
• Mapping the current capabilities of government agencies related to cyber defense relative to detection and recognition of cyber activity of concern, attribution, response and mitigation, and reconstitution;

• Identifying capabilities within the government that US-CERT should leverage to maximize interagency coordination of cyber defense capabilities;

• Performing a gap analysis to identify the surge capabilities for possible leverage by, or collaboration with, the US-CERT for cyber defense issues in order to detect potentially damaging activity in cyberspace, to analyze exploits and warn potential victims, to coordinate incident responses, and to restore essential services that have been damaged; and

• Consider establishing formal resource sharing agreements with the other agencies per the cyber defense coordination needs identified through the process identified above.

An important element of a National Cyberspace Response System is our ability to address the global nature of cyberspace. Implementation of NCSD's international cyber security strategy and its related outreach and collaboration objectives is well underway, as we participate in bilateral and multilateral outreach efforts and have established cooperative programs with key allies and countries of interest. Such international cooperation contributes to our overall global situational awareness and incident response capabilities in an area in which information moves at Internet speed and traditional borders do not apply.

With our efforts, accomplishments, and on-going programs, NCSD has made significant progress in managing cyber incidents and has taken substantial strides toward building a National Cyberspace Response System. We know there is more to do, and we are enhancing and evolving our readiness and response programs to further our efforts and address this dynamic environment.

Priority 2-Cyber Risk Management: Assessing the Threat and Reducing the Risk

NCSD incorporated a risk management approach aligned with HSPD-7 and the resulting interim NIPP into its effort to better assess the threat and reduce the risk to our national cyberspace. Risk management includes risk assessment based on threat, vulnerabilities, and consequences, as well as efforts to reduce the risk by addressing vulnerabilities before an attack occurs, and mitigating and managing the consequences of a cyber attack that does occur. The NIPP risk management framework entails work with the intelligence community, law enforcement, and the private sector to better understand the cyber threat and a collaborative partnership between the private sector and Federal, State, and local governments looking at people, cyber, and physical assets to identify and prioritize those assets, assess vulnerabilities, and coordinate the protection of critical infrastructure and key resources.

With regard to assessing the threat, NCSD collaborates with the law enforcement and the intelligence communities in a number of ways. DHS assisted in the coordination of cyber-related issues for the "National Intelligence Estimate (NIE) of Cyber Threats to the U.S. Information Infrastructure." The resulting classified document issued in February 2004 details actors (nation states, terrorist groups, organized criminal groups, hackers, etc.), capabilities, and intent (where known). In addition, NCSD has infused cyber requirements into the Standing Information Needs (SINs) and Priority Information Needs (PINs) for the intelligence community and continues to collaborate with them through IA to characterize cyber threats for accuracy. Finally, the NCRCG includes law enforcement and intelligence agencies and has working groups addressing botnets and attribution issues.

The private sector is also a resource for threat and risk related information, and NCSD works with its industry stakeholders to gather and communicate that information. The US-CERT Internet Health Service enables US-CERT to gather information from private sector resources regarding vulnerabilities, network attacks, and malicious code activity and provide that information to federal agencies. In addition, NCSD has identified preparedness and response as a key area of joint public-private effort and is working with the critical infrastructure sectors to identify attack/threat scenarios against which proactive protective measures can be taken and response plans can be developed. And, DHS utilizes the ISACs and critical sector elements of the HSIN to obtain and share cyber security information.

With regard to reducing the risk, DHS's SSA responsibilities under the NIPP include the Information Technology (IT) Sector and the Telecommunications Sector. Specifically, NCSD coordinates the IT Sector, and the National Communications System (NCS), another of the divisions in the IP directorate, coordinates the Telecommunications Sector. Reflecting the increasing convergence between these two communications sectors in today's market, NCSD and NCS work together closely to coordinate all efforts to protect the Nation's critical cyber systems and the telecommunications transport layer.

The NIPP includes a cross-sector cyber responsibility for NCSD in addition to its IT Sector responsibility. The cross-sector responsibility is the collaborative effort between DHS/NCSD and the SSAs to ensure that deployed cyber elements have been secured in an appropriate and consistent manner across sectors. NCSD is responsible for providing cyber guidance to all sectors assisting them in understanding and mitigating cyber risk (including cyber infrastructure vulnerabilities) and in developing effective and appropriate protective measures. This guidance includes contributing cyber elements to the NIPP, reviewing the cyber aspects of the respective Sector Specific Plans (SSPs), and delivering cyber Critical Infrastructure Protection (CIP) training to SSAs to help them enhance the cyber aspects of their SSPs.

