<DOC>
[108th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:90728.wais]
CYBERSECURITY AND CONSUMER DATA: WHAT'S AT RISK FOR THE CONSUMER?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
COMMERCE, TRADE, AND CONSUMER PROTECTION
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
NOVEMBER 19, 2003
__________
Serial No. 108-52
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
90-728 WASHINGTON : 2003
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800, DC area (202) 512-1800 Fax: (202) 512-2250 Mail: stop SSOP, Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas Ranking Member
FRED UPTON, Michigan HENRY A. WAXMAN, California
CLIFF STEARNS, Florida EDWARD J. MARKEY, Massachusetts
PAUL E. GILLMOR, Ohio RALPH M. HALL, Texas
JAMES C. GREENWOOD, Pennsylvania RICK BOUCHER, Virginia
CHRISTOPHER COX, California EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia FRANK PALLONE, Jr., New Jersey
RICHARD BURR, North Carolina SHERROD BROWN, Ohio
Vice Chairman BART GORDON, Tennessee
ED WHITFIELD, Kentucky PETER DEUTSCH, Florida
CHARLIE NORWOOD, Georgia BOBBY L. RUSH, Illinois
BARBARA CUBIN, Wyoming ANNA G. ESHOO, California
JOHN SHIMKUS, Illinois BART STUPAK, Michigan
HEATHER WILSON, New Mexico ELIOT L. ENGEL, New York
JOHN B. SHADEGG, Arizona ALBERT R. WYNN, Maryland
CHARLES W. ``CHIP'' PICKERING, GENE GREEN, Texas
Mississippi KAREN McCARTHY, Missouri
VITO FOSSELLA, New York TED STRICKLAND, Ohio
ROY BLUNT, Missouri DIANA DeGETTE, Colorado
STEVE BUYER, Indiana LOIS CAPPS, California
GEORGE RADANOVICH, California MICHAEL F. DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire CHRISTOPHER JOHN, Louisiana
JOSEPH R. PITTS, Pennsylvania TOM ALLEN, Maine
MARY BONO, California JIM DAVIS, Florida
GREG WALDEN, Oregon JAN SCHAKOWSKY, Illinois
LEE TERRY, Nebraska HILDA L. SOLIS, California
ERNIE FLETCHER, Kentucky
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
DARRELL E. ISSA, California
C.L. ``BUTCH'' OTTER, Idaho
Dan R. Brouillette, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Commerce, Trade, and Consumer Protection
CLIFF STEARNS, Florida, Chairman
FRED UPTON, Michigan JAN SCHAKOWSKY, Illinois
BARBARA CUBIN, Wyoming Ranking Member
JOHN SHIMKUS, Illinois HILDA L. SOLIS, California
JOHN B. SHADEGG, Arizona EDWARD J. MARKEY, Massachusetts
Vice Chairman EDOLPHUS TOWNS, New York
GEORGE RADANOVICH, California SHERROD BROWN, Ohio
CHARLES F. BASS, New Hampshire JIM DAVIS, Florida
JOSEPH R. PITTS, Pennsylvania PETER DEUTSCH, Florida
MARY BONO, California BART STUPAK, Michigan
LEE TERRY, Nebraska GENE GREEN, Texas
ERNIE FLETCHER, Kentucky KAREN McCARTHY, Missouri
MIKE FERGUSON, New Jersey TED STRICKLAND, Ohio
DARRELL E. ISSA, California DIANA DeGETTE, Colorado
C.L. ``BUTCH'' OTTER, Idaho JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Ansanelli, Joseph G., Chairman and CEO, Vontu, Inc........... 48
Burton, Daniel, V.ice President, Governmental Affairs,
Entrust Technologies....................................... 52
Charney, Scott, Chief Trustworthy Computing Strategist,
Microsoft Corporation...................................... 30
Davidson, Mary Ann, Chief Security Officer, Oracle
Corporation................................................ 43
Morrow, David B., Managing Principal, Global Security and
Privacy Services, EDS...................................... 37
Schmidt, Howard A., Vice President, Chief Information
Security Officer, eBay Inc................................. 23
Swindle, Hon. Orson, Commissioner, Federal Trade Commission.. 16
Thompson, Roger, Vice President of Product Development,
PestPatrol, Inc............................................ 58
(iii)
CYBERSECURITY AND CONSUMER DATA: WHAT'S AT RISK FOR THE CONSUMER?
----------
WEDNESDAY, NOVEMBER 19, 2003
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:10 a.m., in
room 2123, Rayburn House Office Building, Hon. Cliff Stearns
(chairman) presiding.
Members present: Representatives Stearns, Shimkus, Shadegg,
Pitts, Bono, Issa, Schakowsky, Towns, Davis, Green, and
McCarthy.
Staff present: Ramsen Betfarhad, policy coordinator and
majority counsel; Jill Latham, legislative clerk; Jon Tripp,
deputy communications director; David Cavicke, majority
counsel; and David Nelson, minority counsel.
Mr. Stearns. Good morning. Welcome to the Subcommittee on
Commerce, Trade, and Consumer Protection's hearing on
cybersecurity and consumer data. I am pleased that we are
joined this morning by a group of distinguished witnesses. And
all of us look forward to your testimony.
On November 15, 2001, nearly 2 years ago to the day, the
subcommittee held a hearing entitled, ``Cybersecurity: Private
Sector Efforts Addressing Cyber Threats.'' The focal point of
that hearing, as it is with this hearing, was cybersecurity as
it related to consumer data used in stream of commerce.
We are fortunate that three of our witnesses, Ms. Davidson,
Mr. Schmidt, and Mr. Morrow, all of whom testified at the
hearing 2 years ago, have joined us today to reflect on what
has transpired with regard to cybersecurity in the last 2
years. Normally you don't have people back to give you a little
post-analysis. So we are very fortunate to have that.I am
confident their insights, along with the testimony of the other
witnesses, will be particularly helpful to our better
understanding the issue, its evolution, and what we believe is
its increasing significance.
The subcommittee's hearings 2 years ago was held in the
shadow of the tragic events of September 11, when we as a
Nation, it seemed, had become obsessed with security. Of
course, that was and is understandable. Yet the problem that
gave rise to cybersecurity concerns that predated September 11,
in just the years 2000 and 2001, as a result of only three
cyberattacks--the ``I Love You'' and ``Code Red'' viruses and
the February 2000 denial-of-service attacks--the media reported
losses in excess of $10 billion.
The number of cyberattacks, as reported by the Computer
Emergency Response Team, CERT, at the Carnegie Mellon
University, was expected to nearly double in 2001 from 2,000 to
40,000.
Now, fast forward 2 years. In 2003, the ``SQL Slammer''
worm disrupted computers around the globe. And during the
attack, half of all Internet traffic was being lost. The
SoBig.F virus clogged e-mail boxes and networks around the
world, and became the fastest spreading virus on record,
infecting 1 in 17 e-mails at its peak.
Showing a bit of humor, the creator of the Blaster worm,
which caused some 500,000 computers running Windows to crash,
targeted the Microsoft Web site from which users could download
the program and the patch to protect their vulnerability with
Microsoft Windows code, the very weakness in Windows that the
worm itself was exploiting.
The virus and worm attacks of 2003 did bring about
disruptions, such as the SQL Slammer worm, knocking out Bank of
America's ATM machines for a while, but overall they did little
reported damage. Although the ultimate objective of the SoBig.F
virus is not known, the 2003 vintage of viruses and worms, like
most of the ones that preceded them, did not have a malicious
or destructive payload. If they did, their impact would have
been very, very different. These viruses and worm attacks are
external attacks to the networks, and, as such, according to
some estimates, only represent 30 percent of computer attacks.
The remaining 70 percent of the attacks are carried out from
within the corporate firewalls.
Those attacks or security breaches taking place within the
corporate firewalls, many argue, are the most costly and, of
course, the least reported. I raise the issue of virus and worm
payload within corporate firewall breaches, because one key
question I want answered today is ``What are the real risks and
costs to consumers from cybersecurity breaches, and what poses
the most risk to cybersecurity?''
One response to breaches in cybersecurity by industry and
government alike has been increased spending on security
technologies. UBS Warburg estimates that such spending will
increase from $6 billion in 2001 to over $13 billion in the
year 2003.
Meanwhile, other data suggests that companies spend less
than just 3 percent of their technology budget on security. The
technology budgets tend to be around 3 percent of revenues. So
why are these expenditures so low? Some argue because there is
no real understanding of quantifiable cost associated with
cybersecurity breaches, even among senior managers. Is this
true? This is another question for the panel to consider.
Finally, many argue that cybersecurity is not just a
technological problem and thus can't be solved by adding new
and improved technologies defending against cyberattacks, but,
rather, they argue that it is as much a governance or
management issue as it is a technological problem. Strategic
decisions, such as deciding the appropriate balance between
cost and risk, are ones that only senior managers can take. And
without a clear mandate from the top management, cybersecurity
measures will be disregarded as just simply nuisances by rank-
and-file employees.
Moreover, it appears that there is increased management
participation mostly when it is mandated either directly or
indirectly by government regulations. For example, the Graham-
Leach-Bliley Act, the Sarbanes-Oxley Act, the Health Insurance
Portability and Accountability Act, or enforcement actions by
the Federal Trade Commission.
I want to know, are these observations accurate? If so, is
there an optimum role for the Federal Government to play when
it comes to protecting consumers from cybersecurity threats?
With that, I conclude my opening statement and welcome the
ranking member for her opening statement.
Ms. Schakowsky. Thank you, Mr. Chairman, for conveying this
important hearing today. Cybersecurity is one of those words
that have recently entered our lexicon. Most people are
probably confused, as I was, the first time they hear or see it
in print. There are no doubt several interpretations of the
word. It is one of those things like electricity or television
signals that we all hope someone else understands enough to
assure its availability.
Before widespread viruses and ID theft became somewhat of a
norm, we were able to take cybersecurity for granted. Of
course, it should be safe to operate a home computer or a Palm
Pilot. Unfortunately more and more Americans, a
disproportionate share in and around Chicago, by the way, have
come to a very personal understanding of how vulnerable our
information technology, storage, and transmittal systems are.
No longer is cybersecurity something over which just
government and corporate technicians fret. Life savings now
disappear before victims are even aware that there is a threat
to the security of their personal and financial information.
Highly sensitive personal information is available for sale
without the knowledge, much less the consent, of targeted
individuals.
Americans expect that their government and the private
sector institutions they rely upon for financial and other
services will protect their privacy, and that those they rely
on for cybersecurity will do their job. It is becoming
increasingly apparent that consumers are not being adequately
protected.
Estimates of the economic impact of cybercrimes on society
vary widely. One of our witnesses will tell us that identify
theft alone totaled $24 billion last year, and is expected to
escalate to $73 billion by the end of this year. If he is
correct, this means that identity theft will cost Americans
more, perhaps much more, than the authorized cost of the war in
Iraq.
Another witness tells us that 1 in 10 Americans has been
victimized by identify theft. Each of these heists is estimated
to cost nearly $10,000; clearly this problem is reaching
epidemic proportions.
Added to the economic cost is the loss of our invaluable
privacy. We are all aware of the Orwellian dangers that may
flow from personal information that the government can tap,
using sophisticated technology. What many of us do not
adequately understand is the danger of intrusive prying by
private interests. The expropriation of commercially useful
data from each and every one of us that accesses the Internet
from a computer where personal information is stored is a
continuous process. And, of course, there is no reason to
believe that firms interested in selling us something are the
only ones looking.
I look forward to the testimony of the Federal Trade
Commission regarding what the Federal Government is doing to
control this electronic crime spree. I hope in the future we
can also hear from the Justice Department or the agencies that
regulate financial institutions, because it is my understanding
that much, if not most, of identify theft is perpetrated by
employees of banks, insurance companies, and the like.
I would have liked to hear directly from those private
institutions as well. Nonetheless, Mr. Chairman, I am looking
forward to hearing from the witnesses you have assembled. I am
sure they will be able to give us a sufficiently comprehensive
picture of the problems with our cybersecurity systems from
which we can fashion whatever policy changes may be necessary
to protect the privacy, pocketbook, and safety of our
constituents.
And, Mr. Chairman, I look forward to working with you, as
always, to end this epidemic. I look forward hearing from each
of our witnesses, and I thank them for taking time to share
their expertise with us today.
Mr. Stearns. I thank the gentlelady.
The gentlelady from California, Ms. Bono.
Mrs. Bono. Good morning, and thank you, Mr. Chairman. I
look forward to hearing from your colleagues and the witnesses
on the issue of cybersecurity as it relates to consumers.
Cybersecurity and the protection of consumer data is a very
real issue that the government, businesses, and consumers alike
must acknowledge and respond to. Of course, there are many
things that consumers can do to protect themselves.
Antivirus software and patches are regularly available for
downloading and updating. Moreover, one should always be
cautious while downloading software. Consumers should avoid
opening e-mails from strangers and should be hesitant to
disclose personally identifiable information over nonsecure
sites.
However, the methods of hacking into computers and data
bases are just as evolving as the technologies on which they
reside and function. Recently I introduced H.R. 2929, also
known as the Safeguards Against Privacy Invasions Act, or the
Spy Act. This bill aims to put consumers in the loop.
Unfortunately, consumers regularly and unknowingly download
software programs that have the ability to track their every
move.
Consumers are sometimes informed when they download such
software. However, the notice is buried deep inside multi-
thousand-word documents that are filled with technical terms
and legalese that would confuse even a high-tech expert.
Many spyware programs are purposefully designed to shut off
any antivirus or firewall software program it detects. The Spy
Act would help prevent Internet spying by requiring spyware
entities to inform computer users of the presence of such
software, the nature of spyware, and its intended function.
Moreover, before downloading such software, spyware
companies would first have to obtain permission from the
computer user. This a very basic concept. The PC has become our
new town square and global market as well as our private data
base. If a consumer downloads software that can monitor the
information shared during transactions for the sake of the
consumer as well as e-commerce, it is imperative that the
consumer be informed of whom he or she is inviting into their
computer and what he or she is capable of. After being
informed, the consumer should have the chance to decide whether
to continue with that download.
Since the introduction of H.R. 2929, I have had the
opportunity to speak with many different sectors of the
technology industry and retail businesses that operate on the
Internet. Through these discussions I have received meaningful
feedback, and I am currently working on refining H.R. 2929.
Once installed on computers, some spyware programs--like
viruses embedded among code for other programs--in effect how
these programs function on the users computer.
Additionally, spyware is becoming more and more difficult
to detect and remove. Usually such programs are bundled with
another unrelated application that cannot be easily removed,
even after the unrelated application has been removed.
According to a recent study, many problems with computer
performance can be linked in some way to spyware and its
applications. Additionally, some computers have several hundred
spyware advertizing applications running, which inevitably slow
down computers and can cause lockups. If you have spyware on
your computer, you most likely are getting more pop-up
advertisements than you would have if you have had no such
software on your computer.
Moreover, the advertisers may not always be forthcoming.
Many times spyware entities contract with companies to post
advertisements and, in turn, post such advertisements on the
Web sites of competitors. The result is confusion. In other
words, while visiting the Web site for Company A, you may be
browsing to purchase a product. However, while browsing, a pop-
up link may appear, informing you of a great sale. Under the
impression that you are looking at a link for Company A, you
may purchase the product, all the while uninformed that the
product was purchased via a pop-up link from Company B. I have
often thought that this would be a very effective campaign
tool, too, to put out a link and have someone go to my
opponent's Web site and my Web site pops up.
All of these consumer disadvantages can be decreased or
eliminated if disclosures surrounding spyware are required and
enforced. If consumers are informed about spyware, chances are
they will not choose to download the software. Upon choosing
not to download software, consumers' computers will run more
efficiently, their antivirus programs and firewalls will
function better, they can decide which information to share and
not share, and consumers will not be deceived into buying a
product or service from unknown entities or voting for our
opponents.
Thank you, and I look forward to hearing from the witnesses
on the issue.
Mr. Stearns. I thank the gentlelady.
Mr. Green.
Mr. Green. Thank you, Mr. Chairman. I thank you and our
ranking member for holding this important hearing on
cybersecurity and its impact on consumers.
The proliferation of Internet-based services and commerce
has dramatically changed the world we live in, and many of
these changes have been for the better, with consumers able to
make almost any purchase imaginable on line. Unfortunately,
these computing advances also create a fertile ground for
fraudulent activities and thus increase the pressing need for
computer security.
The problems are coming from all directions. We have
viruses, computer worms that are attempting to swarm our
networks and are causing terrible harm to computer users and
billions in damages to U.S. Businesses. We have unsolicited e-
mails taking over our in-boxes, spam that at the very least is
an annoyance and at worst is helping to transmit these computer
viruses and deliver pornographic e-mails to our children.
Mr. Chairman, if I could ask unanimous consent to put in an
article from Business Week that was published on August 12
about the unholy matrimony, spam versus virus.
Mr. Stearns. By unanimous consent, so ordered.
[The article referred to follows:]
[Business Week--August 12, 2003]
Unholy Matrimony: Spam and Virus
By Jane Black
Their common goal is subterfuge, and by combining their strategies,
they could make today's junk e-mail look like a mere nuisance
In June, half of all e-mail was spam--those annoying unsolicited
messages that hawk everything from porn and Viagra to mortgage-
refinancing deals and weight-loss patches. But if you think spam is out
of control, prepare yourself. It could get a lot worse.
Over the past few months, e-mail security companies have seen
mounting evidence that spammers are using virus-writing techniques to
assure that their sales pitches get through. At the same time, intrepid
virus writers have latched onto spammers' trusty mass-mailing
techniques in an effort to wreak widespread digital mayhem. ``What
we're seeing is the convergence of the spammer and the malicious code
writer,'' says David Perry, global director of education at antivirus
company Trend Micro (TMIC).
RELAY STATIONS. Witness the recent spread of a virus known as
Webber, which was discovered on July 16. It carried the subject line
``Re: Your credit application.'' Users who opened the attachment
downloaded a malicious program that turned a home PC into a so-called
open relay server, which allows a third party to send or receive e-
mail--including spam--remotely from that PC. Spammers are notorious for
using open relays to hide their identities. According to British e-mail
security company MessageLabs, 70% of spam comes through open relays.
Then there's Sobig.E, a virus that grabs e-mail addresses from
several different locations on a PC, including the Windows address book
and Internet cache files. Sobig.E then tries to send a copy of itself
to each address. It also uses one of the stolen addresses to forge the
source of the message, so that it appears to come from someone else.
MessageLabs believes Sobig.E is a spammers' virus designed to harvest
legitimate e-mail addresses from users' computers.
So far, no concrete evidence shows any home PCs that have been
infected by either Webber or Sobig.E have been used to send spam. But
experts fear that the two viruses could be ``spam zombies,'' programs
that will lie in wait on a PC until called on by the spammer to send
out millions of untraceable e-mails.
``I LOVE YOU'' MORE. The convergence of spam and malicious code
makes sense, says Chris Miller, Symantec's (SMYC ) group product
manager for enterprise e-mail security. ``They have a common goal--to
do what they're doing without being seen,'' Miller says.
Virus writers and spammers send out their messages from
illegitimate e-mail accounts, never from the ISPs where they are
registered. It isn't hard to see where the union of these two insidious
groups' techniques might lead. Using such weapons as Sobig.E and
Webber, spammers can hijack a user's address book, then use the PC to
send out hundreds, even thousands, of junk messages.
And virus writers can use mass-mailing techniques to spread
malicious code even faster than before. The destructive ``I Love You''
virus of 2000 was originally sent to a small number of people. Within
days it had affected tens of millions of computers and caused damage
worth hundreds of millions of dollars. Imagine if, like spam, it had
originally been mailed to a half-million computers.
Security experts cite other recent examples of spam-virus
convergence:
� Key-logger Trojans. In May, 2003, a major food-manufacturing company
received a spam e-mail that, when viewed in a preview pane in
Microsoft Outlook, showed a message that appeared to be an
opportunity to sign up for a newsletter. First, though, the
message asked the recipient to verify their e-mail log-on ID
and password. That information was collected by the key-logger
code and then sent to the spammer, who could then log into the
user's e-mail at any time and search for valuable information.
� Drive-by downloads. Recent spam sent to a major airline manufacturer
led unsuspecting users to Web pages where spying software was
secretly downloaded without the user's knowledge. So-called
spyware monitors a user's activity on the Internet and
transmits that information to someone else, usually an
advertiser or online marketer. Spyware can also gather
information about e-mail addresses, passwords, and credit-card
numbers. Drive-by downloads can be done without either
notifying the user or asking permission because many users
accept such a download without question, thinking it's a normal
function of the Web site.
CALL IT ``MALWARE.'' According to the strictest definitions, key
loggers and drive-by downloads aren't viruses, which are programs that
replicate themselves. (If you've seen The Matrix Reloaded, think of the
way Agent Smith makes infinite copies of himself to try to destroy
Keanu Reeves' Neo.) A Trojan is a program that rolls into your computer
unannounced, then persuades the computer to launch it through fraud.
As spam and malicious code converge, however, such definitions are
becoming less useful. That's why experts like Trend Micro's Perry are
now looking at a broader term--``malware''--to describe any program
with malicious intent. ``With traditional hackers, the motivation has
always been to prove that you're a rad dude,'' Perry said in a phone
interview from the Las Vegas hacker convention DefCon. ``But when we
start seeing these techniques used for commercial gain like spam, it's
going to get a whole lot more serious.'' Cybersurfers, beware.
Mr. Green. Thank you, Mr. Chairman. We can all agree that
spam is a serious problem that both Congress and the private
sector should address quickly, and I hope that Congress will
act before the end of the session to enact the Wilson-Green
Antispam Act of 2003, which is the strongest antispam bill in
Congress.
And, Mr. Chairman, again, I would like to ask unanimous
consent to place into the record a letter by the Internet
Committee of the National Association of Attorney Generals that
talks about the Senate bill that passed and the need for strong
legislation.
Mr. Stearns. By the unanimous consent, so ordered.
[The letter follows:]
[GRAPHIC] [TIFF OMITTED] 90728.001
[GRAPHIC] [TIFF OMITTED] 90728.002
[GRAPHIC] [TIFF OMITTED] 90728.003
[GRAPHIC] [TIFF OMITTED] 90728.004
[GRAPHIC] [TIFF OMITTED] 90728.005
Mr. Green. Thank you, again, Mr. Chairman.
When we investigate cybersecurity, however, we must also
consider the increasing troubles and problem of identity theft.
According to the Federal Trade Commission, identity theft is
the most common complaint from consumers in all 50 States. With
simple personal information such as name, Social Security
number, or credit card number, identity thieves can commit
fraud or other crimes in our name.
The implications for victims of identify theft can't be
overexaggerated. They can easily include damaged credit
records, unauthorized credit card charges, and bank
withdrawals, not to mention the months or even years that it
takes for victims to restore their good names and credit
records.
The magic question remains, how can we prevent these
computer-related security problems that seem to be spiraling
out of control? With the increased organization, efficiency,
and productivity that computer systems offer, it is safe to say
that our dependence on computers will continue to rise;
therefore, we must ensure that we take the appropriate
precautions to ensure that any information stored in or
transmitted through computers, be it personal, medical, or
financial, is secure.
We also need to examine the extent to which the Federal
Government and other law enforcement mechanisms can help solve
this problem. By some estimates, less than 30 percent of
computer attacks come from outside of a company or computer
system. That being said, I think we have to work with the
private sector to take a hard look at the practices companies
are putting in place to combat attacks within their own
firewall.
I am also interested to hear our witnesses' experience with
cybersecurity and learn their opinions on how best we can go
about solving these problems. And, again, I would like to thank
our panel today, and look forward to their testimony.
Thank you, Mr. Chairman and Ranking Member Schakowsky.
Mr. Stearns. Thank you.
Mr. Pitts.
Mr. Pitts. Thank you, Mr. Chairman. And thank you for
convening this important hearing on cybersecurity.
Rapid advances in technology are greatly impacting the
lives of every American. Computer software, information
systems, and cybernetworks are revolutionizing the way that we
communicate, and the way we conduct business and provide
services. And while there is a lot of good in the advances,
there is also great potential for harm.
Technology is a cat-and-mouse game. Each advancement of
technology leads to an exploitation that we must vigilantly
guard against, and the hearing this morning takes a look at the
myriad threats to cybersecurity. One area that I am greatly
concerned about is the development of peer-to-peer software.
Peer-to-peer software allows individuals to download and
trade files, many of which are illegal, with one another. It
has also become the latest vehicle that pedophiles use to
exploit and abuse innocent children by distributing child
pornography. And peer-to-peer software can cause any personal
information stored in a computer, such as financial or medical
records, to be inadvertently shared with anyone else with the
same software.
And that is why my colleague Chris John and I introduced
H.R. 2885, ``The Protecting Children from Peer to Peer
Pornography Act.''
Mr. Chairman, I appreciate your interest in this issue. It
is my hope that we can have a hearing in the near future
dedicated to taking a closer look at this dangerous new
software that threatens our children or a person's privacy and
our cybersecurity in general.
Thank you, Mr. Chairman.
Mr. Stearns. Thank you.
The gentleman from New York, Mr. Towns.
Mr. Towns. Thank you very much, Mr. Chairman.
The Internet will never reach its fullest potential unless
consumers feel comfortable and confident while surfing the Web
and partaking in e-commerce. How can we ask citizens to put
personal information, such as credit cards, PIN numbers, onto
the computer if they are worried about issues such as identity
theft, spam, or other privacy protections?
It seems that every time we turn around there is a new
virus harming commerce on the Internet, and the most pressing
of these data and privacy abuses is what has come to be known
as spyware. Spyware is a particularly dangerous threat to the
future of e-commerce and Internet consumer confidence.
Many times consumers do not even know what this software--
which can track all movements on a computer, copy keystrokes,
and open security holes in networks--is open on their system,
much less have the knowledge it takes to get them removed.
It should also be noted that many of the peer-to-peer
programs suggested Kazaa and Morpheus are funded largely by
allowing these spyware companies to piggyback on their network,
allowing for corporate entities to gain information about our
children and their on-line habits.
I am proud upon the lead Democratic sponsor of H.R. 2929,
the Safeguard Against Privacy Invasion Act, with my friend from
California, Mrs. Bono. This bill will ban these programs from
being downloaded from the Internet to unknowing consumers. It
is a commonsense approach to privacy protection, and I would
like to thank the many members on both sides of the aisle from
this committee who have chosen to cosponsor the bill with us,
and look forward to working closely with the leadership to
ensure its passage through the committee.
On that note, Mr. Chairman, I yield back the balance of my
time.
Mr. Stearns. I thank the gentleman.
Mr. Shimkus.
Mr. Shimkus. Thank you, Mr. Chairman, and I will be brief.
I always want to take the opportunity to, especially in
consumer protection that deals with the Internet and
cybersecurity, to continue to mention .kids.us as a place safe
for kids, that was passed into law, signed by the President,
and now we have groups that are using it: Smithsonian.kids.us,
it is safe, no hyperlinks, no chatrooms for kids under the age
of 13.
And so I use the bully pulpit here to continue to help
build interest and movement for people to take use of .kids.us.
Other than that, Mr. Chairman, I know we have got a great
panel of people testifying. I want to get to that. Thank you
for the time. And I yield back.
Mr. Stearns. I thank the gentleman.
The gentlelady from Missouri.
