1997 Congressional Hearings
Intelligence and Security

Chairwoman Morella’s Speech

The Role of Computer Security in Protecting U.S. Infrastructures

A review of the findings of

The President’s Commission on Critical Infrastructure Protection



Thursday, November 6th 1997

2:00 P.M. to 4:00 P.M.

2318 Rayburn House Office Building



Our hearing today will explore the appropriate role of government and of the private sector in securing the backbone of this country’s information and telecommunications infrastructures. It will focus on the recommendations of the Presidents Commission on Critical Infrastructure Protection (PCCIP).


The Subcommittee is well familiar with the threat from computer break-ins. This hearing is the third sponsored by this Subcommittee on computer security related matters this Congress, highlighting the need to improve computer security. Earlier this year, to improve computer security in Federal civilian agencies, this Subcommittee, and the full House, passed the Computer Security Enhancement Act of 1997, H.R. 1903. The bill is currently awaiting Senate action.


The PCCIP was created on July 5, 1996 by Executive Order 13010. The stated reason for the order was the need to assure the uninterrupted operation of critical infrastructure. The PCCIP delivered its report to the President on Wednesday, October 22, 1997.


The Commission was tasked with addressing vulnerabilities of eight different critical infrastructures: Telecommunications, electric power systems, water supply systems, transportation, banking and finance, gas-oil storage and distribution, emergency services and continuity of government. Although the task of the Commission was to look at vulnerabilities which would involve physical and cyber security, their primary focus was on cyber threats.


The Commission focused on the fact that all of these infrastructures are independently vulnerable. The Commission further recognized that these critical infrastructures are closely related and dependent on the underlying computer-communications infrastructure.


We have all been made familiar with stories of attacks on defense and civilian systems over the last several months. It is important, however, to remember that computer security affects all of us every day in ways both large and small. Most of you may be aware that the Senate recently suffered an e-mail bomb which slowed its system to a crawl. What you may not have realized is that that attack was the work of one man. An individual who was experiencing difficulty with unwanted electronic (junk) mail wrote to several Senate offices. Unhappy with the responses which he received he decided to take matters in his own hands and forward on to Senate offices all unwanted mail he received with a header identifying himself and asking them to call if they had questions. His actions caused the Senate mail system to crash. As the story was related to me, he was probably a bit naive about how serious the response would be to his actions and was probably a bit taken back to receive a call from the FBI.


The size of the danger to our economy in dollars is hard to gauge. The CSI - FBI Survey of 1996 states that $4.5 billion dollars was lost to business by compromises in information security. 42% of all businesses report that they have experienced attacks. Of these 58% of the companies cite competitors as the most likely authors of these attacks. These numbers pale somewhat when compared to the fact that over 74% of the companies surveyed believed they had experienced unauthorized access to material on their systems.


The majority of critical infrastructures are owned and operated not by government entities, but by private companies and citizens. In addition, most of the extraordinary advances in security and implementation of security technologies have been created by the private sector. Whatever security measures are taken by the government must, therefore, be based on a trust relationship lead by the private sector. Any efforts to implement a top-down approach which ignores the expertise and ability of our citizens and companies will be doomed to fail.


I look forward to hearing from our expert panelists today on how we can facilitate the needed public/private cooperation to ensure our economy is safe from both cyber crimes and potentially stifling government mandates.