
You know, I don't want to see, as the Chairman said, you know, I don't want to be here at a hearing later on saying, "What went wrong? And how can we improve this thing?" I mean, the fact of the matter is that when the price of gas is stable, you know, nobody is really complaining, but when it spikes up and again, this is a private sector matter-but when it spikes up, the public says, "Where are the bums in Washington? What are you doing?"

Well, you know, we want to get in front of this. And quite frankly, after four years of Homeland Security working on this problem, we are not where we need to be, and we are not where we should be. I hope that this will be an impetus today to change that and to move that forward.

And so with that, Mr. Chairman, I again join you in welcoming these witnesses. This is an important hearing, and I look forward to moving forward with it.

[The prepared statement of Mr. Gordon follows:]

PREPARED STATEMENT OF REPRESENTATIVE BART GORDON

Today's hearing has two important purposes: To assess progress in improving the security of computer systems on which critical industries rely and to explore why progress has been so slow.

Networked information systems are key components of many of the Nation's critical infrastructures, including electric power distribution, banking and finance, water supply, and telecommunications.

Computer system vulnerabilities persist worldwide, and the initiators of random cyber attacks that plague the Internet remain largely unknown.

But we know that many international terrorist groups now actively use computers and the Internet to communicate, and they are clearly capable of developing or acquiring the technical skills to direct a coordinated attack against networked computers in the United States.

The disruptions and economic damages that could result from a successful cyber attack to one or more of our critical infrastructures could be substantial. And damage to water supply systems or to chemical processing plants, for example, could also create life threatening consequences.

Following the events of 9/11, ensuring the security of critical infrastructures has become a national priority, but progress in securing the cyber infrastructure has simply been too slow.

A presidential directive from the Clinton Administration, PDD-63, instituted policies and established new organizations to improve the Nation's ability to detect and respond to cyber attacks, including mechanisms to improve communication between the public and private sectors regarding cyber security matters. Subsequently, the new Department of Homeland Security was charged to be the government's focal point for cyber security.

And yet, in a report released this summer, GAO found that the Department of Homeland Security has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cyber security. This is simply not good enough.

Recent events make all too clear that inadequate recovery plans, either by design or execution, have dire consequences for the health and well being of our citizens. Inaction can be an enemy just as lethal as terrorists.

GAO stresses that to be successful in meeting its responsibilities, the Department will need to achieve organizational stability for cyber security activities, including an elevation of this function within the Department.

In addition, GAO indicates the Department must work to develop effective partnerships with stakeholders, and then achieve two-way information sharing with these stakeholders.

Today, we have an opportunity to hear from some of the stakeholders about what is being done within their industry sectors to improve cyber security, where they now stand, and what could be done to accelerate progress.

I am interested in hearing about their relationship to and interactions with the Department of Homeland Security and in their views on how the government can be more effective in achieving the overall goal of cyber security for critical infrastructures.

We need to understand what the fundamental impediments are to securing cyber space and to take appropriate action to overcome them.

Mr. Chairman, I want to thank you for calling this hearing, and I look forward to our discussion with the panel.

[The prepared statement of Mr. Costello follows:]

PREPARED STATEMENT OF REPRESENTATIVE JERRY F. COSTELLO

Good morning. I want to thank the witnesses for appearing before our committee to examine the current state of cyber security, how various critical infrastructure sectors depend on information systems, and what is and should be done to secure these systems. In addition, I am pleased today's hearing will also explore the respective roles of the Federal Government and private sector with respect to cyber security.

Certain socio-economic activities are vital to the day-to-day functioning and security of the country; for example, transportation of goods and people, communications, banking and finance, and the supply and distribution of electricity and water. Domestic security and our ability to monitor, deter, and respond to outside acts also depend on some of these activities as well as other more specialized activities like intelligence gathering and command and control of police and military forces. A serious disruption in these activities and capabilities could have a major impact on the country's well-being.

Even before the terrorist attacks of September 2001, concerns had been rising among security experts about the vulnerabilities to attack of computer systems and associated infrastructure. Yet, despite increasing attention from Federal and State governments and international organizations, the defense against attacks on these systems has appeared to be generally fragmented and varying widely in effectiveness. Concerns have grown that what is needed is a national cyber security framework: a coordinated, coherent set of public- and private-sector efforts required to ensure an acceptable level of cyber security for the Nation.

While industry and the Federal Government have increased their focus on cyber security in recent years, vulnerabilities remain, despite passage of the Cyber Security Research and Development Act. The bill authorized $903 million over five years for new federal programs to ensure that the U.S. is better prepared to prevent and combat terrorist attacks on private and government computers. The legislation was developed following a series of post-September 11, 2001 Science Committee hearings on the emerging cyber terrorist threat and the lack of a coordinated U.S. response. Despite this legislative and programmatic initiative, our computer and communications networks, upon which the country's economic and critical infrastructures for finance, transportation, energy and water distribution, and health and emergency services depend, are still among the Nation's vulnerabilities.