Ms. McCarthy. Mr. Chairman, I want to thank you for pulling
together such a distinguished panel of experts for our work
today. I am going to put my remarks in the record so that we
can get on learning about the wisdom that is here to be shared.
Mr. Stearns. I thank the gentlelady.
And the vice chairman of the committee, Mr. Shadegg.
Mr. Shadegg. Thank you, too, Mr. Chairman. I too want to
thank you for holding this important hearing today and for
putting together a tremendous panel for us to learn from.
And I do want to mention that both as a member of this
subcommittee, and as a member of the Select Homeland Security
Committee, I worry deeply about these issues. I have devoted a
great deal of time to them, having written in 1998 the Identity
Theft and Assumption Deterrence Act, which made identity theft
a Federal crime for the first time.
We have already heard here this morning the degree to which
millions of Americans are victimized by that crime, and that we
are losing billions of dollars to it.
The Fair Credit Reporting Act, which is now in conference,
includes some important provisions to deal with that issue. But
there is much more we can do. And I appreciate, Mr. Chairman,
your holding this hearing, and I look forward to the testimony
of the witnesses.
Mr. Stearns. I thank my colleague.
[Additional statement submitted for the record follows:]
Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee
on Energy and Commerce
Mr. Chairman, Thank you for calling this important hearing today.
Cyber security is a very serious concern in today's digital world,
and as our global economy and all of our lives rely more and more on
computers, it will become essential that we ensure that our nation's
computers--corporate, government, and personal computers--are safe from
the hackers and other malefactors in the digital environment. We've
learned in the last few years how much damage viruses and worms, such
as ``Sobig.F'' and ``Blaster,'' can do to our computer infrastructure.
In fact, the New York Times estimated that the cost of the ``I Love
you'' virus alone--which seriously affected this House and this
Committee--may have reached as much as $15 Billion.
Computers affect almost every aspect of our daily lives. From our
computers at home and our personal e-mail accounts, to the daily work
of the public and private sectors, the role of computers in our society
is so ubiquitous as to go almost unnoticed at times. The security of
these systems however cannot go unnoticed. Not only can the e-mail
system of the House of Representatives be hindered or disabled, but one
shudders to think of the damage that could be done to countless
consumers if someone was able to infiltrate one of the many enormous
databases in this country and steal the personal information--from
credit card numbers to music preferences--of millions of Americans.
This kind of theft and misuse of personal data is not yet a
widespread problem, but unless we all facilitate and encourage open
discussion about how we best combat the bad actors, we will only see
these problems grow. Most computer scientists don't say ``if'' when
discussing this possibility, they say ``when.'' They believe that a
truly debilitating virus will inevitably make its way around the
Internet sometime in the relatively near future. Companies must take a
preventive approach when looking at solutions to security problems.
They must realize that, as the old adage says, ``An ounce of prevention
is worth a pound of cure.'' We must combat technology with technology.
Investment must be made in the security of vital and sensitive systems,
in order to ensure the confidence of the American people in the retail,
banking, and health care computer systems they depend upon.
But simply investing in technology to combat viruses is not enough.
In the end, the private sector and the American people must work in
concert to best protect the computers and networks we all use. The
private sector needs to reevaluate its vulnerabilities as well as its
current security priorities. The public needs to be better educated
about anti-virus software and personal firewalls for their home
computers, as well as the insidious ``SpyWare'' technology that can
monitor individuals' computers and their actions on the Internet. I
know the gentlelady from California, Ms. Bono, has introduced a bill--
H.R. 2929, ``The Safeguard Against Privacy Invasions Act''--that
attempts to deal with this concern, and I look forward to working with
her on the bill to try to prevent these intrusions.
In the end, Mr. Chairman, it seems that the genie is out of the
proverbial bottle, and this problem is not going to go away on its own.
It is up to all of us to work together to safeguard our computer
infrastructure to prevent the next serious virus from becoming a
nationwide, indeed even a worldwide problem.
Thank you, and I yield back the balance of my time.
Mr. Stearns. And with that, we will start with the panel
and welcome the Honorable Orson Swindle, the Commissioner of
the Federal Trade Commission; Mr. Howard Schmidt, Vice
President, Chief Information Security Officer of eBay; Mr.
Scott Charney, Chief Trustworthy Computing Strategist from
Microsoft Corporation; Mr. David Morrow, Managing Principal,
Global Security and Privacy Services; Ms. Mary Ann Davidson,
Chief Security Officer, Oracle Corporation; Mr. Joseph G.
Ansanelli, Chairman and CEO of Vontu, Incorporated; Mr. Daniel
Burton, Vice President of Government Affairs, Entrust
Technologies; and Mr. Roger Thompson, Vice President of Product
Development, PestPatrol, Incorporated.
And we will let Commissioner Swindle start. We will go from
my right to my left. I welcome you.
STATEMENTS OF HON. ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE
COMMISSION; HOWARD A. SCHMIDT, VICE PRESIDENT, CHIEF
INFORMATION SECURITY OFFICER, eBAY INC.; SCOTT CHARNEY, CHIEF
TRUSTWORTHY COMPUTING STRATEGIST, MICROSOFT CORPORATION; DAVID
B. MORROW, MANAGING PRINCIPAL, GLOBAL SECURITY AND PRIVACY
SERVICES, EDS; MARY ANN DAVIDSON, CHIEF SECURITY OFFICER,
ORACLE CORPORATION; JOSEPH G. ANSANELLI, CHAIRMAN AND CEO,
VONTU, INC.; DANIEL BURTON, VICE PRESIDENT, GOVERNMENTAL
AFFAIRS, ENTRUST TECHNOLOGIES; AND ROGER THOMPSON, VICE
PRESIDENT OF PRODUCT DEVELOPMENT, PESTPATROL, INC.
Mr. Swindle. Thank you, Mr. Chairman. Mr. Chairman, members
of the subcommittee, I appreciate the opportunity to present
the Commission's views on Cybersecurity and Consumer Data: What
is at risk for the consumer?
At the outset, I believe that it is important that we not
lose sight of the forest for the trees. Cybersecurity is a vast
issue that faces many threats, and the challenges that the
Commission faces in protecting consumers in cyberspace are
numerous. The Commission takes action to protect consumers from
fraud, whether they are individuals or companies who engage in
identity theft, use a pretext to obtain personal information,
employ deceptive spam to trick consumers into providing
personal and financial information (phishing), misrepresent the
sender of spam to misdirect the ``remove me'' request to an
innocent third party (spoofing), or exploit computer system
vulnerabilities in order to extort money from consumers (D-
Square Solutions).
Consumers are also placed at risk by their own conduct,
such as through peer-to-peer file-sharing or failing to use
firewalls and antivirus software. While there are many
challenges to cybersecurity, I will focus my remarks on
companies who obtain and control consumer information.
The Commission addresses information security concerns
through aggressive law enforcement actions, consumer and
business education, and international cooperation. Through
these efforts we strive to enhance the security of information
systems and networks and bring attention to the fact that all
users of information technology, that is, government, industry,
and the general public, must play a role in this effort.
If companies fail to keep their express and implied
promises to protect sensitive information obtained from
consumers, then those promises are deceptive. The Commission
has brought enforcement actions against such companies for
violating Section 5 of the Federal Trade Commission Act, which
prohibits unfair and deceptive practices.
Three of these Commission cases illustrate some important
principles. The case against Eli Lilly demonstrates that a
company's security procedures must be appropriate for the kind
of information it collects and maintains. Despite promises to
maintain security of sensitive information, Eli Lilly
inadvertently disclosed the names of consumers who used a
prescription drug.
Our case against Microsoft illustrates that there can be
law violations without a known or actual breach of security.
Microsoft promised consumers that it would maintain a high
level of security for its Passport and Passport Wallet system
of accounts. Even though there was no actual security breach,
after reviewing Microsoft's systems, the Commission alleged
that Microsoft failed to take reasonably appropriate measures
to maintain the security of consumers' personal information.
The case against Guess, Inc. illustrates that good security
depends upon an ongoing process of risk assessment, identifying
vulnerabilities, and taking reasonable steps to minimize or
eliminate those risks. We alleged that Guess stored consumers'
information, including credit card numbers, in clear
unencrypted text, despite claims to the contrary.
Unencrypted information is vulnerable to attackers,
something that is well known in the industry and can be
corrected.
The Commission's settlements in these three cases require
the companies to implement comprehensive information security
programs. In addition, Microsoft and Guess must obtain an
independent security audit every 2 years.
The Commission has engaged in a broad and continuing
awareness and outreach campaign to educate businesses,
consumers, and political leaders about the importance of
cybersecurity. We work closely with industry, government
agencies, and consumer groups to expand awareness. This is the
single most essential element in creating a culture of security
that is increasingly necessary for the protection of our
critical infrastructure.
We have a first-class Web site focusing on safe computing
practices. Our site provides a wealth of information on
cybersecurity and how each of us can and must contribute to the
effort. Our Web site registered more than 400,000 visits in the
first year of deployment, making it one of the most popular FTC
Web pages. And, a Google search recently indicates that 445
other Web sites link to our security site.
Every House and Senate office has a copy of our safe
computing disk. And I might add, I will hold this up, and I
think there is a package on your desk with a lot of our
information security material in the package.
This CD disk was designed to assist each Member of Congress
and staff in educating constituents on safe computing
practices. Several Members of Congress have constructed
excellent information security pages on their Web sites using
information from the FTC. Each Member is an outstanding leader
within his or her community and district. As the FTC's
authorizing body and as the leaders in consumer protection,
this committee in particular can partner with us effectively in
our consumer awareness efforts on information security.
Our staff and I personally are standing by to help you and
join with you in leading.
In addition to law enforcement and our awareness campaign,
the Commission has taken an active leadership role in
international efforts promoting cybersecurity. In 2002, the FTC
led the U.S. Delegation, working with the OECD, to revise its
security guidelines. The revised guidelines serve as an
excellent, common sense starting point for government,
business, and organizations to implement information security.
They address accountability, awareness, and action by all
participants and form the basis for international cooperation
toward establishing a culture of security. The guidelines have
been embraced by the United Nations, APEC, nongovernment
organizations, and many international businesses and
associations.
In conclusion, attaining adequate information security will
be a continuing journey; a long project, where complacency is
not an option. I look forward to responding to your questions.
Thank you.
[The prepared statement of Hon. Orson Swindle follows:]
Prepared Statement of Hon. Orson Swindel, Commissioner, Federal Trade
Commission
i. introduction
Mr. Chairman, and members of the subcommittee, I am Commissioner
Orson Swindle.<SUP>1</SUP> I appreciate the opportunity to appear
before you today to discuss the Federal Trade Commission's role in
protecting information security and its importance to both consumers
and businesses.
Today, maintaining the security of our computer-driven information
systems is essential to every aspect of our lives. A secure information
infrastructure is required for the operation of everything from our
traffic lights to our credit and financial systems, including our
nuclear and electrical power supplies, and our emergency medical
service. We are all, therefore, directly or indirectly linked together
by this infrastructure. Consumers rely on and use computers at work and
at home; increasingly, more consumers are making purchases over the
Internet and paying bills and banking online.
These interconnected information systems provide enormous benefits
to consumers, businesses, and government alike. At the same time,
however, these systems can create serious vulnerabilities that threaten
the security of the information stored and maintained in these systems
as well as the continued viability of the systems themselves. Every
day, security breaches cause real and tangible harms to businesses,
other institutions, and consumers.<SUP>2</SUP> These breaches and the
harm they do shake consumer confidence in the companies and systems to
which they have entrusted their personal information.
ii. the federal trade commission's role
The Federal Trade Commission has a broad mandate to protect
consumers and the Commission's approach to information security is
similar to the approaches taken in our other consumer protection
efforts. As such, the Commission has sought to address concerns about
the security of our nation's computer systems through a combined
approach that stresses the education of businesses, consumers, and
government agencies about the fundamental importance of good security
practices; law enforcement actions; and international cooperation. Our
program encompasses efforts to ensure the security of computer
networks, an understanding that we all have a role to play, as well as
efforts to ensure that companies keep the promises they make to
consumers about information security and privacy. In the information
security matters, our enforcement tools derive from Section 5 of the
FTC Act,<SUP>3</SUP> which prohibits unfair or deception acts or
practices, and the Commission's Gramm-Leach-Bliley Safeguard Rule
(``Safeguards Rule'' or ``Rule'').<SUP>4</SUP> Our educational efforts
include business education to promote compliance with the law, consumer
and business education to help promote a ``Culture of Security,''
international collaboration, public workshops to highlight emerging
issues, and outreach to political leaders.
A. Section 5
The basic consumer protection statute enforced by the Commission is
Section 5 of the FTC Act, which provides that ``unfair or deceptive
acts or practices in or affecting commerce are declared unlawful.''
<SUP>5</SUP> The statute defines ``unfair'' practices as those that
``cause[] or [are] likely to cause substantial injury to consumers
which is not reasonably avoidable by consumers themselves and not
outweighed by countervailing benefits to consumers or to competition.''
<SUP>6</SUP> To date, the Commission's security cases have been based
on deception,<SUP>7</SUP> which the Commission and the courts have
defined as a material representation or omission that is likely to
mislead consumers acting reasonably under the
circumstances.<SUP>8</SUP>
The companies that have been subject to enforcement actions have
made explicit or implicit promises that they would take appropriate
steps to protect sensitive information obtained from consumers. Their
security measures, however, proved to be inadequate; their promises,
therefore, deceptive.
Through the information security enforcement actions, the
Commission has come to recognize several principles that govern any
information security program.
1. Security procedures should be appropriate under the circumstances
First, a company's security procedures must be appropriate for the
kind of information it collects and maintains. Different levels of
sensitivity may dictate different types of security measures. It is
highly problematic when a company inadvertently releases sensitive
personal information due to inadequate security procedures.
The Commission's first information security case, Eli
Lilly,<SUP>9</SUP> involved an alleged inadvertent disclosure of
sensitive information despite the company's promises to maintain the
security of that information. Specifically, Lilly put consumers' e-mail
addresses in the ``To'' line of the e-mail that was sent to Prozac
users who subscribed to a service on Lilly's website, essentially
disclosing the identities of all of the Prozac user-subscribers.
Given the sensitivity of the information involved, this disclosure
was a serious breach. Nevertheless, the Commission recognized that
there is no such thing as ``perfect'' security and that breaches can
occur even when a company has taken all reasonable precautions.
Therefore, the Commission construed statements in Lilly's privacy
policy as a promise to take steps ``appropriate under the
circumstances'' to protect personal information. Similarly, the
complaint alleged that the breach resulted from Lilly's ``failure to
maintain or implement internal measures appropriate under the
circumstances to protect sensitive consumer information.''
<SUP>10</SUP> The focus was on the reasonableness of the company's
efforts.
According to the complaint in the Lilly matter, the company failed,
among other things, to provide appropriate training and oversight for
the employee who sent the e-mail and to implement appropriate checks on
the process of using sensitive customer data. The order contains strong
relief that should provide significant protections for consumers, as
well as ``instructions'' to companies. First, it prohibits the
misrepresentations about the use of, and protection for, personal
information. Second, it requires Lilly to implement a comprehensive
information security program similar to the program required under the
FTC's Gramm-Leach-Bliley Safeguards Rule, which is discussed below.
Finally, to provide additional assurances that the information security
program complies with the consent order, every year the company must
have its program reviewed by a qualified person to ensure compliance.
2. Not All Security Breaches Are Violations of FTC Law
The second principle that arises from the Commission's enforcement
in the information security area is that not all breaches of
information security are violations of FTC law--the Commission is not
simply saying ``gotcha'' for security breaches. Although a breach may
indicate a problem with a company's security, breaches can happen, as
noted above, even when a company has taken every reasonable precaution.
In such instances, the breach will not violate the laws that the FTC
enforces. Instead, the Commission recognizes that security is an
ongoing process of using reasonable and appropriate measures in light
of the circumstances.
When breaches occur, our staff reviews available information to
determine whether the incident warrants further examination. If it
does, the staff gathers information to enable us to assess the
reasonableness of the company's procedures in light of the
circumstances surrounding the breach. This allows the Commission to
determine whether the breach resulted from the failure to have
procedures in place that are reasonable in light of the sensitivity of
the information. In many instances, we have concluded that FTC action
is not warranted. When we find a failure to implement reasonable
procedures, however, we act.
3. Law Violations Without a Known Breach of Security
The Commission's case against Microsoft <SUP>11</SUP> illustrates a
third principle--that there can be law violations without a known
breach of security. Because appropriate information security practices
are necessary to protect consumers' privacy, companies cannot simply
wait for a breach to occur before they take action. Particularly when
explicit promises are made, companies have a legal obligation to take
reasonable steps to guard against reasonably anticipated
vulnerabilities.
Like Eli Lilly, Microsoft promised consumers that it would keep
their information secure. Unlike Lilly, there was no specific security
breach that triggered action by the Commission. The Commission's
complaint alleged that there were significant security problems that,
left uncorrected, could jeopardize the privacy of millions of
consumers. In particular, the complaint alleged that Microsoft did not
employ ``sufficient measures reasonable and appropriate under the
circumstances to maintain and protect the privacy and confidentiality
of personal information obtained through Passport and Passport
Wallet.'' <SUP>12</SUP> The complaint further alleged that Microsoft
failed to have systems in place to prevent unauthorized access; detect
unauthorized access; monitor for potential vulnerabilities; and record
and retain systems information sufficient to perform security audits
and investigations. Again, sensitive information was at issue--
financial information including credit card numbers.
Like the Commission's order against Eli Lilly, the Microsoft order
prohibits any misrepresentations about the use of, and protection for,
personal information and requires Microsoft to implement a
comprehensive information security program. In addition, Microsoft must
have an independent professional certify, every two years, that the
company's information security program meets or exceeds the standards
in the order and is operating effectively.
4. Good Security is an Ongoing Process of Assessing Risks and
Vulnerabilities
The Commission's third case, against Guess, Inc.,<SUP>13</SUP>
highlighted a fourth principle--that good security is an ongoing
process of assessing and addressing risks and vulnerabilities. The
risks companies and consumers confront change over time. Hackers and
thieves will adapt to whatever measures are in place, and new
technologies likely will have new vulnerabilities waiting to be
discovered. As a result, companies need to assess the risks they face
on an ongoing basis and make adjustments to reduce these risks.
The Guess case highlighted this crucial aspect of information
security in the context of web-based applications and the databases
associated with them. Databases frequently house sensitive data such as
credit card numbers, and Web-based applications are often the ``front
door'' to these databases. It is critical that online companies take
reasonable steps to secure these aspects of their systems, especially
when they have made promises about the security they provide for
consumer information.
In Guess, the Commission alleged that the company broke such a
promise concerning sensitive information collected through its website,
www.guess.com. According to the Commission's complaint, by conducting a
``web-based application'' attack on the Guess website, an attacker
gained access to a database containing 191,000 credit card numbers.
This particular type of attack was well known in the industry and
appeared on a variety of lists of known vulnerabilities. The complaint
alleged that, despite specific claims that it provided security for the
information collected from consumers through its website, Guess did
not: employ commonly known, relatively low-cost methods to block web-
application attacks; adopt policies and procedures to identify these
and other vulnerabilities; or test its website and databases for known
application vulnerabilities, which would have disclosed that the
website and associated databases were at risk of attack. Essentially,
the Commission alleged that the company had no system in place to test
for known application vulnerabilities or to detect or to block attacks
once they occurred.
In addition, the complaint alleged that Guess misrepresented that
the personal information it obtained from consumers through
www.guess.com was stored in an unreadable, encrypted format at all
times; but, in fact, after launching the attack, the attacker could
read the personal information, including credit card numbers, stored on
www.guess.com in clear, unencrypted text.
As in its prior security cases, the Commission's emphasis in Guess
was on reasonableness. When the information is sensitive, the
vulnerabilities well known, and the fixes inexpensive and relatively
easy to implement, it is unreasonable simply to ignore the problem. As
in the prior orders, the Commission's order against Guess prohibits the
misrepresentations, requires Guess to implement a comprehensive
information security program, and, like Microsoft, requires an
independent audit every two years.
B. GLB Safeguards Rule
In addition to our enforcement authority under Section 5 of the FTC
Act, the Commission also has responsibility for enforcing its Gramm-
Leach-Bliley Safeguards Rule, which requires financial institutions
under the FTC's jurisdiction to develop and implement appropriate
physical, technical, and procedural safeguards to protect customer
information.<SUP>14</SUP> The Rule became effective on May 23 of this
year, and the Commission expects that it will quickly become an
important enforcement and guidance tool to ensure greater security for
consumers' sensitive financial information. The Safeguards Rule
requires a wide variety of financial institutions to implement
comprehensive protections for customer information--many of them for
the first time. If fully implemented by companies, as required, the
Rule could go a long way to reduce risks to this information, including
identity theft.
The Safeguards Rule requires financial institutions to develop a
written information security plan that describes their program to
protect customer information. Due to the wide variety of entities
covered, the Rule requires a plan that accounts for each entity's
particular circumstances--its size and complexity, the nature and scope
of its activities, and the sensitivity of the customer information it
handles.
As part of its plan, each financial institution must: (1) designate
one or more employees to coordinate the safeguards; (2) identify and
assess the risks to customer information in each relevant area of the
company's operation, and evaluate the effectiveness of the current
safeguards for controlling these risks; (3) design and implement a
safeguards program, and regularly monitor and test it; (4) hire
appropriate service providers and contract with them to implement
safeguards; and (5) evaluate and adjust the program in light of
relevant circumstances, including changes in the firm's business
arrangements or operations, or the results of testing and monitoring of
safeguards. The Safeguards Rule requires businesses to consider all
areas of their operation, but identifies three areas that are
particularly important to information security: employee management and
training; information systems; and management of system failures.
Prior to the Rule's effective date, the Commission issued guidance
to businesses covered by the Safeguards Rule to help them understand
the Rule's requirements.<SUP>15</SUP> Commission staff also met, and
continues to meet, with a variety of trade associations and companies
to alert them to the Rule's requirements and to gain a better
understanding of how the Rule is affecting particular industry
segments. Now that the Rule is effective, the Commission is
investigating compliance by covered entities.
C. Education and workshops
In addition to our law enforcement efforts and conducting outreach
under the Commission's Safeguard's Rule, the Commission has engaged in
a broad educational campaign to educate businesses and consumers about
the importance of information security and the precautions they can
take to protect or minimize risks to personal information. These
efforts have included creation of an information security ``mascot,''
Dewie the e-Turtle, who hosts a portion of the FTC website devoted to
educating businesses and consumers about security,<SUP>16</SUP>
publication of business guidance regarding common vulnerabilities in
computer systems,<SUP>17</SUP> speeches by Commissioners and staff
about the importance of this issue, and outreach to the international
community. Many offices in the Commission including the Commission's
Bureau of Consumer Protection, the Office of Public Affairs, and the
Office of Congressional Relations, have participated in this effort to
educate consumers and businesses.
The Commission's outreach effort is centered on the Commission's
information security website.<SUP>18</SUP> The website registered more
than 400,000 visits in its first year of deployment, making it one of
the most popular FTC web pages. The site is now available in CD-ROM and
PDF format and frequently updated with new information for consumers on
cybersecurity issues. In addition, the Commission's Office of Consumer
and Business Education has produced a video news release, which has
been seen by an estimated 1.5 million consumers; distributed 160,000
postcards featuring Dewie and his information security message to
approximately 400 college campuses nationwide; and coordinated the 2003
National Consumer Protection Week with a consortium of public- and
private-sector organizations around the theme of information security.
Finally, the Commission's Office of Congressional Relations has
conducted outreach through constituent service representatives in each
of the 535 House and Senate member offices by mailing ``Safe
Computing'' CDs. We would like to thank Chairman Stearns for his
leadership on the issue of cybersecurity, and for encouraging his
colleagues, in his July 18, 2003 ``Dear Colleague'' letter announcing
the delivery of the FTC's safe Internet practices outreach kit, to
educate their constituents on safe computing practices.
In addition, the Commission uses opportunities that arise in non-
security cases to educate the public about security issues. For
example, in early November, the Commission announced that a district
court issued a temporary restraining order in an action against D
Squared Solutions, and its principals.<SUP>19</SUP> The complaint
alleged that the defendants operated a scam that barraged consumers'
computers with repeated Windows Messenger Service pop up ads--most of
which advertised software that consumers could purchase for about $25
to block future pop ups. Part of what made the defendants' conduct so
egregious is that consumers continued to be bombarded by pop-ups, even
when they were off of the Internet and working in other applications
such as word-processing or spreadsheet programs and that the defendants
allegedly either sold or licensed their pop-up sending-software to
other people allowing them to engage in the conduct. The defendants'
website allegedly offered software that would allow buyers to send pop-
ups to 135,000 Internet addresses per hour, along with a database of
more than two billion unique addresses. Contrary to the defendants'
representations, consumers, when educated about how the Windows
operating systems works, can actually stop pop-up spam at no cost by
changing the Windows default system.
In addition to bringing a law enforcement action to halt the
defendants' conduct, the Commission issued an alert to consumers about
the security issues raised in the case. The ``Consumer Alert'' provides
instructions for consumers on how to disable the Windows Messenger
Service in order to avoid other pop-up spam. The alert <SUP>20</SUP>
also discusses the use of firewalls to block hackers from accessing
consumers' computers.
Finally, the Commission continues, and will continue, to host
workshops on information security issues when appropriate. Last summer,
the Commission hosted two workshops focusing on the role technology
plays in protecting personal information.<SUP>21</SUP> The first
workshop focused on the technologies available to consumers to protect
themselves. Panelists generally agreed that, to succeed in the
marketplace, these technologies must be easy to use and built into the
basic hardware and software consumers purchase.
The second workshop focused on the technologies available to
businesses. We learned that businesses, like consumers, need technology
that is easy to use and compatible with their other systems.
Unfortunately, we also heard that too many technologies are sold before
undergoing adequate testing and quality control, frustrating progress
in this area.
The Commission also held a workshop on unsolicited commercial e-
mail (``spam'') which was instructive about the security risks that
spam poses. We learned that, in addition to other problems, spam can
also serve as a vehicle for malicious and damaging code.
D. International Efforts
In addition to our cases and domestic efforts, the Commission has
taken an active international role in promoting cybersecurity. We
recognize that American society and societies around the world need to
think about security in a new way. The Internet and associated
technology have literally made us a global community. We are joining
with our neighbors in the global community in this enormous effort to
educate and establish a culture of security.
During the summer of 2002, the Organization for Economic
Cooperation and Development (``OECD'') issued a set of principles for
establishing a culture of security--principles that can assist us all
in minimizing our vulnerabilities. Commissioner Swindle has had the
opportunity to work with this organization and to head the U.S.
Delegation to the Experts Group on the post-September 11 review of
existing OECD Security Guidelines and to the Working Party on
Information Security and Privacy.
The OECD principles are contained in a document entitled
``Guidelines for the Security of Information Systems and Networks:
Towards a Culture of Security.'' <SUP>22</SUP> The nine principles are
an excellent, common-sense starting point for formulating a workable
approach to security. They address awareness, accountability, and
action. They also reflect the principles that guide the FTC in its
analysis of security-related cases, including that security
architecture and procedures should be appropriate for the kind of
information collected and maintained and that good security is an
ongoing process of assessing and addressing risks and vulnerabilities.
These principles can be incorporated at all levels of use among
consumers, government policy makers, and industry. They already have
been the model for more sector-specific guidance by industry groups and
associations.
