Heads Up: C-SPAN Extra to Carry Today's Senate Hearing on the Y2K Information Center & Cyberterrorismgreenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread |
I don't receive C-Span extra, but I think we can watch and listen to the hearing via a real player. 'Not sure, though. You can give it a try at:Senate Hearing on the Y2K Information Center & Cyberterrorism
'Just passin' it on. . . :)
-- FM (vidprof@aol.com), July 29, 1999
Hearing starts at 9:30 a.m. by the way. . .:)
-- FM (vidprof@aol.com), July 29, 1999.
What's up with the hearing... Are they late starting? Or aren't they going to put it on the 'net?It's now 9:44, and nothing seems to be happening...
..........................
-- housemouse (jgj@nevermind.net), July 29, 1999.
I'm watching/listening using the G2 RealPlayer as I write this.Go to:
Senator Bennett just adjourned the hearing to go vote on a bill. What gives?
-- Bingo1 (howe9@pop.shentel.net), July 29, 1999.
Yes, I am wondering why they are not starting, it says on their listing the hearings are from 9.30 am to 12.30 pm.. but nothing is going on yet..
-- Cassandra (american_storm@usa.net), July 29, 1999.
I missed the first hour. (What did I miss?)They're back now, however. It's a bit after 10:30 a.m.
:)
-- FM (vidprof@aol.com), July 29, 1999.
Here are my raw notes on the hearing (after the vote break)proceedings.Koskinen says Y2k shows us how reliant we are on computers. We'll be more so in the years to come.
Refers to Presidential Directive #63 and activities underway as a result.
They want to maximize lessons learned from Y2k to protect infrastructure in the future.
Says computerized processes developed by the ICC could be used by the National Infrastructure Protection Center.
Says President's Council was created for Y2k.
Koskinen says he won't be available for the role of a permanent Chief Information Officer for the executive branch if the position is created/continued. Mentions that Sally Katzen (sp) is currently serving in that role.
Bennett expressed concern that unless a permanent Chief Information Officer was a top level person in the executive branch, phone calls might not be returned, etc. Koskinen said that's not so.
Bennett concludes, "Y2k experience has made me aware in a way that I had never been before of just how vulnerable our society and our economy are to the possibility of some kind of computer breakdown."
Bennett talked about how the Defense Department is facing cyber attacks every day, and about his concern that if crackers continually encounter firewalls in the Defense Department systems, they may try something else, like trying to destroy the traffic system in New York City.
Bennett referred to the D.C. plane crash (the plane that hit the bridge a few years ago) and simultaneous derailment of the Metro..employees didn't get home until 2 a.m.
Implies this type of cyber attack could have as much impact as if enemies were to drop an actual bomb.
Says Y2k process is winding down...there is still a great deal of vigilance needed.
Turns if over to Dodd.
Dodd mentions New York Times article and begins discussion with Koskinen about privacy issues associated with a potential monitoring system.
(More to come if time permits)
:)
-- FM (vidprof@aol.com), July 29, 1999.
Oops. I spoke too soon. Or not soon enough."Says computerized processes developed by the ICC could be used by the National Infrastructure Protection Center."
See my reply in "U.S. Plans Y2K Bunker, Clinton Aide To Tell Senate (justme, justme@justme.net, 1999-07-29)"
They're getting pretty easy to figure out, aren't they.
Watch six and keep your...
-- eyes_open (best@wishes.net), July 29, 1999.
(Continuation of raw notes)Koskinen says Global Information Monitoring will commence on September 9, 1999, but system won't be fully functional on September 9, 1999.
They will use September 9, 1999 as a test, private sector, states, countries around the world have agreed to cooperate.
Center up and running on December 30, 1999. Twenty four hours a day. Ramp down after February 29, 1999 (after the leap year date)
Core staff will work through June to compile lessons learned.
Will work with FEMA to expand information collection problems with the states. States will provide status information.
Duplicate system will go to Mount Weather.
Real value of ICC experience will be to determine how to get information flow in and best ways to send it back, best ways to monitor cyber intrusion.
Koskinen talks about other Federal centers being set up throughout government. Department of Energy will garner info about oil (and utilities?) State Department will get info about embassies.
Info flow will begin at noon on Friday (December 31, 1999?)
Koskine hopes the center will provide an accurate timely picture of what is happening, so they don't have to follow media reports.
They hope to be able to determine if disruptions are really Y2k events, or something else.
Dodd says, "The potential for panic is just overwhelming." He goes on to question about software.
