[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
THE CYBER INITIATIVE
=======================================================================
HEARING
before the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 28, 2008
__________
Serial No. 110-98
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED]
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
44-063 PDF WASHINGTON DC: 2008
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800 Fax: (202) 512-2250 Mail Stop SSOP,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Loretta Sanchez, California Peter T. King, New York
Edward J. Markey, Massachusetts Lamar Smith, Texas
Norman D. Dicks, Washington Christopher Shays, Connecticut
Jane Harman, California Mark E. Souder, Indiana
Peter A. DeFazio, Oregon Tom Davis, Virginia
Nita M. Lowey, New York Daniel E. Lungren, California
Eleanor Holmes Norton, District of Mike Rogers, Alabama
Columbia David G. Reichert, Washington
Zoe Lofgren, California Michael T. McCaul, Texas
Sheila Jackson Lee, Texas Charles W. Dent, Pennsylvania
Donna M. Christensen, U.S. Virgin Ginny Brown-Waite, Florida
Islands Gus M. Bilirakis, Florida
Bob Etheridge, North Carolina David Davis, Tennessee
James R. Langevin, Rhode Island Paul C. Broun, Georgia
Henry Cuellar, Texas
Christopher P. Carney, Pennsylvania
Yvette D. Clarke, New York
Al Green, Texas
Ed Perlmutter, Colorado
Bill Pascrell, Jr., New Jersey
Jessica Herrera-Flanigan, Staff Director & General Counsel
Todd Gee, Chief Counsel
Michael Twinchek, Chief Clerk
Robert O'Connor, Minority Staff Director
(II)
C O N T E N T S
----------
Page
Statements
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security.............................................. 1
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas........................................ 2
The Honorable James R. Langevin, a Representative in Congress
From the State of Rhode Island:
Prepared Statement............................................. 4
Witnesses
Ms. Karen Evans, Administrator, Electronic Government and
Information Technology, Office of Management and Budget:
Oral Statement................................................. 6
Prepared Statement............................................. 8
Mr. Robert D. Jamison, Under Secretary, National Protection and
Programs Directorate, Department of Homeland Security,
Accompanied by Mr. Scott Charbo, Deputy Under Secretary,
National Protection and Programs Directorate, Department of
Homeland Security:
Oral Statement................................................. 11
Prepared Statement............................................. 12
Appendix
Questions From Honorable Yvette D. Clarke........................ 35
THE CYBER INITIATIVE
----------
Thursday, February 28, 2008
U.S. House of Representatives,
Committee on Homeland Security,
Washington, DC.
The committee met, pursuant to notice, at 10:13 a.m., in
Room 311, Cannon House Office Building, Hon. Bennie G. Thompson
[Chairman of the committee] presiding.
Present: Representatives Thompson, Harman, Christensen,
Etheridge, Langevin, Green, McCaul, Dent, and Brown.
Chairman Thompson [presiding]. The committee will come to
order.
The committee is meeting today to receive testimony on the
Cyber Initiative. The infiltration and exploitation of Federal
Government networks and critical infrastructure networks is one
of the most critical national security issues confronting our
country today.
Public reports suggest that Federal networks have been
under attack for years. These attacks have resulted in the loss
of indeterminate amounts of information. The purpose of today's
hearing is to discuss the administration's proposed Cyber
Initiative, a proposal that attempts to reduce the
vulnerability of our Federal computer networks and critical
infrastructure and the consequences of attacks against these
networks.
We aim to discuss several things today, including the
consolidation of trusted internet centers, known as TICs, which
would reduce the number of Federal connections to the internet
and allow for easier monitoring of incoming and outgoing
traffic, the implementation of the Department of Homeland
Security's cyber monitoring capabilities throughout Federal
agencies, known as Einstein, the privacy implications of
electronic data collection, efforts underway to conduct damage
assessment of Federal systems, and efforts to secure our
federally and privately owned critical infrastructure from
cyber attack.
Thus far, I have been extremely disappointed in this
administration's efforts in cybersecurity. The administration
drafted a high-level national strategy for a secure cyberspace
in 2002 that presented problems and possible solutions to high-
level cybersecurity issues but never mandated any changes
required to improve security.
In 2003, the administration eliminated its top advisor on
cybersecurity, Richard Clarke, who was a key advisor to the
president. Then, after Congress pushed for the creation of an
assistant secretary for cybersecurity, DHS waited over a year
to fill the position and buried it four levels down in the
bureaucracy.
Despite the creation of a cross-agency intelligence
director, the administration failed to educate Federal agency
officials on the cyber threat. For instance, in a 2007 hearing
before this committee, the chief information officer at DHS,
Scott Charbo, who is with us today, told us that he had never
received any intelligence reports about nation state hacking
and that he was unfamiliar with this activity. To me, this
suggests a failure on the part of the director of national
intelligence who is charged with connecting dots that would
prevent cross-agency intelligence failures from occurring.
This administration regularly requested inadequate budgets
for DHS cybersecurity activities, both for the National Cyber
Security Division, the US-CERT and the CIO security budget and
the R&D activities undertaken at the Science and Technology
Directorate.
This administration has vested responsibility for securing
these networks in folks who don't understand the threat or the
technical methods to deal with the threat. Secretary Chertoff's
decision to promote Mr. Charbo to the position of deputy under
secretary for National Protection and Programs places him in
charge of DHS' efforts in the Cyber Initiative. This decision
was made in spite of the committee's investigation into how he
and his staff failed both to protect the Department's computers
from intrusion and properly manage the contractor in charge of
security.
In light of these and other issues, it is hard to believe
that this administration now believes it has the answers to
secure our Federal networks and critical infrastructure.
I want to be clear: I believe that cybersecurity is a
serious problem, maybe the most complicated national security
issue in terms of threat and jurisdiction. This problem will be
with us for decades to come.
I am pleased that this administration recognizes the
challenges we face in securing this area.
As Chairman of this committee, I continue to have numerous
practical and theoretical questions about the initiative and
the possibilities of its success: Who is in charge, what are
the matrix for success, who is accountable, how are privacy
concerns being addressed, how will future technologies be
incorporated, how will future threats be addressed, what legal
frameworks must be amended, how will the administration work
with the private sector, and what will be done with critical
infrastructure?
I am committed to charting a course toward freedom from
fear, and I look forward to working through these difficult
questions in the weeks, months and years to come.
The Chair now recognizes the Ranking Member of the
subcommittee and who is standing in for the Ranking Member of
the full committee, the gentleman, Mr. McCaul, for an opening
statement.
Mr. McCaul. Thank you, Mr. Chairman.
Today's hearing is on the administration Cyber Security
Initiative, which is a sweeping effort to better secure the
computer networks owned and operated by the Federal Government.
In my judgment, since 9/11, we have been very focused on
the threats in the physical world, and yet not enough
attention, in my view, has been paid on threats in the virtual
world.
I am glad to see that the administration has come forward
with an initiative, a plan. Congressman Langevin and I have
launched a nonpartisan commission to study the threat of
cybersecurity to this Nation and to provide recommendations to
the next President of the United States, and I look forward to
seeing their recommendations as well.
As this committee learned last year, the Government's
computer networks are under constant attack from hackers and
criminals, many of whom are sponsored by foreign nations. Just
last year, the country of Estonia was temporarily taken off the
internet by organized hackers. While the chances that a similar
attack could achieve similar results in this country are small,
the threat remains very real.
The Department of Homeland Security will play a prominent
role in developing and implementing the administration's
initiative. In fact, the President's fiscal year 2009 budget
request includes close to $200 million more for DHS than was
requested last year for cybersecurity, and I am pleased to see
that.
In addition, media reports indicates the administration
plans to ask for up to $30 billion over the next 5 years. If
this figure is accurate, Congress needs to know how that money
will be spent. This project is still in the formative stages;
therefore, I understand a number of details cannot be shared at
this time or possibly in an open forum. But it is important,
however, that the administration keep Congress informed so as
to avoid any misunderstanding about what this initiative is
designed to do.
With such a large project that cuts across the Government,
efficient congressional oversight may be difficult to achieve
because so many different committees claim jurisdiction over
DHS. It is times like this that highlight the fact that despite
promises to fulfill all the remaining 9/11 commission's
recommendations, the Congress still has not consolidated
oversight of DHS, and, unfortunately, it now has oversight by
86 committees and subcommittees.
I understand that the administration doesn't believe that
further authorities are necessary for this initiative, but this
area potentially could be added to our annual DHS authorization
bill, which I urge the Chairman and this committee to take up
prior to congressional action on DHS' appropriations bill later
this spring. I raised this issue during our full committee this
past Tuesday and was pleased to hear an optimistic response
from Chairwoman Sanchez.
We on the Republican side look forward to working with our
majority counterparts and colleagues on another bipartisan DHS
authorization bill.
I yield back.
Chairman Thompson. Thank you very much.
Other Members of the committee reminded that under
committee rules opening statements may be submitted for the
record.
[The statement of Hon. Langevin follows:]
Prepared Statement of Hon. James R. Langevin
February 28, 2008
the cyber initiative
For years, Federal networks have been under attack. I believe that
the infiltration and exploitation of these networks is one of the most
critical issues confronting our Nation. The acquisition of our
Government's information by outsiders undermines our strength as a
Nation. If sensitive information is stolen and absorbed by our
adversaries, we are strategically harmed.
Last year, as Chairman of the Subcommittee on Emerging Threats,
Cybersecurity, Science and Technology, I held a series of hearings on
the cyber threats to our Federal networks and critical infrastructure.
It is clear that our failure to secure Government networks has more to
do with mismanagement, and less to do with inadequate technology. This
administration simply has not made cybersecurity a priority. They have
not comprehensively identified or mitigated vulnerabilities on our
networks; they have not held anybody accountable for breaches; and they
have not invested adequate resources to solve the problems.
Unfortunately, we are paying the price today.
I remain deeply concerned about the growing threat to our national
critical infrastructure. The effective functioning of many
infrastructures is highly dependent on control systems. which are
computer-based systems used to monitor and control sensitive processes
and physical functions. Cyber attacks against these pieces of
infrastructure have the potential to cause serious--if not
catastrophic--damage to the economy and our way of life. The
administration's Cyber Initiative does not adequately prioritize this
issue.
With the right vision and leadership, we can improve security on
our Federal networks and critical infrastructure. There are some
promising elements of the Cyber Initiative, but there are also some
gaping holes. I assure the American people that we will continue to
perform robust oversight on this issue.
recap of the subcommittee's previous hearings
Last year, as Chairman of the subcommittee on Emerging Threats,
Cybersecurity, Science and Technology, I held a series of hearings on
the cyber threats to our Federal networks and critical infrastructure.
We began in April 2007, with a hearing on cyber attacks against the
Departments of State and Commerce. At that time, it was clear to me
that the Federal Government did not understand the severity of the
threat. Officials did not know the scope or topology of networks; who
infiltrated our networks in the past; who was inside of our networks at
the present; and how much information had been stolen. At that hearing,
I promised to begin an investigation to assess the cybersecurity
posture at the Department of Homeland Security. Chairman Thompson and I
began requesting documents from the Department's Chief Information
Officer the following week.
Our second hearing in April focused on the need to reduce critical
infrastructure vulnerabilities through investment in research and
development. In the last 7 years, more than 20 reports from such
entities as the INFOSEC Research Council, the National Science
Foundation, the National Institute of Justice, the National Security
Telecommunications Advisory Committee, the National Research Council
and the President's Commission on Critical Infrastructure Protection
have all urged the Government to do more to drive, discover and deliver
new solutions to address cyber vulnerabilities. Yet the administration
routinely proposed reductions or flat funding for research and
development efforts at the Department of Homeland Security. Our
witnesses described the necessity to dramatically reduce the
vulnerability of the national information infrastructure to attack, and
make major, strategic investments that can significantly reduce
infrastructure vulnerabilities over a 5- to 10-year period.
During a June 2007 subcommittee hearing, we discussed the
preliminary results of our investigation into the security of the
Department's networks. Due to poor security practices on its networks,
the Department of Homeland Security suffered numerous significant
security incidents. Routine security reviews--like rogue tunnel audits,
ingress/egress filtering, widespread internal and external penetration
tests, and contractor audits--were not performed. Multi-factor
authentication was not fully implemented And in spite of nearly 900
cybersecurity incidents between fiscal year 2005 and fiscal year 2006,
the Department continued to under-invest in IT security.
