1996 Congressional Hearings
Intelligence and Security

JUNE 5, 1996

Today the Permanent Subcommittee on Investigations continues its examination of the security of our national information infrastructure. As advances in computer technology continue with blinding speed, this information infrastructure has come to form the foundation upon which many of the critical aspects of our society depend.

In our first hearing we focused on the Department of Defense's information systems. The Department runs a vast network of unclassified computer systems which support such critical defense missions as troop movement, operational plans, procurement, and weapons systems maintenance. In a report prepared for the Subcommittee, the General Accounting Office found that the Department's unclassified network is vulnerable to attack -- as many as 250,000 attacks are carried out against the Department's systems every year using tools and techniques available to millions of Internet users world-wide and as many as 65% of those attacks are likely successful. Of even more concern, we learned that the Department lacks uniform policies for protecting its network, responding to incidents, and assessing the risks of, and damage from, such computer attacks.

This morning we will focus on our non-Defense government systems and on key components of our private sector. In the broad sense, our national security depends as much on these components as it does on our defense sector. How would our society function without energy, communication, transportation, and financial systems?

As we will hear from today's witnesses, these systems rely heavily on information networks in their day-to-day operations. How vulnerable are these information networks? Could a computer-based attack cripple them or erode consumer confidence in their services? These are some of the issues we will explore with our witnesses. Unfortunately, the statistics in this area are not encouraging. A survey of corporations, financial institutions, government agencies, universities, and health care institutions conducted jointly by the Computer Security Institute ("CSI") and the FBI revealed that 42% of those responding stated they had experienced some form of intrusion or other unauthorized use of computer systems within the previous 12 months. Over 15% of these attacks involved the unauthorized altering of data. Again, perhaps of most concern, over 50% of those responding stated that they did not have a written policy on how to deal with these kinds of network intrusions.

Just how important are these statistics in terms of actual impact? While the total picture is unclear, we will hear today that a group of computer security companies estimated the losses among their clients last year alone was over $800 million worldwide as a result of computer intrusions primarily in the financial industry. Of that number, however, only a small fraction was ever reported to federal law enforcement authorities.

Indeed, what is most disturbing about this issue is what we do not know. We will hear from the Subcommittee Staff today that when it comes to computer security, the intelligence community has few analysts dedicated to data analysis, and inadequate resources devoted to collection and processing of intelligence information. The law enforcement community has been similarly unable to provide reliable threat assessment in this area, perhaps because so little is ever reported to law enforcement. According to the CSI/FBI survey, only 17% of those responding indicated that they would advise law enforcement if attacked.

The reluctance of private industry to share information regarding system vulnerabilities and threats is perhaps epitomized by the fact that two witnesses who were scheduled to appear here this morning have canceled at the last moment. Mark Rasch and Henry Kluepfel, senior representatives from SAIC, a private company which, among other things, provides information systems security services, were scheduled to testify this morning about threats to the financial and telecommunications industries. On the eve of this hearing, SAIC representatives informed the Subcommittee that these witnesses would not testify because SAIC's clients demanded the company not discuss these issues -- even generally -- in a public forum. This despite the fact that the Subcommittee had assured SAIC that it would not ask company representatives to reveal client identities or proprietary information. While I understand the position SAIC is in vis a vis its clients, I regret that members of the corporate community have taken the position that information regarding the vulnerability of critical parts of our nation's infrastructure cannot be shared with Congress. This is a shortsighted approach by the private sector which may create more problems for them in the future.

Without reliable threat assessment data we can neither conduct meaningful risk management, nor structure a coherent national response to this issue. This is one area where we cannot afford to be operating in the dark. Too many parts of our society have come to rely on the information infrastructure for us to remain ignorant of the extent of our vulnerabilities and the nature of the threat facing us. In this regard, I am pleased to note the efforts of the Critical Information Working Group headed by the Attorney General, and chaired by the Deputy Attorney General Jamie Gorelick. In future hearings, we will be hearing from some of the principals of the Working Group as to their efforts to formulate both a short-term and long-term response to the cyber threat.

I hope that today's hearing and those which follow will help to raise the level of awareness -- not only among the Members of this body, but among the public at large -- as to the crucial implications of the new information age. It is only then that we can begin to confront the many challenges we face.