Ms. JOHNSON. Anything wired, people think they can listen to their conversations, get into their private business, look at where they shop, all of that.

Mr. GEISSE. Well, I think, you know, I will answer your question in that your concern about terrorist attack, your concern about information being available on the Internet are real issues, and they are issues that industry has to constantly be looking at to protect our customers' information, which, for example, we do in the phone company religiously. I mean, we take it very, very serious, our customer information and protecting it, and are constantly looking for ways to prevent attacks on that information.

Ms. JOHNSON. Thank you.

Would anybody else like to comment or do you think you are saved by the bell?

Mr. AKIN. The gentlelady's

Ms. JOHNSON. My time is up.

Mr. AKIN. --time is

Ms. JOHNSON. Thank you very much.

Mr. AKIN. --expired, and we have a vote on the House Floor, but if Dr. Ehlers can go quickly, we can get that in, I think.

Mr. EHLERS. I thank you, Mr. Chairman.

I will try to be pretty rapid.

First of all, to respond to my colleague who just asked the question about telephone companies snooping. I grew up in southwest Minnesota, a very small town, hand crank telephone on the wall, a switchboard sitting downtown with an operator, and I can tell you, she knew more about the business of everyone in the town than anyone else did. So I suspect there is considerably less snooping by telephone companies by electronics than there was back then. But it is certainly a worthwhile question to ask.

I would like to, first of all, just sitting here trying to put this all in perspective, it seems to me that most of the discussion has been about cyber security in the sense of software, and that is, of course, a major concern. It is a concern both in terms of industrial espionage, as it is called, certainly a concern in terms of national security. But then there is also the hardware factor, which was brought up by my colleague from Maryland. And since we are both scientists, maybe we have good reason for both worrying about the same thing, namely the hardware security.

We have known about nuclear EMP for a long time. And I happen to be a nuclear physicist and worked at Livermore for one summer, years ago. And I never worried that much about it, because, frankly, I thought mutually assured destruction was pretty clear policy in that there is no benefit in any country to set off a nuclear weapon far above another country knowing that they, in turn, would have their systems destroyed. I do worry about it much, much more now, and I think Dr. Bartlett's fear is well founded in the sense that if you don't have a country that can be counterattacked, and if your goal is to disable your opponent as much as possible and to cause grief and pain and terror, the EMP is a very good way to do it, if you can manage to get the weapon and the launch vehicle. And I think it is something we have to take very seriously. Mr. Freese, I think you were a little optimistic in saying it would only affect certain areas of the country, but it depends, again, on the size of the weapon. We are not hardening our equipment.

And I was struck by a phrase that Mr. Kepler offered earlier that when communication stops, commerce stops. And I would even extend that beyond that. When commerce stops, then life is endangered and perhaps life stops, because with the proliferation, and I have been worrying about this for about 10 years now. I never worried about it too much until the proliferation of the Internet, but today, so much commerce is done over the Internet. But also, the proliferation of microprocessors and automobiles and everywhere else. And an EMP would not only affect communications but also transportation. How many of us would be able to drive our car after an EMP had wiped out the processors? And there are some 250, typically, microprocessors in the average American automobile today. How would trucks be able to deliver a product? How would people get food and water? I mean, this is really a doomsday scenario.

And Mr. Purdy, I hope that you and others are worrying a great deal about this, because what we really need in place is an infrastructure that, at least in an emergency basis, would replace the infrastructure that we are becoming so dependent on through our use of microprocessors, Internet, and so forth.

And I would like to give any of you time to react to my comments. Maybe I am off base, and if so, I would like to hear that. But if you could, briefly make a comment.

Mr. Kepler.

Mr. KEPLER. Yes, Congressman.

I think one of the key issues as we talk about industry and government relationship is understanding the roles and responsibilities. It is probably not practical for companies to go address that problem. That requires government from that type of level, and that is my broader point is these major issues need to be led by government in terms of how we address in the sectors need to support. There are things the sectors need to do, but there are things the government needs to do in that environment.

Mr. EHLERS. If I may just interject. It seems to me your role, however, is to try to harden your facilities so that you can continue to operate.

Mr. KEPLER. Absolutely, and that is why we need diversification and structure. One point that has been brought up is the idea that the older technology can't be replaced, and that is true, but also the older technology is less vulnerable to the newer threats. So it is a real delicate balance in terms of putting this new technology in, because it is actually more vulnerable because of its complexity and size. So that is why I think we have got to be really careful of just putting technical solutions in and not having the broad policy understandings and risk balancing here.

