[108th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:96315.wais]

PROTECTING OUR NATION'S CYBER SPACE: EDUCATIONAL AWARENESS FOR THE CYBER CITIZEN

=======================================================================

HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS AND THE CENSUS
of the
COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION

APRIL 21, 2004

Serial No. 108-209

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE
96-315 WASHINGTON : 2004

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov   Phone: toll free (866) 512-1800; (202) 512-1800   Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON GOVERNMENT REFORM

TOM DAVIS, Virginia, Chairman

DAN BURTON, Indiana
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio
DOUG OSE, California
RON LEWIS, Kentucky
JO ANN DAVIS, Virginia
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
ADAM H. PUTNAM, Florida
EDWARD L. SCHROCK, Virginia
JOHN J. DUNCAN, Jr., Tennessee
NATHAN DEAL, Georgia
CANDICE S. MILLER, Michigan
TIM MURPHY, Pennsylvania
MICHAEL R. TURNER, Ohio
JOHN R. CARTER, Texas
MARSHA BLACKBURN, Tennessee
PATRICK J. TIBERI, Ohio
KATHERINE HARRIS, Florida

HENRY A. WAXMAN, California
TOM LANTOS, California
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
CHRIS VAN HOLLEN, Maryland
LINDA T. SANCHEZ, California
C.A. ``DUTCH'' RUPPERSBERGER, Maryland
ELEANOR HOLMES NORTON, District of Columbia
JIM COOPER, Tennessee
BERNARD SANDERS, Vermont (Independent)

Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director/Communications Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel

Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census

ADAM H. PUTNAM, Florida, Chairman

CANDICE S. MILLER, Michigan
DOUG OSE, California
TIM MURPHY, Pennsylvania
MICHAEL R. TURNER, Ohio

WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts

Ex Officio
TOM DAVIS, Virginia
HENRY A. WAXMAN, California

Bob Dix, Staff Director
Dan Daly, Professional Staff Member
Juliana French, Clerk
Adam Bordes, Minority Professional Staff Member

C O N T E N T S
----------
                                                                   Page
Hearing held on April 21, 2004......................................  1
Statement of:
    Clinton, Larry, chief operating officer, Internet Security Alliance; Andrew Howell, vice president, Homeland Security, U.S. Chamber of Commerce; Rodney Petersen, security task force coordinator, EDUCAUSE; and Douglas Sabo, member, board of directors, National Cyber Security Alliance................................  58
    Swindle, Orson, Commissioner, Federal Trade Commission; and Amit Yoran, Director, National Cyber Security Directorate, Department of Homeland Security.............................................  12
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of................................  10
    Clinton, Larry, chief operating officer, Internet Security Alliance, prepared statement of.....................................  61
    Howell, Andrew, vice president, Homeland Security, U.S. Chamber of Commerce, prepared statement of.................................  69
    Petersen, Rodney, security task force coordinator, EDUCAUSE, prepared statement of..................................................  84
    Putnam, Hon. Adam H., a Representative in Congress from the State of Florida, prepared statement of.................................   5
    Sabo, Douglas, member, board of directors, National Cyber Security Alliance, prepared statement of................................. 105
    Swindle, Orson, Commissioner, Federal Trade Commission, prepared statement of..........................................................  15
    Yoran, Amit, Director, National Cyber Security Directorate, Department of Homeland Security, prepared statement of..................  36

PROTECTING OUR NATION'S CYBER SPACE: EDUCATIONAL AWARENESS FOR THE CYBER CITIZEN
----------

WEDNESDAY, APRIL 21, 2004

House of Representatives,
Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census,
Committee on Government Reform,
Washington, DC.

The subcommittee met, pursuant to notice, at 2 p.m., in room 2154, Rayburn House Office Building, Hon. Adam H. Putnam (chairman of the subcommittee) presiding.

Present: Representatives Putnam and Clay.

Staff present: Bob Dix, staff director; John Hambel, senior counsel; Dan Daly, professional staff member and deputy counsel; Juliana French, clerk; Suzanne Lightman, fellow; Earley Green, minority chief clerk; and Jean Gosa, minority assistant clerk.

Mr. Putnam. A quorum being present, this hearing of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census will come to order. Good afternoon and welcome to another important hearing on cyber security. I want to welcome you all today to the hearing entitled ``Protecting our Nation's Cyber Space: Educational Awareness for the Cyber Citizen.'' In the past few years, the growth in access and use of the Internet, the increase in high-speed connections that are always on, and the rapid development and deployment of new computing devices has resulted in an expanding global computing network.
Although these advances have improved our quality of life, this global network is susceptible to viruses and worms that can circle the world in minutes, not to mention the potential of more malicious cyber attacks. While businesses, educational institutions, and home users enjoy the benefits of using the Internet, they are often not adequately informed about the potential dangers that their computer systems face if left vulnerable and unprotected. The good news is there are solutions and remedies to help mitigate the threats; the bad news is awareness of these solutions and the practice of safe Internet use is not far reaching. Attacks are evolving at a greater speed than preparation. This hearing will provide an opportunity to learn about the efforts of the Federal Government, trade associations, corporations, and nonprofits to raise awareness about the importance of cyber security. Today I want to call on all stakeholders to take immediate action. All of us have a role and a responsibility to implement basic cyber security hygiene in order to reduce the potential vulnerabilities that could contribute to a successful cyber attack. As use of the Internet all over the world grows, so do the presence and ambitions of people with criminal and malicious intent. Hackers attempt to take over people's computers to create ways to send spam, steal information, and launch attacks undetected. Criminals try to trick unsuspecting cyber citizens to reveal personal information by impersonating respectable Web sites, a crime known as ``phishing.'' Consumers on the Internet may be tricked into downloading spyware. These programs may be harmless, yet extremely annoying, such as delivering a continuous stream of pop-up ads. Or they may be malicious, extracting information such as passwords and personal information for criminal purposes. There are existing and emerging protections against these threats. 
Cyber citizens can arm themselves with virus protection software to help stop any potential impact of worms and viruses. Use of firewalls can help prevent some forms of spyware. Of course, after the rapid spread and dramatic impact of worms and viruses this past year, I think we all know the importance of keeping our systems patched and up to date. Security notices are everywhere reminding us not to open e-mail from people we do not know, and not to download programs from unknown sources. However, many Internet users, consumers, nonprofits, educational institutions, and businesses do not employ these well-known protections. They are either unaware of the risks, or unaware of the solutions, or both. User awareness is only part of the problem. Many of the security problems that users face are rooted in products that were designed to deliver functionality, often without adequate regard to security. The manufacturers of both software and hardware products must accept some responsibility in this area and respond to the growing demands of the consuming public for improved quality and security. This subcommittee has already held hearings on the proliferation of worms and viruses and on the issue of software assurance. And I will continue to pursue those issues. But I am heartened by what I see as signs that the manufacturers are stepping up to the plate. I see an increased attention to security that seems to go beyond merely lip service. Manufacturers of all levels of notoriety are publicly confirming their commitment to providing consumers with products that are less ``buggy'' and more secure. In an effort to dramatically improve information security throughout corporate America, I convened a group of 25 leaders from business organizations, as well as representatives from academic and institutional communities to form the Corporate Information Security Working Group. 
The intent was to produce a set of recommendations that could form the basis of an action plan for improving cyber security for businesses and enterprises of all sizes and sectors. The group divided into subgroups, one of which was the Awareness, Education, and Training Subgroup. This subgroup's mission was to identify, partner with and build on the good work of organizations that have or are developing campaigns to raise awareness on the importance of cyber security. Let me pause and acknowledge the tremendous work that Commissioner Swindle and the FTC have been pursuing for some time now. It is my view that our collective efforts can make a difference. The Awareness, Education, and Training Subgroup reported recommendations for three categories of users--small businesses, large enterprises, and home users. For small businesses, the group suggested creating and distributing a Small Business Guidebook for Cyber Security that explains cyber security risks in terms that are readily understood and that motivate small business owners to take action. For large enterprises, the Awareness, Education, and Training Subgroup suggested enhancing distribution of existing documents for large enterprise managers. Many organizations, including the Institute for Internal Auditors, the Internet Security Alliance, and the Business Software Alliance, have done great work in this regard. The group believes these documents deserve greater distribution and will work with organizations representing large corporations to find the proper channels for broader dissemination. Furthermore, for large enterprises, the group suggested creating a guide for information security for C-level executives, such as CEOs, CFOs, and COOs. A user-friendly guide for C-level executives is necessary to raise the profile of the information security issue in terms senior executives can understand. 
To that end, the group is currently working with representatives of large business organizations to see how it might collaborate on and distribute such a guide. Finally, the group suggested targeted efforts aimed at the mass market would help educate home users. The group is seeking to build upon existing relationships and forge new partnerships between organizations, corporations, and the government to help educate the home user base on cyber security. One of the other subgroups worked diligently on developing a set of best practices and guiding principles in information security that could apply from the most unsophisticated home user to the most sophisticated enterprise. Those efforts have produced incredible results, and provided a foundation for the Awareness, Education, and Training Subgroup to build upon. In addition to my Corporate Information Security Work Group, there are several other organizations, including both public and private entities, that are working to improve awareness and provide education to cyber citizens. This includes a broad base of constituent groups, including the education community. Today we will hear about awareness and education efforts in the K through 12 community, as well as in institutions of higher education. In addition to these awareness and education efforts, I am pleased to announce at this hearing two partnerships that the Department of Homeland Security is undertaking to train information security and assurance professionals through our Nation's colleges and universities. The Department will be partnering with NSA to enhance the Centers of Academic Excellence in Information Assurance Education Program to increase the number of information security professionals entering the work force.
The Department will also be partnering with the National Science Foundation on a Scholarship for Service Program, which provides 2-year scholarships for training information assurance specialists who in turn make a commitment to work for a Federal civilian agency for 2 years. I look forward to hearing more about these various initiatives in the testimony today. I will note that I do have a concern. I worry that if we bombard our cyber citizens with too many messages from too many sources, they may become confused and take no action at all. If we are to begin a national, intensive campaign to educate individuals, and small and medium businesses on cyber security, we need to have a collaborative strategy that facilitates the delivery of a clear and common message about how folks can protect against the threat of a cyber attack. I look forward to hearing from today's witnesses that my concern is being addressed in a proactive and collaborative manner. We must maintain the advantages that multiple channels give us for outreach and we must continue to recognize that one size does not fit all and that a required level of cyber security hygiene will vary depending on the profile of the user. Some basic steps are invariably common to most users and today we will identify steps being taken to convey that information. The more voices repeating the message, the more people are likely to hear it and pay attention. It would be difficult in my estimation and based on what I have learned to overstate the importance and timeliness of such an effort. I look forward to the testimony of our witnesses and I thank them for their contribution to the cyber security of our Nation. Today's hearing can be viewed live via Web cast by going to reform.house.gov and clicking on the link under live committee broadcast. [The prepared statement of Hon. Adam H. 
Putnam follows:]

[GRAPHIC] [TIFF OMITTED] T6315.001 through T6315.004

Mr. Putnam. I would like to welcome the gentleman from Missouri, our ranking member of the subcommittee, Mr. Clay, and recognize him for his opening remarks. Mr. Clay.

