<DOC> [107th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:76310.wais] CYBER SECURITY: PRIVATE-SECTOR EFFORTS ADDRESSING CYBER THREATS ======================================================================= HEARING before the SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION of the COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED SEVENTH CONGRESS FIRST SESSION __________ NOVEMBER 15, 2001 __________ Serial No. 107-74 __________ Printed for the use of the Committee on Energy and Commerce Available via the World Wide Web: http://www.access.gpo.gov/congress/ house _______ U.S. GOVERNMENT PRINTING OFFICE 76-310 WASHINGTON : 2002 ____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800 Fax: (202) 512ÿ092250 Mail: Stop SSOP, Washington, DC 20402ÿ090001 COMMITTEE ON ENERGY AND COMMERCE W.J. ``BILLY'' TAUZIN, Louisiana, Chairman MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan JOE BARTON, Texas HENRY A. WAXMAN, California FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts CLIFF STEARNS, Florida RALPH M. HALL, Texas PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey NATHAN DEAL, Georgia SHERROD BROWN, Ohio STEVE LARGENT, Oklahoma BART GORDON, Tennessee RICHARD BURR, North Carolina PETER DEUTSCH, Florida ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois GREG GANSKE, Iowa ANNA G. ESHOO, California CHARLIE NORWOOD, Georgia BART STUPAK, Michigan BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York JOHN SHIMKUS, Illinois TOM SAWYER, Ohio HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland JOHN B. SHADEGG, Arizona GENE GREEN, Texas CHARLES ``CHIP'' PICKERING, KAREN McCARTHY, Missouri Mississippi TED STRICKLAND, Ohio VITO FOSSELLA, New York DIANA DeGETTE, Colorado ROY BLUNT, Missouri THOMAS M. BARRETT, Wisconsin TOM DAVIS, Virginia BILL LUTHER, Minnesota ED BRYANT, Tennessee LOIS CAPPS, California ROBERT L. EHRLICH, Jr., Maryland MICHAEL F. DOYLE, Pennsylvania STEVE BUYER, Indiana CHRISTOPHER JOHN, Louisiana GEORGE RADANOVICH, California JANE HARMAN, California CHARLES F. BASS, New Hampshire JOSEPH R. PITTS, Pennsylvania MARY BONO, California GREG WALDEN, Oregon LEE TERRY, Nebraska David V. Marventano, Staff Director James D. Barnette, General Counsel Reid P.F. Stuntz, Minority Staff Director and Chief Counsel ______ Subcommittee on Commerce, Trade, and Consumer Protection CLIFF STEARNS, Florida, Chairman NATHAN DEAL, Georgia EDOLPHUS TOWNS, New York Vice Chairman DIANA DeGETTE, Colorado ED WHITFIELD, Kentucky LOIS CAPPS, California BARBARA CUBIN, Wyoming MICHAEL F. DOYLE, Pennsylvania JOHN SHIMKUS, Illinois CHRISTOPHER JOHN, Louisiana JOHN B. SHADEGG, Arizona JANE HARMAN, California ED BRYANT, Tennessee HENRY A. WAXMAN, California STEVE BUYER, Indiana EDWARD J. MARKEY, Massachusetts GEORGE RADANOVICH, California BART GORDON, Tennessee CHARLES F. BASS, New Hampshire PETER DEUTSCH, Florida JOSEPH R. PITTS, Pennsylvania BOBBY L. RUSH, Illinois GREG WALDEN, Oregon ANNA G. ESHOO, California LEE TERRY, Nebraska JOHN D. DINGELL, Michigan, W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio) (Ex Officio) (ii) C O N T E N T S __________ Page Testimony of: Axelrod, C. Warren, Board of Managers, FS/ISAC LLC........... 17 Casciano, John P., Senior Vice President and Group Manager, Secure Business Solutions Group, Science Applications International Corporation.................................. 40 Davidson, Mary Ann, Director, Security Product Management, Oracle Corporation......................................... 30 Doll, Mark W., National Director, Security & Technology Solutions, Ernest & Young.................................. 9 Klaus, Christopher, founder, Internet Security Systems....... 35 McCurdy, Dave, President, Electronic Industries Alliance, Executive Director, Internet Security Alliance............. 13 Morrow, David B., Managing Principal, Global Security and Privacy Consulting Practice, EDS........................... 26 Schmidt, Howard A., Chief Security Officer, Microsoft Corporation................................................ 49 (iii) CYBER SECURITY: PRIVATE-SECTOR EFFORTS ADDRESSING CYBER THREATS ---------- THURSDAY, NOVEMBER 15, 2001 House of Representatives, Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection, Washington, DC. The subcommittee met, pursuant to notice, at 1 p.m., in room 2322, Rayburn House Office Building, Hon. Cliff Stearns (chairman) presiding. Members present: Representatives Stearns, Deal, Shimkus, Terry, DeGette, Doyle, Harman, and Markey. Also present: Representative McCarthy. Staff present: Ramsen Betfarhad, majority counsel; Jon Tripp, deputy communications director; Mike O'Rielly, majority professional staff; Brendan Williams, legislative clerk; and Bruce M. Gwinn, minority counsel. Mr. Stearns. Good afternoon. And welcome to the Subcommittee on Commerce, Trade, and Consumer Protection hearing on cyber security. You're welcome to sit down. I'm pleased that we are joined today by a group of distinguished witnesses and look forward to hearing their testimony. The witnesses today collectively represent the best minds on the issue of cyber security, and I'm confident they will help us better understand the issue and its increasing significance. In the aftermath of the tragic events of September 11 we as a Nation, it seems, have become obsessed with security, and that is understandable. So it is also understandable that our hearing today will also be colored to some extent by the events of September 11 and new worries over cyber terrorism. Still I do want to emphasize that the problems that gave rise to cyber security concerns predate September 11 and cyber terrorism worries. Most important, those problems have begun to increase in sheer numbers and magnitude in an alarming rate. Let me explain. In just over a year as a result of only three cyber attacks, the I Love You, Code Red viruses and February 2000 denial of service attacks in excess of $10 billion was lost. The number of cyber attacks as reported by the Computer Emergency Response Team at Carnegie-Mellon University is expected to double this year from last year to some 40,000. Now, a survey of 538 computer security professionals both within the government and private sector released this past March and conducted by the Computer Security Institute with participation of the FBI's field office in San Francisco, found that 85 percent of the respondents said that they had detected computer security breaches between March 2000 and 2001. Some 58 percent of those respondents had detected 10 or more incidents of vandalism, theft of information, financial fraud and denial of service attacks. Quite significantly, 64 percent of respondents had acknowledged financial losses due to cyber attacks or worse breaches of their information systems. Cyber attacks and breaches of our Nation's information systems are especially worrisome when we realize that most aspect of our daily lives from the mundane to the profane, are touched either directly or indirectly by various information systems storing, processing and exchanging information via the electronic medium, the most visible of which is the Internet. Just about everything we do involves the processing and exchanging of information electronically. Therefore, cyber threats to the Nation's information system, be they viruses, worms, denial of service attacks or something as yet not thought of must be taken very seriously. If there are attacks yielding substantial breaches of our Nation's information systems, not only will we face staggering financial losses, we will also face more instances of tragic loss of lives. As our information system infrastructure has become interoperatable, easy to access for sake of increasing efficiency and productivity, it has become more vulnerable to cyber attacks. The greater the degree of interconnection and interdependence between the various information systems, the higher the cost of disruption due to cyber attacks. The Internet has tremendously accelerated this move toward increased interconnectivity and ease of access to information systems. And as such, the Internet connection to an information system containing mission critical information, such as financial data and intellectual property, has become a frequent point of cyber attacks. The custodian of the Nation's information systems, the ones underpinning our economic welfare, is of course private industry. Companies large and small have historically made great strides in protecting their mission critical information operating systems. However, the cyber security challenges that they face have both increased in number and magnitude as the importance of information systems to our economic welfare has increased with the advent of the Internet. We'll hear today that private industry is rising to these new challenges, but there still is more work to be done. For example, even though the horrific events of September 11, 2001 have put additional pressure on companies to reexamine their security procedures and practices, according to a recent poll of 150 chief information officers by CIO magazine, almost 40 percent of America's larger companies still do not have cyber security experts on staff or under contract. Cyber security measures cannot be an afterthought when designing, operating and managing mission critical information systems. Since September 11, we have learned that terrorists do have the wherewithal to undertake the unexpected. Terrorists and their recruits also have grown up in the digital age and thus, most probably, possess the technical skills to undertake concerted and effective cyber attacks. And as the real and virtual worlds have become more closely intertwined, cyber terrorism can potentially engender greater pain and tragedy, and thus become more attractive to unscrupulous terrorists. I'll end by borrowing Ms. Davidson's most instructive words, ``The price of cyber security, as with liberty, is eternal vigilance,'' and as we all know, freedom is not free. With that, I'll turn to the ranking member of the committee, Ms. DeGette who is substituting for Mr. Towns. Ms. DeGette. Thank you very much, Mr. Chairman. And thank you for holding this hearing. In this time of uncertainty in our economy and in our country, these issues also face our business community. And I would echo very much of what the chairman talked about in terms of the integrity of our computer systems and our data in a time of terrorism, and the important role that private industry has to play in preserving the integrity of those systems so that we can preserve the integrity of our economy. I would like to talk an issue not raised by the chairman, because I do concur with so many of his statements, and that's the issue of identity theft. This is an issue that we've talked about for many months in this subcommittee and which is even more essential today with the terrorists that we're facing. An adequate cyber security in our commercial information system will increase the likelihood of identity theft. With the dawn of the information age companies collect, store and transmit large amounts of consumer information over computerized networks. Consumers rely on the security of these networks to protect personal data like Social Security numbers, unlisted telephone numbers, addresses, maiden names and information about their information. As we have heard during previous hearings of this subcommittee, if this type of personal security is compromised, any of the information can be obtained and used to steal identities of unsuspecting Americans. Therefore, the security of commercial information networks concerns all consumers and is another aspect of the importance of cyber security. Unfortunately--well, fortunately in one way but unfortunately in others, after September 11 we had thought that many of the hijackers of the airplanes on that day were using stolen identities. The fortunate thing was that in large part turned out to not be true, but yet stolen identifies were still used by some of terrorists in the September 11 attacks. At least one example that we know of was using the stolen identity of a deceased New Jersey woman in order to evade capture. And heaven knows how much this could happen in the future, and how difficult that would make apprehension by law enforcement agencies of suspected terrorists. It is essential that both the private sector and government work to eliminate unauthorized access to personally identifiable information, which is the source of identity theft. Unauthorized access to the commercial information systems can be overcome with cooperation, and that's one reason I'm particularly looking forward to hearing the testimony of our witnesses here today. Because as I've thought all along, this is not something that the government can work out in isolation, nor is it a problem that we should expect private industry to attack on its own. Mr. Chairman, we need to continue to fight the war against cyber terrorism on all fronts, including identity theft. And I look forward to working with you and also the other members of the committee and hearing from our distinguished panelists on this issue. And I yield back the balance of my time. Mr. Stearns. Thank you, gentlelady. Mr. Shimkus from Illinois. Mr. Shimkus. Thank you, Mr. Chairman. I want to thank you for holding this hearing, and you probably had mentioned to the panel, I'm glad to see you all here. We have a lot on our plate today with our bioterrorism hearing downstairs, our conference has called an airport security briefing at 1:15 in AC5, and now this. So if we're running back and forth, let me apologize for myself and the rest of my colleagues. Obviously, e-commerce and security are a big issue, and even with September 11 and the past, we will see an expediential growth, probably, in the use of facilities on electronic transactions. I actually had a meeting yesterday morning with the Postal Service, and their projections are now outdated because of how people will rapidly move into their realm, which means if it's an easy target, terrorists will attack easy targets. And if it's disruption of our commerce and communication, and the like, that's another aspect. So you all have been dealing with it in one way or the other. We know that you verified your threats, your vulnerabilities, and we would be interested in hearing what you're doing to protect yourselves and your clients. I will end with saying I don't know of security because of Ms. DeGette's statements, I don't know if security is just a cost of doing business. I do believe that, darn right, there should be a value added aspect of having good control over your own data bases and in protecting security; that should be beneficial in some aspects depending upon your business. It probably should not be considered just a cost of doing business, but there's probably some very good value added aspects, and if that is properly promoted that people can take advantage of. With that, Mr. Chairman, I think it's going to be a great hearing. I appreciate the panel being here. And be patient, we will get to you. Thank you. Mr. Stearns. I thank the gentleman. The gentleman from Pennsylvania, Mr. Doyle. Mr. Doyle. Thank you, Mr. Chairman, for holding this important and timely hearing on cyber security. The tragic events of September 11 demonstrate the willingness and capability of America's enemies to utilize modern communications mediums like the Internet and email to plan, organize and facilitate their attacks. And since that day we in Congress have examined a variety of proposals to strengthen and modernize both our domestic and international responses to terror. Legislation is in the works to ensure the safety of imported food, improve the safety of our airports and enhance our enforcement and investigative capacities. I think it's only logical that Congress should address the possibility that future attacks could likely exploit vulnerabilities in our cyber security systems, both public and private. Just as cyber security needs of essential government agencies such as the CIA and the Pentagon must be designed to prevent unwanted access to classified information, like intelligence directives and troop movements, private corporations need to ensure that personal information like Social Security or credit card numbers are not stolen by hackers looking to create false identities. After all, many of the hijackers on September 11 used fraudulent identification to carry out their evil business. In what may be a glimpse of the future, it seems now that one Federal agency is taking a proactive approach toward cyber security. An article that appears in the current issue of Defense News highlights the Pentagon's efforts to fight back against hackers by creating an active defense network capable of tracking hacker attacks back to their origin while covertly monitoring the source of suspicious attacks. According to the article, the agency predicts over 40,000 attacks on military networks by year's end, a figure that's up from about 22,000 in the year 2000. Back on my hometown of Pittsburgh we're fortunate to have one of America's greatest authorities or cyber security, the Center for Emergency Response Team or CERT of the Software Engineering Institute of Carnegie-Mellon University. CERT at SEI is a federally funded research and development center whose primary goals are to ensure that appropriate technology and systems management practice are used to resist attacks on network systems and limit damage and ensure continuity of critical services in spite of successful attacks. The center is the first to respond to computer attacks, such as the recent Nimba and I Love You viruses. According to CERT statistics, nearly 22,000 incidents of security violations occurred last year with over 34,000 recorded already this year. Clearly incidents of cyber attacks are on the rise in both the public and private sectors. I want to commend CERT and the Electronics Industry's Alliance for taking the initiative to form the Internet Security Alliance, a collaborative partnership that brings together industry and software experts to better address the growing need for timely, informative responses to cyber terrorism. I look forward to hearing from Mr. Dave McCurdy, the President of EIA and the Executive Director of the Internet Security Alliance about the efforts of this new collaboration. Legislators to executive, to Internet security technicians; we could all stand to learn a great deal from the Internet Security Alliance. As my colleagues are aware, this subcommittee has devoted a significant amount of time and resources aimed at providing members with a plethora of information relevant to online security measures and protection of personal information. We have listened to a range of testimony from experts who, in some instances, highlighted the need for strong protections guarding the access to and the unwanted use of personally identifiable information. I hope that this committee will soon take action to bolster to e-commerce activities of both the public and private sectors. Mr. Chairman, I thank you. I yield back the balance of my time. Mr. Stearns. I thank the gentleman. The gentleman from Georgia, Mr. Deal. Mr. Deal. Thank you, Mr. Chairman. Thank you for assembling this very impressive panel today, and I look forward to hearing your testimony. Like Mr. Shimkus said, it is a busy time and we may have to apologize for people running in and out, but we do so in advance and I hope you will understand that. It's a pleasure to see our former colleague, Mr. McCurdy. Nice to see you again, Dave. Mr. Chairman, you know, I'm like a lot of people, I wish for a simpler time. When I read Future Shock many years ago, like many of you, we probably thought it was science fiction and would never come to be. Unfortunately, that rush of the information age has truly crashed down upon us. I think of one of my colleagues in the General Assembly of Georgia who said that he lived in a small town, and to illustrate it was, he said it didn't even need turn signals on your car because everybody knew where you were supposed to be going and if you made the wrong turn, your wife would know about it before you got home anyway. We don't live in a world like that anymore. Unfortunately our lives are very tangled and confused in terms of who has control over our lives and who has control over information that's pertinent to us. And the security of that information, of course, is what all of us are concerned about. And it is a multifaceted issue, and I'm sure today we don't have time to deal with all of the facets of it. Everything from the issue of personal identification security and protection that has been alluded to the issue of the availability of law enforcement agencies to have access to information for purposes of their investigations, information that in normal circumstances might wish to be secure and protected. Now all the way to the issue of illegal immigration in our country, with some 7 plus million, many of whom are working in our country and presumably have somebody's Social Security number who don't know and we don't have the knowledge of what the implications of all of that is going to finally be when we sort it all out. I thank you all for being here today, and I look forward to your testimony, and also to the questions. Thank you, Mr. Chairman. Mr. Stearns. Thank you. The gentleman from Massachusetts, Mr. Markey. Mr. Markey. I thank the Chair very much for holding this very important hearing. Back in the 1960's the Federal Government went to AT&T and asked them if they would be willing to build a packet switch network for the United States. And AT&T said why would we do that, we already have a monopoly. We're not interested in the contract. And so, they then turned to IBM and asked them to build a national packet switch network, and IBM said why wold we do that? We have a monopoly. We're not interested. And so they turned to a company in Cambridge, BB&N and gave the contract to these very smart scientists at MIT to construct a packet switch network which while providing the role of being a scientific information sharing source of information, also had the additional advantage of providing a redundancy to the existing telecommunications network in the United States. The great fear was that there would be a preemptive attack upon the United States and they would bomb the AT&T national long lines that went right through the middle of the country, decapitating our national leadership. On September 11 the good news is that this brilliant invention of the scientists at BB&N did work. And even as Verizon or AT&T switches may have been effected, in fact the ability for packet switches to move information and reassemble it regardless of the course that was being taken at the point of destination was something that was really proof positive that the Federal Government in 1967, regardless of what the private sector might have thought about it, really did anticipate September 11. In addition, I'd just like to note, Mr. Chairman, that we as a committee and I think the Nation as well, has to divide the question. On the one hand we're all very concerned about identifying terrorists within our own country and we're willing to suspend some of the constitutional protections which we would otherwise ensure that everybody, even visitors to our country, were entitled to. And I think all of us, or most of us, at least are willing to suspend that. But we must divide the question between terrorist cells and corporate sellers in terms of the compromise of privacy information. You can't allow any change in attitude in our country to allow corporation America to begin to gain access to information within our country as though anything that happened on September 11 would justify it. So I look forward to this incredibly impressive panel of experts which you've brought here to us today, lead by our former very distinguished colleague, Mr. McCurdy. And I think it's going to be very helpful to us in understanding what policies should be adopted in the days and months ahead. Thank you. Mr. Stearns. I thank the gentleman. Ms. McCarthy, would you--are you prepared to---- Ms. McCarthy. I'd like to hear from the panel, and I'll put my remarks in the record. Mr. Stearns. Okay. By unanimous consent, so ordered. And Ms. Harman, do you have an interest in an opening statement? Ms. Harman. Thank you, Mr. Chairman, no. I'd like to hear from the panel. [Additional statement submitted for the record follows:] Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee on Energy and Commerce Let me begin by thanking the Subcommittee Chair, Mr. Stearns, for calling this hearing on cybersecurity and for assembling such a distinguished panel of witnesses. Let me also thank them, in advance, for their testimony. Recent events remind us how precious and essential security is-- something many of us previously had taken for granted. It is a basic component of our quality of life. Security also is an essential component of sound and successful commerce--particularly as it relates to the Internet and digital commerce. And I know that recent events have also increased scrutiny-- especially by the private sector--of this increasingly important slice of the security umbrella. The Internet is becoming a larger part of American life and a necessary instrument for American commerce. With more than 60% of Americans with access to the Internet and a great majority of American business interconnected, a certain level of Internet services are on the way to becoming ubiquitous. The success of Internet services and commerce depends directly on how security is handled by the private sector. For instance, how comfortable and confident consumers and businesses feel with how information is protected, is dependent on the level of security utilized by American business. Unlike national security issues, which are the responsibility of the Federal government, the structure of the Internet--primarily owned and run by the private companies--requires private sector innovation and leadership. We have seen the huge financial losses suffered by web viruses and worms. We have witnessed the losses by denial of service attacks. Successful cyber attacks can cost companies by disrupting service, exposing them to bad publicity, or manipulating or destroying sensitive company data. More importantly, successful attacks not only threaten the attacked company and its network but also the company's suppliers, partners, and relationship with its customers. It also effects the non-Internet- driven portion of the company. In essence, attacks create a certain domino effect, which sends economic harm cascading through businesses and Amercans' lives. In my opinion, the vast majority of American companies are doing a great deal to improve and maintain security in their networks and to ensure the security of information and materials they have. Even so, there are certain security vulnerabilities in the nature of the Internet and within the networks owned and operated by individual companies. There are some weak points in the inherent architecture. Networks of large American companies will always be targets of criminal attacks, whether by small time hackers or sophisticated terrorists. However, nobody should take away from this hearing the notion that there is a perilous state in the way companies protect their networks and information. Their ability to create cutting-edge protections against ever-changing threats is simply amazing. While more work must be done, much work has already been accomplished, just not spoken about--and understandably so. Companies are leery about highlighting how secure their networks are for fear of inviting determined attackers. I hope that some of today's panelists can speak to the work that their companies are doing to improve the security of their and their clients' networks. I hope they can elaborate a bit on recognition of the relevant issues, assessment testing, deploying necessary resources, and taking corrective measures. Moreover, as security becomes more of a necessity rather than cost-drag on industry, we need to know whether there is a sufficient market developing for solutions and products to improve the Internet security of all companies. I am also hopeful that this hearing will shed light on what vulnerabilities exist today, what steps are being taken by the private sector to address these vulnerabilities, and what role, if any, the federal government--specifically the Congress--can play to promote increased awareness and action on these issues. Mr. Stearns. Okay. All right. We do have, as all the members have pointed out, a full panel and Mr. McCurdy is, of course, a former member. And as sitting members we have great deference and reverence for former members. It's a tandem race. We show deference to them hoping that they'll remember us. But he has the wisdom of both being a Member of Congress and now on the other side. So, we're anxious to hear from him, and we welcome him, personally. Mr. Doll, I think what we'll do is start from my left and just come across. If each of you would just, in your opening statement, just give us your name and title and then we'll just after your 5 minute, we'll just keep moving down the table. So I welcome all of you. STATEMENTS OF MARK W. DOLL, NATIONAL DIRECTOR, SECURITY & TECHNOLOGY SOLUTIONS, ERNEST & YOUNG; DAVE McCURDY, PRESIDENT, ELECTRONIC INDUSTRIES ALLIANCE, EXECUTIVE DIRECTOR, INTERNET SECURITY ALLIANCE; C. WARREN AXELROD, BOARD OF MANAGERS, FS/ ISAC LLC; DAVID B. MORROW, MANAGING PRINCIPAL, GLOBAL SECURITY AND PRIVACY CONSULTING PRACTICE, EDS; MARY ANN DAVIDSON, DIRECTOR, SECURITY PRODUCT MANAGEMENT, ORACLE CORPORATION; CHRISTOPHER KLAUS, FOUNDER, INTERNET SECURITY SYSTEMS; JOHN P. CASCIANO, SENIOR VICE PRESIDENT AND GROUP MANAGER SECURE BUSINESS SOLUTIONS GROUP, SCIENCE APPLICATIONS INTERNATIONAL CORPORATION; AND HOWARD A. SCHMIDT, CHIEF SECURITY OFFICER, MICROSOFT CORPORATION Mr. Doll. Good afternoon, Mr. Chairman, and members of this committee. And thank you for this opportunity to testify before you today. I am Mark Doll, National Director of the Security & Technology Solutions for Ernst & Young with over 50 years experience working in cyber terrorism matters. Ernest & Young is a leading provider of accounting, assurance, and information technology services around the globe, with over 84,000 employees based in 130 countries. Today I'll discuss the need to assess risk and vulnerabilities of our critical IT infrastructure. Without being too alarmist, the focus on innovation and the lack of focus on security makes our critical infrastructure vulnerable to attack from criminals, hackers, disgruntled employees and, yes, terrorists. Whether it's via cyber attack, a worm, a virus; any of these things could wreak havoc throughout our interwoven IT reliance chain putting at risk our national security, the way corporate American conducts business and the way civilians and citizens conduct their lives. So what should we do? Effectively securing our corporate and critical infrastructure systems is no small chore, but we can't be paralyzed by the task at hand. We don't believe that there's any choice but to confront it. Already, however, positive steps are being taken, but more could be done to encourage companies, individuals, the government to address these vulnerabilities and tackle these hard issues. We need to first address the issues of authentication and authorization, interoperatability, recovery and validation. If we can focus on these concepts, we can take a positive step forward to improving the overall national security. What do I mean by these terms and what do these terms reveal? First, the term authentication refers to the ability to determine who is using a computer system. And authorization refers to what an authenticated individual is allowed to use or see on a system. Without an appropriate system authentication and authorization, we'll be unable to track and limit unauthorized individuals that might gain