HOUSE MEMBERS PRESS FOR DETAILS ON CYBERTHREAT TO INFRASTRUCTURE

The House Select Homeland Security Committee has separate subcommittees for cybersecurity and critical infrastructure, but many witnesses Thurs. said the 2 issues were inextricably linked, and in fact the 2 subcommittees were holding a joint hearing on the subject. “We all depend on telecommunications,” said Kenneth Watson, pres. of the Partnership for Critical Infrastructure Security, arguing that all economic sectors ranked telecom first or 2nd. “Nearly equal to telecommunications was electric power. Without electricity, there is no ‘e’ in e-commerce.”

With that interdependence in mind, several members of the 2 Homeland Security subcommittees and members at the separate hearing by the House Appropriations Homeland Security Subcommittee asked govt. officials to assess the level of threat from the Internet to critical infrastructure such as telecom networks. “The main message for this committee,” said full committee ranking Democrat Turner (Tex.) on critical infrastructure “is to remind us once again how vulnerable we are.” At times members appeared frustrated by the lack of specifics offered by govt. witnesses.

“Al Qaeda and groups like Al Qaeda have looked at a number of difficult targets,” FBI Exec. Asst. Dir. Larry Mefford said: “It’s difficult to get clear, precise pictures… to focus on one [threat] over another.” Mefford, who helped create the cybercrime unit at the FBI, said “we have seen [with Al Qaeda] a very basic computer capability… we have seen sophistication on the physical side” with explosives, so that is a larger focus for the FBI, he said. The State Dept. has “a great interest in cyberterrorism” and for years has cited the agency’s counterterrorism coordinator, Cofer Black, but he cautioned that his office’s role was merely to coordinate international counterterrorism efforts.

An terrorist attack on critical infrastructure is possible, Black said, possibly in conjunction with a physical attack, and “we do know that they look aggressively across the spectrum of targets.” However, he said, “so far most of their efforts have been to kill a lot of people” through explosions and other physical attacks. Mefford said: “There’s a lot of misinformation out there that terrorists are launching cyberattacks. We've seen no evidence of that. We're attuned to that, and we have not seen that.” Still, he acknowledged there was a cyberthreat to critical infrastructure. “While we don’t see an immediate threat right now, it would be foolish and unprofessional to neglect any area,” he said: “Long term, if this train continues on these tracks, it’s probably inevitable.”

No Dept. of Homeland Security (DHS) witness spoke at the Homeland Security Committee hearing, but DHS Undersecy. Frank Libutti did testify before the House Appropriations Homeland Security Subcommittee. Libutti runs the Information Analysis & Infrastructure Protection (IAIP) unit of DHS, but was challenged by Rep. Sabo (D-Minn.) on DHS’s lack of cooperation with the subcommittee. In particular, Sabo wanted to know how the agency was spending $70 million in supplemental spending for first responders, a query dating back to May: “We've been waiting.” Subcommittee Chmn. Rogers (R-Ky.) had raised that same point with Libutti before the hearing, and Libutti said he would be happy to talk with any subcommittee member after the hearing in a secure location, but he had no documentation with him to share. He defended himself in part by saying: “I've only been on board 2 months.”

Black and Mefford on several occasions suggested at the Homeland Security Committee hearing that DHS might better answer member concerns. Rep. Sanchez (D-Cal.) said DHS was proving less than cooperative. In response to a question from another DHS skeptic, Rep. Pascrell (D-N.J.), Mefford said the new agency’s focus on critical infrastructure protection had freed the FBI from private-sector outreach, permitting it instead to “run down every threat.” Of DHS, he said “it’s a new department but they've made tremendous progress.” At the appropriations hearing, Rep. Price (D- N.C.) raised concerns that IAIP was understaffed. Even though the FY 2004 budget requests an increase in full-time IAIP employees by 226 to 692, Price said his understanding was that IAIP wasn’t close to having all of its positions filled. Libutti didn’t respond directly, instead promising at another time to get Price updated employee numbers. He said he didn’t have those with him “and I don’t want to miss 1 or 2.”

One telecom witness said modeling could help predict and thus prevent cyberattacks on critical infrastructure. Karl Rauscher, a Bell Labs veteran who is founder and pres. of the Wireless Emergency Response Team (WERT), said that “in addition to strengthening reactionary measures” to cyberthreats, longer term fixes are needed. “Those bailing water out of the boat tend to get a lot of attention because they can show results,” but software vulnerabilities need to be plugged or the industry needs to “build other boats” to reduce vulnerability to networks.

Brookings Institute Senior Fellow Peter Orszag called for a regulatory approach. Even if most parties are aggressive in trying to protect networks, he said, “stringent cybersecurity may not be particularly helpful if a hacker has already entered the network through a ‘weak link.'” “We can’t just ‘leave it up to the market’ in protecting ourselves against terrorist attacks,” Orszag said. Instead, he said the govt. among other things should provide subsidies for antiterrorism measures to help them comply with mandates that the govt. would impose. To keep private industry from excessive investment due to subsidies, he said “some performance-oriented regulatory steps may therefore be warranted. For example, the government could require critical computer systems to be able to withstand mock cyberattacks, with the nature of the cyberattack varying from firm to firm.”