Statement of Senator Charles E. Grassley S.2448

[cult hero <jericho () ATTRITION ORG>]

FYI--from the NY Electronic Crimes Task Force:

STATEMENT OF SENATOR CHARLES E. GRASSLEY
JUDICIARY COMMITTEE MARK-UP OF S. 2448
JUNE 15, 2000

 Mr. Chairman, I'd like to raise a concern I had about the bill (S. 2448)
related to NIPC.  The concern led to an amendment that I had prepared.
However, (I hope) the authors of the bill (will accommodate) accommodated
my amendment, for which I am greatly appreciative.  I would like to
explain the issues behind my concerns.

 The NIPC has been tasked by Presidential Decision Directive 63 to provide
timely warnings, mitigate attack, and monitor re-constitution efforts.  It
is also tasked with providing comprehensive analyses to determine if an
attack is underway, the scope and origin of the attack, and then the
coordination of the Government's response.

 Last month, the Attorney General released an update of the Department's
five-year, Counter-Terrorism plan.  The plan is classified and I cannot
comment on the specifics.  But I can say that the absence of details as to
how NIPC is developing key national capabilities is symptomatic of a
poorly-conceived mission, and a lack of operational capability.

 The General Accounting Office recently did a review of NIPC's
performance.  It looked in particular at the ILOVEYOU virus, and NIPC's
response to that.

 The GAO review was critical of NIPC.  It noted that NIPC did not issue an
alert on its Web site until 11am on May 4.  This was hours after the rest
of the world already knew, from CNN.  My own office was notified before
9am, two hours before NIPC even issued its alert.  And, it wasn't until 10
o'clock at night that advice on how to deal with the virus was posted by
NIPC.  My office got that advice at 9am, when we got the alert.

 Here's what the GAO said about NIPC's performance:

 "The lack of more effective early warning clearly affected most federal
agencies...  Clearly, more needs to be done to enhance the government's
ability to collect, analyze and distribute timely information that can be
used by agencies to protect their critical information systems from
possible attack.  In the ILOVEYOU incident, NIPC and FedCIRC, despite
their efforts, had only a limited impact on agencies being able to
mitigate the attack."

 This issue is only a symptom of a much larger and serious problem within
NIPC.  But if you understand the larger, systemic problem, you'll
understand exactly why NIPC's performance on the ILOVEYOU bug was so
pathetic.  The program was supposed to be a clearing house for information
from all sources, and a focal point to coordinate the investigations of
various federal law enforcement agencies.  The private sector
participation is intended to be voluntary.

 But the private sector has not participated.  That's because they can't
get information or cooperation from the FBI.  And many of the agencies are
either not participating or have pulled out.  Most notably Treasury, State
and Commerce.  That's because all the incoming cases have been taken by
the FBI.  The PDD calls upon them to distribute cases according to
expertise.  That's not being done.

 Out of the 800 cases that have come in to NIPC, not one has gone to
another agency.  Of those 800 cases, only a handful have a direct impact
or pose a threat to the nation's critical infrastructures.

 Instead, here's what's happening: NIPC gets a $40 million budget per
year.  Under this bill, it will increase to $45 billion.  When a complex
computer crime case comes in to the FBI - I'm not talking about a critical
infrastructure-related case, but an ordinary computer crime case - that
case is often sent to NIPC.  From there, the case is sent out to an FBI
field office.  And the criminal case is worked.

 In other words, NIPC was meant to be a focal point to coordinate the
investigations of various federal law enforcement agencies.  Instead, it
has become a cash cow for the FBI to fund its computer crime cases.  It's
nothing more than a computer crime fraud squad of the FBI.  That's not
what was ever envisioned.

 I note that the Administration's original point-person on this issue has
also been critical.  This committee knows the name Jamie Gorelick very
well.  She was in charge of the Administration's policy in this area from
1994-1997.  She was quoted recently in USA Today.  She said, "There needs
to be some agile operational capacity in the government, an ability to
move quickly to provide warnings.  This doesn't sound at all like what we
had in mind."

 Also, the former chief of the FBI's own national computer crime program
was interviewed by the L.A. Times.  His name is Jim Settles.  He told the
Times that NIPC is inept, and says it fails to pursue strong cases
delivered to it after substantial private investigation.

  The problem is, when we try to oversee this office, we get no
information.  And I'm talking about basic, fundamental information.

 For instance, I've been briefed by GAO that NIPC, to this day, hasn't
responded formally to its request for information about the ILOVEYOU
incident.  That was after nearly five weeks of asking.  Other agencies
responded within 24 hours.

 Two and a half months ago, at a hearing before this committee, I
submitted follow-up questions about NIPC to the FBI Director.  I have yet
to hear back.  And these are some pretty basic questions about NIPC's
performance.  We're funding this organization over $40 million a year.
There are plenty of indications that the place is a managerial nightmare.
And it appears we're being stonewalled for information.  The speculation
I've heard is that we won't get answers until NIPC gets the budget
extentions contained in this bill.  To me, that's upside-down logic, and
this committee shouldn't let them get away with it.

 Some senators on this committee, myself included, have asked for an audit
by GAO, and an investigation into whether NIPC is fulfilling its charter.
This will be a major undertaking by GAO.  And I think members of the
committee will want to see the results.  So I would urge caution about
funding the program without making some much-needed changes.

 That's the purpose behind my effort to limit the budget stream, from five
years to one or two.  That will give us enough time to learn from GAO's
investigation, to evaluate the program, and to make the necessary changes
needed to make it a public-service oriented program, as it was originally
intended. There's a very fundamental reason why these problems in NIPC are
occurring.  The program is supposed to gather information quickly, and
warn the public and affected institutions as soon as possible.

 But the FBI handles everything as a criminal case.  It doesn't share
information.  It restricts information.  Getting the criminal is its first
priority.  Warning the public is secondary.  But that's too late.  And
that is exactly why we should not allow the FBI to commandeer this
program.  It should be jointly coordinated, as it says in PDD 63.

 Senator Kyl's subcommittee recently issued an oversight report on NIPC,
which was very clairvoyant in this regard.  His subcommittee predicted
these problems occurring if the program were housed within the FBI.  It
noted the FBI's methodology of investigating crimes as being incompatible
with the mission intended for NIPC.  So, I would like to commend Senator
Kyl for his foresight.

 I would also like to raise another red flag on another program within
this bill.  The National Cyber-Crime Technical Support Center would create
an inter-agency coordinating center for cyber-crime information sharing,
training and forensic labs.  If we don't carefully monitor this Center
from the beginning, we may have another fiasco like NIPC.

 It is my hope, Mr. Chairman, that this Committee would give NIPC some
much-needed scrutiny, and make the necessary changes to get it moving in
the right direction.  The public's safety and security are at risk.

 And second, before this bill goes to the floor, I hope the Committee will
use its leverage and authority to demand answers from the FBI about NIPC
that some members of the Committee submitted some two and a half months
ago.

 Thank you, Mr. Chairman.

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".