it could be used as a shield by a corporation
that might be willing to disclose and therefore they would then
be able to hide behind the shield of liability? I assume there
is further concern other than the fact that you just think it
will result in additional litigation.
Mr. Sobel. Well, I think from the perspective of the FOIA
requester community there is always a concern about Congress
stepping into the process of amending a statute that has worked
very well for a long time. And there is a general apprehension
about creating these piecemeal exemptions. The FOIA, as
Congress amended it in 1974, contains nine very specific
exemptions that have been construed by the courts and in our
opinion really cover all of the harms that we are talking about
here.
I should note also it is not just exemption 4. There are
situations where exemption 1 for classified information would
come into play if we are dealing with defense contractors, for
instance. Exemption 7's law enforcement protections would come
into play, for instance, if a company is acting in the role as
a confidential source. In the context of a hacking
investigation, for instance, exemption 7's law enforcement
protections would come into play. So the point is that we have
a very well-developed FOIA scheme right now and there is a
general apprehension to adding on piecemeal exemptions.
Now with particular regard to this area, critical
infrastructure protection, I think the concern is that we would
be muddying the waters. That you introduce a degree of
uncertainty into the FOIA requesting process and the result is
likely to be that a new barrier is going to be erected to the
disclosure of information that should properly be disclosed
that the subcommittee is not seeking to protect the disclosure
of.
So I think it is really a question of just muddying what is
today some very settled water in this area and creating yet
another excuse for not making information public.
Mr. Turner. Maybe I need you to pose a hypothetical for me
to help me understand your concern. Because the first
impression I have when you talk about trying to view this from
the point of view of the requester community is that, as I
understand it, we are talking about information that the
Government does not have and Freedom of Information is always,
as I understand it, directed toward information the Government
has.
So we are talking about information that were it not
voluntarily shared by a corporate entity, the Government would
not have it anyway. So from a point of view of the requester
community that is interested in preserving access to Government
information, it seems to be fairly easy in my mind to say that
the requester's concern really should not reach information
that the Government really would never have anyway were it not
for the voluntary relinquishment of it by a private entity.
Mr. Sobel. I think you have to start from the proposition
that once the Government receives information, whether it is
under mandatory requirements or provided voluntarily, that
information starts to form the basis of what a Government
agency is doing and it can in certain instances become an
important indication of the operations of that agency.
Certainly, for instance, the Food and Drug Administration
obtains a lot of information from private companies and in
order for the public to really assess what the FDA is doing,
you necessarily are going to need some access to that private
sector information that has been provided to the agency.
Now on the question of whether or not what we are talking
about today is something new, the idea of voluntary submission
of information to Government agencies, that is not new. In
fact, that is the reason why the cases that I have cited in my
testimony have arisen. The courts have specifically dealt with
the question under exemption 4 of what should the standards be,
what should the rules be when a company voluntarily submits
information to an agency.
So I think it is important to recognize that we are not
writing on a clean slate here. There have been many instances
in the past where agencies have received information
voluntarily from private sector submitters, that information
has been sought under FOIA, and those are the cases that have
developed the caselaw that I am talking about which deals
directly with the issue of voluntarily submitted information.
In terms of the importance of this information, to sort of
remove this from the theoretical realm, for instance, a local
community in which a power plant or a nuclear plant or a water
facility is located I think legitimately has some interest in
knowing if there are vulnerabilities and safety problems in
that facility that might form the basis of a so-called cyber
security statement. I think we are going to need some mechanism
for sorting that out. There are some very legitimate public
interest reasons for making some of this information available.
But again I come back to the way the courts have dealt with
these issues. And they have been very protective of the private
sector submitters. I believe that the courts have gone too far
in this area. I want my position to be clear. I think a lot of
the information we are talking about probably should be and
could be made public without harm to the private submitter. But
the courts have disagreed. But I think there is a lot of
important health and safety information that can get caught up
in this process.
Mr. Turner. Thank you.