access to systems for a personal gain or cyber terrorism. Second, we need to simplify interoperatability. Interoperatability refers to the ability of systems to function seamlessly, regardless of operating system, application or hardware. Market innovation and competition has driven economic growth and you have tremendous increase in productivity. The same innovation and competition has, understandably, resulted in many proprietary protocols and has created an environment, a very complicated security design which has, in turn, led to security inefficiencies and vulnerabilities. As a result, it is costly and difficult for many organizations to implement truly effective security solutions. Today we must work together in a public/private partnership to simplify these protocols. Third, recovery. The term refers to the ability to correct system failures and catastrophes in a timely manner. Today, most companies are on their own when it comes to implement fail-safe systems and contingency plans. Many companies lack the necessary rigor and scale of recovery systems to respond to a national attack or cohesive cyber terrorism threat. Any consideration of cyber security must, therefore, take into account a national recovery system. Finally, validation. Securing our critical infrastructure should not be perceived as a problem that can be fixed simply by purchasing software or installing a firewall. Once a security application or process is put in place, it must be regularly monitored and effectively validated. Unfortunately, there are no common set of standards for validating the security of information systems. Instead, different countries, different individual industries and service providers employ different standards for assessing vulnerabilities and effectiveness of security solutions. This hampers efforts to conduct comprehensive risk assessments of network safeguards and controls across industries and applications. Service companies like Ernst & Young must then determine how to make these complicated set of standards work within a complex corporate environment while allowing innovation and growth. Any long-term discussion of IT security should, therefore, consider the need to harmonize these standard for validating effectiveness. In conclusion, critical IT infrastructure security raises difficult issues. Today's hearing is important and is welcome. The President in his Executive Order establishing a Critical Infrastructure Protection Board and the National Infrastructure Advisory Council hold promise. We need to work together in a public/private partnership to answer difficult questions and find effective solutions. Again, I appreciate the opportunity to outline what we believe will be some of the key issues of this security issue. And I'll be happy to answer questions. [The prepared statement of Mark W. Doll follows:] Prepared Statement of Mark W. Doll, National Director, Security & Technology Solutions, Ernst & Young INTRODUCTION Good morning Mr. Chairman, and thank you for the opportunity to appear before your subcommittee on the topic of security and private sector efforts to address cyber threats. I am Mark Doll, partner and National Director of the Security & Technology Solutions Practice for Ernst & Young LLP. Ernst & Young is a leader in providing accounting, assurance, and information technology services around the globe, with 84,000 employees based in 130 countries. While the Internet revolution has been occurring, Ernst & Young has been adapting to offer our clients a variety of assurance services aimed at securing their vital information and computer networks. I bring fifteen year's of experience working on IT systems implementations and corporate IT management. Today, my clients include many of the Fortune 500 and new and emerging companies. Of our 84,000 employees, over 1200 work specifically on security and IT risk matters, many of whom come to Ernst & Young from the United States military and intelligence communities. As a result of providing our services to numerous companies, Ernst & Young has a unique perspective on efforts to secure our country's critical IT infrastructure. Today I will suggest to you that recent events have brought to the forefront long-standing security risks and vulnerabilities throughout our nation's critical Information Technology (IT) infrastructure. In light of this, our nation now needs to work quickly and thoroughly--in public-private partnership--to assess these risks and vulnerabilities and implement effective security policies, not only to address today's problems, but also to prepare for tomorrow's unforeseen challenges. Security Has Not Kept Pace With Infrastructure Growth and Interdependency Corporate success has historically depended on the ability of management to control strategic business functions--product quality, management of physical plants, sales, and customer support--to stay ahead of competition. Today, technology has changed the traditional business environment, and is being used to increase productivity and enable the creation of non-traditional business relationships. Competitors are becoming partners, customers can now fulfill their own orders directly from supplier's inventories, and all organizations rely on telecommunications and information systems to manage the day-to-day operations of their businesses. Yet, as corporate America spent the last decade scrambling to react to and grow at the same pace as its competitors, it gave little regard to the ramifications of that growth. Internet technologies and new business processes created new markets, relationships, and unprecedented access to information systems, but it also created new risks to the security of those networks. Productivity and IT systems grew rapidly; but the security and controls around those systems did not develop at the same pace. This failure on the part of individual organizations to properly maintain the security of their IT systems could have a potentially disastrous ripple effect on our nation's collective security. Today, every business in America, every citizen who accesses the Internet, creates a portal into our vast interconnected system, creating not only a window through which information is gleaned, but also a potential door through which an attack on the whole system can be launched. Public and private sector organizations rely on many of the same IT systems to maintain productivity. Consumers and businesses today rely not only on their own ability to conduct transactions, but also on the reliability and availability of applications and infrastructure that are managed by others, including their customers, business partners, government, and other companies with whom they have no ``traditional'' business relationship. This has created a highly interdependent ``IT reliance chain'' of systems and businesses. What Is At Risk? Without being too alarmist, this failure to build security into our systems makes our critical infrastructure vulnerable to cyber attacks not only from terrorists, but also from criminals, hackers, and disgruntled employees. Such individuals often search for the weakest link within a system, sneaking in through a loophole in or between software or hardware systems. Once inside the cyber-perimeter of an IT system, a hacker is then free to disguise him or herself as a valid user, stealing confidential information or creating new vulnerabilities for others to exploit. Whether it is via a cyber attack, a worm, or a deliberately launched virus, a concerted effort could wreak havoc throughout the ``IT reliance chain,'' putting at risk our nation's security, the way corporate America conducts business, and the way citizens live their lives. Our nation depends on interlinked information systems to run our telecommunications, power, transportation, financial, and national security functions. Business transactions can only take place if the applications and IT systems on which they rely (i.e. software solutions that control manufacturing) are functioning appropriately. But no business is an island of itself. If our nation's critical infrastructure is unavailable, individual businesses will be unable to operate. Similar to a house of cards, if just one component of this chain were to come under attack, the whole network could be affected or, in the worst case scenario, fail. For individuals, even the most mundane tasks in life are dependent on the proper functioning of the reliance chain. We have become reliant on computer-controlled systems for banking, telecommunications, power, and also the vital systems that maintain our personal identities, and medical records. An attack on these systems would dramatically affect the American way of life we take for granted, putting at risk our ability to communicate with family and friends, access money, visit a hospital, or even light our homes. We are all highly dependent upon the near 100% availability of our country's critical infrastructure components. What Needs To Be Done? The security systems surrounding our critical infrastructure, specifically the information and communications networks, electrical power systems, gas and oil transportation and storage, banking and finance systems, transportation systems, water supply systems, emergency services and government services, must be properly managed. As you can imagine, effectively securing these systems will be a task of unprecedented proportions. But we must not let the size of the problem paralyze us. Already, hardware and software companies are institutionalizing efforts to proactively post known vulnerabilities and provide patches to their customers. Leading companies are moving quickly to assess vulnerabilities in their operational infrastructures. But we must do more to encourage companies and individuals alike to fix current systems vulnerabilities and tackle head-on the hard issues-- such as authentication, authorization, interoperability, recovery, and validation--required for critical infrastructure security. These are technical terms used by those of us in IT security industry to describe what are actually easy-to-understand concepts. Just as ``notice,'' ``choice,'' ``access,'' and ``security'' needed to be understood before policy makers could tackle data collection issues, ``authentication,'' ``interoperability,'' ``recovery,'' and ``validation'' need to be understood and debated if we are to move forward on a national cyber security program. 1. Authentication & Authorization--First, ``authentication.'' The term refers to the ability to determine who is using computer systems, how to make sure that individuals are actually who they say they are. ``Authorization'' is simply what an individual is allowed to use or see on a system. Without an appropriate system for authentication and authorization, we will be unable to track and limit unauthorized individuals that might gain access to systems for personal gain or cyber terrorism. 2. Interoperability--The second issue we will need to tackle if we are to ensure security is ``interoperability.'' Interoperability refers to the ability of systems to function seamlessly regardless of operating systems, applications, or hardware. We have today countless numbers of different protocols for operating systems, applications, and hardware. Each vendor has a proprietary interest in their protocols, including the organizations at the witness table with me today. This has created a dysfunctional environment of complicated interoperability between competing systems, applications, and hardware. This limited interoperability makes it costly and difficult for organizations to implement truly effective security solutions. 3. Recovery--Third, ``recovery.'' This term refers to the ability to correct systems failures and catastrophes in a timely manner, wherever they occur. Today, we rely on companies to unilaterally act to implement fail-safe systems and contingency plans. Although most have systems to restore a site, network or system failure, it is our experience that many companies lack the necessary rigor and scale of recovery systems to respond to a national attack or cohesive cyber terrorism threat. Any national consideration of IT security must take into account the necessity for a national program requiring and architecting a national recovery system. Admittedly, this will be a costly undertaking on the part of both corporate America and the government. 4. Validation--Finally, ``validation.'' Securing our critical infrastructure should not be perceived as a problem that can be fixed simply by purchasing the latest and greatest software or installing a firewall. Once a security application or process is put in place it must be regularly monitored and its effectiveness validated. This applies to all levels of security, including authentication, interoperability, and recovery. Unfortunately, there is no common set of standards for validating the security of computer and information systems. Instead, different countries, individual industries, application vendors, and hardware providers employ different standards for assessing vulnerabilities and the effectiveness of security solutions. This hampers efforts to conduct comprehensive risk assessments of network safeguards and controls across industries and applications. Services companies like Ernst & Young must then determine how to make all of these competing standards work within a complex corporate environment while allowing for innovation and growth. Any long-term discussion of IT security should, therefore, consider the need for harmonizing standards for validating effectiveness. Validation is, in my mind, the most crucial issue we need to tackle, for without it, we will not accomplish systemic change. Only by regularly assessing the effectiveness of controls around complex issues like authentication, interoperability, and recovery will we ensure that any quick fixes are working as intended. Public Private Partnership Is Necessary Clearly, critical IT infrastructure security raises difficult issues. Today's hearing is a step in the right direction. We need to work together, in a public-private partnership, to answer these difficult questions and deliberate on effective solutions. The Administration has issued a call to action to the private sector and government, through the President's October 16th Executive Order creating the Critical Infrastructure Protection Board (the ``Board''), to work together to develop standards and best practices necessary to secure information systems for critical infrastructure. Importantly, the Executive Order requires the Board to work with members of the private sector, including the audit community to, among other things, ``propose and develop ways to encourage private industry to perform periodic risk assessments of critical information and telecommunications systems.'' We look forward to working with the Administration and Congress on this important initiative. CONCLUSION In conclusion, the events of September 11, 2001, focused our country's attention on national security issues. It would be a mistake to focus solely on our country's outer security perimeter and overlook the security of our domestic IT infrastructure. We must work together to identify, prioritize and fix known vulnerabilities, as well as identify best practices to ensure the long-term safety and viability of the critical infrastructure on which our economy, citizens, and government rely. I appreciate the opportunity to be here this afternoon, and am happy to answer any questions. Mr. Stearns. I thank the gentleman. Mr. McCurdy? STATEMENT OF DAVE McCURDY Mr. McCurdy. Thank you, Mr. Chair. Again, thank you for the opportunity to be back on this floor. I lived on this floor for quite a whole, just around the corner. It's good to see my former colleagues. With your permission, I'd like my statement to be admitted in the record. Mr. Stearns. By unanimous consent, so ordered. Mr. McCurdy. And I'd like to just summarize, because having been on that side I know how important it is to get to the bottom line. There are a number of key points that I'd like to make, and I think this distinguished panel's going to raise a number of very good questions. Since the chairman alluded to it, I thought I would just give you one graphic. You cited the statistics from the CERT, as did Mr. Doyle. The progression on the security threats, the incidents, each one of these reports is an incident. I Love You was counted as one, the Malissa virus is counted as one. Last year over 22,000 this year at the progression it's currently on, will be over 40,000 separate incidents reported by the CERT. The important thing with that is the fact that the sophistication of those incidents is also increasing, but the knowledge necessary to perpetrate those attacks and bring back those incidents is actually declining. You no longer have to be a computer genius or, you know, some kind of geek to be able to go in and write software to get into these systems. A lot of this technology today and the knowledge is on the web. People can collaborate, and you see from a progression those with password guessing now to stealth advanced scanning techniques, automated probes and scans, worms, virus. So this in itself is a disturbing trend. And I'm going to save the last chart and, perhaps, take it up with a question, and that's the role of government versus the private sector. I think the threat is real. I think you know that. Many of us has been dealing with this long before September 11. Ms. Harman, knows. She actually sits on the three committees that I sat on; Intelligence, Science and Armed Services, and understands. It's not just a Nation, State, State actor environment. It's a number of individuals and organized crime and other efforts are out there to increase the risk. There is no such thing, and maybe some of my colleagues might differ, but I don't believe there's such a thing as Internet security or perfect security. If you want perfect security, you can be disconnected from the Internet. You could be totally isolated. But that defeats the purpose of the Internet. So if you want to be connected, then you're talking about risk management. And there a number of tools and efforts that need to be involved to provide that. The private sector can do a lot, not just in developing the tools and mechanisms, but improving the standards and best practices, which are management. And Mr. Doll mentioned that, but the important thing there is that this is not a U.S. centric technology. Mr. Markey gave us the Massachusetts' history of packet switching, but this is not a U.S. centric problem. This a borderless technology. It is global in nature, and therefore the risks are global. And it's important that we work on an international basis to provide solutions and reduce this risk. And the other point that I would make is that, you know, we witness it on a regular basis. Our country, maybe democracies are this way, but we're great at reacting. You know, after September 11 we had incredible forensic evidence and we were able to track these things; the terrorists and their movements and provide a great history. But we're not good in the proactive sense. And I think what we have to do in working with government is develop much more emphasis on developing those practices and standards that prevent and deter, and hopefully preempt some of these attacks. And I believe that the private sector can do that. The last chart that I was going to mention is one of your charts, not this committee's, but actually the government's. This is actually produced by the CHOW in the Department of Commerce, and it just shows you some of the organization. You saw the other day when Tom Ridge, our former colleague, was sworn in they showed the jurisdictional chart of the 41 agencies that he was involved in. Well, this is for Critical Infrastructure Protection and this chart, too, can kind of drive you crazy. The public/private partnerships in this are down here in the corner, down here. But I would submit that it's the public/ private partnerships in the private sector that's going to do the most to provide the real protection. The government role is simple: Should take steps and encourage efforts to increase the IT investment, work with CIOs and give them resources to improve the security of the systems of the Federal Government, but then work with the private sector to help establish these best practices and standards and help the industry to see the benefits of further responsibility and accountability at the board level to ensure that there's auditable standards and practices are in place. And last, Mr. Doyle mentioned Carnegie-Mellon. We are pleased with the establishment of the Internet Security Alliance joint venture with 2300 member companies of EIA and Carnegie-Mellon. It's more than just an FFRDC. In order to expand its reach, to leverage the incredible talent and resources, they need to build their private side of the house in a nonprofit way, which is what ISA's about, in order to get that information and that trusted network of over 40,000 people around the globe who provide over 99 percent of those incident reports. Those aren't generated by the government, those are private citizens around the world that submit those incident reports so that we can gain from that knowledge. And with that, I appreciate again the opportunity and look forward to our questions. [The prepared statement of Dave McCurdy follows:] Prepared Statement of Dave McCurdy, President, Electronic Industries Alliance, Executive Director, Internet Security Alliance Chairman Stearns, Ranking Member Towns, and members of the Commerce, Trade and Consumer Protection Subcommittee: I appreciate the opportunity to testify today on behalf of the Internet Security Alliance. I am deeply thankful to Congressmen Stearns and Towns for holding this informative hearing on the private sector's efforts addressing cyber threats. Since September 11th, the business community has become more security conscious than ever before. There is real alarm among companies concerning not only physical security but also cyber security, and with good reason. According to the CERT/CC at Carnegie Mellon's Software Engineering Institute the number of attacks on the Internet has increased at an exponential rate. The CERT/CC handled over 20,000 incidents in 2000 and are now estimating that they will now handle over 40,000 incidents in 2001. Each one of those ``incidents'' could ultimately bloom into Code Red or Nimda attack within hours of its detection. The threat is critical. Corporations and the government find themselves on the front lines defending the critical functions of the national infrastructure, as well as the assets of American companies. In addition, attacks are becoming more destructive, widespread and more difficult to contain. Consider the following information on costs of cyberattacks that businesses have faced recently. The Cost of Cyberattacks <bullet> SirCam: 2.3 million computers affected <bullet> Clean-up: $460 million <bullet> Lost productivity: $757 million <bullet> Code Red: 1 million computers affected <bullet> Clean-up: $1.1 billion <bullet> Lost productivity: $1.5 billion <bullet> Love Bug: 50 variants, 40 million computers affected <bullet> $8.7 billion for clean-up and lost productivity <bullet> Nimda <bullet> Cost still to be determined In April of 2001, Carnegie Mellon University and the Electronics Industries Alliance formed the non-profit Internet Security Alliance to advance the efforts of the private sector in the information security debate. You may know that the majority of the Internet, over 80%, is owned and operated by the private sector. Private sector leadership is essential to determining an overall strategy to increase the strength and survivability of the Internet. The Internet Security Alliance seeks to help in this endeavor As the Internet continues to ingrain itself as a linchpin of American business and with concern growing that the cyber environment is ripe for attack, industry now more than ever needs an independent, non-partisan organization that offers comprehensive, universal threat sharing and assessment, and collaborative solution development. We need to create a new paradigm for global information sharing to help companies that rely on the Internet deal with the growing threats to their continued success and growth. Furthermore, since 80 percent of technical vulnerabilities are common to all organizations, and misperceptions about robust security can lead even the most attentive security engineers to expose their systems to attack. Industry needs to develop universally recognized information security practices capable of being pushed down through supply chains so evolving Internet threats can be effectively mitigated and deterred. You are only as secure as your weakest link. The Internet Security Alliance is one of the few organizations working on behalf of industry to address these issues. With its international and multi-industry segment member representation and access to a network of more that 40,000 loyal systems administrators and security engineers who diligently report new threats and vulnerabilities, the Internet Security Alliance is redefining the concept of information sharing. On a near real-time, systematic basis, the alliance provides companies large and small with access to trusted and reliable information, solutions and decision support tools to help mitigate the vulnerabilities and emerging threats we are here to discuss today. Driven by some of the brightest security minds in industry and academia, the alliance has also begun work on a robust set of best practices that will serve as guiding principles for companies and their supply chains as they evolve their security policies and procedures. Our efforts enable companies to allocate their limited resources on other projects, such as deploying intrusion detection systems, firewalls, and raising security awareness within their company. Using the collective experience the Internet Security Alliance and its members, we can effectively promote sound information security practices, policies and technologies that enhance the security of the Internet and global information systems. Why is the private sector involvement so important? The Internet Security Alliance applauds the efforts of the current Administration in its dedication to raising the awareness of cyber- threats and cyber-terrorism. It's leadership on the recent cyber- attacks on Code Red and Nimda were invaluable to testing the true value of both private and public partnerships. On the government side, officials tend to view private sector participation as well as the agency involvement in terms of sectors or ``stovepipes'' (see attached chart for the government organization chart for cyber-security), therefore creating barriers to true information sharing. The private sector is critical of this approach and is looking for more inclusive participation from all sectors. In order to maximize the effectiveness of taking on the cyber-security issue, collaborations and communications should be cross-sector and horizontal to all companies and government entities (where appropriate). We are all facing a common threat with respect to cyber-terrorism and vulnerabilities and will need to work together in order to protect our most critical assets. International problem vs. U.S. centric problem: Cyber-Security The Internet knows no boundaries and is accessible from most parts of the world. As the Internet continues to be a tool that promotes the openness of ours and many other societies, it brings along vast risks and vulnerabilities. The Internet operates with no bias or cultural differences--it provides information and interaction. Since the concept of the Internet was based on the issue of trust, we can see the probability of its being compromised fairly easily. With that in mind, we would be foolhardy to not communicate with other nations on their experiences and potential remedies for cyber- attacks that have happened on their networks. Not taking into account the expertise of foreign security experts would put the U.S. effort at a severe disadvantage. In addition, if the U.S. is not inclusive of other countries in this global problem, we stand to weaken our resolve to protecting ourselves by operating with limited knowledge of potential threats. Proactive Measures vs. Reactive Response Finding solutions to cyber-security vulnerabilities and attacks has been historically reactive. Attacks happen, analyses made and a patch would be provided, if possible. We cannot continue to solve individual attacks on a case-by-case basis, while not addressing the larger problem. A better approach is to implement practices and policies that improve the protection of our networks by thwarting a higher percentage of attacks. In other words . . . becoming more proactive in our approach to cyber-security. By promoting practices currently in place for more security-focused companies and tailoring them for other sectors, additional protection could be provided. Many companies, especially medium-sized and smaller firms are vulnerable and looking for assistance in determining what security practices can help them better protect their systems. Private and Public Partnerships The security and survivability of the Internet depends on the cooperation between the private and public sectors. Congress should promote interaction between government and the private sector and should also address issues such as exemption from FOIA and anti-trust barriers. In addition, Congress can set a great example for the private sector by increasing the security of all government systems, which historically have been out-dated and have not met minimal standards for security. The Internet Security Alliance is able to act as a bridge between the private sector and public sector by promoting best practices and appropriate data sharing mechanisms. The Internet Security Alliance is also involved in the following activities: <bullet> Providing thought leadership on information security issues <bullet> Representing industry's interest on information security issues before legislators and regulators <bullet> Creating mechanisms that cause rapid development and implementation of information security practices, policies and technologies <bullet> Identifying and standardizing best practices in Internet security and network survivability <bullet> Creating a collaborative environment to develop and implement information security solutions <bullet> Promoting universal sharing of information and intelligence on emerging threats/vulnerabilities/ countermeasures <bullet> Information Sharing --Providing vulnerability catalog, threat alerts and analysis, executive communications, call center, trend briefings, economic impact analysis --Shaping and influence practices and resources at CERT/CC to meet the needs of industry <bullet> Best Practices/Standards --Establishing common benchmarks --Evaluating relevance of existing standards, define gaps and agree on relevant and uniform criteria for standards moving forward --Developing a Software Seal of Approval <bullet> Policy Development --Providing decisive influence on the public policy issues whether nationally or internationally --Targeting cybercrime and terrorism, privacy, information sharing, corporate responsibility and leadership on information security issues <bullet> Security Tools --Sector-tailored versions of OCTAVE<SUP>'</SUP> --Sharing of R&D expertise of Alliance members To summarize, only by combining the strengths of both the private sector and public sector on issues such as early warning detection and information dispersal, promotion of best practices, agreement over sound information security policies will we be able to turn the tide on the cyber-security threat facing our nation. The Internet Security Alliance is poised to represent and promote the needs and views of the private sector on cyber-security. We thank the committee for its interest and for allowing us