Mr. Clay. Thank you, Mr. Chairman, for holding today's hearing on ways we can improve our educational efforts in the realm of cyber security. I, too, share your concerns and I am hopeful that our witnesses can share with us different perspectives on effective methods for reaching our goals. As our global economy becomes more dependent on the efficiencies associated with the information super-highway, we must become more aware of the risks and costs associated with such advanced technology. Although legislating appropriate standards in rapidly changing technologies is, at best, a reactive approach to policymaking, we may have few other viable options. The ominous threat of widespread and well-orchestrated cyber attack would have severe consequences in both real economic terms and consumer confidence. If efforts to legislate cyber security standards are to be effective, the prevention of such attacks through outreach, training, education, and awareness must be central to its mission. Once again, I believe there are two central components that are integral to providing adequate computer security for the Federal Government. First, the management of our agencies' networks must become a top priority throughout the government. This approach should not only include adequate funding for computer security, but better stewardship of our critical assets and more frequent vulnerability assessments for our investments. Second, the government must find a way to incorporate minimal software and hardware security standards into its annual $60 billion investment in information technology.
We must harness the purchasing power of the Federal Government to demand more stringent computer security standards from vendors and contractors at every level of the procurement process. I want to thank our chairman for his work on improving computer security standards through the Corporate Information Security Working Group. It is my hope that his collaborative efforts with the private sector can bring us closer to achieving what have been, to this point, elusive goals. Mr. Chairman, this concludes my remarks, and I ask that they may be inserted into the record. Thank you.

[The prepared statement of Hon. Wm. Lacy Clay follows:]

[GRAPHIC] [TIFF OMITTED] T6315.005 through T6315.006

Mr. Putnam. Without objection, so ordered. I will move directly into the oath. As is the custom with this committee, our witnesses are sworn in.

[Witnesses sworn.]

Mr. Putnam. Note for the record that both witnesses responded in the affirmative. We will now move into the testimony. I would like to introduce our first witness, Orson Swindle. Mr. Swindle was sworn in as Commissioner for the Federal Trade Commission December 18, 1997. In December 2001, Commissioner Swindle was appointed as head of the U.S. delegation to the Organization for Economic Cooperation and Development Experts' Group to review the 1992 OECD guidelines for the security of information systems. He has a distinguished military career, and served in the Reagan administration from 1981 to 1989 directing financial assistance programs to economically distressed rural and municipal areas of the country. As Assistant Secretary of Commerce for Development, he managed the Department of Commerce's national economic development efforts, directing seven offices across the country. He was State Director of the Farmers Home Administration for the U.S. Department of Agriculture, financing rural housing, community infrastructure, businesses, and farming.
We welcome you to the subcommittee, and appreciate your work in this area. You are recognized for 5 minutes for your oral statement. Your written statements, for both witnesses, will be inserted into the record. You are recognized.

STATEMENTS OF ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE COMMISSION; AND AMIT YORAN, DIRECTOR, NATIONAL CYBER SECURITY DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY

Mr. Swindle. Mr. Chairman, Mr. Clay, and members of the subcommittee, I appreciate the opportunity to discuss the FTC's work on information security. The views expressed in the written statement represent the views of the Federal Trade Commission. My oral remarks and responses to questions, of course, are my own. This hearing is most timely and I applaud the chairman for his leadership on this very vital subject. Today, maintaining the security of our information systems and networks is essential to every aspect of our lives. We are all directly or indirectly linked together by this infrastructure. We benefit enormously from these systems; however, there are vulnerabilities that threaten the security of and do major harm to stored information, the flow of information, and the continued viability of the systems themselves. The FTC has sought to address these vulnerabilities through consumer and business education, stressing the fundamental importance of good security practices, plus law enforcement actions, and international cooperation. Safe computing practices by home computer users are especially important in our broadband world. Viruses, worms, and denial-of-service attacks have left a trail of very costly destruction and, as the chairman mentioned, it could get worse. To help promote a culture of security, the FTC created an information security mascot, Dewie the e-Turtle, to educate businesses, consumers, and children about the importance of information security and the precautions they can take to protect personal information.
The Dewie Web site has registered more than 600,000 visits since its deployment in August 2002. In addition, the FTC has distributed a video news release seen by 1.5 million consumers; we have distributed 160,000 postcards featuring Dewie; and information security was the theme of National Consumer Protection Week in 2003. Our Web site contains tips on how to stay safe on line as well as publications addressing issues related to spam, file sharing, high-speed Internet access, shopping on line, and identity theft. The growing problem of phishing is addressed. This is a high-tech scam that uses spam to deceive consumers into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive personal information. This information and our Web sites are available to Members of Congress for constituent services. Despite our efforts, only about three dozen Members of the Congress have their Web sites linked to the FTC Web site. I think we can all do better than this. The Internet has made us a global community and international collaboration is important to ensuring information security. The FTC has played a leading role within the OECD in revising and implementing its security guidelines, urging a widely publicized OECD Web site, and aggressively urging member countries to immediately implement the principles of information security. We are encouraging our global partners to share their experiences with the international community, including the APEC, the United Nations, and the TransAtlantic Business and Consumer Dialogues. The FTC, the Department of Homeland Security, and such organizations as the newly formed National Cyber Security Partnership of trade associations, which includes the Chamber of Commerce, ITAA, TechNet, and BSA, are working individually and together to enhance consumer and business education.
The National Cyber Security Summit met in December 2003 to implement the National Strategy to Secure Cyber Space and formed five task forces, including one devoted to comprehensive awareness. I am pleased that Dan Caprio of my staff participated as co-chairman of the awareness task force. That task force issued a report recommending a number of very concrete proposals to increase consumer awareness, including a comprehensive cyber awareness campaign to reach consumers through a 3-year national advertising campaign; a partnership with ISPs to educate home users about cyber security issues; and distribution of a cyber security tool kit through Stay Safe On Line. The FTC remains committed to expanding our public-private partnership and leveraging relationships with consumer groups, industry, trade associations, other government agencies, and educators to raise consumer awareness. The Commission has used its law enforcement authority to address information security issues using our authority under Section 5 of the Federal Trade Commission Act. To date, the Commission's security cases have been based on deception. In four separate settlements with companies that collected personal information from consumers, including a settlement with Tower Records which was announced today, we have alleged that the companies made explicit or implicit promises to take appropriate steps to protect consumers' information. In fact, we found their security measures to be inadequate. We alleged that Tower made specific promises to protect personal information provided by consumers on its Web site, yet failed to take reasonable and appropriate steps to detect and prevent against well-known vulnerabilities. The lesson: When you are making changes, do not forget to ensure that your security safeguards are in place. Through these information security enforcement actions, the Commission has come to recognize several principles that govern any information security program. 
First, a company's security procedures must be appropriate for the kind of information it collects and maintains. Second, not all breaches of information security are violations of the Federal Trade Commission law. Third, there can be law violations without a known breach in security. And fourth, good security is an ongoing process of assessing and addressing risk and vulnerabilities. The critical reality in our information-based economy is that we all have a role to play in protecting cyber space. Creating a culture of security is a journey, it is not a destination, and leadership will be essential. Thank you for this opportunity to appear here today, and I look forward to answering your questions.

[The prepared statement of Mr. Swindle follows:]

[GRAPHIC] [TIFF OMITTED] T6315.007 through T6315.024

Mr. Putnam. Thank you very much Commissioner. Our next witness is Amit Yoran. Mr. Yoran is the Director of the National Cyber Security Division of the Department of Homeland Security. The National Cyber Security Division provides for 24-7 functions, including conducting cyber space analysis, issuing alerts and warnings, improving information sharing, responding to major incidents, and aiding in national level recovery efforts. Most recently Mr.
Yoran served as the vice president of worldwide managed security services at the Symantec Corp., overseeing 24-7 security operation centers delivering security services to hundreds of companies in over 40 countries around the world. Prior to working at Symantec, Mr. Yoran founded RipTech, an information security company. He also served as an officer in the U.S. military as the vulnerability assessment program director for the U.S. Department of Defense's computer emergency response team, and supported security efforts for the Office of the Assistant Secretary of Defense. We welcome you to the subcommittee. You are recognized for 5 minutes. Mr. Yoran. Good afternoon, Chairman Putnam and distinguished members of the subcommittee. My name is Amit Yoran, and I am Director of the National Cyber Security Division within the Office of Infrastructure Protection of the Homeland Security's Information Analysis and Infrastructure Protection Directorate. I am pleased to appear before you today to discuss our initiatives addressing educational awareness for the cyber citizen. We view cyber awareness as a critical component within our mandate to improve cyber security. We have implemented measures to reach as many people as quickly as possible. Education and training are also critical elements of our strategic initiatives to improve the long term cyber security posture of our Nation. Education of our cyber community on the rules of the road is fundamental for enhancing citizen safety in the cyber world. The National Cyber Security Division was created to serve as the national focal point for public and private sectors to address cyber security issues. NCSD is charged with coordinating the implementation of the National Strategy to Secure Cyber Space. 
The Department works closely with our partners in the Federal Government, at the State and local level, as well as with the private sector and academia on a variety of programs and initiatives to protect our information infrastructure. On January 28th of this year, the Department of Homeland Security unveiled the National Cyber Alert System, delivering targeted, timely, and actionable information to Americans to secure their computer systems. We have already issued several alerts and a periodic series of best practices and how-to guidance pieces. We strive to make the information provided understandable to all computer users, both the highly technical and those like my wife, who, despite her advanced degrees and profession, need this information presented in plain English. I am pleased to report that Americans are exhibiting a keen interest in the alert system. And on the day of the National Cyber Alert System launch we had over 1 million hits to the US-CERT Web site. Today, more than 250,000 direct subscribers are receiving National Cyber Alerts to enhance their cyber security. For your reference and for your constituents, I urge you to visit www.us-cert.gov, and I encourage you to include a link to US-CERT on your congressional Web page and recommend your constituents sign up for the National Cyber Alert System to help them improve their cyber vigilance and protect our Nation. We have engaged in many media interactions to provide a voice of reason in our efforts to improve awareness among the cyber citizenry and also reach as many Americans as possible in the plain language they can easily understand and act upon. The Department of Homeland Security is the sponsor of the National Cyber Security Alliance and the Stay Safe On Line, a public-private effort created to educate home users and small businesses on cyber security best practices.
Each time we turn our clocks ahead and back to account for Daylight Savings Time we encourage Americans to review and improve their cyber readiness. I challenge each Member of Congress to sponsor a cyber security awareness event in your district on October 31, the next National Cyber Security Day. Although Cyber Security Day is not yet broadly recognized, our continued and joint efforts will ensure their future success and effectiveness. In addition to awareness, other key aspects of our strategy are focused on training and education. Homeland Security is actively engaged with our intergovernmental partners and is also reaching out to academic institutions to establish cooperative relationships. I again cite the two recent accomplishments which you previously mentioned in this regard. We have signed on to partner with the National Security Agency to expand the NSA Center for Academic Excellence in Information Assurance Education Program to a broader National Centers of Academic Excellence initiative. The program was established by the NSA in 1998 to promote higher education in information assurance. Universities designated as centers are eligible for scholarships and grants through both the Federal and Department of Defense Information Assurance Scholarship programs. The new, increased scope will accelerate and expand the current program to attain national prominence, attract participation from other universities, resulting in an increased number of cyber security professionals for our Nation. Second, Homeland Security has partnered with the National Science Foundation on the Scholarship for Service program. This initiative promotes university level information assurance education and places program graduates into the Federal work force. The Department of Homeland Security has already hired graduates and we are excited about the capability of these graduates and the quality of the work force this program is producing. 
In addition to these accomplishments, we have identified other strategic education programs. We are working with the Department of Education, EDUCAUSE, and others to develop cyber security programs for the K through 12 curriculum in our public schools. It is imperative that we educate and raise America's youth in a culture which fosters prudent cyber security practices and ethics. Our goal is to ensure that all computer users understand the rules of the road for cyber security and are empowered to stay safe on line. Thank you for the opportunity to testify before you today. I would be pleased to answer any questions that you have at this time.

