[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
CYBER SECURITY: PRIVATE-SECTOR EFFORTS ADDRESSING CYBER THREATS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
COMMERCE, TRADE, AND CONSUMER PROTECTION
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 15, 2001
__________
Serial No. 107-74
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
_______
U.S. GOVERNMENT PRINTING OFFICE
76-310 WASHINGTON : 2002
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia BART STUPAK, Michigan
BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois TOM SAWYER, Ohio
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING, KAREN McCARTHY, Missouri
Mississippi TED STRICKLAND, Ohio
VITO FOSSELLA, New York DIANA DeGETTE, Colorado
ROY BLUNT, Missouri THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia BILL LUTHER, Minnesota
ED BRYANT, Tennessee LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Commerce, Trade, and Consumer Protection
CLIFF STEARNS, Florida, Chairman
NATHAN DEAL, Georgia EDOLPHUS TOWNS, New York
Vice Chairman DIANA DeGETTE, Colorado
ED WHITFIELD, Kentucky LOIS CAPPS, California
BARBARA CUBIN, Wyoming MICHAEL F. DOYLE, Pennsylvania
JOHN SHIMKUS, Illinois CHRISTOPHER JOHN, Louisiana
JOHN B. SHADEGG, Arizona JANE HARMAN, California
ED BRYANT, Tennessee HENRY A. WAXMAN, California
STEVE BUYER, Indiana EDWARD J. MARKEY, Massachusetts
GEORGE RADANOVICH, California BART GORDON, Tennessee
CHARLES F. BASS, New Hampshire PETER DEUTSCH, Florida
JOSEPH R. PITTS, Pennsylvania BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon ANNA G. ESHOO, California
LEE TERRY, Nebraska JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Axelrod, C. Warren, Board of Managers, FS/ISAC LLC........... 17
Casciano, John P., Senior Vice President and Group Manager,
Secure Business Solutions Group, Science Applications
International Corporation.................................. 40
Davidson, Mary Ann, Director, Security Product Management,
Oracle Corporation......................................... 30
Doll, Mark W., National Director, Security & Technology
Solutions, Ernest & Young.................................. 9
Klaus, Christopher, founder, Internet Security Systems....... 35
McCurdy, Dave, President, Electronic Industries Alliance,
Executive Director, Internet Security Alliance............. 13
Morrow, David B., Managing Principal, Global Security and
Privacy Consulting Practice, EDS........................... 26
Schmidt, Howard A., Chief Security Officer, Microsoft
Corporation................................................ 49
(iii)
CYBER SECURITY: PRIVATE-SECTOR EFFORTS ADDRESSING CYBER THREATS
----------
THURSDAY, NOVEMBER 15, 2001
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 1 p.m., in
room 2322, Rayburn House Office Building, Hon. Cliff Stearns
(chairman) presiding.
Members present: Representatives Stearns, Deal, Shimkus,
Terry, DeGette, Doyle, Harman, and Markey.
Also present: Representative McCarthy.
Staff present: Ramsen Betfarhad, majority counsel; Jon
Tripp, deputy communications director; Mike O'Rielly, majority
professional staff; Brendan Williams, legislative clerk; and
Bruce M. Gwinn, minority counsel.
Mr. Stearns. Good afternoon. And welcome to the
Subcommittee on Commerce, Trade, and Consumer Protection
hearing on cyber security.
You're welcome to sit down.
I'm pleased that we are joined today by a group of
distinguished witnesses and look forward to hearing their
testimony. The witnesses today collectively represent the best
minds on the issue of cyber security, and I'm confident they
will help us better understand the issue and its increasing
significance.
In the aftermath of the tragic events of September 11 we as
a Nation, it seems, have become obsessed with security, and
that is understandable. So it is also understandable that our
hearing today will also be colored to some extent by the events
of September 11 and new worries over cyber terrorism. Still I
do want to emphasize that the problems that gave rise to cyber
security concerns predate September 11 and cyber terrorism
worries.
Most important, those problems have begun to increase in
sheer numbers and magnitude in an alarming rate. Let me
explain.
In just over a year as a result of only three cyber
attacks, the I Love You, Code Red viruses and February 2000
denial of service attacks in excess of $10 billion was lost.
The number of cyber attacks as reported by the Computer
Emergency Response Team at Carnegie-Mellon University is
expected to double this year from last year to some 40,000.
Now, a survey of 538 computer security professionals both
within the government and private sector released this past
March and conducted by the Computer Security Institute with
participation of the FBI's field office in San Francisco, found
that 85 percent of the respondents said that they had detected
computer security breaches between March 2000 and 2001. Some 58
percent of those respondents had detected 10 or more incidents
of vandalism, theft of information, financial fraud and denial
of service attacks.
Quite significantly, 64 percent of respondents had
acknowledged financial losses due to cyber attacks or worse
breaches of their information systems.
Cyber attacks and breaches of our Nation's information
systems are especially worrisome when we realize that most
aspect of our daily lives from the mundane to the profane, are
touched either directly or indirectly by various information
systems storing, processing and exchanging information via the
electronic medium, the most visible of which is the Internet.
Just about everything we do involves the processing and
exchanging of information electronically. Therefore, cyber
threats to the Nation's information system, be they viruses,
worms, denial of service attacks or something as yet not
thought of must be taken very seriously.
If there are attacks yielding substantial breaches of our
Nation's information systems, not only will we face staggering
financial losses, we will also face more instances of tragic
loss of lives.
As our information system infrastructure has become
interoperatable, easy to access for sake of increasing
efficiency and productivity, it has become more vulnerable to
cyber attacks. The greater the degree of interconnection and
interdependence between the various information systems, the
higher the cost of disruption due to cyber attacks.
The Internet has tremendously accelerated this move toward
increased interconnectivity and ease of access to information
systems. And as such, the Internet connection to an information
system containing mission critical information, such as
financial data and intellectual property, has become a frequent
point of cyber attacks.
The custodian of the Nation's information systems, the ones
underpinning our economic welfare, is of course private
industry. Companies large and small have historically made
great strides in protecting their mission critical information
operating systems. However, the cyber security challenges that
they face have both increased in number and magnitude as the
importance of information systems to our economic welfare has
increased with the advent of the Internet.
We'll hear today that private industry is rising to these
new challenges, but there still is more work to be done. For
example, even though the horrific events of September 11, 2001
have put additional pressure on companies to reexamine their
security procedures and practices, according to a recent poll
of 150 chief information officers by CIO magazine, almost 40
percent of America's larger companies still do not have cyber
security experts on staff or under contract. Cyber security
measures cannot be an afterthought when designing, operating
and managing mission critical information systems.
Since September 11, we have learned that terrorists do have
the wherewithal to undertake the unexpected. Terrorists and
their recruits also have grown up in the digital age and thus,
most probably, possess the technical skills to undertake
concerted and effective cyber attacks. And as the real and
virtual worlds have become more closely intertwined, cyber
terrorism can potentially engender greater pain and tragedy,
and thus become more attractive to unscrupulous terrorists.
I'll end by borrowing Ms. Davidson's most instructive
words, ``The price of cyber security, as with liberty, is
eternal vigilance,'' and as we all know, freedom is not free.
With that, I'll turn to the ranking member of the
committee, Ms. DeGette who is substituting for Mr. Towns.
Ms. DeGette. Thank you very much, Mr. Chairman. And thank
you for holding this hearing.
In this time of uncertainty in our economy and in our
country, these issues also face our business community. And I
would echo very much of what the chairman talked about in terms
of the integrity of our computer systems and our data in a time
of terrorism, and the important role that private industry has
to play in preserving the integrity of those systems so that we
can preserve the integrity of our economy.
I would like to talk an issue not raised by the chairman,
because I do concur with so many of his statements, and that's
the issue of identity theft. This is an issue that we've talked
about for many months in this subcommittee and which is even
more essential today with the terrorists that we're facing.
An adequate cyber security in our commercial information
system will increase the likelihood of identity theft. With the
dawn of the information age companies collect, store and
transmit large amounts of consumer information over
computerized networks. Consumers rely on the security of these
networks to protect personal data like Social Security numbers,
unlisted telephone numbers, addresses, maiden names and
information about their information.
As we have heard during previous hearings of this
subcommittee, if this type of personal security is compromised,
any of the information can be obtained and used to steal
identities of unsuspecting Americans. Therefore, the security
of commercial information networks concerns all consumers and
is another aspect of the importance of cyber security.
Unfortunately--well, fortunately in one way but
unfortunately in others, after September 11 we had thought that
many of the hijackers of the airplanes on that day were using
stolen identities. The fortunate thing was that in large part
turned out to not be true, but yet stolen identifies were still
used by some of terrorists in the September 11 attacks. At
least one example that we know of was using the stolen identity
of a deceased New Jersey woman in order to evade capture. And
heaven knows how much this could happen in the future, and how
difficult that would make apprehension by law enforcement
agencies of suspected terrorists.
It is essential that both the private sector and government
work to eliminate unauthorized access to personally
identifiable information, which is the source of identity
theft. Unauthorized access to the commercial information
systems can be overcome with cooperation, and that's one reason
I'm particularly looking forward to hearing the testimony of
our witnesses here today. Because as I've thought all along,
this is not something that the government can work out in
isolation, nor is it a problem that we should expect private
industry to attack on its own.
Mr. Chairman, we need to continue to fight the war against
cyber terrorism on all fronts, including identity theft. And I
look forward to working with you and also the other members of
the committee and hearing from our distinguished panelists on
this issue.
And I yield back the balance of my time.
Mr. Stearns. Thank you, gentlelady.
Mr. Shimkus from Illinois.
Mr. Shimkus. Thank you, Mr. Chairman. I want to thank you
for holding this hearing, and you probably had mentioned to the
panel, I'm glad to see you all here.
We have a lot on our plate today with our bioterrorism
hearing downstairs, our conference has called an airport
security briefing at 1:15 in AC5, and now this. So if we're
running back and forth, let me apologize for myself and the
rest of my colleagues.
Obviously, e-commerce and security are a big issue, and
even with September 11 and the past, we will see an
expediential growth, probably, in the use of facilities on
electronic transactions.
I actually had a meeting yesterday morning with the Postal
Service, and their projections are now outdated because of how
people will rapidly move into their realm, which means if it's
an easy target, terrorists will attack easy targets. And if
it's disruption of our commerce and communication, and the
like, that's another aspect.
So you all have been dealing with it in one way or the
other. We know that you verified your threats, your
vulnerabilities, and we would be interested in hearing what
you're doing to protect yourselves and your clients.
I will end with saying I don't know of security because of
Ms. DeGette's statements, I don't know if security is just a
cost of doing business. I do believe that, darn right, there
should be a value added aspect of having good control over your
own data bases and in protecting security; that should be
beneficial in some aspects depending upon your business. It
probably should not be considered just a cost of doing
business, but there's probably some very good value added
aspects, and if that is properly promoted that people can take
advantage of.
With that, Mr. Chairman, I think it's going to be a great
hearing. I appreciate the panel being here. And be patient, we
will get to you. Thank you.
Mr. Stearns. I thank the gentleman.
The gentleman from Pennsylvania, Mr. Doyle.
Mr. Doyle. Thank you, Mr. Chairman, for holding this
important and timely hearing on cyber security.
The tragic events of September 11 demonstrate the
willingness and capability of America's enemies to utilize
modern communications mediums like the Internet and email to
plan, organize and facilitate their attacks. And since that day
we in Congress have examined a variety of proposals to
strengthen and modernize both our domestic and international
responses to terror.
Legislation is in the works to ensure the safety of
imported food, improve the safety of our airports and enhance
our enforcement and investigative capacities. I think it's only
logical that Congress should address the possibility that
future attacks could likely exploit vulnerabilities in our
cyber security systems, both public and private.
Just as cyber security needs of essential government
agencies such as the CIA and the Pentagon must be designed to
prevent unwanted access to classified information, like
intelligence directives and troop movements, private
corporations need to ensure that personal information like
Social Security or credit card numbers are not stolen by
hackers looking to create false identities. After all, many of
the hijackers on September 11 used fraudulent identification to
carry out their evil business.
In what may be a glimpse of the future, it seems now that
one Federal agency is taking a proactive approach toward cyber
security. An article that appears in the current issue of
Defense News highlights the Pentagon's efforts to fight back
against hackers by creating an active defense network capable
of tracking hacker attacks back to their origin while covertly
monitoring the source of suspicious attacks. According to the
article, the agency predicts over 40,000 attacks on military
networks by year's end, a figure that's up from about 22,000 in
the year 2000.
Back on my hometown of Pittsburgh we're fortunate to have
one of America's greatest authorities or cyber security, the
Center for Emergency Response Team or CERT of the Software
Engineering Institute of Carnegie-Mellon University. CERT at
SEI is a federally funded research and development center whose
primary goals are to ensure that appropriate technology and
systems management practice are used to resist attacks on
network systems and limit damage and ensure continuity of
critical services in spite of successful attacks.
The center is the first to respond to computer attacks,
such as the recent Nimba and I Love You viruses. According to
CERT statistics, nearly 22,000 incidents of security violations
occurred last year with over 34,000 recorded already this year.
Clearly incidents of cyber attacks are on the rise in both the
public and private sectors.
I want to commend CERT and the Electronics Industry's
Alliance for taking the initiative to form the Internet
Security Alliance, a collaborative partnership that brings
together industry and software experts to better address the
growing need for timely, informative responses to cyber
terrorism.
I look forward to hearing from Mr. Dave McCurdy, the
President of EIA and the Executive Director of the Internet
Security Alliance about the efforts of this new collaboration.
Legislators to executive, to Internet security technicians; we
could all stand to learn a great deal from the Internet
Security Alliance.
As my colleagues are aware, this subcommittee has devoted a
significant amount of time and resources aimed at providing
members with a plethora of information relevant to online
security measures and protection of personal information. We
have listened to a range of testimony from experts who, in some
instances, highlighted the need for strong protections guarding
the access to and the unwanted use of personally identifiable
information.
I hope that this committee will soon take action to bolster
to e-commerce activities of both the public and private
sectors.
Mr. Chairman, I thank you.
I yield back the balance of my time.
Mr. Stearns. I thank the gentleman.
The gentleman from Georgia, Mr. Deal.
Mr. Deal. Thank you, Mr. Chairman. Thank you for assembling
this very impressive panel today, and I look forward to hearing
your testimony.
Like Mr. Shimkus said, it is a busy time and we may have to
apologize for people running in and out, but we do so in
advance and I hope you will understand that.
It's a pleasure to see our former colleague, Mr. McCurdy.
Nice to see you again, Dave.
Mr. Chairman, you know, I'm like a lot of people, I wish
for a simpler time. When I read Future Shock many years ago,
like many of you, we probably thought it was science fiction
and would never come to be. Unfortunately, that rush of the
information age has truly crashed down upon us.
I think of one of my colleagues in the General Assembly of
Georgia who said that he lived in a small town, and to
illustrate it was, he said it didn't even need turn signals on
your car because everybody knew where you were supposed to be
going and if you made the wrong turn, your wife would know
about it before you got home anyway. We don't live in a world
like that anymore.
Unfortunately our lives are very tangled and confused in
terms of who has control over our lives and who has control
over information that's pertinent to us. And the security of
that information, of course, is what all of us are concerned
about. And it is a multifaceted issue, and I'm sure today we
don't have time to deal with all of the facets of it.
Everything from the issue of personal identification security
and protection that has been alluded to the issue of the
availability of law enforcement agencies to have access to
information for purposes of their investigations, information
that in normal circumstances might wish to be secure and
protected.
Now all the way to the issue of illegal immigration in our
country, with some 7 plus million, many of whom are working in
our country and presumably have somebody's Social Security
number who don't know and we don't have the knowledge of what
the implications of all of that is going to finally be when we
sort it all out.
I thank you all for being here today, and I look forward to
your testimony, and also to the questions.
Thank you, Mr. Chairman.
Mr. Stearns. Thank you.
The gentleman from Massachusetts, Mr. Markey.
Mr. Markey. I thank the Chair very much for holding this
very important hearing.
Back in the 1960's the Federal Government went to AT&T and
asked them if they would be willing to build a packet switch
network for the United States. And AT&T said why would we do
that, we already have a monopoly. We're not interested in the
contract. And so, they then turned to IBM and asked them to
build a national packet switch network, and IBM said why wold
we do that? We have a monopoly. We're not interested. And so
they turned to a company in Cambridge, BB&N and gave the
contract to these very smart scientists at MIT to construct a
packet switch network which while providing the role of being a
scientific information sharing source of information, also had
the additional advantage of providing a redundancy to the
existing telecommunications network in the United States. The
great fear was that there would be a preemptive attack upon the
United States and they would bomb the AT&T national long lines
that went right through the middle of the country, decapitating
our national leadership.
On September 11 the good news is that this brilliant
invention of the scientists at BB&N did work. And even as
Verizon or AT&T switches may have been effected, in fact the
ability for packet switches to move information and reassemble
it regardless of the course that was being taken at the point
of destination was something that was really proof positive
that the Federal Government in 1967, regardless of what the
private sector might have thought about it, really did
anticipate September 11.
In addition, I'd just like to note, Mr. Chairman, that we
as a committee and I think the Nation as well, has to divide
the question. On the one hand we're all very concerned about
identifying terrorists within our own country and we're willing
to suspend some of the constitutional protections which we
would otherwise ensure that everybody, even visitors to our
country, were entitled to. And I think all of us, or most of
us, at least are willing to suspend that. But we must divide
the question between terrorist cells and corporate sellers in
terms of the compromise of privacy information. You can't allow
any change in attitude in our country to allow corporation
America to begin to gain access to information within our
country as though anything that happened on September 11 would
justify it.
So I look forward to this incredibly impressive panel of
experts which you've brought here to us today, lead by our
former very distinguished colleague, Mr. McCurdy. And I think
it's going to be very helpful to us in understanding what
policies should be adopted in the days and months ahead.
Thank you.
Mr. Stearns. I thank the gentleman.
Ms. McCarthy, would you--are you prepared to----
Ms. McCarthy. I'd like to hear from the panel, and I'll put
my remarks in the record.
Mr. Stearns. Okay. By unanimous consent, so ordered.
And Ms. Harman, do you have an interest in an opening
statement?
Ms. Harman. Thank you, Mr. Chairman, no. I'd like to hear
from the panel.
[Additional statement submitted for the record follows:]
Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee
on Energy and Commerce
Let me begin by thanking the Subcommittee Chair, Mr. Stearns, for
calling this hearing on cybersecurity and for assembling such a
distinguished panel of witnesses. Let me also thank them, in advance,
for their testimony.
Recent events remind us how precious and essential security is--
something many of us previously had taken for granted. It is a basic
component of our quality of life.
Security also is an essential component of sound and successful
commerce--particularly as it relates to the Internet and digital
commerce. And I know that recent events have also increased scrutiny--
especially by the private sector--of this increasingly important slice
of the security umbrella.
The Internet is becoming a larger part of American life and a
necessary instrument for American commerce. With more than 60% of
Americans with access to the Internet and a great majority of American
business interconnected, a certain level of Internet services are on
the way to becoming ubiquitous.
The success of Internet services and commerce depends directly on
how security is handled by the private sector. For instance, how
comfortable and confident consumers and businesses feel with how
information is protected, is dependent on the level of security
utilized by American business. Unlike national security issues, which
are the responsibility of the Federal government, the structure of the
Internet--primarily owned and run by the private companies--requires
private sector innovation and leadership.
We have seen the huge financial losses suffered by web viruses and
worms. We have witnessed the losses by denial of service attacks.
Successful cyber attacks can cost companies by disrupting service,
exposing them to bad publicity, or manipulating or destroying sensitive
company data.
More importantly, successful attacks not only threaten the attacked
company and its network but also the company's suppliers, partners, and
relationship with its customers. It also effects the non-Internet-
driven portion of the company. In essence, attacks create a certain
domino effect, which sends economic harm cascading through businesses
and Amercans' lives.
In my opinion, the vast majority of American companies are doing a
great deal to improve and maintain security in their networks and to
ensure the security of information and materials they have.
Even so, there are certain security vulnerabilities in the nature
of the Internet and within the networks owned and operated by
individual companies. There are some weak points in the inherent
architecture. Networks of large American companies will always be
targets of criminal attacks, whether by small time hackers or
sophisticated terrorists.
However, nobody should take away from this hearing the notion that
there is a perilous state in the way companies protect their networks
and information. Their ability to create cutting-edge protections
against ever-changing threats is simply amazing.
While more work must be done, much work has already been
accomplished, just not spoken about--and understandably so. Companies
are leery about highlighting how secure their networks are for fear of
inviting determined attackers.
I hope that some of today's panelists can speak to the work that
their companies are doing to improve the security of their and their
clients' networks. I hope they can elaborate a bit on recognition of
the relevant issues, assessment testing, deploying necessary resources,
and taking corrective measures. Moreover, as security becomes more of a
necessity rather than cost-drag on industry, we need to know whether
there is a sufficient market developing for solutions and products to
improve the Internet security of all companies.
I am also hopeful that this hearing will shed light on what
vulnerabilities exist today, what steps are being taken by the private
sector to address these vulnerabilities, and what role, if any, the
federal government--specifically the Congress--can play to promote
increased awareness and action on these issues.
Mr. Stearns. Okay. All right. We do have, as all the
members have pointed out, a full panel and Mr. McCurdy is, of
course, a former member. And as sitting members we have great
deference and reverence for former members. It's a tandem race.
We show deference to them hoping that they'll remember us. But
he has the wisdom of both being a Member of Congress and now on
the other side. So, we're anxious to hear from him, and we
welcome him, personally.
Mr. Doll, I think what we'll do is start from my left and
just come across. If each of you would just, in your opening
statement, just give us your name and title and then we'll just
after your 5 minute, we'll just keep moving down the table.
So I welcome all of you.
STATEMENTS OF MARK W. DOLL, NATIONAL DIRECTOR, SECURITY &
TECHNOLOGY SOLUTIONS, ERNEST & YOUNG; DAVE McCURDY, PRESIDENT,
ELECTRONIC INDUSTRIES ALLIANCE, EXECUTIVE DIRECTOR, INTERNET
SECURITY ALLIANCE; C. WARREN AXELROD, BOARD OF MANAGERS, FS/
ISAC LLC; DAVID B. MORROW, MANAGING PRINCIPAL, GLOBAL SECURITY
AND PRIVACY CONSULTING PRACTICE, EDS; MARY ANN DAVIDSON,
DIRECTOR, SECURITY PRODUCT MANAGEMENT, ORACLE CORPORATION;
CHRISTOPHER KLAUS, FOUNDER, INTERNET SECURITY SYSTEMS; JOHN P.
CASCIANO, SENIOR VICE PRESIDENT AND GROUP MANAGER SECURE
BUSINESS SOLUTIONS GROUP, SCIENCE APPLICATIONS INTERNATIONAL
CORPORATION; AND HOWARD A. SCHMIDT, CHIEF SECURITY OFFICER,
MICROSOFT CORPORATION
Mr. Doll. Good afternoon, Mr. Chairman, and members of this
committee. And thank you for this opportunity to testify before
you today.
I am Mark Doll, National Director of the Security &
Technology Solutions for Ernst & Young with over 50 years
experience working in cyber terrorism matters.
Ernest & Young is a leading provider of accounting,
assurance, and information technology services around the
globe, with over 84,000 employees based in 130 countries.
Today I'll discuss the need to assess risk and
vulnerabilities of our critical IT infrastructure.
Without being too alarmist, the focus on innovation and the
lack of focus on security makes our critical infrastructure
vulnerable to attack from criminals, hackers, disgruntled
employees and, yes, terrorists. Whether it's via cyber attack,
a worm, a virus; any of these things could wreak havoc
throughout our interwoven IT reliance chain putting at risk our
national security, the way corporate American conducts business
and the way civilians and citizens conduct their lives.
So what should we do? Effectively securing our corporate
and critical infrastructure systems is no small chore, but we
can't be paralyzed by the task at hand. We don't believe that
there's any choice but to confront it. Already, however,
positive steps are being taken, but more could be done to
encourage companies, individuals, the government to address
these vulnerabilities and tackle these hard issues.
