
CYBER SECURITY: U.S. VULNERABILITY AND PREPAREDNESS

THURSDAY, SEPTEMBER 15, 2005

HOUSE OF REPRESENTATIVES,

COMMITTEE ON SCIENCE,

Washington, DC.

The Committee met, pursuant to call, at 10:00 a.m., in Room 2318 of the Rayburn House Office Building, Hon. Sherwood L. Boehlert [Chairman of the Committee] presiding.

COMMITTEE ON SCIENCE

U.S. HOUSE OF REPRESENTATIVES

Cyber Security: U.S. Vulnerability and Preparedness
Thursday, September 15, 2005
10:00 a.m. - 12:00 p.m.

2318 Rayburn House Office Building (WEBCAST)

Witness List

Mr. Donald "Andy" Purdy
Acting Director

National Cyber Security Division
Department of Homeland Security

Mr. John Leggate

Chief Information Officer & Group Vice President
Digital & Communications Technology
BP Plc.

Mr. David Kepler

Corporate Vice President of Shared Services & Chief Information Officer
The Dow Chemical Company

Mr. Gerald Freese

Director of Enterprise Information Security
American Electric Power

Mr. Andrew Geisse
Chief Information Officer
SBC Services Inc.

Section 210 of the Congressional Accountability Act of 1995 applies the rights and protections covered under the Americans with Disabilities Act of 1990 to the United States Congress. Accordingly, the Committee on Science strives to accommodate/meet the needs of those requiring special assistance. If you need special accommodation, please contact the Committee on Science in advance of the scheduled event (3 days requested) at (202) 225-6371 or FAX (202) 225-0891.

Should you need Committee materials in alternative formats, please contact the Committee as noted above.

HEARING CHARTER

COMMITTEE ON SCIENCE

U.S. HOUSE OF REPRESENTATIVES

Cyber Security: U.S. Vulnerability and Preparedness

THURSDAY, SEPTEMBER 15, 2005

10:00 A.M.-12:00 P.M.

2318 RAYBURN HOUSE OFFICE BUILDING

1. Purpose

On Thursday, September 15, 2005, the House Science Committee will hold a hearing to examine the extent of U.S. vulnerability to cyber attacks on critical infrastructure such as utility systems, and what the Federal Government and private sector are doing, and should be doing, to prevent and prepare for such attacks. The hearing will also examine what duties should be given to the new Assistant Secretary for Cyber Security and Telecommunications at the Department of Homeland Security.

2. Witnesses

Mr. Donald "Andy" Purdy is Acting Director of the National Cyber Security Division at the Department of Homeland Security (DHS). Prior to joining DHS, he served as senior advisor for Information Technology Security and Privacy to the President's Critical Infrastructure Protection Board.

Mr. John Leggate is the Chief Information Officer at BP Inc. (formerly known as British Petroleum). In addition, he is Chairman of the Chief Executive Officers' Roundtable on Digital and Cyber Infrastructure Security at the industry organization Business Executives for National Security.

Mr. David Kepler is Corporate Vice President of Shared Services and Chief Information Officer of The Dow Chemical Company. In addition, he leads the Chemical Sector Cyber Security Information Sharing Forum, an industry association.

Mr. Gerald Freese is the Director of Enterprise Information Security at American Electric Power, one of the largest electric utilities in the United States. He has also been active in the North American Electric Reliability Council-coordinated development of cyber security standards for the energy industry.

Mr. Andrew Geisse is the Chief Information Officer of SBC Services Inc. (formerly Southwestern Bell Corporation), the largest telecommunications carrier in the United States.

3. Overarching Questions

• How do critical infrastructure sectors depend on public and private information systems? What are the possible consequences for these sectors of disruption or attack on their information systems? What steps are being and should be taken to secure these systems?

• What are the most critical responsibilities of the Department of Homeland Security (DHS) in cyber security for critical infrastructure sectors, and what are the most urgent steps the new Assistant Secretary for Cyber Security and Telecommunications should take?

• In what areas are current cyber security technical solutions for critical infrastructure sectors inadequate? Where is further research needed to mitigate existing and emerging threats and vulnerabilities? How should federal agencies, such as DHS, the National Science Foundation (NSF), the National Institute of Standards and Technology (NIST), and the Defense Advanced Research Projects Agency (DARPA), and academic researchers work with industry to define priorities and support research in these areas?

4. Issues

Is the U.S. adequately protecting critical information systems, and is the U.S. able to detect, respond to, and recover from cyber attacks on critical infrastructure?

While industry and the Federal Government have increased their focus on cyber security in recent years, vulnerabilities remain, and many experts believe the U.S. needs to do more. An informal survey by a business group early this year found that in the telecommunications, energy, chemical, and transportation industries, executives estimated that 20 to 35 percent of their revenue depends directly on the Internet. Yet despite the crucial role of information technology, the vulnerabilities in information technology systems are myriad. About 10 new entries are added each day to the National Vulnerability Database (maintained by the National Institute of Standards and Technology), which contains about 12,000 entries describing vulnerabilities in commonly used information technology products. (Statistics about attacks on critical infrastructure are hard to obtain because such attacks are often not reported.)

Is there a clear line of responsibility within the Federal Government to deal with cyber security?

