fully compliant or, in some cases, not even near fully compliant, foreigners.

There are terrorists, there are hostile states, proliferators of weapons of mass destruction, religious extremists, ethno-nationalist movements, crime syndicates, the sources of the threat to our vital interest in the continued successful functioning of what President Clinton referred to as our critical computer systems.

Let me just clarify that sort of shorthand for critical infrastructure systems. The computers themselves are used to control the networks of information that control our critical national infrastructures, for example telecommunications, electric power generation and distribution, the water supply of our cities, oil and gas storage and distribution, banking and finance and all of its aspects, medical systems, law enforcement, Federal, State, and local, and emergency services such as, for example, fire departments. All of these critical infrastructures in the United States have come to be controlled by information networks which in turn are, yes, controlled by computers. They are available to the kinds of people I listed before, terrorists, hostile states, ethno-nationalist movements, the enemies of civilization, in a nutshell.

A number of highly developed disruptive techniques-I am not talking about amateur hackers. These highly developed thieves and enemies of civilization now are capable of using and are using to a growing extent metamorphic viruses, viruses that get into the networks and into the computer systems and that metamorphize, that change just as the AIDS virus changes, we have learned in biology.

So the geniuses that are hostile to us have developed metamorphic viruses that change in response to defenses that develop within the systems, automated and undetected sniffing, spoofing, and hijacking sessions, and swarming, which refers to surrounding a critical infrastructure network with attacks from multiple places, and is the basis, then, for sustained pulsing, which can just simply overwhelm a network, an information network system.

Let me add that as our use of the Internet increases, which it is at a tremendous rate, so also have the numbers of intrusive and disruptive incidents increased, almost precisely along with increased use of the Internet, so we are talking about-I am in any case this morning focusing in on threats to our critical national infrastructures.

Number 2, what has been the U.S. Government's response? It has been pretty good, in my judgment. Beginning in 1993, right after President Clinton was elected, there began a campaign from within the Government, mostly within the Defense Department, to persuade the White House that this was a serious problem, and they did persuade the White House this was a serious problem, and so in the summer of 1996 President Clinton established a Presidential Commission on Critical Infrastructure Protection, which assembled experts from within the Government and from outside the Government in every field of activity and conducted as a presidential commission an outstanding analysis of the dangers and the vulnerabilities and the threats to our critical national infrastructure beginning in the summer of 1996, and they issued their report to the President in October of 1997, and the President and his staff then studied it and reflected upon it, and in May of 1998 issued a presidential decision directive, PDD Number 63, so that is in the jargon of this area we are talking about, the famous piece of jargon, PDD-63.

Then in January of 1999, just a couple of months ago, the President addressed the National Academy of Sciences on this subject and proposed to put in his budget submission for the year 2000 about $1-1.5 billion to address this problem from the standpoint of the Federal Government.

Then as I indicated at the very beginning just last week, a week ago today, on February 26 at a speech in San Francisco he outlined five broad segments of emerging threats, and one of them this cyber threat was highlighted, in his words, sabotage against our critical computer systems.

Now, the presidential commission observed that one of the tremendous problems here with all of these national critical infrastructures and the threats to them is the fact that it is so complex, and that there are so many interdependencies, and that we do not know how, we have not learned how to deal with those complexities and interdependencies, and that leads me to my two points about, in my judgment, the inadequacies of the U.S. Government's response so far.

One is that I do not believe the administration, the U.S. Government, has fully taken on board how compelling and urgent this problem is, in view of the fact that you are going to have on 1 January of the year 2000 the Y2K-associated threats, people taking advantage of the Y2K problem to mask serious attacks on our critical infrastructure, the difficulties of interacting with users of our critical infrastructures, foreigners and others who may not be Y2K compliant, and then the complexities and interdependencies that refers to two layers of complexity and interdependency.

One is the fact that a good many of these critical infrastructures are under the jurisdiction not of the Federal Government but of State and local governments, and the other complexity and interdependency is the fact that almost all of our critical national infrastructures, with the exception of law enforcement and some emergency services, all of the rest are basically located in the private sector.

So our studies have shown us that there are all kinds of problems that I would be glad to get into later on in the interrelationship between the private sector who operate and control these critical national infrastructures and the Federal Government.

So my colleagues and I have outlined what we think could be done and could be done quickly, and that would be a pilot project R&D program in the real world involving, if we could select one, an element that would be a microcosm of the whole Nation.

In terms of what I am talking about, the interdependencies and the complexities, the threats, the vulnerabilities, it would involve multiple nodes in let us say-and speaking of telecommunications, I understand that our military's communications depend 90 percent on the private sector, on commercial telecommunications, and there are other dependencies of our military on these critical national infrastructures across the board.