We need to first address the issues of authentication and
authorization, interoperatability, recovery and validation. If
we can focus on these concepts, we can take a positive step
forward to improving the overall national security. What do I
mean by these terms and what do these terms reveal?
First, the term authentication refers to the ability to
determine who is using a computer system. And authorization
refers to what an authenticated individual is allowed to use or
see on a system. Without an appropriate system authentication
and authorization, we'll be unable to track and limit
unauthorized individuals that might gain access to systems for
a personal gain or cyber terrorism.
Second, we need to simplify interoperatability.
Interoperatability refers to the ability of systems to function
seamlessly, regardless of operating system, application or
hardware. Market innovation and competition has driven economic
growth and you have tremendous increase in productivity. The
same innovation and competition has, understandably, resulted
in many proprietary protocols and has created an environment, a
very complicated security design which has, in turn, led to
security inefficiencies and vulnerabilities. As a result, it is
costly and difficult for many organizations to implement truly
effective security solutions. Today we must work together in a
public/private partnership to simplify these protocols.
Third, recovery. The term refers to the ability to correct
system failures and catastrophes in a timely manner. Today,
most companies are on their own when it comes to implement
fail-safe systems and contingency plans. Many companies lack
the necessary rigor and scale of recovery systems to respond to
a national attack or cohesive cyber terrorism threat. Any
consideration of cyber security must, therefore, take into
account a national recovery system.
Finally, validation. Securing our critical infrastructure
should not be perceived as a problem that can be fixed simply
by purchasing software or installing a firewall. Once a
security application or process is put in place, it must be
regularly monitored and effectively validated. Unfortunately,
there are no common set of standards for validating the
security of information systems. Instead, different countries,
different individual industries and service providers employ
different standards for assessing vulnerabilities and
effectiveness of security solutions.
This hampers efforts to conduct comprehensive risk
assessments of network safeguards and controls across
industries and applications. Service companies like Ernst &
Young must then determine how to make these complicated set of
standards work within a complex corporate environment while
allowing innovation and growth. Any long-term discussion of IT
security should, therefore, consider the need to harmonize
these standard for validating effectiveness.
In conclusion, critical IT infrastructure security raises
difficult issues. Today's hearing is important and is welcome.
The President in his Executive Order establishing a Critical
Infrastructure Protection Board and the National Infrastructure
Advisory Council hold promise. We need to work together in a
public/private partnership to answer difficult questions and
find effective solutions.
Again, I appreciate the opportunity to outline what we
believe will be some of the key issues of this security issue.
And I'll be happy to answer questions.
[The prepared statement of Mark W. Doll follows:]
Prepared Statement of Mark W. Doll, National Director, Security &
Technology Solutions, Ernst & Young
INTRODUCTION
Good morning Mr. Chairman, and thank you for the opportunity to
appear before your subcommittee on the topic of security and private
sector efforts to address cyber threats. I am Mark Doll, partner and
National Director of the Security & Technology Solutions Practice for
Ernst & Young LLP. Ernst & Young is a leader in providing accounting,
assurance, and information technology services around the globe, with
84,000 employees based in 130 countries.
While the Internet revolution has been occurring, Ernst & Young has
been adapting to offer our clients a variety of assurance services
aimed at securing their vital information and computer networks. I
bring fifteen year's of experience working on IT systems
implementations and corporate IT management. Today, my clients include
many of the Fortune 500 and new and emerging companies. Of our 84,000
employees, over 1200 work specifically on security and IT risk matters,
many of whom come to Ernst & Young from the United States military and
intelligence communities. As a result of providing our services to
numerous companies, Ernst & Young has a unique perspective on efforts
to secure our country's critical IT infrastructure.
Today I will suggest to you that recent events have brought to the
forefront long-standing security risks and vulnerabilities throughout
our nation's critical Information Technology (IT) infrastructure. In
light of this, our nation now needs to work quickly and thoroughly--in
public-private partnership--to assess these risks and vulnerabilities
and implement effective security policies, not only to address today's
problems, but also to prepare for tomorrow's unforeseen challenges.
Security Has Not Kept Pace With Infrastructure Growth and
Interdependency
Corporate success has historically depended on the ability of
management to control strategic business functions--product quality,
management of physical plants, sales, and customer support--to stay
ahead of competition. Today, technology has changed the traditional
business environment, and is being used to increase productivity and
enable the creation of non-traditional business relationships.
Competitors are becoming partners, customers can now fulfill their own
orders directly from supplier's inventories, and all organizations rely
on telecommunications and information systems to manage the day-to-day
operations of their businesses.
Yet, as corporate America spent the last decade scrambling to react
to and grow at the same pace as its competitors, it gave little regard
to the ramifications of that growth. Internet technologies and new
business processes created new markets, relationships, and
unprecedented access to information systems, but it also created new
risks to the security of those networks. Productivity and IT systems
grew rapidly; but the security and controls around those systems did
not develop at the same pace.
This failure on the part of individual organizations to properly
maintain the security of their IT systems could have a potentially
disastrous ripple effect on our nation's collective security. Today,
every business in America, every citizen who accesses the Internet,
creates a portal into our vast interconnected system, creating not only
a window through which information is gleaned, but also a potential
door through which an attack on the whole system can be launched.
Public and private sector organizations rely on many of the same IT
systems to maintain productivity. Consumers and businesses today rely
not only on their own ability to conduct transactions, but also on the
reliability and availability of applications and infrastructure that
are managed by others, including their customers, business partners,
government, and other companies with whom they have no ``traditional''
business relationship. This has created a highly interdependent ``IT
reliance chain'' of systems and businesses.
What Is At Risk?
Without being too alarmist, this failure to build security into our
systems makes our critical infrastructure vulnerable to cyber attacks
not only from terrorists, but also from criminals, hackers, and
disgruntled employees. Such individuals often search for the weakest
link within a system, sneaking in through a loophole in or between
software or hardware systems. Once inside the cyber-perimeter of an IT
system, a hacker is then free to disguise him or herself as a valid
user, stealing confidential information or creating new vulnerabilities
for others to exploit. Whether it is via a cyber attack, a worm, or a
deliberately launched virus, a concerted effort could wreak havoc
throughout the ``IT reliance chain,'' putting at risk our nation's
security, the way corporate America conducts business, and the way
citizens live their lives.
Our nation depends on interlinked information systems to run our
telecommunications, power, transportation, financial, and national
security functions. Business transactions can only take place if the
applications and IT systems on which they rely (i.e. software solutions
that control manufacturing) are functioning appropriately. But no
business is an island of itself. If our nation's critical
infrastructure is unavailable, individual businesses will be unable to
operate. Similar to a house of cards, if just one component of this
chain were to come under attack, the whole network could be affected
or, in the worst case scenario, fail.
For individuals, even the most mundane tasks in life are dependent
on the proper functioning of the reliance chain. We have become reliant
on computer-controlled systems for banking, telecommunications, power,
and also the vital systems that maintain our personal identities, and
medical records. An attack on these systems would dramatically affect
the American way of life we take for granted, putting at risk our
ability to communicate with family and friends, access money, visit a
hospital, or even light our homes. We are all highly dependent upon the
near 100% availability of our country's critical infrastructure
components.
What Needs To Be Done?
The security systems surrounding our critical infrastructure,
specifically the information and communications networks, electrical
power systems, gas and oil transportation and storage, banking and
finance systems, transportation systems, water supply systems,
emergency services and government services, must be properly managed.
As you can imagine, effectively securing these systems will be a
task of unprecedented proportions. But we must not let the size of the
problem paralyze us. Already, hardware and software companies are
institutionalizing efforts to proactively post known vulnerabilities
and provide patches to their customers. Leading companies are moving
quickly to assess vulnerabilities in their operational infrastructures.
But we must do more to encourage companies and individuals alike to fix
current systems vulnerabilities and tackle head-on the hard issues--
such as authentication, authorization, interoperability, recovery, and
validation--required for critical infrastructure security.
These are technical terms used by those of us in IT security
industry to describe what are actually easy-to-understand concepts.
Just as ``notice,'' ``choice,'' ``access,'' and ``security'' needed to
be understood before policy makers could tackle data collection issues,
``authentication,'' ``interoperability,'' ``recovery,'' and
``validation'' need to be understood and debated if we are to move
forward on a national cyber security program.
1. Authentication & Authorization--First, ``authentication.'' The
term refers to the ability to determine who is using computer systems,
how to make sure that individuals are actually who they say they are.
``Authorization'' is simply what an individual is allowed to use or see
on a system. Without an appropriate system for authentication and
authorization, we will be unable to track and limit unauthorized
individuals that might gain access to systems for personal gain or
cyber terrorism.
2. Interoperability--The second issue we will need to tackle if we
are to ensure security is ``interoperability.'' Interoperability refers
to the ability of systems to function seamlessly regardless of
operating systems, applications, or hardware. We have today countless
numbers of different protocols for operating systems, applications, and
hardware. Each vendor has a proprietary interest in their protocols,
including the organizations at the witness table with me today. This
has created a dysfunctional environment of complicated interoperability
between competing systems, applications, and hardware. This limited
interoperability makes it costly and difficult for organizations to
implement truly effective security solutions.
3. Recovery--Third, ``recovery.'' This term refers to the ability
to correct systems failures and catastrophes in a timely manner,
wherever they occur. Today, we rely on companies to unilaterally act to
implement fail-safe systems and contingency plans. Although most have
systems to restore a site, network or system failure, it is our
experience that many companies lack the necessary rigor and scale of
recovery systems to respond to a national attack or cohesive cyber
terrorism threat. Any national consideration of IT security must take
into account the necessity for a national program requiring and
architecting a national recovery system. Admittedly, this will be a
costly undertaking on the part of both corporate America and the
government.
4. Validation--Finally, ``validation.'' Securing our critical
infrastructure should not be perceived as a problem that can be fixed
simply by purchasing the latest and greatest software or installing a
firewall. Once a security application or process is put in place it
must be regularly monitored and its effectiveness validated. This
applies to all levels of security, including authentication,
interoperability, and recovery.
Unfortunately, there is no common set of standards for validating
the security of computer and information systems. Instead, different
countries, individual industries, application vendors, and hardware
providers employ different standards for assessing vulnerabilities and
the effectiveness of security solutions. This hampers efforts to
conduct comprehensive risk assessments of network safeguards and
controls across industries and applications. Services companies like
Ernst & Young must then determine how to make all of these competing
standards work within a complex corporate environment while allowing
for innovation and growth. Any long-term discussion of IT security
should, therefore, consider the need for harmonizing standards for
validating effectiveness.
Validation is, in my mind, the most crucial issue we need to
tackle, for without it, we will not accomplish systemic change. Only by
regularly assessing the effectiveness of controls around complex issues
like authentication, interoperability, and recovery will we ensure that
any quick fixes are working as intended.
Public Private Partnership Is Necessary
Clearly, critical IT infrastructure security raises difficult
issues. Today's hearing is a step in the right direction. We need to
work together, in a public-private partnership, to answer these
difficult questions and deliberate on effective solutions.
The Administration has issued a call to action to the private
sector and government, through the President's October 16th Executive
Order creating the Critical Infrastructure Protection Board (the
``Board''), to work together to develop standards and best practices
necessary to secure information systems for critical infrastructure.
Importantly, the Executive Order requires the Board to work with
members of the private sector, including the audit community to, among
other things, ``propose and develop ways to encourage private industry
to perform periodic risk assessments of critical information and
telecommunications systems.'' We look forward to working with the
Administration and Congress on this important initiative.
CONCLUSION
In conclusion, the events of September 11, 2001, focused our
country's attention on national security issues. It would be a mistake
to focus solely on our country's outer security perimeter and overlook
the security of our domestic IT infrastructure. We must work together
to identify, prioritize and fix known vulnerabilities, as well as
identify best practices to ensure the long-term safety and viability of
the critical infrastructure on which our economy, citizens, and
government rely.
I appreciate the opportunity to be here this afternoon, and am
happy to answer any questions.
Mr. Stearns. I thank the gentleman.
Mr. McCurdy?
STATEMENT OF DAVE McCURDY
Mr. McCurdy. Thank you, Mr. Chair. Again, thank you for the
opportunity to be back on this floor. I lived on this floor for
quite a whole, just around the corner. It's good to see my
former colleagues.
With your permission, I'd like my statement to be admitted
in the record.
Mr. Stearns. By unanimous consent, so ordered.
Mr. McCurdy. And I'd like to just summarize, because having
been on that side I know how important it is to get to the
bottom line.
There are a number of key points that I'd like to make, and
I think this distinguished panel's going to raise a number of
very good questions.
Since the chairman alluded to it, I thought I would just
give you one graphic. You cited the statistics from the CERT,
as did Mr. Doyle. The progression on the security threats, the
incidents, each one of these reports is an incident. I Love You
was counted as one, the Malissa virus is counted as one. Last
year over 22,000 this year at the progression it's currently
on, will be over 40,000 separate incidents reported by the
CERT.
The important thing with that is the fact that the
sophistication of those incidents is also increasing, but the
knowledge necessary to perpetrate those attacks and bring back
those incidents is actually declining. You no longer have to be
a computer genius or, you know, some kind of geek to be able to
go in and write software to get into these systems.
A lot of this technology today and the knowledge is on the
web. People can collaborate, and you see from a progression
those with password guessing now to stealth advanced scanning
techniques, automated probes and scans, worms, virus. So this
in itself is a disturbing trend.
And I'm going to save the last chart and, perhaps, take it
up with a question, and that's the role of government versus
the private sector.
I think the threat is real. I think you know that. Many of
us has been dealing with this long before September 11. Ms.
Harman, knows. She actually sits on the three committees that I
sat on; Intelligence, Science and Armed Services, and
understands. It's not just a Nation, State, State actor
environment. It's a number of individuals and organized crime
and other efforts are out there to increase the risk.
There is no such thing, and maybe some of my colleagues
might differ, but I don't believe there's such a thing as
Internet security or perfect security. If you want perfect
security, you can be disconnected from the Internet. You could
be totally isolated. But that defeats the purpose of the
Internet.
So if you want to be connected, then you're talking about
risk management. And there a number of tools and efforts that
need to be involved to provide that.
The private sector can do a lot, not just in developing the
tools and mechanisms, but improving the standards and best
practices, which are management. And Mr. Doll mentioned that,
but the important thing there is that this is not a U.S.
centric technology. Mr. Markey gave us the Massachusetts'
history of packet switching, but this is not a U.S. centric
problem. This a borderless technology. It is global in nature,
and therefore the risks are global. And it's important that we
work on an international basis to provide solutions and reduce
this risk.
And the other point that I would make is that, you know, we
witness it on a regular basis. Our country, maybe democracies
are this way, but we're great at reacting. You know, after
September 11 we had incredible forensic evidence and we were
able to track these things; the terrorists and their movements
and provide a great history. But we're not good in the
proactive sense. And I think what we have to do in working with
government is develop much more emphasis on developing those
practices and standards that prevent and deter, and hopefully
preempt some of these attacks. And I believe that the private
sector can do that.
The last chart that I was going to mention is one of your
charts, not this committee's, but actually the government's.
This is actually produced by the CHOW in the Department of
Commerce, and it just shows you some of the organization. You
saw the other day when Tom Ridge, our former colleague, was
sworn in they showed the jurisdictional chart of the 41
agencies that he was involved in. Well, this is for Critical
Infrastructure Protection and this chart, too, can kind of
drive you crazy.
The public/private partnerships in this are down here in
the corner, down here. But I would submit that it's the public/
private partnerships in the private sector that's going to do
the most to provide the real protection. The government role is
simple: Should take steps and encourage efforts to increase the
IT investment, work with CIOs and give them resources to
improve the security of the systems of the Federal Government,
but then work with the private sector to help establish these
best practices and standards and help the industry to see the
benefits of further responsibility and accountability at the
board level to ensure that there's auditable standards and
practices are in place.
And last, Mr. Doyle mentioned Carnegie-Mellon. We are
pleased with the establishment of the Internet Security
Alliance joint venture with 2300 member companies of EIA and
Carnegie-Mellon. It's more than just an FFRDC. In order to
expand its reach, to leverage the incredible talent and
resources, they need to build their private side of the house
in a nonprofit way, which is what ISA's about, in order to get
that information and that trusted network of over 40,000 people
around the globe who provide over 99 percent of those incident
reports. Those aren't generated by the government, those are
private citizens around the world that submit those incident
reports so that we can gain from that knowledge.
And with that, I appreciate again the opportunity and look
forward to our questions.
[The prepared statement of Dave McCurdy follows:]
Prepared Statement of Dave McCurdy, President, Electronic Industries
Alliance, Executive Director, Internet Security Alliance
Chairman Stearns, Ranking Member Towns, and members of the
Commerce, Trade and Consumer Protection Subcommittee: I appreciate the
opportunity to testify today on behalf of the Internet Security
Alliance. I am deeply thankful to Congressmen Stearns and Towns for
holding this informative hearing on the private sector's efforts
addressing cyber threats.
Since September 11th, the business community has become more
security conscious than ever before. There is real alarm among
companies concerning not only physical security but also cyber
security, and with good reason. According to the CERT/CC at Carnegie
Mellon's Software Engineering Institute the number of attacks on the
Internet has increased at an exponential rate. The CERT/CC handled over
20,000 incidents in 2000 and are now estimating that they will now
handle over 40,000 incidents in 2001. Each one of those ``incidents''
could ultimately bloom into Code Red or Nimda attack within hours of
its detection. The threat is critical. Corporations and the government
find themselves on the front lines defending the critical functions of
the national infrastructure, as well as the assets of American
companies.
In addition, attacks are becoming more destructive, widespread and
more difficult to contain. Consider the following information on costs
of cyberattacks that businesses have faced recently.
The Cost of Cyberattacks
SirCam: 2.3 million computers affected
Clean-up: $460 million
Lost productivity: $757 million
Code Red: 1 million computers affected
Clean-up: $1.1 billion
Lost productivity: $1.5 billion
Love Bug: 50 variants, 40 million computers affected
$8.7 billion for clean-up and lost productivity
Nimda
Cost still to be determined
In April of 2001, Carnegie Mellon University and the Electronics
Industries Alliance formed the non-profit Internet Security Alliance to
advance the efforts of the private sector in the information security
debate. You may know that the majority of the Internet, over 80%, is
owned and operated by the private sector. Private sector leadership is
essential to determining an overall strategy to increase the strength
and survivability of the Internet. The Internet Security Alliance seeks
to help in this endeavor
As the Internet continues to ingrain itself as a linchpin of
American business and with concern growing that the cyber environment
is ripe for attack, industry now more than ever needs an independent,
non-partisan organization that offers comprehensive, universal threat
sharing and assessment, and collaborative solution development. We need
to create a new paradigm for global information sharing to help
companies that rely on the Internet deal with the growing threats to
their continued success and growth.
Furthermore, since 80 percent of technical vulnerabilities are
common to all organizations, and misperceptions about robust security
can lead even the most attentive security engineers to expose their
systems to attack. Industry needs to develop universally recognized
information security practices capable of being pushed down through
supply chains so evolving Internet threats can be effectively mitigated
and deterred. You are only as secure as your weakest link.
The Internet Security Alliance is one of the few organizations
working on behalf of industry to address these issues. With its
international and multi-industry segment member representation and
access to a network of more that 40,000 loyal systems administrators
and security engineers who diligently report new threats and
vulnerabilities, the Internet Security Alliance is redefining the
concept of information sharing. On a near real-time, systematic basis,
the alliance provides companies large and small with access to trusted
and reliable information, solutions and decision support tools to help
mitigate the vulnerabilities and emerging threats we are here to
discuss today.
Driven by some of the brightest security minds in industry and
academia, the alliance has also begun work on a robust set of best
practices that will serve as guiding principles for companies and their
supply chains as they evolve their security policies and procedures.
Our efforts enable companies to allocate their limited resources on
other projects, such as deploying intrusion detection systems,
firewalls, and raising security awareness within their company.
Using the collective experience the Internet Security Alliance and
its members, we can effectively promote sound information security
practices, policies and technologies that enhance the security of the
Internet and global information systems.
Why is the private sector involvement so important?
The Internet Security Alliance applauds the efforts of the current
Administration in its dedication to raising the awareness of cyber-
threats and cyber-terrorism. It's leadership on the recent cyber-
attacks on Code Red and Nimda were invaluable to testing the true value
of both private and public partnerships. On the government side,
officials tend to view private sector participation as well as the
agency involvement in terms of sectors or ``stovepipes'' (see attached
chart for the government organization chart for cyber-security),
therefore creating barriers to true information sharing. The private
sector is critical of this approach and is looking for more inclusive
participation from all sectors. In order to maximize the effectiveness
of taking on the cyber-security issue, collaborations and
communications should be cross-sector and horizontal to all companies
and government entities (where appropriate). We are all facing a common
threat with respect to cyber-terrorism and vulnerabilities and will
need to work together in order to protect our most critical assets.
International problem vs. U.S. centric problem: Cyber-Security
The Internet knows no boundaries and is accessible from most parts
of the world. As the Internet continues to be a tool that promotes the
openness of ours and many other societies, it brings along vast risks
and vulnerabilities. The Internet operates with no bias or cultural
differences--it provides information and interaction. Since the concept
of the Internet was based on the issue of trust, we can see the
probability of its being compromised fairly easily.
With that in mind, we would be foolhardy to not communicate with
other nations on their experiences and potential remedies for cyber-
attacks that have happened on their networks. Not taking into account
the expertise of foreign security experts would put the U.S. effort at
a severe disadvantage. In addition, if the U.S. is not inclusive of
other countries in this global problem, we stand to weaken our resolve
to protecting ourselves by operating with limited knowledge of
potential threats.
Proactive Measures vs. Reactive Response
Finding solutions to cyber-security vulnerabilities and attacks has
been historically reactive. Attacks happen, analyses made and a patch
would be provided, if possible. We cannot continue to solve individual
attacks on a case-by-case basis, while not addressing the larger
problem. A better approach is to implement practices and policies that
improve the protection of our networks by thwarting a higher percentage
of attacks. In other words . . . becoming more proactive in our
approach to cyber-security. By promoting practices currently in place
for more security-focused companies and tailoring them for other
sectors, additional protection could be provided. Many companies,
especially medium-sized and smaller firms are vulnerable and looking
for assistance in determining what security practices can help them
better protect their systems.
Private and Public Partnerships
The security and survivability of the Internet depends on the
cooperation between the private and public sectors. Congress should
promote interaction between government and the private sector and
should also address issues such as exemption from FOIA and anti-trust
barriers. In addition, Congress can set a great example for the private
sector by increasing the security of all government systems, which
historically have been out-dated and have not met minimal standards for
security.
The Internet Security Alliance is able to act as a bridge between
the private sector and public sector by promoting best practices and
appropriate data sharing mechanisms. The Internet Security Alliance is
also involved in the following activities:
Providing thought leadership on information security issues
Representing industry's interest on information security
issues before legislators and regulators
Creating mechanisms that cause rapid development and
implementation of information security practices, policies and
technologies
Identifying and standardizing best practices in Internet
security and network survivability
Creating a collaborative environment to develop and implement
information security solutions
Promoting universal sharing of information and intelligence on
emerging threats/vulnerabilities/ countermeasures
Information Sharing
--Providing vulnerability catalog, threat alerts and analysis,
executive communications, call center, trend briefings,
economic impact analysis
--Shaping and influence practices and resources at CERT/CC to meet
the needs of industry
Best Practices/Standards
--Establishing common benchmarks
--Evaluating relevance of existing standards, define gaps and agree
on relevant and uniform criteria for standards moving
forward
--Developing a Software Seal of Approval
Policy Development
--Providing decisive influence on the public policy issues whether
nationally or internationally
--Targeting cybercrime and terrorism, privacy, information sharing,
corporate responsibility and leadership on information
security issues
Security Tools
--Sector-tailored versions of OCTAVE'
--Sharing of R&D expertise of Alliance members
To summarize, only by combining the strengths of both the private
sector and public sector on issues such as early warning detection and
information dispersal, promotion of best practices, agreement over
sound information security policies will we be able to turn the tide on
the cyber-security threat facing our nation.