To implement these two NIPP Cyber elements, NCSD works with the Information Technology Information Sharing and Analysis Center (IT-ISAC) and the newly established Information Technology Sector Coordination Council (IT-SCC), as well as with the SSAs, ISACs and emerging SCCs in the other sectors.

In addition to NCSD's specific NIPP responsibilities, there are three major components to our cyber risk mitigation approach: the Internet Disruption Working Group (IDWG), the Control Systems Security Program, and the Software Assurance Program.

Protection of critical cyber assets goes hand-in-hand with protection of critical telecommunications assets; accordingly, NCSD and NCS are working closely together to collaborate on issues related to threats, identification of critical cyber assets, vulnerability and risk assessments, and development of appropriate protective measures that could be recommended for implementation by owners/operators. Within the NIPP framework, NCSD and NCS established the Internet Disruption Working Group (IDWG) in December 2004 to address the resiliency and recovery of Internet functions in case of a major cyber incident. The Department of Treasury and the Department of Defense are also engaged, and the working group is acting to extend the partnership to representatives from the private sector as well as international stakeholders. The IDWG reflects the convergence of telecommunications and information technology sectors in today's environment and the emergence of Next Generation Networks (NGN) that will compose the Internet of the future. An initial focus of the working group is to identify near-term actions related to situational awareness, protection, and response that government and its stakeholders can take to better prepare for, protect against, and mitigate nationally significant Internet disruptions.

The interdependency between physical and cyber infrastructures is hardly more acute than in the use of control systems as integral operating components by many of our critical infrastructures. "Control Systems" is a generic term applied to hardware, firmware, communications, and software used to perform vital monitoring and controlling functions of sensitive processes and enable automation of physical systems. Specific control systems used in the various critical infrastructure sectors include Supervisory Control and Data Acquisition (SCADA) systems, Process Control Systems (PCS), and Distributed Control Systems (DCS).

Examples of the critical infrastructure processes and functions that control systems monitor and control include energy transmission and distribution, pipelines, water and pumping stations, telecommunications, chemical processing, pharmaceutical production, rail and light rail, manufacturing, and food production. Increasingly, these control systems are implemented with remote access, open connectivity, and connections to open networks such as corporate intranets and the Internet. These sophisticated information technology tools are making our critical infrastructure assets more automated, more productive, more efficient, and more innovative, but they also may expose many of those physical assets to physical consequences from new, cyber-related threats and vulnerabilities.

To assure immediate attention is directed to protect these systems, NCSD established the Control Systems Security Program to coordinate efforts among Federal, State, and local governments, as well as control system owners, operators, and vendors to improve control system security within and across all critical infrastructure sectors. As part of this Program, NCSD developed a Control Systems Strategy that incorporates five highly integrated goals to address the issues and challenges associated with control systems security. As such, our control systems activities support NCSD's overall efforts to address cyber security across critical infrastructure sectors over the long-term, as well as the US-CERT's capability in the management, response, and handling of incidents, vulnerabilities, and mitigation of threat actions specific to critical control systems functions. NCSD also recognizes the significant attention being paid to PCS and SCADA security by various industry organizations in developing encryption standards, cryptography, modeling, and other tools to improve cyber security of control systems.

NCSD also established the US-CERT Control Systems Security Center (CSSC) in partnership with Idaho National Laboratory (INL) and other Department of Energy National Laboratories4 in June 2004. The CSSC is involving other partners from control systems industry associations, universities, control systems vendors, and industry experts. Since its establishment, the CSSC has made considerable progress and some of its major accomplishments include:

• Established the US-CERT CSSC assessment and incident response facility located at INL and a US-CERT Support Operations Center for Control Systems;

• Established relationships with more than 25 potential industry partners and completed several agreements that established initial assessment, analysis, and vulnerability reduction plans within various industry sectors;

• Created the Critical Infrastructure Cyber Consequence Matrix to determine the industries of most concern, and a list of specific sites from the National Asset Database where Control Systems could cause a negative consequence due to failure or attack;

• Created a quantitative control systems cyber risk/decision analysis measurement methodology; and,

• Established the Process Control System Forum (PCSF) (in partnership with DHS's Science and Technology Directorate) with industry, academia, and government to accelerate the development of technology that will enhance the security, safety, and reliability of Control Systems, including legacy installations.