The testimony of the Department's Chief Information Officer, Scott
Charbo, was disturbing to the committee. Although the Chief Information
Officer is ultimately responsible for the security of the Department's
numerous information networks, Mr. Charbo seemed unaware and
unconcerned about any serious malicious activity on the networks he was
charged with securing. For example, when asked if he or his security
team had requested or received intelligence briefings about Chinese
hackers penetrating Federal networks, or if Department computers ever
exfiltrated information to Chinese servers, Mr. Charbo responded ``you
don't know what you don't know.'' This answer was typical of the
laissez-faire attitude that he exhibited throughout the investigation,
and suggested that neither he nor the rest of the Department was taking
the issue of cybersecurity seriously. Chairman Thompson and I sought
additional information to determine whether these incidents could be
tied to the same attacks that occurred on the networks at State and
Commerce.
In September 2007, Chairman Thompson and I concluded that the
Department was itself a victim not only of cyber attacks initiated by
foreign entities, but of incompetent and possibly illegal activity by
the contractor charged with maintaining security on its networks. The
Department's intrusion detection systems--designed to monitor networks
and issue alerts when outsiders attempted to gain access--were not
properly installed and monitored. This resulted in dozens of computers
becoming compromised by hackers, who sent an unknown quantity of
information to a Chinese-language Web site. We asked the Department's
Inspector General to begin an inquiry into these matters and refer the
case for criminal investigation.
In October 2007, my subcommittee again revisited the issue of
cybersecurity and critical infrastructure, specifically with regard to
the electric grid. The effective functioning of the bulk power system
is highly dependent on control systems, which are computer-based
systems used to monitor and control sensitive processes and physical
functions. Once largely proprietary, closed-systems, control systems
are becoming increasingly connected to open networks, such as corporate
intranets and the Internet. As such, the cyber risk to these systems is
increasing. Intentional and unintentional control system failures on
the bulk power system can have a significant and potentially
devastating impact on the economy, public health, and national security
of the United States.
The subcommittee learned about an experimental cyber attack led by
DHS researchers at Idaho National Laboratory. This experiment--code-
named Aurora--could inflict significant damage upon the electric
sector, and several Members joined me in calling upon the Federal
Electric Regulatory Commission (FERC) to investigate whether the owners
and operators were implementing mitigations to prevent this attack from
occurring. In light of these issues, I joined Chairman Thompson,
Chairwoman Jackson Lee, and Ranking Member McCaul in submitting
comments to the FERC rulemaking, arguing that their proposed standards
do not sufficiently ensure the production or delivery of power in the
event of intentional or unintentional cyber incidents involving
critical infrastructures. We suggested adopting standards for control
systems proposed by the National Institute of Science and Technology.
Our final hearing focused on the implementation of the cyber
aspects of the Sector Specific Plans. These 17 plans--one for each
critical infrastructure sector in the United States--are supposed to
describe how each sector will identify, prioritize, and protect their
physical and cyber assets. However, an investigation performed for the
committee by the GAO suggests that many of the 17 plans are incomplete
when it comes to cybersecurity. The GAO analyzed the 17 plans under
three categories: fully addressed, partially addressed, or not
addressed, and found that none of the plans fully addressed all 30
cybersecurity criteria. Even more distressing was the absence of an
implementation plan. Because Sector Specific Plans remain a voluntary
exercise for all sectors, the Federal Government is unable to assess
the effectiveness of the private sector's cybersecurity controls.
Each of these hearings suggests that the Federal Government is
vulnerable to a cyber attack against Federal networks or critical
infrastructure. We must continue to identify vulnerabilities in our
systems. We must continue to reduce those vulnerabilities. We must
continue to engage the private sector. We must make cybersecurity a
priority.
Chairman Thompson. I now welcome our witnesses to this
hearing.
Our first witness, Karen Evans, is the administrator of the
Office of Electronic Government and Information Technology at
the Office of Management and Budget. In this role, she oversees
implementation of IT throughout the Federal Government,
including advising the director on the performance of IT
investments, overseeing the development of enterprise
architecture within the agencies, directing activities of the
Chief Information Officer Council and overseeing the usage of
the e-government funds to support interagency partnership and
innovation.
Our second witness is Robert Jamison, the under secretary
for the National Protection and Program Directorate at the
Department of Homeland Security. He was confirmed in December
2007. Under Secretary Jamison leads the Department's integrated
effort to analyze, manage and reduce risk. Mr. Jamison oversees
the Department's efforts in the Cyber Initiative.
He will be joined in questioning period by Deputy Under
Secretary for National Protection and Programs Directorate
Scott Charbo. Mr. Charbo was named to this position earlier
this month after previously serving as the Department's chief
information officer.
Without objection, the witnesses' full statements will be
read into the record. I ask each witness to summarize their
statements, beginning with Ms. Evans for 5 minutes.
Ms. Evans.
STATEMENT OF KAREN EVANS, ADMINISTRATOR, ELECTRONIC GOVERNMENT
AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET
Ms. Evans. Good morning, Mr. Chairman and Members of the
committee. Thank you for inviting me to discuss the
administration's comprehensive National Cyber Security
Initiative. Our work on the Cyber Initiative is focused on
building upon our existing effort to continue to close the gap
in areas of continued weakness, implementing existing security
policies and managing our risk associated in particular with
non-secure external connections, including internet points of
presence.
Please note, our work is happening concurrently on all of
the programs described in my written statement.
Agencies connect to the internet to deliver timely
information and services to the public, but each new connection
multiplies threats and vulnerabilities. Agencies can
consolidate or reduce unnecessary connections while still
accomplishing program goals. OMB has set a target date of
completion for the reduction and optimization of agencies'
external connections, including those to the internet, by June
2008.
Agencies reduce the number of internet connections, as they
also will be determining transitions and, if so, their
transition strategy to the network's contract managed by the
General Services Administration. This transition provides an
opportunity for agencies to consolidate and optimize their
external access points and to obtain secure telecommunications
technologies and services.
In connection with the network's transition, Einstein will
be deployed at the appropriate external connection. Currently,
14 departments and agencies have deployed Einstein. Einstein
will be discussed more in depth by my colleague, Under
Secretary Jamison, during his statement.
Agencies are also taking advantage of products and services
offered by the Information Systems Security Line of Business.
This initiative, led by the Department of Homeland Security and
OMB, was introduced in the spring of 2005 and identified common
solutions for four areas to be shared by the government:
Security training; Federal Information Security Management Act,
FISMA, reporting; situational awareness and incident response;
and the selection, evaluation and implementation of security
solutions.
As of November 2007, 12 agencies had implemented security
awareness training services provided by three approved shared
service centers, and 13 agencies have begun using FISMA
reporting services provided by two approved shared service
centers. As a result, agencies are beginning to reduce
duplicative investment and common security tools, ensuring a
baseline level of training and reporting performance and are
better able to refocus their efforts to other complex and
critical security issues at their agency.
With the understanding that vulnerabilities result from
weaknesses in technology, as well as improper implementation
and oversight of technological products, we have collaborated
with the National Institute of Standards and Technology, NIST,
the Department of Defense, the National Security Agency, and
Microsoft to develop a set of information security controls to
be implemented on all Federal desktops, which are running
Microsoft Windows XP or Vista.
This set of controls, known as the Federal Desktop Core
Configuration, is currently being implemented across the
Federal enterprise. By implementing a common configuration, we
are gaining better control of our Federal systems and are
allowing for closer monitoring and correction of potential
vulnerabilities, while limiting the download of internet
applications to only authorized professionals.
In addition to the desktop configuration, we are also
working with the vendor community to make our application
safer. As part of this program, NIST has developed testing
tools for use by both the Federal agencies and the vendors.
NIST awarded Security Content Automation Protocol, or SCAP,
validation to three products as of February 4, 2008.
Three independent laboratories have been accredited by NIST
National Voluntary Laboratory Accreditation Program for the
SCAP product validation.
To help agency procurement officers ensure that new
acquisitions include the common security configurations, we
have also provided agencies with recommended procurement
language. The Federal Acquisition Council has approved the
language and is completing the process of adding this language
to the Federal acquisition regulations.
While notable progress in resolving IT security weaknesses
has been made, and I have included more examples in my written
statements, problems remain in agencies' implementation, and
new threats and vulnerabilities continue to materialize. Work
remains to continue to improve the security of information and
systems supporting the Federal Government's missions and manage
the risk associated with these systems.
To address these challenges, OMB looks forward to
continuing to work with the agencies, GAO and Congress to
promote the appropriate risk-based and cost-effective IT
security programs, policies and procedures.
I will be happy to answer any questions at the appropriate
time.
[The statement of Ms. Evans follows:]
Prepared Statement of Karen Evans
February 28, 2008
Good morning, Mr. Chairman and Members of the committee. Thank you
for inviting me to discuss the administration's Comprehensive National
Cybersecurity Initiative. My remarks today will focus on the progress
we have made in improving the security of the Government's information
and information technology (IT) systems as well as our strategy for
managing the risk associated with our Government services in this ever-
changing IT environment. In our increasingly interconnected and
interdependent environment, security risks left unaddressed by one
agency can exponentially compound security risks faced by all of us.
These weaknesses prevent agencies from achieving program goals and
erode the public's trust in us.
Information security and privacy are extremely important issues for
the administration. On March 1, 2008, the Office of Management and
Budget (OMB) will provide our fifth annual report to the Congress on
implementation of the Federal Information Security Management Act
(FISMA). This report will go into detail on our improvements and
remaining weaknesses for both security and privacy.
OMB policies and subsequent National Institute of Standards and
Technology (NIST) guidance focus on a risk-based, cost-effective
approach and reflect the balance between strong security and mission
needs. Agencies are responsible for implementing the policies and
guidance for their unique mission requirements within their capital
planning and investment control processes. Agency officials who own and
operate the agency business programs are ultimately responsible and
accountable for ensuring security is integrated into those program
operations. Our oversight is achieved in two primary ways--via the
budget and capital planning process, and through independent program
reviews.
Our work on the cyber initiative is focused on closing gaps in
areas of continued weakness--implementing existing security policy, and
managing non-secure external connection, including Internet points of
presence. Please note our work is happening concurrently on all of the
programs described.
effectively implementing existing security policies
Securing cyberspace is an ongoing process, so as new technologies
appear and new vulnerabilities are identified, NIST provides guidance
to Federal agencies on securing networks, systems, and applications.
Recommendations include user awareness briefings as well as training
for technical staff on security standards, procedures, and sound
security practices. As required by 44 U.S.C. � 3543, Federal agencies
must adopt and comply with standards promulgated by NIST, and identify
information security protections consistent with these standards.
For example, agencies must complete certification and accreditation
(C&A)--a fundamental security procedure required by law and policy. As
of first quarter fiscal year 2008, 985 systems (9.5% percent of all
systems) operate without a complete C&A. Based on our annual reports to
Congress, the percentage of systems C&A'd rise each year we need to be
at 100%. When performed correctly, C&As identify the risks when
operating an information system, tests controls necessary to mitigate
them, and provides program managers a level of assurance the systems
supporting their programs operate at an acceptable level of risk.
In addition to following existing policy, agencies are continuing
to take advantage of GSA's SmartBUY program when acquiring security
products and services. SmartBUY is a Federal Government procurement
vehicle designed to promote effective enterprise level software
management. By leveraging the Government's immense buying power,
SmartBUY has saved taxpayers millions of dollars through Government-
wide aggregate buying of Commercial Off the Shelf (COTS) software
products. Agencies are utilizing new SmartBUY agreements to acquire
quality security products at lower costs.
In one recent example, GSA and DoD established a SmartBUY agreement
for products certified through the NIST FIPS 140-2 Cryptomodule
Validation Program. These certified products will be used to encrypt
data at rest. This benefit is not confined solely to Federal agencies,
since the Blanket Purchase Agreement (BPA) was written so that States
and local governments can also take advantage of this opportunity.
