[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]

ENHANCING COMPUTER SECURITY: WHAT TOOLS WORK BEST
=======================================================================

HEARING before the SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, INFORMATION, AND TECHNOLOGY of the COMMITTEE ON GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED SIXTH CONGRESS, SECOND SESSION

MARCH 29, 2000

Serial No. 106-181

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house and http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE, 69-819 DTP, WASHINGTON : 2001

For sale by the Superintendent of Documents, U.S. Government Printing Office. Internet: bookstore.gpo.gov. Phone: (202) 512-1800. Fax: (202) 512-2250. Mail: Stop SSOP, Washington, DC 20402-0001.

COMMITTEE ON GOVERNMENT REFORM

DAN BURTON, Indiana, Chairman

Majority members:
BENJAMIN A. GILMAN, New York
CONSTANCE A. MORELLA, Maryland
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
STEPHEN HORN, California
JOHN L. MICA, Florida
THOMAS M. DAVIS, Virginia
DAVID M. McINTOSH, Indiana
MARK E. SOUDER, Indiana
JOE SCARBOROUGH, Florida
STEVEN C. LaTOURETTE, Ohio
MARSHALL ``MARK'' SANFORD, South Carolina
BOB BARR, Georgia
DAN MILLER, Florida
ASA HUTCHINSON, Arkansas
LEE TERRY, Nebraska
JUDY BIGGERT, Illinois
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin
HELEN CHENOWETH-HAGE, Idaho
DAVID VITTER, Louisiana

Minority members:
HENRY A. WAXMAN, California
TOM LANTOS, California
ROBERT E. WISE, Jr., West Virginia
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, Washington, DC
CHAKA FATTAH, Pennsylvania
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
ROD R. BLAGOJEVICH, Illinois
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
JIM TURNER, Texas
THOMAS H. ALLEN, Maine
HAROLD E. FORD, Jr., Tennessee
JANICE D. SCHAKOWSKY, Illinois
BERNARD SANDERS, Vermont (Independent)

Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
David A. Kass, Deputy Counsel and Parliamentarian
Lisa Smith Arafune, Chief Clerk
Phil Schiliro, Minority Staff Director

Subcommittee on Government Management, Information, and Technology

STEPHEN HORN, California, Chairman

Majority members:
JUDY BIGGERT, Illinois
THOMAS M. DAVIS, Virginia
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin

Minority members:
JIM TURNER, Texas
PAUL E. KANJORSKI, Pennsylvania
MAJOR R. OWENS, New York
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York

Ex Officio:
DAN BURTON, Indiana
HENRY A. WAXMAN, California

J. Russell George, Staff Director and Chief Counsel
Matt Ryan, Senior Policy Director
Bryan Sisk, Clerk
Trey Henderson, Minority Counsel

C O N T E N T S

Hearing held on March 29, 2000

Statement of:
  Brock, Jack L., Jr., Director, Governmentwide and Defense Information Systems, U.S. General Accounting Office, accompanied by Jean Boltz, U.S. General Accounting Office
  Collier, Paul, division general manager, Identix, Inc.
  Nelson, Dave, Deputy Chief Information Officer, National Aeronautics and Space Administration

Letters, statements, et cetera, submitted for the record by:
  Brock, Jack L., Jr., Director, Governmentwide and Defense Information Systems, U.S. General Accounting Office, prepared statement of
  Collier, Paul, division general manager, Identix, Inc., prepared statement of
  Horn, Hon. Stephen, a Representative in Congress from the State of California, prepared statement of
  Nelson, Dave, Deputy Chief Information Officer, National Aeronautics and Space Administration, prepared statement of
  Turner, Hon. Jim, a Representative in Congress from the State of Texas, prepared statement of

ENHANCING COMPUTER SECURITY: WHAT TOOLS WORK BEST

WEDNESDAY, MARCH 29, 2000

House of Representatives, Subcommittee on Government Management, Information, and Technology, Committee on Government Reform, Washington, DC.

The subcommittee met, pursuant to notice, at 10 a.m., in room 2154, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding.

Present: Representatives Horn and Turner.

Staff present: J. Russell George, staff director and chief counsel; Matt Ryan, senior policy director; Bonnie Heald, director of communications; Bryan Sisk, clerk; Ryan McKee, staff assistant; Trey Henderson, minority counsel; and Jean Gosa, minority assistant clerk.

Mr. Horn. A quorum being present, the Subcommittee on Government Management, Information, and Technology will come to order.

This is the second in a series of hearings to examine computer security concerns in the Federal Government. The subcommittee's first hearing 3 weeks ago shed light on two important topics, awareness of the increasing number of computer threats against Federal and private computer systems, and the need for a coordinated Federal effort to meet this challenge.

History is full of claims of developing the ultimate weapon, whether it was a battleship, a supersonic fighter jet, or a weapon capable of massive destruction. Today's computer systems and networks provide the newest frontier, the weaponry of knowledge. With only a few keystrokes, computers provide massive amounts of information, information that only a decade ago would have taken months or years to compile.

It is, of course, imperative that these computers and the wealth of information they contain be protected. Nearly all computer networks are vulnerable to attack at some level, but steps can be taken to prevent or reduce those intrusions.
Organizations must focus on two areas, physical security and information security. No one would buy an expensive house, furnish it, then walk away leaving the doors wide open. Physical assets must be protected. Yet many organizations fail to take basic precautions to protect either their facilities or their computer systems.

Electronic government and electronic commerce trends should continue to dictate the way important data are exchanged. From tax refunds and health records to credit card purchases and Social Security numbers, organizations must demonstrate that the information flowing into their computers is secure.

Tools are available to help organizations and citizens protect their computers against unwanted and unruly intruders. However, they must be carefully used to ensure that they lead to meaningful improvement. Today our witnesses will talk about some of these tools that can enhance computer security at little or no cost.

We welcome our panel of witnesses. We look forward to their testimony.

[The prepared statement of Hon. Stephen Horn follows:]

[GRAPHIC] [TIFF OMITTED]

Mr. Horn. It is now my pleasure to call on the ranking member of the subcommittee, Mr. Turner of Texas, for an opening statement.

Mr. Turner. Thank you, Mr. Chairman. This is the second in a series of hearings that the chairman has designated to discuss the issue of computer security in the Federal Government, and it is apparent to all of us that we have become increasingly dependent upon computer systems and the Internet. It represents one of our greatest strengths, but perhaps also one of our greatest weaknesses and vulnerabilities. While we rely extensively on electronic data, we have become increasingly vulnerable. The General Accounting Office has stated that our computer security system is not where it needs to be to protect ourselves from cyberinvaders.
We lack an overall comprehensive program in the Federal Government to protect our computer system, and billions of dollars in Federal assets and large amounts of sensitive data are at risk to the threat of hackers, both foreign and domestic.

I am pleased that the chairman has chosen to focus upon this issue of computer security, and I look forward to hearing from each of our witnesses today.

Mr. Horn. I thank the gentleman.

[The prepared statement of Hon. Jim Turner follows:]

[GRAPHIC] [TIFF OMITTED]

Mr. Horn. Let me tell you the procedure here. Some of you have testified here before, but when we introduce you, and we will go in the order it is on the agenda, your statement, as written, is fully in the record. What we would like you to do is spend 5 minutes and at the most 8 or 10 to summarize your statement, not read it to us. We can read. Then we have more time for dialog between the three of you and dialog with the Members here today.

So we, as you know, swear in all witnesses before these subcommittees of government reform, and if you will stand, raise your right hand, we will swear you in. Anybody that is going to give you advice, swear them in, too.

[Witnesses sworn.]

Mr. Horn. The record will note that three witnesses and one helper affirmed the oath.

So we will now start with Mr. Brock of the U.S. General Accounting Office, part of the legislative branch of Congress, who does a wonderful job on both programmatic and fiscal matters. Mr. Jack Brock is no stranger to this subcommittee. He is Director of Governmentwide and Defense Information Systems for the U.S. General Accounting Office, otherwise known as GAO. Mr. Brock.

STATEMENT OF JACK L. BROCK, JR., DIRECTOR, GOVERNMENTWIDE AND DEFENSE INFORMATION SYSTEMS, U.S. GENERAL ACCOUNTING OFFICE, ACCOMPANIED BY JEAN BOLTZ, U.S. GENERAL ACCOUNTING OFFICE

Mr. Brock. Thank you very much, Mr. Chairman. Good morning to you. Good morning, Mr. Turner.
I would like to note that my license plates say Native Texan. I would also like to introduce Ms. Jean Boltz. Ms. Boltz is a senior manager in my group and actually directs a great deal of our computer security work.

Mr. Horn. That's B-O-W-L-T-Z.