The Internet Security Alliance is poised to represent and promote
the needs and views of the private sector on cyber-security. We thank
the committee for its interest and for allowing us to participate in
this necessary and timely hearing.
Mr. Stearns. I thank my colleague.
Mr. Axelrod?
STATEMENT OF C. WARREN AXELROD
Mr. Axelrod. Thank you, Chairman Stearns, and members of
your subcommittee for the opportunity to address you today on
the very timely questions of what the private sector is doing
to protect itself against cyber attacks, what it should be
doing and how government might help.
I would also ask for my written statement to be included in
the record.
My name is Warren Axelrod, I'm a Director responsible for
global information security with the Pershing Division of
Donaldson, Lufkin and Jenrette Securities Corporation, which is
a Credit Suisse First Boston company.
I'm also on the board of managers of the Financial Services
Information Sharing and Analysis Center for the FS/ISAC.
Today I will share with you my thoughts and suggestions on
cyber security as someone who is an information security
professional and a practitioner with more than a quarter of a
century's experience as an information technology manager in
the financial services industry.
It's well known that with the relatively recent and rapid
adoption of the commercial Internet, government and business
have become increasingly dependent on a critical infrastructure
over which they have little or no control. Largely due to this
lack of control, we have see a proliferation of damaging
computer viruses, worms, denial-of-service attacks and network
and system breaches. With such an accelerating use of the
Internet, the impact on commerce of unintentional network and
deliberate acts of terrorism and compromise is greater each
day.
While thousands of new viruses and worms are created each
month, relatively few cause significant damage. However,
millions of scans of the Internet run each day by those seeking
out weaknesses, only a very small percentage actually result in
compromises. However, since the number of attempted attacks and
the population of potential victims are both so enormous, even
a very small rate of success has produced estimated damage in
the billions of dollars per year.
Since at this time deterrence is not sufficiently
effectively and the pressure is on to expand services over the
Internet, we are left with preventative measures as our best
hope for reducing potential damage from cyber attacks. The
greatest counterforce in this battle is, in my opinion,
information sharing. Knowledge of new threats, newly discovered
weaknesses and actual incidents gives organizations the
opportunity to prepare for impending attacks or prevent
exploitation by closing off known vulnerabilities. This is
where the FS/ISAC comes in.
The FS/ISAC is an industry funded product of Presidential
decision directive 63 on critical infrastructure protection.
PDD 63 required government agencies to partner with the sectors
that make up critical infrastructure. The PDD additionally
suggested that all critical sectors from ISAC to collect and
analyze threat vulnerability and incident data.
The U.S. Department of the Treasury is the partner of the
banking and finance sector, and has been extremely supportive
of the FS/ISAC.
A key feature of the FS/ISAC is it allows members to submit
information anonymously while insuring that submittals are from
an authentic source.
More recently, the banking and finance sector has ramped up
several initiatives, including a crises management committee
initiated by the Banking Industry Technology Secretariat and
the Business Continuity Committee established by the Securities
Industry Association.
While I believe that the banking and finance sector has
reason to be proud of initiatives that it has already put in
place, there remains a considerable amount still to be done
before we can feel comfortable with our state of preparedness.
There are many ways in which Congress can help promote
programs and processes to improve our defenses against cyber
attacks and our ability to handle them. The willingness of
industry members to share information, particularly about cyber
incidents with other members of the ISAC would be much greater
were there not the fear of infringing anti-trust laws.
The ability of private industry to share security
information with government depends very much on obtaining an
exemption from the Freedom of Information Act, which would
eliminate concern that damaging information would become
available to competitors and potential attackers.
Both of these items are central to the Critical
Infrastructure Information Security Act of 2001 proposed by
Senators Bennett and Kyl for which there has not yet been any
inclusion in the legislative calendar. The proposal in the Act
are key if we are to encourage a much broader sharing of
important security related information.
I would like to suggest to Congress that it revisits this
issue and, if possible, accelerates litigation such as the
Bennett Kyl bill. Similar legislation worked for year 2000 and
it can work against cyber terrorism as well.
We need the ability to pursue cyber attacks and prosecute
them fully if we are to discourage others from attacking out
networks and computers. I would propose that Congress consider
legislation to further empower law enforcement to track down
perpetrators.
We also need reciprocal arrangements with friendly
countries so that they will support these endeavors.
I believe that the government should support the
establishment of separate secured private Internets such as the
proposed government network. I suggest that Congress encourage
the development of these networks by providing appropriate and
if necessary, authorizing funds to seed them.
I would propose that Congress consider supporting programs
to educate our people about the importance of maintaining the
security of the networks and computers of our critical
infrastructure.
I would suggest that Congress consider funding a permanent
information coordination center along the lines of that
established for the year 2000 period, which was subsequentially
dismantled. There should be a dedicated section in the center
for cyber security.
Finally, I would suggest that Congress support the
development of a national strategy for protecting the Nation's
critical infrastructure.
I recognize that I am proposing a costly series of programs
at a time when budgets are tight. However, the size of threats
are very real and we must protect ourselves against them. It
will be a long and bitter battle, but we must engage in it if
we are to prevail.
Mr. Chairman, again, thank you for the opportunity to
present to you and your subcommittee.
This concludes my statement. I will be happy to answer
questions.
[The prepared statement of C. Warren Axelrod follows:]
Prepared Statement of C. Warren Axelrod, Board of Managers, FS/ISAC LLC
I wish to thank you, Chairman Stearns, and the members of your
Subcommittee on Commerce, Trade and Consumer Protection, for the
opportunity to address you today on the very timely questions of what
the private sector is doing to protect itself against cyber attacks,
what it should be doing, and how government might help the private
sector in accomplishing its goals.
Mr. Chairman, you and your subcommittee members, show both
foresight and insight in focussing your attention on protecting our
critical infrastructure from cyber attacks against the computer systems
and networks upon which the economy of the United States of America
increasingly depends. You are to be commended for tackling this
important category of risk to commerce at a time when the Nation is
distracted by the tragic events of September 11th, an unresolved
bioterrorism attack, and a war in Afghanistan.
Just one week after the September 11th terrorist attacks, our
computer systems and networks were hit with one of the most devious and
sophisticated cyber infections to date--the Nimda worm. Nimda is an
example of a new generation of malicious software, or malware, that
spreads in many ways and is difficult to eliminate from infected
machines.
Perhaps the Nation's initial focus on the aftermath of the physical
attacks, followed a short time later with a frightening anthrax scare,
made Nimda appear less of a threat than it actually was. The impact of
Nimda was also considerably mitigated by organizations having patched
their systems as a result of the Code Red worm, thereby providing
greater protection. However, many security professionals see this
evolution in cyber-attack capability as a very disturbing and ominous
trend. The timing of the Nimda attack is also noteworthy, since it was
launched at a time when a number of major financial organizations were
operating in less-than-ideal disaster recovery modes. This suggests the
recognition by cyber attackers that their activities can be even more
effective against targets that are already weakened.
MY PERSPECTIVE
I am a director, responsible for Global Information Security, of
the Pershing Division of Donaldson, Lufkin and Jenrette Securities
Corporation, a Credit Suisse First Boston company.
Today, I intend to share with you my thoughts and suggestions on
cyber security as someone who is an information security professional
and a practitioner with more than a quarter of a century's experience
as an information technology manager in the financial services
industry.
It is a great honor for me to represent the securities industry and
I hope that my testimony will lead to measures that will help in some
ways to protect our Homeland from the costly effects of cyber attacks.
I wish to thank the SIA (Securities Industry Association) for their
support in preparing for this hearing.
As one of the founders of the FS/ISAC (Financial Services
Information Sharing and Analysis Center) and a current member of its
Board of Managers, I am firmly committed to the important role of
information sharing in assisting the financial services industry in
protecting itself from malicious cyber attacks.
In the late 1990s, I co-chaired two SIA committees on Year 2000
contingency planning and event management, which provided extensive
guidance for the financial services industry. I recently recounted
those efforts to the industry to help deal with today's heightened
fears, which are not much different from those preceding Year 2000.
Over the millennium weekend, I served in the Cyber-Assurance
National Information Center, representing the banking and finance
sector. The Cyber NIC was located adjacent to, and continuously in
contact with, the Information Coordination Center(a center established
by the Federal government to coordinate across state and local
governments as well as with industry sectors. I was with a group of
private sector volunteers who were monitoring the condition of
cyberspace during a time of great concern over potential cyber attacks.
That apprehension was not unfounded.
THE NATURE OF CYBER THREATS
It is well known that, with their relatively recent and rapid
adoption of the commercial Internet, government and business
organizations have become increasingly dependent on a component of the
critical infrastructure over which they have little or no control.
Largely due to this lack of control, we have seen a proliferation of a
whole variety of damaging creations and activities, such as viruses,
worms, denial-of-service attacks and network and system breaches. With
such accelerating use of the Internet, the impact on commerce of
unintentional network and system breakdowns and deliberate acts of
destruction and compromise is greater each day.
Another way in which cyber malfeasance differs from physical acts
of terrorism, is that location, cost, and fear of arrest and punishment
do not seem to hinder or deter cyber terrorists. While thousands of new
viruses and worms are created each month, relatively few make it from
``the zoo'' into ``the wild'' and cause significant damage. While there
are millions of scans of the Internet run each day by those seeking out
weaknesses, only a very small percentage result in actual system
compromises. However, since the number of attempted attacks and the
population of potential victims are both so enormous, even a very small
rate of success has produced estimated damage in the billions of
dollars per year over the past several years.
Some forms of malware, such as viruses, are released onto the
Internet by their creators and spread from system to system through the
unknowing complicity of others, not unlike their physical counterparts.
Modern viruses and worms frequently incorporate ``social engineering''
to get their unwitting accomplices to take actions, such as opening an
e-mail attachment, that will propagate their payloads. The ``I LOVE
YOU'' virus was a crowning example.
Terrorist groups or hostile countries would not generally use
viruses and worms to compromise an enemy's computer systems and clog
its networks, since such attacks are not directed and could just as
easily impact friends as enemies. Rather they would target specific Web
sites or computer systems.
We have seen that virus developers and activators (who are not
necessarily the same individuals) tend to be out to undermine society
in general or make a name for themselves among their peers. However,
the damage from viruses to commerce and government can be very large,
and measures are needed to reduce their impact, if not eliminate them
entirely.
Cyber attacks that are more directed can take several forms. Most
commonly, the attacker will search for exposures in the software
products and equipment that typically make up organizations' defenses
and seek access into such systems by exploiting their vulnerabilities.
When access has been gained, the attacker will try to gain control of
the system as a so-called privileged user. Once in control, the
attacker may destroy, alter or steal data (including nonpublic,
personal consumer information), programs and other information assets,
such as credit card numbers, or may change various features of the
system, such as by defacing public Web pages. Alternatively, attackers
may leave some program code in place to facilitate their own future
access and potentially perpetrate a distributed denial-of-service
attack on a particular Web site.1 The targets of such
attacks are determined in advance, and the attackers have to take
specific actions (versus their passive role in the spreading of
computer viruses) to carry out such an attack.
---------------------------------------------------------------------------
\1\ In a distributed denial-of-service attack, the attacker will
compromise a number, perhaps in the hundreds or thousands, of weakly-
defended computer systems and turn them into ``zombies'' by depositing
some program code on those systems. At a particular point in time, the
attacker will instruct all the zombies to direct a flood of messages at
a specific site, which is overwhelmed and taken out of service.
---------------------------------------------------------------------------
It is because cyber attacks can be hugely disruptive and costly
that we are compelled to take protective measures.
MEASURES THAT HAVE BEEN TAKEN
In this section, I will discuss what measures have been taken
generally, and, where appropriate, by the banking and finance sector in
particular, according to the categories of deterrence, avoidance,
prevention, recovery and restoration.
Deterrence
From an economic perspective, it does not really matter what the
source or type of attack may be. After all, the damage can be much the
same from a virus, worm, denial of service, or information destruction
or theft, whether the perpetrator is a recreational hacker, terrorist,
or hostile government or government-sponsored group. Indeed, internal
staffs have initiated some of these same compromises, whether
intentionally or not.
However, from a deterrence point of view, there is a big
difference. If the source is domestic, then there is a greater
possibility of arrest and due process, whereas if the attacker is in a
foreign country, particularly one hostile to the U.S., the chances of
capture are much diminished, even when the perpetrator is identified.
Law enforcement has tracked down quite a number of violators, but in
general the risk of apprehension has been low and the punishment
moderate. I think that we can safely say that deterrence generally has
minimal effect and that the attacker population continues to increase
rapidly, as can be seen from the continuing upward trend in the number
of incidents and the increasing effectiveness of their weapons (i.e.,
viruses, worms, and other malicious programs).
Avoidance
The ease of use, global reach and low cost of the Internet have
been major motivators for government and business, as well as for
individuals, to move commercial activities to the Internet. With this
growth, however, comes the increasing risk of cyber attacks. Even if it
were desirable, which it generally is not, restricting the use of the
Internet is difficult to accomplish, although many have stated that
electronic commerce (e-commerce) has been significantly held back due
to the lack of security, and hence privacy, for commercial
transactions.
In such situations implementing security measures is seen as
enabling commerce in situations where consumers' information would not
be protected adequately without the measures. Thus, it is possible to
have a Web site certified by a third party. However, many customers are
not aware of these certifications nor is there overwhelming evidence
that customers choose one site over another because of certification.
Many organizations use specialized software products to block
employees' access to certain Web sites that they deem inappropriate.
This tends to reduce the risk of accessing less well-protected Web
sites that might be harboring a worm, such as Nimda. Similarly,
organizations strip off specific attachments on incoming e-mail, such
as those with file names with ``exe'' extensions, which are more likely
to harbor viruses and worms.
There are signs that private Internets may be considered an answer
to cyber security in some situations, as with the recent call for a
private GovNet by Richard Clarke, recently-appointed chairman of the
President's Critical Infrastructure Protection Board.
Avoidance served to reduce risk considerably during the Y2K date
transition period. Over that weekend, in particular, many companies
shut down their Internet connections, and took their computer systems
off line. There were also fewer aircraft in the air and many, who would
normally be out celebrating such an occasion, were at work monitoring
their organizations' computer systems and networks. While difficult to
quantify, such tactics may well have resulted in far fewer incidents
than might have been expected.
Prevention
Since, at this time, deterrence is not sufficiently effective, and
the pressure has been to expand services over the Internet rather than
restrict them, we are left with preventative measures as our best hope
for reducing potential damage from cyber attacks. The principle behind
prevention is to identify and block cyber attacks as they happen using
technologies such as routers, firewalls and intrusion detection
software. E-mail is scanned for pre-specified words and phrases and
those items that appear suspicious are quarantined. Commercial software
is ``patched'' with the latest ``fixes'' to eliminate known
vulnerabilities, which might otherwise be exploited directly by a
hacker or through a virus or worm or similar piece of self-generating
malicious software.
If the world of cyber threats were static, then the above measures
would eventually eliminate risks due to those threats. However, that is
not the case. As mentioned above, there is a constant torrent of new
dangers, and the government and business worlds must struggle to keep
up with them. The greatest counter-force in this battle is, in my
opinion, information sharing. Knowledge of new threats, newly-
discovered weaknesses, and actual incidents that have happened to
others in their industries and elsewhere, gives organizations the
opportunity to prepare for impending attacks or prevent exploitation by
closing off known vulnerabilities. This is where the FS/ISAC comes in.
The FS/ISAC
The FS/ISAC was a product of Presidential Decision Directive Number
63 (PDD 63) on Critical Infrastructure Protection, dated May 1998. PDD
63, which incorporated President Clinton's critical infrastructure
strategy, required government agencies to partner with the sectors that
make up the critical infrastructure. The PDD additionally suggested
that various industry sectors form Information Sharing and Analysis
Centers, or ISACs, which would collect and analyze threat,
vulnerability, and incident data. The U.S. Department of the Treasury
is the designated partner of the banking and finance sector. Treasury
has been, and remains, extremely supportive of the FS/ISAC. Treasury
Secretary Robert Rubin was very encouraging during the initial stages
of the critical infrastructure effort for the banking and finance
sector and Treasury Secretary Lawrence Summers officially launched the
FS/ISAC on October 1, 1999.
With almost 50 full-time members and another 50 firms in a trial
program, the member companies of the FS/ISAC membership account for the
processing and protection of perhaps 80 percent of the financial assets
handled by U.S. financial institutions. The FS/ISAC provides warnings
of threats and vulnerabilities, up-to-the-minute notification of
incidents as they unfold, and helpful advice as to how to avoid or
prevent threats from turning into disasters. It does so according to a
unique model, which I will now describe.
The FS/ISAC derives its information from many sources, including
government agencies. Members are expected to report security
information or experiences to which they are privy. This information
can be submitted anonymously or can be attributed, at the member's
discretion. While, for anonymous submissions, the FS/ISAC does not know
the originator of the information, authentication technologies ensure
that the submitter is actually with a member company.
The FS/ISAC analyzes incoming information with respect to validity,
importance, timeliness, and severity. If the submission passes muster,
it is then ``scrubbed'' to remove all indications of the source (unless
it is expressly permitted to reveal the source), and notifications,
with warnings as to their urgency, are disseminated to members via e-
mail, pager, telephone or fax. Unfortunately, over the past two months,
members have received distressingly many alerts marked crisis or
urgent.
Redundancy, Recovery and Repair
Despite best efforts, it is not always possible to prevent cyber
threats from succeeding, so that a number of incidents of varying
severity do occur.
In most cases, security compromises or breaches can be quickly
resolved through the use of alternative on-site networks and systems,
while the compromised systems are being repaired. For this to be
possible, suitable redundant facilities need to be planned and
installed in advance.
If a cyber attack renders a site unusable, an organization must
turn to its business continuity and/or disaster recovery plans as well
as its crisis management capabilities in order to operate in recovery
mode at a different location. It should be noted that a location can be
rendered unusable if, for example, a cyber attack were to take down
other parts of the critical infrastructure, such as the electrical
power grid or telecommunications network.
In financial services, many companies had developed contingency
plans for Y2K. It was reported that a number of firms located in and
around the World Trade Center invoked their Y2K plans in response to
the events of September 11th and that the devastating impact of the
catastrophe on firms was considerably less because they were better
prepared. Since then, the banking and finance sector has ramped up
several initiatives, including a crisis management committee initiated
by BITS (Banking Industry Technology Secretariat) and the Business
Continuity Committee established by the SIA. As mentioned previously,
the SIA had played an important leadership role in Y2K contingency
planning and established a command center in New York, with which I was
able to communicate from Washington over the Y2K weekend.
The financial services industry, in particular, has developed
extensive contingency plans, due to the criticality of their operations
to the economy and from having to meet strong legislative and
regulatory requirements.
WHAT STILL NEEDS TO BE DONE
While I believe that the banking and finance sector has reason to
be proud of the initiatives that it has already put in place, there
remains a considerable amount still to be done before we can feel
comfortable with our state of preparedness.
Information Sharing
The FS/ISAC model for the sharing of cyber security information has
been adopted by a number of other critical sectors at home and by
several countries internationally. In addition, the FS/ISAC has had
discussions with these and other ISACs regarding the sharing of cyber
security information, while still maintaining anonymity of the source
when desired. The goal is to have a global network of ``friendly''
ISACs to leverage the advantages of a broader reach and a larger
population of incidents from which to derive patterns of activities
that might lead to an attack.
The FS/ISAC receives information from many government agencies,
including intelligence and law enforcement, and disseminates it among
its members. Unfortunately, it is not yet feasible to return the favor
and provide government with information that the FS/ISAC has obtained
from its membership, since there are antitrust and freedom-of-
information issues that need to be resolved.
I feel strongly that the broadcasting over the Internet of
information about vulnerabilities by those who think that they are
benefiting mankind by forcing software vendors to strengthen their
products is misguided and damaging to the information infrastructure.
For example, the Code Red virus appeared just a couple of weeks after a
security expert had posted a notice on the Internet about a specific
vulnerability in a particular piece of Web server software for all to
see. His rationale was that the particular software vendor had not
responded to his exhortations to fix the problem. Code Red resulted in
possibly billions of dollars in lost business. How much better would it
have been if the network of ISACs had been informed and had distributed
the information on a need-to-know basis to its members? In fact,
members of the FS/ISAC had received prior notice of an update to the
software in question that, if applied to their systems, avoids the
effects of this particular virus.
Outreach, Education and Training
There is a clear need for reaching out to the general public,
educating them about cyber security and making them aware of reasonable
precautions that they might take to limit the impact of a cyber attack.
This should be done without arousing undue concern or revealing
information that would not be in the national interest.
There is a severe shortage of qualified information security
professionals to handle the broad spectrum of knowledge and
capabilities required in order to protect our government agencies and
private businesses from the increasing threats to the computers and
networks that make up the critical infrastructure. We need programs to
educate and train the requisite numbers of individuals in the basics if
information security and to provide on-the-job training for
practitioners in related areas. Some private companies are already
doing this, but security certifications of various types need to be
encouraged so that more of those on the Internet have taken necessary
actions to secure their system and network environments.
A National Strategy
It is key to educate the general public and those in leadership
positions of the issues surrounding cyber security and its importance
of sustaining the critical infrastructure. Several National Plans for
ensuring the protection of the U.S. critical infrastructure systems
have been written. One for government agencies was published in January
2000. Sector plans have been developed but not disseminated as yet. I
worked on the draft of the Banking and Finance Sector National Plan for
Information System Protection. These planning documents, or ones very
like them, should be shared with industry leaders and the public and
should become the basis for a National Strategy for Homeland Security,
as it relates to cyberspace.
At the moment the destiny of the National Plan documents is not
clear. Prior to the establishment of the Office of Homeland Security,
the Critical Infrastructure Assurance Office (CIAO) was coordinating
the collection and aggregation of the plans from the various critical
sectors.
Research and Development
One way to keep up with, and even get ahead of, cyber attackers is
to develop tools with the ability to rapidly identify and block
attacks, to determine vulnerabilities in deployed systems and networks,
and to discern suspicious activities before they develop into full-
blown attacks. An active, well-supported research and development
program for cyber security should be initiated. The topics being
researched need to have a strong practical bent and meet the needs of
the private sector.
Separate Networks
The building of separate, restricted and highly secured networks,
using the technology of the Internet but not being as accessible to
everyone, is something to consider in the light of the risks in using a
public, uncontrolled network environment. GovNet might be the first,
but others should follow as the concept proves itself.
Simulation Modeling
As the complexities of modern economies become even greater, it is
not possible for an individual, or group of individuals, to understand
all the complicated interactions and dependencies of the various
components on one another. This can only reasonably be achieved through
the use of simulation models to express the interdependencies and
provide the capability to examine what might happen if certain parts of
the infrastructure were to fail or be brought down by a cyber attack.
Contingency Planning, Incident Response and Crisis Management
As mentioned above, the initial steps have been taken in the
banking and finance sector to reconstitute the information coordination
centers of the Y2K era, with their attendant contact lists, chains of
command, and information gathering, analysis and reporting systems.
Once communication, coordination, command and control capabilities have
been established, it is important that they are maintained at some
level on a round-the-clock basis into the foreseeable future and can be
ramped up rapidly to full-scale operations when an incident occurs.
RECOMMENDATIONS FOR CONGRESSIONAL ACTION
There are many ways in which Congress can help promote programs and
processes to improve our defenses against cyber attacks and our ability
to handle them.
Information Sharing
The willingness of industry members to share information,
particularly about incidents, with others members of an ISAC would be
much greater were there not the fear of infringing antitrust laws. The
ability of private industry to share security information with
government agencies depends very much on obtaining an exemption, for
this type of information, from the Freedom of Information Act, since
that would eliminate the concern that damaging information would become
available to the public, including competitors and potential attackers.
Both of these items were central to the ``Critical Infrastructure
Information Security Act of 2001'' proposed by Senators Bennett and
Kyl, but which has not yet been included in the legislative agenda. The
proposals in the Act are key if we are to encourage a much broader
sharing of important security-related information. This would to lead
to broader availability of much more valuable information and
strengthen our ability to protect ourselves from cyber attacks.