In addition to the encryption BPA, GSA worked to complete two BPA's
for credit monitoring services deemed necessary by an agency in the
event of a breach of personally identifiable information (PII), as well
as risk assessment services for when a breach occurs. More information
about the BPA related to credit monitoring services can be found in our
OMB Memorandum M-07-04, ``Use of Commercial Credit Monitoring Services
Blanket Purchase Agreements (BPA),'' at http://www.whitehouse.gov/omb/
memoranda/fy2007/m07-04.pdf. More information about the BPA to assist
agencies to assess risk associated with data loss can be found in our
OMB Memorandum M-08-10, ``Use of Commercial Independent Risk Analysis
Services Blanket Purchase Agreements (BPA),'' at http://
www.whitehouse.gov/omb/memoranda/fy2008/m08-10.pdf.
Currently, the Information System Security Line of Business
(ISSLOB) is working across Federal agencies and with GSA to assess the
feasibility of additional security related SmartBUY and BPA
opportunities for situational awareness and discovery tool sets.
managing multiple non-secure external connections
Agencies connect to the Internet to deliver timely information and
services to the public, but each new connection multiplies threats and
vulnerabilities. Agencies can consolidate or reduce unnecessary
connections while still accomplishing program goals. Per OMB guidance,
agencies must reduce and/or consolidate their external connections
including those to the internet by June 2008 with a target of no more
than 50 access points in total for the civilian agencies.
As agencies reduce the number of internet connections, they are
also determining whether to transition, and if so, their transition
strategy, to Networx. As you know, FTS2001/Crossover Bridge contracts,
which provide services for telecommunications and networking services,
for current customers will expire in May and June 2010. The Networx
program is the primary replacement vehicle for these expiring
contracts. We believe that this transition will provide an opportunity
for agencies to consolidate and optimize their external access points
including internet connections and obtain secure telecommunications
technologies and services. Networx Universal and Enterprise Service
contracts were awarded in March and May 2007, respectively.
OMB anticipates agencies choosing to use the Networx contract can
leverage the transition process and service offerings to meet the goal
of reducing the number of external connections including Internet
points of presence. OMB has asked the Federal Chief Information
Officers (CIO) Council to prepare a cost-benefit analysis regarding the
use of the Networx contract.
The Interagency Management Council's Transition Working Group (TWG)
has asked agencies seeking to qualify for transition cost reimbursement
to complete Fair Opportunity decisions by September 2008. GSA
recommends agencies target the completion of Fair Opportunity decisions
by March 2008 to ensure sufficient time to complete transition of
services prior to the expiration of FTS2001/Crossover Bridge contracts.
Currently, one major agency has completed a Fair Opportunity
Analysis and selected a service provider (Treasury). As of February
2008, GSA has received 21 Statements of Work (SOWs), and anticipates at
least 58 more SOWs from major agencies by September 2008.
The TWG deadline for agencies to submit all transition orders is
April 2010. GSA recommends agencies target the submission of all
transition orders to the extent possible for January 2009 to allow
sufficient time for service providers to complete the processing of all
orders and establish service on the new contracts before the expiration
of FTS2001/Crossover Bridge contracts.
In concert with Networx transition, Einstein will be deployed at
the appropriate external connections, including Internet points of
presence; 14 departments and/or agencies have currently deployed
Einstein. Einstein is an intrusion detection system managed by DHS to
collect, analyze, and share aggregated network computer security
information across the Federal Government. As a result of these
deployments, agencies maintain an awareness of their network while DHS
maintains awareness of Government-wide information security threats and
vulnerabilities. With this information, agencies will be able to
quickly take corrective action and reduce their risk to a manageable
level.
Agencies are also taking advantage of products and services offered
by the Information System Security Line of Business (ISSLOB). This
initiative, led by DHS and OMB was introduced in the Spring of 2005. An
inter-agency Task Force identified common solutions to be shared across
Government. The Task Force identified common solutions in four areas:
security training; FISMA reporting; situational awareness/incident
response; and selection, evaluation and implementation of security
solutions.
All agencies were asked to submit proposals to either become a
Shared Service Center (SSC) for other agencies, or migrate to another
agency from which they would acquire expert security awareness training
services and FISMA reporting services. DHS helped coordinate the
selection of SSCs, and agency implementation of these services.
As of November 2007, 12 agencies had implemented security awareness
training services provided by three approved SSC, and 13 agencies had
begun using FISMA reporting services provided by two approved SSC. As a
result, agencies are beginning to reduce duplicative investment in
common security tools, ensuring a baseline level of training and
reporting performance, and are able to refocus their efforts to other
complex and critical security issues at their agency. OMB expects
agencies will fully report the number of employees trained via the
ISSLOB in their fiscal year 2008 annual FISMA report.
Finally, vulnerabilities result from weaknesses in technology as
well as improper implementation and oversight of technological
products. Over the past year, in collaboration with NIST, the
Department of Defense, the National Security Agency, and Microsoft, we
have developed a set of information security controls to be implemented
on all Federal desktops which are running Microsoft Windows XP or
VISTA. This set of controls, known as the Federal Desktop Core
Configuration (FDCC) is currently being implemented across the Federal
enterprise. By implementing a common configuration, we are gaining
better control of our Federal systems, and allowing for closer
monitoring and correction of potential vulnerabilities. Security
configurations provide a baseline level of security, reduce risk from
security threats and vulnerabilities, and save time and resources. In
particular, security configurations help protect connections to the
Internet and limit the download of Internet applications to only
authorized professionals.
In addition to the desktop configuration, we are also working with
the vendor community to make their applications safer. As part of this
program, NIST has developed testing tools for use by both Federal
agencies and vendors. NIST awarded Security Content Automation Protocol
(SCAP) Validation to three products as of February 4, 2008. These
products and their associated validation information can be found at
http://nvd.nist.gov/scapproducts.cfm. Three independent laboratories
have been accredited by the NIST National Voluntary Laboratory
Accreditation Program (NVLAP) for SCAP Product Validation testing. The
list of accredited labs is available at the same URL. We are very
optimistic this program will greatly enhance the security of our
Federal desktops, and, of our Federal enterprise as a whole. To help
agency procurement officers ensure that new acquisitions include common
security configurations, we have provided agencies with recommended
procurement language. This language can be found in our Memorandum M-
07-18, ``Ensuring New Acquisitions Include Common Security
Configurations,'' at http://www.whitehouse.gov/omb/memoranda/fy2007/
m07-18.pdf. Currently, the Federal Acquisition Council is in the
process of adding similar language to the Federal Acquisition
Regulation.
These initiatives described in my testimony today in combination
with other administration initiatives (including: IPv6, HSPD-12,
minimum communications capabilities for continuity of Government and
continuity of operation plans, and IT Infrastructure Line of Business)
address our potential security gaps, help agencies optimize their
information infrastructure, and facilitate appropriate network
consolidation and configuration. In turn, agencies will be able to
better manage their information infrastructure, allowing them to reduce
risks to an acceptable level.
In closing, OMB is committed to a Federal Government with resilient
information systems. The dangers posed by the internet must not be
allowed to significantly affect agency business processes or disrupt
services to the citizen. I would like to acknowledge the significant
work of agencies and IGs in conducting the annual reviews and
evaluations. This effort gives OMB and the Congress much greater
visibility into agency security status and progress.
While notable progress in resolving IT security weaknesses has been
made, problems remain in agency implementation and new threats and
vulnerabilities continue to materialize. Work remains to continue to
improve the security of the information and systems supporting the
Federal Government's missions and manage the risk associated with these
systems. To address these challenges, OMB will continue to work with
agencies, GAO, and Congress to promote appropriate risk-based and cost-
effective IT security programs, policies, and procedures to adequately
secure our operations and assets.
Chairman Thompson. Thank you very much.
The Chair now recognizes Mr. Jamison for 5 minutes.
STATEMENT OF ROBERT D. JAMISON, UNDER SECRETARY, NATIONAL
PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND
SECURITY, ACCOMPANIED BY SCOTT CHARBO, DEPUTY UNDER SECRETARY,
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF
HOMELAND SECURITY
Mr. Jamison. Thank you, Mr. Chairman.
Chairman Thompson. Congressman McCaul and Members of the
committee, I appreciate the opportunity to update you on the
Department of Homeland Security's efforts to improve America's
cybersecurity posture.
I also appreciate the committee's interest in the Cyber
Initiative. The Department and our interagency partners are
committed to an ongoing engagement with Congress in an
appropriate setting on the classified aspects of our
activities.
In my role as under secretary for the National Protection
and Programs Directorate, one of my most important programmatic
activities has been cybersecurity, and I have served as the
lead DHS official for the Cyber Initiative since last summer.
I am pleased this morning to be joined on this panel by my
esteemed colleagues from OMB, Karen Evans, and the former DHS
chief information officer and just recently appointed deputy
under secretary, Scott Charbo.
Secretary Chertoff identified cybersecurity as one of the
Department's top priorities for 2008, and the President's 2008
and 2009 budgets reflect this priority. We are aware of, and
have defended against, malicious cyber activity directed at the
U.S. Government. We take these threats seriously and remain
really concerned that this activity is growing more
sophisticated, more targeted and more prevalent.
The nature of the threat is diverse, ranging from
unsophisticated hackers to very technically competent
adversaries using state-of-the-art intrusion techniques. Many
of these malicious attacks are designed to steal information
and disrupt, deny access to, degrade or destroy critical
Federal information systems.
Over the past 4 months, the Department has provided this
committee with several classified briefings on a number of
different cyber-related topics, including threats. The
Department and our interagency partners remain committed to an
ongoing dialog with Congress in an appropriate setting on these
classified topics.
DHS has the lead responsibility for assuring the security
resiliency and reliability of the Nation's information
technology and communications infrastructure. Since 2003, the
Department has been investing in the development of a nimble,
effective cyber emergency response capability and a culture of
preparedness. These activities have positioned DHS to play a
key role in this important initiative we will discuss today.
We have established the National Cyber Security Division to
focus on securing cyberspace. In NCSD, we have built a 24�7
watch, warning and response operation centers to defend against
and respond to cyber attack, the US-CERT. US-CERT has developed
and deployed an Einstein program, which provides Government
officials with situational awareness about malicious activity
across the Federal civilian network so we can protect against
and respond to cyber threats more effectively.
Under the National Infrastructure Protection Plan
framework, we have also worked closely with our private sector
partners to develop 17 sector-specific plans, which all include
a cybersecurity component.
We are here today because we must do more. The Federal
Government has a vast information interstate system with
thousands of points of access. At last count, the Federal
network had at least 4,000 access points. Defending the Federal
system in its current configuration is a significant challenge.
Implementing effective defensive strategies requires a
manageable number of access points. Therefore, we are working
with OMB to reduce the number of access points.
As we reduce the number of access points, we plan to employ
an enhanced intrusion detection capability, enhanced Einstein.
While valuable, currently our Einstein capability is limited.
We do not have comprehensive coverage, and it is a delayed flow
analysis tool. We need to enhance the capability through
comprehensive coverage across our Federal system external
access points and upgrade Einstein to detect malicious activity
in real time.
Our goal is a comprehensive, consistent intrusion detection
capability that is informed by our full understanding of the
threat.
Mr. Chairman, the threat is real. To defend our networks, a
comprehensive situational awareness capability must augment the
foundation already in place at the Department. We will achieve
this improved situational awareness by consolidating our
Federal connections, enhancing our intrusion detection
capabilities, improving our threat assessment and information-
sharing capabilities and building a stronger watch and warning
system.
These changes, coupled with an investment in our people,
processes and systems, will enable the Federal Government to
apply the full capabilities to the defense of our networks.
Thank you for the opportunity to update you today on DHS'
efforts to improve America's cybersecurity posture, and I
welcome the questions.
Thank you.
[The statement of Mr. Jamison follows:]
Prepared Statement of Robert D. Jamison
February 28, 2008
introduction
Chairman Thompson, Congressman King, and Members of the committee,
I appreciate the opportunity to speak about the Department of Homeland
Security's ongoing efforts to improve cybersecurity. I also appreciate
the committee's continued interest in the Department's cybersecurity
activities and in particular the Department's role in Comprehensive
National Cybersecurity Initiative. As we have done since last year, the
Department and our interagency partners will continue to engage with
the committee and Congress in an appropriate setting on the classified
portions of our activities.
