11 November 1997
Thanks to Peter Neumann and David Wagner

Forwarded message:
Date: Tue, 11 Nov 97 8:26:29 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Senate hearings on PCCIP

[BCCed to my relevant crypto groups...]

Note the statement by Feinstein that she did not hear anything from any
CEOs.  I have flagged it with "*****".  Please help to get some flak sent
back to her from CEOs.  She seems hopelessly wedged, although this is
totally consistent with her appearance at our Senate hearing on crypto in
July when she said the FBI should get whatever it wants.


[JYA note: Probable date of hearing November 5, 1997]

Transcript of Senate Subcommittee on Terrorism Hearing on PCCIP...

Dr. Hamre is especially well-suited to discuss how Congress, the
administration and industry can work together to find solutions to the
challenges that this nation faces from the threat of information warfare. 

Having spent four years as undersecretary of defense prior to his
appointment as deputy secretary and 10 years prior to that as a professional
staff member of the Senate Armed Services Committee, where he worked with
the Defense Department and industry on procurement, research and development

Dr. Hamre, thank you very much for being here today.  We look forward to
your testimony.

HAMRE: Chairman Kyl, thank you very much for inviting me.  I must confess
to be a bit unnerved when an opening statement is better than my testimony.
So I am somewhat nervous about what I'm going to say.

But nonetheless, I would ask that you include my written testimony in the
record of the committee. 

KYL: It will be included in its entirety. 

HAMRE: Thank you. 

I, too, would like to add my words of thanks and commendation to General
Marsh and his panel.  I think they have just done a splendid job.  This is
probably the hardest, most complicated problem that anybody faces, and they
tackled it and they've just done a terrific job and I'm so glad that they are
here today. 

I apologize that I have to -- have asked to lead off as witness because I
must go to the White House for a meeting shortly.  But I, too, want to say
it's been tremendous service on their behalf.  And all the entire country's
grateful, frankly, for their efforts.

Mr. Chairman, I know that others have used the analogy before that we are
facing the prospect of an electronic Pearl Harbor.  May I take that analogy
-- I happen to agree with that.  But may I take that analogy in a slightly
different direction because I think it would help inform our thinking here

As I mentioned to you in the previous session, there was not a single
battleship that saw service during World War II where we hadn't laid the keel
for that battleship before Pearl Harbor.  Many people think back that Pearl
Harbor was a shocking surprise attack and that we had done nothing to get ready
for World War II. 

That was not true.  It turns out if we were to go down to Norfolk, to the
Norfolk Navy Shipyard, you'd see the world's largest dry dock and that dry
dock was actually built in the mid-'30s, and it was built by naval planners,
with the support of Congress, who saw the need to have in place the
capability, the infrastructure, the weapons systems it was going to take to
defend the country in the next war.

I believe most firmly that that's exactly where we are today. There is
going to be an electronic attack on this country sometime in the future.
What we do now -- and frankly, your leadership here becomes absolutely
indispensable -- what we as a country do now is, I think, exactly analogous
to what those far-thinking planners did in the mid-'30s getting ready for
World War II.

We could either choose to be ready and have in place the infrastructure and
the discipline to be able to handle this or we can ignore it and I think suffer
very serious consequences if we choose to ignore it. 

That's why this hearing is so absolutely critical, and I strongly agree with
what you've said. 

Let me say that this is not primarily a defense responsibility. This new
electronic attack will differ from Pearl Harbor in one very important
dimension.  That was an attack on what was clearly military capability at
the time.

An electronic attack on us is going to be quite different because it's
not clearly going to be against just military capabilities.  More likely
than not, it's going to be against the private sector infrastructure that
we, the Department of Defense, will be using in the future and increasingly
using private sector resources.

So we have a very complicated new environment that's emerged -- one where
an attack against the United States is not necessarily an attack against the
traditional military infrastructure of the United States.  It could be an
attack much more broadly against its commercial and industrial

This is a difficult issue to manage because, if an attack comes in it's one
of three things.  It's either an act of terrorism.  It's a deliberate act of
war.  Or it's a crime.  And those things are handled in different ways in our

Criminal activity is handled in our justice system, and rightly they need to
be first responders in that event. 

If it's an act of war, that clearly is our responsibility.  And if it's an
act of terrorism, it is in the foggy in-between. 

As you said in your opening statement, the troubling thing about this new
world of potential war in cyberspace is that the attack will inherently be
ambiguous.  An opponent, if they choose to do this, has years to probe
vulnerabilities in our system, and quietly accumulate information, an order
of battle, an electronic order of battle.

And they can build that quietly.  And to us, we will not see all the dots
and connect them.  You know that game we all played as kids where you
connect the dots to get a picture.

If only part of the dots are in the Department of Defense infrastructure
and most of the other dots are -- some are in private industry and some are
in other parts of them, who is going to pull that together and create a
coherent picture of what's going on in advance?

And that's the central challenge, I think, that we face here, and you
face as a leader of this country in the Congress, that we face working in
the department.
I come to you today in two roles.  I come to you as basically the chief
operating officer for the largest corporation in the world.  And I come to you
today as the deputy secretary of defense, responsible for the defense of this
country with the secretary of -- with Secretary Cohen. 

When you confront so far reaching a challenge as this, one can easily get
lost very quickly in the complexity of everything that's in front of us, and
so I have sat back and said -- What are the things we have to tackle first?

And I put them in three categories. 

First, I think we need to start investing in the tools of defense so that
we, at least, are starting down the road of buying what we need in order to
defend at least the Defense Department and then other elements of the
government and the country where we need to.

We're starting first with the Department of Defense.  In the last three
years, we have bought over 400,000 Fortezza cards, which is a kind of a
centerpiece for a key encryption system inside our most heavily defended and
most sensitive communications channels.

We have bought over 300 certificate work stations in order to hand out
certificates to people who must operate inside this network.

We have invested in early warning centers and centers that monitor our
own Department of Defense installations and our communications networks.
We've invested in secure Internet capability so that, while we're riding on
commercial Internet backbone, we have a secure capability on that backbone.

So we've been investing in the department in some of the tools that we're
going to need as the Department of Defense.

It is, as you said in your statement, obviously not sufficient in a world
where we're increasingly using private sector resources in order to
undertake our business and we're using those private sector resources to
hold down cost in peacetime, therefore we're dependent on the health and
well-being of those private sector infrastructure resources when it comes to
time of war.

The second thing that I think we have to do is -- and I think I'm
treading into what I know is a controversial area -- but we have got to
begin putting in place strong encryption in our information technology
systems, and we have to have a key recovery system to support -- and I'm
talking to you now as a businessman.

I run the largest business in the world, and it is inconceivable to me
that I can do business -- not just warfighting but actual business -- in the
future without having strong encryption and a key recovery system.

