11 November 1997
Thanks to Peter Neumann and David Wagner
Forwarded message: Date: Tue, 11 Nov 97 8:26:29 PST From: "Peter G. Neumann" <email@example.com> Subject: Senate hearings on PCCIP [BCCed to my relevant crypto groups...] Note the statement by Feinstein that she did not hear anything from any CEOs. I have flagged it with "*****". Please help to get some flak sent back to her from CEOs. She seems hopelessly wedged, although this is totally consistent with her appearance at our Senate hearing on crypto in July when she said the FBI should get whatever it wants. Peter --------------- [JYA note: Probable date of hearing November 5, 1997] Transcript of Senate Subcommittee on Terrorism Hearing on PCCIP... Dr. Hamre is especially well-suited to discuss how Congress, the administration and industry can work together to find solutions to the challenges that this nation faces from the threat of information warfare. Having spent four years as undersecretary of defense prior to his appointment as deputy secretary and 10 years prior to that as a professional staff member of the Senate Armed Services Committee, where he worked with the Defense Department and industry on procurement, research and development programs. Dr. Hamre, thank you very much for being here today. We look forward to your testimony. HAMRE: Chairman Kyl, thank you very much for inviting me. I must confess to be a bit unnerved when an opening statement is better than my testimony. So I am somewhat nervous about what I'm going to say. But nonetheless, I would ask that you include my written testimony in the record of the committee. KYL: It will be included in its entirety. HAMRE: Thank you. I, too, would like to add my words of thanks and commendation to General Marsh and his panel. I think they have just done a splendid job. This is probably the hardest, most complicated problem that anybody faces, and they tackled it and they've just done a terrific job and I'm so glad that they are here today. I apologize that I have to -- have asked to lead off as witness because I must go to the White House for a meeting shortly. But I, too, want to say it's been tremendous service on their behalf. And all the entire country's grateful, frankly, for their efforts. Mr. Chairman, I know that others have used the analogy before that we are facing the prospect of an electronic Pearl Harbor. May I take that analogy -- I happen to agree with that. But may I take that analogy in a slightly different direction because I think it would help inform our thinking here today. As I mentioned to you in the previous session, there was not a single battleship that saw service during World War II where we hadn't laid the keel for that battleship before Pearl Harbor. Many people think back that Pearl Harbor was a shocking surprise attack and that we had done nothing to get ready for World War II. That was not true. It turns out if we were to go down to Norfolk, to the Norfolk Navy Shipyard, you'd see the world's largest dry dock and that dry dock was actually built in the mid-'30s, and it was built by naval planners, with the support of Congress, who saw the need to have in place the capability, the infrastructure, the weapons systems it was going to take to defend the country in the next war. I believe most firmly that that's exactly where we are today. There is going to be an electronic attack on this country sometime in the future. What we do now -- and frankly, your leadership here becomes absolutely indispensable -- what we as a country do now is, I think, exactly analogous to what those far-thinking planners did in the mid-'30s getting ready for World War II. We could either choose to be ready and have in place the infrastructure and the discipline to be able to handle this or we can ignore it and I think suffer very serious consequences if we choose to ignore it. That's why this hearing is so absolutely critical, and I strongly agree with what you've said. Let me say that this is not primarily a defense responsibility. This new electronic attack will differ from Pearl Harbor in one very important dimension. That was an attack on what was clearly military capability at the time. An electronic attack on us is going to be quite different because it's not clearly going to be against just military capabilities. More likely than not, it's going to be against the private sector infrastructure that we, the Department of Defense, will be using in the future and increasingly using private sector resources. So we have a very complicated new environment that's emerged -- one where an attack against the United States is not necessarily an attack against the traditional military infrastructure of the United States. It could be an attack much more broadly against its commercial and industrial underpinnings. This is a difficult issue to manage because, if an attack comes in it's one of three things. It's either an act of terrorism. It's a deliberate act of war. Or it's a crime. And those things are handled in different ways in our government. Criminal activity is handled in our justice system, and rightly they need to be first responders in that event. If it's an act of war, that clearly is our responsibility. And if it's an act of terrorism, it is in the foggy in-between. As you said in your opening statement, the troubling thing about this new world of potential war in cyberspace is that the attack will inherently be ambiguous. An opponent, if they choose to do this, has years to probe vulnerabilities in our system, and quietly accumulate information, an order of battle, an electronic order of battle. And they can build that quietly. And to us, we will not see all the dots and connect them. You know that game we all played as kids where you connect the dots to get a picture. If only part of the dots are in the Department of Defense infrastructure and most of the other dots are -- some are in private industry and some are in other parts of them, who is going to pull that together and create a coherent picture of what's going on in advance? And that's the central challenge, I think, that we face here, and you face as a leader of this country in the Congress, that we face working in the department. I come to you today in two roles. I come to you as basically the chief operating officer for the largest corporation in the world. And I come to you today as the deputy secretary of defense, responsible for the defense of this country with the secretary of -- with Secretary Cohen. When you confront so far reaching a challenge as this, one can easily get lost very quickly in the complexity of everything that's in front of us, and so I have sat back and said -- What are the things we have to tackle first? And I put them in three categories. First, I think we need to start investing in the tools of defense so that we, at least, are starting down the road of buying what we need in order to defend at least the Defense Department and then other elements of the government and the country where we need to. We're starting first with the Department of Defense. In the last three years, we have bought over 400,000 Fortezza cards, which is a kind of a centerpiece for a key encryption system inside our most heavily defended and most sensitive communications channels. We have bought over 300 certificate work stations in order to hand out certificates to people who must operate inside this network. We have invested in early warning centers and centers that monitor our own Department of Defense installations and our communications networks. We've invested in secure Internet capability so that, while we're riding on commercial Internet backbone, we have a secure capability on that backbone. So we've been investing in the department in some of the tools that we're going to need as the Department of Defense. It is, as you said in your statement, obviously not sufficient in a world where we're increasingly using private sector resources in order to undertake our business and we're using those private sector resources to hold down cost in peacetime, therefore we're dependent on the health and well-being of those private sector infrastructure resources when it comes to time of war. The second thing that I think we have to do is -- and I think I'm treading into what I know is a controversial area -- but we have got to begin putting in place strong encryption in our information technology systems, and we have to have a key recovery system to support -- and I'm talking to you now as a businessman. I run the largest business in the world, and it is inconceivable to me that I can do business -- not just warfighting but actual business -- in the future without having strong encryption and a key recovery system. HAMRE: Let me just take a second to say why this is so important to us. As you know, we will increasingly be using private sector