[108th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:90728.wais]

CYBERSECURITY AND CONSUMER DATA: WHAT'S AT RISK FOR THE CONSUMER?
=======================================================================

HEARING before the SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION of the COMMITTEE ON ENERGY AND COMMERCE, HOUSE OF REPRESENTATIVES, ONE HUNDRED EIGHTH CONGRESS, FIRST SESSION

NOVEMBER 19, 2003

Serial No. 108-52

Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/house

U.S. GOVERNMENT PRINTING OFFICE
90-728 WASHINGTON : 2003
_______________________________________________________________________

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800, DC area (202) 512-1800
Fax: (202) 512-2250
Mail: stop SSOP, Washington, DC 20402-0001

COMMITTEE ON ENERGY AND COMMERCE

W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

Majority: MICHAEL BILIRAKIS, Florida; JOE BARTON, Texas; FRED UPTON, Michigan; CLIFF STEARNS, Florida; PAUL E. GILLMOR, Ohio; JAMES C. GREENWOOD, Pennsylvania; CHRISTOPHER COX, California; NATHAN DEAL, Georgia; RICHARD BURR, North Carolina, Vice Chairman; ED WHITFIELD, Kentucky; CHARLIE NORWOOD, Georgia; BARBARA CUBIN, Wyoming; JOHN SHIMKUS, Illinois; HEATHER WILSON, New Mexico; JOHN B. SHADEGG, Arizona; CHARLES W. ``CHIP'' PICKERING, Mississippi; VITO FOSSELLA, New York; ROY BLUNT, Missouri; STEVE BUYER, Indiana; GEORGE RADANOVICH, California; CHARLES F. BASS, New Hampshire; JOSEPH R. PITTS, Pennsylvania; MARY BONO, California; GREG WALDEN, Oregon; LEE TERRY, Nebraska; ERNIE FLETCHER, Kentucky; MIKE FERGUSON, New Jersey; MIKE ROGERS, Michigan; DARRELL E. ISSA, California; C.L. ``BUTCH'' OTTER, Idaho

Minority: JOHN D. DINGELL, Michigan, Ranking Member; HENRY A. WAXMAN, California; EDWARD J. MARKEY, Massachusetts; RALPH M. HALL, Texas; RICK BOUCHER, Virginia; EDOLPHUS TOWNS, New York; FRANK PALLONE, Jr., New Jersey; SHERROD BROWN, Ohio; BART GORDON, Tennessee; PETER DEUTSCH, Florida; BOBBY L. RUSH, Illinois; ANNA G. ESHOO, California; BART STUPAK, Michigan; ELIOT L. ENGEL, New York; ALBERT R. WYNN, Maryland; GENE GREEN, Texas; KAREN McCARTHY, Missouri; TED STRICKLAND, Ohio; DIANA DeGETTE, Colorado; LOIS CAPPS, California; MICHAEL F. DOYLE, Pennsylvania; CHRISTOPHER JOHN, Louisiana; TOM ALLEN, Maine; JIM DAVIS, Florida; JAN SCHAKOWSKY, Illinois; HILDA L. SOLIS, California

Dan R. Brouillette, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______

Subcommittee on Commerce, Trade, and Consumer Protection

CLIFF STEARNS, Florida, Chairman

Majority: FRED UPTON, Michigan; BARBARA CUBIN, Wyoming; JOHN SHIMKUS, Illinois; JOHN B. SHADEGG, Arizona, Vice Chairman; GEORGE RADANOVICH, California; CHARLES F. BASS, New Hampshire; JOSEPH R. PITTS, Pennsylvania; MARY BONO, California; LEE TERRY, Nebraska; ERNIE FLETCHER, Kentucky; MIKE FERGUSON, New Jersey; DARRELL E. ISSA, California; C.L. ``BUTCH'' OTTER, Idaho; W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)

Minority: JAN SCHAKOWSKY, Illinois, Ranking Member; HILDA L. SOLIS, California; EDWARD J. MARKEY, Massachusetts; EDOLPHUS TOWNS, New York; SHERROD BROWN, Ohio; JIM DAVIS, Florida; PETER DEUTSCH, Florida; BART STUPAK, Michigan; GENE GREEN, Texas; KAREN McCARTHY, Missouri; TED STRICKLAND, Ohio; DIANA DeGETTE, Colorado; JOHN D. DINGELL, Michigan (Ex Officio)

C O N T E N T S
__________

Testimony of:
Ansanelli, Joseph G., Chairman and CEO, Vontu, Inc.
Burton, Daniel, Vice President, Governmental Affairs, Entrust Technologies
Charney, Scott, Chief Trustworthy Computing Strategist, Microsoft Corporation
Davidson, Mary Ann, Chief Security Officer, Oracle Corporation
Morrow, David B., Managing Principal, Global Security and Privacy Services, EDS
Schmidt, Howard A., Vice President, Chief Information Security Officer, eBay Inc.
Swindle, Hon. Orson, Commissioner, Federal Trade Commission
Thompson, Roger, Vice President of Product Development, PestPatrol, Inc.

CYBERSECURITY AND CONSUMER DATA: WHAT'S AT RISK FOR THE CONSUMER?
----------

WEDNESDAY, NOVEMBER 19, 2003

House of Representatives, Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection, Washington, DC.

The subcommittee met, pursuant to notice, at 10:10 a.m., in room 2123, Rayburn House Office Building, Hon. Cliff Stearns (chairman) presiding.

Members present: Representatives Stearns, Shimkus, Shadegg, Pitts, Bono, Issa, Schakowsky, Towns, Davis, Green, and McCarthy.

Staff present: Ramsen Betfarhad, policy coordinator and majority counsel; Jill Latham, legislative clerk; Jon Tripp, deputy communications director; David Cavicke, majority counsel; and David Nelson, minority counsel.

Mr. Stearns. Good morning. Welcome to the Subcommittee on Commerce, Trade, and Consumer Protection's hearing on cybersecurity and consumer data. I am pleased that we are joined this morning by a group of distinguished witnesses. And all of us look forward to your testimony.

On November 15, 2001, nearly 2 years ago to the day, the subcommittee held a hearing entitled, ``Cybersecurity: Private Sector Efforts Addressing Cyber Threats.'' The focal point of that hearing, as it is with this hearing, was cybersecurity as it related to consumer data used in stream of commerce. We are fortunate that three of our witnesses, Ms. Davidson, Mr. Schmidt, and Mr.
Morrow, all of whom testified at the hearing 2 years ago, have joined us today to reflect on what has transpired with regard to cybersecurity in the last 2 years. Normally you don't have people back to give you a little post-analysis. So we are very fortunate to have that. I am confident their insights, along with the testimony of the other witnesses, will be particularly helpful to our better understanding the issue, its evolution, and what we believe is its increasing significance.

The subcommittee's hearing 2 years ago was held in the shadow of the tragic events of September 11, when we as a Nation, it seemed, had become obsessed with security. Of course, that was and is understandable. Yet the problem that gave rise to cybersecurity concerns predated September 11: in just the years 2000 and 2001, as a result of only three cyberattacks--the ``I Love You'' and ``Code Red'' viruses and the February 2000 denial-of-service attacks--the media reported losses in excess of $10 billion. The number of cyberattacks, as reported by the Computer Emergency Response Team, CERT, at the Carnegie Mellon University, was expected to nearly double in 2001 from 2,000 to 40,000.

Now, fast forward 2 years. In 2003, the ``SQL Slammer'' worm disrupted computers around the globe. And during the attack, half of all Internet traffic was being lost. The SoBig.F virus clogged e-mail boxes and networks around the world, and became the fastest spreading virus on record, infecting 1 in 17 e-mails at its peak. Showing a bit of humor, the creator of the Blaster worm, which caused some 500,000 computers running Windows to crash, targeted the Microsoft Web site from which users could download the program and the patch to protect their vulnerability with Microsoft Windows code, the very weakness in Windows that the worm itself was exploiting.
The virus and worm attacks of 2003 did bring about disruptions, such as the SQL Slammer worm, knocking out Bank of America's ATM machines for a while, but overall they did little reported damage. Although the ultimate objective of the SoBig.F virus is not known, the 2003 vintage of viruses and worms, like most of the ones that preceded them, did not have a malicious or destructive payload. If they did, their impact would have been very, very different.

These viruses and worm attacks are external attacks to the networks, and, as such, according to some estimates, only represent 30 percent of computer attacks. The remaining 70 percent of the attacks are carried out from within the corporate firewalls. Those attacks or security breaches taking place within the corporate firewalls, many argue, are the most costly and, of course, the least reported.

I raise the issue of virus and worm payload within corporate firewall breaches, because one key question I want answered today is ``What are the real risks and costs to consumers from cybersecurity breaches, and what poses the most risk to cybersecurity?''

One response to breaches in cybersecurity by industry and government alike has been increased spending on security technologies. UBS Warburg estimates that such spending will increase from $6 billion in 2001 to over $13 billion in the year 2003. Meanwhile, other data suggests that companies spend less than just 3 percent of their technology budget on security. The technology budgets tend to be around 3 percent of revenues. So why are these expenditures so low? Some argue because there is no real understanding of quantifiable cost associated with cybersecurity breaches, even among senior managers. Is this true? This is another question for the panel to consider.
Finally, many argue that cybersecurity is not just a technological problem and thus can't be solved by adding new and improved technologies defending against cyberattacks, but, rather, they argue that it is as much a governance or management issue as it is a technological problem. Strategic decisions, such as deciding the appropriate balance between cost and risk, are ones that only senior managers can take. And without a clear mandate from the top management, cybersecurity measures will be disregarded as just simply nuisances by rank-and-file employees. Moreover, it appears that there is increased management participation mostly when it is mandated either directly or indirectly by government regulations. For example, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, or enforcement actions by the Federal Trade Commission. I want to know, are these observations accurate? If so, is there an optimum role for the Federal Government to play when it comes to protecting consumers from cybersecurity threats?

With that, I conclude my opening statement and welcome the ranking member for her opening statement.

Ms. Schakowsky. Thank you, Mr. Chairman, for convening this important hearing today. Cybersecurity is one of those words that have recently entered our lexicon. Most people are probably confused, as I was, the first time they hear or see it in print. There are no doubt several interpretations of the word. It is one of those things like electricity or television signals that we all hope someone else understands enough to assure its availability. Before widespread viruses and ID theft became somewhat of a norm, we were able to take cybersecurity for granted. Of course, it should be safe to operate a home computer or a Palm Pilot.
Unfortunately more and more Americans, a disproportionate share in and around Chicago, by the way, have come to a very personal understanding of how vulnerable our information technology, storage, and transmittal systems are. No longer is cybersecurity something over which just government and corporate technicians fret. Life savings now disappear before victims are even aware that there is a threat to the security of their personal and financial information. Highly sensitive personal information is available for sale without the knowledge, much less the consent, of targeted individuals. Americans expect that their government and the private sector institutions they rely upon for financial and other services will protect their privacy, and that those they rely on for cybersecurity will do their job. It is becoming increasingly apparent that consumers are not being adequately protected.

Estimates of the economic impact of cybercrimes on society vary widely. One of our witnesses will tell us that identity theft alone totaled $24 billion last year, and is expected to escalate to $73 billion by the end of this year. If he is correct, this means that identity theft will cost Americans more, perhaps much more, than the authorized cost of the war in Iraq. Another witness tells us that 1 in 10 Americans has been victimized by identity theft. Each of these heists is estimated to cost nearly $10,000; clearly this problem is reaching epidemic proportions.

Added to the economic cost is the loss of our invaluable privacy. We are all aware of the Orwellian dangers that may flow from personal information that the government can tap, using sophisticated technology. What many of us do not adequately understand is the danger of intrusive prying by private interests. The expropriation of commercially useful data from each and every one of us that accesses the Internet from a computer where personal information is stored is a continuous process.
And, of course, there is no reason to believe that firms interested in selling us something are the only ones looking.

I look forward to the testimony of the Federal Trade Commission regarding what the Federal Government is doing to control this electronic crime spree. I hope in the future we can also hear from the Justice Department or the agencies that regulate financial institutions, because it is my understanding that much, if not most, of identity theft is perpetrated by employees of banks, insurance companies, and the like. I would have liked to hear directly from those private institutions as well.

Nonetheless, Mr. Chairman, I am looking forward to hearing from the witnesses you have assembled. I am sure they will be able to give us a sufficiently comprehensive picture of the problems with our cybersecurity systems from which we can fashion whatever policy changes may be necessary to protect the privacy, pocketbook, and safety of our constituents. And, Mr. Chairman, I look forward to working with you, as always, to end this epidemic. I look forward to hearing from each of our witnesses, and I thank them for taking time to share their expertise with us today.

Mr. Stearns. I thank the gentlelady. The gentlelady from California, Ms. Bono.

Mrs. Bono. Good morning, and thank you, Mr. Chairman. I look forward to hearing from your colleagues and the witnesses on the issue of cybersecurity as it relates to consumers. Cybersecurity and the protection of consumer data is a very real issue that the government, businesses, and consumers alike must acknowledge and respond to. Of course, there are many things that consumers can do to protect themselves. Antivirus software and patches are regularly available for downloading and updating. Moreover, one should always be cautious while downloading software. Consumers should avoid opening e-mails from strangers and should be hesitant to disclose personally identifiable information over nonsecure sites.
However, the methods of hacking into computers and data bases are just as evolving as the technologies on which they reside and function.

Recently I introduced H.R. 2929, also known as the Safeguards Against Privacy Invasions Act, or the Spy Act. This bill aims to put consumers in the loop. Unfortunately, consumers regularly and unknowingly download software programs that have the ability to track their every move. Consumers are sometimes informed when they download such software. However, the notice is buried deep inside multi-thousand-word documents that are filled with technical terms and legalese that would confuse even a high-tech expert. Many spyware programs are purposefully designed to shut off any antivirus or firewall software program it detects.

The Spy Act would help prevent Internet spying by requiring spyware entities to inform computer users of the presence of such software, the nature of spyware, and its intended function. Moreover, before downloading such software, spyware companies would first have to obtain permission from the computer user. This is a very basic concept. The PC has become our new town square and global market as well as our private data base. If a consumer downloads software that can monitor the information shared during transactions for the sake of the consumer as well as e-commerce, it is imperative that the consumer be informed of whom he or she is inviting into their computer and what he or she is capable of. After being informed, the consumer should have the chance to decide whether to continue with that download.

Since the introduction of H.R. 2929, I have had the opportunity to speak with many different sectors of the technology industry and retail businesses that operate on the Internet. Through these discussions I have received meaningful feedback, and I am currently working on refining H.R. 2929.
Once installed on computers, some spyware programs--like viruses embedded among code for other programs--in effect affect how these programs function on the user's computer. Additionally, spyware is becoming more and more difficult to detect and remove. Usually such programs are bundled with another unrelated application that cannot be easily removed, even after the unrelated application has been removed.

According to a recent study, many problems with computer performance can be linked in some way to spyware and its applications. Additionally, some computers have several hundred spyware advertising applications running, which inevitably slow down computers and can cause lockups. If you have spyware on your computer, you most likely are getting more pop-up advertisements than you would have if you have had no such software on your computer. Moreover, the advertisers may not always be forthcoming. Many times spyware entities contract with companies to post advertisements and, in turn, post such advertisements on the Web sites of competitors. The result is confusion. In other words, while visiting the Web site for Company A, you may be browsing to purchase a product. However, while browsing, a pop-up link may appear, informing you of a great sale. Under the impression that you are looking at a link for Company A, you may purchase the product, all the while uninformed that the product was purchased via a pop-up link from Company B. I have often thought that this would be a very effective campaign tool, too, to put out a link and have someone go to my opponent's Web site and my Web site pops up.

All of these consumer disadvantages can be decreased or eliminated if disclosures surrounding spyware are required and enforced. If consumers are informed about spyware, chances are they will not choose to download the software.
Upon choosing not to download software, consumers' computers will run more efficiently, their antivirus programs and firewalls will function better, they can decide which information to share and not share, and consumers will not be deceived into buying a product or service from unknown entities or voting for our opponents. Thank you, and I look forward to hearing from the witnesses on the issue.

Mr. Stearns. I thank the gentlelady. Mr. Green.

Mr. Green. Thank you, Mr. Chairman. I thank you and our ranking member for holding this important hearing on cybersecurity and its impact on consumers. The proliferation of Internet-based services and commerce has dramatically changed the world we live in, and many of these changes have been for the better, with consumers able to make almost any purchase imaginable on line. Unfortunately, these computing advances also create a fertile ground for fraudulent activities and thus increase the pressing need for computer security.

The problems are coming from all directions. We have viruses, computer worms that are attempting to swarm our networks and are causing terrible harm to computer users and billions in damages to U.S. businesses. We have unsolicited e-mails taking over our in-boxes, spam that at the very least is an annoyance and at worst is helping to transmit these computer viruses and deliver pornographic e-mails to our children.

Mr. Chairman, if I could ask unanimous consent to put in an article from Business Week that was published on August 12 about the unholy matrimony, spam versus virus.

Mr. Stearns. By unanimous consent, so ordered.
[The article referred to follows:]

[Business Week--August 12, 2003]

Unholy Matrimony: Spam and Virus
By Jane Black

Their common goal is subterfuge, and by combining their strategies, they could make today's junk e-mail look like a mere nuisance

In June, half of all e-mail was spam--those annoying unsolicited messages that hawk everything from porn and Viagra to mortgage-refinancing deals and weight-loss patches. But if you think spam is out of control, prepare yourself. It could get a lot worse.

Over the past few months, e-mail security companies have seen mounting evidence that spammers are using virus-writing techniques to assure that their sales pitches get through. At the same time, intrepid virus writers have latched onto spammers' trusty mass-mailing techniques in an effort to wreak widespread digital mayhem. ``What we're seeing is the convergence of the spammer and the malicious code writer,'' says David Perry, global director of education at antivirus company Trend Micro (TMIC).

RELAY STATIONS. Witness the recent spread of a virus known as Webber, which was discovered on July 16. It carried the subject line ``Re: Your credit application.'' Users who opened the attachment downloaded a malicious program that turned a home PC into a so-called open relay server, which allows a third party to send or receive e-mail--including spam--remotely from that PC. Spammers are notorious for using open relays to hide their identities. According to British e-mail security company MessageLabs, 70% of spam comes through open relays.

Then there's Sobig.E, a virus that grabs e-mail addresses from several different locations on a PC, including the Windows address book and Internet cache files. Sobig.E then tries to send a copy of itself to each address. It also uses one of the stolen addresses to forge the source of the message, so that it appears to come from someone else.
MessageLabs believes Sobig.E is a spammers' virus designed to harvest legitimate e-mail addresses from users' computers. So far, no concrete evidence shows any home PCs that have been infected by either Webber or Sobig.E have been used to send spam. But experts fear that the two viruses could be ``spam zombies,'' programs that will lie in wait on a PC until called on by the spammer to send out millions of untraceable e-mails.

``I LOVE YOU'' MORE. The convergence of spam and malicious code makes sense, says Chris Miller, Symantec's (SYMC) group product manager for enterprise e-mail security. ``They have a common goal--to do what they're doing without being seen,'' Miller says. Virus writers and spammers send out their messages from illegitimate e-mail accounts, never from the ISPs where they are registered.

It isn't hard to see where the union of these two insidious groups' techniques might lead. Using such weapons as Sobig.E and Webber, spammers can hijack a user's address book, then use the PC to send out hundreds, even thousands, of junk messages. And virus writers can use mass-mailing techniques to spread malicious code even faster than before. The destructive ``I Love You'' virus of 2000 was originally sent to a small number of people. Within days it had affected tens of millions of computers and caused damage worth hundreds of millions of dollars. Imagine if, like spam, it had originally been mailed to a half-million computers.

Security experts cite other recent examples of spam-virus convergence:

Key-logger Trojans. In May, 2003, a major food-manufacturing company received a spam e-mail that, when viewed in a preview pane in Microsoft Outlook, showed a message that appeared to be an opportunity to sign up for a newsletter. First, though, the message asked the recipient to verify their e-mail log-on ID and password.
That information was collected by the key-logger code and then sent to the spammer, who could then log into the user's e-mail at any time and search for valuable information.

Drive-by downloads. Recent spam sent to a major airline manufacturer led unsuspecting users to Web pages where spying software was secretly downloaded without the user's knowledge. So-called spyware monitors a user's activity on the Internet and transmits that information to someone else, usually an advertiser or online marketer. Spyware can also gather information about e-mail addresses, passwords, and credit-card numbers. Drive-by downloads can be done without either notifying the user or asking permission because many users accept such a download without question, thinking it's a normal function of the Web site.

CALL IT ``MALWARE.'' According to the strictest definitions, key loggers and drive-by downloads aren't viruses, which are programs that replicate themselves. (If you've seen The Matrix Reloaded, think of the way Agent Smith makes infinite copies of himself to try to destroy Keanu Reeves' Neo.) A Trojan is a program that rolls into your computer unannounced, then persuades the computer to launch it through fraud. As spam and malicious code converge, however, such definitions are becoming less useful. That's why experts like Trend Micro's Perry are now looking at a broader term--``malware''--to describe any program with malicious intent.

``With traditional hackers, the motivation has always been to prove that you're a rad dude,'' Perry said in a phone interview from the Las Vegas hacker convention DefCon. ``But when we start seeing these techniques used for commercial gain like spam, it's going to get a whole lot more serious.'' Cybersurfers, beware.

Mr. Green. Thank you, Mr. Chairman.
We can all agree that spam is a serious problem that both Congress and the private sector should address quickly, and I hope that Congress will act before the end of the session to enact the Wilson-Green Antispam Act of 2003, which is the strongest antispam bill in Congress. And, Mr. Chairman, again, I would like to ask unanimous consent to place into the record a letter by the Internet Committee of the National Association of Attorneys General that talks about the Senate bill that passed and the need for strong legislation.

Mr. Stearns. By the unanimous consent, so ordered.

[The letter follows:]
[GRAPHIC] [TIFF OMITTED] 90728.001 through 90728.005

Mr. Green. Thank you, again, Mr. Chairman. When we investigate cybersecurity, however, we must also consider the increasing troubles and problem of identity theft. According to the Federal Trade Commission, identity theft is the most common complaint from consumers in all 50 States. With simple personal information such as name, Social Security number, or credit card number, identity thieves can commit fraud or other crimes in our name. The implications for victims of identity theft can't be overexaggerated. They can easily include damaged credit records, unauthorized credit card charges, and bank withdrawals, not to mention the months or even years that it takes for victims to restore their good names and credit records.

The magic question remains, how can we prevent these computer-related security problems that seem to be spiraling out of control? With the increased organization, efficiency, and productivity that computer systems offer, it is safe to say that our dependence on computers will continue to rise; therefore, we must ensure that we take the appropriate precautions to ensure that any information stored in or transmitted through computers, be it personal, medical, or financial, is secure.
We also need to examine the extent to which the Federal Government and other law enforcement mechanisms can help solve this problem. By some estimates, less than 30 percent of computer attacks come from outside of a company or computer system. That being said, I think we have to work with the private sector to take a hard look at the practices companies are putting in place to combat attacks within their own firewall. I am also interested to hear our witnesses' experience with cybersecurity and learn their opinions on how best we can go about solving these problems. And, again, I would like to thank our panel today, and look forward to their testimony. Thank you, Mr. Chairman and Ranking Member Schakowsky.

Mr. Stearns. Thank you. Mr. Pitts.

Mr. Pitts. Thank you, Mr. Chairman. And thank you for convening this important hearing on cybersecurity. Rapid advances in technology are greatly impacting the lives of every American. Computer software, information systems, and cybernetworks are revolutionizing the way that we communicate, and the way we conduct business and provide services. And while there is a lot of good in the advances, there is also great potential for harm. Technology is a cat-and-mouse game. Each advancement of technology leads to an exploitation that we must vigilantly guard against, and the hearing this morning takes a look at the myriad threats to cybersecurity.

One area that I am greatly concerned about is the development of peer-to-peer software. Peer-to-peer software allows individuals to download and trade files, many of which are illegal, with one another. It has also become the latest vehicle that pedophiles use to exploit and abuse innocent children by distributing child pornography. And peer-to-peer software can cause any personal information stored in a computer, such as financial or medical records, to be inadvertently shared with anyone else with the same software. And that is why my colleague Chris John and I introduced H.R.
2885, ``The Protecting Children from Peer to Peer Pornography Act.'' Mr. Chairman, I appreciate your interest in this issue. It is my hope that we can have a hearing in the near future dedicated to taking a closer look at this dangerous new software that threatens our children or a person's privacy and our cybersecurity in general. Thank you, Mr. Chairman.

Mr. Stearns. Thank you. The gentleman from New York, Mr. Towns.

Mr. Towns. Thank you very much, Mr. Chairman. The Internet will never reach its fullest potential unless consumers feel comfortable and confident while surfing the Web and partaking in e-commerce. How can we ask citizens to put personal information, such as credit cards, PIN numbers, onto the computer if they are worried about issues such as identity theft, spam, or other privacy protections? It seems that every time we turn around there is a new virus harming commerce on the Internet, and the most pressing of these data and privacy abuses is what has come to be known as spyware.

Spyware is a particularly dangerous threat to the future of e-commerce and Internet consumer confidence. Many times consumers do not even know what this software--which can track all movements on a computer, copy keystrokes, and open security holes in networks--is open on their system, much less have the knowledge it takes to get them removed. It should also be noted that many of the peer-to-peer programs such as Kazaa and Morpheus are funded largely by allowing these spyware companies to piggyback on their network, allowing for corporate entities to gain information about our children and their on-line habits.

I am proud to be the lead Democratic sponsor of H.R. 2929, the Safeguard Against Privacy Invasion Act, with my friend from California, Mrs. Bono. This bill will ban these programs from being downloaded from the Internet to unknowing consumers.
It is a commonsense approach to privacy protection, and I would like to thank the many members on both sides of the aisle from this committee who have chosen to cosponsor the bill with us, and look forward to working closely with the leadership to ensure its passage through the committee. On that note, Mr. Chairman, I yield back the balance of my time.

Mr. Stearns. I thank the gentleman. Mr. Shimkus.

Mr. Shimkus. Thank you, Mr. Chairman, and I will be brief. I always want to take the opportunity to, especially in consumer protection that deals with the Internet and cybersecurity, to continue to mention .kids.us as a place safe for kids, that was passed into law, signed by the President, and now we have groups that are using it: Smithsonian.kids.us, it is safe, no hyperlinks, no chatrooms for kids under the age of 13. And so I use the bully pulpit here to continue to help build interest and movement for people to take use of .kids.us. Other than that, Mr. Chairman, I know we have got a great panel of people testifying. I want to get to that. Thank you for the time. And I yield back.