As our economy, critical infrastructure, and national security
become more reliant on technology, it is essential that we take
proactive measures to enhance the security and resiliency of the
information technology (IT) systems and networks on which we rely. We
face increasing global threats to our cyber infrastructure, and the
exploitation of vulnerabilities is facilitated by the widespread
availability of tools, techniques, and information. The Department has
made progress in enhancing the cybersecurity of the Nation; however, we
recognize the need to take deliberate action to reinforce and build on
those efforts as the threat grows. To underscore the Department's
efforts in this area, Secretary Chertoff has identified cybersecurity
as one of the top priorities for the Department for 2008. The enacted
fiscal year 2008 and the President's proposed fiscal year 2009 budget
reflect the necessary investment for this priority.
The Department has outlined four areas of focus within
cybersecurity to guide our efforts over the coming year. First, we are
enhancing Federal cyber situational awareness, intrusion detection,
information sharing, and response capabilities. Second, we are
expanding the Department's cadre of cybersecurity personnel, its
capabilities, and its services to our public and private sector
partners. Third, we are strengthening our efforts to integrate
cybersecurity into Federal, State, private sector, and international
preparedness, response, and resilience efforts. Finally, we are
developing and promoting the adoption of proven cybersecurity practices
with Government, private sector, the general public, and the
international community.
Today, I will provide an overview of the Department's efforts to
improve cybersecurity across Federal departments and agencies will
focus on our first priority. Specifically, I will address two programs
focused on cyber risk reduction across the Federal enterprise: the
Trusted Internet Connections initiative (TIC) and the EINSTEIN program.
cybersecurity: a departmental priority
As Under Secretary for the National Protection and Programs
Directorate (NPPD), I oversee the Directorate's efforts to advance the
Department's mission of risk reduction, which encompasses identifying
threats, determining vulnerabilities, and targeting resources where
risk is greatest, including to our critical information systems. A key
area within this mission includes the Office of Cybersecurity and
Communications' (CS&C) efforts to improve cybersecurity by reducing
risk to the Nation's cyber infrastructure and maintaining the
resilience of our communications systems. The 2007 National Strategy
for Homeland Security articulated the importance of this mission by
recognizing that many of our essential and emergency services,
including our critical infrastructure, ``rely on the uninterrupted use
of the Internet and the communications systems, data, monitoring, and
control systems that comprise our cyber infrastructure. A cyber attack
could be debilitating to our highly interdependent [Critical
Infrastructure and Key Resources] and ultimately to our economy and
national security.''
Global threats to our cyber infrastructure and to the services,
systems, and assets that depend on them continue to increase. The
nature of the threat is large and diverse and ranges from
unsophisticated hackers to very sophisticated adversaries. We are
seeing more state-of-the-art intrusion techniques designed to disrupt,
deny access to, degrade, or destroy critical information systems and
steal our intellectual capital and proprietary information.
The Department is positioned to address these threats through our
watch, warning, and response capabilities; our information sharing and
coordination efforts with the public and private sectors; and our
programs and initiatives through the National Cyber Security Division
(NCSD) and United States Computer Emergency Readiness Team (US-CERT).
These programs and initiatives are designed to carry out our mission of
preparing for and responding to incidents that could degrade or
overwhelm the operation of our Federal IT and communications
infrastructure.
securing federal departments and agencies
Since its inception, the Department of Homeland Security has been
working to strengthen Federal and critical infrastructure systems and
enhance our cyber operational response capabilities. The Department
established a number of programs and initiatives to coordinate efforts
with Federal departments and agencies to improve cybersecurity. These
programs focus on enhancing situational awareness, increasing
collaboration across Federal operational security teams, preventing
cyber incidents, and providing inter-agency coordination during a cyber
event.
The Department conducts outreach to Federal departments and
agencies to raise cybersecurity awareness with operational security
teams and senior official through channels such as the Government Forum
of Incident Response and Security Teams (GFIRST). GFIRST is a community
of more than 50 incident response teams from various Federal agencies
working together to improve Federal Government security. The Department
sponsors the annual GFIRST Conference, which fosters greater
information sharing among IT security professionals from various
departments and agencies. The 2007 conference garnered unprecedented
attendance, including more than 550 IT professionals, representing
numerous Federal departments and agencies, including more than 100
attorneys from the Department of Justice. We expect similar success at
the upcoming GFIRST Conference in June 2008.
To enhance collaboration on control systems security across the
Federal Government, NCSD established and facilitates the Federal
Control Systems Security Working Group, consisting of over 30
Government organizations. Since late 2006, this group has been
developing a Federal Coordinating Strategy to Secure Control Systems,
which seeks to place related Federal control systems activities into a
unified framework, assess opportunities for sharing and leveraging
information and resources, and identify possible gaps in Federal
efforts. In addition, NCSD is working with other Federal organizations,
such as the Tennessee Valley Authority and the U.S. Army Corps of
Engineers, to provide control systems specific tools in their areas of
responsibility.
NCSD co-chairs the National Cyber Response Coordination Group
(NCRCG) with the Department of Justice (DOJ) and the Department of
Defense (DoD) to coordinate response to a cyber incident across the
Federal Government. The NCRCG serves as the principal interagency
mechanism for providing subject matter expertise, recommendations, and
strategic policy support to the Secretary of Homeland Security during
and in anticipation of a cyber incident. The NCRCG comprises senior
representatives from Federal agencies that have roles and
responsibilities related to preventing, investigating, defending
against, responding to, mitigating, and assisting in the recovery from
cyber incidents. The senior-level membership of the NCRCG helps ensure
that during a significant national incident, appropriate Federal
capabilities will be deployed in a coordinated and effective fashion.
To ensure processes and procedures involved with response to cyber
incidents are up-to-date and comprehensive, the Department sponsors
exercises to allow participants in the public and private sector to
examine their cyber response capabilities. In February 2006, the
Department held the first National Cyber Exercise--Cyber Storm--to
examine various aspects of our operational mission, including
collaboration with Federal departments and agencies. The Department and
other participants continues to address lessons learned and after-
action items from the exercise. Progress made to improve response
processes and procedures will be measured in Cyber Storm II, which is
scheduled for March 2008. Cyber Storm II will simulate a coordinated,
large-scale cyber attack on four of the Nation's critical
infrastructure sectors. The exercise will include participants from 18
Federal departments and agencies, 9 States, over 40 private sector
companies, and 4 international partners. For the Federal Government
Cyber Storm II will exercise strategic incident response decisionmaking
and interagency coordination in accordance with national-level policies
and procedures. The exercise will strengthen the ability of
participating organizations to prepare for, protect against, and
respond to the effects of cyber attacks.
US-CERT is the Department's watch and warning mechanism for the
Federal Government's internet infrastructure. It provides around-the-
clock monitoring of Federal network infrastructure and coordinates the
dissemination of information to key constituencies including all levels
of Government and industry. In addition, US-CERT serves as the main
component for helping Government, industry, and the public work
together to respond to cyber threats and vulnerabilities. A main area
of focus for US-CERT is our work with Federal departments and agencies.
US-CERT provides Government partners with actionable information needed
to protect information systems and infrastructures. In addition, US-
CERT leverages its technical expertise to further efforts to secure
Federal networks and systems through targeted programs, such as the
Trusted Internet Connections (TIC) initiative and EINSTEIN.
Trusted Internet Connections Initiative
The Trusted Internet Connections (TIC) initiative is a multifaceted
plan to improve the Federal Government's security posture by
significantly reducing the number of Federal external connections.
External connections include, but are not limited to, any connection
outside a department or agency, such as government-to-government
connections and Internet access points. Currently, there are several
thousand Federal external connections. The existence of such a large
number inhibits the Federal Government's ability to implement
standardized security measures effectively. The TIC initiative aims to
reduce and consolidate the number of external connections to create a
more clearly defined ``cyber border.'' Fewer external connections will
enable more efficient management and implementation of security
measures and reduce avenues for malicious attacks. Once fully
implemented, the TIC initiative will facilitate security
standardization for access points across the Federal Government.
The Office of Management and Budget (OMB) maintains oversight of
the TIC initiative, and implementation relies on the technical
expertise of US-CERT, all participating Federal departments and
agencies, and the Information Systems Security Line of Business (ISS
LOB). The ISS LOB is part of the President's Management Agenda to
expand Electronic Government. The goal of the ISS LOB is to address
those areas of information security which are common to all agencies
and are not specific to the mission of any individual agency,
ultimately resulting in improved information systems security. OMB has
selected DHS as the managing agency for the ISS LOB, and DHS, through
the NCSD, is leveraging its role in the ISS LOB to enhance the TIC
initiative.
OMB announced \1\ the TIC initiative to the heads of Federal
Government departments and agencies in November 2007, subsequently
outlining the specific steps departments and agencies should take as
part of the initiative, including compiling a comprehensive inventory
of each department and agencies' existing network infrastructure. Each
department and agency is required to develop a Plan of Actions and
Milestones (POA&M) to reduce and consolidate the number of external
connections with a target completion date of June 2008. NCSD is in the
process of reviewing initial POA&M submitted to NCSD, via the ISS LOB,
for review to ensure completeness and alignment with the goals and
objectives of the TIC initiative. In addition, US-CERT and the ISS LOB
created an interagency technical working group to establish, for OMB's
approval, a list of requirements and standards for the implementation
of each TIC. Once approved, these requirements will be passed to the
department and as for implementation.
---------------------------------------------------------------------------
\1\ The TIC was announced in OMB Memorandum 08-05.
---------------------------------------------------------------------------
The reduction of external connections will have a number of
benefits for the Federal Government, particularly when coupled with
other security measures. First, fewer external connections will provide
the ability to establish a central oversight and compliance function.
This central function will benefit Federal systems by facilitating the
implementation of standardized information security policies. In
addition, the TIC will enable the implementation of 24-hour watch and
warning capabilities across the Federal Government and enable faster
and more effective response to cyber incidents. The TIC will also
enable the rollout of an intrusion detection system across Federal
networks to provide better situational awareness, earlier
identification of malicious activity, and overall, a more comprehensive
network defense.
The EINSTEIN Program
The EINSTEIN program is another critical element of our efforts to
increase cybersecurity across Federal departments and agencies.
EINSTEIN is a collaborative information-sharing program that was
developed in response to increasingly common network attacks on and
disruptions to Federal systems. The program was initially established
to help departments and agencies more effectively protect their systems
and networks and to generate and report necessary IT-related
information to US-CERT. EINSTEIN enhances situational awareness of the
Federal Government's portion of cyberspace, allowing US-CERT and
cybersecurity personnel to identify anomalies and respond to potential
problems quickly. EINSTEIN is presently deployed at 15 Federal
agencies, including the Department of Homeland Security, and US-CERT is
in the process of deploying EINSTEIN across all Federal departments and
agencies. With the TIC initiative providing a reduced number of
external connections, EINSTEIN will be able to more effectively monitor
activity across Federal Government networks.
The EINSTEIN program supplements departments' and agencies'
intrusion detection systems by monitoring their networks from outside
their firewalls, 24 hours a day, 7 days a week. EINSTEIN utilizes an
automated process for rapidly collecting, correlating, analyzing, and
sharing government computer security information with US-CERT and
department and agency system administrators. EINSTEIN utilizes a
specific tool set to analyze network flow, which is comprised of a
brief summary of a network connection, including source, destination,
time, bytes, and packets transferred.
US-CERT deploys EINSTEIN to Federal departments and agencies, along
with all necessary hardware, software, support services, and staff
training. Once implemented within a Federal department or agency,
EINSTEIN identifies and establishes a baseline for normal network
operational activity. From this baseline, security personnel are able
to identify unusual network traffic patterns and trends, such as
configuration problems, unauthorized network traffic, network
backdoors, routing anomalies, and unusual network scanning activities.
With this information, security personnel can quickly identify,
prevent, and respond to potential problems.
EINSTEIN analyzes the information collected and posts it to a
secure internet portal, which only approved personnel can access.
System administrators from participating departments and agencies
review their data and determine if any mitigation activities are
necessary, often in collaboration with US-CERT. Simultaneously, US-CERT
personnel analyze the data from participating department and agency
networks to determine if any recurring patterns and trends exist,
potentially indicating the presence of malicious cyber activity
targeting the Government as a whole. If US-CERT finds such patterns of
unusual activity across multiple agencies, US-CERT notifies appropriate
stakeholders and coordinates mitigation and response actions as
necessary.
EINSTEIN already has proven successful in enhancing security within
the Federal Government. For example, through the Department of
Transportation's (DOT's) participation in the EINSTEIN program, we were
able to quickly detect malicious activity and prevent it from infecting
other government computers. In this case, a computer worm had infected
an unsecured government computer in a U.S. Government agency. When the
worm, in its attempts to increase its network of infected computers,
tried to attack DOT's network, EINSTEIN detected the unusual traffic.