Mr. Brock. B-O-L-T-Z.

Mr. Horn. I am glad I asked.

Mr. Brock. I know you have had a prior hearing on computer security, and in that hearing you discussed the importance of good security, but good computer security is important to every facet of government operations. It assures the integrity and the confidentiality of information and key processes. It is important to national security. It is important to other critical operations. It is important in assuring the integrity of transactions between the government and its citizens; and as e-commerce and e-government become more prevalent, it is the cornerstone of making sure that those services actually achieve the objectives of better government, more efficient government, more productive government.

What we found, though, in our work, as you have noted, is that at virtually every major agency that we go to, the computer security practices within those agencies don't match the importance of the topic. We or other independent auditors whose work we reviewed have found serious computer security weaknesses in virtually every major Federal agency, and these weaknesses threaten or potentially threaten the ability of these agencies to protect the confidentiality of key data, to perform critical operations, and assure the integrity of important financial and data transactions.

I have identified several examples in my testimony, but I would just like to quote here what we found at EPA, which is our most recent report. We found serious and pervasive problems that essentially render EPA's agencywide information security program ineffective.
We found that the current security program planning and management is largely a paper exercise that has done little to substantially identify, evaluate, and mitigate risk to the agency's data and systems.

What we found essentially, Mr. Chairman, is that EPA has a central network, and most of EPA's business functions operate off that network. We were able to penetrate the firewall, which was largely ineffective, penetrate limited access controls, and essentially could have had access to most of the information and processes that ran throughout the entire agency. So the entire agency in this case was vulnerable.

EPA is not alone. Recent reports at DOD, at NASA--Mr. Nelson will be talking about that in a moment--the State Department, the National Finance Center, the Veterans Administration all had serious weaknesses. I would, at the risk of preempting Mr. Nelson, say that they have made substantial strides in improving their program, and our limited followup work has substantiated those improvements.

I would like to spend just a moment, if I could, going over the common problems that we find at agencies, and we have a chart that I would refer you to. Mr. Mike Gilmore is up there handling the charts.

First of all, computer security programs have to support the organizational mission and goals of the agency. They can't be divorced from what the agency does, or they are not relevant. Running across the agency is an entitywide security program planning and management. This is what assures the relevancy of your computer security program to what you are trying to achieve at the agency.

And then under that we have found a series of problems that are present in most of our reviews. First of all, many agencies do not have relevant security program planning and management, and we are going to talk about that in a little bit, but that's the root of the problem.
When you look at access controls--access controls, you were talking about a house, access controls represent the fence around the house. They represent the lock on the door. They are not in place. Here we are talking mainly about processes that provide authentication that you are who you say you are and, second, that limit your rights to material that's relevant to you.

Software development and change controls. We are actually doing an assignment for you right now and we are meeting with your staff next week to go over the results of that. That means that when you change software, when you make changes in code, or when new software is introduced, that is tested to make sure that you are not maliciously--you are inadvertently introducing new weaknesses into your application. We find that to be a common problem in many agencies, where that testing is not done, and weaknesses are then inserted into an application that was previously strong.

The next one is on service continuity controls. There you want to maintain the ability to recover from disaster, or if the worst happens, that you are able to take strides to recover your operations and to move forward. Many agencies that we have gone to do not have good service continuity controls, would not be able to reconstruct their principal systems, and would have difficulty bringing--coming back up to speed in an acceptable amount of time.

System software controls, these are really sort of the heart and brains of many systems. These are the basic operating systems, the utilities, that if you don't have good controls over these, a hacker or an intruder can go in and assume control over the entire network by becoming a systems administrator and assuming higher powers than he or she should.
And then finally segregation of duties. If you don't separate the duties from the person who writes the code, the person who inserts the code, the person who tests, the various people who have some element of authority over the computer security, then you run the risk of empowering one person or a small number of people with too much authority. It is much like someone who might have authority over receiving funds, recording those funds, disbursing those funds, and then doing the final accounting. The more you place those duties in the hands of one or a very small number of people, you run the risk of malfeasance.

These are the problems, and you requested that we prepare for you a listing of things that you could do to fix the problems. This really falls into two categories: what can you do right now, and what do you need to do on a long-term basis to have more permanency?

Again, I am going to go back to your house example. Ideally, in a house you have some sort of an alarm system, a fire suppressant system, or whatever. In this case, the house is on fire. Building a fire suppressant system isn't going to do you much good. You have to throw a pail of water on it right now. So we have identified a number of actions that an agency can do now. Any agency could start on this this afternoon and work on it.

So, again, I would refer you to the next table up there, and we have identified a number of things in our work that can be done. The diagram there is designed so that if you take these actions, you will, in fact, be compressing risk and minimizing risk.

The first thing you need to do is to increase awareness at all levels, and at the management levels managers need to be aware that this is their information, these are their programs, that poor computer security endangers their activities that they have accountability and responsibility for.
At the user level, you need to make users aware that actions they take in terms of poor password control, sharing passwords, not following agency procedures and processes may, in fact, endanger the system, and at the technical level system administrators need to be aware that if they don't take their actions seriously, if they don't have the right kind of training, if they don't institute software patches or whatever, they are also endangering the system. So there needs to be a much higher level of awareness in most agencies.

Second, you have to make sure that the controls you have work. I know there are going to be tools demonstrated here today. Every agency has tools, and when we go into agencies, we frequently find that those tools aren't working. They are not turned on. They are not monitored. So agencies are spending money for tools, but they are not using the tools. It is very similar to the set of tools I have in my garage that my father gave me when I moved here from Texas 27 years ago. He said, you will need these tools, and I am sure I do need the tools, but they are still in the tool box. The same thing with many agencies. Tools are present, but they are not turned on, they are not monitored. You are really not sure whether they are working or not.

Third is implementing software patches. The Carnegie Mellon CERT/CC has said that most of the intrusions they get, most of the incidents that are reported to that organization, exploit known vulnerabilities, and for most known vulnerabilities there are existing patches that could be implemented. Many agencies are aware of the patches. They don't follow the advisories that are coming up from the vendors, they don't follow the advisories that are coming out from the CERT, or they don't follow the advisories that come out of their own agencies. By not patching software with known holes, they are leaving in place known vulnerabilities that offer a hacker or an intruder an opportunity to enter into their system.
Next is to identify and propagate pockets of excellence. Almost every agency we go to, regardless of their overall program and whether it is good or bad, have individual centers or individual programs that work really well. Unfortunately, they are working in concert with other programs that don't work so well, and so sometimes the good effect there is mitigated. But if agencies would identify those pockets of excellence, use those as best practices within the agency, where the agency culture to some degree has already accepted these practices, propagate those across the agency, there would be opportunities for immediate improvements.

Finally, to focus on the most common vulnerabilities first. When we go into agencies, we find throughout the agency that there is a small set of problems that come up time and time again, and surprisingly enough, when we go from one system administrator to the other, they are frequently not aware of the problems that their compatriot down the hall is facing. These need to be shared within the agency. Those need to be addressed first. Further, we are finding that many of these common problems also exist across agencies, and, again, there is very little sharing of that information across the agency.

If we could turn to the next chart, please. And these are things agencies can do now. However, computer security is very dynamic. The technology is changing in a hurry. The tools are changing. The techniques that intruders might be using are changing. So the program really has to have a sense of structure in order to make sure that the computer security program is dynamic and, in fact, changes as the threat and risk changes.

About 2 years ago we did a study of leading organizations that had good computer security, and we found a common set of practices in these agencies that we believe are appropriate for Federal agencies to use.
In fact, the Federal CIO Council endorsed these practices, and several agencies have included them within their own policy and structure. S. 1993, the computer security bill introduced by Senators Thompson and Lieberman earlier this year, also incorporates these practices.

They start off with a central focal point for computer security. Regardless of whether the agency is decentralized or centralized, the central focal point--there was always a central focal point. I think this is true at NASA, where NASA is highly decentralized, and yet Mr. Nelson is the central focal point for security.

The real cornerstone of that, though, is that agencies need to assess the risk and determine needs. Without risk assessment, you can't move to that next box and have effective controls and policies. Your controls and policies need to be built on your risk assessment. They need to be appropriate for the risks that you are facing and, from that, promote awareness.

Again, you can increase awareness at all levels on a general level, but at some point the awareness needs to be focused on your exact controls that you are using, how to use them, and on the risks that you are facing so that people throughout the organization can take appropriate action; and then, finally, monitor and evaluate. There are two parts to that. First, managers need to do their own self-evaluation so that they can continually assess where the agency is; and second, there needs to be an independent evaluation, something that we might do or the NASA IG might do that would allow both the agency and the oversight agencies or committees such as yourself to take a look at what is going on within the agency.