When DHS was formed in 2002, cyber security responsibilities (other than research and development) were assigned to the Assistant Secretary for Infrastructure Protection. Ever since, industry representatives have repeatedly expressed concern that cyber security has been a distant second to physical security in DHS's critical infrastructure protection activities and that the lack of a high-level official dedicated to cyber security has meant that the Department has failed to devote attention and resources to cyber security. In May 2005, the Government Accountability Office (GAO) found that DHS was having trouble with a number of its cyber responsibilities, including developing national cyber threat and vulnerability assessments and government/industry contingency recovery plans for cyber security, establishing effective partnerships with stakeholders, and achieving two-way information sharing with these stakeholders. (The summary of this report is included in Attachment A.) In response to Congressional and industry concerns, the Secretary of Homeland Security created in July the new position of Assistant Secretary for Cyber Security and Telecommunications to bring a higher profile to this area and high level attention to these problems. The position has not yet been filled.

Are private companies doing enough to secure their information systems? To what extent are they coordinating with each other and the Federal Government on cyber security?

The record is mixed. For many companies, it can be difficult to quantify the risks associated with their dependence on information systems and hence difficult to justify investment in cyber security. In other cases, the relevant cyber security technologies may not be available. In many industries, companies have undertaken cyber security activities within industry organizations to set standards, share best practices, and work with information technology companies to improve the security of information systems and increase their cyber security options. (The companies testifying have generally been leaders in taking cyber security seriously.) In some cases, cyber security work has been hampered by the problems in the Federal Government described above. Industry groups have indicated that they do not yet trust the processes for sharing sensitive information related to their cyber security with the government and have not yet been convinced of the value of information and services DHS would provide in return.

What should the priorities be for federal cyber security research and development programs? Is funding for these programs adequate?

Recommended areas for federal cyber security research in general were outlined in the recent report1 of the President's Information Technology Advisory Committee (PITAC) and include monitoring and detection technologies, software quality assurance processes, authentication techniques, mitigation and recovery technologies, and metrics, benchmarks, and best practices. The PITAC report recommended substantial increases in funding at the National Science Foundation (NSF), DHS, and the Defense Advanced Research Projects Agency (DARPA). (Currently, funding for cyber security research programs at NSF and the National Institute of Standards and Technology (NIST) is well below the levels authorized in the Cyber Security Research and Development Act.) The Cyber Security Industry Alliance, an association of cyber security software, hardware and services companies, the Internet Security Alliance, an association of information security users from sectors such as banking, insurance, and manufacturing, and the Information Technology Association of America, a trade association of the information technology industry, have all also publicly recommended increased federal funding for cyber security research and development.

1 The President's Information Technology Advisory Committee released their report, Cyber Security: A Crisis of Prioritization, on March 18, 2005. It is available on line at http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.

5. Brief Overview

• Critical infrastructure2 sectors include electric power generation and transmission, oil and gas production and distribution, communications, chemicals, food production, banking and finance, transportation systems, and water processing systems. These sectors are increasingly dependent on information systems to administer business operations (such as billing and supply chain management) and to monitor and control physical operations (such as manufacturing processes and distribution systems).

• As reliance on information technology grows, the number of ways that critical infrastructure systems can be interfered with and the extent of disruption or damage that can be created via such interference are also growing. In addition, the potential impact of a combined physical and cyber attack on a critical facility (e.g., using disruption of information systems to interfere with response and recovery after an explosion) would be severe.

• Some cyber security products and techniques (such as firewalls, intrusion detection systems, and virus-protection checks) can be used to safeguard many types of standard information systems (e.g., protecting billing systems and customer databases). However, specialized information technology products are often used to manage and control critical infrastructure facilities. These process control systems often use customized or older hardware and software and have different performance requirements and hence may require specialized security solutions and strategies.

• In May 2005, GAO assessed the DHS role in cyber critical infrastructure protection and found that DHS was having trouble with a number of its cyber responsibilities, including developing national cyber threat and vulnerability assessments and government/industry contingency recovery plans for cyber security (including a plan for recovering key Internet functions), establishing effective partnerships with stakeholders, and achieving two-way information sharing with these stakeholders.

• In response to stakeholder and Congressional concerns that DHS needed to make information security, particularly information security for critical infrastructure sectors, a higher priority, the Secretary of Homeland Security announced in July 2005 that the Department would create a new position of Assistant Secretary for Cyber Security and Telecommunications. This new position will have responsibility for identifying and assessing the vulnerability of critical telecommunications infrastructure and assets, providing timely and usable threat information, and leading the national response to cyber and telecommunications attacks.

• In information technology systems, new vulnerabilities and new threats emerge regularly and spread quickly. Cyber security research programs supported by the Federal Government and the private sector develop tools that provide security in the current environment, as well as produce the defenses against the next generation of cyber security risks. Following passage of the Cyber Security Research and Development Act in 2002, funding for National Science Foundation programs in this area has increased; however, at the same time the Defense Advanced Research Projects Agency funding for unclassified research in cyber security has dropped significantly. Other federal cyber security research and development programs exist, particularly at DHS and at the National Institute of Standards and Technology, but these are relatively small.

2 As defined in the USA PATRIOT Act (P.L. 107-56), critical infrastructure is "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters." This definition is used broadly throughout the Federal Government.