After further investigation, US-CERT discovered the worm and worked
with the affected departments and agencies to prevent its spread.
EINSTEIN reduces the time it takes to gather and share critical
data on computer security risks from an average of 4 to 5 days to an
average of 4 to 5 hours. Quick notification results in the Federal
Government being able to respond to incidents and mitigate potential
problems more efficiently and effectively. Government-wide deployment
of EINSTEIN will further enhance the ability of US-CERT to gain a more
comprehensive view of Federal systems, increasing US-CERT's analytic
capabilities and augmenting the extent and quality of US-CERT's
information sharing activities. Together with the TIC, broad deployment
of EINSTEIN will increase our ability to address potential threats in
an expedited and efficient manner.
conclusion
Securing the Nation's IT systems and networks in an environment of
increasing global threats by agile and sophisticated adversaries is a
difficult challenge that requires a coordinated and focused effort.
Secretary Chertoff's prioritization of cybersecurity for the year ahead
underscores the importance of this challenge. Accordingly, the
Department is working with its Federal partners to develop and
implement a holistic strategy for securing our Federal networks and
systems.
We have established a strong foundation of programs and activities
to address the dynamic threat, and we continue to expand and improve
upon those programs through new and enhanced efforts. The TIC's
reduction of Internet access points and EINSTEIN's situational
awareness capabilities are examples of initiatives designed to prevent
the disruption of Federal critical infrastructure from unauthorized
users that penetrate Federal systems and steal or compromise vital or
sensitive information.
Government-wide deployment of TIC and EINSTEIN enables strategic,
cross-agency assessments of irregular or abnormal Internet activity
that could indicate a vulnerability or problem in the system. These
programs enhance Federal Government cybersecurity by providing more
robust security monitoring capabilities to facilitate the
identification and response to cyber threats and attacks. They
contribute to the improvement of network security, increasing the
resilience of critical electronically delivered government services,
and enhancing the survivability of the internet.
The Federal Government is committed to increasing its capabilities
to address cyber risks associated with our critical networks and
systems. Every Federal department and agency plays a role in and adds
to the protection of our Nation and its citizens from cyber threats.
Thank you for your time today, and I am happy to answer any
questions from the committee.
Chairman Thompson. Thank you very much.
I thank the witnesses for their testimony.
I now remind each member that he or she will have 5 minutes
to question the panel.
I now recognize myself for the first set of questions.
Mr. Charbo, we had a hearing in June of last year where Mr.
Langevin chaired the subcommittee, and it was quite revealing
that a number of attacks had occurred on our system, and
perhaps we were not as notified, or you and your Department, of
many of those attacks until a contractor informed you of that.
The infamous, ``You don't know what you don't know,'' comment
was in response.
Now, to the extent possible, since that hearing, can you
give this committee the follow-up as to what you have
instituted in your previous position and this present position
to prevent such attacks?
Mr. Charbo. Thank you, Mr. Chairman.
At that hearing, we were asked about some of the security
notifications that we have had on our networks through our
intrusion detection systems. In 2005, we looked at the current
contract that we had on those local networks. We identified
gaps, and we put dollars in place to fill a lot of those gaps,
including putting contract support in place for that. We also
identified a need to recompete that contract, which we have
done.
It is true that at the time of that hearing, I had not been
read into any of the specific threat vectors that are in place
and that we are now aware of. The first briefing that we did
have was with OMB--that was to the general CIO Council, and
since that, we have had follow-up briefings. This initiative
has caused a number of briefings, and my staff and I have also
gone out and pretty aggressively looked toward any sources we
can to identify briefings that get beyond a sensitive but
unclassified or even a secret level.
At the time, we said, ``We are only focused on the data.
That is all we can look at in terms of data of intrusion sets,
et cetera, to identify anything back to whether it is a nation
state attack or what is the nature of the vulnerability.'' We
are still in that phase. There's a handful of issues that we
are continuing to look at. Those in a classified state. We take
every security incident very seriously at the operation.
At the Department of Homeland Security, we have instituted
several issues since I have started at that Department. The one
we have spoke about many times is OneNet. We have said very
publicly, ``That is the most important IT project that we can
put in place at the Department.'' That is a consolidation of a
wide area of points of access. It mirrors very closely to what
the TIC effort is about.
We want to put state-of-the-art intrusion detection at
those access points that includes Einstein and other services.
We have put that in place. We have put a security operations
center in place that is 24�7.
We are beginning to peer to those from our different
components at the Department. We have raised the
classifications of the CIOs, of our security, administrators,
of our network administrators, of our deputy CIOs so that no
longer are they just getting an unclassified brief. Quite
honestly, what you get in that state is just a piece of
information that is very difficult to interpret back to any
attribution at all or to identify what the gaps are.
What makes it even more difficult at the Department of
Homeland Security is we are an immigration agency, which we
have clients from outside of this country who are trying to
receive information on our public points of access, as well as
law enforcement points, as well as border and port agencies. So
we have done a number of things before the hearing, since the
hearing in order to shore up our security operations at the
Department, including doing a number of recompetitions and
rebuilds of certain applications, moving it to our points of
access, which were part of the OneNet project.
Chairman Thompson. Thank you. We will come back to some
other questions.
I yield to the Ranking Member for questions.
Mr. McCaul. Thank you, Mr. Chairman.
I just want to follow up on the Chairman's line of
questioning, because at the last hearing, when you testified,
it did raise some serious concerns. You are the chief
information officer for the Department of Homeland Security.
There is a major threat of intrusion into our Federal networks,
and yet you are not read into, as you said, read into the
threat factors at the time. I understand you didn't know what
you didn't know, but who was responsible for ensuring that you
had that information, that didn't get you that information that
you should have had?
We talk a lot after 9/11 about silos and not connecting the
dots, not sharing information, and yet we have what I consider
to be a major breach at the Federal level of not sharing
information that should have been shared with you. I mean, you
are the CIO of Homeland Security, and you didn't have this
threat factor information.
Can you tell me what happened? Then I think you explained
what you have done to correct that; that is the good news. You
had a clearance, I assume, at the time. But you said you have
upgraded now all the CIOs, they have the clearance to share
that information.
What happened back then?
Mr. Charbo. It is difficult to tell what happened, sir. The
briefings that we get are on a compartmentalized basis. They
are tear lines between information moving down from
classifications level. Most of the information that we got
prior was at an unclassified level. At that point, it is very
difficult to interpret that.
If I can bring this back to the hearing point, in terms of
the enterprise network, I think this is an issue that is going
to have to be addressed across a lot of the components--raising
classification levels, moving information onto secure networks
and not trying to do this on our unclassed networks--and that
is going to be a training, a clearance issue, a network issue.
We have addressed that.
Once we do have the information at Homeland, I think we
have moved very aggressively in terms of raising the visibility
with our key points. We have taken that to mean our CIOs within
the Department, our security officers within the Department,
our network administrators. We can bring together in classified
settings, action those and then task those on in an
unclassified point of presence.
All I can say is, prior to that there were gaps in that.
Mr. McCaul. You suffered from that gap, obviously, and I
think as we move forward with this initiative and as Congress
provides its oversight in how best to implement this
initiative, that has got to be one of the key factors to make
sure the CIOs for each of the major Federal agencies involved
with this initiative are certainly read into the classification
level to share that kind of threat information. I mean, we have
gotten the reports that the Federal Government has had massive
intrusions into its Federal networks, and it seems to me the
CIOs of these agencies should be aware of that fact to better
protect itself.
I know this is part of the initiative, but I would
encourage you to make this a priority in this initiative, and
we will be looking at that issue.
Mr. Jamison, did you have a comment?
Mr. Jamison. Yes, sir. Congressman, you are exactly on
point: This is one of the fundamental challenges that we are
facing, and a lot of the threat information was extremely
classified. What we are talking about trying to do is get
comprehensive situational awareness.
So as we improve our Einstein deployment, improve intrusion
detection, we are also coordinating with our intelligence
components and all of the Federal Government agencies that have
threat information so we can get more real-time information to
the CIOs and to the network operation centers and security
operation centers so that they can take defensive action. That
is the top priority.
Mr. McCaul. My second question is, under this initiative--I
am a believer in clear lines of authority. When you have these
mergers and partnerships and sharing agreements and what not,
you need to know who is in charge and who is in charge of the
budget.
Under this initiative, can you tell me--maybe Mr. Jamison--
who is in charge here?
Mr. Jamison. Sure. First, let me caveat this statement by,
I would be happy to give you a detailed briefing on the full
budget, including the classified parts in a close session.
For what we are talking about today, for the TIC
consolidation, we share the lead with OMB on helping them
consolidate internet access points, but we have the lead to
deploy the intrusion detection, to own, operate and manage the
intrusion detection and come up with that comprehensive
situational awareness picture.
There are many more parts to this initiative that I can't
discuss openly in this forum and would be happy to give you a
classified briefing on that.
Mr. McCaul. I understand that. I think at one of the
hearings that the Chairman of the subcommittee, Langevin, and I
had, we had testimony that the DHS was not really coordinating,
certainly as well as we would hope, with the Department of
Defense, and I know that may be getting into a classified area.
I hope that is an area that will be focused on as well. They
certainly have great expertise in this area that I think the
DHS could be of great value to you in terms of the
coordination. So I certainly hope that takes place.
Then, last, we heard about the declassified operation,
Aurora, where the Idaho National Labs found a vulnerability
where a power grid could be shut down, exploited, with the
click of a mouse. That causes, obviously, shockwaves, I think,
through not only in the Federal Government but also the
administration and the Congress, in terms of the vulnerability.
That is great work, though, in terms of detecting that
vulnerability and fixing it.
Can I hear from you maybe some of the lessons learned from
this project and what you are doing to protect the United
States?
Mr. Jamison. Sure. I think it was a success story. I think,
as always, when you look back there is always room for
improvement. But what happened with the Aurora vulnerability is
research that was funded by the Department of Homeland Security
through our lab networks identified the vulnerability. Once we
identified the vulnerability, we worked through the national
security infrastructure protection process and our interagency
partners to validate that there was a vulnerability and
actually develop mitigation plans.
We developed those mitigation plans and tested those
mitigation plans and actually came up with a dissemination plan
within that NIPP framework, leveraging both our interagency
partners and the Federal Government and our private sector
partners and drove those implementation plans.
We continue to monitor the implementation plans. We are
pleased with the results. What we must continue to do is make
sure that we are able to validate that those measures are still
being taken in the field and we continue to pursue enhanced
cybersecurity.
But I do think it was a success story, especially given the
fact of the sensitivity of the information and the challenges
with trying to get implementation measures down the field while
you don't highlight a vulnerability, and I think the system
worked.
Mr. McCaul. I agree with that and look forward to hearing
more about it.
Thank you, Mr. Chairman.
Chairman Thompson. Thank you very much.
I now recognize the gentleman from Rhode Island and
Chairman of the subcommittee for 5 minutes, Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. I appreciate you
yielding, and I appreciate the witnesses for their testimony. I
have deep appreciation for the Chairman's line of questions, as
well as the Ranking Member, about who knew what when and this
issue of silos.
Obviously, the Department of Homeland Security being the
lead agency for security needs to know what threats we are
facing and making sure that the dots are connected, and I
haven't been satisfied previously that that had been happening.
I hope that this is changing, and we heard some of that in your
testimony today.
I am not going to go on about that, but I will say,
obviously, for years now, our Federal networks have been under
attack, and I believe that the infiltration and exploitation of
these networks is one of the most critical issues confronting
our Nation. The acquisition of our Government's information by
outsiders undermines our strength as a Nation, and if sensitive
information clearly is stolen and absorbed, our systems are
hacked by our adversaries, clearly, we are strategically
harmed.
I don't believe that this administration, at least up until
now, has made cybersecurity the priority that it should be. I
believe that is starting to change, and with the right vision
and leadership, I believe we can improve security of our
Federal networks and our critical infrastructure.
There are some promising elements of the Cyber Security
Initiative, but there are still some gaping holes, and I just
want to assure the American people that under Chairman
Thompson's leadership and the work that we are doing on our
subcommittee that we are going to continue to perform robust
oversight of this issue.