So it would involve multiple jurisdictions, Federal, State, and local. That would be a large piece of the critical infrastructure, so that we could learn about public and private interactions and interdependencies, and a key element in our studies indicate that in order to motivate the private sector to begin to take this seriously-which they have not. We have been in touch with the private sector across the board, and they are very reluctant to spend money on this problem.

However, we have discovered, we believe, that if insurance and risk transfer companies could be part of the picture, then they could begin to provide serious motivation for the private sector to take the necessary steps to reduce their vulnerabilities by adjusting the deductibles and adjusting the premiums so as to reflect the difference between various elements of the private sector as to whether they are pursuing best practices, which would still have to be defined, and any such pilot project would not have to interfere with the operation of the selected area for the experiment, but would enhance their operation by assessing the vulnerabilities and the risks, analyzing options and developing a plan of action.

Mr. Chairman, I would be glad to respond later to any questions you may have, and the other members of the committee. Thank you.

[The prepared statement of Mr. Ellsworth follows:]

PREPARED STATEMENT BY HON. ROBERT F. ELLSWORTH

Mr. Chairman, members of the subcommittee, ladies and gentlemen. I am Robert Ellsworth, Managing Director of The Hamilton Group, LLC, and a former Deputy Secretary of Defense. I am pleased to be here today to provide remarks on the emerging threats to our national security.

If the world order today is being re-made by a clash of civilizations, as Professor Samuel Huntington says "The most dangerous clash is that between civilization itself and the several enemies of civilization. As the United States is the most dynamic, wealthiest and militarily most powerful civilization today, the United States is also a special target of those enemies of civilization."

I will speak about the particular threats to the nation's critical infrastructures, specifically these threats posed by those able to launch so-called "cyber" attacks against our critical information infrastructures. As President Clinton pointed out in San Francisco last Friday, February 26, one of our five central national security challenges today includes "sabotage against our critical computer systems." I will also share with you some ideas I have for implementing the President's program for developing a national plan to protect those systems.

INTRODUCTION

The New Face of Terrorism: On the morning of February 26, 1993, a huge bomb exploded in the garage below New York's World Trade Center, killing five people and forcing a hectic evacuation of some 50,000 people from the massive twin tower complex. More than 1,000 people were treated for injuries, most from smoke inhalation. Damage to the building's structure was minor.

As devastating and tragic as the World Trade Center bombing was, it could have been worse-much worse. For if the terrorists had the blueprints to the tower complex, they might have been able to place the same car bomb in a location that would have ensured the destruction of critical structures of the tower's foundation, rendering the building permanently uninhabitable or even causing it to collapse.

But obtaining those blueprints would have been no small feat. Such information is not, as a rule, available to the public. The terrorists would have had to break into the offices of the Port Authority of New York and New Jersey where the blueprints were stored, risking detection, incarceration, or worse.

However, were the terrorists to attempt the bombing today, they might take another approach altogether-that of hacking their way into the computer system of the Port Authority, hoping that the information contained in the blueprints was accessible in the system's data base. Indeed, in its 1991 final report, the President's Commission on Critical Infrastructure Protection observed the following:

Today, more sophisticated physical attacks may... exploit the emerging vulnerabilities associated with the complexity and interconnectedness of our infrastructures. In the networked world of today, the effects of such physical attacks could spread far beyond the radius of bomb blast. Adding to our physical vulnerability is the fact that information readily available on the World Wide Web (WWW) may disclose to a terrorist the best place to set explosive charges for maximum disruptive effects. The Report of the President's Commission on Critical Infrastructure Protection, October 13, 1997.

As the nation's government and economy become increasingly reliant on information networks controlled by computers, so do its critical infrastructures become increasingly vulnerable to cyber, as well as physical, attack. These critical infrastructures comprise those physical and cyber-based systems and networks-mostly in the private sector-necessary to the operation of the nation's economy and government. They include medical services, electric power generation and distribution, transportation, telecommunications, banking and finance, oil and gas production, storage and distribution, water supply systems, law enforcement, government services, and emergency services.

According to the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, Richard Clarke, the threat posed by cyber-based, information warfare may ultimately be as devastating to a nation's infrastructure as physical attacks once were.

We're not talking about a few teenagers violating the law and getting into a computer system and having some fun.

We're talking about something called information warfare, where a nation or a terrorist group or a criminal cartel could do a systematic national intrusion into the computer systems that control the electric power grids, the telephone networks, the banking and finance system, the transportation nodes, and effectively shut the nation off. In other words, just as in World War II, nations flew bombers over each other's countries to try to destroy infrastructure by dropping bombs. What we're concerned about is in the future, nations will have that same capability to destroy each other's infrastructure, not by bombs, but by cyber attacks... Press Conference at the National Academy of Sciences, January 22, 1999.

For many terrorists today, destruction of physical targets is not as tempting as disruption of information infrastructures by metamorphic viruses and undetected and automated spoofing, sniffing and hijacking sessions. Recent RAND studies show that these dangers will increase as terrorists move beyond isolated acts of disruption toward campaigns based on "swarming" a target with multiple attacks from all directions. The aim of "swarming" is "sustainable pulsing" of repeated attacks that swamp the target.