to participate in this necessary and timely hearing. Mr. Stearns. I thank my colleague. Mr. Axelrod? STATEMENT OF C. WARREN AXELROD Mr. Axelrod. Thank you, Chairman Stearns, and members of your subcommittee for the opportunity to address you today on the very timely questions of what the private sector is doing to protect itself against cyber attacks, what it should be doing and how government might help. I would also ask for my written statement to be included in the record. My name is Warren Axelrod, I'm a Director responsible for global information security with the Pershing Division of Donaldson, Lufkin and Jenrette Securities Corporation, which is a Credit Suisse First Boston company. I'm also on the board of managers of the Financial Services Information Sharing and Analysis Center for the FS/ISAC. Today I will share with you my thoughts and suggestions on cyber security as someone who is an information security professional and a practitioner with more than a quarter of a century's experience as an information technology manager in the financial services industry. It's well known that with the relatively recent and rapid adoption of the commercial Internet, government and business have become increasingly dependent on a critical infrastructure over which they have little or no control. Largely due to this lack of control, we have see a proliferation of damaging computer viruses, worms, denial-of-service attacks and network and system breaches. With such an accelerating use of the Internet, the impact on commerce of unintentional network and deliberate acts of terrorism and compromise is greater each day. While thousands of new viruses and worms are created each month, relatively few cause significant damage. However, millions of scans of the Internet run each day by those seeking out weaknesses, only a very small percentage actually result in compromises. However, since the number of attempted attacks and the population of potential victims are both so enormous, even a very small rate of success has produced estimated damage in the billions of dollars per year. Since at this time deterrence is not sufficiently effectively and the pressure is on to expand services over the Internet, we are left with preventative measures as our best hope for reducing potential damage from cyber attacks. The greatest counterforce in this battle is, in my opinion, information sharing. Knowledge of new threats, newly discovered weaknesses and actual incidents gives organizations the opportunity to prepare for impending attacks or prevent exploitation by closing off known vulnerabilities. This is where the FS/ISAC comes in. The FS/ISAC is an industry funded product of Presidential decision directive 63 on critical infrastructure protection. PDD 63 required government agencies to partner with the sectors that make up critical infrastructure. The PDD additionally suggested that all critical sectors from ISAC to collect and analyze threat vulnerability and incident data. The U.S. Department of the Treasury is the partner of the banking and finance sector, and has been extremely supportive of the FS/ISAC. A key feature of the FS/ISAC is it allows members to submit information anonymously while insuring that submittals are from an authentic source. More recently, the banking and finance sector has ramped up several initiatives, including a crises management committee initiated by the Banking Industry Technology Secretariat and the Business Continuity Committee established by the Securities Industry Association. While I believe that the banking and finance sector has reason to be proud of initiatives that it has already put in place, there remains a considerable amount still to be done before we can feel comfortable with our state of preparedness. There are many ways in which Congress can help promote programs and processes to improve our defenses against cyber attacks and our ability to handle them. The willingness of industry members to share information, particularly about cyber incidents with other members of the ISAC would be much greater were there not the fear of infringing anti-trust laws. The ability of private industry to share security information with government depends very much on obtaining an exemption from the Freedom of Information Act, which would eliminate concern that damaging information would become available to competitors and potential attackers. Both of these items are central to the Critical Infrastructure Information Security Act of 2001 proposed by Senators Bennett and Kyl for which there has not yet been any inclusion in the legislative calendar. The proposal in the Act are key if we are to encourage a much broader sharing of important security related information. I would like to suggest to Congress that it revisits this issue and, if possible, accelerates litigation such as the Bennett Kyl bill. Similar legislation worked for year 2000 and it can work against cyber terrorism as well. We need the ability to pursue cyber attacks and prosecute them fully if we are to discourage others from attacking out networks and computers. I would propose that Congress consider legislation to further empower law enforcement to track down perpetrators. We also need reciprocal arrangements with friendly countries so that they will support these endeavors. I believe that the government should support the establishment of separate secured private Internets such as the proposed government network. I suggest that Congress encourage the development of these networks by providing appropriate and if necessary, authorizing funds to seed them. I would propose that Congress consider supporting programs to educate our people about the importance of maintaining the security of the networks and computers of our critical infrastructure. I would suggest that Congress consider funding a permanent information coordination center along the lines of that established for the year 2000 period, which was subsequentially dismantled. There should be a dedicated section in the center for cyber security. Finally, I would suggest that Congress support the development of a national strategy for protecting the Nation's critical infrastructure. I recognize that I am proposing a costly series of programs at a time when budgets are tight. However, the size of threats are very real and we must protect ourselves against them. It will be a long and bitter battle, but we must engage in it if we are to prevail. Mr. Chairman, again, thank you for the opportunity to present to you and your subcommittee. This concludes my statement. I will be happy to answer questions. [The prepared statement of C. Warren Axelrod follows:] Prepared Statement of C. Warren Axelrod, Board of Managers, FS/ISAC LLC I wish to thank you, Chairman Stearns, and the members of your Subcommittee on Commerce, Trade and Consumer Protection, for the opportunity to address you today on the very timely questions of what the private sector is doing to protect itself against cyber attacks, what it should be doing, and how government might help the private sector in accomplishing its goals. Mr. Chairman, you and your subcommittee members, show both foresight and insight in focussing your attention on protecting our critical infrastructure from cyber attacks against the computer systems and networks upon which the economy of the United States of America increasingly depends. You are to be commended for tackling this important category of risk to commerce at a time when the Nation is distracted by the tragic events of September 11th, an unresolved bioterrorism attack, and a war in Afghanistan. Just one week after the September 11th terrorist attacks, our computer systems and networks were hit with one of the most devious and sophisticated cyber infections to date--the Nimda worm. Nimda is an example of a new generation of malicious software, or malware, that spreads in many ways and is difficult to eliminate from infected machines. Perhaps the Nation's initial focus on the aftermath of the physical attacks, followed a short time later with a frightening anthrax scare, made Nimda appear less of a threat than it actually was. The impact of Nimda was also considerably mitigated by organizations having patched their systems as a result of the Code Red worm, thereby providing greater protection. However, many security professionals see this evolution in cyber-attack capability as a very disturbing and ominous trend. The timing of the Nimda attack is also noteworthy, since it was launched at a time when a number of major financial organizations were operating in less-than-ideal disaster recovery modes. This suggests the recognition by cyber attackers that their activities can be even more effective against targets that are already weakened. MY PERSPECTIVE I am a director, responsible for Global Information Security, of the Pershing Division of Donaldson, Lufkin and Jenrette Securities Corporation, a Credit Suisse First Boston company. Today, I intend to share with you my thoughts and suggestions on cyber security as someone who is an information security professional and a practitioner with more than a quarter of a century's experience as an information technology manager in the financial services industry. It is a great honor for me to represent the securities industry and I hope that my testimony will lead to measures that will help in some ways to protect our Homeland from the costly effects of cyber attacks. I wish to thank the SIA (Securities Industry Association) for their support in preparing for this hearing. As one of the founders of the FS/ISAC (Financial Services Information Sharing and Analysis Center) and a current member of its Board of Managers, I am firmly committed to the important role of information sharing in assisting the financial services industry in protecting itself from malicious cyber attacks. In the late 1990s, I co-chaired two SIA committees on Year 2000 contingency planning and event management, which provided extensive guidance for the financial services industry. I recently recounted those efforts to the industry to help deal with today's heightened fears, which are not much different from those preceding Year 2000. Over the millennium weekend, I served in the Cyber-Assurance National Information Center, representing the banking and finance sector. The Cyber NIC was located adjacent to, and continuously in contact with, the Information Coordination Center(a center established by the Federal government to coordinate across state and local governments as well as with industry sectors. I was with a group of private sector volunteers who were monitoring the condition of cyberspace during a time of great concern over potential cyber attacks. That apprehension was not unfounded. THE NATURE OF CYBER THREATS It is well known that, with their relatively recent and rapid adoption of the commercial Internet, government and business organizations have become increasingly dependent on a component of the critical infrastructure over which they have little or no control. Largely due to this lack of control, we have seen a proliferation of a whole variety of damaging creations and activities, such as viruses, worms, denial-of-service attacks and network and system breaches. With such accelerating use of the Internet, the impact on commerce of unintentional network and system breakdowns and deliberate acts of destruction and compromise is greater each day. Another way in which cyber malfeasance differs from physical acts of terrorism, is that location, cost, and fear of arrest and punishment do not seem to hinder or deter cyber terrorists. While thousands of new viruses and worms are created each month, relatively few make it from ``the zoo'' into ``the wild'' and cause significant damage. While there are millions of scans of the Internet run each day by those seeking out weaknesses, only a very small percentage result in actual system compromises. However, since the number of attempted attacks and the population of potential victims are both so enormous, even a very small rate of success has produced estimated damage in the billions of dollars per year over the past several years. Some forms of malware, such as viruses, are released onto the Internet by their creators and spread from system to system through the unknowing complicity of others, not unlike their physical counterparts. Modern viruses and worms frequently incorporate ``social engineering'' to get their unwitting accomplices to take actions, such as opening an e-mail attachment, that will propagate their payloads. The ``I LOVE YOU'' virus was a crowning example. Terrorist groups or hostile countries would not generally use viruses and worms to compromise an enemy's computer systems and clog its networks, since such attacks are not directed and could just as easily impact friends as enemies. Rather they would target specific Web sites or computer systems. We have seen that virus developers and activators (who are not necessarily the same individuals) tend to be out to undermine society in general or make a name for themselves among their peers. However, the damage from viruses to commerce and government can be very large, and measures are needed to reduce their impact, if not eliminate them entirely. Cyber attacks that are more directed can take several forms. Most commonly, the attacker will search for exposures in the software products and equipment that typically make up organizations' defenses and seek access into such systems by exploiting their vulnerabilities. When access has been gained, the attacker will try to gain control of the system as a so-called privileged user. Once in control, the attacker may destroy, alter or steal data (including nonpublic, personal consumer information), programs and other information assets, such as credit card numbers, or may change various features of the system, such as by defacing public Web pages. Alternatively, attackers may leave some program code in place to facilitate their own future access and potentially perpetrate a distributed denial-of-service attack on a particular Web site.<SUP>1</SUP> The targets of such attacks are determined in advance, and the attackers have to take specific actions (versus their passive role in the spreading of computer viruses) to carry out such an attack. --------------------------------------------------------------------------- \1\ In a distributed denial-of-service attack, the attacker will compromise a number, perhaps in the hundreds or thousands, of weakly- defended computer systems and turn them into ``zombies'' by depositing some program code on those systems. At a particular point in time, the attacker will instruct all the zombies to direct a flood of messages at a specific site, which is overwhelmed and taken out of service. --------------------------------------------------------------------------- It is because cyber attacks can be hugely disruptive and costly that we are compelled to take protective measures. MEASURES THAT HAVE BEEN TAKEN In this section, I will discuss what measures have been taken generally, and, where appropriate, by the banking and finance sector in particular, according to the categories of deterrence, avoidance, prevention, recovery and restoration. Deterrence From an economic perspective, it does not really matter what the source or type of attack may be. After all, the damage can be much the same from a virus, worm, denial of service, or information destruction or theft, whether the perpetrator is a recreational hacker, terrorist, or hostile government or government-sponsored group. Indeed, internal staffs have initiated some of these same compromises, whether intentionally or not. However, from a deterrence point of view, there is a big difference. If the source is domestic, then there is a greater possibility of arrest and due process, whereas if the attacker is in a foreign country, particularly one hostile to the U.S., the chances of capture are much diminished, even when the perpetrator is identified. Law enforcement has tracked down quite a number of violators, but in general the risk of apprehension has been low and the punishment moderate. I think that we can safely say that deterrence generally has minimal effect and that the attacker population continues to increase rapidly, as can be seen from the continuing upward trend in the number of incidents and the increasing effectiveness of their weapons (i.e., viruses, worms, and other malicious programs). Avoidance The ease of use, global reach and low cost of the Internet have been major motivators for government and business, as well as for individuals, to move commercial activities to the Internet. With this growth, however, comes the increasing risk of cyber attacks. Even if it were desirable, which it generally is not, restricting the use of the Internet is difficult to accomplish, although many have stated that electronic commerce (e-commerce) has been significantly held back due to the lack of security, and hence privacy, for commercial transactions. In such situations implementing security measures is seen as enabling commerce in situations where consumers' information would not be protected adequately without the measures. Thus, it is possible to have a Web site certified by a third party. However, many customers are not aware of these certifications nor is there overwhelming evidence that customers choose one site over another because of certification. Many organizations use specialized software products to block employees' access to certain Web sites that they deem inappropriate. This tends to reduce the risk of accessing less well-protected Web sites that might be harboring a worm, such as Nimda. Similarly, organizations strip off specific attachments on incoming e-mail, such as those with file names with ``exe'' extensions, which are more likely to harbor viruses and worms. There are signs that private Internets may be considered an answer to cyber security in some situations, as with the recent call for a private GovNet by Richard Clarke, recently-appointed chairman of the President's Critical Infrastructure Protection Board. Avoidance served to reduce risk considerably during the Y2K date transition period. Over that weekend, in particular, many companies shut down their Internet connections, and took their computer systems off line. There were also fewer aircraft in the air and many, who would normally be out celebrating such an occasion, were at work monitoring their organizations' computer systems and networks. While difficult to quantify, such tactics may well have resulted in far fewer incidents than might have been expected. Prevention Since, at this time, deterrence is not sufficiently effective, and the pressure has been to expand services over the Internet rather than restrict them, we are left with preventative measures as our best hope for reducing potential damage from cyber attacks. The principle behind prevention is to identify and block cyber attacks as they happen using technologies such as routers, firewalls and intrusion detection software. E-mail is scanned for pre-specified words and phrases and those items that appear suspicious are quarantined. Commercial software is ``patched'' with the latest ``fixes'' to eliminate known vulnerabilities, which might otherwise be exploited directly by a hacker or through a virus or worm or similar piece of self-generating malicious software. If the world of cyber threats were static, then the above measures would eventually eliminate risks due to those threats. However, that is not the case. As mentioned above, there is a constant torrent of new dangers, and the government and business worlds must struggle to keep up with them. The greatest counter-force in this battle is, in my opinion, information sharing. Knowledge of new threats, newly- discovered weaknesses, and actual incidents that have happened to others in their industries and elsewhere, gives organizations the opportunity to prepare for impending attacks or prevent exploitation by closing off known vulnerabilities. This is where the FS/ISAC comes in. The FS/ISAC The FS/ISAC was a product of Presidential Decision Directive Number 63 (PDD 63) on Critical Infrastructure Protection, dated May 1998. PDD 63, which incorporated President Clinton's critical infrastructure strategy, required government agencies to partner with the sectors that make up the critical infrastructure. The PDD additionally suggested that various industry sectors form Information Sharing and Analysis Centers, or ISACs, which would collect and analyze threat, vulnerability, and incident data. The U.S. Department of the Treasury is the designated partner of the banking and finance sector. Treasury has been, and remains, extremely supportive of the FS/ISAC. Treasury Secretary Robert Rubin was very encouraging during the initial stages of the critical infrastructure effort for the banking and finance sector and Treasury Secretary Lawrence Summers officially launched the FS/ISAC on October 1, 1999. With almost 50 full-time members and another 50 firms in a trial program, the member companies of the FS/ISAC membership account for the processing and protection of perhaps 80 percent of the financial assets handled by U.S. financial institutions. The FS/ISAC provides warnings of threats and vulnerabilities, up-to-the-minute notification of incidents as they unfold, and helpful advice as to how to avoid or prevent threats from turning into disasters. It does so according to a unique model, which I will now describe. The FS/ISAC derives its information from many sources, including government agencies. Members are expected to report security information or experiences to which they are privy. This information can be submitted anonymously or can be attributed, at the member's discretion. While, for anonymous submissions, the FS/ISAC does not know the originator of the information, authentication technologies ensure that the submitter is actually with a member company. The FS/ISAC analyzes incoming information with respect to validity, importance, timeliness, and severity. If the submission passes muster, it is then ``scrubbed'' to remove all indications of the source (unless it is expressly permitted to reveal the source), and notifications, with warnings as to their urgency, are disseminated to members via e- mail, pager, telephone or fax. Unfortunately, over the past two months, members have received distressingly many alerts marked crisis or urgent. Redundancy, Recovery and Repair Despite best efforts, it is not always possible to prevent cyber threats from succeeding, so that a number of incidents of varying severity do occur. In most cases, security compromises or breaches can be quickly resolved through the use of alternative on-site networks and systems, while the compromised systems are being repaired. For this to be possible, suitable redundant facilities need to be planned and installed in advance. If a cyber attack renders a site unusable, an organization must turn to its business continuity and/or disaster recovery plans as well as its crisis management capabilities in order to operate in recovery mode at a different location. It should be noted that a location can be rendered unusable if, for example, a cyber attack were to take down other parts of the critical infrastructure, such as the electrical power grid or telecommunications network. In financial services, many companies had developed contingency plans for Y2K. It was reported that a number of firms located in and around the World Trade Center invoked their Y2K plans in response to the events of September 11th and that the devastating impact of the catastrophe on firms was considerably less because they were better prepared. Since then, the banking and finance sector has ramped up several initiatives, including a crisis management committee initiated by BITS (Banking Industry Technology Secretariat) and the Business Continuity Committee established by the SIA. As mentioned previously, the SIA had played an important leadership role in Y2K contingency planning and established a command center in New York, with which I was able to communicate from Washington over the Y2K weekend. The financial services industry, in particular, has developed extensive contingency plans, due to the criticality of their operations to the economy and from having to meet strong legislative and regulatory requirements. WHAT STILL NEEDS TO BE DONE While I believe that the banking and finance sector has reason to be proud of the initiatives that it has already put in place, there remains a considerable amount still to be done before we can feel comfortable with our state of preparedness. Information Sharing The FS/ISAC model for the sharing of cyber security information has been adopted by a number of other critical sectors at home and by several countries internationally. In addition, the FS/ISAC has had discussions with these and other ISACs regarding the sharing of cyber security information, while still maintaining anonymity of the source when desired. The goal is to have a global network of ``friendly'' ISACs to leverage the advantages of a broader reach and a larger population of incidents from which to derive patterns of activities that might lead to an attack. The FS/ISAC receives information from many government agencies, including intelligence and law enforcement, and disseminates it among its members. Unfortunately, it is not yet feasible to return the favor and provide government with information that the FS/ISAC has obtained from its membership, since there are antitrust and freedom-of- information issues that need to be resolved. I feel strongly that the broadcasting over the Internet of information about vulnerabilities by those who think that they are benefiting mankind by forcing software vendors to strengthen their products is misguided and damaging to the information infrastructure. For example, the Code Red virus appeared just a couple of weeks after a security expert had posted a notice on the Internet about a specific vulnerability in a particular piece of Web server software for all to see. His rationale was that the particular software vendor had not responded to his exhortations to fix the problem. Code Red resulted in possibly billions of dollars in lost business. How much better would it have been if the network of ISACs had been informed and had distributed the information on a need-to-know basis to its members? In fact, members of the FS/ISAC had received prior notice of an update to the software in question that, if applied to their systems, avoids the effects of this particular virus. Outreach, Education and Training There is a clear need for reaching out to the general public, educating them about cyber security and making them aware of reasonable precautions that they might take to limit the impact of a cyber attack. This should be done without arousing undue concern or revealing information that would not be in the national interest. There is a severe shortage of qualified information security professionals to handle the broad spectrum of knowledge and capabilities required in order to protect our government agencies and private businesses from the increasing threats to the computers and networks that make up the critical infrastructure. We need programs to educate and train the requisite numbers of individuals in the basics if information security and to provide on-the-job training for practitioners in related areas. Some private companies are already doing this, but security certifications of various types need to be encouraged so that more of those on the Internet have taken necessary actions to secure their system and network environments. A National Strategy It is key to educate the general public and those in leadership positions of the issues surrounding cyber security and its importance of sustaining the critical infrastructure. Several National Plans for ensuring the protection of the U.S. critical infrastructure systems have been written. One for government agencies was published in January 2000. Sector plans have been developed but not disseminated as yet. I worked on the draft of the Banking and Finance Sector National Plan for Information System Protection. These planning documents, or ones very like them, should be shared with industry leaders and the public and should become the basis for a National Strategy for Homeland Security, as it relates to cyberspace. At the moment the destiny of the National Plan documents is not clear. Prior to the establishment of the Office of Homeland Security, the Critical Infrastructure Assurance Office (CIAO) was coordinating the collection and aggregation of the plans from the various critical sectors. Research and Development One way to keep up with, and even get ahead of, cyber attackers is to develop tools with the ability to rapidly identify and block attacks, to determine vulnerabilities in deployed systems and networks, and to discern suspicious activities before they develop into full- blown attacks. An active, well-supported research and development program for cyber security should be initiated. The topics being researched need to have a strong practical bent and meet the needs of the private sector. Separate Networks The building of separate, restricted and highly secured networks, using the technology of the Internet but not being as accessible to everyone, is something to consider in the light of the risks in using a public, uncontrolled network environment. GovNet might be the first, but others should follow as the concept proves itself. Simulation Modeling As the complexities of modern economies become even greater, it is not possible for an individual, or group of individuals, to understand all the complicated interactions and dependencies of the various components on one another. This can only reasonably be achieved through the use of simulation models to express the interdependencies and provide the capability to examine what might happen if certain parts of the infrastructure were to fail or be brought down by a cyber attack. Contingency Planning, Incident Response and Crisis Management As mentioned above, the initial steps have been taken in the banking and finance sector to reconstitute the information coordination centers of the Y2K era, with their attendant contact lists, chains of command, and information gathering, analysis and reporting systems. Once communication, coordination, command and control capabilities have been established, it is important that they are maintained at some level on a round-the-clock basis into the foreseeable future and can be ramped up rapidly to full-scale operations when an incident occurs. RECOMMENDATIONS FOR CONGRESSIONAL ACTION There are many ways in which Congress can help promote programs and processes to improve our defenses against cyber attacks and our ability to handle them. Information Sharing The willingness of industry members to share information, particularly about incidents, with others members of an ISAC would be much greater were there not the fear of infringing antitrust laws. The ability of private industry to share security information with government agencies depends very much on obtaining an exemption, for this type of information, from the Freedom of Information Act, since that would eliminate the concern that damaging information would become available to the public, including competitors and potential attackers. Both of these items were central to the ``Critical Infrastructure Information Security Act of 2001'' proposed by Senators Bennett and Kyl, but which has not yet been included in the legislative agenda. The proposals in the Act are key if we are to encourage a much broader sharing of important security-related information. This would to lead to broader availability of much more valuable information and strengthen our ability to protect ourselves from cyber attacks. I would like to suggest to Congress that it revisits this issue and, if possible, accelerates legislation such as