Mr. Horn. I thank the gentleman. You have 2 minutes
remaining. If Mr. Moran would like to get in the 2 minutes
here, and then we will yield to Mrs. Biggert for 10.
Mr. Moran. Thank you, Mr. Horn. I have got to go back to
another hearing, so I will leave after my 2 minutes. I
appreciate the courtesy. Thank you.
As I mentioned in my opening statement, the reason why Mr.
Davis and I returned from the Chamber of Commerce meeting and
came up with this legislation is because there was such a
widespread view that companies simply could not cooperate to
the extent that was necessary and that was requested by the
Federal Government and that I think they knew was in their
long-term best interest because of their concern about FOIA.
And so we have a situation here where regardless of what
your point of view might be, Mr. Sobel, perception is reality.
If the general counsels of these firms feel that FOIA is a very
serious threat to the privacy of this information and to the
viability of their corporation, they are simply not going to
cooperate in the way that they know is in the national security
interest.
I do not see why it is a problem even if we restate what is
existing law. You are suggesting that it may complicate things.
And I am only picking on you because you are the only one that
has come up with what seems to be such an unreasonable point of
view, Mr. Sobel. [Laughter.]
I mean I would not do it if you did not deserve it. I am
kidding there. We need somebody to be the devil's advocate here
on the panel, and I appreciate you playing that role.
Mr. Sobel. Glad to do that.
Mr. Horn. And I might add unanimous consent for the
participation of our eloquent Irishman today. And hearing no
objection, you are free to participate. [Laughter.]
Mr. Moran. Thank you very much, Mr. Chairman, I appreciate
that very much.
Clearly, we do not have the level of participation, the
initiative being taken by corporations who have very valuable
information to share. And this is the reason why they do not
feel that they can. It is not that they do not want to
cooperate.
And so even if we are restating legislation clarifying that
legislation, as Mr. Davis has suggested, it would seem to be
meeting a very important need. And it took what, three decades
or something to clarify the meaning of FOIA, three decades of
litigation to make it clear what FOIA meant. We cannot afford
to go through such an extended process of litigation to clarify
the extent of sharing with regard to cyber attacks and cyber
vulnerabilities. So it would seem that even if a lawyer might
be able to make an argument that you could share that
information, they nevertheless would be subjecting themselves
to litigation, and that is what we do not want.
So we want to facilitate the process. We have got very
important national security interests at stake here. Every day,
as the sophistication of mischievous and malicious hackers
increases, our vulnerabilities increase. As we have stated and
as I know you are very much aware of, our entire economic and
security infrastructure is at stake. We heard one story about
some intelligence officials being given enough money to buy
personal computers, two or three dozen of them, and they were
told to pretend they were from North Korea and see if they
could invade our security infrastructure. And sure enough,
within a relatively short period of time they had access to
enough computer systems that they could have shut down our
power grid and invaded the most classified information. We
cannot let that happen. It is more effective, much easier, much
less expensive to invade our information systems than it is to
drop bombs on our large cities and power systems.
I have been encouraged by the level of cooperation that the
business community wants to express, wants to participate in.
But if they have that concern, then we need to respond and to
make it clear, to underscore, to clarify that they can exchange
that information without fear of protracted litigation and
exposing even greater vulnerabilities.
So, it is a good piece of legislation. I am glad the vast
majority of witnesses on the panel agree. I certainly
appreciate your having the hearing, Mr. Chairman. I trust that
we are going to be able to get the bill on the floor in an
expedited fashion. Thank you, Mr. Horn.
Mr. Horn. We thank you. Since I am not a lawyer, and having
listened to this discussion, I suggest we put a simplification
in one of the findings that this is the Lawyer's Relief Act of
the year 2000. [Laughter.]
I now yield to Mrs. Biggert for 10 minutes for questioning.
Mrs. Biggert. Thank you, Mr. Chairman.
Mr. Tritak, in your outreach efforts to coordinate with the
private sector and initiate public-private partnerships, what
hurdles have you run into? For example, does the fear of the
Federal law enforcement community hinder your ability to work
with the private sector in addressing cyber security problems
before they occur?
