<DOC>
[108th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:98486.wais]
IDENTITY THEFT: THE CAUSES, COSTS, CONSEQUENCES, AND POTENTIAL
SOLUTIONS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
POLICY, INTERGOVERNMENTAL RELATIONS AND
THE CENSUS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 22, 2004
__________
Serial No. 108-272
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
98-486 WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800
Fax: (202) 512ÿ092250 Mail: Stop SSOP, Washington, DC 20402ÿ090001
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York
JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky DANNY K. DAVIS, Illinois
TODD RUSSELL PLATTS, Pennsylvania JOHN F. TIERNEY, Massachusetts
CHRIS CANNON, Utah WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida DIANE E. WATSON, California
EDWARD L. SCHROCK, Virginia STEPHEN F. LYNCH, Massachusetts
JOHN J. DUNCAN, Jr., Tennessee CHRIS VAN HOLLEN, Maryland
NATHAN DEAL, Georgia LINDA T. SANCHEZ, California
CANDICE S. MILLER, Michigan C.A. ``DUTCH'' RUPPERSBERGER,
TIM MURPHY, Pennsylvania Maryland
MICHAEL R. TURNER, Ohio ELEANOR HOLMES NORTON, District of
JOHN R. CARTER, Texas Columbia
MARSHA BLACKBURN, Tennessee JIM COOPER, Tennessee
PATRICK J. TIBERI, Ohio BETTY McCOLLUM, Minnesota
KATHERINE HARRIS, Florida ------
------ ------ BERNARD SANDERS, Vermont
(Independent)
Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director/Communications Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel
Subcommittee on Technology, Information Policy, Intergovernmental
Relations and the Census
ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan WM. LACY CLAY, Missouri
DOUG OSE, California STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania BETTY McCOLLUM, Minnesota
MICHAEL R. TURNER, Ohio
Ex Officio
TOM DAVIS, Virginia HENRY A. WAXMAN, California
Bob Dix, Staff Director
Dan Daly, Professional Staff Member/Deputy Counsel
Juliana French, Clerk
Adam Bordes, Minority Professional Staff Member
C O N T E N T S
----------
Page
Hearing held on September 22, 2004............................... 1
Statement of:
Schmidt, Howard, former White House Cybersecurity advisor,
and vice president, chief information security officer,
eBay, Inc.; Bill Hancock, vice president, security practice
& strategy, chief security officer, Savvis Communications
Corp.; Bill Conner, chairman and chief executive officer,
Entrust, Inc.; and Jody Westby, chair of privacy and
computer crime committee, American Bar Association, section
of science and technology law, and managing director,
PricewaterhouseCoopers..................................... 76
Swindle, Orson, Commissioner, Federal Trade Commission;
Steven Martinez, Deputy Assistant Director, Cyber Division,
Federal Bureau of Investigation; Larry Johnson, Special
Agent in Charge, Criminal Investigative Division, U.S.
Secret Service; and Patrick O'Carroll, Acting Inspector
General, Social Security Administration.................... 16
Letters, statements, etc., submitted for the record by:
Clay, Hon. Wm. Lacy, a Representative in Congress from the
State of Missouri, prepared statement of................... 14
Conner, Bill, chairman and chief executive officer, Entrust,
Inc., prepared statement of................................ 99
Hancock, Bill, vice president, security practice & strategy,
chief security officer, Savvis Communications Corp.,
prepared statement of...................................... 91
Johnson, Larry, Special Agent in Charge, Criminal
Investigative Division, U.S. Secret Service, prepared
statement of............................................... 50
Martinez, Steven, Deputy Assistant Director, Cyber Division,
Federal Bureau of Investigation, prepared statement of..... 38
O'Carroll, Patrick, Acting Inspector General, Social Security
Administration, prepared statement of...................... 59
Putnam, Hon. Adam H., a Representative in Congress from the
State of Florida, prepared statement of.................... 7
Schmidt, Howard, former White House Cybersecurity advisor,
and vice president, chief information security officer,
eBay, Inc., prepared statement of.......................... 80
Swindle, Orson, Commissioner, Federal Trade Commission,
prepared statement of...................................... 19
Westby, Jody, chair of privacy and computer crime committee,
American Bar Association, section of science and technology
law, and managing director, PricewaterhouseCoopers,
prepared statement of...................................... 116
IDENTITY THEFT: THE CAUSES, COSTS, CONSEQUENCES, AND POTENTIAL
SOLUTIONS
----------
WEDNESDAY, SEPTEMBER 22,
House of Representatives,
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:46 p.m., in
room 2154, Rayburn House Office Building, Hon. Adam Putnam
(chairman of the subcommittee) presiding.
Present: Representatives Putnam and Clay.
Staff present: Bob Dix, staff director; John Hambel, senior
counsel; Dan Daly, professional staff/deputy counsel; Juliana
French, clerk; Adam Bordes, minority professional staff member;
and Jean Gosa, minority assistant clerk.
Mr. Putnam. A quorum being present, this hearing of the
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census will come to order.
Good afternoon, and welcome to the subcommittee's hearing
entitled, ``Identity Theft: The Causes, Costs, Consequences,
and Potential Solutions.''
Today the subcommittee conducts its 11th hearing this
Congress on cybersecurity issues, and this is the 39th hearing
overall of this subcommittee in the 108th Congress. I certainly
want to commend staff for the majority and staff for the
minority and the hard work that they have put into all of these
hearings and the work of the membership, as we have covered an
awful lot of ground in this Congress.
Throughout the 108th Congress, the subcommittee has focused
a great deal of attention and oversight on the topic of
computer information security, and the growing cyberthreat to
this Nation. This hearing will examine the cybersecurity threat
from a somewhat different perspective and delve into an issue
that has already adversely impacted millions of Americans and
has the potential to become even worse as more and more
information is gathered, stored and shared through the Internet
in an all too often unprotected environment.
The issue is computer identity theft. I am concerned about
the threat that identity theft poses to the U.S.' national and
economic security. Identity theft is one of the fastest-growing
crimes in the United States, and it appears that the
battleground is expanding from one populated primarily by those
seeking notoriety, to those seeking profit and disruptive
impact. Federal statistics show that nearly 10 million
identities were stolen in the United States last year alone,
and that the total cost of this crime in the United States is
approximately $50 billion per year. Some predict that the
worldwide costs of identity theft in all of its forms will
exceed $2 trillion in financial losses by the end of 2005.
These numbers are staggering, and they highlight why this
hearing is so important.
As use of the Internet continues to expand every day, more
personal information is converted into electronic data. Both
the Federal Government and the private sector maintain large
data bases of personal information about their employees and
customers. The efficiencies realized through the increased
availability of electronic data storage and transmission are
tremendous, but the wealth of available personal information in
digital form also provides a target-rich environment for
criminals and terrorists. By hacking into data bases, paying
off insiders, loading spyware onto users' machines or using
fraudulent e-mails to trick users into revealing Social
Security and other account numbers, criminals and terrorists
are utilizing the Internet to profit illegally.
It seems as if not a day goes by without a new report of
some worm, virus, phishing scheme or other cybercrime
threatening users of the Internet. This week we have also
learned that there is a dramatic increase in the number of
zombie PCs, also called bots. These are computers infected by
worms or Trojans and taken over surreptitiously by hackers and
used to send spam, more viruses, harvest financial and personal
information, or launch denial of service attacks. It is
estimated that the number of computers being taken over by
remote control is now averaging 30,000 per day, peaking at
75,000 in a single day. We need to quarantine and vaccinate
infected computers, close the back doors, shut down the tunnels
and cutoff bad guy access to our computers and networks.
A recent crackdown on cybercrime by the Department of
Justice known as Operation Web Snare demonstrates just how
large a problem cybercrime has become. The Department, through
its U.S. Attorneys' offices, its Criminal Division, and the
FBI, coordinated with the Secret Service, the FTC and a variety
of other State, local and Federal and foreign law enforcement
agencies, conducted this operation. Investigators identified
more than 150,000 victims with estimated losses of more than
$200 million. This operation to date has resulted in more than
150 arrests and convictions for electronic crimes including
identity theft, fraud, counterfeiting software, computer
intrusions and other intellectual property crimes.
We have representatives from the FBI, the FTC and the
Secret Service with us here today. I applaud your efforts and
the efforts of all of those involved in this operation, and I
thank you for your service to this Nation.
In addition to highlighting the threat of organized crime
on the Internet, Operation Web Snare touched on another growing
problem: the potential nexus between cybercrime and terrorism.
The report on the operation noted that terrorists and their
support groups are hiding behind the cloak of the Internet to
conceal their true locations and to communicate, generate funds
and develop resources in support of terrorism. Furthermore, the
report noted an increase in on-line complaints in which
illegally obtained funds are flowing to parts of the world
where terrorist groups are known to operate.
Operation Web Snare makes it clear that this is a global
problem, and not only are criminals and terrorists aware of the
vulnerabilities in cyberspace, but they are exploiting them for
monetary profit as well. Make no mistake about it, our Nation's
information systems are under attack 24 hours a day, 7 days a
week from around the world. We cannot stick our heads in the
sand and ignore these problems or continue to make excuses for
why we are not taking more affirmative action. We have to
address them head on and make sure that our cyberdefenses are
prepared to repel these intruders.
Unfortunately through the work of this subcommittee,
through our extensive research and oversight, I am not
convinced that we are prepared either in the public or the
private sector to adequately deal with these problems. I fear
that cybercrime may get worse before it gets better. And I do
not wish to wait for some large-scale failure of our Internet
infrastructure or the launch of a combined physical and
confined cyberattack against our citizens and our economy
before we as a Nation get serious about protecting our
information systems.
About a year ago, after several oversight hearings on the
subject, in an information-gathering visit to Silicon Valley, I
began to realize just how vulnerable this Nation had become to
a growing and dangerous threat of cyberattack. Not only were
Federal agencies failing to comply with the requirements of the
law as outlined by FISMA, but the private sector was also
seriously delinquent in its attention to these matters. After
examining alternatives, we drafted the Corporate Information
Security Accountability Act, which would have set forth certain
computer information security plan reporting requirements for
publicly traded companies in an effort to elevate the profile
of this matter to the ``C'' level of management and respective
boards of directors.
I did not introduce the legislation at that time,
preferring a private-sector-driven, market-based solution to
this growing threat to the American people and the economy, and
hearing from the private sector that they could address this
issue without the assistance or intervention by Congress. Well,
here we are a year later, and, quite frankly, not only has the
problem not gotten much better, there is compelling evidence,
some of which we will hear today, that the problem was getting
worse, and perhaps a lot worse. Thankfully, there are some key
stakeholders such as Microsoft, RSA and AOL who are taking
visible steps to proactively address this challenge.
But the world has grown to be a very dangerous place. Most
of us make sure that we lock our doors and windows in our homes
and businesses before we end the day. Some even pay extra to
have an alarm system installed in their home or business to
provide protection against unwanted intruders who wish to do us
harm or steal our assets. In today's digital world, we must
also protect our cyberassets and our personal information from
intruders, both internal and external, from those who would do
us harm and steal our information.
We have not focused sufficiently on this challenge, and as
a result our personal and national security, and our personal
and national economic stability, are subject to a growing risk
from enemies who may attack at any time of day and night from
anywhere in the world 365 days a year.
So today I call on this Nation, everyone in this Nation, to
take immediate actions to increase their protection and to
dramatically improve the cybersecurity profile of this country.
We are all stakeholders, and we all have responsibility to be a
part of the solution and not a continuing part of the problem.
I call on major corporations to schedule on the agenda of
their next senior management meeting and their next board of
directors meeting, a discussion about your company's computer
information security plan. This is a management, governance and
business process issue and must be treated accordingly. Have
you invested in the implementation of fundamental information
security best practices and benchmarks, and is your IT security
risk assessment and risk management plan up to date? The
National Cybersecurity Partnership, with the tremendous help
and leadership of the Business Software Alliance and others,
has produced a Guide to Corporate Governance that provides
tools and strategies that corporations can affordably implement
immediately.
I am tired of hearing that lawyers are advising against the
adoption and implementation of cybersecurity best practices or
on-line privacy policy because they are afraid that they may be
creating liability. Friends, in my estimation, a failure to
aggressively address these issues may in and of itself be
creating the liability. While I am not a lawyer, I am a
businessman, I am a citrus grower, taxpayer, I am an involved
citizen. This issue is about national security and economic
stability along with sound business practices and deserves
immediate attention. How about training for employees and
information about how to protect their home computers from
unwanted intruders and thieves? What a great and inexpensive
corporate benefit that would be. And for those who are already
doing that, thank you, and keep up the great work.
We call on the larger businesses of corporate America to
work with your entire supply chain to demand that all the
businesses that connect to your network understand the
responsibility to make sure their systems are secure.
We speak to the financial services sector, credit card
companies, health care providers and others to reexamine their
own information security protection profiles. Many Americans
trust you with their most personal information and have an
expectation that the information will remain confidential and
protected.
Why are we experiencing such a proliferation of identity
theft? Is the day of the pin and password behind us, and we
need to move immediately to a two-part authentication process
that may include biometrics? Are we making the necessary
investments to protect the information? Or do some view the
cost of identity theft as merely the cost of doing business?
I call on software and hardware manufacturers and the
national associations that represent you to take the lead from
a number of major CEOs who have already publicly committed to
improving the quality and security of their products by issuing
a public statement that makes that commitment in a manner that
the public can have the confidence to know that you, too, view
the proliferation of worms, viruses and other challenges
resulting from vulnerabilities in your software and hardware
products as a matter deserving of a greater investment of time
and resources to provide sturdier and more secure products for
the marketplace.
I would further call on those same hardware and software
manufacturers to expand your commitment to providing the
consuming public with secure out-of-the-box computing products
with user-friendly instructions, preset default security
controls, and alerts about creating and maintaining a secure
computing environment.
I call on the manufacturers of these essential products to
work more closely with critical infrastructure sectors to
provide security and configuration requirements in advance and
build those requirements into the life cycle development
process to deliver more compatible, secure and higher-quality
products to the marketplace. Companies like Oracle, Microsoft,
Sun, Verizon and Entrust are examples of those who are taking
this matter seriously.
I call on Internet service providers and operating systems
manufacturers to work more aggressively with other public and
private stakeholders to provide consumers of all levels of
sophistication--to provide information about affordable, user-
friendly tools that are available to help protect themselves
and immediately improve their cybersecurity hygiene.
We urge small businesses to take the time and learn about
steps that you can take that are affordable and user-friendly
to make your system more secure from the growing threats of
cyberspace. There are fundamental steps in cybersecurity
hygiene that will improve your protection profile overnight.
