Good morning Mr. Chairman and members of the Subcommittee.
I wish to thank you for inviting me to appear before you this morning and speak about foreign information warfare activities against the United States. Protecting our critical information systems and information-based infrastructures is a subject that is worthy of considerable attention and is an issue that I am deeply concerned about.
Over the past 20 years, our nation has witnessed and contributed greatly to a technology revolution. As a result, our government, business, and citizens have become increasingly dependent on an interconnected network of telecommunications and computer-based information systems. These systems, such as the ones comprising the public switched telephone network, serve as a critical backbone for the entire U.S. public and private sectors. U.S. military logistic and operational elements increasingly rely on computer databases and the public telephone network for their classified, as well as unclassified, activities. In addition, the U.S. civil sector also increasingly depends on the uninterrupted and trusted flow of digital information. Day-to-day operations of U.S. banking, energy distribution, air traffic control, emergency medical services, transportation, and many other industries all depend on reliable telecommunications and an increasingly complex network of computers, information databases, and computer-driven control systems. The Internet has created a global information network that will be an enabler for an exciting new opportunity for digital commerce. This connectivity will create a seemingly seamless world of commerce without borders.
I, like many others in this room, am concerned that this connectivity and dependency make us vulnerable to a variety of information warfare attacks. While attention is focused on computer-based "cyber" attacks, we should not forget that key nodes and facilities that house critical systems and handle the flow of digital data can also be attacked with conventional, high-explosives. These information attacks, in whatever form, could not only disrupt our daily lives, but also seriously jeopardize our national or economic security. Without sufficient planning as we build these systems, I am also concerned that the potential for damage could grow in the years ahead.
I welcome the efforts of this Subcommittee to increase public awareness about these important issues. I believe steps need to be taken to address information system vulnerabilities and efforts to exploit them. We must think carefully about the kinds of attackers that might use information warfare techniques, their targets, objectives, and methods.
There has been much discussion in the press and testimony before this Subcommittee about computer-based intrusions into banks and other financial institutions. We are keenly aware of the several, well-publicized incidents where computers were used to divert funds by false bank wires, embezzlement, and credit card fraud. To date, these incidents appear to be isolated and the goal limited to theft; that is, high-technology bank robbery. If so, they do not yet pose a serious national security threat to the United States. However, the number and size of these intrusions may grow to the point where they begin to threaten our economic well-being. In addition, we do not fully understand the real source and purpose of these events. Some may be sponsored by foreign adversaries in support of broader political, economic, or military goals.
My greatest concern is that hackers, terrorist organizations, or other nations might use information warfare techniques as part of a coordinated attack designed to seriously disrupt:
Virtually any "bad actor" can acquire the hardware and software needed to attack some of our critical information-based infrastructures. Hacker tools are readily available on the Internet, and hackers themselves are a source of expertise for any nation or foreign terrorist organization that is interested in developing an information warfare capability. In fact, hackers, with or without their full knowledge, may be supplying advice and expertise to rogue states such as Iran and Libya.
It is important to keep in mind, however, that computer-based tools are only one part of an information warfare capability. An adversary also needs highly detailed information about the target and its vulnerabilities, access to the target, and some way to judge how effective the attack will be. While some key U.S. infrastructure targets may be vulnerable to both physical destruction and "cyber" attacks, others are more secure.
Last summer, the National Intelligence Council, with help from a number of Intelligence Community agencies, produced a classified report compiling our knowledge of foreign information warfare plans and programs. Produced at the request of the Pentagon, it focused on foreign efforts to attack the U.S. public switched telephone network and so-called Supervisory Control and Data Acquisition (or SCADA)
systems--the computers that control electric power distribution, oil refineries, and other similar utilities. This Intelligence Community publication was the first of its kind on this topic and served as a vehicle for organizing the Intelligence Community's collection and analysis on this subject.
While the details are classified and cannot be discussed here, we have evidence that a number of countries around the world are developing the doctrine, strategies, and tools to conduct information attacks. At present, most of these efforts are limited to information dominance on the battlefield; that is, crippling an enemy's military command and control centers, or disabling an air defense network prior to launching an air attack. However, I am convinced that there is a growing awareness around the world that advanced societies, especially the U.S., are increasingly dependent on open, and potentially vulnerable information systems.
The Intelligence Community is on the look-out for information that would indicate whether any of the "rogue" states have plans and programs underway to develop an offensive information warfare capability. These countries are very difficult intelligence targets and such programs, by their nature, are almost certainly highly covert and difficult to uncover. In virtually all of them we see advances in computer connectivity and information systems technology that would contribute to an offensive capability. We are alert for any evidence that these technologies are being applied to offensive information warfare programs, as well as information that suggests they may be sponsoring hacker activities.
International terrorist groups clearly have the capability to attack the information infrastructure of the United States, even if they use relatively simple means. Since the possibilities for attacks are not difficult to imagine, I am concerned about the potential for such attacks in the future. The methods used could range from such traditional terrorist methods as a vehicle-delivered bomb--directed in this instance against, say, a telephone switching center or other communications node--to electronic means of attack. The latter methods could rely on paid hackers. The ability to launch an attack, however, are likely to be within the capabilities of a number of terrorist groups, which themselves have increasingly used the Internet and other modern means for their own communications. The groups concerned include such well-known, long-established organizations as the Lebanese Hizballah, as well as nameless and less well-known cells of international terrorists such as those who attacked the World Trade Center.
As I noted earlier, many of the tools and technologies needed to penetrate computer systems and launch information warfare attacks are readily available to foreign adversaries. However, we need to remember that a threat is comprised not only of a capability, but also the intent to conduct an attack.
There are a number of activities underway designed to improve our ability to quantify the information system threat to our critical information systems.
I am convinced that organized information warfare threat from both state and non-state actors will grow over the next decade as the technology proliferates. I am encouraged by the steps we have taken over the past year to improve our collection and analytic posture on this issue.
However, intelligence and threat analysis are only part of the infrastructure protection process. We also need to determine which systems are most important for the functioning of our society and which are most vulnerable to attack. The steps outlined by Attorney General Reno in the Critical Infrastructure Security study, in which the Intelligence Community participated, is an excellent starting point for government action. Much more needs to be done. I look forward to working with this Subcommittee and others on this issue in the months ahead.