Mr. Tritak. No, I would not say that law enforcement
interferes with that activity. The fact is that the
relationships between the Federal Government and private
industry vary from sector to sector and company to company.
There are many companies who feel very comfortable in an
information exchange arrangement with Federal law enforcement,
and a number of companies that participate in the National
Infrastructure Protection Center exchange that kind of
sensitive information.
There are others who are concerned that sharing information
with the Government could precipitate investigations which can
have an impeding effect on their ability to conduct business.
And that is a hurdle that they view exists. Again, I think it
is one of these things where when those kinds of concerns are
expressed they need to be taken seriously to get to the core of
what the problem may be.
What I find very interesting, of course, is that when
someone talks about whether industry is interested in dealing
with Government, I think you cannot make it a broad statement
because, for example, sometimes you may find companies feel
more comfortable dealing with, let's say in the information
technology area, dealing with the Commerce Department or
dealing with the Defense Department, and others by tradition,
for example the electric power industry, they have had very
good, strong working relationships with Federal law enforcement
well before the Information Age. So I think it depends--it
depends on the culture of the industry, it depends on the
nature of the type of information you are dealing with.
Clearly, the roles and responsibilities at different
agencies need to be defined over time. We are introducing a
new, changing technology that is going to transform the way we
all live, the way we do government, and the way we do business.
I am sure that over time the respective roles of different
governments and agencies are going to have to reflect that. And
I think that as those adjustments are made, you will deal with
some of the issues that you have just raised, about industry's
reluctance in certain cases and proactivism in others to deal
with government will be redressed.
Mrs. Biggert. Is there any fear that if there is more
coordination then between the agencies of the Federal
Government that this might affect how companies would deal with
it? Because information that they might feel comfortable about,
for example, with the Commerce Department would be available to
another agency.
Mr. Tritak. I think some have that concern, not all though.
But some, yes.
Mrs. Biggert. Then version 1.0 of the President's National
Plan for Information Systems Protection discusses the
possibility that companies wishing to discuss possible systems
vulnerability with the Federal Government may ``be deterred
from doing so because of the possibility that information
disclosed to the Government could become subject to a request
for public disclosure under'' what we have been discussing,
``the Freedom of Information Act.''
Mr. Tritak. That has been a concern expressed by some
companies, yes.
Mrs. Biggert. Can you provide an estimate of how much
private sector information is being withheld as a result of
this?
Mr. Tritak. I cannot say. I think to the extent that it has
an inhibiting factor, it is the perception in certain cases
that if the information may be used for reasons other than to
help raise the level of security of the Nation's infrastructure
is because it would become available to help address problems,
that it can have a chilling effect. And depending on the
companies and depending on their concerns, you never get to the
point of deciding whether or not to give the information
because your natural position is simply not to pass it on. And
so it is hard to quantify. But I will say that it has been
expressed and it has been expressed sufficiently so that I
think it is not an isolated instance.
Mrs. Biggert. Thank you.
Ambassador Johnstone, are private sector participants
concerned about the threat of law enforcement investigations
hindering their ability to deliver critical services?
Ambassador Johnstone. Actually, I do not disagree with Mr.
Tritak. That is to say it is something that I have heard
expressed. But in the many, many companies that I have talked
to about this whole issue, that has not been high on people's
agenda, the concern over law enforcement per se.
I think the fear of the loss of proprietary information,
the fear of public disclosure of information that would not
otherwise become public, the concern, and perhaps this touches
on law enforcement, that people might not be exempt from sort
of monopoly building kind of activities cause some level of
concern.
The antitrust side of the equation. An American company,
and I will speak from my own experiences having run an American
company for a number of years, whenever you sit down with
competitors you are surrounded by a galaxy of lawyers who are
constantly looking at the antitrust implications of what you
might do, even what you might do related to safety procedures
and things of that type. And so there is a great deal of
concern in terms of the antitrust implications. It would be a
great relief to companies to have some relief from those
concerns. I think public disclosure is certainly another area.