the Bennett-Kyl Bill. Similar legislation worked for Year 2000, and it can work against cyber terrorism as well. Deterrence We need the ability to pursue cyber attackers and prosecute them fully, if we are to discourage others from attacking our networks and computers. I would propose that Congress considers legislation that will further empower law enforcement agencies to track down perpetrators of cyber crime. In addition, we need reciprocal arrangements with friendly foreign countries so that they will support and participate in these endeavors. On a global level, it may be reasonable to expect a commitment of funds for law enforcement to counter cyber terrorism among the more prosperous and advanced countries of the industrial world. However, this may not be true of so-called Third World countries, especially those from which attacks emanate. Cyber terrorism coming from hostile countries requires special consideration and response. Avoidance I believe that the government should support, and subsidize where appropriate, the establishment of separate secured private Internets, such as the proposed GovNet network. I suggest that Congress encourage the development of these networks by providing appropriate support and, if necessary, authorizing funds to seed these initiatives. Outreach, Education and Awareness I would propose that Congress consider supporting programs to educate our population about the importance of maintaining the security of the networks and computers that constitute much of our critical infrastructure. Also, I suggest that the government should consider special programs, such as subsidizing college-level studies, to develop information security professionals. Research and Development While I am very much in favor of promoting research and development programs to come up with ideas and capabilities to improve our cyber security, I am concerned that such research might not result in a sufficient number of practical solutions. I suggest, therefore, that R&D programs be conducted with some industry representation so that the results meet the needs of real-world entities. This is an area for which the best use of funds is not obvious. Therefore I suggest to Congress that a study be conducted, in conjunction with the private sector, to ascertain the best way to generate new ideas in cyber protection. Simulation Modeling The development of simulation models that appropriately represent the critical sectors, their mutual interactions, and the impact of component failures is a daunting task. I am aware that Los Alamos National Laboratories and Sandia National Laboratories have done work in this area. I would recommend that Congress should support and encourage these efforts but that, before major commitments are made, the requirements of the models be determined by a working group that includes subject-matter experts from various critical sectors. Industry and government representatives should participate in the design process to ensure that the models are realistic and useful. Contingency Planning and Event Management I would suggest to Congress that it should consider approving funding of a permanent Information Coordination Center (ICC) along the lines of the one which was established for the Year 2000 period, and which was subsequently dismantled. A mix of individuals representing both government and the private sector should staff the ICC. Under normal conditions, the ICC would have a minimal level of staffing, but have the capacity to rapidly grow to full capability if an emergency is declared. I believe that there should be a dedicated permanent section of the ICC that focuses on cyber security, rather than the ancillary arrangement that existed during Year 2000. The cyber security group requires extensive and immediate access to top experts in the field as well as an advanced capability to continuously monitor activity on the Internet. National Strategy Finally, I would suggest to Congress that it should support the development of a National Strategy for protecting the Nation's critical infrastructure and that participants from the various sectors be included in the development of the plans in conjunction with representatives from assigned government agencies. CONCLUSION I recognize that I am proposing an extensive and costly series of programs to protect the Nation's critical infrastructure from increasingly dangerous and damaging cyber attacks, especially during a time of diminishing budgets. The cyber threats are very real, as we have seen in recent years, and we must protect ourselves against them. It will surely be a long and bitter battle, but we must engage in it if we are to prevail, which we must. Unfortunately, the impact of a very successful cyber attack can far exceed that of many of the physical attacks, which we have seen in recent weeks and about which we speculate. Mr. Chairman, I want to thank you again for the opportunity to present my thoughts and experiences to you and your Subcommittee. This concludes my prepared statement. I am happy to answer any questions that you and other members of the Subcommittee wish to ask. Mr. Stearns. And I thank you. Mr. Morrow. Just pull that mike right close to you. STATEMENT OF DAVID MORROW Mr. Morrow. Thank you, Mr. Chairman. Mr. Chairman and members of the subcommittee, thank you for the opportunity to testify before you today. My name is Dave Morrow, and I'm the Managing Principal for the Global Security and Privacy Consulting Practice of EDS. I have over 25 years of experience in the information technology field as a computer crime investigator, an IT security officer and an IT manager. I'm honored of this invitation to present to this subcommittee on EDS' views of the state of information technology security in U.S. industry. I will submit my full testimony for the record and summarize for you now. The tragic events of September 11 have brought many changes to our way of life. One of the changes are the physical security of public places such as airports and sports venues. We have witnessed a dramatic increase in the attention being paid to the security of what our Chairman and CEO Dick Brown has referred to as today's economic currency; knowledge and information. Over the past several years the frequency and severity of cyber attacks against both government and commercial infrastructures has increased dramatically. While many if not most of these attacks are relatively minor, such as website defacement and simply harassment, others are designed to cripple, damage or destroy the computer networks they encounter. For example, our own EDS network infrastructure detects and neutralizes over 20,000 viruses, worms and network attacks per month. Our economic system is based on trust; trust between trading and investing partners, trust between consumers and merchants, trust between suppliers and purchasers. If this sense of trust is damaged or destroyed, our economy would be crippled. Maintaining these trust relationships is one of the most important things we all can do to ensure the continued development and growth of our information economy. Since September 11, however, we have seen a great interest in expression of concern from corporate management and request for information from our clients about IT security. We've doubled those requests, especially in the areas of business continuity planning and overall security best practices. Tragic is a word and the events of September 11 have helped drive home the fact that security should be considered an essential investment rather than simply an expense to be minimized. Overall, however, I would characterize the state of IT security industry as poor and struggling to improve. While many Fortune 500 corporations focus a good deal of attention to security, many small and medium organizations, both in and out of government, still leave the bulk of the work of securing their systems to individuals who perform these critical tasks as an addition to their normal jobs and have little training to do so. According to the Federal computer incident response center, about 90 percent of successful attacks are caused by the lack of updated software patches, a task that is a basic to good security practice. A striking example of this can be found in the fact that the Code Red worm, which wreaked havoc on numerous corporate systems a few months ago, took advantage of computer vulnerabilities that had been identified and corrected by a software patch months before. Finally, while we have seen a laudable increase in spending on many aspects of physical security since 11 September, there appears to be little increase in funds allocated to strengthening the security of the commercial information infrastructure which fuels our economy. So what can be done? First, we can concentrate on developing a more coordinated program of industry/government cooperation that stretches beyond the critical infrastructures designated by PDD 63 to encompass a wider variety of companies and institutions. Also the legislation introduced by Representatives Davis and Moran is a good start. Second, we should increase incentives for companies to allocate the necessary funds to upgrade their IT security. Today's interdependent electronic economy, a failure of security in one area, can spread to encompass numerous other institutions in a very short time. Third, we should renew our emphasis on security research and development, especially in developing secure and stable software for our critical tasks. Finally, we should work together to continue to develop, expand and professionalize the cadre of IT security professionals practicing today. Currently, there are few widely accepted standards defining what an IT security professional knows and does. There's also a dramatic shortage of qualified IT security professionals. In closing, I would like to reemphasize what is perhaps the most important point of my testimony today. Security is not a static goal that we can ever fully achieve. Rather, security is a continual journey. There is no technical or procedural silver bullet that will magically solve all security issues. Rather, good security is a constantly evolving spectrum of processes, technical tools, policies, and human values that is continually changing and being updated to meet new threats and risks. Only by effectively emphasizing all aspects of this spectrum can we maximize the security and integrity of our national information infrastructure. Thank you again for the opportunity to share my thoughts with you today. I'll be glad to answer any questions. [The prepared statement of David Morrow follows:] Prepared Statement of David Morrow, Managing Principal, Global Security and Privacy Consulting Practice, EDS Mr. Chairman and members of the Subcommittee, thank you for the opportunity to testify before you today. My name is David Morrow and I am the Managing Principal for the Global Security and Privacy consulting practice of EDS. I have over 25 years of experience in the information technology (``IT'') field as a computer programmer and analyst, operations chief, security officer, investigator, and consultant. Prior to joining EDS I was a security consultant with Ernst & Young LLP and Fiderus Strategic Security and Privacy Services, a small start-up consulting firm. I also spent 13 years of a 22-year Air Force career as an investigator of computer crime for the Air Force Office of Special Investigations (AFOSI). When I retired in 1998, I was the chief of the computer crime investigations and information warfare division for AFOSI. I am honored for this invitation to present to the Subcommittee EDS' views on the state of IT security in U.S. industry. The tragic events of September 11 have brought many changes to our way of life. Along with changes to the physical security of public places such as airports and sports venues/arenas, we have witnessed a dramatic increase in attention being paid to the security of what EDS chairman and CEO Dick Brown has referred to as today's economic currency: knowledge and information. Although media attention to cyber attacks has increased in recent months, the fact is that commercial and government computers have been under daily attack for many years. However, over the past several years, the frequency and severity of cyber attacks against both government and commercial infrastructures have increased dramatically. While many, if not most, attacks are relatively minor, such as web site defacement and simple harassment, others are designed to cripple, damage, or destroy the computer networks they encounter. For example, our own EDS network infrastructure detects and destroys over 20,000 viruses, worms (programs that spread through a network by reproducing and transmitting themselves to other network systems), and network attacks per month. Over the past several years, cyber attack software such as worms, viruses, and hacking tools have become both more sophisticated and easier to use. A computer novice can now download and launch computer attack software as easily as launching a commonly used commercial product such as a word processing program. Although massive attacks against the national information infrastructure, the so called ``electronic Pearl Harbor'', have long been predicted and expected, such attacks have, for the most part, failed to materialize. In the current war against terrorism, however, the stakes have risen considerably. A massive, coordinated denial of service attack or a fast spreading program like the recent Nimda worm could have devastating effects on our economy, especially if the attack were designed to introduce random changes to various pieces of data on every system it corrupted, as opposed to simply slowing or halting the system itself. Our economic system is based upon trust--trust between trading and investing partners . . . trust between consumer and merchant . . . trust between supplier and purchaser. If this sense of trust were damaged or destroyed our economy would be crippled. Maintaining these trust relationships is one of the most important things we can do to insure the continued development and growth of the information economy. For many years, practitioners of IT security have worried about the lack of both a sense of urgency and priority for corporate IT security. Prior to September 11, companies often viewed IT security as a variable, discretionary expense that lacked a clear benefit to offset the costs involved. This was especially true in companies in nonregulated industries where no clear mandatory standards forced a minimum degree of security planning and structure. Since September 11, however, we have seen a doubling in requests for information about IT security, especially in the areas of business continuity planning and overall security best practices. Tragic as they were, the events of September 11 helped to drive home the fact that security should be considered an essential capital investment rather than simply an expense. Overall, I would characterize the state of IT security in industry as poor and struggling to improve. New technical vulnerabilities and threats, such as viruses and worms, are released on a regular basis. Many organizations, both in and out of government, still leave the bulk of the work of securing their systems to individuals who perform these critical tasks as an addition to their normal jobs. Because of this, critical security duties, such as making sure software is properly updated with the latest security patches, is a low priority, if it is done at all. The bulk of the problem remains rooted in a lack of continuing, process oriented attention to basic security principles such as good password practices, tracking and installing critical software patches, as well as user training and education on security basics. According to the federal computer incident response center, about 90% of successful attacks are caused by the lack of updated software patches. A striking example of this is found in the fact that the Code Red worm, which wreaked havoc on numerous corporate systems a few months ago, took advantage of computer vulnerabilities that had been identified and corrected by a software patch months before. The patch had simply not been installed in many of the machines. Another example can be found in the ease with which many web sites have been vandalized by exploiting well-known and documented flaws in web server software. Finally, while we have seen a laudable increase in spending on many aspects of physical security, there appears to be little increase in funds allocated to strengthening the security of the commercial information infrastructure which fuels our economy. While many companies are attempting to increase security on their own, the approach is piecemeal as there is no incentive from the government for companies to coordinate their efforts with their industry partners, suppliers, and customers. Such incentive is vital, especially in the current economy. What can be done? First, we can concentrate on developing a more coordinated program of industry/government cooperation that stretches beyond the critical infrastructures designated by Presidential Decision Directive 63 to encompass a wider variety of companies and institutions. Programs such as the FBI's Infragard are a good start, but more needs to be done to bolster the commercial sector's level of trust in the government. As an investigator of numerous network attacks, I can attest to the fact that coordinated information sharing among victims of an attack is essential to halting the attack and identifying the attacker. Companies should not be penalized for acting together for the common good. Legislation introduced by Representatives Davis and Moran is a good start. Second, we should increase incentives for companies to allocate the necessary funds to upgrade their IT security. In today's interdependent electronic economy, a failure of security in one area can spread to encompass numerous other institutions within a very short time. Security of all networks should be viewed as something we do for the good of society as a whole rather than as a discretionary cost to be reduced or eliminated when times are difficult. We believe that the 30 percent bonus depreciation provision included in the House-passed economic stimulus bill would be a big help in this regard. We also think measures that specifically target investments in security and technology, such as those introduced by Representatives Weller and Upton, would be very helpful. Third, we should renew our emphasis on security research and development, especially in developing secure and stable software for our critical tasks. A permanent extension of the research and development tax credit could be part of the solution here. Finally, we should work together to continue to develop and professionalize the cadre of IT security professionals practicing today. Currently, there are few widely accepted standards defining what an IT security professional knows and does. Given the critical role these professionals currently play in our society, we need to insure that we have only the best and most trustworthy individuals guarding our systems. As a last point, I would like to reemphasize what is perhaps the most important point of my testimony today. Security is not a static goal that we can ever fully achieve. Rather, security is a continual journey. There is no technical or procedural silver bullet that will magically solve all security issues. Rather, good security is a constantly evolving spectrum of processes, technical tools, policies, and human values that is continually changing and being updated to meet new threats and risks. Only by fully utilizing all aspects of this spectrum can we maximize the security and integrity of our national information infrastructure. Thank you again for the opportunity to share my thoughts with you today. I will be glad to answer any of the Subcommittee's questions. Mr. Stearns. I thank the gentleman. Ms. Davidson? STATEMENT OF MARY ANN DAVIDSON Ms. Davidson. Mr. Chairman and distinguished members of the subcommittee, thank you for the opportunity to address you today. I'm Mary Ann Davidson. I'm the Director of Security Product Management for Oracle Corporation. Oracle is the second largest software company in the world, and we are a large provider of secure information management systems to both commercial and governmental customers. A number of our customers are involved in national defense or intelligence activities. Information was on the ascendancy long before the horrific events of September 11 became seared into our national consciousness, and information security remains in our thoughts as we now move to strength our defenses. As ghastly as attacks on our physical infrastructure have been, how enticing would it be to our Nation's enemies to attack our critical infrastructure from cyberspace, where there are no borders, and evildoers can attack us from virtually anywhere, via a computer and a modem? The information security explosion began several years ago and has accelerated with the growth of the Internet, which has been good news for providers of secure systems and those who depend on them. As more companies have embraced the Internet, security has moved from an afterthought to an essential part of business infrastructure. In that sense, the commercial world is merely catching up to the U.S. Government in terms of the importance it places on information security. Prior to the Internet, the requirements for strong information security were almost solely driven a select set of ``professional paranoids,'' and I mean that kindly, such as intelligence agencies, the Department of Defense and financial institutions. These organizations have understood for years that information security is central to their operations; they are literally out of business without it. For organizations only recently joining the ranks of the security-aware, for example, by becoming ebusinesses, the threat that one's mission-critical systems-- now exposed to customers and partners--could be compromised has clearly elevated security on their radar screens. The good news in cyber security is that, while there is still no magic bullets--that's a popular phrase today--there are many steps that companies, whether they're suppliers or consumers of information technology, can take are taking to protect themselves. It's important to note, however, that both consumers and providers of information technology have responsibilities. Consumers of information technology have a requirement to make security a purchasing criteria. I'm sure you're familiar with the expression that if you don't vote, you lose the right to complain about the election afterwards. This is also true in security. If you do not make it a purchasing criteria, you lose the right to complain afterwards if you've been hacked. The other thing that consumers need to look for is independent attestations to the security-worthiness of a solution. And there are, in fact, international standards of what it means when you say you're secure. For example, the International Common Criteria, which is an ISO standard, lays out the requirements for vendors of secure products to have their solutions verified by independent third parties. That way it is not merely the vendor's say so that they are secure. And, in fact, no vendor will stand up and tell you that they have a security hole big enough to drive the QE III through. They'll all say that they're secure. The government has long recognized the value of independent third party attestations, and in fact there are directives which require people to procure products that have been independently evaluated, such as NSTISSP No. 11. I think it would be important to bring something like that, which I believe goes into effect July next year, forward in a post- September 11 world. It's also important for the government not to deviate from these requirements. Every time sometime grants a waiver on a Federal procurement, you're effectively saying we said security was very important, but we didn't really mean it. There are many vendors who do provide evaluated product, and I think it would be important for the government as a large consumer of secure information systems, to get what they pay for. Vendors, of course, also have many requirements to provide better cyber security. One of them is to commit to a secure product life cycle; that means everything from building security into your engineering process because you can't add it after the fact, to being very aggressive in treating security vulnerabilities and notifying a customer base when there are problems in our product suites. Commitment to standards is also important. The more that security is easy to work with and fits together cohesively, the more widely deployed it will be and the better it will work. By cooperation on industry standards, it will facilitate the delivery of secure products and it will give consumers better choices. You don't get good products in a monopoly market. The more that there are standards, the more strong security providers you can have, the more secure will be the result in systems. Vendors also have a responsibility to think like hackers. Hackers, 98 percent of whom really just want bragging rights when they break into your system, they don't intend to use the information maliciously. It's important for companies to use that type of thought processes to defend their own systems, very much like the Department of Defense conducts war games. Another requirement among vendors of secure systems is to join industry ISAC. As the expression goes, either we hang together or we shall all hang separately. And typically when someone does break into your system, they will try the exact same tact on someone else's system or someone else's product. So it's really important to cooperate. And I believe members of the ISAC are represented here today. In conclusion, I would like to remind you--I guess I'm quoting you Mr. Chairman quoting me--but as with liberty, the price of security is eternal vigilance. We all have a responsibility to pay attention to it and to continue to elevate it our consciousness. Thank you for your time. I'll be happy to answer any questions. [The prepared statement of Mary Ann Davidson follows:] Prepared Statement of Mary Ann Davidson, Director, Security Product Management, Oracle Corporation Representative Stearns, distinguished members of the House of Representatives: Information security was on the ascendancy long before the horrific events of September 11 became seared into our national consciousness, and information security remains in our thoughts as we now move to strengthen our defenses. As ghastly as attacks on our physical infrastructure have been, how enticing would it be to our nation's enemies to attack our critical infrastructure from cyberspace, where there are no borders, and evildoers can attack us from virtually anywhere, via a computer and a modem? The information security explosion began several years ago and has accelerated with the growth of the Internet, which has been good news for providers of secure systems and those who depend on them. As more companies have embraced the Internet, security has moved from an afterthought to an essential part of business infrastructure. In that sense, the commercial world is merely catching up to the US government in terms of the importance it places on information security. Prior to the Internet, the requirements for strong information security were almost solely driven by a select set of ``professional paranoids,'' such as intelligence agencies, the Department of Defense, and financial institutions. These organizations have understood for years that information security is central to their operations; they are literally out of business without it. For organizations only recently joining the ranks of the security-aware, e.g. by becoming ebusinesses, the threat that one's mission-critical systems--now exposed to customers and partners--could be compromised has clearly elevated security on their radar screens. The good news in cybersecurity is that, while there are still no security magic bullets, there are many steps that companies--whether they are suppliers or consumers of information technology--can take and are taking to protect themselves. Consumers of information technology need to be discriminating; they must make security a purchasing criteria, and hold vendors accountable through independent proof of information assurance. They must create a ``culture of security'' within their own organizations, so that security is not diminished by the ``weakest link'' of a careless or unknowing employee. Vendors of information technology need to cooperate on security standards to facilitate the growth of secure systems, and commit to a secure product lifecycle. Paradoxically, vendors need to both join industry organizations that share information about hacker threats, and embrace the same hacking techniques that expose so many security vulnerabilities (i.e. to detect and mend vulnerabilities in their own products and networks). In order for any organization to secure their infrastructure, they need to make security a purchasing criteria. Organizations must assess their security requirements--and not deviate from them--as part of system design. If security is not built into a product or system from the get-go, it is often impossible to retrofit it after-the-fact. Organizations also need to look at the total cost of securing a system, including assessing the lifecycle cost of security, such as how often they will have to patch their systems due to significant security vulnerabilities. While no product is bug-free, an ostensibly secure product, for which a vendor is constantly issuing security patches, is a sign that the vendor did not pay enough attention to security during design, and at some level does not ``get it,'' or care about security. More importantly, often the single easiest way hackers break into systems is through public vulnerabilities for which the patch has not been applied. A vendor issuing a patch per day or every other day for their product suite is, in effect, building insecure and unsecurable systems. Industry has begun to recognize the disparate cost of securing products (from competing vendors) through the pricing mechanisms of hacker insurance; products with comparatively poor security track records are priced at a premium relative to their more secure cousins by the companies offering such insurance. For example, one widely- deployed operating system carries a 25% risk premium relative to other commercial operating systems because of the difficulty in securing it. While the government ``self-insures'' against cyberattacks, the higher risk premium should serve as a signal to the government, as it does to the commercial sector, that a system is riskier and less secure to deploy. Lest we forget the stakes: it is impossible to put a price on national security. One easy measure of the security-worthiness of products is that of formal, independent security evaluations against objective criteria of ``what it means to be secure.'' There have been many such criteria emerging in the past 15 years, including the US Trusted Computer Systems Evaluation Criteria (TCSEC or ``Orange Book''), the UK Information Technology Security Evaluation Criteria (ITSEC), the Russian Criteria, and most recently, the international Common Criteria. The Common Criteria is an International Standards Organization (ISO) standard (15408), and as such, is the de facto worldwide standard for independent security evaluations. An independent security evaluation against the Common Criteria is mutually recognized by multiple countries, including the US, the United Kingdom, Germany, and most recently, Israel. This enables a vendor to create a single product ``acknowledged to be secure'' in many major markets. The US Federal government has already realized the value of independent security evaluations, as