[The prepared statement of Mr. Yoran follows:]

Mr. Putnam. Thank you, Mr. Yoran. I appreciate your being here today. You have had an interesting week. I would like to give you the opportunity to elaborate on the Cyber Alert that you have issued and if you would give some comment to this subcommittee on the nature of the vulnerability and the status of efforts to remedy that vulnerability on the Internet routers.

Mr. Yoran. Thank you, Chairman Putnam. The creation of the National Cyber Alert System allows us to reach out directly to a large number of operators in cyber space with information targeted to them on how they can best protect their systems or the systems which they are responsible for. In a number of recent cases, vulnerabilities have been brought to our attention which would cause specific routers to malfunction and become inoperable and not pass the traffic which they were intended to pass.
This vulnerability is not information which is actionable to most home users, but certainly through our targeted delivery mechanism we can reach out to the cyber security community and provide this information to them. The detail and accuracy of the information allow the Department of Homeland Security and the Federal Government to work closely and cooperatively with the private sector. In an alert we issued late last night, we worked closely with Cisco, who proved to be a valuable partner to the Department of Homeland Security and the Nation in being very forthright about a vulnerability which was brought to their attention in their close working relationship with the US-CERT and the Department of Homeland Security, and, perhaps most importantly, with their customers, to assure that Internet backbone services and routers were adequately protected in an expeditious fashion.

Mr. Putnam. Why was it the British Government who revealed the vulnerability and not the Department of Homeland Security in our own country?

Mr. Yoran. I will not comment on the logic behind the British Government releasing this vulnerability on their specific timeline. Given the availability of that information, it was important for the Department of Homeland Security, working with Cisco and key Internet service providers, to put out and make as broadly available as possible some technical information with an appropriate level of detail so that folks knew how best to protect themselves. I am happy to report that while this is a significant vulnerability, those warnings were rapidly heeded by much of the backbone community and the likelihood of significant Internet disruption as a result of this vulnerability has been minimized.

Mr. Putnam. My understanding is, and correct me if I am wrong, that the potential for this vulnerability has been known for some time; it was not known that anyone could exploit it. Is that the case?
And if so, how long has your office been aware of the existence of this potential vulnerability? And the followup would be, are there others that until now people have thought were not exploitable that we should be addressing and that people should be aware of?

Mr. Yoran. Chairman Putnam, I would welcome the opportunity to brief you in a smaller forum, a more confidential venue on some of the pre-public announcement activities and coordination on what information was released and which communities we worked with to best serve the public interest and protect the Nation. In terms of specific exploit code, in terms of specific vulnerabilities which were known about and have recently had exploit code developed, there have been a series of vulnerabilities discovered over the past 24 hours. In fact, two alerts have been issued on very similar topics over the past 24 hours. One of those alerts, the one dealing with the border gateway protocol, the more commonly adopted best practices approach to router management would significantly mitigate the risk and exposure an organization would experience, again highlighting the need for best practices and best practice guidance such as your working group produced and is available from NIST and from many of the vendors. For the second of the recent vulnerabilities discovered, it is in fact a new vulnerability discovered in a specific vendor's implementation of the Simple Network Management Protocol.

Mr. Putnam. I think that Mr. Clay and I both would appreciate the opportunity to discuss other issues in the appropriate forum and setting. But for the purposes of this hearing, let me just ask, is security enhanced by a fundamental shift from the Internet to IP-6?

Mr. Yoran. Mr. Chairman, there are some very promising characteristics of IP version 6 which have security enhancing capability which have significant impact on how the Nation or the infrastructures might defend against some of the threats we face today.
Many attack techniques which deal with exhaustive searching of Internet addresses, looking for vulnerabilities are much less practical in an IP v. 6-type of environment. Through a number of efforts within the Department of Homeland Security's Science and Technology Directorate, we are investing in a better understanding of IP v. 6's effect on Internet security. The Department of Commerce has a very active effort in understanding the implications of IP v. 6 and the adoption of IP v. 6 from a security perspective. It is important, however, to also recognize that many of the vulnerabilities which exist and many of the attack techniques which exist are not going to go away with the increased adoption of this new protocol.

Mr. Putnam. Thank you. I appreciate that very much. We will return to the theme of the day. Commissioner Swindle, the evidence clearly indicates that computer users of all levels of sophistication are potential victims of worms and viruses and denial of service attacks. Who are the target audiences of the efforts by the FTC and, in Mr. Yoran's case, the cyber security division to address improvements in cyber security? I assume that the cyber turtle is not speaking to large enterprises. But in general, as you prioritize your audience, who is at the top of the list?

Mr. Swindle. Mr. Chairman, the cyber turtle is actually a very sophisticated creature. He is handsome and he is affable and he was modeled after me, so let us be careful how we talk about him.

[Laughter.]

Mr. Putnam. Mr. Clay and I would like to meet him. Can we call him as a witness?

[Laughter.]

Mr. Swindle. The FTC has traditionally been involved with consumer protection matters and consumer education is a large aspect of how we go about doing our business, both from the antitrust side as well as the consumer protection side. It is all to enhance consumer welfare.
We have a tremendous amount of experience in consumer education and our efforts with Dewie the e-Turtle have been addressed primarily to consumers and small businesses. However, in the process of finding better ways to communicate with consumers, we deal with industry associations and large businesses on a constant basis and have established some rather good relationships with these companies, seeking a better understanding of the problems, seeking their advice on how they market to their customers, and we learn together from each other's experiences. So, it is a rather comprehensive approach to educating the consumer. The target primarily is the broad base. If you can imagine a triangle of people concerned with computer and information systems security, the broad base of the triangle would be 250 million consumers here in the United States, and then we can multiply by all the people in the world who are also involved in this. Then we get up to higher levels of corporate involvement, lower levels of small business involvement, but yet the base is broad and the triangle narrows as you go higher. So our focus is on the broad base consumers, and we work closely with industry, small businesses, and associations to try to convey our message.

Mr. Putnam. Thank you. We look forward to Dewie joining the great pantheon of other public servant characters like Woodsie the Owl, Smokey the Bear, and McGruff the Crime Dog.

Mr. Swindle. That was the motivation behind my asking three bright young people, I said ``I want a Smokey the Bear to be our spokesperson,'' and they came up with Dewie. And it has been fairly successful.

Mr. Putnam. Well, good.

Mr. Swindle. At the Federal Trade Commission, while we have the potential and expertise to do a lot of consumer education, we are a relatively small agency. We've got Dewie launched, and we are hoping that industry will pick it up and expand it. And it has expanded.
We have Dewie appearing in schools and on television and with industries, and we have many industries and associations of industries linked to our Web site in which you will see the presence of Dewie on each one of those, as well as the OECD, for that matter, in the international world. They are still trying to figure him out over in Germany, but they will get there.

Mr. Putnam. Thank you, Commissioner. At this time, I would like to yield to Mr. Clay for his first round of questions. Mr. Clay.

Mr. Clay. Thank you, Mr. Chairman. I appreciate it. Mr. Yoran, welcome to the committee. Can you describe for me the procedures that are in place to work with the private sector in circumstances that DHS advisories or warnings are necessary? For example, did the Department of Homeland Security collaborate effectively with Microsoft and the anti-virus companies during the recent wave of cyber attacks?

Mr. Yoran. Thank you, Congressman Clay. The Department of Homeland Security, through the efforts of the U.S. Computer Emergency Readiness Team, have several venues and interaction points with which we are working with many entities in both the public and private sector. In many cases, before issuing a specific alert, in cases such as the recent Cisco alert which was published, in cases like recent viruses alerts and vulnerabilities in specific vendor operating systems such as Microsoft, we have worked with and collaborated with those companies to assure that the information which we are providing is, in fact, technically accurate and that we are adequately providing enough information in an actionable fashion so that the public can work with the vendors providing those specific software packages on how they can best protect themselves.
Further, our collaboration with the private sector extends beyond the vendor community and into the critical infrastructure owner-operator community, working closely with numerous ISACs, numerous industry associations, other information sharing organizations, and cyber security professionals and experts in the private sector to help them best assess the impact of these vulnerabilities on their specific industries.

Mr. Clay. An extensive network of consulting going on there.

Mr. Yoran. Yes, sir. There exists an extensive network and numerous interaction points which we are continually refining and expanding upon in a series of public-private partnerships.

Mr. Clay. Thank you. In creating the Homeland Security Department, Congress moved the Federal Computer Response Team from GSA to Homeland Security. Has this move contributed in a positive manner in the ways in which DHS now responds to cyber attacks? Did anyone leave the agency rather than move, as we saw with some other agencies?

Mr. Yoran. Well, sir, I could not provide details at this point as to whether anyone moved or not. I can certainly assure you that a number of highly qualified experts came into the Department of Homeland Security with the transition of the Fed-CERT capability and that Fed-CERT is very active in helping the Federal Government understand, address, and respond to vulnerabilities and malicious activities as they are discovered and as they occur. Earlier this morning, in fact, the Fed-CERT, Larry Hale, who is the Assistant Director of the US-CERT and the Director of Fed-CERT, conducted a conference call with OMB, under the leadership of Karen Evans, and the entire CIO council, we had representation there from the US-CERT, we had representation from Cisco, to help provide specific detail on the recent vulnerabilities, as, again, an illustration of how that Fed-CERT capability has translated into rapid capability for the Department of Homeland Security in addressing cyber security threats.
We additionally conducted coordination activity with the chief information security officers of the Federal Government over the past 24 hours with respect to this specific vulnerability.

Mr. Clay. OK. Thank you for that response. Mr. Swindle, from a business perspective, do you view the software security industry as competitive and cutting-edge, or are there limited participants that may impact the availability of products or the cost of these products? How do you view the industry as far as from a business perspective?