In terms of law enforcement and people's fear of being the
subject of persecution, for example, that I have not actually
encountered in terms of any individual contacts that I have had
with businesses.
Mrs. Biggert. So there might be the concern about the law
enforcement but you cannot really assess how much there is.
Ambassador Johnstone. I think that concern is less than the
concerns in the other areas.
Mrs. Biggert. Then does the partnership work with private
sector on networks to disseminate information in a timely
manner on potential vulnerabilities from sector to sector?
Ambassador Johnstone. Well let me just say that the
partnership got kicked off this last December in the first
meeting in New York. We then hosted at the U.S. Chamber of
Commerce a meeting of the partnership in the month of February
and the next meeting is in July. So it is fairly embryonic and
is just in its startup mode.
That being said, it certainly is the intent of the
partnership, and certainly of the ISACs, to provide a maximum
flow of information that will touch very much on the whole
issue of network securities.
Mrs. Biggert. So this really is a goal of the partnership?
Ambassador Johnstone. Certainly.
Mrs. Biggert. OK. Then would you be willing to share
information with the Federal Government when uniform legal
principles are established to structure the boundaries of a
public-private partnership?
Ambassador Johnstone. We would be willing to participate
with the Federal Government on all aspects of working together
to advance and to help protect the critical infrastructure,
both when it comes to legislation as well as to working within
the administrative framework.
Mr. Tritak. If I may, Congresswoman.
Mrs. Biggert. Certainly.
Mr. Tritak. Just a point of clarification. What the
partnership, as I indicated in my testimony, aims to do is to
encourage cross-sectoral dialog and activity to bring the
owners and operators together, bring together other
stakeholders involved. If the industry participants in that
activity decide that it makes sense to create information-
sharing arrangements amongst themselves, the partnership is one
form in which that would be discussed, debated, and created. I
think it is important though that the partnership itself is a
forum to bring these issues to the fore for discussion. It is
not in itself a super ISAC. It is not an organization that
actually would do that as much as it would facilitate that
development.
Mrs. Biggert. Thank you.
And I cannot not ask Mr. Willemssen a question since he has
been at so many of our hearings. So, Mr. Willemssen, could you
tell us to what extent the regulations that exist within the
Federal law enforcement community and with the Federal
Government for reporting on the cyber attacks or threats or
vulnerabilities, how do they overlap?
Mr. Willemssen. There are some overlaps from an
organizational standpoint. I would concur with Mr. Tritak's
comments that there is a need for further definition and
specificity on roles and responsibilities of Federal
organizations so that the sectors and the private firms within
those sectors know exactly who they are to deal with, what kind
of information is going to be requested of them, what is going
to be done with that information from an analysis perspective,
and how the results of that analysis are going to be
disseminated to others. Right now, that specificity does not
exist. I know that Mr. Tritak and others are working on that
and we would encourage them to continue doing that. That is
definitely needed.
Mrs. Biggert. So right now this overlap is really hindering
the ability to deliver or exchange information?
Mr. Willemssen. Yes. I think to the extent that further
clarification can be provided, possibly in the next version of
the National Plan which is due out this fall, that would be
most beneficial to private sector.
Mrs. Biggert. Thank you. Thank you, Mr. Chairman.
Mr. Horn. I thank the gentlewoman from Illinois.
I just have two questions here and then I will turn it over
to all of you again.
This is directed at Mr. Willemssen. The General Accounting
Office has commented extensively over the past 5 years on the
number of problems confronting the Federal Government on
addressing information security issues governmentwide and from
agency to agency. In your view, Mr. Willemssen, does the lack
of coordination and planning within the executive branch of the
Government hinder its ability to be an effective cyber security
partner in monitoring potential threats?
Mr. Willemssen. I think the lack of coordination has been a
hindering factor. But I think there is a much bigger factor at
play as it pertains to Federal agencies, and that is basic
management of computer security issues. The Federal Government
currently does not have its house in order on computer security
and protection of its systems and data.
