 H.R. 4246, THE CYBER SECURITY INFORMATION ACT OF 2000: AN EXAMINATION 
     OF ISSUES INVOLVING PUBLIC-PRIVATE PARTNERSHIPS FOR CRITICAL 
                            INFRASTRUCTURES

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                      INFORMATION, AND TECHNOLOGY

                                 of the

                     COMMITTEE ON GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                                   ON

                               H.R. 4246

     TO ENCOURAGE THE SECURE DISCLOSURE AND PROTECTED EXCHANGE OF 
 INFORMATION ABOUT CYBER SECURITY PROBLEMS, SOLUTIONS, TEST PRACTICES 
   AND TEST RESULTS, AND RELATED MATTERS IN CONNECTION WITH CRITICAL 
                       INFRASTRUCTURE PROTECTION

                               __________

                             JUNE 22, 2000

                               __________

                           Serial No. 106-223

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform

                              -----------

                   U.S. GOVERNMENT PRINTING OFFICE
72-361                     WASHINGTON : 2001


_______________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Printing 
                                 Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
               Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia            CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
JOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South     DENNIS J. KUCINICH, Ohio
    Carolina                         ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                    DANNY K. DAVIS, Illinois
DAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas             JIM TURNER, Texas
LEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                             ------
PAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont 
HELEN CHENOWETH-HAGE, Idaho              (Independent)
DAVID VITTER, Louisiana


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
           David A. Kass, Deputy Counsel and Parliamentarian
                    Lisa Smith Arafune, Chief Clerk
                 Phil Schiliro, Minority Staff Director

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois               JIM TURNER, Texas
THOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                  MAJOR R. OWENS, New York
DOUG OSE, California                 PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
                Bonnie Heald, Director of Communications
                           Bryan Sisk, Clerk
                     Michelle Ash, Minority Counsel

                            C O N T E N T S

                              ----------
Hearing held on June 22, 2000
    Text of H.R. 4246
Statement of:
    Johnstone, Ambassador L. Craig, senior vice president, 
      International Economic and National Security Affairs, U.S. 
      Chamber of Commerce
    Oslund, Jack, chairman, Legislative and Regulatory Working 
      Group of the National Security Telecommunications Advisory 
      Committee
    Sobel, David L., general counsel, Electronic Privacy 
      Information Center
    Tritak, John, Director, Critical Infrastructure Assurance 
      Office, U.S. Department of Commerce
    Willemssen, Joel C., Director, Accounting and Information 
      Management Division, U.S. General Accounting Office
    Woolley, Daniel, president and chief operating officer, 
      Global Integrity Corp.
Letters, statements, etc., submitted for the record by:
    Davis, Hon. Thomas M., a Representative in Congress from the 
      State of Virginia, prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, Presidential Decision Directive 63
    Johnstone, Ambassador L. Craig, senior vice president, 
      International Economic and National Security Affairs, U.S. 
      Chamber of Commerce, prepared statement of
    Oslund, Jack, chairman, Legislative and Regulatory Working 
      Group of the National Security Telecommunications Advisory 
      Committee, prepared statement of
    Sobel, David L., general counsel, Electronic Privacy 
      Information Center, prepared statement of
    Tritak, John, Director, Critical Infrastructure Assurance 
      Office, U.S. Department of Commerce, prepared statement of
    Turner, Hon. Jim, a Representative in Congress from the State 
      of Texas, prepared statement of
    Willemssen, Joel C., Director, Accounting and Information 
      Management Division, U.S. General Accounting Office:
        Information concerning critical infrastructure protection
        Prepared statement of
    Woolley, Daniel, president and chief operating officer, 
      Global Integrity Corp., prepared statement of

 
 H.R. 4246, THE CYBER SECURITY INFORMATION ACT OF 2000: AN EXAMINATION 
     OF ISSUES INVOLVING PUBLIC-PRIVATE PARTNERSHIPS FOR CRITICAL 
                            INFRASTRUCTURES

                              ----------                              


                        THURSDAY, JUNE 22, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn, Biggert, Davis, and Turner.
    Also present: Representative Moran.
    Staff present: J. Russell George, staff director and chief 
counsel; Bonnie Heald, director of communications; Bryan Sisk, 
clerk; Will Ackerly, Chris Dollar, and Meg Kinnard, interns; 
Michelle Ash, and Trey Henderson, minority counsels; Ellen 
Rayner, minority chief clerk; Jean Gosa, minority clerk; 
Melissa Wojack; and Amy Herrick.
    Mr. Horn. The subcommittee will come to order.
    Today's hearing is on a subject that is both important and 
timely. The security threat posed to our Nation's critical 
infrastructure is made more apparent each day as computer 
viruses place at risk the free flow of information in the cyber 
world.
    When you consider that our critical infrastructure is 
composed of the financial services arena, telecommunications 
system, information technology, transportation, water systems, 
electric power, gas and oil sectors, among many others, the 
threat is one that must be taken seriously. These sectors have 
traditionally operated independently but coordinated with the 
Government to protect themselves against threats posed by 
traditional warfare.
    However, in today's environment these sectors must learn 
how to protect themselves against unconventional threats such 
as terrorist and cyber attacks. They must also recognize the 
new vulnerabilities caused by technological advances. As we 
learned when preparing for the year 2000 rollover, many of the 
Nation's most critical computer systems and networks are highly 
interconnected. With the many advances in information 
technology, most of these sectors are linked to one another 
which increases their exposure to cyber threats. What affects 
one system can affect the other systems.
    In the 104th Congress we called upon the administration to 
study the Nation's critical infrastructure vulnerabilities and 
to identify solutions to address those vulnerabilities. The 
administration has identified a number of steps that must be 
taken in order to eliminate the potential for significant 
damage to our critical infrastructure. Foremost, among these 
suggestions is the need to ensure proper coordination between 
the public and private sectors who represent the Nation's 
infrastructure community.
    The goal of H.R. 4246, which we are examining today, is to 
encourage cooperation in this vitally important effort. Before 
I call on the primary author of this proposal, because a number 
of our members have to be in and out of other markups around 
the Hill, I now yield to Mr. Moran, who is a coauthor of the 
legislation, for his opening statement on the bill.
    [The text of H.R. 4246 follows:]

    [Text of H.R. 4246 omitted: graphics T2361.065 through T2361.069.]
    
    Mr. Moran. Well thank you very much, Chairman Horn, and 
thank you for your courtesy. I have got another hearing over in 
Cannon, but that is very nice of you to do that and appreciate 
your leadership of this committee. Jim Turner is going to be 
here shortly, the ranking member, and Tom Davis, the other 
original sponsor of this legislation. Tom, as I think everyone 
in this room knows, has been a tremendous leader in the area of 
information technology and particularly cyber security. We both 
represent northern Virginia's technology community and this is 
a terribly important issue.
    Every day in America thousands of unauthorized attempts are 
made to intrude into the computer systems that control key 
Government and industry networks, including defense facilities, 
power grids, banks, Government agencies, telephone systems, 
transportation systems. Some of these attempts fail but too 
many succeed. Some gain systems administrator status, download 
passwords, implant sniffers to copy transactions, or insert 
what are called trap doors to permit an easy return.
    Some attacks are the equivalent of car thief joy-riders 
committing a felony as a thrill. They are only mischievous. But 
others are committed for industrial espionage, theft, revenge-
seeking vandalism, or extortion. Some may be committed for 
intelligence collection, reconnaissance, or creation of a 
future attack capability. The perpetrators range from juveniles 
to thieves, from organized crime groups to terrorists, 
potentially hostile militaries and intelligence services.
    What has emerged in the last several years is a dramatic 
increase in the seriousness of this threat. We know of foreign 
governments creating offensive attack capabilities against 
America's cyber networks. America is vulnerable to such attacks 
because it has quickly become dependent upon computer networks 
for so many essential services. It has become dependent while 
paying little attention to protecting those networks. Water, 
electricity, gas, communications, rail, aviation, and almost 
all our critical functions are directed by computer controls 
over vast information systems networks.
    In 1995, Presidential Decision Directive 39, what we call 
PDD 39, directed the Attorney General to lead a Government-wide 
re-examination of the adequacy of the Nation's infrastructure 
protection. That review prompted the President to establish in 
1996 the President's Commission on Critical Infrastructure 
Protection, a joint Government and private sector effort to 
study threats to the Nation's critical infrastructure 
industries, including cyber security threats.
    In October 1997 this organization issued a report that 
identified the need for a strategy of industry cooperation and 
sharing of information relating to cyber security, including 
threats, vulnerabilities, and interdependencies, as the 
quickest and most effective way to achieve much higher levels 
of infrastructure protection. The Director of the CIA recently 
testified before Congress that cyber attacks from other 
countries and rogue terrorist groups represent the most viable 
option for leveling the playing field, disarming us in an armed 
crisis against the United States.
    The President's National Plan for Information Systems 
Protection issued 6 months ago and an earlier Presidential 
directive have called on Congress to pass legislation that 
would encourage information sharing to address these cyber 
security threats to our Nation's privately held critical 
infrastructure. That is what this legislation is all about.
    When Congressman Davis and I attended the Partnership for 
Critical Infrastructure meeting at the U.S. Chamber of Commerce 
the one consistent issue raised by the business community was 
the sharing of sensitive but important security information. 
Their concern stemmed from the lack of clarity in antitrust 
laws and concerns related to disclosures the Government would 
have to make based on Freedom of Information.
    This Freedom of Information Act is the real stumbling 
point. The challenge posed by the threat of potentially 
widespread Y2K failures offered a similar set of problems. It was a 
parallel situation. In response to those problems, a coalition 
of businesses worked with the bipartisan coalition in Congress 
and the administration to meet the same need. Industry 
cooperation and sharing of information related to Y2K, 
including threats, vulnerabilities, and interdependencies. 
Again, it was many of the same people that put that legislation 
together, and as I mentioned, Tom was the original sponsor of 
that too. A number of us put together a bipartisan approach and 
it was effective. And after the passage of that Y2K Information 
Readiness Disclosure Act, the information began to flow much 
more freely. And that free flow of information was one of the 
key reasons why Y2K came and went without significant problems.
    A similar remedy addressing the cyber security of the 
Nation's highly integrated critical infrastructure is necessary 
to best protect Americans from cyber threats and 
vulnerabilities. This legislation does just that. It is a 
balanced approach. There is no issue more important to the 
health of our economy than ensuring that our Nation's critical 
infrastructure is protected. Government cannot protect the 
Nation's infrastructure from cyber attacks without the help of 
the private sector. As a result businesses must take the lead 
and work together with the Government to share information so 
that we can ensure that our Nation's critical infrastructure is 
protected from cyber attacks and vulnerabilities.
    So I am most happy to be cosponsoring the legislation along 
with my colleague and good friend from Virginia, Tom Davis. 
Coming out of this subcommittee with its record of achievement 
with Chairman Horn and Ranking Member Turner, I trust this is 
going to get speedy passage as well. I applaud this committee 
for holding this hearing and I trust that as a result we are 
going to be able to provide the framework that will provide 
industry with the tools necessary for meeting this challenge. 
It is important legislation. Thank you very much for having the 
hearing, Mr. Chairman. I appreciate you giving me the 
opportunity to make that statement. Thank you.
    Mr. Horn. Thank you very much to the gentleman from 
northern Virginia.
    And now I yield to the ranking member, Mr. Turner, the 
gentleman from Texas.
    Mr. Turner. Thank you, Mr. Chairman. This clearly is one of 
the most challenging issues that we face, the protection of 
critical infrastructure. In the interest of time, Mr. Chairman, 
I think I will submit my statement for the record and yield 
back my time.
    Again, I want to thank Mr. Davis and Mr. Moran for their 
leadership on the issue.
    [The prepared statement of Hon. Jim Turner follows:]