Besides the OECD, the Commission also is involved in information
privacy and cybersecurity work undertaken by the Asian Pacific Economic
Cooperation (``APEC'') forum. APEC's Council of Ministers endorsed the
OECD Security Guidelines in 2002. Promoting information system and
network security is one of its chief priorities. The APEC Electronic
Commerce Steering Group (``ECSG'') promotes awareness and
responsibility for cybersecurity among small and medium-sized
businesses that interact with consumers. Commission staff participated
in APEC workshop and business education efforts this past year and is
actively engaged in this work for the foreseeable future.
Along with the OECD and APEC, in December 2002, the United Nations
General Assembly unanimously adopted a resolution calling for the
creation of a global culture of cybersecurity. Other UN groups,
international organizations, and bilateral groups with whom the
Commission has dialogues, including the TransAtlantic Business and
Consumer Dialogues, the Global Business Dialogue on Electronic
Commerce, and bilateral governmental partners in Asia and in the EU
also are working on cybersecurity initiatives.
Notwithstanding these global efforts, developing a ``Culture of
Security'' is a daunting challenge. The FTC and other government
agencies have a role to play, but the government cannot do this alone,
nor should it try. The Commission is working with consumer groups,
business, trade associations, and educators to instill this new way of
thinking. We are encouraging our global partners to do the same and to
share what is learned.
iii. conclusion
The Commission, through law enforcement and consumer and business
education, is committed to reducing the harm that occurs through
information security breaches. Maintaining good security practices is a
critical step in preventing these breaches and the resulting harms,
which can range from major nuisance to major destruction. The critical
lesson in this information-based economy is that we are all in this
together: government, private industry, and consumers, and we must all
take appropriate steps to create a culture of security.
ENDNOTES
<SUP>1</SUP> The views expressed in this statement represent the
views of the Commission. My oral presentation and responses to
questions are my own and do not necessarily represent the views of the
Commission or any other Commissioner.
<SUP>2</SUP> For example, our recently released Identity Theft
Report, available at http://www.ftc.gov/os/2003/09/synovatereport.pdf,
showed that over 27 million individuals have been victims of identity
theft, which may have occurred either offline or online, in the last
five years, including almost 10 million individuals in the last year
alone. The survey also showed that the average loss to businesses was
$4800 per victim. Although various laws limit consumers' liability for
identity theft, their average loss was still $500--and much higher in
certain circumstances.
<SUP>3</SUP> 15 U.S.C. � 45.
<SUP>4</SUP> 16 C.F.R. Part 314, available online at http://
www.ftc.gov/os/2002/05/67fr36585.pdf.
<SUP>5</SUP> 15 U.S.C. � 45 (a) (1).
<SUP>6</SUP> 15 U.S.C. � 45(n).
<SUP>7</SUP> Where appropriate, the Commission has also brought
Internet cases using the unfairness doctrine. See FTC v. C.J., Civ. No.
03-CV-5275-GHK (RZX) (Filed C.D. Cal. July 24 2003), http://
www.ftc.gov/os/2003/07/phishingcomp.pdf.
<SUP>8</SUP> Letter from FTC to Hon. John D. Dingell, Chairman,
Subcommittee on Oversight and Investigations (Oct. 14, 1983), reprinted
in appendix to Cliffdale Associates, Inc., 103 F.T.C. 110, 174 (1984)
(setting forth the commission's Deception Policy Statement.).
<SUP>9</SUP> The Commission's final decision and order against Eli
Lilly is available at www.ftc.gov/os/2002/05/elilillydo.htm. The
complaint is available at www.ftc.gov/os/2002/05/elilillycmp.htm.
<SUP>10</SUP> Eli Lilly Complaint, paragraph 7.
<SUP>11</SUP> The Commission's final decision and order against
Microsoft is available at http://www.ftc.gov/os/2002/12/
microsoftdecision.pdf. The complaint is available at http://
www.ftc.gov/os/2002/12/microsoftcomplaint.pdf.
<SUP>12</SUP> Microsoft Complaint, paragraph 7.
<SUP>13</SUP> The Commission's final decision and order against
Guess, Inc. is available at http://www.ftc.gov/os/2003/06/
guessagree.htm. The complaint is available at http://www.ftc.gov/os/
2003/06/guesscmp.htm.
<SUP>14</SUP> 16 C.F.R. Part 314, available online at http://
www.ftc.gov/os/2002/05/67fr36585.pdf.
<SUP>15</SUP> Financial Institutions and Customer Data: Complying
with the Safeguards Rule, available at http://www.ftc.gove/bcp/conline/
pubs/buspubs/safeguards.htm.
<SUP>16</SUP> See http://www.ftc.gov/bcp/conline/edcams/
infosecurity/index.html.
<SUP>17</SUP> See http://www.ftc.gov/bcp/conline/pubs/buspubs/
security.htm.
<SUP>18</SUP> See http://www.ftc.gov/infosecurity.
<SUP>19</SUP> The Commission's press release announcing the case
can be found at http://www.ftc.gov/opa/2003/11/dsquared.htm.
<SUP>20</SUP> The alert can be found at http://www.ftc.gov/bcp/
conline/pubs/alerts/popalrt.html.
<SUP>21</SUP> Additional information about the workshops are
available at http://www.ftc.gov/bcp/workshops/technology/indes.html.
<SUP>22</SUP> http://www.oecd.org/dataoecd/16/22/15582260.pdf
Mr. Stearns. I thank the Commissioner.
Mr. Schmidt, welcome.
STATEMENT OF HOWARD A. SCHMIDT
Mr. Schmidt. Thank you, Mr. Chairman.
Chairman Stearns, distinguished members of the committee,
my name is Howard Schmidt. I am the Vice President and Chief of
Information Security for eBay, where I lead a team responsible
for ensuring the trustworthiness and security of the services
that bring so many global citizens together each day in this
tremendous global marketplace.
I would like to thank you again for the opportunity to come
before the committee for the second time and your continued
leadership in this very important issue. Prior to arriving at
eBay a few months ago, I had the privilege of being appointed
by President Bush to lead, with Richard Clarke, the President's
Critical Infrastructure Protection Board, which represented one
part of the overall government response to the threat of
cybersecurity attacks in the wake of September 11; and after 31
years retired, and we successfully published the National
Strategy Defense for Cyberspace, working with a team of
dedicated public servants, this body, and the American public.
In addition to my day job, I continue to proudly serve at
the U.S. Army Reserves, assigned to the 701st MP Group as a
Special Agent with the computer crimes section, and also serve
on the board of directors for ISC Squared, the body that
oversees certification for security professionals through the
CISSB certification.
My remarks today will focus primarily on the changes that
have taken place with both business and government to create
the level of information-sharing and collaboration necessary to
improve cybersecurity and to further improve security for
consumers, as well as how the sharing and collaboration has
indeed improved the level of information and protection of
consumer data.
I would like to provide my update in specific examples of
improvement in four major areas. Those areas are awareness and
education, product enhancement, government activities and
private sector initiatives. While these examples will not be
comprehensive, they will indeed be some representative efforts
we have undergone.
I would also state, even though my comments are very
optimistic as where we have come from, I think we will also
have a long way to go. I think under the block of awareness and
education, one of the biggest visible changes that has taken
place is the increase in dialog and training to better inform
the end user and consumer on how to secure their computer
systems and their information.
One of the first consumer-targeted awareness programs was
truly a joint public/private partnership between many of the
companies, the FTC, NSA, as well as some other government
agencies, and it took place in the formation of the
Cybersecurity Alliance, and the creation of our Web site,
staysafeonline.info, which we drove out of the efforts of the
White House. This Web site has a wealth of information to help
even the most inexperienced users understand cybersecurity,
potential threats from on-line criminals, and steps they can
take to protect themselves.
In addition, we at the White House held a series of town
hall meetings over the past 18 months to meet with private
sector partners, individuals, parent-teacher organizations,
with speakers ranging from CEOs of major financial
institutions, to my distinguished colleague to my left,
Commissioner Orson Swindle. Many of these town meetings were
also Webcast to get the broadest audience to be able to see
them and participate over the Internet.
Private sector companies have also held free seminars
around the country, providing awareness to citizens. Many of
these sessions focused on informing the elderly, one of the
segments of our society who has received great benefits in the
on-line world and the resources that it can provide. Also, as
we enter the holiday season, there will be mass media campaigns
to educate consumers further on how to safely and securely
enjoy the richness and robustness of the on-line e-commerce
world.
Under product enhancements, another major improvement we
have seen over the past 2 years has been the way security is
now offered as a standard within software and hardware. One
very visible example is with the hardware provided to use
wireless technology and broadband, we now see firewalls being
built directly into these components as well as antivirus
software being built into wireless modem operations.
Major operating systems have now auto update features as
antivirus functions. Many antivirus vendors have done an
amazing job in speeding up the detection and analysis of many
of the threats that you have mentioned in your opening comments
of the viruses and trojans that are found in the wire. Many of
them even provide free on-line services for consumers to be
able to download and inspect their systems as a public service,
and I noticed in the paper this morning, one of them is now
offering free antivirus software for the next year.
Under the heading of government activities, there have been
a number of great activities beyond the creation of the
National Strategy to Defend Cyberspace. Recently the Department
of Homeland Security created the U.S. Computer Emergency
Response Team at Carnegie Mellon as a focal point for building
partnerships based on cybersecurity response networks and
providing a notification network of threats and vulnerabilities
as they are discovered.
The Department of Justice, the U.S. Secret Service, and the
FBI have significantly improved the response times and
increased priorities around the investigation of cybercrimes.
As a matter of fact, Director Mueller has placed cybercrime as
one of the top five priorities within the FBI, and the Secret
Service is growing a cadre of expert agents working with
private sector called the Electronic Crime Task Force.
Additionally, the Department of Defense continues to work in
that area as well.
On the government effort, since these things have no
borders, the State Department has done a wonderful job in
creating multilateral and bilateral discussions with
international partners, many of which the industry colleagues,
some of us sitting here today, have been a part of since the
very beginning.
Two quick examples in the private sector initiatives:
We know that there will be no silver bullets in enhancing
cybersecurity, but recently we created a coalition to address
specifically the area of on-line identity theft. We have fully
recognized that the vast majority of identity theft occurs in
the off-line world through dumpster diving and other
mechanisms, but we have seen, as many of you have, an increase
in criminals attempting to do the same thing on line.
The two recent methods are what we call phishing, with a p-
h, or spoofed e-mails, where criminals send out thousands of e-
mails telling people to update their information. We are
working to address this in four areas: building new
technologies to prevent this; second, to provide awareness and
training to consumers so they are better informed to not fall
victim to these scams; third, to share information amongst very
competitive companies on protection of these things; and
fourth, to work with the law enforcement community to prevent
these people through deterrence of investigation.
In closing, I want to cite three specific areas I think
that we can look at because, despite the great security
enhancements we have seen and will continue to see, there are
clear challenges you must address.
We must review our commitment to enhance consumer awareness
of basic cybersecurity practices, and the recent attacks have
once again demonstrated how home users are now becoming the
target.
Second, while we build an effective response network, we
must not lose sight of the innovation frontier. Technologists
on the horizon hold the potential to dramatically and
potentially decisively transform our cybersecurity challenges.
Self-healing computers, embedded technologies, can enable
devices that recognize and defend against these attacks. We
must not inhibit their ability to move forward in collaboration
with our best universities.
And, finally, we must recognize that cybersecurity is no
longer merely about product services and strategies. What is at
stake in the effective implementation of advanced cybersecurity
technology is nothing less than the ability to unleash the next
wave of IT-led growth in jobs and productivity. Cybersecurity
is an essential enabler.
In closing, I want to say that the next step of this will
be on December 2 and 3. Homeland Security has invited a lot of
the public service or private sector organizations to create a
summit, creating a task force to move forward in a lot of those
areas that we mentioned and we care very deeply about.
This concludes my prepared remarks and I thank you for the
opportunity to be here.
[The prepared statement of Howard A. Schmidt follows:]
Prepared Statement of Howard A. Schmidt, Vice President and Chief
Information Security Officer, eBay Corporation
introduction
Chairman Stearns, distinguished members of the Committee, my name
is Howard A. Schmidt. I am the Vice President and Chief Information
Security Officer for eBay, where I lead a team responsible for ensuring
the trustworthiness and security of the services that bring so many
global citizens together in this tremendous global marketplace each
day. I would like to thank you for the opportunity to come before this
Committee again as well as your continued leadership on this very
important issue. Prior to my current position at eBay and subsequent to
my last appearance, I had the privilege of being appointed by President
Bush to lead, with Richard Clarke, the President's Critical
Infrastructure Protection Board, which represented one part of the
overall governmental response to the threat of cyber security attacks
in the wake of September 11. I retired from 31 years of public service
after completing and publishing the ``National Strategy to Defend
Cyberspace,'' working with a team of dedicated public servants, this
body, and the American public.
I have had the privilege of working with committed individuals in
the private sector, law enforcement, and government to forge the
collaboration and cooperation that is so essential to safeguard cyber
space for everyone, from inexperienced home users to large well-run
corporate enterprises. I assisted in the formation of some of the first
collaborative efforts in the law enforcement community to address cyber
crime in local law enforcement and the FBI. I also helped lead the
creation of the Information Technology Information Sharing and Analysis
Center (IT-ISAC) and had the honor of serving as its first president.
I continue to proudly serve in the U.S. Army reserves, assigned to
the 701st MP Group, (CID) as a Special Agent with the computer crime
unit at CID headquarters. I also serve on the Board of Directors for
ISC2, the body that oversees certification of security professionals
through the CISSP certification. My remarks today will focus primarily
on the changes that have taken place within both business and
government to create the level of information sharing and collaboration
necessary to improve Cybersecurity and further improve security for
consumers, as well as how this sharing and collaboration has improved
the level of information and protection of consumer computer data.
Today, the Internet connects over 170 million computers and an
estimated 680 million users, with an estimated growth to 904 million by
the end of 2004. From major data operations conducting large-scale
financial transactions, to wireless devices keeping families connected,
the Internet touches virtually all aspects of our economy and quality
of life. eBay is a prime example of how deeply ingrained the Internet
is in American life. Every day on eBay, millions of Americans, along
with millions of people in countries around the world, come together to
buy and sell all types of goods and services. Business relationships
and, often, deep friendships are formed on the basis of commerce and
shared interests. The eBay marketplace reflects the enormous power of
the Internet to unite humanity at a crucial moment in history.
More pointedly, the Internet has become a fundamental component of
business processes--enhancing productivity by speeding connectivity
between remote locations or across functional operations. The Internet
is deeply ingrained in managing power, producing chemicals, designing
and manufacturing cars, managing money and delivering government
services ranging from human services to environmental permitting. The
flip side of these productivity-enhancing applications is an increase
in attacks against the online community.
Today the Internet is utilized by hundreds of millions of users all
across the globe sending information ranging from homework assignments
and simple greetings to the most sensitive financial and operational
data of government and industry, all at the speed of light. The
Internet landscape also includes a private sector security industry
that has grown to an estimated $17 billion per year in goods and
services. And, as we are all painfully aware, attack speeds today are
measured in seconds, not days.
I would like to provide my update in the format specific examples
of improvement in four major areas. Those areas are: Awareness and
education; product enhancements; government activities; and private
sector initiatives. While we have made significant progress, I also
want to stress that we still have much work to do and will continue to
improve overall Cybersecurity by continued improvement in some of the
examples I will mention today.
Awareness & Education:
One of the biggest visible changes that has taken place is
increased dialogue and training to better inform the end user on how to
secure their computers and information. One of the first consumer-
targeted awareness programs was truly a joint private-public
partnership. This partnership took place in the form of the Cyber
Security Alliance. The alliance combined the expertise of a number of
private sector entities with the efforts of government partners to
create a comprehensive website for consumers. The website,
www.staysafeonline.info has a wealth of information to help even the
most inexperienced users understand cyber security, potential threats
from online criminals, and steps they can take to protect themselves.
In addition, the White House held a series of town hall meetings
around the country with private sector partners. These town hall
meetings were open to the public and well-attended, with speakers
ranging from CEOs of major financial institutions and exchanges, to
subject-matter experts in cyber security. Many of these town hall
meetings were webcast so those that could not attend in person could
participate over the Internet.
Private sector companies have also held free seminars around the
country to provide awareness to citizens. Many of the sessions focused
on informing the elderly, one of the segments of our society that has
received great benefit from the online world and the resources that it
provides. As we enter the holiday shopping season, there will be mass
media campaigns to educate consumers on how to safely and securely
enjoy the richness and robustness of the online e-commerce world.
In the category of formal education, the National Security Agency
(NSA) has a program identifying universities that meet the criteria to
be designated a center of academic excellence in information security.
This NSA program not only ensures the education of the next generation
of information security professionals, but also guarantees that the
university has sound cyber security practices in place as well as
awareness education for the students, who make up a large number of the
online users and consumers. The NSA also administers the Cyber Corp
program with NSF and OPM, providing scholarships for students in cyber
security.
Product Enhancements:
Another major improvement that we have seen in the past two years
is the way security enhancements are now offered standard in software
and hardware. One very visible example is the hardware provided to use
wireless technology. Broadband technology (Cable modem, DSL, satellites
etc.) has given us capabilities and speeds that were only available to
corporations before. We now see firewalls and the ability to download
anti-virus software being built into wireless modems.
The major operating systems now have auto-update features included,
and are now being turned on by default in more future versions.
Products are now being shipped with many services turned off by
default, thus making them more secure. Many of the online email
services block potentially malicious code and do a much better job of
blocking the Spam that often contains malicious functions.
Anti-virus vendors have done an amazing job in speeding up the
detection, analysis and updates for many of the viruses that are found
in the wild. Many of them even provide free online virus scans as a
public service to assist consumers.
Government Activities:
There have been a number of government actions that have taken
place since I last appeared before this committee--most notably the
creation of the President's Critical Infrastructure Protection Board
and the release of the National Strategy to Defend Cyberspace. This
critical document set the framework for much of the private public
partnerships, focusing a section on home users and small/medium
enterprises.
I would also argue that the consolidation of cyber security related
organizations into the Department of Homeland Security in the
Infrastructure Protection Director was a valuable reorganization. The
bringing together of the NIPC (FBI), Fed-CIRC (GSA), CIAO (Commerce),
Energy Information Assurance Division (DoE) and the National
Communications System (DoD) created a center of excellence that, with
the help of focused leadership, will move to implement the national
strategy. This new organization is called the National Cyber Security
Division.
Recent action taken by the Department of Homeland Security (DHS) to
create the US CERT at Carnegie Mellon University has the potential to
significantly enhance security for all users. The US CERT is designed
to serve as a focal point for building partnerships based cyber
security response network and provide a notification network as threats
and vulnerabilities are discovered.
The goal for US CERT is to ensure that there is an average response
time of no less than 30 minutes in the case of any attack. The very
specific nature of this goal is designed to deliberately focus the US
CERT on building broad participation by the private sector.
The US CERT will undertake the following major initiatives:
� Develop common incident and vulnerability reporting protocols to
accelerate information sharing across the public and private
response communities;
� Develop initiatives to enhance and promote the development of
response and warning technologies; and
� Forge partnerships to improve incident prevention methods and
technologies;
The Dept. of Justice, the U.S. Secret Service and the FBI have
significantly decreased their response times and increased priorities
around investigations of cyber crimes. Director Mueller has placed
cyber crime in the top 5 priorities at the FBI, and the Secret Service
has added a number of electronic crime task forces in order to
successfully investigate and prosecute cyber criminals. All of the
Defense Department's investigative organizations have led the way
investigating cyber crimes and have some of the best investigators in
the world. The Department of Justice, through its Computer Crime and
Intellectual Property Section, has chaired the G-8 Subcommittee on
cyber crime and has been a significant driving force in combating
worldwide cyber crime.
Since there are no borders when it comes to cyber space, and
criminal attacks on consumers can come from all corners of the world,
the State Department has conducted bilateral and multilateral
discussions to ensure that there is international cooperation in the
effort to protect cyber security.
I have had the extreme pleasure of working with Commissioner
Swindel of the Federal Trade Commission, who has been a beacon of light
for the protection of consumers' privacy and security. With his help in
the creation of the FTC's ``Dewey'' program and his tireless support
for town hall meetings, he truly has created a ``culture of security''
globally.
Private Sector Initiatives:
While there will be no silver bullets in enhancing cyber security,
the private sector continues to grow its capabilities and make solid
improvement in securing their part of cyberspace . Two of the earliest
examples of private-public cooperation for ``Cyber Crime/Cyber
Security'' were the the High Tech Crime Investigators Association
(HTCIA) and the Information Systems Security Association (ISSA). Both
organizations date back to the mid/late 80's and are dedicated to
sharing nformation on cyber crime and information security. They still
exist today and their membership and value have increased significantly
over the years.
Most recently, the private sector has created a coalition that I
see as an excellent example of efforts to enhance consumer cyber
security. As you are probably aware, identity theft is a major problem.
While the vast majority of ID theft occurs in the physical world, we
have seen an increase in the activities of criminals to commit the same
types of crime online. The most recent method is by using what we call
``phishing'' or ``spoofed'' emails. The criminals will send out
thousands of emails telling people that there is an error with their
online account and ask them to fill in an ``update form'' or their
account will be closed. This form has the look and feel of major e-
commerce sites--there was even a fake email from someone pretendingto
be the FBI and asking unsuspecting users to enter personal information
into a fake web site.
To combat this, many of the major players in the e-commerce space
banded together to create an Anti-Online ID Theft Coalition. The
Coalition boasts many private sector members, with the Information
Technology Association of America providing support as the executive
director. The Coalition has four major goals: 1) to build technology to
reduce the likelihood of these mails even reaching their intended
victim; 2) to provide awareness training to consumers so they can more
readily identify these criminal acts; 3) to share information on new
scams amongst the various security teams; and 4) to insure
accountability by working with law enforcement to identify and
prosecute these bad actors.
In a larger perspective, Sector Coordinators representing each of
the major sectors of our economy have been appointed to fight potential
cyber attack. A sector coordinator is an individual in the private
sector identified by the sector lead agency to coordinate their sector,
acting as an honest broker to organize and bring the sector together to
work cooperatively on sector cyber security protection issues. The
sector coordinator can be an individual or an institution from a
private entity.
These private sector leaders provide the central conduit to the
federal government for the information needed to develop an accurate
understanding of what is going on throughout the nation's
infrastructures on a strategic level with regards to critical
infrastructure protection activities. The sector coordinators and the
various sector members were key to the creation of the National
Strategy to Defend Cyber Space.
In addition, there has been a number of new private sector
Information Sharing and Analysis Centers (ISACs). An ISAC is an
operational mechanism to enable members to share information about
vulnerabilities, threats, and incidents (cyber and physical). The
sector coordinator develops these Centers with support from the sector
liaison. In some cases, an ISAC Manager may be designated, who is
responsible for the day-to-day operations of the ISAC, to work with the
sector coordinator or the sector coordinating body with support from
DHS and the lead federal agencies.
Despite these security enhancements, we can be certain that as
increased collaboration continues to enhance our protection and
responsiveness, the nature and sophistication of attacks will certainly
evolve. There are clear challenges we must continue to address.
First, we must renew our commitment to enhance consumer awareness
of basic cyber security practices. The recent attacks demonstrate that
home users can be used as an effective pathway to launch attacks, or as
a gateway into large enterprises. We need to build on the public/
private initiatives to promote cyber security with a focused and
aggressive outreach effort to benefit all consumers.
Second, while we build an effective response network we must not
lose sight of the innovation frontier. Technologies on the horizon hold
the potential to dramatically and potentially decisively transform our
cyber security challenges. Self-healing computers, embedded
technologies that enable devices to recognize and defend against
attacks, and devices which enhance both security and privacy are within
reach with an aggressive technology development agenda. This effort
must be industry-led in collaboration with our best Universities. Most
importantly, it must be synergistically linked with our response
initiatives.
Finally, we must recognize that cyber security is no longer merely
about products, services and strategies to protect key operations. What
is at stake in the effective implementation of advanced cyber security
technologies and strategies is nothing less than the ability to unleash
the next wave of information technology-led growth in jobs and
productivity. Cyber security is an essential enabler to the advent of
the next generation Internet and all it holds for how we work, live,
and learn.
I don't want to close without mentioning my expectation that many
of these challenges will be addressed, and indeed met head-on, with
tangible commitments and deliverables through the upcoming National
Cyber Security Summit, to be held on December 2-3, 2003. This Summit
will be co-hosted by the Information Technology Association of America,
the U.S. Chamber of Commerce, TechNet and the Business Software
Alliance, with the support of the Department of Homeland Security. I
have the honor to serve at that summit, as will many of the brightest
minds and most innovative companies across all sectors of the economy.
The work of this summit will continue past December 2-3 through
task force work programs that will drive toward solutions in intense
work before, during, and beyond the Summit. We expect that many of
these proposals will be forwarded to DHS early next year, after which
we can measure progress on an ongoing basis. We expect this to be an
all-hands-on-deck effort where we bring together, distill, and
integrate many of the outstanding work products from many groups
regarding cyber security metrics, software development and maintenance,
public outreach initiatives, and, of course, public-private
partnerships in information sharing and early warning systems.
Chairman Stearns, this concludes my prepared remarks. I thank you
for the opportunity to come before this Committee and welcome any
questions that you and the Committee members may have.
Mr. Stearns. Thank you.
Mr. Charney.
STATEMENT OF SCOTT CHARNEY
Mr. Charney. Thank you. Chairman Stearns, Ranking Member
Schakowsky, and members of the subcommittee, my name is Scott
Charney, and I am Microsoft's Chief Trustworthy Computing
Strategist.
I want to thank you for the opportunity to appear here
today to provide our views on cybersecurity and what we are
doing to secure consumer data. At Microsoft, security is our
No. 1 priority. We are committed to continually improving the
security of our software.
As Howard Schmidt just said, there are no silver bullets in
cybersecurity; there will always be vulnerabilities in complex
software and systems. As was true when we testified before you
in 2001, cybersecurity involves many layers and many
collaborative partnerships. In other words, cybersecurity
involves management of technologies, as much as the technology
itself.
Meanwhile, much has changed since we last testified before
you. Consumer dependence on the Internet has grown. And as of
March 2003, 30 million homes in America had a broadband
connection to the Internet, double the number who had high-
speed connections at the end of 2001.
Another key change over the past 2 years is that the time
between the issuance of a patch and the time when we see a
concrete exploit taking advantage of the underlying
vulnerability has dramatically shortened. Therefore, once a
patch is released, a race ensues between those installing the
patch to eliminate the vulnerability and those developing code
that exploits the vulnerability.
Moreover, the sophistication and severity of cyberattacks
are also increasing. In response to these threats, industry has
increased tremendously the resources and priority it devotes to
cybersecurity issues, and the government has also taken
significant steps during this time period to address these
heightened risks for on-line consumers, including creating the
National Cybersecurity Division at the Department of Homeland
Security and signing the Council of Europe's Cybercrime Treaty.
We commend these actions as important steps and hope the Senate
ratifies the treaty when it is received.
Security is Microsoft's top priority, and we know that
security is a journey rather than a destination. 2 years ago
before this committee, my friend and co-panelists Howard
Schmidt properly stated: We know there is no finish line for
these efforts, but by working as we have with industry peers
and with governments, we have a chance to keep one step ahead
of cyber criminals.