We feel that if this framework was adopted, truly adopted, by agencies, it would go a long ways toward correcting the common problems that we see.
By establishing a framework, we think that an agency can fulfill several key tasks: One, that agency actions are appropriately controlled and coordinated; that the testing tools are appropriately selected and tested; that personnel involved in using the tools are trained; that good practices and lessons learned are shared on an agencywide basis; that controls are systematically tested to ensure that they are effective; and that appropriate risk management decisions are made regarding the best way to address and identify problems.

I would just like to highlight that a little bit. If you do not assess the risk, the controls that you have implemented may or may not be appropriate. You may well be spending too much money. You may not be spending enough money. But almost certainly you will have the wrong kind of control in place, and you really won't address your company's problems.

In conclusion, we also believe, Mr. Chairman, there needs to be some reconsideration of the current legislative framework. The Computer Security Act and A-130, which provides the regulations for the Computer Security Act, really is a system-based piece of legislation. It is based on making every system good and that the accumulation of those good systems will, in fact, represent a good agency program. I don't think that works. It hasn't worked. Legislation needs to be considered that would, in fact, provide a management framework and a management perspective.

Also CSA has two categories of information. It is classified or nonclassified, sensitive or nonsensitive. Actually, information is graduated. Some systems are at a very low level of risk. Some are at a high level of risk, and policies need to be implemented that really reflect that gradation. It doesn't recognize the need for an independent audit, and second--or third, it doesn't recognize the need for more prescriptive guidance that would give agencies more of a framework.
Finally, there is no call for central leadership, somebody that can stir the pot, somebody that can make sure that things are being done, someone that can provide leadership across the government.

That completes the summary of my statement, Mr. Chairman.

Mr. Horn. Thank you very much, Mr. Brock. That's a most helpful summary.

[The prepared statement of Mr. Brock follows:]

[GRAPHIC] [TIFF OMITTED]

Mr. Horn. I might add, I mentioned that all of your texts will be in when we introduce you. So will your resumes. The next gentleman, the next two, have very rich resumes. Dr. David Nelson in particular has certainly been through the whole computer community, I can see, in terms of committees and responsibilities you have had. Currently, he is Deputy Chief Information Officer at the National Aeronautics and Space Administration. Mr. Nelson.

STATEMENT OF DAVE NELSON, DEPUTY CHIEF INFORMATION OFFICER, NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

Mr. Nelson. Thank you, Mr. Chairman. Members of the subcommittee, I am pleased to appear before you today to discuss NASA's views on the security of our information technology environment. I have submitted my written statement for the record. My oral summary will be quite consistent with that of Mr. Brock. I would like to emphasize three points.

My first point is the importance of a sound management framework for information technology security. Two years ago, NASA did not have a satisfactory framework.
Since then we have worked hard to align our policy, organization, funding and objectives for effective security. This began with senior management attention and support, including the recognition that information technology security is required for safety of lives and property. In an internal study, we benchmarked ourselves against good organizations and copied the best of what we found. We accepted the recommendations of the General Accounting Office review of NASA security that Mr. Brock referred to.

Our actions included issuing up-to-date policy, establishing a senior Council to set strategic directions, clarifying management responsibilities, budgeting for key tasks and collecting metrics of progress. NASA places operational responsibility for information technology security on line management, complemented by a cadre of computer security professionals who provide technical assistance and oversight.

I have mentioned budgets and metrics. If I could have the chart, please. This chart shows one of our metrics. Plotted is the number of serious incidents. Those are things like destruction of data, theft of passwords, or damage to software, versus on the X axis the percent of the information technology budget that is spent on security. Each point is a specific center, and the data is real.

Notice the trend line. As you start from the left, as the percentage of budget increases to about 2 percent, the number of incidents levels off. This suggests that spending about 2 percent of information technology budget on security gives a good return on information. Spending less increases risk, as shown by the trend line. Spending more may not add much return. We have compared notes on this metric with leading companies. They see the same sort of trend and the same sort of sweet spot.

Now, this metric isn't perfect, but it gives us a place to start. Metrics like this are our headlights. They guide our actions and indicate where we need to work harder.
My second point is the importance of training. NASA is a highly technical organization. We create and modify leading-edge information systems to serve our missions. Security risk evolves as threats and, as a result, vulnerabilities change, so our personnel must understand the principles of effective security and apply them to changing situations.

Program and project managers must be trained to evaluate risks and vulnerabilities in designing and maintaining systems entrusted to them. System administrators must be trained to properly configure and upgrade their systems, to recognize attacks and to respond to them. Users must be trained to practice good security, to recognize certain types of attack, and to know how to get help.

Over the last 2 years, NASA has developed or acquired new training material for managers, system administrators, and users. This training is now mandatory for all civil servants, and we are gathering metrics on its delivery. In addition, NASA has requested comments on a draft regulation that would require NASA contractors to adhere to the same standards of training that apply to civil servants.

My last point is the importance of appropriate tools. Security tools, which are a combination of computer hardware and software programs, help to protect systems and defend against attacks. The technical details of a particular attack may be very complicated, but once the attack is understood, defense against it can be incorporated into a tool that is easy to use by a trained person.

Organizations with modest funding, but substantial technical skills can obtain free, reputable tools from the Internet that offer good capability. However, they may not be well-documented or supported and may be somewhat difficult to use. NASA tends to purchase key commercial tools and augment them with free tools. Obviously, purchased commercial tools have a higher initial cost. However, they are often easier to use and may have a lower sustaining labor cost.
Most successful attacks are enabled by a relatively small number of weaknesses, as Mr. Brock has observed. These include lack of virus detection software; trivial passwords that can easily be cracked, that means decrypted; failures to install patches for well-known software vulnerabilities; and poorly configured computers with open vulnerability holes. Tools help us to deal with each of these classes of problems. In my written statement, I have described a number of these and the practices that NASA uses.

New problems keep appearing, along with new defenses. Thus, the tools and their use must evolve. There is no substitute for good proactive management that can respond quickly and effectively.

Unfortunately, easy-to-use tools for attacking systems are also available on the Internet, and they are constantly getting better. This means it takes less skill to mount a sophisticated attack than it used to. The ecologists would call this a classic predator-prey situation in which both predator and prey evolve quickly to secure competitive advantage.

In conclusion, NASA is facing the challenge of the evolving security universe by marshalling effective management, effective training, and effective technology. We are in an environment of increasingly numerous and serious threats, along with systems whose vulnerabilities tend to increase as they become more complicated. Fortunately, our tools and process allow us to make progress in dealing with this environment, but it is a never-ending process.

We take response--we take seriously our responsibility as stewards of the public's space and aeronautics information and systems. We are committed to working with other agencies of the executive branch and with the Congress to ensure that we maintain the proper balance between accessibility of research results and protection of our information technology investment.

Thank you for the opportunity to testify before you today. I look forward to answering your questions.

Mr. Horn. Well, thank you very much.

[The prepared statement of Mr. Nelson follows:]

[GRAPHIC] [TIFF OMITTED]

Mr. Horn. Those bells show that there is a vote on the floor, so we are going to have to go into recess for 20 minutes before we will take up Mr. Collier and then the questions. So relax.

[Recess.]

Mr. Horn. The subcommittee will now end the recess for the voting on the floor, and we will begin with Mr. Paul Collier, division general manager of Identix Solutions. You might want to tell us a little about Identix Solutions. Put in a plug so I can understand it. Go ahead, Mr. Collier.

STATEMENT OF PAUL COLLIER, DIVISION GENERAL MANAGER, IDENTIX, INC.

Mr. Collier. Thank you, Mr. Chairman. Thank you for inviting me to be a part of this distinguished panel today. My testimony will focus on technology available that offers a significant advance in the protection of computer networks and critical data systems.

The greatest challenge we face in controlling access to computers and information is positive user authentication. Recent events show that the proliferation of the Internet, our increased reliance on computer-based information and the rapid growth of mobile computing has far outpaced our ability to secure these systems.

Traditionally the use of passwords has been our best defense. Recent advances in password cracking software and increased computer processor speeds have required passwords to become more complex and changed more frequently. The human element in this new equation has been pushed to the limit. We now see more passwords written on the back of mouse pads, on desk leaves, and even on Post-It notes affixed to monitors.
In addition, users tend to leave work stations logged on and unattended because of the added inconvenience. It should be noted that there is no single technology that can serve as a panacea for positive user authentication. However, a combination of available technologies, working in concert, can provide a significant advance in addressing this need.