    [GRAPHIC] [TIFF OMITTED] T2361.001
    
    Mr. Horn. I thank the gentleman.
    We now call on the author of the bill, Mr. Davis, the 
gentleman from northern Virginia.
    Mr. Davis. Thank you, Mr. Chairman. I would like to thank 
you for holding this hearing today. It is my hope that today's 
hearing will facilitate the ongoing dialog in addressing cyber 
security vulnerabilities and the threats facing our critical 
infrastructures.
    Since this dialog began in 1997 with the creation of the 
President's Commission on Critical Infrastructure Protection, 
we have recognized that critical infrastructure security cannot 
be addressed without partnering with the private sector, as we 
did with Y2K. Over 80 percent of our critical infrastructure is 
owned and operated by the private sector. Traditional national 
defense models do not work in this environment. Instead, we 
have to look to market forces and voluntary participation in 
partnerships to successfully protect those infrastructures 
without burdensome regulations which could unintentionally hurt 
the competitiveness of U.S. markets.
    Critical infrastructures are those systems that are 
essential to the minimum operations of the economy and the 
Government. Our critical infrastructures comprise the financial 
services, telecommunications, information technology, 
transportation, water systems, emergency services, electrical 
power, gas and oil sectors in private industry, as well as our 
national defense, law enforcement, and international security 
sectors within the Government. Traditionally these sectors 
operated largely independently of one another and coordinated 
with the Government to protect themselves against threats posed 
by traditional warfare.
    With the many advances in information technology, many of 
our critical infrastructure sectors are linked to one another 
and face increased vulnerability to cyber threats. Technology 
interconnectivity increases the risk that problems affecting 
one system will affect other connected systems. Computer 
networks can provide pathways among systems to gain 
unauthorized access to data and operations from outside 
locations if they are not fully monitored and protected.
    Attacks on critical infrastructure can come in many 
different forms. They can originate from groups or persons with 
malicious intent to destroy or damage our safety and our 
economy, or from individuals who just enjoy the challenge of 
attacking and infiltrating computer networks. In a cyber 
security conference held this past Monday, Richard Clarke, the 
National Security Council staff coordinator for security 
infrastructure protection and counter-terrorism, issued a 
warning that the United States faces an electronic Pearl Harbor 
unless Government and industry work together to strengthen the 
information security systems protecting our Nation's critical 
infrastructure. Infiltration of our financial services, 
telecommunications, and electrical power systems would not be 
any less devastating than attacks on our military and our 
nuclear systems.
    On May 4th, we were reminded once again that love can be 
painful. As you know, May 4th is the day the ``I love you'' 
viruses rocketed around the globe causing an estimated $8 
billion in damages. That figure does not account for the 
countless frustrations experienced by governments and consumers 
around the world. Additionally, differences in Government and 
private-sector response to the virus highlight the need for 
greater partnership and trust. If the Government had more 
clearly established channels of communication when this virus 
hit, it might have avoided significant delays in notifying its 
own agencies of the virus. I was greatly concerned when I read 
the General Accounting Office's preliminary results of the 
Federal Government's handling of the ``I love you'' virus. The 
Financial Services Information Sharing and Analysis Center, 
ISAC, had notified their member companies by 3 a.m. about the 
virus. But the Federal Bureau of Investigation didn't release 
its first warning until 11 a.m. Additionally, the Department of 
Health and Human Services reported that on May 4th the ``Love 
bug'' rendered that agency incapable of responding to a 
biological disaster.
    Clearly, this is another area that requires a greater 
commitment to partnership and coordination between the public 
and private sectors. I would like to say this is a perfect 
example of the success of private public partnerships that we 
need to make a greater commitment to facilitating. The 
Financial Services ISAC is currently the only one of its kind 
that is clearly doing its job in getting out timely 
information.
    Moreover, recent studies have demonstrated that the 
incidence of cyber security threats to both the Government and 
the private sector are only increasing. According to an October 
1999 report issued by the GAO, the number of reported computer 
security incidents handled by Carnegie Mellon's CERT 
coordination center has increased from 1,334 in 1993 to 4,398 
during the first two quarters of 1999. According to information 
currently posted on CERT's Web site, that number totaled 
10,000, doubling the 1998 total for computer security 
incidents. At this time, Mr. Chairman, I would like to request 
that the information from CERT's Web site be inserted into the 
hearing record. Additionally, the Computer Security Institute 
reported an increase in attacks for the 3rd year in a row on 
responses to their annual survey on computer security.
    Because the private sector controls the vast majority of 
our critical infrastructure, I am concerned that employing a 
private public partnership to monitor the computer networks, 
analyze data, issue real time alerts, and employ defenses must 
be the primary component for protecting Americans. But when we 
asked the private sector to volunteer some information that 
otherwise would never be known to external entities, 
information is often proprietary, which could impose many 
different liabilities and risks were it to become publicly 
disseminated. Not surprisingly, we find a great reluctance of 
these companies to cooperate with the Government.
    Mr. Moran and I introduced this bill.
    Mr. Horn. May I say the material you and the Chair and the 
ranking member want to put in at this point, without objection, 
that is approved.
    Mr. Davis. Thank you, and I will ask unanimous consent to 
put the total statement in there.
    We introduced this bill to give critical infrastructure 
industries the assurances they needed in order to confidently 
share information with the Federal Government. And as we 
learned with the Y2K model, the Government and industry can 
work in partnership to produce the best outcome for the 
American people.
    I have a fairly lengthy statement that I would like to ask 
unanimous consent to have it all in the record. But I would 
just like to add, Mr. Chairman, I want to thank you for holding 
this hearing today and look forward to working with you. I 
appreciate our panelists taking time out from their schedules 
to share their thoughts on this before we mark this bill up in 
the subcommittee and then move to full committee. We read your 
comments and will take them into account and hope for a 
continuing dialog in this. The challenges that face the 
Government and the private sector on critical infrastructure 
security remain very important to us. I hope this legislation 
will go a long way toward resolving these conflicts. Thank you.
    [The prepared statement of Hon. Thomas M. Davis follows:]

    [Prepared statement omitted: graphics T2361.002 through T2361.006.]
    
    Mr. Horn. Well I'm sure it will.
    I am particularly grateful to the members of the panel that 
we are about to swear in. You nobly came here despite the very 
short notice and we are most grateful to you for having your 
perspective in this area. So let me just explain how this place 
works. Mr. Willemssen can tell it better than I can. It's good 
to see you, Joel. We start down the line based on the agenda. 
We've got your statements, it is automatically in the record 
when I introduce you. And second, we would like you, if you 
can, to not read it because we just do not have that kind of 
time. And so if you want to take 5 minutes, maybe 8 minutes, 
that is fine, but just summarize it. The staff and everybody 
else has gone through the written material, even though that 
was a last minute affair and we thank each of you for that.
    We also swear in all witnesses in this committee. So if you 
would stand and raise your right hands, and if you have anybody 
that backs you up, also have them do it.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that the six witnesses and 
the two supporters have taken the oath.
    We will start with Mr. Willemssen, the Director of 
Accounting and Information Management Division of the U.S. 
General Accounting Office, part of the legislative branch of 
Government. Mr. Willemssen has great experience with this. He 
has followed us all over the world on the Y2K situation. I am 
glad to see you in one place, we don't have to run around the 
country or the world anymore.
    So Mr. Willemssen, we look forward to your overview.

   STATEMENT OF JOEL C. WILLEMSSEN, DIRECTOR, ACCOUNTING AND 
INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Willemssen. Thank you, Mr. Chairman, Ranking Member 
Turner, Congressman Davis. Thank you for inviting us to 
testify. It is an honor to appear again before you today. As 
requested, I will briefly summarize our statement.
    Overall, the level of concern over cyber security continues 
to grow. Understanding cyber security risks and how to best 
address them are major challenges that the Federal Government 
has recently begun to address. Earlier this year, the White 
House released version one of its National Plan for Information 
Systems Protection. The plan encourages the creation of 
information sharing and analysis centers to facilitate public 
and private sector information exchange about actual threats 
and vulnerabilities. Although such partnerships are central to 
addressing critical infrastructure protection, some in the 
private sector have expressed concerns about voluntarily 
sharing information.
    H.R. 4246, the proposed Cyber Security Information Act of 
2000, was developed to address these concerns and encourage the 
disclosure and exchange of information about cyber security 
problems and solutions. In many respects, the bill is modeled 
after the year 2000 Information and Readiness Disclosure Act, 
which provided limited exemptions and protections for the 
private sector to facilitate the sharing of information on Y2K 
readiness. In short, the bill creates an additional protected 
channel for potentially valuable information that the Federal 
Government would not otherwise have.
    Such information sharing proved invaluable in addressing 
Y2K. The Y2K Readiness Disclosure Act helped pave the way for 
disclosures on readiness and available fixes and helped the 
work of the year 2000 Conversion Council's sector-based working 
groups. H.R. 4246 could have a similar positive effect. 
However, there are challenges remaining that need to be 
addressed to make the legislation a success.
    First, the Federal Government needs to be sure it collects 
the right type of information, that it can effectively analyze 
this information, and that it can appropriately share the 
results of its analysis. This is a complex and challenging 
task, especially given how rapidly threats and vulnerabilities 
can change.
    Second, to effectively engage with the private sector, the 
Federal Government needs to be a model for computer security. 
Currently it is not. Audits conducted by us and the Inspectors 
General show that 22 of the largest Federal agencies have 
significant computer security weaknesses, ranging from poor 
controls over access to sensitive systems and data to poor 
controls over software development and changes.
    While a number of factors have contributed to weak 
information security, the fundamental underlying problem is 
poor security program management. To attain effective security, 
several key elements are needed, including: (1) a framework of 
effective access controls and management oversight; (2) 
periodic independent audits of agency security programs; (3) 
more prescriptive guidance on the level of protection required; 
(4) strengthened incident detection and response capabilities; 
and (5) adequate technical expertise. Especially important is 
the need for strong centralized leadership. Such leadership has 
proven essential to addressing other Government-wide management 
challenges such as Y2K. And we believe it will be similarly 
critical in tackling the growing security risks to computer 
systems and critical infrastructures.
    That concludes a summary of my statement. Thank you again 
for the opportunity to testify, and I will be pleased to 
address any questions.
    [The prepared statement of Mr. Willemssen follows:]

    [Prepared statement omitted: graphics T2361.007 through T2361.025.]
    
    Mr. Horn. Thank you very much, Mr. Willemssen. That was 
very helpful.
    At this point, I also want to put into the record the 
President's White Paper, the Clinton administration's Policy on 
Critical Infrastructure Protection, Presidential Decision 
Directive 63. Without objection, it will be at this point in 
the record.
    [The information referred to follows:]

    [GRAPHIC] [TIFF OMITTED] T2361.070 through T2361.084 (PDD 63 white paper submitted as page images; not reproduced in this text version)

    Mr. Davis. Mr. Chairman, I would also like to ask that an 
article on E-FOIA be inserted in the record from the August 
1997 issue of Government Executive Virtual Records. If that 
could be put in the record as well.
    Mr. Horn. Without objection, so ordered.
    Our next witness is John Tritak, the Director of the 
Critical Infrastructure Assurance Office of the U.S. Department 
of Commerce. We are glad you are here.