Shortly thereafter, Bill Gates had launched our trustworthy
computing initiative, which involves every aspect of Microsoft
and focuses on four key pillars: security, privacy,
reliability, and business integrity. As part of this, we have
enhanced the training of our developers to put security at the
heart of software design and at the foundation of the
development process.
Through this effort we are seeing a quantifiable decrease
in vulnerabilities. For example, if you compare Windows Server
2000 and Windows Server 2003, for the last 6 months Windows
Server 2003 has required fewer patches.
Another part of trustworthy computing involves
communicating with our customers. In the wake of Blaster, we
launched the Protect Your PC campaign, urging commerce to take
three steps to improve their security, all available through
Microsoft.com/protect.
Two years ago, we also spoke about the need of increased
deterrence of criminal hacking. Although the Cybersecurity
Enforcement Act passed last year, there is still much more that
needs to be done. Despite the best and laudable efforts of
dedicated law enforcement personnel, far too many hackers
unleash their malicious code, commit crimes with no punishment.
This is an untenable situation.
Earlier this month, we took a significant step to support
law enforcement by creating the Antivirus Reward Program to
provide monetary rewards for information resulting in the
arrest and conviction of hackers. The government continues to
play a key role in efforts to secure consumers' software and
data.
I want to outline a few specific areas where government
initiatives can be particularly helpful in promoting
cybersecurity.
First, the public sector should increase its support for
basic research and security technology.
Second, the government can lead by example by securing its
own systems, buying software that is engineered for security,
providing better training for government systems administrators
and leading public awareness campaigns, such as the FTC's
campaign featuring Dewey the Turtle.
Third, government and industry should reduce barriers to
exchanges of information.
Fourth, law enforcement should receive additional
resources. We also support the forfeiture of personal property
used in committing these crimes.
Fifth, greater cross-jurisdictional cooperation among law
enforcement is needed for investigating cyberattacks.
In conclusion, we will continue to pursue trustworthy
computing and to work closely with our partners in the computer
software and communications industries, the government and our
commerce to enhance cybersecurity.
Thank you, and I look forward to your questions.
[The prepared statement of Scott Charney follows:]
Prepared Statement of Scott Charney, Chief Trustworthy Computing
Strategist, Microsoft Corporation
Chairman Stearns, Ranking Member Schakowsky, and Members of the
Subcommittee: My name is Scott Charney, and I am Microsoft's Chief
Trustworthy Computing Strategist. I want to thank you for the
opportunity to appear today to provide our views on cybersecurity and
on what we are doing to secure consumer data. I oversee the development
of strategies to create more secure software and services and to
enhance consumer security and privacy through our long-term Trustworthy
Computing initiative. My goal is to reduce the number of successful
computer attacks and increase the confidence of all computer users.
This is something I have worked toward throughout much of my career,
including during my service as chief of the Computer Crime and
Intellectual Property Section (CCIPS) in the Criminal Division of the
U.S. Department of Justice. While at CCIPS, I helped prosecute nearly
every major hacker case in the United States from 1991 to 1999.
At Microsoft, security is our number one priority, and as an
industry leader, we are committed to continually improving the
capability of our software to protect the privacy of consumers and the
security of their data. We are at the forefront of industry efforts to
enhance the security of computer programs and networks and to educate
consumers about good cybersecurity practices. We also work closely with
our partners in industry and governments around the world to identify
security threats to computer networks, share best practices, improve
our coordinated responses to security breaches, and prevent computer
attacks from happening in the first place.
This hearing is exceptionally timely because of the rapid
developments in cybersecurity over the past two years. We
wholeheartedly agree with this Subcommittee that it is critical for all
of us to address consumer concerns about the privacy and security of
their online data in order to stimulate the further growth of e-
commerce and to help realize the Internet's full potential.
Today, I want to describe the risks posed to consumers'
cybersecurity, and the ways in which industry and government are
working together to protect consumers' online data. First, I will
discuss the general state of cybersecurity since November 2001, when we
last appeared before this Subcommittee; I will touch both on what has
stayed the same, and on what has changed. Second, I will discuss
Microsoft's ongoing efforts to help secure consumers' computer data.
Third, I will offer a few suggested steps that the government can take
to enhance the security of consumer data.
i. cybersecurity since november 2001
The pursuit of cybersecurity involves a daily and never-ending
contest between industry, governments, and computer users, on the one
hand, and cyber criminals, on the other. Hackers remain elusive,
aggressive, and innovative. When we last testified before this
Subcommittee on this topic, the ``ILOVEYOU,'' Code Red, Ramen, Li0n,
and Trinoo worms and viruses had already struck a variety of operating
systems. Since that time, criminal hackers have unleashed Slapper,
Scalper, Slammer, Blaster, SoBig, and many other viruses and worms to
infect computers, deny service, and impair recovery.
There are no silver bullets in cybersecurity, and there will always
be vulnerabilities in complex software and systems, as well as human
errors made. As was true in 2001, cybersecurity involves many layers
and many collaborative partnerships, including software design,
software configuration, software patching, the sharing of threat and
vulnerability information, user education, user practices, and the
investigation and prosecution of cybercrime both within the United
States and internationally. In other words, cybersecurity involves
management of technology as much as the technology itself.
Meanwhile, much has changed since we last testified before you.
Consumer dependence on the Internet has grown, and consumers are more
frequently sharing their personal information, including their
identities, contact information, financial data, and health
information, over the Internet. Moreover, as the personal computer
becomes more central to the daily lives of many citizens and to the
daily functions of the public and private sectors, the government,
consumers, and business enterprises are storing more personal
information on their Internet-connected computers and networks, thus
potentially exposing their data to hackers even if that personal
information is never transmitted over the Internet. In addition,
consumers with broadband are, unlike those with a dial-up connection,
connected to the Internet with unvarying IP addresses and at a high
connection speed, and therefore place consumer data at greater risk. As
of March 2003, 30 million homes in America had a broadband connection
to the Internet, double the number who had a high-speed connection at
home at the end of 2001 and a 50% increase from March 2002.
Another key change over the past two years is that the time between
the issuance of a patch and the time when we see a concrete exploit
taking advantage of the underlying vulnerability has dramatically
shortened. This time period is crucial because we have had very few
attacks that actually precede the patch; more typically, once a patch
is released, a race ensues between those installing the patch to
eliminate the vulnerability and those developing code that exploits the
vulnerability. When an exploit is developed faster, enterprises and
individuals have that much less time to learn of, test, and install the
patch before a hacker uses the exploit to inflict damage. That window
for the NIMDA virus was 331 days between patch release and exploit; for
Blaster, less than two years later, it was only 26 days.
The chronology leading up to the criminal launch of the Blaster
worm illustrates the complex interplay between software companies,
security researchers, persons who publish exploit code, and hackers. On
July 16, we delivered a patch for the vulnerability and a security
bulletin to our customers. This was followed by ongoing outreach to
consumers, analysts, the press, our industry partners, and the
government. On July 25, nine days after we released the patch, a
security research group called XFOCUS published a tool to exploit the
vulnerability that the security bulletin and patch had highlighted. In
essence, XFOCUS analyzed our patch by reverse engineering it to
identify the vulnerability, then developed a means to attack the
vulnerability, and finally offered that attack to the world so that any
unsophisticated hacker could then unleash an attack by downloading
XFOCUS's work and using launch tools freely available on the Internet.
At this point, we heightened our efforts to inform our customers
about the steps they should take to secure their computers. On August
11, only 26 days after release of the patch, the Blaster worm was
discovered as it spread through the Internet. This sequence of events
underscores a dilemma: the same information that helps customers to
secure their systems also enables self-identified security researchers
and others to develop and publish exploit code, which hackers then use
to launch damaging criminal attacks.
The sophistication and severity of cyberattacks are also
increasing. The Slammer worm in January 2003 did not attack the data of
infected systems, but resulted in a dramatic increase in network
traffic worldwide and in temporary loss of Internet access for some
users. This past summer, criminal hackers released the Blaster worm,
which spread by exploiting a security vulnerability for which we had
released a patch. Machines infected by Blaster used the network
connection to locate new, vulnerable machines, whereupon the worm would
copy itself, infect the new machine, and continue the process. Blaster
affected Windows NT4, Windows XP, Windows 2000, and Windows Server 2003
systems, but could not reach those machines that were patched and
defended by a properly configured firewall. The worm also tried to deny
service to those users seeking to download the patch for Blaster.
In addition, cybercriminals have been able to make viruses more
prevalent and harder for consumers to detect by ``spoofing'' legitimate
email addresses, which makes it more difficult to determine who the
real sender is. In 2002, there were twice as many email viruses as
there were in 2001. In January 2003, the SoBig virus spoofed email
addresses and contained infectious .pif attachments, which if opened
would infect the user's computer and search the infected user's hard
drive for email addresses of possible further victims. Multiple
variants of the SoBig virus surfaced during the year. It is important
to note that SoBig did not exploit any software vulnerability; it was a
social engineering attack based on users' willingness to trust email
that appeared to be from individuals whom they knew.
In response to these threats, industry has increased tremendously
the resources and priority it devotes to cybersecurity issues. Many of
those efforts continue today, and I will describe them in more detail
in the next Section. Over the past two years, the government has also
taken significant steps during this time period to address these
heightened risks for online consumers. We commend these actions as
important steps in our shared journey toward enhanced cybersecurity.
First and foremost, the Department of Homeland Security created the
National Cyber Security Division (NCSD) under the Department's
Information Analysis and Infrastructure Protection Directorate. The
NCSD is established to provide 24 x 7 functions, including cyberspace
analysis, issuing alerts and warning, improving information sharing,
responding to major incidents, and aiding in national-level recovery
efforts. The Department created the NCSD as part of its implementation
of the Homeland Security Act of 2002 and the National Strategy to
Secure Cyberspace, which the White House released in February 2003
after soliciting extensive comments from consumers, industry, and other
government actors. We worked with government officials in all of these
activities, and we are encouraged by the work DHS has done to date.
Moreover, I personally look forward to co-chairing a task force at its
December ``National Cyber Security Summit.''
Second, the United States signed the Council of Europe Convention
on Cybercrime in November 2001. The Convention requires parties to have
minimum procedural tools to investigate such attacks, and to facilitate
international cooperation in investigating those attacks. Because of
the inherently international nature of cybercrime, the Council of
Europe cybercrime treaty is an important step towards the transborder
cooperation that is vital to combating cybercrime and protecting
consumers. We look forward to the day when the treaty is sent to the
Senate for its consideration.
ii. our response to cybersecurity threats today
Security is Microsoft's top priority. We have devoted and will
continue to devote enormous resources to enhancing security. As we
confront new challenges and develop new approaches and new
partnerships, we continue to learn that perfect security in cyberspace
is unattainable, just as it is in the physical world. Operating system
software is one of the most complex items that humans have created, and
it is impossible to eliminate all software vulnerabilities. Thus, we
know that security is a journey rather than a destination, and it can
only be improved by partnerships involving government, industry,
responsible security researchers, and customers around the world
including government agencies, enterprises, and individual users. Two
years ago before this committee, my friend and co-panelist Howard
Schmidt properly stated, ``We know that there is no finish line to
these efforts, but by working as we have with industry peers--including
some of these panelists--and with governments, we have a chance to keep
one step ahead of cyber-criminals.''
A. Trustworthy Computing
In January 2002, Bill Gates launched our Trustworthy Computing
initiative, which involves every aspect of Microsoft and focuses on
four key pillars: security, privacy, reliability, and business
integrity. Security involves designing programs and systems that are
resilient to attack so that the confidentiality, integrity, and
availability of data and systems are protected. The goal of our privacy
efforts is to give individual consumers greater control over their
personal data and to ensure, as with the efforts against spam, their
right to be left alone. Reliability means creating software and systems
that are dependable, available when needed, and perform at expected
levels. Finally business integrity means acting with honesty and
integrity at all times, and engaging openly and transparently with
customers.
Under the security pillar, we are working to create software and
services for all of our customers that are Secure by Design, Secure by
Default, and Secure in Deployment, and to communicate openly about our
efforts.
� ``Secure by Design'' means two things: writing more secure code and
architecting more secure software and services.
� ``Secure by Default'' means that computer software is more secure out
of the box, with features turned off until needed and turned on
by the users, whether it is in a home environment or an IT
department.
� ``Secure in Deployment'' means making it easier for consumers,
commercial and government users, and IT professionals to
maintain the security of their systems.
� ``Communications'' means sharing what we learn both within and
outside of Microsoft, providing clear channels for people to
talk with us about security issues, and addressing those issues
with governments, our industry counterparts, and the public.
The Trustworthy Computing goals are real and specific, and this
effort is now ingrained in our culture and is part of the way we value
our work.
We have enhanced the training of our developers to put security at
the heart of software design and at the foundation of the development
process. Security is and will continue to be our highest software
development priority. All new software releases and service packs are
now subject to an enhanced security release process which has already
resulted in a notable decline of vulnerabilities in some of our server
software. This effort, which can cost hundreds of millions of dollars
and delay the software's release to the market, is a critical step in
improving software security and reliability. We are seeing a
quantifiable and dramatic decrease in vulnerabilities: for example,
Windows Server 2003 followed this process and in the first ninety days,
we reported and patched three critical or important security
vulnerabilities and six total in the first 180 days. Whereas in Windows
Server 2000, we found eight critical or important vulnerabilities in
the first ninety days, and twenty one in the first 180 days.
When an attack does occur, our Microsoft Security Response Center
(MSRC) coordinates the investigation of reported vulnerabilities, the
development of patches, and our customer outreach efforts. We are very
proud of this organization and believe it represents the industry's
state of the art response center.
Although we have made major strides, much work on Trustworthy
Computing remains ahead of us. One key piece of that work is the Next-
Generation Secure Computing Base (NGSCB). This is an on-going research
and development effort to help create a safer computing environment for
users by giving them access to four core hardware-based features
missing in today's PCs: strong process isolation, sealed storage, a
secure path to and from the user, and strong assurances of software
identity. These changes, which require new PC hardware and software,
can provide protection against malicious software and enhance user
privacy, computer security, data protection and system integrity.
Part of Trustworthy Computing involves communicating with our
customers. In the wake of Blaster, we launched the Protect Your PC
campaign, urging customers to take three steps to improve their
security: install and/or activate an Internet firewall, stay up to date
on security patches, and install an anti-virus solution and keep it up
to date. The www.microsoft.com/protect web site serves as the focal
point for the campaign. We also provide a wide range of free security
tools and prescriptive guidance to make it easier for consumers to make
their computers and their data more secure.
B. Streamlining the Patching Process
Patch management is a significant issue. We recognize that the most
important solution is to reduce the number of vulnerabilities in code,
thus reducing the need for patching. This is why we are emphasizing
secure by design. But no operating system--regardless of development
model--will ever be free of all vulnerabilities. We must manage this
risk by providing customers with simple and easy to use patches. To
streamline those processes, we are taking the following steps:
� Improving our testing of patches to ensure patch quality.
� Reducing the number of patch installers to provide users with a
consistent patch experience, and make patching simpler.
� Working to ensure that each patch is reversible, so a rollback is
possible if deployment raises an unanticipated issue, such as
adversely affecting a legacy application.
� Ensuring that patches register their presence on the system--and
producing improved scanning tools--so a user can quickly
determine if his or her machine is patched appropriately.
� Making our security patch releases more predictable. We are now
providing security updates once a month, but we will still
provide patches outside this schedule when necessary, such as
when exploit code is publicly available.
� Avoiding reboot of the computer where practicable, as our customers
are more likely to apply a patch more quickly, if server
availability will not be interrupted.
� Producing specific technology, such as Software Update Services and
Systems Management Server, so enterprises can download patches,
test them in their unique environments, and then easily deploy
them.
� Informing customers about the AutoUpdate feature in recent Microsoft
operating systems, which can automatically download updates and
then either install them as scheduled or request permission
from the user to do so.
C. Securing Enterprises to Protect Consumers
As noted, protecting consumer security depends, in part, on
protecting the security of enterprise servers, which often hold
valuable consumer data. Steve Ballmer, Microsoft's Chief Executive
Officer, announced last month that we are working to secure these
networks from the hazards that arise when users log into those networks
from home or other remote locations. Those hazards include malicious e-
mails, viruses and worms, malicious web content, and buffer overruns.
While patches remain part of the solution, we are developing what
we call safety technology to secure these networks at the perimeter by:
� Reducing the risk from computers such as notebooks and portable
computers that are moved between an enterprise's network and
external networks.
� Improving browsing technologies to minimize the risk of hostile web
sites executing malicious code on visiting users' computers.
� Enhancing memory protection to help prevent successful buffer overrun
attacks.
� Improving the Internet Connection Firewall within Windows while also
working closely with partners in the software security
industry.
Through these measures, we hope to help protect machines even when
not patched, thus giving enterprises more time to test and deploy
patches and enabling enterprises to patch on their schedule, not on a
schedule determined by hackers.
We are also providing new information and guidance on how
enterprises can secure their computers to protect data, including the
personal information of their customers.
D. Industry Partnerships
We embrace our role in providing more secure computing for all our
customers. Because security is an industry-wide issue, we participate
actively in partnerships that span the industry, customers and both the
public and private sectors to encourage customers to implement software
in more secure ways.
For example, we are a founding member of the Organization for
Internet Safety (OIS), an alliance of leading technology vendors,
security researchers, and consultancies that is dedicated to the
principle that security researchers and vendors should follow common
processes and best practices to efficiently resolve security issues and
to ensure that Internet users are protected.
We also work with the Virus Information Alliance (VIA), a
centralized resource for Internet users seeking information about the
latest virus threats. Through its member companies, Microsoft, Network
Associates, Trend Micro, Computer Associates, Sybari, and Symantec, the
VIA offers recommended best practices for preventing malicious attacks,
information about specific viruses, how-to articles and links to other
anti-virus resources on its web site.
I am personally participating with some of my co-panelists in the
Global Council of Chief Security Officers, a newly formed think tank
that will share information with member companies and governments on
cybersecurity issues and enhance the involvement of private sector
officials in cybersecurity issues.
We also helped found the Information Technology--Information
Sharing and Analysis Center (IT--ISAC) and I serve on its board today.
The IT-ISAC coordinates information-sharing on cyber-events among
information technology companies and the government.
E. Anti-Virus Reward Program
Two years ago we spoke about the need to increase deterrence of
criminal hacking. Although the Cyber Security Enforcement Act passed
this Congress last year, there is still much more that needs to be
done. Despite the best and laudable efforts of dedicated law
enforcement personnel, far too many hackers unleash their malicious
code or commit crimes with no punishment, as evidenced by the fact that
the authorities have yet to bring to justice the criminals who launched
major attacks like Blaster, NIMDA and Slammer. This is an untenable
situation, and it is one the nation allows to persist in no other area.
We need a robust deterrent to criminal activity online.
When criminal attacks are launched, we work with law enforcement
officials to support their investigations. And earlier this month, we
took a significant step to support them by creating the Anti-Virus
Reward Program to provide monetary rewards for information resulting in
the arrest and conviction of hackers. For example, we have announced a
reward of $250,000 each for information leading to the arrest and
conviction of those responsible for the SoBig virus and the Blaster
worm.
To use a medical analogy, we are strengthening the Internet's
immune system through initiatives such as the anti-virus reward
program, our technical and legal anti-spam efforts, consumer education,
and efforts to secure existing systems and to make security integral to
new systems and applications. In the meantime, interim treatment will
be necessary.
iii. the government's role
The government continues to play a key role in efforts to secure
consumers' software and data. We have recently collaborated with the
Department of Homeland Security to raise awareness of cyberthreats
through release of security bulletins. Such partnering between industry
and the government is a vital step toward additional cybersecurity for
consumers. I want to outline a few specific areas where government
initiatives can be particularly helpful in promoting cybersecurity.
First, sustained public support of research and development
continues to play a vital role in advancing the IT industry's efforts
to secure consumers' software and data. A major portion of our $6.9
billion annual R&D investment goes to security, and accordingly, we
support additional federal funding for basic cybersecurity research and
development (R&D), including university-driven research. The public
sector should increase its support for basic research in technology and
should maintain its traditional support for transferring the results of
federally-funded R&D under permissive licenses to the private sector so
that all industry participants can further develop the technology and
commercialize it to help make all software more secure.
Second, the government can lead by example by securing its own
systems through the use of reasonable security practices, buying
software that is engineered for security, and providing better training
for government systems administrators. We also hope government will
continue to promote security awareness among both home consumers and
businesses--as the Federal Trade Commission did in its information
campaign featuring Dewie the Turtle.
Third, government and industry should continue to examine and
reduce barriers to appropriate exchanges of information, and to build
mechanisms and interfaces for such exchanges. One encouraging step in
this direction is the NCSD's recent creation of the National Computer
Emergency Response Team (US-CERT). This coordination center, for the
first time, links public and private response capabilities to
facilitate communication of critical security information throughout
the Internet community.
Fourth, it will take increased government commitment to root out
those who hack into computers and propagate destructive worms and
viruses that harm millions of computer users. Therefore, law
enforcement should receive additional resources, personnel, and
equipment in order to investigate and prosecute cyber crimes. We also
support tough penalties on criminal hackers, such as forfeiture of
personal property used in committing these crimes.
Fifth, because cybersecurity is inherently an international problem
with international solutions, greater cross-jurisdictional cooperation
among law enforcement is needed for investigating cyber-attacks.
conclusion
We will continue to pursue Trustworthy Computing and to work
closely with our partners in the computer, software, and communications
industries, the government, and our customers to enhance cybersecurity.
In the end, a shared commitment to reducing cybersecurity risks and a
coordinated response to cybersecurity threats of all kinds--one that is
based on dialogue and cooperation between the public and private
sectors--offer the greatest hope for protecting the privacy of consumer
data, enhancing the confidence of consumers in the Internet, and
fostering the growth of a vibrant, trustworthy online economy.
Mr. Stearns. I thank the gentleman.
Mr. Morrow, welcome.
STATEMENT OF DAVID B. MORROW
Mr. Morrow. Thank you. Mr. Chairman and members of the
subcommittee, thank you for the opportunity to testify before
you today on Cybersecurity and Consumer Data: What is at risk
for the consumer?
My name is David Morrow and I am the Deputy Director of
Global Security and Privacy Services at Electronic Data
Systems, Incorporated. I have over 25 years of experience in
the information technology field, with an emphasis on security.
I am honored to join you today to present EDS's views on the
state of information security or cybersecurity 2 years after my
last appearance before the subcommittee.
I will focus today my comments on what has changed in the
last 2 years, what needs improvement, and what can be done by
both industry and the government to further protect our
information networks. I will provide an outline here and
request that my written comments be entered into the record.
So, what has changed? Thankfully, we have not seen another
September 11. But as has been noted previously, we are still in
a heightened threat environment. More recent attacks on our
information networks, such as the DNS Root Server attacks in
October 2002 and several high-profile virus and worm attacks,
have not stopped us from relying on these networks to conduct
business and live our lives.
In that context, here are some of the things that we are
seeing: We are seeing an increase in the tempo and severity of
new viruses and other attacks on our information
infrastructure. That makes what we call ``patch management'' a
much larger issue.
We are also seeing an alarming increase in the incidence of
identity theft and criminal misuse of personal information that
affects millions of Americans. Other changes are occurring in
the regulatory environment. While regulations don't give
detailed requirements for information security, and shouldn't
in my opinion, they do have implications for improving the
integrity of everyone's data. Due to the increasing number of
attacks and some of the regulatory requirements, we are seeing
an increased awareness of the problem. More clients are coming
to us with questions about how to address their information and
network security, but they are often still asking the wrong
questions.
There is not one solution that can address everything.
Information security is a continual process that elevates
security planning out of the traditional information technology
silo. Companies and agencies need to look at information
security in a holistic way to create and integrate what has
been dubbed ``the culture of security'' into their entire
enterprise.
Despite this demonstrated critical importance and increased
awareness, we have not seen a notable increase in the amount of
investment that small and medium companies are making, and the
government, are making in information security. There is cause
for hope, however, because in a survey of corporate information
officers released earlier this month by Forrester Research,
increased funding for security and privacy efforts were at the
top of the priority list for 2004.
What companies have been doing is committing some resources
and expertise to the greater dialog in information security.
Importantly, efforts are extending beyond the so-called high-
technology sector into the greater business community, but more
still needs to be done in that area.
EDS recently led a project in Business Roundtable to
develop a cybersecurity road map for large corporations in any
sector. ``Building Security in the Digital Economy: An
Executive Resource,'' was submitted as part of my written
testimony.
So what needs improvement? Based on the changes I have
mentioned, I would like to make two points about areas where we
can do more. First, while I appreciate the increased level of
awareness about information security, we need to improve on the
level of real investment. In order to do that, we need to
incorporate the notion of security as a business enabler into
all of our business models. Enterprises that do so are
investing in more strategic ways and are better able to serve
their clients, consumers, citizens and business partners.
Second, we can improve upon the effectiveness of our
information-sharing and public/private partnership efforts. We
have made important strides in this area, but we need to do
more to coordinate activities and results.
In sum, I would characterize that our state of information
security information is marginally better than it was 2 years
ago, with the hope for greater improvement.
So what can we do? I would like to make a few
recommendations based on my comments today.
First, we can continue our efforts for a more coordinated
program of industry/government cooperation.
Second, we can strive to improve information-sharing
mechanisms and look for ways to collaborate across them as well
as within them.
Third, we still believe that there are areas where
incentives are necessary for companies to upgrade their
information security, especially for small- and medium-sized
companies. This is also particularly true for functions that
the U.S. Government deems to be of critical importance to our
economic and, therefore, our national security.
Fourth, we must continue to emphasize research and
development for innovations in security.
Fifth, I still remain a strong proponent of ways in which
we can develop and professionalize the cadre of information
security professionals practicing today, including the
expansion of programs beyond purely technical disciplines and
into the more general business and general curriculums.
And finally, due to the interconnected networks that
transcend traditional borders today, it is imperative that we
engage in the overall global dialog on information security as
well.
In conclusion, I would like to emphasize that the
improvements we have made over the last 2 years in information
security have much to do with increased awareness, and I
support efforts such as this hearing toward that objective. We
are now better off and we are leaning in the right direction,
but we can and need to do more now. I outlined some suggestions
for future focus that I hope are helpful.
Mr. Chairman, thank you for the opportunity to share my
views and EDS's experience once again. I will be happy to
answer questions you or members of the subcommittee may have.
[The prepared statement of David B. Morrow follows:]
Prepared Statement of David Morrow, Deputy Director, Global Security
and Privacy Services, EDS
introduction
Mr. Chairman and Members of the Subcommittee, thank you for the
opportunity to testify before you today on Cybersecurity and Consumer
Data: What's at Risk for the Consumer. My name is David Morrow, and I
am the deputy director for global security and privacy services at EDS.
I have over 25 years of experience in the information technology
(``IT'') field as a computer programmer and analyst, operations chief,
security officer, investigator, and consultant. Prior to joining EDS, I
was a security consultant with Ernst and Young, LLP and Fiderus
Strategic Security and Privacy Services, a small, start-up consulting
firm. I also spent 13 years of a 22-year Air Force career as an
investigator of computer crime for the Air Force Office of Special
Investigations (AFOSI). When I retired in 1998, I was the Chief of the
Computer Crime Investigations and Information Warfare Division for
AFOSI. I am honored to join you today to present EDS' views on the
state of information technology security, two years after my last
appearance before the Subcommittee.
