<DOC>
[108th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:96315.wais]
PROTECTING OUR NATION'S CYBER SPACE: EDUCATIONAL AWARENESS FOR THE
CYBER CITIZEN
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
POLICY, INTERGOVERNMENTAL RELATIONS AND
THE CENSUS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
APRIL 21, 2004
__________
Serial No. 108-209
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
96-315 WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800
Fax: (202) 512ÿ092250 Mail: Stop SSOP, Washington, DC 20402ÿ090001
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York
JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania WM. LACY CLAY, Missouri
CHRIS CANNON, Utah DIANE E. WATSON, California
ADAM H. PUTNAM, Florida STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia C.A. ``DUTCH'' RUPPERSBERGER,
CANDICE S. MILLER, Michigan Maryland
TIM MURPHY, Pennsylvania ELEANOR HOLMES NORTON, District of
MICHAEL R. TURNER, Ohio Columbia
JOHN R. CARTER, Texas JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee ------ ------
PATRICK J. TIBERI, Ohio ------
KATHERINE HARRIS, Florida BERNARD SANDERS, Vermont
(Independent)
Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director/Communications Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel
Subcommittee on Technology, Information Policy, Intergovernmental
Relations and the Census
ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan WM. LACY CLAY, Missouri
DOUG OSE, California STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania ------ ------
MICHAEL R. TURNER, Ohio
Ex Officio
TOM DAVIS, Virginia HENRY A. WAXMAN, California
Bob Dix, Staff Director
Dan Daly, Professional Staff Member
Juliana French, Clerk
Adam Bordes, Minority Professional Staff Member
C O N T E N T S
----------
Page
Hearing held on April 21, 2004................................... 1
Statement of:
Clinton, Larry, chief operating officer, Internet Security
Alliance; Andrew Howell, vice president, Homeland Security,
U.S. Chamber of Commerce; Rodney Petersen, security task
force coordinator, EDUCAUSE; and Douglas Sabo, member,
board of directors, National Cyber Security Alliance....... 58
Swindle, Orson, Commissioner, Federal Trade Commission; and
Amit Yoran, Director, National Cyber Security Directorate,
Department of Homeland Security............................ 12
Letters, statements, etc., submitted for the record by:
Clay, Hon. Wm. Lacy, a Representative in Congress from the
State of Missouri, prepared statement of................... 10
Clinton, Larry, chief operating officer, Internet Security
Alliance, prepared statement of............................ 61
Howell, Andrew, vice president, Homeland Security, U.S.
Chamber of Commerce, prepared statement of................. 69
Petersen, Rodney, security task force coordinator, EDUCAUSE,
prepared statement of...................................... 84
Putnam, Hon. Adam H., a Representative in Congress from the
State of Florida, prepared statement of.................... 5
Sabo, Douglas, member, board of directors, National Cyber
Security Alliance, prepared statement of................... 105
Swindle, Orson, Commissioner, Federal Trade Commission,
prepared statement of...................................... 15
Yoran, Amit, Director, National Cyber Security Directorate,
Department of Homeland Security, prepared statement of..... 36
PROTECTING OUR NATION'S CYBER SPACE: EDUCATIONAL AWARENESS FOR THE
CYBER CITIZEN
----------
WEDNESDAY, APRIL 21, 2004
House of Representatives,
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 2 p.m., in
room 2154, Rayburn House Office Building, Hon. Adam H. Putnam
(chairman of the subcommittee) presiding.
Present: Representatives Putnam and Clay.
Staff present: Bob Dix, staff director; John Hambel, senior
counsel; Dan Daly, professional staff member and deputy
counsel; Juliana French, clerk; Suzanne Lightman, fellow;
Earley Green, minority chief clerk; and Jean Gosa, minority
assistant clerk.
Mr. Putnam. A quorum being present, this hearing of the
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census will come to order.
Good afternoon and welcome to another important hearing on
cyber security.
I want to welcome you all today to the hearing entitled
``Protecting our Nation's Cyber Space: Educational Awareness
for the Cyber Citizen.'' In the past few years, the growth in
access and use of the Internet, the increase in high-speed
connections that are always on, and the rapid development and
deployment of new computing devices has resulted in an
expanding global computing network. Although these advances
have improved our quality of life, this global network is
susceptible to viruses and worms that can circle the world in
minutes, not to mention the potential of more malicious cyber
attacks. While businesses, educational institutions, and home
users enjoy the benefits of using the Internet, they are often
not adequately informed about the potential dangers that their
computer systems face if left vulnerable and unprotected. The
good news is there are solutions and remedies to help mitigate
the threats; the bad news is awareness of these solutions and
the practice of safe Internet use is not far reaching. Attacks
are evolving at a greater speed than preparation.
This hearing will provide an opportunity to learn about the
efforts of the Federal Government, trade associations,
corporations, and nonprofits to raise awareness about the
importance of cyber security. Today I want to call on all
stakeholders to take immediate action. All of us have a role
and a responsibility to implement basic cyber security hygiene
in order to reduce the potential vulnerabilities that could
contribute to a successful cyber attack.
As use of the Internet all over the world grows, so do the
presence and ambitions of people with criminal and malicious
intent. Hackers attempt to take over people's computers to
create ways to send spam, steal information, and launch attacks
undetected. Criminals try to trick unsuspecting cyber citizens
to reveal personal information by impersonating respectable Web
sites, a crime known as ``phishing.'' Consumers on the Internet
may be tricked into downloading spyware. These programs may be
harmless, yet extremely annoying, such as delivering a
continuous stream of pop-up ads. Or they may be malicious,
extracting information such as passwords and personal
information for criminal purposes.
There are existing and emerging protections against these
threats. Cyber citizens can arm themselves with virus
protection software to help stop any potential impact of worms
and viruses. Use of firewalls can help prevent some forms of
spyware. Of course, after the rapid spread and dramatic impact
of worms and viruses this past year, I think we all know the
importance of keeping our systems patched and up to date.
Security notices are everywhere reminding us not to open e-mail
from people we do not know, and not to download programs from
unknown sources.
However, many Internet users, consumers, nonprofits,
educational institutions, and businesses do not employ these
well-known protections. They are either unaware of the risks,
or unaware of the solutions, or both.
User awareness is only part of the problem. Many of the
security problems that users face are rooted in products that
were designed to deliver functionality, often without adequate
regard to security. The manufacturers of both software and
hardware products must accept some responsibility in this area
and respond to the growing demands of the consuming public for
improved quality and security. This subcommittee has already
held hearings on the proliferation of worms and viruses and on
the issue of software assurance. And I will continue to pursue
those issues. But I am heartened by what I see as signs that
the manufacturers are stepping up to the plate. I see an
increased attention to security that seems to go beyond merely
lip service. Manufacturers of all levels of notoriety are
publicly confirming their commitment to providing consumers
with products that are less ``buggy'' and more secure.
In an effort to dramatically improve information security
throughout corporate America, I convened a group of 25 leaders
from business organizations, as well as representatives from
academic and institutional communities to form the Corporate
Information Security Working Group. The intent was to produce a
set of recommendations that could form the basis of an action
plan for improving cyber security for businesses and
enterprises of all sizes and sectors. The group divided into
subgroups, one of which was the Awareness, Education, and
Training Subgroup. This subgroup's mission was to identify,
partner with and build on the good work of organizations that
have or are developing campaigns to raise awareness on the
importance of cyber security. Let me pause and acknowledge the
tremendous work that Commissioner Swindle and the FTC have been
pursuing for some time now. It is my view that our collective
efforts can make a difference. The Awareness, Education, and
Training Subgroup reported recommendations for three categories
of users--small businesses, large enterprises, and home users.
For small businesses, the group suggested creating and
distributing a Small Business Guidebook for Cyber Security that
explains cyber security risks in terms that are readily
understood and that motivate small business owners to take
action.
For large enterprises, the Awareness, Education, and
Training Subgroup suggested enhancing distribution of existing
documents for large enterprise managers. Many organizations,
including the Institute for Internal Auditors, the Internet
Security Alliance, and the Business Software Alliance, have
done great work in this regard. The group believes these
documents deserve greater distribution and will work with
organizations representing large corporations to find the
proper channels for broader dissemination. Furthermore, for
large enterprises, the group suggested creating a guide for
information security for C-level executives, such as CEOs,
CFOs, and COOs. A user-friendly guide for C-level executives is
necessary to raise the profile of the information security
issue in terms senior executives can understand. To that end,
the group is currently working with representatives of large
business organizations to see how it might collaborate on and
distribute such a guide.
Finally, the group suggested targeted efforts aimed at the
mass market would help educate home users. The group is seeking
to buildupon existing relationships and forging new
partnerships between organizations, corporations, and the
government to help educate the home user base on cyber
security.
One of the other subgroups worked diligently on developing
a set of best practices and guiding principles in information
security that could apply from the most unsophisticated home
user to the most sophisticated enterprise. Those efforts have
produced incredible results, and provided a foundation for the
Awareness, Education, and Training Subgroup to buildupon.
In addition to my Corporate Information Security Work
Group, there are several other organizations, including both
public and private entities, that are working to improve
awareness and provide education to cyber citizens. This
includes a broad base of constituent groups, including the
education community. Today we will hear about awareness and
education efforts in the K through 12 community, as well as in
institutions of higher education. In addition to these
awareness and education efforts, I am pleased to announce at
this hearing two partnerships that the Department of Homeland
Security is undertaking to train information security and
assurance professionals through our Nation's colleges and
universities. The Department will be partnering with NSA to
enhance the Centers of Academic Excellence in Information
Assurance Education Program to increase the number of
information security professionals entering the work force. The
Department will also be partnering with the National Science
Foundation on a Scholarship for Service Program, which provides
2-year scholarships for training information assurance
specialists who in turn make a commitment to work for a Federal
civilian agency for 2 years. I look forward to hearing more
about these various initiatives in the testimony today.
I will note that I do have a concern. I worry that if we
bombard our cyber citizens with too many messages from too many
sources, they may become confused and take no action at all. If
we are to begin a national, intensive campaign to educate
individuals, and small and medium businesses on cyber security,
we need to have a collaborative strategy that facilitates the
delivery of a clear and common message about how folks can
protect against the threat of a cyber attack. I look forward to
hearing from today's witnesses that my concern is being
addressed in a proactive and collaborative manner.
We must maintain the advantages that multiple channels give
us for outreach and we must continue to recognize that one size
does not fit all and that a required level of cyber security
hygiene will vary depending on the profile of the user. Some
basic steps are invariably common to most users and today we
will identify steps being taken to convey that information. The
more voices repeating the message, the more people are likely
to hear it and pay attention. It would be difficult in my
estimation and based on what I have learned to overstate the
importance and timeliness of such an effort.
I look forward to the testimony of our witnesses and I
thank them for their contribution to the cyber security of our
Nation.
Today's hearing can be viewed live via Web cast by going to
reform.house.gov and clicking on the link under live committee
broadcast.
[The prepared statement of Hon. Adam H. Putnam follows:]
[GRAPHIC] [TIFF OMITTED] T6315.001
[GRAPHIC] [TIFF OMITTED] T6315.002
[GRAPHIC] [TIFF OMITTED] T6315.003
[GRAPHIC] [TIFF OMITTED] T6315.004
Mr. Putnam. I would like to welcome the gentleman from
Missouri, our ranking member of the subcommittee, Mr. Clay, and
recognize him for his opening remarks.
Mr. Clay.
Mr. Clay. Thank you, Mr. Chairman, for holding today's
hearing on ways we can improve our educational efforts in the
realm of cyber security. I, too, share your concerns and I am
hopeful that our witnesses can share with us different
perspectives on effective methods for reaching our goals.
As our global economy becomes more dependent on the
efficiencies associated with the information super-highway, we
must become more aware of the risks and costs associated with
such advanced technology. Although legislating appropriate
standards in rapidly changing technologies is, at best, a
reactive approach to policymaking, we may have few other viable
options. The ominous threat of widespread and well-orchestrated
cyber attack would have severe consequences in both real
economic terms and consumer confidence. If efforts to legislate
cyber security standards are to be effective, the prevention of
such attacks through outreach, training, education, and
awareness must be central to its mission.