backbone for our communications and for our information management. We will be riding on that private sector backbone and we'll be sending messages across that network. We can't afford to have an opponent read all of our messages, know what it is we're thinking and planning, and we cannot afford to have an adversary who would present to us spurious information that's been altered, and to change our perceptions of reality or our perceptions of what's happening. Therefore, we have to have systems that have the strongest level of encryption required for the sensitivity of that business activity so that we know it is safe from prying eyes and that it's not susceptible to spoofing. But when you're riding on a network, and you do not see who's on the other end of the computer terminal that's sending you information, you then have to have a system that lets you know that the person you're dealing with is really who they say they are. You cannot have individuals on a network who spuriously can introduce false information when you're dependent on remote input of data. Data upon which you're going to make crucial war-fighting decisions. To solve that problem, you must have strong encryption. And you must have a way of validating that whoever is on that network is who you think it is. And if someone who is trying to come into that network who is not authorized to be in that network, you can quickly find out that they're a fake. Fortunately, mathematicians, brilliant people, have given us some tools to deal with this. And it's enormously important for us to now utilize those tools and put in place both a strong encryption environment and the infrastructure for recovery of keys so that we know who is on the network. And who is talking to us. This is a controversial subject in our country, right now, but it is a -- I'm speaking to you again, as a businessman who must have confidence that whoever I'm dealing with, I know their identity. I also need, as a businessman, to know that, if I have someone who is behaving improperly inside the government, that I know they're leaving fingerprints by their electronic identity, when they're moving throughout this network and that I can turn that off. I can shut it down, if necessary. These are absolutely indispensable to me as a businessman. I would also argue that this is absolutely indispensable to us as a country for our -- in long-term security. Every businessman in this country, when he sits down and -- he or she -- sits down and thinks about what it means to do business over the Internet, or business over remote networks, knows they have to have encryption in the future. They also know they've got to be able to secure that data and know, with confidence, who it is they're dealing with. And therein lies the importance of this second pillar, I believe. Which is encryption and key recovery. It doesn't mean that you have to have the strongest form of encryption. We're not going to put Fortezza in all of our systems. We'll put Fortezza where we have our most pressing and most sensitive data. For example, our nuclear command and control system. For routine business transactions, when it's, say, paying an invoice or paying a travel voucher, we can use commercial software and commercial key recovery techniques. It's very possible to layer this in an appropriate way. We're not burdening everybody with the most expensive and the most complicated solution. I think that's the second thing that we need to focus on as a government. The third thing that I believe we need to focus on, as you said in your opening statement, this is a complicated problem that involves both the government and the private sector. We need to find ways to establish a working partnership with the private sector so that we and they, together, are working to solve this problem. But that can happen only if there is -- if there are venues of trust that we can build on where we are working on common problems already. We have one of those in the Department of Defense where we work with the National Communications System, and its counterpart in the private sector. It is an important venue for us to be talking openly with our partners in industry who are our indispensable allies in the future. We have to understand their constraints. They need to understand our needs. We really do share a very common future and we have to be working together. And we need to find ways to build that. And Mr. Chairman, and Senator Feinstein, if there's one thing I could ask you help as a subcommittee doing, is creating this cooperative spirit between the government and the private sector to find constructive modalities for us to be solving this problem collaboratively in the future. We cannot do it by ourselves. We cannot do it as the Department of Defense by ourselves. And we certainly can't do it as a government by ourselves. Your help would be indispensable in that regard. I thank you for the opportunity to come. I know this is an enormously busy day. I know there are going to be some roll call votes. Let me stop here and if you would like to ask questions, now, that would be fine. And I'd be glad, of course, to respond to anything in writing, as well. KYL: Thank you very much, Dr. Hamre. And I know you do have to leave. I'd just... (OFF-MIKE) OK. So you have a little bit of time... HAMRE: I do. KYL: ... we'll try to accommodate your schedule, certainly. HAMRE: Yes. KYL: We've been joined by Senator Feinstein, and before we engage in any questions, perhaps I could ask her to give you her opening comments, or if you'd like to begin questioning, that would be fine, too. FEINSTEIN: Thank you. I don't -- I'll put my statement, if I may, Mr. Chairman, in the record. Let me just say that I very much appreciate the secretary's comments. And one of the things that is a great surprise to me is really how little we're able to cope with the world we're going into. And as the world becomes more computerized, the real opportunity for people to wreak havoc becomes expanded greatly. And we saw it in San Francisco just a week ago. Somebody got into a transmission station at PG&E and was able to turn off the power grid for a lot of the city, which shut down computers everywhere. And then the first question I asked, when the CEO of PG&E called to tell me about it, was, did they go off at the airport? And he said, no; that was on a different grid, or system. And then I began to think what would have happened if somebody got into the computers at San Francisco International Airport. And all of that havoc that could have been played out. And then I thought back and I remembered my time aboard some of the more sophisticated naval vessels when I was mayor. And then I began to think, well what happens if somebody gets inside their computers? And you can just go from there. And I guess if I've learned anything in the time I've been here, it really is that nothing in this area is impossible. That the minds that surround the computer world are really so bright and so different from my mind, in any event, that many more brain cells... (LAUGHTER) ... that they're really able to do things that no one ever thought humanly possible. And then it's -- so, I guess, the point, and I hope you'll address it, and I'd like to defer to my chairman, because I don't know what else we could other than have, you know, some form of key recovery. Or some methodology for getting at some of this. And I know everybody's talking, but I gather, in terms of having really finite solutions, there aren't too many, yet. HAMRE: Ma'am, we certainly do agree. I think it's very important because this is such a controversial issue. I'm -- as I say, I'm speaking to you today as the chief operating officer of this huge corporation. And I am willing to buy a key recovery system. You know, I think so many people are nervous, and they use freedom of speech arguments and they use commercial competitivist arguments and all of that. And, I'm just saying, as a businessman, I'm willing to buy it. It's that important. And as the Department of Defense, we have to have it for the future. I need to know at least our systems are secure. I'm still going to be dependent on the local power grid, and if the power grid goes down, we are going to suffer consequences of that. And so, ultimately we have to tackle that, as well. But right now, it is so important for us to have confidence in our own systems that we have to have strong encryption and key recovery. And I'm willing to buy that. And that's where we're going to start out here in the next couple of months. Because we've... FEINSTEIN: I'm very pleased... HAMRE: ... got to get going. FEINSTEIN: ... to hear that. KYL: And just to put this in a real-world context and not to get into the details of the classified exercise this was just briefed to us, but anyone can imagine that when