In my testimony two years ago, I focused on the changes in our way
of life after the tragedy of September 11, and the need to make
investments to protect our information networks. I called upon
government and industry to increase their collaboration, to focus not
only on physical security but also information security, and to view
cyber security as an essential capital investment rather than as an
expense. I also noted a few ways that government can help industry bear
the burden to protect our information economy and, therefore, our
economic security. At the risk of repeating myself, I do want to
emphasize that all those comments still hold true. Today, I will focus
my comments on what has changed in the last two years, what needs
improvement, and once again where I think both industry and government
can make greater efforts.
What has changed?
Thankfully, we have not seen another September 11. However, we are
still in a heightened threat environment. More recent attacks on our
information networks, such as the DNS root server attacks in October
2002 and several high profile virus and worm attacks, have not stopped
us from relying on them to conduct business and live our lives. In
fact, we continue to look to information technology to drive
innovation, efficiency, and productivity in our business operations. In
addition, consumer use of the Internet for recreation and to conduct
business continues to expand. And, our networks and the data on them
are still vulnerable.
At EDS, we are seeing an increase in the tempo and severity of new
viruses and other attacks on our information infrastructure. As I
believe many of us predicted here two years ago, the complexity and
sophistication of such attacks has continued to increase, making the
task of defending and repairing our networks and systems all the more
difficult. Installing software ``patches'' to deflect intrusions has
become the favored way of addressing impending attacks. But, our
clients are concerned about the need to install patch after patch after
patch in rapid succession, on thousands of servers and tens of
thousands of desktops. As you can imagine, it is a daunting task to do
three major patch updates in one week in a large company or government
agency. As these attacks become more frequent, severe, and
sophisticated in often incompatible environments, what we call patch
management has become a larger issue.
Unfortunately, another change we have seen is the increased
incidence of identity theft and criminal misuse of personal information
that affects millions of Americans at any given moment. While there are
a variety of both high and low technology ways to obtain personal
identity and credit information, the biggest ``bang'' for the criminal
``buck'' is still to locate and steal such information from an insecure
network. I am disturbed by the increasing number of identity theft
victims, and I believe more effective practices in network security and
protection of personal data would benefit us all, both individually and
as a society. I am glad to see that the Administration and Congress
took the opportunity of reauthorizing the Fair Credit Reporting Act to
address this challenge in a positive way and look forward to the
passage of that legislation very soon.
Another change is the regulatory environment for us and for our
clients. The Federal Trade Commission's new ``Do-Not-Call-List'', the
Sarbanes-Oxley Act, and the pending FCRA reauthorization are the latest
iterations. They follow the Gramm-Leach-Bliley Act and the Health
Insurance Portability and Accountability Act. None of these regulatory
frameworks give specific requirements for information security--and
shouldn't, in my opinion. But in one way or another, either through
greater corporate accountability, stronger privacy requirements, or new
reporting obligations, each has direct or indirect implications for
improving the integrity of data. As such, I would argue that each
raises the level of awareness of information security in enterprises
across the country.
This increasing awareness is a key component in the changes that I
have seen in the last two years. More and more companies are coming to
us with questions about how to address their information and network
security. The problem is, they are still often asking the wrong
questions. There is not a silver bullet that can address everything
that achieves a stronger security posture. You can't point and click
and say ``done.'' There are no magic technologies or software.
Information security is a continual process that elevates security
planning out of the traditional information technology silo and
involves the whole enterprise: IT, legal, regulatory, sales, marketing,
and security, as well as each individual employee and business partner.
It's hard work, but it's essential.
Another concern is the lack of details or guidance on standards of
acceptable security practices. There are many organizations that are
putting forth standards that purport to drive best practices or
interoperability, for example. But the proliferation of differing
standards has caused some confusion among some of our clients that has
prevented them from making important changes as they wait for further
direction. We often use the ISO Standards because they are widely
accepted, but there is room for improvement in developing standards for
the future that are flexible enough to reflect changes in technology
and business operations.
As modern global businesses become increasingly intertwined through
partnerships, consortia, and merger and acquisition activity,
traditional network and security boundaries are, in many cases, no
longer intact. The security problems of one member of a partnership
arrangement or newly acquired company now quickly become the problems
of the entire group as the insecure network or system becomes the weak
link in the entire chain. In addition, information security entails
many things that may not appear to be security issues at first glance,
such as enterprise training, for example. Addressing these issues
requires strategic thinking about:
� the way a company or agency uses information, both on the network and
off;
� what information is critical to the enterprise;
� what risk mitigation measures need to be put in place for what
functions, how your information security fits into an overall
business continuity plan; and
� how privacy and security policies and processes complement--or
contradict--each other in the business.
Companies need to look at information security in a holistic way to
create and integrate what has been dubbed a ``culture of security'' in
to their enterprise. This may be a daunting task for those enterprises
that are behind, but it is crucial to ensuring our economic security.
Despite its demonstrated critical importance, we have not seen a
universally overwhelming increase in the amount of investment that
companies or the government are making in information security. Some of
the early adopters are often driven by regulation or in response to an
attack, but there are many more who have taken a wait-and-see approach
and hope that the next incident does not affect them--at least not too
much. Part of that is a response to the current economic situation, and
part is still a lack of understanding of the loss implications from an
attack or even a natural disaster.
There is cause for hope, however. In a survey of corporate Chief
Information Officers released earlier this month by Forrester Research,
increased funding for security and privacy efforts were at the top of
the list of priorities for 2004. I am hopeful that as the economy
continues to recover, these plans will materialize into concrete
actions and investment in the security and privacy of our national data
resources.
What companies have been doing since September 11, is committing
some resources and expertise to the greater dialogue on information
security. Trade associations and other industry groups are including
information security in their work program, or beefing up existing
programs. New information sharing mechanisms are developing, existing
ones are working to improve their impact, and industry groups are
putting forth best practices and other guidance for their industry. EDS
was a founding member of the Information Technology Information Sharing
Analysis Center, or ISAC, one of 13 that were set up as part of
Presidential Decision Directive 63 for the designated critical
infrastructures. We have also taken on a role in the National
Infrastructure Advisory Council (NIAC) that was established after
September 11.
Importantly, efforts are also extending beyond the so-called high
technology sector. EDS led an effort in the Business Roundtable, an
association of Fortune 200 Chief Executive Officers, to develop a
roadmap for large corporations in any sector to seriously consider
their cyber security. The publication is called Building Security in
the Digital Economy: An Executive Resource and is submitted as part of
my written testimony.
What still needs improvement?
While I appreciate the increased level of awareness, I still think
we need to do more to increase the level of real investment and
improvement in information security. I believe it requires a
recognition that security is not merely good for its own sake. We need
to incorporate the notion of security as a business enabler into our
business models. Enterprises that are looking at security as an enabler
to their business are investing in more strategic ways, and are,
therefore, better able to serve their clients, consumers, citizens, and
business partners. As I said earlier, it's not just a business expense
. . . it's an essential element in today's strategic--and networked--
business model.
I believe the jury is still out on the role of the Department of
Homeland Security in information security. We do applaud the creation
of the National Cyber Security Division (NCSD) as well as its initial
efforts on establishing the U.S. Computer Emergency Response Team (US-
CERT) and collaborating with industry. EDS will be participating in the
Cyber Security Summit scheduled for early December and the ongoing work
of the summit's designated task forces. However, we hope that its
placement in the new agency does not illustrate a lack of concern,
authority, or funding for information security efforts in the US
government. We all need to be diligent to make sure the NCSD's efforts
are maintained and relevant.
Virtually every one on this panel two years ago called for a
public-private partnership and increased collaboration on cyber
security. Arguably, we have made important strides in that direction as
more companies, people, and agencies are talking about these issues in
our associations and in government groups. These efforts are
encouraging, but I argue we can do more, particularly by coordinating
and learning from them, rather than duplicating them. In addition, once
again we cannot look at individual aspects of security in isolation. As
we consider our infrastructure protection, we have to look at the
convergence of physical and cyber security because they can no longer
be looked at independently.
In sum, I would characterize our state of information security
readiness as marginally better than it was two years ago, with hope for
greater improvement. While more are concerned, many are not doing as
little as possible to remedy the problems they have. While more are
aware of the threat, they are not mitigating the corresponding risks
with appropriate measures. And, while there is more activity and
public-private collaboration on information security, it is not well
coordinated across the spectrum of industries and issues that are
impacted by security measures.
What can be done?
First, we can continue our efforts for a more coordinated program
of industry-government cooperation. The release of the Administration's
National Strategy to Secure Cyberspace earlier this year provides a
framework for continued work, and I urge both industry and government
to take advantage of the upcoming Summit to solidify some of that work
going forward. The Department of Homeland Security's National Cyber
Security Division provides a focal point for monitoring industry
efforts and participating as appropriate. As DHS solidifies its
operations, we should ensure that the division has the appropriate
mandate, funding, and industry coordination to support its activities.
Second, we can strive to improve information sharing mechanisms
that are an important component of the public-private partnership on
cyber security. For example, the Information Sharing and Analysis
Centers (ISACs) are still active and are looking for ways to be more
effective for their industries. I would argue the ISACs should also
look for ways to communicate and even collaborate with each other when
appropriate. Just as we cannot put information security into one silo,
we cannot look at each industry sector in isolation. We are all
interconnected now and rely on not only the security of our own
network, but that of our suppliers, customers, partners, and
competitors. Industry was collectively pleased when Congress provided
for Freedom of Information Act exemptions for information shared on
cyber security in the Homeland Security Act. We urge Congress to
preserve the integrity of that provision in any future reviews of the
Act in order to allow continued information sharing about
vulnerabilities, breaches, attacks, and other actual or anticipated
cyber incidents. Our experience has repeatedly shown that effective and
timely information sharing is one of the most effective ways to prevent
widespread incidents and to combat them when they do occur.
Third, we still believe there are areas where incentives are
necessary for companies to allocate the necessary funds to upgrade
their information security. This is particularly true for functions
that the US Government deems to be of critical importance to our
economic--and, therefore, our national security.
Fourth, we must continue to emphasize research and development for
innovations in information security and encourage Congress to keep
these avenues open for resolution in the budget process.
Fifth, I remain a strong proponent of ways in which we can continue
to develop and professionalize the cadre of information security
professionals practicing today. In the past two years we have seen a
notable increase in the number of educational institutions offering
courses and even advanced degrees in information security topics. While
this is an encouraging sign, I still believe that there is great room
for improvement in expanding the discussions beyond the purely
technical disciplines and into the more general business curriculum.
Finally, as stated earlier, our intertwined information networks
are global in nature and transcend traditional borders. That directly
impacts global companies such as ours as well as consumers. It is
imperative that we engage in the global dialogue on information
security as well. I commend the Organization for Economic Cooperation
and Development and the Asia Pacific Economic Cooperation for their
efforts to bring this issue to the international arena.
Conclusion
In conclusion, I would just like to emphasize the fact that the
improvements we have made over that last two years in information
security have much to do with an increasing awareness of cyber security
concerns for all of us. Increased awareness here at home and abroad
will continue to be crucial for our security going forward, and I
support efforts such as this hearing toward that objective. We are
better off and heading in the right direction, but we can and need to
do more--now. I have outlined some suggestions for future focus that I
hope are helpful to the Committee.
Mr. Chairman, thank you for the opportunity to share my views and
EDS' experience once again. I will be happy to answer any questions you
and the Members of the Subcommittee may have.
Mr. Stearns. Thank you.
Ms. Davidson, welcome.
STATEMENT OF MARY ANN DAVIDSON
Ms. Davidson. Thank you, Mr. Chairman, Ranking Member
Schakowsky, and members of the subcommittee. My name is Mary
Ann Davidson and I am the Chief Security Officer of Oracle.
Thank you for inviting me here again to talk about the efforts
information technology consumers, producers, caretakers, and
policymakers can take to advance information assurance.
As you know, I appeared before the subcommittee just a few
months after the events of September 11. In the shadow of one
of the most tragic terrorist attacks in history, all of us
contemplated the potential catastrophe caused by cyberterror on
a massive scale.
While we have yet to witness a point-and-click terrorist
attack, we have experienced, through Code Red, Blaster and
SoBig, its forbears, billions of dollars in damage and lost
productivity. These attacks are a grim reminder that far too
much commercial software is built without attention to
information assurance principles, leaving many of our national
cyberassets vulnerable to attack; and the vulnerability
increases every day.
Bounty money may nab us a few bad guys' scalps, but it
won't slow the development of automated hacking tools. This is
a cyber arms race and the bad guys are winning. For us at
Oracle, the goal is clear: to achieve an industry culture where
all commercial software is designed, developed, and deployed
securely.
It has been said twice there are no silver bullets, so I
won't say that. I will say it is not going to be a slam dunk.
And, in fact, good intentions can do more harm than good. In
California, a breach of a major data center prompted the
legislature to hastily impose reporting requirements on
security breaches. However well intended, the law was passed
without a fundamental understanding of the limits of current
technology and arguably could make the consumer data more
vulnerable to unauthorized access.
We need sound ideas, not good intentions from government.
Fortunately, the Federal Government can do good both as a
software buyer and a policymaker to strengthen the culture of
secure software.
The Federal Government first of all can leverage its buying
power by insisting on more secure software. And we know at
Oracle how this works, because we built security for 25 years,
because of one of our important customer bases, who I
affectionately refer as the ``professional paranoids'' asked us
for it.
The Defense Department is setting an excellent example by
enforcing a pro-security approach to procurement through NISSIP
11, which says for national security systems an agency can
purchase only that software which has been independently
evaluated under the Common Criteria or the Federal Information
Processing Standards Cryptomodule Validation Program. That is a
mouthful.
Since NSTISSP 11 went into effect 17 months ago, we have
seen a number of positive developments. First, many firms are
finally pursuing evaluations under FIPS of the Common Criteria
for the first time, and it is high time.
Second, several firms, including Oracle, are financing
evaluations of open-source products.
Third, many organizations, such as the financial services
industry, are coming together to make security a purchasing
criteria industrywide, and are using NSTISSP 11 as a model.
Thanks to NSTISSP 11, security is now far more in the
software development consciousness than it was 2 years ago.
That is a victory for which a large part of the credit goes to
Congress and to DOD and the intelligence agencies.
There are other ways that the Federal Government can
leverage its buying power. For example, the Federal Government
could insist that the commercial software it buys is either
defaulted to a secure setting ``out of the box'' or made easy
for the customer to change security settings, such as through
automated tools.
As more private and public consumers seek Common Criteria
and FIPS as potential security benchmarks, a go-to
clearinghouse is needed to validate vendor security claims and
compare them to evaluation results themselves; to make apples-
to-apples comparisons. For example, a couple of vendors can do
common criteria evaluation and yet have far more stringent
targets or less stringent targets. The clearinghouse would
enable buyers to perform scorecarding and facilitate
comparisons.
Evaluations can cost a half million dollars under the
Common Criteria, so it is clearly not for everyone and probably
not for consumer software. A software equivalent of the
Underwriters Laboratories could ensure that even this kind of
software is secure by design, delivering deployment.
Thanks to the UL, most consumer products are generally
difficult to operate in an insecure fashion. We don't expect a
consumer to do anything special to operate Cuisinarts securely;
they just are secure. And, in fact, you have to make the
product do something unnatural to hurt yourself while using it.
Consumers should not be expected to be computer security
experts. Industry needs to make it easy for them to be secure.
Finally, a culture of security has to have an academic
component for professional development and research in areas
not addressed in the commercial marketplace. It is said, to err
is human. A developer can check 20 of 21 conditions, and if
failure to check the 21st causes a buffer overflow, the system
is sometime vulnerable. Hackers only need to find one error,
but developers have to close every one. It is an uneven battle.
Federal support can help level the playing field.
Research is needed on tools that can scan software and
pinpoint irregularities or back doors in the code. This type of
product is not seen as an attractive option among venture
capitalists, because the dominant market mentality in
information assurance is focused on developing a better Band-
Aid, rather than an effective vaccine.
The recently enacted Cbersecurity Research and Development
Act can be a useful resource for these types of challenges and
Congress should make the highest possible investments to
implement this legislation. If the medical community can
eradicate smallpox with a strong investment in research, we
should be able to eradicate buffer overflows. It is just code,
after all.
The R&D Act can also fund new and improved academic
programs and research centers on computer security in order to
increase the number of graduates with this specialty. And, in
fact, we need to change the mentality around who we allow to
work on critical cyberinfrastructure. We don't allow engineers
to design buildings merely because they use the coolest
materials; they have to be licensed professional engineers.
A similar approach is needed in cybersecurity. Ignorance
and hubris are the enemies of reliable cyberinfrastructure.
Industry lacks for neither of these, unfortunately, so long as
we hire based on knowledge of programming languages and not
whether those employees understand the language of
cybersecurity.
We are at war and all of our foot soldiers must be armed
with the knowledge of what the enemy can and will do to the
careless or unprepared. A strong academic component can also
foster a diverse culture. Diversity will prevent the TI
equivalent of the Irish potato famine, where reliance on one
strain of potatoes brought on mass starvation and emigration.
Lack of biological diversity in many IT infrastructures has
rendered them immensely susceptible to cyberplagues, and I
daresay that far more than one-quarter of our population would
be affected should the next cyberplague be more destructive
than its predecessors.
Biological diversity breeds resistance and the lack of it
is deadly.
Ultimately, any culture is as strong as the institutions it
supported, so our hope is that government will work with us in
an industry, in an academia to facilitate the institutions
practices and mores necessary to build a vibrant strong culture
and security. I believe we turned the corner and are making
progress. We are extremely pleased to be a part of the next
month's Cybersecurity Summit being planned by the Department of
Homeland Security. That kind of dialog can ensure that we have
turned the corner for the better.
Mr. Stearns. I may need you to sum up.
Ms. Davidson. Thank you, Mr. Chairman, and I thank you for
the opportunity to appear before you today.
[The prepared statement of Mary Ann Davidson follows:]
Prepared Statement of Mary Ann Davidson, Chief Security Officer, Oracle
Corporation
Mr. Chairman, Ranking Member Schakowsky, and members of the
Subcommittee, my name is Mary Ann Davidson, Chief Security Officer of
Oracle Corporation. Thank you for inviting me here again to talk about
cybersecurity, and specifically, the efforts all of us can take--as
information technology consumers, producers, caretakers and
policymakers--to advance information assurance.
As you know, I appeared before this subcommittee just a few months
after the ghastly events of September 11th. In the shadow of one of the
most tragic terrorist attacks in history, all of us contemplated the
potential catastrophe caused by cyberterror on a massive scale, and the
need for all of us to take far greater responsibility toward better
information assurance.
While we have yet to witness a point-and-click terrorist attack, we
have experienced, through CodeRed, Blaster and Sobig.F, its forebears,
with billions of dollars in damage and lost productivity. These attacks
are a grim reminder of what I warned this subcommittee two years ago:
Far too much commercial software is built without attention to
information assurance principles, leaving many of our national
cyberassets--most in private hands--vulnerable to attack.
This vulnerability increases every day. Bounty money may result in
the arrest of one or two of those responsible for cyberplagues, but it
won't slow the development of advanced hacking tools, or change our
increasing dependence on Internet-based platforms to administer public
and private enterprises--two trends that are at the heart of our
growing vulnerability. We are in our own version of an arms race, and
the bad guys are winning.
For the information technology industry, our contribution to
cybersecurity is straightforward: to achieve a marketplace and an
industry culture where all commercial software is designed, delivered
and deployed securely. There are no ``silver bullets'' to get there. A
culture of security will require years to achieve and decades to
maintain. Good intentions are not good enough and frankly, can do more
harm than good. We already have seen one instance, in California, where
a cyber-related event triggered a rush by the legislature to impose
reporting requirements on security breaches. This law was passed
without a fundamental understanding of the limits of current
technology, and arguably could make consumer data more vulnerable to
unauthorized access. It's not good intentions, but sound ideas that we
need from government, and fortunately, there are a number of
constructive steps the federal government can take, as both a software
buyer and policy-maker to move us toward a culture of secure software.
Let the buyers be wary. Try as you might, Congress can't legislate
good software. Those in a position to make a difference for the better
are software consumers, from small business enterprises to big
government agencies. All they have to do is make security a purchasing
criterion. We at Oracle made the investments to integrate security
throughout our development process because our customers asked for it.
Our first customers, the intelligence community, who I affectionately
call the ``professional paranoids,'' are some of the most security-
conscious people on the planet.
After ten years of an on-again, off-again merry-go-round by the
federal government to become a more responsible software buyer, we are
seeing constructive action being taken by the Defense Department to
enforce a pro-security approach to software procurement known as
NSTISSP #11. Simply put, for national security systems, an agency can
only purchase commercial software that has been independently evaluated
under the international Common Criteria (ISO 15408) or the Federal
Information Processing Standards (FIPS) Cryptomodule Validation Program
(CMVP).
Since NSTISSP #11 went into effect 14 months ago, we've seen
several positive developments. First, a number of firms, including
several of our competitors, are getting their products evaluated under
FIPS or the Common Criteria for the first time. Second, we're seeing
firms, including Oracle, financing evaluations of open source products.
The security of open source versus proprietary software must not be a
religious argument, as it so often is, but a business one. Open source,
like proprietary software, is here to stay. We must all work to make it
as secure as possible. Third, several industry organizations, such as
the financial services industry, are coming together to make security a
purchasing criterion industry-wide and are using NSTISSP #11 as a
model.
We're seeing all of this because the initial impression from an
industry perspective is that the federal government--the largest single
buyer of commercial software--means business this time. As a result,
security is now more in the software development consciousness than it
was two years ago, and all of us as information technology consumers
stand to benefit. That, in and of itself, is a major victory, and
credit goes to the people within the Defense Department and
intelligence agencies, as well as Congress, who are making a concerted
effort to make this process work.
Secure ``out of the box.'' NSTISSP #11 is a strong lesson that the
federal government, acting as a security conscious software buyer, can
change the entire commercial software landscape for the better. That
said, are there ways, other than NSTISSP #11, that can accomplish the
same purpose? We believe one measure worth considering is for the
federal government to insist that the commercial software it buys is
either defaulted to a secure setting right out of the box, or made easy
for the customer to change security settings, for example, through
automated tools that enable customers to become, and remain, secure.
For example, the Office of Management and Budget, working in
conjunction with the federal agencies, the National Institute of
Standards and Technology (NIST) and private industry, could specify
what is the appropriate default security setting for the software it
buys, or require appropriate and easy-to-use tools needed to change
these settings.
Software Underwriters Lab. Government can be a useful vehicle to
promote voluntary cooperation in the name of better security. For
example, the Federal Trade Commission could work with the software
industry to establish the software equivalent of the Underwriters
Laboratories (UL). Security evaluations under the Common Criteria,
which can cost half a million dollars per evaluation, are not for
everyone, especially for many forms of consumer software. A software
version of the UL is a cost-effective vehicle to capture less complex,
more consumer-oriented forms of software. Again, the fundamental goal
is to make all commercial software secure by design, delivery and
deployment. To get there, the federal government should work with
private industry to establish a consumer software equivalent of the UL.
Thanks to the UL, most consumer products are generally difficult to
operate in an insecure fashion. For example, Cuisinarts are designed so
that you can't lose a finger while the blades are whirling. We don't
expect the consumer to do anything special to operate Cuisinarts
securely; they just are secure. Similarly, consumers should not be
expected to be rocket scientists or security experts. Industry needs to
make it easy to be secure.
Better Information for Buyers. There are already several good web
sites to help private and public customers understand Common Criteria,
FIPS and NSTISSP #11. However, particularly as more and more private
customers see Common Criteria as a potential security benchmark, we are
finding that what many of our customers need is a one stop, ``go to''
site in order to validate vendor security claims and compare them to
the evaluation results themselves. It would be useful for a government
procurement officer, or a private sector buyer, to be able to see all
evaluations of any type, for a single vendor, at a single glance, from
a single location, whether FIPS-140 or Common Criteria, whether
evaluated here or abroad. This empowers them to make apples to apples
comparisons. For example, two database vendors can both receive an EAL4
certification, even though one database vendor made two functionality
claims in a security target, while the other database vendor made forty
security claims. A clearinghouse would enable buyers to perform
security target ``scorecarding'' and facilitate this and other types of
comparisons.
Academic Research and Professional Development. As in many
disciplines, the market alone cannot produce every security solution. A
culture of security, like any professional culture, has to have an
academic component for professional development, and to advance the
field in areas not addressed in the commercial marketplace. For
example, even with a good development process, ``to err is human.'' A
developer can check 20 of 21 conditions, and if failure to check the
21st causes a buffer overflow, the system is still potentially
vulnerable. Keep in mind, hackers only need to find one error, while
developers have to anticipate and close every one. It's an uneven
battle. Federal government resources directed toward academic talent
can work with industry and level the playing field.
One area that deserves attention, especially as more and more US
firms partner with foreign countries on software development, is
research on effective tools that can scan software and pinpoint
irregularities or backdoors in the code. Unfortunately, this type of
product research and development is not seen as an attractive option
among venture capitalists, who generally channel their funds toward
products that are nothing more than techno-band-aids for security
faults. In other words, the market mentality toward information
assurance is focused on developing a better Band-Aid, rather than an
effective vaccine.
Congress last year took an important step in filling this void when
it passed the Cyber Security Research and Development Act, which
authorizes nearly a billion dollars over five years to invest in
projects like code-scanning tools. We are about to enter the second
year of this five-year program, and Congress is providing very limited
assistance to pursue the goals of this legislation. We hope Congress
will increase its investment.
If the medical community could eradicate smallpox with a strong
investment in research, we should be able to eradicate buffer
overflows. It's just code, after all.
A portion of the proposed investments under the Cyber Security R&D
Act is authorized to create or improve academic programs and research
centers on computer security in order to increase the number of
graduates with this specialty. These kinds of investments are needed.
The National Science Foundation reported earlier this year that only
seven PhD's in cybersecurity are awarded each year. Research conducted
more than two years ago found that while there were twenty-three
schools identified as ``centers of excellence'' in information
assurance, not one four-year university offered a bachelor's program in
cybersecurity. Only one associate degree program was offered at two-
year institutions. We've seen some progress on this front, but much
more can be done if the federal government invested more resources in
this effort. The private sector can be a critical support component as
well, especially given the current and growing demand for information
security professionals among publicly held corporations.
In the IT industry, no one should be able to work on software that
becomes part of critical infrastructure without proving that they
understand and can demonstrate sound software design, coding and
engineering principles. We do not allow engineers to design buildings
merely because they use ``the coolest materials.'' They must be
licensed professional engineers. Why do we hire programmers to design
critical IT infrastructure merely because they know the coolest
programming languages? Ignorance and hubris are the enemies of reliable
cyber infrastructure. Industry lacks for neither of these,
unfortunately, so long as we hire based on what programming languages
someone knows, and not whether they speak the language of
cybersecurity. We are at war, and all our footsoldiers must be armed
with the knowledge of what the enemy can and will do to the unprepared
or careless.
A strong academic component in our culture of security also fosters
a competitive and diverse culture. Strong competition and diversity
will prevent the IT equivalent of the Irish potato famine, where
reliance on one strain of potatoes brought on mass starvation and
emigration. Similarly, lack of ``biological'' diversity in many IT
infrastructures renders them immensely susceptible to cyberplagues. I
dare say that far more than one quarter of our population would be
affected should the next cyberplague be more destructive than its
predecessors. Biological diversity breeds resistance. Lack of it is
deadly.