I would like to suggest to Congress that it revisits this issue
and, if possible, accelerates legislation such as the Bennett-Kyl Bill.
Similar legislation worked for Year 2000, and it can work against cyber
terrorism as well.
Deterrence
We need the ability to pursue cyber attackers and prosecute them
fully, if we are to discourage others from attacking our networks and
computers. I would propose that Congress considers legislation that
will further empower law enforcement agencies to track down
perpetrators of cyber crime. In addition, we need reciprocal
arrangements with friendly foreign countries so that they will support
and participate in these endeavors.
On a global level, it may be reasonable to expect a commitment of
funds for law enforcement to counter cyber terrorism among the more
prosperous and advanced countries of the industrial world. However,
this may not be true of so-called Third World countries, especially
those from which attacks emanate. Cyber terrorism coming from hostile
countries requires special consideration and response.
Avoidance
I believe that the government should support, and subsidize where
appropriate, the establishment of separate secured private Internets,
such as the proposed GovNet network. I suggest that Congress encourage
the development of these networks by providing appropriate support and,
if necessary, authorizing funds to seed these initiatives.
Outreach, Education and Awareness
I would propose that Congress consider supporting programs to
educate our population about the importance of maintaining the security
of the networks and computers that constitute much of our critical
infrastructure. Also, I suggest that the government should consider
special programs, such as subsidizing college-level studies, to develop
information security professionals.
Research and Development
While I am very much in favor of promoting research and development
programs to come up with ideas and capabilities to improve our cyber
security, I am concerned that such research might not result in a
sufficient number of practical solutions. I suggest, therefore, that
R&D programs be conducted with some industry representation so that the
results meet the needs of real-world entities.
This is an area for which the best use of funds is not obvious.
Therefore I suggest to Congress that a study be conducted, in
conjunction with the private sector, to ascertain the best way to
generate new ideas in cyber protection.
Simulation Modeling
The development of simulation models that appropriately represent
the critical sectors, their mutual interactions, and the impact of
component failures is a daunting task. I am aware that Los Alamos
National Laboratories and Sandia National Laboratories have done work
in this area. I would recommend that Congress should support and
encourage these efforts but that, before major commitments are made,
the requirements of the models be determined by a working group that
includes subject-matter experts from various critical sectors. Industry
and government representatives should participate in the design process
to ensure that the models are realistic and useful.
Contingency Planning and Event Management
I would suggest to Congress that it should consider approving
funding of a permanent Information Coordination Center (ICC) along the
lines of the one which was established for the Year 2000 period, and
which was subsequently dismantled. A mix of individuals representing
both government and the private sector should staff the ICC. Under
normal conditions, the ICC would have a minimal level of staffing, but
have the capacity to rapidly grow to full capability if an emergency is
declared.
I believe that there should be a dedicated permanent section of the
ICC that focuses on cyber security, rather than the ancillary
arrangement that existed during Year 2000. The cyber security group
requires extensive and immediate access to top experts in the field as
well as an advanced capability to continuously monitor activity on the
Internet.
National Strategy
Finally, I would suggest to Congress that it should support the
development of a National Strategy for protecting the Nation's critical
infrastructure and that participants from the various sectors be
included in the development of the plans in conjunction with
representatives from assigned government agencies.
CONCLUSION
I recognize that I am proposing an extensive and costly series of
programs to protect the Nation's critical infrastructure from
increasingly dangerous and damaging cyber attacks, especially during a
time of diminishing budgets. The cyber threats are very real, as we
have seen in recent years, and we must protect ourselves against them.
It will surely be a long and bitter battle, but we must engage in it if
we are to prevail, which we must. Unfortunately, the impact of a very
successful cyber attack can far exceed that of many of the physical
attacks, which we have seen in recent weeks and about which we
speculate.
Mr. Chairman, I want to thank you again for the opportunity to
present my thoughts and experiences to you and your Subcommittee. This
concludes my prepared statement. I am happy to answer any questions
that you and other members of the Subcommittee wish to ask.
Mr. Stearns. And I thank you.
Mr. Morrow. Just pull that mike right close to you.
STATEMENT OF DAVID MORROW
Mr. Morrow. Thank you, Mr. Chairman.
Mr. Chairman and members of the subcommittee, thank you for
the opportunity to testify before you today.
My name is Dave Morrow, and I'm the Managing Principal for
the Global Security and Privacy Consulting Practice of EDS. I
have over 25 years of experience in the information technology
field as a computer crime investigator, an IT security officer
and an IT manager.
I'm honored of this invitation to present to this
subcommittee on EDS' views of the state of information
technology security in U.S. industry.
I will submit my full testimony for the record and
summarize for you now.
The tragic events of September 11 have brought many changes
to our way of life. One of the changes are the physical
security of public places such as airports and sports venues.
We have witnessed a dramatic increase in the attention being
paid to the security of what our Chairman and CEO Dick Brown
has referred to as today's economic currency; knowledge and
information.
Over the past several years the frequency and severity of
cyber attacks against both government and commercial
infrastructures has increased dramatically. While many if not
most of these attacks are relatively minor, such as website
defacement and simply harassment, others are designed to
cripple, damage or destroy the computer networks they
encounter.
For example, our own EDS network infrastructure detects and
neutralizes over 20,000 viruses, worms and network attacks per
month.
Our economic system is based on trust; trust between
trading and investing partners, trust between consumers and
merchants, trust between suppliers and purchasers. If this
sense of trust is damaged or destroyed, our economy would be
crippled. Maintaining these trust relationships is one of the
most important things we all can do to ensure the continued
development and growth of our information economy.
Since September 11, however, we have seen a great interest
in expression of concern from corporate management and request
for information from our clients about IT security. We've
doubled those requests, especially in the areas of business
continuity planning and overall security best practices.
Tragic is a word and the events of September 11 have helped
drive home the fact that security should be considered an
essential investment rather than simply an expense to be
minimized. Overall, however, I would characterize the state of
IT security industry as poor and struggling to improve. While
many Fortune 500 corporations focus a good deal of attention to
security, many small and medium organizations, both in and out
of government, still leave the bulk of the work of securing
their systems to individuals who perform these critical tasks
as an addition to their normal jobs and have little training to
do so. According to the Federal computer incident response
center, about 90 percent of successful attacks are caused by
the lack of updated software patches, a task that is a basic to
good security practice.
A striking example of this can be found in the fact that
the Code Red worm, which wreaked havoc on numerous corporate
systems a few months ago, took advantage of computer
vulnerabilities that had been identified and corrected by a
software patch months before.
Finally, while we have seen a laudable increase in spending
on many aspects of physical security since 11 September, there
appears to be little increase in funds allocated to
strengthening the security of the commercial information
infrastructure which fuels our economy.
So what can be done? First, we can concentrate on
developing a more coordinated program of industry/government
cooperation that stretches beyond the critical infrastructures
designated by PDD 63 to encompass a wider variety of companies
and institutions.
Also the legislation introduced by Representatives Davis
and Moran is a good start.
Second, we should increase incentives for companies to
allocate the necessary funds to upgrade their IT security.
Today's interdependent electronic economy, a failure of
security in one area, can spread to encompass numerous other
institutions in a very short time.
Third, we should renew our emphasis on security research
and development, especially in developing secure and stable
software for our critical tasks.
Finally, we should work together to continue to develop,
expand and professionalize the cadre of IT security
professionals practicing today. Currently, there are few widely
accepted standards defining what an IT security professional
knows and does. There's also a dramatic shortage of qualified
IT security professionals.
In closing, I would like to reemphasize what is perhaps the
most important point of my testimony today. Security is not a
static goal that we can ever fully achieve. Rather, security is
a continual journey. There is no technical or procedural silver
bullet that will magically solve all security issues. Rather,
good security is a constantly evolving spectrum of processes,
technical tools, policies, and human values that is continually
changing and being updated to meet new threats and risks. Only
by effectively emphasizing all aspects of this spectrum can we
maximize the security and integrity of our national information
infrastructure.
Thank you again for the opportunity to share my thoughts
with you today. I'll be glad to answer any questions.
[The prepared statement of David Morrow follows:]
Prepared Statement of David Morrow, Managing Principal, Global Security
and Privacy Consulting Practice, EDS
Mr. Chairman and members of the Subcommittee, thank you for the
opportunity to testify before you today. My name is David Morrow and I
am the Managing Principal for the Global Security and Privacy
consulting practice of EDS. I have over 25 years of experience in the
information technology (``IT'') field as a computer programmer and
analyst, operations chief, security officer, investigator, and
consultant. Prior to joining EDS I was a security consultant with Ernst
& Young LLP and Fiderus Strategic Security and Privacy Services, a
small start-up consulting firm. I also spent 13 years of a 22-year Air
Force career as an investigator of computer crime for the Air Force
Office of Special Investigations (AFOSI). When I retired in 1998, I was
the chief of the computer crime investigations and information warfare
division for AFOSI. I am honored for this invitation to present to the
Subcommittee EDS' views on the state of IT security in U.S. industry.
The tragic events of September 11 have brought many changes to our
way of life. Along with changes to the physical security of public
places such as airports and sports venues/arenas, we have witnessed a
dramatic increase in attention being paid to the security of what EDS
chairman and CEO Dick Brown has referred to as today's economic
currency: knowledge and information.
Although media attention to cyber attacks has increased in recent
months, the fact is that commercial and government computers have been
under daily attack for many years. However, over the past several
years, the frequency and severity of cyber attacks against both
government and commercial infrastructures have increased dramatically.
While many, if not most, attacks are relatively minor, such as web
site defacement and simple harassment, others are designed to cripple,
damage, or destroy the computer networks they encounter. For example,
our own EDS network infrastructure detects and destroys over 20,000
viruses, worms (programs that spread through a network by reproducing
and transmitting themselves to other network systems), and network
attacks per month.
Over the past several years, cyber attack software such as worms,
viruses, and hacking tools have become both more sophisticated and
easier to use. A computer novice can now download and launch computer
attack software as easily as launching a commonly used commercial
product such as a word processing program.
Although massive attacks against the national information
infrastructure, the so called ``electronic Pearl Harbor'', have long
been predicted and expected, such attacks have, for the most part,
failed to materialize. In the current war against terrorism, however,
the stakes have risen considerably. A massive, coordinated denial of
service attack or a fast spreading program like the recent Nimda worm
could have devastating effects on our economy, especially if the attack
were designed to introduce random changes to various pieces of data on
every system it corrupted, as opposed to simply slowing or halting the
system itself.
Our economic system is based upon trust--trust between trading and
investing partners . . . trust between consumer and merchant . . .
trust between supplier and purchaser. If this sense of trust were
damaged or destroyed our economy would be crippled. Maintaining these
trust relationships is one of the most important things we can do to
insure the continued development and growth of the information economy.
For many years, practitioners of IT security have worried about the
lack of both a sense of urgency and priority for corporate IT security.
Prior to September 11, companies often viewed IT security as a
variable, discretionary expense that lacked a clear benefit to offset
the costs involved. This was especially true in companies in
nonregulated industries where no clear mandatory standards forced a
minimum degree of security planning and structure. Since September 11,
however, we have seen a doubling in requests for information about IT
security, especially in the areas of business continuity planning and
overall security best practices. Tragic as they were, the events of
September 11 helped to drive home the fact that security should be
considered an essential capital investment rather than simply an
expense.
Overall, I would characterize the state of IT security in industry
as poor and struggling to improve. New technical vulnerabilities and
threats, such as viruses and worms, are released on a regular basis.
Many organizations, both in and out of government, still leave the bulk
of the work of securing their systems to individuals who perform these
critical tasks as an addition to their normal jobs. Because of this,
critical security duties, such as making sure software is properly
updated with the latest security patches, is a low priority, if it is
done at all.
The bulk of the problem remains rooted in a lack of continuing,
process oriented attention to basic security principles such as good
password practices, tracking and installing critical software patches,
as well as user training and education on security basics. According to
the federal computer incident response center, about 90% of successful
attacks are caused by the lack of updated software patches.
A striking example of this is found in the fact that the Code Red
worm, which wreaked havoc on numerous corporate systems a few months
ago, took advantage of computer vulnerabilities that had been
identified and corrected by a software patch months before. The patch
had simply not been installed in many of the machines. Another example
can be found in the ease with which many web sites have been vandalized
by exploiting well-known and documented flaws in web server software.
Finally, while we have seen a laudable increase in spending on many
aspects of physical security, there appears to be little increase in
funds allocated to strengthening the security of the commercial
information infrastructure which fuels our economy. While many
companies are attempting to increase security on their own, the
approach is piecemeal as there is no incentive from the government for
companies to coordinate their efforts with their industry partners,
suppliers, and customers. Such incentive is vital, especially in the
current economy.
What can be done?
First, we can concentrate on developing a more coordinated program
of industry/government cooperation that stretches beyond the critical
infrastructures designated by Presidential Decision Directive 63 to
encompass a wider variety of companies and institutions. Programs such
as the FBI's Infragard are a good start, but more needs to be done to
bolster the commercial sector's level of trust in the government. As an
investigator of numerous network attacks, I can attest to the fact that
coordinated information sharing among victims of an attack is essential
to halting the attack and identifying the attacker. Companies should
not be penalized for acting together for the common good. Legislation
introduced by Representatives Davis and Moran is a good start.
Second, we should increase incentives for companies to allocate the
necessary funds to upgrade their IT security. In today's interdependent
electronic economy, a failure of security in one area can spread to
encompass numerous other institutions within a very short time.
Security of all networks should be viewed as something we do for the
good of society as a whole rather than as a discretionary cost to be
reduced or eliminated when times are difficult. We believe that the 30
percent bonus depreciation provision included in the House-passed
economic stimulus bill would be a big help in this regard. We also
think measures that specifically target investments in security and
technology, such as those introduced by Representatives Weller and
Upton, would be very helpful.
Third, we should renew our emphasis on security research and
development, especially in developing secure and stable software for
our critical tasks. A permanent extension of the research and
development tax credit could be part of the solution here.
Finally, we should work together to continue to develop and
professionalize the cadre of IT security professionals practicing
today. Currently, there are few widely accepted standards defining what
an IT security professional knows and does. Given the critical role
these professionals currently play in our society, we need to insure
that we have only the best and most trustworthy individuals guarding
our systems.
As a last point, I would like to reemphasize what is perhaps the
most important point of my testimony today. Security is not a static
goal that we can ever fully achieve. Rather, security is a continual
journey. There is no technical or procedural silver bullet that will
magically solve all security issues. Rather, good security is a
constantly evolving spectrum of processes, technical tools, policies,
and human values that is continually changing and being updated to meet
new threats and risks. Only by fully utilizing all aspects of this
spectrum can we maximize the security and integrity of our national
information infrastructure.
Thank you again for the opportunity to share my thoughts with you
today.
I will be glad to answer any of the Subcommittee's questions.
Mr. Stearns. I thank the gentleman.
Ms. Davidson?
STATEMENT OF MARY ANN DAVIDSON
Ms. Davidson. Mr. Chairman and distinguished members of the
subcommittee, thank you for the opportunity to address you
today.
I'm Mary Ann Davidson. I'm the Director of Security Product
Management for Oracle Corporation. Oracle is the second largest
software company in the world, and we are a large provider of
secure information management systems to both commercial and
governmental customers. A number of our customers are involved
in national defense or intelligence activities.
Information was on the ascendancy long before the horrific
events of September 11 became seared into our national
consciousness, and information security remains in our thoughts
as we now move to strength our defenses. As ghastly as attacks
on our physical infrastructure have been, how enticing would it
be to our Nation's enemies to attack our critical
infrastructure from cyberspace, where there are no borders, and
evildoers can attack us from virtually anywhere, via a computer
and a modem?
The information security explosion began several years ago
and has accelerated with the growth of the Internet, which has
been good news for providers of secure systems and those who
depend on them. As more companies have embraced the Internet,
security has moved from an afterthought to an essential part of
business infrastructure. In that sense, the commercial world is
merely catching up to the U.S. Government in terms of the
importance it places on information security. Prior to the
Internet, the requirements for strong information security were
almost solely driven a select set of ``professional
paranoids,'' and I mean that kindly, such as intelligence
agencies, the Department of Defense and financial institutions.
These organizations have understood for years that information
security is central to their operations; they are literally out
of business without it. For organizations only recently joining
the ranks of the security-aware, for example, by becoming
ebusinesses, the threat that one's mission-critical systems--
now exposed to customers and partners--could be compromised has
clearly elevated security on their radar screens.
The good news in cyber security is that, while there is
still no magic bullets--that's a popular phrase today--there
are many steps that companies, whether they're suppliers or
consumers of information technology, can take are taking to
protect themselves. It's important to note, however, that both
consumers and providers of information technology have
responsibilities.
Consumers of information technology have a requirement to
make security a purchasing criteria. I'm sure you're familiar
with the expression that if you don't vote, you lose the right
to complain about the election afterwards. This is also true in
security. If you do not make it a purchasing criteria, you lose
the right to complain afterwards if you've been hacked.
The other thing that consumers need to look for is
independent attestations to the security-worthiness of a
solution. And there are, in fact, international standards of
what it means when you say you're secure. For example, the
International Common Criteria, which is an ISO standard, lays
out the requirements for vendors of secure products to have
their solutions verified by independent third parties. That way
it is not merely the vendor's say so that they are secure. And,
in fact, no vendor will stand up and tell you that they have a
security hole big enough to drive the QE III through. They'll
all say that they're secure.
The government has long recognized the value of independent
third party attestations, and in fact there are directives
which require people to procure products that have been
independently evaluated, such as NSTISSP No. 11. I think it
would be important to bring something like that, which I
believe goes into effect July next year, forward in a post-
September 11 world.
It's also important for the government not to deviate from
these requirements. Every time sometime grants a waiver on a
Federal procurement, you're effectively saying we said security
was very important, but we didn't really mean it. There are
many vendors who do provide evaluated product, and I think it
would be important for the government as a large consumer of
secure information systems, to get what they pay for.
Vendors, of course, also have many requirements to provide
better cyber security. One of them is to commit to a secure
product life cycle; that means everything from building
security into your engineering process because you can't add it
after the fact, to being very aggressive in treating security
vulnerabilities and notifying a customer base when there are
problems in our product suites.
Commitment to standards is also important. The more that
security is easy to work with and fits together cohesively, the
more widely deployed it will be and the better it will work. By
cooperation on industry standards, it will facilitate the
delivery of secure products and it will give consumers better
choices. You don't get good products in a monopoly market. The
more that there are standards, the more strong security
providers you can have, the more secure will be the result in
systems.
Vendors also have a responsibility to think like hackers.
Hackers, 98 percent of whom really just want bragging rights
when they break into your system, they don't intend to use the
information maliciously. It's important for companies to use
that type of thought processes to defend their own systems,
very much like the Department of Defense conducts war games.
Another requirement among vendors of secure systems is to
join industry ISAC. As the expression goes, either we hang
together or we shall all hang separately. And typically when
someone does break into your system, they will try the exact
same tact on someone else's system or someone else's product.
So it's really important to cooperate. And I believe members of
the ISAC are represented here today.
In conclusion, I would like to remind you--I guess I'm
quoting you Mr. Chairman quoting me--but as with liberty, the
price of security is eternal vigilance. We all have a
responsibility to pay attention to it and to continue to
elevate it our consciousness.
Thank you for your time. I'll be happy to answer any
questions.
[The prepared statement of Mary Ann Davidson follows:]
Prepared Statement of Mary Ann Davidson, Director, Security Product
Management, Oracle Corporation
Representative Stearns, distinguished members of the House of
Representatives: Information security was on the ascendancy long before
the horrific events of September 11 became seared into our national
consciousness, and information security remains in our thoughts as we
now move to strengthen our defenses. As ghastly as attacks on our
physical infrastructure have been, how enticing would it be to our
nation's enemies to attack our critical infrastructure from cyberspace,
where there are no borders, and evildoers can attack us from virtually
anywhere, via a computer and a modem?
The information security explosion began several years ago and has
accelerated with the growth of the Internet, which has been good news
for providers of secure systems and those who depend on them. As more
companies have embraced the Internet, security has moved from an
afterthought to an essential part of business infrastructure. In that
sense, the commercial world is merely catching up to the US government
in terms of the importance it places on information security. Prior to
the Internet, the requirements for strong information security were
almost solely driven by a select set of ``professional paranoids,''
such as intelligence agencies, the Department of Defense, and financial
institutions. These organizations have understood for years that
information security is central to their operations; they are literally
out of business without it. For organizations only recently joining the
ranks of the security-aware, e.g. by becoming ebusinesses, the threat
that one's mission-critical systems--now exposed to customers and
partners--could be compromised has clearly elevated security on their
radar screens.
The good news in cybersecurity is that, while there are still no
security magic bullets, there are many steps that companies--whether
they are suppliers or consumers of information technology--can take and
are taking to protect themselves. Consumers of information technology
need to be discriminating; they must make security a purchasing
criteria, and hold vendors accountable through independent proof of
information assurance. They must create a ``culture of security''
within their own organizations, so that security is not diminished by
the ``weakest link'' of a careless or unknowing employee. Vendors of
information technology need to cooperate on security standards to
facilitate the growth of secure systems, and commit to a secure product
lifecycle. Paradoxically, vendors need to both join industry
organizations that share information about hacker threats, and embrace
the same hacking techniques that expose so many security
vulnerabilities (i.e. to detect and mend vulnerabilities in their own
products and networks).
In order for any organization to secure their infrastructure, they
need to make security a purchasing criteria. Organizations must assess
their security requirements--and not deviate from them--as part of
system design. If security is not built into a product or system from
the get-go, it is often impossible to retrofit it after-the-fact.
Organizations also need to look at the total cost of securing a system,
including assessing the lifecycle cost of security, such as how often
they will have to patch their systems due to significant security
vulnerabilities. While no product is bug-free, an ostensibly secure
product, for which a vendor is constantly issuing security patches, is
a sign that the vendor did not pay enough attention to security during
design, and at some level does not ``get it,'' or care about security.
More importantly, often the single easiest way hackers break into
systems is through public vulnerabilities for which the patch has not
been applied. A vendor issuing a patch per day or every other day for
their product suite is, in effect, building insecure and unsecurable
systems.
Industry has begun to recognize the disparate cost of securing
products (from competing vendors) through the pricing mechanisms of
hacker insurance; products with comparatively poor security track
records are priced at a premium relative to their more secure cousins
by the companies offering such insurance. For example, one widely-
deployed operating system carries a 25% risk premium relative to other
commercial operating systems because of the difficulty in securing it.
While the government ``self-insures'' against cyberattacks, the higher
risk premium should serve as a signal to the government, as it does to
the commercial sector, that a system is riskier and less secure to
deploy. Lest we forget the stakes: it is impossible to put a price on
national security.
One easy measure of the security-worthiness of products is that of
formal, independent security evaluations against objective criteria of
``what it means to be secure.'' There have been many such criteria
emerging in the past 15 years, including the US Trusted Computer
Systems Evaluation Criteria (TCSEC or ``Orange Book''), the UK
Information Technology Security Evaluation Criteria (ITSEC), the
Russian Criteria, and most recently, the international Common Criteria.
The Common Criteria is an International Standards Organization (ISO)
standard (15408), and as such, is the de facto worldwide standard for
independent security evaluations. An independent security evaluation
against the Common Criteria is mutually recognized by multiple
countries, including the US, the United Kingdom, Germany, and most
recently, Israel. This enables a vendor to create a single product
``acknowledged to be secure'' in many major markets.
The US Federal government has already realized the value of
independent security evaluations, as witnessed by the many Federal
procurement programs (for example, in the Department of Defense)
requiring that a product has completed a formal security evaluation.
The National Security Telecommunications and Information Systems
Security Policy (NSTISSP) No. 11 requires (as of July 2002), that
procurement of commercial off-the-shelf (COTS) information assurance
(IA) and IA-enabled IT products to be used on systems entering,
processing, storing, displaying, or transmitting national security
information be limited to those which have independent security
evaluations (i.e. against the criteria outlined above, or the Federal
Information Processing Standard (FIPS)-140, which attests to the
correctness of cryptographic modules).