people in the Pentagon begin to hear reports from different places that something is going on. That the communications are down over here. And there seems to be a befuddlement of some kind over here. And then a very explicit message comes through by someone saying, I am messing with your system, and if you don't comply with my demands, I'll mess with it even more. Immediately, then, you know you've got a problem. KYL: So, how do you begin communicating with each other in a way that you know is secure? You already know they've gotten into parts of your system. And you don't know which parts you can trust or not. And that's precisely the problem that, Dr. Hamre, you've been -- one of the many problems you've identifying here. I also have to respond to the analogy you drew early on -- well, the Pearl Harbor comment, which I found to be very illuminating. That the keels of all of the capital ships that fought in World War II were actually laid before Pearl Harbor. Now that did show some advance planning. And I heard, this morning at a breakfast, a comment attributed to Bobby Knight, the colorful basketball coach at the University of Indiana. He said, almost anybody can have the will to win. But what real champions have is the will to prepare to win. That takes real discipline. And commitment. And that is what impressed me about Dr. Hamre's presentation and the desire to begin this preparation. Can I quote something in a -- if we could just go back and forth Dianne... FEINSTEIN: Yes, that's fine. KYL: ... that'll be in front of me. The very reputable Defense Science Board has a task force on information warfare and I'll just quote one sentence of their 1996 report, which said, we conclude that there is a need for extraordinary action to deal with the present and emerging challenges of defending against possible information warfare attacks on facilities, information, information systems and networks of the United States, which would seriously affect the ability of the Department of Defense to carry out its assigned missions and functions. And in trying to convey to the American people the need to support this kind of effort, both financially and in policy that the Congress and the administration would set. And also to communicate to the commercial world in general how important it is for them to participate, the challenge you laid before us. Let me give you the opportunity to try to express in words that Americans need to hear to help us respond adequately to this challenge. How you view the Defense Science Board's comment that this is the -- now is the time for, in their words, extraordinary action? HAMRE: We agree. When the Defense Science Board wrote that report, and of course it had months of preparation before it, we were just in the very earliest stages as the Defense Department coming to grips with this. Since that time, we have invested heavily and will continue to invest heavily. We have now placed -- we have a network monitoring capability for all of our megacenters. We have network monitoring capabilities for our Internet-based communications systems. We now have network monitoring capabilities at every Air Force installation. This is a new thing we're just opening up this year. It is very important for us all to realize: this threat is in our future. It isn't here right now, but how we prepare for it is very much how we're going to be judged by history. And that is not just us in DOD. We cannot fix this problem by ourselves. We will be anybody's partner to fix it. But we cannot fix this problem by ourselves. Just like the chairman-CEO of a utility, is going to bear responsibilities. He'll be accountable to not only his stock owners. He will be responsible to his regulatory authorities. And frankly, to all the people that are in his service area. Every one of our business people have a broader sense of responsibility and we cannot ignore this problem. This problem is our shared problem. And it's our national problem. We will be anybody's partner in trying to fix it. But we do need to have, as you said earlier, a strategy that's coherent, that reaches out over time to address this problem. And it's one that has to involve the entire government. And we will be working on that over the next several months. As we've just received the report that the Marsh panel has produced, we think it's a great starting point, we now need to give you a priority list of actions. Where do we start first? What should we really be acting on? What is the first line of -- first items to be acting on? How will we measure our progress? That's what we need to be presenting to you in the next couple of months. And we would be glad to be coming back to you to tell you where we are. FEINSTEIN: Thank you very much, Mr. Chairman. I may be a little behind the curve here, but let me ask this question. Last year, the DOD authorization bill contained a provision written by Senators Nunn, Lugar, and Domenici, which focused on the need for local law enforcement and fire fighters to be better prepared to respond to either nuclear, chemical or biological or other terrorist kinds of attacks. And I think over 100 million has been authorized for DOD to move in that area. And the commission recommends doubling it. Can you tell us what has been done to date... HAMRE: Yes, ma'am. FEINSTEIN: ... and what you see needing to be done in that regard? HAMRE: When the legislation was passed, and it was put into the Defense Authorization Bill, and we received funding to get started, everybody at the time knew that this was just a starting point. In the long run, this was largely a process that had to be carried on by the Federal Emergency Management Administration, not by the Department of Defense. But, because we're command-oriented, you can give us a mission and we'll get out and we'll get started. We may not be terribly efficient and we may not get A-minuses every time, but at least we'll get going. We've done that. We have pulled together teams. We now have, I think, met with -- we have identified 108 cities that we are going to go through detailed consultation. We have already met with 27 of the cities. We sit down and these are comprehensive meetings. We sit down with the police department, the fire department, the emergency civil defense folks, the local National Guard units; this sort of thing. And we go through a two-week process of surveying: where are they? what are their capabilities? do they know what their needs might be? what can we bring to the table? what kind of training program should we develop? Fairly comprehensive program. But it's very much in the survey mode. Where are we as a country? Where are we in these metropolitan areas? I think it's fair to say it's an uneven picture. If -- we just had a team that was out at Indianapolis and, frankly, they did a splendid job. The people in Indianapolis had been thinking and worrying about this problem for over 18 months. And they are really on top of it. It was a model. Not all the other cities we've been to are nearly as far along. We will continue to go through -- the list in the survey phase of the 108 cities. And, of course, those are the 108 largest metropolitan areas. We are in the process of transitioning this effort over to the Federal Emergency Management Administration, which really has the civil defense interface responsibilities with local authorities. It belongs there and we are perfectly happy to work with them and transition that effort over. And we will continue to be partners with them as long as we can be constructive. We feel there's a long-term role for the Department of Defense through the National Guard in our Reserve components in working with local communities. Especially on things like terrorist incidents involving chemical and biological weapons. This is a terrifying prospect in our future. FEINSTEIN: Have any cities refused to participate? HAMRE: To my knowledge, no city has refused to participate. I will -- but I will give you a formal response for the record. I think the more likely, fuller answer would be, some cities have not really seen the necessity for this as others have. And so we've had an uneven level of response. Invariably, when you sit down and talk to people and you talk to individuals, they will say, yes, this is a problem. This is something we all need to work on. They also think, well, maybe this is a way we can get some money to do something. And so, you tend to get sidetracked, sometimes, off on some rabbit warrens. But by and large, as soon as you have a chance to talk to people who are in the business of emergency response, they say, yes, we need to do this. FEINSTEIN: The reason I'm raising this is, I think this is an extraordinarily important effort. I think if you ask most Americans, you know, are there a lot of terrorists in this country? Despite what even happened