Mr. Swindle. If I understand the question correctly, Mr. Clay, there is no doubt in my mind that we have very competitive companies out there attempting to come up with better and better and more acceptable, I mean that from the standpoint of consumer acceptability, products. As Chairman Putnam mentioned earlier, we have gone through this evolutionary process of getting into this world of cyber space and companies raced out, competitively, I might add, to try to acquire customer base, they had bells and whistles galore. Not many people were thinking too much about security or privacy for that matter, which has been a major concern of the Federal Trade Commission over the past few years. I think today, certainly on the privacy matter, these competitive companies are paying attention to it, and now I think they are focusing on security, and we are seeing better and better products from a security standpoint. I think we will eventually see an evolution, and I think this is driven by the capacity of technology to accommodate it. I mean, everybody sort of knows what we want to do, getting the technology that will do it economically is another question.
We are seeing us progress to a point where more and more computers, especially home computers, the personal devices that the masses of people use, will have baked into them more and more security and privacy attributes that will hopefully take some of the necessary action away from the user and make it automatic. I guess probably the best analogy I have found throughout this whole discussion has been the automobile. I can remember and I guess, I am looking around the room here, I may be the only one in here that can remember the way automobiles were back in the early 1950's. There were an awful lot of things we had to do then that we do not even know exist today. So I think we will see this industry progress that way. We have tremendous private sector companies trying to do good work, and they are working very hard at it.

Mr. Clay. I thank you for that response. One other question. From your perspective, are there additional measures that the Federal Government ought to pursue to strengthen security measures taken by those in private industry? And are there economic-based computer security hygiene standards or other mechanisms in the marketplace?

Mr. Swindle. I think the answer to that question is multifaceted. It is going to take all of us working on it. It is going to take legislative pressure, it is going to take regulatory pressure, it is going to take competition pressure. As I said, we all got out front providing bells and whistles and nobody thought about security. Now, the company that gets ahead of its competition is one that is providing good security. So I think all these forces together are going to play a role. I think the chairman's program with the private sector and the initiatives he has taken are good. He has sort of waved the flag of regulation or some new law, and it is just amazing how that inspires people to get moving.

Mr. Clay. To get together, right.

Mr. Swindle. And I do the same thing.
I say either you do it--it is like the old Fram oil filter commercial where the guy holds it up and says either you buy one of these now or I will see you over here, and there is a smoldering engine over here. So, legislation alone will not solve this problem. It is moving too fast. By the time the Congress enacts legislation, that problem has come and gone and we have a new one. I just do not think legislation alone is a solution. But I do think we progress if we are all pushing each other, challenging each other, and we continue this dialog in search of the right answer--because we all have a stake in this. We all have a selfish interest in getting it right because we are going to pay the price either as a home user whose computer which costs $700 got a virus and destroyed it, he has an interest in it, as well as Microsoft and AOL and all these other big guys, and the Federal Government. So we all have to work on this and push.

Mr. Clay. Thank you for your response, Mr. Swindle.

Mr. Swindle. Yes, sir.

Mr. Putnam. Thank you, Mr. Clay. Before I get back into some more questions, I would like to introduce Matthew Jaunce, from Laughton-Childs Middle School in Lakeland, FL, who has a class assignment of shadowing a member of the community, hopefully a productive member of the community, unfortunately, he chose to shadow a Congressman. But Matthew, wave your hand, and welcome to Washington.

[Applause.]

Mr. Putnam. Commissioner Swindle, is there an estimate on the amount of economic impact or harm that has been done through phishing, phishing with a P?

Mr. Swindle. P-H.

Mr. Putnam. Phishing with a P-H.

Mr. Swindle. I struggle with that also. I do not know, Mr. Chairman, if we have an accurate quantitative assessment of how much of a problem it is. But we know that identity theft is very large.
I think we did a survey here recently, I think it was last September, in which it is estimated, if I remember correctly something on the order of 27 million people over the past 5 years have had some unfortunate engagement with identity theft. As you certainly know, and as I mentioned earlier, phishing is a process whereby people are tricked into giving vital information such as their names and their Social Security numbers. Those two items alone can lead to an awful lot of mischief on the part of bad guys because they can use those two pieces of information to get credit cards, and by the time you catch them, your credit report has been done such damage it will take you years to get over it. These are serious problems and phishing is expanding. There are lots of different things that could help curtail it. But I still contend the one thing that will help most is individual responsibility. And for people to be responsible and protect themselves they have to know what is happening. And that is a part of our consumer education program, to let people know the kinds of bad things that go on. We are seeing good signs. There is a commercial running on at least cable networks, because that is about all I get a chance to look at, advertising, if I remember correctly, a shredder. It shows a guy rummaging through a trash can, and he finds some stuff, puts it in his pocket, and the owner of the trash can drives up. It is late in the evening, and the guy who is rummaging through the trash can says, ``Hi, Tom'' or something to that effect, as if he knew this guy, and the guy has a puzzled look on his face. So much of this information does come from trash cans and mishandled information, carelessly handled information. So the problem of phishing, I cannot give you quantitative numbers on it, but I can assure you it is growing. 
The damage caused by bits and pieces of personal information falling into the wrong hands either by people losing it, which tends to be the dominant way, or somebody stealing it through the technology of computers is major. Very large.

Mr. Putnam. As a corollary to that, has any action been taken to prevent the deliberate construction of Web sites that prey on people's misspellings and particularly target children, a common misspelling of Britney Spears would lead you into a pornographic site, or, the most common one, whitehouse.com instead of whitehouse.gov. I know that is not exactly a cyber security issue, but since we are talking about protecting the home user, that certainly is an important piece. Has anything been done on that where they deliberately construct a Web site to lure children into these sites?

Mr. Swindle. We have had a couple of cases which go back a couple of years. One we refer to as ``Fat Finger Dialing,'' or something of that nature. But we have taken some action against people who do these kinds of things. Again, it is a large world out there. I do not recall many complaints of recent times about that because I frankly think people are sort of savvy to this and pick up on it. But it is certainly out there, and it is another pitfall that people can fall prey to.

Mr. Putnam. Sure. Mr. Yoran, what has been the impact of current and recent legislative initiatives such as Gramm-Leach-Bliley, HIPAA, and Sarbanes-Oxley on improving information security, not just for the regulated sectors but throughout corporate America?

Mr. Yoran. Chairman Putnam, some of the corollary effects of both existing legislation and some of the proposed legislation is an increased visibility of cyber security issues, an increased awareness in the private sector of their responsibilities, and an increased focus on execution of cyber security practices in the private sector.
I will also add, given the opportunity, to some of the comments Commissioner Swindle made earlier in terms of cyber crime. I certainly commend the Department of Justice's focus in the protection of children and going after child pornography, and also commend various efforts in the private sector to help curtail this type of activity, specifically America OnLine and other organizations which are providing an infrastructure and a much safer environment for America's youth in terms of their cyber security and their exposure to some of these threats.

Mr. Putnam. What steps has your division taken to motivate the private sector to report intrusion incidents, and how is that information protected so as not to produce a competitive disadvantage for those people who are doing the right thing and coming forward with that information?

Mr. Yoran. There are a number of initiatives underway to help encourage collaboration with the private sector, one component of which is the reporting of incidents. Certainly, in our technical alerts and in delivering technical information and assistance, guidance to the private sector is one form of activity underway which encourages and has resulted already in the private sector's willingness to discuss cyber security issues with the Department of Homeland Security and we are confident that will continue. Additionally, sharing the increased practices around information sharing not only within the public sector, but from the public sector to the private sector have encouraged increased collaboration with the private sector. Again, I will cite two recent interactions with Cisco as the US-CERT and Cisco's willingness to be very forthright with us and use us as one mechanism for their outreach to their customers and the set of people who may be affected by recent vulnerability discoveries.

Mr. Putnam. Commissioner Swindle, do you believe that some of the recent legislation like HIPAA, and Gramm-Leach-Bliley, and Sarbanes-Oxley have aided in improving information security throughout corporate America?

Mr. Swindle. In a word, yes. I think again back to that pressure, and I think it has brought a greater awareness among corporate America, and the consumers, and vendors, and clients and customers that this is serious business. And while some of it may be an enormous burden, as oftentimes legislation tends to be, we have to keep working to minimize those burdens while at the same time, where it is possible through legislation, put in place measures that will improve the circumstances. I think getting corporate America's leadership focused on this, getting boards of directors focused on this, on why it is important, and the bottom line is why it is important for most of those people, that will help us create this culture of security that I mentioned. I do not know of a better way that we can solve this problem or at least minimize this problem. I do not know that we will ever solve the problem because technology is moving too much, but when concerns about information security and privacy of customers and clients and the information that pertains to them becomes part of a corporate culture, it will be the way we do things as opposed to something we have to do. I think in this new world in which we are living, knowing that is what we should be responsible for doing, that this is what we ought to do for the benefit of the corporation ought to be a part of that company's culture. It is the establishing through audit and other means of how the company does business and certifying the ethics, the morality, if you will, the proper procedures that they use for their corporation. I think that is just a part of the new world that we live in.
And more and more corporate leadership is realizing this and they will adopt it because I think they represent responsible companies that want to do well. I think they are going to have to do these kinds of things to do well. I would hope they would do it of their own initiative as opposed to having to have a law that says you have to do this. This is common sense. It is the right thing to do.

Mr. Putnam. What is the role of the ISP community in serving as a communications channel to computer users about computer security hygiene and cyber ethics?

Mr. Swindle. I think they have a large responsibility in this and, as I mentioned I think in my oral testimony, a part of the recent task force on comprehensive awareness, one of the features of it, initiatives of it would be to have the ISPs engage in a lot of consumer education. The ISPs have two big problems. One is all this stuff flooding in on top of it which is consuming its resources, causing it great expense. And on the other side of that, the ISPs push, and e-mail comes to mind right away because that is what most consumers are engaged in and that is where an awful lot of this mischief goes on, the nuisances go right out to consumers. The ISPs I think have made remarkable progress, certainly the major ones, and I am sure some of the smaller ones have done so also, over the past couple of years in providing their subscribers with great tools. I use one of the major ISPs, and I was beating them up rather severely a couple of years ago and now with their system I rarely see any spam. I can go see the spam if I want to, but I do not have to engage it at all. They are doing good work. They are providing the tools. What I think the biggest challenge is is getting the point across to consumers, users, home users, this wide base, the necessity that they do certain things. It is sort of like changing the oil in your car.
We can build the finest car in the world, but if you do not change the oil in it, it will not be the finest very long because it is going to have problems. I think we need to make this idea of information security as much a part of our mindset as changing the oil in the car, making sure the brake pads are in good shape, or, even more simply, looking to the left and right when you cross the street. There is a role, as we have both said, for everyone to play here. I just think we have to convey that message to everyone that they have to play this role.

Mr. Putnam. Mr. Yoran, the role of the ISP community?

Mr. Yoran. Thank you, Chairman Putnam. Similar to Commissioner Swindle's comments, I believe we need a common responsibility framework, certainly looking at and pointing to responsibilities and action which ISPs can take up, and many of them are taking up, is one venue for progress. But, similarly, the consumers and the users of technology need to adapt better practices. They need to place greater emphasis on their cyber security and cyber security preparedness. The product vendors and the software community need to adopt better software development practices and take up the responsibility to do that, to make cyber security more understandable. If you were not thrown off by all the technical jargon required to explain some of the vulnerabilities of the past 24 hours, you are in a small minority. Cyber security is too complex in today's environment. There is a clear role for educators to improve cyber security awareness, ethics, and make more available cyber security courses and information so that we can better train a cadre of cyber security professionals. And there is a significant role for industry to play in their information sharing and analysis centers and in the operator community to address with a unified front cyber security challenges facing their industries.