Information assurance efforts are undermined by procurement efforts
which bypass these directives. Each time a procurement waiver is
granted that evades the requirement for evaluated product, it negates
the value of information security, and the efforts of vendors who do
comply with Federal directives. An independent security evaluation of a
large complex product, such as a database server, represents about
$500,000 of additional security quality control, by someone other than
the vendor. Independent security evaluations are the ``good
housekeeping seal of security,'' and customers of information security
products neglect or negate them at their peril. As the saying goes
``you get what you pay for;'' the US Federal government, as perhaps the
largest consumer of secure systems, must demand better security in
their procurements and accept nothing less.
An important factor in a strong cyberdefense is the level of
awareness of the entire organization--not merely the information
technology (IT) department--of the importance of security. The creation
of a ``culture of security'' is a factor in any organization's
cyberdefense, for the reason that you can never hire enough
``cyberpolice'' to secure your infrastructure without the cooperation
and awareness of the users of the infrastructure. The best security
policy in the world can be defeated by users who are ignorant of their
responsibilities under it, or who deliberately flout security policies,
much as an alarm system will not protect your home if you leave the
door unlocked, or the spare key under the mat. Not every organization
requires a culture of security on the order of the National Security
Agency; yet every organization has secrets. Creating and enforcing
security policies must go hand in hand with employee education and
awareness. Most employees want to do the secure thing, but they need to
know what it is.
Industry associations such as the IT industry ISAC (Information
Sharing and Analysis Center) finds multiple organizations unified
against a common threat of cyberattack. Hackers have a nasty habit of
repeating prior successes; as one discrete type of vulnerability is
exposed, the hack is repeated through similar products from that
vendor, or from other vendors. An organization that shares information
about a threat to it, whether it is outright attacks on that
organization's networks and systems, or a vulnerability in their
product--even at the risk that the vulnerability will be used against
it by a competitor--helps strengthen the entire nation's critical
infrastructure. As the saying goes ``we must all hang together or we
shall surely hang separately.'' Fierce business rivals can and are
cooperating in industry ISACS, including the IT industry ISAC. IT ISAC
alerts are part of the early warning system for cyberattacks; many of
the companies whose products are the foundation of the nation's IT
infrastructure are members of the IT industry ISAC.
The cooperation of many vendors upon common security standards
facilitates a secure infrastructure in several key ways. One of them is
that a protocol that is well-defined and subject to peer review is, all
other things being equal, more likely to be secure than one that is
proprietary and shrouded in secrecy. ``Security by obscurity,'' the
practice of hiding a product's security mechanisms and hoping someone
cannot discover a weakness, does not work. Hackers are all too clever
at reverse-engineering code and finding security weaknesses. If it's
not secure under the light of day, it is not secure at all. Consumers
of secure systems should seek security standards-compliant product, as
it increases the chances that the security works, and will work with
other related products.
Another way in which standards facilitate better security is that
it is easier for vendors to integrate security into their products;
security is easier to deploy and more widely-deployed when there are
common integration interfaces. Finally, the growth and adoption of
standards goes hand in hand with market expansion, and this provide
consumers of security-related products with greater choice of higher
quality products. You just do not get good products in a monopoly
market dominated by proprietary security mechanisms, or one in which
security solutions are fragmented and do not work together.
An example of this is the growth of public key infrastructure (PKI)
a security technology with important applications including network
encryption (e.g. via the Secure Sockets Layer, an Internet standard)
and digital signatures, which can enable non-repudiation of electronic
transactions. The PKI market has been slow to grow, because ``I'' is
the operative word: deployment of a PKI requires major infrastructure
changes in all products that use it, which has historically been
expensive and difficult. Until recently, many vendors of PKI products
and services were more concerned with pushing their proprietary
technology than cooperating on standards, and growing the market. It
has only been with agreement upon and adoption of standards that PKI
has been broadly deployable.
Private industry offers many specific cybersecurity technologies
that can potentially enable us to better secure other aspects of our
nation's critical infrastructure. For example, one of the lessons of
September 11 is the necessity of sharing data among interested parties,
real-time, while preserving ``need to know.'' At the same time, the
needs of national security and privacy must be carefully balanced, so
that the privacy of all is not compromised to identify the few who are
malefactors. For example, ``watch lists'' could be compared against
airline reservation databases, and only those matching records culled
and labeled so that those with ``need to know'' could access them.
Suspect names from intercepts from one entity could be centralized in a
database, with selected access by other law enforcement agencies. The
data, of course, needs to be labeled with appropriate security
classifications and compartments, and may be relabeled real-time to
facilitate information sharing among greater or lesser groups of law
enforcement organizations, intelligence agencies and other parties with
need-to-know.
Commercial technology exists today from Oracle Corporation that
enables multiple companies' data to be stored in the same database,
ensuring that Company A only sees Company A's data, and Company B sees
Company B's data. Data may also be accessed by both companies (for
example, if they are trading partners), and can be natively labeled
with sensitivity classifications (e.g. ``Company Confidential: A and
B'') much like government classifications of fine granularity (e.g.
``Secret'' or ``Top Secret: Project X''). The ability of commercial
off-the-shelf software to natively manage data ``owned'' by different
entities, and label data with sensitivity classifications, allows both
separation and sharing of data, real-time. We believe this technology
to be even more valuable in ensuring national cybersecurity than it is
for supporting hosted information systems, exchanges, and ``communities
of interest'' on the Internet, where it is currently used.
The practice of ``ethical hacking'' is being employed by many
companies as a cyberdefense, much as the armed forces conduct wargames.
The notion is simple: break into your own systems--or, in the case of
software and hardware providers, break into your products--before
someone else does. Learning how to think like, and act like a hacker
makes it easier to build hack-resistant or hack-proof product.
``Lessons learned'' from hacking attempts can be used to educate IT
professionals and product developers, as well as continuously improve
engineering processes. Ethical hacking is an important weapon in a
company's security arsenal.
Ironically, the best cyberdefense for our infrastructure may be the
hacking community itself. The vast majority of hackers merely want
``bragging rights'' among their peers for discovering a security
vulnerability; they are not malicious with that knowledge. The more
that hackers expose product vulnerabilities and contact the vendors
whose products they so creatively break into, giving them time to
address the vulnerabilities, the more secure the resulting product is.
As much as no vendor likes hackers going after their product, we learn
from them and we build better product because of them. It's not too far
fetched to think that a ``cybercorps'' of hackers can measurably help
secure the nation's critical infrastructure against the hackers of a
malicious foreign power.
There are no security magic bullets. Industry and government,
consumers and purveyors of information technology: each must each do
his part. The price of cybersecurity, as with liberty, is eternal
vigilance.
Mr. Stearns. I thank the gentlelady.
Mr. Klaus?
STATEMENT OF CHRISTOPHER KLAUS
Mr. Klaus. Chairman and members of the subcommittee, thank
you for giving me the opportunity to testify today.
I'm the founder and chief technology officer of Internet
Security Systems. I've been in security for about 10 years. And
Internet Security Systems has grown to be a global company and
pioneered in the area of intrusion detection, vulnerability
assessment, finding a lot of the holes that are on the Internet
today. And we put together a team we call X-Force. It's about
100 security researchers who do nothing but examine all the
latest vulnerabilities proactively examining various vendors'
products. We've worked with several companies that are here on
the panel in terms of helping identify issues, working with
them to correct a lot of security holes in their products so
they can be more robust. And we have a data base of over 10,000
vulnerabilities and threats. So we're kind of like the CDC for
computer vulnerabilities.
I guess was looking to address, how have we changed since
9/11. I think, overall, companies are getting more serious
about security, but I think there are some other factors that
have increased the awareness of security. It's really been the
automated attack tools out there, Code Red, Nimba that have
proliferated and has had probably the most dramatic effect that
I've seen in my history of security in terms of talking to
companies where almost company I've talked to has been nailed
by Nimba and has been infected all over their network. And one
of the ramifications of that has been a shift in probably the
leadership within the security groups of large companies.
Probably a year ago or more you'd go into a company and
you'd talk to them. And the person in charge of security was
somebody whose real technical. He could explain the bits and
bytes of security. In the last 6 months we've seen, you know,
almost everybody I meet who is charge of security now is
somebody who had nothing to do with security in the past, who
was a business person focused in on solving the security issue
for corporations. And it makes it easier for us, because we're
able to talk with them and they're able to translate the bits
and bites to getting more resources, putting in the proper
policies, etc, for a lot of the companies out there. So we're
seeing an increase within the priority of elevating somebody in
terms of business.
So it's happening on the private sector, and I think it's
also happening within government where we're seeing like
Richard Clark being in charge of security reporting up to the
President. So that's all improvements.
One of the things that, you know, there's a lot of people
screaming ``security, security, we need more it.'' And I wanted
to kind of just talk about, you know, how real is the security
issue or how real is cyber terrorism.
Last week I was with Howard Schmidt at a conference, and we
talked about a lot of the security issues and how real are
they. And I think a lot of the automated attack tools like the
Nimba, were not designed to be that bad. They were bad, they
speak all over, they caused a lot of people to clean up a lot
of machines, but realistically without much development cost.
If you tried to add in some additional malicious features like
after 2 hours of being infected and trying to spread itself,
someone could easily make a program to go out and try to erase
the hard drives of not only the computer itself, but all the
computers on the network.
We're also seeing the capability of sharing very sensitive
files. I think SirCam virus would email personal files off your
computer to your friends without your permission. And I've had
several friends that were like ``Oh, my God. I'm glad certain
files did not get out.'' You know, it just happened that it was
very limited in number of files.
But with Nabster like program out there, even though
Nabster itself is not as popular, there's been a ton of other
Nabster like clones out there where if somebody wanted to, they
could share lots of sensitive data across the Internet. And to
that extent, it would probably take about 2 months to develop a
much more malicious attack that utilizes the same capabilities
of Nimba, Code Red. So it is very real in the potential that
somebody could do that.
Some of the other threats out there we've discussed, such
as DNS attacks. The domain name services. When you type in
``whitehouse.gov,'' it uses the DNS service to translate that
into basically the IP address. It's like a lookup of all the
addresses on the Internet.
All the DNS servers, there's only 13 DNS servers that
represent the core root of all DNS servers. So with 13 machines
out there, somebody if they were clever, just like they could
try and bring down the whitehouse.gov with a flood or a denial-
of-service, you could attack 13 DNS servers and bring down the
ability to look up addresses on the Internet. And if you can't
look up addresses on the Internet, a lot of businesses are
going to have trouble communicating with their other partners,
etc. So that's an area that could easily be improved on.
And also denial-of-service. We're seeing that, going back
to consumers, most of the threat of denial-of-services actually
originate from the fact that so many people are logging on to
cable modems, DSL servers, DSL modems and the fact that they
don't have a personal firewall or any protection on their home
computer. And those computers are being infected or compromised
in large numbers, and it's very easy to use 10,000 home
computers on a cable modem to attack any network in the world
and have a dramatic effect on their ability to do business.
Some of the solutions out there that we're seeing companies
starting to do. Penetration testing, security assessments. They
call up and say, ``hey, how do I secure myself?'' And, you
know, first up in any problem is first the assessment. And so
many companies haven't done any kind of assessment. They're
rolling out new ebusiness applications on their websites.
We go into banks all the time where on the Internet you can
get right in there and basically get into--if you want to talk
about identity theft, you can easily steal all the data
information right off their website.
The other thing that was kind of surprising to me is about
2 months ago I was at a banking conference. And it was all the
IT guys, the guys who really know what's happening in the
banking infrastructure. And I was ``Like how many people here
are doing any kind of around the block, 24/7 monitoring from a
security perspective over their network?'' So if someone tries
to break in and steal credit cards, would somebody notice. And
everybody put their head down, because nobody was doing it. And
then they looked around and said ``Oh, okay, I guess we're not
alone in not monitoring the network.'' So with that, I said how
many think within the next 5 years will you be doing monitoring
around the clock? And they all raised their hands, and said
``Yes, that would be a good thing.'' So, there's a lot of
things out there that people can be doing to improve security.
I would say with government, the ISAC are a good movement
forward. And I think that within government a lot of times I
hear questions about should government regulate security, etc.
Probably one of the things that we'd recommend is just working
with government to make themselves a good example for others.
Because a lot of international governments or governments
outside the U.S. are saying what do we do about security and
they would like to look to the U.S. Government as a prime
example. And right now it's slowly turning around to become
better.
So, thank you.
[The prepared statement of Christopher Klaus follows:]
Prepared Statement of Chris Klaus, Founder of Internet Security Systems
My name is Chris Klaus and I am the Founder of Internet Security
Systems, known as ISS. ISS is the pioneer and leading provider of
information protection solutions. We are headquartered in Atlanta with
additional offices throughout the U.S. and international operations in
Sweden, Italy, Belgium, England, France, Germany, Japan and Latin
America. ISS is a trusted advisor to most large U.S. commercial banks
and several government entities. Founded in 1994, ISS has experienced
phenomenal growth as we have addressed the critical need for companies
and governments to protect their information systems.
Every day, Internet Security Systems stops criminal hackers and
cyber-thieves by researching computer vulnerabilities and threats and
offering a unique, proactive line of defense for an ever-changing
spectrum of threats. More and more individuals are using the Internet
for business-to-business warfare and corporate espionage, international
cyber-terrorism, or to generally cause havoc and mayhem in our
technology infrastructure. ISS dynamically protects online assets
through development of the most current protection products available
and cost-efficient Managed Security Services. We also monitor networks
and systems around the clock (24 x 7 x 365) from the US, Japan, South
America, and Europe in our six Security Operations Centers and our
Global Threat Operations Center in Atlanta. We search for attacks and
misuse, identify and prioritize security risks, and generate reports
and analysis explaining the security risks and what can be done to fix
them. At the heart of our solution is our team of world-class security
experts focused on uncovering and protecting against the latest
threats. This team of global specialists, dubbed the X-Force,
understands exactly how to transform the complex technical challenges
into an effective, practical, and affordable strategy. Because of all
of these capabilities, companies and governments turn to us as their
trusted computer security advisor.
the tragic events of september 11 have heightened awareness of the need
for cyber security. protection is no longer a backroom discussion, and
security is no longer something businesses are willing to consider
after the fact.
The threat of terrorist attacks against U.S. citizens and U.S.
interests around the world has become the nation's most pressing
national security issue. Even more likely are cyber attacks aimed at
further disrupting U.S. interests and business, or sympathizers with
general anti-U.S. and anti-allied sentiments. During the past five
years, the world has witnessed a clear escalation in the number of
politically motivated cyber attacks often resulting in embroiling
hackers from around the world in regional disputes, this to the
detriment of the corporations and government networks, specifically
targeted or innocently attacked.
Over the course of the last three months, hackers have launched
sophisticated attacks, including Code Red II, Code Blue, and Nimda and
the Nimda.E attacks. A 2001 industry survey conducted by ``Information
Security,'' released on October 16, indicated that out of 2,100
respondents, an overwhelming 89% experienced virus, worms, or trojan
breeches in the last three months. This is up from 80% a year ago, even
though 87% of respondents had deployed anti-virus software. This
indicates the importance of constantly managing the growing and
changing threats on the Internet and the growing complexity of
corporate and government networks. Moreover, the percentage of those
reporting Web server attacks increased over the past year from 24% to
28%. These attacks cost the industry billions in lost productivity and
system downtime.
The writing is not only on the wall, it is on the front page of
every newspaper in the democratic world, as well as on the minds of
corporate officers and directors around the world. The network is the
gateway to our assets, and it is the lifeblood of corporations and
governments. Quite simply, it must be protected.
The tragic events of September 11 have highlighted the need for
increased cyber security. More attention is being paid to detection
needed to ward off cyber terrorism. We are seeing this at a policy
level here in Washington and in other governments that we serve around
the world. The same trend is occurring in state and local governments.
We are also seeing it on a demand level in terms of the number of
inquiries that are coming into our business. As a result, we are
engaging in much broader and more strategic risk management
discussions, which include the network and the overall protection
strategy for the network.
Information is currency in today's global economy. Any organization
with critical information assets stored on a network is at risk. The
lone hacker may grab headlines, but industrial espionage, employee
sabotage and simple disabling attacks actually constitute the vast
majority of attacks against information resources.
These incidents rarely make the evening news, but they add up to
additional billions in business losses each year. We pay for these
incidents through higher prices for goods and services, lower stock
price valuations, increased insurance premiums for online business
operations and consumer reluctance to adopt efficient, innovative
online business opportunities.
These attacks against information resources are a significant
threat to our economic base and our national security. The unfortunate
truth is that relatively few organizations are prepared to understand,
let alone confront, the threats to information critical for normal
business operations. Security specialists are in short supply, and
command premium salaries. The cost of this expertise is out of the
reach of many organizations. Meanwhile, the dollar losses continue to
mount.
It's no mystery how this situation has come to pass. The Internet
is designed for rapid, simple communications. That's what allowed it to
grow from an academic research network into the World Wide Web, and
allowed everyone from individual users to multinational corporations to
invent new ways to reach out to each other.
Since security is not part of the Internet's fundamental design, it
must be added after an application is written, a system is deployed
and/or staff has been trained. In spite of increasing legal, financial
and regulatory incentives to invest in security solutions, very few
businesses focus on security as part of their core competence. Security
measures, therefore, do not receive the attention that other, more
profitable business operations demand. Tight budgets and overworked IT
staff create an almost irresistible temptation to skimp on security
until a crisis occurs.
No one builds a house, then fits the doors for locks after a family
moves in. No one adds tail lights and a horn to a car two weeks after
it leaves the dealer's lot. And yet, that is exactly how we graft
security onto our computer code. We need a more cost-effective means to
protect the availability, integrity and confidentiality of electronic
information. We need to make security part of the basic design of our
information technology infrastructures.
in responding to our customers to priority of protecting their
information infrastructure, iss has developed a common system to manage
threats and vulnerabilities across the entire threat spectrum.
A resounding request from our customers is to deliver systems that
incorporate the ability to monitor and protect a broad spectrum of
threats across their desktops, networks, and servers. This
simplification in the market is being driven by the customers needs to
protect the environment with an effective system while understanding
that the total cost of ownership is critical to enterprise deployment.
Security is quickly evolving and consolidating into two key
foundational elements: inclusion and exclusion. Inclusion represents
the security products which allow users to access the resources of a
network or a system. These products include authentication
authorization and the associated technologies which enable these
functions, such as directory management systems, PKI, Smart Cards,
tokens, authentication interfaces like biometrics and other forms of
authentication.
The second element of security is exclusion, defined as how do I
keep unwanted elements off of my system? ISS defines this as
protection, and we are leading the way to incorporate a number of
innovative technologies into a single common agent to protect the
system from the vast array of threats, including threats from content,
trojans, worms, denial of service exploits and ultimately misuse by
trusted or unauthorized users.
What is needed is better protection, less complexity, lower cost of
ownership and 7 x 24 services to augment and assure the integrity of
the network and the support of the internal security operations. The
ideal solution is a single agent to protect a system from threats, as
opposed to several different products from several different vendors,
which are not integrated.
To protect themselves from all threats and minimize their
vulnerabilities, companies need systems that will prevent and detect
security risks at every potential point of compromise on desktops,
servers, networks, and gateways. Earlier this year, ISS unveiled the
industry's first pervasive protection platform strategy. Our unique
product, Real-SecureTM, converges intrusion detection, security
assessment, active blocking, and malicious content and code protection
capabilities to protect against the converging and broader threat
spectrum. Last month, we announced the next major component of our
protection platform known as Site-ProtectorTM. As a result of this
unified product, customers will be able to control, monitor, and
analyze their security protection systems from one central site
enabling them to dramatically simplify their security management,
reduce their total cost of ownership, and increase the scale of
management across broader segment of the network.
america has received a wake up call that cyber security is important
and can no longer be ignored.
ISS' vast experience with security breaches has caused us to
realize how crucial a secure infrastructure is to the safety and
security of our society. Computer security products empower
organizations to proactively monitor, detect and respond to increasing
network vulnerabilities and threats to enterprise information. These
products provide the tools vital for protection in today's world of
global connectivity. The public needs to be aware of the breadth of
possible security breaches. Government can help realize this goal by
focusing more attention and funds on computer security. This includes
educating and training the human resources necessary to implement the
necessary security measures. Our extensive experience has shown that
computer crimes are increasing and will continue to do so. Web sites
are an important tool in helping government be more responsive and
effective, but they are often a target for computer crime. Web sites
should be set up in a secure manner and protected once they are set up.
Everyone must learn that protection of our National Infrastructure
requires everyone to properly update and protect their system, much
like using a seat belt before you leave the parking spot. Government
must be seen as a leader in protecting its systems and in assisting
corporate and private Americans to do the same. Unless the U.S. invests
the necessary resources in this area, America's critical infrastructure
will be at risk.
Mr. Stearns. I thank the gentleman.
Mr. Casciano, for your opening statement?
STATEMENT OF JOHN P. CASCIANO
Mr. Casciano. Chairman Stearns, Congresswoman DeGette and
members of the subcommittee, I'm very happy to be here today to
support your investigation into cyber security in U.S.
industry.
My name is John Casciano. I manage the Secure Business
Solutions Group for Science Applications International
Corporation, otherwise known as SAIC.
As you may know, SAIC is the largest employee owned high
tech company in the United States, about $6 billion in
revenues. And we support both commercial and government clients
around the world.
With your permission I would like to submit my formal
testimony for the record.
Mr. Stearns. By unanimous consent, so ordered.
Mr. Casciano. And I look forward to your questions.
For perspective, I've been involved with cyber security
matters for many years in both government and industry. I come
from a background of 32 years in the United States Air Force
where I had the privilege of commanding organizations that were
responsible for developing and operating defenses against cyber
attacks, some of which have been reported in the press. Things
like Solar Sunrise and Moonlight Maze.
I continue to be involved in Department of Defense cyber
security issues today. For example, I served on the 2000
Defense Science Board Task Force on Defensive Information
Operations and was also one of the handful of ``outside''
reviewers on last year's National Intelligence Estimate for
Information Warfare threats.
As I mentioned, today I run a business that is oriented in
the commercial world. And as you know, for the last 5 years or
so we've all exposed to reporting on threats and
vulnerabilities to our information infrastructure, and I need
not recount them here. Suffice it to say they exist, they are
real and have had some impact on the privacy of Americans and
on the conduct of American business in the information age. The
thing that concerns me is that the security problems, if they
are in fact reported at all, tends to be one or 2 day media
stories and then they recede into the background, and yet the
issues they raise are fundamental to American values and to the
future of our way of life and, in fact, our prosperity as a
Nation. They represent a legitimate constitutional concern as
well as an economic security concern.
Of course, there are lots of reasons cyber security hasn't
risen to the level of public consciousness that I believe it
deserves. First, it's difficult to understand what I call the--
it has a high geek factor. And second, it's not yet resulted in
massive losses to individuals or businesses.
The incidents of identity theft, release of private data,
theft or proprietary information and impacts on the bottom line
is apparently at a tolerable level for most people.
Since our focus today is on business, let me make a couple
of comments on the business response. First, many managers
aren't really attuned to the problem. Part of the reason is the
geek factor that I mentioned a minute ago, but part of it
relates to the business case for investing in security. For
many managers the problem is tossed to this chief information
officer or to the technical staff to solve, but without the
resources or the clout to implement and enforce strong
security. Until cyber security becomes a CEO and a board of
directors issue, it will not get the attention or the
investment that it needs.
In addition, except for some enterprises such as financial
institutions, the business case for investing in cyber security
either hasn't been made or hasn't been accepted. Every internal
investment effects the bottom line, and that's certainly true
of the cost of security. If losses due to poor security are
generally tolerable, managers will limit their investment.
Second, there's what I call the search for the magic black
box, not the magic bullet, the single technology solution to
the problem. It's my belief that there is not one there today,
nor will there be in any future that I can envision. What needs
to be better understood is that good security depends on three
interdependent components: People, process and technology. If
you don't combine all three, I think you are lacking. I think
the national security community understands this, but I'm not
sure that business in general does.