Once again, I believe there are two central components that
are integral to providing adequate computer security for the
Federal Government. First, the management of our agencies'
networks must become a top priority throughout the government.
This approach should not only include adequate funding for
computer security, but better stewardship of our critical
assets and more frequent vulnerability assessments for our
investments.
Second, the government must find a way to incorporate
minimal software and hardware security standards into its
annual $60 billion investment in information technology. We
must harness the purchasing power of the Federal Government to
demand more stringent computer security standards from vendors
and contractors at every level of the procurement process.
I want to thank our chairman for his work on improving
computer security standards through the Corporate Information
Security Working Group. It is my hope that his collaborative
efforts with the private sector can bring us closer to
achieving what have been, to this point, elusive goals.
Mr. Chairman, this concludes my remarks, and I ask that
they may be inserted into the record. Thank you.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
[GRAPHIC] [TIFF OMITTED] T6315.005
[GRAPHIC] [TIFF OMITTED] T6315.006
Mr. Putnam. Without objection, so ordered.
I will move directly into the oath. As is the custom with
this committee, our witnesses are sworn in.
[Witnesses sworn.]
Mr. Putnam. Note for the record that both witnesses
responded in the affirmative.
We will now move into the testimony. I would like to
introduce our first witness, Orson Swindle. Mr. Swindle was
sworn in as Commissioner for the Federal Trade Commission
December 18, 1997. In December 2001, Commissioner Swindle was
appointed as head of the U.S. delegation to the Organization
for Economic Cooperation and Development Experts' Group to
review the 1992 OECD guidelines for the security of information
systems. He has a distinguished military career, and served in
the Reagan administration from 1981 to 1989 directing financial
assistance programs to economically distressed rural and
municipal areas of the country. As Assistant Secretary of
Commerce for Development, he managed the Department of
Commerce's national economic development efforts, directing
seven offices across the country. He was State Director of the
Farmers Home Administration for the U.S. Department of
Agriculture, financing rural housing, community infrastructure,
businesses, and farming.
We welcome you to the subcommittee, and appreciate your
work in this area. You are recognized for 5 minutes for your
oral statement. Your written statements, for both witnesses,
will be inserted into the record. You are recognized.
STATEMENTS OF ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE
COMMISSION; AND AMIT YORAN, DIRECTOR, NATIONAL CYBER SECURITY
DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY
Mr. Swindle. Mr. Chairman, Mr. Clay, and members of the
subcommittee, I appreciate the opportunity to discuss the FTC's
work on information security. The views expressed in the
written statement represent the views of the Federal Trade
Commission. My oral remarks and responses to questions, of
course, are my own. This hearing is most timely and I applaud
the chairman for his leadership on this very vital subject.
Today, maintaining the security of our information systems
and networks is essential to every aspect of our lives. We are
all directly or indirectly linked together by this
infrastructure. We benefit enormously from these systems;
however, there are vulnerabilities that threaten the security
of and do major harm to stored information, the flow of
information, and the continued viability of the systems
themselves.
The FTC has sought to address these vulnerabilities through
consumer and business education, stressing the fundamental
importance of good security practices, plus law enforcement
actions, and international cooperation. Safe computing
practices by home computer users are especially important in
our broadband world. Viruses, worms, and dial-up service
attacks have left a trail of very costly destruction and, as
the chairman mentioned, it could get worse. To help promote a
culture of security, the FTC created an information security
mascot, Dewie the e-Turtle, to educate businesses, consumers,
and children about the importance of information security and
the precautions they can take to protect personal information.
The Dewie Web site has registered more than 600,000 visits
since its deployment in August 2002. In addition the FTC had
distributed a video news release seen by 1.5 million consumers;
we have distributed 160,000 postcards featuring Dewie; and
information security was the theme of National Consumer
Protection Week in 2003.
Our Web site contains tips on how to stay safe on line as
well as publications addressing issues related to spam, file
sharing, high-speed Internet access, shopping on line, and
identity theft. The growing problem of phishing is addressed.
This is a high-tech scam that uses spam to deceive consumers
into disclosing their credit card numbers, bank account
information, Social Security numbers, passwords, and other
sensitive personal information. This information and our Web
sites are available to Members of Congress for constituent
services. Despite our efforts, only about three dozen Members
of the Congress have their Web sites linked to the FTC Web
site. I think we can all do better than this.
The Internet has made us a global community and
international collaboration is important to ensuring
information security. The FTC has played a leading role within
the OECD in revising and implementing its security guidelines,
urging a widely publicized OECD Web site, and aggressively
urging member countries to immediately implement the principles
of information security. We are encouraging our global partners
to share their experiences with the international community,
including the APEC, the United Nations, and the TransAtlantic
Business and Consumer Dialogues.
The FTC, the Department of Homeland Security, and such
organizations as the newly formed National Cyber Security
Partnership of trade associations, which includes the Chamber
of Commerce, ITAA, TechNet, and BSA, are working individually
and together to enhance consumer and business education. The
National Cyber Security Summit met in December 2003 to
implement the National Strategy to Secure Cyber Space and
formed five task forces, including one devoted to comprehensive
awareness. I am pleased that Dan Caprio of my staff
participated as co-chairman of the awareness task force. That
task force issued a report recommending a number of very
concrete proposals to increase consumer awareness, including a
comprehensive cyber awareness campaign to reach consumers
through a 3-year national advertising campaign; a partnership
with ISPs to educate home users about cyber security issues;
and distribution of a cyber security tool kit through Stay Safe
On Line.
The FTC remains committed to expanding our public-private
partnership and leveraging relationships with consumer groups,
industry, trade associations, other government agencies, and
educators to raise consumer awareness. The Commission has used
its law enforcement authority to address information security
issues using our authority under Section 5 of the Federal Trade
Commission Act. To date, the Commission's security cases have
been based on deception. In four separate settlements with
companies that collected personal information from consumers,
including a settlement with Tower Records which was announced
today, we have alleged that the companies made explicit or
implicit promises to take appropriate steps to protect
consumers' information. In fact, we found their security
measures to be inadequate. We alleged that Tower made specific
promises to protect personal information provided by consumers
on its Web site, yet failed to take reasonable and appropriate
steps to detect and prevent against well-known vulnerabilities.
The lesson: When you are making changes, do not forget to
ensure that your security safeguards are in place.
Through these information security enforcement actions, the
Commission has come to recognize several principles that govern
any information security program. First, a company's security
procedures must be appropriate for the kind of information it
collects and maintains. Second, not all breaches of information
security are violations of the Federal Trade Commission law.
Third, there can be law violations without a known breach in
security. And fourth, good security is an ongoing process of
assessing and addressing risk and vulnerabilities.
The critical reality in our information-based economy is
that we all have a role to play in protecting cyber space.
Creating a culture of security is a journey, it is not a
destination, and leadership will be essential. Thank you for
this opportunity to appear here today, and I look forward to
answering your questions.
[The prepared statement of Mr. Swindle follows:]
[GRAPHIC] [TIFF OMITTED] T6315.007
[GRAPHIC] [TIFF OMITTED] T6315.008
[GRAPHIC] [TIFF OMITTED] T6315.009
[GRAPHIC] [TIFF OMITTED] T6315.010
[GRAPHIC] [TIFF OMITTED] T6315.011
[GRAPHIC] [TIFF OMITTED] T6315.012
[GRAPHIC] [TIFF OMITTED] T6315.013
[GRAPHIC] [TIFF OMITTED] T6315.014
[GRAPHIC] [TIFF OMITTED] T6315.015
[GRAPHIC] [TIFF OMITTED] T6315.016
[GRAPHIC] [TIFF OMITTED] T6315.017
[GRAPHIC] [TIFF OMITTED] T6315.018
[GRAPHIC] [TIFF OMITTED] T6315.019
[GRAPHIC] [TIFF OMITTED] T6315.020
[GRAPHIC] [TIFF OMITTED] T6315.021
[GRAPHIC] [TIFF OMITTED] T6315.022
[GRAPHIC] [TIFF OMITTED] T6315.023
[GRAPHIC] [TIFF OMITTED] T6315.024
Mr. Putnam. Thank you very much Commissioner.
Our next witness is Amit Yoran. Mr. Yoran is the Director
of the National Cyber Security Division of the Department of
Homeland Security. The National Cyber Security Division
provides for 24-7 functions, including conducting cyber space
analysis, issuing alerts and warnings, improving information
sharing, responding to major incidents, and aiding in national
level recovery efforts. Most recently Mr. Yoran served as the
vice president of worldwide managed security services at the
Symantec Corp., overseeing 24-7 security operation centers
delivering security services to hundreds of companies in over
40 countries around the world. Prior to working at Symantec,
Mr. Yoran founded RipTech, an information security company. He
also served as an officer in the U.S. military as the
vulnerability assessment program director for the U.S.
Department of Defense's computer emergency response team, and
supported security efforts for the Office of the Assistant
Secretary of Defense.
We welcome you to the subcommittee. You are recognized for
5 minutes.
Mr. Yoran. Good afternoon, Chairman Putnam and
distinguished members of the subcommittee. My name is Amit
Yoran, and I am Director of the National Cyber Security
Division within the Office of Infrastructure Protection of the
Homeland Security's Information Analysis and Infrastructure
Protection Directorate. I am pleased to appear before you today
to discuss our initiatives addressing educational awareness for
the cyber citizen. We view cyber awareness as a critical
component within our mandate to improve cyber security. We have
implemented measures to reach as many people as quickly as
possible. Education and training are also critical elements of
our strategic initiatives to improve the long term cyber
security posture of our Nation. Education of our cyber
community on the rules of the road is fundamental for enhancing
citizen safety in the cyber world.
The National Cyber Security Division was created to serve
as the national focal point for public and private sectors to
address cyber security issues. NCSD is charged with
coordinating the implementation of the National Strategy to
Secure Cyber Space. The Department works closely with our
partners in the Federal Government, at the State and local
level, as well as with the private sector and academia on a
variety of programs and initiatives to protect our information
infrastructure.
On January 28th of this year, the Department of Homeland
Security unveiled the National Cyber Alert System, delivering
targeted, timely, and actionable information to Americans to
secure their computer systems. We have already issued several
alerts and a periodic series of best practices and how-to
guidance pieces. We strive to make the information provided
understandable to all computer users, both the highly technical
and those like my wife, who, despite her advanced degrees and
profession, need this information presented in plain English. I
am pleased to report that Americans are exhibiting a keen
interest in the alert system. And on the day of the National
Cyber Alert System launch we had over 1 million hits to the US-
CERT Web site. Today, more than 250,000 direct subscribers are
receiving National Cyber Alerts to enhance their cyber
security. For your reference and for your constituents, I urge
you to visit www.us-cert.gov and to encourage you to include a
link to US-CERT on your congressional Web page and recommend
your constituents sign up for the National Cyber Alert System
to help them improve their cyber vigilance and protect our
Nation.
We have engaged in many media interactions to provide a
voice of reason in our efforts to improve awareness among the
cyber citizenry and also reach as many Americans as possible in
the plain language they can easily understand and act upon. The
Department of Homeland Security is the sponsor of the National
Cyber Security Alliance and the Stay Safe On Line, a public-
private effort created to educate home users and small
businesses on cyber security best practices. Each time we turn
our clocks ahead and back to account for Daylight Savings Time
we encourage Americans to review and improve their cyber
readiness. I challenge each Member of Congress to sponsor a
cyber security awareness event in your district on October 31,
the next National Cyber Security Day. Although Cyber Security
Day is not yet broadly recognized, our continued and joint
efforts will ensure their future success and effectiveness.
In addition to awareness, other key aspects of our strategy
are focused on training and education. Homeland Security is
actively engaged with our intergovernmental partners and is
also reaching out to academic institutions to establish
cooperative relationships. I again cite the two recent
accomplishments which you previously mentioned in this regard.
We have signed on to partner with the National Security
Agency to expand the NSA Center for Academic Excellence in
Information Assurance Education Program to a broader National
Centers of Academic Excellence initiative. The program was
established by the NSA in 1998 to promote higher education in
information assurance. Universities designated as centers are
eligible for scholarships and grants through both the Federal
and Department of Defense Information Assurance Scholarship
programs. The new, increased scope will accelerate and expand
the current program to attain national prominence, attract
participation from other universities, resulting in an
increased number of cyber security professionals for our
Nation.