HAMRE: Let me just take a second to say why this is so important to us. 

As you know, we will increasingly be using private sector backbone for
our communications and for our information management. We will be riding on
that private sector backbone and we'll be sending messages across that

We can't afford to have an opponent read all of our messages, know what
it is we're thinking and planning, and we cannot afford to have an adversary
who would present to us spurious information that's been altered, and to
change our perceptions of reality or our perceptions of what's happening.

Therefore, we have to have systems that have the strongest level of
encryption required for the sensitivity of that business activity so that we
know it is safe from prying eyes and that it's not susceptible to spoofing.

But when you're riding on a network, and you do not see who's on the
other end of the computer terminal that's sending you information, you then
have to have a system that lets you know that the person you're dealing with
is really who they say they are.

You cannot have individuals on a network who spuriously can introduce false
information when you're dependent on remote input of data.  Data upon which
you're going to make crucial war-fighting decisions. 

To solve that problem, you must have strong encryption.  And you must have a
way of validating that whoever is on that network is who you think it is. 

And if someone who is trying to come into that network who is not authorized
to be in that network, you can quickly find out that they're a fake. 

Fortunately, mathematicians, brilliant people, have given us some tools
to deal with this.  And it's enormously important for us to now utilize
those tools and put in place both a strong encryption environment and the
infrastructure for recovery of keys so that we know who is on the network.
And who is talking to us.

This is a controversial subject in our country, right now, but it is a --
I'm speaking to you again, as a businessman who must have confidence that
whoever I'm dealing with, I know their identity.

I also need, as a businessman, to know that, if I have someone who is
behaving improperly inside the government, that I know they're leaving
fingerprints by their electronic identity, when they're moving throughout
this network and that I can turn that off.  I can shut it down, if
necessary.  These are absolutely indispensable to me as a businessman.

I would also argue that this is absolutely indispensable to us as a
country for our -- in long-term security.

Every businessman in this country, when he sits down and -- he or she --
sits down and thinks about what it means to do business over the Internet,
or business over remote networks, knows they have to have encryption in the
future.  They also know they've got to be able to secure that data and know,
with confidence, who it is they're dealing with.

And therein lies the importance of this second pillar, I believe. Which
is encryption and key recovery.  It doesn't mean that you have to have the
strongest form of encryption.  We're not going to put Fortezza in all of our
systems.  We'll put Fortezza where we have our most pressing and most
sensitive data.  For example, our nuclear command and control system.

For routine business transactions, when it's, say, paying an invoice or
paying a travel voucher, we can use commercial software and commercial key
recovery techniques.  It's very possible to layer this in an appropriate
way.  We're not burdening everybody with the most expensive and the most
complicated solution.  I think that's the second thing that we need to focus
on as a government.

The third thing that I believe we need to focus on, as you said in your
opening statement, this is a complicated problem that involves both the
government and the private sector.

We need to find ways to establish a working partnership with the private
sector so that we and they, together, are working to solve this problem.
But that can happen only if there is -- if there are venues of trust that we
can build on where we are working on common problems already.

We have one of those in the Department of Defense where we work with the
National Communications System, and its counterpart in the private sector.
It is an important venue for us to be talking openly with our partners in
industry who are our indispensable allies in the future.

We have to understand their constraints.  They need to understand our
needs.  We really do share a very common future and we have to be working
together.  And we need to find ways to build that.

And Mr. Chairman, and Senator Feinstein, if there's one thing I could ask
you help as a subcommittee doing, is creating this cooperative spirit
between the government and the private sector to find constructive
modalities for us to be solving this problem collaboratively in the future.
We cannot do it by ourselves.  We cannot do it as the Department of Defense
by ourselves. And we certainly can't do it as a government by ourselves.
Your help would be indispensable in that regard.

I thank you for the opportunity to come.  I know this is an enormously
busy day.  I know there are going to be some roll call votes.  Let me stop
here and if you would like to ask questions, now, that would be fine.  And
I'd be glad, of course, to respond to anything in writing, as well.

KYL: Thank you very much, Dr. Hamre.  And I know you do have to leave.  I'd


OK.  So you have a little bit of time... 

HAMRE: I do. 

KYL: ... we'll try to accommodate your schedule, certainly. 

HAMRE: Yes. 

KYL: We've been joined by Senator Feinstein, and before we engage in any
questions, perhaps I could ask her to give you her opening comments, or if
you'd like to begin questioning, that would be fine, too.

FEINSTEIN: Thank you. I don't -- I'll put my statement, if I may, Mr.
Chairman, in the record.  Let me just say that I very much appreciate the
secretary's comments.  And one of the things that is a great surprise to me
is really how little we're able to cope with the world we're going into.

And as the world becomes more computerized, the real opportunity for
people to wreak havoc becomes expanded greatly.  And we saw it in San
Francisco just a week ago.  Somebody got into a transmission station at PG&E
and was able to turn off the power grid for a lot of the city, which shut
down computers everywhere.

And then the first question I asked, when the CEO of PG&E called to tell
me about it, was, did they go off at the airport?  And he said, no; that was
on a different grid, or system.  And then I began to think what would have
happened if somebody got into the computers at San Francisco International
Airport.  And all of that havoc that could have been played out.

And then I thought back and I remembered my time aboard some of the more
sophisticated naval vessels when I was mayor.  And then I began to think,
well what happens if somebody gets inside their computers?

And you can just go from there.  And I guess if I've learned anything in
the time I've been here, it really is that nothing in this area is
impossible.  That the minds that surround the computer world are really so
bright and so different from my mind, in any event, that many more brain


... that they're really able to do things that no one ever thought
humanly possible.  And then it's -- so, I guess, the point, and I hope
you'll address it, and I'd like to defer to my chairman, because I don't
know what else we could other than have, you know, some form of key
recovery.  Or some methodology for getting at some of this.

And I know everybody's talking, but I gather, in terms of having really
finite solutions, there aren't too many, yet. 

HAMRE: Ma'am, we certainly do agree.  I think it's very important because
this is such a controversial issue.  I'm -- as I say, I'm speaking to you today
as the chief operating officer of this huge corporation.  And I am willing to
buy a key recovery system. 

You know, I think so many people are nervous, and they use freedom of
speech arguments and they use commercial competitivist arguments and all of
that.  And, I'm just saying, as a businessman, I'm willing to buy it.  It's
that important.

And as the Department of Defense, we have to have it for the future.  I
need to know at least our systems are secure.  I'm still going to be
dependent on the local power grid, and if the power grid goes down, we are
going to suffer consequences of that.  And so, ultimately we have to tackle
that, as well.

But right now, it is so important for us to have confidence in our own
systems that we have to have strong encryption and key recovery.  And I'm
willing to buy that.  And that's where we're going to start out here in the
next couple of months.  Because we've...