In terms of questions, in terms of what I see as gaps, what
I want to know is, how many and what kinds of connections does
the trusted internet connection cover? For instance, does the
TIC cover government-to-contractor network connections? Because
we know that it is not only about the security on networks but
authorized intrusions. We need to be secure about that.
We had problems right at the Department of Homeland
Security where we had contractors plugging unauthorized laptops
into our own network, which you have viruses on there that
infiltrate our networks. So you could be securing your networks
but if you have unauthorized access, that is a problem.
Also does it cover Federal-to-State and local connections?
What about public service e-gov Web sites, such as student
loans at the Department of Education or Social Security or the
IRS e-file site? How about law enforcement internet connections
used for investigative purposes?
So I would like you to answer that, as well as what will
the Cyber Initiative do to secure federally owned or privately
owned critical infrastructure, such as nuclear power plants and
the electric grid from cyber attacks? As part of the TIC
consolidation, will you consolidate connections between
federally owned critical infrastructure and the internet? In
other words, will dams operated by the Bureau of Reclamation or
power plants operated by the TVA consolidate their connections,
and will you install Einstein on these connections?
Ms. Evans. I would be happy to answer the first part of the
question, which is, what types of connections, and the way that
we are approaching it is, it is all external connections.
As you clearly outlined, any external connection to an
entity causes or poses a risk. So all agencies were required to
report back to DHS by the guidance of OMB to tell how many
external connections, and that is all of them, whether it is
going to a Federal contractor, whether it is your internet
point of presence, whether it is a direct connect between you
and another. If it is external to your operation, it counts and
it is being looked at as part of this effort.
Because we need to manage the risk associated with those,
because this is a shared responsibility of managing the risk by
department, by department. They all have to look at what type
of information they have, what type of services they are
providing and then manage the risk accordingly to that.
So they have all reported in. We gave them a reporting
template. We have the number baseline of connections that they
have right now so that we can then move to optimize those going
forward.
Mr. Langevin. And the second part of the question?
Mr. Jamison. I will just follow up on the critical
infrastructure.
As Karen mentioned, we are focused on all external
connections and getting those external points solidified. The
initial focus of the effort is to get the dot-gov networks
under stronger intrusion detection management and situational
awareness.
We are continuing our dialog through the NIPP process on
critical infrastructure and how we better manage cybersecurity
in those areas. We will continue to engage them and develop a
stronger plan, and some of those initiatives we will be happy
to talk in more detail about in a classified session.
Mr. Langevin. That is promising. We are going to continue
to follow up on that.
Mr. Chairman, with your indulgence, I do have one last
question. Have we ever done a full damage assessment of Federal
agency networks or DHS networks? If not, why not, and will this
be covered under the Cyber Initiative?
Mr. Jamison. Not to my knowledge that a full damage
assessment has been done, but I will say that we investigate
known intrusions and make sure that each agency follows up and
has that responsibility, and Karen may want to go into more
detail about that.
US-CERT has played a support role in investigating
intrusion activity and making sure that we follow up with
damage assessments from known intrusions.
There is a broader effort to do a more detailed risk
assessment, as we move forward with this initiative on the
total risk picture for the Federal Government, as we address
those risks.
Karen, you may want to follow up on that.
Ms. Evans. I would like to clarify a couple of pieces here.
One, under the FISMA, Federal Information Security Management
Act, agencies do need to do an assessment right off the bat on
all their systems, and the guidance has been given out to the
agencies, and we report on this on an annual basis. So all
systems are categorized by high-, medium- and low-risk, and we
report on that. Then they all have to do testing, have security
controls in place and then also then evaluate what that is. So
we report on that on an annual basis. That report is due March
1 every year.
Mr. Langevin. If I could just stop you there, because that
is a risk assessment. That is different than a damage
assessment.
Ms. Evans. I am going to get there.
Mr. Langevin. Okay.
Ms. Evans. So the second part of that is, as a result of
the loss of data that happened at the VA situation with the
personal identifiable information, we put additional procedures
in place so that as agencies have things happen--we also now
have a BPA available for all agencies so that they can then do
an assessment after the fact so that they can then go in and
see how much damage has actually occurred, what they are
supposed to do.
The policy is in place, they have teams that are in place
at the highest levels of each department so that as they lose
data, they are supposed to assess it, what is the risk
associated with that, and then take proper precautions and
proper notification associated with it.
Mr. Langevin. Okay, but that is prospectively. You are
saying that we have not and we are not going to do a damage
assessment----
Ms. Evans. No, sir. They need to do a damage assessment
each time things--that is how the policy is set up now. So they
do an assessment as each incident occurs and as they report the
incidents in. So they report incidents into US-CERT. They have
to make an assessment at that point depending on the type of
incident, by the categories we have, and then they have to
continue on doing the assessment. You are calling it a damage
assessment; we call it a risk, data breach type of assessment
so that they can then take the appropriate actions.
That is whether you turn it over to law enforcement,
whether you have to notify individuals for the services that
you have done if their information may have been compromised or
notify your partners so that they are aware of what has
happened within your entity to be able to share for more
awareness across the board.
So we have enhanced our procedures to make sure that that
is being done on a consistent basis.
Mr. Langevin. I yield back, Mr. Chairman.
Chairman Thompson. Thank you very much.
We now yield 5 minutes to the gentleman from Pennsylvania,
Mr. Dent.
Mr. Dent. Thank you, Mr. Chairman.
My question is to Mr. Jamison.
Mr. Jamison, I guess my first question is, who is in charge
of the Cyber Initiative and who is going to hold the budget
authority for it?
Mr. Jamison. Congressman, for the portions that we are
talking about today, with the TIC consolidation, we share the
lead with OMB, but the $115 million budget supplemental that
addresses this issue of deploying Einstein and dramatically
ramping up our comprehensive situational awareness, DHS has the
budget authority for that and are owning, operating and
managing that equipment.
I would be happy to go into more details in follow-up
briefings on the rest of the classified budget and who has the
leads for the other pieces.
Mr. Dent. I guess in a follow-up to that question, if the
initiative is spread across the entire Government, who is going
to have the ultimate control over how everybody is working
together? Obviously, Mr. McCaul pointed out some gaps and
people not knowing things that they needed to know, apparently,
so who is going to have that ultimate control to make sure that
people are actually working together on this?
Mr. Jamison. Let me answer the question in a couple of
ways. The director of national intelligence has a coordination
role for all aspects of the initiative to help coordinate the
project management of those initiatives. Each individual agency
that has authorities and responsibilities under the initiative
have that responsibility.
We would be happy to come back in a classified session and
give you a lot more details on that aspect.
The Department of Homeland Security plays a key role in the
protection of the dot-gov and Federal networks from an Einstein
perspective and has a lead role in that. We also have a
coordination role across the cybersecurity domain, and we would
be happy, as that develops, the plan for that develops, to come
back up in a classified session and lay out in detail how that
coordination role is going to be played out to coordinate all
of the activities across the Federal Government.
Mr. Dent. Thank you for that answer.
It is also my understanding that US-CERT is going to be
able to view the content of communications over government
networks. I guess the question is, why is this important, and
what information will they be collecting, and what will they do
with it?
Mr. Jamison. First of all, if I may, I brought a couple of
props with me, if I can ask one of----
Mr. Dent. Please.
Mr. Jamison [continuing]. My employees to come up. I would
like to, kind of, explain to you what the differences are.
So if you get the other two first, I want to show this.
Mr. Dent. We can't see that, by the way. Well, maybe some
of you can but not me.
Mr. Jamison. Can you take it up to the Congressman?
Our current Einstein capability is a flow analysis tool, so
if you look at the current Einstein flow records, this is the
basic information that Einstein captures: IP addresses, the
size of data packets and where is information is flowing from
network to network. We capture that and then once day, or
routinely, we download it. The other chart shows you the types
of analysis that we do on that information.*
---------------------------------------------------------------------------
* Copies of the charts have been retained in committee files.
---------------------------------------------------------------------------
So we are trying to detect patterns, we are trying to
detect malicious IP addresses and to do analysis on activity
that would look suspicious or have malicious intent. It is
delayed and our effectiveness--and we have got good analysts--
but our effectiveness is limited to how good our analysts are.
Where we want to go is we want to be able to detect the
malicious code that we know about. When an adversary or an
intrusion has a signature of malicious code, we want the
sensors to be able to scan for that malicious code and alert us
when we know that we have malicious activity.
Let me point out that this is no different than intrusion
detection capabilities that are on Federal systems today. They
all have commercial capability to do intrusion detection. What
is different is that we are going to have comprehensive
coverage of our external points to make sure that we have got
intrusion detection at all those points.
We are also going to make sure it is consistent so the same
intrusion detection is consistent, and it is going to be
informed by the knowledge of the Federal Government of what we
know about the threat, so we will have the latest signature
information on the threat comprehensively across the Federal
Government.
So it addresses some of the concerns that I have heard from
the committee today about not knowing all the threat avenues
and one agency knowing more threat information than another.
This is the intent, to get to comprehensive situational
awareness.
Mr. Dent. Thank you.
Real quickly, the specific role of US-CERT, the
administration is requesting, I guess, about $100 million more
than was enacted last year, and so I guess the question is, how
are you going to spend this US-CERT money?
Mr. Jamison. It really breaks down into a couple of
different components. The majority of it is in deploying the
equipment, so the intrusion detection equipment to the sites.
We also have a large chunk of money, about $43 million, for the
2008 budget in facilities as we ramp up our capabilities to add
more people.
We have to build the backend analytical capabilities. So
just as I have shown you, some of the analysis has to be done
on flow records. We need to build our capability to do analysis
on that, to handle a much larger percentage of the traffic.
Currently, our Einstein capability handles a very, very, very
small percentage of the Federal Government traffic. We want to
expand that to 100 percent through this initiative, so we have
to back up our analytical capability.
It also will allow us to build our malicious malware
analysis labs and those things and expand them to handle the
additional volume.
Those are the major components.
Mr. Dent. Thank you. I yield back.
Chairman Thompson. Thank you very much.
We now recognize the gentlelady from California, Ms.
Harman, for 5 minutes.
Ms. Harman. Thank you, Mr. Chairman, and thank you for
holding this hearing.
As I think the witnesses know, Members of this committee
have received a number of classified briefings on the threat.
Obviously, we are not discussing the threat here, but since my
focus over all my years in Congress, all 100 years that I have
served in Congress, has been on security threats, I take that
kind of information very seriously, and I think the threats are
substantial, starting with hackers but going on to much bigger
threats.
I have been sitting here with my mouth open. I think that
this hearing reminds me of FEMA trailers, the Government doing
something and 2 years later deciding that it is toxic and
taking it away. I think while all of you are well meaning and
working hard at your jobs, the fact that you don't have the
threat information and that you are working on projects that
will take years to complete is absolutely shocking. Let me
repeat that: I think it is shocking.
If we are serious about these threats--and I am serious
about these threats--we are not being serious about our
response to the threats. It is not timely, I don't get any
sense of urgency, I don't think much of it will work.
As an example, as we all know, most of the cyber network is
in the private sector. I think, absolutely, everybody knows
that. You have been talking about private sector collaboration
and cooperation. My understanding is the private sector
considers Einstein too passive, and it doesn't deliver
information in real time.
So how is it that we are going, in real time, have a
response to a very significant threat? I just don't see it
happening. I don't see DHS being able to do it within DHS, let
alone coordinate a response across our Government. So I am
sitting here really concerned about that.
Second, I hear from constituents all the time in my
district. They are really aware of programs that involve having
access to personal information of American citizens. Obviously,
for this program to work, as you have been discussing, there
has to be some collaboration with some of our security
agencies, like NSA and DOD.
I have no doubt that you are working on, and that we have
been briefed on, some legal protocols about all that and that
there is an effort to protect privacy. However, I assure you
that constituents of mine listening to this hearing--and I am
sure they are all tune in, even though it is pretty early in
California--are thinking about this as, ``Government sets up
new spy network.'' That is how they are going to receive this
information.
So let me ask you to respond--all of you--to what I have
just said, two parts. No. 1, is this in real time and fast
enough to mount a serious response to a serious threat? No. 2,
what would you advise me to tell my constituents who are going
to call me this afternoon and ask me how I am going to stop
this latest government spy network into their personal privacy?
Mr. Jamison. Thank you, Congressman, I will address those.
