cal attacks and civil Departments and Agencies focus on relatively lowlevel conventional explosives and limited chemical attacks.

We need to be equally careful not to compartment our analysis of information warfare so that the Department worries about true information warfare while civil departments and agencies worry about hacking and cracking at much lower levels of threat.

Finally, we need to consider the full implications of our call for missile defense, and of our counterproliferation activities. The more we succeed in blocking overt threats, the more we will drive states towards finding alternative means of attack. It makes little sense to close the barn door and leave the windows open.

We need to focus on key areas of technological change. We cannot yet predict what technical capabilities hostile states, extremists and movements will acquire over the next 15-25 years. We can, however, predict that there are several major areas of technological change that can radically alter the effectiveness of asymmetric and terrorist attacks and which require care attention from the intelligence community:

• The vulnerability of our critical infrastructure is changing: Our financial systems, communications systems, utilities, and transportation nets are far more tightly integrated than in the past, and we rely far more on national and regional systems, rather than large autonomous local ones. This reduces vulnerability in some ways, but increases vulnerability in others. Systems netting and integration involves shifts in technology that need careful examination.

• Information systems create new vulnerabilities: It is all too possible to grossly over-exaggerate our dependency on information systems, their vulnerability, and the difficulty in finding work-grounds, and reconstituting critical systems. Many statements are being made that have no real analytic underpinning and the importance of given systems is poorly researched. The Internet, in particular, is being glamorized to the point of absurdity. Nevertheless, information systems have become part of our critical infrastructure, and virtually invisible cyberattacks may prove to be more lethal in some cases than high explosives. New physical methods of attack, such as EMP weapons, may also be becoming more practical.

• Chemical weapons and toxins are changing: It is impossible to discuss fourth generation chemical weapons in an unclassified forum, but the threat has been openly raised by Department of Defense officials. The technology and equipment for older types of chemical weapons is also proliferating at a civil level and becoming steadily more available to governments, extremist movements, and individuals.

Biological weapons are changing: It has been possible to make dry storable biological weapons with nuclear lethality since at least the late 1950s. Advances in biotechnology, food processing equipment, pharmaceuticals, and other dualuse facilities and technologies are also proliferating at a civil level and becoming steadily more available to governments, extremist movements, and individuals. These problems are compound by the rapid spread of expertise and equipment for genetic engineering. The end result is that the technology of attacks on humans, livestock, and crops is becoming steadily more available, and in forms which not only can be extremely lethal and/or costly, but difficult to attribute to a given attacker.

• The availability of nuclear weapons may change: It is far too soon to say that broad changes are taking place in the nuclear threat. Nevertheless, the break up of the FSU, and proliferation in India and Pakistan, does create a growing risk that fissile material may become more available for “dirty” and low yield weapons, and the knowledge of how to make crude nuclear devices, handle the high explosives, provide neutron initiators, and deal with the complex triggering problems is also spreading.

• The risk from radiological weapons may change: Radiological weapons have not been particularly attractive options in the past. There is, however, a steadily growing mass of nuclear waste, and some studies indicate that the long-term genetic effects of such weapons may be more serious than their short-term effects.

• The ability to exploit the media and psychological dimension of new technologies has grown: Far more is involved than body counts, physical damage, and economic loss. Even the most limited CBRN or information attack on the US or US targets has great political and psychological impact both within the US and overseas. The spread of mass communications, and use of tools like the Internet and Satellite TV, also increases the impact of attacks. It is all too easy to exaggerate today's threat in each of these areas, but it is equally easy to exaggerate the difficulties that individual terrorist movements and extremists now face in

using such technologies. There is a clear need to examine how states can use such weapons covertly or through proxies, and forecast how widely spread each of these threats is likely to become in the future.

We need to reexamine the problem of vulnerability. We cannot hope to accurate predict our attacker or their means of attack, but we can do much to improve our analysis of vulnerability and shape our intelligence and planning effort around the need to detect threats to our greatest vulnerabilities. To be specific, there are several areas of vulnerability that need special attention:

• We need to conduct and systematically update our analysis of the vulnerability of our critical infrastructure, including financial systems, information systems, communications systems, utilities, and transportation nets and make sure our intelligence can focus on potential threats.

• We need to reexamine our vulnerability to the chemical threat in the light of fourth generation weapons, and the growing ease with which states, extremists, and terrorists can obtain them.

• We need to rethink the risk of biological attack: We need to look beyond the risk of the limited use of crude, long-known weapons and toxins, and assess the extent to which genetic weapons are increasing our vulnerabilities. We also need to look beyond single agent non-infectious attacks on human beings, and consider multiple agent attacks, infectious attacks, and/or attacks on our agriculture.

We need to reconsider the cumulative risk of covert or terrorist nuclear attack: It still seems unlikely that any state or terrorist movement could both acquire a nuclear device in the near future, and be willing to take the risk of using it. The cumulative risk over time, however, is sufficiently great to justify more analysis of our key vulnerabilities.

