
look to leverage those standards as potential baselines in our efforts and are glad to see vendors meet such useful guidelines.

How should federal agencies, such as DHS, the National Science Foundation, the National Institute of Standards and Technology, and the Defense Advanced Research Projects Agency, and the academic researchers work with industry to define priorities for and support research in these areas?

Cyber security must become a priority in the creation of new information technologies. To date, security components for information technologies often appeared to be an afterthought. Examples of this can be seen in early versions of cellular and Wi-Fi technologies, where calls could be intercepted, cell phones cloned, and data snooping could occur.

Internet Protocol (IP) based services wrestle constantly with the need to traverse the same network paths where unscrupulous persons may have the ability to interfere, impede, or intrude on the service itself. IP based services must find new ways to protect the content of each packet that is carried and delivered in this shared Internet world.

We have all seen that virus and worm attacks have risen over the past several years. Research focus on how to prevent the distribution of malicious content through viruses, worms, and e-mail should be a high priority for all industries that use the Internet for communications and business. The ability to detect and remove unwanted data content and attacks as they progress through the network is more desirable than expecting each end device to have the same ability to protect itself from its neighbors on the networks.

Admittedly, security requirements interfere with convenience of the product or service offered. However, we need cyber security and software development standards that insist new technologies embrace security as part of their evolution and development. In this way, society as a whole benefits through improved assurance of integrity, reliability, service, and subsequent reduced resource costs to support those services.

SBC is committed to work with the information industry to build the next generation of Internet-based voice, video and data communications, securely.

What are the most critical responsibilities of the Department of Homeland Security (DHS) in cyber security for the communications sector and what are the most urgent steps the new Assistant Secretary for Cyber Security and Telecommunications should take?

Mr. Chairman and Members of the Committee, your assistance to focus industry attention on cyber security is greatly appreciated. We encourage the Department of Homeland Security to continue:

• to support research grants and assistance that focus on National cyber security,

• to support industry organizations and government agencies that create security standards and best practices,

• to continue to provide early warnings of security events, through various government agencies,

• and to make sure the security best practices that various critical government agencies develop are shared with our critical infrastructure industries.

I would like to add that you should make sure our laws carry serious penalties for cyber security issues and that the instigators are prosecuted to the full extent of the law. It must become a major crime. It is no longer just kids playing with computers. The attacks are serious.

Thank you for the opportunity to appear before you today. The work you are doing is critical to our future as a nation. Cyber terrorism is a real threat and we must stay diligent.

BIOGRAPHY FOR ANDREW M. GEISSE

Andy Geisse, Chief Information Officer, is responsible for Information Technology, Payroll and Billing Operations for SBC Communications, Inc. and its subsidiaries. He was appointed to this position in October 2004 and is located in San Antonio, Texas.

Andy began his telecommunications career in 1979 with Southwestern Bell Telephone Company as Assistant Manager for the comptrollers department. He then held a variety of information technology, sales, and strategic marketing positions for Southwestern Bell and SBC Communications Inc. Andy served as Executive Director, Wireless Product Development for Southwestern Bell Mobile Systems and Vice President and General Manager for Southwestern Bell Mobile Systems' Oklahoma and West Texas regions.

In 1995, he moved to Santiago, Chile, and served as Vice President and Chief Executive Officer of VTR Cellular. He later became President of the Board of STARTEL Communications, the first nationwide cellular company in Chile. SBC had interests in both companies.

In January 1998, Andy moved to New York, as President and General Manager of SBC's Cellular One upstate New York subsidiary. Later that year, he became Vice President Enterprise and OSS Systems for SBC and its subsidiaries, located in San Ramon, California. In October 1999 Andy was appointed Senior Vice President, Enterprise Software Solutions, responsible for corporate-wide software solutions.

Andy grew up in Minneapolis, Minnesota, and St. Louis, Missouri. He earned a Bachelor's degree in Economics and Mathematics from the University of Missouri-Columbia and an M.B.A. from Washington University in St. Louis. He and his wife, Jane, have four children.


Thank you for the invitation to testify before the Committee on Science of the U.S. House of Representatives on September 15th for the hearing entitled "Cybersecurity: How Can the Government Help Address Vulnerabilities in Critical Industries?" In accordance with the Rules Governing Testimony, this letter serves as formal notice of the federal funding SBC Communications Inc. (“SBC”) currently receives related to the hearing topic.

Specifically, SBC has received no federal funding directly supporting the subject matter on which I will testify in the current fiscal year or either of the two preceding fiscal years.

Sincerely,

DISCUSSION

Chairman BOEHLERT. Thank you very much, and thank all of you.

You know, one of the dangers of a hearing dealing with a sensitive subject like this is that we provide fire for tabloid trash. And I darn sure don't want to go to my supermarket checkout counter next week, and I do the grocery shopping incidentally, and read a headline that says, you know, "Science Committee Warns Cyber Katrina Imminent."

Now having said that, and taking that risk, using DHS's own color-coding system, I would say the threat is, at a minimum, at best, yellow, and perhaps even orange.

My question to all of you is do you think collectively, one, the private sector gets it and understands the full dimensions and implications, and two, the government understands the full dimensions and potential implications?

Let me ask each of you. Mr. Geisse?

Mr. GEISSE. Yes, Chairman Boehlert.

I believe the private sector understands it is critical, and I also do believe the government does as well.

But I think it is sometimes an afterthought in the sense that it is more of a technology issue and it is not only a technology issue. It is truly a part of our critical infrastructure and something that we have to be focused on as a country.

Chairman BOEHLERT. Mr. Freese.

Mr. FREESE. I think both the government and the private sector understand the issues. I see some basic fundamental problems, though, in addressing these issues as a combined force. Just as I referred to in my comments, information sharing with DHS has got to be extremely frustrating for them. They ask for information on critical infrastructure assets. We can't provide that, because there is no way that they can protect that information. It stalls the whole process.