Koskinen says they are using existing software, trying not to invent anything new. Goal is to do nothing that requires significant testing. They want to be not state of the art, but state of the practice.
Target is the end of October for system to be functional if possible.
Dodd asks, how does the info get back out, and who receives the info?
Koskinen says that in exchange for their cooperation private industries will be given analyzed information (versus raw data).
Dodd mentions concerns about proprietary information going out.
Koskinen says so far there has been no problem. NERC is creating National Information Center, for example. This will consist of management information data, not reporting data.
Data will be summarized for public through joint public information center. Available through Website access, press briefings, etc. Koskinen says hardest thing to collect will be judgements on how long any outage will last.
Dodd wants to know if the ICC will be able to facilitate reconstruction services that will be presumably be needed.
Koskinen says ICC will not be a "reconstitution" body.
Premise is the people who know how to fix power plants, etc., will be those who work in that industry.
ICC won't be a help desk. But referrals to industry contacts will take place. Resources will be brokered. Power companies have a great history of sending crews back and forth, but it's done on an ad hoc basis.
ICC will add value through cyber attack monitoring.
Koskinen goes on to talk about how ICC will serve other countries. (Presumably in the same fashion--by mapping the world to find out where infrastructure came from so those experiencing failures can get in contact with the manufacturers, suppliers, etc.).
Dodd says he's been disappointed that the European Union and others haven't taken a lead on Y2k problem solving. He asks whether the U.S. will need to assume global responsibility?
Koskinen says Europe is paying more attention, and the existing structure needs to be energized. Contingency planning around the world.
Dodd says we need to think beyond Y2k.
(More to come if time permits)
:)
-- FM (vidprof@aol.com), July 29, 1999.
End of Koskinen testimonyBennett introduces second panel.
John S. Tritak, Director, The Critical Infrastructure Assurance Office
Michael Vatis, Director, The National Infrastructure Protection Center
Richard Schaeffer, Director, Infrastructure and Information Assurance, Department of Defense
Tritak, Director of the Critical Infrastructure Assurance Office (CIAO)
(Few hard hitting statements. Mostly repeating what's already been said)
Discusses background of office and need to coordinate with President's Y2k Council. Discusses the United States' massive use of technology.
Technology is a common thread running through all of our infrastructures.
Y2k is the first Cyberthreat that has the potential to touch all areas of our lives. Reiterates there is much that can be learned by monitoring what happens as a result of Y2k.
Michael Vatis, Director, The National Infrastructure Protection Center
Mentions World Trade Center bombing and the studies that occurred after that. They learned that critical infrastructures are vulnerable not just to terrorism attack, but cyber attacks.
Reliance on info systems creates vulnerability. This predates Y2k and will last beyond it.
NIPC is located at FBI and is charged with determining threats, notifying of same and coordinating Federal response.
Caseload of cyber-attacks has doubled, every year. Over 800 pending cases of computer-intrusion.
Kinds of attacks range from individual hackers, to organized crime groups to the potential of terrorist cyber attacks, to potential of foreign intelligence service, and ultimate worst case scenario foreign military going after a soft underbelly.
Talks about past attacks on emergency 911 systems, on banks to steal money, attacks on telecommunications, and air traffic control, attacks every day at Federal Level, (including DOD and Federal labs).
Since creation of agency last February, good progress has been made in creating a network of government and private entities. Communications links have been established to receive threats and issue warnings.
Melissa virus was an example. They were able to issue a warning.
They will be able to do the same with regard to Y2k
They want to prepare for any additional malicious activity around Y2k event.
In some instances it might be difficult to determine if an outage is a result of Y2k or malicious attack, so they are communicating with I.C.C.
One of their concerns is that during remediation process, companies who have hired outside companies may be subject to malicious code planted by remediators.
They've been in the business for a year and a half and are looking at Y2k as a means of learning about the consequences of system failures, etc.
Richard Schaeffer, Director, Infrastructure and Information Assurance, Department of Defense
Submits written testimony.
They are implementing Critical Infrastructure Protection Plan as ordered by Presidential Directive 63.
Answers some of the questions raised earlier by the committee:
DOD is working closely with ICC. Examples, early warning system involving Australia, facilitating Koskinen's meeting with Canadian authorities.
With regard to DOD role in "cyber-reconstitution"
Numerous and simultaneous demands for DOD resources will restrict the use of DOD infrastructure protection assets in any non-defense role.
If defense is used for reconstitution, legislation would be required to hold the government free of any liability.