  STATEMENT OF JOHN TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE 
         ASSURANCE OFFICE, U.S. DEPARTMENT OF COMMERCE

    Mr. Tritak. Thank you, sir. I want to thank you and the 
subcommittee for giving me the opportunity to appear here 
before you today. I, too, will try to be brief and summarize my 
remarks that are being submitted for the record.
    I would like to set the context a little bit, in order to 
underscore the importance of the discussion that is taking 
place today. It has been a little over 2 years since President 
Clinton issued PDD 63, establishing defense of the Nation's 
critical infrastructure as a national security priority. And in 
doing so however, he presented a rather unique challenge in 
which we recognized, perhaps for the first time, that we have a 
national security challenge that the Federal Government's 
national security establishment cannot solve alone. With over 
90 percent of the Nation's infrastructures being privately 
owned and operated, the need for industry to take a leadership 
role in securing the Nation's critical infrastructures is 
essential.
    The goal here is, as much as possible, to find market 
solutions to deal with the problems of computer security and 
infrastructure assurance, and then, where market forces fail, 
the Government would step in, in cooperation with Congress, to 
address any potential gaps in the interests of national 
security and defense.
    Part of what is essential to industry's leadership is the 
need for strong collaborative partnering arrangements. One of 
the things that I find striking is that what we are really 
talking about here are two different kinds of partnerships. One 
partnership, and perhaps the more important, is the partnership 
of industry in which each of the sectors organize themselves to 
address this problem. Then, of course, there is the partnership 
between industry and Government to identify areas where 
collaborative effort makes sense. What is essential to both 
forms of partnership, however, is the need for information 
sharing, both to raise awareness, improve understanding, share 
common experiences, and, as appropriate, to serve as a catalyst 
for action.
    Within industry itself, a lot of progress has been made in 
establishing effective information sharing arrangements. In the 
telecommunications area, the National Communications Center 
under the leadership of the NSTAC, which Dr. Oslund will talk 
about later, was really one of the first effective information 
sharing arrangements to deal with national security concerns. 
More recently, the banking and finance industry established an 
information sharing and analysis center to share important and 
sensitive information about threats and vulnerabilities in that 
industry. The North American Electric Reliability Council 
recently established a pilot program with the National 
Infrastructure Protection Center housed at the FBI, to share 
certain types of information on threats to the electric power 
industry as a whole. Both the NERC and the National Petroleum 
Council are working with the Department of Energy to develop a 
coherent sector plan for addressing threats and vulnerabilities 
and to share arrangements. Shortly, the information technology 
industry, under the leadership of Harris Miller of the 
Information Technology Association of America, is going to 
establish an information technology ISAC in response to the 
computer summit that President Clinton held last February as a 
result of the denial of service attacks that we saw.
    When we talk about industry taking a leadership role, we 
are starting to see that played out in a lot of different ways. 
We are also seeing increasingly good working relationships 
between industry sectors and their Federal lead agency 
counterparts in the Federal Government. For example, the 
Commerce Department's National Telecommunications and 
Information Administration is responsible for working closely 
with the information technology and telecommunications 
industry, and of course the National Security 
Telecommunications Advisory Council [NSTAC] has actually played 
a very important role in helping to guide that dialog and to 
provide very useful and effective suggestions on how to go 
forward.
    One of the things that becomes clearer as you go further 
into this issue is that, because industry is increasingly 
becoming part of the same digital nervous system, you cannot 
address critical infrastructure security in a stovepipe 
fashion. The digital age does not recognize the distinctions 
between the transportation sector, the electric power industry, 
and telecommunications. And so there is a growing need within 
industry to discuss and meet with representatives of the 
respective sectors to determine where the common issues of 
concern are and how they might be addressed.
    There is also a need, if you are going to maximize the 
market as a means of raising the bar of security across the 
country, to bring in other stakeholders, which include the risk 
management community, the investment community, State and local 
governments, as well as main line businesses who are actually 
ultimate consumers of the infrastructure of services that 
generate the wealth of the Nation. And it was with that in 
mind, that was the impetus for the creation of the Partnership 
for Critical Infrastructure Security. It serves as a forum for 
fostering cross-sector dialog to address areas of common 
concern and experiences with a view toward taking action as 
appropriate. It also brings in the other professional 
communities, including the legal community, privacy community, 
risk-management and the like so that what you have is really a 
distillation of the markets that is going to have to be 
involved in this effort if we are going to actually see the 
security of the Nation's infrastructures improved.
    To date there are over 150 companies participating. 
Congressman Davis and Congressman Moran addressed the first 
working group meeting, and as Congressman Moran indicated in 
his remarks, it was a very fruitful discussion. Our next 
meeting will be held in July in San Francisco in which many of 
the issues that were identified, including issues regarding 
FOIA, will be further discussed, as well as industry will begin 
to engage the Federal Government on how to participate in the 
next version of the National Plan, which I think is essential 
to having a national agenda for a new administration to deal 
with.
    I indicated very early on in my remarks that the core of 
all this is voluntary information sharing, information that 
does not have to be provided under existing laws and 
regulations. Some of that information is sensitive. Concerns 
that the existing statutory environment in any way chills that 
sort of information sharing therefore must be taken seriously. 
It was in addressing these concerns that we had a very 
successful Y2K period, where you saw an unusual and 
unprecedented amount of information sharing between 
Government and industry. And since I was located very 
near the ICC, I was able to witness firsthand the success of 
that.
    The President's Commission on Critical Infrastructure 
Protection acknowledged the importance of dealing with this 
issue, ``We envision the creation of a trusted environment that 
would allow the Government and private sector to share 
sensitive information openly and voluntarily. Success will 
depend on the ability to protect as well as disseminate needed 
information. We propose altering several legal provisions that 
appear to inhibit protection and thus discourage 
participation.'' The PCCIP went on to include the Freedom of 
Information Act, antitrust provisions, and protection from 
liability among the areas that needed to be analyzed. In 
addition, as I indicated a moment ago, the organizational 
meeting of the Partnership for Critical Infrastructure Security 
included in its action items the removal of disincentives to 
information sharing.
    Therefore, I wholeheartedly applaud the intent as well as 
the objectives of the Cyber Security Information Act that was 
proposed by Congressmen Davis and Moran. Based on my own 
experience with these issues over the past years, I believe 
sharing information regarding common vulnerabilities, threats, 
and interdependencies is important to effective security 
controls across the interconnected and shared risk environment 
within which both Government and industry operate.
    The act would create a new exemption from FOIA to protect 
industry's submitted critical information vulnerability 
information. As a general matter, we support maximum Government 
openness while recognizing that certain information such as 
that relating to cyber vulnerability should be protected from 
wide dissemination. As with any exemption from Government 
openness, we need to study this proposal very carefully and 
need to strike a balance between the goal of information 
sharing and Government openness. Similarly, we should be 
confident that the proposed provisions dealing with antitrust 
and liability protection are measured to achieve their intended 
goals and not create unintended results.
    As the bill points out, prompt, thorough and secure 
information sharing is clearly a matter of national importance. 
I think the ability to develop and share designated cyber 
security information would be a useful step toward this 
important goal. We are looking forward to a full and vigorous 
national discussion on this important legislation. I wish to 
thank you for the opportunity to testify here today, Mr. 
Chairman.
    [The prepared statement of Mr. Tritak follows:]

    [GRAPHIC] [TIFF OMITTED] T2361.026 through T2361.031 (prepared statement submitted as page images; not reproduced in this text version)

    Mr. Horn. Thank you very much, Mr. Tritak. That is very 
helpful.
    We now turn to Ambassador Craig Johnstone, senior vice 
president for International Economic and National Security 
Affairs of the U.S. Chamber of Commerce.
    Mr. Ambassador, please proceed.

    STATEMENT OF AMBASSADOR L. CRAIG JOHNSTONE, SENIOR VICE 
    PRESIDENT, INTERNATIONAL ECONOMIC AND NATIONAL SECURITY 
               AFFAIRS, U.S. CHAMBER OF COMMERCE

    Ambassador Johnstone. Well, thank you very much, Mr. 
Chairman, and a particular vote of thanks to Mr. Moran and Mr. 
Davis for having sponsored this very important legislation. I 
represent the U.S. Chamber of Commerce, the world's largest 
business organization, with 3 million businesses, associations, 
and chambers represented around the world, and we strongly 
endorse this legislation.
    Mr. Chairman, we are all witness to the process of 
globalization and all of the revolutionary changes that we are 
seeing as a result of new technologies--information management, 
biotechnology. It has changed the very nature of economic life 
in our country and it is full of opportunities, but it also 
brings with it a great number of risks.
    There is a new set of security risks unlike those we have 
ever witnessed previously in our history. These new security 
risks do not come in the form of foreign armies marching across 
borders. They're more sophisticated, they're more insidious, 
and more pervasive. Their provenance is more difficult to 
determine and the defenses are very difficult to mount. These 
are the threats to our Nation's critical infrastructure, to our 
computer systems, to our financial infrastructure, to our power 
grids, to our water supplies. These threats exploit the tools 
of modern science to attack weak points in our increasingly 
complex and increasingly vulnerable economic system.
    These are very real threats. If you just look in the narrow 
sector of the threats to the computer infrastructure, you take 
the CERT Coordination Center's recent report alluded to by Mr. 
Davis and just take a look at what has happened recently. Over 
a 2-day period starting February 7th, some of the leading 
Internet sites of the country came under denial of service 
attacks from hackers. The sites included Yahoo, eBay, CNN.com, 
Amazon.com and e-Trade. Less than a month later 350,000 credit 
card numbers were stolen from the music retailer CD-universe 
and posted online in an attempt to extort $100,000 from the 
company. On May 5th the international ``Love bug'' virus that 
we are all familiar with struck at enormous cost to American 
business. And these attempts were perpetrated by amateurs. 
Imagine the threat were there to be a concerted effort not just 
of amateurs, but of people working under Government auspices of 
some kind, somewhere, from some corner of the Earth. The range 
of weapons that can be brought to bear today can be brought to 
bear on a single company, or they can be brought to bear to 
affect the lives of millions of people.
    Our country must come up with the strategies that address 
this problem. It does no good for Government to develop a 
strategy on its own when 90 plus percent of the critical 
infrastructure of this country is in hands of the private 
sector. The kind of strategies we need must be developed 
between industry and Government within individual industries. 
We can address our critical infrastructure vulnerabilities but 
only through cooperation and the free flow of information and 
ideas.
    This legislation moves us a step in that direction by 
establishing trust between industry and Government. You can 
expect the amount of valuable information exchange on critical 
infrastructure threats and vulnerabilities to be directly 
proportional to the amount of safety provided by H.R. 4246. We 
faced a very similar problem on the Y2K issue and the 1998 Y2K 
Information and Readiness Disclosure Act paved the way for much 
smoother relations between the public and private sectors.
    Providing a FOIA exemption and an antitrust waiver is 
critical for the level of success of industry-wide information 
sharing and analysis centers [ISACs]. These ISACs share 
information on the nature of vulnerabilities, attempted attacks 
or unauthorized intrusions, coordinate R&D issues, examine 
vulnerabilities and dependencies, and develop education and 
awareness programs. This legislation is critical to those 
efforts; it is also critical to the success of the Partnership 
for Critical Infrastructure Security, which performs many of 
the same functions but this time not within industries but 
between industries, and between industry and Government.
    I am pleased to say that the U.S. Chamber of Commerce has 
actively participated in the formation and development of the 
Partnership for Critical Infrastructure Security and we are 
pleased to provide ongoing support in collaboration with the 
Critical Infrastructure Assurance Office and we commend the 
office for the leadership that it has given on this issue. It's 
clear from our experience with Y2K, from the requirements of 
the National Plan, and from the feedback we have received from 
our own companies, our member companies that this legislation 
is important, even critical toward accomplishing the 
cooperation we must have to advance our security goals.
    Again, I would like to commend Mr. Davis and Mr. Moran for 
their leadership in taking on this issue, and I would like to 
encourage this committee and House to support the Cyber 
Security Information Act of 2000. Thank you.
    [The prepared statement of Ambassador Johnstone follows:]

    [GRAPHIC] [TIFF OMITTED] T2361.032 through T2361.036 (prepared statement submitted as page images; not reproduced in this text version)

    Mr. Horn. Thank you, Mr. Ambassador.
    We now move to Mr. Jack Oslund, the chairman of the 
Legislative Regulatory Working Group of the National Security 
Telecommunications Advisory Committee. Mr. Oslund.