Mr. Stearns. I thank the gentleman. The gentlelady from Missouri.

Ms. McCarthy. Mr. Chairman, I want to thank you for pulling together such a distinguished panel of experts for our work today. I am going to put my remarks in the record so that we can get on learning about the wisdom that is here to be shared.

Mr. Stearns. I thank the gentlelady. And the vice chairman of the committee, Mr. Shadegg.

Mr. Shadegg. Thank you, too, Mr. Chairman. I too want to thank you for holding this important hearing today and for putting together a tremendous panel for us to learn from. And I do want to mention that both as a member of this subcommittee, and as a member of the Select Homeland Security Committee, I worry deeply about these issues.
I have devoted a great deal of time to them, having written in 1998 the Identity Theft and Assumption Deterrence Act, which made identity theft a Federal crime for the first time. We have already heard here this morning the degree to which millions of Americans are victimized by that crime, and that we are losing billions of dollars to it. The Fair Credit Reporting Act, which is now in conference, includes some important provisions to deal with that issue. But there is much more we can do. And I appreciate, Mr. Chairman, your holding this hearing, and I look forward to the testimony of the witnesses. Mr. Stearns. I thank my colleague. [Additional statement submitted for the record follows:] Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee on Energy and Commerce Mr. Chairman, thank you for calling this important hearing today. Cyber security is a very serious concern in today's digital world, and as our global economy and all of our lives rely more and more on computers, it will become essential that we ensure that our nation's computers--corporate, government, and personal computers--are safe from the hackers and other malefactors in the digital environment. We've learned in the last few years how much damage viruses and worms, such as ``Sobig.F'' and ``Blaster,'' can do to our computer infrastructure. In fact, the New York Times estimated that the cost of the ``I Love you'' virus alone--which seriously affected this House and this Committee--may have reached as much as $15 billion. Computers affect almost every aspect of our daily lives. From our computers at home and our personal e-mail accounts, to the daily work of the public and private sectors, the role of computers in our society is so ubiquitous as to go almost unnoticed at times. The security of these systems however cannot go unnoticed.
Not only can the e-mail system of the House of Representatives be hindered or disabled, but one shudders to think of the damage that could be done to countless consumers if someone was able to infiltrate one of the many enormous databases in this country and steal the personal information--from credit card numbers to music preferences--of millions of Americans. This kind of theft and misuse of personal data is not yet a widespread problem, but unless we all facilitate and encourage open discussion about how we best combat the bad actors, we will only see these problems grow. Most computer scientists don't say ``if'' when discussing this possibility, they say ``when.'' They believe that a truly debilitating virus will inevitably make its way around the Internet sometime in the relatively near future. Companies must take a preventive approach when looking at solutions to security problems. They must realize that, as the old adage says, ``An ounce of prevention is worth a pound of cure.'' We must combat technology with technology. Investment must be made in the security of vital and sensitive systems, in order to ensure the confidence of the American people in the retail, banking, and health care computer systems they depend upon. But simply investing in technology to combat viruses is not enough. In the end, the private sector and the American people must work in concert to best protect the computers and networks we all use. The private sector needs to reevaluate its vulnerabilities as well as its current security priorities. The public needs to be better educated about anti-virus software and personal firewalls for their home computers, as well as the insidious ``SpyWare'' technology that can monitor individuals' computers and their actions on the Internet. I know the gentlelady from California, Ms. Bono, has introduced a bill-- H.R. 
2929, ``The Safeguard Against Privacy Invasions Act''--that attempts to deal with this concern, and I look forward to working with her on the bill to try to prevent these intrusions. In the end, Mr. Chairman, it seems that the genie is out of the proverbial bottle, and this problem is not going to go away on its own. It is up to all of us to work together to safeguard our computer infrastructure to prevent the next serious virus from becoming a nationwide, indeed even a worldwide problem. Thank you, and I yield back the balance of my time. Mr. Stearns. And with that, we will start with the panel and welcome the Honorable Orson Swindle, the Commissioner of the Federal Trade Commission; Mr. Howard Schmidt, Vice President, Chief Information Security Officer of eBay; Mr. Scott Charney, Chief Trustworthy Computing Strategist from Microsoft Corporation; Mr. David Morrow, Managing Principal, Global Security and Privacy Services; Ms. Mary Ann Davidson, Chief Security Officer, Oracle Corporation; Mr. Joseph G. Ansanelli, Chairman and CEO of Vontu, Incorporated; Mr. Daniel Burton, Vice President of Government Affairs, Entrust Technologies; and Mr. Roger Thompson, Vice President of Product Development, PestPatrol, Incorporated. And we will let Commissioner Swindle start. We will go from my right to my left. I welcome you. STATEMENTS OF HON. ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE COMMISSION; HOWARD A. SCHMIDT, VICE PRESIDENT, CHIEF INFORMATION SECURITY OFFICER, eBAY INC.; SCOTT CHARNEY, CHIEF TRUSTWORTHY COMPUTING STRATEGIST, MICROSOFT CORPORATION; DAVID B. MORROW, MANAGING PRINCIPAL, GLOBAL SECURITY AND PRIVACY SERVICES, EDS; MARY ANN DAVIDSON, CHIEF SECURITY OFFICER, ORACLE CORPORATION; JOSEPH G. ANSANELLI, CHAIRMAN AND CEO, VONTU, INC.; DANIEL BURTON, VICE PRESIDENT, GOVERNMENTAL AFFAIRS, ENTRUST TECHNOLOGIES; AND ROGER THOMPSON, VICE PRESIDENT OF PRODUCT DEVELOPMENT, PESTPATROL, INC. Mr. Swindle. Thank you, Mr. Chairman. Mr. 
Chairman, members of the subcommittee, I appreciate the opportunity to present the Commission's views on Cybersecurity and Consumer Data: What is at risk for the consumer? At the outset, I believe that it is important that we not lose sight of the forest for the trees. Cybersecurity is a vast issue that faces many threats, and the challenges that the Commission faces in protecting consumers in cyberspace are numerous. The Commission takes action to protect consumers from fraud, whether they are individuals or companies who engage in identity theft, use a pretext to obtain personal information, employ deceptive spam to trick consumers into providing personal and financial information (phishing), misrepresent the sender of spam to misdirect the ``remove me'' request to an innocent third party (spoofing), or exploit computer system vulnerabilities in order to extort money from consumers (D Squared Solutions). Consumers are also placed at risk by their own conduct, such as through peer-to-peer file-sharing or failing to use firewalls and antivirus software. While there are many challenges to cybersecurity, I will focus my remarks on companies who obtain and control consumer information. The Commission addresses information security concerns through aggressive law enforcement actions, consumer and business education, and international cooperation. Through these efforts we strive to enhance the security of information systems and networks and bring attention to the fact that all users of information technology, that is, government, industry, and the general public, must play a role in this effort. If companies fail to keep their express and implied promises to protect sensitive information obtained from consumers, then those promises are deceptive. The Commission has brought enforcement actions against such companies for violating Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive practices.
Three of these Commission cases illustrate some important principles. The case against Eli Lilly demonstrates that a company's security procedures must be appropriate for the kind of information it collects and maintains. Despite promises to maintain security of sensitive information, Eli Lilly inadvertently disclosed the names of consumers who used a prescription drug. Our case against Microsoft illustrates that there can be law violations without a known or actual breach of security. Microsoft promised consumers that it would maintain a high level of security for its Passport and Passport Wallet system of accounts. Even though there was no actual security breach, after reviewing Microsoft's systems, the Commission alleged that Microsoft failed to take reasonably appropriate measures to maintain the security of consumers' personal information. The case against Guess, Inc. illustrates that good security depends upon an ongoing process of risk assessment, identifying vulnerabilities, and taking reasonable steps to minimize or eliminate those risks. We alleged that Guess stored consumers' information, including credit card numbers, in clear unencrypted text, despite claims to the contrary. Unencrypted information is vulnerable to attackers, something that is well known in the industry and can be corrected. The Commission's settlements in these three cases require the companies to implement comprehensive information security programs. In addition, Microsoft and Guess must obtain an independent security audit every 2 years. The Commission has engaged in a broad and continuing awareness and outreach campaign to educate businesses, consumers, and political leaders about the importance of cybersecurity. We work closely with industry, government agencies, and consumer groups to expand awareness. This is the single most essential element in creating a culture of security that is increasingly necessary for the protection of our critical infrastructure. 
We have a first-class Web site focusing on safe computing practices. Our site provides a wealth of information on cybersecurity and how each of us can and must contribute to the effort. Our Web site registered more than 400,000 visits in the first year of deployment, making it one of the most popular FTC Web pages. And, a Google search recently indicates that 445 other Web sites link to our security site. Every House and Senate office has a copy of our safe computing disk. And I might add, I will hold this up, and I think there is a package on your desk with a lot of our information security material in the package. This CD disk was designed to assist each Member of Congress and staff in educating constituents on safe computing practices. Several Members of Congress have constructed excellent information security pages on their Web sites using information from the FTC. Each Member is an outstanding leader within his or her community and district. As the FTC's authorizing body and as the leaders in consumer protection, this committee in particular can partner with us effectively in our consumer awareness efforts on information security. Our staff and I personally are standing by to help you and join with you in leading. In addition to law enforcement and our awareness campaign, the Commission has taken an active leadership role in international efforts promoting cybersecurity. In 2002, the FTC led the U.S. Delegation, working with the OECD, to revise its security guidelines. The revised guidelines serve as an excellent, common sense starting point for government, business, and organizations to implement information security. They address accountability, awareness, and action by all participants and form the basis for international cooperation toward establishing a culture of security. The guidelines have been embraced by the United Nations, APEC, nongovernment organizations, and many international businesses and associations. 
In conclusion, attaining adequate information security will be a continuing journey; a long project, where complacency is not an option. I look forward to responding to your questions. Thank you. [The prepared statement of Hon. Orson Swindle follows:] Prepared Statement of Hon. Orson Swindle, Commissioner, Federal Trade Commission i. introduction Mr. Chairman, and members of the subcommittee, I am Commissioner Orson Swindle.[1] I appreciate the opportunity to appear before you today to discuss the Federal Trade Commission's role in protecting information security and its importance to both consumers and businesses. Today, maintaining the security of our computer-driven information systems is essential to every aspect of our lives. A secure information infrastructure is required for the operation of everything from our traffic lights to our credit and financial systems, including our nuclear and electrical power supplies, and our emergency medical service. We are all, therefore, directly or indirectly linked together by this infrastructure. Consumers rely on and use computers at work and at home; increasingly, more consumers are making purchases over the Internet and paying bills and banking online. These interconnected information systems provide enormous benefits to consumers, businesses, and government alike. At the same time, however, these systems can create serious vulnerabilities that threaten the security of the information stored and maintained in these systems as well as the continued viability of the systems themselves. Every day, security breaches cause real and tangible harms to businesses, other institutions, and consumers.[2] These breaches and the harm they do shake consumer confidence in the companies and systems to which they have entrusted their personal information. ii.
the federal trade commission's role The Federal Trade Commission has a broad mandate to protect consumers and the Commission's approach to information security is similar to the approaches taken in our other consumer protection efforts. As such, the Commission has sought to address concerns about the security of our nation's computer systems through a combined approach that stresses the education of businesses, consumers, and government agencies about the fundamental importance of good security practices; law enforcement actions; and international cooperation. Our program encompasses efforts to ensure the security of computer networks, an understanding that we all have a role to play, as well as efforts to ensure that companies keep the promises they make to consumers about information security and privacy. In information security matters, our enforcement tools derive from Section 5 of the FTC Act,[3] which prohibits unfair or deceptive acts or practices, and the Commission's Gramm-Leach-Bliley Safeguards Rule (``Safeguards Rule'' or ``Rule'').[4] Our educational efforts include business education to promote compliance with the law, consumer and business education to help promote a ``Culture of Security,'' international collaboration, public workshops to highlight emerging issues, and outreach to political leaders. A.
Section 5 The basic consumer protection statute enforced by the Commission is Section 5 of the FTC Act, which provides that ``unfair or deceptive acts or practices in or affecting commerce are declared unlawful.''[5] The statute defines ``unfair'' practices as those that ``cause[] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.''[6] To date, the Commission's security cases have been based on deception,[7] which the Commission and the courts have defined as a material representation or omission that is likely to mislead consumers acting reasonably under the circumstances.[8] The companies that have been subject to enforcement actions have made explicit or implicit promises that they would take appropriate steps to protect sensitive information obtained from consumers. Their security measures, however, proved to be inadequate; their promises, therefore, deceptive. Through the information security enforcement actions, the Commission has come to recognize several principles that govern any information security program. 1. Security procedures should be appropriate under the circumstances First, a company's security procedures must be appropriate for the kind of information it collects and maintains. Different levels of sensitivity may dictate different types of security measures. It is highly problematic when a company inadvertently releases sensitive personal information due to inadequate security procedures. The Commission's first information security case, Eli Lilly,[9] involved an alleged inadvertent disclosure of sensitive information despite the company's promises to maintain the security of that information.
Specifically, Lilly put consumers' e-mail addresses in the ``To'' line of the e-mail that was sent to Prozac users who subscribed to a service on Lilly's website, essentially disclosing the identities of all of the Prozac user-subscribers. Given the sensitivity of the information involved, this disclosure was a serious breach. Nevertheless, the Commission recognized that there is no such thing as ``perfect'' security and that breaches can occur even when a company has taken all reasonable precautions. Therefore, the Commission construed statements in Lilly's privacy policy as a promise to take steps ``appropriate under the circumstances'' to protect personal information. Similarly, the complaint alleged that the breach resulted from Lilly's ``failure to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information.''[10] The focus was on the reasonableness of the company's efforts. According to the complaint in the Lilly matter, the company failed, among other things, to provide appropriate training and oversight for the employee who sent the e-mail and to implement appropriate checks on the process of using sensitive customer data. The order contains strong relief that should provide significant protections for consumers, as well as ``instructions'' to companies. First, it prohibits the misrepresentations about the use of, and protection for, personal information. Second, it requires Lilly to implement a comprehensive information security program similar to the program required under the FTC's Gramm-Leach-Bliley Safeguards Rule, which is discussed below. Finally, to provide additional assurances that the information security program complies with the consent order, every year the company must have its program reviewed by a qualified person to ensure compliance. 2.
Not All Security Breaches Are Violations of FTC Law The second principle that arises from the Commission's enforcement in the information security area is that not all breaches of information security are violations of FTC law--the Commission is not simply saying ``gotcha'' for security breaches. Although a breach may indicate a problem with a company's security, breaches can happen, as noted above, even when a company has taken every reasonable precaution. In such instances, the breach will not violate the laws that the FTC enforces. Instead, the Commission recognizes that security is an ongoing process of using reasonable and appropriate measures in light of the circumstances. When breaches occur, our staff reviews available information to determine whether the incident warrants further examination. If it does, the staff gathers information to enable us to assess the reasonableness of the company's procedures in light of the circumstances surrounding the breach. This allows the Commission to determine whether the breach resulted from the failure to have procedures in place that are reasonable in light of the sensitivity of the information. In many instances, we have concluded that FTC action is not warranted. When we find a failure to implement reasonable procedures, however, we act. 3. Law Violations Without a Known Breach of Security The Commission's case against Microsoft[11] illustrates a third principle--that there can be law violations without a known breach of security. Because appropriate information security practices are necessary to protect consumers' privacy, companies cannot simply wait for a breach to occur before they take action. Particularly when explicit promises are made, companies have a legal obligation to take reasonable steps to guard against reasonably anticipated vulnerabilities. Like Eli Lilly, Microsoft promised consumers that it would keep their information secure.
Unlike Lilly, there was no specific security breach that triggered action by the Commission. The Commission's complaint alleged that there were significant security problems that, left uncorrected, could jeopardize the privacy of millions of consumers. In particular, the complaint alleged that Microsoft did not employ ``sufficient measures reasonable and appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained through Passport and Passport Wallet.''[12] The complaint further alleged that Microsoft failed to have systems in place to prevent unauthorized access; detect unauthorized access; monitor for potential vulnerabilities; and record and retain systems information sufficient to perform security audits and investigations. Again, sensitive information was at issue--financial information including credit card numbers. Like the Commission's order against Eli Lilly, the Microsoft order prohibits any misrepresentations about the use of, and protection for, personal information and requires Microsoft to implement a comprehensive information security program. In addition, Microsoft must have an independent professional certify, every two years, that the company's information security program meets or exceeds the standards in the order and is operating effectively. 4. Good Security is an Ongoing Process of Assessing Risks and Vulnerabilities The Commission's third case, against Guess, Inc.,[13] highlighted a fourth principle--that good security is an ongoing process of assessing and addressing risks and vulnerabilities. The risks companies and consumers confront change over time. Hackers and thieves will adapt to whatever measures are in place, and new technologies likely will have new vulnerabilities waiting to be discovered. As a result, companies need to assess the risks they face on an ongoing basis and make adjustments to reduce these risks.
The Guess case highlighted this crucial aspect of information security in the context of web-based applications and the databases associated with them. Databases frequently house sensitive data such as credit card numbers, and Web-based applications are often the ``front door'' to these databases. It is critical that online companies take reasonable steps to secure these aspects of their systems, especially when they have made promises about the security they provide for consumer information. In Guess, the Commission alleged that the company broke such a promise concerning sensitive information collected through its website, www.guess.com. According to the Commission's complaint, by conducting a ``web-based application'' attack on the Guess website, an attacker gained access to a database containing 191,000 credit card numbers. This particular type of attack was well known in the industry and appeared on a variety of lists of known vulnerabilities. The complaint alleged that, despite specific claims that it provided security for the information collected from consumers through its website, Guess did not: employ commonly known, relatively low-cost methods to block web-application attacks; adopt policies and procedures to identify these and other vulnerabilities; or test its website and databases for known application vulnerabilities, which would have disclosed that the website and associated databases were at risk of attack. Essentially, the Commission alleged that the company had no system in place to test for known application vulnerabilities or to detect or to block attacks once they occurred. In addition, the complaint alleged that Guess misrepresented that the personal information it obtained from consumers through www.guess.com was stored in an unreadable, encrypted format at all times; but, in fact, after launching the attack, the attacker could read the personal information, including credit card numbers, stored on www.guess.com in clear, unencrypted text.
As in its prior security cases, the Commission's emphasis in Guess was on reasonableness. When the information is sensitive, the vulnerabilities well known, and the fixes inexpensive and relatively easy to implement, it is unreasonable simply to ignore the problem. As in the prior orders, the Commission's order against Guess prohibits the misrepresentations, requires Guess to implement a comprehensive information security program, and, like Microsoft, requires an independent audit every two years. B. GLB Safeguards Rule In addition to our enforcement authority under Section 5 of the FTC Act, the Commission also has responsibility for enforcing its Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions under the FTC's jurisdiction to develop and implement appropriate physical, technical, and procedural safeguards to protect customer information.[14] The Rule became effective on May 23 of this year, and the Commission expects that it will quickly become an important enforcement and guidance tool to ensure greater security for consumers' sensitive financial information. The Safeguards Rule requires a wide variety of financial institutions to implement comprehensive protections for customer information--many of them for the first time. If fully implemented by companies, as required, the Rule could go a long way to reduce risks to this information, including identity theft. The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information. Due to the wide variety of entities covered, the Rule requires a plan that accounts for each entity's particular circumstances--its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
As part of its plan, each financial institution must: (1) designate one or more employees to coordinate the safeguards; (2) identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks; (3) design and implement a safeguards program, and regularly monitor and test it; (4) hire appropriate service providers and contract with them to implement safeguards; and (5) evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards. The Safeguards Rule requires businesses to consider all areas of their operation, but identifies three areas that are particularly important to information security: employee management and training; information systems; and management of system failures. Prior to the Rule's effective date, the Commission issued guidance to businesses covered by the Safeguards Rule to help them understand the Rule's requirements.[15] Commission staff also met, and continues to meet, with a variety of trade associations and companies to alert them to the Rule's requirements and to gain a better understanding of how the Rule is affecting particular industry segments. Now that the Rule is effective, the Commission is investigating compliance by covered entities. C. Education and workshops In addition to our law enforcement efforts and conducting outreach under the Commission's Safeguards Rule, the Commission has engaged in a broad educational campaign to educate businesses and consumers about the importance of information security and the precautions they can take to protect or minimize risks to personal information.
These efforts have included creation of an information security ``mascot,'' Dewie the e-Turtle, who hosts a portion of the FTC website devoted to educating businesses and consumers about security,[16] publication of business guidance regarding common vulnerabilities in computer systems,[17] speeches by Commissioners and staff about the importance of this issue, and outreach to the international community. Many offices in the Commission, including the Commission's Bureau of Consumer Protection, the Office of Public Affairs, and the Office of Congressional Relations, have participated in this effort to educate consumers and businesses. The Commission's outreach effort is centered on the Commission's information security website.[18] The website registered more than 400,000 visits in its first year of deployment, making it one of the most popular FTC web pages. The site is now available in CD-ROM and PDF format and frequently updated with new information for consumers on cybersecurity issues. In addition, the Commission's Office of Consumer and Business Education has produced a video news release, which has been seen by an estimated 1.5 million consumers; distributed 160,000 postcards featuring Dewie and his information security message to approximately 400 college campuses nationwide; and coordinated the 2003 National Consumer Protection Week with a consortium of public- and private-sector organizations around the theme of information security. Finally, the Commission's Office of Congressional Relations has conducted outreach through constituent service representatives in each of the 535 House and Senate member offices by mailing ``Safe Computing'' CDs.
We would like to thank Chairman Stearns for his leadership on the issue of cybersecurity, and for encouraging his colleagues, in his July 18, 2003 ``Dear Colleague'' letter announcing the delivery of the FTC's safe Internet practices outreach kit, to educate their constituents on safe computing practices. In addition, the Commission uses opportunities that arise in non-security cases to educate the public about security issues. For example, in early November, the Commission announced that a district court issued a temporary restraining order in an action against D Squared Solutions, and its principals.[19] The complaint alleged that the defendants operated a scam that barraged consumers' computers with repeated Windows Messenger Service pop-up ads--most of which advertised software that consumers could purchase for about $25 to block future pop-ups. Part of what made the defendants' conduct so egregious is that consumers continued to be bombarded by pop-ups, even when they were off of the Internet and working in other applications such as word-processing or spreadsheet programs, and that the defendants allegedly either sold or licensed their pop-up-sending software to other people, allowing them to engage in the conduct. The defendants' website allegedly offered software that would allow buyers to send pop-ups to 135,000 Internet addresses per hour, along with a database of more than two billion unique addresses. Contrary to the defendants' representations, consumers, when educated about how the Windows operating system works, can actually stop pop-up spam at no cost by changing the Windows default settings. In addition to bringing a law enforcement action to halt the defendants' conduct, the Commission issued an alert to consumers about the security issues raised in the case. The ``Consumer Alert'' provides instructions for consumers on how to disable the Windows Messenger Service in order to avoid other pop-up spam.
The alert[20] also discusses the use of firewalls to block hackers from accessing consumers' computers. Finally, the Commission continues, and will continue, to host workshops on information security issues when appropriate. Last summer, the Commission hosted two workshops focusing on the role technology plays in protecting personal information.[21] The first workshop focused on the technologies available to consumers to protect themselves. Panelists generally agreed that, to succeed in the marketplace, these technologies must be easy to use and built into the basic hardware and software consumers purchase. The second workshop focused on the technologies available to businesses. We learned that businesses, like consumers, need technology that is easy to use and compatible with their other systems. Unfortunately, we also heard that too many technologies are sold before undergoing adequate testing and quality control, frustrating progress in this area. The Commission also held a workshop on unsolicited commercial e-mail (``spam'') which was instructive about the security risks that spam poses. We learned that, in addition to other problems, spam can also serve as a vehicle for malicious and damaging code. D. International Efforts In addition to our cases and domestic efforts, the Commission has taken an active international role in promoting cybersecurity. We recognize that American society and societies around the world need to think about security in a new way. The Internet and associated technology have literally made us a global community. We are joining with our neighbors in the global community in this enormous effort to educate and establish a culture of security. During the summer of 2002, the Organization for Economic Cooperation and Development (``OECD'') issued a set of principles for establishing a culture of security--principles that can assist us all in minimizing our vulnerabilities.
Commissioner Swindle has had the opportunity to work with this organization and to head the U.S. Delegation to the Experts Group on the post-September 11 review of existing OECD Security Guidelines and to the Working Party on Information Security and Privacy. The OECD principles are contained in a document entitled ``Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security.''<SUP>22</SUP> The nine principles are an excellent, common-sense starting point for formulating a workable approach to security. They address awareness, accountability, and action. They also reflect the principles that guide the FTC in its analysis of security-related cases, including that security architecture and procedures should be appropriate for the kind of information collected and maintained, and that good security is an ongoing process of assessing and addressing risks and vulnerabilities. These principles can be incorporated at all levels of use among consumers, government policy makers, and industry. They already have been the model for more sector-specific guidance by industry groups and associations.

Besides the OECD, the Commission also is involved in information privacy and cybersecurity work undertaken by the Asia-Pacific Economic Cooperation (``APEC'') forum. APEC's Council of Ministers endorsed the OECD Security Guidelines in 2002. Promoting information system and network security is one of its chief priorities. The APEC Electronic Commerce Steering Group (``ECSG'') promotes awareness and responsibility for cybersecurity among small and medium-sized businesses that interact with consumers. Commission staff participated in APEC workshop and business education efforts this past year and is actively engaged in this work for the foreseeable future.

Along with the OECD and APEC, in December 2002, the United Nations General Assembly unanimously adopted a resolution calling for the creation of a global culture of cybersecurity.
Other UN groups, international organizations, and bilateral groups with whom the Commission has dialogues, including the TransAtlantic Business and Consumer Dialogues, the Global Business Dialogue on Electronic Commerce, and bilateral governmental partners in Asia and in the EU, also are working on cybersecurity initiatives.

Notwithstanding these global efforts, developing a ``Culture of Security'' is a daunting challenge. The FTC and other government agencies have a role to play, but the government cannot do this alone, nor should it try. The Commission is working with consumer groups, business, trade associations, and educators to instill this new way of thinking. We are encouraging our global partners to do the same and to share what is learned.