FEINSTEIN: I'm very pleased... 

HAMRE: ... got to get going. 

FEINSTEIN: ... to hear that. 

KYL: And just to put this in a real-world context and not to get into the
details of the classified exercise this was just briefed to us, but anyone can
imagine that when people in the Pentagon begin to hear reports from different
places that something is going on. 

That the communications are down over here.  And there seems to be a
befuddlement of some kind over here.  And then a very explicit message comes
through by someone saying, I am messing with your system, and if you don't
comply with my demands, I'll mess with it even more.  Immediately, then, you
know you've got a problem. 

KYL: So, how do you begin communicating with each other in a way that you
know is secure?  You already know they've gotten into parts of your system.
And you don't know which parts you can trust or not. And that's precisely
the problem that, Dr. Hamre, you've been -- one of the many problems you've
identifying here.

I also have to respond to the analogy you drew early on -- well, the
Pearl Harbor comment, which I found to be very illuminating.  That the keels
of all of the capital ships that fought in World War II were actually laid
before Pearl Harbor.

Now that did show some advance planning.  And I heard, this morning at a
breakfast, a comment attributed to Bobby Knight, the colorful basketball
coach at the University of Indiana.  He said, almost anybody can have the
will to win.  But what real champions have is the will to prepare to win.
That takes real discipline.  And commitment.  And that is what impressed me
about Dr. Hamre's presentation and the desire to begin this preparation.

Can I quote something in a -- if we could just go back and forth Dianne... 

FEINSTEIN: Yes, that's fine. 

KYL: ... that'll be in front of me.  The very reputable Defense Science
Board has a task force on information warfare and I'll just quote one
sentence of their 1996 report, which said, we conclude that there is a need
for extraordinary action to deal with the present and emerging challenges of
defending against possible information warfare attacks on facilities,
information, information systems and networks of the United States, which
would seriously affect the ability of the Department of Defense to carry out
its assigned missions and functions.

And in trying to convey to the American people the need to support this
kind of effort, both financially and in policy that the Congress and the
administration would set.  And also to communicate to the commercial world
in general how important it is for them to participate, the challenge you
laid before us.

Let me give you the opportunity to try to express in words that Americans
need to hear to help us respond adequately to this challenge.  How you view the
Defense Science Board's comment that this is the -- now is the time for, in
their words, extraordinary action? 

HAMRE: We agree.  When the Defense Science Board wrote that report, and
of course it had months of preparation before it, we were just in the very
earliest stages as the Defense Department coming to grips with this.  Since
that time, we have invested heavily and will continue to invest heavily.

We have now placed -- we have a network monitoring capability for all of
our megacenters.  We have network monitoring capabilities for our
Internet-based communications systems.  We now have network monitoring
capabilities at every Air Force installation.  This is a new thing we're
just opening up this year.

It is very important for us all to realize: this threat is in our future.
It isn't here right now, but how we prepare for it is very much how we're
going to be judged by history.  And that is not just us in DOD.  We cannot
fix this problem by ourselves.

We will be anybody's partner to fix it.  But we cannot fix this problem
by ourselves.  Just like the chairman-CEO of a utility, is going to bear
responsibilities.  He'll be accountable to not only his stock owners.  He
will be responsible to his regulatory authorities. And frankly, to all the
people that are in his service area.

Every one of our business people have a broader sense of responsibility
and we cannot ignore this problem.  This problem is our shared problem.  And
it's our national problem.

We will be anybody's partner in trying to fix it.  But we do need to
have, as you said earlier, a strategy that's coherent, that reaches out over
time to address this problem.  And it's one that has to involve the entire
government.  And we will be working on that over the next several months.
As we've just received the report that the Marsh panel has produced, we
think it's a great starting point, we now need to give you a priority list
of actions.

Where do we start first?  What should we really be acting on? What is the
first line of -- first items to be acting on?  How will we measure our
progress?  That's what we need to be presenting to you in the next couple of
months.  And we would be glad to be coming back to you to tell you where we

FEINSTEIN: Thank you very much, Mr. Chairman.  I may be a little behind
the curve here, but let me ask this question.  Last year, the DOD
authorization bill contained a provision written by Senators Nunn, Lugar,
and Domenici, which focused on the need for local law enforcement and fire
fighters to be better prepared to respond to either nuclear, chemical or
biological or other terrorist kinds of attacks.

And I think over 100 million has been authorized for DOD to move in that
area.  And the commission recommends doubling it.  Can you tell us what has
been done to date...

HAMRE: Yes, ma'am. 

FEINSTEIN: ... and what you see needing to be done in that regard? 

HAMRE: When the legislation was passed, and it was put into the Defense
Authorization Bill, and we received funding to get started, everybody at the
time knew that this was just a starting point.  In the long run, this was
largely a process that had to be carried on by the Federal Emergency
Management Administration, not by the Department of Defense.

But, because we're command-oriented, you can give us a mission and we'll get
out and we'll get started.  We may not be terribly efficient and we may not get
A-minuses every time, but at least we'll get going. 

We've done that.  We have pulled together teams.  We now have, I think, met
with -- we have identified 108 cities that we are going to go through detailed
consultation.  We have already met with 27 of the cities. 

We sit down and these are comprehensive meetings.  We sit down with the
police department, the fire department, the emergency civil defense folks,
the local National Guard units; this sort of thing. And we go through a
two-week process of surveying: where are they? what are their capabilities?
do they know what their needs might be? what can we bring to the table?
what kind of training program should we develop?

Fairly comprehensive program.  But it's very much in the survey mode.  Where
are we as a country?  Where are we in these metropolitan areas? 

I think it's fair to say it's an uneven picture.  If -- we just had a team
that was out at Indianapolis and, frankly, they did a splendid job.  The people
in Indianapolis had been thinking and worrying about this problem for over 18
months.  And they are really on top of it.  It was a model. 

Not all the other cities we've been to are nearly as far along. We will
continue to go through -- the list in the survey phase of the 108 cities.  And,
of course, those are the 108 largest metropolitan areas. 

We are in the process of transitioning this effort over to the Federal
Emergency Management Administration, which really has the civil defense
interface responsibilities with local authorities.  It belongs there and we are
perfectly happy to work with them and transition that effort over.  And we will
continue to be partners with them as long as we can be constructive. 

We feel there's a long-term role for the Department of Defense through the
National Guard in our Reserve components in working with local communities.
Especially on things like terrorist incidents involving chemical and biological
weapons.  This is a terrifying prospect in our future. 

FEINSTEIN: Have any cities refused to participate? 

HAMRE: To my knowledge, no city has refused to participate.  I will --
but I will give you a formal response for the record.  I think the more
likely, fuller answer would be, some cities have not really seen the
necessity for this as others have.  And so we've had an uneven level of

Invariably, when you sit down and talk to people and you talk to
individuals, they will say, yes, this is a problem.  This is something we
all need to work on.