The positive user authentication model consists of three elements, something you have, something you know, and something you are: Something you have, such as a smart card with a digital certificate embedded in the microprocessor; something you know, a simple PIN, as few as four digits; and something you are, one or more biometrics. Someone can give an unauthorized individual their smart card or token and tell them their PIN number or password. The biometric is the only nontransferable element in this model.

Briefly, a biometric is a quantitative measurement of a unique human attribute or behavioral characteristic, such as fingerprints, face, voice, iris pattern, etc. Using fingerprints as an example in this model, a finger is placed on a sensor and then scanned. The image of the fingerprint is then processed by a series of algorithms which convert it into a binary representation or template. This template is then compared to a reference template stored either on a computer or a card-based data storage medium. Like most biometrics, you cannot reverse-engineer this binary representation and recreate the fingerprint image.

Fingerprint biometrics have been used in many civil and government programs for over 10 years. They have been very effective in reducing fraud, eliminating multiple identities, and securing access to sensitive areas. These wide-scale deployments have served as real-world proving grounds for this technology and involve many millions of people. Knowledge gained from these programs and applied to improvements and cost reductions help produce much of the commercial products available today.

The Federal Government, in partnership with industry, has made a significant contribution to the evolution of biometric technology. Biometrics would not have advanced to their present level without the help of such agencies as the Department of Defense, the National Security Agency, the Departments of Justice, Energy, Treasury and the National Institute for Standards and Technology.

Like many technologies, biometrics have become faster, better, and cheaper. An example, only a few years ago the cost to integrate fingerprint biometric technology was approximately $3,000 per computer. Recent advances have reduced the cost to less than $100 per computer. History has shown the ephemeral nature of benchmarks in information technology, and in the near future we can anticipate still further reduction in costs and improved performance.

Commercial Off-The-Shelf products are entering the government market via GSA schedule and other procurement vehicles. The recent Smart Access/Common ID procurement by the General Services Administration represents a 10-year, $1.5 billion governmentwide contract that includes provisions for biometrics used for both physical and logical access.

Mr. Chairman, with your permission, I would like to demonstrate two of the products available today. The first is configured to demonstrate the positive user authentication model that I discussed earlier. The computer work station that you see here is in a locked mode. Attached to it is a keyboard with an integrated smart card reader and fingerprint scanner. These are commercially available, and the government has really taken to this particular one. The user takes his or her smart card, which, as you can see, has the smart card chip on the back, and inserts it into the work station.
The log-on prompts the user to choose their log-on ID, enter the four-digit PIN number, which is the something-you-know portion--it is telling me I haven't put my finger on the scanner--and then place my finger on the scanner to complete the log-in process. If the user removes the smart card from the computer keyboard, the system locks.

The second product, which is available commercially, many of the components of which were developed in conjunction with the National Security Agency, is a PC card which has a built-in fingerprint scanner. This is a simple replacement for password configuration that you see here. The user need only go up to the computer, place their finger on the scanner, and the log-on process is complete, nothing to remember.

In 1998, several key companies founded the International Biometrics Industry Association. The charter is a nonprofit trade association to promote competition, establish an industry code of ethics, represent industry concerns, and serve as a single voice on major issues such as privacy, computer security, e-commerce, and legislative issues.

I would like to thank the chairman for the opportunity to appear here today and demonstrate these products to you. Thank you, Mr. Chairman.

Mr. Horn. Well, we thank you and your other two colleagues there.

[The prepared statement of Mr. Collier follows:]

[GRAPHIC] [TIFF OMITTED] T9819.027 through T9819.051

Mr. Horn. Let me just ask you about the biometric technology chart. While going over to vote and coming back, I talked with Mr. Tauzin, who is very interested in this, and he is going to have a meeting of the Internet group here on May 19th and 20th. So we hope what will come out of this testimony of yours and the previous panel a couple of weeks ago will be helpful. One of these patterns is rather interesting to me. A few years ago, the Immigration and Naturalization Service put on a demonstration in a room in the Capitol, various things they could do to identify people. I was fascinated by the one where you put your hand in. Is that on your chart, the vein patterns, paren, hand? Is that the one, or is that separate from that?

Mr. Collier. They are different technologies, though they are essentially similar.

Mr. Horn. Looking at the spread of your fingers, and they claimed it was better than fingerprints.

Mr. Collier. Well, we all have claims, I guess.
The hand geometry systems used by the Immigration and Naturalization Service, I think, were deployed in their INS-Pass Program and are still working to this day. Hand geometry is a viable technology. Fingerprints appear to be what the government has embraced because of the long experience with them.

Mr. Horn. Yes. So is there any sort of works on this that will give us an idea as to which is the better of the two between fingerprints and the hand pattern? Anybody research that?

Mr. Collier. I believe they both have their place. There are about 15 different biometric disciplines. There is no one discipline that fits all scenarios. The real issue comes down to cost per seat, per deployment. Some of the biometrics available are extremely effective, but may cost $100,000 per unit to deploy. It is never going to see widespread deployment at that cost. There are studies that have been done by the National Security Agency that are available. There are studies done by the National Biometric Test Center at San Jose State University, and Sandia Laboratories did some studies several years ago for the Department of Energy.

Mr. Horn. This is a question really for all of you, and that's based on the testimony. It appears many computer security tools are free or at little cost, and I guess the question is this: Why aren't more agencies taking advantage of all the security tools readily available to them? What is your experience on that?

Mr. Brock. Well, I think that many tools are free, are readily available. Many of the tools you can actually download from the Internet or are made available from vendors free or low charge. What we have seen is that agencies inconsistently use the tools, or they don't provide the appropriate training to understand how to use the tools, or they don't even know how to turn the tools on. So while the tools are available, they are just not used properly. That seems to be the biggest problem that we have found.

Mr. Nelson. I would agree and would add there are motivation and resources involved. As I said in my testimony, nothing is free because there is a labor cost. Many system administrators were sort of pressed into the job. They weren't well-trained. It is a new field, and many of them are overloaded because management doesn't appreciate the importance of security, so that even if they know in principle the tools are available, finding the time to acquire them, to understand them, and to deploy them and to then take action based on them is a pretty big load.

As I indicated in my testimony, at NASA we have deployed uniform suites of commercially acquired tools because our study--I won't say it was a thorough study, but we looked at the cost of labor and the ease of use, and we found that the commercial tools were a better buy for us, but then augmented by selected free tools. No tool is perfect.

Mr. Horn. I was interested in your testimony where you put the stress on training and supervision, and you remind me now on management we put a measure through here, and it is, I think, almost law, or it is still in the Senate, and that would be to give the new President, whoever that is, a chance to relate to the top management that he would bring in. Ordinarily, between the Cabinet, the independent agencies, that's about 30. Then you have got about 300 Commissioners and Under Secretaries, so forth. I think we definitely ought to get on that agenda, then, their understanding of this type of security management. If it goes up that high, and they don't understand it, I think it will--and staff will note this, and we will put it in maybe even as two words or something in what is coming out of the Senate.

Mr. Nelson. What we did at NASA at the Administrator's direction, the Chief Information Officer and I--I am Deputy Chief Information Officer--visited each of our 10 centers and headquarters and gave hands-on training briefings to the center senior and middle managers.
Now, that wasn't a lot of time, but it emphasized that we meant business, and we talked about metrics. We talked about actions we were taking. We talked about their responsibilities. It seems to be working. So I would commend the administration to think of something like that.

Mr. Horn. Yes, I agree. The way we got leadership finally on the Y2K thing in the executive branch was when Mr. Koskinen was picked and went around and sat down with all the Deputy Secretaries of each department to get them to understand that this was serious business. Any other comments on that? Mr. Collier.

Mr. Collier. The tools that are available at little or no cost need only the person's desire to implement them. We constantly see Windows basic tools for securing systems totally inactive. It is a tradeoff between security and convenience. Biometrics, we feel, brings both to the party in the sense that it does give you the speed. It is not something else to flip on and flip off. It is not something else lengthy to remember. If we look at what we have done at passwords to overcome this ability for people to break into our systems by finding out what our passwords are, it is not the dog's name anymore; it is not a simple thing that you can keep for a year, or your wife's maiden name. It is an upper/lower case, full eight-character ASCII 2 set. It is extremely difficult for anyone to remember that. Change it every 30 to 60 days, and give them three or four to remember, it can bring about a problem. So I think the real issue is utilizing the tools that are available and making the operators understand that the security is important at the risk of what little inconvenience it is going to cause.

Mr. Horn. Well, with reference to this subject, where on the Internet can organizations and citizens find these tools? Is it there?