Second, Homeland Security has partnered with the National
Science Foundation on the Scholarship for Service program. This
initiative promotes university level information assurance
education and places program graduates into the Federal work
force. The Department of Homeland Security has already hired
graduates and we are excited about the capability of these
graduates and the quality of the work force this program is
producing.
In addition to these accomplishments, we have identified
other strategic education programs. We are working with the
Department of Education, EDUCAUSE, and others to develop cyber
security programs for the K through 12 curriculum in our public
schools. It is imperative that we educate and raise America's
youth in a culture which fosters prudent cyber security
practices and ethics. Our goal is to ensure that all computer
users understand the rules of the road for cyber security and
are empowered to stay safe on line.
Thank you for opportunity to testify before you today. I
would be pleased to answer any questions that you have at this
time.
[The prepared statement of Mr. Yoran follows:]
[GRAPHIC] [TIFF OMITTED] T6315.025
[GRAPHIC] [TIFF OMITTED] T6315.026
[GRAPHIC] [TIFF OMITTED] T6315.027
[GRAPHIC] [TIFF OMITTED] T6315.028
[GRAPHIC] [TIFF OMITTED] T6315.029
[GRAPHIC] [TIFF OMITTED] T6315.030
[GRAPHIC] [TIFF OMITTED] T6315.031
[GRAPHIC] [TIFF OMITTED] T6315.032
[GRAPHIC] [TIFF OMITTED] T6315.033
[GRAPHIC] [TIFF OMITTED] T6315.034
[GRAPHIC] [TIFF OMITTED] T6315.035
Mr. Putnam. Thank you, Mr. Yoran. I appreciate your being
here today. You have had an interesting week. I would like to
give you the opportunity to elaborate on the Cyber Alert that
you have issued and if you would give some comment to this
subcommittee on the nature of the vulnerability and the status
of efforts to remedy that vulnerability on the Internet
routers.
Mr. Yoran. Thank you, Chairman Putnam. The creation of the
National Cyber Alert System allows us to reach out directly to
a large number of operators in cyber space with information
targeted to them on how they can best protect their systems or
the systems which they are responsible for. In a number of
recent cases, vulnerabilities have been brought to our
attention which would cause specific routers to malfunction and
become inoperable and not pass the traffic which they were
intended to pass. This vulnerability is not information which
is actionable to most home users, but certainly through our
targeted delivery mechanism we can reach out to the cyber
security community and provide this information to them. The
detail and accuracy of the information allow the Department of
Homeland Security and the Federal Government to work closely
and cooperatively with the private sector. In an alert we
issued late last night, we worked closely with Cisco, who
proved to be a valuable partner to the Department of Homeland
Security and the Nation in being very forthright about a
vulnerability which was brought to their attention in their
close working relationship with the US-CERT and the Department
of Homeland Security, and, perhaps most importantly, with their
customers, to assure that Internet backbone services and
routers were adequately protected in an expeditious fashion.
Mr. Putnam. Why was it the British Government who revealed
the vulnerability and not the Department of Homeland Security
in our own country?
Mr. Yoran. I will not comment on the logic behind the
British Government releasing this vulnerability on their
specific timeline. Given the availability of that information,
it was important for the Department of Homeland Security,
working with Cisco and key Internet service providers, to put
out and make as broadly available as possible some technical
information with an appropriate level of detail so that folks
knew how best to protect themselves. I am happy to report that
while this is a significant vulnerability, those warnings were
rapidly heeded by much of the backbone community and the
likelihood of significant Internet disruption as a result of
this vulnerability has been minimized.
Mr. Putnam. My understanding is, and correct me if I am
wrong, that the potential for this vulnerability has been known
for some time; it was not known that anyone could exploit it.
Is that the case? And if so, how long has your office been
aware of the existence of this potential vulnerability? And the
followup would be, are there others that until now people have
thought were not exploitable that we should be addressing and
that people should be aware of?
Mr. Yoran. Chairman Putnam, I would welcome the opportunity
to brief you in a smaller forum, a more confidential venue on
some of the pre-public announcement activities and coordination
on what information was released and which communities we
worked with to best serve the public interest and protect the
Nation.
In terms of specific exploit code, in terms of specific
vulnerabilities which were known about and have recently had
exploit code developed, there have been a series of
vulnerabilities discovered over the past 24 hours. In fact, two
alerts have been issued on very similar topics over the past 24
hours. One of those alerts, the one dealing with the border
gateway protocol, the more commonly adopted best practices
approach to router management would significantly mitigate the
risk and exposure an organization would experience, again
highlighting the need for best practices and best practice
guidance such as your working group produced and is available
from NIST and from many of the vendors.
For the second of the recent vulnerabilities discovered, it
is in fact a new vulnerability discovered in a specific
vendor's implementation of the Simple Network Management
Protocol.
Mr. Putnam. I think that Mr. Clay and I both would
appreciate the opportunity to discuss other issues in the
appropriate forum and setting. But for the purposes of this
hearing, let me just ask, is security enhanced by a fundamental
shift from the Internet to IP-6?
Mr. Yoran. Mr. Chairman, there are some very promising
characteristics of IP version 6 which have security enhancing
capability which have significant impact on how the Nation or
the infrastructures might defend against some of the threats we
face today. Many attack techniques which deal with exhaustive
searching of Internet addresses, looking for vulnerabilities
are much less practical in an IP v. 6-type of environment.
Through a number of efforts within the Department of Homeland
Security's Science and Technology Directorate, we are investing
in a better understanding of IP v. 6's effect on Internet
security. The Department of Commerce has a very active effort
in understanding the implications of IP v. 6 and the adoption
of IP v. 6 from a security perspective. It is important,
however, to also recognize that many of the vulnerabilities
which exist and many of the attack techniques which exist are
not going to go away with the increased adoption of this new
protocol.
Mr. Putnam. Thank you. I appreciate that very much. We will
return to the theme of the day.
Commissioner Swindle, the evidence clearly indicates that
computer users of all levels of sophistication are potential
victims of worms and viruses and denial of service attacks. Who
are the target audiences of the efforts by the FTC and, in Mr.
Yoran's case, the cyber security division to address
improvements in cyber security? I assume that the cyber turtle
is not speaking to large enterprises. But in general, as you
prioritize your audience, who is at the top of the list?
Mr. Swindle. Mr. Chairman, the cyber turtle is actually a
very sophisticated creature. He is handsome and he is affable
and he was modeled after me, so let us be careful how we talk
about him. [Laughter.]
Mr. Putnam. Mr. Clay and I would like to meet him. Can we
call him as a witness? [Laughter.]
Mr. Swindle. The FTC has traditionally been involved with
consumer protection matters and consumer education is a large
aspect of how we go about doing our business, both from the
antitrust side as well as the consumer protection side. It is
all to enhance consumer welfare. We have a tremendous amount of
experience in consumer education and our efforts with Dewie the
e-Turtle have been addressed primarily to consumers and small
businesses. However, in the process of finding better ways to
communicate with consumers, we deal with industry associations
and large businesses on a constant basis and have established
some rather good relationships with these companies, seeking a
better understanding of the problems, seeking their advice on
how they market to their customers, and we learn together from
each other's experiences. So, it is a rather comprehensive
approach to educating the consumer.
The target primarily is the broad base. If you can imagine
a triangle of people concerned with computer and information
systems security, the broad base of the triangle would be 250
million consumers here in the United States, and then we can
multiply by all the people in the world who are also involved
in this. Then we get up to higher levels of corporate
involvement, lower levels of small business involvement, but
yet the base is broad and the triangle narrows as you go
higher. So our focus is on the broad base consumers, and we
work closely with industry, small businesses, and associations
to try to convey our message.
Mr. Putnam. Thank you. We look forward to Dewie joining the
great pantheon of other public servant characters like Woodsie
the Owl, Smokey the Bear, and McGruff the Crime Dog.
Mr. Swindle. That was the motivation behind my asking three
bright young people, I said ``I want a Smokey the Bear to be
our spokesperson.'' and they came up with Dewie. And it has
been fairly successful.
Mr. Putnam. Well, good.
Mr. Swindle. At the Federal Trade Commission, while we have
the potential and expertise to do a lot of consumer education,
we are a relatively small agency. We've got Dewie launched, and
we are hoping that industry will pick it up and expand it. And
it has expanded. We have Dewie appearing in schools and on
television and with industries, and we have many industries and
associations of industries linked to our Web site in which you
will see the presence of Dewie on each one of those, as well as
the OECD, for that matter, in the international world. They are
still trying to figure him out over in Germany, but they will
get there.
Mr. Putnam. Thank you, Commissioner. At this time, I would
like to yield to Mr. Clay for his first round of questions.
Mr. Clay.
Mr. Clay. Thank you, Mr. Chairman. I appreciate it.
Mr. Yoran, welcome to the committee. Can you describe for
me the procedures that are in place to work with the private
sector in circumstances that DHS advisories or warnings are
necessary? For example, did the Department of Homeland Security
collaborate effectively with Microsoft and the anti-virus
companies during the recent wave of cyber attacks?
Mr. Yoran. Thank you, Congressman Clay. The Department of
Homeland Security, through the efforts of the U.S. Computer
Emergency Readiness Team, have several venues and interaction
points with which we are working with many entities in both the
public and private sector. In many cases, before issuing a
specific alert, in cases such as the recent Cisco alert which
was published, in cases like recent viruses alerts and
vulnerabilities in specific vendor operating systems such as
MicroSoft, we have worked with and collaborated with those
companies to assure that the information which we are providing
is, in fact, technically accurate and that we are adequately
providing enough information in an actionable fashion so that
the public can work with the vendors providing those specific
software packages on how they can best protect themselves.
Further, our collaboration with the private sector extends
beyond the vendor community and into the critical
infrastructure owner-operator community, working closely with
numerous ISACs, numerous industry associations, other
information sharing organizations, and cyber security
professionals and experts in the private sector to help them
best assess the impact of these vulnerabilities on their
specific industries.
Mr. Clay. An extensive network of consulting going on
there.
Mr. Yoran. Yes, sir. There exists an extensive network and
numerous interaction points which we are continually refining
and expanding upon in a series of public-private partnerships.
Mr. Clay. Thank you. In creating the Homeland Security
Department, Congress moved the Federal Computer Response Team
from GSA to Homeland Security. Has this move contributed in a
positive manner in the ways in which DHS now responds to cyber
attacks? Did anyone leave the agency rather than move, as we
saw with some other agencies?
Mr. Yoran. Well, sir, I could not provide details at this
point as to whether anyone moved or not. I can certainly assure
you that a number of highly qualified experts came into the
Department of Homeland Security with the transition of the Fed-
CERT capability and that Fed-CERT is very active in helping the
Federal Government understand, address, and respond to
vulnerabilities and malicious activities as they are discovered
and as they occur. Earlier this morning, in fact, the Fed-CERT,
Larry Hale, who is the Assistant Director of the US-CERT and
the Director of Fed-CERT, conducted a conference call with OMB,
under the leadership of Karen Evans, and the entire CIO
council, we had representation there from the US-CERT, we had
representation from Cisco, to help provide specific detail on
the recent vulnerabilities, as, again, an illustration of how
that Fed-CERT capability has translated into rapid capability
for the Department of Homeland Security in addressing cyber
security threats. We additionally conducted coordination
activity with the chief information security officers of the
Federal Government over the past 24 hours with respect to this
specific vulnerability.
Mr. Clay. OK. Thank you for that response.
Mr. Swindle, from a business perspective, do you view the
software security industry as competitive and cutting-edge, or
are there limited participants that may impact the availability
of products or the cost of these products? How do you view the
industry as far as from a business perspective?
Mr. Swindle. If I understand the question correctly, Mr.
Clay, there is no doubt in my mind that we have very
competitive companies out there attempting to come up with
better and better and more acceptable, I mean that from the
standpoint of consumer acceptability, products. As Chairman
Putnam mentioned earlier, we have gone through this
evolutionary process of getting into this world of cyber space
and companies raced out, competitively, I might add, to try to
acquire customer base, they had bells and whistles galore. Not
many people were thinking too much about security or privacy
for that matter, which has been a major concern of the Federal
Trade Commission over the past few years. I think today,
certainly on the privacy matter, these competitive companies
are paying attention to it, and now I think they are focusing
on security, and we are seeing better and better products from
a security standpoint.