They also think, well, maybe this is a way we can get some money to do
something.  And so, you tend to get sidetracked, sometimes, off on some rabbit
warrens.  But by and large, as soon as you have a chance to talk to people who
are in the business of emergency response, they say, yes, we need to do this. 

FEINSTEIN: The reason I'm raising this is, I think this is an
extraordinarily important effort.  I think if you ask most Americans, you
know, are there a lot of terrorists in this country?  Despite what even
happened at Oklahoma City, most bore (ph) at the World Trade Center most
people would say, no, when in fact there are.

And those of us that have had the briefings know that.  And I think it's
extraordinarily important that, you know, Mr. and Mrs. America understand that,
to be forewarned and prepared is really to be forearmed.  To be able to deal
with this.  Some of these things can happen in such a way that they run a risk
to loss of tremendous life. And I hope no city has refused to participate in
this effort. 

HAMRE: I will give you a formal response and check that for the record.  I
don't know the answer to that, here. 

Again, let me emphasize.  We at the Department of Defense are prepared to be
partners with anybody.  Ultimately, this is a law enforcement and emergency
response responsibility and we need to count on the lead agencies, the Justice
Department and FEMA for a lot of this.  But they can count on us being right
there with them as partners. 

FEINSTEIN: Thanks, Mr. Chairman. 

KYL: You bet.  Thank you, very much.  I think in view of your
responsibilities, Dr. Hamre, we can excuse you at this point.  We may want to
submit some other questions to you. 

HAMRE: Yes. 

KYL: I guess I would like to conclude by again thanking you.  I thank the
Department of Defense and the secretary for their support for our effort to
identify this problem to especially discuss the national security implications
of it. 

KYL: And lay the ground work for the continuing discussion of the
commission report as we begin to implement solutions to the problems as you
identified here today and we look forward to working with you and again, thank

HAMRE: Secretary Cohen asked to specifically say we admire you for your
leadership and you can count us in being your partners here in the next years on
this issue.  

KYL: Thank you very much.  As the chairman of the commission, General Marsh
comes up.  Let me officially ask to add into the record a list of documents
including copies of previous acts of the Congress and executive orders which I
will submit for the record. 

And without objection, we will include those in the record of this hearing.
Now, as our featured witness for today, I'm very pleased to welcome Tom Marsh. 

General Marsh, after retiring from a long and distinguished career in the
Air Force that culminated as commander of Air Force Systems Command, took on
numerous responsibilities in the private sector, including most recently,
CEO of Thiokol Corporation.

In 1996, he was appointed by President Clinton to chair the President's
Commission on Critical Infrastructure Protection.  The purpose of the
commission was to assess the threats to, as well as the vulnerabilities of, our
national infrastructures and to make recommendations as to how deal with them. 

Mr. Marsh is here today to discuss with us these recommendations. In so
doing, it is important to put the commission's report in context. 

The commission was created only last July by executive order and required to
appoint its members and complete its report with recommendations upon its
disbandment within 15 months which was just over two weeks ago.  That's a hefty
assignment by anybody's book. 

So, I want you to know, Mr. Marsh that this subcommittee recognizes that
your commission was presented with an enormously difficult task and I want
to especially commend you and your colleagues for a job well done.

Your service to the nation is equally distinguished by that -- by your
leadership of this commission as by your many years of dedicated service in
uniform.  So, we thank you very much for being here.  We look forward to your
testimony and certainly the opportunity to benefit from your insights. 

MARSH: Thank you, Mr. Chairman and members -- Senator Feinstein. I'm
pleased to be here today to discuss with you the work of the commission,
outline its principle findings and recommendations that are reflected in our
report that was just issued, "Critical Foundations."

Before my prepared remarks, I'd like to express my appreciation to you,
Senator Kyl.  Your far-sighted vision in this area for the needs and the
well-being of the country really has been key to the establishment of the
commission itself and for many of the other actions that have been taken by
the FBI, by the Department of Defense in this past year.

And I think you've seen results of much of your prodding start to take
action and we sincerely appreciate that.  To give you some perspective on
the commission's challenge imagine, if you will, the power goes out in the
Northwest, the 911 system is disrupted in a major city because someone's
flooded out the phone lines with repeat calls, two bridges across the
Mississippi River are destroyed -- bridges that not only carry trucks and
trains but also telephone cables -- and two Internet service providers in
New York City are out of service.

Well, what do you do in such a situation?  Whose in charge?  Is it merely
coincidence or a concentrated attack and you referred to eligible receiver,
Mr.  Chairman, as clear evidence of this statement of the problem.

But these are the types of questions that the commission has been
considering.  Questions to which there are really no easy answers. Questions
we hope our recommendations will help lay the foundation for answering.

Appreciate the opportunity to talk about the commission's work, discuss
why we have come to believe that protecting our infrastructures is so
important in light of the new vulnerabilities and threats of the cyber age,
present our key findings and then briefly summarize our recommendations.

I must say right up front that our findings, conclusions and
recommendations are very different from what we anticipated and different
from what our stake holders anticipated.  Many thought that this was an easy
problem that government alone could solve in a few easy steps.

But during the past year and a half, we definitely concluded that
protecting our infrastructures is a public/private undertaking that requires
a new kind of partnership and protecting the infrastructures is going to
take time and require long-term efforts and a new way of thinking.

The commission was established by the executive order on July 15, 1996.
It was a joint government and private sector endeavor that was charged to
develop a national policy and an implementation strategy for protecting our
critical infrastructures from both physical and cyber threats and assuring
their continued operation.

The president identified eight infrastructures as our national life
support systems.  These national infrastructures are vital in that their
incapacity or destruction would have a debilitating impact on the defense
and economic security of the United States and these are the

Critical infrastructures have long been lucrative targets for anyone
wanting to attack another country.  Our nation relies on its infrastructures
for national security, public welfare and its economic strength.

Those who would attack the infrastructures would do so to reduce our
ability to act in our own interests or erode our public confidence in
critical services or reduce American economic competitiveness.  In the Gulf
War, for example, disabling Iraq's infrastructures was one of the keys to
our success.

A lesson noted with much interest by many countries around the world.  The
commission was uniquely tailored for the task recognizing that the critical
infrastructures are largely owned and operated by the private sector, the
commission's structure was a joint public/private undertaking. 

The commission was comprised of representatives of both industry and
government.  The steering committee of senior government officials oversaw the
work of the commission and guided us through myriad government concerns. 

A presidentially-appointed advisory committee of key industry leaders
provided the unique perspective of owners and operators of the
infrastructures and finally the Infrastructure Protection Task Force was
established at the same time as the commission to support infrastructure
protection until the commission's recommendations are acted upon.