Mr. Nelson. Let me speak to that. In my testimony I indicated two sites. One is our own NASIRC site, www.nasirc.gov. The second, that I indicated was the Carnegie Mellon CERT that I think Jack also mentioned. They have a good set of tools. With search engines and other news groups, it is probably a half-hour to get started. I mean, this is very easy to do. This is probably the easiest step. There is the step of, well, what is good and what is not so good; what is easy to use, what is not so good--what is not so easy to use. But access is the easy part.

Mr. Brock. I would agree with that.

Mr. Horn. Intrusion detection tools can either be manual or labor-intensive. Is there a better way to monitor potential intruders?

Mr. Brock. Intrusion detection tools are a necessity. What is difficult about intrusion detection tools is actually following up. I mean, if you--you have an intrusion detection tool, and you are logging in intrusions, you need to follow up. The issue that we found at many agencies is if they have intrusion detection tools, and they are logging them in, frequently they are not following up on the incidents to take corrective action or to do something to stop the intruder. That's why they are labor-intensive. You have to look at each one individually. I can't recall any intruder detection tool that would automatically fix the problem or stop the intrusion. At some point somebody has to intervene.

Mr. Nelson. Let me speak to that. Right now, and I agree with what Mr. Brock said, right now it is manual, it is labor-intensive. At NASA we require that every incident be reported to the IT security manager at the center, and then to our NASIRC, which we use as a coordination means. So we send out encrypted alerts to our security people at all centers based on the incidents reported by each center. Many of those incidents are detected by the intrusion detection tools. The security managers follow up with the system administrators to get things fixed. Again, that's quite manual.
What we are looking at and what I would encourage the industry to work harder on is automated, if you will, artificial intelligence means to identify intrusions and identify a recommended course of action. One of the things we are looking at doing, we have not done it yet, is to gather from each center--see, we are using the same tool--into a centralized analysis location what those tools are reporting and apply the artificial intelligence to the set of reports. We find that if one NASA is--one NASA center is being attacked, often several others are. These are coordinated attacks. But I repeat, the artificial intelligence tools for analysis do not appear to exist yet. It is an area that NASA is tracking carefully, and we hope that in the next year or two we will see something we can start to deploy.

Mr. Brock. If I could just add to that, Mr. Chairman, that's true. The intrusion detection tools are very immature at this point, and they are evolving. Again, another risk is that as--is once an agency or an individual buys a tool, that tool is changing rapidly, and the intrusion detection tools, they are changing very rapidly, and they are not at a stage of maturity now where they are going to provide the final answer.

Mr. Horn. Is there any way you can tell with the intrusion that the--the type of computer is doing that, or is it just hopeless? Because I am looking at individuals have one capacity generally; foreign governments do have another capacity. If any of them have something such as a Cray computer in terms of what they can spin around and test things against to break through particular firewalls, I am just curious about that.

Mr. Nelson. Usually we can tell what is called the source Internet protocol address, and that identifies the location of the attacker fairly well. Occasionally those addresses can be what they call spoofed, which means they are faked, but typically we can identify that.
Now, your discussion about the difference between an individual and a foreign country, I wouldn't make too much of that because groups of individuals are acting together, and the power of modern, even personal computers and certainly work stations is fully adequate to mount an attack that is very serious. So we pay a lot of attention to individuals. Obviously when we sense that it is a better organized group, all the way up to a government, we pay particular attention to it, but we wouldn't want to make too fine a point on that distinction.

Mr. Horn. Any other thoughts on that? OK. Mr. Brock, you mentioned in your statement that poor security planning and management is, ``the rule rather than the exception.'' So why is this posture the rule and not an exception?

Mr. Brock. I wish there was a real simple answer to that and that it would be easy to fix. It is, unfortunately, like a lot of other issues, and very similar to the Y2K issue, is that it--the actual computer security break-ins, the failings there are technical. The correction is a management issue. There have to be resources devoted to it. There have to be dollars, and there has to be training, and the people that own the processes, that own the information, that are accountable for that need to be accountable for computer security. That is not the case, and until that ownership occurs, I don't think you will see widespread, systematic repair of the poor computer security problems. I think that happened in Y2K, in large part because of the intensive oversight in Congress, in large part because of Mr. Koskinen coming on board, in large part because Federal managers were made aware there was a crisis. Those three elements have not yet been put in place for computer security.

Mr. Horn. Well, you have put them very well, and that's what I was leading to, in the sense that when Mr. Koskinen came on board as assistant to the President, he worked with the Chief Information Officer's Council and got the best out of them. And I guess I would ask, does the Federal Government need one organization or one high-ranking information technology officer to coordinate security planning and management? Do we need to continue a sort of Koskinen situation and relate it to security?

Mr. Brock. That's an excellent question. I guess when you start off saying that's an excellent question, that means you are going to be wondering about my answer.

Mr. Horn. Is there an excellent answer?

Mr. Brock. I hope so.

Mr. Horn. We are college professors. We ask questions. We don't answer them.

Mr. Brock. Well, I will go ahead with the answer now. The--I believe there needs to be a Federal CIO. I think very strongly that the information management issues, the information technology issues that run across agencies are serious. It is not just in computer security, but it is in terms of how you control your investment dollar. It is do you have an architecture that will support your business needs and your technical needs. There are a series of issues that need to be addressed on a consistent basis. I think the CIO Council has done a reasonable job of looking at some of these, but they are not in power. They don't have budget. They don't have staff. They are volunteers on this. There needs to be someone who is providing more direction, more leadership.

Now, in terms of--and I believe that in this case a Federal CIO would also be responsible for computer security. Similarly, if you decided that computer security was an important issue in terms of critical infrastructure protection, where you were also involving the private sector and you were involving physical security as well, I could easily see a role for a national coordinator for critical infrastructure protection that might be separate from a Federal CIO who would be dealing primarily with agency responsibilities.

Mr. Horn. I have one reservation here, having been in the largest educational system in the country, which is California State University system. When you put somebody in the system headquarters, everybody sort of says, oh, that's their problem, and pretty soon they forget that it is their problem. They are the campus administrators; that's where it happens. It doesn't happen in headquarters. They never educated a student in their life. A university does, and so do our departments. They are mission-oriented, and they are producing things. I worry if, say--to say, well, that isn't my business, let those people over in OMB; or if we can separate it into the Office of Management or the Office of Budget, and that's what worries me. Doesn't that really sort of let up the heat on the individual, the independent agencies, Cabinet departments?

Mr. Brock. If I could go back to the Y2K experience, I think that even though there was a national coordinator with Mr. Koskinen, he clearly held agencies accountable for their actions, as did the President. I was here for several hearings, and you were holding those agencies accountable. I think you can keep the heat on the agencies. That's where the responsibility lies for good computer security.

Mr. Horn. Right.

Mr. Brock. But the focal point, the Federal CIO, could assist in that. I do not think that the Federal focal point should become the stopgap; that this will solve the problems. That still has to occur at the agencies, but certainly a CIO at the national level could propagate good practices, could leverage resources that were available to that individual and serve a role, frankly, very similar to the one that Mr. Koskinen served.

Mr. Horn. Yes. We had a specific time period that wasn't going to be for 10, 20, or 100 years. It was just going to be a few months, and that's really what it boiled down to. And the job was very well done obviously, but that's--I need that balance, I think.

Mr. Brock. Yes.

Mr. Horn. So you don't have people say, hey, it isn't my problem, they do that over there, and wash their hands of it. I don't think that will help us at all.

Mr. Brock. No, it would not.

Mr. Horn. Yes. But we certainly ought to have somebody that had the right skills, people skills, so they aren't some czar. The czar makes my spine shudder. But so that they are a coordinator in getting people in the various systems that overlap to work together, that's the way I would view that coordinator role.

Mr. Brock. I would agree. I think that the success of any coordinator or official like that does depend very much on that individual's personal skills in terms of working with a very diverse group of organizations who have different needs and different objectives. That's a difficult job, very hard job.

Mr. Horn. That's right. Mr. Nelson, any thoughts on that?

Mr. Nelson. Yes. Just to add a bit to Mr. Brock, I agree up to possibly whether a CIO, Federal CIO, is warranted. As you know, that's being debated within the administration, and I won't take a position on that. I agree with him that one does not want to separate the computer security aspects from other aspects of management. We are focusing on computer security today because, indeed, it is a new problem. I am an optimist, and I think we are going to get this problem under control, and if we have a legacy of a fragmented management approach, it is going to take on a life of its own. A number of years ago, I worked on environmental protection and on OSHA problems, and one of the things that I pushed on was to reintegrate those functions. I called them the OSHA Mafia, back with management, because management was abdicating its responsibility, and, frankly, the Mafia in some cases were running rampant with things that didn't make sense. Now, that's a very personal observation. It's not NASA's observation.
But my experience in this area tells me that you want to integrate, you want to set high standards, you want to measure, you want to train, but you put the responsibility on the people who have to make the tradeoffs and get the job done.