At the same time that the telecommunications and financial sectors have increased their dependence on information systems overall for information flows, service provision, and financial transactions, the energy, chemical, nuclear, food and agriculture, transportation, and water sectors have become increasingly dependent on process control systems for their critical operations. To more fully utilize the Matrix for analysis on the nature of consequences of attacks on the various sectors for risk management purposes, more information is needed about how these various sectors are using process control systems and the subsequent interdependencies.

Future FY05 and FY06 activities for NCSD's Control Systems Security Program include efforts to:

• Develop a comprehensive set of control systems security assurance levels for owners and operators;

• Sponsor government/industry workshops to increase awareness among control systems owners and operators of potential cyber incident impacts and vulnerabilities;

• Develop, populate, and validate control systems security scenario assessment tools to provide response teams a web-based application to assess impacts;

• Assess a minimum of three core systems and provide solutions to vulnerabilities and recommendations to protect against cyber threats; and

• Develop the US-CERT CSSC web page for information exchange.

The third major component of NCSD's cyber risk management program is our Software Assurance Program. Software is an essential component of the Nation's critical infrastructure (power, water, transportation, financial institutions, defense industrial base, etc); however, defects in software can be exploited to launch cyber attacks as well as attacks against the critical infrastructure. NCSD developed a comprehensive software assurance framework that addresses people, process, technology, and acquisition throughout the software development lifecycle.

As part of the shared responsibility approach to cyber security, DHS is working to achieve a broader ability to routinely develop and deploy trustworthy software products. As such, DHS is shifting the security paradigm from "patch management" to "software assurance" by encouraging U.S. software developers to raise the bar on software quality and security. In collaboration with other federal agencies, academia, and the private sector, we are:

• Sponsoring the development of a repository of best practices and practical guidance for the software development community;

• Developing a software assurance common body of knowledge from which to develop curriculum for education and training;

• Examining recommendations from the Networking and Information Technology Research and Development (NITRD), Software Design and Productivity (SDP), and High Confidence Software and Systems (HCSS) coordination groups and anticipating greater direct engagement with them in the future;

• Facilitating discussions with industry and academic institutions through Software Assurance Forums;

• Collaborating with NIST to inventory software assurance tools and measure effectiveness, identify gaps and conflicts, and develop a plan to eliminate gaps and conflicts;

• Completing the DHS/Department of Defense co-sponsored comprehensive review of the National Information Assurance Partnership (NIAP)5 with the draft report to be published in September 2005; and

• Promoting investment in applicable software assurance research and development.

DHS will seek to reduce risks by raising the level of trust for all software, minimizing vulnerabilities and understanding threats. DHS will collaborate with government, industry, academic institutions, and international allies to achieve these software assurance objectives.

4 Idaho (INL), Pacific Northwest (PNNL), Los Alamos (LANL), Argonne (ANL), Sandia (SNL), Savannah River (SRNL)

Another important cyber element of national infrastructure protection is the proliferation of the Internet in our society and daily lives. To mitigate the risks inherent in the rapidly growing user base and increasing usage, NCSD is engaged in a cyber security awareness program that leverages a variety of partners including the National Cyber Security Alliance, the Multi-State ISAC, and the Federal Trade Commission, among others, to reach out to the home user, K-12, small business, and higher education audiences to raise the American public's awareness of cyber risks and security measures.

Research and Development for Cyber Security and Critical Infrastructure Protection

Cyber-related research and development (R&D) is vital to improving the resiliency of the Nation's critical infrastructures. This difficult strategic challenge requires a coordinated and focused effort from across the Federal Government, State and local governments, the private sector, and academia to advance the security of critical cyber systems.

A critical area of focus for DHS is the development and deployment of technologies to protect the Nation's cyber infrastructure, including the Internet and other critical infrastructures that depend on IT systems for their mission. Two components within DHS share responsibility for cyber R&D, with the Science & Technology (S&T) Directorate serving as the primary agent responsible for executing cyber security R&D programs. NCSD has responsibility for developing requirements for DHS' cyber security R&D projects.