You are an important stakeholder in this matter, and you
have a responsibility to be a part of the solution. Home users
are not exempt. Home users can become more aware of the tools
that are available to improve the protection of their home
computer. Make sure that you know about the antivirus software
and personal firewalls and how to update your applications,
including your operating system, in a timely manner.
The National Cybersecurity Alliance is sponsoring National
Cybersecurity Awareness Month during October, and you may get a
lot of the necessary information about fundamental steps that
you can take to protect yourselves by visiting their Website at
www.staysafeonline.info.
Today we call on the States and local governments to
examine their own information security plans, along with their
education, awareness and training programs, and, again, to
speak to the agencies of the Federal Government, large and
small, to step up and provide the example for the rest of the
Nation. Receiving Ds and Fs on scorecards about requirements
and compliance with the law is unacceptable. We must absolutely
experience a recommitment by every Cabinet Secretary,
department agency and bureau head to address the issue of
securing the Federal computer networks and protecting the
information assets that they contain. Federal CIOs and CISOs
must be empowered to develop and implement effective strategies
and to examine opportunities for enterprise solutions.
And we call on Congress to work with all stakeholders,
including military, intelligence and law enforcement agencies,
domestic and international, to ensure an adequate level of
preparedness to meet this growing cyberchallenge and recognize
this battle in an overall threat domain.
There is much that each of us can do today. The magnitude
of this threat demands that we pay increased attention to the
issue. If each of us takes the steps today to ensure that we
have implemented the basic fundamental elements of
cybersecurity hygiene, the cybersecurity protection profile of
this Nation will improve overnight. We will send in an enormous
message to all of the bad guys that we take this challenge
seriously, and we will make the necessary steps to protect our
national security and economic stability.
As e-government, e-commerce, e-banking and e-health
continue to take hold, we must be sure that we have a
comprehensive national strategy that provides flexibility,
while encouraging innovation and creativity in developing the
tools and strategies necessary to secure the computer networks
of this Nation and to protect the information that they
contain.
Today's hearing provides the subcommittee the opportunity
to examine this challenge in the context of the impact that
unprotected computers and networks have had on the rise of
computer-related identity thefts and the adverse impact that
these data thefts are having on the national security and
economic profile of this Nation.
We will hear from experts about potential solutions to
these problems, such as vulnerability management, credentialing
and authentication tools which may help reduce the impacts of
viruses, worms, spyware, spam and phishing, and in return
reduce identity-related cyberthefts.
I eagerly look forward to the expert testimony that our
panel of leaders in information security will provide today, as
well as the opportunity to discuss the challenges ahead.
Today's hearing can be viewed live via Webcast by going to
reform.house.gov and clicking on the multimedia link.
[The prepared statement of Hon. Adam H. Putnam follows:]
[GRAPHIC] [TIFF OMITTED] T8486.001
[GRAPHIC] [TIFF OMITTED] T8486.002
[GRAPHIC] [TIFF OMITTED] T8486.003
[GRAPHIC] [TIFF OMITTED] T8486.004
[GRAPHIC] [TIFF OMITTED] T8486.005
[GRAPHIC] [TIFF OMITTED] T8486.006
Mr. Putnam. At this time I would like to recognize the
distinguished ranking member of the subcommittee, the gentleman
from Missouri Mr. Clay, for his opening statement.
Mr. Clay. Thank you, Mr. Chairman for holding today's
hearing for what is a new topic for our subcommittee, but also
part of a growing threat to our Nation's economy, identity
theft. That said, I am hopeful that our distinguished panelists
will offer constructive and thoughtful proposals on how the
Federal Government can be a catalyst for protecting its
citizens from those using the Internet or other electronic
methods for criminal activity.
The costs associated with identity theft activities are
staggering when accounting for both economic losses and the
time dedicated by victims to remedying credit ratings and
financial records. According to the FTC September 2003 survey,
the personal costs accumulated by victims of identity theft
totals approximately $5 billion annually, with the average
costs ranking between $500 and $1,200 per victim. In addition,
approximately 15 percent of those surveyed had their personal
information misused in nonfinancial activities, often
subjecting them to legal investigations or other unwarranted
personal invasions.
Although the Federal Government has taken steps to counter
identity theft-related activity, I remain troubled that
identity-theft related investigations are not properly
coordinated among local, State and Federal agencies. While
progress has been made in coordinating such investigations
through the FTC's Identity Theft Data Clearinghouse, efforts
must continue to ensure its interconnectivity to all State and
local law enforcement jurisdictions. Success can only be
achieved when such systems are seamless and interoperable with
all stakeholders.
In closing, I am hopeful that this issue will remind us of
the importance of ensuring the security of our Nation's
critical infrastructure and the electronic commerce-based
industry. Our Nation's security depends on it. Thank you, Mr.
Chairman, and I yield back.
Mr. Putnam. I thank the gentleman.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
[GRAPHIC] [TIFF OMITTED] T8486.007
[GRAPHIC] [TIFF OMITTED] T8486.008
Mr. Putnam. And we will move right to testimony. I would
ask the first panel of witnesses, and anyone accompanying you
who will be providing support to your answers, to please rise
and raise your right hands for the administration of the oath.
[Witnesses sworn.]
Mr. Putnam. I note for the record that all of the witnesses
responded in the affirmative.
I would like to introduce our first witness for his opening
statement. All of your written testimony will be included for
the record. We would ask you to summarize those statements to a
5-minute opening, and we will begin with Mr. Swindle.
Commissioner Orson Swindle was sworn in as a Commissioner
on the Federal Trade Commission in December 1977. Commissioner
Swindle was appointed in December 2001 as head of the U.S.
delegation to the Organization for Economic Cooperation and
Development experts group to review the 1992 OECD guidelines
for the security of information systems. Commissioner Swindle
has had a distinguished military career and served in the
Reagan administration from 1981 to 1989 directing financial
assistance programs to economically distressed rural and
municipal areas of the country.
We welcome you back to the subcommittee, sir, and you are
recognized for 5 minutes.
STATEMENTS OF ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE
COMMISSION; STEVEN MARTINEZ, DEPUTY ASSISTANT DIRECTOR, CYBER
DIVISION, FEDERAL BUREAU OF INVESTIGATION; LARRY JOHNSON,
SPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATIVE DIVISION, U.S.
SECRET SERVICE; AND PATRICK O'CARROLL, ACTING INSPECTOR
GENERAL, SOCIAL SECURITY ADMINISTRATION
Mr. Swindle. Thank you. Mr. Chairman, Mr. Clay and members
of the subcommittee, I appreciate this opportunity to discuss
the theft and misuse of electronic data and the FTC's efforts
to promote better information security practices. My written
statement represents the views of the Commission. My comments
today are my own and do not necessarily reflect those of the
Commission.
Consumers and businesses enjoy many benefits in today's
information economy. We can purchase products, process
financial transactions and access information at any time. The
same information-rich data bases that make this possible also
are attractive targets for identity thieves and other
criminals. The challenge for each of us, consumers, businesses
and government alike, is to protect these data bases and the
national information infrastructure that supports them.
Vulnerabilities and threats to the information economy are
very real. Many instances have occurred in which computers are
stolen, our networks penetrated, and sensitive personal
information of thousands of individuals compromised. These
breaches of information security lead to identity theft and
impose great cost on both consumers and businesses. Perhaps
more damaging is the loss of consumer confidence in using
electronic commerce and the vast benefits of the information
age.
Addressing these threats begins with education. Consumers
and businesses must learn how to better protect personal
information. Law enforcement actions by the Federal Trade
Commission and others can help stop harmful practices and
highlight the importance of information security. We also
encourage the development of authentication and other security
technology to help protect consumers from spam and phishing
attacks. This November the FTC will host a workshop to explore
and promote the adoption of e-mail authentication standards.
Improving information security is essential to our society.
We have conducted security-related workshops, worked with the
OECD on its information security guidelines, issued the Gramm-
Leach-Bliley Safeguards Rule, and brought numerous law
enforcement actions. Some basic lessons are evident from our
work.
First, information security is an ongoing, never-ending
process of assessing risks and vulnerabilities. As security
threats and technologies constantly evolve, so must our
security measures.
Second, there is no one-size-fits-all solution for all
organizations and types of information. Security procedures
must be reasonable and appropriate with regard to the
organization, the complexity and sensitivity of the information
itself, and the nature and scope of activities in which the
information is used.
Third, there is no such thing as perfect security. Breaches
can happen, even when a company or person has taken every
reasonable precaution. Conversely, the absence of a breach does
not necessarily mean that adequate security precautions are in
place.
Fourth, all computer users have an extraordinary role to
play in achieving adequate information security, and they must
do their job. Information security demands that all of us be
involved.
Recognizing these lessons, we believe there are some basic
steps businesses can take to help minimize vulnerabilities and
compromises. Businesses should implement a security plan and
make good information practices an essential part of their
business operations, literally a part of their business
culture. Information security practices must include: risk
assessment; identifying internal vulnerabilities and external
threats to personal information; designing and implementing
safeguards to control these risks; routinely evaluating
effectiveness of these safeguards; adjusting the plan as
necessary to maintain effective security; and overseeing the
information-handling practices of third-party or affiliated
service providers who have access to personal information.
A good security plan includes effective response procedures
should a breach or compromise of sensitive personal information
occur. For example, if the breach would result in harm to a
person or business, report the situation to appropriate law
enforcement agencies. If a breach affects other businesses,
such as when a company stores personal information on behalf of
other businesses, notify that business.
In addition, some breaches dictate that businesses notify
customers. Although notifying customers or consumers may not be
necessary in all situations, when identity theft is possible
because of a breach, customers need to know this quickly. For
example, the theft of Social Security numbers. Early
notification of consumers allows them to take steps to limit
harm, such as placing a fraud alert on their credit file with a
consumer reporting agency. The FTC provides businesses valuable
information and advice on steps to take in the event of an
information security breach.
Our law enforcement and education efforts should help deter
identity theft before it occurs. However, identity theft will
no doubt continue, and the FTC has a comprehensive program to
assist consumers and businesses who become victims.
The Commission serves as the Federal Government's central
repository for identity theft complaints. We take the lead in
referring complaints about identity theft to appropriate law
enforcement authorities. We provide victim assistance and
consumer education. Our identity theft Website provides a
variety of resources for both customers and businesses.
Educating customers and businesses about the risks to
personal information and the importance of good security
practices has high priority at the Commission. We will pursue
those who violate information security laws, and we will
provide assistance to victims of identity theft.
Chairman Putnam, in closing I would like to thank you and
Chairman Davis for your Dear Colleague letters in support of
the National Cybersecurity Awareness Month and your personal
leadership on these issues in general. Thank you for this
opportunity today, and I look forward to responding to your
questions.
Mr. Putnam. Thank you very much, Commissioner.
[The prepared statement of Mr. Swindle follows:]
[GRAPHIC] [TIFF OMITTED] T8486.009
[GRAPHIC] [TIFF OMITTED] T8486.010
[GRAPHIC] [TIFF OMITTED] T8486.011
[GRAPHIC] [TIFF OMITTED] T8486.012
[GRAPHIC] [TIFF OMITTED] T8486.013
[GRAPHIC] [TIFF OMITTED] T8486.014
[GRAPHIC] [TIFF OMITTED] T8486.015
[GRAPHIC] [TIFF OMITTED] T8486.016
[GRAPHIC] [TIFF OMITTED] T8486.017
[GRAPHIC] [TIFF OMITTED] T8486.018
[GRAPHIC] [TIFF OMITTED] T8486.019
[GRAPHIC] [TIFF OMITTED] T8486.020
[GRAPHIC] [TIFF OMITTED] T8486.021
[GRAPHIC] [TIFF OMITTED] T8486.022
[GRAPHIC] [TIFF OMITTED] T8486.023
[GRAPHIC] [TIFF OMITTED] T8486.024
[GRAPHIC] [TIFF OMITTED] T8486.025
Mr. Putnam. Our next witness is Steven Martinez. Mr.
Martinez began work for the FBI in 1987. He has held a variety
of supervisory and investigative positions within the FBI
throughout the United States. In February 2003, Mr. Martinez
was assigned as the FBI's first on-scene commander at CENTCOM,
or Central Command, in Doha, Qatar, and in Baghdad, Iraq, in
the staging of Operation Iraqi Freedom. While there he was in
charge of all deployed FBI personnel and managed the FBI's
counterterrorism and counterintelligence efforts spanning the
initial combat phase of the war.
Mr. Martinez was appointed to his current position as
Deputy Director of the Cyber Division in August 2004.
Welcome to the committee, Mr. Martinez. You are recognized.
Welcome home.
Mr. Martinez. Thank you, Mr. Chairman.
Again, good afternoon, Mr. Chairman and members of the
subcommittee. I want to thank you for the opportunity to
testify today regarding the FBI's efforts to combat identity
theft as well as overlapping cybercrime problems.
Some studies show that last year alone more than 10 million
victims were victimized by identity theft, with estimated
losses exceeding $50 billion. These efforts demonstrate the
significant impact identity theft has on U.S. citizens and
businesses.
Identity theft is a growing problem and can manifest itself
in many ways, to include large-scale intrusions into third-
party credit card processors, theft from the mails of printed
checks and preapproved credit cards, credit card skimming,
phishing schemes and other cyber-related crimes.
More than 2 years ago, the FBI prioritized and restructured
its approach to cybercrime with the establishment of the Cyber
Division. Under the Cyber Division, the Internet Crime
Complaint Center, or IC3, has focused on combating identity
theft through the development of joint investigative
initiatives with both our law enforcement partners and key e-
commerce stakeholders. The IC3 receives on average more than
17,000 consumer complaints every month. Of the more than
400,000 complaints referred to the IC3 since its opening in May
2000, more than 100,000 can be characterized as identity theft.
The FBI is working to combat identity theft on many fronts,
to include targeting criminal spammers. Spam is often the front
end of a number of cybercrime scenarios used to invite
unsuspecting customers to provide personal, financial or credit
card information. Multiple agency operations, coordinated by
the FBI to include Operation Web Snare, SLAM-Spam, Cyber Sweep
and E-Con, has successfully launched hundreds of identity theft
investigations. These investigations, involving thousands of
U.S. victims and millions in dollars of losses, have resulted
in the successful identification and arrest of hundreds of
subjects. These operations further serve to alert both
customers and industry about new or evolving schemes to which
they may fall victim to identity theft.
Integral to each of such initiatives are public service
advisories, which are developed in coordination with the FBI,
our law enforcement partners and the FTC. These advisories are
posted on law enforcement and industry Websites in order to
warn the public about Internet identity theft scams.
The FBI has also seen an increase in identity theft matters
with a foreign nexus to include a number of subjects from
Eastern Europe and Africa. Many of these subjects solicit their
victims through Internet job postings, e-mail, chat rooms,
requesting detailed personal information under the guise of
offering legitimate employment opportunities.