III. Conclusion

The Commission, through law enforcement and consumer and business education, is committed to reducing the harm that occurs through information security breaches. Maintaining good security practices is a critical step in preventing these breaches and the resulting harms, which can range from major nuisance to major destruction. The critical lesson in this information-based economy is that we are all in this together: government, private industry, and consumers, and we must all take appropriate steps to create a culture of security.

ENDNOTES

<SUP>1</SUP> The views expressed in this statement represent the views of the Commission. My oral presentation and responses to questions are my own and do not necessarily represent the views of the Commission or any other Commissioner.

<SUP>2</SUP> For example, our recently released Identity Theft Report, available at http://www.ftc.gov/os/2003/09/synovatereport.pdf, showed that over 27 million individuals have been victims of identity theft, which may have occurred either offline or online, in the last five years, including almost 10 million individuals in the last year alone. The survey also showed that the average loss to businesses was $4800 per victim.
Although various laws limit consumers' liability for identity theft, their average loss was still $500--and much higher in certain circumstances.

<SUP>3</SUP> 15 U.S.C. 45.

<SUP>4</SUP> 16 C.F.R. Part 314, available online at http://www.ftc.gov/os/2002/05/67fr36585.pdf.

<SUP>5</SUP> 15 U.S.C. 45(a)(1).

<SUP>6</SUP> 15 U.S.C. 45(n).

<SUP>7</SUP> Where appropriate, the Commission has also brought Internet cases using the unfairness doctrine. See FTC v. C.J., Civ. No. 03-CV-5275-GHK (RZX) (Filed C.D. Cal. July 24, 2003), http://www.ftc.gov/os/2003/07/phishingcomp.pdf.

<SUP>8</SUP> Letter from FTC to Hon. John D. Dingell, Chairman, Subcommittee on Oversight and Investigations (Oct. 14, 1983), reprinted in appendix to Cliffdale Associates, Inc., 103 F.T.C. 110, 174 (1984) (setting forth the Commission's Deception Policy Statement).

<SUP>9</SUP> The Commission's final decision and order against Eli Lilly is available at www.ftc.gov/os/2002/05/elilillydo.htm. The complaint is available at www.ftc.gov/os/2002/05/elilillycmp.htm.

<SUP>10</SUP> Eli Lilly Complaint, paragraph 7.

<SUP>11</SUP> The Commission's final decision and order against Microsoft is available at http://www.ftc.gov/os/2002/12/microsoftdecision.pdf. The complaint is available at http://www.ftc.gov/os/2002/12/microsoftcomplaint.pdf.

<SUP>12</SUP> Microsoft Complaint, paragraph 7.

<SUP>13</SUP> The Commission's final decision and order against Guess, Inc. is available at http://www.ftc.gov/os/2003/06/guessagree.htm. The complaint is available at http://www.ftc.gov/os/2003/06/guesscmp.htm.

<SUP>14</SUP> 16 C.F.R. Part 314, available online at http://www.ftc.gov/os/2002/05/67fr36585.pdf.

<SUP>15</SUP> Financial Institutions and Customer Data: Complying with the Safeguards Rule, available at http://www.ftc.gove/bcp/conline/pubs/buspubs/safeguards.htm.

<SUP>16</SUP> See http://www.ftc.gov/bcp/conline/edcams/infosecurity/index.html.
<SUP>17</SUP> See http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm.

<SUP>18</SUP> See http://www.ftc.gov/infosecurity.

<SUP>19</SUP> The Commission's press release announcing the case can be found at http://www.ftc.gov/opa/2003/11/dsquared.htm.

<SUP>20</SUP> The alert can be found at http://www.ftc.gov/bcp/conline/pubs/alerts/popalrt.html.

<SUP>21</SUP> Additional information about the workshops is available at http://www.ftc.gov/bcp/workshops/technology/indes.html.

<SUP>22</SUP> http://www.oecd.org/dataoecd/16/22/15582260.pdf

    Mr. Stearns. I thank the Commissioner. Mr. Schmidt, welcome.

STATEMENT OF HOWARD A. SCHMIDT

    Mr. Schmidt. Thank you, Mr. Chairman. Chairman Stearns, distinguished members of the committee, my name is Howard Schmidt. I am the Vice President and Chief of Information Security for eBay, where I lead a team responsible for ensuring the trustworthiness and security of the services that bring so many global citizens together each day in this tremendous global marketplace. I would like to thank you again for the opportunity to come before the committee for the second time and your continued leadership in this very important issue.

    Prior to arriving at eBay a few months ago, I had the privilege of being appointed by President Bush to lead, with Richard Clarke, the President's Critical Infrastructure Protection Board, which represented one part of the overall government response to the threat of cybersecurity attacks in the wake of September 11; and after 31 years retired, and we successfully published the National Strategy Defense for Cyberspace, working with a team of dedicated public servants, this body, and the American public. In addition to my day job, I continue to proudly serve at the U.S.
Army Reserves, assigned to the 701st MP Group as a Special Agent with the computer crimes section, and also serve on the board of directors for ISC Squared, the body that oversees certification for security professionals through the CISSP certification.

    My remarks today will focus primarily on the changes that have taken place with both business and government to create the level of information-sharing and collaboration necessary to improve cybersecurity and to further improve security for consumers, as well as how the sharing and collaboration has indeed improved the level of information and protection of consumer data. I would like to provide my update in specific examples of improvement in four major areas. Those areas are awareness and education, product enhancement, government activities and private sector initiatives. While these examples will not be comprehensive, they will indeed be some representative efforts we have undergone. I would also state, even though my comments are very optimistic as to where we have come from, I think we also have a long way to go.

    I think under the block of awareness and education, one of the biggest visible changes that has taken place is the increase in dialog and training to better inform the end user and consumer on how to secure their computer systems and their information. One of the first consumer-targeted awareness programs was truly a joint public/private partnership between many of the companies, the FTC, NSA, as well as some other government agencies, and it took place in the formation of the Cybersecurity Alliance, and the creation of our Web site, staysafeonline.info, which we drove out of the efforts of the White House. This Web site has a wealth of information to help even the most inexperienced users understand cybersecurity, potential threats from on-line criminals, and steps they can take to protect themselves.
    In addition, we at the White House held a series of town hall meetings over the past 18 months to meet with private sector partners, individuals, parent-teacher organizations, with speakers ranging from CEOs of major financial institutions, to my distinguished colleague to my left, Commissioner Orson Swindle. Many of these town meetings were also Webcast to get the broadest audience to be able to see them and participate over the Internet. Private sector companies have also held free seminars around the country, providing awareness to citizens. Many of these sessions focused on informing the elderly, one of the segments of our society who has received great benefits in the on-line world and the resources that it can provide. Also, as we enter the holiday season, there will be mass media campaigns to educate consumers further on how to safely and securely enjoy the richness and robustness of the on-line e-commerce world.

    Under product enhancements, another major improvement we have seen over the past 2 years has been the way security is now offered as a standard within software and hardware. One very visible example is with the hardware provided to use wireless technology and broadband, we now see firewalls being built directly into these components as well as antivirus software being built into wireless modem operations. Major operating systems now have auto-update features as antivirus functions. Many antivirus vendors have done an amazing job in speeding up the detection and analysis of many of the threats that you have mentioned in your opening comments of the viruses and trojans that are found in the wire. Many of them even provide free on-line services for consumers to be able to download and inspect their systems as a public service, and I noticed in the paper this morning, one of them is now offering free antivirus software for the next year.
    Under the heading of government activities, there have been a number of great activities beyond the creation of the National Strategy to Defend Cyberspace. Recently the Department of Homeland Security created the U.S. Computer Emergency Response Team at Carnegie Mellon as a focal point for building partnerships based on cybersecurity response networks and providing a notification network of threats and vulnerabilities as they are discovered. The Department of Justice, the U.S. Secret Service, and the FBI have significantly improved the response times and increased priorities around the investigation of cybercrimes. As a matter of fact, Director Mueller has placed cybercrime as one of the top five priorities within the FBI, and the Secret Service is growing a cadre of expert agents working with the private sector called the Electronic Crime Task Force. Additionally, the Department of Defense continues to work in that area as well.

    On the government effort, since these things have no borders, the State Department has done a wonderful job in creating multilateral and bilateral discussions with international partners, many of which the industry colleagues, some of us sitting here today, have been a part of since the very beginning.

    Two quick examples in the private sector initiatives: We know that there will be no silver bullets in enhancing cybersecurity, but recently we created a coalition to address specifically the area of on-line identity theft. We have fully recognized that the vast majority of identity theft occurs in the off-line world through dumpster diving and other mechanisms, but we have seen, as many of you have, an increase in criminals attempting to do the same thing on line. The two recent methods are what we call phishing, with a p-h, or spoofed e-mails, where criminals send out thousands of e-mails telling people to update their information.
    We are working to address this in four areas: building new technologies to prevent this; second, to provide awareness and training to consumers so they are better informed to not fall victim to these scams; third, to share information amongst very competitive companies on protection of these things; and fourth, to work with the law enforcement community to prevent these people through deterrence of investigation.

    In closing, I want to cite three specific areas I think that we can look at because, despite the great security enhancements we have seen and will continue to see, there are clear challenges you must address. We must review our commitment to enhance consumer awareness of basic cybersecurity practices, and the recent attacks have once again demonstrated how home users are now becoming the target.

    Second, while we build an effective response network, we must not lose sight of the innovation frontier. Technologists on the horizon hold the potential to dramatically and potentially decisively transform our cybersecurity challenges. Self-healing computers, embedded technologies, can enable devices that recognize and defend against these attacks. We must not inhibit their ability to move forward in collaboration with our best universities.

    And, finally, we must recognize that cybersecurity is no longer merely about product services and strategies. What is at stake in the effective implementation of advanced cybersecurity technology is nothing less than the ability to unleash the next wave of IT-led growth in jobs and productivity. Cybersecurity is an essential enabler.

    In closing, I want to say that the next step of this will be on December 2 and 3. Homeland Security has invited a lot of the public service or private sector organizations to create a summit, creating a task force to move forward in a lot of those areas that we mentioned and we care very deeply about.

    This concludes my prepared remarks and I thank you for the opportunity to be here.
    [The prepared statement of Howard A. Schmidt follows:]

Prepared Statement of Howard A. Schmidt, Vice President and Chief Information Security Officer, eBay Corporation

Introduction

Chairman Stearns, distinguished members of the Committee, my name is Howard A. Schmidt. I am the Vice President and Chief Information Security Officer for eBay, where I lead a team responsible for ensuring the trustworthiness and security of the services that bring so many global citizens together in this tremendous global marketplace each day. I would like to thank you for the opportunity to come before this Committee again as well as your continued leadership on this very important issue.

Prior to my current position at eBay and subsequent to my last appearance, I had the privilege of being appointed by President Bush to lead, with Richard Clarke, the President's Critical Infrastructure Protection Board, which represented one part of the overall governmental response to the threat of cyber security attacks in the wake of September 11. I retired from 31 years of public service after completing and publishing the ``National Strategy to Defend Cyberspace,'' working with a team of dedicated public servants, this body, and the American public.

I have had the privilege of working with committed individuals in the private sector, law enforcement, and government to forge the collaboration and cooperation that is so essential to safeguard cyber space for everyone, from inexperienced home users to large well-run corporate enterprises. I assisted in the formation of some of the first collaborative efforts in the law enforcement community to address cyber crime in local law enforcement and the FBI. I also helped lead the creation of the Information Technology Information Sharing and Analysis Center (IT-ISAC) and had the honor of serving as its first president. I continue to proudly serve in the U.S.
Army Reserves, assigned to the 701st MP Group (CID) as a Special Agent with the computer crime unit at CID headquarters. I also serve on the Board of Directors for ISC2, the body that oversees certification of security professionals through the CISSP certification.

My remarks today will focus primarily on the changes that have taken place within both business and government to create the level of information sharing and collaboration necessary to improve Cybersecurity and further improve security for consumers, as well as how this sharing and collaboration has improved the level of information and protection of consumer computer data.

Today, the Internet connects over 170 million computers and an estimated 680 million users, with an estimated growth to 904 million by the end of 2004. From major data operations conducting large-scale financial transactions, to wireless devices keeping families connected, the Internet touches virtually all aspects of our economy and quality of life. eBay is a prime example of how deeply ingrained the Internet is in American life. Every day on eBay, millions of Americans, along with millions of people in countries around the world, come together to buy and sell all types of goods and services. Business relationships and, often, deep friendships are formed on the basis of commerce and shared interests. The eBay marketplace reflects the enormous power of the Internet to unite humanity at a crucial moment in history.

More pointedly, the Internet has become a fundamental component of business processes--enhancing productivity by speeding connectivity between remote locations or across functional operations. The Internet is deeply ingrained in managing power, producing chemicals, designing and manufacturing cars, managing money and delivering government services ranging from human services to environmental permitting. The flip side of these productivity-enhancing applications is an increase in attacks against the online community.
Today the Internet is utilized by hundreds of millions of users all across the globe sending information ranging from homework assignments and simple greetings to the most sensitive financial and operational data of government and industry, all at the speed of light. The Internet landscape also includes a private sector security industry that has grown to an estimated $17 billion per year in goods and services. And, as we are all painfully aware, attack speeds today are measured in seconds, not days.

I would like to provide my update in the format of specific examples of improvement in four major areas. Those areas are: Awareness and education; product enhancements; government activities; and private sector initiatives. While we have made significant progress, I also want to stress that we still have much work to do and will continue to improve overall Cybersecurity by continued improvement in some of the examples I will mention today.

Awareness & Education:

One of the biggest visible changes that has taken place is increased dialogue and training to better inform the end user on how to secure their computers and information. One of the first consumer-targeted awareness programs was truly a joint private-public partnership. This partnership took place in the form of the Cyber Security Alliance. The alliance combined the expertise of a number of private sector entities with the efforts of government partners to create a comprehensive website for consumers. The website, www.staysafeonline.info, has a wealth of information to help even the most inexperienced users understand cyber security, potential threats from online criminals, and steps they can take to protect themselves.

In addition, the White House held a series of town hall meetings around the country with private sector partners.
These town hall meetings were open to the public and well-attended, with speakers ranging from CEOs of major financial institutions and exchanges, to subject-matter experts in cyber security. Many of these town hall meetings were webcast so those that could not attend in person could participate over the Internet. Private sector companies have also held free seminars around the country to provide awareness to citizens. Many of the sessions focused on informing the elderly, one of the segments of our society that has received great benefit from the online world and the resources that it provides. As we enter the holiday shopping season, there will be mass media campaigns to educate consumers on how to safely and securely enjoy the richness and robustness of the online e-commerce world.

In the category of formal education, the National Security Agency (NSA) has a program identifying universities that meet the criteria to be designated a center of academic excellence in information security. This NSA program not only ensures the education of the next generation of information security professionals, but also guarantees that the university has sound cyber security practices in place as well as awareness education for the students, who make up a large number of the online users and consumers. The NSA also administers the Cyber Corp program with NSF and OPM, providing scholarships for students in cyber security.

Product Enhancements:

Another major improvement that we have seen in the past two years is the way security enhancements are now offered standard in software and hardware. One very visible example is the hardware provided to use wireless technology. Broadband technology (Cable modem, DSL, satellites etc.) has given us capabilities and speeds that were only available to corporations before. We now see firewalls and the ability to download anti-virus software being built into wireless modems.
The major operating systems now have auto-update features included, and these are now being turned on by default in more future versions. Products are now being shipped with many services turned off by default, thus making them more secure. Many of the online email services block potentially malicious code and do a much better job of blocking the Spam that often contains malicious functions. Anti-virus vendors have done an amazing job in speeding up the detection, analysis and updates for many of the viruses that are found in the wild. Many of them even provide free online virus scans as a public service to assist consumers.

Government Activities:

There have been a number of government actions that have taken place since I last appeared before this committee--most notably the creation of the President's Critical Infrastructure Protection Board and the release of the National Strategy to Defend Cyberspace. This critical document set the framework for much of the private-public partnerships, focusing a section on home users and small/medium enterprises. I would also argue that the consolidation of cyber security related organizations into the Department of Homeland Security in the Infrastructure Protection Director was a valuable reorganization. The bringing together of the NIPC (FBI), Fed-CIRC (GSA), CIAO (Commerce), Energy Information Assurance Division (DoE) and the National Communications System (DoD) created a center of excellence that, with the help of focused leadership, will move to implement the national strategy. This new organization is called the National Cyber Security Division.

Recent action taken by the Department of Homeland Security (DHS) to create the US CERT at Carnegie Mellon University has the potential to significantly enhance security for all users. The US CERT is designed to serve as a focal point for building partnerships based on a cyber security response network and to provide a notification network as threats and vulnerabilities are discovered.
The goal for US CERT is to ensure that there is an average response time of no less than 30 minutes in the case of any attack. The very specific nature of this goal is designed to deliberately focus the US CERT on building broad participation by the private sector. The US CERT will undertake the following major initiatives:

    Develop common incident and vulnerability reporting protocols to accelerate information sharing across the public and private response communities;

    Develop initiatives to enhance and promote the development of response and warning technologies; and

    Forge partnerships to improve incident prevention methods and technologies.

The Dept. of Justice, the U.S. Secret Service and the FBI have significantly decreased their response times and increased priorities around investigations of cyber crimes. Director Mueller has placed cyber crime in the top 5 priorities at the FBI, and the Secret Service has added a number of electronic crime task forces in order to successfully investigate and prosecute cyber criminals. All of the Defense Department's investigative organizations have led the way investigating cyber crimes and have some of the best investigators in the world. The Department of Justice, through its Computer Crime and Intellectual Property Section, has chaired the G-8 Subcommittee on cyber crime and has been a significant driving force in combating worldwide cyber crime.

Since there are no borders when it comes to cyber space, and criminal attacks on consumers can come from all corners of the world, the State Department has conducted bilateral and multilateral discussions to ensure that there is international cooperation in the effort to protect cyber security.

I have had the extreme pleasure of working with Commissioner Swindle of the Federal Trade Commission, who has been a beacon of light for the protection of consumers' privacy and security.
With his help in the creation of the FTC's ``Dewey'' program and his tireless support for town hall meetings, he truly has created a ``culture of security'' globally.

Private Sector Initiatives:

While there will be no silver bullets in enhancing cyber security, the private sector continues to grow its capabilities and make solid improvement in securing their part of cyberspace. Two of the earliest examples of private-public cooperation for ``Cyber Crime/Cyber Security'' were the High Tech Crime Investigators Association (HTCIA) and the Information Systems Security Association (ISSA). Both organizations date back to the mid/late 80's and are dedicated to sharing information on cyber crime and information security. They still exist today and their membership and value have increased significantly over the years.

Most recently, the private sector has created a coalition that I see as an excellent example of efforts to enhance consumer cyber security. As you are probably aware, identity theft is a major problem. While the vast majority of ID theft occurs in the physical world, we have seen an increase in the activities of criminals to commit the same types of crime online. The most recent method is by using what we call ``phishing'' or ``spoofed'' emails. The criminals will send out thousands of emails telling people that there is an error with their online account and ask them to fill in an ``update form'' or their account will be closed. This form has the look and feel of major e-commerce sites--there was even a fake email from someone pretending to be the FBI and asking unsuspecting users to enter personal information into a fake web site. To combat this, many of the major players in the e-commerce space banded together to create an Anti-Online ID Theft Coalition. The Coalition boasts many private sector members, with the Information Technology Association of America providing support as the executive director.
The Coalition has four major goals: 1) to build technology to reduce the likelihood of these mails even reaching their intended victim; 2) to provide awareness training to consumers so they can more readily identify these criminal acts; 3) to share information on new scams amongst the various security teams; and 4) to ensure accountability by working with law enforcement to identify and prosecute these bad actors.

In a larger perspective, Sector Coordinators representing each of the major sectors of our economy have been appointed to fight potential cyber attack. A sector coordinator is an individual in the private sector identified by the sector lead agency to coordinate their sector, acting as an honest broker to organize and bring the sector together to work cooperatively on sector cyber security protection issues. The sector coordinator can be an individual or an institution from a private entity. These private sector leaders provide the central conduit to the federal government for the information needed to develop an accurate understanding of what is going on throughout the nation's infrastructures on a strategic level with regards to critical infrastructure protection activities. The sector coordinators and the various sector members were key to the creation of the National Strategy to Defend Cyber Space.

In addition, there have been a number of new private sector Information Sharing and Analysis Centers (ISACs). An ISAC is an operational mechanism to enable members to share information about vulnerabilities, threats, and incidents (cyber and physical). The sector coordinator develops these Centers with support from the sector liaison. In some cases, an ISAC Manager may be designated, who is responsible for the day-to-day operations of the ISAC, to work with the sector coordinator or the sector coordinating body with support from DHS and the lead federal agencies.
Despite these security enhancements, we can be certain that as increased collaboration continues to enhance our protection and responsiveness, the nature and sophistication of attacks will certainly evolve. There are clear challenges we must continue to address.

First, we must renew our commitment to enhance consumer awareness of basic cyber security practices. The recent attacks demonstrate that home users can be used as an effective pathway to launch attacks, or as a gateway into large enterprises. We need to build on the public/private initiatives to promote cyber security with a focused and aggressive outreach effort to benefit all consumers.

Second, while we build an effective response network we must not lose sight of the innovation frontier. Technologies on the horizon hold the potential to dramatically and potentially decisively transform our cyber security challenges. Self-healing computers, embedded technologies that enable devices to recognize and defend against attacks, and devices which enhance both security and privacy are within reach with an aggressive technology development agenda. This effort must be industry-led in collaboration with our best Universities. Most importantly, it must be synergistically linked with our response initiatives.

Finally, we must recognize that cyber security is no longer merely about products, services and strategies to protect key operations. What is at stake in the effective implementation of advanced cyber security technologies and strategies is nothing less than the ability to unleash the next wave of information technology-led growth in jobs and productivity. Cyber security is an essential enabler to the advent of the next generation Internet and all it holds for how we work, live, and learn.
I don't want to close without mentioning my expectation that many of these challenges will be addressed, and indeed met head-on, with tangible commitments and deliverables through the upcoming National Cyber Security Summit, to be held on December 2-3, 2003. This Summit will be co-hosted by the Information Technology Association of America, the U.S. Chamber of Commerce, TechNet and the Business Software Alliance, with the support of the Department of Homeland Security. I have the honor to serve at that summit, as will many of the brightest minds and most innovative companies across all sectors of the economy. The work of this summit will continue past December 2-3 through task force work programs that will drive toward solutions in intense work before, during, and beyond the Summit. We expect that many of these proposals will be forwarded to DHS early next year, after which we can measure progress on an ongoing basis. We expect this to be an all-hands-on-deck effort where we bring together, distill, and integrate many of the outstanding work products from many groups regarding cyber security metrics, software development and maintenance, public outreach initiatives, and, of course, public-private partnerships in information sharing and early warning systems. Chairman Stearns, this concludes my prepared remarks. I thank you for the opportunity to come before this Committee and welcome any questions that you and the Committee members may have.

Mr. Stearns. Thank you. Mr. Charney.

STATEMENT OF SCOTT CHARNEY

Mr. Charney. Thank you. Chairman Stearns, Ranking Member Schakowsky, and members of the subcommittee, my name is Scott Charney, and I am Microsoft's Chief Trustworthy Computing Strategist. I want to thank you for the opportunity to appear here today to provide our views on cybersecurity and what we are doing to secure consumer data. At Microsoft, security is our No. 1 priority. We are committed to continually improving the security of our software.
As Howard Schmidt just said, there are no silver bullets in cybersecurity; there will always be vulnerabilities in complex software and systems. As was true when we testified before you in 2001, cybersecurity involves many layers and many collaborative partnerships. In other words, cybersecurity involves management of technologies, as much as the technology itself. Meanwhile, much has changed since we last testified before you. Consumer dependence on the Internet has grown. And as of March 2003, 30 million homes in America had a broadband connection to the Internet, double the number who had high-speed connections at the end of 2001. Another key change over the past 2 years is that the time between the issuance of a patch and the time when we see a concrete exploit taking advantage of the underlying vulnerability has dramatically shortened. Therefore, once a patch is released, a race ensues between those installing the patch to eliminate the vulnerability and those developing code that exploits the vulnerability. Moreover, the sophistication and severity of cyberattacks are also increasing. In response to these threats, industry has increased tremendously the resources and priority it devotes to cybersecurity issues, and the government has also taken significant steps during this time period to address these heightened risks for on-line consumers, including creating the National Cybersecurity Division at the Department of Homeland Security and signing the Council of Europe's Cybercrime Treaty. We commend these actions as important steps and hope the Senate ratifies the treaty when it is received. Security is Microsoft's top priority, and we know that security is a journey rather than a destination.
2 years ago before this committee, my friend and co-panelist Howard Schmidt properly stated: We know there is no finish line for these efforts, but by working as we have with industry peers and with governments, we have a chance to keep one step ahead of cyber criminals. Shortly thereafter, Bill Gates had launched our trustworthy computing initiative, which involves every aspect of Microsoft and focuses on four key pillars: security, privacy, reliability, and business integrity. As part of this, we have enhanced the training of our developers to put security at the heart of software design and at the foundation of the development process. Through this effort we are seeing a quantifiable decrease in vulnerabilities. For example, if you compare Windows Server 2000 and Windows Server 2003, for the last 6 months Windows Server 2003 has required fewer patches. Another part of trustworthy computing involves communicating with our customers. In the wake of Blaster, we launched the Protect Your PC campaign, urging commerce to take three steps to improve their security, all available through Microsoft.com/protect. Two years ago, we also spoke about the need of increased deterrence of criminal hacking. Although the Cybersecurity Enforcement Act passed last year, there is still much more that needs to be done. Despite the best and laudable efforts of dedicated law enforcement personnel, far too many hackers unleash their malicious code, commit crimes with no punishment. This is an untenable situation. Earlier this month, we took a significant step to support law enforcement by creating the Antivirus Reward Program to provide monetary rewards for information resulting in the arrest and conviction of hackers. The government continues to play a key role in efforts to secure consumers' software and data. I want to outline a few specific areas where government initiatives can be particularly helpful in promoting cybersecurity.
First, the public sector should increase its support for basic research and security technology. Second, the government can lead by example by securing its own systems, buying software that is engineered for security, providing better training for government systems administrators and leading public awareness campaigns, such as the FTC's campaign featuring Dewey the Turtle. Third, government and industry should reduce barriers to exchanges of information. Fourth, law enforcement should receive additional resources. We also support the forfeiture of personal property used in committing these crimes. Fifth, greater cross-jurisdictional cooperation among law enforcement is needed for investigating cyberattacks. In conclusion, we will continue to pursue trustworthy computing and to work closely with our partners in the computer software and communications industries, the government and our commerce to enhance cybersecurity. Thank you, and I look forward to your questions.