The S&T Directorate's mission is to conduct, stimulate, and enable research, as well as to develop, test, evaluate, and transition homeland security capabilities to federal, State and local operational end-users. The goals of the DHS S&T Directorate's Cyber Security R&D program are to:

• Perform R&D aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;

• Develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the Nation's critical information infrastructure; and

• Facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

NCSD supports the overall DHS R&D mission by identifying areas for cyber innovation and coordinating with S&T. NCSD collects, develops, and submits cyber security R&D requirements to provide input to the federal cyber security R&D community and specifically to inform the DHS S&T Directorate's cyber security research priorities.

5 The National Information Assurance Partnership, established in August of 1997, is a joint effort between NIST and NSA to provide technical leadership in security-related information technology test methods and assurance techniques. NIAP uses the Common Criteria to evaluate and certify commercial off the shelf (COTS) products. There has been much discussion in past years on the effectiveness (time and cost) of the NIAP process. As a result, the National Strategy to Secure Cyberspace recommended an independent review of the program be conducted to make recommendations for its improvement.

DHS S&T's Cyber Security Research and Development Center is currently working on several projects that support the recommendations of the National Strategy to Secure Cyberspace, while addressing the vulnerabilities of critical systems and infrastructures. The major areas are:

• Working with industry to develop secure routing protocols for the core of the Internet.

• Development of a cyber security test bed for researchers and developers.

• Establishment of a large database of anonymized data collected from the Internet to support research on new cyber security tools and techniques.

• Partnering with the government of Canada on a joint experiment involving the handheld BlackBerry data devices for secure communications between first responders.

• Funding research on understanding and countering emerging Internet threats.

• Funding small business innovative research in the development of new cyber security products.

• Coordination with the Institute for Information Infrastructure Protection (I3P) on the development of new technologies for securing SCADA systems and networks and analyzing the economics of cyber security.

To support and document cyber security R&D initiatives across the Federal Government, NCSD participates in the Cyber Security and Information Assurance Interagency Working Group (CSIA IWG), co-chaired by S&T and the Office of Science and Technology Policy (OSTP). Participants include the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), the National Institute of Standards and Technology (NIST) and many others. By reporting to both the Infrastructure Subcommittee and NITRD, the CSIA IWG is positioned to coordinate cyber security and information assurance R&D across agencies, while ensuring that the security of critical infrastructures is emphasized. The CSIA IWG is currently completing the Federal Cyber Security and Information Assurance R&D Plan.

Moving Forward

In connection with the National Infrastructure Protection Plan, efforts are underway to assess cyber threats, reduce vulnerabilities and identify significant interdependencies. These efforts will be fully implemented as the SSAs implement their portion of the NIPP. In partnership with NCS and other agencies, we are working through the Internet Disruption Working Group to address the resiliency and recovery of Internet functions in the case of a major cyber incident. We have established a Control Systems Security Program to address core operating systems of critical infrastructure sectors. And, we are working with the government, private sector, and academia to promote the integrity and security of software. We continue to enhance our cyber incident readiness and response system, and we coordinate with our private sector stakeholders to provide protective guidance to our stakeholders through US-CERT. We are conducting a major exercise later this year to test the Cyber Annex to the National Response Plan. Through this effort, we will pull together appropriate entities in the Federal Government, State governments, and appropriate private sector stakeholders to test our capabilities and, subsequently, to improve our incident management process.

We are committed to achieving success in meeting our goals and objectives, but we cannot do it alone. We will continue to meet with industry representatives, our government counterparts, academia, and State representatives to formulate the partnerships needed for productive collaboration and leverage the efforts of all, so we, as a nation, are more secure in cyberspace and in our critical infrastructures. Again, thank you for the opportunity to testify before you today. I would be happy to answer any questions you may have at this time.

BIOGRAPHY FOR DONALD A. (ANDY) PURDY, JR.

In October 2004, Donald A. (Andy) Purdy, Jr. was appointed by Secretary Ridge as the Acting Director of the National Cyber Security Division (NCSD) for the Department of Homeland Security, within the Information Analysis and Infrastructure Protection (IAIP) Directorate. The IAIP Directorate identifies and assesses a broad range of intelligence information concerning threats to the people and communities