Mr. Horn. I agree with you completely on that. You say it very well. Mr. Collier, any further thoughts on this?

Mr. Collier. Mr. Brock and Mr. Nelson both mentioned that communication between different agencies and even within a particular agency is a critical element here. Within the government, of course, the Critical Information Assurance Office paper that came out this past year points to that. The CIOs do have several venues in which they talk to each other. The Government Information Technology Services Board, I think, has done a good job in at least keeping the communication flowing between agencies. But I would tend to agree with you that to establish an individual to take on this responsibility may not be the proper way. The proper way to do this would be probably to continue the communications, the lines of discussions, between agencies.

Mr. Horn. In your statement, Mr. Brock, you mentioned that your audits have shown that Governmentwide computer security is generally weak because current policies and controls are not operating effectively. You also stated that the General Accounting Office audits frequently find the same vulnerabilities over and over and over again. In your opinion, what would you specifically suggest that agencies do to strengthen existing policy or to create stronger policies? What is your thinking on that?

Mr. Brock. The--you are correct. Our reports have found the same problem over and over again. A couple of observations. First of all, many of the policies have no relationship or a limited relationship to the problems that we are finding. They are not specific to the issues and problems that are within an agency. We believe that policies and procedures need to be based on the risk that the agencies are facing, and if you do a good risk assessment, you can then, in fact, determine policies and procedures that will minimize or mitigate those risks. Second, most agencies aren't testing their controls. They rely on GAO or IG to come in and do the test, so there is too limited information within the agency, one, about what the risks are and whether the policies would be reflective of reducing that risk, and second, are the controls in place working, are they being tested? Those are the things that we would do to, one, develop policies that are appropriate, and, second, to strengthen existing policies to make them more responsive.

Mr. Horn. You also suggested that agencies develop and distribute lists of vulnerabilities. To whom would these lists be distributed?

Mr. Brock. Well, first of all----

Mr. Horn. Should it be GAO; should it be OMB; what, CIO Council?

Mr. Brock. Everyone.

Mr. Horn. All of the above?

Mr. Brock. First of all, let's start within the agency. I believe I mentioned earlier within some agencies we would go to, they do not distribute such lists within the agency so that people that are literally down the hall are not getting these lists. So, first of all, you need to start within the agency. Second, there are other organizations, such as the CERT-CC, the Carnegie Mellon, the Fed CERT, the GSA runs, organizations that do have distribution mechanisms that are appropriate as well.

Mr. Horn. Yet Dilbert and the cubicle is broken down?

Mr. Brock. Yes.

Mr. Horn. Mr. Brock, you stated that establishing a framework for managing security is important. What specific elements of the framework are missing at most agencies?

Mr. Brock. If I could indulge Mr. Gilmore to put up the circular chart, the wheel. The risk management cycle, we believe, is the framework. I will go back to an answer I just gave you, that the framework has to start with a central focal point, the accountability. From there, determine what the risks are, develop controls based on that risk, promote awareness, and then continuously monitor and evaluate. That's the framework. Certainly there are things that you can do independent of that framework, or you don't have to implement everything in that exact cycle, but it is dynamic. It is continuous. The threat is growing. The threat changes. The technology grows. The technology changes. The services that an agency provides change. So the risk management cycle has to roll on a continuous basis.

Mr. Horn. So it is interactive in many ways?

Mr. Brock. Yes, sir.

Mr. Horn. Gentlemen, Mr. Nelson, Mr. Collier, what do you think about that approach there, just as one vision?

Mr. Nelson. Yes. I agree with Mr. Brock. I would like to give you some examples of what we are doing at NASA along these lines. I said before that it starts with management. We have identified what we call special management attention systems. These are important computer systems for NASA's missions, and we are requiring 100 percent completion of security plans for those systems by this year, and we have asked our Inspector General to audit that, including the involvement of management in those plans and management signature on the readiness of those systems to operate.

But we have had to operate in parallel because the risk is too great. So at the same time we have identified what we call the top 50 vulnerabilities in NASA, and we have distributed that list to every center. It was done by consensus, not somebody in a closet, but using the tools that I described, all of our systems are being audited for the presence of those vulnerabilities. When those vulnerabilities are detected, management is informed of them and asked to correct them, and then those systems are rescanned.
Now, management, if in its interest it believes that some of those vulnerabilities must maintain because the risk is tolerable and the loss to mission is too great, they can do a waiver. But this forces them to act even before some of their plans are completed, because we think that it is too much of a crisis.

Mr. Horn. OK. Any other comments on that question?

Mr. Collier. I would agree that it is a management and policy issue. When the Department of Defense began its studies of biometrics back in the late 1980's, early 1990's, there was as much emphasis placed on the people interface to biometrics as there was on the technology side. I found that a very refreshing model. I mean, the human element is really what is the issue here. Technology pretty much does what we make it to do, and it keeps on doing it. In the area of security, however, the Department of Defense studies, especially of the National Security Agency, involved the study of time, motion, and the people's acceptance of a new way of doing things, and labor was definitely a part of the decisionmaking process. I think that's a critical element in moving forward, to remain dynamic enough to meet the threats as they continue to improve on a day-to-day basis.

Mr. Horn. Mr. Nelson, any further comment on that question?

Mr. Nelson. No, thank you.

Mr. Horn. Mr. Turner has joined us. I am delighted to yield such time as he may need for questioning. Mr. Turner.

Mr. Turner. Mr. Nelson, I wanted to ask you if you could describe for us the kind of computer intrusions and attacks that you have experienced. We talk about this all the time, and I don't really have a good grasp on the scope of the problem. So can you quantify that and maybe give us some specific examples of how some hacker has invaded your system, what the consequences have been?

Mr. Nelson. Yes.

Mr. Turner. I know that we always read this is a widespread problem.

Mr. Nelson. Yes.

Mr. Turner.
I don't think we have a real feel for how widespread it really is.

Mr. Nelson. First of all, NASA experiences a lot of attacks, hundreds to thousands per month.

Mr. Turner. You say hundreds to thousands?

Mr. Nelson. Hundreds to thousands--of serious--to thousands per month of serious attacks.

Mr. Turner. Hundreds to thousands?

Mr. Nelson. Yes. And we are not unusual, although we maybe are slightly favored. Let me give an example of an attack which has several of the elements we have been talking about in our testimony. I am not going to describe the center, but in this particular instance a system administrator observed that someone from a foreign country had logged into the computer and had no reason to think why that person should have--should be able to log into the computer. He did this by examining records logs, so he was doing the right thing. Now, he found by looking at the log that the person had used a well-known vulnerability to take over that computer; in other words, to achieve what is called root access. That's like god of the computer. You can do anything with the computer if you are root. Then the person used that vulnerability and his godlike powers to install what is called a password sniffer. This is software that observes the network traffic flowing by and looks for packets that have passwords in them. And he was able, the intruder, to grab a number of passwords, some of which were for accounts at another center. So using those passwords and then the ability to log on as a user, the attacker went to another center and attacked several other computers. Now, the sad part about this was that the initial vulnerability should have been fixed. The system administrator thought he had fixed it. He installed what is called a patch. It is a thing like a Band-Aid; it is like a patch that changes a software to get rid of the vulnerability, but the patch didn't take. It was a defective installation process, and the system administrator didn't know it.
So he was hit twice with the same vulnerability. Now, we have had other attacks, and we keep track of how much they cost, that have had a direct cleanup cost in time and resources approaching half a million dollars, one attack. Of course, it affected a lot of computers.

Mr. Turner. You say one attack cost half a million dollars?

Mr. Nelson. Approached half a million, a little under. The numbers are not, of course, audit quality, but these are expensive attacks. It took--in the case that I am referring to of almost half a million dollars, it took about a month to put all of these computers back together again. It was a major problem. We have had centers actually take themselves off the Internet, in other words totally sever connections with the outside for a brief period of time, because they felt that they were being attacked, the risk was too high, they needed that time to fix things up. Now, the incidents that I am describing now are a year or two old, and we don't have such bad problems now, but we still get significant attacks. Does this help? Does this give you a sense of--oh, one area that I didn't describe is theft of data. We had an incident not too long ago where a substantial number of documents were stolen by an Internet attack.

Mr. Turner. And what--were those sensitive documents?

Mr. Nelson. No, fortunately not. They were copyrighted. They had commercial value. They were not sensitive. And these particular documents were not resident on a NASA computer. It was a NASA account that was used, and there was a serious weakness in the vendor's security. But that's an example of an attack that NASA was peripherally involved with.

Mr. Turner. So you say there are hundreds to even maybe 1,000 attacks per month?