Valid concerns remain that the U.S. is still not appropriately organized and prepared to counter and respond to cyber security. Multiple federal agencies, as well as institutions of higher education and the private sector, have critical roles to play; yet, no enactment of or planning for the National Strategy has occurred, and coordination was lacking among agencies as they developed their research and development budget requests for FY 2006. The absence of a clear advocate for cyber security at the Department of Homeland Security, coupled with the multiple senior DHS cyber security officials leaving the department, sends a clear signal to Congress that the National Cyber Security Division does not have enough authority to work effectively with the private sector. I am aware that legislation has been proposed to elevate the head of the cyber security office to the assistant secretary level to give cyber security more visibility within DHS and to allow higher level input to national policy decisions, and consider this a positive step in the right direction.

I again thank the witnesses for being with us today and providing testimony to our committee.

[The prepared statement of Ms. Johnson follows:]

PREPARED STATEMENT OF REPRESENTATIVE EDDIE BERNICE JOHNSON

Mr. Chairman and Ranking Member, I am pleased that the Science Committee is discussing our nation's cyber security today.

I appreciate each guest being here today. You all are uniquely qualified to speak about how well our infrastructure and policies are set up to handle disruptions or attacks on critical information systems.

Every year, the world relies more heavily on information technology. We view our banking accounts over the Internet, we apply for loans on-line, we even pay our bills on-line. We manage our prescriptions on-line, and there's not much today we DON'T do on-line.

We hear of small- and large-scale breaches in the security of our on-line information. One situation that comes to mind is of a large bank that had to contact all of its members because sensitive financial information had become insecure.

Congress needs to exert leadership in the area of cyber security. Our current system contains a patchwork of programs that represents neither an efficient nor effective coordinated federal effort.

I am interested to hear from today's witnesses how we can improve our current efforts in this critical area.

Thank you, Mr. Chairman. I yield back and reserve the balance of my time.

[The prepared statement of Mr. Carnahan follows:]

PREPARED STATEMENT OF REPRESENTATIVE RUSS CARNAHAN

Mr. Chairman and Mr. Ranking Member, thank you for hosting this hearing. Mr. Purdy, Mr. Leggate, Mr. Freese, Mr. Kepler, and Mr. Geisse, thank you for joining us today to discuss the future cyber security of our nation. I am very interested in how we can improve this critical infrastructure and our nation's security.

In May 2005, the GAO released a report entitled "Critical Infrastructure Protection: Challenges in Addressing Cyber Security." I hope that you will touch on some of the issues raised in this report and suggest potential options to ensure the security of our cyber infrastructure. Information sharing lapses between the public and private sectors are one of the most critical areas raised by the GAO study. It is my hope that today's hearing will help us understand opportunities for improvement. We are pleased to have you with us and I look forward to hearing your testimony.

Chairman BOEHLERT. Thank you very much, Mr. Gordon, for those very well thought out and well reasoned arguments.

Once again, as so frequently occurs on this committee, there is not strong disagreement. There is strength in the compatibility of our views as we go forward on a very important subject.

Part of the problem is over at the Roberts hearing there are probably 200 press people. You know how this announcement of a hearing on cyber security is greeted outside the Committee room? With a muffled yawn, "Oh, what is cyber security?" This is a very important topic.

So let me, once again, express to all of you my deep and personal appreciation for your willingness to be guides for those of us sitting on this side of the witness table.

And Mr. Purdy, please relay to the Secretary our appreciation for the fact that he has announced the creation of the Assistant Secretary for Cyber Security position. I would hope that would be filled in a timely manner. I know attention is diverted in this critical period, in the aftermath of Katrina. All of the resources of the Federal Government, on the domestic side, are focused on that, understandably so. But that soon will be over. We are on the way to recovery and rebuilding one of the most important areas of the country.

Now we have got to get on with the job of cyber security. And I will say to my friends down in the Administration, particularly those who have the heavy responsibility of working for OMB, the Office of Management and Budget, that I would remind them that we passed the Cyber Security Research and Development Act in 2002. It wasn't yesterday. It wasn't last month. It wasn't last year. It was 2002.

But unfortunately, we don't control the purse strings. So we can determine the seriousness of the problem. We can provide direction in authorizing funds to address the problem in a comprehensive and meaningful way, but we don't control the purse strings. The appropriators, our colleagues on the Appropriations Committee, do. The people developing the budget, the people at OMB, do. And they better get a message from this hearing: this is a priority subject and it better get the priority attention it deserves, including within DHS and within the entire Executive Branch and the Legislative Branch of government.

