
ANSWERS TO POST-HEARING QUESTIONS

Responses by Gerald S. Freese, Director of Enterprise Information Security, American Electric Power

Questions submitted by Chairman Sherwood L. Boehlert

Q1. Measuring Cyber Security

Q1a. How do you measure your company's cyber security?

A1a. Measurement is most effective against a backdrop consisting of a security policy and standards. Measurement is accomplished in several ways, depending on the intended focus:

• Compliance with internal security standards—measured against metrics derived from self-imposed security requirements (based on business drivers and best practices).

• Compliance with regulatory requirements—measured against externally generated security mandates (Sarbanes Oxley, HIPAA, FERC, GLB, etc.).

• Penetration testing—tests technical security architecture for vulnerabilities. Provides multiple levels of security gap determinations and direction for remediation.

Q1b. How do you determine if your company's level of cyber vulnerability is being reduced?

A1b. Using periodic scanning of networks, servers and workstations for known vulnerabilities; ongoing compliance checks determine levels of compliance with standards. Compliance checks rely on the use of technical and process metrics developed through best practices or regulatory requirements.

Q1c. How do you decide what is secure enough?

A1c. "Secure enough" is determined through analysis of several variables; these are risk to business systems, regulatory requirements and the level of security implemented in the technical architecture.

Q1d. How should DHS determine if the Nation is making progress?

A1d. DHS must continue to work toward comprehensive information sharing with critical infrastructure industries. The NIPP is an excellent start toward greater cooperation but the PCII program needs to be fully implemented and socialized to be effective.

Q1e. Are government mandates needed to increase the progress and get to "secure enough"?

A1e. Critical infrastructure industries do not want government mandates to increase security. Unfortunately, there is no way for the government to effectively help protect critical infrastructure if its components do not have some consistency in the level of risk-based protection they have in place. I feel that at some point in the future, government will step in and establish federal requirements. Hopefully they will do it with full industry collaboration.

Q2. Business Case for Cyber Security

Q2a. Within your company, how do you make the business case for the costs associated with more secure information technology products?

A2a. In several ways: Regulatory or legislative requirements; Risk identification and mitigation; Cultivating strong executive support for CI protection.

Q2b. What can the Federal Government do to help make this case?

A2b. The government can provide more pertinent, substantiated threat information. They can also design financial assistance for selected protective measures. These would have to be accomplished with extensive collaboration with the private sector.

Q3. Information Sharing

Q3a. What information would you find most helpful to receive from the government (especially DHS) or from other companies when you are making decisions related to what cyber security you need? When responding to an attack or an incident?

A3a. In question two, we discussed that there is a need for more pertinent and substantiated threat information from the government. When responding to an attack or incident, government sources, outside of some law enforcement liaison, will probably be less timely than commercial enterprises specializing in early warning and incident response measures. Attacks or exploits, however, are threats come to fruition. Initial government involvement in early warning and threat analysis would go a long way toward better prevention or deflection of these exploits.

Q3b. What information have you been asked for by DHS that you feel uncomfortable providing? Why? What are the barriers to information sharing? Are changes in legislation or regulations needed to overcome these barriers?

A3b. On numerous occasions, federal and State DHS authorities have asked us for information on our critical assets and on the protective measures (physical and cyber) surrounding them. Without the PCII program in place, we are very reluctant to provide that data, and have repeatedly declined their requests. We cannot be sure under the current situation of only partial implementation of the PCII program who will have access to that data. Once PCII is fully established and implemented, we will revisit information sharing and support the effort. We are committed to doing all we can to help the government protect our nation's critical infrastructure.

Q4. Responding to Cyber Attacks

Q4a. If the information systems of a critical infrastructure company were attacked today, is the U.S. prepared to detect the attack and repel it or repair the systems quickly?

A4a. While there are many companies that have successfully repelled one or more major cyber attacks, many more have not and a good number could not. Those that have the security technology and mature incident response programs are usually well equipped to handle both directed and general cyber attacks. Those that have few technical solutions in place or that have poorly defined incident response procedures are often victims of even the most well-known and preventable threats. So the answer to this question must be qualified with an "it depends on who is attacked" caveat. Overall as a country I believe we are not well equipped to repel such attacks.

Q4b. What about if the attack were on the Internet?

A4b. If attacks are recognized quickly (very likely) and there are preventive measures already in place and properly configured, responses after a major Internet attack can probably effectively thwart attackers. These measures range from network and system processes to equipment/communication redundancy.

Q4c. What role can and should DHS and other public and private organizations play in these response activities?