Mr. Nelson. Correct.

Mr. Turner. Now, have you been able to successfully determine the source of any of these attacks? Or do these things just go on daily, and you try to prevent them, but you don't know who did it?

Mr. Nelson.
We can determine the source of most of them, at least within the country, and maybe the organization. And we work closely with our Inspector General and then with the FBI, and several of these have been prosecuted and the perpetrator convicted. In a--on a regular basis, if we see an attack, we inform the organization that the attack is coming from, and often the attack is from someone not connected with that organization, but someone who has seized a computer, seized meaning this root access, god powers within the organization. The organization may not know it. That could be a government organization or a private organization in this country or abroad. So one wants to be careful saying we are being attacked from a certain country; they must be hostile. Maybe they are the victim.

Mr. Turner. So there have been some convictions that have resulted from your investigation?

Mr. Nelson. Yes, sir. Yes, sir.

Mr. Turner. Would it be fair to say that the vast majority of the attacks, that the source of them are--that you never quite figure out who did it?

Mr. Nelson. Yes.

Mr. Turner. Or where they are from?

Mr. Nelson. Yes. Not in who the individual was or what their motives were, that's correct. And attack isn't necessarily successful. I want to make it clear that when I talk about hundreds to thousands of attacks, I am including all of the incidents that we gather metrics on. The successful attacks would be a lot smaller, and increasingly we ward off those attacks. We use another metric of what is the success rate of incidents, and we are seeing the numbers turn over. It is sort of a nice payoff for the hard work we have gone through in the last couple of years that our numbers are getting better. The attack rates are going up. The successful attack rates are going down.

Mr. Turner. Tell me the examples of intrusions from foreign governments or agencies of foreign governments.

Mr. Nelson.
I don't have data on that that I would be confident in saying, even in a conversation. So I am sorry, I do not have any data on attacks by foreign governments that I would have any confidence in reporting. You know, it is hard to know, when you have an attack from an IP address, even if that is located within an agency of a foreign government, is that the activity of a foreign government. To the best of my knowledge, we have no evidence of NASA attacks by agents of foreign governments, but I do not have high confidence in that statement because we do not have good data.

Mr. Turner. The convictions that have resulted from the efforts, what kind of individuals are we talking about that have actually been convicted of a crime?

Mr. Nelson. Our Inspector General would be a lot more authoritative on this, but I believe they have tended to be fairly young males working either alone or with others of like mind, but at least my knowledge is that they do not appear to be part of what one might call organized either crime or terrorism in the conventional sense. Their prime aim, as I recall--but I think if you would like we could submit for the record a response from our Inspector General, I could request it--but as I recall, they have not been industrial espionage cases or the like.

Mr. Turner. I do think it would be helpful, with the chairman's permission, to ask you to at least give us some indication maybe for the last 2 or 3 years of the number of attacks, how they have been resolved, and whatever information you can provide us about the source of them, because at least by looking at it as a whole, we would get some picture for us to look at of how serious this problem really is. Is that possible to put that kind of data together to give us an overview?

Mr. Nelson. Indeed, it would. If you will give us just a little leeway. We try to not advertise the successful attacks.
Our experience is that one of the motivations for attackers is the recognition, if you will, the thrill. We are very leery of playing to that.

Mr. Turner. I suspect that your reticence on that point is shared by many people in various agencies of the government, and I think one of the difficulties that we have as a committee in trying to address this problem is trying to get some data together to indicate how serious this problem really is.

Mr. Nelson. We would be eager to work with you on getting data that is helpful to you.

Mr. Turner. When you deal with these kinds of intrusions, do you rely upon NASA employees, or do you rely on contractors to help you resolve them?

Mr. Nelson. Both. Many of NASA's services are now operated by contractors, and so we have integrated those contractors into our operations. In our testimony--in my testimony, I mentioned that we have a draft regulation out for comment that would require the same training standards for our contractors as for ourselves. NASA has not outsourced or not contracted out our security responsibilities. So where we have contractors operating systems within our centers, or otherwise directly attached to NASA, we retain the responsibility and the capability for detecting and responding to attacks. Now, that response may be asking the contractor to do something. Since they are well-integrated now into our planning, they are eager to do that. I think the system is working fairly well, but it has added a complication of crossing these contract boundaries.

Mr. Turner. Is it possible for an intruder to compromise the success of any of our missions? I know you have had a tremendous problem recently with success in some of the Mars missions. Is it possible that a problem could be created of that nature by an intruder into our computer systems?

Mr. Nelson. We take pretty strong security precautions for mission-critical systems. Having said that, there is always a possibility. We are into risk management.
Risk avoidance is very difficult. We do, though, take, as I said, very strong precautions, including in some cases simply severing the critical system, planned severing from any outside communication to minimize that risk, but we are talking about risk management, not risk avoidance.

Mr. Turner. Thank you, Mr. Chairman.

Mr. Horn. Well, we thank you. That was a very useful interchange, questions and answers. Let me go back, Mr. Nelson. Has your top 50 list of vulnerabilities been distributed outside of NASA?

Mr. Nelson. Not to my knowledge. It was a list that we arrived at working among ourselves, and it is a list that we have programmed into our auditing tools. So it is, in effect, automated now. But I am not aware that we have distributed it outside the agency. There are other agencies that are doing similar lists, and I think the overlap would be pretty large.

Mr. Horn. Well, would it be helpful if in a report from this subcommittee that we use some of that information if there are ones beyond NASA that differ, and then the question would be does that encourage hacking or doesn't it? But how we deal with it, I think we have to get the word out.

Mr. Nelson. We wouldn't want it known what number 51 is, and 50 was a good round number, and that 50 will change. It is partly getting well. We have had to beat on this one, as I indicated earlier, to get management's attention, but we expect that next year's top 50 will be a different list, and it may not even be 50. But, yes, with appropriate precautions we would be willing to share that list, certainly, with responsible people in other agencies.

Mr. Horn. On Mr. Turner's point, I just suggested to Mr. Ryan that we find from Justice how many have been jailed and where are they. I know a few are in the Atlanta prison, but I think it is good to get at least some of them. We don't have to make heroes out of them. We can say Mr. Blank and Ms. Blank or whatever, because I don't want to have this be the award system for hackers. Let me ask you, again, Mr. Nelson, another thing. You gave a very interesting chart when you said you are spending roughly 2 percent of the funding for information technology on security provided adequate protection. Two percent seems like a very modest amount to spend on security, so I guess do you think that's pretty low, and should we invest more?

Mr. Nelson. I can only speak for NASA, and we do gather budget data on our actual costs. Our information technology budget as a whole is about $2.1 billion, and our fiscal year 2000 expenditure on information technology security is about $46 million, which is a little bit over 2 percent. Now, we don't know that that is optimally allocated. So I would say at first, my initial reaction is that NASA--and that increased quite a bit, by the way, from 1999 to 2000. But NASA is now spending about the right amount, and it is a case of efficient allocation so that we hit the most important things.

Mr. Horn. So you think you are at the right level of spending on this then?

Mr. Nelson. Approximately.

Mr. Horn. OK.

Mr. Nelson. Yes. Now, Mr. Collier, in your written statement, you explained that the prevalence of computer passwords written on the back of computer mouse pads, on desk leaves, and even on paper attached to computer monitors do exist. I know what you mean. I think it is all around Capitol Hill, too. In addition, you stated that remembering a PIN, the personal identification number, is a key piece of computer security. In your opinion, what can individuals do to better recall passwords?

Mr. Collier. Aside from memory exercises, if we are going into this 8-character password with, again, a full keyboard set of characters, I think the idea is to do something to move away from these complex passwords. The positive user authentication model that I presented earlier is an effort to do just that.
Again, we have the human being factor here at the edge of the envelope. Our company has clients, for instance, in the wire transfer business where they have 25 passwords to remember. Now, unless you are the Great Kreskin, it is pretty difficult to do that. So I think rather than trying to formulate ways to help people remember passwords, we have to find ways to eliminate them entirely, and I think the positive user identification model, which I think the DOD originally had come up with 10 years ago, is a move toward that.

Mr. Horn. Does that mean a certain unit has to be built on every machine to do that in terms of the fingerprint and all of the rest?

Mr. Collier. Biometrics are certainly one of the legs of the stool. The cost, again, is coming down greatly. Right now we are seeing it move into the mainstream, certainly in the commercial world, protecting enterprise systems within large corporations. The Federal Government is doing it at the division and command level now, and I think it is just a matter of time before we see biometrics not only in computers, of course, but in many, many areas of our lives where we have to remember passwords, PINs, and the like.