In response, the FBI has developed a close working
partnership with many international law enforcement agencies,
frequently providing agents and resources abroad in order to
directly go after perpetrators.
Finally, computer intrusions can also significantly
contribute to the problem of identity theft. One such instance
involved the hacking of an e-commerce company system resulting
in the network compromised and extortion of over 100 U.S.
banks; 30 million credit card accounts, including subscriber
information, were stolen as a result of the compromise.
The FBI takes a proactive role in working to investigate
these types of cases to include maintaining close private
industry contacts through programs such as InfraGard, a public-
private alliance of more than 13,000 members.
In closing, the problem of identity theft is a significant
matter, impacting the life and livelihood of U.S. citizens. The
FBI appreciates the opportunity to share with you our efforts
and successes in addressing this problem. The FBI will continue
to combat identity theft so that America's citizens and the
economy can be protected. Thank you.
Mr. Putnam. Thank you very much, Mr. Martinez.
[The prepared statement of Mr. Martinez follows:]
[GRAPHIC] [TIFF OMITTED] T8486.026
[GRAPHIC] [TIFF OMITTED] T8486.027
[GRAPHIC] [TIFF OMITTED] T8486.028
[GRAPHIC] [TIFF OMITTED] T8486.029
[GRAPHIC] [TIFF OMITTED] T8486.030
[GRAPHIC] [TIFF OMITTED] T8486.031
[GRAPHIC] [TIFF OMITTED] T8486.032
[GRAPHIC] [TIFF OMITTED] T8486.033
[GRAPHIC] [TIFF OMITTED] T8486.034
[GRAPHIC] [TIFF OMITTED] T8486.035
Mr. Putnam. Our next witness is Larry Johnson. Mr. Johnson
has been a part of the Secret Service for 22 years and has held
supervisory positions in both its Protective and Investigative
Divisions. He currently holds the title of Special Agent in
Charge of the Criminal Investigative Division and is
responsible for the oversight of the Secret Service's criminal
investigations, both domestic and abroad. The Criminal
Investigative Division also manages the Secret Service's
electronic crime programs and initiatives, including the
specialized training of agents in computer forensics and the
developments and implementation of the Secret Service's
electronic crime task forces.
Welcome to the subcommittee, sir, you are recognized for 5
minutes.
Mr. Johnson. Chairman Putnam, Mr. Clay, members of the
subcommittee, thanks for inviting me today.
In addition to providing the highest level of physical
protection to our Nation's leaders, the Secret Service
exercises broad investigative jurisdiction over a wide variety
of financial crimes. As an original guardian of our Nation's
financial payment system, the Secret Service has a long history
of protecting American customers and industry from financial
fraud. In recent years, the combination of the information
revolution, the effects of globalization and the rise of
international terrorism have caused the investigative mission
of the Secret Service to evolve dramatically. The explosive
growth of these crimes has resulted in the elevation of the
Secret Service to an agency that is recognized worldwide for
its expertise in the investigation of all types of financial
crimes.
In today's markets, customers routinely provide personal
and financial identifiers to companies engaged in business on
the Internet. Information trading and the wealth of personal
information available creates a target-rich environment for
today's sophisticated criminals, many of whom are organized and
operate across international borders.
Internet crime has increased significantly in the last
several years. Since the early 1990's, organized computer
underground networks have developed an extraordinary record of
malicious software development. Starting in the late 1990's and
increasing over the last few years, this criminal element has
used such malicious software to penetrate financial and
government institutions, extract data and illicit traffic in
stolen and financial identity information.
Criminal networks engage in electronic financial fraud,
participate in a wide range of activities in order to make
their scheme successful. They first obtain and store financial
data for future exploitation. Gaining access to this data
involves various techniques, technical methods, including
hacking, virus-writing, phishing and skimming.
The criminal underground active in credit card fraud and
identity theft crimes has rapidly adapted its operations to an
on-line world, where it has found convenient solutions to the
age-old problems in the forms of anonymous communication
networks, as well as global, unregulated movement of illegally
obtained funds.
This has created new challenges for Federal and local law
enforcement agencies. By working closely with international
police agencies, other Federal, State and local law
enforcement, the Secret Service is able to provide a
comprehensive network of ongoing investigative operations,
intelligence sharing, resource sharing and technical expertise
that has bridged judicial boundaries. This partnership approach
to law enforcement is exemplified by our financial and
electronic crime task forces located throughout the country.
These task forces primarily target suspects in criminal
enterprises engaged in financial and electronic criminal
activity that fall within the investigative jurisdiction of the
Secret Service. Members of these task forces, who include
representatives from local and State law enforcement,
prosecutors' offices, private industry and academia, pool their
resources and expertise in a collaborative effort to detect and
prevent electronic crimes and identity theft.
The value of this crime-fighting and crime-prevention model
has been recognized by Congress, which has authorized the
Secret Service, pursuant to the U.S. Patriot Act of 2001, to
expand our electronic crimes task forces to cities and regions
across the country. Two new electronic crime task forces will
be established this month, bringing the total number of ECTFs
to 15.
The Secret Service Electronic Crimes Task Force Program
bridges the gap between conventional cybercrime investigations
and the larger picture of critical infrastructure protection.
Secret Service efforts to combat cyber-based assaults that
target information and communications systems supporting the
financial sector are a part of the larger and more
comprehensive critical infrastructure protection.
A key element in our strategy of sharing information and
operating with other Federal agencies, to include IC3, the
department of Treasury, Department of State and the FBI, are
the 17 permanent U.S. Secret Service field offices that support
both our protective and investigative missions. The Secret
Service provides training for counterfeit investigations,
financial crimes and computer intrusions to our international
law enforcement partners.
In a joint effort with the Department of Justice, the U.S.
Postal Inspection Service, the FTC and the International
Association of Police Chiefs, the Secret Service is hosting
identity crime training seminars for local enforcement officers
across the country. These training seminars are focused on
providing local and State law enforcement officers with tools
and resources that they can immediately put to use in their
investigations of identity crime. Additionally, officers are
provided resources that they can pass on to members of their
community who are victims of identity crime.
The Secret Service will continue its aggressive domestic
and international pursuit of cybercriminals who are involved in
the hacking of our Nation's computer systems, the intrusions of
our networks and the theft of identities of U.S. citizens
through mainly prevention and disruption. The Secret Service,
with the assistance of the Department of Homeland Security, is
committed to the deterrence and apprehension of all potential
cybercriminal suspects who threaten citizens of the United
States and its critical infrastructure.
Mr. Chairman, that concludes my prepared statement.
Mr. Putnam. Thank you very much, Mr. Johnson.
[The prepared statement of Mr. Johnson follows:]
[GRAPHIC] [TIFF OMITTED] T8486.036
[GRAPHIC] [TIFF OMITTED] T8486.037
[GRAPHIC] [TIFF OMITTED] T8486.038
[GRAPHIC] [TIFF OMITTED] T8486.039
[GRAPHIC] [TIFF OMITTED] T8486.040
[GRAPHIC] [TIFF OMITTED] T8486.041
[GRAPHIC] [TIFF OMITTED] T8486.042
Mr. Putnam. Our next witness is Patrick O'Carroll. Nice
French name.
Mr. O'Carroll currently serves as the acting inspector
general for the Office of the Inspector General of the Social
Security Administration. In fiscal year 2003, the office of
investigators has reported over $356 million in investigative
accomplishments.
Prior to coming to the Social Security Administration, Mr.
O'Carroll had 24 years of experience with the U.S. Secret
Service. So we have two Secret Service representatives with us
today. Throughout his career, Mr. O'Carroll has received
numerous awards for his meritorious service.
Welcome to the subcommittee, sir. You are recognized for 5
minutes.
Mr. O'Carroll. Good afternoon, Mr. Chairman and Mr. Clay.
Thank you for the invitation today to be here for this
important hearing. You have my statement for the record, so I
will provide a few remarks.
Protecting information is vital to the Social Security
Administration and its programs. Any breach in the
confidentiality or integrity of their data would seriously
jeopardize the agency's mission and erode the public's
confidence in SSA programs. As part of the mission of the SSA
Office of the Inspector General, we work closely with the
agency to ensure that SSA has the proper controls in place to
preserve the integrity of its data and business processes.
Today I will focus on why it is important to prevent electronic
data theft, what my office is doing to help SSA, some of SSA's
data security efforts, and what more needs to be done.
The information technology revolution brings a heightened
risk of disruption or sabotage of critical operations. We need
to protect the public by preventing destruction and
cyberattacks when possible, or ensuring that they are
infrequent and manageable.
Another threat to our essential electronic data is identity
theft, the fastest growing form of white-collar crime in
America. Our investigations in this area reveal how widespread
the misuse of SSNs and other sensitive data from public and
private sector data bases has become.
The topic of identity theft is more than just dollars and
numbers. Let me give you a specific example. We have recently
received a letter from an individual who found that her and her
husband's personal information was posted on a publicly
available government Website complete with her Social Security
number. In a letter to me, she indicated she had made multiple
inquiries at the local, State and Federal level trying to have
her personal information removed. The individual commented in
her letter that the Government, both State and Federal, should
do whatever is possible to ensure the integrity of every
citizen's SSN. I couldn't agree more.
In addition to our efforts regarding SSN misuse, we also
consider investigations of employee fraud a high priority. It
only takes one corrupt employee to compromise the integrity of
the Social Security system. In particular, illegally used SSNs
puts the financial integrity of the SSA system at risk and
inhibits the country's work for terrorism.
Let me discuss two of our successful investigations. In
one, a 15-year SSA employee provided Social Security cards for
a scheme in which immigrants paid up to $75,000 for
citizenship. The SSA employee resigned and was only sentenced
to 2 months of incarceration.
In another, an SSA employee knowingly approved fraudulent
applications for over 1,700 Social Security cards for
approximately $1,000 each as part of a $4.3 million criminal
enterprise. The SSA employee lost his job, was sentenced to 71
months in prison, and was ordered to forfeit $1 million.
SSA has made significant progress in strengthening SSN
integrity and has implemented important suggestions which our
office has made. SSA's efforts toward protection of electronic
data include the SSA Enumeration Response Team comprised of
agency executives, including OIG representatives, that has
implemented numerous policies and procedures designed to better
ensure that only individuals authorized to receive an SSN are
available to do so.
The agency is also piloting an on-line Social Security
number verification system, which will allow employers and
third parties to verify employer names and SSNs via the
Internet, using information and SSA records for wage-reporting
purposes. This system will also indicate if the SSA record
shows that an employee is deceased.
While SSA protects its data with numerous controls and
safeguards, we are concerned about how other Federal agencies
maintain security of SSNs. Given the potential risk, we believe
Federal agencies would benefit by strengthening controls over
the access, disclosure and use of SSNs by State and local
governments and other external entities. Misused SSNs, stolen
or misappropriated birth certificates, and false or
fraudulently obtained drivers' licenses are keys to identity
fraud in the United States. Our OIG works closely with SSA to
help ensure the integrity of all of its data.
As technology has advanced, SSA has kept pace in developing
appropriate safeguards against intrusion. SSA must continue to
strike a balance between the need to be user-friendly and the
demands for increased security. Together with Congress and SSA,
we have made important strides in reducing vulnerabilities, and
that effort continues.
Still, to strengthen our defenses even further, we believe
that SSA should work with agencies across government to improve
safeguards for data security. We also believe SSA and lawmakers
should exam the feasibility of the following initiatives:
limiting the SSN's public availability, prohibiting the sale of
SSNs, and prohibiting their display on public records, and
enacting strong enforcement mechanisms and stiffer penalties to
discourage SSN issues.
I would be happy to answer any questions you may have.
[The prepared statement of Mr. O'Carroll follows:]
[GRAPHIC] [TIFF OMITTED] T8486.043
[GRAPHIC] [TIFF OMITTED] T8486.044
[GRAPHIC] [TIFF OMITTED] T8486.045
[GRAPHIC] [TIFF OMITTED] T8486.046
[GRAPHIC] [TIFF OMITTED] T8486.047
[GRAPHIC] [TIFF OMITTED] T8486.048
[GRAPHIC] [TIFF OMITTED] T8486.049
[GRAPHIC] [TIFF OMITTED] T8486.050
Mr. Putnam. Thank you very much, and I want to thank all of
our first panel of witnesses, and we will go straight to
questions.
Commissioner Swindle, in the current threat environment in
which we live where systems face ongoing attacks, probes, or
are constant for vulnerabilities, the bots, the zombies and
everything else, some companies, it is becoming clear, are
purposefully avoiding conducting IT risk assessments because of
the fear that those assessments themselves will establish
knowledge of vulnerabilities that could be used against them in
litigation. What are your thoughts on the position that a lot
of these companies have taken?
Mr. Swindle. Mr. Chairman, I would compare their conduct to
that conduct you spoke of earlier about lawyers recommending
they don't have privacy policies so as to avoid liability. I
think it is a road to suicide, quite frankly, because it will
catch up with them eventually. And, I think consumers, as they
become more aware of the full privacy issue and certainly
information security issue, are going to look to companies that
are responsible, and they will and turn away from those that
are not. Soon there will be more of those that are resonsible
than not, and the losers will be the ones that choose this
course of action. I think it is incredibly dumb.
I have encountered this in several fora that I have
attended over the years, and I just look at them with
astonishment that they would take that approach, because I
don't think it is realistic. It is certainly not responsible.
Mr. Putnam. Is there a need for some form of safe harbor
that would encourage companies to conduct thorough examinations
and then come forward with whatever deficiencies they find?
Mr. Swindle. Safe harbor, I would say, is perhaps a good
vehicle to protect those who do the right thing, and
inadvertently have security failures, as I said, no security
package is going to be complete. They have taken responsible
actions, they have done as much as they could see to do, and a
breach occurs--I don't think they should be held responsible
for something they couldn't really avoid. But, I have a hard
time giving people an easy way out, if you will. But, we may
have to come to that position, because, as both Mr. Clay and
yourself have mentioned, these problems are growing.
We are making progress, but the problems are growing faster
oftentimes than the progress, and it may be that we have to
seek some kind of means to encourage people to get in and start
doing the right thing. But, I would still prefer to see the
private sector lead, for their own self-interest, to do the
right thing. I am still not convinced that we are incapable of
doing that. I have hopefully not unfounded confidence that we
will do the right thing.
Mr. Putnam. Thank you.
Mr. Martinez, Mr. Johnson, a recent survey was conducted by
Carnegie Mellon and Information Week of 100 small and medium-
sized businesses that found that 17 percent of the
participating companies had been the targets of some form of
cyberextortion. Could you tell us more about the cyberextortion
problem and the trends that you are seeing out there, and what
advice you would have for companies who are faced with that
threat? With the FBI?