[The prepared statement of Scott Charney follows:]

Prepared Statement of Scott Charney, Chief Trustworthy Computing Strategist, Microsoft Corporation

Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee: My name is Scott Charney, and I am Microsoft's Chief Trustworthy Computing Strategist. I want to thank you for the opportunity to appear today to provide our views on cybersecurity and on what we are doing to secure consumer data. I oversee the development of strategies to create more secure software and services and to enhance consumer security and privacy through our long-term Trustworthy Computing initiative. My goal is to reduce the number of successful computer attacks and increase the confidence of all computer users. This is something I have worked toward throughout much of my career, including during my service as chief of the Computer Crime and Intellectual Property Section (CCIPS) in the Criminal Division of the U.S. Department of Justice.
While at CCIPS, I helped prosecute nearly every major hacker case in the United States from 1991 to 1999. At Microsoft, security is our number one priority, and as an industry leader, we are committed to continually improving the capability of our software to protect the privacy of consumers and the security of their data. We are at the forefront of industry efforts to enhance the security of computer programs and networks and to educate consumers about good cybersecurity practices. We also work closely with our partners in industry and governments around the world to identify security threats to computer networks, share best practices, improve our coordinated responses to security breaches, and prevent computer attacks from happening in the first place. This hearing is exceptionally timely because of the rapid developments in cybersecurity over the past two years. We wholeheartedly agree with this Subcommittee that it is critical for all of us to address consumer concerns about the privacy and security of their online data in order to stimulate the further growth of e-commerce and to help realize the Internet's full potential. Today, I want to describe the risks posed to consumers' cybersecurity, and the ways in which industry and government are working together to protect consumers' online data. First, I will discuss the general state of cybersecurity since November 2001, when we last appeared before this Subcommittee; I will touch both on what has stayed the same, and on what has changed. Second, I will discuss Microsoft's ongoing efforts to help secure consumers' computer data. Third, I will offer a few suggested steps that the government can take to enhance the security of consumer data.

i. cybersecurity since november 2001

The pursuit of cybersecurity involves a daily and never-ending contest between industry, governments, and computer users, on the one hand, and cyber criminals, on the other. Hackers remain elusive, aggressive, and innovative.
When we last testified before this Subcommittee on this topic, the ``ILOVEYOU,'' Code Red, Ramen, Li0n, and Trinoo worms and viruses had already struck a variety of operating systems. Since that time, criminal hackers have unleashed Slapper, Scalper, Slammer, Blaster, SoBig, and many other viruses and worms to infect computers, deny service, and impair recovery. There are no silver bullets in cybersecurity, and there will always be vulnerabilities in complex software and systems, as well as human errors made. As was true in 2001, cybersecurity involves many layers and many collaborative partnerships, including software design, software configuration, software patching, the sharing of threat and vulnerability information, user education, user practices, and the investigation and prosecution of cybercrime both within the United States and internationally. In other words, cybersecurity involves management of technology as much as the technology itself. Meanwhile, much has changed since we last testified before you. Consumer dependence on the Internet has grown, and consumers are more frequently sharing their personal information, including their identities, contact information, financial data, and health information, over the Internet. Moreover, as the personal computer becomes more central to the daily lives of many citizens and to the daily functions of the public and private sectors, the government, consumers, and business enterprises are storing more personal information on their Internet-connected computers and networks, thus potentially exposing their data to hackers even if that personal information is never transmitted over the Internet. In addition, consumers with broadband are, unlike those with a dial-up connection, connected to the Internet with unvarying IP addresses and at a high connection speed, and therefore place consumer data at greater risk. 
As of March 2003, 30 million homes in America had a broadband connection to the Internet, double the number who had a high-speed connection at home at the end of 2001 and a 50% increase from March 2002. Another key change over the past two years is that the time between the issuance of a patch and the time when we see a concrete exploit taking advantage of the underlying vulnerability has dramatically shortened. This time period is crucial because we have had very few attacks that actually precede the patch; more typically, once a patch is released, a race ensues between those installing the patch to eliminate the vulnerability and those developing code that exploits the vulnerability. When an exploit is developed faster, enterprises and individuals have that much less time to learn of, test, and install the patch before a hacker uses the exploit to inflict damage. That window for the NIMDA virus was 331 days between patch release and exploit; for Blaster, less than two years later, it was only 26 days. The chronology leading up to the criminal launch of the Blaster worm illustrates the complex interplay between software companies, security researchers, persons who publish exploit code, and hackers. On July 16, we delivered a patch for the vulnerability and a security bulletin to our customers. This was followed by ongoing outreach to consumers, analysts, the press, our industry partners, and the government. On July 25, nine days after we released the patch, a security research group called XFOCUS published a tool to exploit the vulnerability that the security bulletin and patch had highlighted. In essence, XFOCUS analyzed our patch by reverse engineering it to identify the vulnerability, then developed a means to attack the vulnerability, and finally offered that attack to the world so that any unsophisticated hacker could then unleash an attack by downloading XFOCUS's work and using launch tools freely available on the Internet. 
At this point, we heightened our efforts to inform our customers about the steps they should take to secure their computers. On August 11, only 26 days after release of the patch, the Blaster worm was discovered as it spread through the Internet. This sequence of events underscores a dilemma: the same information that helps customers to secure their systems also enables self-identified security researchers and others to develop and publish exploit code, which hackers then use to launch damaging criminal attacks. The sophistication and severity of cyberattacks are also increasing. The Slammer worm in January 2003 did not attack the data of infected systems, but resulted in a dramatic increase in network traffic worldwide and in temporary loss of Internet access for some users. This past summer, criminal hackers released the Blaster worm, which spread by exploiting a security vulnerability for which we had released a patch. Machines infected by Blaster used the network connection to locate new, vulnerable machines, whereupon the worm would copy itself, infect the new machine, and continue the process. Blaster affected Windows NT4, Windows XP, Windows 2000, and Windows Server 2003 systems, but could not reach those machines that were patched and defended by a properly configured firewall. The worm also tried to deny service to those users seeking to download the patch for Blaster. In addition, cybercriminals have been able to make viruses more prevalent and harder for consumers to detect by ``spoofing'' legitimate email addresses, which makes it more difficult to determine who the real sender is. In 2002, there were twice as many email viruses as there were in 2001. In January 2003, the SoBig virus spoofed email addresses and contained infectious .pif attachments, which if opened would infect the user's computer and search the infected user's hard drive for email addresses of possible further victims. Multiple variants of the SoBig virus surfaced during the year. 
It is important to note that SoBig did not exploit any software vulnerability; it was a social engineering attack based on users' willingness to trust email that appeared to be from individuals whom they knew. In response to these threats, industry has increased tremendously the resources and priority it devotes to cybersecurity issues. Many of those efforts continue today, and I will describe them in more detail in the next Section. Over the past two years, the government has also taken significant steps during this time period to address these heightened risks for online consumers. We commend these actions as important steps in our shared journey toward enhanced cybersecurity. First and foremost, the Department of Homeland Security created the National Cyber Security Division (NCSD) under the Department's Information Analysis and Infrastructure Protection Directorate. The NCSD is established to provide 24 x 7 functions, including cyberspace analysis, issuing alerts and warning, improving information sharing, responding to major incidents, and aiding in national-level recovery efforts. The Department created the NCSD as part of its implementation of the Homeland Security Act of 2002 and the National Strategy to Secure Cyberspace, which the White House released in February 2003 after soliciting extensive comments from consumers, industry, and other government actors. We worked with government officials in all of these activities, and we are encouraged by the work DHS has done to date. Moreover, I personally look forward to co-chairing a task force at its December ``National Cyber Security Summit.'' Second, the United States signed the Council of Europe Convention on Cybercrime in November 2001. The Convention requires parties to have minimum procedural tools to investigate such attacks, and to facilitate international cooperation in investigating those attacks. 
Because of the inherently international nature of cybercrime, the Council of Europe cybercrime treaty is an important step towards the transborder cooperation that is vital to combating cybercrime and protecting consumers. We look forward to the day when the treaty is sent to the Senate for its consideration.

ii. our response to cybersecurity threats today

Security is Microsoft's top priority. We have devoted and will continue to devote enormous resources to enhancing security. As we confront new challenges and develop new approaches and new partnerships, we continue to learn that perfect security in cyberspace is unattainable, just as it is in the physical world. Operating system software is one of the most complex items that humans have created, and it is impossible to eliminate all software vulnerabilities. Thus, we know that security is a journey rather than a destination, and it can only be improved by partnerships involving government, industry, responsible security researchers, and customers around the world including government agencies, enterprises, and individual users. Two years ago before this committee, my friend and co-panelist Howard Schmidt properly stated, ``We know that there is no finish line to these efforts, but by working as we have with industry peers--including some of these panelists--and with governments, we have a chance to keep one step ahead of cyber-criminals.''

A. Trustworthy Computing

In January 2002, Bill Gates launched our Trustworthy Computing initiative, which involves every aspect of Microsoft and focuses on four key pillars: security, privacy, reliability, and business integrity. Security involves designing programs and systems that are resilient to attack so that the confidentiality, integrity, and availability of data and systems are protected. The goal of our privacy efforts is to give individual consumers greater control over their personal data and to ensure, as with the efforts against spam, their right to be left alone.
Reliability means creating software and systems that are dependable, available when needed, and perform at expected levels. Finally business integrity means acting with honesty and integrity at all times, and engaging openly and transparently with customers. Under the security pillar, we are working to create software and services for all of our customers that are Secure by Design, Secure by Default, and Secure in Deployment, and to communicate openly about our efforts. ``Secure by Design'' means two things: writing more secure code and architecting more secure software and services. ``Secure by Default'' means that computer software is more secure out of the box, with features turned off until needed and turned on by the users, whether it is in a home environment or an IT department. ``Secure in Deployment'' means making it easier for consumers, commercial and government users, and IT professionals to maintain the security of their systems. ``Communications'' means sharing what we learn both within and outside of Microsoft, providing clear channels for people to talk with us about security issues, and addressing those issues with governments, our industry counterparts, and the public. The Trustworthy Computing goals are real and specific, and this effort is now ingrained in our culture and is part of the way we value our work. We have enhanced the training of our developers to put security at the heart of software design and at the foundation of the development process. Security is and will continue to be our highest software development priority. All new software releases and service packs are now subject to an enhanced security release process which has already resulted in a notable decline of vulnerabilities in some of our server software. This effort, which can cost hundreds of millions of dollars and delay the software's release to the market, is a critical step in improving software security and reliability. 
We are seeing a quantifiable and dramatic decrease in vulnerabilities: for example, Windows Server 2003 followed this process and in the first ninety days, we reported and patched three critical or important security vulnerabilities and six total in the first 180 days. Whereas in Windows Server 2000, we found eight critical or important vulnerabilities in the first ninety days, and twenty-one in the first 180 days. When an attack does occur, our Microsoft Security Response Center (MSRC) coordinates the investigation of reported vulnerabilities, the development of patches, and our customer outreach efforts. We are very proud of this organization and believe it represents the industry's state of the art response center. Although we have made major strides, much work on Trustworthy Computing remains ahead of us. One key piece of that work is the Next-Generation Secure Computing Base (NGSCB). This is an on-going research and development effort to help create a safer computing environment for users by giving them access to four core hardware-based features missing in today's PCs: strong process isolation, sealed storage, a secure path to and from the user, and strong assurances of software identity. These changes, which require new PC hardware and software, can provide protection against malicious software and enhance user privacy, computer security, data protection and system integrity. Part of Trustworthy Computing involves communicating with our customers. In the wake of Blaster, we launched the Protect Your PC campaign, urging customers to take three steps to improve their security: install and/or activate an Internet firewall, stay up to date on security patches, and install an anti-virus solution and keep it up to date. The www.microsoft.com/protect web site serves as the focal point for the campaign. We also provide a wide range of free security tools and prescriptive guidance to make it easier for consumers to make their computers and their data more secure.

B. Streamlining the Patching Process

Patch management is a significant issue. We recognize that the most important solution is to reduce the number of vulnerabilities in code, thus reducing the need for patching. This is why we are emphasizing secure by design. But no operating system--regardless of development model--will ever be free of all vulnerabilities. We must manage this risk by providing customers with simple and easy to use patches. To streamline those processes, we are taking the following steps:

Improving our testing of patches to ensure patch quality.

Reducing the number of patch installers to provide users with a consistent patch experience, and make patching simpler.

Working to ensure that each patch is reversible, so a rollback is possible if deployment raises an unanticipated issue, such as adversely affecting a legacy application.

Ensuring that patches register their presence on the system--and producing improved scanning tools--so a user can quickly determine if his or her machine is patched appropriately.

Making our security patch releases more predictable. We are now providing security updates once a month, but we will still provide patches outside this schedule when necessary, such as when exploit code is publicly available.

Avoiding reboot of the computer where practicable, as our customers are more likely to apply a patch more quickly, if server availability will not be interrupted.

Producing specific technology, such as Software Update Services and Systems Management Server, so enterprises can download patches, test them in their unique environments, and then easily deploy them.

Informing customers about the AutoUpdate feature in recent Microsoft operating systems, which can automatically download updates and then either install them as scheduled or request permission from the user to do so.

C. Securing Enterprises to Protect Consumers

As noted, protecting consumer security depends, in part, on protecting the security of enterprise servers, which often hold valuable consumer data. Steve Ballmer, Microsoft's Chief Executive Officer, announced last month that we are working to secure these networks from the hazards that arise when users log into those networks from home or other remote locations. Those hazards include malicious e-mails, viruses and worms, malicious web content, and buffer overruns. While patches remain part of the solution, we are developing what we call safety technology to secure these networks at the perimeter by:

Reducing the risk from computers such as notebooks and portable computers that are moved between an enterprise's network and external networks.

Improving browsing technologies to minimize the risk of hostile web sites executing malicious code on visiting users' computers.

Enhancing memory protection to help prevent successful buffer overrun attacks.

Improving the Internet Connection Firewall within Windows while also working closely with partners in the software security industry.

Through these measures, we hope to help protect machines even when not patched, thus giving enterprises more time to test and deploy patches and enabling enterprises to patch on their schedule, not on a schedule determined by hackers. We are also providing new information and guidance on how enterprises can secure their computers to protect data, including the personal information of their customers.

D. Industry Partnerships

We embrace our role in providing more secure computing for all our customers. Because security is an industry-wide issue, we participate actively in partnerships that span the industry, customers and both the public and private sectors to encourage customers to implement software in more secure ways.
For example, we are a founding member of the Organization for Internet Safety (OIS), an alliance of leading technology vendors, security researchers, and consultancies that is dedicated to the principle that security researchers and vendors should follow common processes and best practices to efficiently resolve security issues and to ensure that Internet users are protected. We also work with the Virus Information Alliance (VIA), a centralized resource for Internet users seeking information about the latest virus threats. Through its member companies, Microsoft, Network Associates, Trend Micro, Computer Associates, Sybari, and Symantec, the VIA offers recommended best practices for preventing malicious attacks, information about specific viruses, how-to articles and links to other anti-virus resources on its web site. I am personally participating with some of my co-panelists in the Global Council of Chief Security Officers, a newly formed think tank that will share information with member companies and governments on cybersecurity issues and enhance the involvement of private sector officials in cybersecurity issues. We also helped found the Information Technology--Information Sharing and Analysis Center (IT--ISAC) and I serve on its board today. The IT-ISAC coordinates information-sharing on cyber-events among information technology companies and the government.

E. Anti-Virus Reward Program

Two years ago we spoke about the need to increase deterrence of criminal hacking. Although the Cyber Security Enforcement Act passed this Congress last year, there is still much more that needs to be done. Despite the best and laudable efforts of dedicated law enforcement personnel, far too many hackers unleash their malicious code or commit crimes with no punishment, as evidenced by the fact that the authorities have yet to bring to justice the criminals who launched major attacks like Blaster, NIMDA and Slammer.
This is an untenable situation, and it is one the nation allows to persist in no other area. We need a robust deterrent to criminal activity online. When criminal attacks are launched, we work with law enforcement officials to support their investigations. And earlier this month, we took a significant step to support them by creating the Anti-Virus Reward Program to provide monetary rewards for information resulting in the arrest and conviction of hackers. For example, we have announced a reward of $250,000 each for information leading to the arrest and conviction of those responsible for the SoBig virus and the Blaster worm. To use a medical analogy, we are strengthening the Internet's immune system through initiatives such as the anti-virus reward program, our technical and legal anti-spam efforts, consumer education, and efforts to secure existing systems and to make security integral to new systems and applications. In the meantime, interim treatment will be necessary.