at Oklahoma City, most bore (ph) at the World Trade Center most people would say, no, when in fact there are. And those of us that have had the briefings know that. And I think it's extraordinarily important that, you know, Mr. and Mrs. America understand that, to be forewarned and prepared is really to be forearmed. To be able to deal with this. Some of these things can happen in such a way that they run a risk to loss of tremendous life. And I hope no city has refused to participate in this effort. HAMRE: I will give you a formal response and check that for the record. I don't know the answer to that, here. Again, let me emphasize. We at the Department of Defense are prepared to be partners with anybody. Ultimately, this is a law enforcement and emergency response responsibility and we need to count on the lead agencies, the Justice Department and FEMA for a lot of this. But they can count on us being right there with them as partners. FEINSTEIN: Thanks, Mr. Chairman. KYL: You bet. Thank you, very much. I think in view of your responsibilities, Dr. Hamre, we can excuse you at this point. We may want to submit some other questions to you. HAMRE: Yes. KYL: I guess I would like to conclude by again thanking you. I thank the Department of Defense and the secretary for their support for our effort to identify this problem to especially discuss the national security implications of it. KYL: And lay the ground work for the continuing discussion of the commission report as we begin to implement solutions to the problems as you identified here today and we look forward to working with you and again, thank you. HAMRE: Secretary Cohen asked to specifically say we admire you for your leadership and you can count us in being your partners here in the next years on this issue. KYL: Thank you very much. As the chairman of the commission, General Marsh comes up. Let me officially ask to add into the record a list of documents including copies of previous acts of the Congress and executive orders which I will submit for the record. And without objection, we will include those in the record of this hearing. Now, as our featured witness for today, I'm very pleased to welcome Tom Marsh. General Marsh, after retiring from a long and distinguished career in the Air Force that culminated as commander of Air Force Systems Command, took on numerous responsibilities in the private sector, including most recently, CEO of Thiokol Corporation. In 1996, he was appointed by President Clinton to chair the President's Commission on Critical Infrastructure Protection. The purpose of the commission was to assess the threats to, as well as the vulnerabilities of, our national infrastructures and to make recommendations as to how deal with them. Mr. Marsh is here today to discuss with us these recommendations. In so doing, it is important to put the commission's report in context. The commission was created only last July by executive order and required to appoint its members and complete its report with recommendations upon its disbandment within 15 months which was just over two weeks ago. That's a hefty assignment by anybody's book. So, I want you to know, Mr. Marsh that this subcommittee recognizes that your commission was presented with an enormously difficult task and I want to especially commend you and your colleagues for a job well done. Your service to the nation is equally distinguished by that -- by your leadership of this commission as by your many years of dedicated service in uniform. So, we thank you very much for being here. We look forward to your testimony and certainly the opportunity to benefit from your insights. MARSH: Thank you, Mr. Chairman and members -- Senator Feinstein. I'm pleased to be here today to discuss with you the work of the commission, outline its principle findings and recommendations that are reflected in our report that was just issued, "Critical Foundations." Before my prepared remarks, I'd like to express my appreciation to you, Senator Kyl. Your far-sighted vision in this area for the needs and the well-being of the country really has been key to the establishment of the commission itself and for many of the other actions that have been taken by the FBI, by the Department of Defense in this past year. And I think you've seen results of much of your prodding start to take action and we sincerely appreciate that. To give you some perspective on the commission's challenge imagine, if you will, the power goes out in the Northwest, the 911 system is disrupted in a major city because someone's flooded out the phone lines with repeat calls, two bridges across the Mississippi River are destroyed -- bridges that not only carry trucks and trains but also telephone cables -- and two Internet service providers in New York City are out of service. Well, what do you do in such a situation? Whose in charge? Is it merely coincidence or a concentrated attack and you referred to eligible receiver, Mr. Chairman, as clear evidence of this statement of the problem. But these are the types of questions that the commission has been considering. Questions to which there are really no easy answers. Questions we hope our recommendations will help lay the foundation for answering. Appreciate the opportunity to talk about the commission's work, discuss why we have come to believe that protecting our infrastructures is so important in light of the new vulnerabilities and threats of the cyber age, present our key findings and then briefly summarize our recommendations. I must say right up front that our findings, conclusions and recommendations are very different from what we anticipated and different from what our stake holders anticipated. Many thought that this was an easy problem that government alone could solve in a few easy steps. But during the past year and a half, we definitely concluded that protecting our infrastructures is a public/private undertaking that requires a new kind of partnership and protecting the infrastructures is going to take time and require long-term efforts and a new way of thinking. The commission was established by the executive order on July 15, 1996. It was a joint government and private sector endeavor that was charged to develop a national policy and an implementation strategy for protecting our critical infrastructures from both physical and cyber threats and assuring their continued operation. The president identified eight infrastructures as our national life support systems. These national infrastructures are vital in that their incapacity or destruction would have a debilitating impact on the defense and economic security of the United States and these are the infrastructures: Critical infrastructures have long been lucrative targets for anyone wanting to attack another country. Our nation relies on its infrastructures for national security, public welfare and its economic strength. Those who would attack the infrastructures would do so to reduce our ability to act in our own interests or erode our public confidence in critical services or reduce American economic competitiveness. In the Gulf War, for example, disabling Iraq's infrastructures was one of the keys to our success. A lesson noted with much interest by many countries around the world. The commission was uniquely tailored for the task recognizing that the critical infrastructures are largely owned and operated by the private sector, the commission's structure was a joint public/private undertaking. The commission was comprised of representatives of both industry and government. The steering committee of senior government officials oversaw the work of the commission and guided us through myriad government concerns. A presidentially-appointed advisory committee of key industry leaders provided the unique perspective of owners and operators of the infrastructures and finally the Infrastructure Protection Task Force was established at the same time as the commission to support infrastructure protection until the commission's recommendations are acted upon. Our approach recognized that most of the infrastructures operate within an existing framework of government policy and regulation. But they are also privately owned, competitive enterprises. As such, protection recommendations should not undermine a company's competitive position. We recognize that any solution would have to be viable in the marketplace as well as the public policy arena. Thus, we adopted the following guiding principles: first, we knew that this could not be a big government only effort. Government must set the example. But it is the owners and operators who are the key to success. They have a strong economic stake in protecting their assets and maximizing customer satisfaction. They understand the infrastructures and know best how to respond to disruptions. Second, while