Computing Research Policy Blog: House Science Cyber Security and Critical Infrastructures Hearing Wrapup

September 16, 2005

House Science Cyber Security and Critical Infrastructures Hearing Wrapup

As mentioned previously, the House Science Committee met yesterday to focus on the threat cyber security vulnerabilities pose to various critical sectors of the Nation's critical infrastructure. Representatives from the oil and gas, chemical, electrical and communications sectors all testified that their industries are becoming more and more dependent upon public networks, those networks are under serious threat from cyber attack, and the federal government has a clear role both in supporting information exchange and coordination among all the industry stakeholders, and supporting a research agenda aimed at addressing the threat, primarily in the long-term. I'm not sure there's much more I need to add to that, other than to point to the archived video, the hearing charter (pdf), and the testimony of the five witnesses.

A few observations:

Committee chairman Sherwood Boehlert (R-NY) set the tone for the hearing in his opening statement by declaring that despite everything else that was taking place on the Hill that day -- including the Roberts confirmation hearing and the party caucus meeting to choose a new Chairman of the Homeland Security Committee (Rep. Peter King (R-NY) was the choice) -- he couldn't think of another event more important than this hearing on cyber security.

We shouldn’t have to wait for the cyber equivalent of a Hurricane Katrina - or even and Hurricane Ophelia might serve - to realize that we are inadequately prepared to prevent, detect and respond to cyber attacks.

And a cyber attack can affect a far larger area at a single stroke that can any hurricane. Not only that, given the increasing reliance of critical infrastructures on the Internet, a cyber attack could result in deaths as well as in massive disruption to the economy and daily life.
...
So our goal this morning is to help develop a cybersecurity agenda for the federal government, especially for the new Assistant Secretary. I never want to have to sit on a special committee set up to investigate why we were unprepared for a cyber attack. We know we are vulnerable, it’s time to act.

Despite federally-supported research and development in cyber security being cited as a critical need by each one of the industry witnesses, the only federal witness -- Andy Purdy, Director of the National Cyber Security Division at DHS -- didn't mention R&D in his oral remarks other than to hope that he'd get a chance to talk about it during questioning (alas, he didn't). In his written testimony, Purdy noted that DHS' R&D goals are almost exclusively short-term:

Perform R&D aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
Develop new and enhanced technologies ofr the detection of, prevention of, and response to cyber attacks on the nation's critical infrastructure; and
Facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

Of course, as PITAC found in its review of the nation's cyber security R&D portfolio, even this narrow commitment to the short-term suffers from a severe lack of priority within the agency. The agency has requested only $17 million for FY 06 ($1 million less than last year) for cyber security research, out of a total S&T budget of over a billion dollars. I was disappointed that the members of the committee didn't spend more time questioning DHS' priority when it comes to funding cyber security R&D.

The hearing was well-attended by members of the committee. Despite lots of other events on the Hill, the hearing drew at least 23 different Members of Congress, with many sticking around to ask questions. There was plenty of room in the audience and the sections reserved for press however, which led Chairman Boehlert to complain that cyber security is still greeted with a "muffled yawn" outside his committee room and that he hoped it wasn't going to take a "cyber Katrina" to wake people up about the dangerous threat.

I was pleased that Boehlert took a few minutes out of the question period to suggest to the industry representatives (SBC, British Petroleum, Dow Chemical, and American Electric Power were all represented) that they make use of their exceptionally persuasive "hired guns" in DC to advocate for more R&D and better coordination. The lobbyists need to be out there putting focus on the importance of this subject, he said.

Finally, an odd tack during the question and answer portion of the hearing: Rep. Roscoe Bartlett (R-MD) used his five minutes to berate DHS and the industry representatives for failing to plan and prepare adequately for the "ultimate low-probability, high-impact event" threatening the nation: a nuclear electromagnetic pulse attack. An EMP attack (by detonating a large yield nuclear weapon many miles in the atmosphere above the US) would potentially render every non-hardened microprocessor in the country completely inoperable, which given the ubiquitousness of microprocessors in just about everything, would have a devastating effect on the country. Bartlett was especially interested in hearing how the energy companies would cope, given that every transformer they operate would likely be destroyed, including ones we no longer have the ability to manufacture domestically. None of the witnesses could point to any significant preparation in their sectors.

Posted by PeterHarsha at September 16, 2005 05:02 PM | TrackBack
Posted to Events | Policy | Security