Mr. Putnam. Commissioner, what is the role of the law enforcement community here?
Are they doing an adequate job in prosecuting hackers and people who are using spam and using spyware and using phishing techniques illegally to defraud people, and are they doing an adequate job of educating the public about the penalties for engaging in that type of conduct?

Mr. Swindle. I will answer the last question first, whether they are doing a great enough job of educating the public as to the penalties they might suffer. I think we are hampered in this business of technology by the inability sometimes to find the bad guys. Certainly, we at the Federal Trade Commission have pressed cases over the past several years in which large corporations have been called to task for some of their negligence and carelessness in how they protect information, and they pay prices in a civil sense, not a criminal sense. They are put under order to not do this again. In several cases that I mentioned in my written testimony, a couple of the companies have at least a 20 year love affair to endure with the Federal Trade Commission because they have to do audits and report to us. As far as the criminals go, I know the spam issue is something that everybody is familiar with. Finding the perpetrators of spam is a very difficult process. We are doing a number of investigations in the Federal Trade Commission, and we are going to have some results. But oftentimes, as we have said previously in testimony, when we get to the end of the trail and find the bad guys, there is nothing for us really to get other than put him out of business. And for every one of those you put out of business, there is another one that pops up. I think we do a pretty darn good job of law enforcement under the laws that we have. I would not advocate for more laws other than what has been passed here in the Can Spam Act. We are looking at the requirements of that act trying to figure out how we successfully employ the requirements of it.
We are getting lots of input from industry, from consumer groups, from privacy advocates, from all sorts of people, to help us formulate the best possible way we can enforce the law. Part of our education effort is to work with law enforcement agencies. In the past year or so, we visited I think it is at least 10 cities speaking to law enforcement personnel telling them about identity theft, because it is singularly, if I remember correctly, the largest complaint we get, trying to help them help consumers and victims. And, we put out a lot of education materials to try to help consumers who have been victims to work their way out of some of the problems that are created. So, there is a large effort going on. Unfortunately, it is a target-rich environment, and it is difficult to get to everyone.

Mr. Putnam. Thank you very much. Commissioner, I know you have another engagement that you need to attend to. Before we conclude, if you would give us the top three things that the home user should do to make their systems more secure.

Mr. Swindle. Think. Always think. You know, as I mentioned, the ISPs in the last couple of years I think have done a good job and what they have given you is a good spam blocker, they have provided prompted updates of virus protections and firewall protections. If the average consumer, home user would employ a virus program, employ a firewall, keep those up to date, use a spam blocker to narrow down how much garbage comes in your computer, and be careful about how you open e-mail and things of this nature, you could avoid a lot of grief because a lot of these really bad acts come through, believe it or not, the simple feat of sending an e-mail. It can do a lot of destruction. And employing these simple steps is not a difficult thing to do. Again, it is back to making everybody aware. And we would solicit the help of industry, as we are doing, and we would certainly ask that Congress call on us. We will make materials available.
I would like to see, as sort of a goal for all of us, see every Member of Congress have a link to the Federal Trade Commission site as well as the sites that I think you mentioned earlier that industry has identified. There is so much good information out there about how to be safer. And that is what we have to achieve--safe computing. And I thank you very much for this opportunity.

Mr. Putnam. Thank you very much, Commissioner. Mr. Yoran, top three things home users can do to make their systems more secure?

Mr. Yoran. I would agree that the top one is think. Many of the mistakes which are made could be easily avoided by folks taking a moment to reflect before opening attachments from folks they have not received e-mail from or from which they are not expecting e-mail. I would encourage folks to subscribe to the National Cyber Alert System to receive tips and information on how they can protect themselves from online scams, phishing, and a wide variety of activities. And to also learn more through participation in many of the Stay Safe On Line initiatives. Certainly, if turtles can be teenage mutant ninja and martial arts experts, they can help America better protect our cyber citizens.

Mr. Putnam. Thank you very much. I thank the entire first panel. And with that, I will dismiss panel I and we will go into recess momentarily as we set up for panel II. The subcommittee is in recess.

[Recess.]

Mr. Putnam. The subcommittee will convene. I would like to ask the second panel to rise and raise your right hand for the administration of the oath.

[Witnesses sworn.]

Mr. Putnam. Note for the record that all the witnesses responded in the affirmative and have their official souvenir photo of being sworn in. We will move directly to the testimony. Our first witness is Larry Clinton. Mr.
Clinton is currently the deputy executive director and chief of staff of the Internet Security Alliance, a collaboration between the CERT/cc at Carnegie Mellon University and one of the Nation's largest trade groups, the 1,200 member company Electronic Industries Alliance. This past year Mr. Clinton has served as the private sector coordinator of the Corporate Information Security Working Group on Market Incentives for Improved Cyber Security. Prior to coming to ISAlliance last year, Mr. Clinton was with U.S. Telecom Association for 12 years including the last 6 as vice president. We welcome you to the subcommittee. You are recognized for 5 minutes.

STATEMENTS OF LARRY CLINTON, CHIEF OPERATING OFFICER, INTERNET SECURITY ALLIANCE; ANDREW HOWELL, VICE PRESIDENT, HOMELAND SECURITY, U.S. CHAMBER OF COMMERCE; RODNEY PETERSEN, SECURITY TASK FORCE COORDINATOR, EDUCAUSE; AND DOUGLAS SABO, MEMBER, BOARD OF DIRECTORS, NATIONAL CYBER SECURITY ALLIANCE

Mr. Clinton. ``I am very busy. Do I really need to read this?'' That, Mr. Chairman, is the first line of the ``Common Sense Guide to Cyber Security for Small Businesses'' which the Internet Security Alliance released on its Web site earlier this month. We decided to begin our publication in this unusual way because during the market research we did preparing the document we learned a critical fact. That is, that education is far more than simply raising awareness or disseminating information. Education, resulting in behavior change, requires motivation. The Internet Security Alliance is a collaboration between the CERT/cc at Carnegie Mellon University and the Electronic Industries Alliance. We are an international organization with membership on four continents and a wide variety of economic sectors, including banking, insurance, entertainment, traditional manufacturing, as well as telecommunications, security, and consumer food products.
The ISAlliance runs an intensive information sharing program with the CERT/cc and we have taken this information and from it produced a series of best practice guides which are provided free of charge on our Web site. In December of last year, the ISAlliance was asked by the National Cyber Security Summit to produce a best practices document, this time targeted to small business users. Small businesses are particularly vulnerable to cyber attack. One out of every three small businesses was affected by the MyDoom virus, fully twice the number of larger businesses. Obviously, larger organizations have more to lose in terms of absolute dollars; however, smaller margins that smaller businesses operate under vastly magnify the impact an attack can have on a small business. Despite the need, there is very little help being offered to this community. The very first conclusion reached by the Best Practices task force you formed, Mr. Chairman, on the Corporate Information Security Working Group, was that available IS guidance as a whole is not readily scalable to meet the varying needs of large, mid-size, and small organizations. We decided to approach this project in a market-driven way and asked the target audience what they needed to know and how we could best motivate them. We coordinated with the National Association of Manufacturers, the National Federation of Independent Businesses, and the U.S. Chamber of Commerce. Each of these organizations agreed to gather for us a group of their membership and we conducted 10 focus groups, involving nearly 100 actual small businesses, to discuss their cyber security needs. We learned that small businesses are aware of the potential impact of cyber attacks but they are also aware of the costs both in time and money to constantly keep up with the ever evolving threats and vulnerabilities.
Attempting to address the needs of small businesses and cyber security without realistically addressing the costs of their full participation is shortsighted and will ultimately be ineffective. Having been educated by our audience, we produced a document that I believe looks unlike any other in the field. To speak to the small business owner's needs, we provided a real list of case studies drawn from the media, the FBI Web site, and reported directly to us during our research. These are actual cases of small manufacturers, contractors, credit unions, hotels, diners, limo services, law firms, accountants, and venture capitalists, all of whom have had their businesses severely hurt by cyber attacks. They describe a wide variety of situations we believe the typical small business owner can relate to. We then outlined a 12-step program of cyber security specifically for small businesses including why they need to take the step, how to get started, who needs to be involved, the degree of technical skill required, and, specifically, the cost involved. However, more important than the product we produced is what we learned while we were producing it. For too long, cyber security has been thought of as an IT problem with an IT solution. While obviously there are technology elements to cyber security, it is also a management problem, it is an economic problem, and it is a cultural problem. And to adequately address the need, we need to listen to the IT people of course, but also the users, the educators, the marketers, and the economists. We need a broad, market-centered, incentive-laden approach to the issue, rather than a narrow, techno-centered dogmatic approach. We learned again that to achieve long term behavior change, which is the goal of education, we need to do more than simply share information. You noted it yourself, Mr. Chairman, in the letter you sent inviting us to today's hearing.
You said, for example, the Blaster worm infected over 400,000 computers worldwide in less than 5 days, despite the fact that the patch that would have prevented the infection had been available for over a month. The information was there, Mr. Chairman, but the necessary incentives to use it were not. Speaking as a former teacher, who is married to an elementary school teacher with two small children in school, I can assure you that education takes more than providing information. Some students are motivated by praise, some by pride in good grades, some by the prospect of tangible rewards. Few are motivated by threats. Computer users are no different. Creative thinking needs to be done on the issue of incentives. ISAlliance is taking the lead on this issue. In the first quarter of 2003, we signed an agreement with AIG, the world's largest provider of cyber insurance. Under this agreement, AIG will provide premium credits, where permitted, of up to 15 percent for companies who will join the Alliance and subscribe to our best practices. We believe this is the first operating program which specifically ties a widely independently endorsed set of cyber security best practices specifically to directly lower business cost. I understand that today we are here to discuss straightforward the issues of education. But I would urge the Chair to consider another hearing soon to discuss the complex issues of developing a market incentive program to complement the educational initiatives. I must thank you and your staff, particularly Mr. Dixon, Mr. Chairman, for the leadership you have shown in this regard. Thank you.

[The prepared statement of Mr. Clinton follows:]

Mr. Putnam. Thank you, Mr. Clinton. Our next witness is Andrew Howell. Mr.
Howell is the vice president of Homeland Security for the U.S. Chamber of Commerce, the world's largest business federation. As such, he is the organization's principal spokesman on homeland security issues and responsible for building and maintaining relationships with the administration and regulatory agency leaders. He is also responsible for developing the organization's overall homeland security policy strategy and ensuring that it is implemented. Prior to his current position, Mr. Howell served as senior vice president of the National Chamber Foundation, a public policy research arm of the U.S. Chamber of Commerce. Welcome to the subcommittee. You are recognized for 5 minutes.

