Taking Another Look at the Critical Infrastructure Debate

On September 12, one day after the terrorist attacks on the World Trade Center and the Pentagon, although most hearings were cancelled, the Senate Governmental Affairs Committee convened a hearing on America's critical information infrastructure. The hearing was originally scheduled to examine the security of the critical cyber-infrastructure and to allow the Committee to hear about the challenges that remain in the government's efforts to secure the critical information infrastructure, which includes telecommunications and transportation, under Presidential Decision Directive 63. The Directive, signed by President Clinton in May 1998, requires agencies to protect both the cyber and physical infrastructure, and much of the attention has been on the protection of information systems. While the events of September 11 were not an attack on information systems, the members of the Committee examined what terrorist threats exist to these systems and what should be done to minimize the risks.

Sen. Joseph Lieberman (D-CT), the Chairman of the Committee, presided. Sen. Fred Thompson (R-TN), the ranking Republican, also participated. Sen. Bob Bennett (R-UT) was present throughout the two-hour hearing. Sen. Jim Bunning (R-KY), Sen. Carl Levin (D-MI), Sen. Tom Carper (D-DE), and Sen. Mark Dayton (D-MN) also participated. Although the Committee has jurisdiction over the information infrastructure of government agencies only, the Senators addressed both government and private sector issues. Lieberman said that the events of September 11 begin a new era for American national security, and that future attacks will also target critical information infrastructure. The primary witness, Joel Willemssen, Managing Director of Information Technology Issues for the General Accounting Office (GAO), testified that "federal computer systems are riddled with weaknesses that continue to put critical operations and assets at risk."
A GAO report released on September 12 adds that, "Despite the importance of maintaining the integrity, confidentiality and availability of important federal computerized operations ... [b]ecause of our government's and our nation's reliance on interconnected computer systems to support critical operations and infrastructures, poor information security could have potentially devastating implications for our country." Willemssen and other experts at the hearing said the federal government was lagging in its efforts to implement a comprehensive plan aimed at protecting services provided by utilities and the transportation and financial service sectors. NASA Inspector General Roberta Gross said that agencies are "inadequately implementing" the Directive, that "government oversight is a real key tool," and that Congress should monitor the lead agency for the sectors that are lagging in developing plans of action to confront tragedies similar to last week's event. Willemssen also noted that, in particular, the public health and transportation sectors are at the bottom of the list in terms of their anti-terrorism efforts. "Among the most critical issues is clearly identifying roles and responsibilities of all the players," and defining "who exactly is in charge," said Willemssen. He applauded a bill introduced by Lieberman and Thompson that would establish a federal Chief Information Officer as well as other initiatives to promote electronic government. Willemssen also stated that private sector information could help prevent the spread of cyberattacks, such as denial-of-service attacks that could threaten infrastructure such as transportation, but the private sector is often unwilling to share security information for fear that it could be held liable for any problems.
Gross also said a significant part of the government's vulnerability is that agencies are using private software "bought right off the shelf," and that much of that software has security holes in it because of private industry's "rush-to-market" mentality, which relies on "patches" to fix problems only after the software has been installed and used. Thompson suggested that the way to get the private sector to share information about cyber security with the government is to give it the same sort of statutory protection that Congress gave in the Y2K Act. Lieberman, Bennett and Carper indicated during the hearing that they intend to pursue policy remedies that would increase the quality and quantity of security information-sharing between the public and private sectors, as well as give law enforcement added rules to prosecute hackers. Bennett said a bill that would promote computer and information security sharing with few risks and liabilities for private business is "very close to being ready" and that he "will find the right time" to introduce it soon. OMB Watch thinks that, rather than allowing the private sector to set the terms of what information on critical infrastructure it will share with the government and what it will allow the government to do with that information, Congress should move to determine what information the government needs to collect from the private sector. A vigorous discussion needs to be held as to what that information might be and how it can be shared appropriately with the public in defense of the public's safety and well-being. The Y2K model is absolutely the wrong one, as this is going to be an ongoing problem, and the private sector should not be shielded from liability for failures to fix risks and vulnerabilities when they are known and fixes are available.
[This report is drawn from accounts in TechLaw Journal; Maureen Sirhal, National Journal's Technology Daily; Matthew Morrissey in BNA; and Diane Frank.] In a related story, Joshua Dean reported in Government Executive magazine that spokesmen for the U.S. Space Command, the command that monitors military networks, reported no rise in malicious or nuisance network activity on Tuesday and Wednesday. An alert sent by the Computer Emergency Response Team Coordination Center at Carnegie Mellon University in Pittsburgh, PA, said the organization "is not seeing any significant increases in incident activity on the Internet."