Now with that, let me introduce our panel of very distinguished witnesses: Mr. Donald Purdy, Acting Director, National Cyber Security Division, the Department of Homeland Security; Mr. John Leggate, Chief Information Officer and Group Vice President, Digital & Communications Technology, BP; Mr. David Kepler, Corporate Vice President of Shared Services and Chief Information Officer, the Dow Chemical Company; Mr. Gerald Freese, Director of Enterprise Information Security, American Electric Power.

And for the purpose of an introduction, the Chair is pleased to recognize Mr. Akin.

Mr. AKIN. Thank you, Mr. Chairman.

And I really appreciate this opportunity to introduce a native son of the Show Me State, Andy Geisse, the Chief Information Officer of SBC. Andy grew up in my hometown in St. Louis, earned a Bachelor's degree in economics and mathematics from the University of Missouri, Columbia, and an MBA from Washington University also in St. Louis.

And he has had a long and illustrious career with SBC Communications, starting back in 1979 where he began as Assistant Manager in the comptroller's department of SBC's predecessor corporation, Southwestern Bell. He then held a variety of information technology, sales, and strategic marketing positions, including serving as the Director for Wireless Product Development for Southwestern Bell Mobile Systems, and Vice President and General Manager for Southwestern Bell Mobile Systems' Oklahoma and West Texas regions.

In 1995, he moved to Santiago, Chile, and served as Vice President and Chief Executive Officer of VTR Cellular. He later became President of the Board of STARTEL Communications, the first nationwide cellular company in Chile. SBC has interests in both companies.

In January of 1998, Andy moved to New York as President and General Manager of SBC's Cellular One upstate New York subsidiary. Later, he moved and became Vice President of Enterprise and OSS Systems for SBC and its subsidiaries located in California. In October of 1999, Andy was appointed Senior Vice President, Enterprise Software Solutions, responsible for corporate-wide software solutions, where he relocated again to San Antonio, Texas. And boy, the mileage is piling up here, Andy.

SBC Communications is an important and valued corporate citizen of St. Louis and Missouri. It has been a distinct pleasure working with the fine employees of SBC to ensure the citizens of my District receive excellent telecommunications services.

On behalf of Chairman Boehlert and other Members of this fine committee, welcome to Congress, Andy. Thank you.

Chairman BOEHLERT. Wow. That is quite an introduction. You know what I learned from that? It is an experience in upstate New York that makes you a very valued member for this panel.

Mr. AKIN. He has got something for everybody, Mr. Chairman.

Chairman BOEHLERT. Thank you very much, Mr. Akin.

And I ask unanimous consent that our colleague, Mr. Sessions of Texas, be permitted to sit in on this hearing. He is a very valuable Member of the entire Congress and one who is deeply and personally interested in the matter before the Committee. Mr. Sessions, do you have anything you would care to say?

Mr. SESSIONS. Mr. Chairman, thank you so much. It is good to be back over here. I have been gone from the Science Committee now for seven years.

Mr. Chairman, one might assume, after Mr. Akin and myself, that it is an Andy Geisse Day in Congress, but I wanted to take just a moment. He has been properly introduced by the gentleman from Missouri. Mr. Geisse and I have known each other for 22 years, during which time I have known Andy and his family. During the service that I spent some two years as Vice Chairman of the Cyberscience Research and Development Subcommittee for Homeland Security, I counted on Andy to provide information to me, background information that would help me to better serve not only this nation, but also that committee. And I am very happy that SBC has chosen to send Mr. Geisse up here. He is a dear friend, and I think he will add a lot to today's hearing.

And I want to thank you for allowing me to sit with you and the Members of this committee.

I yield back the time.

Chairman BOEHLERT. Thank you very much, Mr. Sessions. I do appreciate it.

Now to our witnesses. And the rule here is essentially the same as in most Committees. We ask that you try to summarize your opening statement in five minutes or thereabouts. And I am usually offended when I make that announcement, because we have very distinguished witnesses who have so much to offer and to ask them to capsulize their thinking in 300 seconds or less is sort of unrealistic. And so the Chair is not going to be arbitrary. You are the only part of the only panel we will have before us today, and you all have so much value to add to our knowledge base. So I would ask that you be guided by the lights, not directed by the lights.

With that, Mr. Purdy, you are first up.

STATEMENT OF MR. DONALD “ANDY” PURDY, JR., ACTING DIRECTOR, NATIONAL CYBER SECURITY DIVISION, DEPARTMENT OF HOMELAND SECURITY

Mr. PURDY. Good morning, Chairman Boehlert and distinguished Members of the Committee. My name is Andy Purdy. I am the Acting Director of the Department of Homeland Security's National Cyber Security Division.

I am delighted to appear before you to share the work of NCSD and those with whom we are partnering to secure our national cyberspace and critical infrastructure.

Pursuant to President Bush's Homeland Security Presidential Directive 7 (HSPD-7), our Infrastructure Protection Office developed the National Infrastructure Protection Plan (NIPP) to serve as a guide for addressing critical infrastructure and key resource pro