Various groups across the spectrum of crime and terror seem to be evolving in this direction: Hamas in the Middle East, the Asian Triads, and various domestic U.S. gangs. Contemporary and familiar enemies of civilization are modifying their methods to take advantage of information network designs: hostile states, transnational terrorist groups, transnational crime syndicates, religious extremists, black-market proliferators of weapons of mass destruction, ethno-nationalist movements, and militant single-issue groups. The information systems of the U.S. military are likely to be attractive targets. Our military telecommunications and other systems are highly dependent on the commercial world.

To defend against such cyber network threats, governments and the private sector must urgently develop cooperative and collaborative defenses involving networked structures. In fact, the nation's challenge is not so much technological as it is new ways of cooperation and collaboration.

Y2K is a Critical Infrastructure Problem: The Year 2000 problem ("Y2K"), as it is called, is a subset of the broader threat posed to the nation's critical infrastructures and results from the way computer systems store and manipulate dates. Many computer systems worldwide are expected to malfunction or produce incorrect information on January 1, 2000, when the date rolls over from 1999 to 2000, and computer programs fail to recognize the change in the century, misreading “00” for the year 1900 instead of the year 2000.

Y2K-related disruptions are likely to be systemic in nature, threatening even those operators who are Y2K-compliant. Systems depend on other systems in ways that are not readily appreciated. Disruptions may result from the interface between Y2K compliant and non-compliant (especially foreign) users relying on the same infrastructures on and after January 1, 2000. This may be an especially challenging problem for America's air and sea ports, banks, and telecommunications. Disruptions may also result from deliberate cyber-based attacks against critical infrastructures masking as Y2K problems. Perhaps more serious, disruptions may result from the malicious embedding of code in existing programs by programmers ostensibly "fixing" software to make programs Y2K compliant. This latter problem is likely to confront operators long after the immediate concerns over Y2K have passed.

THE NATIONAL RESPONSE

In an address delivered at the National Academy of Sciences on January 22, 1999, President Clinton proposed to invest $1.46 billion in fiscal year 2000 to carry out his May 1998 directive calling for the development of a national plan “to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructure." According to the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, the President's address was intended "to raise consciousness, in the American people, in the scientific community, in the corporate community, and in the Congress, that such attacks are growing increasingly likely." Funding would be provided for investment in research and development to safeguard key computer systems, intrusion detection systems, information sharing and analysis centers, and recruitment of a "Cyber Corps" to respond to crises.

In his address, the President underscored the need for greater appreciation of the complexities and interdependencies created by the growth of information systems.

More and more, these critical systems are driven by, and linked together with, computers, making them more vulnerable to disruption. Last spring, we saw the enormous impact a single failed electronic link, when a satellite malfunctioned-disabled pagers, ATMs, credit card systems and television networks all around the world. We already are seeing the first wave of deliberate cyber attacks-hackers break into government and business computers, stealing and destroying information, raiding bank accounts, running up credit card charges, extorting money by threats to unleash computer viruses. President Clinton, National Academy of Sciences, January 22, 1999.

The President also reiterated the importance of “building partnerships with the private sector to find and reduce vulnerabilities; to improve warning systems; and to rapidly recover if attacks occur." The complexities of doing business in the information age have laid out a stark challenge not only to the government, but also for the Boards of Directors, the Chief Executive Officers, and the Chief Information Officers of American companies.

The President's Commission on Critical Infrastructure Protection, and his May 1998 Presidential Decision Directive No. 63 (PDD-63), highlight the vulnerability of the nation's private and public critical information infrastructures.

In the cyber dimension there are no boundaries. Our infrastructures are exposed to new vulnerabilities—cyber vulnerabilities—and new threats—cyber threats. Perhaps most difficult of all, the defenses that served us so well in the past offer little protection from the cyber threat. Our infrastructures can now be struck directly by a variety of malicious tools. The Report of the President's Commission on Critical Infrastructure Protection, October 13, 1997.

Under PDD-63, the United States is supposed to achieve and maintain within 5 years the ability to protect from deliberate cyber-based attacks those critical infrastructures necessary for:

• the federal government to conduct national defense, intelligence, international diplomacy and commerce, and law enforcement;

• state and local governments to perform law enforcement and critical public services; and

• the private sector to deliver telecommunication, energy, financial, and transportation services.

In order to achieve the aims of PDD-63, the following actions are essential:

• Public-Private Partnership: An effective partnership between government and infrastructure owners and operators is needed, with increased sharing of information relating to infrastructure threats, vulnerabilities, complexities and interdependencies.

• Education and Awareness: There is a need to educate and inform decision-makers and private industry, government, and the general public about infrastructure assurance, especially the importance of protecting their own information.