witnessed by the many Federal procurement programs (for example, in the Department of Defense) requiring that a product has completed a formal security evaluation. The National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11 requires (as of July 2002), that procurement of commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled IT products to be used on systems entering, processing, storing, displaying, or transmitting national security information be limited to those which have independent security evaluations (i.e. against the criteria outlined above, or the Federal Information Processing Standard (FIPS)-140, which attests to the correctness of cryptographic modules). Information assurance efforts are undermined by procurement efforts which bypass these directives. Each time a procurement waiver is granted that evades the requirement for evaluated product, it negates the value of information security, and the efforts of vendors who do comply with Federal directives. An independent security evaluation of a large complex product, such as a database server, represents about $500,000 of additional security quality control, by someone other than the vendor. Independent security evaluations are the ``good housekeeping seal of security,'' and customers of information security products neglect or negate them at their peril. As the saying goes ``you get what you pay for;'' the US Federal government, as perhaps the largest consumer of secure systems, must demand better security in their procurements and accept nothing less. An important factor in a strong cyberdefense is the level of awareness of the entire organization--not merely the information technology (IT) department--of the importance of security. The creation of a ``culture of security'' is a factor in any organization's cyberdefense, for the reason that you can never hire enough ``cyberpolice'' to secure your infrastructure without the cooperation and awareness of the users of the infrastructure. The best security policy in the world can be defeated by users who are ignorant of their responsibilities under it, or who deliberately flout security policies, much as an alarm system will not protect your home if you leave the door unlocked, or the spare key under the mat. Not every organization requires a culture of security on the order of the National Security Agency; yet every organization has secrets. Creating and enforcing security policies must go hand in hand with employee education and awareness. Most employees want to do the secure thing, but they need to know what it is. Industry associations such as the IT industry ISAC (Information Sharing and Analysis Center) finds multiple organizations unified against a common threat of cyberattack. Hackers have a nasty habit of repeating prior successes; as one discrete type of vulnerability is exposed, the hack is repeated through similar products from that vendor, or from other vendors. An organization that shares information about a threat to it, whether it is outright attacks on that organization's networks and systems, or a vulnerability in their product--even at the risk that the vulnerability will be used against it by a competitor--helps strengthen the entire nation's critical infrastructure. As the saying goes ``we must all hang together or we shall surely hang separately.'' Fierce business rivals can and are cooperating in industry ISACS, including the IT industry ISAC. IT ISAC alerts are part of the early warning system for cyberattacks; many of the companies whose products are the foundation of the nation's IT infrastructure are members of the IT industry ISAC. The cooperation of many vendors upon common security standards facilitates a secure infrastructure in several key ways. One of them is that a protocol that is well-defined and subject to peer review is, all other things being equal, more likely to be secure than one that is proprietary and shrouded in secrecy. ``Security by obscurity,'' the practice of hiding a product's security mechanisms and hoping someone cannot discover a weakness, does not work. Hackers are all too clever at reverse-engineering code and finding security weaknesses. If it's not secure under the light of day, it is not secure at all. Consumers of secure systems should seek security standards-compliant product, as it increases the chances that the security works, and will work with other related products. Another way in which standards facilitate better security is that it is easier for vendors to integrate security into their products; security is easier to deploy and more widely-deployed when there are common integration interfaces. Finally, the growth and adoption of standards goes hand in hand with market expansion, and this provide consumers of security-related products with greater choice of higher quality products. You just do not get good products in a monopoly market dominated by proprietary security mechanisms, or one in which security solutions are fragmented and do not work together. An example of this is the growth of public key infrastructure (PKI) a security technology with important applications including network encryption (e.g. via the Secure Sockets Layer, an Internet standard) and digital signatures, which can enable non-repudiation of electronic transactions. The PKI market has been slow to grow, because ``I'' is the operative word: deployment of a PKI requires major infrastructure changes in all products that use it, which has historically been expensive and difficult. Until recently, many vendors of PKI products and services were more concerned with pushing their proprietary technology than cooperating on standards, and growing the market. It has only been with agreement upon and adoption of standards that PKI has been broadly deployable. Private industry offers many specific cybersecurity technologies that can potentially enable us to better secure other aspects of our nation's critical infrastructure. For example, one of the lessons of September 11 is the necessity of sharing data among interested parties, real-time, while preserving ``need to know.'' At the same time, the needs of national security and privacy must be carefully balanced, so that the privacy of all is not compromised to identify the few who are malefactors. For example, ``watch lists'' could be compared against airline reservation databases, and only those matching records culled and labeled so that those with ``need to know'' could access them. Suspect names from intercepts from one entity could be centralized in a database, with selected access by other law enforcement agencies. The data, of course, needs to be labeled with appropriate security classifications and compartments, and may be relabeled real-time to facilitate information sharing among greater or lesser groups of law enforcement organizations, intelligence agencies and other parties with need-to-know. Commercial technology exists today from Oracle Corporation that enables multiple companies' data to be stored in the same database, ensuring that Company A only sees Company A's data, and Company B sees Company B's data. Data may also be accessed by both companies (for example, if they are trading partners), and can be natively labeled with sensitivity classifications (e.g. ``Company Confidential: A and B'') much like government classifications of fine granularity (e.g. ``Secret'' or ``Top Secret: Project X''). The ability of commercial off-the-shelf software to natively manage data ``owned'' by different entities, and label data with sensitivity classifications, allows both separation and sharing of data, real-time. We believe this technology to be even more valuable in ensuring national cybersecurity than it is for supporting hosted information systems, exchanges, and ``communities of interest'' on the Internet, where it is currently used. The practice of ``ethical hacking'' is being employed by many companies as a cyberdefense, much as the armed forces conduct wargames. The notion is simple: break into your own systems--or, in the case of software and hardware providers, break into your products--before someone else does. Learning how to think like, and act like a hacker makes it easier to build hack-resistant or hack-proof product. ``Lessons learned'' from hacking attempts can be used to educate IT professionals and product developers, as well as continuously improve engineering processes. Ethical hacking is an important weapon in a company's security arsenal. Ironically, the best cyberdefense for our infrastructure may be the hacking community itself. The vast majority of hackers merely want ``bragging rights'' among their peers for discovering a security vulnerability; they are not malicious with that knowledge. The more that hackers expose product vulnerabilities and contact the vendors whose products they so creatively break into, giving them time to address the vulnerabilities, the more secure the resulting product is. As much as no vendor likes hackers going after their product, we learn from them and we build better product because of them. It's not too far fetched to think that a ``cybercorps'' of hackers can measurably help secure the nation's critical infrastructure against the hackers of a malicious foreign power. There are no security magic bullets. Industry and government, consumers and purveyors of information technology: each must each do his part. The price of cybersecurity, as with liberty, is eternal vigilance. Mr. Stearns. I thank the gentlelady. Mr. Klaus? STATEMENT OF CHRISTOPHER KLAUS Mr. Klaus. Chairman and members of the subcommittee, thank you for giving me the opportunity to testify today. I'm the founder and chief technology officer of Internet Security Systems. I've been in security for about 10 years. And Internet Security Systems has grown to be a global company and pioneered in the area of intrusion detection, vulnerability assessment, finding a lot of the holes that are on the Internet today. And we put together a team we call X-Force. It's about 100 security researchers who do nothing but examine all the latest vulnerabilities proactively examining various vendors' products. We've worked with several companies that are here on the panel in terms of helping identify issues, working with them to correct a lot of security holes in their products so they can be more robust. And we have a data base of over 10,000 vulnerabilities and threats. So we're kind of like the CDC for computer vulnerabilities. I guess was looking to address, how have we changed since 9/11. I think, overall, companies are getting more serious about security, but I think there are some other factors that have increased the awareness of security. It's really been the automated attack tools out there, Code Red, Nimba that have proliferated and has had probably the most dramatic effect that I've seen in my history of security in terms of talking to companies where almost company I've talked to has been nailed by Nimba and has been infected all over their network. And one of the ramifications of that has been a shift in probably the leadership within the security groups of large companies. Probably a year ago or more you'd go into a company and you'd talk to them. And the person in charge of security was somebody whose real technical. He could explain the bits and bytes of security. In the last 6 months we've seen, you know, almost everybody I meet who is charge of security now is somebody who had nothing to do with security in the past, who was a business person focused in on solving the security issue for corporations. And it makes it easier for us, because we're able to talk with them and they're able to translate the bits and bites to getting more resources, putting in the proper policies, etc, for a lot of the companies out there. So we're seeing an increase within the priority of elevating somebody in terms of business. So it's happening on the private sector, and I think it's also happening within government where we're seeing like Richard Clark being in charge of security reporting up to the President. So that's all improvements. One of the things that, you know, there's a lot of people screaming ``security, security, we need more it.'' And I wanted to kind of just talk about, you know, how real is the security issue or how real is cyber terrorism. Last week I was with Howard Schmidt at a conference, and we talked about a lot of the security issues and how real are they. And I think a lot of the automated attack tools like the Nimba, were not designed to be that bad. They were bad, they speak all over, they caused a lot of people to clean up a lot of machines, but realistically without much development cost. If you tried to add in some additional malicious features like after 2 hours of being infected and trying to spread itself, someone could easily make a program to go out and try to erase the hard drives of not only the computer itself, but all the computers on the network. We're also seeing the capability of sharing very sensitive files. I think SirCam virus would email personal files off your computer to your friends without your permission. And I've had several friends that were like ``Oh, my God. I'm glad certain files did not get out.'' You know, it just happened that it was very limited in number of files. But with Nabster like program out there, even though Nabster itself is not as popular, there's been a ton of other Nabster like clones out there where if somebody wanted to, they could share lots of sensitive data across the Internet. And to that extent, it would probably take about 2 months to develop a much more malicious attack that utilizes the same capabilities of Nimba, Code Red. So it is very real in the potential that somebody could do that. Some of the other threats out there we've discussed, such as DNS attacks. The domain name services. When you type in ``whitehouse.gov,'' it uses the DNS service to translate that into basically the IP address. It's like a lookup of all the addresses on the Internet. All the DNS servers, there's only 13 DNS servers that represent the core root of all DNS servers. So with 13 machines out there, somebody if they were clever, just like they could try and bring down the whitehouse.gov with a flood or a denial- of-service, you could attack 13 DNS servers and bring down the ability to look up addresses on the Internet. And if you can't look up addresses on the Internet, a lot of businesses are going to have trouble communicating with their other partners, etc. So that's an area that could easily be improved on. And also denial-of-service. We're seeing that, going back to consumers, most of the threat of denial-of-services actually originate from the fact that so many people are logging on to cable modems, DSL servers, DSL modems and the fact that they don't have a personal firewall or any protection on their home computer. And those computers are being infected or compromised in large numbers, and it's very easy to use 10,000 home computers on a cable modem to attack any network in the world and have a dramatic effect on their ability to do business. Some of the solutions out there that we're seeing companies starting to do. Penetration testing, security assessments. They call up and say, ``hey, how do I secure myself?'' And, you know, first up in any problem is first the assessment. And so many companies haven't done any kind of assessment. They're rolling out new ebusiness applications on their websites. We go into banks all the time where on the Internet you can get right in there and basically get into--if you want to talk about identity theft, you can easily steal all the data information right off their website. The other thing that was kind of surprising to me is about 2 months ago I was at a banking conference. And it was all the IT guys, the guys who really know what's happening in the banking infrastructure. And I was ``Like how many people here are doing any kind of around the block, 24/7 monitoring from a security perspective over their network?'' So if someone tries to break in and steal credit cards, would somebody notice. And everybody put their head down, because nobody was doing it. And then they looked around and said ``Oh, okay, I guess we're not alone in not monitoring the network.'' So with that, I said how many think within the next 5 years will you be doing monitoring around the clock? And they all raised their hands, and said ``Yes, that would be a good thing.'' So, there's a lot of things out there that people can be doing to improve security. I would say with government, the ISAC are a good movement forward. And I think that within government a lot of times I hear questions about should government regulate security, etc. Probably one of the things that we'd recommend is just working with government to make themselves a good example for others. Because a lot of international governments or governments outside the U.S. are saying what do we do about security and they would like to look to the U.S. Government as a prime example. And right now it's slowly turning around to become better. So, thank you. [The prepared statement of Christopher Klaus follows:] Prepared Statement of Chris Klaus, Founder of Internet Security Systems My name is Chris Klaus and I am the Founder of Internet Security Systems, known as ISS. ISS is the pioneer and leading provider of information protection solutions. We are headquartered in Atlanta with additional offices throughout the U.S. and international operations in Sweden, Italy, Belgium, England, France, Germany, Japan and Latin America. ISS is a trusted advisor to most large U.S. commercial banks and several government entities. Founded in 1994, ISS has experienced phenomenal growth as we have addressed the critical need for companies and governments to protect their information systems. Every day, Internet Security Systems stops criminal hackers and cyber-thieves by researching computer vulnerabilities and threats and offering a unique, proactive line of defense for an ever-changing spectrum of threats. More and more individuals are using the Internet for business-to-business warfare and corporate espionage, international cyber-terrorism, or to generally cause havoc and mayhem in our technology infrastructure. ISS dynamically protects online assets through development of the most current protection products available and cost-efficient Managed Security Services. We also monitor networks and systems around the clock (24 x 7 x 365) from the US, Japan, South America, and Europe in our six Security Operations Centers and our Global Threat Operations Center in Atlanta. We search for attacks and misuse, identify and prioritize security risks, and generate reports and analysis explaining the security risks and what can be done to fix them. At the heart of our solution is our team of world-class security experts focused on uncovering and protecting against the latest threats. This team of global specialists, dubbed the X-Force, understands exactly how to transform the complex technical challenges into an effective, practical, and affordable strategy. Because of all of these capabilities, companies and governments turn to us as their trusted computer security advisor. the tragic events of september 11 have heightened awareness of the need for cyber security. protection is no longer a backroom discussion, and security is no longer something businesses are willing to consider after the fact. The threat of terrorist attacks against U.S. citizens and U.S. interests around the world has become the nation's most pressing national security issue. Even more likely are cyber attacks aimed at further disrupting U.S. interests and business, or sympathizers with general anti-U.S. and anti-allied sentiments. During the past five years, the world has witnessed a clear escalation in the number of politically motivated cyber attacks often resulting in embroiling hackers from around the world in regional disputes, this to the detriment of the corporations and government networks, specifically targeted or innocently attacked. Over the course of the last three months, hackers have launched sophisticated attacks, including Code Red II, Code Blue, and Nimda and the Nimda.E attacks. A 2001 industry survey conducted by ``Information Security,'' released on October 16, indicated that out of 2,100 respondents, an overwhelming 89% experienced virus, worms, or trojan breeches in the last three months. This is up from 80% a year ago, even though 87% of respondents had deployed anti-virus software. This indicates the importance of constantly managing the growing and changing threats on the Internet and the growing complexity of corporate and government networks. Moreover, the percentage of those reporting Web server attacks increased over the past year from 24% to 28%. These attacks cost the industry billions in lost productivity and system downtime. The writing is not only on the wall, it is on the front page of every newspaper in the democratic world, as well as on the minds of corporate officers and directors around the world. The network is the gateway to our assets, and it is the lifeblood of corporations and governments. Quite simply, it must be protected. The tragic events of September 11 have highlighted the need for increased cyber security. More attention is being paid to detection needed to ward off cyber terrorism. We are seeing this at a policy level here in Washington and in other governments that we serve around the world. The same trend is occurring in state and local governments. We are also seeing it on a demand level in terms of the number of inquiries that are coming into our business. As a result, we are engaging in much broader and more strategic risk management discussions, which include the network and the overall protection strategy for the network. Information is currency in today's global economy. Any organization with critical information assets stored on a network is at risk. The lone hacker may grab headlines, but industrial espionage, employee sabotage and simple disabling attacks actually constitute the vast majority of attacks against information resources. These incidents rarely make the evening news, but they add up to additional billions in business losses each year. We pay for these incidents through higher prices for goods and services, lower stock price valuations, increased insurance premiums for online business operations and consumer reluctance to adopt efficient, innovative online business opportunities. These attacks against information resources are a significant threat to our economic base and our national security. The unfortunate truth is that relatively few organizations are prepared to understand, let alone confront, the threats to information critical for normal business operations. Security specialists are in short supply, and command premium salaries. The cost of this expertise is out of the reach of many organizations. Meanwhile, the dollar losses continue to mount. It's no mystery how this situation has come to pass. The Internet is designed for rapid, simple communications. That's what allowed it to grow from an academic research network into the World Wide Web, and allowed everyone from individual users to multinational corporations to invent new ways to reach out to each other. Since security is not part of the Internet's fundamental design, it must be added after an application is written, a system is deployed and/or staff has been trained. In spite of increasing legal, financial and regulatory incentives to invest in security solutions, very few businesses focus on security as part of their core competence. Security measures, therefore, do not receive the attention that other, more profitable business operations demand. Tight budgets and overworked IT staff create an almost irresistible temptation to skimp on security until a crisis occurs. No one builds a house, then fits the doors for locks after a family moves in. No one adds tail lights and a horn to a car two weeks after it leaves the dealer's lot. And yet, that is exactly how we graft security onto our computer code. We need a more cost-effective means to protect the availability, integrity and confidentiality of electronic information. We need to make security part of the basic design of our information technology infrastructures. in responding to our customers to priority of protecting their information infrastructure, iss has developed a common system to manage threats and vulnerabilities across the entire threat spectrum. A resounding request from our customers is to deliver systems that incorporate the ability to monitor and protect a broad spectrum of threats across their desktops, networks, and servers. This simplification in the market is being driven by the customers needs to protect the environment with an effective system while understanding that the total cost of ownership is critical to enterprise deployment. Security is quickly evolving and consolidating into two key foundational elements: inclusion and exclusion. Inclusion represents the security products which allow users to access the resources of a network or a system. These products include authentication authorization and the associated technologies which enable these functions, such as directory management systems, PKI, Smart Cards, tokens, authentication interfaces like biometrics and other forms of authentication. The second element of security is exclusion, defined as how do I keep unwanted elements off of my system? ISS defines this as protection, and we are leading the way to incorporate a number of innovative technologies into a single common agent to protect the system from the vast array of threats, including threats from content, trojans, worms, denial of service exploits and ultimately misuse by trusted or unauthorized users. What is needed is better protection, less complexity, lower cost of ownership and 7 x 24 services to augment and assure the integrity of the network and the support of the internal security operations. The ideal solution is a single agent to protect a system from threats, as opposed to several different products from several different vendors, which are not integrated. To protect themselves from all threats and minimize their vulnerabilities, companies need systems that will prevent and detect security risks at every potential point of compromise on desktops, servers, networks, and gateways. Earlier this year, ISS unveiled the industry's first pervasive protection platform strategy. Our unique product, Real-SecureTM, converges intrusion detection, security assessment, active blocking, and malicious content and code protection capabilities to protect against the converging and broader threat spectrum. Last month, we announced the next major component of our protection platform known as Site-ProtectorTM. As a result of this unified product, customers will be able to control, monitor, and analyze their security protection systems from one central site enabling them to dramatically simplify their security management, reduce their total cost of ownership, and increase the scale of management across broader segment of the network. america has received a wake up call that cyber security is important and can no longer be ignored. ISS' vast experience with security breaches has caused us to realize how crucial a secure infrastructure is to the safety and security of our society. Computer security products empower organizations to proactively monitor, detect and respond to increasing network vulnerabilities and threats to enterprise information. These products provide the tools vital for protection in today's world of global connectivity. The public needs to be aware of the breadth of possible security breaches. Government can help realize this goal by focusing more attention and funds on computer security. This includes educating and training the human resources necessary to implement the necessary security measures. Our extensive experience has shown that computer crimes are increasing and will continue to do so. Web sites are an important tool in helping government be more responsive and effective, but they are often a target for computer crime. Web sites should be set up in a secure manner and protected once they are set up. Everyone must learn that protection of our National Infrastructure requires everyone to properly update and protect their system, much like using a seat belt before you leave the parking spot. Government must be seen as a leader in protecting its systems and in assisting corporate and private Americans to do the same. Unless the U.S. invests the necessary resources in this area, America's critical infrastructure will be at risk. Mr. Stearns. I thank the gentleman. Mr. Casciano, for your opening statement? STATEMENT OF JOHN P. CASCIANO Mr. Casciano. Chairman Stearns, Congresswoman DeGette and members of the subcommittee, I'm very happy to be here today to support your investigation into cyber security in U.S. industry. My name is John Casciano. I manage the Secure Business Solutions Group for Science Applications International Corporation, otherwise known as SAIC. As you may know, SAIC is the largest employee owned high tech company in the United States, about $6 billion in revenues. And we support both commercial and government clients around the world. With your permission I would like to submit my formal testimony for the record. Mr. Stearns. By unanimous consent, so ordered. Mr. Casciano. And I look forward to your questions. For perspective, I've been involved with cyber security matters for many years in both government and industry. I come from a background of 32 years in the United States Air Force where I had the privilege of commanding organizations that were responsible for developing and operating defenses against cyber attacks, some of which have been reported in the press. Things like Solar Sunrise and Moonlight Maze. I continue to be involved in Department of Defense cyber security issues today. For example, I served on the 2000 Defense Science Board Task Force on Defensive Information Operations and was also one of the handful of ``outside'' reviewers on last year's National Intelligence Estimate for Information Warfare threats. As I mentioned, today I run a business that is oriented in the commercial world. And as you know, for the last 5 years or so we've all exposed to reporting on threats and vulnerabilities to our information infrastructure, and I need not recount them here. Suffice it to say they exist, they are real and have had some impact on the privacy of Americans and on the conduct of American business in the information age. The thing that concerns me is that the security problems, if they are in fact reported at all, tends to be one or 2 day media stories and then they recede into the background, and yet the issues they raise are fundamental to American values and to the future of our way of life and, in fact, our prosperity as a Nation. They represent a legitimate constitutional concern as well as an economic security concern. Of course, there are lots of reasons cyber security hasn't risen to the level of public consciousness that I believe it deserves. First, it's difficult to understand what I call the-- it has a high geek factor. And second, it's not yet resulted in massive losses to individuals or businesses. The incidents of identity theft, release of private data, theft or proprietary information and impacts on the bottom line is apparently at a tolerable level for most people. Since our focus today is on business, let me make a couple of comments on the business response. First, many managers aren't really attuned to the problem. Part of the reason is the geek factor that I mentioned a minute ago, but part of it relates to the business case for investing in security. For many managers the problem is tossed to this chief information officer or to the technical staff to solve, but without the resources or the clout to implement and enforce strong security. Until cyber security becomes a CEO and a