The final comment that I'd like to make relates to the rule
of government in supporting cyber security in business. First,
I think government needs to set a better example of good cyber
security practice. This should include steps to maintain and
raise the information security posture in departments and
agencies over time. They must maintain and expand funding for
cyber security, and they need to encourage reasonable standards
for security projects and processes. The recent grades assigned
to government agencies by the Congress for their 2001 security
responses are half grades and are very disappointment.
Second, I think government needs to promote a favorable
environment for cyber security. This includes steps to fund key
research, more investment in training and education, and the
granting of legal relief under the Freedom of Information Act,
anti-trust and other regulations which currently impede
industry cooperation in the planning and sharing of cyber
threat and vulnerability information.
Finally, I think there should be subsidies for cyber
protection in industries that are especially sensitive to
threats and which are probably least able to defray the cost
for cyber protection.
On balance, I'm cautiously optimistic, but much remains to
be done.
I look forward to your questions. Thank you.
[The prepared statement of John P. Casciano follows:]
Prepared Statement of John P. Casciano, Senior Vice President and Group
Manager, Secure Business Solutions Group, Science Applications
International Corporation
Chairman Stearns, Congressman Towns, and members of the
Subcommittee. I am pleased to be able to support your examination of
cyber security in US industry and of how industry can effectively
protect itself against cyber threats. This is a complex and
multifaceted challenge. Today, I would first like to highlight briefly
a few of the major threats and vulnerabilities related to cyber
security for American businesses, and then discuss approaches the
private sector can take at reasonable cost to increase its own levels
of cyber protection and assurance. Finally, I'd like to address some
steps the Congress could consider in promoting and encouraging an
improved cyber security posture for US industry.
For perspective, I have been involved with cyber security matters
for some time both in government and in industry. During my 32 years of
service in the US Air Force, I had the privilege of commanding both the
Air Intelligence Agency and what is now known as the Joint Information
Operations Center. In those assignments, I had responsibility for both
the Air Force Computer Emergency Response Team and the Air Force
Information Warfare Center, and had the opportunity to observe and
direct the development of information technology capabilities for both
defensive and offensive purposes in support of Joint operations. More
recently, while on the US Air Force Headquarters Staff, I participated
in developing and managing the response to the real world cyber attacks
against the Department of Defense information infrastructure that came
to be known as Solar Sunrise and Moonlight Maze. I continue to be
involved in Department of Defense cyber security issues through pro
bono work. For example, I served on the 1999 USCINCSPACE Summer Study
on Computer Network Defense and on the 2000 Defense Science Board Task
Force on Defensive Information Operations. I was also one of a handful
of ``outside'' reviewers for last year's National Intelligence Estimate
on Information Warfare threats.
I retired from the Air Force in 1999, and for the last two and a
half years have become involved in cyber security in the private
sector, serving both government and commercial clients. Currently, I
manage the Secure Business Solutions Group, the information security
practice at Science Applications International Corporation (SAIC). SAIC
provides diversified professional and technical services that involve
the application of scientific expertise, and computer and systems
technologies, to solve complex technical problems. SAIC is a Fortune
500 company with annual revenues of $5.9 Billion and over 41,000
employees, and is the largest employee-owned, high-tech company in the
U.S.
Within SAIC, the Secure Business Solutions Group provides clients
with the full spectrum of information security offerings--consulting,
implementation, education and training, and managed services. For many
years, SAIC has provided support to the Department of Defense and
several civil agencies--including support to the FEDCIRC Incident
Reporting and Handling Services--as well as commercial clients. We
developed and still have an interest in a commercial security firm--
Global Integrity--that created and operates the first Information
Sharing Analysis Center, or ISAC, for the financial services industry--
as well as ISACs for global firms and for Korea. Today, nearly 40 per
cent of my Group's business is for commercial customers concerned with
protecting the security, integrity, privacy, and survivability of their
business information and that of their clients.
While the terrible events of September 11, 2001 have heightened all
our concerns for security and are seen by many as defining the
beginning of a new era in U. S. national security, the
vulnerabilities--both physical and cyber--have been with us for quite
some time. The whole trend toward globalization and the reach brought
about by modern transportation and communications have eroded the
sanctuary we Americans have enjoyed for over two centuries. These
terrorist events have taken both a shocking human toll that we must
never let the world forget and an economic toll that has been extremely
disruptive to the American people and others around the world. One
notable observation from these events is that the cost of entry for
such attacks is extremely low. The cost to the perpetrators to plan and
mount the attacks was probably less than a million dollars--certainly
no more than a few million--while the human and economic consequences
have been staggering. The impact of the losses to our economy alone is
in the billions of dollars.
For the last several years, we have observed the same low cost of
entry for those who would disrupt or attack in cyber space, and the
same disproportionate consequences for those who have been attacked.
While the impacts of cyber attacks are difficult to quantify, largely
due to the reluctance of businesses to report fully, or at all, for
competitive reasons, we saw the stock prices of several large companies
such as AOL and Yahoo fall significantly as a result of the Distributed
Denial of Service attacks in 2000, and some estimates place the
recovery and lost business costs at nearly $10 Billion. We have also
seen the progress of E-commerce be impeded in recent years over
concerns for the security and integrity of transactions, with probable
significant impacts on our economic expansion and competitiveness.
More recently, the NIMDA virus was detected and spread within a
week of the terrorist attacks. I'm not suggesting a relationship,
because we just don't know, but NIMDA represents a new, more dangerous
class of virus that operates at a peer-to-peer level, infecting not
just servers, but clients and even web pages. The losses from NIMDA--
measured directly in disrupted business and in opportunity costs of
repair and reconstitution--may well have exceeded several billion
dollars despite some early warning by the National Infrastructure
Protection Center and the ISACs. The difficulty in attributing the
sources of these attacks and in prosecuting them make them a special
concern.
The general sources of these cyber attacks are by now familiar,
ranging from the ``recreational hacker'' on the low end to the more
sinister perpetrators from international criminal and terrorist
elements and nation-states. Following is a brief synopsis of these:
Hackers, Crackers, and Other Outsiders. These have been the
most active source of background ``noise'' in the cyber
environment. They include casual hackers who are often juveniles or
``hobbyists'' using scripted attacks and commonly available tools
from the Internet and its many ``clubs.'' There are also
professional level attackers who can design and mount novel attacks
against protected targets using both a combination of commonly
available tools and ``homegrown'' capabilities sometimes based on
cracking encryption. Their purposes range from joyriding and ego
gratification to criminal intent, where fraud or financial theft is
the goal. Of interest, the 2001 CSI/FBI Computer Crime and Security
Survey indicates among a sample of 186 business respondents that
internet connections and outsider activities are now generating the
largest source of attacks against the business information
infrastructure, more numerous than those due to insiders.
Insiders. One of the most costly and dangerous human threats
to business has historically been the insider, and this continues
to be the case in the information age as well. Insiders have
legitimate access to at least some of the business information
resources and IT infrastructure of the enterprise, and often know
enough of the company's technology, processes, and human elements
to be in a good position to subvert them. They may act maliciously
if they are disgruntled employees--sometimes destroying,
corrupting, or locking out access to information. On other
occasions they may use the system to embarrass the business to the
public or use it for financial advantage for themselves and others
if they are industrial spies. In every case, they are clear and
present threats to the intellectual property, information
resources, IT infrastructure, and the reputation of the business.
Terrorists and Criminal Elements. These may be foreign or
domestic persons or organizations, and they may launch their
attacks through cutouts and indirect network paths from overseas or
from within the US. Terrorists resorting to cyber attacks may be
advancing a political cause, using direct cyber action to advocate
environmental issues; opposing globalization, or attacking
modernism on fundamentalist religious grounds. In each case, for
them, their end justifies their means. Dramatic, headline-grabbing
disruption of the US economy is their goal, and US businesses,
especially those that are large and have a global footprint or
multinational operations, are attractive targets. Much of the
current cyber terrorist activity is low level, to include web site
defacement and temporary disruption of business operations.
However, terrorism is an activity planned and executed by the
alienated, and terrorists and their causes have increasing appeal
to students here and abroad who have the skills to become serious
cyber threats to business. Of particular concern is the possibility
of a combination of terrorist attacks against targeted businesses,
wherein cyber, physical, and anti-personnel actions may be taken.
State Enabled Threats. The most complex and difficult threat
to combat for both businesses and governments is one that is
sponsored and executed with the technology and resources that only
a nation-state can bring to bear. Such attacks could be conducted
with outsiders, insiders, proxies, or combinations of all three,
using leading edge technologies to defeat commercial grade cyber
security for even the best-protected enterprises. Businesses that
would be logical targets for such attacks would be proprietors/
operators of our national infrastructures (e.g.,
telecommunications, transportation, energy/power, banking/finance,
etc) or those large companies that provide key products and
manufacturing (defense contractors, chip makers, etc).
Unfortunately, the numbers of nations that could conduct such
attacks against the US and its businesses are likely to grow, given
the low barriers to entry in such warfare. This is warfare based on
brainpower--readily available worldwide--and the weapons of choice
are computers, fast becoming commodities. State-enabled attacks
against U. S. businesses are both a national and economic security
threat, and they require vigilance and response by the Federal
government, and close cooperation by the business community.
Malicious threats to the information and IT infrastructures of
commercial enterprises seek to exploit vulnerabilities in business
computer information systems. These vulnerabilities stem in part from
worldwide business trends, paths in technology development, and
operating standards which affect business processes and decision
making:
Globalization. Business is going international as never before
and is in a fierce worldwide competition for talent, resources, and
markets. Time is money and to the swift belongs victory. Commercial
attention is riveted on the business plan, the pursuit of core
business, and above all on bottom line performance. Broad
connectivity and numerous interfaces both within and without the
enterprise are needed to thrive in the ``brave new world'' of
globalization. However, cyber security imposes delays and
additional costs of doing business, both of which are unattractive
to business leaders responsible for customer satisfaction and the
bottom line.
Open Processes. To cut business costs and improve
responsiveness, businesses are connecting directly with suppliers
and customers, sharing information, and even providing the
opportunity for people and organizations outside the enterprise to
access and input critical information on production and delivery,
purchasing, and marketing. This integration via supplier and
customer chains depends heavily on trust and constitutes an
inherent process vulnerability, if not addressed by cyber security
and other technical and operational checks. Of note, ``Information
Week Research'' issued a study that was conducted this spring among
375 respondents, 67% of whom reported that supply-chain
collaboration has increased in the last year. However, only 21% of
4500 security professionals surveyed worldwide by IWR indicate that
security policies include procedures for partners and suppliers.
Wide Access. As global businesses concentrate on core
competencies, they increasingly rely on outsiders in maintaining
and supporting their administrative processes and IT
infrastructures. Outsourcing is increasing steadily as a means to
cut costs and gain additional business efficiency. Maintainer and
outsourcer personnel, a constantly changing parade of names and
faces, vetted in uncertain ways in many cases, have insider access
to systems and information, and therefore the opportunity to do
serious mischief to businesses.
Standard Architectures. Because of the continuing increase in
desktop, workstation, and server computing power, the client-server
architecture reigns supreme, increasingly supplanting mainframes.
Client-server uses standard software in normalized configuration
for operating systems and applications; industry-wide protocols for
information sharing, display, and storage; and common approaches to
design and implementation of system and subsystem interfaces for
interoperability in communications and information exchange.
Variations in information system design are shunned due to cost and
support considerations, even though such variations increase the
immunity of the business information systems to cyber attack
techniques that target standardized architectures and designs.
Over recent years, the losses to industry from cyber attacks have
been real and steadily growing, drawing considerable media attention.
The 2001 CSI/FBI Computer Crime and Security Survey reports a 41%
increase in electronic financial losses among 186 business respondents
compared to a similar sample for 2000. It is a fair question to ask why
industry--with or without government support--has not done more to
safeguard its information systems and the intellectual property
contained within its information infrastructure, and to protect its
bottom line. There are several apparent answers:
Many managers aren't attuned to the problem. Cyber security is
a consideration for them, but the losses attributed to security
lapses are tolerable for many; that is, they view them as part of
the cost of doing business. To the extent that managers are attuned
to it at all, they generally put the issue into the hands of their
Chief Information Officer, who may not have the resources or
operational clout to implement and enforce security solutions. The
lack of senior management attention is further exacerbated by a
failure in current accounting methods to attribute current real
costs of losses due to cyber insecurity in business, and to assess
the potential magnitude of future losses that could accrue as the
cyber threat to business grows.
Poor cyber security performance by government. Starting with
the federal government and extending to state and local levels,
government ``talk'' about cyber security has generally far exceeded
the resource commitment and management attention it has been
willing to devote to the problem of protecting the privacy,
integrity, and access to government information and information
infrastructure. This judgment has been validated on an annual basis
by the House Government Reform Subcommittee on Government
Efficiency, which for FY 2001 has awarded government a grade of
``F'' for its overall cyber security posture. Two thirds of the
agencies and departments failed based on the information they are
required to provide the Office of Management and Budget. Here, the
parallel with the business world is striking, as resources for
security solutions are scarce and often considered a problem for
the technical staff and not the operational leadership. Federal
jawboning of industry on cyber security has led to a proliferation
of advisory and coordinating organizations, but precious little in
the way of practical technical support, tailored alerting/warning
systems, security incentives, or subsidies to industry to improve
cyber protections. In sum, government sets an uncertain example and
has provided little help to industry in coping with cyber security
issues.
The ``commons'' problem. Enterprise IT environments are
growing, changing, and being used in new ways such as to resist
system identification and configuration control. They contain an
expanding number of real or potential vulnerabilities in their
software, hardware, communications, internal/external interfaces,
people, and processes. Moreover, they are frequently subject to
decentralized control and resourcing. Everyone depends on them, but
nobody owns them. Line organizations do not want to pay for IT, far
less cyber security, because of the ``free rider'' problem in
funding the IT ``commons'' and ensuring its security. Within a
business sector, losses due to cyber insecurity may be tolerable if
they are judged to be comparable to other costs of doing business,
and especially if competitors appear equally affected by the same
cyber attacks. The business case for cyber security so far is not
well made in businesses outside the financial sector, which
necessarily must lead integration of cyber security capabilities
into its IT infrastructure based on historic experience with fraud,
embezzlement, and theft. Government is waiting for industry to
solve the cyber security problem technically, and is waiting too
for its shrink-wrapped product solutions. Industry looks upon it as
too big, too complex, and too diverse to tackle without government
funding and legal relief from public information (FOIA) and anti-
trust. The ``commons'' problem of cyber security will be dealt with
over time, either by an insurance approach, by regulation, or by
some combination of the two. For now, however, industry does not
have the means, authority, or motivation to work a global solution.
Given the threats and vulnerabilities that businesses face, and the
tough, highly competitive business environment that keeps management
attention on bottom line issues as opposed to security, what can
enterprises do to improve their security postures? In developing a
suitable cyber security posture for a business, there are certain top-
level actions that management must take, and they are independent of
the size or resources of the company. In the final analysis, sound
security depends on three interdependent elements: people, process, and
technology. The elements outlined below are intended to size the
requirement for cyber security using the same logical approaches
employed for any other business decision:
Develop and deploy a sound security policy. This is a no cost/
low cost first step that many businesses fail to take. What is the
general approach to security and how will it be addressed and
inculcated organizationally? What behaviors and what competencies
are expected of users of enterprise IT and information? What will
be the standards for access and the levels of information
sensitivity? How will management oversight of security be conducted
and performance measured over time? How will security lapses be
dealt with?
Identify critical information, processes, and systems. What
constitutes the major components of the critical IT infrastructure
and critical business information, and what levels of protection
are required for each? The objective is not to eliminate the threat
altogether, but rather to manage it.
Analyze threats and vulnerabilities. What are the real sources
of threats and vulnerabilities to the business's IT and
information? These are based on business sector experience, state
of the world, competition, enterprise footprint, and future
business plans. What are the technical, process, and operational
vulnerabilities in the IT infrastructure and information resources?
Perform risk management. In examining the combination of
threats and vulnerabilities affecting the enterprise IT
infrastructure and its information, it is important to make
informed and deliberate management decisions about how to deal with
risks, consistent with sound business principles. The choices are
several, but depend on an assessment of how much risk a business
can tolerate versus how many resources it has to commit:
Avoid risks. Take actions that eliminate or do not incur the
threat/vulnerability duality of concern in the first place.
Shift risks. Use insurance when available or move liability to
others if a threat/vulnerability must be faced. Cyber insurance is
a nascent but developing specialty in the insurance industry as
work proceeds on identifying risks and developing tools to set
premiums.
Mitigate risks. Take technical and/or procedural steps to
reduce the threats/vulnerabilities if necessary, economic, and
efficient to do. With improvements in security technologies and
products, the choices for mitigation are on the rise.
Accept risks/develop contingency plans and backups. Risks that
must be run and which are expensive but improbable in occurrence
may be accepted if downside plans and alternative approaches can be
developed in advance.
Revisit and review. With changes in the threats and
vulnerabilities, the whole range of technologies, business
processes, people, and IT infrastructure, assumptions and decisions
about the level and extent of cyber security must be subject to
periodic management reconsideration.
In facing up to the requirements for improved cyber security, there
are certain bedrock principles that any business, regardless of size,
should consider in developing procedural solutions. They are not
technology driven and do not require capital investment as much as
management attention.
Ownership: Identify primary and alternate system and data
owners to be responsible for identifying the sensitivity and
criticality of the information on their systems and validate
protection controls and access requirements.
Accountability: Hold individuals with access to information
responsible and accountable for protecting information while in
their possession.
Awareness: Users are the first line of defense. They should be
educated about policies, standards and procedures and adhere to
them.
Detection & Monitoring: Implement tools and methods to detect
misuse and anomalous activities on both a real-time and periodic
basis.
Incident Response: Develop and publish a response plan that
details actions required when a violation to the security policy is
detected.
Defense in depth: Implement security measures in multiple
layers versus single layers, and place security devices as close to
the item of value as possible.
System Configuration: System vulnerabilities that can be
eliminated without reducing functionality should be corrected.
System support devices and data storage should contain only
applications or services for which a business reason exists.
Assessment/Audit: Conduct periodic reviews of systems,
networks, and applications against policies, standards and
procedures to test and measure compliance and determine
vulnerability to emerging exploits.
Reliable Records: Maintain secure chronological records and
logs on significant activities on the network and critical systems.
Recovery: Implement tools and mechanisms to ensure
recoverability and business continuity.
Access: Personnel, systems, or applications should only be
granted access rights and privileges based on justified business-
related requirements. These rights and privileges must be exercised
within the scope and limits of identified responsibilities.
Exception: Exceptions to policies, standards and procedures
should be granted or denied based on individual review and
management acceptance of risk. All exceptions should be documented.
Research: Investigate, study, and understand emerging security
technologies and techniques to develop appropriate methods and
controls that protect against ascending threats and
vulnerabilities.
The cyber security problem has spawned significant creativity in
the development of improved cyber security products by many vendors.
Properly selected, integrated, configured, deployed, operated, and
supported, these can upgrade the security posture of any business. With
increasing attention to and demand for cyber security, and the growth
in the commercial cyber security industry, the general classes of
security technologies and capabilities below are emerging as shrink-
wrapped products which are easy to integrate into IT infrastructures.
In parallel, IT product vendors are increasing the direct integration
of cyber security functions into their own software lines, making each
generation more secure and robust. However, a word of caution! There is
a real danger in looking for a single, ``black box'' solution to an
enterprise's security problems. It is my belief that there is not one
today; nor will there be in any future I can envision. The combination
of people, process, and technology offers the best hope of managing
cyber security risks. Some of the more common technologies enterprises
should consider are listed below:
Perimeter defenses. Firewall software and devices at the
enterprise, network, server, and even host level are becoming
standard. These permit a variety of steps to limit access by
sender, receiver, domain, function, and data type. Although not the
total security solution, these are a necessary portion of the
security configuration for business systems, and the first layer in
the defense in depth implementation for cyber security.
Intrusion Detection. Unauthorized penetration of business
information systems must be assumed. Rapid detection is a
requirement. Intrusion Detection Systems (IDS) work with sensors
which either detect (1) specific activities or processes which have
been previously templated as threatening, or (2) departures from
previous information system activity and behaviors which have been
assessed to fall in the ``normal'' range. New approaches to IDS are
beginning to emerge that include combinations of such sensors and
detection criteria supported by enhanced data fusion, display, and
decision support capabilities. IDS capabilities are improving
relative to threat and vulnerabilities, and becoming more
widespread.
Autonomic Response. Most IT system response to intrusion and
anomaly detection is ad hoc. The next area for improvement will be
in automated response to penetration, wherein pre-planned reactions
are automatically executed to contain, reduce, and eliminate damage
and sources of threat. Over time, development work for DoD may
provide for commercialized capabilities for adaptive response to
penetration. This area of cyber security products is currently very
immature but appears promising for the future.
Virtual Private Networks (VPN). Virtual Privacy Networks
provide secure tunnels between trusted sources connected over paths
through less trusted domains by using encryption. This approach is
mature now and proving necessary for ensuring privacy for
businesses using the internet as part of their extended IT
infrastructure. In view of globalization and the rise of
collaborative working with international partners, VPN technology
is a necessary security component for many businesses.
Encryption. Cheap, reliable digital encryption using software
has now become available and practical for industry. Software based
encryption is susceptible to attack by a state level threat, but is
sufficient for all others. Encryption is now required to protect
sensitive data in motion (i.e., as it moves through networks and
across telecommunications paths) and at rest (i.e., in storage) to
ensure integrity and privacy. Encryption is also useful in
providing authentication between sender and receiver, and non-
repudiation services (for accountability).
Public Key Infrastructure (PKI). Public Key Infrastructure
using asymmetric keys has emerged as the only practical technology
to support encryption requirements, such as those above, for
numerous, diverse users who are geographically dispersed but
functionally connected. In a word, this is globalized, 24/7
business today. PKI has been criticized as not being user friendly
and scaleable, but outsourced providers can reduce its application
to something like a subscriber service for most businesses.
Digital Rights Management (DRM). Digital Rights Management
technology provides persistent controls of information and
intellectual property over time. It can set and enforce rules for
sharing, display, editing/modification, usage, and even expiration
of storage. Other DRM capabilities will support secure billing and
micro-payments, provide auditing and transaction tracking, and
permit alteration in the rules as requirements may change. PKI
solutions can provide necessary encryption support. DRM is not yet
mature but is an emergent technology that can improve the cyber
security of business processes in the future.
I am generally optimistic about the improvements that we see
developing in cyber security technology and believe these can be
integrated at reasonable cost in ways that will markedly improve
protection for individual business IT infrastructures operating in many
different business risk environments. These technical safeguards,
combined with proper operating procedures and people with suitable
training and policy direction, can make business cyber security
postures quite robust. Unfortunately, it is also clear that cyber
attack tools are improving steadily in their capability and ease of
use. We can expect new waves of attack based on widespread internet
dissemination of vulnerability information, the advent of adaptive of
``polymorphic'' viruses, improved counter-encryption capabilities, and
clever attack tactics that evade IDS. These attacks will come from an
increased number of people globally who are prepared to use cyberspace
and sophisticated software tolls in malicious ways. This is
particularly of concern as we realize that in the next year the
majority of internet content will no longer be in English, and the
number of aggrieved foreign players with access and attitude rises.
For the present, the experience SAIC has had as a cyber security
integrator with numerous industry customers is a bit mixed.
Financial sector clients are far ahead of all others in
awareness and concerns about cyber security, and in the
sophistication of their solutions. They in fact can provide
technical and procedural lessons in best practices to the US
national security community as well as other parts of the private
sector.
Many of our other commercial clients approach us when they
have had a penetration or other IT infrastructure failure. They
want quick fixes, some testing to assure the problem has been
resolved, and hesitate on cost grounds to support a longer-term
relationship in which their security posture is systematically
tested and upgraded.
In assessing the sources of penetration, we normally find the
attacks are not novel, but in fact are familiar. In the majority of
cases, patches have been available, but were not implemented. In
other cases cyber security systems were not correctly configured.
Those persons responsible for cyber security were overworked, under
trained, or poorly supported and resourced by their management.
Many commercial clients are still doubtful about the business
case for cyber security and typically do not make high demands on
software developers of their operating systems and applications to
incorporate strong security features.