Our approach recognized that most of the infrastructures operate within an
existing framework of government policy and regulation.  But they are also
privately owned, competitive enterprises. 

As such, protection recommendations should not undermine a company's
competitive position.  We recognize that any solution would have to be
viable in the marketplace as well as the public policy arena.

Thus, we adopted the following guiding principles: first, we knew that this
could not be a big government only effort.  Government must set the example.
But it is the owners and operators who are the key to success. 

They have a strong economic stake in protecting their assets and
maximizing customer satisfaction.  They understand the infrastructures and
know best how to respond to disruptions.

Second, while we may be undergoing an information revolution, we felt
that utilizing the best ideas and processes from current structures and
relationships was the proper way to proceed.  This means building on
existing organizations and relationships as well as fostering voluntary

Partnership between industry and government will be more effective and
efficient than legislation or regulation. Finally, this is a long-term
effort which requires continuous improvement.

We must take action in practical increments.  There is no magic solution.
We must aim not only to protect the infrastructures but also to enhance

Outreach was a cornerstone of our effort.  In fact, our conclusions and
recommendations result directly from the conversations and meetings we had
with approximately 6,000 individuals from industry, academia, science,
technology, the military and government.

We held five public meetings around the country, participated in numerous
conferences, hosted simulations, games and focus groups and sought to
increase awareness of this effort throughout the media and our web site.

MARSH: In the past, broad oceans and peaceable neighbors provided the
infrastructure protection we needed.  That all changed during the Cold War.
Technology became preeminent and geography became less relevant.  Soviet and
U.S. nuclear weapons were targeted against each other's power grids, rail
networks and energy industries. 

But the costs remained high and the ability to carry out such an attack
was available to only a few major powers.  Computers and electrons changed
the picture entirely.  Now, the capability is widely available at relatively
little costs.  This is the new geography in which the commission has focused
its efforts.  A border less, cyber- geography whose major typographical
features are technology and change.

We've long understood physical threats and vulnerabilities.  But not so, in
cyber space.  The fast pace of technology means we are always running to catch
up in the cyber dimension. 

Thus, the commission's work and our report focus primarily on coping with
the cyber threat.  Our foremost concern is the interdependencies presented
by the system of systems we rely on for the daily operation of our critical

Furthermore, information that describes our vulnerabilities is increasingly
accessible.  Most of it is unclassified and much of it is available on the
Internet.  We had to be careful in compiling this information not to provide a
handbook for those who would use it for harmful purposes. 

So, who is the threat?  We view the threat as anyone with the capability,
technology and intent to do harm.  While we've not found a smoking keyboard
-- if you will -- that is, we do not know who has the intent to do harm.  We
do know that the threat is a function of capability and intent.

We characterize capability as a combination of skills and tools. Skills
that even most teenagers have.  And tools that are readily available,
widespread even on the Internet.  In short, the opportunity to do harm is
expansive and growing.  The bad actors who use these tools range from the
recreational hacker who thrives on the thrill and challenge of breaking into
another's computer.  To the national security threat of information warriors
intent on achieving strategic advantage.

Common to all threats is the insider.  We could spend millions on
technology to protect our infrastructures.  But a well placed insider or
disgruntled employee could render near all protection useless. 

The new arsenal of weapons of mass destruction in the cyber world include
Trojan horses, viruses and e-mail attacks that can be used to alter or steal
data.  These tools recognize neither borders nor jurisdictions.  They can be
used anywhere, any time by anyone with the capability, technology and intent
to do harm.  And they offer the advantage of anonymity.

We examined the respective roles of the private sector and the federal
government in light of this new threat and the potential bad actors.  We
concluded that the private sector has a responsibility to protect itself
from local threats such as individual hackers and criminals.  And that the
federal government has a larger responsibility to protect our citizens from
national security threats.

In short, we found that infrastructure protection is a shared
responsibility.  The private sector is responsible for taking prudent
measures to protect itself from common place hacker tools.  If these tools
are also used by the terrorists, then the private sector will also be
protecting against cyber terrorists attack.  And will be playing a
significant role in national security.

The federal government is responsible for collecting information about the
tools, the weapons, the perpetrators and their intent from all sources,
including the owners and operators of the infrastructures.  The government must
share this information with the private sector so that industry can take the necessary protective measures. 

In some respects, our most important finding is that adapting to this
challenge requires thinking differently about infrastructure protection.  We
must look through the lens of information technology as we approach the
third millennium.

Specifically, we found that information sharing is the most immediate
need.  Responsibility is shared among owners and operators and government.
The federal government has an important role in the new alliance.
Infrastructure protection requires a focal point within the government.  We
must develop an analysis and warning capability. The existing legal
framework is imperfectly tuned to deal with cyber threats.

And finally, research and development efforts are inadequate to support
infrastructure protection.  We know our infrastructures have substantial
vulnerabilities to domestic and international threats. Some have been
exploited.  So far, chiefly by insiders.

Protecting our infrastructures into the 21st Century requires that we
develop greater understanding of the vulnerabilities and act decisively to
reduce them.  In the last 15 months, the commission has thoroughly reviewed
the vulnerabilities and threats facing our infrastructures, assessed the
risks, consulted with thousands of experts and deliberated at length as to
how best to assure our nation's critical foundations in the decades to come.

Our fundamental conclusion is that waiting for disaster is a dangerous
strategy.  Now is the time to act to protect our future. 
And this action requires a new partnership to address the risks of protecting. 

The commission's recommendations are the products of much research,
discussion and deliberation.  They are founded on shared core principles and
they are based on fact.  They are aimed at improving coordination and
establishing roles for infrastructure protection, fostering partnerships among
all stake holders and coordinating diverse interests. 

Every recommendation was discussed at length in a series of deliberations
that addressed all feasible options and the pros and cons of each.  All
commissioners accepted the final report as reasonable, balanced and acceptable
for submission to the president. 

The commission's recommendations fall generally into three categories.
Actions the federal government must take, actions the owners and operators of
the infrastructures must take and actions that require partnership between
government and industry. 

During our extensive outreach efforts, we heard time and again that the
owners and operators of the infrastructures need more information about
cyber threats.  They also said that a trusted environment must be built so
that they can freely exchange information with each other and with
government without fear of regulation, loss of public confidence, incurred
liability or damaged reputation.

The commission's recommendations laid the foundation for creating a new
collaborative environment that includes a two way exchange of information,
not more burdensome regulation.  Our recommendations focus on protecting
proprietary information and ensuring anonymity when necessary.  Reviewing
legal impediments to information sharing, such as antitrust provisions and
the Freedom of Information Act.  And creating information sharing mechanisms
both within industry and between industry and government.