(He then goes on to use veiled language referring to things like cyber assurance assets? Very clear he didn't want to use plain language here)
Collaboration is essential for protecting infrastructure now and in the future. As long as we continue to work openly, we will build necessary government and private sector trust.
Dodd asks about a recent hacking report.
Schaeffer did not want to respond in this public forum.
Vatis remarked that it's difficult to immediately know what type of a hacker is involved with a break in (teenage hacker, organized crime, etc.), but under 50 percent appear to be organized?
Dodd, mentions potential problems introduced during remediation efforts. Asks if there is any hard evidence that that may be occurring?
Vatis does not want to comment in public. Says it's reasonable to conclude there is a significant risk.
Dodd keeps after them. Says he might interpret from their reluctance to answer that there IS a problem. They agreed, there is a problem.
Dodd goes back to New York Times article regarding monitoring. Privacy issue is brought up again.
Tritak says the program is still being considered. Justice Department has to review. Other legal reviews must also take place. Privacy is of paramount concern. Privacy concerns are legitimate. System is still being developed.
Dodd: "How long has it been under consideration?"
Tritak doesn't know.
Tritak says final report may be released by this Fall.
Vatis discusses NYT article, and he points out innaccuracies. One, computer would not monitor private sector systems, but would only monitor illegal intrusions into Federal systems. Two, FBI would not run program. GSA would run program.
If IRS were hacked for example, Commerce would get early warning and then contact FBI.
Dodd wants to go into this in greater depth. Says he'd like a briefing. He's relying on a news story. It's a matter of some concern, and he'd like a formal briefing in the next week or so.
Dodd goes back to ICC issue, asks about long-term responses, risks, etc. What role could ICC play beyond Y2k?
Tritak says again that Y2k will be a teaching tool. There will be a lot of cooperation at various levels of our society, the government, private sector, etc. Says, we need to work hard on problem confronting us, and evaluate how well ICC worked, and how these resources can be used in the future.
Dodd says it would be hard to get the American public to accept that 40 million dollars of their money would be spent on a Web site offering press releases, but if you get into the cyber-reconstruction phase that might have value.
Vatis defends the ICC, saying again what they learn will be important in the future.
Schaeffer says mechanisms must be set up because cyber events occur in an instant in time. Information sharing after the fact doesn't work. ICC would provide foundation for that.
Dodd asks how you distinguish between attacks and Y2k problems?
Michael Vatis says his group is working with DOD on methodology to distinguish the difference.
Schaeffer says they are baselining as they do their Y2K tests, as a means of determining whether a potential outage is a cyber attack or not.
Dodd talks about early warning systems. Is it conceiveable to fabricate a strike on an early warning system? Can it be done? (Opinion: Did Dodd see the movie "War Games?" Sheesh!)
Michael Vatis replies that it's easy to do that. Hacking by juveniles has produced something along those lines.
Dodd goes into the joint discussions between the Americans and the Russians. No one on the panel can speak to the status of the joint early warning facility. Dodd's fealing very uneasy about that. Wants a cooperative environment.
(I lost the feed here. 'Guess that's it. Hope this info is useful, and after hearing THIS, I REALLY hope we work with the Russians!)
:)
Also, new words for the day: "Cyber-reconstruction," and "Cyber-reconstitution." 'Wonder if Reader's Digest will pick up on these.
-- FM (vidprof@aol.com), July 29, 1999.
Excellent reporting as usual FM. Glad you're back with us, and thanx.
-- Ashton & Leska in Cascadia (allaha@earthlink.net), July 29, 1999.
One more thingie:It's clear to me, after listening to the above speakers (Except for Clarke, who I missed) that the Federal Government in no way wants to be forced to rely on Peter Jennings, et. al., for information regarding actual Y2k failures.
Further, to me, the real "nugget" that emerged from this hearing is the alleged difficulty of determining whether actual failures will be the result of "cyber-attacks" or Y2k.
Accordingly, if my cynical twin were writing this, the observation might be:
"Uh, huh. There's an election in Year 2000. If the you-know-what really does hit the fan, wouldn't it be convenient if certain politicians would be able to say that Y2k was not the cause? That they never could have predicted the problems, because the evil Y2k was not REALLY at the root of them?"
(Hmmm. . . Last I heard, my cynical twin was still reading that book by George Stephanopoulos. Good. Keeps her out of MY hair. . .)
:)
-- FM (vidprof@aol.com), July 29, 1999.
Ashton & Leska,Thanks, and you are most welcome.
(I'll be checking in now and then when I see something really important. Feel free to clue ME in if YOU see something important and I'm not around!)