It is important to note that the US intelligence community and Department of Defense is already addressing many of these issues, as is the National Security Council and a broader federal Homeland defense effort. At the same time, these are all areas where Congressional oversight can play a major role in assessing the quality of the intelligence effort and the broader effort within the Executive Branch.

OTHER PROBLEMS IN INTELLIGENCE

Let me close with several comments focused on the problem of intelligence coverage of terrorism and asymmetric warfare. It has been some years since I was directly involved in intelligence planning and assessment, but there are some things that never seem to change:

• It is far easier to call for strategic warning than to get it, or get policymakers to, act on it of they do receive it. We can always improve our analysis of warning indicators. In fact, the intelligence community does this all the time. We cannot, however, count on any method of analysis sorting through the constant "noise level" in these indicators and providing reliable probability analysis or warning. Furthermore, we cannot count on policymakers reacting.

• We should improve our analysis, but no system of warning, defense, and response can rely on strategic warning. Moreover, it is my impression that even when the intelligence community does make improvements, decision-makers choose to ignore unpopular or expensive warning or demand that the community free them from the burden of ambiguity and uncertainty.

It is always easy for decision-makers to demand prophecy and attack intelligence analysis when they don't get it. This may explain why there are so many calls for improved strategic warning and so few calls for improved decision-maker re

sponse.

• It is far easier to call for better HUMINT than it is to get it. I have listened to three decades of calls for improved human intelligence. In practice, however, it remains as underfunded as ever, and partly because it is so difficult to make cost-effective investments and to be sure they pay off. Far too often, successes are matters of chance and not of the scale of effort.

• Yes, we should improve HUMINT-where we can show there is a feasible plan and a cost-effective path for success. However, calling for improved HUMINT all too often is both a confession of the severe limits of National Technical Means and a substitute for serious planning and effort.

• New intelligence toys are not new systems, and systems always have limitations. The other side of this coin is that we probably face growing limitations in our imagery and signals intelligence capabilities in many of the areas that affect our vulnerability to asymmetric warfare and terrorism. These are not a problem that should be addressed in open testimony, nor can I claim that my background in these issues is up-to-date. However, it is far from clear that some of

the extremely expensive improvements we plan in National Technical Means will really pay off in the areas we are discussing today, or that some of the new tactical detectors and sensors being developed are integrated into effective systems. There may well be a need for independent net intelligence assessment of our probable future capabilities in these areas.

• We need more focus on weaponization, weapons effects, and different kinds of vulnerability. Proliferation and changes in information warfare are creating major new challenges in how the community should assess the weapons available to state and extremist actors. This is particularly true of biotechnology and information warfare, but it also involves the risk of "dirty," unsafe, and unpredictable nuclear weapons. Most weapons effects analysis is badly dated, and related to use against military targets. Weaponization analysis often does not address the acute uncertainty that may occur in weapons effects, and most vulnerability analysis is now dated. The technical issues of what attackers can, really do, the problem intelligence may face in characterizing their resources, and the risk of combinations of new methods of attack-combining information systems and CBRN attacks, cocktails of biological weapons, etc. needs more attention. • We need an effective bridge between foreign intelligence and law enforcement that responds to the scale of the emergency. We now have a wide range of barriers between foreign intelligence collection, surveillance of US citizens and activities within the US, military operations, and law enforcement activities. In general, these involve useful and necessary protections of American civil liberties. If, however, the threat rises to the level of a tangible risk an attack may use effective biological weapons, use nuclear weapons, or cripple our critical infrastructure, we need some way to react to a true national emergency that eliminates as many of these barriers as possible, and which does so at the state and local level and not just the federal one. We have long talked about the need for the "fusion" of intelligence and operations in warfighting. We may well face a similar need in Homeland defense, and the "fusion" of foreign intelligence and law enforcement activity will be critical.

One final point. Whenever new threats emerge, there is a natural tendency to call for new organizations, czars, and interagency structures. It is far easier to say that a new organization is needed than to get into the nitty gritty of actually having to improve existing capabilities or develop new ones. A set of problems involving this many uncertainties and new skills may or may not require new federal organizations, and new organizations within the intelligence community,

Ultimately, however, what improving our capability to deal with terrorism and asymmetric warfare requires most is resources and improving collection, analysis, and fusion at sophisticated technical levels. The real issue is one of how to improve depth, give the community the right perspective, and how to improve "quality," and not how to change organization or leadership. This requires both serious planning and a serious program and supporting budget. Changing the name on the door is almost mindlessly easy, but changing the capability within is what counts.

Chairman KYL. Thank you very much.

Dr. Alexander?

STATEMENT OF YONAH ALEXANDER, SENIOR FELLOW AND DIRECTOR, INTERNATIONAL CENTER FOR TERRORISM STUDIES, POTOMAC INSTITUTE FOR POLICY STUDIES, ARLINGTON, VIRGINIA

Mr. ALEXANDER. Thank you, Mr. Chairman. I appreciate the opportunity to appear today before this subcommittee. My only regret is that I don't have a written paper because I was out of town. But with your permission, I would like to submit a formal paper at a later date.

Chairman KYL. Absolutely.