board of directors issue, it will not get the attention or the investment that it needs. In addition, except for some enterprises such as financial institutions, the business case for investing in cyber security either hasn't been made or hasn't been accepted. Every internal investment effects the bottom line, and that's certainly true of the cost of security. If losses due to poor security are generally tolerable, managers will limit their investment. Second, there's what I call the search for the magic black box, not the magic bullet, the single technology solution to the problem. It's my belief that there is not one there today, nor will there be in any future that I can envision. What needs to be better understood is that good security depends on three interdependent components: People, process and technology. If you don't combine all three, I think you are lacking. I think the national security community understands this, but I'm not sure that business in general does. The final comment that I'd like to make relates to the rule of government in supporting cyber security in business. First, I think government needs to set a better example of good cyber security practice. This should include steps to maintain and raise the information security posture in departments and agencies over time. They must maintain and expand funding for cyber security, and they need to encourage reasonable standards for security projects and processes. The recent grades assigned to government agencies by the Congress for their 2001 security responses are half grades and are very disappointment. Second, I think government needs to promote a favorable environment for cyber security. This includes steps to fund key research, more investment in training and education, and the granting of legal relief under the Freedom of Information Act, anti-trust and other regulations which currently impede industry cooperation in the planning and sharing of cyber threat and vulnerability information. Finally, I think there should be subsidies for cyber protection in industries that are especially sensitive to threats and which are probably least able to defray the cost for cyber protection. On balance, I'm cautiously optimistic, but much remains to be done. I look forward to your questions. Thank you. [The prepared statement of John P. Casciano follows:] Prepared Statement of John P. Casciano, Senior Vice President and Group Manager, Secure Business Solutions Group, Science Applications International Corporation Chairman Stearns, Congressman Towns, and members of the Subcommittee. I am pleased to be able to support your examination of cyber security in US industry and of how industry can effectively protect itself against cyber threats. This is a complex and multifaceted challenge. Today, I would first like to highlight briefly a few of the major threats and vulnerabilities related to cyber security for American businesses, and then discuss approaches the private sector can take at reasonable cost to increase its own levels of cyber protection and assurance. Finally, I'd like to address some steps the Congress could consider in promoting and encouraging an improved cyber security posture for US industry. For perspective, I have been involved with cyber security matters for some time both in government and in industry. During my 32 years of service in the US Air Force, I had the privilege of commanding both the Air Intelligence Agency and what is now known as the Joint Information Operations Center. In those assignments, I had responsibility for both the Air Force Computer Emergency Response Team and the Air Force Information Warfare Center, and had the opportunity to observe and direct the development of information technology capabilities for both defensive and offensive purposes in support of Joint operations. More recently, while on the US Air Force Headquarters Staff, I participated in developing and managing the response to the real world cyber attacks against the Department of Defense information infrastructure that came to be known as Solar Sunrise and Moonlight Maze. I continue to be involved in Department of Defense cyber security issues through pro bono work. For example, I served on the 1999 USCINCSPACE Summer Study on Computer Network Defense and on the 2000 Defense Science Board Task Force on Defensive Information Operations. I was also one of a handful of ``outside'' reviewers for last year's National Intelligence Estimate on Information Warfare threats. I retired from the Air Force in 1999, and for the last two and a half years have become involved in cyber security in the private sector, serving both government and commercial clients. Currently, I manage the Secure Business Solutions Group, the information security practice at Science Applications International Corporation (SAIC). SAIC provides diversified professional and technical services that involve the application of scientific expertise, and computer and systems technologies, to solve complex technical problems. SAIC is a Fortune 500 company with annual revenues of $5.9 Billion and over 41,000 employees, and is the largest employee-owned, high-tech company in the U.S. Within SAIC, the Secure Business Solutions Group provides clients with the full spectrum of information security offerings--consulting, implementation, education and training, and managed services. For many years, SAIC has provided support to the Department of Defense and several civil agencies--including support to the FEDCIRC Incident Reporting and Handling Services--as well as commercial clients. We developed and still have an interest in a commercial security firm-- Global Integrity--that created and operates the first Information Sharing Analysis Center, or ISAC, for the financial services industry-- as well as ISACs for global firms and for Korea. Today, nearly 40 per cent of my Group's business is for commercial customers concerned with protecting the security, integrity, privacy, and survivability of their business information and that of their clients. While the terrible events of September 11, 2001 have heightened all our concerns for security and are seen by many as defining the beginning of a new era in U. S. national security, the vulnerabilities--both physical and cyber--have been with us for quite some time. The whole trend toward globalization and the reach brought about by modern transportation and communications have eroded the sanctuary we Americans have enjoyed for over two centuries. These terrorist events have taken both a shocking human toll that we must never let the world forget and an economic toll that has been extremely disruptive to the American people and others around the world. One notable observation from these events is that the cost of entry for such attacks is extremely low. The cost to the perpetrators to plan and mount the attacks was probably less than a million dollars--certainly no more than a few million--while the human and economic consequences have been staggering. The impact of the losses to our economy alone is in the billions of dollars. For the last several years, we have observed the same low cost of entry for those who would disrupt or attack in cyber space, and the same disproportionate consequences for those who have been attacked. While the impacts of cyber attacks are difficult to quantify, largely due to the reluctance of businesses to report fully, or at all, for competitive reasons, we saw the stock prices of several large companies such as AOL and Yahoo fall significantly as a result of the Distributed Denial of Service attacks in 2000, and some estimates place the recovery and lost business costs at nearly $10 Billion. We have also seen the progress of E-commerce be impeded in recent years over concerns for the security and integrity of transactions, with probable significant impacts on our economic expansion and competitiveness. More recently, the NIMDA virus was detected and spread within a week of the terrorist attacks. I'm not suggesting a relationship, because we just don't know, but NIMDA represents a new, more dangerous class of virus that operates at a peer-to-peer level, infecting not just servers, but clients and even web pages. The losses from NIMDA-- measured directly in disrupted business and in opportunity costs of repair and reconstitution--may well have exceeded several billion dollars despite some early warning by the National Infrastructure Protection Center and the ISACs. The difficulty in attributing the sources of these attacks and in prosecuting them make them a special concern. The general sources of these cyber attacks are by now familiar, ranging from the ``recreational hacker'' on the low end to the more sinister perpetrators from international criminal and terrorist elements and nation-states. Following is a brief synopsis of these: <bullet> Hackers, Crackers, and Other Outsiders. These have been the most active source of background ``noise'' in the cyber environment. They include casual hackers who are often juveniles or ``hobbyists'' using scripted attacks and commonly available tools from the Internet and its many ``clubs.'' There are also professional level attackers who can design and mount novel attacks against protected targets using both a combination of commonly available tools and ``homegrown'' capabilities sometimes based on cracking encryption. Their purposes range from joyriding and ego gratification to criminal intent, where fraud or financial theft is the goal. Of interest, the 2001 CSI/FBI Computer Crime and Security Survey indicates among a sample of 186 business respondents that internet connections and outsider activities are now generating the largest source of attacks against the business information infrastructure, more numerous than those due to insiders. <bullet> Insiders. One of the most costly and dangerous human threats to business has historically been the insider, and this continues to be the case in the information age as well. Insiders have legitimate access to at least some of the business information resources and IT infrastructure of the enterprise, and often know enough of the company's technology, processes, and human elements to be in a good position to subvert them. They may act maliciously if they are disgruntled employees--sometimes destroying, corrupting, or locking out access to information. On other occasions they may use the system to embarrass the business to the public or use it for financial advantage for themselves and others if they are industrial spies. In every case, they are clear and present threats to the intellectual property, information resources, IT infrastructure, and the reputation of the business. <bullet> Terrorists and Criminal Elements. These may be foreign or domestic persons or organizations, and they may launch their attacks through cutouts and indirect network paths from overseas or from within the US. Terrorists resorting to cyber attacks may be advancing a political cause, using direct cyber action to advocate environmental issues; opposing globalization, or attacking modernism on fundamentalist religious grounds. In each case, for them, their end justifies their means. Dramatic, headline-grabbing disruption of the US economy is their goal, and US businesses, especially those that are large and have a global footprint or multinational operations, are attractive targets. Much of the current cyber terrorist activity is low level, to include web site defacement and temporary disruption of business operations. However, terrorism is an activity planned and executed by the alienated, and terrorists and their causes have increasing appeal to students here and abroad who have the skills to become serious cyber threats to business. Of particular concern is the possibility of a combination of terrorist attacks against targeted businesses, wherein cyber, physical, and anti-personnel actions may be taken. <bullet> State Enabled Threats. The most complex and difficult threat to combat for both businesses and governments is one that is sponsored and executed with the technology and resources that only a nation-state can bring to bear. Such attacks could be conducted with outsiders, insiders, proxies, or combinations of all three, using leading edge technologies to defeat commercial grade cyber security for even the best-protected enterprises. Businesses that would be logical targets for such attacks would be proprietors/ operators of our national infrastructures (e.g., telecommunications, transportation, energy/power, banking/finance, etc) or those large companies that provide key products and manufacturing (defense contractors, chip makers, etc). Unfortunately, the numbers of nations that could conduct such attacks against the US and its businesses are likely to grow, given the low barriers to entry in such warfare. This is warfare based on brainpower--readily available worldwide--and the weapons of choice are computers, fast becoming commodities. State-enabled attacks against U. S. businesses are both a national and economic security threat, and they require vigilance and response by the Federal government, and close cooperation by the business community. Malicious threats to the information and IT infrastructures of commercial enterprises seek to exploit vulnerabilities in business computer information systems. These vulnerabilities stem in part from worldwide business trends, paths in technology development, and operating standards which affect business processes and decision making: <bullet> Globalization. Business is going international as never before and is in a fierce worldwide competition for talent, resources, and markets. Time is money and to the swift belongs victory. Commercial attention is riveted on the business plan, the pursuit of core business, and above all on bottom line performance. Broad connectivity and numerous interfaces both within and without the enterprise are needed to thrive in the ``brave new world'' of globalization. However, cyber security imposes delays and additional costs of doing business, both of which are unattractive to business leaders responsible for customer satisfaction and the bottom line. <bullet> Open Processes. To cut business costs and improve responsiveness, businesses are connecting directly with suppliers and customers, sharing information, and even providing the opportunity for people and organizations outside the enterprise to access and input critical information on production and delivery, purchasing, and marketing. This integration via supplier and customer chains depends heavily on trust and constitutes an inherent process vulnerability, if not addressed by cyber security and other technical and operational checks. Of note, ``Information Week Research'' issued a study that was conducted this spring among 375 respondents, 67% of whom reported that supply-chain collaboration has increased in the last year. However, only 21% of 4500 security professionals surveyed worldwide by IWR indicate that security policies include procedures for partners and suppliers. <bullet> Wide Access. As global businesses concentrate on core competencies, they increasingly rely on outsiders in maintaining and supporting their administrative processes and IT infrastructures. Outsourcing is increasing steadily as a means to cut costs and gain additional business efficiency. Maintainer and outsourcer personnel, a constantly changing parade of names and faces, vetted in uncertain ways in many cases, have insider access to systems and information, and therefore the opportunity to do serious mischief to businesses. <bullet> Standard Architectures. Because of the continuing increase in desktop, workstation, and server computing power, the client-server architecture reigns supreme, increasingly supplanting mainframes. Client-server uses standard software in normalized configuration for operating systems and applications; industry-wide protocols for information sharing, display, and storage; and common approaches to design and implementation of system and subsystem interfaces for interoperability in communications and information exchange. Variations in information system design are shunned due to cost and support considerations, even though such variations increase the immunity of the business information systems to cyber attack techniques that target standardized architectures and designs. Over recent years, the losses to industry from cyber attacks have been real and steadily growing, drawing considerable media attention. The 2001 CSI/FBI Computer Crime and Security Survey reports a 41% increase in electronic financial losses among 186 business respondents compared to a similar sample for 2000. It is a fair question to ask why industry--with or without government support--has not done more to safeguard its information systems and the intellectual property contained within its information infrastructure, and to protect its bottom line. There are several apparent answers: <bullet> Many managers aren't attuned to the problem. Cyber security is a consideration for them, but the losses attributed to security lapses are tolerable for many; that is, they view them as part of the cost of doing business. To the extent that managers are attuned to it at all, they generally put the issue into the hands of their Chief Information Officer, who may not have the resources or operational clout to implement and enforce security solutions. The lack of senior management attention is further exacerbated by a failure in current accounting methods to attribute current real costs of losses due to cyber insecurity in business, and to assess the potential magnitude of future losses that could accrue as the cyber threat to business grows. <bullet> Poor cyber security performance by government. Starting with the federal government and extending to state and local levels, government ``talk'' about cyber security has generally far exceeded the resource commitment and management attention it has been willing to devote to the problem of protecting the privacy, integrity, and access to government information and information infrastructure. This judgment has been validated on an annual basis by the House Government Reform Subcommittee on Government Efficiency, which for FY 2001 has awarded government a grade of ``F'' for its overall cyber security posture. Two thirds of the agencies and departments failed based on the information they are required to provide the Office of Management and Budget. Here, the parallel with the business world is striking, as resources for security solutions are scarce and often considered a problem for the technical staff and not the operational leadership. Federal jawboning of industry on cyber security has led to a proliferation of advisory and coordinating organizations, but precious little in the way of practical technical support, tailored alerting/warning systems, security incentives, or subsidies to industry to improve cyber protections. In sum, government sets an uncertain example and has provided little help to industry in coping with cyber security issues. <bullet> The ``commons'' problem. Enterprise IT environments are growing, changing, and being used in new ways such as to resist system identification and configuration control. They contain an expanding number of real or potential vulnerabilities in their software, hardware, communications, internal/external interfaces, people, and processes. Moreover, they are frequently subject to decentralized control and resourcing. Everyone depends on them, but nobody owns them. Line organizations do not want to pay for IT, far less cyber security, because of the ``free rider'' problem in funding the IT ``commons'' and ensuring its security. Within a business sector, losses due to cyber insecurity may be tolerable if they are judged to be comparable to other costs of doing business, and especially if competitors appear equally affected by the same cyber attacks. The business case for cyber security so far is not well made in businesses outside the financial sector, which necessarily must lead integration of cyber security capabilities into its IT infrastructure based on historic experience with fraud, embezzlement, and theft. Government is waiting for industry to solve the cyber security problem technically, and is waiting too for its shrink-wrapped product solutions. Industry looks upon it as too big, too complex, and too diverse to tackle without government funding and legal relief from public information (FOIA) and anti- trust. The ``commons'' problem of cyber security will be dealt with over time, either by an insurance approach, by regulation, or by some combination of the two. For now, however, industry does not have the means, authority, or motivation to work a global solution. Given the threats and vulnerabilities that businesses face, and the tough, highly competitive business environment that keeps management attention on bottom line issues as opposed to security, what can enterprises do to improve their security postures? In developing a suitable cyber security posture for a business, there are certain top- level actions that management must take, and they are independent of the size or resources of the company. In the final analysis, sound security depends on three interdependent elements: people, process, and technology. The elements outlined below are intended to size the requirement for cyber security using the same logical approaches employed for any other business decision: <bullet> Develop and deploy a sound security policy. This is a no cost/ low cost first step that many businesses fail to take. What is the general approach to security and how will it be addressed and inculcated organizationally? What behaviors and what competencies are expected of users of enterprise IT and information? What will be the standards for access and the levels of information sensitivity? How will management oversight of security be conducted and performance measured over time? How will security lapses be dealt with? <bullet> Identify critical information, processes, and systems. What constitutes the major components of the critical IT infrastructure and critical business information, and what levels of protection are required for each? The objective is not to eliminate the threat altogether, but rather to manage it. <bullet> Analyze threats and vulnerabilities. What are the real sources of threats and vulnerabilities to the business's IT and information? These are based on business sector experience, state of the world, competition, enterprise footprint, and future business plans. What are the technical, process, and operational vulnerabilities in the IT infrastructure and information resources? <bullet> Perform risk management. In examining the combination of threats and vulnerabilities affecting the enterprise IT infrastructure and its information, it is important to make informed and deliberate management decisions about how to deal with risks, consistent with sound business principles. The choices are several, but depend on an assessment of how much risk a business can tolerate versus how many resources it has to commit: <bullet> Avoid risks. Take actions that eliminate or do not incur the threat/vulnerability duality of concern in the first place. <bullet> Shift risks. Use insurance when available or move liability to others if a threat/vulnerability must be faced. Cyber insurance is a nascent but developing specialty in the insurance industry as work proceeds on identifying risks and developing tools to set premiums. <bullet> Mitigate risks. Take technical and/or procedural steps to reduce the threats/vulnerabilities if necessary, economic, and efficient to do. With improvements in security technologies and products, the choices for mitigation are on the rise. <bullet> Accept risks/develop contingency plans and backups. Risks that must be run and which are expensive but improbable in occurrence may be accepted if downside plans and alternative approaches can be developed in advance. <bullet> Revisit and review. With changes in the threats and vulnerabilities, the whole range of technologies, business processes, people, and IT infrastructure, assumptions and decisions about the level and extent of cyber security must be subject to periodic management reconsideration. In facing up to the requirements for improved cyber security, there are certain bedrock principles that any business, regardless of size, should consider in developing procedural solutions. They are not technology driven and do not require capital investment as much as management attention. <bullet> Ownership: Identify primary and alternate system and data owners to be responsible for identifying the sensitivity and criticality of the information on their systems and validate protection controls and access requirements. <bullet> Accountability: Hold individuals with access to information responsible and accountable for protecting information while in their possession. <bullet> Awareness: Users are the first line of defense. They should be educated about policies, standards and procedures and adhere to them. <bullet> Detection & Monitoring: Implement tools and methods to detect misuse and anomalous activities on both a real-time and periodic basis. <bullet> Incident Response: Develop and publish a response plan that details actions required when a violation to the security policy is detected. <bullet> Defense in depth: Implement security measures in multiple layers versus single layers, and place security devices as close to the item of value as possible. <bullet> System Configuration: System vulnerabilities that can be eliminated without reducing functionality should be corrected. System support devices and data storage should contain only applications or services for which a business reason exists. <bullet> Assessment/Audit: Conduct periodic reviews of systems, networks, and applications against policies, standards and procedures to test and measure compliance and determine vulnerability to emerging exploits. <bullet> Reliable Records: Maintain secure chronological records and logs on significant activities on the network and critical systems. <bullet> Recovery: Implement tools and mechanisms to ensure recoverability and business continuity. <bullet> Access: Personnel, systems, or applications should only be granted access rights and privileges based on justified business- related requirements. These rights and privileges must be exercised within the scope and limits of identified responsibilities. <bullet> Exception: Exceptions to policies, standards and procedures should be granted or denied based on individual review and management acceptance of risk. All exceptions should be documented. <bullet> Research: Investigate, study, and understand emerging security technologies and techniques to develop appropriate methods and controls that protect against ascending threats and vulnerabilities. The cyber security problem has spawned significant creativity in the development of improved cyber security products by many vendors. Properly selected, integrated, configured, deployed, operated, and supported, these can upgrade the security posture of any business. With increasing attention to and demand for cyber security, and the growth in the commercial cyber security industry, the general classes of security technologies and capabilities below are emerging as shrink- wrapped products which are easy to integrate into IT infrastructures. In parallel, IT product vendors are increasing the direct integration of cyber security functions into their own software lines, making each generation more secure and robust. However, a word of caution! There is a real danger in looking for a single, ``black box'' solution to an enterprise's security problems. It is my belief that there is not one today; nor will there be in any future I can envision. The combination of people, process, and technology offers the best hope of managing cyber security risks. Some of the more common technologies enterprises should consider are listed below: <bullet> Perimeter defenses. Firewall software and devices at the enterprise, network, server, and even host level are becoming standard. These permit a variety of steps to limit access by sender, receiver, domain, function, and data type. Although not the total security solution, these are a necessary portion of the security configuration for business systems, and the first layer in the defense in depth implementation for cyber security. <bullet> Intrusion Detection. Unauthorized penetration of business information systems must be assumed. Rapid detection is a requirement. Intrusion Detection Systems (IDS) work with sensors which either detect (1) specific activities or processes which have been previously templated as threatening, or (2) departures from previous information system activity and behaviors which have been assessed to fall in the ``normal'' range. New approaches to IDS are beginning to emerge that include combinations of such sensors and detection criteria supported by enhanced data fusion, display, and decision support capabilities. IDS capabilities are improving relative to threat and vulnerabilities, and becoming more widespread. <bullet> Autonomic Response. Most IT system response to intrusion and anomaly detection is ad hoc. The next area for improvement will be in automated response to penetration, wherein pre-planned reactions are automatically executed to contain, reduce, and eliminate damage and sources of threat. Over time, development work for DoD may provide for commercialized capabilities for adaptive response to penetration. This area of cyber security products is currently very immature but appears promising for the future. <bullet> Virtual Private Networks (VPN). Virtual Privacy Networks provide secure tunnels between trusted sources connected over paths through less trusted domains by using encryption. This approach is mature now and proving necessary for ensuring privacy for businesses using the internet as part of their extended IT infrastructure. In view of globalization and the rise of collaborative working with international partners, VPN technology is a necessary security component for many businesses. <bullet> Encryption. Cheap, reliable digital encryption using software has now become available and practical for industry. Software based encryption is susceptible to attack by a state level threat, but is sufficient for all others. Encryption is now required to protect sensitive data in motion (i.e., as it moves through networks and across telecommunications paths) and at rest (i.e., in storage) to ensure integrity and privacy. Encryption is also useful in providing authentication between sender and receiver, and non- repudiation services (for accountability). <bullet> Public Key Infrastructure (PKI). Public Key Infrastructure using asymmetric keys has emerged as the only practical technology to support encryption requirements, such as those above, for numerous, diverse users who are geographically dispersed but functionally connected. In a word, this is globalized, 24/7 business today. PKI has been criticized as not being user friendly and scaleable, but outsourced providers can reduce its application to something like a subscriber service for most businesses. <bullet> Digital Rights Management (DRM). Digital Rights Management technology provides persistent controls of information and intellectual property over time. It can set and enforce rules for sharing, display, editing/modification, usage, and even expiration of storage. Other DRM capabilities will support secure billing and micro-payments, provide auditing and transaction tracking, and permit alteration in the rules as requirements may change. PKI solutions can provide necessary encryption support. DRM is not yet mature but is an emergent technology that can improve the cyber security of business processes in the future. I am generally optimistic about the improvements that we see developing in cyber security technology and believe these can be