So coordination is definitely an issue. But what we would
like to see are individual agencies taking computer security
much more seriously than they have in the past and making sure
that they have done the risk assessments, they have adequate
protection in place, they have made their staff very aware of
the criticality of this issue, and there is an overall central
guiding management to make sure that it is a priority within
the agency.
Mr. Horn. Has the General Accounting Office ever had a
request from the Article III Judiciary on this area? I would
think there is some mischief that could be made in that area.
Mr. Willemssen. We do currently have a request looking at
critical infrastructure from a Senate Judiciary Subcommittee.
That work is ongoing.
Mr. Horn. In relation to the Article III Judiciary?
Mr. Willemssen. I do not believe it specifically covers
that. But if I may, Mr. Chairman, get back to you and answer
that for the record.
Mr. Horn. You might want to talk with the Administrative
Office of the U.S. Courts and see what is happening.
Mr. Willemssen. Yes, sir.
[The information referred to follows:]
Our ongoing work on critical infrastructure protection does
not address article III-related entities.
Mr. Horn. The General Accounting Office has offered its
view in support of the creation of a Federal Chief Information
Officer, a CIO that would centrally manage information
technology, including information security, in its comments on
Senate bill S. 1993. In your view, would a central coordinating
office within the Federal Government on critical infrastructure
protection that would work with both the public and private
sectors overcome some of the similar obstacles to management
and overlapping regulation that you have mentioned?
Mr. Willemssen. We are supportive of a strong central CIO
position. In addition, we think, and it is instructive to look
at Y2K as a lesson here, top management attention to a critical
national issue is absolutely invaluable in making sure that the
issue is adequately addressed in working with the public and
private sector.
So to the extent that an overall national coordinator can
help fill that role, we think that would be beneficial. But to
the extent that it is a separate position, we need to make sure
that it works with the institutions in place that have an
overall focus on CIO issues. I do not think you can take a
critical infrastructure and computer security and put it off on
the side necessarily. You still have to work in tandem with
overall management of information technology.
Mr. Horn. Well, it is an interesting view and we might be
discussing this in the next few weeks because we have a few
thoughts on the institutional aspects of the Presidency and how
you relate to the departments. So I thank you for that view,
and there might be a few other views.
Let me ask my colleagues here, the gentleman from Texas, do
you have some more questions you would like to ask?
Mr. Turner. I have no further questions.
Mr. Horn. The gentleman from Virginia?
Mr. Davis. No questions.
Mr. Horn. The gentlewoman from Illinois? No?
There might be a few questions we will send you and we
would appreciate it if you could just bat us out a simple
answer to complete and round out the record.
We again thank you for doing the last minute in a hurry. I
suspect you were like the students in their senior year, they
want to graduate and they stay up all night. So thank you for
your energy and thank you for your wisdom on this. We
appreciate it very much.
I now want to thank the staff for both the majority and the
minority. On my immediate left, your right, is J. Russell
George, the staff director and chief counsel of the
Subcommittee on Government Management, Information, and
Technology; Bonnie Heald, the director of communications, is in
the back; Bryan Sisk, our clerk; Will Ackerly, intern; Chris
Dollar, a new intern; and Meg Kinnard, a new intern. With Mr.
Turner's staff, Trey Henderson is the counsel; Jean Gosa is the
minority clerk. And our official reporter of debates, whom we
thank, is Elisabeth Lloyd. And we have Mr. Davis' staff has
done some excellent work, and I know that from working with
them over the last few months, and that is Melissa Wojack and
Amy Herrick. We thank you for all the work you have done on
this legislation.
If there are no further questions, we thank you all.
Mr. Davis. Mr. Chairman, let me just add that if anyone on
the committee would like to serve as a cosponsor as this bill
moves up, we would be happy to put your name on it.
Mr. Horn. OK. Thank you.
We will now adjourn this hearing.
[Whereupon, at 11:53 a.m., the committee proceeded to other
business.]
[Additional information submitted for the hearing record
follows:]
[GRAPHICS OMITTED: ten TIFF images, T2361.055 through T2361.064, not reproduced in this text.]