we may be undergoing an information revolution, we felt that utilizing the best ideas and processes from current structures and relationships was the proper way to proceed. This means building on existing organizations and relationships as well as fostering voluntary cooperation. Partnership between industry and government will be more effective and efficient than legislation or regulation. Finally, this is a long-term effort which requires continuous improvement. We must take action in practical increments. There is no magic solution. We must aim not only to protect the infrastructures but also to enhance them. Outreach was a cornerstone of our effort. In fact, our conclusions and recommendations result directly from the conversations and meetings we had with approximately 6,000 individuals from industry, academia, science, technology, the military and government. We held five public meetings around the country, participated in numerous conferences, hosted simulations, games and focus groups and sought to increase awareness of this effort throughout the media and our web site. MARSH: In the past, broad oceans and peaceable neighbors provided the infrastructure protection we needed. That all changed during the Cold War. Technology became preeminent and geography became less relevant. Soviet and U.S. nuclear weapons were targeted against each other's power grids, rail networks and energy industries. But the costs remained high and the ability to carry out such an attack was available to only a few major powers. Computers and electrons changed the picture entirely. Now, the capability is widely available at relatively little costs. This is the new geography in which the commission has focused its efforts. A border less, cyber- geography whose major typographical features are technology and change. We've long understood physical threats and vulnerabilities. But not so, in cyber space. The fast pace of technology means we are always running to catch up in the cyber dimension. Thus, the commission's work and our report focus primarily on coping with the cyber threat. Our foremost concern is the interdependencies presented by the system of systems we rely on for the daily operation of our critical infrastructures. Furthermore, information that describes our vulnerabilities is increasingly accessible. Most of it is unclassified and much of it is available on the Internet. We had to be careful in compiling this information not to provide a handbook for those who would use it for harmful purposes. So, who is the threat? We view the threat as anyone with the capability, technology and intent to do harm. While we've not found a smoking keyboard -- if you will -- that is, we do not know who has the intent to do harm. We do know that the threat is a function of capability and intent. We characterize capability as a combination of skills and tools. Skills that even most teenagers have. And tools that are readily available, widespread even on the Internet. In short, the opportunity to do harm is expansive and growing. The bad actors who use these tools range from the recreational hacker who thrives on the thrill and challenge of breaking into another's computer. To the national security threat of information warriors intent on achieving strategic advantage. Common to all threats is the insider. We could spend millions on technology to protect our infrastructures. But a well placed insider or disgruntled employee could render near all protection useless. The new arsenal of weapons of mass destruction in the cyber world include Trojan horses, viruses and e-mail attacks that can be used to alter or steal data. These tools recognize neither borders nor jurisdictions. They can be used anywhere, any time by anyone with the capability, technology and intent to do harm. And they offer the advantage of anonymity. We examined the respective roles of the private sector and the federal government in light of this new threat and the potential bad actors. We concluded that the private sector has a responsibility to protect itself from local threats such as individual hackers and criminals. And that the federal government has a larger responsibility to protect our citizens from national security threats. In short, we found that infrastructure protection is a shared responsibility. The private sector is responsible for taking prudent measures to protect itself from common place hacker tools. If these tools are also used by the terrorists, then the private sector will also be protecting against cyber terrorists attack. And will be playing a significant role in national security. The federal government is responsible for collecting information about the tools, the weapons, the perpetrators and their intent from all sources, including the owners and operators of the infrastructures. The government must share this information with the private sector so that industry can take the necessary protective measures. In some respects, our most important finding is that adapting to this challenge requires thinking differently about infrastructure protection. We must look through the lens of information technology as we approach the third millennium. Specifically, we found that information sharing is the most immediate need. Responsibility is shared among owners and operators and government. The federal government has an important role in the new alliance. Infrastructure protection requires a focal point within the government. We must develop an analysis and warning capability. The existing legal framework is imperfectly tuned to deal with cyber threats. And finally, research and development efforts are inadequate to support infrastructure protection. We know our infrastructures have substantial vulnerabilities to domestic and international threats. Some have been exploited. So far, chiefly by insiders. Protecting our infrastructures into the 21st Century requires that we develop greater understanding of the vulnerabilities and act decisively to reduce them. In the last 15 months, the commission has thoroughly reviewed the vulnerabilities and threats facing our infrastructures, assessed the risks, consulted with thousands of experts and deliberated at length as to how best to assure our nation's critical foundations in the decades to come. Our fundamental conclusion is that waiting for disaster is a dangerous strategy. Now is the time to act to protect our future. And this action requires a new partnership to address the risks of protecting. The commission's recommendations are the products of much research, discussion and deliberation. They are founded on shared core principles and they are based on fact. They are aimed at improving coordination and establishing roles for infrastructure protection, fostering partnerships among all stake holders and coordinating diverse interests. Every recommendation was discussed at length in a series of deliberations that addressed all feasible options and the pros and cons of each. All commissioners accepted the final report as reasonable, balanced and acceptable for submission to the president. The commission's recommendations fall generally into three categories. Actions the federal government must take, actions the owners and operators of the infrastructures must take and actions that require partnership between government and industry. During our extensive outreach efforts, we heard time and again that the owners and operators of the infrastructures need more information about cyber threats. They also said that a trusted environment must be built so that they can freely exchange information with each other and with government without fear of regulation, loss of public confidence, incurred liability or damaged reputation. The commission's recommendations laid the foundation for creating a new collaborative environment that includes a two way exchange of information, not more burdensome regulation. Our recommendations focus on protecting proprietary information and ensuring anonymity when necessary. Reviewing legal impediments to information sharing, such as antitrust provisions and the Freedom of Information Act. And creating information sharing mechanisms both within industry and between industry and government. As to actions that the government should take, we recommend specific steps to ensure owners and operators and state and local governments are sufficiently informed and supported to accomplish their infrastructure protection roles. These include designated federal agencies continuing and expanding the availability of risks assessment services to the private sector. Encouraging industry and assisting, when necessary, the development of risks methodologies. The U.S. security policy board should study and recommend how best to protect specific private sector information on threats and vulnerabilities to their critical