Mr. Martinez. Well, in simplified terms, the cyberextortion
is not just the mere use of the facility of the Internet to
make an extortion as demand, but instead a sophisticated hacker
might find a vulnerability in a system, steal proprietary
information, customer lists, personnel information from a
company, and then pitch them that they can fix it. And if they
aren't allowed to come in as a, ``consultant,'' they will
release that information in a way that would be harmful to that
company. That's one manner in which it can occur.
Trends, the level of sophistication, absolutely is going
up. The ease with which tools can be obtained to make the
initial intrusion are becoming far, far more available and
simpler to use. It doesn't take a rocket scientist to drive
some of these tools at this point. It was mentioned previously
about the playing field changing from hacking for fun to now
hacking for profit.
As far as advice goes, of course, good computer security,
engaging in private industry partnership, partnerships with law
enforcement organizations such as InfraGard where information
could be shared so that we can have a prophylactic effect, you
know, share information about how we can protect systems, and
also, as was mentioned previously, have a response plan.
Companies have to have a response plan, they need to know what
to do when they have been attacked. By all means, contact law
enforcement.
There's a lot we can do. There are a lot of resources we
can bear to solve the problem. Not all of these problems can be
solved from the desk, from the desktop of a systems
administrator.
Again, we need to know how to respond, how to freeze
evidence, how to establish the logs so that we can go in and
determine what the methodology was, see if it is common with
another case we have been working in the past and what
resources we can bring to bear to work with the problem.
Mr. Putnam. Mr. Johnson, I understand that the Secret
Service recently released a report on insider cybercrime
activities in the banking and finance sector. As part of its
ongoing insider cyberthreat study, could you elaborate on the
threats of that study, the difficulties of dealing with an
insider threat, and the implications that report has for
combating identity theft?
Mr. Johnson. Yes, Mr. Chairman. I echo the sentiments and
statements of the FBI in that we recently had a case involving
AOL that involved an insider threat, the selling of personal
identities to spammers for monetary gain.
With the insider threat, the last 2 years, the Secret
Service, in conjunction with Carnegie Mellon University CERT
Coordination Center, collaborated on this insider threat study.
The threat to critical systems includes individuals who have
manipulated vulnerabilities within the system for personal
gain, as is the case I mentioned with AOL. Some of the relevant
findings of the study were similar to a lot of things that we
have talked about today, and that is updating firewalls when
employees leave, taking them out of the access to networks,
changing passwords. The simplest-type things are being
overlooked by businesses and IT people.
Most incidents were not sophisticated or complex. A
majority of the incidents were thought out and planned in
advance, and, in most cases, others had knowledge of the
insider's intentions, plans and activities.
Like the locks on your doors, changing access to network
and changing passwords and updating firewalls is a smart
business practice.
Mr. Putnam. Mr. Martinez, you mentioned a series of ongoing
investigations that involve, in some, the theft of 30 million
credit card account numbers and potential losses of $15
billion.
Can you elaborate on how thefts like this grow to such epic
proportions, and are the penalties for cybercrime under the
current code commensurate with the damage that is being done?
Mr. Martinez. Well, of course, a case can be taken to this
scope by consolidating like cases, and that's one of the things
we try to do in developing strategies both for proactive
efforts, and then also once we have complaints that have
commonalities. And in order to do that, we have to employ
analytical tools and analysts in a form like IC3 in order to
determine if we have a problem that goes beyond the scope of a
single complaint.
In this case a rather large list of credit information was
obtained. Again, it involved many different credit card
companies, and so, again, I think we put the number at 100 that
were affected, financial services and institutions.
The idea here is to identify the scope and then work with
these institutions, work with victims in order to track back.
Let's see where this threat came from, see if we can't put our
resources together in order to address the problem and to be
proactive about the next attack.
Mr. Putnam. Mr. Johnson, do you wish to add anything to
that?
Mr. Johnson. Not at this time.
Mr. Putnam. Very good. My time has expired. I will
recognize the distinguished ranking member, Mr. Clay, for his
questions.
Mr. Clay. Thank you, Mr. Chairman.
Mr. Swindle, since your agency carries the responsibility
for protecting the private information of consumers, what
additional efforts need to be undertaken by FTC to further
educate the public and corporate community on issues
surrounding identity theft, or is education and awareness the
key to prevention, or are more stringent regulations concerning
privately held consumer information necessary to improve
security?
Mr. Swindle. Mr. Clay, I would hope that we are not, as
stated, responsible for protecting the privacy of all the
American citizens. That would be a hell of a big job, and I
know you didn't mean it exactly that way.
Mr. Clay. I would want you to.
Mr. Swindle. We certainly do the best that we can, and we
are taking every step we possibly can, given the resources we
have--and this is not a plea for more resources, by the way--to
help educate, and, through education, to deter the invasions of
privacy and this theft of this personal identification of which
we have all been speaking, and the damage it can do to people.
A part of an education process is dealing with businesses,
it is dealing with government agencies, it is dealing with
Members of the Congress, asking them to help us make more
people, the consumers, aware. It is dealing with the business
association and working internationally, dealing with cross-
border fraud issues and trying to work with just hundreds of
agencies.
We are now, with our identity theft complaint
clearinghouse, I believe we call it, we are making that
available to in excess of 1,000 law enforcement agencies around
the country. We are about to make it available to the Canadians
on a 24-hour basis. We are working with international groups.
We are working with local and State law enforcement agencies.
So, there is a lot going on, but I think that gets to the
problem, as the chairman had mentioned, and Mr. Clay, I believe
you mentioned also, the occurrence of these crimes seem to be
growing no matter what we do. And, it is the proverbial needle-
in-the-haystack operation, except that this haystack is the
global haystack, and there are lots of needles in there. Trying
to find solutions and punish those who are guilty is a
difficult process.
I don't know that we can solve the problem without massive
education of customers and business. Then everyone who is
involved becomes aware of the role that they can play and take
it seriously. It is going to take a lot more effort. We have
some, if I remember correctly, about 45 or 50 Congressmen, that
have participated with a program we tried to initiate 2 years
ago. We could get what, 395 more that could do it and help us a
lot. It is just a massive problem. It is going to take
repetition, repetition, repetition.
Mr. Clay. What are the main things that the public should
be aware of? What should they look out for? What advice do you
give the public about identities?
Mr. Swindle. Well, just starting off, liken it to an
automobile. We know automobiles and safety intuitively. We have
to get the use of computers into that mode of thinking. That
means first realizing that a computer is a very sophisticated
thing. It is now just second nature to log on and talk to
somebody halfway across the world. When you and I were growing
up, we didn't know how to talk to the community 15 miles away.
Things have greatly changed. We have to educate people to
learn. It will literally take an education program that starts
with young persons. We are not doing enough. But also in the
business side of the world, it's talking to businessmen and
board members. They have to take information security and
privacy seriously. It is their corporation, their business. It
should be a primary part of the culture of that company to do
these things right, and then it has to ripple right down the
stream to the lowest levels.
Mr. Clay. Thank you for that response.
Let me shift real quickly to Mr. Johnson, and seeing my
time is short. It seems to me the responsibility of the Secret
Service runs concurrent to many other law enforcement agencies
at all levels of government. Can you update us on any specific
identity theft prevention activities among groups collaborating
with the Secret Service, such as the Joint Terrorism Task
Forces or Operation Direct Action? And are these groups
improving the methods used to coordinate against suspected
identity theft activity?
Mr. Johnson. Yes, Mr. Clay. The Secret Service prides
itself in the education of local and State law enforcement. We
have a Secret Service e-information network that is available
on line. We have a CD-Rom for State and locals. We have best
practices for seizing electronic evidence.
Operation Direct Action is working with third-party
processors. Two of the primary third-party processors of credit
cards are involved in Omaha, Nebraska, and Columbus, Georgia.
By working and having agents assigned to those locations, we've
found that access to the information that they can provide
gives us quick response to State and locals or first responders
to either identity theft or credit card fraud. We have seen the
benefits in a good percentage of the cases that are ongoing and
other cases that have been concluded.
Mr. Clay. I thank you for that response.
And thank you, Mr. Chairman, for your indulgence.
Mr. Putnam. You are very welcome.
Mr. O'Carroll, you mentioned that in your work on behalf of
the President's Council on Integrity and Efficiency on controls
over Social Security numbers that 9 of 15 inspectors reported
that their agencies had inadequate controls over the protection
of Social Security numbers in their data bases. Given the
extensive information security requirements for Federal
agencies under FISMA and GISRA, how can this be?
Mr. O'Carroll. Mr. Chairman, historically the use of the
SSN was the Federal identifier of employees, and much as we
found with universities where it was on their identification
card, in many Federal agencies it was on the identification
card for the agency. It was posted on walls. Instead of system
security flaws on it, it was mostly posting an easily
observable SSN.
And what we are fearing--we did the study of other
inspector generals on this thing--is as much as you said there,
is our feeling is that the first place to start correcting the
use of the publication of SSNs is within the Federal
Government. One of the ways that we just changed it recently,
as probably many of the people in the room are aware, is when
any check was going out from the Federal Government, in the
window of it, it had the Social Security number of the
individual receiving the check. These are all baby steps that
were taken. We finally have gotten that taken off of the check.
We have been stopping the publication of it.
We are doing studies now in terms of the uses of non-
Federal agencies' use of SSNs, for example, colleges and
universities, and we are trying to do an education program to
get the SSN taken out of the daily usage. And we figure that
will be a good way to prevent its misuse in government, and
misuse period.
Mr. Putnam. Many companies avoid reporting security
breaches due to the effect that the news would have on their
reputation. Is that sound policy? It's certainly to a degree
understandable. Or does it merely make the problem worse and
encourage those cybercriminals by having them to believe that
they won't get caught? We'll begin with Mr. Martinez.
Mr. Martinez. Well, this issue is addressed across the
board in some of the cybercrime matters that we address. I know
when I was an assistant special agent in charge in Los Angeles,
we worked with the entertainment community on IPR issues,
intellectual property rights, and there was a bit of a dance
that we had to do with the industry because they don't like to
admit that they have a problem. It is bad business sometimes.
It gives their competitors possibly an edge. And the same thing
applies to e-commerce businesses, etc.
So our approach to that is to try to engage to the fullest
extent we can with those businesses, give them a comfort with
us, let them know what to expect through training. Again, our
InfraGard program, that's part and parcel, is to let them know
what to expect if they do report and the FBI shows up, what we
are going to be looking for, what we would hope to find when we
get there as far as the procedures they've put in place to
maintain evidence.
Mr. Putnam. Anyone else want to answer that? Commissioner
Swindle?
Mr. Swindle. I believe I addressed this in part in my last
response. There is almost a Washington, DC, ostrich syndrome
that I think permeates the whole society that when we do
something wrong, we fear addressing it up front more than I
think is necessary. I think if we deal with things direct, up
front, get it out, find a solution, we are far better off. I
think it speaks well to the reputation of legitimate companies
that they will do that. To do otherwise is just ignoring a
problem that will never go away. It will come back, it will be
found out, and then you are going to deal with why you covered
it up.
Mr. Putnam. It is not just Washington, as it might be a
network problem, too.
Anyone else want to add to that?
The President has transmitted to the Senate the Council of
Europe's Convention on Cybercrime. Given the international
nature on this, and we certainly have law enforcement
represented has to operate across borders, how important is the
ratification of this treaty to improving our ability to
apprehend cybercriminals? Mr. Martinez.
Mr. Martinez. Well, absolutely it is important. The FBI has
made a significant investment in international training and
trying to work jointly with law enforcement agencies in other
countries where we know we have problems and issues, where
attacks are generated, where phishing schemes are located. And,
again, we are very proactive about that, offering through
international law enforcement academy several different blocks
of cybertraining, ad hoc training really, anywhere in the world
where it's required. We have 47 legal attache offices, about to
add 3 more, and that's a big part of their job is to put us in
contact with law enforcement agencies that need that kind of
help.
So having those kinds of devices to allow us to solidify
those relationships, standardize the law and response in areas
across the world is critical to our being able to address the
problem here in the United States.
Mr. Putnam. Mr. Johnson, do you wish to add anything?
Mr. Johnson. Yes, Mr. Chairman. I would agree and the
Secret Service would agree that the victimization of Americans
and of businesses overseas is growing at a rapid pace. The
world is borderless. The Internet provides the foreign
criminals easy access to the United States and their citizens
by quickly getting on line. Many countries have Internet
access, they have TV access. Foreign public can only buy
Western products on line. That is their only capabilities. The
growing number of significant investigations overseas,
virtually all terrorist investigations have a foreign nexus.
The field offices that we have established have provided rapid
response overseas and provided that capability, and it is also
extending the reach of American law enforcement in general.
Mr. Putnam. Commissioner, this is my final question, and
then I will yield back to Mr. Clay. California has a law that
took effect in 2003 that requires businesses or State agencies
that maintain computerized data that includes specified
personal information to disclose any breach of security to any
California resident whose unencrypted information was or is
reasonably believed to have been acquired by an unauthorized
person. What effect do you think that law will have on
improving information security? And what are your thoughts on
taking it national?
Mr. Swindle. Mr. Chairman, as I mentioned in my testimony,
there certainly are circumstances where a person ought to be
notified that there has been a breach. However, I don't for a
minute believe that in every circumstance they should be
notified. And I think, taken to extreme, that could be an
enormous burden on businesses, and it would solve no problems.
I don't think it necessarily would prevent it from happening
again, and there may very well not be any damage done at all. A
lot of the information that it is personally identifying is
publicly known in phone books, for example.
So I think you would have to deal with those circumstances
on a case-by-case basis. And, to my knowledge, I think
California is the only State, at least to date, that has that
kind of legislation. That's not to say it is probably not being
considered by many other States, but I think I would move in
that direction extremely cautiously because I think it could be
an overkill.
Mr. Putnam. Mr. Clay, you are recognized.
Mr. Clay. Thank you, Mr. Chairman.
I will start with Mr. O'Carroll. Since the release of the
2003 report on the internal control structures for the use of
Social Security numbers among Federal agencies, have there been
any notable improvements reported by agencies that were
identified as having deficiencies in the methods and practices
used for protecting Social Security numbers or identifiers?
Mr. O'Carroll. Mr. Clay, we were going to be doing another
followup audit on that next year to see what improvements there
have been. But anecdotally, from other inspectors general and
from having conferences with them and discussions with them,
most of those other agencies have all started robust plans on
correcting the use of SSNs in their agency, and we expect it to
be a much better audit when we do it next year.
Mr. Clay. Thank you for that.
Let me ask Mr. Martinez. Last Friday the Washington Post
published an article on the increasing number of fraud-related
investigations by the FBI within the mortgage marketplace, and
identified my home State of Missouri as a so-called hot spot of
activity. Can you provide for us any information on the number
of cases that are specifically related to the use of fake
identities or straw buyers or forged loan documents in the
recent upswing of activities? Are you familiar with it at all?