iii. the government's role

The government continues to play a key role in efforts to secure consumers' software and data. We have recently collaborated with the Department of Homeland Security to raise awareness of cyberthreats through release of security bulletins. Such partnering between industry and the government is a vital step toward additional cybersecurity for consumers. I want to outline a few specific areas where government initiatives can be particularly helpful in promoting cybersecurity. First, sustained public support of research and development continues to play a vital role in advancing the IT industry's efforts to secure consumers' software and data. A major portion of our $6.9 billion annual R&D investment goes to security, and accordingly, we support additional federal funding for basic cybersecurity research and development (R&D), including university-driven research.
The public sector should increase its support for basic research in technology and should maintain its traditional support for transferring the results of federally-funded R&D under permissive licenses to the private sector so that all industry participants can further develop the technology and commercialize it to help make all software more secure. Second, the government can lead by example by securing its own systems through the use of reasonable security practices, buying software that is engineered for security, and providing better training for government systems administrators. We also hope government will continue to promote security awareness among both home consumers and businesses--as the Federal Trade Commission did in its information campaign featuring Dewie the Turtle. Third, government and industry should continue to examine and reduce barriers to appropriate exchanges of information, and to build mechanisms and interfaces for such exchanges. One encouraging step in this direction is the NCSD's recent creation of the National Computer Emergency Response Team (US-CERT). This coordination center, for the first time, links public and private response capabilities to facilitate communication of critical security information throughout the Internet community. Fourth, it will take increased government commitment to root out those who hack into computers and propagate destructive worms and viruses that harm millions of computer users. Therefore, law enforcement should receive additional resources, personnel, and equipment in order to investigate and prosecute cyber crimes. We also support tough penalties on criminal hackers, such as forfeiture of personal property used in committing these crimes. Fifth, because cybersecurity is inherently an international problem with international solutions, greater cross-jurisdictional cooperation among law enforcement is needed for investigating cyber-attacks. 
conclusion We will continue to pursue Trustworthy Computing and to work closely with our partners in the computer, software, and communications industries, the government, and our customers to enhance cybersecurity. In the end, a shared commitment to reducing cybersecurity risks and a coordinated response to cybersecurity threats of all kinds--one that is based on dialogue and cooperation between the public and private sectors--offer the greatest hope for protecting the privacy of consumer data, enhancing the confidence of consumers in the Internet, and fostering the growth of a vibrant, trustworthy online economy. Mr. Stearns. I thank the gentleman. Mr. Morrow, welcome. STATEMENT OF DAVID B. MORROW Mr. Morrow. Thank you. Mr. Chairman and members of the subcommittee, thank you for the opportunity to testify before you today on Cybersecurity and Consumer Data: What is at risk for the consumer? My name is David Morrow and I am the Deputy Director of Global Security and Privacy Services at Electronic Data Systems, Incorporated. I have over 25 years of experience in the information technology field, with an emphasis on security. I am honored to join you today to present EDS's views on the state of information security or cybersecurity 2 years after my last appearance before the subcommittee. I will focus today my comments on what has changed in the last 2 years, what needs improvement, and what can be done by both industry and the government to further protect our information networks. I will provide an outline here and request that my written comments be entered into the record. So, what has changed? Thankfully, we have not seen another September 11. But as has been noted previously, we are still in a heightened threat environment. More recent attacks on our information networks, such as the DNS Root Server attacks in October 2002 and several high-profile virus and worm attacks, have not stopped us from relying on these networks to conduct business and live our lives. 
In that context, here are some of the things that we are seeing: We are seeing an increase in the tempo and severity of new viruses and other attacks on our information infrastructure. That makes what we call ``patch management'' a much larger issue. We are also seeing an alarming increase in the incidence of identity theft and criminal misuse of personal information that affects millions of Americans. Other changes are occurring in the regulatory environment. While regulations don't give detailed requirements for information security, and shouldn't in my opinion, they do have implications for improving the integrity of everyone's data. Due to the increasing number of attacks and some of the regulatory requirements, we are seeing an increased awareness of the problem. More clients are coming to us with questions about how to address their information and network security, but they are often still asking the wrong questions. There is not one solution that can address everything. Information security is a continual process that elevates security planning out of the traditional information technology silo. Companies and agencies need to look at information security in a holistic way to create and integrate what has been dubbed ``the culture of security'' into their entire enterprise. Despite this demonstrated critical importance and increased awareness, we have not seen a notable increase in the amount of investment that small and medium companies, and the government, are making in information security. There is cause for hope, however, because in a survey of corporate information officers released earlier this month by Forrester Research, increased funding for security and privacy efforts was at the top of the priority list for 2004. What companies have been doing is committing some resources and expertise to the greater dialog in information security. 
Importantly, efforts are extending beyond the so-called high-technology sector into the greater business community, but more still needs to be done in that area. EDS recently led a project in the Business Roundtable to develop a cybersecurity road map for large corporations in any sector. ``Building Security in the Digital Economy: An Executive Resource,'' was submitted as part of my written testimony. So what needs improvement? Based on the changes I have mentioned, I would like to make two points about areas where we can do more. First, while I appreciate the increased level of awareness about information security, we need to improve on the level of real investment. In order to do that, we need to incorporate the notion of security as a business enabler into all of our business models. Enterprises that do so are investing in more strategic ways and are better able to serve their clients, consumers, citizens and business partners. Second, we can improve upon the effectiveness of our information-sharing and public/private partnership efforts. We have made important strides in this area, but we need to do more to coordinate activities and results. In sum, I would characterize our state of information security as marginally better than it was 2 years ago, with the hope for greater improvement. So what can we do? I would like to make a few recommendations based on my comments today. First, we can continue our efforts for a more coordinated program of industry/government cooperation. Second, we can strive to improve information-sharing mechanisms and look for ways to collaborate across them as well as within them. Third, we still believe that there are areas where incentives are necessary for companies to upgrade their information security, especially for small- and medium-sized companies. This is also particularly true for functions that the U.S. Government deems to be of critical importance to our economic and, therefore, our national security. 
Fourth, we must continue to emphasize research and development for innovations in security. Fifth, I still remain a strong proponent of ways in which we can develop and professionalize the cadre of information security professionals practicing today, including the expansion of programs beyond purely technical disciplines and into the more general business and general curriculums. And finally, due to the interconnected networks that transcend traditional borders today, it is imperative that we engage in the overall global dialog on information security as well. In conclusion, I would like to emphasize that the improvements we have made over the last 2 years in information security have much to do with increased awareness, and I support efforts such as this hearing toward that objective. We are now better off and we are leaning in the right direction, but we can and need to do more now. I outlined some suggestions for future focus that I hope are helpful. Mr. Chairman, thank you for the opportunity to share my views and EDS's experience once again. I will be happy to answer questions you or members of the subcommittee may have. [The prepared statement of David B. Morrow follows:] Prepared Statement of David Morrow, Deputy Director, Global Security and Privacy Services, EDS introduction Mr. Chairman and Members of the Subcommittee, thank you for the opportunity to testify before you today on Cybersecurity and Consumer Data: What's at Risk for the Consumer. My name is David Morrow, and I am the deputy director for global security and privacy services at EDS. I have over 25 years of experience in the information technology (``IT'') field as a computer programmer and analyst, operations chief, security officer, investigator, and consultant. Prior to joining EDS, I was a security consultant with Ernst and Young, LLP and Fiderus Strategic Security and Privacy Services, a small, start-up consulting firm. 
I also spent 13 years of a 22-year Air Force career as an investigator of computer crime for the Air Force Office of Special Investigations (AFOSI). When I retired in 1998, I was the Chief of the Computer Crime Investigations and Information Warfare Division for AFOSI. I am honored to join you today to present EDS' views on the state of information technology security, two years after my last appearance before the Subcommittee. In my testimony two years ago, I focused on the changes in our way of life after the tragedy of September 11, and the need to make investments to protect our information networks. I called upon government and industry to increase their collaboration, to focus not only on physical security but also information security, and to view cyber security as an essential capital investment rather than as an expense. I also noted a few ways that government can help industry bear the burden to protect our information economy and, therefore, our economic security. At the risk of repeating myself, I do want to emphasize that all those comments still hold true. Today, I will focus my comments on what has changed in the last two years, what needs improvement, and once again where I think both industry and government can make greater efforts. What has changed? Thankfully, we have not seen another September 11. However, we are still in a heightened threat environment. More recent attacks on our information networks, such as the DNS root server attacks in October 2002 and several high profile virus and worm attacks, have not stopped us from relying on them to conduct business and live our lives. In fact, we continue to look to information technology to drive innovation, efficiency, and productivity in our business operations. In addition, consumer use of the Internet for recreation and to conduct business continues to expand. And, our networks and the data on them are still vulnerable. 
At EDS, we are seeing an increase in the tempo and severity of new viruses and other attacks on our information infrastructure. As I believe many of us predicted here two years ago, the complexity and sophistication of such attacks has continued to increase, making the task of defending and repairing our networks and systems all the more difficult. Installing software ``patches'' to deflect intrusions has become the favored way of addressing impending attacks. But, our clients are concerned about the need to install patch after patch after patch in rapid succession, on thousands of servers and tens of thousands of desktops. As you can imagine, it is a daunting task to do three major patch updates in one week in a large company or government agency. As these attacks become more frequent, severe, and sophisticated in often incompatible environments, what we call patch management has become a larger issue. Unfortunately, another change we have seen is the increased incidence of identity theft and criminal misuse of personal information that affects millions of Americans at any given moment. While there are a variety of both high and low technology ways to obtain personal identity and credit information, the biggest ``bang'' for the criminal ``buck'' is still to locate and steal such information from an insecure network. I am disturbed by the increasing number of identity theft victims, and I believe more effective practices in network security and protection of personal data would benefit us all, both individually and as a society. I am glad to see that the Administration and Congress took the opportunity of reauthorizing the Fair Credit Reporting Act to address this challenge in a positive way and look forward to the passage of that legislation very soon. Another change is the regulatory environment for us and for our clients. 
The Federal Trade Commission's new ``Do-Not-Call-List'', the Sarbanes-Oxley Act, and the pending FCRA reauthorization are the latest iterations. They follow the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. None of these regulatory frameworks give specific requirements for information security--and shouldn't, in my opinion. But in one way or another, either through greater corporate accountability, stronger privacy requirements, or new reporting obligations, each has direct or indirect implications for improving the integrity of data. As such, I would argue that each raises the level of awareness of information security in enterprises across the country. This increasing awareness is a key component in the changes that I have seen in the last two years. More and more companies are coming to us with questions about how to address their information and network security. The problem is, they are still often asking the wrong questions. There is not a silver bullet that can address everything that achieves a stronger security posture. You can't point and click and say ``done.'' There are no magic technologies or software. Information security is a continual process that elevates security planning out of the traditional information technology silo and involves the whole enterprise: IT, legal, regulatory, sales, marketing, and security, as well as each individual employee and business partner. It's hard work, but it's essential. Another concern is the lack of details or guidance on standards of acceptable security practices. There are many organizations that are putting forth standards that purport to drive best practices or interoperability, for example. But the proliferation of differing standards has caused some confusion among some of our clients that has prevented them from making important changes as they wait for further direction. 
We often use the ISO Standards because they are widely accepted, but there is room for improvement in developing standards for the future that are flexible enough to reflect changes in technology and business operations. As modern global businesses become increasingly intertwined through partnerships, consortia, and merger and acquisition activity, traditional network and security boundaries are, in many cases, no longer intact. The security problems of one member of a partnership arrangement or newly acquired company now quickly become the problems of the entire group as the insecure network or system becomes the weak link in the entire chain. In addition, information security entails many things that may not appear to be security issues at first glance, such as enterprise training, for example. Addressing these issues requires strategic thinking about: the way a company or agency uses information, both on the network and off; what information is critical to the enterprise; what risk mitigation measures need to be put in place for what functions; how your information security fits into an overall business continuity plan; and how privacy and security policies and processes complement--or contradict--each other in the business. Companies need to look at information security in a holistic way to create and integrate what has been dubbed a ``culture of security'' into their enterprise. This may be a daunting task for those enterprises that are behind, but it is crucial to ensuring our economic security. Despite its demonstrated critical importance, we have not seen a universally overwhelming increase in the amount of investment that companies or the government are making in information security. Some of the early adopters are often driven by regulation or in response to an attack, but there are many more who have taken a wait-and-see approach and hope that the next incident does not affect them--at least not too much. 
Part of that is a response to the current economic situation, and part is still a lack of understanding of the loss implications from an attack or even a natural disaster. There is cause for hope, however. In a survey of corporate Chief Information Officers released earlier this month by Forrester Research, increased funding for security and privacy efforts was at the top of the list of priorities for 2004. I am hopeful that as the economy continues to recover, these plans will materialize into concrete actions and investment in the security and privacy of our national data resources. What companies have been doing since September 11 is committing some resources and expertise to the greater dialogue on information security. Trade associations and other industry groups are including information security in their work program, or beefing up existing programs. New information sharing mechanisms are developing, existing ones are working to improve their impact, and industry groups are putting forth best practices and other guidance for their industry. EDS was a founding member of the Information Technology Information Sharing and Analysis Center, or ISAC, one of 13 that were set up as part of Presidential Decision Directive 63 for the designated critical infrastructures. We have also taken on a role in the National Infrastructure Advisory Council (NIAC) that was established after September 11. Importantly, efforts are also extending beyond the so-called high technology sector. EDS led an effort in the Business Roundtable, an association of Fortune 200 Chief Executive Officers, to develop a roadmap for large corporations in any sector to seriously consider their cyber security. The publication is called Building Security in the Digital Economy: An Executive Resource and is submitted as part of my written testimony. What still needs improvement? 
While I appreciate the increased level of awareness, I still think we need to do more to increase the level of real investment and improvement in information security. I believe it requires a recognition that security is not merely good for its own sake. We need to incorporate the notion of security as a business enabler into our business models. Enterprises that are looking at security as an enabler to their business are investing in more strategic ways, and are, therefore, better able to serve their clients, consumers, citizens, and business partners. As I said earlier, it's not just a business expense . . . it's an essential element in today's strategic--and networked--business model. I believe the jury is still out on the role of the Department of Homeland Security in information security. We do applaud the creation of the National Cyber Security Division (NCSD) as well as its initial efforts on establishing the U.S. Computer Emergency Response Team (US-CERT) and collaborating with industry. EDS will be participating in the Cyber Security Summit scheduled for early December and the ongoing work of the summit's designated task forces. However, we hope that its placement in the new agency does not illustrate a lack of concern, authority, or funding for information security efforts in the US government. We all need to be diligent to make sure the NCSD's efforts are maintained and relevant. Virtually everyone on this panel two years ago called for a public-private partnership and increased collaboration on cyber security. Arguably, we have made important strides in that direction as more companies, people, and agencies are talking about these issues in our associations and in government groups. These efforts are encouraging, but I argue we can do more, particularly by coordinating and learning from them, rather than duplicating them. In addition, once again we cannot look at individual aspects of security in isolation. 
As we consider our infrastructure protection, we have to look at the convergence of physical and cyber security because they can no longer be looked at independently. In sum, I would characterize our state of information security readiness as marginally better than it was two years ago, with hope for greater improvement. While more are concerned, many are not doing as little as possible to remedy the problems they have. While more are aware of the threat, they are not mitigating the corresponding risks with appropriate measures. And, while there is more activity and public-private collaboration on information security, it is not well coordinated across the spectrum of industries and issues that are impacted by security measures. What can be done? First, we can continue our efforts for a more coordinated program of industry-government cooperation. The release of the Administration's National Strategy to Secure Cyberspace earlier this year provides a framework for continued work, and I urge both industry and government to take advantage of the upcoming Summit to solidify some of that work going forward. The Department of Homeland Security's National Cyber Security Division provides a focal point for monitoring industry efforts and participating as appropriate. As DHS solidifies its operations, we should ensure that the division has the appropriate mandate, funding, and industry coordination to support its activities. Second, we can strive to improve information sharing mechanisms that are an important component of the public-private partnership on cyber security. For example, the Information Sharing and Analysis Centers (ISACs) are still active and are looking for ways to be more effective for their industries. I would argue the ISACs should also look for ways to communicate and even collaborate with each other when appropriate. Just as we cannot put information security into one silo, we cannot look at each industry sector in isolation. 
We are all interconnected now and rely on not only the security of our own network, but that of our suppliers, customers, partners, and competitors. Industry was collectively pleased when Congress provided for Freedom of Information Act exemptions for information shared on cyber security in the Homeland Security Act. We urge Congress to preserve the integrity of that provision in any future reviews of the Act in order to allow continued information sharing about vulnerabilities, breaches, attacks, and other actual or anticipated cyber incidents. Our experience has repeatedly shown that effective and timely information sharing is one of the most effective ways to prevent widespread incidents and to combat them when they do occur. Third, we still believe there are areas where incentives are necessary for companies to allocate the necessary funds to upgrade their information security. This is particularly true for functions that the US Government deems to be of critical importance to our economic--and, therefore, our national security. Fourth, we must continue to emphasize research and development for innovations in information security and encourage Congress to keep these avenues open for resolution in the budget process. Fifth, I remain a strong proponent of ways in which we can continue to develop and professionalize the cadre of information security professionals practicing today. In the past two years we have seen a notable increase in the number of educational institutions offering courses and even advanced degrees in information security topics. While this is an encouraging sign, I still believe that there is great room for improvement in expanding the discussions beyond the purely technical disciplines and into the more general business curriculum. Finally, as stated earlier, our intertwined information networks are global in nature and transcend traditional borders. That directly impacts global companies such as ours as well as consumers. 
It is imperative that we engage in the global dialogue on information security as well. I commend the Organization for Economic Cooperation and Development and the Asia Pacific Economic Cooperation for their efforts to bring this issue to the international arena. Conclusion In conclusion, I would just like to emphasize the fact that the improvements we have made over the last two years in information security have much to do with an increasing awareness of cyber security concerns for all of us. Increased awareness here at home and abroad will continue to be crucial for our security going forward, and I support efforts such as this hearing toward that objective. We are better off and heading in the right direction, but we can and need to do more--now. I have outlined some suggestions for future focus that I hope are helpful to the Committee. Mr. Chairman, thank you for the opportunity to share my views and EDS' experience once again. I will be happy to answer any questions you and the Members of the Subcommittee may have. Mr. Stearns. Thank you. Ms. Davidson, welcome. STATEMENT OF MARY ANN DAVIDSON Ms. Davidson. Thank you, Mr. Chairman, Ranking Member Schakowsky, and members of the subcommittee. My name is Mary Ann Davidson and I am the Chief Security Officer of Oracle. Thank you for inviting me here again to talk about the efforts information technology consumers, producers, caretakers, and policymakers can take to advance information assurance. As you know, I appeared before the subcommittee just a few months after the events of September 11. In the shadow of one of the most tragic terrorist attacks in history, all of us contemplated the potential catastrophe caused by cyberterror on a massive scale. While we have yet to witness a point-and-click terrorist attack, we have experienced, through Code Red, Blaster and SoBig, its forbears, billions of dollars in damage and lost productivity. 
These attacks are a grim reminder that far too much commercial software is built without attention to information assurance principles, leaving many of our national cyberassets vulnerable to attack; and the vulnerability increases every day. Bounty money may nab us a few bad guys' scalps, but it won't slow the development of automated hacking tools. This is a cyber arms race and the bad guys are winning. For us at Oracle, the goal is clear: to achieve an industry culture where all commercial software is designed, developed, and deployed securely. It has been said twice there are no silver bullets, so I won't say that. I will say it is not going to be a slam dunk. And, in fact, good intentions can do more harm than good. In California, a breach of a major data center prompted the legislature to hastily impose reporting requirements on security breaches. However well intended, the law was passed without a fundamental understanding of the limits of current technology and arguably could make the consumer data more vulnerable to unauthorized access. We need sound ideas, not good intentions from government. Fortunately, the Federal Government can do good both as a software buyer and a policymaker to strengthen the culture of secure software. The Federal Government first of all can leverage its buying power by insisting on more secure software. And we know at Oracle how this works, because we have built security for 25 years, because one of our important customer bases, whom I affectionately refer to as the ``professional paranoids,'' asked us for it. The Defense Department is setting an excellent example by enforcing a pro-security approach to procurement through NSTISSP 11, which says for national security systems an agency can purchase only that software which has been independently evaluated under the Common Criteria or the Federal Information Processing Standards Cryptomodule Validation Program. That is a mouthful. 
Since NSTISSP 11 went into effect 17 months ago, we have seen a number of positive developments. First, many firms are finally pursuing evaluations under FIPS or the Common Criteria for the first time, and it is high time. Second, several firms, including Oracle, are financing evaluations of open-source products. Third, many organizations, such as the financial services industry, are coming together to make security a purchasing criterion industrywide, and are using NSTISSP 11 as a model. Thanks to NSTISSP 11, security is now far more in the software development consciousness than it was 2 years ago. That is a victory for which a large part of the credit goes to Congress and to DOD and the intelligence agencies. There are other ways that the Federal Government can leverage its buying power. For example, the Federal Government could insist that the commercial software it buys is either defaulted to a secure setting ``out of the box'' or made easy for the customer to change security settings, such as through automated tools. As more private and public consumers seek Common Criteria and FIPS as potential security benchmarks, a go-to clearinghouse is needed to validate vendor security claims and compare them to evaluation results themselves; to make apples-to-apples comparisons. For example, a couple of vendors can do Common Criteria evaluation and yet have far more stringent targets or less stringent targets. The clearinghouse would enable buyers to perform scorecarding and facilitate comparisons. Evaluations can cost a half million dollars under the Common Criteria, so it is clearly not for everyone and probably not for consumer software. A software equivalent of the Underwriters Laboratories could ensure that even this kind of software is secure by design, delivery and deployment. Thanks to the UL, most consumer products are generally difficult to operate in an insecure fashion. 
We don't expect a consumer to do anything special to operate Cuisinarts securely; they just are secure. And, in fact, you have to make the product do something unnatural to hurt yourself while using it. Consumers should not be expected to be computer security experts. Industry needs to make it easy for them to be secure. Finally, a culture of security has to have an academic component for professional development and research in areas not addressed in the commercial marketplace. It is said, to err is human. A developer can check 20 of 21 conditions, and if failure to check the 21st causes a buffer overflow, the system is sometimes vulnerable. Hackers only need to find one error, but developers have to close every one. It is an uneven battle. Federal support can help level the playing field. Research is needed on tools that can scan software and pinpoint irregularities or back doors in the code. This type of product is not seen as an attractive option among venture capitalists, because the dominant market mentality in information assurance is focused on developing a better Band-Aid, rather than an effective vaccine. The recently enacted Cybersecurity Research and Development Act can be a useful resource for these types of challenges and Congress should make the highest possible investments to implement this legislation. If the medical community can eradicate smallpox with a strong investment in research, we should be able to eradicate buffer overflows. It is just code, after all. The R&D Act can also fund new and improved academic programs and research centers on computer security in order to increase the number of graduates with this specialty. And, in fact, we need to change the mentality around who we allow to work on critical cyberinfrastructure. We don't allow engineers to design buildings merely because they use the coolest materials; they have to be licensed professional engineers. A similar approach is needed in cybersecurity. 
Ignorance and hubris are the enemies of reliable cyberinfrastructure. Industry lacks for neither of these, unfortunately, so long as we hire based on knowledge of programming languages and not whether those employees understand the language of cybersecurity. We are at war and all of our foot soldiers must be armed with the knowledge of what the enemy can and will do to the careless or unprepared. A strong academic component can also foster a diverse culture. Diversity will prevent the IT equivalent of the Irish potato famine, where reliance on one strain of potatoes brought on mass starvation and emigration. Lack of biological diversity in many IT infrastructures has rendered them immensely susceptible to cyberplagues, and I daresay that far more than one-quarter of our population would be affected should the next cyberplague be more destructive than its predecessors. Biological diversity breeds resistance and the lack of it is deadly. Ultimately, any culture is as strong as the institutions that support it, so our hope is that government will work with us in industry and in academia to facilitate the institutions, practices and mores necessary to build a vibrant, strong culture of security. I believe we have turned the corner and are making progress. We are extremely pleased to be a part of next month's Cybersecurity Summit being planned by the Department of Homeland Security. That kind of dialog can ensure that we have turned the corner for the better. Mr. Stearns. I may need you to sum up. Ms. Davidson. Thank you, Mr. Chairman, and I thank you for the opportunity to appear before you today. [The prepared statement of Mary Ann Davidson follows:] Prepared Statement of Mary Ann Davidson, Chief Security Officer, Oracle Corporation Mr. Chairman, Ranking Member Schakowsky, and members of the Subcommittee, my name is Mary Ann Davidson, Chief Security Officer of Oracle Corporation. 
Thank you for inviting me here again to talk about cybersecurity, and specifically, the efforts all of us can take--as information technology consumers, producers, caretakers and policymakers--to advance information assurance. As you know, I appeared before this subcommittee just a few months after the ghastly events of September 11th. In the shadow of one of the most tragic terrorist attacks in history, all of us contemplated the potential catastrophe caused by cyberterror on a massive scale, and the need for all of us to take far greater responsibility toward better information assurance. While we have yet to witness a point-and-click terrorist attack, we have experienced, through CodeRed, Blaster and Sobig.F, its forebears, with billions of dollars in damage and lost productivity. These attacks are a grim reminder of what I warned this subcommittee of two years ago: Far too much commercial software is built without attention to information assurance principles, leaving many of our national cyberassets--most in private hands--vulnerable to attack. This vulnerability increases every day. Bounty money may result in the arrest of one or two of those responsible for cyberplagues, but it won't slow the development of advanced hacking tools, or change our increasing dependence on Internet-based platforms to administer public and private enterprises--two trends that are at the heart of our growing vulnerability. We are in our own version of an arms race, and the bad guys are winning. For the information technology industry, our contribution to cybersecurity is straightforward: to achieve a marketplace and an industry culture where all commercial software is designed, delivered and deployed securely. There are no ``silver bullets'' to get there. A culture of security will require years to achieve and decades to maintain. Good intentions are not good enough and frankly, can do more harm than good.
We already have seen one instance, in California, where a cyber-related event triggered a rush by the legislature to impose reporting requirements on security breaches. This law was passed without a fundamental understanding of the limits of current technology, and arguably could make consumer data more vulnerable to unauthorized access. It's not good intentions, but sound ideas that we need from government, and fortunately, there are a number of constructive steps the federal government can take, as both a software buyer and policy-maker, to move us toward a culture of secure software.

Let the buyers be wary.

Try as you might, Congress can't legislate good software. Those in a position to make a difference for the better are software consumers, from small business enterprises to big government agencies. All they have to do is make security a purchasing criterion. We at Oracle made the investments to integrate security throughout our development process because our customers asked for it. Our first customers, the intelligence community, whom I affectionately call the ``professional paranoids,'' are some of the most security-conscious people on the planet. After ten years of an on-again, off-again merry-go-round by the federal government to become a more responsible software buyer, we are seeing constructive action being taken by the Defense Department to enforce a pro-security approach to software procurement known as NSTISSP #11. Simply put, for national security systems, an agency can only purchase commercial software that has been independently evaluated under the international Common Criteria (ISO 15408) or the Federal Information Processing Standards (FIPS) Cryptomodule Validation Program (CMVP). Since NSTISSP #11 went into effect 14 months ago, we've seen several positive developments. First, a number of firms, including several of our competitors, are getting their products evaluated under FIPS or the Common Criteria for the first time.
Second, we're seeing firms, including Oracle, financing evaluations of open source products. The security of open source versus proprietary software must not be a religious argument, as it so often is, but a business one. Open source, like proprietary software, is here to stay. We must all work to make it as secure as possible. Third, several industry organizations, such as the financial services industry, are coming together to make security a purchasing criterion industry-wide and are using NSTISSP #11 as a model. We're seeing all of this because the initial impression from an industry perspective is that the federal government--the largest single buyer of commercial software--means business this time. As a result, security is now more in the software development consciousness than it was two years ago, and all of us as information technology consumers stand to benefit. That, in and of itself, is a major victory, and credit goes to the people within the Defense Department and intelligence agencies, as well as Congress, who are making a concerted effort to make this process work.

Secure ``out of the box.''

NSTISSP #11 is a strong lesson that the federal government, acting as a security conscious software buyer, can change the entire commercial software landscape for the better. That said, are there ways, other than NSTISSP #11, that can accomplish the same purpose? We believe one measure worth considering is for the federal government to insist that the commercial software it buys is either defaulted to a secure setting right out of the box, or made easy for the customer to change security settings, for example, through automated tools that enable customers to become, and remain, secure.
For example, the Office of Management and Budget, working in conjunction with the federal agencies, the National Institute of Standards and Technology (NIST) and private industry, could specify what is the appropriate default security setting for the software it buys, or require appropriate and easy-to-use tools needed to change these settings.

Software Underwriters Lab.

Government can be a useful vehicle to promote voluntary cooperation in the name of better security. For example, the Federal Trade Commission could work with the software industry to establish the software equivalent of the Underwriters Laboratories (UL). Security evaluations under the Common Criteria, which can cost half a million dollars per evaluation, are not for everyone, especially for many forms of consumer software. A software version of the UL is a cost-effective vehicle to capture less complex, more consumer-oriented forms of software. Again, the fundamental goal is to make all commercial software secure by design, delivery and deployment. To get there, the federal government should work with private industry to establish a consumer software equivalent of the UL. Thanks to the UL, most consumer products are generally difficult to operate in an insecure fashion. For example, Cuisinarts are designed so that you can't lose a finger while the blades are whirling. We don't expect the consumer to do anything special to operate Cuisinarts securely; they just are secure. Similarly, consumers should not be expected to be rocket scientists or security experts. Industry needs to make it easy to be secure.

Better Information for Buyers.

There are already several good web sites to help private and public customers understand Common Criteria, FIPS and NSTISSP #11.
However, particularly as more and more private customers see Common Criteria as a potential security benchmark, we are finding that what many of our customers need is a one stop, ``go to'' site in order to validate vendor security claims and compare them to the evaluation results themselves. It would be useful for a government procurement officer, or a private sector buyer, to be able to see all evaluations of any type, for a single vendor, at a single glance, from a single location, whether FIPS-140 or Common Criteria, whether evaluated here or abroad. This empowers them to make apples to apples comparisons. For example, two database vendors can both receive an EAL4 certification, even though one database vendor made two functionality claims in a security target, while the other database vendor made forty security claims. A clearinghouse would enable buyers to perform security target ``scorecarding'' and facilitate this and other types of comparisons.

Academic Research and Professional Development.

As in many disciplines, the market alone cannot produce every security solution. A culture of security, like any professional culture, has to have an academic component for professional development, and to advance the field in areas not addressed in the commercial marketplace. For example, even with a good development process, ``to err is human.'' A developer can check 20 of 21 conditions, and if failure to check the 21st causes a buffer overflow, the system is still potentially vulnerable. Keep in mind, hackers only need to find one error, while developers have to anticipate and close every one. It's an uneven battle. Federal government resources directed toward academic talent can work with industry and level the playing field. One area that deserves attention, especially as more and more US firms partner with foreign countries on software development, is research on effective tools that can scan software and pinpoint irregularities or backdoors in the code.
Unfortunately, this type of product research and development is not seen as an attractive option among venture capitalists, who generally channel their funds toward products that are nothing more than techno-band-aids for security faults. In other words, the market mentality toward information assurance is focused on developing a better Band-Aid, rather than an effective vaccine. Congress last year took an important step in filling this void when it passed the Cyber Security Research and Development Act, which authorizes nearly a billion dollars over five years to invest in projects like code-scanning tools. We are about to enter the second year of this five-year program, and Congress is providing very limited assistance to pursue the goals of this legislation. We hope Congress will increase its investment. If the medical community could eradicate smallpox with a strong investment in research, we should be able to eradicate buffer overflows. It's just code, after all. A portion of the proposed investments under the Cyber Security R&D Act is authorized to create or improve academic programs and research centers on computer security in order to increase the number of graduates with this specialty. These kinds of investments are needed. The National Science Foundation reported earlier this year that only seven PhDs in cybersecurity are awarded each year. Research conducted more than two years ago found that while there were twenty-three schools identified as ``centers of excellence'' in information assurance, not one four-year university offered a bachelor's program in cybersecurity. Only one associate degree program was offered at two-year institutions. We've seen some progress on this front, but much more can be done if the federal government invested more resources in this effort. The private sector can be a critical support component as well, especially given the current and growing demand for information security professionals among publicly held corporations.
In the IT industry, no one should be able to work on software that becomes part of critical infrastructure without proving that they understand and can demonstrate sound software design, coding and engineering principles. We do not allow engineers to design buildings merely because they use ``the coolest materials.'' They must be licensed professional engineers. Why do we hire programmers to design critical IT infrastructure merely because they know the coolest programming languages? Ignorance and hubris are the enemies of reliable cyber infrastructure. Industry lacks for neither of these, unfortunately, so long as we hire based on what programming languages someone knows, and not whether they speak the language of cybersecurity. We are at war, and all our foot soldiers must be armed with the knowledge of what the enemy can and will do to the unprepared or careless. A strong academic component in our culture of security also fosters a competitive and diverse culture. Strong competition and diversity will prevent the IT equivalent of the Irish potato famine, where reliance on one strain of potatoes brought on mass starvation and emigration. Similarly, lack of ``biological'' diversity in many IT infrastructures renders them immensely susceptible to cyberplagues. I dare say that far more than one quarter of our population would be affected should the next cyberplague be more destructive than its predecessors. Biological diversity breeds resistance. Lack of it is deadly. As today's hackers and virus spreaders demonstrate every day, cybersecurity is an evolving discipline, one that combines art and science, and determination and passion. One cannot simply take a snapshot of a company's IT systems today and compare it to some preconceived list and say ``yes, you are secure,'' or ``yes, you are doing the right things toward better security.'' The state of the art is in a perpetual state of revolution.
Ultimately, any culture is as good as the institutions that serve as the foundation of that culture. So, if there is an overarching recommendation for you and your congressional colleagues, it is to work with us in industry and in academia to facilitate the development of the institutions, practices and mores necessary to build a strong, vibrant and diverse culture of security. I believe we have turned a corner, and are making progress toward getting more and more of our customers to think about security. Further steps are needed, such as the ones outlined here. Again, these recommendations are no silver bullets, but what we at Oracle believe are the next appropriate steps up this ladder of better security. We are very pleased to be a part of next month's Cybersecurity Summit being planned by the Department of Homeland Security, and some of our leading trade associations. Establishing that kind of regular, continuing dialogue is yet another link toward making sure we have truly turned a corner for the better, rather than yet another trip on the merry-go-round of information assurance. Thank you again, Mr. Chairman, for the opportunity to appear before you today.

Mr. Stearns. And I thank the gentlewoman. Mr. Ansanelli.