As to actions that the government should take, we recommend specific
steps to ensure owners and operators and state and local governments are
sufficiently informed and supported to accomplish their infrastructure
protection roles.  These include designated federal agencies continuing and
expanding the availability of risks assessment services to the private

Encouraging industry and assisting, when necessary, the development of risks
methodologies.  The U.S. security policy board should study and recommend how
best to protect specific private sector information on threats and
vulnerabilities to their critical infrastructures. 

And, the funds appropriated under the Nunn-Lugar-Domenici domestic
preparedness program -- that we just discussed -- should be doubled to expand
and accelerate sharing of capabilities to mitigate the effects of WMD attacks. 

MARSH: And we heard that from law enforcement and emergency responders
throughout the nation. 

Key to the success of these initiatives is educating our citizens about
the emerging threats and vulnerabilities in the cyber dimension. The culture
has changed, and our way of thinking about technology and the resulting
threats and vulnerabilities must also change.  The commission's
recommendations are aimed at all levels of education, from grammar to
graduate school and beyond.

They include a series of White House conferences to spur new curricula in
computer ethics and intellectual property for elementary and secondary
schools; a nationwide public awareness campaign, simulations and roundtable
discussions to educate the general public, as well as industry and
government leaders; grants by the National Science Foundation to promote
graduate-level research and teaching of network security; and partnership
between the Department of Education and Industry to develop curricula and
market demand for properly trained information security technicians and

Infrastructure assurance is a joint responsibility, but the federal
government has an unmistakable duty to lead the effort. Clearly, the federal
government must lead by example as it exhorts the private sector and state and
local governments to raise the level of security of their systems.  The federal
government must pursue the tools, practices and policies required to conduct
business in the cyber age. 

This includes improving government information security through developing,
implementing and enforcing best practices and standards, and then conducting
certification and measures against those standards; working with industry to
expedite efforts for alternative information security and encryption key
management pilot programs. 

We strongly believe that we must lower the temperature of the encryption
debate and demonstrate a key management infrastructure management system
with good encryption that can allay the concerns of all of the various
interests that are involved in the encryption debate.

Elevating and formalizing information assurance as a foreign intelligence
priority, and we've made such a formal recommendation. Recruiting and retaining
adequate numbers of law enforcement personnel with cyber skills.  We found this
problem at all levels -- the FBI, state and local law enforcement agencies. 

And finally, conducting a thorough risk assessment of the national
aerospace system, of the planned national aerospace system, and the planned
sole reliance on the global positioning system. That's a specific but a very
important matter.

We examined a full range of legal issues relating to protecting the critical
infrastructures, but with three goals in mind: Increasing the effectiveness of
government's protection efforts; enhancing the private sector's ability to
protect itself; and enabling effective public-private partnership where most

We propose the further review of major federal legislation as it relates to
the critical infrastructures and the cyber threat.  We have developed modest
recommendations in the area of criminal law and procedure.  Specifically, the
federal sentencing guidelines, to take into account the true harm done by
attacks on the critical infrastructures. 

We call for an expert study group representing labor, management, government
and privacy interests to make recommendations for long-term reform in the
employer-employee relationship, yet balancing security and privacy. 

And we recommend easing legal impediments to information sharing, such as
antitrust provisions, federal and private liability, and the Freedom of
Information Act. 

Federal research and development efforts are inadequate to meet the
challenge presented by the emerging cyber threats.  About $250 million is
spent each year on infrastructure assurance-related R&D, of which 60 percent
or $150 million is dedicated to information security, largely conducted by
the National Security Agency and DARPA.

There is very little research supporting a national cyber defense.  The
commission believes that real time detection, identification and response tools
are urgently needed, and we concluded that market forces are insufficient to
meet those needs. 

Thus, we recommend doubling federal R&D funding for infrastructure
protection to $500 million the first year, with 20 percent increases each
year for the next five years.

We recommend this funding target risk management, simulation and modeling
and decision support, contingency planning, incident response and recover,
information assurance, vulnerability assessment and system analysis, and
early warning and response monitoring and threat detection.

I need to talk a little about how the federal government and industry can
work together to address infrastructure protection concerns.  It might be
easiest if I first explain a little about our methodology before jumping
right into our partnering recommendations.

First, the commission identified five general functions that are the
foundation of infrastructure protection and assurance efforts, and they are
shown here -- policy formulation and so on.  Next, we flesh them out to
include all the tasks that must be formed, performed, to assure our
infrastructures, as shown there.

We knew that a great many people and organizations needed to accomplish
these tasks, but we were not sure who or where.  We devised a framework or
matrix to help determine who should be responsible for each task.  Along the
top of this matrix, roles range from the purely public to the purely

Along the side, roles range from decentralized to centralized. The top left
quadrant, for example, is the role of the federal government, centralized and
public.  The bottom right quadrant is the place for individual companies,
decentralized and private. 

Using this framework, we plotted the specific tasks of infrastructure
assurance where we thought they should be performed. And the result is a
high concentration in the four distinct quadrants, but also a high
concentration along the borders.  And it was the concentration along the
borders that gave us pause, for these are the functions that require a new
awareness, a new way of doing business, and a new partnership.

We next look at how infrastructure assurance is being performed today,
and there are many players in this game, including the privately-owned
infrastructures as well as federal, state and local governments.  There are
also a great many existing relationships, such as regulating or enforcing
laws.  But there are no specific relationships for infrastructure protection
and assurance, and we focused on bridging this gap.

And this is how we propose to facilitate the public-private partnership,
how to bridge the gap to best protect our infrastructures.  At the
policymaking level, we recommend an office of national infrastructure
assurance, located within the White House, to serve as the federal
government's focal point for infrastructure protection.

Secondly, a national infrastructure assurance council comprised of selected
infrastructure CEOs and cabinet officials to propose policy and advise the
president.  And, an infrastructure assurance support office to support both the
council and the national office. And this office we recommend be located in the
Department of Commerce. 

At the operational level, we recommend sector infrastructure assurance
coordinators as focal points within each industry infrastructure to share
information.  These would be clearinghouses that would provide anonymity and
protect the proprietary information that the industry would want to share with
the other agencies and government. 

And then federal lead agencies to promote and assist in establishing
those sector coordinator clearinghouses.  And an information sharing and
analysis center staffed by both private industry and government to receive
and share information about infrastructure intrusions, to be located in the
private sector.

And finally, a warning center designed to provide operational warning
whenever possible of an attack on the infrastructures, either physical or
cyber, and we propose that that be built upon the existing and embryonic
warning center of the CTAC within the FBI.

In conclusion, just as the risks are shared between the public and
private sectors, so will the solutions be found.  Our national and economic
security has become a shared responsibility, one that will require a new
kind of partnership between government and industry, one which encourages
information sharing, and one which requires the government to lead by

I believe the findings and conclusions of the commission are based on
accurate and reasonable information and analyses.