Mr. Martinez. I am familiar with the article and the
circumstances; and that would fall under the responsibility of
our Criminal Investigative Division that has the responsibility
for traditional white-collar crime cases. I can tell you that
it is certainly within the realm of possibility that type of
criminal activity could be part and parcel of mortgage loan
fraud. Again, identity theft might very well be applied.
I mean, I think the answer here is that smart criminals
will figure out a way to make it work for them. And with this
vulnerability, it is just another vulnerability to be
exploited, and I think it could be applied. But I couldn't give
you specific figures, but I can certainly talk to the Criminal
Investigative Division and get back with you on that.
Mr. Clay. Thank you for that.
Let me ask you for one last question. Can you cite for the
committee specific areas where legal or policy barriers
continue to impede information sharing or cooperation among
stakeholders investigating potential identity theft activities?
Mr. Martinez. I am not aware of any legal impediments. I
think there is just an awful lot of work to go around. So the
approach we have to take is to just leverage resources. Again,
I am not here with my hand out saying we need more bodies. Of
course I could throw another thousand agents at the identity
theft problem, and in cybercrime in particular, and not solve
it and not make a significant dent in what might continue to be
the problem.
But that said, we do have many, many initiatives that are
intelligence-based. I've mentioned IC3 several times. It is
more than just a place to receive complaints. We take that
information, we crunch the numbers, we decide where can we
apply our resources, our cyber task forces' resources, State
and local resources that can be brought to bear, regional
forensic labs to address the problem.
So it is enormous, but I do think that with some
collaboration, with our partners especially, you know, we have
mentioned several times with private industry, it is enormously
important. We can't do this alone. They are often out in front
of us as far as being able to detect and plan and see threats
coming. So we need to continue to leverage those resources the
best we can.
Mr. Clay. How successful is your agency in apprehending
those who participate in identity theft, those--especially the
bigger fish so to say? Pretty successful?
Mr. Martinez. Well, I guess I would like to say that we
have had some tremendous successes. Some of the things that
impede those successes are, again, the international nature of
the problem. Some of the groups that are perpetrating these
types of crimes are located in countries where we don't have a
good established working relationship. We work awful hard at
it, but there is just--sometimes you can't overcome those
problems. But, again, it is something that we need to work at
every day. We do have a good network of legal attache offices
and training and outreach that goes toward making those kinds
of strides.
Mr. Clay. Thank you for that response, Mr. Martinez. I
yield back the balance.
Mr. Putnam. Thank you, Mr. Clay.
Before we wrap up this panel, I would give all of you the
opportunity to have a final word or answer a question you wish
you had been asked, whatever the case may be. And we will begin
with Mr. O'Carroll and go down the line and just give you a
moment, if you have anything that you would like to say, and
then we will seat the second panel.
Mr. O'Carroll.
Mr. O'Carroll. The only thing I have to add, Mr. Chairman,
is--continuing on with what Mr. Martinez said, is that I think
nowadays since we all have so much more work than we have
people to handle it, that the wave of the future is going to be
cooperation between all Federal law enforcement agencies and
also working with local agencies. And by doing that, we are
using the task force concept which is being used right now very
effectively in the terrorism arena.
In the identity theft arena, I think that is the solution.
We can share information, it is easier to do it, there is less
structure--or strictures in relation to disclosures of
information on a task force. And I think that is something that
we are going to be seeing a lot more of. We participate in
about six identity theft task forces around the country that
have been very successful.
Mr. Putnam. Mr. Johnson.
Mr. Johnson. In closing, Mr. Chairman, I would agree with
Mr. O'Carroll, that our Electronic Crimes Task Force is--the 15
that we have established, we are looking to double that number
in the next 3 years. To further Mr. Clay's earlier question to
Mr. Martinez about the big fish, are we--I would just like to
say to the chairman that the Secret Service is, through
prevention, our training at the local levels all the way up to
the disruption of the major players in financial crimes and
identity theft, that we are making inroads every day with these
investigations. That along with the Electronic Crimes Task
Forces in the United States, the Secret Service is not only
dedicated to the problem, but it is a priority of our agency.
Mr. Putnam. Thank you.
Mr. Martinez.
Mr. Martinez. First, I want to tell you how much I
appreciate and the FBI appreciates the opportunity to come and
speak to you today and talk about this important crime problem.
And I want to tell you how much we appreciate Congress' support
in enacting the SLAM-Spam Act, the identity theft penalty
enhancement. These are the types of real tools that we can go
out and take and try to make an impact on this crime problem. I
just appreciate the opportunity to speak to you today. Thank
you.
Mr. Putnam. Thank you, sir.
Mr. Swindle.
Mr. Swindle. Mr. Chairman, someone, I've forgotten whether
it was you or Mr. Clay, asked the question to another
participant about whether or not the penalty matched the crime.
I have been a Federal Trade Commission for roughly 6\1/2\ years
now, and one of my great frustration is to see one scam artist
after another come through our process. Our staff does
remarkable work in finding them, building the case, but we are
a civil penalty organization and do not have criminal
authority. Oftentimes we find we catch the spammers, we catch
the scam artists, and so much of it is being done
electronically now, and we expend great resources to get them,
and they have nothing. It is just a difficult task. I don't
think the penalties anywhere come close to matching the crime.
One of my greatest frustrations is that it appears as
though some of this conduct is almost just the price of doing
business when you get caught because the penalty is so
insignificant relative to the size of the profits made.
Another one is oftentimes we find people after we track
them down and they have ripped off the consumers for
multimillions of dollars. Guess what? They have no assets
except perhaps a million-dollar house in Florida which we can't
touch because of the homestead exemption. We ought to find ways
to adjust the laws so that you don't get homestead exemption if
you are engaged in criminal activity or alleged criminal
activity and you settle.
It is a big problem. I think it is demoralizing to those
who try to apprehend these people, not to mention the poor
victims of some of these crimes, which it is in staggering
proportions. And I think that is something we should seriously
look at.
Mr. Putnam. Thank you very much. I want to thank all of
you. And at this time we will dismiss panel one, and the
committee will recess for such time as it takes to set up the
second panel.
[Recess.]
Mr. Putnam. The subcommittee will reconvene. I would like
to invite our second panel of witnesses and anyone accompanying
them to please rise and raise your right hands for the
administration of the oath.
[Witnesses sworn.]
Mr. Putnam. Note for the record that all the witnesses
responded in the affirmative.
We will move directly to testimony beginning with Howard
Schmidt. Mr. Schmidt joined eBay as vice president and chief
information security officer in May 2003 after retiring from
the Federal Government with 31 years of public service. He was
appointed by President Bush as the vice chair of the
President's Critical Infrastructure Protection Board and as the
special advisor for Cyberspace Security for the White House in
December 2001. He assumed the role of the Chair of the Board in
January 2003 until his retirement in May 2003.
Welcome to the subcommittee. You are recognized, sir, for 5
minutes.
STATEMENTS OF HOWARD SCHMIDT, FORMER WHITE HOUSE CYBERSECURITY
ADVISOR, AND VICE PRESIDENT, CHIEF INFORMATION SECURITY
OFFICER, eBAY, INC.; BILL HANCOCK, VICE PRESIDENT, SECURITY
PRACTICE & STRATEGY, CHIEF SECURITY OFFICER, SAVVIS
COMMUNICATIONS CORP.; BILL CONNER, CHAIRMAN AND CHIEF EXECUTIVE
OFFICER, ENTRUST, INC.; AND JODY WESTBY, CHAIR OF PRIVACY AND
COMPUTER CRIME COMMITTEE, AMERICAN BAR ASSOCIATION, SECTION OF
SCIENCE AND TECHNOLOGY LAW, AND MANAGING DIRECTOR,
PRICEWATERHOUSECOOPERS
Mr. Schmidt. Thank you, Mr. Chairman and Ranking Member
Clay. Thank you very much for the opportunity to be here today.
I would like to keep my verbal comments relatively brief in
lieu of all the questions that you had last time and I am sure
you will have again. But I want to basically focus my remarks
in three major areas: One, what eBay is--the company itself is
doing relative to the leadership, relative to the area of on-
line identity theft and phishing, as you have cited to,
accurately so, a growing threat to consumers, business, Federal
employees, and basically anybody that uses the Internet; also,
some of the industrywide efforts that are taking place to
collectively combat this area; and then some thoughts I think
that I want to share relative to the public-private partnership
that is so crucial to our success in moving forward on the
cyberspace security area, but more specifically on the on-line
identity management.
You know, you have heard the numbers from the FTC. They
reported earlier this year that the identity theft topped the
list of consumer complaints for the 4th year in a row, about a
33 percent increase in what we have seen over the previous
years, and even that didn't tell the full story. In June of
this year, the Forrester Report showed approximately 9 percent
of U.S. on-line consumers, about 6 million houses that use the
Internet, that experienced identity fraud. Now, when you look
at the overall international user base on the Internet, it is
estimated to be about 840 million users currently. So we are
talking about just the U.S. portion of that. And what I
probably worry about most more than anything else is the fact
that the numbers that we have mentioned are potentially capable
of growing if we don't take action quickly and we don't move in
a cohesive measure between private sector and public sector.
One of the reasons, of course, as some of the previous
folks testified about, and that is this issue around phishing.
What we have seen is an evolution as we have been very, very
concerted about better cybersecurity for enterprises. You
mentioned the California 1386 law relative to reporting things,
Sarbanes-Oxley-Graham. You list the name of things that have
given us incentives to do things better when it comes to
cybersecurity, and corporations both publicly traded as well as
privately owned are doing more. We are starting to see the
shift, the attack factor shift to the less sophisticated, the
end users, the cable modem users.
You know, we have seen instances even recently where
phishing e-mails have come reported to be from the FBI, the
FDIC telling people that if you don't fill out this form and
give us all your information, Social Security number, mother's
maiden name, dog's name, address, high school, we are going to
shut down your bank account, and that is tremendously scaring
to the uneducated and the non-IT professional.
But it is interesting that this is not a new phenomenon. We
have been dealing with this for over 20 years. In the 1980's,
we were actually teaching classes at the Federal law
Enforcement Training Center in Georgia on what we called at
that time carting, with actually doing shoulder surfing, going
to airports, New York La Guardia, and looking at people as they
used calling card numbers and credit card numbers to make calls
and using that for identity theft. And what we have seen as of
about 2 or 3 years ago when this new spate of phishing started,
they actually started from a perspective of trying to grab on-
line time for free. It wasn't about identity theft, it wasn't
about credit card fraud, it was getting on line for free.
And then what happened is that evolved, and they said,
well, listen, we can make money off of that. And I think all
the previous witnesses testified as well that this has now
moved from clever hobbyists and people thinking they are being
funny and hacking to where it is true criminal enterprises. And
other reports came out this year that estimated 57 million
users on line had received phishing e-mails. I am averaging one
a day now from major institutions all around the world.
Mr. Putnam. Excuse me. Can I just interrupt? Does that
include the Saudi plea?
Mr. Schmidt. Yes.
Mr. Putnam. Because that has to be at least two-thirds of
it.
Mr. Schmidt. That is a big chunk of it. Absolutely correct.
And then, of course, we add into the political fundraising
portion of it as well. And what happens now, we are seeing a
more focused, what is being referred to by Marcus Jacobson, who
did some analysis while at RSA Security Laboratories, what they
call context attacks, where the phishing attacks are the same
way. You just recently bought a new car, here is information
relative to that, and really convincing you that this is a
legitimate e-mail. So consequently, you know, this is indeed a
new challenge we have not seen before.
Now, what are some of the things we are doing? One, first
and foremost, many of us, particularly those of us who have
multi-multi-million-user bases like we do, are doing a
continuous education process. We've changed our business
process, so we no longer send active links in e-mails that we
send to customers anymore. As a matter of fact, we tell them,
if you want to do a transaction, type in the URL or use a
bookmark. But basically we have also spent a tremendous amount
of resources hiring people to do full time where we have the
ability to identify these phishing sites on a near real-time
basis and take them down.
Now, in closing, I just want to make one quick comment
relative to the overall homeland security piece, because as we
were doing the national strategy to secure cyberspace out of
the White House, some government agencies didn't feel that
identity theft and identity management were homeland security
issues, and I truly believe they are.
One, first and foremost, no better tool--as we get better
about physical identity, no better tool than for a terrorist or
an organized crime to use--criminal person to use than your
good name to be able to assume your identity and be able to
pass through airports. Second, it becomes a nexus. And as you
see in my written testimony that we are seeing 30,000 users
that are being compromised on a regular basis that then can be
used to launch denial of service attacks. And, last, to become
a gateway into corporate enterprises such as critical
infrastructure. And it is important to make sure that we do
everything we can to stop that from taking place.
So, with that, I thank you for the opportunity again, and I
stand by for any of your questions you may have. Thank you.
Mr. Putnam. Thank you very much.
[The prepared statement of Mr. Schmidt follows:]
[GRAPHIC] [TIFF OMITTED] T8486.051
[GRAPHIC] [TIFF OMITTED] T8486.052
[GRAPHIC] [TIFF OMITTED] T8486.053
[GRAPHIC] [TIFF OMITTED] T8486.054
[GRAPHIC] [TIFF OMITTED] T8486.055
[GRAPHIC] [TIFF OMITTED] T8486.056
[GRAPHIC] [TIFF OMITTED] T8486.057
[GRAPHIC] [TIFF OMITTED] T8486.058
Mr. Putnam. Our next witness is Dr. Bill Hancock. Dr.
Hancock is the vice president of Security Practice & Strategy
and the chief security officer of SAVVIS Communications, a
large global telecommunications hosting and IT services
company. He has designed thousands of networks and has been
involved in hundreds of hacker investigations in his career of
over 30 years in the high-tech industry.
Dr. Hancock has written extensively on security and
networking. He is well known in the industry as a technical
visionary due to his various original inventions such as
stealth firewall technology and intrusion detection and
prevention technologies. Dr. Hancock is also a founding member
and immediate past chairman of the Internet Security Alliance.
Welcome to the subcommittee, sir. You are recognized for 5
minutes.
Mr. Hancock. Thank you, Mr. Chairman, Mr. Clay, members of
the subcommittee. I would like to start off by saying I'm
probably the geek that you are going to have to deal with
today, and a geek with nervous social skills.
With that, I would like to do--we have heard from everyone
today about how bad the identity theft problem is. I would like
to do a couple things and point out a couple of little broader
topics having to do with identity theft, and then also offer
some ideas in terms of correction.