Mr. ALEXANDER. In addition to that, I would like to mention that as an academician who works at a think tank and at a university center for terrorism studies, we have a great deal of publications that we would like to report to you about and to share with your staff, such as the new publication on Bin Ladin, on cyber terrorism, on super-terrorism, American perspectives, and so on and so forth.

If we may submit them to your staff, we would certainly appreciate that.

My intention basically is to make some preliminary remarks related to the threat and response. I fully agree with Tony Cordesman on some of the points he made because I think, No. 1, we have to learn lessons at history and look specifically at the nature of the threat. Now, we are discussing super-terrorism, biological, chemical, nuclear, cyber, but I would like to submit that even a very primitive kind of terrorism works and it is attractive, it is effective, and achieves a number of results.

We can go all the way back to the first century or to the 11th and 12th centuries, the Middle East, when they used primitive methods, but they were able to intimidate the Crusaders, for example, in the Middle East. So I think there are some lessons from history that we can take into account.

If we look at the situation today, obviously when we talk about contemporary terrorism, we talk about the new scale of violence both in terms of threats and responses. We are discussing the internationalization and brutalization of modern terrorism which actually is developing a new age of terrorism and super-terrorism with very serious implications for national, regional, and global security concerns.

I would like to underscore specifically about five dangers that we have to take into account. One danger is to the safety and welfare and rights of ordinary people. The second danger is to the stability of the state system the way we know it. The third is to the health of economic development. The fourth is to the expansion of democracy, and the fifth perhaps to the survival of civilization. By that I mean the worst is yet to come; it is not if, but when. Therefore, ensuring the safety of the citizens at home and abroad will continue to be every government's paramount responsibility in the coming years.

If I may look at the calendar of history, I would like to remind the Chairman and members of the Subcommittee that 30 years ago. there was a bombing right here in the U.S. Senate perpetrated by the Weather Underground. And then 13 years ago, in Iraq, we found that the Iraqis used chemical weapons against the Kurds. And 6 years ago, we had a glimpse of the future when the Aum Shinrikyo used sarin gas in Tokyo.

Now, in 1995 I had the privilege, with my colleague Dr. Ray Klein from the Center for Strategic and International Studies, to prepare a study on state-sponsored terrorism for the Subcommittee on Security and Terrorism, chaired by Senator Jeremiah Denton. The question arises, what is new, and if you look at the situation in those days and the situation today, of course, at that time the Soviet Union perpetrated terrorism. Today, the Soviet Union is a victim of terrorism, as we have seen in the past few days.

Nevertheless, I think we cannot dismiss state-sponsored terrorism in the coming months and years. Although there is a study of the CIA for the year 2015 indicating that the involvement of states is going to be reduced, nevertheless we have to take into account some states that can be labeled as failure states or states that are being exploited by the terrorists.

So therefore what I am really suggesting is that we have to look at both state-sponsored terrorism and sub-state terrorism, the freelancers, those who are able to initiate terrorism at a very low cost and cause a great deal of damage to our society. Therefore, I think the international community, and particularly under the leadership of the United States, must take whatever steps are necessary in order to reduce the risks.

Again, it is not a question of recommendations of committees and commissions. I know that some of us were involved over the years working with some of these groups. Nothing is wrong with specific recommendations. The problem is really implementation of the recommendations, and we have to move step by step, not dramatically or drastically change the system.

Therefore, I think every segment of the community can play a role, not only the Government, not only Congress, but the community in general. And I refer to the media, I refer to religious organizations, to the educational structure, and so forth, and together I think we can defeat the terrorists and secure our value system. I will stop here and be open to questions. Chairman KYL. Thank you very much.

Both of you have commented on the need to concern ourselves with cyber attacks, and that seems to me to be a somewhat overlooked potential threat because it is not just against the Government, it is not just against our defense and national security capabilities, but also against the society at large, which then also has a spillover effect against national security.

What, in your view, should the U.S. Congress be doing to enhance our ability to deal with this problem of cyber attack, especially if we are to, as you say, Dr. Cordesman, size it to the statesponsored terrorism threat, because clearly that would be the ultimate degree of cyber attack even though it might be coming from some group far smaller than state-sponsored? What could the Congress do to help begin to prepare us to deal with this threat?

I will start with you, Dr. Cordesman, and then Dr. Alexander. Mr. CORDESMAN. Let me give one example. In the previous administration, John Hamre issued a directive in the Department of Defense that no critical system be hooked up to the Internet. One of the problems is that we right now are spending most of our critical infrastructure protection money trying to protect the software and entry into the systems, not to create systems which close out outside attack because they are truly critical. We, in general, do not have adequate standards.

It has become clear, for example, that within the Federal Government no department as yet can police itself. To the extent there have been successful audits of cyber defense, they have been done by the General Accounting Office. And the moment the General Accounting Office does not repeat the audit, the department generally goes back to failing to protect its systems.

But more than that, you do not see an effort to reduce vulnerability, to ensure that you can reconstitute the system rapidly, that if there is a really major and successful attack, there is some alternative. Now, this I suspect is going to require legislation and regulation. Departments are not going to spend money that is not ap