Outside of the financial sector, encryption and PKI are coming
more slowly to industry customers than to the Federal government.
Government pressures for vendors to use PKI based encryption
services in B2G transactions will gradually increase usage
patterns. There is some interest in outsourcing cyber security
support services and to use managed cyber security service models
on a subscriber basis. This is economic, especially for small- and
mid-sized firms that are mindful of the cyber security threat, but
want to concentrate on their core business competency.
Unfortunately, it may take a catastrophic event in cyber space to
galvanize business attention fully to cyber security issues and
change perceptions about the business case.
Against this background discussion of growing cyber risks,
actionable best practices, technology trends, and current business
realities, there is an important role for the Congress to play to
encourage improvements in commercial cyber security. For good or ill--
and I believe for good--we live in the information age, and there is no
turning back. While the ``dot com'' euphoria in the stock market may
have come to an abrupt end, the underlying march of information and
information technology has not. We are wedded to the cyber realm for
our future prosperity in virtually every area. Our challenge is to
learn how to live and operate in this new domain. It will take time to
evolve public policies and craft information age laws, but progress is
being made. In my view, here are some of the things the Congress may
wish to pursue.
Encourage industry to define standards for due diligence in
the development and validation of secure software by developers,
and its secure implementation and operation by users. In the event
these standards were not met they would provide a basis for
judicial allocation of liability and compensation. Part of this
approach would be to promote security testing of developer's
software products according to accepted standards, and to increase
emphasis on the integration of proper software configurations with
prompt patch updates for operators.
Advocate an insurance-based solution to appropriate aspects of
the cyber security problem that do not lend themselves to
``ownership''--the ``commons'' problem--and an immediate technology
solution. As has been proposed in the aftermath of 9/11 for
insurers of physical properties, it might be possible to consider
Federal backing if insured losses exceeded a certain total due to
cyber attack.
Consider tax subsidies or other incentives for improved cyber
protections for certain industries or for the mitigation of
particular classes of risks. Low margin industries vital to public
welfare in food and transportation, for instance, might be
beneficiaries of such support for improved cyber security.
Support education and training programs for cyber security
skills. It does not matter whether graduates of such programs enter
government or commercial jobs since their capabilities will benefit
business and the nation as a whole. Ideally this would reduce
dependence on foreign providers of those skills and services over
time.
Fund certain highly promising cyber security technologies and
approaches that are under development. Those that permit
information systems to operate in degraded mode despite intrusion,
to self-diagnose, and to heal themselves seem especially valuable
and promising. However, these technologies are far from ready for a
shrink wrapped solution and will require considerable development
over time that industry alone will not pursue.
Resist the inclination to legislate specific technical
solutions. As in many similar problems, Congress will serve
industry and the nation best by promoting an environment and
development of the infrastructure of people and technologies
required to define, implement, and upgrade efficient cyber security
solutions over time. For reasons I discussed earlier, to fix on any
single technical approach now in a field so volatile is certain to
fail.
There are bills in various stages of progress in Congress that
include provisions promoting improvements in business cyber security
practices and capabilities. HR 2435, ``The Cyber Security Information
Act,'' and S 1456, ``The Critical Infrastructure Information Security
Act of 2001,'' each have provisions to protect from FOIA requirements
and antitrust concerns B2B and B2G sharing of sensitive information for
alerting and warning of threats to business information
infrastructures. I commend these provisions for your favorable
consideration in any legislation that is forthcoming this session.
To summarize, industry faces a future of increasing and evolving
threats to its IT infrastructure, Intellectual Property, and other
critical information. There is every expectation that better technology
is emerging to improve protections. But, more than technology, people
at every level of the business enterprise are crucial to achieving
upgrades to cyber security. To be effective, managers must provide--
first and foremost--competent, executable security policy. That policy
must be implemented in specific processes and technologies. Cyber
security must become an integral part of business operations. People at
the management level need to believe there is a business case for IT
security and manage accordingly, and employees must receive training
that maintains both security awareness and competence as a sustaining
activity in their careers.
I thank you for requesting SAIC's views on this important matter,
and I would be pleased to answer any of your questions.
Mr. Stearns. I thank the gentleman.
Mr. Schmidt for your opening statement.
STATEMENT OF HOWARD A. SCHMIDT
Mr. Schmidt. Thank you, Mr. Chairman, and the subcommittee.
I'd also like to request that my full written testimony be
submitted in the record.
Mr. Stearns. In the record.
Mr. Schmidt. Thank you.
Mr. Chairman, members of the subcommittee, my name is
Howard Schmidt. I'm the Chief Security Officer of Microsoft
Corporation. I also have the honor of serving as the President
of the Information Technology Information Sharing and Analysis
Center or the IT-ASAC, the Information System Security
Association or ISSA, and I also serve on the board of the
Partnership for Critical Infrastructure Security. I'm also an
industry executive subcommittee representative for the National
Security Telecommunications Advisory Council.
I've served in the public sector for over 30 years with the
United States Air Force, the FBI and local law enforcement. And
on September 11, I was in Washington, D.C. for a day long
meeting with several senators when I learned of the attacks.
As a current military reservist with Army Criminal
Investigations Computer Crime Investigations Unit, I reported
to Fort Belvoir, was placed on active military duty for the
next month and deployed to work for the Joint Task Force for
Computer Network Operations, working with the Department of
Justice and the FBI through the NIPC FBI headquarters.
That particular experience built upon the many years in the
field have given me the ability to see individuals in both
communities, both private and public sector, wage daily battles
in a war without silver bullets or black boxes, where there
will also be someone trying to exploit vulnerabilities and
where criminal hackers are proving themselves to be allusive,
diverse and endlessly resourceful.
With this background, I would like to review some problems
we face and address the steps that Microsoft takes as an
industry leader, and some steps I believe that the government
should take to address cyber threats.
The issues posed by criminal hackers are real, cross-
platform and costly. The Love You virus of 200 caused an
estimated $8 billion in damages. Ramen and Lion worms, which
attacked Linux software used to deface websites and extra
sensitive information such as passwords. And the Code Red worm
exploited Windows server software. Damage has been estimated in
those cases $2.4 billion. The Rhino attacks exploited
vulnerabilities in the Solaris operating system to stage denial
of service attacks. That damage was estimated as $1.2 billion.
Truly these are genuine weapons of mass disruption, not
mass destruction, but mass disruption. Yet, perhaps the most
depressing fact in all of these stated attacks there has been
no perpetrator that has been caught, absent the incident with
the I Love You virus writer who remains free since there were
no laws in this country that criminalize those actions.
Those attacks did not occur because the innovative
engineers who created the underlying code disregarded security.
They occurred because equally innovative criminal hackers
worked day after day to find, create and exploit
vulnerabilities in the software or in the human nature that
gave them new ways to repass on our computers, to steal our
data and shutdown our networks.
Microsoft is deeply involved in advancing policies to
improve critical infrastructure protection through senior
executive leadership, continuous improvement of software
development, security response, and coordination with law
enforcement.
First of all, we lead from the top. Bill Gates, our Chief
Software Architect and Chairman, is a Presidentially appointed
member of the National Infrastructure Advisory Council. Craig
Mundie, our Senior Vice President and Chief Technology Officer
was appointed by the President to the National Security
Telecommunications Advisory Council. And on a personal basis, I
am deeply involved with the U.S. Government's efforts around
critical infrastructure protection, the G8 Subcommittee on
Cyber Crime, various United Nations initiatives and including I
was a U.S. Industry Delegate in the U.S. Australian bilateral
meetings on critical infrastructure protection.
Allow me to mention for a moment some of the things we have
done in the direction of our executives. We've created a new
program to deal with the patch applications that was cited by
my colleagues as one of the issues that faces us in the
vulnerability issue.
We're also developing superior code analysis processes to
root out subtle flaws that can create vulnerabilities in
commercial products.
We're expanding the testing of our software by using
independent penetration teams and working closely with third
party experts in and outside the government to make these tests
work.
In addition, we've created a fully staffed highly effective
security response organization which we believe is one of the
best in the industry.
Like traditional crimes, cyber crime needs to be opposed
with strict criminal laws, strong enforcement capabilities and
well-equipped and highly trained law enforces. Yet despite the
billions of dollars in damage that we've seen in these network
disruptions in the past, writers still remain at large. In this
troubled time, we can only expect that some of these may fall
under the control of terrorist organizations or hostile
nations, and thus we need to address the inadequate enforcement
of criminal laws and insufficient law enforcement resources.
Law enforcers should receive additional resources,
personnel, and equipment in order to investigate and prosecute
cyber crimes. These hard working officials are often short-
staffed and under-funded. Many also lack the state-of-the-art
technology used by hackers, and increased funding is needed to
place them on par with those they investigate.
We support the following specific actions. We see a need
for increased funding for law enforcement personnel training
and equipment.
We support tougher penalties on criminal hackers such as
civil forfeiture of personal property used in committing these
crimes.
We seek clear guidance from the Sentencing Commission on
how courts should punish those convicted felons.
We strongly support greater international cooperation among
law enforcers in these times-sensitive investigations.
And we want to have the ability to have ISPs to have the
authority to share information voluntarily with the entire
government once they see that life or limb is endangered.
We've worked very closely with the authors of the pending
Freedom of Information Act reform legislation, and when
President Bush signaled his support of this reform, and as
President of the IT-ISAC, and I assure you that this simple
change could lead many companies to answer the government's
request to do more in sharing of security information with the
government.
From the international perspective, we need international
laws enforcement framework that establishes minimum liability
and penalty rules for cyber crime, and common intergovernmental
cooperation. Without all this, the computer laws on the laws on
the books may wind up being useless when cyber criminals cross
international borders.
Let me close by thanking this subcommittee for inviting me
to testify. The recent horrific terrorist attacks in New York
and Washington were physical in nature. And we were fortunate
that terrorists or a random hacker did not further create
mayhem by unleashing a corresponding cyber attack, yet this is
a risk that we still continue to face. We must take steps now
to deter these actions to improve technology: Fully funded law
enforcement; tough criminal penalties and continued industry
and government dialog and cooperation.
We know that security is a journey, not a destination, and
by working with our industry peers including some of my
distinguished colleagues here, and with the government, we have
a chance to keep pace and hopefully get ahead with the cyber
criminals and cyber terrorists.
Thank you, and I'll be happy to take questions.
[The prepared statement of Howard A. Schmidt follows:]
Prepared Statement of Howard A. Schmidt, Chief Security Officer,
Microsoft Corporation
INTRODUCTION
Mr. Chairman and members of the Subcommittee, my name is Howard
Schmidt. I am the Chief Security Officer at the Microsoft Corporation.
As such, I am one of many who are responsible for the development of a
trusted computing environment at Microsoft and, to the extent possible,
throughout the information technology industry. I serve as president of
the Information Technology Information Sharing and Analysis Center (IT-
ASAC), which coordinates information sharing on cyber vulnerabilities
among information technology companies and the U.S. government. I serve
on the board of the Partnership for Critical Infrastructure Security, a
cross-sector, cross-industry effort supported by the National Security
Council and the Department of Commerce. I am also an industry executive
subcommittee member of the National Security Telecommunications
Advisory Committee. I served for several years in the United States Air
Force, the FBI, and local law enforcement, and on September 11th I
arrived in Washington, D.C. for one stop among many that would take me
across the globe. I was meeting that morning with several Senators when
I learned of the attacks, and I immediately reported for duty at the
Pentagon. There I stayed for the next several weeks after being called
to active duty with the United States Army. During that time I was
deployed simultaneously to the Joint Task Force for Computer Network
Operations, the Department of Justice, and the FBI's National
Infrastructure Protection Center.
That experience built upon my many years of computer security work
in the public and private sectors, in which I have observed extremely
talented and committed individuals in both communities wage daily
battles in a war without silver bullets, where there will always be
some vulnerabilities, and where the criminal hacker has proven itself
elusive, diverse, and endlessly resourceful.
With this background, I would like to review some problems we face
and address two elements of cyber-security. First, the steps Microsoft
takes as an industry leader, and second, some steps I believe the
government should take to stop cyber-crime.
THE PROBLEM
Mr. Chairman, the information technology revolution has transformed
the way business is transacted, government operates, and national
defense is conducted. Those functions depend on an interdependent
network of physical and technological critical information
infrastructures that industry and government work together constantly
to secure. Protection of these systems is essential to government and
to the telecommunications, energy, financial services, manufacturing,
water, transportation, health care, information technology and
emergency services sectors--the so-called critical infrastructures of
our economy.
These sectors are national assets. Their loss or degradation would
severely impact our national defense and the very stability of our
economy. Yet, unlike other national defense assets, they were largely
built, and are owned and operated, by the private sector. That is why
this Administration and its predecessor have insisted that securing
critical infrastructures requires a partnership between government and
industry. Voluntary cooperation and industry-led initiatives will work
best to address computer security issues.
The issues posed by criminal hackers are real, cross-platform, and
costly. The ``ILOVEYOU'' virus of 2000 caused an estimated $8 billion
in damages. The Ramen and Lion worms attacked Linux software to deface
websites and extract sensitive information such as passwords. The Code
Red worm exploited Windows server software to deface websites, infect
computers, attack other websites, and make computers susceptible to
attack by third parties. Damage has been estimated at $2.4 billion. The
Trinoo attacks exploited vulnerabilities in the Solaris operating
system to stage distributed denial of service attacks against several
prominent websites. The damage was $1.2 billion.
Truly, these are genuine ``weapons of mass disruption.'' Yet,
perhaps the most depressing fact in all of these attacks is that no
perpetrator has been caught with one exception--the ``ILOVEYOU'' virus
writer remains free since the law of his country did not criminalize
his actions.
These attacks did not occur because the extremely innovative
engineers creating the underlying codes disregarded security. They
occurred because equally innovative criminal hackers worked day after
day to find, create and exploit vulnerabilities in the software or in
human nature that gave them new ways to trespass on your computers,
steal your data and shut down your networks.
elements of a solution: microsoft and cybersecurity
Leadership. We at Microsoft are deeply involved at the national
level and within the information technology sector in advancing
policies to improve critical infrastructure protection. This takes form
through senior executive leadership, continuous improvement in software
development, security response, and coordination with law enforcement.
First of all, we lead from the top. Bill Gates, our Chairman and
Chief Software Architect, is a presidentially-appointed member of the
National Infrastructure Assurance Council (NIAC). The NIAC is intended
to advise the President and encourage cooperation between the public
and private sectors to address physical threats and cyber threats to
the Nation's critical infrastructure.
Craig Mundie, Microsoft's Senior Vice President and Chief Technical
Officer for Advanced Strategies and Policy, was appointed by the
President to the National Security Telecommunications Advisory Council
(NSTAC). The NSTAC advises the President on policy and technical issues
associated with telecommunications.
Steve Lipner, Microsoft's Lead Program Manager for Security, serves
on the Congressionally-mandated Computer Systems Security and Privacy
Advisory Board.
Finally, I am deeply involved in U.S. government, G8, United
Nations and state & local cyber-security initiatives. In addition to my
duties at the IT-ISAC and NSTAC, I recently participated in a U.S.-
Australia bilateral meeting on critical infrastructure protection led
by the U.S. Departments of State and Commerce.
From the top down, our senior executives believe in excellent
security. They drive our thinking on what we need to do to create a
more secure Internet infrastructure, and they simultaneously play a
leading role in shaping the general U.S. technological and policy
environment.
Service & Development. Allow me to mention several examples of what
we have done at their direction. About four weeks ago, we rolled out
the Strategic Technology Protection Program (STPP) which addresses the
patch application problems while also enhancing our software
development practices.
As part of this initiative, we are doing several things, including
deploying many of our personnel to our customers' sites to assist them
in utilizing our patches. We also are providing advanced training to
our own developers so they better understand current threats and
vulnerabilities; we are developing superior code analysis tools to root
out subtle flaws that can create vulnerabilities; we are expanding
testing of our software by using independent penetration teams; and we
are working closely with third party experts in and outside government.
In addition to the STPP, we have created a fully staffed, highly
effective security response organization. We believe that it is the
industry's best such organization. It investigates thoroughly all
reported vulnerabilities, then builds and disseminates any needed
security updates. In 2000, for instance, we received and investigated
over 10,000 reports from our customers. Where we found
vulnerabilities--as we did in 100 cases--we delivered updated software
through well publicized web sites and our free mailing list to 200,000
subscribers.
Another major element of our protection efforts focuses on
incorporating new security features in our products. As examples, we
have integrated previous stand-alone patches in products like Outlook
2001, installed a personal firewall in Windows XP, and added software
restriction policies to Windows XP to allow administrators to limit
what software can run on the system.
The feedback we have received thus far from our customers, outside
analysts and the press has been overwhelmingly positive. We consider
that an essential vote of confidence in the direction we have taken,
and these programs are not one-time initiatives. We take them very
seriously, for security and privacy go to the heart of our culture.
Education. Leading by example is one way to improve computer
security. Making sure that it becomes a national ethic for business and
government, however, requires serious, sustained efforts to educate our
colleagues in both the public and private sector.
Like any real solution to reducing computer security
vulnerabilities, this requires that both sectors play a part. On the
industry side, we strongly support industry-generated efforts to spread
the gospel of cyber security. At Microsoft, we have done this through
the good works of our top executives and through other broad-based
efforts to encourage appropriate security practices. For instance, at
an industry-wide level, Microsoft this month sponsored its second
annual Trusted Computing conference at our Silicon Valley Campus. This
conference brought together leaders from industry, government, the
academic community and other interested parties to discuss and reach
consensus on issues of security and privacy. One of the highlights of
this year's event has been a debate about the handling of product
vulnerability information. With several other companies, we have taken
a leadership position that the public release of ``exploit code'' by
``security researchers''--that subsequently can be used by hackers to
break into customers' systems--is harmful to customers and inconsistent
with professional responsibility. We believe that similar efforts to
reach consensus within the industry can improve both security awareness
and lead to real security improvements.
On the government side, I admire and support the job Dick Clarke is
doing as the President's cyber security advisor and coordinator. He has
worked tirelessly for years to bring the message of computer
vulnerability and the need for increased computer security to the
nation's boardrooms and cabinet offices. He needs support throughout
the government in making clear that this is a national priority.
Certainly this message has reached the Department of Defense, which so
heavily relies on information technology to gain battlefield
superiority. It must become part of the lexicon of many other
government agencies and officials.
Criminal Enforcement. Like traditional crime, cyber-crime needs to
be opposed with strict criminal laws, strong enforcement capabilities,
and well-equipped and highly trained law enforcers. Yet despite the
billions in damage and significant network disruption, many criminal
code writers remain at large. In this troubled time, we can expect that
some may fall under the control of terrorist organizations and hostile
nations, and thus we need to address the inadequate enforcement of
criminal laws and insufficient law enforcement resources.
To slow this growing threat, penalties for cyber-crime should be
increased and law enforcement capabilities should be enhanced. The
Computer Fraud and Abuse Act and other statutes make hacking,
unauthorized access to computers, and the theft, alteration, or
destruction of data federal crimes. However, penalties are weakly
enforced, and tougher sentences need to be imposed to deter and punish
cyber criminals.
Law enforcement should receive additional resources, personnel, and
equipment in order to investigate and prosecute cyber-crimes. These
hard working officials are often short-staffed and under-funded. Many
also lack the state-of-the-art technology used by hackers, and
increased funding is needed to place them on par with those they
investigate.
Finally, cyber-criminals and cyber-terrorists operate across
international borders, as in the ``ILOVEYOU'' virus, the ``Solar
Sunrise'' attack, and the ``Anna Kournikova'' virus. Enhanced
international law enforcement cooperation is a vital tool our law
enforcers need to fight and find the cyber criminals and cyber-
terrorists.
That's why Microsoft strongly supports adding new cyber-crime
provisions to the anti-terrorism laws and the criminal code. We see a
need for increased funding for law enforcement personnel, training, and
equipment. We support tougher penalties on criminal hackers, such as
civil forfeiture of personal property used in committing these crimes,
and we seek clear guidance from the Sentencing Commission on how courts
should punish these convicted felons. We strongly support greater
international cooperation among law enforcers in these time-sensitive
investigations. And we want ISPs to have the authority to share
information voluntarily with the entire government once they see that
life or limb are endangered.
We have also worked closely with the authors of the pending
legislation to provide an exemption from the Freedom of Information Act
(FOIA) for cyber security information voluntarily shared with the
federal government. In a letter to the NSTAC, President Bush signaled
his support for this reform and as President of the IT-ISAC, I can
assure you that this simple change will lead many companies to answer
the government's urging that they provide much more computer security
data to the government. When that happens, the government network
administrators will learn much more about network vulnerabilities from
the private sector and be in a far better position to secure their own
networks. They will also be able to model future attacks and position
themselves to anticipate them in advance, whereas today most analysis
occurs after the attack.
Finally, the Council of Europe has completed negotiations on a
comprehensive cyber-crime treaty. We know that from an ISP perspective
it contains a number of controversial or vague requirements affecting
both privacy and regular business practices. We share many of these
concerns and worked in several industry coalitions to ameliorate them.
Yet we see the clear need for an international law enforcement
framework that establishes minimum liability and penalty rules for
cyber-crime, and common procedures for intergovernmental cooperation.
Without this, all the computer crime laws on the books are useless when
cyber-criminals cross international borders. Whether or not the Council
of Europe treaty is an ideal vehicle I leave to the lawyers to decide,
but I assure you that we do need harmonization and cooperation in this
area, and we need it now.
Investment. Microsoft believes that there is a demonstrated need to
protect and defend the nation's critical information infrastructures
from computer hackers and cyber-terrorists. Law enforcement must be
adequately trained and properly equipped to fight cyber-crime, whether
it is hacking, or other forms of cyber-security offenses, committed by
terrorists and other criminal entities. That is why we propose giving
the Attorney General additional discretionary funds to expand staffing,
training and technological capabilities of the Computer Crime and
Intellectual Property Section and the National Infrastructure
Protection Center; to accelerate funding for law enforcement computer
modernization; to hire experts in cyber-security; and to fund state and
local law enforcement efforts to deter, investigate and prosecute
cyber-security offenses.
Government Response. Software security is a rapidly evolving market
of suppliers and consumers. We have seen over the past few years
tremendous growth and a massive increase in awareness of these issues.
There is no single nor comprehensive solution and there will always be
more to do. For this reason, I believe we need to let the Internet
economy and the information technology industry operate as a market.
That means that it must operate without government interference.
Federal security mandates or requirements, such as rules and
regulations for patch application, dictates on the type of technology a
company must use, or legal requirements that a company declare that it
follows some form of security best practices, would have the perverse
effect of slowing innovation in the security market. A rule requiring
notice of security practices would also have the unintended consequence
of causing companies to gravitate toward accepted practices rather than
toward innovative practices. In sum, there is a critical difference in
quality, innovation and thoroughness between security solutions driven
by market and private sector pressures and those driven by regulation,
bureaucratic timetables and one-size-fits-all approaches. A serious
government-industry partnership can encourage security innovation and
implementations, but will falter if regulation is imposed upon
information technology businesses.
SUMMARY
Let me close by thanking the Subcommittee for inviting me to
testify. Although the recent horrific terrorist attacks in New York and
Washington were physical in nature, Congress quite rightly must look
beyond the current tragedy and loss of those catastrophic attacks. We
were fortunate that the terrorists or a random hacker did not unleash a
corresponding cyber attack. Yet that is a risk we face, and we must
take steps now to deter these actions through improved technology,
fully funded cyber crime law enforcement, tough criminal penalties, and
continued industry & government cooperation. We know that there is no
finish line to these efforts, but by working as we have with industry
peers--including some of these panelists--and with governments, we have
a chance to keep one step ahead of cyber-criminals and cyber-
terrorists.
Thank you.
Mr. Stearns. Thank you, Mr. Schmidt.
The committee that I'm chairing now is using the
jurisdiction of Commerce to have you here. Some of the things
you mentioned, Mr. Schmidt, would most likely be under the
Judiciary Committee in terms of the laws that are developed.
But, Mr. Klaus, let me just ask you, I have lots of friends
in my congressional district that are banking Bank of America,
other banks. They do all their banking through the Internet.