Mr. Howell. Thank you and good afternoon, Chairman Putnam, Congressman Clay. My name is Andrew Howell. I am vice president of homeland security for the U.S. Chamber of Commerce. The Chamber is the world's largest business federation representing more than 3 million businesses and organizations of every size, sector, and region. Thank you for giving me this opportunity to discuss the Chamber's cyber security awareness efforts with you all. Also, Mr. Chairman, I would like to thank you for your leadership on this issue, and for recognizing the importance of enhancing awareness of cyber security among the public and private sectors. ``The National Strategy to Secure Cyberspace,'' released in February 2003, called for a comprehensive, national awareness program to empower all Americans--businesses, the general work force, and the general population--to secure their own parts of cyberspace. This strategy asserts that everyone who uses the Internet has a responsibility to secure the portion of cyberspace that they control. The Chamber supports this view. It is the responsibility of a person using a product to know how to use that product safely. However, we do not believe that raising awareness is the only step in our journey to enhancing cyber security.
Instead, it is one very important leg in this trip. Enhancing cyber security requires the combined efforts of users, technologists, and senior executives, those that use software and hardware, those that make software and hardware, and those that manage enterprises that rely on software and hardware to make the company operate. While technologists have a responsibility to make secure products, end users have a responsibility to use those products securely. A good analogy to this is the automobile. While cars provide individuals with great benefits, they also can be dangerous. Therefore, cars come equipped with seatbelts and airbags. However, ultimately, it is the driver's responsibility to buckle his seatbelt and know how to operate the vehicle safely. The vehicle must be maintained regularly, and when there is a recall notice, the owner has the responsibility to take the car in for repair. At the same time, automakers continue to design cars with new and innovative features, including new ones oriented to improve safety, and market them to the consumer. By promoting user awareness, we are not, as some maintain, blaming users for cyber vulnerabilities. Instead, it is through awareness that we highlight the issue of cyber security, inform people what they can do to manage online risks, and, in the process, create a market of consumers who can intelligently factor security into their purchasing decisions. By informing users about what they can do to enhance their cyber security, we will reduce the number of breaches, mitigate economic losses, and create a market that demands more secure products. Moving the market to demand more secure products is an important component of enhancing our Nation's level of cyber security preparedness. Ultimately, we believe the market is better able to respond to security challenges than regulations will ever be. 
Whereas market forces propel companies to be flexible, innovative, and customer oriented, regulations are reactive and constrictive. As companies of all types become more aware of information security risks and protective steps they can take, we are confident they will demand more secure products. Companies that recognize this market shift and sell products that exploit it will have an advantage over their competitors. The market remains a powerful vehicle for increasing cyber security, but before this power is fully realized, we need to better inform consumers on why cyber security is an issue that matters to them. For these reasons, the U.S. Chamber of Commerce is committed to increasing the awareness of cyber security in the business community and explaining cyber security in terms that businesses understand. For too long the issue of cyber security has been talked about in technological terms, as Larry mentioned. As a result, many corporate leaders and small business owners view it as a technology issue that should be solved by technologists. From our perspective, this is a mistaken perception that must be corrected. The U.S. Chamber has regularly used our membership publications, including USChamber.com, to provide tips and guidance to small business owners, to explain why cyber security is important to their businesses, and to offer easy to implement advice on how to better secure their networks. Included with my prepared statement is one such article which appeared in the April edition of our monthly newsletter. Mr. Chairman, my prepared statement details activity the Chamber has undertaken to implement the awareness component of the National Strategy. Given our limited time, I will not go into detail about these activities. 
However, as you know, the Chamber co-chaired the Awareness in Education Group that was created as part of your Corporate Information Security Working Group, and we serve as secretariat of the National Cyber Security Summit Awareness and Outreach Task Force. Both our National Cyber Security Summit Task Force Report and reports to the CISWG were submitted with my prepared statement. Mr. Chairman, thank you again for this opportunity. I would be pleased to answer any questions at the end of this panel you or anyone else might have. Thank you.

[The prepared statement of Mr. Howell follows:]

Mr. Putnam. Thank you, Mr. Howell. Our next witness is Rodney Petersen. Mr. Petersen is policy analyst with EDUCAUSE, and the project coordinator for the EDUCAUSE/Internet2 Computer and Network Security Task Force. EDUCAUSE is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology. Mr. Petersen recently co-edited the book ``Computer and Network Security in Higher Education.'' He was formerly the director of IT policy and planning in the office of the vice president and chief information officer at the University of Maryland. In addition, he was the founder of Project Nethics at the University of Maryland, a group whose mission is to ensure responsible use of information technology through user education and enforcement of acceptable use policies. You are recognized for 5 minutes. Welcome to the subcommittee.

Mr. Petersen. Thank you, Mr. Chairman and members of the committee.
I want to thank you for the opportunity to testify today regarding education and awareness for the cyber citizen. Later in my testimony, I have a video and some slides I would like to display, and with your permission, Mr. Chairman, I would like them added to the record. By holding this hearing today, you signal the importance of education and awareness as part of an overall strategy to improve the cyber security of the Nation. The present challenges of cyber security require the establishment of a life-long culture of security from the cradle to the grave. And to emphasize something you said earlier, Mr. Chairman, in your opening remarks, education and awareness is a necessary but insufficient approach to protecting our Nation's cyber space. I am here today, as you said, on behalf of the EDUCAUSE Internet2 Computer and Network Security Task Force. EDUCAUSE is a nonprofit association of nearly 2,000 colleges and universities. Internet2 develops and deploys advanced network applications and technologies for research and higher education, accelerating tomorrow's Internet. EDUCAUSE and Internet2 established a Computer and Network Security Task Force in July 2000. The Security Task Force is coordinating its efforts on behalf of a diverse group of associations and types of educational institutions, including research universities, State colleges and universities, Land-Grant institutions, independent colleges and community colleges; some 4,000-plus colleges and universities across the United States. The Security Task Force prepared the higher education contribution to the National Strategy to Secure Cyber Space. And more recently, we participated in the National Cyber Security Summit. I was a member of the Awareness Task Force that has been previously referenced, where I served as the co-chair for the Subcommittee on Schools and Institutions of Higher Education.
Therefore, my testimony today will address education and awareness from kindergarten through college based upon the findings and recommendations of that subcommittee. Colleges and universities have long been interested in supporting the efforts of elementary and secondary schools to improve awareness of students on issues such as cyber ethics and security. After all, life-long habits are formed early, and the better we educate students about online safety in the K through 12 setting, the less we will be required once they arrive to college. Similarly, cyber security awareness facilitated by schools and colleges will benefit companies and government agencies that will eventually employ a new generation of technology-savvy and security conscious workers. While at the University of Maryland, I was the founder of the group you previously described, Project NEThics. Every spring, the university hosts Maryland Day, which so happens to be this coming weekend, and we invite members of the local community to come onto the College Park campus for family fun and educational activities. One year, Project NEThics, in partnership with our Prince Georges County computer forensics unit, hosted a computer lab where we invited children and their parents to participate in activities designed to increase their awareness for online safety. We talked to parents about the important role of adult supervision and watching their children's online activities and wanting to acquaint parents with the risks and benefits of computer use. And we left parents with literature, including an online safety pledge provided by the Center for Missing and Exploited Children. Project NEThics also works closely at the University of Maryland with the College of Education to develop seminars for teachers and school media specialists on cyber ethics and security. 
This summer, the university will host a conference entitled ``Cyberethics, Cybersecurity, and Cybersafety for Professional Educators.'' The Consortium on School Networking is a national nonprofit organization whose mission is to advance the K through 12 education community's capacity to effectively use technology to improve learning. COSN is currently working to help superintendents, chief technology officers of local school districts better integrate effective security practices into district management, operations, and the user experience. And CyberSmart is a nonprofit organization that develops and provides curricula and training programs for teachers, school administrators, and students. The EDUCAUSE/Internet2 Computer and Network Security Task Force has been pursuing efforts to increase education and awareness in higher education. To this end, we have developed a working group that has identified a set of target audiences, among them including executives, all users relevant to this panel, members of the information assurance team, users of business systems, IT staff, faculty staff, students, and guests. Individuals interact with technology differently depending on their specific roles or responsibilities and the educational levels as well as cultural influences may vary. Therefore, education awareness is often customized to meet the target population. For example, at this time I would like to show you an awareness video developed for students at the University of Virginia.

Mr. Putnam. We have to keep it short.

[Video presentation follows:]

Student. When I go to UVA----

Student. I want to open e-mail attachments from strangers and get a virus.

Student. I want to post obscene messages on the Internet.

Student. Commit fraud using someone else's online identity.

Student. I want to run a business from my UVA personal Web page.

Student. I want to share my address and phone number----

Student. My password----

Student.
My private fantasies with faceless creeps on the Net.

Student. When I go to UVA----

Student. When I go to UVA, I want to leave my e-mail open so strangers can read my incoming messages and answer them.

Student. Filing a copy I lost by pirating music and posting it on the Web.

Student. Harass people by sending threatening e-mails or chain letters or pornographic URLs.

Student. I want to hack into government computers and go to Federal prison.

[End of video presentation.]

Mr. Petersen. So I think the video underscores the need for messages that are creative and targeted toward the audience they are intended to address. Because of time, I am going to skip over some further slides here that have examples of posters. But the one that is currently before you is a campaign where the slogan is ``Passwords are like underwear'' and some of the themes are ``change yours often,'' ``don't leave yours lying around,'' ``don't share with a friend,'' ``the longer the better,'' ``be mysterious.'' And you can get the point that you have to reach students where they are and humor is a key ingredient. Let me just say one thing and then I will conclude by talking about Cyber Security Day. Several colleges and universities did recently observe the Cyber Security Day, and we expect a number of campuses to plan activities during the week of October 31st to observe the next Cyber Security Day. In conclusion, first, the improvement of cyber security is needed, and we need to see support both from the public and the private for what is happening in our schools and institutions of higher education. Second, the baseline information that is required of all users must be kept to a minimum. Third, there should be consistency in the basic awareness messages. And finally, our efforts to increase awareness and education regarding cyber security must happen in parallel to the development of more secure technologies. Thank you.

[The prepared statement of Mr.
Petersen follows:]

Mr. Putnam. Thank you, Mr. Petersen. Our final witness on the second panel is Douglas Sabo. Mr. Sabo is appearing today in his role as a member of the board of directors of the National Cyber Security Alliance. He is also the director of government and community relations for McAfee Security. In that role, Mr. Sabo addresses domestic and international public policy issues affecting the company and oversees the company's corporate citizenship activities. McAfee Security, headquartered in Santa Clara, CA, is a leading supplier of security and intrusion protection solutions for e-businesses. Mr. Sabo also serves as chair of the Security Working Group of the Business Software Alliance and co-chair of Department of Commerce's International Outreach Subcommittee of the Economic Security Working Group. You are recognized for 5 minutes.

Mr. Sabo. Thank you. I am not sure how I am going to follow up a discussion of underwear.

[Laughter.]