One of the problems that we have with the basic concept of
identity is, what is something? And that gets not even to the
point of what is money. We often think very much about what
happened on September 11. I had friends that were in one of the
aircraft that hit the World Trade Center, I have acquaintances
that were involved in the Pentagon, and I can tell you
categorically that if we suffered a cyberattack against our
financial resources of this Nation, it would cause trouble that
you cannot possibly imagine. I will say that specifically for
this reason: Money is an entry in a data base; it is not a pile
of cash in a vault, it is not a bunch of collateral that is
spread around evenly throughout different organizations.
Anymore when you present a credit card or you go to an ATM
machine, and you take that credit card in that ATM machine and
you swipe the magnetic strip, everything in the middle assumes
that is really who you say you are, and that the person who
owns that card and the person that possesses that card is the
person who is supposed to have that card.
We know from past experience, and I am sure that other
panelists will agree with this, that there are an enormous
number of ways to go back and spoof credit cards, to create new
credit cards, to go back over and create false magnetic strips
and all kinds of other mechanisms. And those things are widely
available on the Internet and almost anywhere you would like to
go.
Specifically, though, we have other types of attacks that
happen because of identity theft because we continue to use
protocols which are 30 years old. Specifically, when we sit
down and consider the fact of things like denial of service
attacks, which can be debilitating over a network, that can
take out a complete Website, that can take out e-commerce, that
can knock out a company completely from its network presence,
what we find is that many times those attacks are caused by
spoofing of source addresses or spoofing of destination
addresses because we do not properly identify devices that join
the network. If you are a device, and you get on the network
and you send the right formatted message, something gives you a
TCP/IP address, you are allowed to join the network, and you
can go back and do whatever you want to do.
In the cases of things like distributed denial of service
attacks, there are literally networks of hundreds of thousands
of zombies, and there is more and more being created every day.
As a matter of fact, I read an estimate just yesterday morning
that says that there is over 30,000 machines a day are being
acquired and put into zombie networks. These particular
networks can be used to go back and spoof source addresses
because we do not adequately identify machines, identify
technologies that join the networks, and then those source
addresses can be used to go back and debilitate a company that
is legitimately engaged in e-commerce all over the network.
So as we go back and we examine identity management, I
think one of the things that is very important to understand is
that we not only have the problem that we all hear about
consumer identity being stolen, that our consumer debt and
consumer confidence is being eroded, but simultaneously we are
also having the problem that networks themselves are being
killed off from the simple fact that we have network technology
that is being used that was never developed with security in
mind. There are no controls in the TCP/IP protocol sweep
whatsoever to go back and deal with the identity of a device
that joins the network. There is nothing within the protocol
that is used for Web sciences such as XML and HTML to properly
authenticate and identify an individual or identify a
particular program that may want to go back and access them
back in.
As a brief example, one of the more classic things that
happens is when a front-end data base that is located on a Web
surfer wishes to discuss something with a back-end data base
that may be a legacy mainframe, what we find very often is that
there is a singular identity that is exchanged between the two
data bases. And if you look at every single data base
transaction that happens, it comes from that same singular
identity no matter who came in on the front end and no matter
what you are asking for on the back end. And that is because of
improper identity management at the program level.
So, so far we have discussed the problems of identity
management at the device level, at the program level. We know
of the problems with the individuals.
So, therefore, what kind of things do we need to do? One of
the things we need to very seriously think about doing is a
heavy lift of different protocols that are used in network
communications. This is a very big deal because it allows us to
properly identify devices and properly identify services,
properly identify applications that are actually transacting
over the networks. Eventually security should be invisible. It
should be just like you walk in and you startup your car, you
put a key in the ignition, and all kinds of magic happens. The
fact that there is 28 processors under the hood and there is
probably a network running around inside the car is totally
irrelevant to you. And that is the way security should be over
time. We can't do that until the protocols themselves have the
controls and capabilities built into them.
We need to start thinking about authentication
implementation and audit capabilities at all companies. And,
frankly, I am more concerned about companies involved in things
like power grid management, water networks, food processing,
food movement-type of networks, because all of these use the
same protocols, all of these have exactly the same problem, yet
the level of criticality of these particular networks and these
particular types of infrastructures are more critical in terms
of what we do.
A good example is air-to-ground, ground-to-air uses a
specific set of protocols that are bizarre and unique. Those
are all being migrated right now to TCP/IP, which means very
soon ground-to-air and air-to-ground communications protocols
will be available to Internet connectivity.
We will also find that there needs to be multiple methods
of authentication, not just one. And the reason being is that
if you compromise one, you don't want to compromise all of
them. You need to take the time to establish the different
types and different levels of authentication to have a
defensive, in-depth type of profile. We need to think about
incentives through industry to go back and help people realize
that it is a good thing, a profitable thing to instill
security, but also to go back over and deal with the identity
management problem and to deal with the situation.
We need to take an international approach to all of this,
and this may even include modifications of trade agreements to
ensure that ourselves, our trading partners and everyone are
engaged in proper identity management when we start moving
things around between different areas, because the Internet is
truly without borders.
And we also need to go back and think about leading from
the front. Different companies, different organizations and
everything are not incented, they are not told, they are not
provided legislative requirements for CEOs to make the proper
types of decisions. I deal with this all the time. I go out and
I suggest to a customer, please improve your security. And they
say, why? And the answer I give back to them as a typical rule
is three things: Because of what I call a PAL technique of PR,
assets, and the law. There is reasons to protect your brand,
there are reasons to protect your assets, and there is laws
that you must adhere to.
That tends to be a good business case, but that is not the
real reason why people should put in security. They should go
back and install identity management because it is the right
thing to do.
With that, Mr. Chairman, that concludes my opening remarks.
I would be happy to take some questions.
Mr. Putnam. Thank you, Dr. Hancock.
[The prepared statement of Mr. Hancock follows:]
[GRAPHIC] [TIFF OMITTED] T8486.059
[GRAPHIC] [TIFF OMITTED] T8486.060
[GRAPHIC] [TIFF OMITTED] T8486.061
[GRAPHIC] [TIFF OMITTED] T8486.062
[GRAPHIC] [TIFF OMITTED] T8486.063
[GRAPHIC] [TIFF OMITTED] T8486.064
Mr. Putnam. Our next witness is Bill Conner. Mr. Conner is
among the most experienced security and infrastructure
executives worldwide, with a career that spans more than 20
years across numerous high-tech industries. Mr. Conner joined
Entrust as its president and CEO in April 2001. In 2003, Mr.
Conner received the corporate CEO award as part of the annual
Tech Titans Award program. Most recently he has been a leader
in the effort to elevate information security to a corporate
governance issue and to fashion a public-private partnership to
protect America's critical infrastructure.
Welcome to the subcommittee, Mr. Conner. You are recognized
for 5 minutes.
Mr. Conner. Thank you, Mr. Chairman. Good afternoon.
Chairman Putnam, Representative Clay, and members of the
subcommittee. Thank you for the opportunity to provide
testimony on this important subject.
My name is Bill Conner. I am chairman, president, and CEO
of Entrust. In my testimony today I will address the threat of
identity theft and phishing. I will also examine what Congress
can do about it.
I want to be very clear in my message: Identity theft and
phishing threaten not only to undermine the trust in business
and the Internet, but also to disrupt our national economy. We
need to protect all Internet users, not just the upper tier.
Identity theft and phishing do not discriminate between the
haves and have-nots, and corporate programs aimed at protecting
only the most valued customers won't solved the problem. These
are not isolated threats, but part of a broader cybersecurity
challenge.
I would like to first address why identity theft and
phishing are serious problems. Just as the Internet has
supercharged commercial transactions, it has also supercharged
cybercrime. When the Internet was used mainly to communicate
and access information, the lack of security didn't much
matter. Now that it is used for on-line transactions and
critical information, the absence of security is truly a big
problem. It is as if consumers and businesses that rely on the
Internet have wandered into a dangerous neighborhood of cheats,
pickpockets and thieves and don't even know it. The fact that 9
percent of U.S. on-line consumers have experienced identity
theft and that phishing attacks are now growing at 50 percent
per month show that the little yellow locks on your desktop
that are supposed to maintain law and order on the Internet are
inadequate.
The obvious question is why? Why has the market been so
slow to respond? As a result of my role at Entrust and my
experience as cochair of two major task forces on information
security, I have become convinced that the only way for
enterprises to address cybersecurity is to make it an executive
management priority with board oversight. This is not the case
today.
There are several reasons for the lack of progress. One,
companies don't know what to do. Many companies don't
understand the scope or the threat and how to respond. As a
result, they pretend the problem doesn't exist, and, if it
does, it won't hurt them.
Second, it is not a corporate priority. Even if they
understand it, many firms refuse to make it an executive
priority. They continue to treat cybersecurity as a technical
issue and one that can be delegated and relegated to the CIO.
Government regulations are unclear. A raft of legislation
has been passed in recent years including GLB, HIPAA,
California's Senate bill 1386, and most recently section 404
Sarbanes-Oxley. Until there is better understanding of what it
takes to comply and the penalties for the failure to do so,
progress will be slow.
And, fourth, technology vendors aren't doing enough.
Vendors share in this blame. We have been criticized for
overhyping solutions, failing to correct and connect products
to business needs, ignoring ways to measure the return on
investment, and producing poor-quality products that constantly
require patching.
That is why I urge you to consider the road to information
security lies through corporate governance. If the government
and private sector are to secure their information assets, they
must make cybersecurity an integral part of internal control
and policies. Like quality, cybersecurity is a journey of
continuous improvement, not a one-time event. The No. 1
priority for Congress should be to create a bright light
between acceptable and unacceptable behavior. As long as the
line is fuzzy, the market will be caught in the cybersecurity
paradox. Everyone knows there is a problem, but in the absence
of clear solutions or penalties, they are waiting for someone
else to take the lead.
I would offer the following recommendations for your
consideration: One, Congress should demand that Federal
agencies purchase and deploy cybersecurity technologies. Mr.
Chairman, as part of your oversight of FISMA, I would urge you
to initiate a dialog about how to drive deployment of security
technology that Federal agents have purchased but left sitting
on the shelf.
Two, Congress should stipulate that cybersecurity measures
are an explicit part of Sarbanes-Oxley section 404. By stating
that section 404 Sarbanes-Oxley applies to cybersecurity
controls, Congress could encourage publicly traded companies
like mine to make information security governance a corporate
policy and priority.
Third, the Federal Government should lead by example.
Congress should discourage Federal agencies from purchasing
products from companies with inadequate cybersecurity, as well
as create incentives for those that implement formations of
cybersecurity governance programs. An example of such a program
can be found in the report, ``Information Security Governance:
A Call to Action,'' that was released by the National
Cybersecurity Partnership Task Force on Corporate Governance in
April of this year.
Mr. Chairman, the cybersecurity threat is real and holds
potential to incapacitate the Internet and our economy. The
private sector has been much too slow to respond to this
challenge. I would urge you and your colleagues in Congress to
spur a rapid and constructive market response.
Mr. Chairman, I would personally like to thank you for your
leadership and your staff's in taking the lead and the
initiative here in this area.
Mr. Putnam. Thank you very much, Mr. Conner.
[The prepared statement of Mr. Conner follows:]
[GRAPHIC] [TIFF OMITTED] T8486.065
[GRAPHIC] [TIFF OMITTED] T8486.066
[GRAPHIC] [TIFF OMITTED] T8486.067
[GRAPHIC] [TIFF OMITTED] T8486.068
[GRAPHIC] [TIFF OMITTED] T8486.069
[GRAPHIC] [TIFF OMITTED] T8486.070
[GRAPHIC] [TIFF OMITTED] T8486.071
[GRAPHIC] [TIFF OMITTED] T8486.072
[GRAPHIC] [TIFF OMITTED] T8486.073
[GRAPHIC] [TIFF OMITTED] T8486.074
[GRAPHIC] [TIFF OMITTED] T8486.075
[GRAPHIC] [TIFF OMITTED] T8486.076
[GRAPHIC] [TIFF OMITTED] T8486.077
[GRAPHIC] [TIFF OMITTED] T8486.078
Mr. Putnam. Our next witness is Jody Westby. Ms. Westby
recently joined PricewaterhouseCoopers as a managing director.
Prior to joining PricewaterhouseCoopers, Ms. Westby held
several positions in the IT field including serving as
president of her own company, launching an IT solutions company
for the CIA, and managing the domestic policy department for
the U.S. Chamber of Commerce. She is the chair of the American
Bar Association's Privacy and Computer Crime Committee, and was
Chair, coauthor and editor of its International Guides to
Cybersecurity, to Privacy, and to Combating Cybercrime.
Welcome to the subcommittee. You are recognized for 5
minutes.
Ms. Westby. Thank you, Mr. Chairman, Mr. Clay. I appreciate
the opportunity to be here this afternoon. I would like to
clarify at the outset that my remarks, my testimony, is in my
individual capacity and is based on my own background and
experience. It does not necessarily reflect the views of the
American Bar Association or PricewaterhouseCoopers.
I applaud your attention to this critical issue. The
security breaches that allow access, unauthorized access, to
personally identifiable information go beyond unauthorized
credit card charges, although that is in and of itself a grave
issue. This data also feeds terrorist organizations, organized
crime, and other bad actors that can use this information to
exploit us for their own good, and to launch asymmetrical
attacks against us.
Because 85 percent of our information infrastructure in
this country is owned by the private sector, the only way we
can control these risks and protect our national and economic
security is to protect the critical infrastructure of the
companies. Herein lies the problem. Technical solutions alone
will not secure our networks.
Time and again over the past decade, hardware and software
has held hope that we could turn the tide. But the truth is the
bad guys are winning. The root of the problem is that there is
a lack of oversight and governance of enterprise security
programs by senior management and boards. Quite simply, we must
change the paradigm for information security.
Part of the problem is perception. Most people think of
information security as a technical issue. It is really a
multifaceted issue that requires a multidisciplinary approach.
It is multifaceted because it involves privacy and security and
cybercrime. It is multidisciplinary because it requires you to
dovetail the legal, operational, managerial, and technical
considerations of all three of those issues piled in with the
business plan that sets the architecture of a company. It is a
complicated process.
I believe the main reason privacy has taken off is because
people perceived privacy--CEOs and boards--readily at the
beginning as a policy issue. They readily appointed a chief
privacy officer, they put out policy statements, and privacy
was accepted as a corporate governance issue.
Security, on the other hand, is still perceived as a geek
issue. CEO and boards are afraid of becoming geeks. The primary
reason senior management and boards don't want to take on these
issues is because they don't know how to approach it from a
governance perspective. They think they have technical people
to take care of the computers, so why should they worry about
it; they hired them; that is their responsibility.