Mr. EHLERS. That is precisely the point, and the policy has to come from the Federal Government, but also the industry has to be aware of the need to harden their facilities as much as they can so at least emergency services can continue.

Mr. KEPLER. We agree with that.

Mr. EHLERS. Mr. Purdy, do you have a comment?

Mr. PURDY. I will have to defer to National Communication Systems on your follow-up question.

Mr. EHLERS. Any other comments?

I think everyone is eager to go vote, and I am as popular as a skunk at the tea party at this point, so I will defer to the Chairman and yield back.

Mr. AKIN. No, you are very popular, Dr. Ehlers.

And--but your time has expired.

And now all of our time is expired, because we have got to go vote.

We will leave the record open for five days for Members to submit additional written questions for the witnesses.

And I want to thank the witnesses for your time and your testimony. You are experts in your fields, and you have added to our understanding, and we thank you.

And the Committee stands adjourned.

[Whereupon, at 12:00 p.m., the Committee was adjourned.]

Appendix:

ANSWERS TO POST-HEARING QUESTIONS

Responses by Donald "Andy" Purdy, Jr., Acting Director, National Cyber Security Division, Department of Homeland Security

Questions submitted by Chairman Sherwood L. Boehlert

Q1. Measuring Cyber Security

Q1a. How do you measure national cyber security?

A1a. National cyber security is a rapidly changing area in which a dynamic market drives the continuous emergence of new technologies and an evolving threat environment. As a result, measuring national cyber security is an important but challenging goal.

Organizations, including all levels of industry, government, and academia, do not necessarily have total network cognizance, which prevents them from being able to measure their own level of security. To create an assessment of national cyber security, an entity would require accurate reporting from all organizations that rely on cyber systems on their own individual networks. Until all organizations achieve this, it will be very difficult to measure national cyber security.

NCSD is working toward achieving greater situational awareness through efforts with: federal agencies, such as federal agency network monitoring; the private sector through interaction with Information Sharing and Analysis Centers (ISACs); and, international partners through the international Computer Emergency Response Team collaboration. Enhanced situational awareness will help to provide a better estimation of the state of cyber security and identify methods of measuring changes and improvement.

In addition, NCSD's responsibilities under the National Infrastructure Protection Plan (NIPP) for the IT Sector and cyber guidance across the critical infrastructures, will involve working with key governmental entities and the private sector to complete a sector specific plan that when implemented will help to create a national assessment of cyber risk, together with the prioritization of cyber risk mitigation measures. Several critical infrastructure cyber measures and metrics will be tracked across each sector based on the Sample Cyber Measures and Metrics being developed for the NIPP.

The Counter-intelligence community also supports these efforts from the perspective of cyber espionage threat assessments. Foreign intelligence services are increasingly using cyber espionage as a means for collecting sensitive information. We are developing methodologies for identifying their cyber capabilities and for assessing, in more precise form, the damage to national security that might be caused by various cyber intrusion incidents.

Q1b. How do you determine if the Nation's level of cyber vulnerability is being reduced?

A1b. In order to determine whether the Nation's level of cyber vulnerability is being reduced, NCSD undertakes a risk management approach that includes measuring threat, vulnerability, and consequences.

There are a number of DHS initiatives underway that examine cyber-related vulnerabilities in addition to physical risk and vulnerability assessments. In coordination with the private sector, DHS is identifying cyber vulnerability assessment best practices. This effort began with an evaluation of various methodologies in use throughout the public and private sectors. In addition, NCSD is working closely with other DHS components to ensure that cyber aspects of threat, consequence, and vulnerability analysis are consistently and appropriately included in risk methodology efforts. These efforts include the Risk Analysis and Management for Critical Asset Protection (RAMCAP), the Vulnerability Identification Self Assessment Tool, Comprehensive Reviews, and Site Assistance Visits.

NCSD is sponsoring several exercise initiatives that will enhance U.S. preparedness in the event of a cyber incident and improve communication, coordination, and procedures between DHS, other government agencies, the public and private sectors, and with select foreign partners. In February 2006, NCSD will conduct the National Cyber Exercise: Cyber Storm, which will test federal response to a cyber-related incident of national significance; examine state, federal and international intra-governmental coordination; and emphasize public/private cooperation and communications using the energy, information technology, telecommunications and transportation sectors. In addition to Cyber Storm, NCSD has also coordinated extensively with and supported the creation of two regional partnerships in the Gulf Coast and the Pacific Northwest consisting of public and private sector entities. In each of