The previous charts I put up were trying to get exactly to that
point. Obviously, I could do a better job of explaining it. But
I would say that right now our Einstein capability is passive.
We are looking at flow records, we are not looking for
malicious activity, we are doing it after the fact, and we want
to move that to real-time intrusion detection capabilities. So
we want to make sure we lock down our nodes of access to the
Federal Government and give ourselves real-time malicious
activity intrusion detection.
So that is exactly the intent of this. We are aggressive
about it. We are going to be employing--as we ramp down the
number of locations, we are going to be deploying that
equipment this year. As you can tell by our budget request, we
have ramped up our capabilities to respond to that.
Second, on the privacy issue, I can tell you one thing:
First of all, privacy and civil rights has been a top priority
for this. We have had our privacy folks and our civil rights
folks involved in this from the very start. Current Einstein
has a privacy impact assessment that is public. We are
currently in the process of doing a privacy impact assessment
for the new capability as we move it forward, as well as full
legal review, and we take that matter very seriously.
But I would like to add that the capability that we are
talking about for detecting that malicious activity in real
time is no different than a commercial intrusion detection
capabilities at many agencies and every corporation in America
has on their systems. The issue is, it is going to be
comprehensive, it is going to be consistent, it is going to be
informed by our threat information.
Ms. Harman. It is going to be massive, and it is going to
be across the Government and possibly across the private
sector. So it is a little bigger than any of the other networks
or tools that individual companies have, right?
Mr. Jamison. We are not talking about the private sector
right now, we are talking about the Federal Government node and
the traffic coming into the Federal Government.
Ms. Harman. Got it.
Other people have any answers to my two questions?
Ms. Evans. Yes, ma'am, I would like to answer those
questions as well.
In everything that we are talking about and even on the
threat information and the vulnerabilities that we are all
aware of, this all starts with a defense in depth. There is no
silver bullet, we all know that, and so there are several
things that the agencies are doing that, first and foremost,
most of these come from exploiting known vulnerabilities and
through configuration management.
There is a very extensive effort, and I mentioned this in
my testimony and we did this jointly with the NSA, which is set
up the way that FISMA was intended where they would do
standards in an open setting, and then we would go through the
process that the Commerce Department has. So we have set up 700
settings that then reduce the vulnerability and then make sure
that what we are doing is building that in right up front.
So some of these things that are common sense we are going
ahead and trying to take care of that on a mass basis. That is
also then going to be built into the computers that get
delivered to the agencies. So in spite of themselves, they will
be successful, because they will be coming configured securely.
That is the first thing that we are doing, because those things
we should take those right off the table, and that should not
be an issue.
The other thing that the agencies are doing are also
encrypting all their data--data at rest, data that is mobile--
so that should that happen, that then it becomes harder. So you
are raising the threshold up.
Then we are also using two-factor authentication, which
then makes sure that people who are authorized, you know that
those are the people who are supposed to be on your networks.
So we have these in place. The agencies are rolling out,
they have these measures, they are implementing these, and they
are upgrading their security as they go forward.
As part of privacy and security, that is an administration
concern, has always been. It is a high priority, and we have
been doing all of these activities in a very transparent way,
so that everyone can comment on what we are doing. The privacy
impact assessments are out there. We put it through the Federal
Register notice process so that it is done in a very
transparent way to make sure that the citizens know how we
intend to protect that information.
Ms. Harman. Did you want to comment?
If he could just finish his response, I would appreciate
that. Thank you.
Mr. Charbo. I would just add that the Einstein program is
only a part of the total cyber effort. We are really focused on
also changing the way networks are operated. That is down at
the operator level. In terms of just their situational
awareness, their training and how they react and respond on a
daily basis to operations, as well as to how we procure, how we
also configure the different things, which Ms. Evans just went
into.
Chairman Thompson. Thank you.
The gentleman from Georgia, Mr. Broun.
Mr. Broun. Thank you, Mr. Chairman.
I would like to just go a little further with a question
that Mr. Dent asked you all.
Secretary Jamison, it is my understanding that you all can
view the content of all the dot-gov connections, and I am
concerned about privacy too, as Congresswoman Harman is. We
have had your folks from civil rights as well as the privacy
protection of DHS come testify before this committee, and the
question I have or frustration I have is, I don't really see
beyond just DHS how folks in my district, privacy is really
going to be protected. It looks almost like the fox guarding
the henhouse, proverbially.
As a United States Marine, I am very concerned about the
security of this Nation, and as an original intent
constitutionalist, I believe that national security and what
you guys are doing is the prime purpose of the U.S. Government.
But I am not convinced, as I think Ms. Harman is not convinced,
that privacy is going to be protected in the process of
developing these cyber protections within the government
connections.
I encourage you to try to find something beyond Einstein
that is going to be focusing on the bad guys and not focusing
just on the general public but finding some way to protect the
privacy of American citizens, the good guys. As I see DHS
developing these policies, when I go through security at
airports or all these other things, it just looks to me as if
we are focusing more of our resources, which are very limited,
more of our personnel, greater and greater bureaucracy on
focusing upon all us good guys and not on the bad guys.
Can you assure me or tell me how you all maybe can go to
Einstein 2.0, or whatever the system is, that is going to
protect the privacy rights of American citizens, the good guys,
and make sure that we don't have these security threats within
the cyberspace of the dot-gov connections?
Mr. Jamison. Thank you, Congressman.
First of all, let me say that this is a comprehensive
initiative, and there are a lot of agencies involved, and it
has a comprehensive plan. We want to make sure that we have the
opportunity to brief that to you in full in a classified
session.
From the standpoint of privacy, it is a top concern. We are
currently not looking at content, as you put it. That is where
we need to go.
Mr. Broun. Not looking at any content.
Mr. Jamison. Not currently. We are proposing that we are
going to do that.
Mr. Broun. That is my concern, too.
Mr. Jamison. We are going through a privacy impact
assessment to do that and make sure that we follow all the
civil rights and civil liberties that are associated with that.
Congressman, the threat is real. Our adversaries are very
adept at hiding their attacks in normal traffic and the normal
everyday traffic that comes across the network very well could
be disguised, and it could be malicious. So the only true way
to protect your networks is to have intrusion detections. It is
what everybody has on all their networks now. It is not just
consistent in the Federal Government, and it is not informed by
our latest threat information of what we know. That is what we
are talking about.
There are a lot of other activities that we need to do to
focus on improving cybersecurity beyond just this and the
effort that we are talking about today, and we are working on
that, and we would be happy to brief you on that in a detailed
session.
Mr. Broun. Okay. Thank you very much.
Mr. Chairman, thank you. I yield back.
Chairman Thompson. Thank you very much.
We now yield 5 minutes to the gentleman from North
Carolina, Mr. Etheridge.
Mr. Etheridge. Thank you, Mr. Chairman.
Let me thank you for being here. I must confess, I join Ms.
Harman in listening to the testimony this morning.
So, Mr. Jamison, given the hundreds of cyber incidents that
have taken place over the last few years, how would you rate
the Department's response to cybersecurity, A through F?
Mr. Jamison. It's been a while since I have been in school.
I think currently we are----
Mr. Etheridge. Well, you find the number you want to, I
will be happy.
Mr. Jamison. I think we are a solid C, and if you will
allow me to expound on that from the standpoint of, as I
mentioned before, our current capability from a US-CERT
standpoint, and I am strictly talking about----
Mr. Etheridge. Let me just say something: If you say a
solid C, you know, I was a State superintendent of schools for
a few years, that is sort of average, at best.
Mr. Jamison. That is why we are here, Congressman.
Mr. Etheridge. That isn't even close to being good enough
in what we are talking about for the American people. But I
will let you continue, because I have another question
following that.
Mr. Jamison. Congressman, that is why we are here. As I
said in my opening statements, we need to do more. Currently,
from a DHS and US-CERT perspective of having that
responsibility across the Federal domain, we need to have more
comprehensive----
Mr. Etheridge. All right. Given that then, can you tell
this committee what accountability has been put in place,
because there are well-recorded numbers of breaches in the
Government system? What accountability do we have in place when
that happens? If it happens on my watch, what accountabilities
am I accountable for?
Mr. Jamison. Well, I will defer to Karen to talk about the
FISMA accountabilities and some of their requirements that each
CIO has.
Ms. Evans. We hold the agencies accountable through a
quarterly process. We manage, through the President's
management agenda, on the score card. However, when incidents
occur, agencies are held accountable. We do work with them to
ensure--because, first and foremost is when it does occur, that
there is a proper response, because it is involving the
citizens' data, and, first and foremost, we have to make sure
that the way that we handle that response is addressing their
immediate needs and that we take the proper precautions in
place to ensure that the citizen then knows that we are
addressing that.
Yes, sir.
Mr. Etheridge. Let me follow up on that, because I think
that leads to a little broader question in that area, because
every year OMB says that agencies are implementing more
security controls on their computers, yet every year the number
of successful penetrations in the Federal networks rise. This
means that every year we lose more and more information to our
adversaries.
That being true, OMB measures success by the percentage of
certified and accredited computer systems, but even the stamp
of approval that you are just talking about, sensitive data
tends to seep out, okay?
That being true, are we using the right metrics? The second
part of that question, shouldn't we be measuring our ability to
stop attacks or at a minimum use our ability to detect and
respond to attacks as the correct metric? Wouldn't that seem to
be a better metric to use in terms of where we are than just
measuring the other pieces? I mean, that just seems common
sense to me.
Ms. Evans. Okay. I would agree with you that initially when
we first started this process, when FISMA's predecessor was the
Government Information Security Act, and many of the Members
have brought this up: Initially, agencies didn't know what they
didn't know. So metrics evolved, and these are the first sets
of metrics that we use so that agencies could make sure that
they knew what their inventory was. Because if you don't know
what you own, then you can't manage it appropriately and know
the risk associated with it.
So the first set of metrics and the things that we have
measured may need to improve, and we have talked to Congress
about this and GAO, because we are now--and I would agree with
you that the metrics that we look at are more output-oriented
right now, and we are moving now to a level of more
performance, such as the types of metrics that you are talking
about, because----
Mr. Etheridge. Seems to me that is how you measure it.
Ms. Evans. Absolutely, and you know what the baseline is
now. We know what these systems are, we know how the agencies
are categorizing the systems, and there is consistency across
the board.
Mr. Etheridge. My time is running out. Let me touch one
more point, if I may get it in, because I think this is
critical.
Because it seems to me there are flaws on the on-the-job
training. I mean, we have already heard that. If we aren't
giving proper training and ongoing training, management
practices within Federal agencies where workforces do not
understand the effects of their actions on national security. I
mean, what are we doing to train employees? That is the other
side of it. We have got to measure both pieces, and that
metric, it seems to me, has to change, if we are going to get--
because if we do the same thing we have always done, we are
going to get the same results we have always gotten.
Ms. Evans. May I answer?
Mr. Etheridge. Please.
Ms. Evans. Thank you, sir.
Okay, so we pick certification and accreditation because it
is a soup-to-nuts process. If an agency approaches the process
for compliance, checks the box, because I have to tell OMB and
then it goes to Congress, we aren't going to get the result
that we intend.
But if you look at the process associated with that, all
the issues that you brought up, when you certify an accredited
system, you have to know what it is, you have to analyze the
risk, you have to put together rules of behavior so that each
user, as they sign on, know what they are supposed to do and
the consequences associated with not doing that.
The last part of that also is residual risk, because the
manager in charge needs to say, ``That service is important. I
will live with this risk. Here is the compensating control and
hold me accountable.''
That is really how the process is supposed to work, and
that is where we have to now move it to the next level so that
we are actually achieving the result versus a paperwork
exercise where we just get a bunch of paper and people are
producing stuff and people don't really know what their
responsibility is and what they should be held accountable for.
Mr. Etheridge. We are doing a lot of work.
Ms. Evans. We are improving it.
Mr. Etheridge. But the results are meager for the
investment, and we have got to do better to protect the
American people. I really believe that. Thank you.
Thank you.
I yield back, Mr. Chairman.
Chairman Thompson. Thank you.
The gentleman from Texas, Mr. Green, for 5 minutes.
Mr. Green. Thank you, Mr. Chairman. Thank you and the
Ranking Member for holding this hearing, and because I know
that time is of the essence, I will move as quickly as
possible.
I have a few questions, and thank you, witnesses, for
appearing today.