That is the wrong conclusion. Information and communication
technology comprises one of the largest line items in corporate
budgets. Officers and directors have a responsibility to
exercise oversight over this equipment for the very reason that
the viability and profitability of their corporation is
dependent on it. Also, 80 percent of corporate assets today are
digital. It is clear that directors and officers have a
fiduciary duty of care to protect business assets. There also
remains a high incidence of insider attacks, yet these are the
very people who are under the direct control of boards and
senior management. Companies also have a patchwork of laws and
regulations they must comply with in the area of privacy and
security, and compliance has always been viewed as a governance
issue.
Studies have shown that cyberattacks can impact market
share and share price, two key areas of responsibility for
officers and directors. A Delaware derivative shareholder case,
Caremark, in 1996 was brought to the attention of the
information security world because it emphasized that boards
have to ensure that their corporate information reporting
systems are, in concept and design, adequate.
And the last reason why officers and directors need to pay
attention to this is because cyberattacks are so common today.
They are in the daily news. Leaving networks unsecured is the
equivalent of leaving the R&D lab door unlocked.
There are other consequences also that require
consideration, one which was brought up by my colleague today
about the inability to track and trace cyber incidents. Cyber
incidents frequently pass through many countries, and we
involve international cooperation of law enforcement, we have
dual criminality issues, we have extradition issues. But
terrorists and organized crime are exploiting this inability to
track and trace cyber incidents, and they are using that as a
way then to obtain this information and use it for trafficking
of drugs, money laundering, and purchasing weapons and
supplies. Corporations and data banks are their soft targets,
and this puts us all at risk.
Quite simply, corporations have to begin viewing security
as an enterprise issue that is also a governance issue.
Prevention of attacks is the best problem, and Congress can
help them do that by providing tax credits to corporations that
implement enterprise security programs. Such credits could
encompass risk assessments, implementing best practices and
standards, establishing internal controls, integrating
security, and of capital planning and training.
Another initiative could provide some funding grants to
help advance models for effectively measuring return on
investment for information security programs, and other tools
that would help boards and senior management through the
decisionmaking progress.
Last, I want to stress that this is not just a U.S.
problem, it is a global problem. The global security of the
Internet has never been more important. We are close to a
saturation point among the English-speaking populations in the
world. Connectivity in the future will be in Asia-Pacific,
Europe, and Latin America, in that order.
In a globally connected network, we are only as secure as
our neighbors, and we must help them if we are to help
ourselves. We have to help them draft privacy, security, and
cybercrime laws that are consistent with FISMA and the global
framework; to help them understand the nexus between privacy,
security, and cybercrime, and how to build enterprise security
programs using the best practices and standards; and, as our
earlier panel said, to train law enforcement and judges and
prosecutors.
The good news is this all repeatable. In the past several
years I have done a lot of work in developing countries. Road
shows with consistent materials trotted around the globe would
be very effective.
I am sorry, Mr. Bordes, do you have the three books that I
brought up here? Could you please share those with Congressmen
Clay and Putnam?
These books are available. The American Bar Association's
Privacy and Computer Crime has put its money where its mouth
is. These books are free to people in developing countries.
That is 180 countries around the world, they are free to them,
and they set out all the issues of privacy, security, and
cybercrime, and how to develop an enterprise security program.
Our books would significantly improve our own security and
advance world peace if we were able to get them into audiences
as workshops and textbook materials.
Thank you very much for your interest, and I await your
questions.
Mr. Putnam. Thank you very much.
[The prepared statement of Ms. Westby follows:]
[GRAPHIC] [TIFF OMITTED] T8486.079
[GRAPHIC] [TIFF OMITTED] T8486.080
[GRAPHIC] [TIFF OMITTED] T8486.081
[GRAPHIC] [TIFF OMITTED] T8486.082
[GRAPHIC] [TIFF OMITTED] T8486.083
[GRAPHIC] [TIFF OMITTED] T8486.084
[GRAPHIC] [TIFF OMITTED] T8486.085
[GRAPHIC] [TIFF OMITTED] T8486.086
[GRAPHIC] [TIFF OMITTED] T8486.087
[GRAPHIC] [TIFF OMITTED] T8486.088
[GRAPHIC] [TIFF OMITTED] T8486.089
[GRAPHIC] [TIFF OMITTED] T8486.090
[GRAPHIC] [TIFF OMITTED] T8486.091
[GRAPHIC] [TIFF OMITTED] T8486.092
[GRAPHIC] [TIFF OMITTED] T8486.093
[GRAPHIC] [TIFF OMITTED] T8486.094
Mr. Putnam. Mr. Schmidt and Mr. Conner, through your
extensive work on information security issues, what conclusions
have you drawn about why corporate America is not taking the
problem with information security seriously enough?
Mr. Schmidt. Well, I am not sure that I totally agree that
it is not being taken seriously. I think, as has been pointed
out more than once, there is a greater recognition now more so
than ever before of the tremendous importance that
cybersecurity is, but it is very complex. It is not as if we
designed a system to eventually become secure. Many
corporations that I see literally around the world have built
systems that they put a system in place, and then they add
another piece on top of it, so it has been very difficult.
What happens in the past couple years, now we recognize
obviously the critical infrastructure protection piece and the
governance pieces, as Mr. Conners related to, where we have
seen a lot more intended dollars and efforts put into the
cybersecurity. But it is a complex issue, and is not something
you can just flip a switch and turn it over. It will take a
couple years by the time we get operating systems and
engineering design and quality processes in place to make it be
able to respond and say, yes, we have much better security now
than we have in the past.
Mr. Putnam. Mr. Conner.
Mr. Conner. Simply, they are not taking the time. And if
you take the time, the question is where you start. That is why
we spent considerable amount of time on a framework, because I
personally believe, as many companies do, you need a framework
to systemically assess your business for where the high risk is
and how do you get a baseline to measure it. Once you have
that, then you can apply it. It is a very simple process to get
started, but if you don't know where to start, all your
journeys will take you somewhere, but maybe not where you want
to go, and you won't get a return on investment, and you won't
be more secure.
I think that starts with the senior management executives
and board saying, we are going to take a framework that exists
now, it is public, it has been there for 6 months, and get
started. And that means you can't delegate it to a CIO; you
have to assess your own business needs and risks. And that is
something in today's environment; many corporations do it, and
many more don't do it. And I can assure you, in the ones I talk
to, all of them are concerned about the liability of that
assessment. It is a litigious society, and in this environment
with class actions and others, that evidently comes through
every discussion.
Mr. Putnam. Dr. Hancock, do you wish to add anything to
that?
Mr. Hancock. I have two perspectives on it, sir. One is I
deal with the same folks that Mr. Schmidt and Mr. Conner deal
with in many respects because a lot of us all have the same
kind of customers. It has been my experience that most board of
directors-level folks have a very limited knowledge of
security, and a lot of that is because security is not personal
to them. They don't understand even the basics.
And I will give an example, sir. My son is 15 years old.
When he was 7 years old, someone tried to kidnap him. Because I
am a security person and by definition paranoid, when he
started--at 4 years old I started him in Taikwando. When the
person grabbed my son, my son dislocated his kneecap and four
of his knuckles. As a result of that, I believe that assets
should be self-defensible, and includes my family, includes my
children, includes my home, whatever the case may be.
Most people don't look at security that way. To them,
security is managed and dealt with by someone else, and, just
like Mr. Conner said, a lot of times delegated to the CIO. Many
times the CIO has no capabilities or understanding of what the
security issues are. It is chopped out of the budget. It is
considered to be something that is more of an irritant than
something that needs to be done.
So it's not part of the corporate agenda overall. The
second problem runs in, just from a pure technology
perspective. Very few people in the business really understand
how to secure things correctly. One of the problems we have is
we continue to deploy technologies that are not secure in
nature, and then we go back and try to provide technology to
secure that.
As a case in point in my own company, I operate well over
50,000 routers. Of those 50,000 routers, I have over 11,000
firewalls. I know categorically that those firewalls cannot
protect my network or my customers from everything that will
come by, because the oppositions are far more creative and have
a lot more time than my security people do.
As a result of that, we are in a constant challenge from a
pure security perspective. How do you stop things from
happening when the technology doesn't exist for us to identify
who is launching an attack or identify a way for us to go back
and trace it back to figure out where it is coming from, just
the very basics? So you have a secondary problem that if the
board of directors did come down tomorrow and they did embrace
security and said, yes, really want to do this, the sad reality
is much of the technology that is required to stop a lot of
this nonsense from happening just flat doesn't exist, and it
will take time for that technology to be put into place since
it is going to take research to make happen.
Mr. Putnam. Thank you. My time has expired. I will call on
Mr. Clay.
Mr. Clay. Thank you. Ms. Westby. I will start with Ms.
Westby. First of all, thank you for your publication, and can
you tell me what lessons can be learned from the private
sector's efforts to comply with the internal control
requirements of the Sarbanes-Oxley legislation by the Federal
agency community? Are there similarities between the public and
private sectors in terms of securing networks containing vast
amounts of individual data?
Ms. Westby. Actually, I think that the private sector in
this instance learns more from the government. Information
security is very different from the days when Al Gore was
reinventing the government and the government was looking to
the private sector for best practices.
Our government is clearly the world leader in information
security practices, and NIST has done world-class work. Their
guidance and controls in metrics is excellent, and they, the
enterprise security program mandated by FISMA and the NIST
guidance that corresponds with that, offer an excellent
example.
It is unfortunate that the word ``security'' is not
mentioned anywhere in Sarbanes-Oxley, and there is a lot of
traffic on my listserves about what does that really mean, what
do the internal control requirements really encompass and how
far does that go into checking integrity of financial data, how
far does that goes into systems.
Mr. Clay. Thank you for that response.
Mr. Schmidt, as a former White House Cyber Security
Adviser, would you agree that the Federal procurement process
would be an ideal mechanism to improve the security of products
and services delivered by vendors to the agency community?
Wouldn't this have a profound effect on the development of more
secure and uniform products for both the agency and critical
infrastructure and communities?
Mr. Schmidt. Yes, sir, I sure do. As a matter of fact, I
talked from time to time about discussions we have had with
vendors that supply service to the government and CIO, CSOs for
the government, and it was amazing the disconnect that I have
seen many times where, say, listen, we would like to actually
pay extra money to get security services, but nobody is willing
to provide it. And then you go to the vendor, vendor says
nobody is willing to pay the extra money for it.
So clearly the procurement arm of government can do much
to, you know, set requirements, instead of, you know, accepting
things the way they are, establish the requirements that one
would have, and then that will have that trickle down effect to
the rest of society, because if we are buying more secure
routers and more secure operating systems for the government
private sector is clearly going to jump on that bandwagon as
well. So it's a vehicle I think can take us a long way in a
short period of time.
Mr. Clay. Let me ask you, according to Mr. O'Carroll, from
our first panel, the SSA's Office of Inspector General had
recently discovered a plan by one individual to sell up to
10,000 Social Security numbers and matching names on your
company's Web site.
Can you outline for us the methods and controls utilized by
your company to identify and prevent such illicit activity?
Mr. Schmidt. Yes, we do. We have an entire group, literally
hundreds of people worldwide, that look at listings that occur
for everything from counterfeit currency to, you know, war
materiel, weapons, things of that nature, and we have not only
physical reviews of data but also automated reviews.
Various trigger mechanisms will actually flag something for
the customer service people to dig down further into it. The
challenge we run into from time to time is that people get
very, very creative about how they title certain things. So
they may not cite it saying, well, I am going to sell Social
Security numbers but they are going to say identification
cards, which may not trigger something. So we are constantly
evolving and changing to make sure we that we adapt to the
things that we see out there as new threats occur.
Mr. Clay. Thank you for that response.
Mr. Chairman, I yield back my time. I have no further
questions.
Mr. Putnam. Mr. Clay, thank you.
Ms. Westby, from your testimony, and you have heard the
answers that the other panelists have given about this issue,
the issue of ignoring information security risks and the
liability that it avoids or causes, in your experience in the
field of information technology law, do you see the attitude of
being proactive about information security taking hold?
Ms. Westby. Yes. The market has matured. The awareness has
increased, and I believe that especially in the environment we
have today, with heightened emphasis on corporate governance,
that senior management and boards are taking a look at what
exactly is within their realm of responsibility, and they, at
least many of the major companies who are assisting with
Sarbanes-Oxley, are saying we have to look at how you are
handling the data in the computer system. I think overall,
though, our efforts have been in vain.
Over the last 6 years there have been enormous efforts made
by the Federal Government, by different organizations, to
engage businesses through, as an enterprise, horizontally and
vertically across an organization. I do think that has matured
and that we are seeing progress.
Mr. Putnam. Thank you. Mr. Schmidt and Dr. Hancock, in your
lines of business, clearly spam and denial of service attacks
are of great concern. A recent Symantec report suggests that
for the first half of this year it saw a huge increase in
zombie PCs. The company said it was monitoring 30,000 per day.
You made reference to that, Dr. Hancock, with a peak of 75,000.
Some estimates state that it is possible that as many as half
of the machines on the Internet are in an infected state.
How big of a threat is this bot issue or zombie issue to
national or economic security?
Mr. Schmidt. Well, I couldn't agree more. We have seen
instances, in working with the law enforcement folks, those
exact numbers--we have actually been able to identify from
cable modem and home DSL users. So it's significant, because if
you look through the cascade of litanies and ills that can
result as a result of that, one clearly the hacking portion
into the critical infrastructure, the identity theft, the
denial of service attack capability.
If you remember back, February 2000, when we had the big
denial of service attack that people talked about all the time,
that was done at a rate of about 800 megabytes per second,
which is a relatively insignificant amount of data now. Now,
with 20,000 systems that have been compromised, you can do 3
gigabytes, you know, almost three times as much worth of
damage. So when you look at the overall aspect of it, you look
at the identity theft, you look at the lack of trust that we
have in the environment, if 87 percent of that 840 million
users I referenced to earlier, are doing e-mail, less than 17
percent are doing e-commerce, economically that's just as bad.
We should be able to go ahead and improve that. The way we can
go ahead and do that is by making sure that we have the defense
in depth where, No. 1, the spams and cams aren't getting in the
inbox for the most part. If they do get there, some sort of
firewall or browser protection or some sort of file validation
keeps you from doing something ill from there; and then last of
course making sure that we are getting a law enforcement
prosecution of these things.
The challenge I have with the law enforcement side, which
is directly related to this, is this is a crime in progress.
This is no different than somebody walking into a liquor store
and sticking up somebody with a gun, except you are not there
physically. It has to be dealt with on a real-time basis.
Mr. Putnam. Dr. Hancock.
Mr. Hancock. I will have to agree with Mr. Schmidt on all
of that. I will also add that one of the problems we have with
zombie networks is that many times that we found over the last
few years--is that those zombie networks are now being operated
by organized crime in some cases.