I think we will eventually see an evolution, and I think
this is driven by the capacity of technology to accommodate it.
I mean, everybody sort of knows what we want to do, getting the
technology that will do it economically is another question. We
are seeing us progress to a point where more and more
computers, especially home computers, the personal devices that
the masses of people use, will have baked into them more and
more security and privacy attributes that will hopefully take
some of the necessary action away from the user and make it
automatic. I guess probably the best analogy I have found
throughout this whole discussion has been the automobile. I can
remember and I guess, I am looking around the room here, I may
be the only one in here that can remember the way automobiles
were back in the early 1950's. There were an awful lot of
things we had to do then that we do not even know exist today.
So I think we will see this industry progress that way. We have
tremendous private sector companies trying to do good work, and
they are working very hard at it.
Mr. Clay. I thank you for that response. One other
question. From your perspective, are there additional measures
that the Federal Government ought to pursue to strengthen
security measures taken by those in private industry? And are
there economic-based computer security hygiene standards or
other mechanisms in the marketplace?
Mr. Swindle. I think the answer to that question is
multifaceted. It is going to take all of us working on it. It
is going to take legislative pressure, it is going to take
regulatory pressure, it is going to take competition pressure.
As I said, we all got out front providing bells and whistles
and nobody thought about security. Now, the company that gets
ahead of its competition is one that is providing good
security. So I think all these forces together are going to
play a role. I think the chairman's program with the private
sector and the initiatives he has taken are good. He has sort
of waived the flag of regulation or some new law, and it is
just amazing how that inspires people to get moving.
Mr. Clay. To get together, right.
Mr. Swindle. And I do the same thing. I say either you do
it--it is like the old Fram oil filter commercial where the guy
holds it up and says either you buy one of these now or I will
see you over here, and there is a smoldering engine over here.
So, legislation alone will not solve this problem. It is moving
too fast. By the time the Congress enacts legislation, that
problem has come and gone and we have a new one. I just do not
think legislation alone is a solution. But I do think we
progress if we are all pushing each other, challenging each
other, and we continue this dialog in search of the right
answer--because we all have a stake in this. We all have a
selfish interest in getting it right because we are going to
pay the price either as a home user whose computer which costs
$700 got a virus and destroyed it, he has an interest in it, as
well as Microsoft and AOL and all these other big guys, and the
Federal Government. So we all have to work on this and push.
Mr. Clay. Thank you for your response, Mr. Swindle.
Mr. Swindle. Yes, sir.
Mr. Putnam. Thank you, Mr. Clay. Before I get back into
some more questions, I would like to introduce Matthew Jaunce,
from Laughton-Childs Middle School in Lakeland, FL, who has a
class assignment of shadowing a member of the community,
hopefully a productive member of the community, unfortunately,
he chose to shadow a Congressman. But Matthew, wave your hand,
and welcome to Washington.
[Applause.]
Mr. Putnam. Commissioner Swindle, is there an estimate on
the amount of economic impact or harm that has been done
through phishing, phishing with a P?
Mr. Swindle. P-H.
Mr. Putnam. Phishing with a P-H.
Mr. Swindle. I struggle with that also. I do not know, Mr.
Chairman, if we have an accurate quantitative assessment of how
much of a problem it is. But we know that identity theft is
very large. I think we did a survey here recently, I think it
was last September, in which it is estimated, if I remember
correctly something on the order of 27 million people over the
past 5 years have had some unfortunate engagement with identity
theft. As you certainly know, and as I mentioned earlier,
phishing is a process whereby people are tricked into giving
vital information such as their names and their Social Security
numbers. Those two items alone can lead to an awful lot of
mischief on the part of bad guys because they can use those two
pieces of information to get credit cards, and by the time you
catch them, your credit report has been done such damage it
will take you years to get over it. These are serious problems
and phishing is expanding.
There are lots of different things that could help curtail
it. But I still contend the one thing that will help most is
individual responsibility. And for people to be responsible and
protect themselves they have to know what is happening. And
that is a part of our consumer education program, to let people
know the kinds of bad things that go on. We are seeing good
signs. There is a commercial running on at least cable
networks, because that is about all I get a chance to look at,
advertising, if I remember correctly, a shredder. It shows a
guy rummaging through a trash can, and he finds some stuff,
puts it in his pocket, and the owner of the trash can drives
up. It is late in the evening, and the guy who is rummaging
through the trash can says, ``Hi, Tom'' or something to that
effect, as if he knew this guy, and the guy has a puzzled look
on his face. So much of this information does come from trash
cans and mishandled information, carelessly handled
information.
So the problem of phishing, I cannot give you quantitative
numbers on it, but I can assure you it is growing. The damage
caused by bits and pieces of personal information falling into
the wrong hands either by people losing it, which tends to be
the dominant way, or somebody stealing it through the
technology of computers is major. Very large.
Mr. Putnam. As a corollary to that, has any action been
taken to prevent the deliberate construction of Web sites that
prey on people's misspellings and particularly target children,
a common misspelling of Britney Spears would lead you into a
pornographic site, or, the most common one, whitehouse.com
instead of whitehouse.gov. I know that is not exactly a cyber
security issue, but since we are talking about protecting the
home user, that certainly is an important piece. Has anything
been done on that where they deliberately construct a Web site
to lure children into these sites?
Mr. Swindle. We have had a couple of cases which go back a
couple of years. One we refer to as ``Fat Finger Dialing,'' or
something of that nature. But we have taken some action against
people who do these kinds of things. Again, it is a large world
out there. I do not recall many complaints of recent times
about that because I frankly think people are sort of savvy to
this and pick up on it. But it is certainly out there, and it
is another pitfall that people can fall prey to.
Mr. Putnam. Sure. Mr. Yoran, what has been the impact of
current and recent legislative initiatives such as Graham-
Leach-Bliley, HIPPA, and Sarbanes-Oxley on improving
information security, not just for the regulated sectors but
throughout corporate America?
Mr. Yoran. Chairman Putnam, some of the corollary effects
of both existing legislation and some of the proposed
legislation is an increased visibility of cyber security
issues, an increased awareness in the private sector of their
responsibilities, and an increased focus on execution of cyber
security practices in the private sector.
I will also add, given the opportunity, to some of the
comments Commissioner Swindle made earlier in terms of cyber
crime. I certainly commend the Department of Justice's focus in
the protection of children and going after child pornography,
and also commend various efforts in the private sector to help
curtail this type of activity, specifically America OnLine and
other organizations which are providing an infrastructure and a
much safer environment for America's youth in terms of their
cyber security and their exposure to some of these threats.
Mr. Putnam. What steps has your division taken to motivate
the private sector to report intrusion incidents, and how is
that information protected so as not to produce a competitive
disadvantage for those people who are doing the right thing and
coming forward with that information?
Mr. Yoran. There are a number of initiatives underway to
help encourage collaboration with the private sector, one
component of which is the reporting of incidents. Certainly, in
our technical alerts and in delivering technical information
and assistance, guidance to the private sector is one form of
activity underway which encourages and has resulted already in
the private sector's willingness to discuss cyber security
issues with the Department of Homeland Security and we are
confident that will continue. Additionally, sharing the
increased practices around information sharing not only within
the public sector, but from the public sector to the private
sector have encouraged increased collaboration with the private
sector. Again, I will cite two recent interactions with Cisco
as the US-CERT and Cisco's willingness to be very forthright
with us and use us as one mechanism for their outreach to their
customers and the set of people who may be affected by recent
vulnerability discoveries.
Mr. Putnam. Commissioner Swindle, do you believe that some
of the recent legislation like HIPPA, and Graham-Leach-Bliley,
and Sarbanes-Oxley have aided in improving information security
throughout corporate America?
Mr. Swindle. In a word, yes. I think again back to that
pressure, and I think it has brought a greater awareness among
corporate America, and the consumers, and vendors, and clients
and customers that this is serious business. And while some of
it may be an enormous burden, as oftentimes legislation tends
to be, we have to keep working to minimize those burdens while
at the same time, where it is possible through legislation, put
in place measures that will improve the circumstances.
I think getting corporate America's leadership focused on
this, getting boards of directors focused on this, on why it is
important, and the bottom line is why it is important for most
of those people, that will help us create this culture of
security that I mentioned. I do not know of a better way that
we can solve this problem or at least minimize this problem. I
do not know that we will ever solve the problem because
technology is moving too much, but when concerns about
information security and privacy of customers and clients and
the information that pertains to them becomes part of a
corporate culture, it will be the way we do things as opposed
to something we have to do. I think in this new world in which
we are living, knowing that is what we should be responsible
for doing, that this is what we ought to do for the benefit of
the corporation ought to be a part of that company's culture.
It is the establishing through audit and other means of how the
company does business and certifying the ethics, the morality,
if you will, the proper procedures that they use for their
corporation.
I think that is just a part of the new world that we live
in. And more and more corporate leadership is realizing this
and they will adopt it because I think they represent
responsible companies that want to do well. I think they are
going to have to do these kinds of things to do well. I would
hope they would do it of their own initiative as opposed to
having to have a law that says you have to do this. This is
common sense. It is the right thing to do.
Mr. Putnam. What is the role of the ISP community in
serving as a communications channel to computer users about
computer security hygiene and cyber ethics?
Mr. Swindle. I think they have a large responsibility in
this and, as I mentioned I think in my oral testimony, a part
of the recent task force on comprehensive awareness, one of the
features of it, initiatives of it would be to have the ISPs
engage in a lot of consumer education. The ISPs have two big
problems. One is all this stuff flooding in on top of it which
is consuming its resources, causing it great expense. And on
the other side of that, the ISPs push, and e-mail comes to mind
right away because that is what most consumers are engaged in
and that is where an awful lot of this mischief goes on, the
nuisances go right out to consumers. The ISPs I think have made
remarkable progress, certainly the major ones, and I am sure
some of the smaller ones have done so also, over the past
couple of years in providing their subscribers with great
tools. I use one of the major ISPs, and I was beating them up
rather severely a couple of years ago and now with their system
I rarely see any spam. I can go see the spam if I want to, but
I do not have to engage it at all. They are doing good work.
They are providing the tools.
What I think the biggest challenge is is getting the point
across to consumers, users, home users, this wide base, the
necessity that they do certain things. It is sort of like
changing the oil in your car. We can build the finest car in
the world, but if you do not change the oil in it, it will not
be the finest very long because it is going to have problems. I
think we need to make this idea of information security as much
a part of our mindset as changing the oil in the car, making
sure the brake pads are in good shape, or, even more simply,
looking to the left and right when you cross the street. There
is a role, as we have both said, for everyone to play here. I
just think we have to convey that message to everyone that they
have to play this role.
Mr. Putnam. Mr. Yoran, the role of the ISP community?
Mr. Yoran. Thank you, Chairman Putnam. Similar to
Commissioner Swindle's comments, I believe we need a common
responsibility framework, certainly looking at and pointing to
responsibilities and action which ISPs can take up, and many of
them are taking up, is one venue for progress. But, similarly,
the consumers and the users of technology need to adapt better
practices. They need to place greater emphasis on their cyber
security and cyber security preparedness. The produce vendors
and the software community need to adopt better software
development practices and take up the responsibility to do
that, to make cyber security more understandable. If you were
not thrown off by all the technical jargon required to explain
some of the vulnerabilities of the past 24 hours, you are in a
small minority. Cyber security is too complex in today's
environment.
There is a clear role for educators to improve cyber
security awareness, ethics, and make more available cyber
security courses and information so that we can better train a
cadre of cyber security professionals. And there is a
significant role for industry to play in their information
sharing and analysis centers and in the operator community to
address with a unified front cyber security challenges facing
their industries.
Mr. Putnam. Commissioner, what is the role of the law
enforcement community here? Are they doing an adequate job in
prosecuting hackers and people who are using spam and using
spyware and using phishing techniques illegally to defraud
people, and are they doing an adequate job of educating the
public about the penalties for engaging in that type of
conduct?