As today's hackers and virus spreaders demonstrate every day,
cybersecurity is an evolving discipline, one that combines art and
science, and determination and passion. One cannot simply take a
snapshot of a company's IT systems today and compare it to some
preconceived list and say ``yes, you are secure,'' or ``yes, you are
doing the right things toward better security.'' The state of the art
is in a perpetual state of revolution.
Ultimately, any culture is as good as the institutions that serve
as the foundation of that culture. So, if there is an overarching
recommendation for you and your congressional colleagues, it is to work
with us in industry and in academia to facilitate the development of
the institutions, practices and mores necessary to build a strong,
vibrant and diverse culture of security. I believe we have turned a
corner, and are making progress toward getting more and more of our
customers to think about security. Further steps are needed, such as
the ones outlined here. Again, these recommendations are no silver
bullets, but what we at Oracle believe are the next appropriate steps
up this ladder of better security. We are very pleased to be a part of
next month's Cybersecurity Summit being planned by the Department of
Homeland Security, and some of our leading trade associations.
Establishing that kind of regular, continuing dialogue is yet another
link toward making sure we have truly turned a corner for the better,
rather than yet another trip on the merry-go-round of information
assurance.
Thank you again, Mr. Chairman, for the opportunity to appear before
you today.
Mr. Stearns. And I thank the gentlewoman.
Mr. Ansanelli.
STATEMENT OF JOSEPH G. ANSANELLI
Mr. Ansanelli. Good morning. I am Joseph Ansanelli, CEO of
Vontu. Our company provides information security software,
specifically designed to help organizations protect consumer
data by monitoring for the inappropriate distribution of non-
public information via the Internet.
Mr. Chairman, members of the subcommittee, I commend your
efforts in organizing this hearing.
The FTC recently provided, I think, an excellent answer for
what is at risk for the consumer. As many of you know, in 2002
approximately 10,000,000 people were victims of identity theft.
They reported $5 billion in out-of-pocket expenses and many
hours repairing credit histories. In the last 5 years, almost
30 million people were victims. Clearly, identity theft is a
risk for consumers. There is also a risk for businesses, who
last year suffered an estimated loss of nearly $48 billion.
Additionally, businesses risk something even more important,
the loss of consumer trust.
Vontu recently commissioned a study of 1,000 consumers to
understand the relationship between consumer data security
trust and commerce. Three highlights from this study. No. 1,
security drives purchasing decisions. More than 75 percent of
consumers said security and privacy were important in their
purchasing decisions.
No. 2, consumer notification is important. About 80 percent
of the consumers said that they wanted to be notified when
companies are at least 75 percent sure that personal
information has been compromised, and, three, all security
violations are not the same. More than half of the respondents
said they would be more concerned if their private information
fell into the wrong hands due to an incident caused by an
employee rather than a hacker.
This third point is very important. While most security
testimony has focused on the remarks related to hackers
breaking into computer networks from the outside, our focus is
on the new security threat, insiders. Every day we create and
store records that contain credit card numbers, Social Security
numbers, and other types of non-public personal information.
The sad fact is that many identity thieves never have to break
into a firewall to get to this data. Their employer has already
issued them the password to access this information. As a
result, last year, a customer service representative of
TeleData Communications who had easy access to consumer credit
reports allegedly stole 30,000 customer records using his
legitimate access. TeleData is the single largest identity
theft crime ever prosecuted.
Also, the Secret Service has assembled teams to investigate
fraud rings that enlist corporate employees to steal consumer
information, and last consumer credit information provider
Trans Union issued a report stating that the top cause of
identity fraud today is now theft of records from employers or
other businesses.
The problem with better protecting consumer data is no
longer just an issue of keeping up with the hacker, but also
one of ensuring that those with access keep the information
secure. It is clear to me that we need new efforts to minimize
this growing risk of identity theft as well as the insider
threat.
However, I do not believe new government regulations alone
can solve this problem. The right solution is a partnership
with government and industry. To begin with, I suggest this
committee consider developing a consumer data security
standard, part of the Consumer Privacy Protection Act of 2003,
H.R. 1636. This would ensure a nationally unified and standard
approach to protecting consumer information. It should include
a requirement for companies to do the basics in security,
consider adding seat belts to automobiles. This requirement
should include protecting and ensuring the confidentiality of
non-public data, detecting potential misuse of consumer
information, and correcting problems as they are discovered and
notifying consumers when appropriate.
These requirements are similar to those under Gramm-Leach-
Bliley and HIPAA. I ask you to consider if and why the
industries covered by Gramm-Leach-Bliley and HIPAA are somehow
unique in their need to protect the same personal data such as
a credit card and Social Security numbers that many other
industries also store. It seems that any business it manages
exposes consumers to identity theft risk and should be held to
a similar standard.
Also, a national standard is important because confusion is
the enemy of consumer protection. Unless a national standard
emerges I fear that businesses will be forced to comply with a
patchwork of 50 different State regulations.
Last, it is important to have a carrot to ensure
partnership. The risk of civil lawsuits or steep fines
discourages some companies from going beyond the basic
requirement. We strongly suggest any future legislation include
a regulatory carrot through a safe harbor to encourage
companies to go beyond any basic security requirements without
fear of severe penalties.
In closing, if not more is done to protect consumer
information, especially in the electronic form, the cost of
identity theft will continue to grow, causing a drag on this
country to sustain its leading position in the global company.
I welcome the opportunity to answer any additional
questions.
[The prepared statement of Joseph G. Ansanelli follows:]
Prepared Statement of Joseph Ansanelli, Chairman and CEO of Vontu, Inc.
My name is Joseph Ansanelli and I am the CEO of Vontu, Inc. Our
company provides information security software to help organizations
protect consumer data by monitoring for the inappropriate distribution
of non-public personal information via the internet. I am honored to
provide testimony on information security, consumer data and the risks
for consumers.
Identity Theft is the Risk for Consumers
The FTC recently provided an excellent answer to the question
``What's at Risk for the Consumer?'' They estimate that approximately
10 million people in the last year alone were victims of Identity
Theft. These victims reported $5 billion in out-of-pocket expenses and
countless hours of lost time repairing their credit histories. In the
last five years, almost 30 million people or 10 percent of the US
population were victims of identity theft. Clearly, identity theft is
what is at risk for consumers.
Losing Consumer Trust is the Risk for Business
This is not only a risk for consumers, but is a risk for business
as well. As part of the same FTC report, the losses to businesses
totaled nearly $48 billion.
Additionally, there is a risk that is not mitigated through
insurance or other strategies--loss of consumer trust. Vontu recently
commissioned a survey of 1000 consumers in the United States to better
understand the effect that security of customer data has on consumer
trust and commerce. Some of the findings include:
� Security drives purchasing decisions--More than 75 percent of
consumers said security and privacy were important in their
decisions from whom they purchase.
� Consumers will speak with their wallets--Fifty percent said that they
would move their business to another company if they did not
have confidence in a company's ability to protect their
personal data.
� Insider theft increases concerns about a company's data security
efforts--More than 50 percent of the consumers surveyed said an
insider breach would cause them to be more concerned about how
a company secures their information
Clearly, financial costs and loss of consumer trust, as a result of
identity theft, are what is at risk for business. The question is how
does cybersecurity play into these risks?
The Insider--A Major Cause of Identity Theft
While most security testimony has focused on the threats related to
hackers breaking into computer networks from the outside, my remarks
today will focus a new and growing security threat--insiders. The sad
fact is that many identity thieves never have to break through a
firewall. Their employer has issued them a username and password that
gives them access to a virtual treasure trove of consumer data.
Everyday, companies throughout this country create and store
millions of records that contain social security numbers, credit card
numbers and other types of non-public personal information. At most of
those companies, a significant percentage of employees have legitimate
access to this data. This has created a potentially explosive
combination of companies storing more consumer information and at the
same time providing insiders with more access to that data.
Last year, the volatility of this combination made headlines. A
customer service employee of Teledata Communications Inc. who had easy
access to consumer credit reports allegedly stole 30,000 customer
records. This theft caused millions of dollars in financial losses and
demonstrates that even though any computer system can be hacked, it is
much easier, and in many cases far more damaging, for information to be
stolen from the inside.
Teledata is the single largest identity theft crime ever
prosecuted. However, I am convinced that this kind of crime continues
today, yet it often goes unrecognized. Insiders use their legitimate
access to copy sensitive information and with a few clicks of their
mouse, send it outside the company.
Law enforcement and regulators are also starting to raise the issue
of the growing danger to consumers from insiders. Special Agent Tim
Cadigan testified this summer that the Secret Service has assembled
special teams to investigate the growing number of incidents where
fraud rings enlist corporate employees in schemes to steal consumer
information.
Mr. Howard Beales, Director of the Federal Trade Commission's
Bureau of Consumer Protection, said in January that the FTC continues
to see evidence that insiders were stealing consumer data at an
increasing rate and using it to commit identity crimes. In September,
the FTC reported that about a quarter of all consumers who knew that
their information had been stolen believed that insiders were
responsible.
Lastly, consumer credit information provider TransUnion recently
issued a publicly available report stating that the top cause of
identity fraud is now theft of records from employers or other
businesses.
The problem of better protecting consumer data is no longer just an
issue of keeping out the hacker but also one of ensuring that those
with access to the data keep the information secure.
Consumer Data Security Standard
It is clear that we need new efforts to minimize this growing risk
to consumers and businesses. However, I do not believe new government
regulations alone can solve this problem. Instead, the right solution
is to build a partnership of government and industry using both ``the
carrot and the stick''.
To begin with, I suggest this committee develop a Consumer Data
Security standard--possibly as part of the proposed Consumer Privacy
Protection Act of 2003 (HR 1636). This standard would ensure a
national, unified and standard approach to protecting consumer
information and thereby stop one of the primary sources of identity
theft. It should be self-regulating with oversight from appropriate
agencies when problems arise and include a requirement for companies
to:
� Protect and ensure the confidentiality of all non-public personal
information;
� Detect potential misuse of consumer information;
� Ensure compliance by its workforce with their data security policies;
� Correct problems as they are discovered.
These requirements are similar to those required under Gramm Leach
Bliley and HIPAA. Are the industries covered by these regulations
unique in their need to protect personal data? It seems that any
business that manages sensitive financial or other non-public personal
information exposes consumers to identity theft. Whether it is
providing your social security number when purchasing a mobile phone or
using your credit card to buy groceries, you are exposing your personal
information to theft--a cross-industry, unified approach is needed.
Additionally, this committee may want to make notification a part
of this standard. In our survey, consumers said they wanted to be
notified early and often when security and privacy violations occur. In
fact, 80 percent said they want to be notified when companies are 75
percent sure that a violation has occurred.
This Consumer Data Security standard is the ``stick'' to ensure
that there is a base level of responsibility for consumer data
protection.
Safe Harbor
As mentioned earlier, a partnership between government and business
is required to better protect consumer information. Unfortunately,
today many of the current and proposed Federal and State regulations
serve as a disincentive to proactively search for insider breaches or
inappropriate disclosures of consumer information. For example, the
risk of civil lawsuits or regulatory censure discourages some companies
from going beyond what is considered a base requirement. Future
legislation should include a regulatory ``carrot'' through a ``safe
harbor'' to encourage companies to go beyond basic security
requirements and aggressively pursue potential leaks of data without
fear of severe penalties.
This approach of the ``carrot and stick'' would not only encourage
most companies to adopt new consumer protections quickly, it would free
limited government resources to concentrate on the most egregious
violations of the standard itself. Additionally, this proposal would
help to solve one of the unaddressed issues regarding Identity Theft in
both of the current Fair Credit Reporting Act bills approved this year
by the House and the Senate.
In closing, the increasing costs of identity theft coupled with
consumers' increased demands for security protection are driving these
issues to the top of the agenda for consumers, business and government.
If more is not done by all parties involved with respect to protecting
electronic information, the costs will continue to grow, potentially
affecting the country's ability to expand its leading position in the
world economy.
I hope these comments will prove helpful to the subcommittee as it
continues its deliberations on improving consumer data security. I
welcome the opportunity to continue working with you, and am happy to
answer any questions you might have.
Thank you.
Mr. Stearns. Thank you.
Mr. Burton.
STATEMENT OF DANIEL BURTON
Mr. Burton. Good morning, and thank you for the opportunity
to testify.
My name is Dan Burton. I am Vice President of Government
Affairs for Entrust, Inc., and as a world leader in securing
digital identities and information, Entrust is driving the
creation of a robust manageable business security environment
through use of such technologies as encryption, digital
signatures authentication and authorization.
I want to be very clear in my message. The cybersecurity
problem is not getting better. Since 2001, when this
subcommittee held a hearing on this issue, CERT reports a
tripling of breaches from 52,000 to a projected 150,000 by the
end of 2003. Although awareness has increased, understanding
has not. Most companies are still struggling with this issue.
It is critical that this subcommittee provide the private
sector with clear direction to protect sensitive consumer and
business information. You can do so by strongly endorsing
information and security governance programs that provide
businesses risk assessment reporting and accountability. Let me
give you some examples of the problem based on our market
experience.
The first example speaks to the fact that even if you
understand the threat, it is hard for companies to justify more
than just a limited response because of the complexity and the
investment in people, time and resources that is required. Last
year, a large consumer data company suffered a breach when one
of its customer's employees used the company's server to hack
the passwords of other customers. This company believed that it
had taken reasonable precautions to protect its data,
especially since the penalties for not taking action were
vague.
In this case, the seriousness of the breach and the new
penalties created under California's SB 1386 forced the company
to change the way it thought about protecting its information
systems. This company has put in place a much more robust set
of security measures.
A second example speaks to the need to treat cybersecurity
as a continuous process. A large financial institution
implemented strong authentication digital signatures but year
after year failed to upgrade its software, despite the fact
that there was no cost to do so.
The reason? It did not have the systems in place to treat
cybersecurity as a continuous process. Only when the company
failed an audit and was cutoff from outside software support
did senior management get involved and put in place the
necessary procedures.
A final example shows how some companies are taking a more
proactive approach. Several years ago, a major insurance
company with a very large data base of confidential consumer
records realized that it was a prime target for identity
thieves and hackers. It couldn't simply lock up its records,
since the field agents needed access to them, so it did a risk
assessment and implemented a systemic information security
governance plan. This program facilitated broad, highly secure
access to data.
These three charges paint very different responses to the
cybersecurity threat, but they all underscore a similar theme
and one that I want to highlight today.
Companies need a clear understanding of cybersecurity
costs, benefits, and penalties before they will make
cybersecurity a priority.
Where do we stand? The growing array of Federal legislation
does not go far enough to ensure companies take sufficient
action. Some major laws affecting cybersecurity have been in
place and have been referred to today, Sarbanes-Oxley, Gramm-
Leach-Bliley, HIPAA. These laws tend to treat cybersecurity as
a secondary issue. Two other cybersecurity laws are having a
more immediate impact on market behavior, the California Breach
Notification Act, SB 1386, and the Federal Information Security
Management Act, FISMA.
Like it or not, and many people do not like it, by creating
a private right of action for failure to report the breach of
unencrypted personal information, SB 1386 has had a stark
impact on industry's cost-benefit analysis and by treating
cybersecurity as a management responsibility and tying it to
OMB funding decisions, FISMA has had an immediate impact on the
behavior of Federal agencies.
We think that there is an information security governance
imperative. A governance's framework is important because it
guides the implementation, evaluation and improvement of
cybersecurity practices. A successful program requires three
basic functions, risk assessment, reporting, accountability. It
is our experience that in the absence of mandates for these
activities, cybersecurity never receives the management
attention and funding that are critical to succeed.
Entrust developed just such a framework for cybersecurity
and brought it to the Business Software Alliance, which created
a task force co-chaired by our CEO, Bill Conner. The BSA report
released last month entitled Information Security Governance
Toward a Framework for Action highlights the fact that if we
are to make real progress we must treat cybersecurity not only
as a technical issue but as a management issue. We are also
asked to co-chair the Governance Task Force at the upcoming DHS
Cybersecurity Summit.
In conclusion, some compare cybersecurity to Y2K and
emphasize the need to require public companies to report on
their cybersecurity governance programs and their SEC filings.
We didn't solve the Y2K problem by holding seminars for Cobol
code writers. We solved it by engaging senior management in the
issue and structuring liability laws appropriately.
Others have compared cybersecurity to on-line privacy and
emphasize the need for voluntary reporting about risks,
breaches and policies backed up by FTC enforcement. There is no
privacy without security, and my favorite metaphor here is that
of a canary in a glass cage in a room full of hungry cats. This
canary has absolutely no privacy. However, it has perfect
security. We have got to solve security first if in fact we
want to have true on-line privacy.
Perhaps the best analogy for the issue, however, is
quality. Like quality, cybersecurity requires numerous
itegrative steps that are part of a continuous process.
Companies must complete one cycle of the program, measure their
progress, report their performance to senior management, fine-
tune their efforts, and begin another cycle with slightly more
rigor. Repeated cycles lead to improvements that will not only
protect sensitive information but also enable productivity
growth and new market opportunities.
As a global leader in the field with the benefit of
firsthand knowledge and the best practices implemented around
the world, Entrust strongly urges this subcommittee to lead the
effort to take cybersecurity out of esoteric, technical
discussions and into mainstream business management. The goal
should be to encourage companies to treat cybersecurity as a
corporate governance issue, which includes business risk
assessment and reporting with management accountability. A good
governance framework will produce a transparent process that
includes executive management as responsible and assigns the--
--
Mr. Stearns. Mr. Burton, I just need you to summarize.
Mr. Burton. The cybersecurity is real, this is not a case
of crying wolf. The statistics detail the increased damage and
increased threats that occur daily. There is no reason to wait
for a major breach or attack that incapacitates the Nation
before acting, especially when there is strong consensus around
of the steps industry must take. We are now all burdened with
the awareness of the threat and have the corresponding
responsibility to act. Congress must do everything that it can
to ensure effective programs are in place for the private and
government sector.
Thank you.
[The prepared statement of Daniel Burton follows:]
Prepared Statement of Daniel Burton, Vice President of Government
Affairs, Entrust, Inc.
Good Morning. Chairman Stearns and Members of the Subcommittee,
thank you for the opportunity to provide testimony on this important
and timely subject. My name is Daniel Burton, and I am Vice President
of Government Affairs for Entrust, Inc. In my testimony today, I will
address our view of where the private sector stands in its efforts to
secure its information systems and what this Subcommittee can do to
accelerate progress.
I want to be very clear in my message. The cyber security problem
is not getting better. Since 2001, when this committee held a hearing
on this issue, CERT has reported a tripling of cyber security breaches,
from 52,000 in 2001 to a projected 150,000 by the end of 2003. Although
some companies have recognized the threat of cyber attacks to their
business performance and their customers' personal information, most
are struggling to deal with the issue. It is incumbent on this
Subcommittee to galvanize industry efforts to protect sensitive
consumer and business information. This can only be accomplished by
securing the private sector IT systems that control the majority of the
nation's critical infrastructure. You can do so by strongly endorsing
information security governance programs that drive business risk
assessment, reporting and accountability.
Entrust is a world leader in securing digital identities and
information. Over 1,200 enterprises and government agencies in more
than 50 countries use our security software solutions, so we have a
good perspective on today's cyber security reality. As a company, we
are leading the evolution from defensive, perimeter-oriented technology
approaches to a more proactive business security strategy that enables
increased productivity. This strategy involves creating a more robust,
manageable business security environment through the use of
technologies such as encryption, digital signatures, authentication and
authorization. We also work with customers to put in place the policies
and procedures that protect digital identities and information. Our
biggest competition comes not from other companies, but from the ``do
nothing'' business mindset regarding cyber security.
i. examples of the problem
A few examples based on Entrust's experience in the market show how
enterprises are responding to cyber security today.
Last year, a company that is a large collector and processor of
consumer data suffered a breach when one of its customer's employees
used the company's servers to hack the passwords of its other
customers. The hacker then proceeded to access and copy databases
containing highly personal consumer information. Because this company's
clients include 14 of the top 15 credit card companies, 7 of the top
ten automakers and 5 of the top 6 retail banks, in addition to other
major consumer brands, the attack was not a trivial hack. Fortunately,
no identity theft complaints have been traced directly to this breach.
Despite the fact that many people focus on external threats, it is
important to note that this breach, like most, was internal, meaning
that it came from an insider. Moreover, it was discovered only by
accident ten months after the incident occurred when law enforcement
agents researching another breach discovered e-mails describing this
one. As soon as the company learned of the attack, it informed its
customers, as required by the California cyber security breach
notification law (SB 1386), and implemented authentication and
encryption systems to better protect its data.
As a major database company with a pretty good security and privacy
program, this company believed that it had taken reasonable precautions
to protect its data, especially since it was doing as much as many
other companies and the penalties for not taking action are vague. In
this respect, it is typical of many companies. The reality facing
business today is that even if you understand the threat, it is hard to
justify more than limited cyber security measures because of the
complexity involved and the investment in people, time and resources
that is required. In this case, however, the seriousness of the breach
and the new penalties created under California SB 1386 forced the
company to change the way it thought about protecting its information
systems. Today, this company is on the forefront of driving a higher
standard and better understanding of cyber security reality.
A second example speaks to the need to treat cyber security as a
continuous process. Several years ago, a large financial institution
implemented strong authentication and digital signatures on its cash
management service offering for its business customers. I should note
that billions of dollars traverse this network. Although there was no
additional fee to upgrade this technology as new versions of the
software were released, the company repeatedly failed to do so. The
reason? It did not have the systems in place to treat cyber security as
a continuous process. Only when the company failed an audit because it
was cut off from software support did senior management become involved
and take the necessary steps to upgrade the company's security systems.
A third example shows that, despite the lip service they pay to the
issue, some companies are unwilling to do anything about cyber security
that will affect application performance. A major investment bank
realized that it did not have adequate cyber security protections in
place and undertook a review of solutions to securely authenticate its
sensitive communications internally and with customers. As a condition
of this review, however, it stated that it was not willing to sacrifice
any application performance for better security. This meant that it
would accept only a few milliseconds response time for authentication
during fail over. Since no security products can meet this standard,
now the company is deciding whether they will tolerate even a minimal
performance compromise in order to include security.
A fourth example involves Federal agencies, which in their size and
complexity are similar to large enterprises. Until a few years ago, the
Federal government did not have an adequate cyber security policy,
despite the fact that year after year Congressional report cards gave
most government agencies an ``F'' in information security. It was not
until Congress passed the Government Information Security Reform Act
(GISRA), later amended by the Federal Information Management Security
Act (FISMA)--which coupled IT security performance with OMB budget
controls--that Federal agencies began to change. By insisting that
cyber security be treated as a governance and budget issue with risk
assessment, reporting and senior management engagement, FISMA and OMB
forced Federal agencies to begin to upgrade their cyber security
programs.
A final example shows that when companies view cyber security as a
business enabler that improves productivity, they are more likely to be
proactive. Several years ago, a major insurance company with a large
database of confidential customer records realized that it was a prime
target for identity thieves and hackers. The insurance company couldn't
simply lock up its records since it had thousands of field agents that
needed to access them to service customer needs. In order to solve this
problem, the insurance company did a comprehensive risk assessment and,
using digital signatures and authentication technology, implemented an
information security governance plan that encompassed strategy,
technology, people and process. By proactively securing its IT systems,
the company not only protected confidential customer information, but
also created the secure business operations necessary to increase the
productivity of its agents.
Although these examples paint different responses to the cyber
security threat, they all underscore a similar theme--without a better
business understanding of cyber security costs, benefits and penalties,
most companies will take only limited cyber security measures.
ii. where do we stand?
Regardless of how you grade industry's response, there is no doubt
that the cyber security risk is increasing. Although some companies are
responding, overall business progress has been slow. The current
situation brings to mind the ``boiling frog'' metaphor. If you drop a
frog in boiling water, it will jump out. However, if you put a frog in
a pot of water and gradually raise the temperature, the frog will cook.
I think many companies are being ``cooked'' when it comes to cyber
security.
Like quality improvement, cyber security is not a one-time event,
but a continuous process. Just as few managers understood the quality
movement when Deming first introduced it, few business leaders fully
grasp the new and evolving discipline of cyber security today. We are
at the beginning of this brave new digital frontier, and Congress must
find ways to accelerate industry's understanding and progress.
Companies make little distinction between cyber terrorism, cyber crime
and cyber vandalism. The fact that different actors with different
motives perpetrate these attacks may be significant to government
enforcement agencies, but it is of little consequence to industry. As
far as industry is concerned, the primary question is not, who was
responsible for the attack? But, how much damage did it cause? What is
the likelihood that it will happen again? And, what are the cost,
liability and brand implications? Anything that Congress can do to
bring incentives for constructive action and clarity to industry's
assessment of costs and benefits will help in the effort to protect our
critical infrastructure.
The growing array of Federal legislation has not adequately
addressed this issue. Some major laws affecting cyber security are
already in place, such as the Sarbanes-Oxley Act, the Gramm-Leach-
Bliley Act and the Health Insurance Portability and Accountability Act.
These laws, however, tend to treat cyber security as a secondary issue
and cite requirements that are often so vague that they do little to
improve focus or understanding of the issue or help industry better
calculate costs and benefits. Faced with weighing ambiguous cyber
security risks against other business and economic realities, companies
have tended to follow one of three paths. Some have chosen to do
nothing and wait until either the threat becomes more potent or
regulatory requirements get clarified. Others--probably the majority--
have made some initial efforts, but have not really integrated cyber
security into their core business operations. A third group--comprised
of only a rare few exceptions--has embraced cyber security as a market
differentiator, integrating it into their core operations and elevating
it to an executive management concern.
Two other cyber security laws, however, are having a more immediate
and profound effect on market behavior: the California cyber security
breach notification act (SB 1386) and the Federal Information Security
Management Act (FISMA). These laws are specific about cyber security
penalties and programs. By creating private rights of action and
penalties for failure to report breaches of unencrypted personal
information, SB 1386 has changed industry's cost-benefit analysis. And
by treating cyber security as management responsibility that entails
risk assessment and reporting, the Federal Information Security
Management Act outlined a roadmap for Federal agencies that has enabled
progress.
iii. the information security governance imperative
Given the increased awareness of the problem, the lack of
understanding, and the legislative ambiguity, Entrust has moved
proactively to foster collaboration between the public and private
sectors on this topic. We first began working this issue inside our
company, with the active engagement of our Board of Directors and
executive management. At the direction of our CEO, Entrust began to
develop and implement just such a cyber security governance program
last year. As an information security software company, we felt it was
our responsibility to help create a framework that would allow for
appropriate risk assessments, performance measures, management
guidelines and board audits. The program we developed is tailored to
the business needs of Entrust and embodies our interpretation of ISO/
IEC 17799 and how the Federal Information Management Act (FISMA) can be
applied to the private sector. We identified 141 elements that were
important to measure progress. When we started, 25 of these elements
were in the red, indicating the need for serious improvement; today,
only two are. Our journey is off and running but not over.
As an information security software company who lives in this
space, our experience raises real concerns about the status of the
average company and the country. As we discovered at the starting point
of our cyber security review, we were not nearly as secure as we would
have predicted. This discovery made us wonder whether other companies
are are making real and ``measurable'' progress since many of them lack
a framework.