MARSH: Our recommendations if implemented, will create the partnerships
and structures essential to reducing vulnerabilities in our infrastructures.
They will provide the impetus for research and development to increase
information security and provide a cyber defense system.  They will increase
the nation's ability to prepare, protect and respond to any threats --
strategic or otherwise -- directed against our infrastructures, thereby
ensuring their continued effective operation in support of our defense,
economic growth and general well-being.

Mr. Chairman, that completes my statement.  I'd be pleased to answer any
questions that you or Senator.... 

KYL: Thank you very much, Mr. Marsh. There are so many questions and for the
benefit of the audience, let me tell you that we expect a vote on the motion to
proceed on Fast Track at 4:20. 

Now that's 10 minutes from now, and therefore, Senator Feinstein and I
conclude that we will try to do our best to conclude this hearing at about
4:30, which should enable us to run to get to the vote.  And so, we'll try
to be as quick as we can.

But we need to ask you some questions for the record, and you've already
indicated a willingness to continue the dialogue informally. So, I know
we'll be able to count on that too.

You discussed the best practices concept.  And I wonder if you would tell
us some of the ways that you think we could actually and establish an
institutionalize best practices for information assurance, not only in the
government, but also in the private sector?

MARSH: Yes, Mr. Chairman.  We believe that NIST within the Department of
Commerce and the NSA are best equipped of all the agencies of government to
identify those best practices, best fire walls, best means of controlling
access by way of password control, etc., best to describe under what
conditions encryption ought to be used and how it ought to be implemented.
And therefore, we believe NIST in collaboration with NSA ought to be charged
to develop and disseminate best practices within government.

We believe that this information and analysis center that we're proposing,
would be the mechanism then, to exchange those best practices.  And we advocate
they be exchanged with the private sector out through the clearing houses that
we've proposed creating. 

KYL: The reason I mention this is, it's critical that because government
uses so much of the private sector for its own purposes, and because the
private sector constitutes the vast majority of the communications and the
telecommunications and the energy sector, all of the other things that were
identified; five out of the eight are totally private sector.  And elements
of the other three are, at least two of the three are also private sector.

It's critical that the private sector also embrace these best practices.
And the model could be anything from something that I wouldn't propose which
is standards such as we have under the Clean Air Act let's say.

The industry shall remove a certain amount of its pollutants or not emit
more than X amount of pollutants, and here are the practices that we approve
for the purpose of achieving those goals.  That's a very heavy handed
approach to it.  All the way from that to a purely voluntary kind of thing.

But, because the government itself relies upon many of these private
sector communications and systems, is it your view that we're going to have
to find incentives and other mechanisms sufficient to ensure that these best
practices are built into the private sector systems as well as the
government systems?

MARSH: Mr. Chairman, we debated that a length within the commission that
whether or not we ought to seek mandatory means of imposing best practices and

And our considered conclusion was that we not do that, that we attempt as
a first step to get this information sharing system really working, and we
believe through an education and awareness process that businessman will
find that it's in their very best interest to incorporate these best
practices against the commonplace threats.

And if they'll do that, and they need to do that; we believe that will give
us a great measure of protection against the more serious threats.  And
therefore, we do not believe it's yet time to mandate such best practices upon
the private sector, except that that of course, is an option if we find that
they are not well accepted. 

KYL: Well, and again, I reiterate that that's not my preference
certainly.  I think we are going to have to face up to the realistic
challenge however, of providing incentives for industry to adopt best

Because, it is no longer a matter of going it alone.  Everyone is depended
upon everyone else at this age, and that's part of the whole point of this

And given that interdependence and due to the inter operability of the
systems, I think we're going to have to have us some national commitments here
that enable us to secure our systems against the kind of challenges that you've

Let me just ask one other question and then turn to Senator Feinstein.
About 20 percent of the recommendations in the report pertain for the need
for additional studies.  And, some might read into this the kicking the can
down the road approach.  I know that is not your approach to this.  How
would you characterize the level of urgency with which we should move

MARSH: I believe I tried to summarize in the statement that it would be
totally irresponsible to delay taking action against this problem.  And we
believe it's an urgent problem that steps be taken now, and if they should
not be taken; I believe we're facing a very likely major challenge within
the coming years.

FEINSTEIN: Thank you, Mr. Chairman.  General, take my comments with a
grain of salt because I'm one that's still trying to master my little IBM
think pad.  So, I'm new to cyberspace and I find it quite a wondrous world.
Having said that, you know, I'm not necessarily new to matters that are
related to security.

And in prior hearings that Senator Kyl has had, and I've been ranking
member, this whole subject of encryption and key recovery has come up and
I've made some comments, saying, you know, I think this is really important,
and etc. etc.

And everybody says, you're going to get a storm of protests.  How can you
say that from California.  Do you know I didn't have a single phone call
from any CEO of any computer company, anywhere.

Now the trade people went off, you know, on sort of a lark.  I think that
the CEO's of these big companies really understand that we're in a new day.
And, I wanted to just brashly make a recommendation to you that it might be
well to convene a meeting of top CEO's throughout the United States, and
really kind of give them your views of where we are as a nation, what the
threats are, and to kind of bring them in on a cooperative basis right at
the very beginning.  Because, I think you'll have some very willing

MARSH: Senator, I think that's right.  I believe that as we've interacted
with the CEO's, and we have them on our advisory council as well as many other
fora over the course of the last year, when you sit down and talk about this
problem; we get a shared feeling of the nature of the problem on the part of
all.  Very few are skeptical of our undertaking. 

FEINSTEIN: Can you outline any of the concrete changes that might be able to
be immediately implemented to strengthen our system against cyber or physical
threat, that we might be able to take now? 

MARSH: Senator, there are wide range of techniques and tools available to
the private sector right now.  Such arcane things as fire walls and good
password control, good discipline, good system administrators managing the
networks, whether it be within your company or within your office.  And the
tools are available.  It takes a commitment on the part of management to
invest, and that investment is not large to install such mechanisms and to
enforce the disciplined used of them.

So, much of that is available.  And certainly, encryption is available.
And we want to see that adopted over all critical control functions at a
very early date.  And that's why we're so anxious that this debate evolve
and be completed early.

FEINSTEIN: You spoke about establishing a new office of national
infrastructure assurance.  And placing it within the confines of the White
House.  I'm not really sure that's the right place for it. 

FEINSTEIN: I mean I would hope that, based on what the -- Dr. Hamre said and
the concern of the Defense Department and what Senator Kyl has just said about
there really needs to be a whole separate branch in defense -- I hope I'm not

KYL: No. 

FEINSTEIN: ... to really deal with this, it would sort of seem to me that
perhaps a separate branch in defense that had the R&D potential, was able to
really go out and tap the best brain cells in the nation might really be a
better way to go. 