Mr. Swindle. I will answer the last question first, whether
they are doing a great enough job of educating the public as to
the penalties they might suffer. I think we are hampered in
this business of technology by the inability sometimes to find
the bad guys. Certainly, we at the Federal Trade Commission
have pressed cases over the past several years in which large
corporations have been called to task for some of their
negligence and carelessness in how they protect information,
and they pay prices in a civil sense, not a criminal sense.
They are put under order to not do this again. In several cases
that I mentioned in my written testimony, a couple of the
companies have at least a 20 year love affair to endure with
the Federal Trade Commission because they have to do audits and
report to us.
As far as the criminals go, I know the spam issue is
something that everybody is familiar with. Finding the
perpetrators of spam is a very difficult process. We are doing
a number of investigations in the Federal Trade Commission, and
we are going to have some results. But oftentimes, as we have
said previously in testimony, when we get to the end of the
trail and find the bad guys, there is nothing for us really to
get other than put him out of business. And for every one of
those you put out of business, there is another one that pops
up.
I think we do a pretty darn good job of law enforcement
under the laws that we have. I would not advocate for more laws
other than what has been passed here in the Can Spam Act. We
are looking at the requirements of that act trying to figure
out how we successfully employ the requirements of it. We are
getting lots of input from industry, from consumer groups, from
privacy advocates, from all sorts of people, to help us
formulate the best possible way we can enforce the law.
Part of our education effort is to work with law
enforcement agencies. In the past year or so, we visited I
think it is at least 10 cities speaking to law enforcement
personnel telling them about identity theft, because it is
singularly, if I remember correctly, the largest complaint we
get, trying to help them help consumers and victims. And, we
put out a lot of education materials to try to help consumers
who have been victims to work their way out of some of the
problems that are created.
So, there is a large effort going on. Unfortunately, it is
a target rich environment, and it is difficult to get to
everyone.
Mr. Putnam. Thank you very much. Commissioner, I know you
have another engagement that you need to attend to. Before we
conclude, if you would give us the top three things that the
home user should do to make their systems more secure.
Mr. Swindle. Think. Always think. You know, as I mentioned,
the ISPs in the last couple of years I think have done a good
job and what they have given you is a good spam blocker, they
have provided prompted updates of virus protections and
firewall protections. If the average consumer, home user would
employ a virus program, employ a firewall, keep those up to
date, use a spam blocker to narrow down how much garbage comes
in your computer, and be careful about how you open e-mail and
things of this nature, you could avoid a lot of grief because a
lot of these really bad acts come through, believe it or not,
the simple feat of sending an e-mail. It can do a lot of
destruction. And employing these simple steps is not a
difficult thing to do.
Again, it is back to making everybody aware. And we would
solicit the help of industry, as we are doing, and we would
certainly ask that Congress call on us. We will make materials
available. I would like to see, as sort of a goal for all of
us, see every Member of Congress have a link to the Federal
Trade Commissionsite as well as the sites that I think you
mentioned earlier that industry has identified. There is so
much good information out there about how to be safer. And that
is what we have to achieve--safe computing. And I thank you
very much for this opportunity.
Mr. Putnam. Thank you very much, Commissioner.
Mr. Yoran, top three things home users can do to make their
systems more secure?
Mr. Yoran. I would agree that the top one is think. Many of
the mistakes which are made could be easily avoided by folks
taking a moment to reflect before opening attachments from
folks they have not received e-mail from or from which they are
not expecting e-mail. I would encourage folks to subscribe to
the National Cyber Alert System to receive tips and information
on how they can protect themselves from online scams, phishing,
and a wide variety of activities. And to also learn more
through participation in many of the Stay Safe On Line
initiatives. Certainly, if turtles can be teenage mutant ninja
and martial arts experts, they can help America better protect
our cyber citizens.
Mr. Putnam. Thank you very much. I thank the entire first
panel. And with that, I will dismiss panel I and we will go
into recess momentarily as we set up for panel II.
The subcommittee is in recess.
[Recess.]
Mr. Putnam. The subcommittee will convene.
I would like to ask the second panel to rise and raise your
right hand for the administration of the oath.
[Witnesses sworn.]
Mr. Putnam. Note for the record that all the witnesses
responded in the affirmative and have their official souvenir
photo of being sworn in.
We will move directly to the testimony. Our first witness
is Larry Clinton. Mr. Clinton is currently the deputy executive
director and chief of staff of the Internet Security Alliance,
a collaboration between the CERT/cc at Carnegie Mellon
University and one of the Nation's largest trade groups, the
1,200 member company Electronic Industries Alliance. This past
year Mr. Clinton has served as the private sector coordinator
of the Corporate Information Security Working Group on Market
Incentives for Improved Cyber Security. Prior to coming to
ISAlliance last year, Mr. Clinton was with U.S. Telecom
Association for 12 years including the last 6 as vice
president.
We welcome you to the subcommittee. You are recognized for
5 minutes.
STATEMENTS OF LARRY CLINTON, CHIEF OPERATING OFFICER, INTERNET
SECURITY ALLIANCE; ANDREW HOWELL, VICE PRESIDENT, HOMELAND
SECURITY, U.S. CHAMBER OF COMMERCE; RODNEY PETERSEN, SECURITY
TASK FORCE COORDINATOR, EDUCAUSE; AND DOUGLAS SABO, MEMBER,
BOARD OF DIRECTORS, NATIONAL CYBER SECURITY ALLIANCE
Mr. Clinton. ``I am very busy. Do I really need to read
this?'' That, Mr. Chairman, is the first line of the ``Common
Sense Guide to Cyber Security for Small Businesses'' which the
Internet Security Alliance released on its Web site earlier
this month.
We decided to begin our publication in this unusual way
because during the market research we did preparing the
document we learned a critical fact. That is, that education is
far more than simply raising awareness or disseminating
information. Education, resulting in behavior change, requires
motivation.
The Internet Security Alliance is a collaboration between
the CERT/cc at Carnegie Mellon University and the Electronic
Industries Alliance. We are an international organization with
membership on four continents and a wide variety of economic
sectors, including banking, insurance, entertainment,
traditional manufacturing, as well as telecommunications,
security, and consumer food products. The ISAlliance runs an
intensive information sharing program with the CERT/cc and we
have taken this information and from it produced a series of
best practice guides which are provided free of charge on our
Web site.
In December of last year, the ISAlliance was asked by the
National Cyber Security Summit to produce a best practices
document, this time targeted to small business users. Small
businesses are particularly vulnerable to cyber attack. One out
of every three small businesses was affected by the MyDoom
virus, fully twice the number of larger businesses. Obviously,
larger organizations have more to lose in terms of absolute
dollars; however, smaller margins that smaller businesses
operate under vastly magnify the impact an attack can have on a
small business.
Despite the need, there is very little help being offered
to this community. The very first conclusion reached by the
Best Practices task force you formed, Mr. Chairman, on the
Corporation Information Security Working Group, was that
available IS guidance as a whole is not readily scalable to
meet the varying needs of large, mid-size, and small
organizations.
We decided to approach this project in a market-driven way
and asked the target audience what they needed to know and how
we could best motivate them. We coordinated with the National
Association of Manufacturers, the National Federation of
Independent Businesses, and the U.S. Chamber of Commerce. Each
of these organizations agreed to gather for us a group of their
membership and we conducted 10 focus groups, involving nearly
100 actual small businesses, to discuss their cyber security
needs.
We learned that small businesses are aware of the potential
impact of cyber attacks but they are also aware of the costs
both in time and money to constantly keep up with the ever
evolving threats and vulnerabilities. Attempting to address the
needs of small businesses and cyber security without
realistically addressing the costs of their full participation
is shortsighted and will ultimately be ineffective.
Having been educated by our audience, we produced a
document that I believe looks unlike any other in the field. To
speak to the small business owner's needs, we provided a real
list of cast studies drawn from the media, the FBI Web site,
and reported directly to us during our research. These are
actual cases of small manufacturers, contractors, credit
unions, hotels, diners, limo services, law firms, accountants,
and venture capitalists, all of whom have had their businesses
severely hurt by cyber attacks. They describe a wide variety of
situations we believe the typical small business owner can
relate to. We then outlined a 12-step program of cyber security
specifically for small businesses including why they need to
take the step, how to get started, who needs to be involved,
the degree of technical skill required, and, specifically, the
cost involved.
However, more important than the product we produced is
what we learned while we were producing it. For too long, cyber
security has been thought of as an IT problem with an IT
solution. While obviously there are technology elements to
cyber security, it is also a management problem, it is an
economic problem, and it is a cultural problem. And to
adequately address the need, we need to listen to the IT people
of course, but also the users, the educators, the marketers,
and the economists. We need a broad, market-centered,
incentive-laden approach to the issue, rather than a narrow,
techno-centered dogmatic approach.
We learned again that to achieve long term behavior change,
which is the goal of education, we need to do more than simply
share information. You noted it yourself, Mr. Chairman, in the
letter you sent inviting us to today's hearing. You said, for
example, the Blaster worm infected over 400,000 computers
worldwide in less than 5 days, despite the fact that the patch
that would have prevented the infection had been available for
over a month. The information was there, Mr. Chairman, but the
necessary incentives to use it were not. Speaking as a former
teacher, who is married to an elementary school teacher with
two small children in school, I can assure you that education
takes more than providing information. Some students are
motivated by praise, some by pride in good grades, some by the
prospect of tangible rewards. Few are motivated by threats.
Computer users are no different. Creative thinking needs to be
done on the issue of incentives.
ISAlliance is taking the lead on this issue. In the first
quarter of 2003, we signed an agreement with AIG, the world's
largest provider of cyber insurance. Under this agreement, AIG
will provide premium credits, where permitted, of up to 15
percent for companies who will join the Alliance and subscribe
to our best practices. We believe this is the first operating
program which specifically ties a widely independently endorsed
set of cyber security best practices specifically to directly
lower business cost. I understand that today we are here to
discuss straightforward the issues of education. But I would
urge the Chair to consider another hearing soon to discuss the
complex issues of developing a market incentive program to
compliment the educational initiatives.
I must thank you and your staff, particularly Mr. Dixon,
Mr. Chairman, for the leadership you have shown in this regard.
Thank you.
[The prepared statement of Mr. Clinton follows:]
[GRAPHIC] [TIFF OMITTED] T6315.037
[GRAPHIC] [TIFF OMITTED] T6315.038
[GRAPHIC] [TIFF OMITTED] T6315.039
[GRAPHIC] [TIFF OMITTED] T6315.040
[GRAPHIC] [TIFF OMITTED] T6315.041
[GRAPHIC] [TIFF OMITTED] T6315.042
Mr. Putnam. Thank you, Mr. Clinton.
Our next witness is Andrew Howell. Mr. Howell is the vice
president of Homeland Security for the U.S. Chamber of
Commerce, the world's largest business federation. As such, he
is the organization's principal spokesman on homeland security
issues and responsible for building and maintaining
relationships with the administration and regulatory agency
leaders. He is also responsible for developing the
organization's overall homeland security policy strategy and
ensuring that it is implemented. Prior to his current position,
Mr. Howell served as senior vice president of the National
Chamber Foundation, a public policy research arm of the U.S.
Chamber of Commerce.
Welcome to the subcommittee. You are recognized for 5
minutes.
Mr. Howell. Thank you and good afternoon, Chairman Putnam,
Congressman Clay. My name is Andrew Howell. I am vice president
of homeland security for the U.S. Chamber of Commerce. The
Chamber is the world's largest business federation representing
more than 3 million businesses and organizations of every size,
sector, and region.
Thank you for giving me this opportunity to discuss the
Chamber's cyber security awareness efforts with you all. Also,
Mr. Chairman, I would like to thank you for your leadership on
this issue, and for recognizing the importance of enhancing
awareness of cyber security among the public and private
sectors.
``The National Strategy to Secure Cyberspace,'' released in
February 2003, called for a comprehensive, national awareness
program to empower all Americans--businesses, the general work
force, and the general population--to secure their own parts of
cyberspace. This strategy asserts that everyone who uses the
Internet has a responsibility to secure the portion of
cyberspace that they control.
The Chamber supports this view. It is the responsibility of
a person using a product to know how to use that product
safely. However, we do not believe that raising awareness is
the only step in our journey to enhancing cyber security.