Good afternoon, Mr. Chairman, Ranking Member Clay, and members of the subcommittee. My name is Douglas Sabo. I am a member of the board of directors of the National Cyber Security Alliance and I testify this afternoon on behalf of that organization. And as you mentioned, Mr. Chairman, I am also director of government and community relations for McAfee Security.
I join with my colleagues on this panel in thanking you for your personal leadership on the cyber security issue, both through your series of cyber security hearings as well as your working groups with industry. I also commend your staff for being first-rate on all of these issues. As you have heard others mention, the National Cyber Security Alliance [NCSA], is a unique partnership among the Federal Government, leading private sector companies, trade associations, and educational organizations, including all of the organizations testifying here today. Our fundamental purpose is to contribute to our Nation's overall cyber security by improving the behaviors of consumers, small businesses, and our youth from kindergarten to higher ed. And Mr. Chairman, we share your concerns about bombarding citizens with too many messages from too many sources. We hope that our partnership will contribute to avoiding that problem. Others have already talked today about the overall challenge and the important role that these audiences do play. The NCSA strongly agrees with these assessments. And rather than reiterate this information, I would like to introduce you to initiatives that we hope will reach our three main audiences. First, for small businesses, the NCSA is developing cyber security tool kits to discuss vulnerabilities and threats as well as tips and steps for responding. These tool kits, which will be available in soft and hard copy, will include materials, guidebooks, and training programs on the cyber security essentials. We are in discussions with a number of organizations to develop and distribute these tool kits, including the Small Business Administration, InfraGard, the ISP community and others, and we hope to begin distribution by mid-June. Second, we are focusing on educating our youth on cyber security practices to make sure the next generation of users is cyber secure.
Through partnering with outside organizations such as EduCalls and CyberSmart!, we hope to develop and disseminate cyber security curriculum to educators across the country. These materials already are developed for the K through 8 audience, with 9 through 12 pending. And to reach our youngest audience, the NCSA also supported a national poster contest in which students were asked to creatively depict the importance of cyber security. We plan to hold this contest again this fall. Finally, I would like to use a couple minutes to focus on the consumer audience. Already the NCSA has launched our flagship Web site, www.staysafeonline.info, which received over 1 million hits in its first month alone. This site contains our top 10 cyber security tips, self-tests, tech talks, and more. In addition, we have held semi-annual National Cyber Security Days timed with Daylight Savings Time changes. While these have not been as successful as we had hoped, we are busy working to relaunch these this fall. But what the NCSA is most excited about in the consumer area is what we hope will be the cornerstone of the NCSA effort, a multi-year national cyber security awareness campaign. This campaign, targeted at home users, will use public service announcements and other creative methods to raise awareness of the cyber security issue and steps people should take to protect themselves, and thus all of us. While our efforts certainly will depend on the resources we are able to raise for this campaign, we hope that our national cyber security awareness campaign will be on the level of many of those that I am sure you are familiar with, healthy lifestyles, wildfire prevention, drunk driving prevention, the importance of voting, drug abuse prevention, and terrorism emergency preparedness. 
These broad campaigns have imprinted our culture with a number of easily recognizable campaign catch phrases, such as, ``Don't drink and drive,'' ``Buckle Up,'' ``Only you can prevent wildfires,'' and ``Take a bite out of crime.'' Perhaps our effort will add a new one. Are public awareness campaigns effective? We certainly believe they can be. Consider please the results of the Ad Council, a nonprofit organization that uses volunteer talent from the advertising and communications industries. Applications, for example, for Big Brothers, Big Sisters mentors increased by 75 percent in the first 8 months of their campaign. Destruction of our forests by wildfires has been reduced from 22 million acres to less than 4 million acres per year since their forest fire prevention campaign began. And safety belt usage rose from 14 percent to 79 percent since their safety belt campaign launched in 1985, saving an estimated 85,000 lives. With the proper resources, we believe the NCSA national awareness campaign can achieve the same level of success for cyber security behavior. It will not be a silver bullet, but together with all the other NCSA efforts as well as broader initiatives to reduce vulnerabilities, improve security usability, expand R&D, and enhance corporate governance, we can truly make a difference. Mr. Chairman and members of the subcommittee, I thank you again for the opportunity to testify today. And I look forward to answering any questions you may have.

[The prepared statement of Mr. Sabo follows:]

[GRAPHIC] [TIFF OMITTED] T6315.074 through T6315.082

Mr. Putnam. Thank you, Mr. Sabo. Thank you to all of our witnesses. We will begin with Mr. Clay's questions.

Mr. Clay. Thank you very much, Mr. Chairman.
Thank you all for being here today. Mr. Clinton, we will start with you. What steps can the Federal Government take to use its procurement power to improve the security of computer software? Is the Internet security industry able to agree on some minimal standards for computer security hygiene? I guess that is a two-part question.

Mr. Clinton. Thank you, Mr. Clay. We do think that the procurement process is probably the best first step for the Federal Government to take in terms of establishing benchmarks for appropriate security to be included within products that they purchase. I think what we think is most important about this is that it would be the Federal Government using its market forces rather than its regulatory forces to encourage behavior. We think absolutely that the model that is going to be most effective is the use of the market. During the Corporate Information Security Working Group we discussed this quite a bit and talked about how if the Federal Government could act as a model through its procurement practices, as the Department of Energy already has started, that we might be able to make an awful lot of steps, and that has the effect on the rest of the market of likely lowering costs, making these sorts of devices or procedures more accessible to small businesses. Now the second question, Mr. Clay, was whether or not we could agree on standards. It kind of depends on what you are talking about in terms of standards. There is an awful lot of standards activity that is already underway. If what you are suggesting is do we think that the Federal Government should be passing legislation or regulation mandating standards, we would think that is the wrong way to go. And let me explain why. It is not so much that we are opposed to standards. EIA is one of the largest standards producers in the entire world. It has to do, Mr. Clay, with the nature of the Internet. The Internet is a 21st century technology.
Most of the regulatory models that we use in the Federal Government now are 18th century models. The FCC and the SEC are modelled on the old ICC which regulated railroads. We are dealing with something that is entirely different now. We think that for security purposes we need a much more dynamic manager of the Internet and the only mechanism that we can identify that will be dynamic enough to keep up with the ever-increasing attacks and technologies of the attackers is to use market forces. So, more creative use of insurance, more creative use of liability carrots involving marketing for cyber security. And there is a range of things that we identified in our incentives group report we think are far more likely to succeed in our ultimate aim of achieving cyber security than a federally mandated standard.

Mr. Clay. Oh, please do not misunderstand the question. I was just asking could the industry come together and establish the standards. I never made inference to a Federal law, and that is not where I am going with that.

Mr. Clinton. I appreciate that. And, yes, we are working on that quite hard.

Mr. Clay. Thank you for the answer. Mr. Sabo, do you believe the Federal Government's commitment to cyber security training and certification particularly at the systems and network administrator level is adequate? And how important is training and certification to cyber security?

Mr. Sabo. Thank you, Ranking Member Clay. The National Cyber Security Alliance itself does not have a particular position on those areas. But if I could speak on behalf of myself and the company that I do work for during the day, I do think, and the organizations that support the NCSA would probably agree, there is significant training going on but that there is always more that could be done.
I think we heard from the director of the NCSD previously about the number of programs that are out there, the scholarship for service and the other organizations, and I think there is certainly a lot more to be done. In our purview of the awareness side, we did talk significantly about awareness for home users. But I think you could take what we plan to do for home users and also put that for Federal Government workers, both as users that will then be going home and using their personal systems probably to even connect into Federal Government systems, and then also as employees of the Federal Government. So our awareness efforts certainly would be useful for that audience as well.

Mr. Clay. OK. I thank you for that comment. Mr. Chairman, I think my time is up.

Mr. Putnam. You are welcome to continue.

Mr. Clay. OK. Just one more question for Mr. Petersen. Before I ask the question, I just want to make you aware that I too am a University of Maryland graduate. So fear the turtle. [Laughter.]

Mr. Petersen. Yes. I was thinking of that earlier when Dewie was displayed. [Laughter.]

Mr. Clay. On a serious note, though, is the Congress adequately funding research and development in the cyber security area? And what other methods could the Federal Government employ in order to achieve widespread cyber security?

Mr. Petersen. Thank you for your question. I do think you are on the right path to increasing funding for cyber security research and development efforts. The university environments are particularly participating in National Science Foundation solicitations; they currently are reviewing proposals now for a cyber trust solicitation.
We have been working pretty regularly with the Science and Technology Directorate of the Department of Homeland Security, although I note that in their $1 billion-plus budget only $18 million are devoted to cyber security and many of us think that is wholly inadequate and perhaps symbolizes that cyber security is not thought to be the priority that it should be. Having said that, I think there is more room for funding for R&D. But I do not want us to forget what we are here about today and certainly what our group represents, which is securing today's Internet. There are not nearly enough Federal Government funds available to deal with education and awareness of the mass populace, including kids in schools and higher education, and efforts needed to secure our current infrastructure.

Mr. Clay. Thank you for that response. Mr. Chairman, I yield back the balance of my time.

Mr. Putnam. Thank you, Mr. Clay. Mr. Clinton, one of the key ingredients to a successful education and awareness campaign is clarity and credibility of the message. Given your experiences and knowledge of the work to identify cyber security best practices, what is the most direct and clear message that can be conveyed to home users and small businesses?

Mr. Clinton. Thank you, Mr. Chairman. I was thinking of this when you asked the first panel the question. My answer is a little different. I support their view that people need to think. But I think they need to think of their computer in a different sense. My experience is that most home users tend to think, and I am saying most home users, not the sophisticates, most home users still think of their computer like it is a TV set, that you just turn it on and it provides you things. And that is the wrong way to think of your computer.
I think a better way to think of your computer is like it is a gifted child; it is something you need to work with, it is something you need to interact with, and if you treat it well and protect it and develop it, it can do great things, but if you do not, it could come back and cause all sorts of tremendous problems. I think we need to get consumers to think of the technology very, very differently. Most of us have become so comfortable with some of the rudimentary elements of the Internet we forget that just a few years ago e-mail scared us. I remember when I worked for my first Member here on Capitol Hill, and I will not say who that was, I had to show him how to turn on the computer. It was not that long ago. But I do not think that we have completely kept up with what is really behind this medium. It looks too easy. So I would say what we need to do is we need to get people to rethink what it is they are dealing with. They have to have an active relationship with their network, not just treat it as a passive appliance.

Mr. Putnam. Mr. Howell, your thoughts?

Mr. Howell. I agree entirely with Larry. And I would argue that a computer is also a gold mine which has tremendous potential and has to be exploited in order to achieve that potential. In one of our most recent efforts to educate our membership, we were talking to several of our small companies who had no concept of the fact that keeping customer information--customer invoices, sales lists, sales figures, revenue and expense items, their general ledger--on a computer that was accessible via high speed to the Internet without a firewall and without anti-virus was essentially a security risk. They just had not thought about their computer that way. I would agree with Larry, they viewed it as almost an entertainment vehicle, something there for their pleasure and their ease of use, and they did not view any of the risks that the sophisticated users see out there every day.
And it is because, frankly, we have not done enough to educate people about the threats that are facing them and, at the same time, make action to mitigate those threats possible.

Mr. Putnam. What is the appropriate role for the hardware and software vending community, not only to provide more secure and higher quality products, but also to educate their consumers about basic cyber security practices?