infrastructures. And, the funds appropriated under the Nunn-Lugar-Domenici domestic preparedness program -- that we just discussed -- should be doubled to expand and accelerate sharing of capabilities to mitigate the effects of WMD attacks. MARSH: And we heard that from law enforcement and emergency responders throughout the nation. Key to the success of these initiatives is educating our citizens about the emerging threats and vulnerabilities in the cyber dimension. The culture has changed, and our way of thinking about technology and the resulting threats and vulnerabilities must also change. The commission's recommendations are aimed at all levels of education, from grammar to graduate school and beyond. They include a series of White House conferences to spur new curricula in computer ethics and intellectual property for elementary and secondary schools; a nationwide public awareness campaign, simulations and roundtable discussions to educate the general public, as well as industry and government leaders; grants by the National Science Foundation to promote graduate-level research and teaching of network security; and partnership between the Department of Education and Industry to develop curricula and market demand for properly trained information security technicians and managers. Infrastructure assurance is a joint responsibility, but the federal government has an unmistakable duty to lead the effort. Clearly, the federal government must lead by example as it exhorts the private sector and state and local governments to raise the level of security of their systems. The federal government must pursue the tools, practices and policies required to conduct business in the cyber age. This includes improving government information security through developing, implementing and enforcing best practices and standards, and then conducting certification and measures against those standards; working with industry to expedite efforts for alternative information security and encryption key management pilot programs. We strongly believe that we must lower the temperature of the encryption debate and demonstrate a key management infrastructure management system with good encryption that can allay the concerns of all of the various interests that are involved in the encryption debate. Elevating and formalizing information assurance as a foreign intelligence priority, and we've made such a formal recommendation. Recruiting and retaining adequate numbers of law enforcement personnel with cyber skills. We found this problem at all levels -- the FBI, state and local law enforcement agencies. And finally, conducting a thorough risk assessment of the national aerospace system, of the planned national aerospace system, and the planned sole reliance on the global positioning system. That's a specific but a very important matter. We examined a full range of legal issues relating to protecting the critical infrastructures, but with three goals in mind: Increasing the effectiveness of government's protection efforts; enhancing the private sector's ability to protect itself; and enabling effective public-private partnership where most needed. We propose the further review of major federal legislation as it relates to the critical infrastructures and the cyber threat. We have developed modest recommendations in the area of criminal law and procedure. Specifically, the federal sentencing guidelines, to take into account the true harm done by attacks on the critical infrastructures. We call for an expert study group representing labor, management, government and privacy interests to make recommendations for long-term reform in the employer-employee relationship, yet balancing security and privacy. And we recommend easing legal impediments to information sharing, such as antitrust provisions, federal and private liability, and the Freedom of Information Act. Federal research and development efforts are inadequate to meet the challenge presented by the emerging cyber threats. About $250 million is spent each year on infrastructure assurance-related R&D, of which 60 percent or $150 million is dedicated to information security, largely conducted by the National Security Agency and DARPA. There is very little research supporting a national cyber defense. The commission believes that real time detection, identification and response tools are urgently needed, and we concluded that market forces are insufficient to meet those needs. Thus, we recommend doubling federal R&D funding for infrastructure protection to $500 million the first year, with 20 percent increases each year for the next five years. We recommend this funding target risk management, simulation and modeling and decision support, contingency planning, incident response and recover, information assurance, vulnerability assessment and system analysis, and early warning and response monitoring and threat detection. I need to talk a little about how the federal government and industry can work together to address infrastructure protection concerns. It might be easiest if I first explain a little about our methodology before jumping right into our partnering recommendations. First, the commission identified five general functions that are the foundation of infrastructure protection and assurance efforts, and they are shown here -- policy formulation and so on. Next, we flesh them out to include all the tasks that must be formed, performed, to assure our infrastructures, as shown there. We knew that a great many people and organizations needed to accomplish these tasks, but we were not sure who or where. We devised a framework or matrix to help determine who should be responsible for each task. Along the top of this matrix, roles range from the purely public to the purely private. Along the side, roles range from decentralized to centralized. The top left quadrant, for example, is the role of the federal government, centralized and public. The bottom right quadrant is the place for individual companies, decentralized and private. Using this framework, we plotted the specific tasks of infrastructure assurance where we thought they should be performed. And the result is a high concentration in the four distinct quadrants, but also a high concentration along the borders. And it was the concentration along the borders that gave us pause, for these are the functions that require a new awareness, a new way of doing business, and a new partnership. We next look at how infrastructure assurance is being performed today, and there are many players in this game, including the privately-owned infrastructures as well as federal, state and local governments. There are also a great many existing relationships, such as regulating or enforcing laws. But there are no specific relationships for infrastructure protection and assurance, and we focused on bridging this gap. And this is how we propose to facilitate the public-private partnership, how to bridge the gap to best protect our infrastructures. At the policymaking level, we recommend an office of national infrastructure assurance, located within the White House, to serve as the federal government's focal point for infrastructure protection. Secondly, a national infrastructure assurance council comprised of selected infrastructure CEOs and cabinet officials to propose policy and advise the president. And, an infrastructure assurance support office to support both the council and the national office. And this office we recommend be located in the Department of Commerce. At the operational level, we recommend sector infrastructure assurance coordinators as focal points within each industry infrastructure to share information. These would be clearinghouses that would provide anonymity and protect the proprietary information that the industry would want to share with the other agencies and government. And then federal lead agencies to promote and assist in establishing those sector coordinator clearinghouses. And an information sharing and analysis center staffed by both private industry and government to receive and share information about infrastructure intrusions, to be located in the private sector. And finally, a warning center designed to provide operational warning whenever possible of an attack on the infrastructures, either physical or cyber, and we propose that that be built upon the existing and embryonic warning center of the CTAC within the FBI. In conclusion, just as the risks are shared between the public and private sectors, so will the solutions be found. Our national and economic security has become a shared responsibility, one that will require a new kind of partnership between government and industry, one which encourages information sharing, and one which requires the government to lead by example. I believe the findings and conclusions of the