As a matter of fact, there was one I was recently involved
with--a direct investigation on--that was a gaming site, where
the gaming site was held up for extortion because of a denial
of service attack launched against it by a series of Russian
organized crime. We know that. We tracked it back. We worked
with the Russian law enforcement agencies. The fact of the
matter was we pinned it down and nailed the guy. But the
situation is that it took months to happen.
This sort of thing is happening more and more. We are
seeing a whole lot more happening where e-commerce is the
reason for the site to exist. And we are seeing more and more
of this happen where corporations are depending more on their
network infrastructure and then they are being held up for
extortion or being held up for some sort of, if you will,
ransom because of their technology being disabled through
things like denial-of-service attacks and things like zombie
nets being used.
I will also agree with Mr. Schmidt--what he just said--
about the severity of these types of attacks. We recently saw a
denial-of-service attack execute a 3.2 gigabytes. I had not
seen one like that before. We operate a very large network
infrastructure. We have a lot of customers out there that are
some of the places that you would normally frequent on the Web.
When that one hit we disabled that one within 6 minutes.
But what was more important about it was within 5 minutes after
that the attacker completely redirected and attacked a
completely different addressing block. I have never seen
something like that happen. That means you can take 10,000 to
20,000 zombies, literally have them turn on a dime, and then
reconnect and reattack a completely different site.
That basically shows technical sophistication on the part
of the attackers. It also shows that the zombie sophistication
is increasing, which means that these products can be directed,
redirected very, very quickly, and be pointed with a very
debilitating attack against a very large network pipe. As a
result of that, over time we are going to see more of that
happen, where the zombie networks where we have 5,000, 6,000
zombies all of a sudden become 100,000. And now the types of
attacks that can kill things like power networks, water
networks, those start to become very serious reality, where a
whole power grid is disabled simultaneously.
So I believe that the zombie threat is a very severe one. I
think it's going to get a lot worse, just like any other
software. There are new versions of it coming out all the time
and the zombies are being upgraded with additional
capabilities. All of these things put together are going to
cause very serious problems to our e-commerce capabilities.
Mr. Putnam. Who has the sophistication and technical
capacity to do what you just described?
Mr. Hancock. If you asked me that question 10 years ago, I
would have to say it would be a hard core, stone geek to do it.
The fact is any more it takes very little sophistication. The
attack Mr. Schmidt talked about in February 2000 was my first
day of employment at the company that was acquired--and then
acquired where I am now. I had been with the company exactly 2
minutes when Amazon.com, CNN.com and a few other sites went
splat. The realty of that was we found out later in the day
those attacks were executed by a 16-year-old out of Toronto,
Canada who went by the handle called Mafia Boy.
We were involved with the FBI and with the Secret Service
and quite a few other agencies to track this individual down.
We are capable of tracking these people down fairly quickly.
Trying to get them apprehended and dealt with is a different
story. That took weeks.
So the end result was you had a child here who downloaded
an ``exploit'' from a Web site. This individual had no
sophistication whatsoever in understanding that exploit or in
writing that tool. However, sophisticated people are all over
the Web. Those sophisticated people will find the
vulnerability. They will write the exploit. They will post it
on a Web site. They themselves do not execute that particular
attack. Instead, other people--which we call script kiddies, 13
to 18-year-old types--will download and execute debilitating
attacks. This is very, very common and compromises
approximately 80 percent of the attacks we see.
My infrastructure gets attacked anywhere from 200 to 400
times a day. As a result of that, we see a lot of this stuff.
We deal with a lot of that stuff. Most of the time it is pretty
straightforward to deal with it.
What I am concerned about is the people who are serious,
doing it for profit motives. Those people will employ
programmers--they will employ people with specific skill sets--
and those people with specific skill sets will create these
tools for a specific nation reason. There may be a nation state
that wishes to cause harm to us by debilitating capabilities or
somebody just as simple as a Russian mob trying to go back and
extort money from a company that executes business over the
Web.
Mr. Putnam. What responsibilities does the hardware and
software community have in all of this? How much does the
constant influx of new patches for vulnerabilities in their
products contribute to the problem of cyber crime?
Mr. Hancock. Well, sir, I will give you an example, a very
popular desktop operating system that's floating around, used
to have a version called Version 3 that comprised 3 million
lines of code. The current version, which was very popular on
most PCs, comes out with over 45 million lines of code. The
next version coming out next year is going to be b almost 50
million lines of code.
When you have something that large, trying to secure that,
no matter how conscientious you are, is virtually impossible.
And so the result is as our versions get more and more
sophisticated, as they get more and more and more complex and
we layer complexities on top of that operating system--for
example, a very popular data base out there has almost 1
billion codes in it. When you take an operating system that has
45 billion lines of code, a data base with 1 billion lines of
code, you then put on top of that object-oriented programming,
which is done by the programmer so that you can communicate to
the data base, so you can do something useful with it, you can
end up very quickly with a couple of billion lines of code on a
server sitting in a data center someplace. Trying to secure
that is not trivial. Trying to go back and instill programming
discipline to make that secure is not trivial.
All of these things require a great deal of education on
the part of programmers. They also require standards. They also
require other types of methodologies that say this is a good
way to write code or a bad way to write code. The problem that
we have is that we have gone and put all these types of
technology in for many years without any discipline in the
areas of security, all from the way our program is written to
the way that we deploy technology to the way we manage it on a
day-by-day basis. And just like when Mr. Conner said and Ms.
Westby said and Mr. Schmidt have said--a lot of it has to do
with corporate governance. There has not been an insistence by
the corporate echelon to require vendors to instill security in
their technology, to put security in, code, to put security in
even simple things like routers.
My most basic concern is that I work very closely with all
the chief security officers of the telcos through the FCC. We
offer something there called Focus Group 2B, which puts forth
cyber security best practices. There are 54 people involved
with that. We own about 90 percent of the actual infrastructure
that everybody uses.
We got together last December and told the FCC
categorically, and through public documentation, that one of
the biggest problems we have is we are keeping to deploying
technology which is woefully inadequate, and we keep deploying
more.
So to give you part of an example of a zombie problem, one
of my base concerns that keeps me awake right now is third
generation cell phones, and that is because most cell phones
coming out of the cell phone manufacturers operate an operating
system which is a derivative of Linux. That operating system
can have viruses. That operating system can be used as a
zombie. Under third generation cell phones they will all have a
TCP-IP address. This means that every single handset can become
a zombie and part of an attack vector, which means the current
population of approximately 850 million Internet nodes will
grow very quickly to 3 billion Internet nodes, all of which can
be attacked and put through worm automation technology, a
zombie parked on every handset out there.
In addition, those handsets will be used for everything
from e-commerce to charge services, to go back over and even
get a soda out of a soda machine, because they are all being
done that way in Europe right now. All those areas basically
mean that the software development, the hardware development,
has to instill security discipline, which is not there. In
addition to that, we will continue to deploy these
technologies, and these technologies have serious flaws in
them. That is not being corrected.
Mr. Putnam. That's uplifting.
Mr. Schmidt, you made reference to the fact that simply
using passwords is just not adequate any more and that the
Nation should move to a two-factor authentication by the end of
next year. Yesterday a major ISP announced that it would make
major authentication available to its customers. Do you see
this as being a positive development, and do you see that being
the beginning of even more offerings of and a greater
commitment to secure communications?
Mr. Schmidt. Yes. As a matter of fact, it's a tremendous
step forward. We have been working for about the past 7 months.
We, meaning a group of security experts, have been working with
that company, other companies, Mr. Conner's company, others,
looking for solutions that we can do on a real-time basis to
provide that extra two-factor authentication for the customer
and end user space. I cite my DOD side of life as a computer
crime investigator. I now have a spy card I can use on my
computer government system that I can log into my DOD account
with full encryption, full authentication, and to really know
it's me.
We need to move that way in a security space for the
consumers. It's probably going to be a slow process. There's
going to be some shaking up of who is going to be the coalition
and who is doing this. I think we have clearly reached a point
in society with the phishing e-mails, the identity theft, the
hacking, that society is ready to move to the ATM card of
online world, if you will.
Mr. Putnam. Mr. Conner, do you see other companies
following AOL's lead?
Mr. Conner. Yes. The only comment I made, and Howard and I
talk about, it's a necessary step but it's a baby step. Most of
these are cost prohibitive for the masses, and this is not an
issue that can be dealt with on the haves and have-nots. That
is going to require innovation and deployment around identity
and how do you deal with identity for every citizen or customer
of eBay or someone else. And the current technology, that
becomes quite cumbersome to do in terms of ease of use and
economics.
I would also offer it's only half the issue. Authentication
or identity is one-half. It's the information they are reaching
for that is the other half, and the second factor of any
authentication scheme only deals with who is allowed in or not.
That leaves the information itself still unprotected.
I just offer, you know, earlier, in the earlier panel, the
question on SB 1386 came up. I share with you, that's probably
been one of the more successful legislations in terms of focus
because it drove focus on information and how do you protect
information. It is a given people are going to get in. The
question is, what access to what information do they have when
they get in?
If all you are doing is playing defense on the perimeter
and trying to keep people out, you are never going to win. You
have to offensively protect and encrypt the information on the
inside. And the threat in California of class action suit.
Every corporate executive understands that, especially in
California. So I just offer that identity theft, you can't be
stuck on just the identity authentication, it is the
information that must ultimately be protected. And anything
that I have seen that's been announced up to this point, even
yesterday with the ISP, only deals with half the equation.
Mr. Putnam. Well, I would like to give this panel the same
opportunity that the first panel had, and we will begin with
you, Ms. Westby, of giving any closing remarks that you think
are important for the subcommittee to have on the record,
answering any question you wish you had been asked or giving us
any other thoughts.
Ms. Westby. Well, I would just leave you with the thought
that there are some black holes that need to be addressed
beyond technology gaps. One is in the legal framework. There is
absolutely no legal framework or rules of law for how nation
states will respond to cyber attacks. There is no capability
for allied countries to work together to have some sort of
allied response.
In defense circles cyber defense is not a category. A
defense category is still land, sea and air, and we see cyber
as footnotes in presentations. It is also not an integrated
response capability. And we have to think beyond, when we are
looking at terrorist attacks and information warfare and the
potential attacks from other countries, we have to look beyond
our legal framework and think about how we can respond in a
situation that would involve nation state activity or require
coordinated action by other nation states.
Mr. Putnam. Thank you.
Mr. Conner.
Mr. Conner. Mr. Chairman, I want to thank you for your
diligence, support of these issues, and your forceful viewing
of the hearing on these issues. I would just ask that the task
force report on framework--I think this specific subcommittee
that did such good work on GISRA and FISMA and putting the
report cards out needs to go to the framework of assessment
that we are asking private industry to do.
I think part of the problem with the report card piece is
it's a different model than what private industries are doing.
So there's a gap between the two, and I think you would find
you would make much more progress on a benchmark and
measurements by using the [ISO] 17/7/99 standard that we
consulted with FISMA on to hold the departments and agencies
accountable and give them a reference for it, for the private
industries they deal with, whether it's DOE with utilities or
whether it's Commerce with banks or Treasury with banks.
So I would just offer that as a final comment.
Mr. Putnam. Thank you, Dr. Hancock.
Mr. Hancock. Mr. Chairman, thank you very much for today
and also for your continued leadership in the area of cyber
security. One of the things that I think are important to
realize with all of this is that we have a problem with
corporate governance. I think that's pretty much a given. I
think the secondary problem that we have also at the same time
is that we have to realize that as we continue to deploy
technology we continue to make the networks larger and more
complex, and with complexity comes the difficulty of trying to
secure it. And we are going to find in a very short amount of
time that the size of the Internet will double or triple, and
the reason we will do that is because of handsets and because
of PDAs and because of other types of portable devices that
will become enabled or Internet capable.
We will also simultaneously find the technology that is
invisible to us now, such as a refrigerator, will become an
important machine on the network. We know that some vendors are
working right now with appliance manufacturers to go back and
provide an Internet connectivity with different types of
appliances. So someone could turn your refrigerator off from a
remote location if they desired or hack it.
The result is that I think what we see is extortive
attempts by people now will change. I think that what we will
see is identity theft will change, where you will steal an
entire city block's worth of IP addresses and sell them off to
someone else. I think we are going to see the whole framework
of what is an identity theft and what kind of crime could be
committed with that change quite radically over the next couple
of years.
So I think there is a serious sense of urgency in terms of
how do you deal with the identity of both individuals,
applications and technology devices, so that we can probably go
back over--not just trace these back, but secure them and put
them in the proper technologies to make that happen.
Mr. Putnam. And, Mr. Schmidt.
Mr. Schmidt. Mr. Chairman, I also would like to thank you
once again, not only for your leadership, continued leadership
in this area, but also for Bob Dix, who as I jokingly told a
friend of mine one time as I was driving out of D.C. after I
retired, looking back in a rear window, at least Bob is there
to keep this fight going. I thank you for that.
Just a couple of quick comments, one relative to the
private sector and the government now. We have seen over the
past few years the changing of the guard, if you would, when it
comes to cyber security within corporations. Executives such
as, you know, Mr. Hancock and myself are now outside of the IT
organization. We have a special focus on cyber security, no
longer just an IT function, which I think is very important,
because it is more than just the technology.
Looking at the government side, I think there probably
should be some good reviews on how the government functions in
that regard. How closely, you know, are we still putting
security folks in the IT organization, working for CIOs and
somewhat handicap them in somewhat former fashions.
The other portion of it--and both the Secret Service and
FBI--we talked about information sharing. I constantly get
calls from people because of my law enforcement. background
asking me, well, who do I call in the city? Do I call the
Secret Service, do I call the FBI? Is it the Electronic Crimes
Task Force, the Cyber Crimes Squad? And the answer is not
whoever gives you the best service. There should be a much more
formal form of consolidation. If we have a cyber crime squad
with the FBI, an electronic crimes in the same city, they
should be part of a joint task force. And that would help solve
a lot of the sharing information issue, plus a lot of the
confusion in the private sector on who to call.
And last, as I mentioned, I thank you for asking me that
question about the two-factor authentication. We are poised
within the government to do something about the stronger
authentication piece, OMB's office. I think we can look at that
from a two-factor perspective, provide some perspective not
only for government employees, but also for the private sector
as well, be able to do your health care, you know a litany of
things that could be done that could make two-factor
authentication the normal way of doing business as opposed to
what we have seen up to now. But thank you once again.
Mr. Putnam. Thank you.
I want to thank all of our witnesses for their
participation today. Your testimony is further evidence that it
is so important for us to take immediate steps to improve our
cyber security throughout the Nation. In the event there may be
additional questions we did not have time for today, the record
will remain open for 2 weeks for submitted questions and
answers. We thank you all for your hard work and look forward
to continued progress for the remainder of this year and in the
next Congress.
The subcommittee stands adjourned.
[Whereupon, at 4:15 p.m., the subcommittee was adjourned.]
<all>