Mr. Horn. If you had the, say, thumb identification to access your particular personal computer, is there any way a hacker getting into that would be able to digitize the lines and everything else so they could duplicate that?

Mr. Collier. At the direction of the computer industry and the Department of Defense, primary responsibility from the NSA side of things, we have addressed the issue of intruder attacks, we do encrypt the signals coming out of the scanner, so they can't be sniffed. Our product in the sense of the templates is part of the operating system which is part of the layered security shell around the password protection. We do secure sessions between all pieces of hardware, as well as between client and work station. There have been a lot of efforts put into making this stuff spoof-resistant.
James Bond might still be able to get in, but not the average user, that's for sure.

Mr. Horn. Well, I was interested when one of you compared the need for looking at how you divide the issues in computer security are very much like a responsible accounting operation when you are handling a lot of money, and you want more than one, and my chief auditor said many years ago--he said, make sure everybody takes a vacation. The system--when they found one in another system in California where the vice chancellor just happened to be buying bales of hay for his ranch, but not the university ranch, he was charging it to the university, and the only way they found that was when he finally took leave and somebody said, gee, this is strange, and that was solved. That's, I think, what we have to do here. Is there something along that line that we ought to be telling everybody that runs a computer center in the Federal Government and how we could apply what people do in the finance and auditing in universities and corporations for standard practice? Mr. Brock.

Mr. Brock. Segregation of duties is perhaps one of the most absolute basic controls there is for any type of operation, whether it is financial matters, as you were talking about, or computer security. In fact, when you look at any critical operation from beginning to end, you can make breaks in there where you say, we are going to have a division of labor, and in computer security, if you were looking at a process of changing software, you can make breaks from the people who make the change to the people who do the testing to the people who do the installation, to make sure that there is an independence there. You could do that for other aspects of security as well.

Mr. Horn. Well, in other words, in your opinion, are Federal agencies susceptible to having one individual either intentionally or inadvertently render the computer system useless due to the lack of segregation of duties or separation of duties involved?

Mr. Brock. I don't have the exact numbers now, but we have--maybe I do have the exact numbers.

Mr. Horn. Ms. Boltz, glad you came today.

Mr. Brock. We don't have numbers, but we did identify, for example, at the Department of Defense and VA that system program and security administration duties were combined. So the people who were establishing the controls were also doing the programming. At the FMS, we were saying that programmers had access to production data. So, in both cases they were able to combine pieces of information; if they had chosen to, could have taken over programs and assumed other responsibilities as well. This is fairly common. In some respects, it is done not out of a malicious intent. It is done because I think, as Mr. Nelson alluded to, you have too few people trying to do too many things.

Mr. Horn. Any other thoughts on that, Mr. Nelson, Mr. Collier?

Mr. Nelson. Yes, I would say I agree with Mr. Brock. However, in the scientific and technical area, the terminology may be different, and so one has to be a little careful not to be too rote in the prescriptions. What applies well to a financial system may not apply very well to a scientific data analysis system. The principles are correct, but the application has to be careful.

Mr. Horn. Yes. Mr. Collier.

Mr. Collier. You know, applications that we run into within the government, we have established some two-man rules in some cases. We have established complex procedures to ensure reduction in fraud, for instance, in transferring of funds, payment of benefits, etc. What I think biometrics and this security model bring to the party there, and that's what we are hearing from the government agencies, is we now have established the fact who was sitting behind the monitor when this fraud took place, not a matter of someone could have gotten my PIN or whatever. The banking industry has really embraced this because of the nonrepudiation issues and the home banking and wire transfers.
As we get less and less on a face-to-face human basis, the problem increases, and they are trying to do something about the future that we know is going to explode before it does.

Mr. Horn. Thank you. Any other thoughts on that?

Mr. Brock. No, sir.

Mr. Horn. One of my last questions here will be, in your opinion is the current legal framework, which includes the Computer Security Act of 1987 supporting Federal information security requirements, is that adequate? What needs to be updated or modified? Are there things that should be dealt with? Mr. Turner and I will be glad to move that legislation, if there is need for it. What does the CIO Council think on some of these things?

Mr. Nelson. Let me take that. In my opinion, the legal framework is pretty good. I am not a lawyer, so I will speak generally. But there is a potential problem that we are dealing with, and I think Mr. Brock alluded to it in his oral remarks. It has to do with classification. The laws governing classification in this country are rather strict with regard to national security systems, and as the importance of information security has increased and the role of commercial and private systems has increased in their aid to national defense, then the question of where strictly national security stops and broader areas that are related to security starts. And so the particular problem that we are having is that we believe that within NASA a compendia, that is, lists, of open serious vulnerabilities, such as, for example, would be turned up by what we call a penetration test where we hire somebody or on our own to go through all of our systems and look to see how hackers would get in, that those lists are very sensitive, and my understanding--and we have been working with our legal staff and with the National Archives and Records Administration, which has ultimate classification authority, on the criteria under which these can be classified.
The issue is a little murky, but right now it looks like maybe they cannot be, not even at a confidential level. So it could be that some clarification of the extent of national security provisions in this gray area of civil systems closely allied with national security systems would be helpful.

Mr. Horn. Well, that's very interesting because this is the subcommittee that has oversight for the National Archives and the Freedom of Information, and we try to balance all of that. If there isn't a need for classification, it shouldn't be classified. So I would welcome any thoughts you have on that, and I know Mr. Turner would also. So----

Mr. Brock. Mr. Horn.

Mr. Horn. Mr. Brock.

Mr. Brock. Can I have a moment of disagreement? I have been agreeing with Mr. Nelson all along. I do not think the overarching framework is adequate. As we mentioned in the testimony, the Computer Security Act is based, I think, on an old way of doing things. It is based on an environment that existed before the Internet. It was based on a mainframe environment, and I believe that it was based on an environment where locks and keys were the prevalent security devices. It's system-based. It is not management-oriented. It misplaces responsibility and accountability. I think it needs to be overhauled. I think there needs to be more emphasis placed on management accountability. I think there needs to be more emphasis placed on risk assessments and risk determination. I believe there needs to be more emphasis placed on independent audit and management audit so that controls can be evaluated. Those are not present in the Computer Security Act. Now, as you know, there is no law against good management.
There is no law or anything to prevent an agency from doing all of those good practices, but at the same time there is no law or legislation or regulation that really encourages that type of action and then provides a lever or an oversight mechanism to the administration or to the Congress for assuring that that framework is being met.

Mr. Horn. Well, thank you, because that was the answer I was going to lead with a question, and I am so used to Joe Wilmingson following me around the country on Y2K that I always asked, and now I will ask you and anybody from GAO, to what degree have we not covered the questions that we should have covered. And you have just nailed one down, and I appreciate that. Would GAO and the CIO Council, Chief Information Officer Council, put their thinking caps on, and we would welcome taking a look at that again. We need to update it. It has been over two decades right now--or a decade and a half, I guess. So are there any other questions any of you think--and you, Mr. Brock, in particular--what else should we get on the record that we haven't put on?

Mr. Brock. I think that my last response covered the one item, and we are continuing to work with your staff on a number of computer security issues as well, particularly as they might relate to e-commerce and other initiatives that are coming up. We are pleased to have the opportunity today to discuss these items with you.

Mr. Horn. Well, we are glad to do it. We certainly welcome the comments of these witnesses, as well as the ones from our first panel. They were a very excellent group. Thank you, Mr. Collier, for coming. Mr. Nelson.

Mr. Nelson. Yes, I would just like to maybe amend what I said so perhaps Mr. Brock and I can agree. In addressing your question on legal framework, I was responding from the standpoint of NASA or an agency as to whether the current law gets in our way of doing good things.
But for an agency that does not wish to practice good management, a legal encouragement might not be out of order.

Mr. Horn. Well, that's well said. I would tell you that this chamber operates not by consensus, but like a university does, and maybe NASA, but if we have 218 votes, we can do almost anything. But obviously we also could lose 218 votes if we haven't thought it through very well. So I thank you all. I want to thank the staff that worked on this hearing. You have been excellent witnesses. J. Russell George is in the doorway over there. Gosh, are you getting framed now over there or what? Staff director and chief counsel, and he works wonders. Matt Ryan to my left, your right, senior policy director, and who is a GAO alumnus, as are a number of our people; Bonnie Heald, director of communications, seated in the back there; Bryan Sisk, our clerk; Ryan McKee, the staff assistant; and for Mr. Turner's staff, Trey Henderson as counsel, and Jean Gosa, the minority clerk. And our court reporter today is one, and that's Mindi Colchico, and we didn't have to wear you out and bring another one in, I take it. So thank you for coming again. With that, we are adjourned.

[Whereupon, at 12 noon, the subcommittee was adjourned.]