Instead, it is one very important leg in this trip. Enhancing
cyber security requires the combined efforts of users,
technologists, and senior executives, those that use software
and hardware, those that make software and hardware, and those
that manage enterprises that rely on software and hardware to
make the company operate. While technologists have a
responsibility to make secure products, end users have a
responsibility to use those products securely.
A good analogy to this is the automobile. While cars
provide individuals with great benefits, they also can be
dangerous. Therefore, cars come equipped with seatbelts and
airbags. However, ultimately, it is the driver's responsibility
to buckle his seatbelt and know how to operate the vehicle
safely. The vehicle must be maintained regularly, and when
there is a recall notice, the owner has the responsibility to
take the car in for repair. At the same time, automakers
continue to design cars with new and innovative features,
including new ones oriented to improve safety, and market them
to the consumer.
By promoting user awareness, we are not, as some maintain,
blaming users for cyber vulnerabilities. Instead, it is through
awareness that we highlight the issue of cyber security, inform
people what they can do to manage online risks, and, in the
process, create a market of consumers who can intelligently
factor security into their purchasing decisions. By informing
users about what they can do to enhance their cyber security,
we will reduce the number of breaches, mitigate economic
losses, and create a market that demands more secure products.
Moving the market to demand more secure products is an
important component of enhancing our Nation's level of cyber
security preparedness. Ultimately, we believe the market is
better able to respond to security challenges than regulations
will ever be. Whereas market forces propel companies to be
flexible, innovative, and customer oriented, regulations are
reactive and constrictive. As companies of all types become
more aware of information security risks and protective steps
they can take, we are confident they will demand more secure
products. Companies that recognize this market shift and sell
products that exploit it will have an advantage over their
competitors. The market remains a powerful vehicle for
increasing cyber security, but before this power is fully
realized, we need to better inform consumers on why cyber
security is an issue that matters to them.
For these reasons, the U.S. Chamber of Commerce is
committed to increasing the awareness of cyber security in the
business community and explaining cyber security in terms that
businesses understand. For too long the issue of cyber security
has been talked about in technological terms, as Larry
mentioned. As a result, many corporate leaders and small
business owners view it as a technology issue that should be
solved by technologists. From our perspective, this is a
mistaken perception that must be corrected.
The U.S. Chamber has regularly used our membership
publications, including USChamber.com, to provide tips and
guidance to small business owners, to explain why cyber
security is important to their businesses, and to offer easy to
implement advice on how to better secure their networks.
Included with my prepared statement is one such article which
appeared in the April edition of our monthly newsletter.
Mr. Chairman, my prepared statement details activity the
Chamber has undertaken to implement the awareness component of
the National Strategy. Given our limited time, I will not go
into detail about these activities. However, as you know, the
Chamber co-chaired the Awareness in Education Group that was
created as part of your Corporate Information Security Working
Group, and we serve as secretariat of the National Cyber
Security Summit Awareness and Outreach Task Force. Both our
National Cyber Security Summit Task Force Report and reports to
the CISWG were submitted with my prepared statement.
Mr. Chairman, thank you again for this opportunity. I would
be pleased to answer any questions at the end of this panel you
or anyone else might have. Thank you.
[The prepared statement of Mr. Howell follows:]
[GRAPHIC] [TIFF OMITTED] T6315.043
[GRAPHIC] [TIFF OMITTED] T6315.044
[GRAPHIC] [TIFF OMITTED] T6315.045
[GRAPHIC] [TIFF OMITTED] T6315.046
[GRAPHIC] [TIFF OMITTED] T6315.047
[GRAPHIC] [TIFF OMITTED] T6315.048
[GRAPHIC] [TIFF OMITTED] T6315.049
[GRAPHIC] [TIFF OMITTED] T6315.050
[GRAPHIC] [TIFF OMITTED] T6315.051
[GRAPHIC] [TIFF OMITTED] T6315.052
[GRAPHIC] [TIFF OMITTED] T6315.053
[GRAPHIC] [TIFF OMITTED] T6315.054
Mr. Putnam. Thank you, Mr. Howell.
Our next witness is Rodney Petersen. Mr. Petersen is policy
analyst with EDUCAUSE, and the project coordinator for the
EDUCAUSE/Internet2 Computer and Network Security Task Force.
EDUCAUSE is a nonprofit association whose mission is to advance
higher education by promoting the intelligent use of
information technology. Mr. Petersen recently co-edited the
book ``Computer and Network Security in Higher Education.'' He
was formerly the director of IT policy and planning in the
office of the vice president and chief information officer at
the University of Maryland. In addition, he was the founder of
Project Nethics at the University of Maryland, a group whose
mission is to ensure responsible use of information technology
through user education and enforcement of acceptable use
policies.
You are recognized for 5 minutes. Welcome to the
subcommittee.
Mr. Petersen. Thank you, Mr. Chairman and members of the
committee. I want to thank you for the opportunity to testify
today regarding education and awareness for the cyber citizen.
Later in my testimony, I have a video and some slides I would
like to display, and with your permission, Mr. Chairman, I
would like them added to the record.
By holding this hearing today, you signal the importance of
education and awareness as part of an overall strategy to
improve the cyber security of the Nation. The present
challenges of cyber security require the establishment of a
life-long culture of security from the cradle to the grave. And
to emphasize something you said earlier, Mr. Chairman, in your
opening remarks, education and awareness is a necessary but
insufficient approach to protecting our Nation's cyber space.
I am here today, as you said, on behalf of the EDUCAUSE
Internet2 Computer and Network Security Task Force. EDUCAUSE is
a nonprofit association of nearly 2,000 colleges and
universities. Internet2 develops and deploys advanced network
applications and technologies for research and higher
education, accelerating tomorrow's Internet.
EDUCAUSE and Internet2 established a Computer and Network
Security Task Force in July 2000. The Security Task Force is
coordinating its efforts on behalf of a diverse group of
associations and types of educational institutions, including
research universities, State colleges and universities, Land-
Grant institutions, independent colleges and community
colleges; some 4,000-plus colleges and universities across the
United States.
The Security Task Force prepared the higher education
contribution to the National Strategy to Secure Cyber Space.
And more recently, we participated in the National Cyber
Security Summit. I was a member of the Awareness Task Force
that has been previously referenced, where I served as the co-
chair for the Subcommittee on Schools and Institutions of
Higher Education. Therefore, my testimony today will address
education and awareness from kindergarten through college based
upon the findings and recommendations of that subcommittee.
Colleges and universities have long been interested in
supporting the efforts of elementary and secondary schools to
improve awareness of students on issues such as cyber ethics
and security. After all, life-long habits are formed early, and
the better we educate students about online safety in the K
through 12 setting, the less we will be required once they
arrive to college. Similarly, cyber security awareness
facilitated by schools and colleges will benefit companies and
government agencies that will eventually employ a new
generation of technology-savvy and security conscious workers.
While at the University of Maryland, I was the founder of
the group you previously described, Project NEThics. Every
spring, the university hosts Maryland Day, which so happens to
be this coming weekend, and we invite members of the local
community to come onto the College Park campus for family fun
and educational activities. One year, Project NEThics, in
partnership with our Prince Georges County computer forensics
unit, hosted a computer lab where we invited children and their
parents to participate in activities designed to increase their
awareness for online safety. We talked to parents about the
important role of adult supervision and watching their
children's online activities and wanting to acquaint parents
with the risks and benefits of computer use. And we left
parents with literature, including an online safety pledge
provided by the Center for Missing and Exploited Children.
Project NEThics also works closely at the University of
Maryland with the College of Education to develop seminars for
teachers and school media specialists on cyber ethics and
security. This summer, the university will host a conference
entitled ``Cyberethics, Cybersecurity, and Cybersafety for
Professional Educators.''
The Consortium on School Networking is a national nonprofit
organization whose mission is to advance the K through 12
education community's capacity to effectively use technology to
improve learning. COSN is currently working to help
superintendents, chief technology officers of local school
districts better integrate effective security practices into
district management, operations, and the user experience.
And CyberSmart is a nonprofit organization that develops
and provides curricula and training programs for teachers,
school administrators, and students.
The EDUCAUSE/Internet2 Computer and Network Security Task
Force has been pursing efforts to increase education and
awareness in higher education. To this end, we have developed a
working group that has identified a set of target audiences,
among them including executives, all users relevant to this
panel, members of the information assurance team, users of
business systems, IT staff, faculty staff, students, and
guests. Individuals interact with technology differently
depending on their specific roles or responsibilities and the
educational levels as well as cultural influences may vary.
Therefore, education awareness is often customized to meet the
target population. For example, at this time I would like to
show you an awareness video developed for students at the
University of Virginia.
Mr. Putnam. We have to keep it short.
[Video presentation follows:]
Student. When I go to UVA----
Student. I want to open e-mail attachments from strangers
and get a virus.
Student. I want to post obscene messages on the Internet.
Student. Commit fraud using someone else's online identity.
Student. I want to run a business from my UVA personal Web
page.
Student. I want to share my address and phone number----
Student. My password----
Student. My private fantasies with faceless creeps on the
Net.
Student. When I go to UVA----
Student. When I go to UVA, I want to leave my e-mail open
so strangers can read my incoming messages and answer them.
Student. Filing a copy I lost by pirating music and posting
it on the Web.
Student. Harass people by sending threatening e-mails or
chain letters or pornographic URLs.
Student. I want to hack into government computers and go to
Federal prison.
[End of video presentation.]
Mr. Petersen. So I think the video underscores the need for
messages that are creative and targeted toward the audience
they are intended to address.
Because of time, I am going to skip over some further
slides here that have examples of posters. But the one that is
currently before you is a campaign where the slogan is
``Passwords are like underwear'' and some of the themes are
``change yours often,'' ``don't leave yours lying around,''
``don't share with a friend,'' ``the longer the better,'' ``be
mysterious.'' And you can get the point that you have to reach
students where they are and humor is a key ingredient.
Let me just say one thing and then I will conclude by
talking about Cyber Security Day. Several colleges and
universities did recently observe the Cyber Security Day, and
we expect a number of campuses to plan activities during the
week of October 31st to observe the next Cyber Security Day.
In conclusion, first, the improvement of cyber security is
needed, and we need to see support both from the public and the
private for what is happening in our schools and institutions
of higher education. Second, the baseline information that is
required of all users must be kept to a minimum. Third, there
should be consistency in the basic awareness messages. And
finally, our efforts to increase awareness and education
regarding cyber security must happen in parallel to the
development of more secure technologies. Thank you.
[The prepared statement of Mr. Petersen follows:]
[GRAPHIC] [TIFF OMITTED] T6315.055
[GRAPHIC] [TIFF OMITTED] T6315.056
[GRAPHIC] [TIFF OMITTED] T6315.057
[GRAPHIC] [TIFF OMITTED] T6315.058
[GRAPHIC] [TIFF OMITTED] T6315.059
[GRAPHIC] [TIFF OMITTED] T6315.060
[GRAPHIC] [TIFF OMITTED] T6315.061
[GRAPHIC] [TIFF OMITTED] T6315.062
[GRAPHIC] [TIFF OMITTED] T6315.063
[GRAPHIC] [TIFF OMITTED] T6315.064
[GRAPHIC] [TIFF OMITTED] T6315.065
[GRAPHIC] [TIFF OMITTED] T6315.066
[GRAPHIC] [TIFF OMITTED] T6315.067
[GRAPHIC] [TIFF OMITTED] T6315.068
[GRAPHIC] [TIFF OMITTED] T6315.069
[GRAPHIC] [TIFF OMITTED] T6315.070
[GRAPHIC] [TIFF OMITTED] T6315.071
[GRAPHIC] [TIFF OMITTED] T6315.072
[GRAPHIC] [TIFF OMITTED] T6315.073
Mr. Putnam. Thank you, Mr. Petersen.
Our final witness on the second panel is Douglas Sabo. Mr.
Sabo is appearing today in his role as a member of the board of
directors of the National Cyber Security Alliance. He is also
the director of government and community relations for McAfee
Security. In that role, Mr. Sabo addresses domestic and
international public policy issues affecting the company and
oversees the company's corporate citizenship activities. McAfee
Security, headquartered in Santa Clara, CA, is a leading
supplier of security and intrusion protection solutions for e-
businesses. Mr. Sabo also serves as chair of the Security
Working Group of the Business Software Alliance and co-chair of
Department of Commerce's International Outreach Subcommittee of
the Economic Security Working Group.