STATEMENT OF JACK OSLUND, CHAIRMAN, LEGISLATIVE AND REGULATORY 
   WORKING GROUP OF THE NATIONAL SECURITY TELECOMMUNICATIONS 
                       ADVISORY COMMITTEE

    Mr. Oslund. Thank you, Mr. Chairman. I would like to open 
up with an apology. I have laryngitis and I will do the best I 
can. It may govern the speed with which I work against your 
clock. Thank you for the opportunity to testify here today 
regarding the President's NSTAC. As you said, I chair the 
Legislative and Regulatory Working Group of the Industry 
Executive Subcommittee. My remarks are based on the work of the 
NSTAC. They do not necessarily represent the views of my 
company, nor will they address issues on which the NSTAC 
principals have not taken a formal position.
    NSTAC and its representatives have been involved in 
industry-Government information sharing for 18 years. We have 
learned many lessons in our various activities that we are 
always willing to share as other infrastructures begin their 
own public private partnership arrangements. If the Chair will 
allow, I would like to provide supporting materials for the 
committee's use.
    Mr. Horn. We will review them and try to get them into the 
hearing record as best we can, without objection.
    Mr. Oslund. Thank you, sir. What makes information sharing 
successful? Participants in NSTAC, the NCC, and the NSIEs have 
built relationships based on trust that fosters the sharing of 
information. These relationships are largely dependent on 
individual relationships and the recognition that through 
cooperation the security of the Nation's critical 
telecommunications networks can be strengthened.
    The NSTAC has examined information sharing initiatives and 
observed the following: it is already occurring in a number of 
forums, it may be affected and in some cases it is being 
affected by legal barriers, it is mostly voluntary, it is 
dependent on receiving a benefit when voluntarily shared, it is 
based on trusted relationships, and it may depend upon the 
company and the individual participant.
    The NSTAC also has focused on the potential regulatory and 
legal barriers which are being discussed today--FOIA, 
liability, and antitrust. I will limit my oral testimony to 
FOIA.
    FOIA provides the public with access to records maintained 
by Government departments and agencies. It also sets forth a 
number of exemptions that allow withholding specific 
information from disclosure, including proprietary company 
information. None of these exemptions specifically addresses 
critical infrastructure protection information that is shared 
within the ISAC. Yet PDD 63 calls for long-term voluntary 
information sharing between industry and Government to achieve 
protection for the Nation's critical infrastructures.
    As evidenced by the voluntary information sharing that took 
place during the Y2K rollover, companies were prepared to share 
information with each other and the Government that otherwise 
would not have been available without the FOIA exemption 
granted by the Y2K Act.
    With respect to information sharing related to critical 
infrastructure protection, the threat is not as clear as it was 
for Y2K. The problem is unbounded. There is no fixed deadline 
for action and, as stated earlier, there currently is no 
protection from disclosure of critical infrastructure 
protection information voluntarily shared with the Government. 
We are in a continuing dialog with Mr. Tritak and his staff at 
CIAO on this matter.
    The NCC expanded its function to include serving as a 
telecommunications ISAC this past March. Most industry 
participants in the NCC feel that the expansion of its 
activities to include ISAC functions increases the need for 
protection of information voluntarily shared with Government. 
To date, FOIA has not been a significant concern in the NCC, 
primarily because the NCC does not maintain a data base. 
However, the NCC ISAC is developing an automated information 
sharing and analysis system that will store data from events 
and situations reported by participating organizations. As 
awareness of the NCC and its activities, particularly as an 
ISAC, increases, FOIA requests for the data base may cause 
participants to be reluctant to share information. It is 
critical that sensitive company information shared with the 
Government be protected from disclosure.
    Significantly, in May 2000 the NSTAC recommended that the 
President support legislation to protect critical 
infrastructure protection information voluntarily shared with 
the Government from disclosure under FOIA. NSTAC has not yet 
discussed the pending legislation. It was introduced too late 
during the last NSTAC work cycle. It will be reviewed during 
the work cycle that is just beginning.
    In conclusion, the lessons learned from the NSTAC's 
experiences in information sharing are applicable to all 
critical infrastructures as they begin their own protection 
efforts. The road to complete trust between and among industry 
and Government is a long and bumpy one. Legislation is 
necessary but not sufficient for information sharing. There are 
other areas that must evolve in order to achieve the level of 
information sharing sufficient to accomplish the goal of 
protecting the Nation's critical infrastructures. Technical, 
logistical, cultural, and human factors issues need to be 
addressed. While legislation will not solve all the challenges 
in information sharing, it goes a long way in providing the 
protection industry needs as well as demonstrating the 
Government's commitment to being an active member of the 
information sharing process.
    Thank you for inviting me to speak today. I look forward to 
any questions that you may have.
    [The prepared statement of Mr. Oslund follows:]

    [GRAPHIC] [TIFF OMITTED] T2361.037 through T2361.038 (prepared statement submitted as page images; not reproduced in this text version)

    Mr. Horn. Well thank you, and we wish you well with your 
laryngitis. There are more allergies on Capitol Hill than 
anyplace in the world because there is a tree I am told for 
every tree in the world.
    Mr. Oslund. Mr. Chairman, the doctor did assure me that I 
do not have a virus bug.
    Mr. Horn. Thank you. Let me explain that when you see 
Members walking in and out now it is because we have a vote on 
the floor on the rule and we have 15 minutes to respond. Mr. 
Davis has gone over there. When he comes back, he will preside 
and I will go over there. We do not like to miss votes.
    We will start with Mr. Sobel now, the general counsel of 
the Electronic Privacy Information Center. Mr. Sobel.

   STATEMENT OF DAVID L. SOBEL, GENERAL COUNSEL, ELECTRONIC 
                   PRIVACY INFORMATION CENTER

    Mr. Sobel. Thank you, Mr. Chairman. I appreciate the 
opportunity to appear today to discuss the Cyber Security 
Information Act. The Electronic Privacy Information Center, or 
EPIC, is a frequent user of the Freedom of Information Act. We 
obtain Government documents on a wide variety of policy areas 
and we firmly believe that public disclosure of this 
information improves Government oversight and accountability 
and really assists the public in becoming fully informed about 
the activities of the Government.
    I have personally been involved with FOIA issues for almost 
20 years representing a wide variety of FOIA requesters. In the 
early 1980's, I assisted in the publication of a book entitled, 
``Former Secrets,'' which documented 500 instances in which 
material released under FOIA served the public interest. I am 
sure that if there were to be a revision of that book done 
today in the year 2000, we could easily come up with thousands 
of such examples of beneficial uses of the Freedom of 
Information Act.
    EPIC, as a member of the FOIA requester community, has, 
along with other members of that community, for many years 
expressed concerns about a number of proposals to enact new 
broad exemptions to the FOIA's disclosure requirements. Most 
recently, we have joined with scientific, journalist, library, 
and civil liberties organizations in questioning the need for a 
new exemption to cover information dealing with the protection 
of critical infrastructure protections, such as the exemption 
that would be created in the bill before the subcommittee. We 
collectively believe that such an approach is fundamentally 
inconsistent with the basic objectives of FOIA, which is, as 
the Supreme Court has noted, ``to ensure an informed 
citizenry.''
    It is clear that as we enter the new century and become 
increasingly involved in electronic networking that the 
Government is going to be more and more involved in the 
protection of critical infrastructure. It is equally apparent 
that the Government's activity in this area is going to become 
a matter of increased public interest and debate.
    My organization EPIC has monitored developments in this 
area since the creation of the President's Commission on 
Critical Infrastructure Protection. After the commission's 
report came out, we issued a report entitled, ``Critical 
Infrastructure Protection and the Endangerment of Civil 
Liberties,'' in which we raised some questions about possible 
impacts of some of the proposals. Now while reasonable 
observers can disagree over the advantages or disadvantages of 
the commission's proposal, or the more recent initiatives 
contained in the administration's National Plan, I think we can 
all agree that critical infrastructure protection raises some 
significant public policy issues that deserve full and informed 
public debate.
    In fact, public disclosure of information in this area has 
already helped to shape the administration's policy in the 
area. As an example, I would cite to the subcommittee the so-
called FIDNET proposal, the Federal Intrusion Detection 
Network, which, as originally proposed, would have subjected 
private sector computer networks to a potentially invasive 
monitoring system administered by the FBI. Following news media 
accounts of that proposal and the negative public reaction, 
that proposal was significantly scaled back. We at EPIC have 
received material under the FOIA dealing with these issues, we 
have made it public, and we think that is an important part of 
the process, of public debate on these issues.
    I would like to focus specifically on the need for the 
exemption that is contained in this legislation.
    Mr. Horn. Let me just interrupt you at this point.
    I am going to recess the hearing to go vote. The time 
remaining is almost expired. Apparently Mr. Davis could not get 
back in time. But he will pick it up and then have you pick it 
up.
    So we are going to recess for 5 minutes or until Mr. Davis 
returns.
    [Recess.]
    Mr. Davis. The subcommittee hearing will reconvene.
    Mr. Sobel, do you want to continue your remarks?
    Mr. Sobel. Thank you, Congressman Davis. I was pointing out 
the valuable information that has already been disclosed under 
the Freedom of Information Act concerning critical 
infrastructure protection, and citing the example of the 
initial FIDNET proposal and the revisions that the 
administration made to that proposal after publication of the 
details and incorporating the public concern that that 
engendered. So I think that is a very good example of the 
importance of public disclosure and the Freedom of Information 
Act in this particular area.
    What I would really like to discuss and focus on in my 
remaining time is my belief that the Freedom of Information 
Act, as currently written and construed by the courts, does in 
fact provide adequate protection for the information that we 
are discussing and I would maintain really negates the need for 
a new exemption to be added to the FOIA regime.
    I think in looking at this issue, we do need to keep in 
mind that critical infrastructure protection is an issue of 
concern not just for the Government and industry, but also for 
the public, particularly the local communities in which these 
facilities that we are discussing are located.
    The FOIA exemptions that currently exist, in particular I 
would like to focus on exemption 4, have been the subject of 25 
years of litigation. We have extensive caselaw that we can look 
to. And I believe that caselaw establishes that existing 
exemption 4 is adequate. For information to come within the 
scope of exemption 4, it must be shown that the information is 
either a trade secret or, most significantly here, information 
which is commercial or financial, obtained from a person, and 
privileged or confidential. The latter category of information, 
that is, commercial information that is privileged or 
confidential, is directly relevant to the issue that is before 
the subcommittee.
    Commercial information is deemed to be confidential ``if 
disclosure of the information is likely to have either of the 
following effects,'' and significantly the one we are concerned 
with here, ``To impair the government's ability to obtain the 
necessary information in the future.'' My understanding is that 
H.R. 4246 seeks to ensure that the Government is able to obtain 
critical infrastructure protection information from the private 
sector on a voluntary basis. So that concern clearly comes 
within exemption 4's so-called ``impairment'' prong.
    In fact, the courts have liberally construed impairment, 
finding that where information is voluntarily submitted to a 
Government agency, it is exempt from disclosure if the 
submitter can show that it does not customarily release the 
information to the public. This is the Critical Mass case that 
the D.C. Circuit decided back in 1992. In essence, the courts 
defer to the wishes of the private sector submitter and protect 
the confidentiality of information that the submitter itself 
does not routinely make public.
    In addition to the protections for private sector 
submitters that are contained in exemption 4 and the relevant 
caselaw, agency regulations also seek to ensure that protected 
data is not improperly disclosed. Under the provisions of 
Executive Order 12600, which President Reagan issued in 1987, 
agencies are required to give submitters of information an 
opportunity to submit objections to proposed disclosures and 
those objections have to be considered by the agency before a 
disclosure determination is made. The protections don't end 
there. If the submitter is still unhappy with an agency 
determination to disclose the submitted information, the 
submitter can go to the courts, file what is known as a 
``reverse FOIA'' lawsuit and litigate the confidentiality 
issue. So there are many procedural safeguards already built 
into the FOIA regime.
    I think to a large extent the concern that we hear from 
industry is really a misperception of existing law. I think 
this is something that can become a self-fulfilling prophecy. 
If the agencies responsible for collecting this information are 
saying to submitters we cannot protect your information, then 
obviously the flow of information is going to dry up. So I 
think it is important to direct the efforts toward education 
and reassuring the private sector submitters that existing law 
does in fact adequately protect their confidentiality.
    I think the FOIA over the last 25 years has worked very 
well in making these kinds of balances between the need to 
know, on the one hand, and protecting against harmful 
disclosures. I would encourage the subcommittee not to upset 
that delicate balance that we have already developed over the 
25 years of litigation. I thank the committee for considering 
these issues and will be happy to take any questions.
    [The prepared statement of Mr. Sobel follows:]