commission are based on accurate and reasonable information and analyses. MARSH: Our recommendations if implemented, will create the partnerships and structures essential to reducing vulnerabilities in our infrastructures. They will provide the impetus for research and development to increase information security and provide a cyber defense system. They will increase the nation's ability to prepare, protect and respond to any threats -- strategic or otherwise -- directed against our infrastructures, thereby ensuring their continued effective operation in support of our defense, economic growth and general well-being. Mr. Chairman, that completes my statement. I'd be pleased to answer any questions that you or Senator.... KYL: Thank you very much, Mr. Marsh. There are so many questions and for the benefit of the audience, let me tell you that we expect a vote on the motion to proceed on Fast Track at 4:20. Now that's 10 minutes from now, and therefore, Senator Feinstein and I conclude that we will try to do our best to conclude this hearing at about 4:30, which should enable us to run to get to the vote. And so, we'll try to be as quick as we can. But we need to ask you some questions for the record, and you've already indicated a willingness to continue the dialogue informally. So, I know we'll be able to count on that too. You discussed the best practices concept. And I wonder if you would tell us some of the ways that you think we could actually and establish an institutionalize best practices for information assurance, not only in the government, but also in the private sector? MARSH: Yes, Mr. Chairman. We believe that NIST within the Department of Commerce and the NSA are best equipped of all the agencies of government to identify those best practices, best fire walls, best means of controlling access by way of password control, etc., best to describe under what conditions encryption ought to be used and how it ought to be implemented. And therefore, we believe NIST in collaboration with NSA ought to be charged to develop and disseminate best practices within government. We believe that this information and analysis center that we're proposing, would be the mechanism then, to exchange those best practices. And we advocate they be exchanged with the private sector out through the clearing houses that we've proposed creating. KYL: The reason I mention this is, it's critical that because government uses so much of the private sector for its own purposes, and because the private sector constitutes the vast majority of the communications and the telecommunications and the energy sector, all of the other things that were identified; five out of the eight are totally private sector. And elements of the other three are, at least two of the three are also private sector. It's critical that the private sector also embrace these best practices. And the model could be anything from something that I wouldn't propose which is standards such as we have under the Clean Air Act let's say. The industry shall remove a certain amount of its pollutants or not emit more than X amount of pollutants, and here are the practices that we approve for the purpose of achieving those goals. That's a very heavy handed approach to it. All the way from that to a purely voluntary kind of thing. But, because the government itself relies upon many of these private sector communications and systems, is it your view that we're going to have to find incentives and other mechanisms sufficient to ensure that these best practices are built into the private sector systems as well as the government systems? MARSH: Mr. Chairman, we debated that a length within the commission that whether or not we ought to seek mandatory means of imposing best practices and standards. And our considered conclusion was that we not do that, that we attempt as a first step to get this information sharing system really working, and we believe through an education and awareness process that businessman will find that it's in their very best interest to incorporate these best practices against the commonplace threats. And if they'll do that, and they need to do that; we believe that will give us a great measure of protection against the more serious threats. And therefore, we do not believe it's yet time to mandate such best practices upon the private sector, except that that of course, is an option if we find that they are not well accepted. KYL: Well, and again, I reiterate that that's not my preference certainly. I think we are going to have to face up to the realistic challenge however, of providing incentives for industry to adopt best practices. Because, it is no longer a matter of going it alone. Everyone is depended upon everyone else at this age, and that's part of the whole point of this exercise. And given that interdependence and due to the inter operability of the systems, I think we're going to have to have us some national commitments here that enable us to secure our systems against the kind of challenges that you've discussed. Let me just ask one other question and then turn to Senator Feinstein. About 20 percent of the recommendations in the report pertain for the need for additional studies. And, some might read into this the kicking the can down the road approach. I know that is not your approach to this. How would you characterize the level of urgency with which we should move forward? MARSH: I believe I tried to summarize in the statement that it would be totally irresponsible to delay taking action against this problem. And we believe it's an urgent problem that steps be taken now, and if they should not be taken; I believe we're facing a very likely major challenge within the coming years. FEINSTEIN: Thank you, Mr. Chairman. General, take my comments with a grain of salt because I'm one that's still trying to master my little IBM think pad. So, I'm new to cyberspace and I find it quite a wondrous world. Having said that, you know, I'm not necessarily new to matters that are related to security. And in prior hearings that Senator Kyl has had, and I've been ranking member, this whole subject of encryption and key recovery has come up and I've made some comments, saying, you know, I think this is really important, and etc. etc. ****************************************************************************** And everybody says, you're going to get a storm of protests. How can you say that from California. Do you know I didn't have a single phone call from any CEO of any computer company, anywhere. ****************************************************************************** Now the trade people went off, you know, on sort of a lark. I think that the CEO's of these big companies really understand that we're in a new day. And, I wanted to just brashly make a recommendation to you that it might be well to convene a meeting of top CEO's throughout the United States, and really kind of give them your views of where we are as a nation, what the threats are, and to kind of bring them in on a cooperative basis right at the very beginning. Because, I think you'll have some very willing partners. MARSH: Senator, I think that's right. I believe that as we've interacted with the CEO's, and we have them on our advisory council as well as many other fora over the course of the last year, when you sit down and talk about this problem; we get a shared feeling of the nature of the problem on the part of all. Very few are skeptical of our undertaking. FEINSTEIN: Can you outline any of the concrete changes that might be able to be immediately implemented to strengthen our system against cyber or physical threat, that we might be able to take now? MARSH: Senator, there are wide range of techniques and tools available to the private sector right now. Such arcane things as fire walls and good password control, good discipline, good system administrators managing the networks, whether it be within your company or within your office. And the tools are available. It takes a commitment on the part of management to invest, and that investment is not large to install such mechanisms and to enforce the disciplined used of them. So, much of that is available. And certainly, encryption is available. And we want to see that adopted over all critical control functions at a very early date. And that's why we're so anxious that this debate evolve and be completed early. FEINSTEIN: You spoke about establishing a new office of national infrastructure assurance. And placing it within the confines of the White House. I'm not really sure that's the right place for it. FEINSTEIN: I mean I would hope that, based on what the -- Dr. Hamre said and the concern of the Defense Department and what Senator Kyl has just said about there really needs to be a whole separate branch in defense -- I hope I'm not misspeaking... KYL: No. FEINSTEIN: ... to really deal with this, it would sort of seem to me that perhaps a separate branch in defense that had the R&D potential, was able to really go out and tap the best brain cells in the nation might really be a better way to go. Why did you not recommend that? MARSH: Senator, we felt that this was a multidisciplined problem, if you will. That is it has the law enforcement dimension, and that's a very important one. It has an intelligence dimension. It has the defense. But it also has an economic dimension. That is the economic concerns of the private sector have to be taken into account as you formulate policy and all. And it was our judgment that, therefore, that office ought not be viewed strictly as a national security/national defense problem, but in this broader context. And we felt placing it in the White House would give it that kind of emphasis across all branches of government. FEINSTEIN: Not to belabor it, but I think placing it in defense would give it a status and a credibility and remove it from any political dimension, which I think is extraordinarily important in this. I mean I really believe this is a major threat to the well- being of all of us. And the more we have, you know, our top defense people in a sort of separate effort working on it, the better off our nation is going to be in the long term. I hate to see it get involved in politics in any way -- not that -- you know, and I'm not casting any aspersions on the White House. But you know, we all -- I've been around here long enough now to see what happens, and that, dependent on the president, you get a certain amount of criticism for whatever you do if you're not in that party. And I would not like to see that happen with something as critical as this. MARSH: We do not want the problem to be politicized if at all possible. FEINSTEIN: Now, I thank you very much. I think both you and Dr. Hamre were really very -- very effective in stating the urgency of this. And I would just hope that nobody, you know, looks at this as anything but top priority, and we really move fast. And I, for one, am willing to help my chairman just as much as I possibly can in this regard. MARSH: Thank you, Senator. KYL: Mr. Marsh, let me make a couple of statements maybe that you would feel less comfortable making just to put a couple of things in context, too. The administration, having just received your report, has begun the process of evaluating it, vetting it among the various departments, agencies, that they'd like to get responses from in order to develop its official response in terms of actions that it might take or recommendations to Congress and other steps that might be taken. So we appreciate the fact the administration has not yet responded and are not asking anyone from the administration to respond at this point. We felt it important to have you brief the public in an open session as soon as the report was declassified, and the report is now declassified, so at least in this version of it. There is also a classified version of it. And we view this as the beginning of the debate. Senator Feinstein, I think importantly, mentioned a couple of points and I second her motion of bringing people with industry together as much as possible as soon as possible. You did that as a part of your commission. I think the president was wise to include the private sector segment. I know we've dealt with the NSTAC people before. I had to ask my staff -- remind me exactly what that stands for -- the National Security Telecommunications Advisory Council, a group of CEOs that has been very aggressive in working with government and trying to advise the president on how he could help to deal with some of these problems. And so I know that there are some very good people in the private sector who very much want to work on these problems. I think the thing that we would like to leave the public with today is the same point that Senator Feinstein ended on. And that the sense of urgency which is why I asked you that last question and why I read the Defense Science Board recommendation to Dr. Hamre. And he reiterated the point of urgency. It is important, while the administration evaluates your report, that it also takes steps like the Interagency Task Force and other steps to immediately begin to deal with the problems. And if I could kind of conclude on this note, for those who haven't had the benefit of reading the report and other documents, we're really talking about a couple of different things here. In terms of the threat, we're not just talking about the security threat, a challenge by a foreign nation, for example, to multiple parts of our national infrastructure, but also as you pointed out lesser threats -- a terrorist threat, which may or may not be strategic in its implications; just a sophisticated hacker, as you pointed out; and also natural events, which also threaten our infrastructure. And in addition to talking about the computers at the Defense Department, we're talking about all of the telecommunications intertwined with all the switching in the country and the energy grids, as they go through all of their complicated intertwined connections. You mentioned the global positioning satellite, how our airplanes all depend upon getting where they're going at exactly the right place and time on a system which could be very vulnerable. All of these things are subject to all of those different kinds of threats. And so, as we evaluate the proper response for it, we have to keep them all in mind. I tend to agree with Senator Feinstein that, as to the security of the nation in terms of a strategic threat, clearly there needs to be within the Defense Department a central command to deal with that. In order to insure that we have the proper law enforcement follow-up and strategic warnings that only a group like the FBI can provide, we need to have a clear component in the FBI or the Justice Department or some similar place to insure those capabilities. I mentioned these -- and then the emergency response that Senator Feinstein mentioned earlier and so on. All of this, I think, illustrates the complexity of the problem, the complexity of the structures that are going to be necessary to deal with it, the fact that many different committees in Congress are going to be dealing with this, many different agencies of the government. You've tried to pull all of that together in some sense in this report to begin to discuss how this all relates together. I commend you again and the members of the commission for the job well done under very difficult circumstances, and pledge to you our cooperation. I'm sure I speak both for the -- both sides of the aisle here. This is not a partisan issue at all. And we look forward to the continuing dialogue with you. I would like to request a couple of things from you if you could provide them for the record. A copy of the legal database which the commission assembled would be very valuable to us. MARSH: Yes, sir. KYL: And also any other studies or products that you used in the production of your report that might be useful to us as well. We'll submit a specific list for you as well as possible additional questions for the record. Senator Feinstein, anything else... FEINSTEIN: Thank you very much. KYL: We'll look forward to working with you... MARSH: Thank you very much. KYL: ... General Marsh and thank you very much for being here. END NOTES: ???? - Indicates Speaker Unkown - Could not make out what was being said. off mike - Indicates Could not make out what was being said.
[Added by JYA] [Congressional Record: November 5, 1997 (Digest)] [Page D1214-D1217] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr05no97-1] Wednesday, November 5, 1997 Senate [Excerpt] NATIONAL INFRASTRUCTURE PROTECTION Committee on the Judiciary: Subcommittee on Technology, Terrorism, and Government Information concluded hearings to review the findings and recommendations of the President's Commission on Critical Infrastructure Protection report, and to examine policy implications of new risks to the information-based national infrastructure, after receiving testimony from John J. Hamre, Deputy Secretary of Defense; and Robert T. Marsh, former Chairman, President's Commission on Critical Infrastructure Protection. ------------------------------------------------------------------------- [Congressional Record: November 6, 1997 (Digest)] [Page D1228-D1231] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr06no97-2] House of Representatives [Excerpt] COMPUTER SECURITY--U.S. INFRASTRUCTURE Committee on Science: Subcommittee on Technology held a hearing on the Role of Computer Security in Protecting the U. S. Infrastructure. Testimony was heard from Robert T. Marsh, Chairman, President's Commission on Critical Infrastructure Protection; and public witnesses.