Mr. Howell. I think that all three parts of this triangle, the hardware and software vendors as well as the user community, must do much more collaboratively to talk about risks, vulnerabilities, and mitigation of risk and vulnerabilities. Among large enterprises you are seeing much more collaboration on all three sides of that. But it has taken a long time to develop and a lot of those things develop based on trust and years of working with one another and the information technology industry is relatively young. At the same time, I think that we are seeing more medium-size enterprises catch up and do some of this. And the challenge therefore remains the small enterprise community. And as Larry mentioned, that was quickly viewed within our Corporate Information Security Working Group as an area where there is no targeted information on risk mitigation and what the real threats are. So I think it is a multifaceted process depending on what particular market you are looking at--the large enterprise market, I think it is a collaborative process; medium-size enterprises, I think they are moving toward that collaboration; small enterprises, it is still very much awareness and education oriented.

Mr. Putnam. Mr. Petersen, your thoughts on that?

Mr. Petersen. Your question about hardware and software reminded me of a story over the Christmas holidays.
I had a friend who subscribed for the first time to Comcast cable and when he went to the local shopping mall he got a CD and the installation instructions and he came home and installed it and within a matter of seconds he got the Blaster worm. And in trying to help my friend troubleshoot the problem, the first thing that occurred to me is how come Comcast cable is not distributing information to its customers about the threats that currently existed at that point in time, that when you move from being off-line to broadband you better make sure your operating system is up to date, and, by the way, here is a CD that can provide you the latest patches and the latest anti-virus stuff. So I think absolutely there is a role for hardware and software and other service providers to play in providing consumers with educational and awareness materials. Second, if you think about our parents and students who are buying computers for their children, think if they open that computer box and there is a label that said, you know, ``Tear this off and be aware, if you do not do X, Y, and Z, you could lose your data and all the important work that you put into this machine.'' I do believe that, aside from our role in educating and making users aware, hardware and software vendors could help.

Mr. Putnam. Mr. Sabo, do you want to add anything to that?

Mr. Sabo. Yes, thank you, Mr. Chairman. I do think there is significant information out there from the software/hardware vendors and the ISP community.
But I think there is a fundamental research need that we all could perhaps support in looking at user behavior, benchmarks, metrics, in order to understand how we reach these users, what are the best messages--and I do not think there is a one size fits all message for security; I think what will motivate users will vary greatly among them; fundamental research in where to reach them, to what sites to go, what places in the real world and the virtual world to place these messages; and then fundamental research in who to reach, who are these ``users.'' I think a number of studies have shown that a majority of home users who are doing a lot of the financial transactions in households are the women in the households. I think that would impact therefore where we deliver these messages, what types of Web sites, what types of media that perhaps our awareness campaign will target. So I think there is a lot of information that is out there but, exactly as you said in your opening statement, perhaps we run the risk of having too much and we may need to really think about where are the best places to go and to put this information.

Mr. Putnam. That is a perfect segue into my next question. You have heard the FTC testify about the turtle, you have Stay Safe On Line, there are a number of other approaches to increasing awareness. Is that type of symphony of approaches helpful in that you are hitting different pieces of the audiences, or do you believe that there should be a more centralized message, centralized theme, centralized Web site for people to go for information on becoming more secure?

Mr. Sabo. I definitely agree that we are in a period of ``let a thousand flowers bloom.'' And perhaps in a way we have become victims of our own success, that we have talked about the important need for all these awareness efforts and we are starting to get them.
And I think behind the scenes we are also seeing a lot more effort to do the centralization, but centralization of the organization behind it. So you have the folks who are running these talking to each other much more. And I think there is a lot of room for improvement in that area. We certainly would commit ourselves to being part of any effort that would help with that. I do think, at the end of the day, each set of users is going to respond to different types of messages in different media.

Mr. Putnam. Mr. Petersen.

Mr. Petersen. I share your concern but I think we are headed in the right direction. I know even EDUCAUSE has more recently become a sponsor of the Alliance. We are working closely with the FTC. And when we look at our colleges and university environments, many of them, like Florida State University, Florida, University of Maryland, are large enterprises. So whatever messages we might be targeting toward large businesses probably apply to our large colleges and universities. Many of them are small colleges and community colleges and the small business environment messages are the same. One of the things we have worked hard with the Alliance on is when you take their top 10 cyber tips, those should be the same top 10 cyber tips that all of our users hear about, our students, faculty, staff. So rather than us starting from scratch or writing our own messages, we are working hard to make sure their messages get put into the appropriate language so that we can use them and convey a consistent message.

Mr. Putnam. Mr. Clinton, do you want to add something to that?

Mr. Clinton. I would agree that the messages should be consolidated. But I do want to caution that there is a problem if we think we have the right answer and so all we have to do is go out and make everybody understand the right answer. We have published two best practices that we are very proud of and that got endorsed by a lot of people and we thought they were great.
And we took our best practices to the small business guys and they said, ``What are you talking about? We do not understand this. No small business guy would ever read this stuff.'' But the technologist people think, hey, this is the right message. And we found out by doing the market research it was not the right message. So I think that there needs to be some consolidation with regard to messages, that we should not have conflicting messages, for sure. But I do not think we do. I would agree with the rest of the panel that I think we are moving in the right direction. But the way messages are presented needs to be targeted differently to different audiences. We represent small companies and we represent enormous companies and they deal with these issues very, very differently. I think that the approach that we need to take is a market-centered approach. We need to go out to each target market. And small business may not be a target market. Small business may be an enormous market that needs to be much better segmented within that market in order to better appreciate these people. There are small technology companies and there are small marketing companies, and you talk to these guys in different ways. So I do not think it is quite as simple as saying we have the message, all we have to do is get it out. I think that we have a lot of the right ideas but I think we need to continue to work on it and we need to involve the users, we need to involve the target audiences much more in developing the messages. And I think we are just at the beginning of that process.

Mr. Putnam. Mr. Howell.

Mr. Howell. I would agree. But I would just add one thing, and that is, you also have to look at the messenger and the affinity of the desired market to that messenger. Different organizations have different affinity with different types and sizes of organizations and companies. And agreed, having the same set or a similar set of messages is essential.
But one organization that may be the best messenger might have absolutely no affinity with or relation to the target market, and therefore, if one were to follow our principles of not opening e-mails, for example, from an unknown sender, that e-mail would get deleted because there is no affinity to that sender. So that is the only other issue I would add here. And at the same time, I think the National Cyber Security Summit, held last December and an ongoing vehicle, as well as NCSA, both have been fantastic vehicles, joining with your Information Security Working Group, in aggregating organizations that have been working just in an area of awareness alone to sit down at a table, think about how they can multiply or take advantage of their efforts and reduce waste and enhance efficiency and increase awareness. It has been tremendous. Every week, for example, since we started participating in your group we have been approached by at least one other association who wants to join in what we are trying to do on education and awareness. That has been one of the most rewarding things we have seen so far in all the education and awareness efforts.

Mr. Putnam. And finally, do you all believe that this issue has risen to the boardroom, to the C-level executives? All the talk about worms and viruses and exploits, some attention through Sarbanes-Oxley and Section 404, are top level executives finally treating cyber security as a business risk? We will begin with Mr. Sabo and work down the table.

Mr. Sabo. Thank you. I think today, compared to 2, even 3 years ago, we have come a significant way in getting the attention to that level. But I think there is certainly a lot more in the corporate governance side between the work that the Cyber Security Summit Working Group as well as your own has done is significant and the word needs to get out now. And that is I think the stage we are at.

Mr. Petersen. I would say no.
In the college and university environment, we have a long way to go particularly at the president level and the board level. In fact, I would say that is one of the reasons why in my first bullet I said we need support from the private and government sector. It was not just referring to financial support. Many people in government and certainly part of corporations sit on college and university boards, and I am hoping the awareness that is being created within industry and government will translate to board members going to those board meetings and saying what are you doing about information security on your campus, why have we not talked about it in the context of governance. And I think the same message needs to be carried forward to our presidents and chancellors and other executive leaders. We are certainly doing our part as our task force to raise awareness, but I think we could use the assistance and support of other executives.

Mr. Putnam. Mr. Howell.

Mr. Howell. One of the recommendations that we made within our National Cyber Security Summit Large Enterprises Working Group was that our ad hoc coalition come together with DHS and we recommended a series of forums across the country with senior DHS officials and CEOs to discuss information security and corporate governance. And we hope that DHS will take up that recommendation because we believe that it is essential. I would agree with Doug, we have made progress. But I think much more remains to be done. At the same time, we need to move forward with a collaborative approach with a framework similar to what the Corporate Governance Task Force of the National Cyber Security Summit came out with recently. That is a great starting point, one of many materials that are out there. And moving forward with implementation of all of these documents is, I think, an essential next step.

Mr. Putnam. Thank you. Mr. Clinton.

Mr. Clinton. I would have to say that we have maybe taken the first steps in this direction.
But, no, Mr. Chairman, we have not at all reached the summit of the CEOs and the COOs. Just a couple of facts. I heard the first panel talk about how they were under the impression that Gramm-Leach-Bliley, Sarbanes-Oxley may have increased awareness, and perhaps it has increased awareness some. But the fact is, Mr. Chairman, that the number of incidents last year and again early this year are going through the roof. The amount of money that is being lost is going through the roof. So if there is some increased awareness, it is not enough. Another fact. The most recent study that I have seen on this, done by CSO magazine, indicated that most corporations they recommended should be increasing their IT cyber security budget by approximately 33 percent. They went back and looked at how many corporations had done that. They found that only 22 percent of the corporations had increased it, and only 7 percent of the corporations had increased it the amount that was required. So we are a long way away. Mr. Chairman, this I think goes back into the conversation we just had on your last question, finding the right messages for this particular target audience, COOs, CEOs. I do not want to cast any aspersions on the CEOs and COOs who fund, frankly, my organization, but the fact of the matter is, Mr. Chairman, they are not going to do this because it is in the national interest. We need to find messages that speak to their corporate interest. We need to find issues that speak to the corporate interest. We need to do a better job demonstrating the return on investment to good cyber security. We need to do a better job of providing the sort of incentives that level of corporate executive pays attention to--lower business costs, less liability exposure. Those are the sorts of things that are talked about in CEO board rooms and CEO discussions. And we have not done that yet.
I think that there is a tremendous amount that we have not yet gotten to in the public-private partnership in that area that still lies before us. And we are enthusiastic about working with the Congress in those areas. But we are just at the first couple steps, in my opinion, sir.

Mr. Putnam. Thank you, Mr. Clinton, particularly for your candor. We assume that is not going to be the punch-out quote in your monthly newsletter to your members.

Mr. Clinton. No, sir. I am going to use your opening statement as our punch-out quote.

Mr. Putnam. I want to thank all of our witnesses for your efforts in this important arena. I know that your work continues to help our cyber citizens enjoy the benefits of the Internet in a safe and secure manner. I also want to thank Mr. Clay for his participation today. In the event that there are additional questions that we did not get to today, the record will remain open for 2 weeks for submitted questions and answers. With that, the subcommittee stands adjourned.

[Whereupon, at 4:07 p.m., the subcommittee was adjourned, to reconvene at the call of the Chair.]