    [GRAPHIC] [TIFF OMITTED] T2361.039 through T2361.043

    Mr. Horn. Thank you very much for being here. I will have 
some questions for you later.
    Mr. Woolley.

  STATEMENT OF DANIEL WOOLLEY, PRESIDENT AND CHIEF OPERATING 
                OFFICER, GLOBAL INTEGRITY CORP.

    Mr. Woolley. Good morning, Congressman Davis, Chairman 
Horn, members of the subcommittee. I would like to thank you 
for requesting my perspective on the important issue of 
information sharing and the quest for cyber security. My name 
is Dan Woolley and I am the president and chief operating 
officer for Global Integrity, a company based in Reston, VA.
    Global Integrity is a wholly owned subsidiary of Science 
Applications International Corp., an information security 
consulting company, and a resource for many Fortune 100 and 
Global 100 corporations, including online businesses, banks, 
brokerage houses, insurance companies, telecommunications, and 
entertainment companies, and other dot-com industries. In this 
capacity, we test the overall computer security of our client 
sites, help them develop secure information architectures, and 
help them to respond to attacks and incidents. We monitor and 
report to our clients about the most recent threats and 
vulnerabilities in cyber space, and help them to cooperate with 
regulations and law enforcement agencies where required or 
where appropriate.
    Global Integrity is also a recognized leader in information 
sharing to promote cyber security. We established the very 
first information sharing and analysis center called for by the 
Presidential Decision Directive, or PDD 63, and since then have 
established several additional ISACs that have been demanded by 
the market. Therefore, I am particularly pleased to offer our 
views today on H.R. 4246, on the state of cyber security, on 
information sharing and the public-private partnership, 
including some of the appropriate roles of Government.
    Presidential Decision Directive 63 recognized that the 
critical infrastructure of the United States is not owned by 
the Government but rather is in the hands of the private 
sector. While both the Government and the private sector have 
significant incentive to protect this infrastructure, the 
ultimate financial responsibility for protecting it lies 
squarely at the foot of the private sector. Moreover, the 
Government's interest is in protecting the infrastructure 
against cyber warfare and denial of service attacks. The 
private sector's interest is in protecting its infrastructure 
not only from these attacks but also from attacks by 
competitors, preventing insider abuse, enforcing corporate 
policies, protecting investor interest, as well as providing 
customers with safe, secure, and private means of conducting 
electronic commerce. While the goals of the private sector and 
the Government converge, they are not always identical.
    We recognize the precariousness of the concept between 
public and private partnerships on something so sensitive as 
cyber security, yet we think it a concept worth pursuing, albeit 
with caution. Certainly the last thing a private company 
wants is to have its own cyber vulnerabilities publicly exposed 
to regulators, customers, investors, or competitors. On the 
other hand, the Government has a legitimate right to be 
concerned about the security of the Nation's critical 
infrastructure and even the security of the businesses that 
underpin the Nation's economy.
    Yet because the private sector owns the infrastructure, we 
believe the primary responsibility for securing it does and 
should rest with the private sector--those in the financial 
services, energy, transportation, agriculture, and 
communications sectors, as well as those in the thousands of 
IT-dependent businesses. These are the people who own the 
infrastructure, are familiar with it, and are responsible for 
making decisions not only about the security, but also about 
the things like functionality, interoperability, strategic fit, 
and, of course, cost.
    Yet the Government correctly notes that our critical 
infrastructures are subject to the intrusion and disruption in 
cyber security if not taken extremely seriously at the very 
highest levels both within Government and within the private 
sector. While the private sector should lead, we believe the 
Government does have a legitimate role in promoting cyber 
security. The Government must continue in its efforts to 
recruit and train cyber security professionals and perhaps make 
laboratory or forensic facilities available to the private 
sector.
    The Government can lead by example, by securing its own 
infrastructure and by sharing techniques and lessons learned. 
Global Integrity supports legislative efforts to encourage and 
even require Government agencies to batten down their own cyber 
hatches and serve as a model for the private sector. The 
Government also can help set security standards and best 
practices to promote education on subjects like computer 
security, computer forensics, computer law, computer ethics. 
Finally, the Government can promote private sector cooperation 
both within the private sector and with the Government by 
removing any actual or perceived barriers to such cooperation, 
and by actively and aggressively advocating for such 
cooperation. The Government should also consider what rewards 
may be offered to the private sector to encourage safe and 
secure practices.
    According to the Department of Justice statistics, cyber 
crime cases have increased 43 percent from 1977 to 1999. 
Threats to the infrastructure are both real and perceived. A 
survey of 1,000 Americans conducted on June 8-11 this year by 
the polling firm of Fabrizio McLaughlin Associates found that 
67 percent of respondents feel threatened by, or are concerned 
about cyber crime, and 62 percent believe not enough is being 
done to protect the Internet consumers against such crime. 
Sixty-one percent say they are less likely to do business on 
the Internet as a result of cyber crime, and 65 percent believe 
online criminals have less of a chance of being caught than 
criminals in the real world.
    We have identified the following trends in cyber attacks: 
No. 1, distributed attacks are increasing, and abusers take 
advantage of jurisdictional and sovereignty distinctions to 
avoid detection and prosecution. No. 2, attackers are using the 
known and publicized security holes to compromise systems. This 
is particularly true with respect to the worm type attacks that 
continue to take advantage of users' willingness to execute 
unknown and unverified computer programs. No. 3, most incidents 
and penetrations seem to be attacks of opportunity, although 
sophisticated hackers may target specific companies or 
information with a combination of electronic attacks and 
deception through social engineering. No. 4, the release of 
point and click tools has made the ability to take on systems 
easy and accessible. For example, a well-known tool called 
BO2K, freely available on the Internet, allows an 
unsophisticated hacker to take over a victim's computer 
completely, read all files and even turn on attached cameras 
and microphones to conduct surreptitious surveillance in the 
room in which the computer is located. No. 5, the increase of 
the use and potential use of high-speed, always-on DSL and 
cable connections at home increases the risk to both home and 
corporate attacks. A home user may suffer as many as 40-100 
attempted attacks per month on a home DSL connection, ranging 
from somewhat benign probes to very sophisticated attacks. The 
attacks come from diverse locations, including Eastern Europe, 
China, Korea, and other nations in the Far East. The increased 
use of wireless technologies to transmit business critical or 
personally sensitive information increases the risk of 
compromise. New security strategies and implementations must be 
developed for these technologies.
    One of the best ways that Government can promote cyber 
security in the private sector is by encouraging information 
sharing, and this of course is one of the central objectives of 
PDD 63. The Directive's charge to create ISACs, Information 
Sharing Analysis Centers, where information on threats, 
incidents, vulnerabilities, with associated recommendations and 
solutions needs to be shared and analyzed. This is a critical 
step in defending against cyber attacks.
    When these attacks do occur, companies are often left in 
the dark, they cannot tell whether the attack is local, 
regional, or national. They cannot easily determine whether the 
attack is directed at them alone, their entire industry, or 
represents part of a series of random or concerted attacks. To 
defend against potential future attacks, companies must also 
know about vulnerabilities in the operating systems, 
applications, browsers, and thousands of the myriads of pieces 
of software that make up the overall infrastructure. Finally, 
they must have access to the raw intelligence about the threats 
to the infrastructure, increased attacks or activity, and new 
fraud schemes in order to be prepared.
    At Global Integrity, we have spent over $3 million in the 
last 10 months developing the first ISAC for the financial 
services industry. Thousands of man-hours were dedicated not 
only by Global, but by dozens of companies led throughout the 
world by initiatives for the financial services sector toward 
perfecting this model. The initial goal was to create a broad 
based model for the financial services industry--banks, 
insurance companies, brokerages, and other organizations. This 
model is now being replicated for many companies and sectors 
around the world.
    The FS/ISAC was formally launched in October 1999 and it 
was based upon the fears of publicity, fears of inviting 
additional attacks, fears of confidentiality, and fears of 
antitrust liability.
    In the past, the limitations and the willingness of 
industry members to share information was critical. Today, 
nobody wants to be reported on the front page of the Washington 
Post that their institution has been a victim of an attack or 
attempted attack.
    The FS/ISAC today provides a means for sharing information 
and for distributing threat data obtained from Government 
sources without the fear of attribution or publicity. Nothing 
contained in the FS/ISAC rules or regulations alters the 
obligations of banks or financial institutions to report these 
criminal activities. In other words, the decision whether or 
not to report an incident lies with the victim of the attack, 
and not with the repository of the collected information. To 
protect the confidentiality of the information, each paid 
member issues a series of anonymous certificates which 
authenticates them but does not specifically identify the 
member.
    We have also recently established the equivalent of news 
bureaus to collect, analyze, and disseminate information of 
both regional and national interest. We are establishing 
bureaus in Asia, Middle East, Central Europe, and the United 
Kingdom, as well as South America. These regional bureaus are 
providing incident threat, vulnerability, resolution data 
regarding events occurring in their regions back to the Reston 
analysis center for redistribution to all ISAC members on a 
worldwide basis. The FS/ISAC as well as other ISACs represent a 
form of public and private cooperation.
    As a result of the operation of the FS/ISAC and its 
advanced warning stations in Asia and Europe, members of the 
financial services industries that have chosen to participate 
received early warning about recent threats. For example, the 
FS/ISAC notified members not only of the methodologies behind 
the distributed denial of service attacks which were launched 
last February, but also about specific information indicating 
that hacker activity was increasing. Indeed, Global took such 
threats seriously enough to issue generalized news releases on 
the possibility of such attacks hours before those attacks 
actually occurred. As Congressman Davis noted, the FS/ISAC 
advised members about the Love Bug worm several hours before 
the Government agencies sent out generalized alerts, and 
provided detailed technical analysis of how these worms worked 
in the early notification.
    There are certain roles and functions that are the province 
of Government. One, to set minimum standards for security and 
interoperability, conducting and supporting fundamental 
research on new security technologies, promoting awareness of 
issues relating to information protection, ensuring greater 
international cooperation between law enforcement, Government 
agencies, and bringing down the barriers which inhibit 
cooperation.
    Finally, a word about the role of Congress in specific. I 
believe that Congress should take a cautious approach to 
passing new legislation. We do think that legislation requiring 
the Government to get its own cyber house in order would be 
productive. We also think that limited legislation such as H.R. 
4246, which removes barriers to information sharing, is a good 
idea. Whether these barriers are real or perceived is a 
question on which lawyers cannot agree. However, we know that 
in many cases perception is a stronger force than reality, and 
so removing perceived barriers can be every bit as important 
to the broader goal, which is to 
encourage information sharing of incidents, threats, and 
vulnerabilities.
    I thank you, Mr. Chairman, for the opportunity to present 
our views, and welcome any questions the committee may have.
    [The prepared statement of Mr. Woolley follows:]