integrated at reasonable cost in ways that will markedly improve protection for individual business IT infrastructures operating in many different business risk environments. These technical safeguards, combined with proper operating procedures and people with suitable training and policy direction, can make business cyber security postures quite robust. Unfortunately, it is also clear that cyber attack tools are improving steadily in their capability and ease of use. We can expect new waves of attack based on widespread internet dissemination of vulnerability information, the advent of adaptive of ``polymorphic'' viruses, improved counter-encryption capabilities, and clever attack tactics that evade IDS. These attacks will come from an increased number of people globally who are prepared to use cyberspace and sophisticated software tolls in malicious ways. This is particularly of concern as we realize that in the next year the majority of internet content will no longer be in English, and the number of aggrieved foreign players with access and attitude rises. For the present, the experience SAIC has had as a cyber security integrator with numerous industry customers is a bit mixed. <bullet> Financial sector clients are far ahead of all others in awareness and concerns about cyber security, and in the sophistication of their solutions. They in fact can provide technical and procedural lessons in best practices to the US national security community as well as other parts of the private sector. <bullet> Many of our other commercial clients approach us when they have had a penetration or other IT infrastructure failure. They want quick fixes, some testing to assure the problem has been resolved, and hesitate on cost grounds to support a longer-term relationship in which their security posture is systematically tested and upgraded. <bullet> In assessing the sources of penetration, we normally find the attacks are not novel, but in fact are familiar. In the majority of cases, patches have been available, but were not implemented. In other cases cyber security systems were not correctly configured. Those persons responsible for cyber security were overworked, under trained, or poorly supported and resourced by their management. <bullet> Many commercial clients are still doubtful about the business case for cyber security and typically do not make high demands on software developers of their operating systems and applications to incorporate strong security features. <bullet> Outside of the financial sector, encryption and PKI are coming more slowly to industry customers than to the Federal government. Government pressures for vendors to use PKI based encryption services in B2G transactions will gradually increase usage patterns. There is some interest in outsourcing cyber security support services and to use managed cyber security service models on a subscriber basis. This is economic, especially for small- and mid-sized firms that are mindful of the cyber security threat, but want to concentrate on their core business competency. Unfortunately, it may take a catastrophic event in cyber space to galvanize business attention fully to cyber security issues and change perceptions about the business case. Against this background discussion of growing cyber risks, actionable best practices, technology trends, and current business realities, there is an important role for the Congress to play to encourage improvements in commercial cyber security. For good or ill-- and I believe for good--we live in the information age, and there is no turning back. While the ``dot com'' euphoria in the stock market may have come to an abrupt end, the underlying march of information and information technology has not. We are wedded to the cyber realm for our future prosperity in virtually every area. Our challenge is to learn how to live and operate in this new domain. It will take time to evolve public policies and craft information age laws, but progress is being made. In my view, here are some of the things the Congress may wish to pursue. <bullet> Encourage industry to define standards for due diligence in the development and validation of secure software by developers, and its secure implementation and operation by users. In the event these standards were not met they would provide a basis for judicial allocation of liability and compensation. Part of this approach would be to promote security testing of developer's software products according to accepted standards, and to increase emphasis on the integration of proper software configurations with prompt patch updates for operators. <bullet> Advocate an insurance-based solution to appropriate aspects of the cyber security problem that do not lend themselves to ``ownership''--the ``commons'' problem--and an immediate technology solution. As has been proposed in the aftermath of 9/11 for insurers of physical properties, it might be possible to consider Federal backing if insured losses exceeded a certain total due to cyber attack. <bullet> Consider tax subsidies or other incentives for improved cyber protections for certain industries or for the mitigation of particular classes of risks. Low margin industries vital to public welfare in food and transportation, for instance, might be beneficiaries of such support for improved cyber security. <bullet> Support education and training programs for cyber security skills. It does not matter whether graduates of such programs enter government or commercial jobs since their capabilities will benefit business and the nation as a whole. Ideally this would reduce dependence on foreign providers of those skills and services over time. <bullet> Fund certain highly promising cyber security technologies and approaches that are under development. Those that permit information systems to operate in degraded mode despite intrusion, to self-diagnose, and to heal themselves seem especially valuable and promising. However, these technologies are far from ready for a shrink wrapped solution and will require considerable development over time that industry alone will not pursue. <bullet> Resist the inclination to legislate specific technical solutions. As in many similar problems, Congress will serve industry and the nation best by promoting an environment and development of the infrastructure of people and technologies required to define, implement, and upgrade efficient cyber security solutions over time. For reasons I discussed earlier, to fix on any single technical approach now in a field so volatile is certain to fail. There are bills in various stages of progress in Congress that include provisions promoting improvements in business cyber security practices and capabilities. HR 2435, ``The Cyber Security Information Act,'' and S 1456, ``The Critical Infrastructure Information Security Act of 2001,'' each have provisions to protect from FOIA requirements and antitrust concerns B2B and B2G sharing of sensitive information for alerting and warning of threats to business information infrastructures. I commend these provisions for your favorable consideration in any legislation that is forthcoming this session. To summarize, industry faces a future of increasing and evolving threats to its IT infrastructure, Intellectual Property, and other critical information. There is every expectation that better technology is emerging to improve protections. But, more than technology, people at every level of the business enterprise are crucial to achieving upgrades to cyber security. To be effective, managers must provide-- first and foremost--competent, executable security policy. That policy must be implemented in specific processes and technologies. Cyber security must become an integral part of business operations. People at the management level need to believe there is a business case for IT security and manage accordingly, and employees must receive training that maintains both security awareness and competence as a sustaining activity in their careers. I thank you for requesting SAIC's views on this important matter, and I would be pleased to answer any of your questions. Mr. Stearns. I thank the gentleman. Mr. Schmidt for your opening statement. STATEMENT OF HOWARD A. SCHMIDT Mr. Schmidt. Thank you, Mr. Chairman, and the subcommittee. I'd also like to request that my full written testimony be submitted in the record. Mr. Stearns. In the record. Mr. Schmidt. Thank you. Mr. Chairman, members of the subcommittee, my name is Howard Schmidt. I'm the Chief Security Officer of Microsoft Corporation. I also have the honor of serving as the President of the Information Technology Information Sharing and Analysis Center or the IT-ASAC, the Information System Security Association or ISSA, and I also serve on the board of the Partnership for Critical Infrastructure Security. I'm also an industry executive subcommittee representative for the National Security Telecommunications Advisory Council. I've served in the public sector for over 30 years with the United States Air Force, the FBI and local law enforcement. And on September 11, I was in Washington, D.C. for a day long meeting with several senators when I learned of the attacks. As a current military reservist with Army Criminal Investigations Computer Crime Investigations Unit, I reported to Fort Belvoir, was placed on active military duty for the next month and deployed to work for the Joint Task Force for Computer Network Operations, working with the Department of Justice and the FBI through the NIPC FBI headquarters. That particular experience built upon the many years in the field have given me the ability to see individuals in both communities, both private and public sector, wage daily battles in a war without silver bullets or black boxes, where there will also be someone trying to exploit vulnerabilities and where criminal hackers are proving themselves to be allusive, diverse and endlessly resourceful. With this background, I would like to review some problems we face and address the steps that Microsoft takes as an industry leader, and some steps I believe that the government should take to address cyber threats. The issues posed by criminal hackers are real, cross- platform and costly. The Love You virus of 200 caused an estimated $8 billion in damages. Ramen and Lion worms, which attacked Linux software used to deface websites and extra sensitive information such as passwords. And the Code Red worm exploited Windows server software. Damage has been estimated in those cases $2.4 billion. The Rhino attacks exploited vulnerabilities in the Solaris operating system to stage denial of service attacks. That damage was estimated as $1.2 billion. Truly these are genuine weapons of mass disruption, not mass destruction, but mass disruption. Yet, perhaps the most depressing fact in all of these stated attacks there has been no perpetrator that has been caught, absent the incident with the I Love You virus writer who remains free since there were no laws in this country that criminalize those actions. Those attacks did not occur because the innovative engineers who created the underlying code disregarded security. They occurred because equally innovative criminal hackers worked day after day to find, create and exploit vulnerabilities in the software or in the human nature that gave them new ways to repass on our computers, to steal our data and shutdown our networks. Microsoft is deeply involved in advancing policies to improve critical infrastructure protection through senior executive leadership, continuous improvement of software development, security response, and coordination with law enforcement. First of all, we lead from the top. Bill Gates, our Chief Software Architect and Chairman, is a Presidentially appointed member of the National Infrastructure Advisory Council. Craig Mundie, our Senior Vice President and Chief Technology Officer was appointed by the President to the National Security Telecommunications Advisory Council. And on a personal basis, I am deeply involved with the U.S. Government's efforts around critical infrastructure protection, the G8 Subcommittee on Cyber Crime, various United Nations initiatives and including I was a U.S. Industry Delegate in the U.S. Australian bilateral meetings on critical infrastructure protection. Allow me to mention for a moment some of the things we have done in the direction of our executives. We've created a new program to deal with the patch applications that was cited by my colleagues as one of the issues that faces us in the vulnerability issue. We're also developing superior code analysis processes to root out subtle flaws that can create vulnerabilities in commercial products. We're expanding the testing of our software by using independent penetration teams and working closely with third party experts in and outside the government to make these tests work. In addition, we've created a fully staffed highly effective security response organization which we believe is one of the best in the industry. Like traditional crimes, cyber crime needs to be opposed with strict criminal laws, strong enforcement capabilities and well-equipped and highly trained law enforces. Yet despite the billions of dollars in damage that we've seen in these network disruptions in the past, writers still remain at large. In this troubled time, we can only expect that some of these may fall under the control of terrorist organizations or hostile nations, and thus we need to address the inadequate enforcement of criminal laws and insufficient law enforcement resources. Law enforcers should receive additional resources, personnel, and equipment in order to investigate and prosecute cyber crimes. These hard working officials are often short- staffed and under-funded. Many also lack the state-of-the-art technology used by hackers, and increased funding is needed to place them on par with those they investigate. We support the following specific actions. We see a need for increased funding for law enforcement personnel training and equipment. We support tougher penalties on criminal hackers such as civil forfeiture of personal property used in committing these crimes. We seek clear guidance from the Sentencing Commission on how courts should punish those convicted felons. We strongly support greater international cooperation among law enforcers in these times-sensitive investigations. And we want to have the ability to have ISPs to have the authority to share information voluntarily with the entire government once they see that life or limb is endangered. We've worked very closely with the authors of the pending Freedom of Information Act reform legislation, and when President Bush signaled his support of this reform, and as President of the IT-ISAC, and I assure you that this simple change could lead many companies to answer the government's request to do more in sharing of security information with the government. From the international perspective, we need international laws enforcement framework that establishes minimum liability and penalty rules for cyber crime, and common intergovernmental cooperation. Without all this, the computer laws on the laws on the books may wind up being useless when cyber criminals cross international borders. Let me close by thanking this subcommittee for inviting me to testify. The recent horrific terrorist attacks in New York and Washington were physical in nature. And we were fortunate that terrorists or a random hacker did not further create mayhem by unleashing a corresponding cyber attack, yet this is a risk that we still continue to face. We must take steps now to deter these actions to improve technology: Fully funded law enforcement; tough criminal penalties and continued industry and government dialog and cooperation. We know that security is a journey, not a destination, and by working with our industry peers including some of my distinguished colleagues here, and with the government, we have a chance to keep pace and hopefully get ahead with the cyber criminals and cyber terrorists. Thank you, and I'll be happy to take questions. [The prepared statement of Howard A. Schmidt follows:] Prepared Statement of Howard A. Schmidt, Chief Security Officer, Microsoft Corporation INTRODUCTION Mr. Chairman and members of the Subcommittee, my name is Howard Schmidt. I am the Chief Security Officer at the Microsoft Corporation. As such, I am one of many who are responsible for the development of a trusted computing environment at Microsoft and, to the extent possible, throughout the information technology industry. I serve as president of the Information Technology Information Sharing and Analysis Center (IT- ASAC), which coordinates information sharing on cyber vulnerabilities among information technology companies and the U.S. government. I serve on the board of the Partnership for Critical Infrastructure Security, a cross-sector, cross-industry effort supported by the National Security Council and the Department of Commerce. I am also an industry executive subcommittee member of the National Security Telecommunications Advisory Committee. I served for several years in the United States Air Force, the FBI, and local law enforcement, and on September 11th I arrived in Washington, D.C. for one stop among many that would take me across the globe. I was meeting that morning with several Senators when I learned of the attacks, and I immediately reported for duty at the Pentagon. There I stayed for the next several weeks after being called to active duty with the United States Army. During that time I was deployed simultaneously to the Joint Task Force for Computer Network Operations, the Department of Justice, and the FBI's National Infrastructure Protection Center. That experience built upon my many years of computer security work in the public and private sectors, in which I have observed extremely talented and committed individuals in both communities wage daily battles in a war without silver bullets, where there will always be some vulnerabilities, and where the criminal hacker has proven itself elusive, diverse, and endlessly resourceful. With this background, I would like to review some problems we face and address two elements of cyber-security. First, the steps Microsoft takes as an industry leader, and second, some steps I believe the government should take to stop cyber-crime. THE PROBLEM Mr. Chairman, the information technology revolution has transformed the way business is transacted, government operates, and national defense is conducted. Those functions depend on an interdependent network of physical and technological critical information infrastructures that industry and government work together constantly to secure. Protection of these systems is essential to government and to the telecommunications, energy, financial services, manufacturing, water, transportation, health care, information technology and emergency services sectors--the so-called critical infrastructures of our economy. These sectors are national assets. Their loss or degradation would severely impact our national defense and the very stability of our economy. Yet, unlike other national defense assets, they were largely built, and are owned and operated, by the private sector. That is why this Administration and its predecessor have insisted that securing critical infrastructures requires a partnership between government and industry. Voluntary cooperation and industry-led initiatives will work best to address computer security issues. The issues posed by criminal hackers are real, cross-platform, and costly. The ``ILOVEYOU'' virus of 2000 caused an estimated $8 billion in damages. The Ramen and Lion worms attacked Linux software to deface websites and extract sensitive information such as passwords. The Code Red worm exploited Windows server software to deface websites, infect computers, attack other websites, and make computers susceptible to attack by third parties. Damage has been estimated at $2.4 billion. The Trinoo attacks exploited vulnerabilities in the Solaris operating system to stage distributed denial of service attacks against several prominent websites. The damage was $1.2 billion. Truly, these are genuine ``weapons of mass disruption.'' Yet, perhaps the most depressing fact in all of these attacks is that no perpetrator has been caught with one exception--the ``ILOVEYOU'' virus writer remains free since the law of his country did not criminalize his actions. These attacks did not occur because the extremely innovative engineers creating the underlying codes disregarded security. They occurred because equally innovative criminal hackers worked day after day to find, create and exploit vulnerabilities in the software or in human nature that gave them new ways to trespass on your computers, steal your data and shut down your networks. elements of a solution: microsoft and cybersecurity Leadership. We at Microsoft are deeply involved at the national level and within the information technology sector in advancing policies to improve critical infrastructure protection. This takes form through senior executive leadership, continuous improvement in software development, security response, and coordination with law enforcement. First of all, we lead from the top. Bill Gates, our Chairman and Chief Software Architect, is a presidentially-appointed member of the National Infrastructure Assurance Council (NIAC). The NIAC is intended to advise the President and encourage cooperation between the public and private sectors to address physical threats and cyber threats to the Nation's critical infrastructure. Craig Mundie, Microsoft's Senior Vice President and Chief Technical Officer for Advanced Strategies and Policy, was appointed by the President to the National Security Telecommunications Advisory Council (NSTAC). The NSTAC advises the President on policy and technical issues associated with telecommunications. Steve Lipner, Microsoft's Lead Program Manager for Security, serves on the Congressionally-mandated Computer Systems Security and Privacy Advisory Board. Finally, I am deeply involved in U.S. government, G8, United Nations and state & local cyber-security initiatives. In addition to my duties at the IT-ISAC and NSTAC, I recently participated in a U.S.- Australia bilateral meeting on critical infrastructure protection led by the U.S. Departments of State and Commerce. From the top down, our senior executives believe in excellent security. They drive our thinking on what we need to do to create a more secure Internet infrastructure, and they simultaneously play a leading role in shaping the general U.S. technological and policy environment. Service & Development. Allow me to mention several examples of what we have done at their direction. About four weeks ago, we rolled out the Strategic Technology Protection Program (STPP) which addresses the patch application problems while also enhancing our software development practices. As part of this initiative, we are doing several things, including deploying many of our personnel to our customers' sites to assist them in utilizing our patches. We also are providing advanced training to our own developers so they better understand current threats and vulnerabilities; we are developing superior code analysis tools to root out subtle flaws that can create vulnerabilities; we are expanding testing of our software by using independent penetration teams; and we are working closely with third party experts in and outside government. In addition to the STPP, we have created a fully staffed, highly effective security response organization. We believe that it is the industry's best such organization. It investigates thoroughly all reported vulnerabilities, then builds and disseminates any needed security updates. In 2000, for instance, we received and investigated over 10,000 reports from our customers. Where we found vulnerabilities--as we did in 100 cases--we delivered updated software through well publicized web sites and our free mailing list to 200,000 subscribers. Another major element of our protection efforts focuses on incorporating new security features in our products. As examples, we have integrated previous stand-alone patches in products like Outlook 2001, installed a personal firewall in Windows XP, and added software restriction policies to Windows XP to allow administrators to limit what software can run on the system. The feedback we have received thus far from our customers, outside analysts and the press has been overwhelmingly positive. We consider that an essential vote of confidence in the direction we have taken, and these programs are not one-time initiatives. We take them very seriously, for security and privacy go to the heart of our culture. Education. Leading by example is one way to improve computer security. Making sure that it becomes a national ethic for business and government, however, requires serious, sustained efforts to educate our colleagues in both the public and private sector. Like any real solution to reducing computer security vulnerabilities, this requires that both sectors play a part. On the industry side, we strongly support industry-generated efforts to spread the gospel of cyber security. At Microsoft, we have done this through the good works of our top executives and through other broad-based efforts to encourage appropriate security practices. For instance, at an industry-wide level, Microsoft this month sponsored its second annual Trusted Computing conference at our Silicon Valley Campus. This conference brought together leaders from industry, government, the academic community and other interested parties to discuss and reach consensus on issues of security and privacy. One of the highlights of this year's event has been a debate about the handling of product vulnerability information. With several other companies, we have taken a leadership position that the public release of ``exploit code'' by ``security researchers''--that subsequently can be used by hackers to break into customers' systems--is harmful to customers and inconsistent with professional responsibility. We believe that similar efforts to reach consensus within the industry can improve both security awareness and lead to real security improvements. On the government side, I admire and support the job Dick Clarke is doing as the President's cyber security advisor and coordinator. He has worked tirelessly for years to bring the message of computer vulnerability and the need for increased computer security to the nation's boardrooms and cabinet offices. He needs support throughout the government in making clear that this is a national priority. Certainly this message has reached the Department of Defense, which so heavily relies on information technology to gain battlefield superiority. It must become part of the lexicon of many other government agencies and officials. Criminal Enforcement. Like traditional crime, cyber-crime needs to be opposed with strict criminal laws, strong enforcement capabilities, and well-equipped and highly trained law enforcers. Yet despite the billions in damage and significant network disruption, many criminal code writers remain at large. In this troubled time, we can expect that some may fall under the control of terrorist organizations and hostile nations, and thus we need to address the inadequate enforcement of criminal laws and insufficient law enforcement resources. To slow this growing threat, penalties for cyber-crime should be increased and law enforcement capabilities should be enhanced. The Computer Fraud and Abuse Act and other statutes make hacking, unauthorized access to computers, and the theft, alteration, or destruction of data federal crimes. However, penalties are weakly enforced, and tougher sentences need to be imposed to deter and punish cyber criminals. Law enforcement should receive additional resources, personnel, and equipment in order to investigate and prosecute cyber-crimes. These hard working officials are often short-staffed and under-funded. Many also lack the state-of-the-art technology used by hackers, and increased funding is needed to place them on par with those they investigate. Finally, cyber-criminals and cyber-terrorists operate across international borders, as in the ``ILOVEYOU'' virus, the ``Solar Sunrise'' attack, and the ``Anna Kournikova'' virus. Enhanced international law enforcement cooperation is a vital tool our law enforcers need to fight and find the cyber criminals and cyber- terrorists. That's why Microsoft strongly supports adding new cyber-crime provisions to the anti-terrorism laws and the criminal code. We see a need for increased funding for law enforcement personnel, training, and equipment. We support tougher penalties on criminal hackers, such as civil forfeiture of personal property used in committing these crimes, and we seek clear guidance from the Sentencing Commission on how courts should punish these convicted felons. We strongly support greater international cooperation among law enforcers in these time-sensitive investigations. And we want ISPs to have the authority to share information voluntarily with the entire government once they see that life or limb are endangered. We have also worked closely with the authors of the pending legislation to provide an exemption from the Freedom of Information Act (FOIA) for cyber security information voluntarily shared with the federal government. In a letter to the NSTAC, President Bush signaled his support for this reform and as President of the IT-ISAC, I can assure you that this simple change will lead many companies to answer the government's urging that they provide much more computer security data to the government. When that happens, the government network administrators will learn much more about network vulnerabilities from the private sector and be in a far better position to secure their own networks. They will also be able to model future attacks and position themselves to anticipate them in advance, whereas today most analysis occurs after the attack. Finally, the Council of Europe has completed negotiations on a comprehensive cyber-crime treaty. We know that from an ISP perspective it contains a number of controversial or vague requirements affecting both privacy and regular business practices. We share many of these concerns and worked in several industry coalitions to ameliorate them. Yet we see the clear need for an international law enforcement framework that establishes minimum liability and penalty rules for cyber-crime, and common procedures for intergovernmental cooperation. Without this, all the computer crime laws on the books are useless when cyber-criminals cross international borders. Whether or not the Council of Europe treaty is an ideal vehicle I leave to the lawyers to decide, but I assure you that we do need harmonization and cooperation in this area, and we need it now. Investment. Microsoft believes that there is a demonstrated need to protect and defend the nation's critical information infrastructures from computer hackers and cyber-terrorists. Law enforcement must be adequately trained and properly equipped to fight cyber-crime, whether it is hacking, or other forms of cyber-security offenses, committed by terrorists and other criminal entities. That is why we propose giving the Attorney General additional discretionary funds to expand staffing, training and technological capabilities of the Computer Crime and Intellectual Property Section and the National Infrastructure Protection Center; to accelerate funding for law enforcement computer modernization; to hire experts in cyber-security; and to fund state and local law enforcement efforts to deter, investigate and prosecute cyber-security offenses. Government Response. Software security is a rapidly evolving market of suppliers and consumers. We have seen over the past few years tremendous growth and a massive increase in awareness of these issues. There is no single nor comprehensive solution and there will