You are recognized for 5 minutes.
Mr. Sabo. Thank you. I am not sure how I am going to
followup a discussion of underwear. [Laughter.]
Good afternoon, Mr. Chairman, Ranking Member Clay, and
members of the subcommittee. My name is Douglas Sabo. I am a
member of the board of directors of the National Cyber Security
Alliance and I testify this afternoon on behalf of that
organization. And as you mentioned, Mr. Chairman, I am also
director of government and community relations for McAfee
Security. I join with my colleagues on this panel in thanking
you for your personal leadership on the cyber security issue,
both through your series of cyber security hearings as well as
your working groups with industry. I also commend your staff
for being first-rate on all of these issues.
As you have heard others mention, the National Cyber
Security Alliance [NCSA], is a unique partnership among the
Federal Government, leading private sector companies, trade
associations, and educational organizations, including all of
the organizations testifying here today. Our fundamental
purpose is to contribute to our Nation's overall cyber security
by improving the behaviors of consumers, small businesses, and
our youth from kindergarten to higher ed. And Mr. Chairman, we
share your concerns about bombarding citizens with too many
messages from too many sources. We hope that our partnership
will contribute to avoiding that problem.
Others have already talked today about the overall
challenge and the important role that these audiences do play.
The NCSA strongly agrees with these assessments. And rather
than reiterate this information, I would like to introduce you
to initiatives that we hope will reach our three main
audiences. First, for small businesses, the NCSA is developing
cyber security tool kits to discuss vulnerabilities and threats
as well as tips and steps for responding. These tool kits,
which will be available in soft and hard copy, will include
materials, guidebooks, and training programs on the cyber
security essentials. We are in discussions with a number of
organizations to develop and distribute these tool kits,
including the Small Business Administration, InfraGard, the ISP
community and others, and we hope to begin distribution by mid-
June.
Second, we are focusing on educating our youth on cyber
security practices to make sure the next generation of users is
cyber secure. Through partnering with outside organizations
such as EduCalls and CyberSmart!, we hope to develop and
disseminate cyber security curriculum to educators across the
country. These materials already are developed for the K
through 8 audience, with 9 through 12 pending. And to reach our
youngest audience, the NCSA also supported a national poster
contest in which students were asked to creatively depict the
importance of cyber security. We plan to hold this contest
again this fall.
Finally, I would like to use a couple minutes to focus on
the consumer audience. Already the NCSA has launched our
flagship Web site, www.staysafeonline.info, which received over
1 million hits in its first month alone. This site contains our
top 10 cyber security tips, self-tests, tech talks, and more.
In addition, we have held semi-annual National Cyber Security
Days timed with Daylight Savings Time changes. While these have
not been as successful as we had hoped, we are busy working to
relaunch these this fall.
But what the NCSA is most excited about in the consumer
area is what we hope will be the cornerstone of the NCSA
effort, a multi-year national cyber security awareness
campaign. This campaign, targeted at home users, will use
public service announcements and other creative methods to
raise awareness of the cyber security issue and steps people
should take to protect themselves, and thus all of us. While
our efforts certainly will depend on the resources we are able
to raise for this campaign, we hope that our national cyber
security awareness campaign will be on the level of many of
those that I am sure you are familiar with, healthy lifestyles,
wildfire prevention, drunk driving prevention, the importance
of voting, drug abuse prevention, and terrorism emergency
preparedness. These broad campaigns have imprinted our culture
with a number of easily recognizable campaign catch phrases,
such as, ``Don't drink and drive,'' ``Buckle Up,'' ``Only you
can prevent wildfires,'' and ``Take a bite out of crime.''
Perhaps our effort will add a new one.
Are public awareness campaigns effective? We certainly
believe they can be. Consider please the results of the Ad
Council, a nonprofit organization that uses volunteer talent
from the advertising and communications industries.
Applications, for example, for Big Brothers, Big Sisters
mentors increased by 75 percent in the first 8 months of their
campaign. Destruction of our forests by wildfires has been
reduced from 22 million acres to less than 4 million acres per
year since their forest fire prevention campaign began. And
safety belt usage rose from 14 percent to 79 percent since
their safety belt campaign launched in 1985, saving an
estimated 85,000 lives. With the proper resources, we believe
the NCSA national awareness campaign can achieve the same level
of success for cyber security behavior. It will not be a silver
bullet, but together with all the other NCSA efforts as well
broader initiatives to reduce vulnerabilities, improve security
usability, expand R&D, and enhanced corporate governance, we
can truly make a difference.
Mr. Chairman and members of the subcommittee, I thank you
again for the opportunity to testify today. And I look forward
to answering any questions you may have.
[The prepared statement of Mr. Sabo follows:]
[GRAPHIC] [TIFF OMITTED] T6315.074
[GRAPHIC] [TIFF OMITTED] T6315.075
[GRAPHIC] [TIFF OMITTED] T6315.076
[GRAPHIC] [TIFF OMITTED] T6315.077
[GRAPHIC] [TIFF OMITTED] T6315.078
[GRAPHIC] [TIFF OMITTED] T6315.079
[GRAPHIC] [TIFF OMITTED] T6315.080
[GRAPHIC] [TIFF OMITTED] T6315.081
[GRAPHIC] [TIFF OMITTED] T6315.082
Mr. Putnam. Thank you, Mr. Sabo. Thank you to all of our
witnesses.
We will begin with Mr. Clay's questions.
Mr. Clay. Thank you very much, Mr. Chairman. Thank you all
for being here today.
Mr. Clinton, we will start with you. What steps can the
Federal Government take to use its procurement power to improve
the security of computer software? Is the Internet security
industry able to agree on some minimal standards for computer
security hygiene? I guess that is a two-part question.
Mr. Clinton. Thank you, Mr. Clay. We do think that the
procurement process is probably the best first step for the
Federal Government to take in terms of establishing benchmarks
for appropriate security to be included within products that
they purchase. I think what we think is most important about
this is that it would be the Federal Government using its
market forces rather than its regulatory forces to encourage
behavior. We think absolutely that is the model that is going
to be most effective is the use of the market. During the
Corporate Information Security Working Group we discussed this
quite a bit and talked about how if the Federal Government
could act as a model through its procurement practices, as the
Department of Energy already has started, that we might be able
to make an awful lot of steps, and that has the effect on the
rest of the market of likely lowering costs, making these sorts
of devices or procedures more accessible to small businesses.
Now the second question, Mr. Clay, was whether or not we
could agree on standards. It kind of depends on what you are
talking about in terms of standards. There is an awful lot of
standards activity that is already underway. If what you are
suggesting is do we think that the Federal Government should be
passing legislation or regulation mandating standards, we would
think that is the wrong way to go. And let me explain why. It
is not so much that we are opposed to standards. EIA is one of
the largest standards producers in the entire world. It has to
do, Mr. Clay, with the nature of the Internet.
The Internet is a 21st century technology. Most of the
regulatory models that we use in the Federal Government now are
18th century models. The FCC and the SEC are modelled on the
old ICC which regulated railroads. We are dealing with
something that is entirely different now. We think that for
security purposes we need a much more dynamic manager of the
Internet and the only mechanism that we can identify that will
be dynamic enough to keep up with the ever-increasing attacks
and technologies of the attackers is to use market forces. So,
more creative use of insurance, more creative use of liability
carrots involving marketing for cyber security. And there is a
range of things that we identified in our incentives group
report we think are far more likely to succeed in our ultimate
aim of achieving cyber security than a federally mandated
standard.
Mr. Clay. Oh, please do not misunderstand the question. I
was just asking could the industry come together and establish
the standards. I never made inference to a Federal law, and
that is not where I am going with that.
Mr. Clinton. I appreciate that. And, yes, we are working on
that quite hard.
Mr. Clay. Thank you for the answer. Mr. Sabo, do you
believe the Federal Government's commitment to cyber security
training and certification particularly at the systems and
network administrator level is adequate? And how important is
training and certification to cyber security?
Mr. Sabo. Thank you, Ranking Member Clay. The National
Cyber Security Alliance itself does not have a particular
position on those areas. But if I could speak on behalf of
myself and the company that I do work for during the day, I do
think, and the organizations that support the NCSA would
probably agree, there is significant training going on but that
there is always more that could be done. I think we heard from
the director of the NCSD previously about the number of
programs that are out there, the scholarship for service and
the other organizations, and I think there is certainly a lot
more to be done. In our purview of the awareness side, we did
talk significantly about awareness for home users. But I think
you could take what we plan to do for home users and also put
that for Federal Government workers, both as users that will
then be going home and using their personal systems probably to
even connect into Federal Government systems, and then also as
employees of the Federal Government. So our awareness efforts
certainly would be useful for that audience as well.
Mr. Clay. OK. I thank you for that comment. Mr. Chairman, I
think my time is up.
Mr. Putnam. You are welcome to continue.
Mr. Clay. OK. Just one more question for Mr. Petersen.
Before I ask the question, I just want to make you aware that I
too am a University of Maryland graduate. So fear the turtle.
[Laughter.]
Mr. Petersen. Yes. I was thinking of that earlier when
Dewie was displayed. [Laughter.]
Mr. Clay. On a serious note, though, is the Congress
adequately funding research and development in the cyber
security area? And what other methods could the Federal
Government employ in order to achieve widespread cyber
security?
Mr. Petersen. Thank you for your question. I do think you
are on the right path to increasing funding for cyber security
research and development efforts. The university environments
are particularly participating in National Science Foundation
solicitations, they currently are reviewing proposals now for a
cyber trust solicitation. We have been working pretty regularly
with the Science and Technology Directorate of the Department
of Homeland Security, although I note that in their $1 billion-
plus budget only $18 million are devoted to cyber security and
many of us think that is wholly inadequate and perhaps
symbolizes that cyber security is not thought to be the
priority that it should be.
Having said that, I think there is more room for funding
for R&D. But I do not want us to forget what we are here about
today and certainly what our group represents, which is
securing today's Internet. There are not nearly enough Federal
Government funds available to deal with education and awareness
of the mass populace, including kids in schools and higher
education, and efforts needed to secure our current
infrastructure.
Mr. Clay. Thank you for that response. Mr. Chairman, I
yield back the balance of my time.
Mr. Putnam. Thank you, Mr. Clay. Mr. Clinton, one of the
key ingredients to a successful education and awareness
campaign is clarity and credibility of the message. Given your
experiences and knowledge of the work to identify cyber
security best practices, what is the most direct and clear
message that can be conveyed to home users and small
businesses?
Mr. Clinton. Thank you, Mr. Chairman. I was thinking of
this when you asked the first panel the question. My answer is
a little different. I support their view that people need to
think. But I think they need to think of their computer in a
different sense. My experience is that most home users tend to
think, and I am saying most home users, not the sophisticates,
most home users still think of their computer like it is a TV
set, that you just turn it on and it provides you things. And
that is the wrong way to think of your computer. I think a
better way to think of your computer is like it is a gifted
child; it is something you need to work with, it is something
you need to interact with, and if you treat it well and protect
it and develop it, it can do great things, but if you do not,
it could come back and cause all sorts of tremendous problem. I
think we need to get consumers to think of the technology very,
very differently.
Most of us have become so comfortable with some of the
rudimentary elements of the Internet we forget that just a few
years ago e-mail scared us. I remember when I worked for my
first Member here on Capitol Hill, and I will not say who that
was, I had to show him how to turn on the computer. It was not
that long ago. But I do not think that we have completely kept
up with what is really behind this medium. It looks too easy.
So I would say what we need to do is we need to get people to
rethink what it is they are dealing with. They have to have an
active relationship with their network, not just treat it as a
passive appliance.
Mr. Putnam. Mr. Howell, your thoughts?
Mr. Howell. I agree entirely with Larry. And I would argue
that a computer is also a gold mine which has tremendous
potential and has to be exploited in order to achieve that
potential. In one of our most recent efforts to educate our
membership, we were talking to several of our small companies
who had no concept of the fact that keeping customer
information--customer invoices, sales lists, sales figures,
revenue and expense items, their general ledger--on a computer
that was accessible via high speed to the Internet without a
firewall and without anti-virus was essentially a security
risk. They just had not thought about their computer that way.