    [GRAPHIC] [TIFF OMITTED] T2361.044 through T2361.054

    Mr. Horn. Thank you.
    I now recognize Mr. Davis for questioning for 8 minutes.
    Mr. Davis. I thank you very much, Mr. Chairman.
    Let me start with Mr. Sobel, who is probably the most 
skeptical about the bill. I guess it is your position that we 
do not need to change FOIA.
    Mr. Sobel. That is correct.
    Mr. Davis. The problem is that the companies that we want 
to release the information and share information do not share 
that view and do not want to have to go through the litigious 
process of trying to establish that every time they want to 
release something. That is the difficulty we have.
    We have tried to craft a narrow exemption so that it does 
not do more than we intend it to do. Is there any limiting 
language that you would find acceptable under this, or is it 
your strict position that the FOIA law is the FOIA law and we 
live with it and it will handle all of our needs?
    Mr. Sobel. Let me back up a minute and talk about your 
opening premise, which is that there is the perception amongst 
the private sector submitters that there is not currently 
adequate protection.
    Mr. Davis. I am going to argue about the law in a minute, 
but there is certainly the perception.
    Mr. Sobel. Well, I think that the only way to address that 
perception is to bring people up to speed on what the law is. 
It is my considered opinion, as well as the opinion of the FOIA 
requester community that has been involved in the cases that I 
am citing and frankly has lost a lot of the cases, that the 
courts give great deference to private sector information that 
is held by Government agencies. And we can see no scenario 
under which information that is submitted to the Government 
voluntarily and that the private sector submitter wishes to 
maintain the confidentiality of would be disclosed.
    So I would prefer to see the resources of the agencies go 
into reassuring the submitters and get the Justice Department 
to come forward and say, yes, it is our view that existing law 
is adequate, and have the Congressional Research Service look 
at the issue. I am confident that a legal review of that kind 
will create the kind of reassurance that I think has been 
lacking thus far.
    Mr. Davis. So it is not your view that anytime Government 
is present that there is a public right to know under FOIA, 
regardless of how that information is obtained.
    Mr. Sobel. The courts have certainly construed all of the 
exemptions, from my perspective, very broadly. I think the 
perception out there amongst the requester community is that we 
have lost most of the big cases, that there has been great 
deference to both the agencies that seek to withhold 
information and the private sector submitters of information 
that do not want the information disclosed. So I think it is 
pretty clear if you look at the caselaw and the history of the 
development of exemption 4 that the courts have really bent 
over backward to make sure that private companies do in fact 
feel comfortable in voluntarily sharing information with the 
Government.
    I also want to repeat the point that I made in my 
testimony, which is that it is not only the caselaw that we 
need to look at, but there was a lot of concern about this 
issue in the 1980's during the Reagan administration. President 
Reagan issued Executive Order 12600 which created procedures 
within all of the agencies to give submitters rights to object.
    Mr. Davis. But we have had enough of companies that keep 
coming back that in 1997 the Defense Authorization Act had to 
prohibit agencies from releasing most contract proposals 
because there was a lot of proprietary information in the 
proposals that was leaking out and being FOIAed. This is a 
constant problem. If you are a private company, and I come out 
of the private sector, once you give that information out, I 
think you want ironclad assurance that that information is not 
going anywhere else either intentionally or sometimes 
unintentionally, because then you get your trial lawyers, you 
have antitrust, you have a whole lot of issues that get raised 
through that.
    I guess my question is, what is wrong with clarifying it 
here? Do you think this is drawn too broadly? We have tried to 
draw this as narrowly as we can. If we could narrow it in some 
other way to give everybody the rightful protections, we would 
be happy to do that.
    Mr. Sobel. I think I would start from the proposition in 
this area that if it is not broken, why try to fix it, because 
in the process you might just be creating some new unintended 
problems. I point out in my written testimony that I think, 
given the history of FOIA over the last 25 years, that any new 
exemption or any new language that is inserted into that regime 
results in protracted litigation.
    I think we have devoted considerable judicial resources 
over the last 25 years to ironing out the meaning of exemption 
4. As I say, I think the outcome of that process has been one 
that is very protective for the private sector. And one of the 
concerns would be that we are just going to be tied up in 
litigation for several years as the meaning of this new 
exemption gets sorted out. Whereas, we have a body of caselaw 
that we can look at right now that I believe resolves the 
issue. I think any time you introduce new language into this 
regime you invite problems.
    Mr. Davis. Clearly, if you introduce new language, you have 
new language that has never been litigated before.
    Mr. Sobel. Correct.
    Mr. Davis. But I think at this point you draw your line way 
over where what you have said would be assumed and is clarified 
even further.
    Let me just ask Mr. Tritak and others if they would like to 
comment. Do you feel you have adequate protections at this 
point under current law?
    Mr. Tritak. Sir, I actually would like to go back to the 
initial point that you made or this premise of what has been 
discussed. The fact is there is a debate and it is a debate 
that is not between lawyers, on one hand, and non-lawyers, on 
the other. It is a debate among some in the legal community 
that there is not sufficient clarity about the protections for 
information sharing.
    Now putting aside for a moment the understandable concern 
that you do not want to change the law, particularly something 
like FOIA, lightly, we still have the problem and the debate. I 
think the only way you resolve that is by having that debate 
and discussing it not only within the legal community, but also 
you get your owners and operators of infrastructures, the 
people who are actually expressing these concerns, and their 
legal counsel to express what it is they are worried about, 
what is the kind of information that they are concerned may not 
be protected and under what circumstance.
    But I think the fact that there is a debate is the problem 
that needs to be resolved. The Government and many people 
believe that the current protections are sufficient. That's 
fine. But if you are talking about voluntary information and 
people are concerned that it is not sufficiently clear and they 
do not provide the information, then arguably you have a public 
policy goal that you may not be able to achieve.
    Mr. Davis. It seems pretty clear to me. This is information 
the Government would have no right to under ordinary 
circumstance and therefore the public would have no right to 
under ordinary circumstances. But because we are trying to work 
together to stop the cyber security threats to our Nation's 
security, companies are willing to come forward and share 
information, but only if they can be absolutely sure that their 
information that they give is going to be protected. The 
Government would not have it otherwise.
    That is all this legislation says. It clarifies it. Without 
that, as you say, there is debate in the legal community, there 
are court decisions all over the lot, and you could get 
something that does not fit within that exemption that you have 
discussed, Mr. Sobel. I cannot right here say under what 
circumstances that could be, but somebody could volunteer some 
information that may not be proprietary but it could be very 
dangerous if that information were to get out, it could hurt 
shares of stocks, it could show some exposures, for example, in 
your own security of your company in terms of somebody coming 
in potentially and if that information were to get out it could 
damage among investors and the like. And you would not want 
that information out, but for the good of national security you 
are willing to come forward with that. I am not sure under 
those circumstances that meets the protections of the trade 
secret protections.
    That is our concern, is that we want to make sure when 
companies come forward, are working in a cooperative venture to 
attack this enemy called cyber terrorism that we can work 
together and that nobody is going to be damaged as a result of 
that.
    Does anyone else on the panel want to address that?
    Yes, Ambassador Johnstone.
    Ambassador Johnstone. Yes, I would. First of all, I would 
like to start off by saying that I commend Mr. Sobel for his 
defense of the Freedom of Information Act. The U.S. Chamber of 
Commerce also strongly believes in the Freedom of Information 
Act. We have used it on behalf of American business frequently, 
and we are a strong supporter of the act. However, beyond that, 
I think we certainly are in disagreement with respect to 
exclusion 4. For example, he says that exclusion 4 provides 
adequate protections and that if business simply understood, 
through a public education effort of some sort, they would 
understand that fact. But the fact of the matter is that as 
soon as we start getting into exchange of information, there 
will be attorneys who will stand up and say that exemption 4 
does not apply to those situations and there will be a debate.
    Mr. Sobel points out that that is subject to a review panel 
process. So now suddenly we have moved from having the 
protection of the law into something that will be debated 
within a review panel. Or, alternatively, that there is 
litigation always possible. So now we have moved it out of the 
review panel into potential litigation. So that for a company 
what you do is you face then a very uncertain prospect that may 
drag you into litigation, or have the assurance of the law and 
the clarification that is written into the law.
    The point that you made, Mr. Davis, I think is the salient 
point here. That is to say there is nothing written here that 
is different than what it is Mr. Sobel says is already in the 
law but which is disputed. So it is a question of clarification 
and that clarification is critically important for American 
business. When a businessman has to sit down and decide whether 
he or she is going to participate in this process, the fact 
that that clarification has been written into the law is 
vitally important and I think is the difference that is going 
to make the difference between cooperation or non-cooperation 
on this issue.
    Mr. Sobel. If I could just respond briefly. I do not think 
that the language that the subcommittee is considering is going 
to preclude litigation in any way. If the agencies' position 
upon receiving a request is that it is not covered because of 
this language, that is going to be litigated. So I think we are 
talking about litigation one way or another if information is 
submitted and requested and there is a dispute.
    My point is that at least under existing exemption 4 we 
have a body of caselaw that has been developed over the last 25 
years and we are not going to have to wait for a lot of 
clarification on the meaning of new language. I do not think it 
is a question of litigation or no litigation. I think it is a 
question of how protracted is that litigation likely to be.
    Mr. Woolley. One key point that I would like to make, if 
you will, from the voice of experience. Companies involved with 
the financial services ISAC needed to know for certain that 
that information they were providing to the FS/ISAC was in fact 
locked down and would never get out or they would not share it. 
It was mandatory that was involved.
    As a result, we spent a tremendous amount of time 
developing a significant anonymity system with checks and 
balances and rewrappers that could prove that the information 
that came in was completely anonymous. That was the only way 
that the financial services industry would participate. And now 
we have gotten very, very high participation from that industry 
and it is that anonymity that has now spawned the international 
ISAC and the worldwide ISAC that are now providing tremendous 
inputs.
    So I think that the issue needs to be there. If you do not 
have the anonymity, if you do not have the lock down, American 
corporations will not participate. They are too spooked about 
being dragged into any sort of litigation or disclosure that 
would be very detrimental to their organizations.
    Mr. Horn. Yes, and this will be the last response to it. Go 
ahead, Mr. Oslund.
    Mr. Oslund. Thank you, Mr. Chairman. In the NCC information 
sharing process, there is no anonymity when the participants 
share the information. It is a process that has been going on 
for a number of years and that is why we stress the trust 
relationships. Relationships have been developed so companies 
can share information directly. When we are talking about real 
time operations, and that is what information sharing for CIP 
is, you cannot share information under uncertainty. There has 
to be certainty that you can move this information forward and 
it will not be challenged.
    NSTAC felt FOIA legislation was needed for Y2K. And the 
conclusions are the same for CIP. The background materials we 
have provided to the committee demonstrate these conclusions 
were reached after a lot of deliberation. Thank you.
    Mr. Horn. Thank you.
    I now yield 10 minutes to the ranking minority member, Mr. 
Turner, the gentleman from Texas.
    Mr. Turner. Mr. Sobel, you shared your concern a minute ago 
that the language in the proposed legislation would not 
preclude litigation. In fact, your opinion was that it might 
foment additional litigation. Going beyond that concern, could 
you please articulate any other concerns that you have about 
this exemption from liability. Is it your concern that it could 
be misused, that it could be used as a shield by a corporation 
that might be willing to disclose and therefore they would then 
be able to hide behind the shield of liability? I assume there 
is further concern other than the fact that you just think it 
will result in additional litigation.
    Mr. Sobel. Well, I think from the perspective of the FOIA 
requester community there is always a concern about Congress 
stepping into the process of amending a statute that has worked 
very well for a long time. And there is a general apprehension 
about creating these piecemeal exemptions. The FOIA, as 
Congress amended it in 1974, contains nine very specific 
exemptions that have been construed by the courts and in our 
opinion really cover all of the harms that we are talking about 
here.
    I should note also it is not just exemption 4. There are 
situations where exemption 1 for classified information would 
come into play if we are dealing with defense contractors, for 
instance. Exemption 7's law enforcement protections would come 
into play, for instance, if a company is acting in the role of 
a confidential source. In the context of a hacking 
investigation, for instance, exemption 7's law enforcement 
protections would come into play. So the point is that we have 
a very well-developed FOIA scheme right now and there is a 
general apprehension to adding on piecemeal exemptions.
    Now with particular regard to this area, critical 
infrastructure protection, I think the concern is that we would 
be muddying the waters, that you introduce a degree of 
uncertainty into the FOIA requesting process and the result is 
likely to be that a new barrier is going to be erected to the 
disclosure of information that should properly be disclosed, 
information that the subcommittee is not seeking to protect 
from disclosure.
    So I think it is really a question of just muddying what is 
today some very settled water in this area and creating yet 
another excuse for not making information public.
    Mr. Turner. Maybe I need you to pose a hypothetical for me 
to help me understand your concern. Because the first 
impression I have when you talk about trying to view this from 
the point of view of the requester community is that, as I 
understand it, we are talking about information that the 
Government does not have and Freedom of Information is always, 
as I understand it, directed toward information the Government 
has.
    So we are talking about information that were it not 
voluntarily shared by a corporate entity, the Government would 
not have it anyway. So from a point of view of the requester 
community that is interested in preserving access to Government 
information, it seems to be fairly easy in my mind to say that 
the requester's concern really should not reach information 
that the Government really would never have anyway were it not 
for the voluntary relinquishment of it by a private entity.
    Mr. Sobel. I think you have to start from the proposition 
that once the Government receives information, whether it is 
under mandatory requirements or provided voluntarily, that 
information starts to form the basis of what a Government 
agency is doing and it can in certain instances become an 
important indication of the operations of that agency. 
Certainly, for instance, the Food and Drug Administration 
obtains a lot of information from private companies and in 
order for the public to really assess what the FDA is doing, 
you necessarily are going to need some access to that private 
sector information that has been provided to the agency.
    Now on the question of whether or not what we are talking 
about today is something new, the idea of voluntary submission 
of information to Government agencies, that is not new. In 
fact, that is the reason why the cases that I have cited in my 