:)
-- FM (vidprof@aol.com), July 29, 1999.
An article about today's hearing:"U.S. Plans Y2K Bunker, Clinton Aide To Tell Senate"
http://infoseek.go.com/Content?arn=a0821rontz-19990729&qt=% 22year+2000% 22+bug*+glitch*+y2k&sv=IS&lk=noframes&col=NX&kt=A&ak=news1486
-- Linkmeister (link@librarian.edu), July 29, 1999.
An article of related interest:http://www.msnbc.com/news/294532.asp
"U.S. backs off private monitoring"
-- Linkmeister (link@librarian.edu), July 29, 1999.
Here's another little goodie from today's hearing:Experts Warn of New Y2K Threat
By TED BRIDIS
.c The Associated Press
WASHINGTON (AP) - Two of the government's top computer security experts said today that some programmers hired to fix Year 2000 problems may be quietly installing malicious software codes to sabotage companies or gain access to sensitive information after the new year.
The alarms were sounded at a hearing on the ``Y2K glitch'' and cyberterrorism before the Senate Committee on the Year 2000 Technology Problem.
``Many of these (rogue programmers) have no security clearance, do not work for the government, and yet they have access to critical systems that if sabotaged could wreak havoc to our financial institutions and our economy,'' said Sen. Christopher Dodd, D-Conn., the committee's vice chairman.
A recent analysis by the Gartner Group predicted electronic thefts worth at least $1 billion, noting that the computer networks of financial institutions, corporations and governments handle transactions worth $11 trillion annually.
Michael Vatis, director of the FBI's National Infrastructure Protection Center, said experts hired by U.S. companies to fix their computers could secretly program ``trap doors'' - ways to let them gain access later - or add malicious codes, such as a logic bomb or time-delayed virus that could disrupt systems.
``While systems have been and will continue to be extensively tested, the probability of finding malicious code is extremely small,'' agreed Richard Schaeffer, director of the Defense Department's Infrastructure and Information Assurance program.
Neither expert suggested the possible scope of the problem.
Schaeffer said problems are complicated by the New Year's rollover, when some computers programmed to recognize only the last two digits of a year may mistake 2000 for a full century earlier.
``It may be difficult to distinguish between a true Y2K event and some other anomaly caused by a perpetrator with malicious intent,'' Schaeffer said.
Both experts said the risks were exacerbated by the amount of software repaired by companies overseas. Vatis called the situation ``a unique opportunity for foreign countries and companies to access, steal from or disrupt sensitive national and proprietary information systems.''
Vatis recommended that companies thoroughly check the backgrounds of companies they hire for software repairs. He also said they should test for the existence of trap doors after the repairs, possibly even hiring teams to try to electronically crack into their own networks.
The latest warnings come on the heels of new disclosures about White House plans to create a government-wide security network to protect the nation's most important computer systems from hackers, thieves, terrorists and hostile countries.
The 148-page proposal from the Clinton administration describes building an elaborate network of electronic obstacles, monitors and analyzers to prevent and watch for potentially suspicious activity on federal computer systems.
Sen. Robert Bennett, R-Utah, said today that the scope of the Y2K problem shows that a successful attack on a computer system - such as the network that controls the traffic lights or subway in New York - ``could have as much impact on the economy as if somebody actually dropped a bomb.''
Civil liberties groups complain that the security tools also would make possible unprecedented electronic monitoring, especially because of the increasingly widespread use of computers by the government in almost every aspect of its citizens' daily lives.
The White House defended the proposal.
``We are very concerned about protecting privacy rights,'' said Clinton's national security adviser, Sandy Berger. ``But there is also a privacy right in not having hostile entities attack systems. We're not only talking about 17-year-old kids in their basement. We're talking about governments that we know are developing systems to get access to our computer systems.''
The first 500 intrusion monitors would be installed on nonmilitary government computers next year, according to a draft copy of the proposal obtained by The Associated Press. The full system would be completed by May 2003.
The plan also suggests ways to convince private companies to monitor their corporate computer networks and share information about threats. But it said explicitly that the government will not force companies to permit federal monitoring of their systems.
-- my (oh@my.ohmy), July 29, 1999.
Bennett's right about the traffic lights. I lived in Austin when a hacker managed to get into the traffic signal system, he programmed it so on Friday the 13th every single traffic light in the city was on the blink and it took hours to get home from work. Nightmare. Hot tempers too.
-- mommacares (harringtondesignX@earthlink.net), July 29, 1999.