Are you saying today that you could go into those programs
and find out what their banking information is? Could I bring
you down to Okal, you sit down at a computer or could I tell
you where they are? I mean, tell me how would you--first of
all, is it possible for you, is it possible for a hacker today
to go in and find out all the information in my friend's
banking account with Bank of America?
Mr. Klaus. There's actually a pretty big misperception out
there where people think that if I don't shop on the line or I
don't access my bank account on line, I'm okay. I'm not
effected by this. But the reality is when we go into a bank or
do what we call a penetration test, we don't have to physically
go anywhere, we could just do it from anywhere on the Internet
and typically you can get into a bank. And from there you can
access not only the people who do access their accounts on
line, but even those that are off line in terms of
everybody's--everybody's account information is in the data
base.
Mr. Stearns. Okay. That's why we've always made the
agreement on this committee that if we do an Internet privacy,
it's off line/online, because just what you said; that you
could go in to find something and a person never gave a credit
card, never went on banking online, but dealt with a bank
offline and paid the mortgage, you could break in today you're
saying and do that?
Mr. Klaus. I mean, the banks use the same computer systems,
the same data bases to store the information whether the user's
online or not.
Mr. Stearns. Okay. What's the motivation in your opinion of
these people who do this? Is it for crime, is it just for
challenge, or what is the majority of the motivation?
Mr. Klaus. I think the motivation it's probably a bigger
different group that's out there today. Like 5 years ago or 10
years ago if you looked at it, a lot of people who were doing
it was more for play and exploratory type hacking, is kind of
the term they were using in terms of ``I'll see what I can get
into.''
Mr. Stearns. Sort of as a game.
Mr. Klaus. More as a game. But nowadays we're seeing a lot
more attacks that are actually criminal in nature, either
political motivation or actually money--you know, money is on
the Internet now, so a lot more of monetary attacks. Blackmail
a lot of times.
We were dealing with a bank in Georgia where they had been
hacked into and basically the data base of all their customers
had been taken back to someplace in Russia and, basically that
group had emailed the bank saying, you know, please give me
$100,000 otherwise we could be releasing this information,
might get out on the Internet.
Mr. Stearns. So they tried to blackmail the bank?
Mr. Klaus. Correct. And so we're seeing the motivation is
changing.
I think the automated attack tools, the motivation there
today nobody--since those people haven't been caught, it's hard
to question exactly what they're doing. But in many cases if
you look at virus writers, it's kind of like so many arsonists
out there. You set a fire and you go off and kind of watch it
from afar. And I think that's what a lot of the automated
attack pools like Nimba, Code Red, some of that motivation
might be.
Hey, let's write a program to see how much of a fire can I
create on the Internet, and kind of watch it from a distance.
Mr. Stearns. Ms. Davidson, you state that ``If security is
not built into a product system from the getgo, it is often
impossible to retrofit it after the fact.'' You might just
elaborate on that.
Ms. Davidson. Well, I think it's important that security
has to be part of a design process. And a vendor of a secure
product has to make a commitment to a secure product lifecycle.
For example, before you build a piece of software, you need
to sit down and say what are the security threats I'm
protecting against? What are the technical measures I'm going
to implement?
Mr. Stearns. Can you project that with this technological
advancement, this innovation we're seeing in America? Can you
be sure?
Ms. Davidson. I don't think you can ever be 100 percent
sure and there is no bullet proof security. But it basically
gets back to, I talk to my customers about the questions you
ought to be asking all of your vendors about security. And that
is, how do you build security? Is it part of the design
process? Is that one of the first things you think of? Do you
have secure coding practices? do you have a small group of
people? Because it's hard to get security right.
You have a small group of people who are the experts to
whom the rest of your company goes to make sure I'm building a
piece of software, I need to make sure the security people; I
talk to them, I use the code routines that are well formed and
well delivered, I have testing to test the security mechanisms,
I do security risk assessments or penetration tests, try to
break into it.
Mr. Stearns. Yes.
Ms. Davidson. We have a team of reputable hackers whose
very good that's breaking into things before the product goes
out the door.
Mr. Klaus. I'd like to add----
Mr. Stearns. Let me just finish here.
Mr. Schmidt, you've just heard what Ms. Davidson said. Some
people have criticized Microsoft plan to work to publicize
security flaws, but not the technical details. So there's some
controversy here, because people like to know the technical
details. You might give us why Microsoft proposed the action it
did.
Mr. Schmidt. Well, it goes around what we call ethical
reporting. There is the concern that if information comes out
before there's a fix, then we endanger the entire critical
infrastructure that we're talking about on a regular basis to
begin with. So when we talk about publishing details, it's
after we have the ability as an industry to resolve these
problems, that you get the patches out there, and then make
that information known on a very technical basis. In the
interim we're subject to saying there's a big hole, but there's
no way to fix it at this point.
Mr. Stearns. My last question is to Mr. McCurdy, would an
exemption from the Freedom of Information Act and/or any trust
laws help promote a better interaction and cooperation between
the government and private sector on cyber security matters?
Mr. McCurdy. Mr. Chairman, yes. I'm a firm supporter, as
our organization is, for both the Davis-Moran legislation from
the House and also the Bennett legislation in the Senate. We'd
like to see both of those tabled so we could go to conference
on that.
One for information sharing and--what we don't know is
probably a bigger question. I know it philosophical. But when
you talk about the motivation of hackers, in a lot of ways they
want to have those attacks publicized, but it's the criminal
elements, it's organized crime, it's the state actors that
quite frankly don't want you to know. And they're not using the
automated tools. they can do a number of things both externally
but also through insiders. As we know, the FBI knows a lot
about the potential threat from insiders.
So there are a number of things, and I think you have to
remember that used to use in national security the threat over
here and the likelihood of occurrence, but the lesser threat on
the other side. Those areas where there's the greatest threat
you won't hear a lot about. And that's why, you know, I think
there has to be a lot of effort from the government.
With regard to information sharing, banks have their own
incentive to report a certain level of intrusion and loses.
they don't want to lose confidence with the consumer or
customers. So it's also critical that in order to exchange
information with the government, that those reports remain
anonymous, that they not be traced back to individuals or to
companies. Because that has a chilling effect on the reporting.
And as far anti-trust, whenever you bring companies
together--you know, government tends to think in vertical silos
the way it's organized. The Internet cuts all through that, so
it goes across industries. It's not just a group of people from
one industry sitting in the same room together. It's a
process----
Mr. Stearns. I'm going to ask you please to summarize this,
because we're going to go back--I'd like to get the rest of the
committee.
Mr. McCurdy. The point is that anti-trust exemption for
this similar to the Y2K experience and informing sharing
exemptions are important and I think it should be supported in
a bipartisan basis.
Mr. Stearns. Okay. Thank you.
Ms. DeGette?
Ms. DeGette. Thank you, Mr. Chairman.
Following up on the chairman's question, Mr. McCurdy, I'm
wondering if there have been any prosecutions for anti-trust
violation as a result of information sharing, or if you're
concern is really one of a chilling effect?
Mr. McCurdy. It's more the chilling effect. Similar to Y2K.
Once----
Ms. DeGette. Yes, I got you. I don't have much time, as you
know better than anyone here.
Is anyone else on the panel aware of any anti-trust
prosecutions as a result of information sharing? So what I'm
really hearing is we're talking about a chilling effect that
could be very real for folks? Just for the record, everyone's
nodding their head affirmatively.
I was struck, a couple of a you talked about, including Ms.
Davidson, about how important it is for consumers to understand
exactly what the issues are because you can't complain if you
don't action. And I told the chairman my husband installed
protection software on our home PC. And we found that even on
the first day we had scores of attempts to break into our PC.
And I would be willing to bet--and he was surprised to hear it.
I shouldn't tell tales on him. But he was surprised to hear
that and asked me for the name of the software, which I'll get
him. But if we don't even know that on the subcommittee,
imagine how many millions of customers there are out there, and
that's not even at a business level. So I think that's advice
well taken.
I would like to ask a question of any member of the panel
who would care to answer it. If you know of any or if you've
learned of any particularly vulnerabilities in security systems
since September 11 or if there are really ongoing concerns that
we have and that we've been talking about for quite some time
in this subcommittee? Any new vulnerabilities that we learn of?
Mr. McCurdy. Well, I'll give you a quick site. You can go
to a website, and they report continuing vulnerabilities.
There's a lot that's--again, because of the technical concerns
that Mr. Schmidt raised, you don't want to give out before
there's a patch, but there are reports.
Since September 11 there has not been a huge rush of new
ones. We're not talking about a post-9/11 scenario here. This
is a continuing throughout the year threat the past 4 years,
which I think the trend that you're concerned about.
Ms. DeGette. Mr. Axelrod?
Mr. Axelrod. The status of the vulnerabilities is not
really a function of the threats.
Ms. DeGette. Right.
Mr. Axelrod. The vulnerabilities increase as new software
which is more complex comes into the marketplace. However, I do
believe that everyone's perceptions of threats has changed
dramatically. And I also think the reality of the threats has
changed. There is a whole portfolio of additional threats that
we didn't previously consider.
Ms. DeGette. Thank you.
Mr. Klaus?
Mr. Klaus. I'd add that, well, we've found at least three
new vulnerabilities since September 11. A couple of them were
like multi-vendor effected. Most of the UNIX platforms, Sun,
Linex, etcetera and worked with a lot of the vendors out there
that fixes issues.
The thing is, we're working with Microsoft and seven other
security companies to create a standard. Right now there's a
lack of a lot of security standards for whatever reasons, but
right now there's not a standard out there for how to disclose
that information.
ISS has come up with a standard that says, you know, we
will alert the vendors before we disclose any technical
details. and a lot of the debate is whether you release the
actual exploit tools. There's a lot of security companies that
will produce an exploit tool and say, hey, here's evidence that
this is a big issue. The problem is you can take that tool and
break into systems.
Even worse though is when you disclose I guess the source
code to the actual vulnerability and how to break into systems.
What we're finding is it lowers the barrier to creating the
next Code Red worm or the next worm. And that has the huge
effect. That's what scares me is the fact that, you know, new
vulnerabilities get amplified and they're a force multiplier in
terms of having a huge effect on the Internet.
Ms. DeGette. I got you. Thank you.
I'd like to question of Mr. Schmidt. A couple of the
excellent suggestions I thought that you made were increasing
penalties for hackers. We apparently have hackers out there who
haven't been prosecuted.
I'm wondering how many of the hackers that you are
experiencing in your company and maybe Oracle and others have
we determined are based domestically here?
Mr. Schmidt. Yes, it's really difficult to tell until you
actually put the habeas grabis on them, as we call it.
Ms. DeGette. Right.
Mr. Schmidt. Because they're often times----
Ms. DeGette. That's a term of art, right?
Mr. Schmidt. Because what happens, we see systems that are
compromised in foreign countries which may give the indication
that the source is indeed that country, but it could indeed be
someone domestically that's using that as a jumping off point.
Ms. DeGette. So in essence we don't really have a clear
sense of how many of the hackers are based here where we could
send in the FBI to get a more local law enforcement authorities
and how many are based physically internationally, which would
argue for even stronger international cooperation?
Mr. Schmidt. That's correct. Yes, ma'am.
Ms. DeGette. Yes, Ms. Davidson?
Ms. Davidson. Yes, I'd like to amplify an earlier comment.
In our experience most of the hackers, although that tends to
have a pejorative connotation, in our experience most of--I
would say 98 percent of the people that we deal with are
inquisitive, talented and, as I mentioned, really want to test
something rights on the Internet. Looky, see, I was the first
one to find this vulnerability. They are not malicious. They
bring the issues to our attention. They give us a chance to fix
them. And we're very good about acknowledging thank you. In
fact, I think some of us know the same people, is it Yorgi in
Russia whose very good at finding buffer overflows.
So as long as you put a little statement with an
acknowledgement to Mr. So-and-so who found this and worked with
us to help identify it, they're happy.
Mr. Schmidt. Yorgi.
Ms. Davidson. Yes, Yorgi. Everybody knows Yorgi.
Ms. DeGette. Unfortunately everybody does not have those
kind of----
Ms. Davidson. Yes, that's true. But most of them--so in
many cases they do self identify and they're very well known.
It's the 2 percent who are malicious that you never know they
are.
Ms. DeGette. Right.
Thank you, Mr. Chairman.
Mr. Stearns. Thank you.
The gentleman from Illinois.
Mr. Shimkus. Yorgi, alias Nathan Deal. You didn't know
that, did you?
Mr. Morrow. I didn't.
Thank you. I'd like to follow up on a couple of questions
of Mr. Morrow.
Mr. Morrow. Sure.
Mr. Shimkus. And since the Davis-Moran bill was mentioned,
I know in your testimony you mentioned it also. I want to know
if it's a good idea that there be an obligation to share
information?
Mr. Morrow. We don't really believe--I don't believe it's a
good idea to have the obligation, because I don't necessarily
believe it's required.
I think everybody that I run into in the commercial sector
wants to do the right thing. They're extremely cognizant of the
idea that we all have to share information. They are, quite
frankly, not to be dogging the attorneys in the room, the
corporate counsel always advise against it because of the
issues of anti-trust and the Freedom of Information Act.
You have to understand that even in the investigative
world--Howard and I were investigators together for the Air
Force. We would find that companies will forego investigation
because they don't want to see the information that they are
trying to keep sacred, their intellectual property, for
example, brought out in open court and read about it on the
front page of the Washington Post. And similarly, they're
afraid of the Freedom of Information Act will do essentially
the same thing, or the anti-trust implications will be kicked
in.
While it has not been that I'm aware of ever been a
prosecution of anti-trust based on this type of sharing, it's
certainly one of the things that a corporate counsel always
seems to be worried about.
Mr. Shimkus. Great. Thank you.
And I'm going to shift all over to different things based
upon the testimony.
Mr. Casciano, you had also addressed in your statements
about the applicability of insurance and how insurance may
shift risk and help address liability issues. Can you take us
through how this would work, just briefly talk us through that
whole insurance?
Mr. Casciano. Certainly. There are many ways that this can
be done, and the insurance companies and the underwriters are
trying to grapple with this now.
One possibility is that companies who are going after cyber
insurance would be subject to a very standard and rigorous
examination; vulnerability assessment, assessment of policy,
implementation of that policy, testing of that policy and then
would receive a rating from the underwriters based on their
adherence to the standards set by the insurance company.
Mr. Shimkus. Is there in the proposal a reevaluation of
their proposal at 6 months because of how things move so
rapidly?
Mr. Casciano. Oh, clearly. And that would be part of the
standards that would be applied, whether it be a 3-month
revisit, 6 month revisit or some other formula. But it would
have to be continuous, because the technology both for defense
and for offense are changing every day, literally.
Mr. Shimkus. Do you think companies that may offer this
might hire your EDA to try to prove them wrong.
Mr. Casciano. Or companies that hire Yorgi. The ethical
hacker.
Mr. Shimkus. Right.
Mr. Casciano. The ethical hacker. And several of the
companies that are represented here have stables of ethical
hackers that do this on behalf of clients.
Mr. Shimkus. Great. Thanks.
And I want to go to Mr. Doll for my last question. The
newly created Critical Infrastructure Protection Board, do you
think this should be codified? In other words, put into
statute?
Mr. Doll. I think the protection board is a positive step
forward to get a partnership with private industry and public.
And I think we're positive that it's a step in the right
direction, that we need to share information and to move those
things forward.
Now, what happens next and how that would play out, I don't
think I'm in a position to say how that really effects future
decisionmaking. so I think that we're cautiously optimistic
right now.
Mr. Shimkus. You know, we're legislators here, so our
question is always does the Executive Office suffice for now or
do we need legislation to codify it? It's evolutionary right
now. And I would recommend that if you--it's no different than
what we're doing in these other issues of bioterrorism of
homeland defense. As we move forward, if there's a time to
codify, then please come back.
Did you want to add, Mr. McCurdy?
Mr. McCurdy. Well, to me a follow up. Yes, I think we're in
an assessment period of time. The events of 9/11 have changed
how corporations are responding to this. We work with many of
the Fortune 500 and now board level responses are coming to
this. And I think we need to assess and then act aggressively
once we formulate some policy.
Mr. Doll. I would urge the committee and the Congress to be
careful about mandates with regard--and getting in the business
of architecting some kind of structure here. Because as soon as
you do, then the problem changes.
One of the challenges we in America face, and certainly you
as representing the government, is that the government is not
organized today and has become too stovepiped and too rigid.
And I think Mr. Ridge and others are finding the challenge of
that.
So I would think that the best model were to be the
voluntary model that was used during Y2K and look at some of
the specific legislative efforts to improve the information
sharing.
Mr. Shimkus. Thank you.
And I yield back, Mr. Chairman.
Mr. Stearns. I thank the gentleman.
Mr. Deal?
Mr. Deal. Thank you, Mr. Chairman.
We've been made aware over the last several weeks that some
of the same things you're alluding to exist in other areas of
government. For example, we are told that FERC, OSHA, other
Federal agencies require those over whom they have certain
jurisdictional controls to divulge to them the worst case
scenarios. In other words, where are your power plants most
vulnerable and how? Where are you pipelines most susceptible to
being bombed or interrupted.
And by virtue of the government agencies requiring this
information, it likewise under the Freedom of Information Act,
then becomes available to whoever might want to know what the
worst case scenario is and they don't even have to do their own
homework, the agency has been forced by the government to do it
for them.
Now when we talk about the Internet we, for most purposes,
kept our hands off of it pretty well. So I don't see it from
that angle, but is it the fact that many of your clients are
regulated by existing Federal agencies such as the banking
industry is regulated, and therefore if they disclose
information it then becomes available as to either problems
that have existed or potentially do exist? Is that same kind of
scenario that you are seeing playing out, and if so would
somebody elaborate on what it is? Because you mentioned the
Freedom of Information Act. I can see it from the standpoint of
once you disclose a vulnerability. But are there mandatory
requirements in place that require those disclosures or can you
as Mr. Morrow said, just maybe simply keep your mouth shut and
thereby avoid it? What is that?
Mr. McCurdy. Well, first of all, Mr. Deal, some of those
other agencies, FERC and others, are in heavily regulated
industries including telecommunications. Again, that's a
sectorized approach. The Internet cuts through that vertical
and that stovepiped organization. Eight-five percent or even
greater of the Internet's none government. It's publicly owned.
And it's hard to impose some kind of regulation or mandate on
them.
Grimm-Leach-Bliley was an important tool for the financial
industry, but that's--and it's a good standard, but it's not a
standard that should be applied all the way across. Eighty
percent of the problems of the Internet are common to all
industry, whether it's insurance, whether it's the utilities,
you know, entertainment industry. That's where we think that by
improving the information sharing, by having these horizonal
nonprofit private organizations as opposed to government, you
will get the greatest flow of information that improves best
practices, and that's what you're talking about. Not formal
rigid standards, but mandatory practices.
I thought the statement about people processing technology
is a good matrix to use. We ought to be focused on the people,
and that's what industry ought to be doing. Technology we can
do as well. We can cooperate through these public/private
partnerships, but I don't believe it should be a rigid
government standard.
Mr. Deal. Several of you, though, have mentioned the
Freedom of Information Act as being a problem area. Is any of
the legislation that is pending now address that particular----
Mr. McCurdy. Yes, Davis-Moran and Senator Bennett's bill
provide an exemption as in the Y2K exemption for information
sharing.
Mr. Deal. And that should solve most of those problems?
Mr. McCurdy. I think there's unanimous support here for
that position.
Mr. Deal. Okay. All right. Fine.
I believe we're getting probably close a vote on the floor,
from what I understand.
I'll yield back, Mr. Chairman.
Mr. Stearns. Well, no. We haven't got the 10 minute vote
yet.
Mr. Deal. Okay. Well, let me ask Mr. Klaus, and let me tell
you we are proud of Mr. Klaus, a Georgia Tech graduate----
Mr. Klaus. The Georgia mafia, you got to watch----
Mr. Deal. As you can tell by his appearance, he is one of
the younger more successful entrepreneurs and one of the really
leading experts in the area of security, and we welcome you
here.
You had a response I think to the earlier initial question
that the chairman had asked that you didn't have a chance to
respond. Can you remember what the issue was that you wanted to
respond to, and I was going to give you the chance to do that?
Mr. Klaus. It was adding onto a comment, and I did not
write it down in terms of exactly what it was going to be.
Mr. Deal. All right.
Mr. Klaus. I appreciate that.
Mr. Deal. I think all of us are concerned about what can we
do. We don't want to do anything that's going to make it worse,
we want to try to make it better. And I gather from your
comments that most of you are supportive of these remedial
pieces of legislation that are pending.
Obviously things like sentencing standards and sentencing
guidelines are not within our jurisdiction, nor the
jurisdiction of the Committee on Civil Forfeitures.
You know, I suppose we would have to forfeit a lot of
nerd's computers out there if this is the remedy that's there.
But if we have moved from just the prankster, the
intellectual graffiti artist to the more sophisticated people,
you've already elaborated on what some of those motives are,
whether it be blackmail--which that's an interesting one, I
hadn't thought about that one--to actually attempting to
actually seize some form of money and the processes that are
interchange of commerce, how do we get a handle on that?
Because obviously this is the Commerce Committee and we have
interstate commerce type jurisdiction whether we can pass it
maybe to the Judiciary Committee for their responsibilities or
not. But are there other areas of legislative corrections that
you envision need to be made that are not embodied in any of
the pending bills?
Mr. Klaus. I would suggest the other oversight
responsibility of this committee, which has an incredible
breadth of jurisdiction and continue to have the hearings.
Don't leave it up to government on the other side to do this.
Government can provide a model, but I would urge you to
look at other industries, cross industries. There's some
interesting things with regard to insurance.
There are cyber insurance policies today, now they're not
based on a lot of actuarial data, because there is very little
data. They're kind of seat-of-the-pants, and insurers will tell
you that. But there's some interesting contradictions.
For instance, physical coverage for terrorism is now
available, but cyber terrorism is not covered under insurance.
And the question is are you going to get boards of directors
and senior leadership of companies to pay attention if, in
fact, it's not. But if you mandate it, then you create a whole
potential area of cost.
So there's some tough balances here, and those are very
interesting questions that I would submit probably fall within
your jurisdiction.
Mr. Deal. One quick follow up. A lot of you have said the
government ought to be the one to set the example by the
agencies of the government. And you've also talked about the
industry trying to come up with industry type standards.
One of the worst things I think the government does is to
do something but do it differently from one agency to the
other. Has that begun to happen, and is there any effort now to
say if the government is going to initiate security
protections, that it should be a uniform type security
protection that every agency of the government follows the same
kinds of standards? Is that happening or is it not happening?
Ms. Davidson. Yes, Mr. Deal, there are some differences.
For example, even among the constituency that requires security
evaluations, for example, against the common criteria I have
seen agency specific what they call protection profiles. So
even though there's a common framework for what does it mean
when you say you're secure, I have seen a number of agencies
who say we want our own special Good Housekeeping seal of
approval, even though it may be the exact same product.
Mr. Deal. And that's for vendors attempting to sell
products.
Ms. Davidson. Exactly.
Mr. Deal. Okay.
Ms. Davidson. And that's very difficult because I would say
for a large complex data server, the cost of one of these
evaluations is about a half a million dollars plus, including
personnel costs, make it a round million dollars all in. And
for companies to do that on an unfunded basis is very
difficult, particularly in these economic times.
What I'd really like to see is to say if you do it once,
it's good across all the agencies or the entities who have an
interest in this type of product, and you could take the most
discriminatory approach and say we'll make the most rigid
standard rather than the least rigid standard the one that
companies have to comply with.
Mr. Deal. So that could be an oversight issue.
Mr. Stearns. I want to thank the gentleman.
And let me just conclude by thanking all the witnesses for
coming this morning and this afternoon. I think it's a very
good hearing.
I think the conclusion is that we're hoping industry will
step up to the plate and have Ms. Davidson has talked about, a
level of awareness of what information technology is. If not,
obviously Congress as a resort could mandate security
standards, which we don't want to do.
And with that, I'll adjourn the committee.
[Whereupon, at 2:50 p.m. the subcommittee was adjourned.]