testimony have arisen. The courts have specifically dealt with 
the question under exemption 4 of what should the standards be, 
what should the rules be when a company voluntarily submits 
information to an agency.
    So I think it is important to recognize that we are not 
writing on a clean slate here. There have been many instances 
in the past where agencies have received information 
voluntarily from private sector submitters, that information 
has been sought under FOIA, and those are the cases that have 
developed the case law that I am talking about, which deals 
directly with the issue of voluntarily submitted information.
    In terms of the importance of this information, to sort of 
remove this from the theoretical realm, for instance, a local 
community in which a power plant or a nuclear plant or a water 
facility is located I think legitimately has some interest in 
knowing if there are vulnerabilities and safety problems in 
that facility that might form the basis of a so-called cyber 
security statement. I think we are going to need some mechanism 
for sorting that out. There are some very legitimate public 
interest reasons for making some of this information available.
    But again I come back to the way the courts have dealt with 
these issues. And they have been very protective of the private 
sector submitters. I believe that the courts have gone too far 
in this area. I want my position to be clear. I think a lot of 
the information we are talking about probably should be and 
could be made public without harm to the private submitter. But 
the courts have disagreed. But I think there is a lot of 
important health and safety information that can get caught up 
in this process.
    Mr. Turner. Thank you.
    Mr. Horn. I thank the gentleman. You have 2 minutes 
remaining. If Mr. Moran would like to get in the 2 minutes 
here, and then we will yield to Mrs. Biggert for 10.
    Mr. Moran. Thank you, Mr. Horn. I have got to go back to 
another hearing, so I will leave after my 2 minutes. I 
appreciate the courtesy. Thank you.
    As I mentioned in my opening statement, the reason why Mr. 
Davis and I returned from the Chamber of Commerce meeting and 
came up with this legislation is because there was such a 
widespread view that companies simply could not cooperate to 
the extent that was necessary and that was requested by the 
Federal Government and that I think they knew was in their 
long-term best interest because of their concern about FOIA.
    And so we have a situation here where regardless of what 
your point of view might be, Mr. Sobel, perception is reality. 
If the general counsels of these firms feel that FOIA is a very 
serious threat to the privacy of this information and to the 
viability of their corporation, they are simply not going to 
cooperate in the way that they know is in the national security 
interest.
    I do not see why it is a problem even if we restate what is 
existing law. You are suggesting that it may complicate things. 
And I am only picking on you because you are the only one that 
has come up with what seems to be such an unreasonable point of 
view, Mr. Sobel. [Laughter.]
    I mean I would not do it if you did not deserve it. I am 
kidding there. We need somebody to be the devil's advocate here 
on the panel, and I appreciate you playing that role.
    Mr. Sobel. Glad to do that.
    Mr. Horn. And I might add unanimous consent for the 
participation of our eloquent Irishman today. And hearing no 
objection, you are free to participate. [Laughter.]
    Mr. Moran. Thank you very much, Mr. Chairman, I appreciate 
that very much.
    Clearly, we do not have the level of participation, the 
initiative being taken by corporations who have very valuable 
information to share. And this is the reason why they do not 
feel that they can. It is not that they do not want to 
cooperate.
    And so even if we are restating legislation clarifying that 
legislation, as Mr. Davis has suggested, it would seem to be 
meeting a very important need. And it took what, three decades 
or something to clarify the meaning of FOIA, three decades of 
litigation to make it clear what FOIA meant. We cannot afford 
to go through such an extended process of litigation to clarify 
the extent of sharing with regard to cyber attacks and cyber 
vulnerabilities. So it would seem that even if a lawyer might 
be able to make an argument that you could share that 
information, they nevertheless would be subjecting themselves 
to litigation, and that is what we do not want.
    So we want to facilitate the process. We have got very 
important national security interests at stake here. Every day, 
as the sophistication of mischievous and malicious hackers 
increases, our vulnerabilities increase. As we have stated and 
as I know you are very much aware of, our entire economic and 
security infrastructure is at stake. We heard one story about 
some intelligence officials being given enough money to buy 
personal computers, two or three dozen of them, and they were 
told to pretend they were from North Korea and see if they 
could invade our security infrastructure. And sure enough, 
within a relatively short period of time they had access to 
enough computer systems that they could have shut down our 
power grid and invaded the most classified information. We 
cannot let that happen. It is more effective, much easier, much 
less expensive to invade our information systems than it is to 
drop bombs on our large cities and power systems.
    I have been encouraged by the level of cooperation that the 
business community wants to express, wants to participate in. 
But if they have that concern, then we need to respond and to 
make it clear, to underscore, to clarify that they can exchange 
that information without fear of protracted litigation and 
exposing even greater vulnerabilities.
    So, it is a good piece of legislation. I am glad the vast 
majority of witnesses on the panel agree. I certainly 
appreciate your having the hearing, Mr. Chairman. I trust that 
we are going to be able to get the bill on the floor in an 
expedited fashion. Thank you, Mr. Horn.
    Mr. Horn. We thank you. Since I am not a lawyer, and having 
listened to this discussion, I suggest we put a simplification 
in one of the findings that this is the Lawyer's Relief Act of 
the year 2000. [Laughter.]
    I now yield to Mrs. Biggert for 10 minutes for questioning.
    Mrs. Biggert. Thank you, Mr. Chairman.
    Mr. Tritak, in your outreach efforts to coordinate with the 
private sector and initiate public-private partnerships, what 
hurdles have you run into? For example, does the fear of the 
Federal law enforcement community hinder your ability to work 
with the private sector in addressing cyber security problems 
before they occur?
    Mr. Tritak. No, I would not say that law enforcement 
interferes with that activity. The fact is that the 
relationships between the Federal Government and private 
industry vary from sector to sector and company to company. 
There are many companies who feel very comfortable in an 
information exchange arrangement with Federal law enforcement, 
and a number of companies that participate in the National 
Infrastructure Protection Center exchange that kind of 
sensitive information.
    There are others who are concerned that sharing information 
with the Government could precipitate investigations which can 
have an impeding effect on their ability to conduct business. 
And that is a hurdle that they view exists. Again, I think it 
is one of these things where when those kinds of concerns are 
expressed they need to be taken seriously to get to the core of 
what the problem may be.
    What I find very interesting, of course, is that when 
someone talks about whether industry is interested in dealing 
with Government, I think you cannot make it a broad statement 
because, for example, sometimes you may find companies feel 
more comfortable dealing with, let's say in the information 
technology area, dealing with the Commerce Department or 
dealing with the Defense Department, and others by tradition, 
for example the electric power industry, they have had very 
good, strong working relationships with Federal law enforcement 
well before the Information Age. So I think it depends--it 
depends on the culture of the industry, it depends on the 
nature of the type of information you are dealing with.
    Clearly, the roles and responsibilities at different 
agencies need to be defined over time. We are introducing a 
new, changing technology that is going to transform the way we 
all live, the way we do government, and the way we do business. 
I am sure that over time the respective roles of different 
governments and agencies are going to have to reflect that. And 
I think that as those adjustments are made, some of the issues 
that you have just raised, about industry's reluctance in 
certain cases and proactivism in others to deal with 
government, will be redressed.
    Mrs. Biggert. Is there any fear that if there is more 
coordination then between the agencies of the Federal 
Government that this might affect how companies would deal with 
it? Because information that they might feel comfortable about, 
for example, with the Commerce Department would be available to 
another agency.
    Mr. Tritak. I think some have that concern, not all though. 
But some, yes.
    Mrs. Biggert. Then version 1.0 of the President's National 
Plan for Information Systems Protection discusses the 
possibility that companies wishing to discuss possible systems 
vulnerability with the Federal Government may ``be deterred 
from doing so because of the possibility that information 
disclosed to the Government could become subject to a request 
for public disclosure under'' what we have been discussing, 
``the Freedom of Information Act.''
    Mr. Tritak. That has been a concern expressed by some 
companies, yes.
    Mrs. Biggert. Can you provide an estimate of how much 
private sector information is being withheld as a result of 
this?
    Mr. Tritak. I cannot say. I think to the extent that it has 
an inhibiting factor, it is the perception in certain cases 
that if the information may be used for reasons other than to 
help raise the level of security of the Nation's infrastructure 
is because it would become available to help address problems, 
that it can have a chilling effect. And depending on the 
companies and depending on their concerns, you never get to the 
point of deciding whether or not to give the information 
because your natural position is simply not to pass it on. And 
so it is hard to quantify. But I will say that it has been 
expressed and it has been expressed sufficiently so that I 
think it is not an isolated instance.
    Mrs. Biggert. Thank you.
    Ambassador Johnstone, are private sector participants 
concerned about the threat of law enforcement investigations 
hindering their ability to deliver critical services?
    Ambassador Johnstone. Actually, I do not disagree with Mr. 
Tritak. That is to say it is something that I have heard 
expressed. But in the many, many companies that I have talked 
to about this whole issue, that has not been high on people's 
agenda, the concern over law enforcement per se.
    I think the fear of the loss of proprietary information, 
the fear of public disclosure of information that would not 
otherwise become public, the concern, and perhaps this touches 
on law enforcement, that people might not be exempt from sort 
of monopoly building kind of activities cause some level of 
concern.
    The antitrust side of the equation. An American company, 
and I will speak from my own experiences having run an American 
company for a number of years, whenever you sit down with 
competitors you are surrounded by a galaxy of lawyers who are 
constantly looking at the antitrust implications of what you 
might do, even what you might do related to safety procedures 
and things of that type. And so there is a great deal of 
concern in terms of the antitrust implications. It would be a 
great relief to companies to have some relief from those 
concerns. I think public disclosure is certainly another area.
    In terms of law enforcement and people's fear of being the 
subject of persecution, for example, that I have not actually 
encountered in terms of any individual contacts that I have had 
with businesses.
    Mrs. Biggert. So there might be the concern about the law 
enforcement but you cannot really assess how much there is.
    Ambassador Johnstone. I think that concern is less than the 
concerns in the other areas.
    Mrs. Biggert. Then does the partnership work with the private 
sector on networks to disseminate information in a timely 
manner on potential vulnerabilities from sector to sector?
    Ambassador Johnstone. Well let me just say that the 
partnership got kicked off this last December in the first 
meeting in New York. We then hosted at the U.S. Chamber of 
Commerce a meeting of the partnership in the month of February 
and the next meeting is in July. So it is fairly embryonic and 
is just in its startup mode.
    That being said, it certainly is the intent of the 
partnership, and certainly of the ISACs, to provide a maximum 
flow of information that will touch very much on the whole 
issue of network security.
    Mrs. Biggert. So this really is a goal of the partnership?
    Ambassador Johnstone. Certainly.
    Mrs. Biggert. OK. Then would you be willing to share 
information with the Federal Government when uniform legal 
principles are established to structure the boundaries of a 
public-private partnership?
    Ambassador Johnstone. We would be willing to participate 
with the Federal Government on all aspects of working together 
to advance and to help protect the critical infrastructure, 
both when it comes to legislation as well as to working within 
the administrative framework.
    Mr. Tritak. If I may, Congresswoman.
    Mrs. Biggert. Certainly.
    Mr. Tritak. Just a point of clarification. What the 
partnership, as I indicated in my testimony, aims to do is to 
encourage cross-sectoral dialog and activity to bring the 
owners and operators together, bring together other 
stakeholders involved. If the industry participants in that 
activity decide that it makes sense to create information-
sharing arrangements amongst themselves, the partnership is one 
form in which that would be discussed, debated, and created. I 
think it is important though that the partnership itself is a 
forum to bring these issues to the fore for discussion. It is 
not in itself a super ISAC. It is not an organization that 
actually would do that as much as it would facilitate that 
development.
    Mrs. Biggert. Thank you.
    And I cannot not ask Mr. Willemssen a question since he has 
been at so many of our hearings. So, Mr. Willemssen, could you 
tell us to what extent the regulations that exist within the 
Federal law enforcement community and with the Federal 
Government for reporting on the cyber attacks or threats or 
vulnerabilities, how do they overlap?
    Mr. Willemssen. There are some overlaps from an 
organizational standpoint. I would concur with Mr. Tritak's 
comments that there is a need for further definition and 
specificity on roles and responsibilities of Federal 
organizations so that the sectors and the private firms within 
those sectors know exactly who they are to deal with, what kind 
of information is going to be requested of them, what is going 
to be done with that information from an analysis perspective, 
and how the results of that analysis are going to be 
disseminated to others. Right now, that specificity does not 
exist. I know that Mr. Tritak and others are working on that 
and we would encourage them to continue doing that. That is 
definitely needed.
    Mrs. Biggert. So right now this overlap is really hindering 
the ability to deliver or exchange information?
    Mr. Willemssen. Yes. I think to the extent that further 
clarification can be provided, possibly in the next version of 
the National Plan, which is due out this fall, that would be 
most beneficial to the private sector.
    Mrs. Biggert. Thank you. Thank you, Mr. Chairman.
    Mr. Horn. I thank the gentlewoman from Illinois.
    I just have two questions here and then I will turn it over 
to all of you again.
    This is directed at Mr. Willemssen. The General Accounting 
Office has commented extensively over the past 5 years on the 
number of problems confronting the Federal Government on 
addressing information security issues governmentwide and from 
agency to agency. In your view, Mr. Willemssen, does the lack 
of coordination and planning within the executive branch of the 
Government hinder its ability to be an effective cyber security 
partner in monitoring potential threats?
    Mr. Willemssen. I think the lack of coordination has been a 
hindering factor. But I think there is a much bigger factor at 
play as it pertains to Federal agencies, and that is basic 
management of computer security issues. The Federal Government 
currently does not have its house in order on computer security 
and protection of its systems and data.
    So coordination is definitely an issue. But what we would 
like to see are individual agencies taking computer security 
much more seriously than they have in the past and making sure 
that they have done the risk assessments, they have adequate 
protection in place, they have made their staff very aware of 
the criticality of this issue, and there is an overall central 
guiding management to make sure that it is a priority within 
the agency.
    Mr. Horn. Has the General Accounting Office ever had a 
request from the Article III Judiciary on this area? I would 
think there is some mischief that could be made in that area.
    Mr. Willemssen. We do currently have a request looking at 
critical infrastructure from a Senate Judiciary Subcommittee. 
That work is ongoing.
    Mr. Horn. In relation to the Article III Judiciary?
    Mr. Willemssen. I do not believe it specifically covers 
that. But if I may, Mr. Chairman, get back to you and answer 
that for the record.
    Mr. Horn. You might want to talk with the Administrative 
Office of the U.S. Courts and see what is happening.
    Mr. Willemssen. Yes, sir.
    [The information referred to follows:]