Chairman BOEHLERT. So it is very necessary for the government and the private sector to cooperate, but you don't have the confidence

Mr. FREESE. Absolutely.

Chairman BOEHLERT.—that the information you share, and that is very important information to determine vulnerability and response capability. You are concerned about providing that, because you are concerned about the security of sharing proprietary information-all right.

Mr. FREESE. That is correct, Mr. Chairman.

And that has been going on for a couple of years now.

Chairman BOEHLERT. Well, we are going to change it.

Mr. Kepler.

Mr. KEPLER. Yes, I think industry has put the time into this thing and understands the risks-based approach. The concern I would have is that there is a lot of problems in cyber security and are we focused on getting the right solutions for the major issues so at the end you can work on everything and not be effective in anything. And I think we really have to be focused on the major, national impacts as a first wave of fixing things.

Chairman BOEHLERT. Mr. Leggate.

Mr. LEGGATE. I would say, in my experience, that most boards get it. Most boards who run serious companies understand their dependency, in this age, on this whole digital environment. So that, I think, is done.

Whether small businesses understand the services that they need for everyday transactions, I am not sure about that.

On the government level, I would say in the United States, maybe-who understand entirely departmentally the issue. Where the challenge comes, I think, is to put this into practical action in a timely way and to then set a set of priorities become of-almost a national plan to do things very quickly in a focused way, not across a whole landscape, but just nail the big issues. And to me, that is where the gap is.

Chairman BOEHLERT. Yes. And let me ask, and one of the lessons learned from Katrina is diffused responsibility. Everybody's responsibility tends to be no one's responsibility. Where would you suggest the focal point should be? I am encouraged, as I hope you are, that the Secretary has announced the creation of an Assistant Secretary for Cyber Security and Telecommunications. Would that be the focal point? I mean, there is somebody that has to be sort of at the center of coordinating all of these activities. You can't have 14 people the center of coordination, because they don't coordinate amongst themselves.

Where would you suggest that be?

Mr. Leggate.

Mr. LEGGATE. Well, I would separate the notion of coordination from accountability. So coordination is a fine thing to do, and done well is good. But where do we look for the ultimate accountability for the service level we get from the Internet? To whom do we look of that? And so I think big steps to go forward to improve coordination, but I do think at some level we must actually break through into accountabilities that isn't visible today.

Chairman BOEHLERT. Mr. Kepler.

Mr. KEPLER. Yes. I think information technology is pervasive, so the idea that you would have a focused effort on cyber security, we think, is exactly correct. But to John Leggate's point is that when you think about emergency response, you think about physical securing of critical infrastructure. Those also have Internet impacts. So the you can't separate all of these things in the Departments and have them link together. You have to have coordination but then recognition that these bodies really have to work together to come with come up with common capabilities to, you know, defend, protect, and respond.

Chairman BOEHLERT. Mr. Freese.

Mr. FREESE. I agree. I think the coordination, I think, should lie at that new position's role. But again, and I may sound like a broken record here, but if there is going to be a coordination point, there has to be representation, and strong representation, from the private sector to assist in that coordination, because I have seen too many times in the past, it looks like a good thing to do from an overall perspective, but it is not focused to where it really needs to be.

Chairman BOEHLERT. Mr. Geisse.

Mr. GEISSE. Well, I think you brought up a good point, Mr. Chairman. I think we have lots of agencies focused on cyber security, but we don't have a single, real focal point. And maybe by the Department of Homeland Security setting this up, it should help do that.

Chairman BOEHLERT. So I would take it that your reaction is the same as mine: the welcoming of the announcement by the Secretary that we are going to have a new Assistant Secretary for Cyber Security and Telecommunications, the sooner the better.

Mr. GEISSE. Yes, sir.

Chairman BOEHLERT. But that is progress. We are moving in the right direction.

The red light is on for me. And I have got to practice what I preach, so I have got to shut up and now recognize Mr. Gordon.

Mr. GORDON. Thank you, Mr. Chairman.

And because we do have that red light, in all due respect, I would like for you to try to be crisp in your answers. And let me tell you, I want to ask each of our industry sector representatives to tell me what they think about how vulnerable your sector might be to a serious, focused, cyber attack; what could be the consequences of that attack for your industry; and what role would you suggest for Homeland Security or other parts of the Federal Government in trying to help you develop a plan and also more preferably, avoid that, and then if there is something that happens, the recovery?

And while you are thinking about that, let me quickly ask a question for Mr. Purdy.

Mr. Purdy, I recognize you are just recently been appointed the Acting Director of the agency, and so all of the either omissions or, probably more likely, the low priority that the agency has placed toward cyber security over the last four years can't be laid at your feet. But it seems like your testimony mostly was a litany of things you want to do or you are starting to do and that, really, the only plans are really just a framework document. This is concurred by the General Accounting Office, which had a report this summer that said the DHS has not yet developed national cyber threat and vulnerability assessments or government industry contingency recovery plans for cyber security. And so my really simple question is, when do you estimate these assessments and recovery plans will be in place?

Mr. PURDY. Well, attempting to comply with your request that we be succinct, let me say that I am proud to associate myself with the activity of the Department of Homeland Security since it was set up. I worked on the National Strategy to Secure Cyberspace on the White House staff and then came over to the Department to help set up this agency, and I have been Acting Director since October of last year.

We have made tremendous progress in building our watching warning capability

Mr. GORDON. Yes, and I don't mean to be disrespectful, but I said one simple question. When do you estimate that these assessments and recovery plans will be in place?

Mr. PURDY. We have a couple different levels. The fundamental response to attacks is the ESF-2, is the communications piece,