always be more to do. For this reason, I believe we need to let the Internet economy and the information technology industry operate as a market. That means that it must operate without government interference. Federal security mandates or requirements, such as rules and regulations for patch application, dictates on the type of technology a company must use, or legal requirements that a company declare that it follows some form of security best practices, would have the perverse effect of slowing innovation in the security market. A rule requiring notice of security practices would also have the unintended consequence of causing companies to gravitate toward accepted practices rather than toward innovative practices. In sum, there is a critical difference in quality, innovation and thoroughness between security solutions driven by market and private sector pressures and those driven by regulation, bureaucratic timetables and one-size-fits-all approaches. A serious government-industry partnership can encourage security innovation and implementations, but will falter if regulation is imposed upon information technology businesses. SUMMARY Let me close by thanking the Subcommittee for inviting me to testify. Although the recent horrific terrorist attacks in New York and Washington were physical in nature, Congress quite rightly must look beyond the current tragedy and loss of those catastrophic attacks. We were fortunate that the terrorists or a random hacker did not unleash a corresponding cyber attack. Yet that is a risk we face, and we must take steps now to deter these actions through improved technology, fully funded cyber crime law enforcement, tough criminal penalties, and continued industry & government cooperation. We know that there is no finish line to these efforts, but by working as we have with industry peers--including some of these panelists--and with governments, we have a chance to keep one step ahead of cyber-criminals and cyber- terrorists. Thank you. Mr. Stearns. Thank you, Mr. Schmidt. The committee that I'm chairing now is using the jurisdiction of Commerce to have you here. Some of the things you mentioned, Mr. Schmidt, would most likely be under the Judiciary Committee in terms of the laws that are developed. But, Mr. Klaus, let me just ask you, I have lots of friends in my congressional district that are banking Bank of America, other banks. They do all their banking through the Internet. Are you saying today that you could go into those programs and find out what their banking information is? Could I bring you down to Okal, you sit down at a computer or could I tell you where they are? I mean, tell me how would you--first of all, is it possible for you, is it possible for a hacker today to go in and find out all the information in my friend's banking account with Bank of America? Mr. Klaus. There's actually a pretty big misperception out there where people think that if I don't shop on the line or I don't access my bank account on line, I'm okay. I'm not effected by this. But the reality is when we go into a bank or do what we call a penetration test, we don't have to physically go anywhere, we could just do it from anywhere on the Internet and typically you can get into a bank. And from there you can access not only the people who do access their accounts on line, but even those that are off line in terms of everybody's--everybody's account information is in the data base. Mr. Stearns. Okay. That's why we've always made the agreement on this committee that if we do an Internet privacy, it's off line/online, because just what you said; that you could go in to find something and a person never gave a credit card, never went on banking online, but dealt with a bank offline and paid the mortgage, you could break in today you're saying and do that? Mr. Klaus. I mean, the banks use the same computer systems, the same data bases to store the information whether the user's online or not. Mr. Stearns. Okay. What's the motivation in your opinion of these people who do this? Is it for crime, is it just for challenge, or what is the majority of the motivation? Mr. Klaus. I think the motivation it's probably a bigger different group that's out there today. Like 5 years ago or 10 years ago if you looked at it, a lot of people who were doing it was more for play and exploratory type hacking, is kind of the term they were using in terms of ``I'll see what I can get into.'' Mr. Stearns. Sort of as a game. Mr. Klaus. More as a game. But nowadays we're seeing a lot more attacks that are actually criminal in nature, either political motivation or actually money--you know, money is on the Internet now, so a lot more of monetary attacks. Blackmail a lot of times. We were dealing with a bank in Georgia where they had been hacked into and basically the data base of all their customers had been taken back to someplace in Russia and, basically that group had emailed the bank saying, you know, please give me $100,000 otherwise we could be releasing this information, might get out on the Internet. Mr. Stearns. So they tried to blackmail the bank? Mr. Klaus. Correct. And so we're seeing the motivation is changing. I think the automated attack tools, the motivation there today nobody--since those people haven't been caught, it's hard to question exactly what they're doing. But in many cases if you look at virus writers, it's kind of like so many arsonists out there. You set a fire and you go off and kind of watch it from afar. And I think that's what a lot of the automated attack pools like Nimba, Code Red, some of that motivation might be. Hey, let's write a program to see how much of a fire can I create on the Internet, and kind of watch it from a distance. Mr. Stearns. Ms. Davidson, you state that ``If security is not built into a product system from the getgo, it is often impossible to retrofit it after the fact.'' You might just elaborate on that. Ms. Davidson. Well, I think it's important that security has to be part of a design process. And a vendor of a secure product has to make a commitment to a secure product lifecycle. For example, before you build a piece of software, you need to sit down and say what are the security threats I'm protecting against? What are the technical measures I'm going to implement? Mr. Stearns. Can you project that with this technological advancement, this innovation we're seeing in America? Can you be sure? Ms. Davidson. I don't think you can ever be 100 percent sure and there is no bullet proof security. But it basically gets back to, I talk to my customers about the questions you ought to be asking all of your vendors about security. And that is, how do you build security? Is it part of the design process? Is that one of the first things you think of? Do you have secure coding practices? do you have a small group of people? Because it's hard to get security right. You have a small group of people who are the experts to whom the rest of your company goes to make sure I'm building a piece of software, I need to make sure the security people; I talk to them, I use the code routines that are well formed and well delivered, I have testing to test the security mechanisms, I do security risk assessments or penetration tests, try to break into it. Mr. Stearns. Yes. Ms. Davidson. We have a team of reputable hackers whose very good that's breaking into things before the product goes out the door. Mr. Klaus. I'd like to add---- Mr. Stearns. Let me just finish here. Mr. Schmidt, you've just heard what Ms. Davidson said. Some people have criticized Microsoft plan to work to publicize security flaws, but not the technical details. So there's some controversy here, because people like to know the technical details. You might give us why Microsoft proposed the action it did. Mr. Schmidt. Well, it goes around what we call ethical reporting. There is the concern that if information comes out before there's a fix, then we endanger the entire critical infrastructure that we're talking about on a regular basis to begin with. So when we talk about publishing details, it's after we have the ability as an industry to resolve these problems, that you get the patches out there, and then make that information known on a very technical basis. In the interim we're subject to saying there's a big hole, but there's no way to fix it at this point. Mr. Stearns. My last question is to Mr. McCurdy, would an exemption from the Freedom of Information Act and/or any trust laws help promote a better interaction and cooperation between the government and private sector on cyber security matters? Mr. McCurdy. Mr. Chairman, yes. I'm a firm supporter, as our organization is, for both the Davis-Moran legislation from the House and also the Bennett legislation in the Senate. We'd like to see both of those tabled so we could go to conference on that. One for information sharing and--what we don't know is probably a bigger question. I know it philosophical. But when you talk about the motivation of hackers, in a lot of ways they want to have those attacks publicized, but it's the criminal elements, it's organized crime, it's the state actors that quite frankly don't want you to know. And they're not using the automated tools. they can do a number of things both externally but also through insiders. As we know, the FBI knows a lot about the potential threat from insiders. So there are a number of things, and I think you have to remember that used to use in national security the threat over here and the likelihood of occurrence, but the lesser threat on the other side. Those areas where there's the greatest threat you won't hear a lot about. And that's why, you know, I think there has to be a lot of effort from the government. With regard to information sharing, banks have their own incentive to report a certain level of intrusion and loses. they don't want to lose confidence with the consumer or customers. So it's also critical that in order to exchange information with the government, that those reports remain anonymous, that they not be traced back to individuals or to companies. Because that has a chilling effect on the reporting. And as far anti-trust, whenever you bring companies together--you know, government tends to think in vertical silos the way it's organized. The Internet cuts all through that, so it goes across industries. It's not just a group of people from one industry sitting in the same room together. It's a process---- Mr. Stearns. I'm going to ask you please to summarize this, because we're going to go back--I'd like to get the rest of the committee. Mr. McCurdy. The point is that anti-trust exemption for this similar to the Y2K experience and informing sharing exemptions are important and I think it should be supported in a bipartisan basis. Mr. Stearns. Okay. Thank you. Ms. DeGette? Ms. DeGette. Thank you, Mr. Chairman. Following up on the chairman's question, Mr. McCurdy, I'm wondering if there have been any prosecutions for anti-trust violation as a result of information sharing, or if you're concern is really one of a chilling effect? Mr. McCurdy. It's more the chilling effect. Similar to Y2K. Once---- Ms. DeGette. Yes, I got you. I don't have much time, as you know better than anyone here. Is anyone else on the panel aware of any anti-trust prosecutions as a result of information sharing? So what I'm really hearing is we're talking about a chilling effect that could be very real for folks? Just for the record, everyone's nodding their head affirmatively. I was struck, a couple of a you talked about, including Ms. Davidson, about how important it is for consumers to understand exactly what the issues are because you can't complain if you don't action. And I told the chairman my husband installed protection software on our home PC. And we found that even on the first day we had scores of attempts to break into our PC. And I would be willing to bet--and he was surprised to hear it. I shouldn't tell tales on him. But he was surprised to hear that and asked me for the name of the software, which I'll get him. But if we don't even know that on the subcommittee, imagine how many millions of customers there are out there, and that's not even at a business level. So I think that's advice well taken. I would like to ask a question of any member of the panel who would care to answer it. If you know of any or if you've learned of any particularly vulnerabilities in security systems since September 11 or if there are really ongoing concerns that we have and that we've been talking about for quite some time in this subcommittee? Any new vulnerabilities that we learn of? Mr. McCurdy. Well, I'll give you a quick site. You can go to a website, and they report continuing vulnerabilities. There's a lot that's--again, because of the technical concerns that Mr. Schmidt raised, you don't want to give out before there's a patch, but there are reports. Since September 11 there has not been a huge rush of new ones. We're not talking about a post-9/11 scenario here. This is a continuing throughout the year threat the past 4 years, which I think the trend that you're concerned about. Ms. DeGette. Mr. Axelrod? Mr. Axelrod. The status of the vulnerabilities is not really a function of the threats. Ms. DeGette. Right. Mr. Axelrod. The vulnerabilities increase as new software which is more complex comes into the marketplace. However, I do believe that everyone's perceptions of threats has changed dramatically. And I also think the reality of the threats has changed. There is a whole portfolio of additional threats that we didn't previously consider. Ms. DeGette. Thank you. Mr. Klaus? Mr. Klaus. I'd add that, well, we've found at least three new vulnerabilities since September 11. A couple of them were like multi-vendor effected. Most of the UNIX platforms, Sun, Linex, etcetera and worked with a lot of the vendors out there that fixes issues. The thing is, we're working with Microsoft and seven other security companies to create a standard. Right now there's a lack of a lot of security standards for whatever reasons, but right now there's not a standard out there for how to disclose that information. ISS has come up with a standard that says, you know, we will alert the vendors before we disclose any technical details. and a lot of the debate is whether you release the actual exploit tools. There's a lot of security companies that will produce an exploit tool and say, hey, here's evidence that this is a big issue. The problem is you can take that tool and break into systems. Even worse though is when you disclose I guess the source code to the actual vulnerability and how to break into systems. What we're finding is it lowers the barrier to creating the next Code Red worm or the next worm. And that has the huge effect. That's what scares me is the fact that, you know, new vulnerabilities get amplified and they're a force multiplier in terms of having a huge effect on the Internet. Ms. DeGette. I got you. Thank you. I'd like to question of Mr. Schmidt. A couple of the excellent suggestions I thought that you made were increasing penalties for hackers. We apparently have hackers out there who haven't been prosecuted. I'm wondering how many of the hackers that you are experiencing in your company and maybe Oracle and others have we determined are based domestically here? Mr. Schmidt. Yes, it's really difficult to tell until you actually put the habeas grabis on them, as we call it. Ms. DeGette. Right. Mr. Schmidt. Because they're often times---- Ms. DeGette. That's a term of art, right? Mr. Schmidt. Because what happens, we see systems that are compromised in foreign countries which may give the indication that the source is indeed that country, but it could indeed be someone domestically that's using that as a jumping off point. Ms. DeGette. So in essence we don't really have a clear sense of how many of the hackers are based here where we could send in the FBI to get a more local law enforcement authorities and how many are based physically internationally, which would argue for even stronger international cooperation? Mr. Schmidt. That's correct. Yes, ma'am. Ms. DeGette. Yes, Ms. Davidson? Ms. Davidson. Yes, I'd like to amplify an earlier comment. In our experience most of the hackers, although that tends to have a pejorative connotation, in our experience most of--I would say 98 percent of the people that we deal with are inquisitive, talented and, as I mentioned, really want to test something rights on the Internet. Looky, see, I was the first one to find this vulnerability. They are not malicious. They bring the issues to our attention. They give us a chance to fix them. And we're very good about acknowledging thank you. In fact, I think some of us know the same people, is it Yorgi in Russia whose very good at finding buffer overflows. So as long as you put a little statement with an acknowledgement to Mr. So-and-so who found this and worked with us to help identify it, they're happy. Mr. Schmidt. Yorgi. Ms. Davidson. Yes, Yorgi. Everybody knows Yorgi. Ms. DeGette. Unfortunately everybody does not have those kind of---- Ms. Davidson. Yes, that's true. But most of them--so in many cases they do self identify and they're very well known. It's the 2 percent who are malicious that you never know they are. Ms. DeGette. Right. Thank you, Mr. Chairman. Mr. Stearns. Thank you. The gentleman from Illinois. Mr. Shimkus. Yorgi, alias Nathan Deal. You didn't know that, did you? Mr. Morrow. I didn't. Thank you. I'd like to follow up on a couple of questions of Mr. Morrow. Mr. Morrow. Sure. Mr. Shimkus. And since the Davis-Moran bill was mentioned, I know in your testimony you mentioned it also. I want to know if it's a good idea that there be an obligation to share information? Mr. Morrow. We don't really believe--I don't believe it's a good idea to have the obligation, because I don't necessarily believe it's required. I think everybody that I run into in the commercial sector wants to do the right thing. They're extremely cognizant of the idea that we all have to share information. They are, quite frankly, not to be dogging the attorneys in the room, the corporate counsel always advise against it because of the issues of anti-trust and the Freedom of Information Act. You have to understand that even in the investigative world--Howard and I were investigators together for the Air Force. We would find that companies will forego investigation because they don't want to see the information that they are trying to keep sacred, their intellectual property, for example, brought out in open court and read about it on the front page of the Washington Post. And similarly, they're afraid of the Freedom of Information Act will do essentially the same thing, or the anti-trust implications will be kicked in. While it has not been that I'm aware of ever been a prosecution of anti-trust based on this type of sharing, it's certainly one of the things that a corporate counsel always seems to be worried about. Mr. Shimkus. Great. Thank you. And I'm going to shift all over to different things based upon the testimony. Mr. Casciano, you had also addressed in your statements about the applicability of insurance and how insurance may shift risk and help address liability issues. Can you take us through how this would work, just briefly talk us through that whole insurance? Mr. Casciano. Certainly. There are many ways that this can be done, and the insurance companies and the underwriters are trying to grapple with this now. One possibility is that companies who are going after cyber insurance would be subject to a very standard and rigorous examination; vulnerability assessment, assessment of policy, implementation of that policy, testing of that policy and then would receive a rating from the underwriters based on their adherence to the standards set by the insurance company. Mr. Shimkus. Is there in the proposal a reevaluation of their proposal at 6 months because of how things move so rapidly? Mr. Casciano. Oh, clearly. And that would be part of the standards that would be applied, whether it be a 3-month revisit, 6 month revisit or some other formula. But it would have to be continuous, because the technology both for defense and for offense are changing every day, literally. Mr. Shimkus. Do you think companies that may offer this might hire your EDA to try to prove them wrong. Mr. Casciano. Or companies that hire Yorgi. The ethical hacker. Mr. Shimkus. Right. Mr. Casciano. The ethical hacker. And several of the companies that are represented here have stables of ethical hackers that do this on behalf of clients. Mr. Shimkus. Great. Thanks. And I want to go to Mr. Doll for my last question. The newly created Critical Infrastructure Protection Board, do you think this should be codified? In other words, put into statute? Mr. Doll. I think the protection board is a positive step forward to get a partnership with private industry and public. And I think we're positive that it's a step in the right direction, that we need to share information and to move those things forward. Now, what happens next and how that would play out, I don't think I'm in a position to say how that really effects future decisionmaking. so I think that we're cautiously optimistic right now. Mr. Shimkus. You know, we're legislators here, so our question is always does the Executive Office suffice for now or do we need legislation to codify it? It's evolutionary right now. And I would recommend that if you--it's no different than what we're doing in these other issues of bioterrorism of homeland defense. As we move forward, if there's a time to codify, then please come back. Did you want to add, Mr. McCurdy? Mr. McCurdy. Well, to me a follow up. Yes, I think we're in an assessment period of time. The events of 9/11 have changed how corporations are responding to this. We work with many of the Fortune 500 and now board level responses are coming to this. And I think we need to assess and then act aggressively once we formulate some policy. Mr. Doll. I would urge the committee and the Congress to be careful about mandates with regard--and getting in the business of architecting some kind of structure here. Because as soon as you do, then the problem changes. One of the challenges we in America face, and certainly you as representing the government, is that the government is not organized today and has become too stovepiped and too rigid. And I think Mr. Ridge and others are finding the challenge of that. So I would think that the best model were to be the voluntary model that was used during Y2K and look at some of the specific legislative efforts to improve the information sharing. Mr. Shimkus. Thank you. And I yield back, Mr. Chairman. Mr. Stearns. I thank the gentleman. Mr. Deal? Mr. Deal. Thank you, Mr. Chairman. We've been made aware over the last several weeks that some of the same things you're alluding to exist in other areas of government. For example, we are told that FERC, OSHA, other Federal agencies require those over whom they have certain jurisdictional controls to divulge to them the worst case scenarios. In other words, where are your power plants most vulnerable and how? Where are you pipelines most susceptible to being bombed or interrupted. And by virtue of the government agencies requiring this information, it likewise under the Freedom of Information Act, then becomes available to whoever might want to know what the worst case scenario is and they don't even have to do their own homework, the agency has been forced by the government to do it for them. Now when we talk about the Internet we, for most purposes, kept our hands off of it pretty well. So I don't see it from that angle, but is it the fact that many of your clients are regulated by existing Federal agencies such as the banking industry is regulated, and therefore if they disclose information it then becomes available as to either problems that have existed or potentially do exist? Is that same kind of scenario that you are seeing playing out, and if so would somebody elaborate on what it is? Because you mentioned the Freedom of Information Act. I can see it from the standpoint of once you disclose a vulnerability. But are there mandatory requirements in place that require those disclosures or can you as Mr. Morrow said, just maybe simply keep your mouth shut and thereby avoid it? What is that? Mr. McCurdy. Well, first of all, Mr. Deal, some of those other agencies, FERC and others, are in heavily regulated industries including telecommunications. Again, that's a sectorized approach. The Internet cuts through that vertical and that stovepiped organization. Eight-five percent or even greater of the Internet's none government. It's publicly owned. And it's hard to impose some kind of regulation or mandate on them. Grimm-Leach-Bliley was an important tool for the financial industry, but that's--and it's a good standard, but it's not a standard that should be applied all the way across. Eighty percent of the problems of the Internet are common to all industry, whether it's insurance, whether it's the utilities, you know, entertainment industry. That's where we think that by improving the information sharing, by having these horizonal nonprofit private organizations as opposed to government, you will get the greatest flow of information that improves best practices, and that's what you're talking about. Not formal rigid standards, but mandatory practices. I thought the statement about people processing technology is a good matrix to use. We ought to be focused on the people, and that's what industry ought to be doing. Technology we can do as well. We can cooperate through these public/private partnerships, but I don't believe it should be a rigid government standard. Mr. Deal. Several of you, though, have mentioned the Freedom of Information Act as being a problem area. Is any of the legislation that is pending now address that particular---- Mr. McCurdy. Yes, Davis-Moran and Senator Bennett's bill provide an exemption as in the Y2K exemption for information sharing. Mr. Deal. And that should solve most of those problems? Mr. McCurdy. I think there's unanimous support here for that position. Mr. Deal. Okay. All right. Fine. I believe we're getting probably close a vote on the floor, from what I understand. I'll yield back, Mr. Chairman. Mr. Stearns. Well, no. We haven't got the 10 minute vote yet. Mr. Deal. Okay. Well, let me ask Mr. Klaus, and let me tell you we are proud of Mr. Klaus, a Georgia Tech graduate---- Mr. Klaus. The Georgia mafia, you got to watch---- Mr. Deal. As you can tell by his appearance, he is one of the younger more successful entrepreneurs and one of the really leading experts in the area of security, and we welcome you here. You had a response I think to the earlier initial question that the chairman had asked that you didn't have a chance to respond. Can you remember what the issue was that you wanted to respond to, and I was going to give you the chance to do that? Mr. Klaus. It was adding onto a comment, and I did not write it down in terms of exactly what it was going to be. Mr. Deal. All right. Mr. Klaus. I appreciate that. Mr. Deal. I think all of us are concerned about what can we do. We don't want to do anything that's going to make it worse, we want to try to make it better. And I gather from your comments that most of you are supportive of these remedial pieces of legislation that are pending. Obviously things like sentencing standards and sentencing guidelines are not within our jurisdiction, nor the jurisdiction of the Committee on Civil Forfeitures. You know, I suppose we would have to forfeit a lot of nerd's computers out there if this is the remedy that's there. But if we have moved from just the prankster, the intellectual graffiti artist to the more sophisticated people, you've already elaborated on what some of those motives are, whether it be blackmail--which that's an interesting one, I hadn't thought about that one--to actually attempting to actually seize some form of money and the processes that are interchange of commerce, how do we get a handle on that? Because obviously this is the Commerce Committee and we have interstate commerce type jurisdiction whether we can pass it maybe to the Judiciary Committee for their responsibilities or not. But are there other areas of legislative corrections that you envision need to be made that are not embodied in any of the pending bills? Mr. Klaus. I would suggest the other oversight responsibility of this committee, which has an incredible breadth of jurisdiction and continue to have the hearings. Don't leave it up to government on the other side to do this. Government can provide a model, but I would urge you to look at other industries, cross industries. There's some interesting things with regard to insurance. There are cyber insurance policies today, now they're not based on a lot of actuarial data, because there is very little data. They're kind of seat-of-the-pants, and insurers will tell you that. But there's some interesting contradictions. For instance, physical coverage for terrorism is now available, but cyber terrorism is not covered under insurance. And the question is are you going to get boards of directors and senior leadership of companies to pay attention if, in fact, it's not. But if you mandate it, then you create a whole potential area of cost. So there's some tough balances here, and those are very interesting questions that I would submit probably fall within your jurisdiction. Mr. Deal. One quick follow up. A lot of you have said the government ought to be the one to set the example by the agencies of the government. And you've also talked about the industry trying to come up with industry type standards. One of the worst things I think the government does is to do something but do it differently from one agency to the other. Has that begun to happen, and is there any effort now to say if the government is going to initiate security protections, that it should be a uniform type security protection that every agency of the government follows the same kinds of standards? Is that happening or is it not happening? Ms. Davidson. Yes, Mr. Deal, there are some differences. For example, even among the constituency that requires security evaluations, for example, against the common criteria I have seen agency specific what they call protection profiles. So even though there's a common framework for what does it mean when you say you're secure, I have seen a number of agencies who say we want our own special Good Housekeeping seal of approval, even though it may be the exact same product. Mr. Deal. And that's for vendors attempting to sell products. Ms. Davidson. Exactly. Mr. Deal. Okay. Ms. Davidson. And that's very difficult because I would say for a large complex data server, the cost of one of these evaluations is about a half a million dollars plus, including personnel costs, make it a round million dollars all in. And for companies to do that on an unfunded basis is very difficult, particularly in these economic times. What I'd really like to see is to say if you do it once, it's good across all the agencies or the entities who have an interest in this type of product, and you could take the most discriminatory approach and say we'll make the most rigid standard rather than the least rigid standard the one that companies have to comply with. Mr. Deal. So that could be an oversight issue. Mr. Stearns. I want to thank the gentleman. And let me just conclude by thanking all the witnesses for coming this morning and this afternoon. I think it's a very good hearing. I think the conclusion is that we're hoping industry will step up to the plate and have Ms. Davidson has talked about, a level of awareness of what information technology is. If not, obviously Congress as a resort could mandate security standards, which we don't want to do. And with that, I'll adjourn the committee. [Whereupon, at 2:50 p.m. the subcommittee was adjourned.]