Is it true, Mr.--is it, Charbo, am I pronouncing it
correctly?--Mr. Charbo, that you were the CIO of Homeland
Security at a time when some intelligence reports about hacking
were known to other agencies but not reported to you? Is this
true?
Mr. Charbo. Well, sir, I am not sure what was reported to
other agencies. My assumption is, is that is probably correct.
Mr. Green. Okay. At a 2007 hearing, according to the
intelligence that I have, the Department of Homeland Security
CIO, Scott Charbo--that would be you--told the committee that
he had never received any intelligence reports about nation
states hacking and that he was unfamiliar with the activity.
Mr. Charbo. The response, I believe, was that we had had
one. I had had one previous to that hearing, which was
sponsored through the CIO Council----
Mr. Green. Yes, sir.
Mr. Charbo [continuing]. And at that time, there was
nothing that pointed back to DHS.
Mr. Green. You were not familiar with it. There were others
who knew but you did not know; is this true?
Mr. Charbo. Not by the name, I believe, that was being
discussed at the hearing. I mean, obviously, we had heard about
nation state hacking and different nations, but I had never had
a briefing that pointed back to the Department. They were all,
basically, in general at a lower classification level.
Mr. Green. Well, did it happen? Maybe I should start there.
Did this happen? Was there actually a hacking that took place?
Mr. Charbo. At the Department?
Mr. Green. Yes, sir.
Mr. Charbo. We have lots of security events at the
Department. Whether or not those are nation states----
Mr. Green. Whether they are nation states--all right, let's
talk about nation states. Was there a nation state hacking?
Mr. Charbo. Yes, there are a few that we are looking at,
and we would have to address that on a classified level.
Mr. Green. Okay. Is it your opinion that we have not had
any cross-agency intelligence failures?
Mr. Charbo. I certainly think it can be improved, and I
think that is what this effort is about.
Mr. Green. All right. Well, let me go to my next question.
Is it true that we had a contractor charged with securing
networks at the Department, and this contractor did not install
intrusion detection systems?
Mr. Charbo. Those are gaps that we identified, and that we
had them put in place.
Mr. Green. Is that a true statement?
Mr. Charbo. That is a true statement.
Mr. Green. Okay. The question becomes then, what are the
consequences when we have these kinds of occurrences? Have we
ever had a contractor terminated for failure to perform to the
level that this contractor failed to perform? Terminated. We
are not talking about renewing a contract. But have we ever had
one terminated?
Mr. Charbo. Well, I can only speak to this incident. I
mean, from a broader contracting perspective, that would have
to go to our contracts. We did recompete this contract.
Mr. Green. Let me ask you about what you know? Do you know
of any contractor ever having been terminated?
Mr. Charbo. I can't speak to anything specific.
Mr. Green. So you don't know of one.
Mr. Charbo. To my knowledge, I don't know of that.
Mr. Green. Okay. Do you know of anyone who has ever been
fired for failure to properly provide intelligence across
agencies that should have been provided?
Mr. Charbo. I couldn't put a name on it, but, certainly, we
have had contractors removed.
Mr. Green. Well, now I am talking about a person being
fired as opposed to a contractor. We went through the
contracting and you indicated that you didn't know about the
contractors.
Mr. Charbo. The question is?
Mr. Green. The question is, have we had anybody fired? Has
anybody ever been fired?
Mr. Charbo. To my knowledge, I have never fired a Federal
employee. We certainly have responded to performance, but I
have not fired a Federal employee.
Mr. Green. Do you know of anyone that has ever been fired
for failure to perform in this area of sensitive security
information transmission?
Mr. Charbo. I can't speak to anything specifically.
Chairman Thompson. Will that gentleman yield?
Mr. Green. Yes, sir.
Chairman Thompson. In the interest of making sure we get
the record straight, Mr. Charbo, that incident that was
referred to by Mr. Green I think it was the committee staff
that brought it to your attention of your shop that there had
been some problems with a contractor that you all were not
aware of. I think after that was brought to your attention, you
all moved forward and looked at it.
Please.
Mr. Charbo. The one incident that I believe is being
referred to was made aware of by our staff. What was incomplete
was the closure of that because of the different opinions. I
mean, much of this hearing is about the level of data that you
receive on a particular event. One analyst can look at a piece
of data and have one interpretation. Several others can look at
it and have different interpretations. A lot of that is
dependent on the situational awareness that an individual has.
In this case, that is what was presented to me. That
coincided with the hearing. We asked for that information. At
that time, I turned that over to our security group and said,
``I have conflicting information here. It is something for you
to look at.''
I believe that is currently still under investigation, sir.
Mr. Green. All right, Mr. Chairman, thank you.
Chairman Thompson. Thank you very much.
We now have three votes on the floor, and we have concluded
all of our witnesses and our questions for the witnesses. I
would like to thank them for their valuable testimony. The
Members of the committee may have additional questions for the
witnesses, and we will ask that you would respond expeditiously
in writing to those questions.
Hearing no further business, the committee stands
adjourned.
[Whereupon, at 11:27 a.m., the committee was adjourned.]
A P P E N D I X
----------
Question From Honorable Yvette D. Clarke for Honorable Karen Evans,
Administrator for Electronic Government and Information Technology,
Office of Management and Budget
Question. Ms. Evans, it is my understanding that you have worked
with Director Will Pelgrin, head of NY State's Cyber Security Office
and the chair of the Multi-State Information Sharing and Analysis
Center, including coordination on the Data-at-Rest Smart Buy program.
Can you describe your involvement with this effort with the State and
local governments and what were the results?
Answer. SmartBuy is a Government-wide initiative which leverages
the Federal Government's requirements and buying power. As a member of
the governance board, we help determine the priorities and technical
requirements to be included in SmartBuy efforts. A major effort of the
SmartBuy program was the Data-At-Request (DAR) Blanket Purchase
Agreements (BPAs) to provide encryption products to Federal agencies,
NATO, and State and local governments to protect sensitive,
unclassified data on mobile computing devices and removable media.
Protecting DAR is increasingly critical in today's information
technology (IT) environment of highly mobile data and decreasing device
size. Personal identity information or sensitive Government information
stored on devices such as laptops, thumb drives and personal digital
assistants (PDAs) can be unaccounted for and unprotected, and can pose
a problem if these devices are compromised. In addition to saving
taxpayer dollars, the DAR BPA enhances DAR information security and
requires vendors to meet stringent technical and information assurance
requirements.
OMB Memorandum M-06-16, Protection of Sensitive Agency Information,
issued in June 2006 was a key impetus for the actions resulting in
these agreements. Two months after OMB issued this memo, the DoD Data-
at-Rest Tiger Team (DARTT) was developed to address technical
requirements. Eventually, the DARTT evolved into an interagency team
comprised of 20 DoD components, 18 Federal agencies and NATO, with
State and local governments joining in March 2007. These requirements
were presented to the governance board and accepted.
The State and local governments are participating under GSA's
Cooperative Purchasing Program, which allows them to purchase IT
products and services from both GSA's Multiple Award Schedule 70 and
Consolidated Schedules that have IT special item numbers.
To date 127,296 licenses have been issued across 15 States
(including local governments). This has resulted in savings of $24.1
million on purchases of encryption software through use of these
Federal DAR contracts and approximately $8 million using the special
State and local government offers--for a total of more than $32 million
in savings/cost avoidance to date.
Question From Honorable Yvette D. Clarke for Honorable Robert D.
Jamison, Under Secretary, National Protection and Programs Directorate,
Department of Homeland Security
Question 1. Secretary Jamison, how much of the Infrastructure
Protection and Information Security (IPIS) account in the fiscal year
2009 budget request is intended to support State and local Government
cybersecurity activities?
Answer. The Department of Homeland Security collaborates with a
broad range of security partners, including State, local, and
international governments, private-sector owners and operators, and
individuals, in its efforts to improve the Nation's cybersecurity
posture. Specifically, the Department's United States Computer
Emergency Readiness Team (US-CERT), the national focal point for
coordinating the defense against and response to national cyber
attacks, engages with State and local governments by sharing
information with States and providing direct support to States
requiring response and recovery assistance. Budgetary support for State
and local government cybersecurity efforts is embedded within the
Department's many programs and activities and does not maintain a
specific line item; however, the Department does provide funding to the
Multi-State Information Sharing and Analysis Center (MS-ISAC). Much of
the increase in funding to cybersecurity will result in improved
situational awareness of threats, intrusions, and response methods
across the Federal domain. State and local governments will benefit
from this enhanced focus.
Through a contract with the Department, the MS-ISAC supports a
number of operational and awareness activities. The current contract
with the MS-ISAC, spanning from November 2007 through November 2008,
totals $1,694,825, and a similar amount is estimated for fiscal year
2009. These activities include operating the MS-ISAC State and Local
Operations Center for Cybersecurity, which collaborates with US-CERT
and contributes to State and local cybersecurity by maintaining
situational awareness of the State cyber landscape; by hosting bi-
monthly webcasts with cybersecurity experts for the general public to
raise awareness about emerging cybersecurity issues; and by developing
cybersecurity educational materials offering best practices, tools, and
tips as part of the Department's national cybersecurity awareness
efforts.
In addition to the funding provided to the MS-ISAC for these
efforts, the Department has dedicated staff to support ongoing MS-ISAC
efforts. This includes more than two full-time equivalents who liaise
with the MS-ISAC to ensure coordination with the Department on current
State and local government efforts by engaging in MS-ISAC activities,
including various working groups to help with the creation, production,
and dissemination of education and awareness resources for use by the
States; and by participating in regular meetings as well as the MS-ISAC
annual meeting. In addition, Department staff members work to oversee
the fulfillment of the statement of work. Staff support to and
coordination with the MS-ISAC is estimated at $270,000 annually.
An important component of the Department's work is its support of
efforts to advance State and local cybersecurity activities. In
addition to funding provided to support the MS-ISAC, the Department has
committed significant resources, through various programs and
activities, to help State and local security partners address their
cybersecurity preparedness and response needs and effectively manage
cybersecurity issues.
Question 2. Secretary Jamison, how much of the increased funding to
DHS for cybersecurity initiatives to address improvements in the
security posture of State and local governments is specifically set
aside for programs to be coordinated or performed by the Multi-State
ISAC?
Answer. The Cyber Initiative is an interagency effort that aims to
enhance the security of Federal Government networks. Increased funding
has been primarily directed to enhancements for the Department of
Homeland Security's United States Computer Emergency Readiness Team
(US-CERT), the Nation's watch and warning mechanism. US-CERT provides
around-the-clock monitoring of cyber infrastructure and coordinates the
dissemination of information to key constituencies, including all
levels of government and industry. It serves as the focal point for
helping Federal, State, local, and international governments, industry,
and the public work together to achieve the appropriate responses to
cyber threats and vulnerabilities. The additional funding allocated to
enhance US-CERT capabilities is primarily focused on improving Federal
network security through programs such as the Trusted Internet
Connections (TIC) initiative and the Einstein program. It will also
result in increased level of service and information sharing with all
cybersecurity partners, which includes all of the Information Sharing
and Analysis Centers (ISACs); however, no additional funding has been
allocated to the Multi-State Information Sharing and Analysis Center
(MS-ISAC) or any other ISAC under this initiative.
Although the Cyber Initiative is focused on Federal networks, the
enhanced products and services from US-CERT will provide specific
additional benefits to State and local governments. States are
dependent upon Federal network operations and information for a range
of services and daily critical functions. Cyber threats to the Federal
networks could have potentially devastating effects on State and local
government networks given their interconnectedness. Improving US-CERT's
capabilities to monitor, detect, report, and mitigate malicious
activity will enable the Department to identify threats to Federal
networks more effectively and efficiently, thus protecting those
networks upon which State and local governments rely.
The Department recognizes the importance of State and local
government cybersecurity in its efforts to better secure the Nation's
cyber assets. Under the Cyber Initiative, programs and activities to
secure Federal networks will benefit State and local governments.
Through US-CERT's enhanced watch, warning, and response capabilities,
State and local governments will benefit from improved information
sharing of alerts, warnings, and mitigations plans. In addition, the
Department has established and maintains strong cooperative
relationships with State and local governments, and it has developed
several programs directed at addressing State and local government
cybersecurity issues. With existing and new programs, the Department
remains committed to improving the cybersecurity posture of State and
local governments.