I would agree with Larry, they viewed it as almost an
entertainment vehicle, something there for their pleasure and
their ease of use, and they did not view any of the risks that
the sophisticated users see out there everyday. And it is
because, frankly, we have not done enough to educate people
about the threats that are facing them and, at the same time,
make action to mitigate those threats possible.
Mr. Putnam. What is the appropriate role for the hardware
and software vending community, not only to provide more secure
and higher quality products, but also to educate their
consumers about basic cyber security practices?
Mr. Howell. I think that all three parts of this triangle,
the hardware and software vendors as well as the user
community, must do much more collaboratively to talk about
risks, vulnerabilities, and mitigation of risk and
vulnerabilities. Among large enterprises you are seeing much
more collaboration on all three sides of that. But it has taken
a long time to develop and a lot of those things develop based
on trust and years of working with one another and the
information technology industry is relatively young. At the
same time, I think that we are seeing more medium-size
enterprises catch up and do some of this. And the challenge
therefore remains the small enterprise community. And as Larry
mentioned, that was quickly viewed within our Corporate
Information Security Working Group as an area where there is no
targeted information on risk mitigation and what the real
threats are. So I think it is a multifaceted process depending
on what particular market you are looking at--the large
enterprise market, I think it is a collaborative process;
medium-size enterprises, I think they are moving toward that
collaboration; small enterprises, it is still very much
awareness and education oriented.
Mr. Putnam. Mr. Petersen, your thoughts on that?
Mr. Petersen. Your question about hardware and software
reminded me of a story over the Christmas holidays. I had a
friend who subscribed for the first time to Comcast cable and
when he went to the local shopping mall he got a CD and the
installation instructions and he came home and installed it and
within a matter of seconds he got the Blaster worm. And in
trying to help my friend troubleshoot the problem, the first
thing that occurred to me is how come Comcast cable is not
distributing information to its customers about the threats
that currently existed at that point in time, that when you
move from being off-line to broadband you better make sure your
operating system is up to date, and, by the way, here is a CD
that can provide you the latest patches and the latest anti-
virus stuff. So I think absolutely there is a role for hardware
and software and other service providers to play in providing
consumers with educational and awareness materials.
Second, if you think about our parents and students who are
buying computers for their children, think if they open that
computer box and there is a label that said, you know, ``Tear
this off and be aware, if you do not do X, Y, and Z, you could
lose your data and all the important work that you put into
this machine.'' I do believe that, aside from our role in
educating and making users aware, hardware and software vendors
could help.
Mr. Putnam. Mr. Sabo, do you want to add anything to that?
Mr. Sabo. Yes, thank you, Mr. Chairman. I do think there is
significant information out there from the software/hardware
vendors and the ISP community. But I think there is a
fundamental research need that we all could perhaps support in
looking at user behavior, benchmarks, metrics, in order to
understand how we reach these users, what are the best
messages--and I do not think there is a one size fits all
message for security; I think what will motivate users will
vary greatly among them; fundamental research in where to reach
them, to what sites to go, what places in the real world and
the virtual world to place these messages' and then fundamental
research in who to reach, who are these ``users.'' I think a
number of studies have shown that a majority of home users who
are doing a lot of the financial transactions in households are
the women in the households. I think that would impact
therefore where we deliver these messages, what types of Web
sites, what types of media that perhaps our awareness campaign
will target. So I think there is a lot of information that is
out there but, exactly as you said in your opening statement,
perhaps we run the risk of having too much and we may need to
really think about where are the best places to go and to put
this information.
Mr. Putnam. That is a perfect segue into my next question.
You have heard the FTC testify about the turtle, you have Stay
Safe On Line, there are a number of other approaches to
increasing awareness. Is that type of symphony of approaches
helpful in that you are hitting different pieces of the
audiences, or do you believe that there should be a more
centralized message, centralized theme, centralized Web site
for people to go for information on becoming more secure?
Mr. Sabo. I definitely agree that we are in a period of
``let a thousand flowers bloom.'' And perhaps in a way we have
become victims of our own success, that we have talked about
the important need for all these awareness efforts and we are
starting to get them. And I think behind scenes we are also
seeing a lot more effort to do the centralization, but
centralization of the organization behind it. So you have the
folks who are running these talking to each other much more.
And I think there is a lot of room for improvement in that
area. We certainly would commit ourselves to being part of any
effort that would help with that. I do think, at the end of the
day, each set of users are going to respond to different types
of messages in different media.
Mr. Putnam. Mr. Petersen.
Mr. Petersen. I share your concern but I think we are
headed in the right direction. I know even EDUCAUSE has more
recently become a sponsor of the Alliance. We are working
closely with the FTC. And when we look at our colleges and
university environments, many of them, like Florida State
University, Florida, University of Maryland, are large
enterprises. So whatever messages we might be targeting toward
large businesses probably apply to our large colleges and
universities. Many of them are small colleges and community
colleges and the small business environment messages are the
same.
One of the things we have worked hard with the Alliance on
is when you take their top 10 cyber tips, those should be the
same top 10 cyber tips that all of our users hear about, our
students, faculty, staff. So rather than us starting from
scratch or writing our own messages, we are working hard to
make sure their messages get put into the appropriate language
so that we can use them and convey a consistent message.
Mr. Putnam. Mr. Clinton, do you want to add something to
that?
Mr. Clinton. I would agree that the messages should be
consolidated. But I do want to caution that there is a problem
if we think we have the right answer and so all we have to do
is go out and make everybody understand the right answer. We
have published two best practices that we are very proud of and
that got endorsed by a lot of people and we thought they were
great. And we took our best practices to the small business
guys and they said, ``What are you talking about? We do not
understand this. No small business guy would ever read this
stuff.'' But the technologist people think, hey, this is the
right message. And we found out by doing the market research it
was not the right message.
So I think that there needs to be some consolidation with
regard to messages, that we should not have conflicting
messages, for sure. But I do not think we do. I would agree
with the rest of the panel that I think we are moving in the
right direction. But the way messages are presented need to be
targeted differently to different audiences. We represent small
companies and we represent enormous companies and they deal
with these issues very, very differently. I think that the
approach that we need to take is a market-centered approach. We
need to go out to each target market. And small business may
not be a target market. Small business may be an enormous
market that needs to be much better segmented within that
market in order to better appreciate these people. There are
small technology companies and there are small marketing
companies, and you talk to these guys in different ways.
So I do not think it is quite as simple as saying we have
the message, all we have to do is get it out. I think that we
have a lot of the right ideas but I think we need to continue
to work on it and we need to involve the users, we need to
involve the target audiences much more in developing the
messages. And I think we are just at the beginning of that
process.
Mr. Putnam. Mr. Howell.
Mr. Howell. I would agree. But I would just add one thing,
and that is, you also have to look at the messenger and the
affinity of the desired market to that messenger. Different
organizations have different affinity with different type and
sizes of organizations and companies. And agreed, having the
same set or a similar set of messages is essential. But one
organization that may be the best messenger might have
absolutely no affinity with or relation to the target market,
and therefore, if one were to follow our principles of not
opening e-mails, for example, from an unknown sender, that e-
mail would get deleted because there is no affinity to that
sender. So that is the only other issue I would add here.
And at the same time, I think the National Cyber Security
Summit, held last December and an ongoing vehicle, as well as
NCSA, both have been fantastic vehicles, joining with your
Information Security Working Group, in aggregating
organizations that have been working just in an area of
awareness alone to sit down at a table, think about how they
can multiply or take advantage of their efforts and reduce
waste and enhance efficiency and increase awareness. It has
been tremendous. Every week, for example, since we started
participating in your group we have been approached by at least
one other association who wants to join in what we are trying
to do on education and awareness. That has been one of the most
rewarding things we have seen so far in all the education and
awareness efforts.
Mr. Putnam. And finally, do you all believe that this issue
has risen to the boardroom, to the C-level executives? All the
talk about worms and viruses and exploits, some attention
through Sarbanes-Oxley and Section 404, are top level
executives finally treating cyber security as a business risk?
We will begin with Mr. Sabo and work down the table.
Mr. Sabo. Thank you. I think today, compared to 2, even 3
years ago, we have come a significant way in getting the
attention to that level. But I think there is certainly a lot
more in the corporate governance side between the work that the
Cyber Security Summit Working Group as well as your own has
done is significant and the word needs to get out now. And that
is I think the stage we are at.
Mr. Petersen. I would say no. In the college and university
environment, we have a long way to go particularly at the
president level and the board level. In fact, I would say that
is one of the reasons why in my first bullet I said we need
support from the private and government sector. It was not just
referring to financial support. Many people in government and
certainly part of corporations sit on college and university
boards, and I am hoping the awareness that is being created
within industry and government will translate to board members
going to those board meetings and saying what are you doing
about information security on your campus, why have we not
talked about it in the context of governance. And I think the
same message needs to be carried forward to our presidents and
chancellors and other executive leaders. We are certainly doing
our part as our task force to raise awareness, but I think we
could use the assistance and support of other executives.
Mr. Putnam. Mr. Howell.
Mr. Howell. One of the recommendations that we made within
our National Cyber Security Summit Large Enterprises Working
Group was that our ad hoc coalition come together with DHS and
we recommended a series of forums across the country with
senior DHS officials and CEOs to discuss information security
and corporate governance. And we hope that DHS will take up
that recommendation because we believe that it is essential. I
would agree with Doug, we have made progress. But I think much
more remains to be done. At the same time, we need to move
forward with a collaborative approach with a framework similar
to what the Corporate Governance Task Force of the National
Cyber Security Summit came out with recently. That is a great
starting point, one of many materials that are out there. And
moving forward with implementation of all of these documents
is, I think, an essential next step.
Mr. Putnam. Thank you. Mr. Clinton.
Mr. Clinton. I would have to say that we have maybe taken
the first steps in this direction. But, no, Mr. Chairman, we
have not at all reached the summit of the CEOs and the COOs.
Just a couple of facts. I heard the first panel talk about how
they were under the impression that Graham-Leach-Bliley,
Sarbanes-Oxley may have increased awareness, and perhaps it has
increased awareness some. But the fact is, Mr. Chairman, that
the number of incidents last year and again early this year are
going through the roof. The amount of money that is being lost
is going through the roof. So if there is some increased
awareness, it is not enough.
Another fact. The most recent study that I have seen on
this, done by CSO magazine, indicated that most corporations
they recommended should be increasing their IT cyber security
budget by approximately 33 percent. They went back and looked
at how many corporations had done that. They found that only 22
percent of the corporations had increased it, and only 7
percent of the corporations had increased it the amount that
was required. So we are a long way away.
Mr. Chairman, this I think goes back into the conversation
we just had on your last question, finding the right messages
for this particular target audience, COOs, CEOs. I do not want
to cast any aspersions on the CEOs and COOs who fund, frankly,
my organization, but the fact of the matter is, Mr. Chairman,
they are not going to do this because it is in the national
interest. We need to find messages that speak to their
corporate interest. We need to find issues that speak to the
corporate interest. We need to do a better job demonstrating
the return on investment to good cyber security. We need to do
a better job of providing the sort of incentives that level of
corporate executive pays attention to--lower business costs,
less liability exposure. Those are the sorts of things that are
talked about in CEO board rooms and CEO discussions. And we
have not done that yet. I think that there is a tremendous
amount that we have not yet gotten to in the public-private
partnership in that area that lays still before us. And we are
enthusiastic about working with the Congress in those areas.
But we are just at the first couple steps, in my opinion, sir.
Mr. Putnam. Thank you, Mr. Clinton, particularly for your
candor. We assume that is not going to be the punch-out quote
in your monthly newsletter to your members.
Mr. Clinton. No, sir. I am going to use your opening
statement as our punch-out quote.
Mr. Putnam. I want to thank all of our witnesses for your
efforts in this important arena. I know that your work
continues to help our cyber citizens enjoy the benefits of the
Internet in a safe and secure manner. I also want to thank Mr.
Clay for his participation today. In the event that there are
additional questions that we did not get to today, the record
will remain open for 2 weeks for submitted questions and
answers.
With that, the subcommittee stands adjourned.
[Whereupon, at 4:07 p.m., the subcommittee was adjourned,
to reconvene at the call of the Chair.]
<all>