Why did you not recommend that? 

MARSH: Senator, we felt that this was a multidisciplined problem, if you
will.  That is it has the law enforcement dimension, and that's a very
important one.  It has an intelligence dimension. It has the defense.  But
it also has an economic dimension.  That is the economic concerns of the
private sector have to be taken into account as you formulate policy and

And it was our judgment that, therefore, that office ought not be viewed
strictly as a national security/national defense problem, but in this broader
context.  And we felt placing it in the White House would give it that kind of
emphasis across all branches of government. 

FEINSTEIN: Not to belabor it, but I think placing it in defense would
give it a status and a credibility and remove it from any political
dimension, which I think is extraordinarily important in this.  I mean I
really believe this is a major threat to the well- being of all of us.

And the more we have, you know, our top defense people in a sort of
separate effort working on it, the better off our nation is going to be in
the long term.

I hate to see it get involved in politics in any way -- not that -- you
know, and I'm not casting any aspersions on the White House. But you know,
we all -- I've been around here long enough now to see what happens, and
that, dependent on the president, you get a certain amount of criticism for
whatever you do if you're not in that party.

And I would not like to see that happen with something as critical as this. 

MARSH: We do not want the problem to be politicized if at all possible. 

FEINSTEIN: Now, I thank you very much.  I think both you and Dr. Hamre
were really very -- very effective in stating the urgency of this.  And I
would just hope that nobody, you know, looks at this as anything but top
priority, and we really move fast.

And I, for one, am willing to help my chairman just as much as I possibly
can in this regard.

MARSH: Thank you, Senator. 

KYL: Mr. Marsh, let me make a couple of statements maybe that you would feel
less comfortable making just to put a couple of things in context, too. 

The administration, having just received your report, has begun the process
of evaluating it, vetting it among the various departments, agencies, that
they'd like to get responses from in order to develop its official response in
terms of actions that it might take or recommendations to Congress and other
steps that might be taken. 

So we appreciate the fact the administration has not yet responded and are
not asking anyone from the administration to respond at this point. 

We felt it important to have you brief the public in an open session as soon
as the report was declassified, and the report is now declassified, so at least
in this version of it.  There is also a classified version of it. 

And we view this as the beginning of the debate. 

Senator Feinstein, I think importantly, mentioned a couple of points and I
second her motion of bringing people with industry together as much as possible
as soon as possible.  You did that as a part of your commission.  I think the
president was wise to include the private sector segment. 

I know we've dealt with the NSTAC people before.  I had to ask my staff
-- remind me exactly what that stands for -- the National Security
Telecommunications Advisory Council, a group of CEOs that has been very
aggressive in working with government and trying to advise the president on
how he could help to deal with some of these problems.

And so I know that there are some very good people in the private sector who
very much want to work on these problems. 

I think the thing that we would like to leave the public with today is
the same point that Senator Feinstein ended on.  And that the sense of
urgency which is why I asked you that last question and why I read the
Defense Science Board recommendation to Dr. Hamre.  And he reiterated the
point of urgency.

It is important, while the administration evaluates your report, that it
also takes steps like the Interagency Task Force and other steps to
immediately begin to deal with the problems.  And if I could kind of
conclude on this note, for those who haven't had the benefit of reading the
report and other documents, we're really talking about a couple of different
things here.

In terms of the threat, we're not just talking about the security threat,
a challenge by a foreign nation, for example, to multiple parts of our
national infrastructure, but also as you pointed out lesser threats -- a
terrorist threat, which may or may not be strategic in its implications;
just a sophisticated hacker, as you pointed out; and also natural events,
which also threaten our infrastructure.

And in addition to talking about the computers at the Defense Department,
we're talking about all of the telecommunications intertwined with all the
switching in the country and the energy grids, as they go through all of
their complicated intertwined connections.

You mentioned the global positioning satellite, how our airplanes all
depend upon getting where they're going at exactly the right place and time
on a system which could be very vulnerable.

All of these things are subject to all of those different kinds of
threats.  And so, as we evaluate the proper response for it, we have to keep
them all in mind.

I tend to agree with Senator Feinstein that, as to the security of the
nation in terms of a strategic threat, clearly there needs to be within the
Defense Department a central command to deal with that. In order to insure
that we have the proper law enforcement follow-up and strategic warnings
that only a group like the FBI can provide, we need to have a clear
component in the FBI or the Justice Department or some similar place to
insure those capabilities.

I mentioned these -- and then the emergency response that Senator
Feinstein mentioned earlier and so on.

All of this, I think, illustrates the complexity of the problem, the
complexity of the structures that are going to be necessary to deal with it,
the fact that many different committees in Congress are going to be dealing
with this, many different agencies of the government.

You've tried to pull all of that together in some sense in this report to
begin to discuss how this all relates together. 

I commend you again and the members of the commission for the job well
done under very difficult circumstances, and pledge to you our cooperation.
I'm sure I speak both for the -- both sides of the aisle here.  This is not
a partisan issue at all.  And we look forward to the continuing dialogue
with you.

I would like to request a couple of things from you if you could provide
them for the record.  A copy of the legal database which the commission
assembled would be very valuable to us.

MARSH: Yes, sir. 

KYL: And also any other studies or products that you used in the
production of your report that might be useful to us as well.  We'll submit
a specific list for you as well as possible additional questions for the

Senator Feinstein, anything else... 

FEINSTEIN: Thank you very much. 

KYL: We'll look forward to working with you...  

MARSH: Thank you very much. 

KYL: ... General Marsh and thank you very much for being here. 


????  - Indicates Speaker Unkown
- Could not make out what was being said. 
off mike - Indicates Could not make out what was being said.

[Added by JYA] [Congressional Record: November 5, 1997 (Digest)] [Page D1214-D1217] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr05no97-1] Wednesday, November 5, 1997 Senate [Excerpt] NATIONAL INFRASTRUCTURE PROTECTION Committee on the Judiciary: Subcommittee on Technology, Terrorism, and Government Information concluded hearings to review the findings and recommendations of the President's Commission on Critical Infrastructure Protection report, and to examine policy implications of new risks to the information-based national infrastructure, after receiving testimony from John J. Hamre, Deputy Secretary of Defense; and Robert T. Marsh, former Chairman, President's Commission on Critical Infrastructure Protection. ------------------------------------------------------------------------- [Congressional Record: November 6, 1997 (Digest)] [Page D1228-D1231] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr06no97-2] House of Representatives [Excerpt] COMPUTER SECURITY--U.S. INFRASTRUCTURE Committee on Science: Subcommittee on Technology held a hearing on the Role of Computer Security in Protecting the U. S. Infrastructure. Testimony was heard from Robert T. Marsh, Chairman, President's Commission on Critical Infrastructure Protection; and public witnesses.