STATEMENT OF JOSEPH G. ANSANELLI

Mr. Ansanelli. Good morning. I am Joseph Ansanelli, CEO of Vontu. Our company provides information security software, specifically designed to help organizations protect consumer data by monitoring for the inappropriate distribution of non-public information via the Internet. Mr. Chairman, members of the subcommittee, I commend your efforts in organizing this hearing. The FTC recently provided, I think, an excellent answer for what is at risk for the consumer. As many of you know, in 2002 approximately 10,000,000 people were victims of identity theft. They reported $5 billion in out-of-pocket expenses and many hours repairing credit histories. In the last 5 years, almost 30 million people were victims.
Clearly, identity theft is a risk for consumers. There is also a risk for businesses, who last year suffered an estimated loss of nearly $48 billion. Additionally, businesses risk something even more important, the loss of consumer trust. Vontu recently commissioned a study of 1,000 consumers to understand the relationship between consumer data security trust and commerce. Three highlights from this study. No. 1, security drives purchasing decisions. More than 75 percent of consumers said security and privacy were important in their purchasing decisions. No. 2, consumer notification is important. About 80 percent of the consumers said that they wanted to be notified when companies are at least 75 percent sure that personal information has been compromised, and, three, all security violations are not the same. More than half of the respondents said they would be more concerned if their private information fell into the wrong hands due to an incident caused by an employee rather than a hacker. This third point is very important. While most security testimony has focused on the remarks related to hackers breaking into computer networks from the outside, our focus is on the new security threat, insiders. Every day we create and store records that contain credit card numbers, Social Security numbers, and other types of non-public personal information. The sad fact is that many identity thieves never have to break into a firewall to get to this data. Their employer has already issued them the password to access this information. As a result, last year, a customer service representative of TeleData Communications who had easy access to consumer credit reports allegedly stole 30,000 customer records using his legitimate access. TeleData is the single largest identity theft crime ever prosecuted. 
Also, the Secret Service has assembled teams to investigate fraud rings that enlist corporate employees to steal consumer information, and last, consumer credit information provider Trans Union issued a report stating that the top cause of identity fraud today is now theft of records from employers or other businesses. The problem with better protecting consumer data is no longer just an issue of keeping up with the hacker, but also one of ensuring that those with access keep the information secure. It is clear to me that we need new efforts to minimize this growing risk of identity theft as well as the insider threat. However, I do not believe new government regulations alone can solve this problem. The right solution is a partnership with government and industry. To begin with, I suggest this committee consider developing a consumer data security standard, part of the Consumer Privacy Protection Act of 2003, H.R. 1636. This would ensure a nationally unified and standard approach to protecting consumer information. It should include a requirement for companies to do the basics in security; consider adding seat belts to automobiles. This requirement should include protecting and ensuring the confidentiality of non-public data, detecting potential misuse of consumer information, and correcting problems as they are discovered and notifying consumers when appropriate. These requirements are similar to those under Gramm-Leach-Bliley and HIPAA. I ask you to consider if and why the industries covered by Gramm-Leach-Bliley and HIPAA are somehow unique in their need to protect the same personal data such as credit card and Social Security numbers that many other industries also store. It seems that any business that manages it exposes consumers to identity theft risk and should be held to a similar standard. Also, a national standard is important because confusion is the enemy of consumer protection.
Unless a national standard emerges I fear that businesses will be forced to comply with a patchwork of 50 different State regulations. Last, it is important to have a carrot to ensure partnership. The risk of civil lawsuits or steep fines discourages some companies from going beyond the basic requirement. We strongly suggest any future legislation include a regulatory carrot through a safe harbor to encourage companies to go beyond any basic security requirements without fear of severe penalties. In closing, if more is not done to protect consumer information, especially in the electronic form, the cost of identity theft will continue to grow, causing a drag on this country's ability to sustain its leading position in the global economy. I welcome the opportunity to answer any additional questions.

[The prepared statement of Joseph G. Ansanelli follows:]

Prepared Statement of Joseph Ansanelli, Chairman and CEO of Vontu, Inc.

My name is Joseph Ansanelli and I am the CEO of Vontu, Inc. Our company provides information security software to help organizations protect consumer data by monitoring for the inappropriate distribution of non-public personal information via the internet. I am honored to provide testimony on information security, consumer data and the risks for consumers.

Identity Theft is the Risk for Consumers

The FTC recently provided an excellent answer to the question ``What's at Risk for the Consumer?'' They estimate that approximately 10 million people in the last year alone were victims of Identity Theft. These victims reported $5 billion in out-of-pocket expenses and countless hours of lost time repairing their credit histories. In the last five years, almost 30 million people or 10 percent of the US population were victims of identity theft. Clearly, identity theft is what is at risk for consumers.

Losing Consumer Trust is the Risk for Business

This is not only a risk for consumers, but is a risk for business as well.
As part of the same FTC report, the losses to businesses totaled nearly $48 billion. Additionally, there is a risk that is not mitigated through insurance or other strategies--loss of consumer trust. Vontu recently commissioned a survey of 1000 consumers in the United States to better understand the effect that security of customer data has on consumer trust and commerce. Some of the findings include:

Security drives purchasing decisions--More than 75 percent of consumers said security and privacy were important in their decisions from whom they purchase.

Consumers will speak with their wallets--Fifty percent said that they would move their business to another company if they did not have confidence in a company's ability to protect their personal data.

Insider theft increases concerns about a company's data security efforts--More than 50 percent of the consumers surveyed said an insider breach would cause them to be more concerned about how a company secures their information.

Clearly, financial costs and loss of consumer trust, as a result of identity theft, are what is at risk for business. The question is how does cybersecurity play into these risks?

The Insider--A Major Cause of Identity Theft

While most security testimony has focused on the threats related to hackers breaking into computer networks from the outside, my remarks today will focus on a new and growing security threat--insiders. The sad fact is that many identity thieves never have to break through a firewall. Their employer has issued them a username and password that gives them access to a virtual treasure trove of consumer data. Every day, companies throughout this country create and store millions of records that contain social security numbers, credit card numbers and other types of non-public personal information. At most of those companies, a significant percentage of employees have legitimate access to this data.
This has created a potentially explosive combination of companies storing more consumer information and at the same time providing insiders with more access to that data. Last year, the volatility of this combination made headlines. A customer service employee of Teledata Communications Inc. who had easy access to consumer credit reports allegedly stole 30,000 customer records. This theft caused millions of dollars in financial losses and demonstrates that even though any computer system can be hacked, it is much easier, and in many cases far more damaging, for information to be stolen from the inside. Teledata is the single largest identity theft crime ever prosecuted. However, I am convinced that this kind of crime continues today, yet it often goes unrecognized. Insiders use their legitimate access to copy sensitive information and with a few clicks of their mouse, send it outside the company. Law enforcement and regulators are also starting to raise the issue of the growing danger to consumers from insiders. Special Agent Tim Cadigan testified this summer that the Secret Service has assembled special teams to investigate the growing number of incidents where fraud rings enlist corporate employees in schemes to steal consumer information. Mr. Howard Beales, Director of the Federal Trade Commission's Bureau of Consumer Protection, said in January that the FTC continues to see evidence that insiders were stealing consumer data at an increasing rate and using it to commit identity crimes. In September, the FTC reported that about a quarter of all consumers who knew that their information had been stolen believed that insiders were responsible. Lastly, consumer credit information provider TransUnion recently issued a publicly available report stating that the top cause of identity fraud is now theft of records from employers or other businesses. 
The problem of better protecting consumer data is no longer just an issue of keeping out the hacker but also one of ensuring that those with access to the data keep the information secure.

Consumer Data Security Standard

It is clear that we need new efforts to minimize this growing risk to consumers and businesses. However, I do not believe new government regulations alone can solve this problem. Instead, the right solution is to build a partnership of government and industry using both ``the carrot and the stick''. To begin with, I suggest this committee develop a Consumer Data Security standard--possibly as part of the proposed Consumer Privacy Protection Act of 2003 (HR 1636). This standard would ensure a national, unified and standard approach to protecting consumer information and thereby stop one of the primary sources of identity theft. It should be self-regulating with oversight from appropriate agencies when problems arise and include a requirement for companies to:

Protect and ensure the confidentiality of all non-public personal information;

Detect potential misuse of consumer information;

Ensure compliance by its workforce with their data security policies;

Correct problems as they are discovered.

These requirements are similar to those required under Gramm Leach Bliley and HIPAA. Are the industries covered by these regulations unique in their need to protect personal data? It seems that any business that manages sensitive financial or other non-public personal information exposes consumers to identity theft. Whether it is providing your social security number when purchasing a mobile phone or using your credit card to buy groceries, you are exposing your personal information to theft--a cross-industry, unified approach is needed. Additionally, this committee may want to make notification a part of this standard. In our survey, consumers said they wanted to be notified early and often when security and privacy violations occur.
In fact, 80 percent said they want to be notified when companies are 75 percent sure that a violation has occurred. This Consumer Data Security standard is the ``stick'' to ensure that there is a base level of responsibility for consumer data protection.

Safe Harbor

As mentioned earlier, a partnership between government and business is required to better protect consumer information. Unfortunately, today many of the current and proposed Federal and State regulations serve as a disincentive to proactively search for insider breaches or inappropriate disclosures of consumer information. For example, the risk of civil lawsuits or regulatory censure discourages some companies from going beyond what is considered a base requirement. Future legislation should include a regulatory ``carrot'' through a ``safe harbor'' to encourage companies to go beyond basic security requirements and aggressively pursue potential leaks of data without fear of severe penalties. This approach of the ``carrot and stick'' would not only encourage most companies to adopt new consumer protections quickly, it would free limited government resources to concentrate on the most egregious violations of the standard itself. Additionally, this proposal would help to solve one of the unaddressed issues regarding Identity Theft in both of the current Fair Credit Reporting Act bills approved this year by the House and the Senate. In closing, the increasing costs of identity theft coupled with consumers' increased demands for security protection are driving these issues to the top of the agenda for consumers, business and government. If more is not done by all parties involved with respect to protecting electronic information, the costs will continue to grow, potentially affecting the country's ability to expand its leading position in the world economy. I hope these comments will prove helpful to the subcommittee as it continues its deliberations on improving consumer data security.
I welcome the opportunity to continue working with you, and am happy to answer any questions you might have. Thank you.

Mr. Stearns. Thank you. Mr. Burton.

STATEMENT OF DANIEL BURTON

Mr. Burton. Good morning, and thank you for the opportunity to testify. My name is Dan Burton. I am Vice President of Government Affairs for Entrust, Inc., and as a world leader in securing digital identities and information, Entrust is driving the creation of a robust, manageable business security environment through use of such technologies as encryption, digital signatures, authentication and authorization. I want to be very clear in my message. The cybersecurity problem is not getting better. Since 2001, when this subcommittee held a hearing on this issue, CERT reports a tripling of breaches from 52,000 to a projected 150,000 by the end of 2003. Although awareness has increased, understanding has not. Most companies are still struggling with this issue. It is critical that this subcommittee provide the private sector with clear direction to protect sensitive consumer and business information. You can do so by strongly endorsing information security governance programs that provide businesses risk assessment, reporting and accountability. Let me give you some examples of the problem based on our market experience. The first example speaks to the fact that even if you understand the threat, it is hard for companies to justify more than just a limited response because of the complexity and the investment in people, time and resources that is required. Last year, a large consumer data company suffered a breach when one of its customer's employees used the company's server to hack the passwords of other customers. This company believed that it had taken reasonable precautions to protect its data, especially since the penalties for not taking action were vague.
In this case, the seriousness of the breach and the new penalties created under California's SB 1386 forced the company to change the way it thought about protecting its information systems. This company has put in place a much more robust set of security measures. A second example speaks to the need to treat cybersecurity as a continuous process. A large financial institution implemented strong authentication and digital signatures but year after year failed to upgrade its software, despite the fact that there was no cost to do so. The reason? It did not have the systems in place to treat cybersecurity as a continuous process. Only when the company failed an audit and was cut off from outside software support did senior management get involved and put in place the necessary procedures. A final example shows how some companies are taking a more proactive approach. Several years ago, a major insurance company with a very large database of confidential consumer records realized that it was a prime target for identity thieves and hackers. It couldn't simply lock up its records, since the field agents needed access to them, so it did a risk assessment and implemented a systemic information security governance plan. This program facilitated broad, highly secure access to data. These three cases paint very different responses to the cybersecurity threat, but they all underscore a similar theme and one that I want to highlight today. Companies need a clear understanding of cybersecurity costs, benefits, and penalties before they will make cybersecurity a priority. Where do we stand? The growing array of Federal legislation does not go far enough to ensure companies take sufficient action. Some major laws affecting cybersecurity have been in place and have been referred to today, Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA. These laws tend to treat cybersecurity as a secondary issue.
Two other cybersecurity laws are having a more immediate impact on market behavior, the California Breach Notification Act, SB 1386, and the Federal Information Security Management Act, FISMA. Like it or not, and many people do not like it, by creating a private right of action for failure to report the breach of unencrypted personal information, SB 1386 has had a stark impact on industry's cost-benefit analysis, and by treating cybersecurity as a management responsibility and tying it to OMB funding decisions, FISMA has had an immediate impact on the behavior of Federal agencies.

We think that there is an information security governance imperative. A governance framework is important because it guides the implementation, evaluation and improvement of cybersecurity practices. A successful program requires three basic functions: risk assessment, reporting, accountability. It is our experience that in the absence of mandates for these activities, cybersecurity never receives the management attention and funding that are critical to succeed.

Entrust developed just such a framework for cybersecurity and brought it to the Business Software Alliance, which created a task force co-chaired by our CEO, Bill Conner. The BSA report released last month, entitled Information Security Governance: Toward a Framework for Action, highlights the fact that if we are to make real progress we must treat cybersecurity not only as a technical issue but as a management issue. We are also asked to co-chair the Governance Task Force at the upcoming DHS Cybersecurity Summit.

In conclusion, some compare cybersecurity to Y2K and emphasize the need to require public companies to report on their cybersecurity governance programs in their SEC filings. We didn't solve the Y2K problem by holding seminars for Cobol code writers. We solved it by engaging senior management in the issue and structuring liability laws appropriately.
Others have compared cybersecurity to on-line privacy and emphasize the need for voluntary reporting about risks, breaches and policies backed up by FTC enforcement. There is no privacy without security, and my favorite metaphor here is that of a canary in a glass cage in a room full of hungry cats. This canary has absolutely no privacy. However, it has perfect security. We have got to solve security first if in fact we want to have true on-line privacy.

Perhaps the best analogy for the issue, however, is quality. Like quality, cybersecurity requires numerous iterative steps that are part of a continuous process. Companies must complete one cycle of the program, measure their progress, report their performance to senior management, fine-tune their efforts, and begin another cycle with slightly more rigor. Repeated cycles lead to improvements that will not only protect sensitive information but also enable productivity growth and new market opportunities.

As a global leader in the field with the benefit of firsthand knowledge and the best practices implemented around the world, Entrust strongly urges this subcommittee to lead the effort to take cybersecurity out of esoteric, technical discussions and into mainstream business management. The goal should be to encourage companies to treat cybersecurity as a corporate governance issue, which includes business risk assessment and reporting with management accountability. A good governance framework will produce a transparent process that includes executive management as responsible and assigns the-- --

Mr. Stearns. Mr. Burton, I just need you to summarize.

Mr. Burton. The cybersecurity threat is real; this is not a case of crying wolf. The statistics detail the increased damage and increased threats that occur daily. There is no reason to wait for a major breach or attack that incapacitates the Nation before acting, especially when there is strong consensus around the steps industry must take.
We are now all burdened with the awareness of the threat and have the corresponding responsibility to act. Congress must do everything that it can to ensure effective programs are in place for the private and government sector. Thank you.

[The prepared statement of Daniel Burton follows:]

Prepared Statement of Daniel Burton, Vice President of Government Affairs, Entrust, Inc.

Good Morning. Chairman Stearns and Members of the Subcommittee, thank you for the opportunity to provide testimony on this important and timely subject. My name is Daniel Burton, and I am Vice President of Government Affairs for Entrust, Inc. In my testimony today, I will address our view of where the private sector stands in its efforts to secure its information systems and what this Subcommittee can do to accelerate progress.

I want to be very clear in my message. The cyber security problem is not getting better. Since 2001, when this committee held a hearing on this issue, CERT has reported a tripling of cyber security breaches, from 52,000 in 2001 to a projected 150,000 by the end of 2003. Although some companies have recognized the threat of cyber attacks to their business performance and their customers' personal information, most are struggling to deal with the issue. It is incumbent on this Subcommittee to galvanize industry efforts to protect sensitive consumer and business information. This can only be accomplished by securing the private sector IT systems that control the majority of the nation's critical infrastructure. You can do so by strongly endorsing information security governance programs that drive business risk assessment, reporting and accountability.

Entrust is a world leader in securing digital identities and information. Over 1,200 enterprises and government agencies in more than 50 countries use our security software solutions, so we have a good perspective on today's cyber security reality.
As a company, we are leading the evolution from defensive, perimeter-oriented technology approaches to a more proactive business security strategy that enables increased productivity. This strategy involves creating a more robust, manageable business security environment through the use of technologies such as encryption, digital signatures, authentication and authorization. We also work with customers to put in place the policies and procedures that protect digital identities and information. Our biggest competition comes not from other companies, but from the ``do nothing'' business mindset regarding cyber security.

I. Examples of the Problem

A few examples based on Entrust's experience in the market show how enterprises are responding to cyber security today.

Last year, a company that is a large collector and processor of consumer data suffered a breach when one of its customer's employees used the company's servers to hack the passwords of its other customers. The hacker then proceeded to access and copy databases containing highly personal consumer information. Because this company's clients include 14 of the top 15 credit card companies, 7 of the top ten automakers and 5 of the top 6 retail banks, in addition to other major consumer brands, the attack was not a trivial hack. Fortunately, no identity theft complaints have been traced directly to this breach. Despite the fact that many people focus on external threats, it is important to note that this breach, like most, was internal, meaning that it came from an insider. Moreover, it was discovered only by accident ten months after the incident occurred when law enforcement agents researching another breach discovered e-mails describing this one. As soon as the company learned of the attack, it informed its customers, as required by the California cyber security breach notification law (SB 1386), and implemented authentication and encryption systems to better protect its data.
As a major database company with a pretty good security and privacy program, this company believed that it had taken reasonable precautions to protect its data, especially since it was doing as much as many other companies and the penalties for not taking action are vague. In this respect, it is typical of many companies. The reality facing business today is that even if you understand the threat, it is hard to justify more than limited cyber security measures because of the complexity involved and the investment in people, time and resources that is required. In this case, however, the seriousness of the breach and the new penalties created under California SB 1386 forced the company to change the way it thought about protecting its information systems. Today, this company is on the forefront of driving a higher standard and better understanding of cyber security reality.

A second example speaks to the need to treat cyber security as a continuous process. Several years ago, a large financial institution implemented strong authentication and digital signatures on its cash management service offering for its business customers. I should note that billions of dollars traverse this network. Although there was no additional fee to upgrade this technology as new versions of the software were released, the company repeatedly failed to do so. The reason? It did not have the systems in place to treat cyber security as a continuous process. Only when the company failed an audit because it was cut off from software support did senior management become involved and take the necessary steps to upgrade the company's security systems.

A third example shows that, despite the lip service they pay to the issue, some companies are unwilling to do anything about cyber security that will affect application performance.
A major investment bank realized that it did not have adequate cyber security protections in place and undertook a review of solutions to securely authenticate its sensitive communications internally and with customers. As a condition of this review, however, it stated that it was not willing to sacrifice any application performance for better security. This meant that it would accept only a few milliseconds response time for authentication during fail over. Since no security products can meet this standard, now the company is deciding whether they will tolerate even a minimal performance compromise in order to include security.

A fourth example involves Federal agencies, which in their size and complexity are similar to large enterprises. Until a few years ago, the Federal government did not have an adequate cyber security policy, despite the fact that year after year Congressional report cards gave most government agencies an ``F'' in information security. It was not until Congress passed the Government Information Security Reform Act (GISRA), later amended by the Federal Information Management Security Act (FISMA)--which coupled IT security performance with OMB budget controls--that Federal agencies began to change. By insisting that cyber security be treated as a governance and budget issue with risk assessment, reporting and senior management engagement, FISMA and OMB forced Federal agencies to begin to upgrade their cyber security programs.

A final example shows that when companies view cyber security as a business enabler that improves productivity, they are more likely to be proactive. Several years ago, a major insurance company with a large database of confidential customer records realized that it was a prime target for identity thieves and hackers. The insurance company couldn't simply lock up its records since it had thousands of field agents that needed to access them to service customer needs.
In order to solve this problem, the insurance company did a comprehensive risk assessment and, using digital signatures and authentication technology, implemented an information security governance plan that encompassed strategy, technology, people and process. By proactively securing its IT systems, the company not only protected confidential customer information, but also created the secure business operations necessary to increase the productivity of its agents.

Although these examples paint different responses to the cyber security threat, they all underscore a similar theme--without a better business understanding of cyber security costs, benefits and penalties, most companies will take only limited cyber security measures.

II. Where Do We Stand?

Regardless of how you grade industry's response, there is no doubt that the cyber security risk is increasing. Although some companies are responding, overall business progress has been slow. The current situation brings to mind the ``boiling frog'' metaphor. If you drop a frog in boiling water, it will jump out. However, if you put a frog in a pot of water and gradually raise the temperature, the frog will cook. I think many companies are being ``cooked'' when it comes to cyber security.

Like quality improvement, cyber security is not a one-time event, but a continuous process. Just as few managers understood the quality movement when Deming first introduced it, few business leaders fully grasp the new and evolving discipline of cyber security today. We are at the beginning of this brave new digital frontier, and Congress must find ways to accelerate industry's understanding and progress.

Companies make little distinction between cyber terrorism, cyber crime and cyber vandalism. The fact that different actors with different motives perpetrate these attacks may be significant to government enforcement agencies, but it is of little consequence to industry.
As far as industry is concerned, the primary question is not ``who was responsible for the attack?'' but ``how much damage did it cause? What is the likelihood that it will happen again? And what are the cost, liability and brand implications?'' Anything that Congress can do to bring incentives for constructive action and clarity to industry's assessment of costs and benefits will help in the effort to protect our critical infrastructure.

The growing array of Federal legislation has not adequately addressed this issue. Some major laws affecting cyber security are already in place, such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. These laws, however, tend to treat cyber security as a secondary issue and cite requirements that are often so vague that they do little to improve focus or understanding of the issue or help industry better calculate costs and benefits.

Faced with weighing ambiguous cyber security risks against other business and economic realities, companies have tended to follow one of three paths. Some have chosen to do nothing and wait until either the threat becomes more potent or regulatory requirements get clarified. Others--probably the majority--have made some initial efforts, but have not really integrated cyber security into their core business operations. A third group--comprised of only a rare few exceptions--has embraced cyber security as a market differentiator, integrating it into their core operations and elevating it to an executive management concern.

Two other cyber security laws, however, are having a more immediate and profound effect on market behavior: the California cyber security breach notification act (SB 1386) and the Federal Information Security Management Act (FISMA). These laws are specific about cyber security penalties and programs.
By creating private rights of action and penalties for failure to report breaches of unencrypted personal information, SB 1386 has changed industry's cost-benefit analysis. And by treating cyber security as a management responsibility that entails risk assessment and reporting, the Federal Information Security Management Act outlined a roadmap for Federal agencies that has enabled progress.

III. The Information Security Governance Imperative

Given the increased awareness of the problem, the lack of understanding, and the legislative ambiguity, Entrust has moved proactively to foster collaboration between the public and private sectors on this topic. We first began working this issue inside our company, with the active engagement of our Board of Directors and executive management. At the direction of our CEO, Entrust began to develop and implement just such a cyber security governance program last year. As an information security software company, we felt it was our responsibility to help create a framework that would allow for appropriate risk assessments, performance measures, management guidelines and board audits. The program we developed is tailored to the business needs of Entrust and embodies our interpretation of ISO/IEC 17799 and how the Federal Information Management Act (FISMA) can be applied to the private sector. We identified 141 elements that were important to measure progress. When we started, 25 of these elements were in the red, indicating the need for serious improvement; today, only two are. Our journey is off and running but not over.

As an information security software company who lives in this space, our experience raises real concerns about the status of the average company and the country. As we discovered at the starting point of our cyber security review, we were not nearly as secure as we would have predicted.
This discovery made us wonder whether other companies are making real and ``measurable'' progress since many of them lack a framework.

As a result of our experience, Entrust brought this framework to the Business Software Alliance (BSA), who created a cyber security task force co-chaired by Entrust's CEO, Bill Conner. The BSA report, entitled Information Security Governance: Toward a Framework for Action, released in October 2003, found that information security is not only a technical issue, but also a corporate governance challenge. To quote that report:

    While there is broad consensus on the actions needed to create strong security, too often responsibility is left to the chief information officer or the chief information security officer. In fact, strong security requires the active engagement of executive management. By treating these challenges as a governance issue and defining specific tasks that employees at all levels of an organization can discharge, enterprises can begin to create a management framework that will lead to positive results.

A governance framework is important because it guides the implementation, evaluation and improvement of cyber security practices. An organization that creates such a framework can use it to articulate goals and responsibilities and evaluate progress over time. One of the most important aspects of such a framework is that by defining business and cyber security responsibilities within an organization, it creates a roadmap for improvement. By specifying who does what and forcing companies to report on their results to their own boards, it allows companies to assign specific responsibilities and translate awareness into action.

Effective cyber security governance programs usually have three basic functions: risk assessment, reporting and accountability.
Their payoff comes from the fact that they insist on the systematic oversight and execution necessary to make cyber security part of a company's core business operations. Simply identifying best practices is not enough; they must be married with effective implementation at all levels of an organization.

To be effective, each information security program must be tailored to the needs of the individual business and industry in which it operates. It must identify business drivers; clarify roles and responsibilities; recognize commonalities; define metrics; include periodic progress reports to executive management; and specify what corporate executives, business unit heads, senior managers, and CIOs should do.

According to the BSA information security governance report, the board and the CEO have responsibility for overseeing policy coordination, business unit compliance and accountability. The business unit head has responsibility for providing information security protection commensurate with the company's risks and business needs, as well as training, controls, and reporting. The senior manager has responsibility for securing information and systems, assessing assets, determining appropriate levels of security, cost-effectively reducing risk, testing and controls. The CIO and CISO have responsibility for developing and maintaining compliance with the security program, designating a security officer, developing the required policies, assisting senior managers, and conducting a security awareness program.

IV. Conclusion

Congress should embrace requirements for information security governance and reporting. Citing the Y2K experience, some have emphasized the need for a ruling that would require public companies to report on cyber security governance programs in their SEC filings.
In order for such a provision to be successful, it will be necessary to avoid esoteric requirements that increase the cost and complexity of implementing solutions but do little to increase cyber security and shareholder value. Others have cited the online privacy debate and emphasized the need for voluntary reporting about cyber security policies and breaches, backed up by FTC enforcement. For this approach to succeed, it must also encompass the need to secure business information systems. Still others have compared cyber security to the quality movement and insisted that government provide incentives for companies to undertake the training and process improvements necessary to secure their information systems.

We would recommend the following lessons for companies intent on securing our critical infrastructure:

A business information security governance framework for risk assessment and reporting with executive management engagement and board oversight is essential. A good governance framework will produce a transparent process that allows management to assign responsibility and make investment decisions to address unacceptable risks.

Businesses need to get on with it--just do it. Information security is a very broad topic with seemingly endless detail. Companies should not try to solve the problem all at once. Instead, they should begin with the top-level policy issues. The important thing is to get started. Too many programs never get off the ground because the effort looks too daunting.