    Our ongoing work on critical infrastructure protection does 
not address article III-related entities.

    Mr. Horn. The General Accounting Office has offered its 
view in support of the creation of a Federal Chief Information 
Officer, a CIO that would centrally manage information 
technology, including information security, in its comments on 
Senate bill S. 1993. In your view, would a central coordinating 
office within the Federal Government on critical infrastructure 
protection that would work with both the public and private 
sectors overcome some of the similar obstacles to management 
and overlapping regulation that you have mentioned?
    Mr. Willemssen. We are supportive of a strong central CIO 
position. In addition, we think, and it is instructive to look 
at Y2K as a lesson here, top management attention to a critical 
national issue is absolutely invaluable in making sure that the 
issue is adequately addressed in working with the public and 
private sector.
    So to the extent that an overall national coordinator can 
help fill that role, we think that would be beneficial. But to 
the extent that it is a separate position, we need to make sure 
that it works with the institutions in place that have an 
overall focus on CIO issues. I do not think you can take a 
critical infrastructure and computer security and put it off on 
the side necessarily. You still have to work in tandem with 
overall management of information technology.
    Mr. Horn. Well, it is an interesting view and we might be 
discussing this in the next few weeks because we have a few 
thoughts on the institutional aspects of the Presidency and how 
you relate to the departments. So I thank you for that view, 
and there might be a few other views.
    Let me ask my colleagues here, the gentleman from Texas, do 
you have some more questions you would like to ask?
    Mr. Turner. I have no further questions.
    Mr. Horn. The gentleman from Virginia?
    Mr. Davis. No questions.
    Mr. Horn. The gentlewoman from Illinois? No?
    There might be a few questions we will send you and we 
would appreciate it if you could just bat us out a simple 
answer to complete and round out the record.
    We again thank you for doing the last minute in a hurry. I 
suspect you were like the students in their senior year, they 
want to graduate and they stay up all night. So thank you for 
your energy and thank you for your wisdom on this. We 
appreciate it very much.
    I now want to thank the staff for both the majority and the 
minority. On my immediate left, your right, is J. Russell 
George, the staff director and chief counsel of the 
Subcommittee on Government Management, Information, and 
Technology; Bonnie Heald, the director of communications, is in 
the back; Bryan Sisk, our clerk; Will Ackerly, intern; Chris 
Dollar, a new intern; and Meg Kinnard, a new intern. With Mr. 
Turner's staff, Trey Henderson is the counsel; Jean Gosa is the 
minority clerk. And our official reporter of debates, whom we 
thank, is Elisabeth Lloyd. And Mr. Davis' staff has done some 
excellent work, and I know that from working with them over 
the last few months, and that is Melissa Wojack and Amy 
Herrick. We thank you for all the work you have done on this 
legislation.
    If there are no further questions, we thank you all.
    Mr. Davis. Mr. Chairman, let me just add that if anyone on 
the committee would like to serve as a cosponsor as this bill 
moves up, we would be happy to put your name on it.
    Mr. Horn. OK. Thank you.
    We will now adjourn this hearing.
    [Whereupon, at 11:53 a.m., the committee proceeded to other 
business.]
    [Additional information submitted for the hearing record 
follows:]

    [Ten graphics, TIFF files T2361.055 through T2361.064, omitted 
from the electronic version of the record.]