As a result of our experience, Entrust brought this framework to
the Business Software Alliance (BSA) who created a cyber security task
force co-chaired by Entrust's CEO, Bill Conner. The BSA report,
entitled, Information Security Governance: Toward a Framework for
Action, released in October 2003, found that information security is
not only a technical issue, but also a corporate governance challenge.
To quote that report,
While there is broad consensus on the actions needed to create
strong security, too often responsibility is left to the chief
information officer or the chief information security officer.
In fact, strong security requires the active engagement of
executive management. By treating these challenges as a
governance issue and defining specific tasks that employees at
all levels of an organization can discharge, enterprises can
begin to create a management framework that will lead to
positive results.
A governance framework is important because it guides the
implementation, evaluation and improvement of cyber security practices.
An organization that creates such a framework can use it to articulate
goals and responsibilities and evaluate progress over time. One of the
most important aspects of such a framework is that by defining business
and cyber security responsibilities within an organization, it creates
a roadmap for improvement. By specifying who does what and forcing
companies to report on their results to their own boards, it allows
companies to assign specific responsibilities and translate awareness
into action.
Effective cyber security governance programs usually have three
basic functions: risk assessment, reporting and accountability. Their
payoff comes from the fact that they insist on the systematic oversight
and execution necessary to make cyber security part of a company's core
business operations. Simply identifying best practices is not enough;
they must be married with effective implementation at all levels of an
organization. To be effective, each information security program must
be tailored to the needs of the individual business and industry in
which it operates. It must identify business drivers; clarify roles and
responsibilities; recognize commonalities; define metrics; include
periodic progress reports to executive management; and specify what
corporate executives, business unit heads, senior managers, and CIOs
should do.
According to the BSA information security governance report, the
board and the CEO has responsibility for overseeing policy
coordination, business unit compliance and accountability. The business
unit head has responsibility for providing information security
protection commensurate with the company's risks and business needs, as
well as training, controls, and reporting. The senior manager has
responsibility for securing information and systems, assessing assets,
determining appropriate levels of security, cost-effectively reducing
risk, testing and controls. The CIO and CISO have responsibility for
developing and maintaining compliance with the security program,
designating a security officer, developing the required policies,
assisting senior managers, and conducting a security awareness program.
iv. conclusion
Congress should embrace requirements for information security
governance and reporting. Citing the Y2K experience, some have
emphasized the need for a ruling that would require public companies to
report on cyber security governance programs in their SEC filings. In
order for such a provision to be successful, it will be necessary to
avoid esoteric requirements that increase the cost and complexity of
implementing solutions but do little to increase cyber security and
shareholder value. Others have cited the online privacy debate and
emphasized the need for voluntary reporting about cyber security
policies and breaches, backed up by FTC enforcement. For this approach
to succeed, it must also encompass the need to secure business
information systems. Still others have compared cyber security to the
quality movement and insisted that government provide incentives for
companies to undertake the training and process improvements necessary
to secure their information systems.
We would recommend the following lessons for companies intent on
securing our critical infrastructure:
� A business information security governance framework for risk
assessment and reporting with executive management engagement
and board oversight is essential. A good governance framework
will produce a transparent process that allows management to
assign responsibility and make investment decisions to address
unacceptable risks.
� Businesses need to get on with it--just do it. Information security
is a very broad topic with seemingly endless detail. Companies
should not try to solve the problem all at once. Instead, they
should begin with the top-level policy issues. The important
thing is to get started. Too many programs never get off the
ground because the effort looks too daunting.
� Business information security governance is a continuous improvement
program. Like quality, cyber security improvement requires
numerous iterative exercises in a continuous journey. Companies
should complete one cycle of the program at a high level,
report to the Board on their performance, fine-tune their
program and begin another cycle with slightly more rigor.
Repeated cycles will lead to real improvements.
Whatever course is taken, the objective should be to encourage
companies to treat cyber security as a corporate governance issue that
includes business risk assessment and reporting with management
accountability. The cyber security threat is real, and there is strong
consensus around the steps that industry must take. Congress needs to
do everything it can to drive more effective programs in the private
sector. This Subcommittee has extensive experience dealing with complex
issues, and we are confident in your abilities to address this one. We
are at an inflection point in the effort to strengthen cyber security
and need your leadership.
Mr. Stearns. I thank you, and, Mr. Thompson, thank you for
your patience. We welcome your statement .
STATEMENT OF ROGER THOMPSON
Mr. Thompson. Good morning. Thank you for allowing me to
testify. My name is Roger Thompson.
Mr. Stearns. Could you pull it a little closer to you, the
mike?
Mr. Thompson. There we go.
Thank you for allowing me to testify. My name is Roger
Thompson. I am the former Director of Malware Research at the
TruSecure Corporation, and I am currently Vice President of
Product Development at PestPatrol. PestPatrol was founded in
May 2000 by a team of software professionals to encounter the
growing threat of malicious non-viral software. Currently one
of PestPatrol's greatest concerns is the threat of Spyware, so
I would like to introduce you to the problem as our customers
see it, being consumers, and give you an idea of how the
software community's efforts to protect is developing.
Spyware is silent. It is invisible to the consumer. It
allows criminals to steal from them. It arrives uninvited and
unwanted. It has not received the attention needed to warn the
unsuspecting of these dangers to their personal confidential
information, and perhaps worst of all spyware and similar
malware problems rob consumers of the confidence needed to make
commerce over the Internet inviting, safe and successful.
Every day we hear horror stories from our customers that
illustrate the very real and personal losses caused by the
spyware problem. Wanda Gilman is a church secretary from
Saginaw, Michigan. Like most people, she has received warnings
from her anti-virus software about virus attacks and she
thought she was pretty well protected on that front and
unfortunately it became abundantly clear to Wanda that she
needed something more after she experienced two instances of
identity theft. Neither incident involved more than $1,000, but
it was an uncomfortable feeling for her to have her identity
hijacked and a long and complicated recovery each time around.
Michelle Scalero from New Jersey has a home computer that
her family shares for on-line banking and purchasing, as well
as enjoying what the Web has to offer them and their young
children. They were extremely alarmed when they found their PC
flooded with explicit teen porn pop-ups, caused by a Trojan
horse program that had been delivered by a piece of spyware
they had unknowingly downloaded onto their computer.
Barbara Wolski bought a brand new computer that was
supposed to be very fast, 2.6 gigs, which included a special
feature called hyperthread technology to make the processing
speed even faster, and then she found that her old computer
which was only 1 gig ran faster than the new one. She ran the
anti-spyware program and found over 5,000 pieces of spyware
factory-installed on the new machine, all busy ``phoning home''
information about her, causing the massive slowdown.
None of this needs to happen. We hear thousands of similar
sad stories all the time. A record number of incidents were
reported this year, more than 60,000 at the end of last month
and it keeps growing. $24 billion is the estimated identity
theft losses in the United States from identity theft last
year, $73 billion, estimated identity theft projected
domestically by the end of this year, and $9,800 the average
take from each identity robbery.
These numbers come from the Aberdeen Group, an industry
analyst firm that calls identity theft ``the crime that pays.''
Aberdeen also warns that profits from these crimes are so
encouraging that organized crime has become a factor. It has
been 20 years since the first virus was created and for much of
my career I watched the damage that computers could cause from
children at home to senior corporate executives.
My computer career began in Australia in 1979, where I
worked as a mainframe systems engineer. I co-founded the first
Australian anti-virus software company, Leprechaun Software,
and launched the Virus Buster product back in 1987. In 1991, I
moved to the United States. I started Thompson Network
Software, which produced The Doctor range of systems management
and security products.
When I became Director of Malware Research at TruSecure
Corporation, I was able to focus more closely on the way that
different kinds of malware were developing, and the sheer size
of the problem was really brought home to me. Now, at my
current company I am working with malware's faster-growing and
most insidious incarnation yet, spyware.
Here is the new stuff. The anti-spyware is still in its
infancy, but it has proven to me every day from the prevalence
data collected by my company that this type of secretive
invasive software is a huge problem for computer users. Before
we can address possible solutions, we need to define what the
spyware problem actually is. For me spyware is any software
that is intended to aid an unauthorized person or entity in
causing a computer, without the knowledge of the computer's
user or owner, to divulge private information.
The industry has begun to make consumers more aware of this
threat by banding together. To begin educating the public on
spyware and its dangers, we recently co-founded along with
several other anti-spyware companies the Consortium of Anti-
Spyware Technology, COAST. This nonprofit organization is a
forum in which members cooperate to increase awareness of the
growing problem. We reached agreement on the definition of
spyware, which helps us technology vendors create products that
address consumers' concerns. The dangers of spyware are not
always known and are almost never obvious. Usually you know
when you have a virus or worm. These problems are in your face.
Spyware, on the other hand, silently installs itself on the PC,
where it might take any number of different and unwanted
actions; for example, phone home information about you, your
computer and your surfing habits to a third party, to use to
spam you or push pop-up ads to your screen, open up your
computer to a remote attacker using a RAT, or Remote Access
Trojan, to remotely control your computer, capture every key
stroke you type, private or confidential e-mails, passwords,
bank account information, and report it back to a thief or a
blackmailer, allow your computer to be hijacked and attack a
third party's computers in a denial of service attack that can
cost companies millions and make you liable for damages. They
can probe your system for vulnerability to otherwise exploit
the system.
If that does not make the computer users on the
subcommittee nervous, consider that the on-line holiday season
has already arrived. With more and more people shopping on-
line, the potential for identity theft is much greater.
Shoppers are stressed and distracted and may not take their
usual care in protecting themselves from electronic
pickpockets.
No one would allow a silent and hidden burglar into his or
her home without a fight and, as you saw with the real world
experience I described earlier, spyware has the ability to ruin
someone's Christmas. Like having your wallet stolen, life
becomes a bureaucratic nightmare of new identity cards and
credit cards. And ultimately how do you retrieve your privacy
from an unknown or uncaring prowler using the Internet as a
hunting ground?
These anti-virus companies were often accused of hyping
gloom and doom to help increase their own sales and profits.
That was long ago proven to be unfounded. Today, the billions
of dollars lost, in identity theft, transaction hijacking,
sensitive information, are compounded by the huge losses to
credit card companies that must reissue cards whenever an
account is compromised or even suspected of being compromised.
The growing threat is no exaggeration. I think everyone on
this panel would agree a huge portion of damages and tangential
damages caused by spyware and malware goes unreported and is
unknown. Something must be done to protect the Wanda Gilmans,
the Michelle Scaleros, and the Barbara Wolskis, who only want
to conduct their on-line activities and purchases with peace of
mind, knowing they can do it safely.
H.R. 2929, the Safeguards against Privacy Invasions Act, is
a powerful step in this direction. In person, consumers have
the choice not to answer questions when they go shopping. Why
shouldn't on-line shoppers have the same choice to say no to
spyware. As a representative of my company and as a person who
has devoted my working life to malware eradication, I urge you
to pass the SPI Act.
[The prepared statement of Roger Thompson follows:]
Prepared Statement of Roger Thompson, Vice President, Product
Development, PestPatrol, Inc. formerly Director of Malware Research,
TruSecure Corporation
Good morning.
Spyware is silent. It's invisible to the consumer. It allows
criminals to steal from them. It arrives uninvited and unwanted. It has
not received the attention needed to warn the unsuspecting of these
dangers to their personal and confidential information. And, perhaps
worst of all, spyware and similar malware problems rob consumers of the
confidence needed to make commerce over the Internet inviting, safe and
successful.
Every day, we hear horror stories from our customers that
illustrate the very real and personal losses caused by the spyware
problem. Listen for a moment to just three:
� Wanda Gilman is a church secretary from Saginaw, Michigan. Like most
people, she has received warnings from her anti-virus software
about virus attacks, and she thought she was pretty much
protected on that front. Unfortunately, it became abundantly
clear to Wanda that she needed something more than her anti-
virus after she experienced not one but two incidences of
identity theft. While neither incident involved more than
$1000, it was an uncomfortable feeling for her to have her
identity hijacked, and a long and complicated recovery each
time around.
� Michelle Scalero from New Jersey has a home computer that her family
shares for online banking and purchasing, as well as enjoying
what the web has to offer them and their young children. They
were extremely alarmed when they found their PC flooded with
explicit teen porn pop-ups caused by a trojan horse program
that had been delivered by a piece of spyware they had
unknowingly downloaded onto their computer.
� Barbara Wolski bought a brand new computer that was supposed to be
very fast (2.6 GHz), which included a special feature called
hyperthread technology to make the processing speed even
faster. While her old computer was only 1.2 GHz, it ran faster
than the new one. Barbara ran our anti-spyware software on the
new machine and found over 5000 pieces of spyware factory-
installed on the new machine, all busy ``phoning home''
information about her--causing the massive slow-down.None of
this needed to happen. And we hear thousands of similarly sad
stories all the time. Our customers reported a record number of
such incidents this year--more than 60,000 as of the end of
last month--and the complaints keep growing.
Here are some numbers to think about as we discuss protecting
consumers from spyware:
� 24 billion dollars . . . that's estimated identity theft losses in
the US from identity theft last year.
� 73 billion dollars . . . that's estimated losses from identity theft
projected domestically by the end of this year.
� 9,800 dollars . . . that's the estimated average ``take'' from each
identity robbery.
These numbers come from the Aberdeen Group, an industry analyst
firm that calls identity theft ``the crime that pays.'' Aberdeen also
warns that the profits from these crimes are so encouraging that the
organized crime is becoming a factor.
You may have heard that last week was a dubious anniversary . . .
it's been 20 years since the first virus was created. Through much of
my career, I have watched the damage that computer intruders can
cause--to every PC user from children at home to senior corporate
executives.
My computing career began in Australia (perhaps you recognize the
accent) in 1979, where I worked as a mainframe systems engineer. I co-
founded the first Australian anti-virus software company, Leprechaun
Software, and launched the Virus Buster product back in 1987. After
moving to the United States, I started Thompson Network Software, which
produced The Doctor range of systems management and security products.
When I became Director of Malware Research at TruSecure
Corporation, I was able to focus more closely on the way that different
kinds of malware were developing, and the sheer size of the problem was
really brought home to me. And now, at my current company, I am working
with malware's fastest-growing and most insidious incarnation yet--
spyware.
The anti-spyware industry is still in its infancy, but it's proven
to me every day from the prevalence data collected by my company that
this type of secretive, invasive software is a huge problem for
computer users.
Before we can address possible solutions to the problem, however,
we need to define what the spyware problem actually is. For me, spyware
is any software that is intended to aid an unauthorized person or
entity in causing a computer, without the knowledge of the computer's
user or owner, to divulge private information.
The industry has begun to make consumers more aware of this threat
by banding together. To begin educating the public on spyware and its
dangers, we recently co-founded, along with several other anti-spyware
software companies, the Consortium Of Anti-Spyware Technology (COAST)
group. This non-profit organization is a forum in which members
cooperate to increase awareness of the growing spyware problem. We've
reached agreement on the definition of spyware, which helps us
technology vendors create products that address consumers' concerns.
The dangers of spyware are not always known and are almost never
obvious. Usually, you know when you have a virus or worm--these
problems are ``in your face''. Spyware, on the other hand, silently
installs itself on a PC, where it might start to take any number of
different and unwanted actions. For example:
� ``Phone home'' information about you, your computer and your surfing
habits to a third party to use to spam you or push pop-up ads
to your screen
� Open up your computer to a remote attacker using a RAT (Remote Access
Trojan) to remotely control your computer
� Capture every keystroke you type--private or confidential emails,
passwords, bank account information--and report it back to a
thief or blackmailer
� Allow your computer to be hijacked and used to attack a third party's
computers in a denial-of-service attack that can cost companies
millions and make you liable for damages
� Probe your system for vulnerabilities that can enable a hacker to
steal files or otherwise exploit your system.
If that doesn't make the computer users on the subcommittee
nervous, consider that the holiday online commerce season has already
arrived.
During the holiday shopping season, with more and more people
shopping online, the potential for identity theft is much greater--
shoppers are stressed and distracted, and may not take their usual care
in protecting themselves from electronic pickpockets.
No one would allow a silent and hidden burglar into his or her home
without a fight. As you saw with the real-world experiences I described
earlier, spyware has the potential to ruin someone's Christmas. Like
having your wallet stolen, life becomes a bureaucratic nightmare of new
identity cards and credit cards. And, ultimately, how do you retrieve
your privacy from an unknown and uncaring prowler or corporation using
the Internet as a hunting ground?
The anti-virus companies were often accused of hyping gloom and
doom to help increase their own sales and profits--that was long ago
proven to be unfounded. Today, the billions of dollars lost--in
identity theft, transaction hijacking, sensitive information--are
compounded by the huge losses to credit card companies that must
reissue cards whenever any account has been compromised or even
suspected of being compromised. The growing threat is no exaggeration.
I think everyone on this panel would agree that a huge portion of
damages and tangential damages caused by spyware and malware goes
unreported and is unknown.
Something must be done to protect the Wanda Gilmans's, Michelle
Scaleros's and Barbara Wolskis's, who only want to conduct their online
activities and purchases with the peace of mind of knowing they can do
so safely. H.R. 2929, the Safeguards Against Privacy Invasions Act, is
powerful step in this direction. In person, consumers have the choice
not to answer address, phone and email address questions when they go
shopping. Why shouldn't on-line shoppers have the same choice to say no
to spyware?
As a representative of my company and as a person who has devoted
my working life to malware eradication, I urge you to pass the SPI Act.
Thank you.
Mr. Stearns. I thank the gentleman, and now I will start
the questions, and I think I go back to my opening statement.
What are the real risks and costs to consumers for
cybersecurity breaches and what poses the most risk to
cybersecurity, and then what is the optimum role for the
Federal Government to play when it comes to protecting
consumers from cybersecurity threats?
I would start out with Commissioner Swindle. You point out
in your opening statement that not all security breaches are
violations of the Federal Trade Commission. In your opinion, is
there a need for legislation in this area, giving the FTC
additional authority? What is your feeling here?
Mr. Swindle. Mr. Chairman, to the point of not all breaches
are security violations or violations of the law, I think if we
just think of it in the context of a couple of examples if the
breach resulted in my name and address going out to the world--
--
Mr. Stearns. That is a breach?
Mr. Swindle. [continuing] that is not a problem.
Mr. Stearns. That is a breach or not?
Mr. Swindle. That can be a breach of the system because it
is contained in the system, I think, but if along with that my
credit card went, that is a serious problem and the
consequences could be rather dire if somebody got hold of my
financial information, my credit card. Just having my address,
which is publicly known personal information, that does not
necessarily constitute a violation of law, and I think we could
look at it from the context of what harm has been done.
Mr. Stearns. Do you have a data base in which you have
actually collected this information that has internally
affected employees or major companies? Do you have a data base
at the Federal Trade Commission on this?
Mr. Swindle. I am not aware of a data base of that nature.
Mr. Stearns. Reliable data on harms to data infrastructures
caused internally by employees of major data base companies? Do
you have a reliable data base?
Mr. Swindle. I have never thought of it in that context. I
do not think we have a data base specifically designed as such.
Mr. Stearns. Well, I guess.
Mr. Swindle. And assembling that data base might even be
setting up a target to be breached and causing a problem.
Mr. Stearns. What about the Gramm-Leach-Bliley Act? Have
you experienced any security problems or policies for financial
institutions under the Gramm-Leach-Bliley Act we passed?
Mr. Swindle. The problem with that act, the most obvious
one, comes from the nature of the requirements for notice, and
we have all received the copious quantities of papers that no
one could understand. But, I think Gramm-Leach-Bliley has put a
focus on institutions' obligation to security and privacy and,
in a sense, I think that is good.
Mr. Stearns. Okay. Mr. Charney, should there be common
standards for independent security evaluations and why are such
standards important and who should set those standards?
Mr. Charney. For the most part, standards can be important.
The risk is that if we set standards that fixate on a
particular technology what we will end up doing is stifling
innovation. So one of the things that we focus on more is best
practices, so that we can develop methodologies in both product
development and in management; that is, both at the same time,
cutting edge but flexible enough to allow further innovation.
So if you are talking about standards for security, for
example, there is a risk. For example, the government had a
standard for encryption called Data Encryption Standard, and
when that standard was no longer viable the entire industry,
including the government, moved away from that standard to
something more secure, and it was 2 years later that the
government finally promulgated a new standard, after everyone
had already left the old one. So the challenge is to be able to
provide prescriptive guidance to customers and consumers about
how to protect themselves without locking in the technology.
Mr. Stearns. I guess we would say security is a public
good. Can markets alone be fully responsive to cybersecurity
concerns, just the markets themselves, or----
Mr. Charney. I think the markets have some limitation.
Mr. Stearns. This best practices you talked about, in your
opinion do you think the Federal Government--like Mr. Ansanelli
had indicated, there might be a Federal role here?
Mr. Charney. Oh, there is clearly a Federal role and there
is a couple of them actually. The government can lead the way
in the development of best practices. The General Accounting
Office, for example, frequently looks at the security of
government systems and issues government report cards which, to
be honest, have not been very favorable.
The second thing is there are constraints on the market,
and for public safety and for national security purposes
governments may need higher levels of security than markets
normally provide. In those kinds of cases, the government
should take steps, particularly in research and development and
other areas, to make sure that the gap between what the
governments need and what markets will provide are in fact
closed.
Mr. Stearns. Mr. Ansanelli, you mentioned something about a
consumer data security standard that has got our staff's
attention, to ensure that there is a base level of
responsibility for consumer protection, consumer data
protection.
Do you see the need for this kind of baseline standard and
what should the standard be?
Mr. Ansanelli. The reason why it is helpful to have that
standard is when you compare what has happened between Gramm-
Leach-Bliley and HIPAA, that those organizations tend to
protect data more than other organizations, so you have seen
improvements as a result of the security requirements and
Grammm-Leach-Bliley, I think it is section 501(b), with respect
to protecting consumer data. So there have been improvements in
the protection of that data as a result, and I think that
evidence indicates that it would be better to also then have
other organizations that actually keep that same data, if a
financial institution has my Social Security number, when I buy
a phone if I have to give them my Social Security number
because they do a credit check on me. So why is it that one
industry might have to have a standard where another might not,
and I think very importantly the risk that I think might happen
is that the States will end up driving the requirements and the
regulations, so that either companies will have to wind up
dealing with a patchwork of lots of different regulations.
There are about 200 different identity theft bills at the State
level currently being discussed right now. I think it is
important there is a uniform standard as opposed to 50
different standards that has to emerge.
Mr. Stearns. So what you are saying is you would like the
Federal Government to come up with the consumer data security
standard?
Mr. Ansanelli. Yes, and it should be about what are the
best practices and what are the requirements that every company
who stores non-public personal information should have to live
by and it should be something that----
Mr. Stearns. Mr. Burton, would you like to comment and then
I will close?
Mr. Burton. Yes.
Any of that is working on standards. I guess it is my
concern that by treating it as a technical issue, which
standards again puts you squarely back into a technical
discussion, you are missing a huge motivator here, and that is
that senior management is not making the decisions to invest,
to train, to hold people accountable, because it is extremely
complex and it is too often seen as a defensive technical
issue.
A porcupine if it rolls itself into a ball is perfectly
protected. Its quills are everywhere, but they cannot move,
they cannot eat, they cannot do anything productive, and I
think so much of this discussion is on definitive technology
issues that fail to address the management question and the
issue that ultimately a lot of cybersecurity is enabling, just
as quality is enabling, and I think you can make a huge
contribution.
Mr. Stearns. Thank you.
Ms. Schakowsky.
Ms. Schakowsky. Mr. Swindle, I wanted to get back to your
comment that you made, regarding the fact that if my name and
address went out that that is not a very serious breach of
security, and so some things are serious and some things are
not, and yet when you look at your testimony and you talk about
the Commission's first information security case, the Eli Lilly
case, which essentially was the name and address, in this case
an e-mail address, but in any case it was consumers of Prozac--
was it? Yeah, Prozac, very sensitive information, and all that
went out was a name and address. So I am disagreeing with you
that name and address going out is not necessarily, or
certainly can be an important breach of violation, I would
think, since you treated it that way. But I also was concerned
about the sanctions, which seem to me a very minor slap on the
wrist, whereas the implications for consumers of that
information, that very sensitive information going out, could
be very serious. So I wanted you to just comment on this.
Mr. Swindle. I would be happy to, Congresswoman.
First off, I believe the question related to there could be
a breach without a violation of the law. I believe that is the
way I understood the question.
The release of nothing more than my name and address, which
is in the phone book, could hardly be construed as a violation
of law.
Now, in the case of Eli Lilly, it was a name and the
address and the identification of a person who was using a
medication. The use of that medication carries a connotation of
health problems and all sorts of emotional problems perhaps and
things of this nature, which could indeed be certainly a gross
violation of personal information and privacy. So that can be
construed, I think. They are entirely two different things if
we take them in the context I gave them to you. But perhaps
another way of looking at this: How can there can be a breach
without a violation of the law?
We are dealing, if I may describe this as an example, we
are dealing with a machine with a million moving parts in it
and to my mind nobody's perfected all one million parts, and
companies can take every reasonable effort they know how to
take, given the circumstances of the nature of the information
and how it is stored and how it is used, and there might still
be a breach in the security.
Having taken every reasonable step they can take, then I
think we would probably find it hard to say that is a violation
of the law, when they did everything they possibly could. As
technology evolves we will constantly be confronted with that
problem. You know, the Defense Department has this problem,
Congress has this problem, Microsoft has this problem, all
companies have this problem because it is just a massive
complex problem with which to deal. I do think there is a
distinction there.
Ms. Schakowsky. Are you talking about, what did you say,
user error? Are you talking about perhaps issues of management,
individual errors that are made? I mean, it would seem to me
that a company would still or anybody would still have to take
responsibility for that. I am trying to understand where you
draw the line.
Yes, we certainly expect that all possible measures are
taken, and you are saying but if there is still a breach after
that, then nobody is responsible for that?
Mr. Swindle. No, I do not think I said that, Congresswoman.
Ms. Schakowsky. Okay.
Mr. Swindle. I did not address the accountability. We all
have to be accountable. We are responsible for running the
train, and I think industry does take that responsibility very
seriously.
In the case of Eli Lilly, we thought that the best possible
solution. This is an incredibly fine company, as is Microsoft,
as are the companies represented here on this panel. They are
doing their utmost.
In the case of Eli Lilly, there was negligence, not
sufficient training, there were not sufficient technical
safeguards put in. They are under scrutiny and have corrected
those requirements, the deficiencies, and we are going to be
monitoring them. As I think I indicated, they report to us with
an audit system every 2 years.
Ms. Schakowsky. Yeah, I would still think that it is more
than a slight slap on the wrist.
Mr. Swindle. And we were concerned with this, but what do
we--what else perhaps--questionably, what else could we have
done?
Ms. Schakowsky. That is the question for us; is not it?
Mr. Swindle. A huge penalty, would it accomplish that and
correct the problem?
The problem was mostly technical and training, I think. If
they corrected the problem, we go on. They certainly can be
subject to several penalty pursued by the people they harmed.
That is always open to victims.
Ms. Schakowsky. Well, I think much of the testimony here
does say that there need to be appropriate sanctions, and that
is certainly what we need to consider.
I want, Mr. Chairman, to have your permission to leave the
record open for further questions. I have a number of
questions.
Mr. Stearns. I think that is in order.
Ms. Schakowsky. If I could put in?
Mr. Stearns. Sure.
Go ahead.