Business information security governance is a continuous improvement program. Like quality, cyber security improvement requires numerous iterative exercises in a continuous journey. Companies should complete one cycle of the program at a high level, report to the Board on their performance, fine-tune their program and begin another cycle with slightly more rigor. Repeated cycles will lead to real improvements.
Whatever course is taken, the objective should be to encourage companies to treat cyber security as a corporate governance issue that includes business risk assessment and reporting with management accountability. The cyber security threat is real, and there is strong consensus around the steps that industry must take. Congress needs to do everything it can to drive more effective programs in the private sector. This Subcommittee has extensive experience dealing with complex issues, and we are confident in your abilities to address this one. We are at an inflection point in the effort to strengthen cyber security and need your leadership.

Mr. Stearns. I thank you, and, Mr. Thompson, thank you for your patience. We welcome your statement.

STATEMENT OF ROGER THOMPSON

Mr. Thompson. Good morning. Thank you for allowing me to testify. My name is Roger Thompson.

Mr. Stearns. Could you pull it a little closer to you, the mike?

Mr. Thompson. There we go. Thank you for allowing me to testify. My name is Roger Thompson. I am the former Director of Malware Research at the TruSecure Corporation, and I am currently Vice President of Product Development at PestPatrol. PestPatrol was founded in May 2000 by a team of software professionals to encounter the growing threat of malicious non-viral software. Currently one of PestPatrol's greatest concerns is the threat of Spyware, so I would like to introduce you to the problem as our customers see it, being consumers, and give you an idea of how the software community's efforts to protect is developing.

Spyware is silent. It is invisible to the consumer. It allows criminals to steal from them. It arrives uninvited and unwanted. It has not received the attention needed to warn the unsuspecting of these dangers to their personal confidential information, and perhaps worst of all spyware and similar malware problems rob consumers of the confidence needed to make commerce over the Internet inviting, safe and successful.
Every day we hear horror stories from our customers that illustrate the very real and personal losses caused by the spyware problem.

Wanda Gilman is a church secretary from Saginaw, Michigan. Like most people, she has received warnings from her anti-virus software about virus attacks and she thought she was pretty well protected on that front, and unfortunately it became abundantly clear to Wanda that she needed something more after she experienced two instances of identity theft. Neither incident involved more than $1,000, but it was an uncomfortable feeling for her to have her identity hijacked and a long and complicated recovery each time around.

Michelle Scalero from New Jersey has a home computer that her family shares for on-line banking and purchasing, as well as enjoying what the Web has to offer them and their young children. They were extremely alarmed when they found their PC flooded with explicit teen porn pop-ups, caused by a Trojan horse program that had been delivered by a piece of spyware they had unknowingly downloaded onto their computer.

Barbara Wolski bought a brand new computer that was supposed to be very fast, 2.6 gigs, which included a special feature called hyperthread technology to make the processing speed even faster, and then she found that her old computer which was only 1 gig ran faster than the new one. She ran the anti-spyware program and found over 5,000 pieces of spyware factory-installed on the new machine, all busy ``phoning home'' information about her, causing the massive slowdown.

None of this needs to happen. We hear thousands of similar sad stories all the time. A record number of incidents were reported this year, more than 60,000 at the end of last month, and it keeps growing. $24 billion is the estimated identity theft loss in the United States from identity theft last year; $73 billion is the estimated identity theft loss projected domestically by the end of this year; and $9,800 is the average take from each identity robbery.
These numbers come from the Aberdeen Group, an industry analyst firm that calls identity theft ``the crime that pays.'' Aberdeen also warns that profits from these crimes are so encouraging that organized crime has become a factor.

It has been 20 years since the first virus was created and for much of my career I watched the damage that computers could cause from children at home to senior corporate executives. My computer career began in Australia in 1979, where I worked as a mainframe systems engineer. I co-founded the first Australian anti-virus software company, Leprechaun Software, and launched the Virus Buster product back in 1987. In 1991, I moved to the United States. I started Thompson Network Software, which produced The Doctor range of systems management and security products. When I became Director of Malware Research at TruSecure Corporation, I was able to focus more closely on the way that different kinds of malware were developing, and the sheer size of the problem was really brought home to me. Now, at my current company I am working with malware's fastest-growing and most insidious incarnation yet, spyware.

Here is the new stuff. The anti-spyware industry is still in its infancy, but it has proven to me every day from the prevalence data collected by my company that this type of secretive, invasive software is a huge problem for computer users. Before we can address possible solutions, we need to define what the spyware problem actually is. For me spyware is any software that is intended to aid an unauthorized person or entity in causing a computer, without the knowledge of the computer's user or owner, to divulge private information.

The industry has begun to make consumers more aware of this threat by banding together. To begin educating the public on spyware and its dangers, we recently co-founded, along with several other anti-spyware companies, the Consortium of Anti-Spyware Technology, COAST.
This nonprofit organization is a forum in which members cooperate to increase awareness of the growing problem. We reached agreement on the definition of spyware, which helps us technology vendors create products that address consumers' concerns.

The dangers of spyware are not always known and are almost never obvious. Usually you know when you have a virus or worm. These problems are in your face. Spyware, on the other hand, silently installs itself on the PC, where it might take any number of different and unwanted actions; for example, phone home information about you, your computer and your surfing habits to a third party, to use to spam you or push pop-up ads to your screen; open up your computer to a remote attacker using a RAT, or Remote Access Trojan, to remotely control your computer; capture every key stroke you type, private or confidential e-mails, passwords, bank account information, and report it back to a thief or a blackmailer; allow your computer to be hijacked and attack a third party's computers in a denial of service attack that can cost companies millions and make you liable for damages. They can probe your system for vulnerability to otherwise exploit the system.

If that does not make the computer users on the subcommittee nervous, consider that the on-line holiday season has already arrived. With more and more people shopping on-line, the potential for identity theft is much greater. Shoppers are stressed and distracted and may not take their usual care in protecting themselves from electronic pickpockets. No one would allow a silent and hidden burglar into his or her home without a fight and, as you saw with the real world experience I described earlier, spyware has the ability to ruin someone's Christmas. Like having your wallet stolen, life becomes a bureaucratic nightmare of new identity cards and credit cards. And ultimately how do you retrieve your privacy from an unknown or uncaring prowler using the Internet as a hunting ground?
These anti-virus companies were often accused of hyping gloom and doom to help increase their own sales and profits. That was long ago proven to be unfounded. Today, the billions of dollars lost, in identity theft, transaction hijacking, sensitive information, are compounded by the huge losses to credit card companies that must reissue cards whenever an account is compromised or even suspected of being compromised. The growing threat is no exaggeration. I think everyone on this panel would agree a huge portion of damages and tangential damages caused by spyware and malware goes unreported and is unknown.

Something must be done to protect the Wanda Gilmans, the Michelle Scaleros, and the Barbara Wolskis, who only want to conduct their on-line activities and purchases with peace of mind, knowing they can do it safely. H.R. 2929, the Safeguards against Privacy Invasions Act, is a powerful step in this direction. In person, consumers have the choice not to answer questions when they go shopping. Why shouldn't on-line shoppers have the same choice to say no to spyware? As a representative of my company and as a person who has devoted my working life to malware eradication, I urge you to pass the SPI Act.

[The prepared statement of Roger Thompson follows:]

Prepared Statement of Roger Thompson, Vice President, Product Development, PestPatrol, Inc., formerly Director of Malware Research, TruSecure Corporation

Good morning. Spyware is silent. It's invisible to the consumer. It allows criminals to steal from them. It arrives uninvited and unwanted. It has not received the attention needed to warn the unsuspecting of these dangers to their personal and confidential information. And, perhaps worst of all, spyware and similar malware problems rob consumers of the confidence needed to make commerce over the Internet inviting, safe and successful.

Every day, we hear horror stories from our customers that illustrate the very real and personal losses caused by the spyware problem.
Listen for a moment to just three:
Wanda Gilman is a church secretary from Saginaw, Michigan. Like most people, she has received warnings from her anti-virus software about virus attacks, and she thought she was pretty much protected on that front. Unfortunately, it became abundantly clear to Wanda that she needed something more than her anti-virus after she experienced not one but two incidences of identity theft. While neither incident involved more than $1000, it was an uncomfortable feeling for her to have her identity hijacked, and a long and complicated recovery each time around.
Michelle Scalero from New Jersey has a home computer that her family shares for online banking and purchasing, as well as enjoying what the web has to offer them and their young children. They were extremely alarmed when they found their PC flooded with explicit teen porn pop-ups caused by a trojan horse program that had been delivered by a piece of spyware they had unknowingly downloaded onto their computer.
Barbara Wolski bought a brand new computer that was supposed to be very fast (2.6 GHz), which included a special feature called hyperthread technology to make the processing speed even faster. While her old computer was only 1.2 GHz, it ran faster than the new one. Barbara ran our anti-spyware software on the new machine and found over 5000 pieces of spyware factory-installed on the new machine, all busy ``phoning home'' information about her--causing the massive slow-down.
None of this needed to happen. And we hear thousands of similarly sad stories all the time. Our customers reported a record number of such incidents this year--more than 60,000 as of the end of last month--and the complaints keep growing. Here are some numbers to think about as we discuss protecting consumers from spyware:
24 billion dollars . . . that's estimated identity theft losses in the US from identity theft last year.
73 billion dollars . . . that's estimated losses from identity theft projected domestically by the end of this year.
9,800 dollars . . . that's the estimated average ``take'' from each identity robbery.
These numbers come from the Aberdeen Group, an industry analyst firm that calls identity theft ``the crime that pays.'' Aberdeen also warns that the profits from these crimes are so encouraging that the organized crime is becoming a factor. You may have heard that last week was a dubious anniversary . . . it's been 20 years since the first virus was created. Through much of my career, I have watched the damage that computer intruders can cause--to every PC user from children at home to senior corporate executives. My computing career began in Australia (perhaps you recognize the accent) in 1979, where I worked as a mainframe systems engineer. I co-founded the first Australian anti-virus software company, Leprechaun Software, and launched the Virus Buster product back in 1987. After moving to the United States, I started Thompson Network Software, which produced The Doctor range of systems management and security products. When I became Director of Malware Research at TruSecure Corporation, I was able to focus more closely on the way that different kinds of malware were developing, and the sheer size of the problem was really brought home to me. And now, at my current company, I am working with malware's fastest-growing and most insidious incarnation yet--spyware. The anti-spyware industry is still in its infancy, but it's proven to me every day from the prevalence data collected by my company that this type of secretive, invasive software is a huge problem for computer users. Before we can address possible solutions to the problem, however, we need to define what the spyware problem actually is.
For me, spyware is any software that is intended to aid an unauthorized person or entity in causing a computer, without the knowledge of the computer's user or owner, to divulge private information. The industry has begun to make consumers more aware of this threat by banding together. To begin educating the public on spyware and its dangers, we recently co-founded, along with several other anti-spyware software companies, the Consortium Of Anti-Spyware Technology (COAST) group. This non-profit organization is a forum in which members cooperate to increase awareness of the growing spyware problem. We've reached agreement on the definition of spyware, which helps us technology vendors create products that address consumers' concerns. The dangers of spyware are not always known and are almost never obvious. Usually, you know when you have a virus or worm--these problems are ``in your face''. Spyware, on the other hand, silently installs itself on a PC, where it might start to take any number of different and unwanted actions. For example:
``Phone home'' information about you, your computer and your surfing habits to a third party to use to spam you or push pop-up ads to your screen
Open up your computer to a remote attacker using a RAT (Remote Access Trojan) to remotely control your computer
Capture every keystroke you type--private or confidential emails, passwords, bank account information--and report it back to a thief or blackmailer
Allow your computer to be hijacked and used to attack a third party's computers in a denial-of-service attack that can cost companies millions and make you liable for damages
Probe your system for vulnerabilities that can enable a hacker to steal files or otherwise exploit your system.
If that doesn't make the computer users on the subcommittee nervous, consider that the holiday online commerce season has already arrived.
During the holiday shopping season, with more and more people shopping online, the potential for identity theft is much greater--shoppers are stressed and distracted, and may not take their usual care in protecting themselves from electronic pickpockets. No one would allow a silent and hidden burglar into his or her home without a fight. As you saw with the real-world experiences I described earlier, spyware has the potential to ruin someone's Christmas. Like having your wallet stolen, life becomes a bureaucratic nightmare of new identity cards and credit cards. And, ultimately, how do you retrieve your privacy from an unknown and uncaring prowler or corporation using the Internet as a hunting ground? The anti-virus companies were often accused of hyping gloom and doom to help increase their own sales and profits--that was long ago proven to be unfounded. Today, the billions of dollars lost--in identity theft, transaction hijacking, sensitive information--are compounded by the huge losses to credit card companies that must reissue cards whenever any account has been compromised or even suspected of being compromised. The growing threat is no exaggeration. I think everyone on this panel would agree that a huge portion of damages and tangential damages caused by spyware and malware goes unreported and is unknown. Something must be done to protect the Wanda Gilmans, Michelle Scaleros and Barbara Wolskis, who only want to conduct their online activities and purchases with the peace of mind of knowing they can do so safely. H.R. 2929, the Safeguards Against Privacy Invasions Act, is a powerful step in this direction. In person, consumers have the choice not to answer address, phone and email address questions when they go shopping. Why shouldn't on-line shoppers have the same choice to say no to spyware? As a representative of my company and as a person who has devoted my working life to malware eradication, I urge you to pass the SPI Act. Thank you.
Mr. Stearns. I thank the gentleman, and now I will start the questions, and I think I go back to my opening statement. What are the real risks and costs to consumers for cybersecurity breaches and what poses the most risk to cybersecurity, and then what is the optimum role for the Federal Government to play when it comes to protecting consumers from cybersecurity threats? I would start out with Commissioner Swindle. You point out in your opening statement that not all security breaches are violations of the Federal Trade Commission. In your opinion, is there a need for legislation in this area, giving the FTC additional authority? What is your feeling here?
Mr. Swindle. Mr. Chairman, to the point of not all breaches are security violations or violations of the law, I think if we just think of it in the context of a couple of examples if the breach resulted in my name and address going out to the world----
Mr. Stearns. That is a breach?
Mr. Swindle. [continuing] that is not a problem.
Mr. Stearns. That is a breach or not?
Mr. Swindle. That can be a breach of the system because it is contained in the system, I think, but if along with that my credit card went, that is a serious problem and the consequences could be rather dire if somebody got hold of my financial information, my credit card. Just having my address, which is publicly known personal information, that does not necessarily constitute a violation of law, and I think we could look at it from the context of what harm has been done.
Mr. Stearns. Do you have a data base in which you have actually collected this information that has internally affected employees or major companies? Do you have a data base at the Federal Trade Commission on this?
Mr. Swindle. I am not aware of a data base of that nature.
Mr. Stearns. Reliable data on harms to data infrastructures caused internally by employees of major data base companies? Do you have a reliable data base?
Mr. Swindle. I have never thought of it in that context.
I do not think we have a data base specifically designed as such.
Mr. Stearns. Well, I guess.
Mr. Swindle. And assembling that data base might even be setting up a target to be breached and causing a problem.
Mr. Stearns. What about the Gramm-Leach-Bliley Act? Have you experienced any security problems or policies for financial institutions under the Gramm-Leach-Bliley Act we passed?
Mr. Swindle. The problem with that act, the most obvious one, comes from the nature of the requirements for notice, and we have all received the copious quantities of papers that no one could understand. But, I think Gramm-Leach-Bliley has put a focus on institutions' obligation to security and privacy and, in a sense, I think that is good.
Mr. Stearns. Okay. Mr. Charney, should there be common standards for independent security evaluations and why are such standards important and who should set those standards?
Mr. Charney. For the most part, standards can be important. The risk is that if we set standards that fixate on a particular technology what we will end up doing is stifling innovation. So one of the things that we focus on more is best practices, so that we can develop methodologies in both product development and in management; that is, both at the same time, cutting edge but flexible enough to allow further innovation. So if you are talking about standards for security, for example, there is a risk. For example, the government had a standard for encryption called Data Encryption Standard, and when that standard was no longer viable the entire industry, including the government, moved away from that standard to something more secure, and it was 2 years later that the government finally promulgated a new standard, after everyone had already left the old one. So the challenge is to be able to provide prescriptive guidance to customers and consumers about how to protect themselves without locking in the technology.
Mr. Stearns. I guess we would say security is a public good.
Can markets alone be fully responsive to cybersecurity concerns, just the markets themselves, or----
Mr. Charney. I think the markets have some limitation.
Mr. Stearns. This best practices you talked about, in your opinion do you think the Federal Government--like Mr. Ansanelli had indicated, there might be a Federal role here?
Mr. Charney. Oh, there is clearly a Federal role and there is a couple of them actually. The government can lead the way in the development of best practices. The General Accounting Office, for example, frequently looks at the security of government systems and issues government report cards which, to be honest, have not been very favorable. The second thing is there are constraints on the market, and for public safety and for national security purposes governments may need higher levels of security than markets normally provide. In those kinds of cases, the government should take steps, particularly in research and development and other areas, to make sure that the gap between what the governments need and what markets will provide are in fact closed.
Mr. Stearns. Mr. Ansanelli, you mentioned something about a consumer data security standard that has got our staff's attention, to ensure that there is a base level of responsibility for consumer protection, consumer data protection. Do you see the need for this kind of baseline standard and what should the standard be?
Mr. Ansanelli. The reason why it is helpful to have that standard is when you compare what has happened between Gramm-Leach-Bliley and HIPAA, that those organizations tend to protect data more than other organizations, so you have seen improvements as a result of the security requirements and Gramm-Leach-Bliley, I think it is section 501(b), with respect to protecting consumer data.
So there have been improvements in the protection of that data as a result, and I think that evidence indicates that it would be better to also then have other organizations that actually keep that same data, if a financial institution has my Social Security number, when I buy a phone if I have to give them my Social Security number because they do a credit check on me. So why is it that one industry might have to have a standard where another might not, and I think very importantly the risk that I think might happen is that the States will end up driving the requirements and the regulations, so that either companies will have to wind up dealing with a patchwork of lots of different regulations. There are about 200 different identity theft bills at the State level currently being discussed right now. I think it is important there is a uniform standard as opposed to 50 different standards that has to emerge.
Mr. Stearns. So what you are saying is you would like the Federal Government to come up with the consumer data security standard?
Mr. Ansanelli. Yes, and it should be about what are the best practices and what are the requirements that every company who stores non-public personal information should have to live by and it should be something that----
Mr. Stearns. Mr. Burton, would you like to comment and then I will close?
Mr. Burton. Yes. Any of that is working on standards. I guess it is my concern that by treating it as a technical issue, which standards again puts you squarely back into a technical discussion, you are missing a huge motivator here, and that is that senior management is not making the decisions to invest, to train, to hold people accountable, because it is extremely complex and it is too often seen as a defensive technical issue. A porcupine if it rolls itself into a ball is perfectly protected.
Its quills are everywhere, but they cannot move, they cannot eat, they cannot do anything productive, and I think so much of this discussion is on definitive technology issues that fail to address the management question and the issue that ultimately a lot of cybersecurity is enabling, just as quality is enabling, and I think you can make a huge contribution.
Mr. Stearns. Thank you. Ms. Schakowsky.
Ms. Schakowsky. Mr. Swindle, I wanted to get back to your comment that you made, regarding the fact that if my name and address went out that that is not a very serious breach of security, and so some things are serious and some things are not, and yet when you look at your testimony and you talk about the Commission's first information security case, the Eli Lilly case, which essentially was the name and address, in this case an e-mail address, but in any case it was consumers of Prozac--was it? Yeah, Prozac, very sensitive information, and all that went out was a name and address. So I am disagreeing with you that name and address going out is not necessarily, or certainly can be an important breach of violation, I would think, since you treated it that way. But I also was concerned about the sanctions, which seem to me a very minor slap on the wrist, whereas the implications for consumers of that information, that very sensitive information going out, could be very serious. So I wanted you to just comment on this.
Mr. Swindle. I would be happy to, Congresswoman. First off, I believe the question related to there could be a breach without a violation of the law. I believe that is the way I understood the question. The release of nothing more than my name and address, which is in the phone book, could hardly be construed as a violation of law. Now, in the case of Eli Lilly, it was a name and the address and the identification of a person who was using a medication.
The use of that medication carries a connotation of health problems and all sorts of emotional problems perhaps and things of this nature, which could indeed be certainly a gross violation of personal information and privacy. So that can be construed, I think. They are entirely two different things if we take them in the context I gave them to you. But perhaps another way of looking at this: How can there can be a breach without a violation of the law? We are dealing, if I may describe this as an example, we are dealing with a machine with a million moving parts in it and to my mind nobody's perfected all one million parts, and companies can take every reasonable effort they know how to take, given the circumstances of the nature of the information and how it is stored and how it is used, and there might still be a breach in the security. Having taken every reasonable step they can take, then I think we would probably find it hard to say that is a violation of the law, when they did everything they possibly could. As technology evolves we will constantly be confronted with that problem. You know, the Defense Department has this problem, Congress has this problem, Microsoft has this problem, all companies have this problem because it is just a massive complex problem with which to deal. I do think there is a distinction there.
Ms. Schakowsky. Are you talking about, what did you say, user error? Are you talking about perhaps issues of management, individual errors that are made? I mean, it would seem to me that a company would still or anybody would still have to take responsibility for that. I am trying to understand where you draw the line. Yes, we certainly expect that all possible measures are taken, and you are saying but if there is still a breach after that, then nobody is responsible for that?
Mr. Swindle. No, I do not think I said that, Congresswoman.
Ms. Schakowsky. Okay.
Mr. Swindle. I did not address the accountability. We all have to be accountable.
We are responsible for running the train, and I think industry does take that responsibility very seriously. In the case of Eli Lilly, we thought that the best possible solution. This is an incredibly fine company, as is Microsoft, as are the companies represented here on this panel. They are doing their utmost. In the case of Eli Lilly, there was negligence, not sufficient training, there were not sufficient technical safeguards put in. They are under scrutiny and have corrected those requirements, the deficiencies, and we are going to be monitoring them. As I think I indicated, they report to us with an audit system every 2 years.
Ms. Schakowsky. Yeah, I would still think that it is more than a slight slap on the wrist.
Mr. Swindle. And we were concerned with this, but what do we--what else perhaps--questionably, what else could we have done?
Ms. Schakowsky. That is the question for us; is not it?
Mr. Swindle. A huge penalty, would it accomplish that and correct the problem? The problem was mostly technical and training, I think. If they corrected the problem, we go on. They certainly can be subject to several penalties pursued by the people they harmed. That is always open to victims.
Ms. Schakowsky. Well, I think much of the testimony here does say that there need to be appropriate sanctions, and that is certainly what we need to consider. I want, Mr. Chairman, to have your permission to leave the record open for further questions. I have a number of questions.
Mr. Stearns. I think that is in order.
Ms. Schakowsky. If I could put in?
Mr. Stearns. Sure. Go ahead.
Ms. Schakowsky. I wanted to ask--I wanted to submit this document, which is an e-mail from Bill Gates and addressed to Microsoft and subsidiaries. They are all FTE dated January 15, 2002, for the record, and I have a number of questions around that that I hope that Mr. Swindle will answer, and also actually Mr. Charney, about that.
Mr. Stearns. Would you like to submit that?
Ms. Schakowsky. If I could.
Mr. Stearns. By unanimous consent, so ordered.
[The information referred to follows:]
From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing
Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing--or able--to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing. When we started work on Microsoft .NET more than two years ago, we set a new direction for the company--and articulated a new way to think about our software. Rather than developing standalone applications and Web sites, today we're moving towards smart clients with rich user interfaces interacting with Web services. We're driving the XML Web services standards so that systems from all vendors can share information, while working to make Windows the best client and server for this new era. There is a lot of excitement about what this architecture makes possible. It allows the dreams about e-business that have been hyped over the last few years to become a reality. It enables people to collaborate in new ways, including how they read, communicate, share annotations, analyze information and meet. However, even more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing.
What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony. Today, in the developed world, we do not worry about electricity and water services being available. With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this, ranging from the individual user who isn't willing to add a new application because it might destabilize their system, to a corporation that moves slowly to embrace e-business because today's platforms don't make the grade. The events of last year--from September's terrorist attacks to a number of malicious and highly publicized computer viruses--reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure, whether it's the airlines or computer systems. Computing is already an important part of many people's lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing. Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched--but as an industry leader we can and must do better. Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create.
We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it. No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around .NET that we can achieve this. The key design decisions we made around .NET include the advances we need to deliver on this vision. Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code, so it is a key foundation element. I've spent the past few months working with Craig Mundie's group and others across the company to define what achieving Trustworthy Computing will entail, and to focus our efforts on building trust into every one of our products and services. Key aspects include:
Availability: Our products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.
Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.
Privacy: Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information including controlling the use of email they send.
Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving ``five-nines'' availability.
It's a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services. It's about smart software, services and industry-wide cooperation. There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level--from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company. In recent months, we've stepped up programs and services that help us create better software and increase security for our customers. Last fall, we launched the Strategic Technology Protection Program, making software like IIS and Windows .NET Server secure by default, and educating our customers on how to get--and stay--secure. The error-reporting features built into Office XP and Windows XP are giving us a clear view of how to raise the level of reliability. The Office team is focused on training and processes that will anticipate and prevent security problems. In December, the Visual Studio .NET team conducted a comprehensive review of every aspect of their product for potential security issues. We will be conducting similarly intensive reviews in the Windows division and throughout the company in the coming months. At the same time, we're in the process of training all our developers in the latest secure coding techniques. We've also published books like ``Writing Secure Code,'' by Michael Howard and David LeBlanc, which gives all developers the tools they need to build secure software from the ground up.
In addition, we must have even more highly trained sales, service and support people, along with offerings such as security assessments and broad security solutions. I encourage everyone at Microsoft to look at what we've done so far and think about how they can contribute. But we need to go much further. In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services. Going forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it. This priority touches on all the software work we do. By delivering on Trustworthy Computing, customers will get dramatically more value out of our advances than they have in the past.
The challenge here is one that Microsoft is uniquely suited to solve.
Bill
Mr. Stearns. Let's see, the gentlelady from California is recognized.
Ms. Bono. Thank you, Mr. Chairman, and I thank the panelists for sticking with us through all of this. I think the one theme that generally has come up for me in this testimony so far is that Ms. Davidson alluded to the fact that California did some knee-jerk reacting to the situation and came up with legislation that was not very good, and whether or not you know this, Congress is probably--in all of the issues we deal with we are technologically challenged, and we were all thrilled the day we got Blackberrys, but there is a funny story I remember of a Member of Congress who held up his Blackberry and said this is great, I do not know how to work it, and I said why don't you try turning it on first, and that is a true story. Now, these people might be experts in whatever field they are in, we have the CDC and the NIH, who do a lot of our great work in medicine, but in Congress do we have the governmental entity in place? I think, Mr. Swindle, I would ask you the question. We have got the FTC, the FBI, but do we have an entity that works specifically with Congress to move more swiftly in the case of these issues or is it sort of--are we a little bit lacking in that area?
Mr. Swindle. I do not think we have a central agency that would combine the resources of all of us to work with Congress, but I think each of these agencies, in their own realm, work with Congress very closely. I know we try to work with Congress as closely as we can when Congress is considering drafting legislation to solve a problem. Often we propose suggestions as to how current laws might be modified, and I think we are often on the side of urging caution before we legislate to solve a problem where very likely the proposed solution will perhaps cause more harm than good.
As one of the panelists said earlier, sometimes the process is so slow that we have gone well beyond that problem and already found a solution to it. In all honesty, I think it takes each one of these agencies. They have some responsibility and oversight of these issues, dealing with their expertise, working with Congress, and realizing that there is no simple solution to any of these problems. Legislation alone will not solve it, technology alone will not solve it, and in my mind the most important single factor when you think of the base of the triangle of people who are involved, the consumers across the bottom, 270 million. As we work on up to the triangle top we are worrying about nuclear attack, but that is only a handful. But down at the bottom of this triangle, every one of the people in the base, consumers, students, business people, small business people who are using computers and are connected on the Internet, they are all part of the problem and part of the solution.

