Fri, 2007-05-04 17:04

Within a few days of my last post (about a friend who was the target of several email attacks as a result of his congressional testimony) I found it very ironic that I would be offered an opportunity to testify before the House Committee on Homeland Security - Subcommittee on Emerging Threats.  Throughout my career I have had the opportunity to speak to thousands of people, in forums ranging from dozens of people to several thousand at a time - I have never prepared so feverishly and felt anxiety about delivering a message like I did leading up to my congressional testimony.
 
Our team here at INL knew exactly what message we wanted to deliver, but we had to decide on the means of delivery.  Which examples to use to illustrate the problem?  What specific research did we want to highlight?  How could we avoid information overload?  What information would be just enough without cutting out the important evidence that we wanted to reference?  Over the course of two weeks I worked with the team here at INL to put some general ideas together, and then I reached out through my network of friends and colleagues in the information security area to get their assistance and input.  Mudge, Dan Geer, industry CSOs, and a host of other experts provided me with excellent feedback that served to help prepare me to face the Subcommittee.

After a furious last-minute push to polish the remarks, we submitted the written testimony by the deadline and then waited for the big day to arrive.  When it did, I was surprised by the attendance at the hearing and also a bit intimidated as the afternoon progressed.  The hearing was split into two parts, with the first focusing on witnesses from GAO, Departments of State, Commerce and Homeland Security.  I was sitting on the front row and watched as all of the participants were summarily reprimanded for their security problems and low FISMA grades.  As posted here on CSO Blogs, Chairman Langevin proceeded along a no-holds-barred path of questioning DHS' capability at every opportunity.  First, Langevin asked DHS' Jerry Dixon why Greg Garcia did not attend the hearing and suggested that he show up at the next invitation.  In the next breath, DHS was asked why their testimony was not submitted by the deadline.  From my vantage point, I immediately began to wonder how I was going to fare based on what I was witnessing - I was nervous to say the least.
 
After a hearing recess during which the subcommittee members went to vote on a House bill, I was invited to take my seat - front and center.  I had been instructed that my prepared spoken remarks must be delivered in under five minutes and I was up first.  My five minutes went by in a blur, and before I realized it I had finished my prepared statement.  Directly following my remarks, Ken Silva from Verisign had the opportunity to present an overview of the issues facing the internet's DNS infrastructure.  When he had finished, the questions from the subcommittee began.  Over the next hour the discussion ranged from the role of government in regulating private infrastructure owners, to the capabilities of the underground hacking community, to evaluating the root cause for the recent surge in interest in the area of hacking critical infrastructure components, and ending with the subcommittee's consensus that they needed to spend additional time looking into the subjects discussed.
 
Overall, it was an amazing experience.  It was very satisfying for me to use my expertise in the area of cyber security to provide input into such an important area.  Watch for a version of my testimony to be published soon here on CSO Online and for additional insights from my travels working with government, infrastructure owners and security researchers.
 
- Aaron Turner

Reader Feedback
Thu, 2007-05-17 14:47
Transcript
By Anonymous

Aaron, is there anywhere a transcript of your testimony can be downloaded or could you post your full comments? I'd really love to see the whole text.

Thanks!

Sun, 2007-06-17 17:15
Testimony Links

Nice summary Aaron and I have attached a link to the testimony so folks can download it including reading our statements.

I have to agree with Aaron, this being the first time I've testified, what an experience and the effort leading up to preparing for it was an education all to itself.

In the end, this helps raise awareness of critical issues and highlights that there is much to be done!

-Jerry

http://homeland.house.gov/hearings/index.asp?ID=36