A4c. DHS should be providing the most up-to-date threat data available, along with analysis of potential and actual cyber threats. In addition, they should provide awareness information to companies that is substantive, citing examples of attacks, providing recommended solutions and adding real value to the knowledge base. To make this more meaningful, DHS might want to make this a collaborative effort with commercial companies that already have a large critical infrastructure customer base.

Q4d. What are the barriers to DHS companies or other organizations providing a quick, effective and coordinated response?

A4d. I can't speak for other companies, but regarding DHS, it needs to staff its ranks with true cyber security experts and be willing to pay the costs of their expertise. This does not mean hiring the standard group of government contractors. It means recruiting individuals from the commercial world that have industry credibility, can offer real knowledge and experience and feel that protecting critical infrastructure is a vital mission for our national security.

Q4e. What is DHS doing to foster greater private sector efforts in cyber security, and what could the agency do that it is not doing now?

A4e. DHS seems to be addressing most of the right areas as evidenced by the NIPP draft. They are also increasing involvement in industry groups, making sure their message is being effectively communicated. What they could add is accurate threat data and greater awareness of the impact that cyber attacks can have on the infrastructure and economy.

Q4f. Are effective practices, procedures and technologies now available to guard against the adverse impacts of cyberspace vulnerabilities? Are there shortcomings for particular critical infrastructure areas?

A4f. Currently there are effective practices, procedures and technologies available. And they will keep improving. The problem is that these are not used consistently across all infrastructure organizations. Unfortunately, with cyber security we're still only as strong as our weakest link.

ANSWERS TO POST-HEARING QUESTIONS

Responses by Andrew M. Geisse, Chief Information Officer, SBC Services, Inc.

Questions submitted by Chairman Sherwood L. Boehlert

Q1. Measuring Cyber Security

How do you measure your company's cyber security? How do you determine if your company's level of cyber vulnerability is being reduced? How do you decide what is "secure enough"? Are there specific metrics you use in evaluating the cyber security of your company? How should the Department of Homeland Security (DHS) determine if the Nation is making progress? Are government mandates needed to increase the progress to get to "secure enough"?

A1. There is no single metric or measurement that suffices to describe a company's cyber security readiness. SBC proactively determines the cyber security readiness of its environment through the use of internal and external audit reviews, secure system management compliance, application security compliance, routine scans to identify vulnerabilities, and periodic component review within the infrastructure. In addition, an annual assessment of deployed security solutions is conducted based upon new or changing requirements and conditions. SBC also has a team of IT Security professionals dedicated to the protection of its internal cyber resources. A key metric for SBC is the number of attempted and investigated intrusions within the environment and the corrective actions taken to address them.

As a way to measure private companies' progress towards cyber security, the Department of Homeland Security could use publicly reported information, such as annual Sarbanes-Oxley disclosure reports.

Government mandates should not be necessary. The DHS could focus on cyber security best practices and standards. Also helpful would be tools so companies could measure their compliance towards those best practices.

Q2. Business Case for Cyber Security

Within your company, how do you make the business case for the costs associated with more secure information technology products? What can the Federal Government do to help you make this case and make investment in cyber security more attractive?

A2. SBC well understands the need for cyber security, within the company infrastructure and as a service we can provide to users of our data products. Business cases to support cyber security preparedness to protect internal cyber resources must clearly define the risks to the business, the security tools needed and processes required, and then should be evaluated based on needs of the business. Most often, business cases supporting cyber security are developed because of new business opportunities, changing cyber technologies, new identified vulnerabilities, growth of our environment, or new legislative requirements.

Awareness of cyber security to the public can show a positive impact to businesses that help support cyber infrastructure (i.e., Internet). The more people understand virus protection, anti-spam tools, identity theft protection, and phishing risks, the better the Internet-connected community and services can perform on their behalf. Government education programs that could also be used within businesses would help defray internal education costs.

Q3. Information Sharing

Q3a. What information would you find most helpful to receive from the government (especially DHS) or from other companies when you are making decisions related to what cyber security you need? When responding to an attack or incident?

A3a. SBC would find it helpful if information from the DHS includes: current cyber vulnerabilities, attack methods, and attack sources. The most current information helps us prepare strategies to deal with new sources of attack and new methods of attack. The same can be said when responding to an incident. Understanding how an attack may occur and from where allows SBC to better prepare defenses that could block specific protocols or specific IP addresses.

Q3b. What information have you been asked for by DHS that you feel uncomfortable providing? Why?

A3b. Information that SBC has been asked to share that has made us uncomfortable includes items that we consider private within the company and restricted to