Ms. Bono. Right. I am sorry for cutting you off, but my spyware legislation, I think you have seen it or your staff has seen it, and I was wondering if you could comment because to me this seems to be a good solution. It seems to address the situation. There have been some, you know, tremendous media reports, and I thank the media actually. Even The Washington Post today has a great article and in it he quotes something that shocked me. I do not believe anybody brought this point up. I have it here, I promise you. Anyway, he talks about--here it is, Sharman Networks, that when you download KaZaA, that they install something called ALLNET and that this ALLNET actually harnesses unused processing power on your CPU and then sells that processing power. I have never heard of sharing hardware over this and I am wondering if perhaps, Mr. Charney, you could comment on the fact that they are not only using data but they are basically stealing a little bit of your processing capability.

Mr. Charney. The key word there is stealing, so one of the things we need to be clear about is that peer-to-peer networks have some important societal advantages. You look at something like SETI, the Search for Extraterrestrial Intelligence, where a lot of independent researchers and individuals agree to share processing time because what happens is that computers have become far more powerful. Home users have a lot more power on the desktop than they actually use or need, and one of the issues is can we harness that process in some way and share that power. The key is that those things have to be done with full notice and consent and not done to someone without their knowledge, where someone else is either taking their information or processing power without telling them, without getting their consent. But it would be a mistake to think that peer-to-peer in and of itself is a bad thing.

Ms. Bono. Right.

Mr. Charney. Merely the technology that permits the use of distributed processing.

Ms. Bono. Well, is Microsoft concerned about spyware? Other than pretty much endorsing my bill, thank you for that, if that is what he was doing, Mr. Chairman.

Mr. Charney. We absolutely care about spyware, so one of our pillars of trustworthy computing is privacy, and our philosophy is that consumers have to make informed choices of how data is used and to be able to control the data about them, and to the extent people are taking their data without their notice and consent, that is a problem, and the solution, like most IT solutions, will be a combination of best practices, technology, and in some cases regulations.

Ms. Bono. Could the ISPs do a better job?
I know you all have MSN, but obviously they are not going to, but could not, for example, your competitor, AOL, who promotes McAfee daily, every time you log on you get this sales pitch from McAfee, could not they install that along with their software, AOL, and have it built into the firewall and the automatic patches that you say consumers do not do often enough?

Mr. Charney. We have tried to make this easier for consumers. We have built the ICF firewall into Windows, and if you go to the Microsoft.com/protect, we have links to anti-virus vendors, where people can easily get virus software. We have to make it much easier to manage. I would point out that you have to remember this technology was built by geeks for geeks. If you think about the telephone as phones ended up in every home in America, the phone company said if we are going to sell more services, we have to devise more complex software, call forwarding, caller ID, all those features. As they add all this complexity, the user interface remained the same, 12 buttons. My mother has a PC. She is 74 years old. She can go to a run command, write her own code and run it. She cannot, she is not technically capable of doing it, but we have given her the technology to do it. It is a completely different paradigm.

Ms. Bono. Thank you. Mr. Chairman, I will yield back.

Mr. Stearns. We are going to have a second round if you want to.

Ms. Bono. Thank you.

Mr. Stearns. I recognize the gentleman from Arizona.

Mr. Shadegg. Mr. Ansanelli, you mentioned in your written testimony an unaddressed issue regarding identity theft in the Fair Credit Reporting Act, the legislation that is in conference that I referred to in my opening statement. Can you go into greater detail about that?

Mr. Ansanelli. Sure. It has not been passed yet by the whole House and the Senate, but I think if you look at what the Fair Credit Reporting Act has in it, I think about the issue of identity theft as sort of three pillars.
The first is protecting the data that is the consumer's identity to begin with. Second is detecting any problems that are occurring, either someone is trying to do fraud or, you know, trying to get a credit card as a result of fraud. And then the third thing is correcting the problem, primarily for consumers. How do consumers fix their credit? They have been a victim. How do they correct it? And as I look at the act there is quite a bit in correcting the problem for consumers, and that is good. There is a fair amount of detecting the problem with respect to address notifications and what not, but there is very little with regard to prescriptions for protecting information to begin with, and that goes again to the issue around consumer data standard, and if you do not protect the data you are only going to have to apply larger and larger BandAids in the future.

Mr. Shadegg. I tried to amend that legislation to add further restrictions on the use of Social Security numbers. However, had we done that, it would have taken it out of the jurisdiction of the Financial Services Committee and put it in the jurisdiction of the Judiciary Committee and it would have caused the bill to require a second referral and we weren't able to do it, but would you agree that that is one of the most important things that needs to be done?

Mr. Ansanelli. I agree that that is a glaring omission.

Mr. Shadegg. The gentlelady sitting next to you, it seems you would like to make a comment on that point?

Ms. Davidson. Hosanna. I was making a note to myself that no one--although you did ask the obvious question why is the Social Security number collected in so many nontaxable transactions.
Having recently purchased a house in the great State of Idaho, I was astonished to find that every single entity in the city, whether it was sewage, power, trash pickup, required my Social Security number and I had to ask the question: Is sewage taxable, because it was a complete mystery to me why it was collected in the first place. The Social Security number, had it not become ubiquitous as a means to identify consumers, quite honestly, a lot of the identity theft problem would probably go away.

Mr. Shadegg. My colleague, Clay Shaw, has a comprehensive bill addressing this issue, going right to the issue of Social Security numbers. That was the issue we would have tread on if we had been able to put further restrictions on Social Security numbers into the Fair Credit Reporting Act, and that is the reason we did not do it. You might want to contact his office and interject yourself into the debate on that bill because I think that is an important part of this discussion. We were able to require the truncation of Social Security numbers in the draft of the fair credit reporting bill that passed the House. We did that, so we have taken a minor step, but I think it is a serious problem. Mr. Ansanelli, Mr. Burton next to you says we shouldn't be looking at these technical issues and creating a standard. We ought to be instead creating incentives to do that. I am going to give him a chance to explain that, but how do you respond?

Mr. Ansanelli. I agree. I am not proposing we have technical requirements or standards.
I think the standards need to be around principles, and as I testified today, and I did testify in the House Financial Services Committee on FCRA, that it involves responsibility from everyone at the board level down to protect the data and you have to have those principles to make sure that everyone knows they are responsible for protecting the data, that they have an obligation to detect and enforce compliance by the people that have access to the data and you need to correct problems, and the correction of those problems includes things like training and education. It is definitely not proposing technical standards. It is having a clear understanding of the responsibility associated with the fact that you store and manage that consumer non-public, private information.

Mr. Shadegg. With regard to the protection of information where you think we could have gone further in the Fair Credit Reporting Act, would you be willing to submit to my office your suggestions as to what we need to be doing to go beyond that?

Mr. Ansanelli. More than willing.

Mr. Shadegg. I have some doubts about the ability of Congress to micromanage this problem, legislative piece by legislative piece. We passed the Identity Theft Act a number of years ago, and it took a step in the right direction, but we are not there. It seems to me that crooks are always going to move faster than we are and we are not going to be able to achieve the kind of reform or the kind of protection we would like to just by legislating one bill at a time in this area. So your notion that business needs to take a completely different mindset seems to me a better solution. How do we go about creating the incentives or creating a dynamic in which business leaders will see it as in their interest to not act like the porcupine and roll up in a ball and defend itself, but rather aggressively go after this problem?

Mr. Burton. That is a seminal question, I think, and I think that is a question that industry needs to ask itself, as well as this committee needs to reflect on, because to go back to Scott Charney, if the PC is something built by geeks for geeks, well, then cybersecurity is the pinnacle of the geekiness in the PC, and I think when this issue comes up, too often the reaction is oh, mine eyes glaze over. I will talk about privacy, that is a personal issue, that is a consumer issue, and I can understand it. Cybersecurity is a geek technical issue that I do not want to even open that book, and I think that if we somehow make the translation from a technical issue, and it is technical, I am not saying we should dismiss that, but it is often treated solely in those terms, and again the best paradigms that I have is quality, and quality awareness comes first, I think we have awareness with cybersecurity. Now we need to start building it systematically and to functions of our system, and I think anything this committee can do to clarify cost-benefits and perhaps penalties would be a big contribution, and again I think the levers are not that complex. I think it is risk assessment, it is reporting, it is accountability, and I think those three opinions can really drive huge, huge change in this field. So I do not have a specific answer for your question, but I do think that is the key question for this whole debate.

Mr. Shadegg. Mr. Chairman, my time has expired. Thank you.

Mr. Stearns. Thank you. Members, if you want to stay, we will have a second round. The gentlelady from Missouri.

Mr. McCarthy. Mr. Chairman, let me apologize for having to leave. I had another hearing and of course when you do that, the question that you are going to ask might have been asked already. So, Mr. Chairman, please feel free to say read the record. Microsoft, let me just see. I think I want to give this to Ms. Davidson, I think might be in the best position to answer it.
Microsoft Corporation made news when they announced a bounty program for information leading to the arrest and prosecution of hackers. Do you intend to launch a similar program for those hackers who attack your software?

Ms. Davidson. That is a very interesting question. We have no immediate plans to do this, and I preface this statement by saying I have no wish to exceed Microsoft in this particular realm. Microsoft tends to be a very visible target for hackers, to be fair to them, because they are large, they have been very successful, and, quite honestly, there are more hackers gunning for them at this point than are gunning for Oracle, for which I am exceedingly grateful. I am happy to accede market leadership to you in that realm. At this point, I do agree with certainly Microsoft and others in the industry on one key point. We certainly welcome people who find faults in our software and bring it to our attention. We certainly do everything possible to avoid them the way that we build our product, and we are always happy to give recognition to those researchers who find fault and say thank you, we have fixed it, and we tell our customers. There are a group of researchers for whom thank you and potentially hiring them for bettering your software is not enough. They want your scalp, and one of the ways they get that is by releasing exploit code at forums such as Black Hat and other hacker conventions. No vendor will say that it is not their responsibility to build secure software. The buck definitely stops here, but those who trade in information about how to exploit vulnerabilities and give it to others are effectively arsonists swapping fire-starting techniques, and they claim they want better building codes but try telling that to someone whose house has burned down.
So at this point we have no plans to offer a bounty, but I do agree that the problem of irresponsible disclosure of detailed information about security faults, specifically creation of exploit code and releasing it into the wild, is in part responsible for a lot of the malicious and damaging behavior to our infrastructure.

Mr. McCarthy. All right. Does open source software like Linux have vulnerabilities to worms and viruses? I have seen a recent report that an open source developer tried to insert a Trojan horse into Linux. First of all, could you explain what is a Trojan horse, and how do you ensure that your developers do not insert malicious codes like that into your data base?

Ms. Davidson. A Trojan horse is--of course, goes all the way back to Greek literature in the Iliad, actually the Odyssey. The idea is to get something into your code base that does something malicious. For example, one could insert code that would capture a user's password and potentially mail it to a bad guy or capture a Social Security number or other sensitive piece of information. The premise is that someone has deliberately and willfully put code in that does something bad, unbeknownst to anyone else. This is something people spend a lot of time talking about and it is certainly not--it is a risk but, quite honestly, most of the problem in software that creates these viruses and worms is preventable, avoidable security faults. I mentioned, and I will not get all nerdy on you, but buffer overflows. That is about 70 percent of security faults, and it basically means that instead of--if a program is expecting 10 numbers and it does not handle gracefully if it receives 11 numbers, or letters or something else, it could create a buffer overflow and that is 70 percent approximately of security faults. It is just bad programming. So getting back to your question how do you prevent this----

Mr. McCarthy. Yes.

Ms. Davidson. [continuing] I believe you cannot absolutely prevent someone from willfully putting malicious code in your software because you cannot prevent them from making careless errors. Now what you can do is to have very good development processes, you can have code reviews, you separate your code so that not everyone gets access to everything to make changes, and the one piece that truly is missing right now is we do not have automated tools that can scan code and find, first of all, avoidable, preventable security faults, which is really most of the problem in that, much less look for things like malicious code or malware. The tools just do not exist in the market now.

Mr. McCarthy. Thank you very much, Mr. Chairman. I see my time has expired.

Mr. Stearns. I thank the gentleman. Mr. Morrow, you summed up your testimony by characterizing, ``our state of information security readiness is marginally better than it was 2 years ago.'' What can we as the U.S. Government do so that 2 years from now the improvement in our information security readiness would be more than marginal?

Mr. Morrow. Well, sir, I believe I outlined a few things in my testimony. One of the things that we see a lot of is that a lot of effort has been spent by very large organizations, the financial industry, you know Fortune 500 companies, but a lot of the issues have trickled down and a lot of the vulnerabilities are still being addressed at the levels of the mid-range business and the small-range business, and that is for several reasons. One, these things cost money to fix.
A lot of companies in the last few years due to the economic downturn haven't had the money to invest in these type things, and you have to understand and always keep aware of the interconnected nature of all these things, and just because the Fortune 500 companies and the government may make great strides, if the smaller companies and smaller institutions, private organizations, et cetera, do not make similar strides, cannot make similar strides for economic reasons, then there is a problem because that opens up vulnerabilities to everyone. So I think one of the things personally that we can have a lot of bang for the buck, if you will, is to help figure out incentives for small and mid-size and smaller companies to--and organizations to address these problems.

Mr. Stearns. Who would provide these incentives?

Mr. Morrow. Well, I think it could be a couple of different ways. One could be financial incentives of some manner. That obviously is something in the purview of the Federal Government. Others might be the research and development, tax credits, things like that, and there may be an education or some sort of public service type of incentive where very small companies who offer--small tier companies and small businesses, privately owned businesses, who have one or two systems and have problems, they may require incentive from the government to provide them with basic tools, much like what Microsoft does in some of their software, for a very much reduced cost. I think that would go a long way.

Mr. Stearns. Okay. Mr. Schmidt, to date how effective have cyberattacks been, and have you seen an increase in their effectiveness, and, if so, why do you think so?

Mr. Schmidt. I think first and foremost we have to define what we mean by how effective they have been. For example, if the intent of some of these were to shut down major financial systems, shut down electrical power grids, no, they have not been successful on a universal basis. We have seen some spot outages.
But, as we move forward, I think what we will see is the--as we referred to as the zero-day vulnerabilities and exploits. As both Ms. Davidson and Mr. Charney mentioned, the time between the identification of vulnerability and the time that it is exploited has been increasingly shorter. Now, you mentioned in your opening comments, Mr. Chairman, the SQL Slammer event back in January. That widespread event took place in less than 10 minutes, whereas some of the ones you mentioned earlier, the Code Red and Nimda, occurred over a matter of days to see maximum infection. The interesting piece of this is if you look at the ratio of computers affected versus the ratio of computers that are now currently employed, it was actually a smaller percentage of computers that were infected in a shorter period of time, but we have got a lot more computers out there. So we are doing a better job at it. So overall, the impact was probably less than it could have been had it been 2 years ago with that same number of computers. I think the fundamental issue is if we don't continue to improve these processes, reduce the vulnerabilities, make better tools available to prevent these things from even taking place, which, as the Department of Defense has shown, 98 percent of the successful intrusions into those systems were the result of someone not installing a patch, so if we install the patches, their effectiveness would be much less than they are today.

Mr. Stearns. Ms. Davidson, I think you recommended a government software underwriters lab. I think that intrigued all of us here and the staff, sort of the consumer equivalent of--software equivalent of the UL. I would like you maybe to elaborate and then have the Commissioner maybe just give his comments on it.

Ms. Davidson. Thank you. I would be happy to do that. We do have mechanisms for large pieces of commercial software to go through an independent security evaluation.
There is an ISO standard for that, 15408, which is a common criteria. As I mentioned earlier, the Defense Department requires products used in national security systems to go through common criteria evaluations. They are really good, and they help improve the security of software, because it forces developers to a secure software development process. That is a great thing, and we are a great proponent of that. But they are best suited--it is certainly not a cure-all for all cybersecurity ills, and they really are best suited to more mature products with a longer life cycle that are really sort of large pieces of software, like operating systems or data bases, firewalls. That is not--and they are quite expensive. They can cost between $500,000 and $1 million. That is obviously not well-suited for a small consumer products device, where the cost of the evaluation might actually dwarf your product sales. Usually something is better than nothing when you are talking about improvements. If you can have something that is a lighter weight form of that for commercial products, like a PDA or other types of small devices, that would be----

Mr. Stearns. I talked to a president of a university, and he said he is going to have to spend $100,000 for software to protect his university from cyberattacks. So maybe that piece of software should go to a software underwriters lab. Is that what you are saying?

Ms. Davidson. Well, I think you have to look at probably the complexity of the software, the target market, and what it is being used for.

Mr. Stearns. So cost alone would not determine?

Ms. Davidson. Cost alone doesn't.
And as much as people complain about how expensive these are, I can tell you that it costs Oracle--if we have a security fault in our software that has been out there a few years, and we have to fix it on 20 operating systems and four product versions, which we have done to protect all our customers, happily to do that, it costs us $1 million to fix that type of avoidable, preventable security fault. If you prevent one of those or find it before you ship the product, you pay for the cost of the evaluation.

Mr. Stearns. Uh-huh.

Ms. Davidson. So it is cost-effective. And risk management doesn't really work when you are talking about, well, I am going to let my customers hang in the wind because I didn't feel like doing a better quality job with my product. That is not acceptable.

Mr. Stearns. Commissioner, what do you think of the idea of a software underwriters lab? I mean, it wouldn't necessarily be under the Federal Trade Commission, but you are the only person here from the government, so we will ask you.

Mr. Swindle. In this entire world of information technology we live in, I think creative ideas are going to be the currency of making progress. And I think any idea of this nature deserves attention, as Ms. Davidson said. These remedies that we often aspire to are very expensive, not to mention the fact that they are very complex. I think we are always interested, the FTC, in exploring new ideas. Something that I would suggest that deals with most of the questions that have been asked, that is security, sort of mirrors the privacy debate that we have had over the last 5 or 6 years that I have been at the Commission. If you go back 6 years ago, very few companies had privacy policies. They didn't post them. They were not very effective or were too difficult to understand. Today that has changed appreciably. And I used to say that privacy had better become a part of the corporate culture of businesses or there would be an FTC in their future, probably.
I think security is along the same track, just running a few years behind. Security has got to become an essential part of the management scheme of all companies, because we are becoming more and more reliant upon handling of data and information and the transmission of that data and information. Without security, we jeopardize the whole system. It becomes a matter of critical importance to one's own self-interest that we do this right. So I think security is going to have to become a part of the corporate culture as well as privacy.

Mr. Stearns. Okay. Let me just conclude, Mr. Thompson. We want to make sure you are involved here. Maybe just you can give a general evaluation on cybersecurity relative to this spyware that Ms. Bono has mentioned, maybe just some general comments.

Mr. Thompson. Sure. I think I have heard some great ideas and some great suggestions. The only thing is that it has really all been aimed at protecting the corporate end of things, and protecting the consumer from the corporate end of things. But there is more to it than that. There is a whole world of consumers out there, and there is no one standing up for them. That is really the intent of Ms. Bono's bill. Every month I see thousands of Remote Access Trojans posted to the Usenet in an attempt to catch some of these consumers, and there is no--they are catching people, and there is no one sticking up for them.

Mr. Stearns. Every month you see thousands?

Mr. Thompson. Thousands of Trojan horses are disguised as adult movies or----

Mr. Stearns. Help aids?

Mr. Thompson. Something. And they are posted to the Usenet. They are posted to the peer-to-peer networks.

Mr. Stearns. So you download that, thinking this software is going to help you. Bingo, you are caught.

Mr. Thompson. And are you caught. And these are the worst kind of spyware. These are the ones that do steal the keystrokes, these are the ones that do steal your credit cards, they do steal your identity.
And no one is looking out for these people. Someone has to look out for them.

Mr. Stearns. My time has expired. The gentlelady from California.

Mrs. Bono. Thank you, Mr. Chairman. I want to piggyback on that for Mr. Thompson as well. If you installed something like Norton Utilities or an antivirus firewall, every time your computer transmits to the Internet, you can have a notification that tells you your computer is speaking to the Internet.

Mr. Thompson. Sure.

Mrs. Bono. Does that, in fact, notify you that spyware is transmitting data?

Mr. Thompson. If everyone is playing by the rules. But sometimes they are subtle and they simply don't play by the rules, and they piggyback on something that has already been authorized. These things are tricky.

Mrs. Bono. Some people have said that the problem with this legislation is companies would move offshore, similar to the antispam legislation. But, to me, this doesn't seem like a valid argument. Would you----

Mr. Thompson. I think some of them are offshore already, and probably some more would move offshore. But it would be nice to cut down on the people that were actually doing it openly.

Mrs. Bono. I agree. Thank you. Ms. Davidson, you briefly mentioned hacker conventions or conferences. Is there a room filled with people at a Hyatt doing this, or is this something that is all taking place online?

Ms. Davidson. I think they are a little more upscale than the Hyatt, no disrespect to Hyatt. Yes, there are such things. I am sure that Mr. Charney has been to one as well to see the amount of collusion going on in the halls to try to exploit the latest vulnerability in vendor software. Quite honestly, some of the hackers spend more time in the hall devising viruses than I think they do at the actual sessions. There are such things. One of the problems in the industry really is that the hackers are very good at playing nicely with one another. They share information. They share exploit code.
One of the reasons there is such a shortening of this window is in the past you could assume if there was a vulnerability in your software, and it was difficult to find or exploit, someone would have to spend a lot of time doing that. Then you only had to worry about the one bad guy or bad gal as the case may be. Now those people create automated ways of doing bad things, and they share it with other people, who may then improve upon it and find more destructive or virulent forms of viruses or worms. And they actually have conventions. That is a real problem.

Mrs. Bono. That is amazing to me that we can have physical get-togethers of bad guys, and they are infiltrated by the FBI or whoever ought to be there. How do we not know about this but you guys do?

Ms. Davidson. Well, I think--Scott, I am sure, will have some comments on this. Actually there are a number of people who go to these from industry, partly because that is where they learn about the latest techniques for breaking into things. I am not against general discussions of how to--how things are broken so that you can understand how to better defend against those attacks. I think we would be sticking our heads in the sand if we didn't participate in that. But when someone creates the exact--effectively leaves a Molotov cocktail on the front lawn of a building with a box of matches next to it, with a sign that says, have fun throwing this, they have some accountability. And many of them feel that they have no accountability; it is intellectual showing off.

Mr. Charney. I want to add a couple of comments, because I think they are important. I spent 9 years as Chief of the Computer Crime and Intellectual Property Section at the Justice Department. Law enforcement agents do go to these conferences. They actually have a Spot-the-Fed event, which is quite common. But there is something else that is also important to note.
I mean, I agree with all Mary Ann's comments, but after the Oklahoma City bombing, the Office of Legal Counsel gave a constitutional opinion, at Congress's request, that bomb-making information on the Internet was First Amendment-protected. Similarly, information about code vulnerabilities, exploit code, other kinds of information like that is constitutionally protected most likely. It is one thing to deploy the code and take action, but to go to a conference and talk about how you might exploit a system is probably a constitutionally protected activity. And so we always have to keep this in some context.

Ms. Bono. Thank you. Is there any--changing the subject a little bit, recognizing that the minute that something is digitized, it is a 1 and a zero, but are there hardware answers here like biometric identifiers or credit card terminals that hardware manufacturers are looking at? And I am basically back to consumer protection solely, but is there a hardware answer on the horizon?

Mr. Charney. Microsoft is investing about $6.9 million this year on research and development, and one of the more important projects we are working on is something called the next generation security computing base. It is moving security into the hardware, working with the major chip manufacturers to create a secure chip set on your computer. You will still have the general purpose computer that you have today, but you will have a second chip set that will control what runs on your machine with strong memory and process isolation. And the goal of this, if this works, is that when code tries to execute on your machine without your permission, if it is on that protected side of the machine, you will be notified that code is trying to run. You will be able to block it. But, this is, you know, very difficult research and development. And, I mean, we are shooting for, in the long-term timeframe, the next version of the operating system, which means roughly 2006, give or take.

Mrs. Bono. Well, thank you. Mr. Chairman, I can go on and on, but I will stop. I just thank you all so much for your time today. It has been very informative.

Mr. Stearns. And I thank the gentlelady for staying for the second round. We have concluded our subcommittee hearing. I would point out that the Federal Trade Commission has a complete set of documents talking about how to stay safe online. They have a little mascot who is promoting it. And so I call attention to Members, too, that part of these programs probably should be on their congressional Websites so people can go to use, whether you are sight-seeing on the Internet or whether you are talking about electronic theft, or how to stay safe. The Federal Trade Commission has done a great deal of work on this and are to be commended for all that they are doing. With that I want to thank the witnesses, and we will probably have some follow-up questions for you. And I will allow the members to offer that to you, give you 5 working days to answer them if you could. With that, the subcommittee is adjourned.

[Whereupon, at 12:20 p.m., the subcommittee was adjourned.]