Ms. Schakowsky. I wanted to ask--I wanted to submit this
document, which is an e-mail from Bill Gates and addressed to
Microsoft and subsidiaries. They are all FTE dated January 15,
2002, for the record, and I have a number of questions around
that that I hope that Mr. Swindle will answer, and also
actually Mr. Charney, about that.
Mr. Stearns. Would you like to submit that?
Ms. Schakowsky. If I could.
Mr. Stearns. By unanimous consent, so ordered.
[The information referred to follows:]
From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing
Every few years I have sent out a memo talking about the highest
priority for Microsoft. Two years ago, it was the kickoff of our .NET
strategy. Before that, it was several memos about the importance of the
Internet to our future and the ways we could make the Internet truly
useful for people. Over the last year it has become clear that ensuring
.NET is a platform for Trustworthy Computing is more important than any
other part of our work. If we don't do this, people simply won't be
willing--or able--to take advantage of all the other great work we do.
Trustworthy Computing is the highest priority for all the work we are
doing. We must lead the industry to a whole new level of
Trustworthiness in computing.
When we started work on Microsoft .NET more than two years ago, we
set a new direction for the company--and articulated a new way to think
about our software. Rather than developing standalone applications and
Web sites, today we're moving towards smart clients with rich user
interfaces interacting with Web services. We're driving the XML Web
services standards so that systems from all vendors can share
information, while working to make Windows the best client and server
for this new era.
There is a lot of excitement about what this architecture makes
possible. It allows the dreams about e-business that have been hyped
over the last few years to become a reality. It enables people to
collaborate in new ways, including how they read, communicate, share
annotations, analyze information and meet.
However, even more important than any of these new capabilities is
the fact that it is designed from the ground up to deliver Trustworthy
Computing. What I mean by this is that customers will always be able to
rely on these systems to be available and to secure their information.
Trustworthy Computing is computing that is as available, reliable and
secure as electricity, water services and telephony.
Today, in the developed world, we do not worry about electricity
and water services being available. With telephony, we rely both on its
availability and its security for conducting highly confidential
business transactions without worrying that information about who we
call or what we say will be compromised.--Computing falls well short of
this, ranging from the individual user who isn't willing to add a new
application because it might destabilize their system, to a corporation
that moves slowly to embrace e-business because today's platforms don't
make the grade.
The events of last year--from September's terrorist attacks to a
number of malicious and highly publicized computer viruses--reminded
every one of us how important it is to ensure the integrity and
security of our critical infrastructure, whether it's the airlines or
computer systems.
Computing is already an important part of many people's lives.
Within ten years, it will be an integral and indispensable part of
almost everything we do. Microsoft and the computer industry will only
succeed in that world if CIOs, consumers and everyone else sees that
Microsoft has created a platform for Trustworthy Computing.
Every week there are reports of newly discovered security problems
in all kinds of software, from individual applications and services to
Windows, Linux, Unix and other platforms. We have done a great job of
having teams work around the clock to deliver security fixes for any
problems that arise. Our responsiveness has been unmatched--but as an
industry leader we can and must do better. Our new design approaches
need to dramatically reduce the number of such issues that come up in
the software that Microsoft, its partners and its customers create. We
need to make it automatic for customers to get the benefits of these
fixes. Eventually, our software should be so fundamentally secure that
customers never even worry about it.
No Trustworthy Computing platform exists today. It is only in the
context of the basic redesign we have done around .NET that we can
achieve this. The key design decisions we made around .NET include the
advances we need to deliver on this vision. Visual Studio .NET is the
first multi-language tool that is optimized for the creation of secure
code, so it is a key foundation element.
I've spent the past few months working with Craig Mundie's group
and others across the company to define what achieving Trustworthy
Computing will entail, and to focus our efforts on building trust into
every one of our products and services. Key aspects include:
Availability: Our products should always be available when our
customers need them. System outages should become a thing of the past
because of a software architecture that supports redundancy and
automatic recovery. Self-management should allow for service resumption
without user intervention in almost every case.
Security: The data our software and services store on behalf of our
customers should be protected from harm and used or modified only in
appropriate ways. Security models should be easy for developers to
understand and build into their applications.
Privacy: Users should be in control of how their data is used.
Policies for information use should be clear to the user. Users should
be in control of when and if they receive information to make best use
of their time. It should be easy for users to specify appropriate use
of their information including controlling the use of email they send.
Trustworthiness is a much broader concept than security, and
winning our customers' trust involves more than just fixing bugs and
achieving ``five-nines'' availability. It's a fundamental challenge
that spans the entire computing ecosystem, from individual chips all
the way to global Internet services. It's about smart software,
services and industry-wide cooperation.
There are many changes Microsoft needs to make as a company to
ensure and keep our customers' trust at every level--from the way we
develop software, to our support efforts, to our operational and
business practices. As software has become ever more complex,
interdependent and interconnected, our reputation as a company has in
turn become more vulnerable. Flaws in a single Microsoft product,
service or policy not only affect the quality of our platform and
services overall, but also our customers' view of us as a company.
In recent months, we've stepped up programs and services that help
us create better software and increase security for our customers. Last
fall, we launched the Strategic Technology Protection Program, making
software like IIS and Windows .NET Server secure by default, and
educating our customers on how to get--and stay--secure. The error-
reporting features built into Office XP and Windows XP are giving us a
clear view of how to raise the level of reliability. The Office team is
focused on training and processes that will anticipate and prevent
security problems. In December, the Visual Studio .NET team conducted a
comprehensive review of every aspect of their product for potential
security issues. We will be conducting similarly intensive reviews in
the Windows division and throughout the company in the coming months.
At the same time, we're in the process of training all our
developers in the latest secure coding techniques. We've also published
books like ``Writing Secure Code,'' by Michael Howard and David
LeBlanc, which gives all developers the tools they need to build secure
software from the ground up. In addition, we must have even more highly
trained sales, service and support people, along with offerings such as
security assessments and broad security solutions. I encourage everyone
at Microsoft to look at what we've done so far and think about how they
can contribute.
But we need to go much further.
In the past, we've made our software and services more compelling
for users by adding new features and functionality, and by making our
platform richly extensible. We've done a terrific job at that, but all
those great features won't matter unless customers trust our software.
So now, when we face a choice between adding features and resolving
security issues, we need to choose security. Our products should
emphasize security right out of the box, and we must constantly refine
and improve that security as threats evolve.-- A good example of this
is the changes we made in Outlook to avoid email borne viruses. If we
discover a risk that a feature could compromise someone's privacy, that
problem gets solved first. If there is any way we can better protect
important data and minimize downtime, we should focus on this. These
principles should apply at every stage of the development cycle of
every kind of software we create, from operating systems and desktop
applications to global Web services.
Going forward, we must develop technologies and policies that help
businesses better manage ever larger networks of PCs, servers and other
intelligent devices, knowing that their critical business systems are
safe from harm. Systems will have to become self-managing and
inherently resilient. We need to prepare now for the kind of software
that will make this happen, and we must be the kind of company that
people can rely on to deliver it.
This priority touches on all the software work we do. By delivering
on Trustworthy Computing, customers will get dramatically more value
out of our advances than they have in the past. The challenge here is
one that Microsoft is uniquely suited to solve.
Bill
Mr. Stearns. Let's see, the gentlelady from California is
recognized.
Ms. Bono. Thank you, Mr. Chairman, and I thank the
panelists for sticking with us through all of this.
I think the one theme that generally has come up for me in
this testimony so far is that Ms. Davidson alluded to the fact
that California did some knee-jerk reacting to the situation
and came up with legislation that was not very good, and
whether or not you know this, Congress is probably--in all of
the issues we deal with we are technologically challenged, and
we were all thrilled the day we got Blackberrys, but there is a
funny story I remember of a Member of Congress who held up his
Blackberry and said this is great, I do not know how to work
it, and I said why don't you try turning it on first, and that
is a true story.
Now, these people might be experts in whatever field they
are in, we have the CDC and the NIH, who do a lot of our great
work in medicine, but in Congress do we have the governmental
entity in place?
I think, Mr. Swindle, I would ask you the question. We have
got the FTC, the FBI, but do we have an entity that works
specifically with Congress to move more swiftly in the case of
these issues or is it sort of--are we a little bit lacking in
that area?
Mr. Swindle. I do not think we have a central agency that
would combine the resources of all of us to work with Congress,
but I think each of these agencies, in their own realm, work
with Congress very closely. I know we try to work with Congress
as closely as we can when Congress is considering drafting
legislation to solve a problem. Often we propose suggestions as
to how current laws might be modified, and I think we are often
on the side of urging caution before we legislate to solve a
problem where very likely the proposed solution will perhaps
cause more harm than good. As one of the panelists said
earlier, sometimes the process is so slow that we have gone
well beyond that problem and already found a solution to it.
In all honesty, I think it takes each one of these
agencies. They have some responsibility and oversight of these
issues, dealing with their expertise, working with Congress,
and realizing that there is no simple solution to any of these
problems.
Legislation alone will not solve it, technology alone will
not solve it, and in my mind the most important single factor
when you think of the base of the triangle of people who are
involved, the consumers across the bottom, 270 million. As we
work on up to the triangle top we are worrying about nuclear
attack, but that is only a handful. But down at the bottom of
this triangle, every one of the people in the base, consumers,
students, business people, small business people who are using
computers and are connected on the Internet, they are all part
of the problem and part of the solution.
Ms. Bono. Right. I am sorry for cutting you off, but my
spyware legislation, I think you have seen it or your staff has
seen it, and I was wondering if you could comment because to me
this seems to be a good solution. It seems to address the
situation.
There have been some, you know, tremendous media reports,
and I thank the media actually. Even The Washington Post today
has a great article and in it he quotes something that shocked
me. I do not believe anybody brought this point up. I have it
here, I promise you.
Anyway, he talks about--here it is, Sharman Networks, that
when you download KaZaA, that they install something called
ALLNET and that this ALLNET actually harnesses unused
processing power on your CPU and then sells that processing
power. I have never heard of sharing hardware over this and I
am wondering if perhaps, Mr. Charney, you could comment on the
fact that they are not only using data but they are basically
stealing a little bit of your processing capability.
Mr. Charney. The key word there is stealing, so one of the
things we need to be clear about is that peer-to-peer networks
have some important societal advantages. You look at something
like SETI, the Search for Extraterrestrial Intelligence, where
a lot of independent researchers and individuals agree to share
processing time because what happens is that computers have
become far more powerful. Home users have a lot more power on
the desktop than they actually use or need, and one of the
issues is can we harness that process in some way and share
that power.
The key is that those things have to be done with full
notice and consent and not done to someone without their
knowledge, where someone else is either taking their
information or processing power without telling them, without
getting their consent. But it would be a mistake to think that
peer-to-peer in and of itself is a bad thing.
Ms. Bono. Right.
Mr. Charney. Merely the technology that permits the use of
distributed processing.
Ms. Bono. Well, is Microsoft concerned about spyware? Other
than pretty much endorsing my bill, thank you for that, if that
is what he was doing, Mr. Chairman.
Mr. Charney. We absolutely care about spyware, so one of
our pillars of trustworthy computing is privacy, and our
philosophy is that consumers have to make informed choices of
how data is used and to be able to control the data about them,
and to the extent people are taking their data without their
notice and consent, that is a problem, and the solution, like
most IT solutions, will be a combination of best practices,
technology, and in some cases regulations.
Ms. Bono. Could the ISPs do a better job? I know you all
have MSN, but obviously they are not going to, but could not,
for example, your competitor, AOL, who promotes McAfee daily,
every time you log on you get this sales pitch from McAfee,
could not they install that along with their software, AOL, and
have it built into the firewall and the automatic patches that
you say consumers do not do often enough?
Mr. Charney. We have tried to make this easier for
consumers. We have built the ICF firewall into Windows, and if
you go to the Microsoft.com/protect, we have links to anti-
virus vendors, where people can easily get virus software. We
have to make it much easier to manage.
I would point out that you have to remember this technology
was built by geeks for geeks. If you think about the telephone
as phones ended up in every home in America, the phone company
said if we are going to sell more services, we have to devise
more complex software, call forwarding, caller ID, all those
features. As they add all this complexity, the user interface
remained the same, 12 buttons.
My mother has a PC. She is 74 years old. She can go to a
run command, write her own code and run it. She cannot, she is
not technically capable of doing it, but we have given her the
technology to do it. It is a completely different paradigm.
Ms. Bono. Thank you. Mr. Chairman, I will yield back.
Mr. Stearns. We are going to have a second round if you
want to.
Ms. Bono. Thank you.
Mr. Stearns. I recognize the gentleman from Arizona.
Mr. Shadegg. Mr. Ansanelli, you mentioned in your written
testimony an unaddressed issue regarding identity theft in the
Fair Credit Reporting Act, the legislation that is in
conference that I referred to in my opening statement.
Can you go into greater detail about that?
Mr. Ansanelli. Sure. It has not been passed yet by the
whole House and the Senate, but I think if you look at what the
Fair Credit Reporting Act has in it, I think about the issue of
identity theft as sort of three pillars.
The first is protecting the data that is the consumer's
identity to begin with. Second is detecting any problems that
are occurring, either someone is trying to do fraud or, you
know, trying to get a credit card as a result of fraud. And
then the third thing is correcting the problem, primarily for
consumers. How do consumers fix their credit? They have been a
victim. How do they correct it?
And as I look at the act there is quite a bit in correcting
the problem for consumers, and that is good. There is a fair
amount of detecting the problem with respect to address
notifications and what not, but there is very little with
regard to prescriptions for protecting information to begin
with, and that goes again to the issue around consumer data
standard, and if you do not protect the data you are only going
to have to apply larger and larger BandAids in the future.
Mr. Shadegg. I tried to amend that legislation to add
further restrictions on the use of Social Security numbers.
However, had we done that, it would have taken it out of the
jurisdiction of the Financial Services Committee and put it in
the jurisdiction of the Judiciary Committee and it would have
caused the bill to require a second referral and we weren't
able to do it, but would you agree that that is one of the most
important things that needs to be done?
Mr. Ansanelli. I agree that that is a glaring omission.
Mr. Shadegg. The gentlelady sitting next to you, it seems
you would like to make a comment on that point?
Ms. Davidson. Hosanna. I was making a note to myself that
no one--although you did ask the obvious question why is the
Social Security number collected in so many nontaxable
transactions. Having recently purchased a house in the great
State of Idaho, I was astonished to find that every single
entity in the city, whether it was sewage, power, trash pickup,
required my Social Security number and I had to ask the
question: Is sewage taxable, because it was a complete mystery
to me why it was collected in the first place.
The Social Security number, had it not become ubiquitous as
a means to identify consumers, quite honestly, a lot of the
identity theft problem would probably go away.
Mr. Shadegg. My colleague, Clay Shaw, has a comprehensive
bill addressing this issue, going right to the issue of Social
Security numbers. That was the issue we would have tread on if
we had been able to put further restrictions on Social Security
numbers into the Fair Credit Reporting Act, and that is the
reason we did not do it. You might want to contact his office
and interject yourself into the debate on that bill because I
think that is an important part of this discussion.
We were able to require the truncation of Social Security
numbers in the draft of the fair credit reporting bill that
passed the House. We did that, so we have taken a minor step,
but I think it is a serious problem.
Mr. Ansanelli, Mr. Burton next to you says we shouldn't be
looking at these technical issues and creating a standard. We
ought to be instead creating incentives to do that.
I am going to give him a chance to explain that, but how do
you respond?
Mr. Ansanelli. I agree. I am not proposing we have
technical requirements or standards. I think the standards need
to be around principles, and as I testified today, and I did
testify in the House Financial Services Committee on FCRA, that
it involves responsibility from everyone at the board level
down to protect the data and you have to have those principles
to make sure that everyone knows they are responsible for
protecting the data, that they have an obligation to detect and
enforce compliance by the people that have access to the data
and you need to correct problems, and the correction of those
problems includes things like training and education. It is
definitely not proposing technical standards. It is having a
clear understanding of the responsibility associated with the
fact that you store and manage that consumer non-public,
private information.
Mr. Shadegg. With regard to the protection of information
where you think we could have gone further in the Fair Credit
Reporting Act, would you be willing to submit to my office your
suggestions as to what we need to be doing to go beyond that?
Mr. Ansanelli. More than willing.
Mr. Shadegg. I have some doubts about the ability of
Congress to micromanage this problem, legislative piece by
legislative piece.
We passed the Identity Theft Act a number of years ago, and
it took a step in the right direction, but we are not there. It
seems to me that crooks are always going to move faster than we
are and we are not going to be able to achieve the kind of
reform or the kind of protection we would like to just by
legislating one bill at a time in this area. So your notion
that business needs to take a completely different mindset
seems to me a better solution.
How do we go about creating the incentives or creating a
dynamic in which business leaders will see it as in their
interest to not act like the porcupine and roll up in a ball
and defend itself, but rather aggressively go after this
problem?
Mr. Burton. That is a seminal question, I think, and I
think that is a question that industry needs to ask itself, as
well as this committee needs to reflect on, because to go back
to Scott Charney, if the PC is something built by geeks for
geeks, well, then cybersecurity is the pinnacle of the
geekiness in the PC, and I think when this issue comes up, too
often the reaction is oh, mine eyes glaze over. I will talk
about privacy, that is a personal issue, that is a consumer
issue, and I can understand it. Cybersecurity is a geek
technical issue that I do not want to even open that book, and
I think that if we somehow make the translation from a
technical issue, and it is technical, I am not saying we should
dismiss that, but it is often treated solely in those terms,
and again the best paradigms that I have is quality, and
quality awareness comes first, I think we have awareness with
cybersecurity. Now we need to start building it systematically
and to functions of our system, and I think anything this
committee can do to clarify cost-benefits and perhaps penalties
would be a big contribution, and again I think the levers are
not that complex. I think it is risk assessment, it is
reporting, it is accountability, and I think those three
opinions can really drive huge, huge change in this field.
So I do not have a specific answer for your question, but I
do think that is the key question for this whole debate.
Mr. Shadegg. Mr. Chairman, my time has expired. Thank you.
Mr. Stearns. Thank you.
Members, if you want to stay, we will have a second round.
The gentlelady from Missouri.
Mr. McCarthy. Mr. Chairman, let me apologize for having to
leave. I had another hearing and of course when you do that,
the question that you are going to ask might have been asked
already. So, Mr. Chairman, please feel free to say read the
record.
Microsoft, let me just see. I think I want to give this to
Ms. Davidson, I think might be in the best position to answer
it.
Microsoft Corporation made news when they announced a
bounty program for information leading to the arrest and
prosecution of hackers. Do you intend to launch a similar
program for those hackers who attack your software?
Ms. Davidson. That is a very interesting question. We have
no immediate plans to do this, and I preface this statement by
saying I have no wish to exceed Microsoft in this particular
realm. Microsoft tends to be a very visible target for hackers,
to be fair to them, because they are large, they have been very
successful, and, quite honestly, there are more hackers gunning
for them at this point than are gunning for Oracle, for which I
am exceedingly grateful. I am happy to accede market leadership
to you in that realm.
At this point, I do agree with certainly Microsoft and
others in the industry on one key point. We certainly welcome
people who find faults in our software and bring it to our
attention. We certainly do everything possible to avoid them
the way that we build our product, and we are always happy to
give recognition to those researchers who find fault and say
thank you, we have fixed it, and we tell our customers.
There are a group of researchers for whom thank you and
potentially hiring them for bettering your software is not
enough. They want your scalp, and one of the ways they get that
is by releasing exploit code at forums such as Black Hat and
other hacker conventions.
No vendor will say that it is not their responsibility to
build secure software. The buck definitely stops here, but
those who trade in information about how to exploit
vulnerabilities and give it to others are effectively arsonists
swapping fire starting techniques, and they claim they want
better building codes but try telling that to someone whose
house has burned down.
So at this point we have no plans to offer a bounty, but I
do agree that the problem of irresponsible disclosure of
detailed information about security faults, specifically
creation of exploit code and releasing it into the wild, is in
part responsible for a lot of the malicious and damaging
behavior to our infrastructure.
Mr. McCarthy. All right. Does open source software like
Linux have vulnerabilities to worms and viruses?
I have seen a recent report that an open source developer
tried to insert a Trojan horse into Linux.
First of all, could you explain what is a Trojan horse, and
how do you ensure that your developers do not insert malicious
codes like that into your data base?
Ms. Davidson. A Trojan horse is--of course, goes all the
way back to Greek literature in the Iliad, actually the
Odyssey. The idea is to get something into your code base that
does something malicious. For example, one could insert code
that would capture a user's password and potentially mail it to
a bad guy or capture a Social Security number or other
sensitive piece of information. The premise is that someone has
deliberately and willfully put code in that does something bad,
unbeknownst to anyone else.
This is something people spend a lot of time talking about
and it is certainly not--it is a risk but, quite honestly, most
of the problem in software that creates these viruses and worms
is preventable, avoidable security faults.
I mentioned, and I will not get all nerdy on you, but
buffer overflows. That is about 70 percent of security faults,
and it basically means that instead of--if a program is
expecting 10 numbers and it does not handle gracefully if it
receives 11 numbers, or letters or something else, it could
create a buffer overflow and that is 70 percent approximately
of security faults. It is just bad programming.
So getting back to your question how do you prevent this--
--
Mr. McCarthy. Yes.
Ms. Davidson. [continuing] I believe you cannot absolutely
prevent someone from willfully putting malicious code in your
software because you cannot prevent them from making careless
errors. Now what you can do is to have very good development
processes, you can have code reviews, you separate your code so
that not everyone gets access to everything to make changes,
and the one piece that truly is missing right now is we do not
have automated tools that can scan code and find, first of all,
avoidable, preventable security faults, which is really most of
the problem in that, much less look for things like malicious
code or malware. The tools just do not exist in the market now.
Mr. McCarthy. Thank you very much, Mr. Chairman. I see my
time has expired.
Mr. Stearns. I thank the gentleman.
Mr. Morrow, you summed up your testimony by characterizing,
``our state of information security readiness is marginally
better than it was 2 years ago.''
What can we as the U.S. Government do so that 2 years from
now the improvement in our information security readiness would
be more than marginal?
Mr. Morrow. Well, sir, I believe I outlined a few things in
my testimony. One of the things that we see a lot of is that a
lot of effort has been spent by very large organizations, the
financial industry, you know Fortune 500 companies, but a lot
of the issues have trickled down and a lot of the
vulnerabilities are still being addressed at the levels of the
mid-range business and the small-range business, and that is
for several reasons. One, these things cost money to fix. A lot
of companies in the last few years due to the economic downturn
haven't had the money to invest in these type things, and you
have to understand and always keep aware of the interconnected
nature of all these things, and just because the Fortune 500
companies and the government may make great strides, if the
smaller companies and smaller institutions, private
organizations, et cetera, do not make similar strides, cannot
make similar strides for economic reasons, then there is a
problem because that opens up vulnerabilities to everyone.
So I think one of the things personally that we can have a
lot of bang for the buck, if you will, is to help figure out
incentives for small and mid-size and smaller companies to--and
organizations to address these problems.
Mr. Stearns. Who would provide these incentives?
Mr. Morrow. Well, I think it could be a couple of different
ways. One could be financial incentives of some manner. That
obviously is something in the purview of the Federal
Government. Others might be the research and development, tax
credits, things like that, and there may be an education or
some sort of public service type of incentive where very small
companies who offer--small tier companies and small businesses,
privately owned businesses, who have one or two systems and
have problems, they may require incentive from the government
to provide them with basic tools, much like what Microsoft does
in some of their software, for a very much reduced cost. I
think that would go a long way.
Mr. Stearns. Okay. Mr. Schmidt, to date how effective have
cyberattacks been, and have you seen an increase in their
effectiveness, and, if so, why do you think so?
Mr. Schmidt. I think first and foremost we have to define
what we mean by how effective they have been. For example, if
the intent of some of these were to shut down major financial
systems, shut down electrical power grids, no, they have not
been successful on a universal basis. We have seen some spot
outages. But, as we move forward, I think what we will see is
the--as we referred to as the zero-day vulnerabilities and
exploits. As both Ms. Davidson and Mr. Charney mentioned, the
time between the identification of vulnerability and the time
that it is exploited has been increasingly shorter.
Now, you mentioned in your opening comments, Mr. Chairman,
the SQL Slammer event back in January. That widespread event
took place in less than 10 minutes, whereas some of the ones
you mentioned earlier, the Code Red and Nimda, occurred over a
matter of days to see maximum infection.
The interesting piece of this is if you look at the ratio
of computers affected versus the ratio of computers that are
now currently employed, it was actually a smaller percentage of
computers that were infected in a shorter period of time, but
we have got a lot more computers out there. So we are doing a
better job at it. So overall, the impact was probably less than
it could have been had it been 2 years ago with that same
number of computers.
I think the fundamental issue is if we don't continue to
improve these processes, reduce the vulnerabilities, make
better tools available to prevent these things from even taking
place, which, as the Department of Defense has shown, 98
percent of the successful intrusions into those systems were
the result of someone not installing a patch, so if we install
the patches, their effectiveness would be much less than they
are today.
Mr. Stearns. Ms. Davidson, I think you recommended a
government software underwriters lab. I think that intrigued
all of us here and the staff, sort of the consumer equivalent
of--software equivalent of the UL. I would like you maybe to
elaborate and then have the Commissioner maybe just give his
comments on it.
Ms. Davidson. Thank you. I would be happy to do that.
We do have mechanisms for large pieces of commercial
software to go through an independent security evaluation.
There is an ISO standard for that, 15408, which is a common
criteria.
As I mentioned earlier, the Defense Department requires
products used in national security systems to go through common
criteria evaluations. They are really good, and they help
improve the security of software, because it forces developers
to a secure software development process. That is a great
thing, and we are a great proponent of that. But they are best
suited--it is certainly not a cure-all for all cybersecurity
ills, and they really are best suited to more mature products
with a longer life cycle that are really sort of large pieces
of software, like operating systems or data bases, firewalls.
That is not--and they are quite expensive. They can cost
between $500,000 and $1 million.
That is obviously not well-suited for a small consumer
products device, where the cost of the evaluation might
actually dwarf your product sales. Usually something is better
than nothing when you are talking about improvements. If you
can have something that is a lighter weight form of that for
commercial products, like a PDA or other types of small
devices, that would be----
Mr. Stearns. I talked to a president of a university, and
he said he is going to have to spend $100,000 for software to
protect his university from cyberattacks. So maybe that piece
of software should go to a software underwriters lab. Is that
what you are saying?
Ms. Davidson. Well, I think you have to look at probably
the complexity of the software, the target market, and what it
is being used for.
Mr. Stearns. So cost alone would not determine?
Ms. Davidson. Cost alone doesn't. And as much as people
complain about how expensive these are, I can tell you that it
costs Oracle--if we have a security fault in our software that
has been out there a few years, and we have to fix it on 20
operating systems and four product versions, which we have done
to protect all our customers, happily to do that, it costs us
$1 million to fix that type of avoidable, preventable security
fault.
If you prevent one of those or find it before you ship the
product, you pay for the cost of the evaluation.
Mr. Stearns. Uh-huh.
Ms. Davidson. So it is cost-effective. And risk management
doesn't really work when you are talking about, well, I am
going to let my customers hang in the wind because I didn't
feel like doing a better quality job with my product. That is
not acceptable.
Mr. Stearns. Commissioner, what do you think of the idea of
a software underwriters lab? I mean, it wouldn't necessarily be
under the Federal Trade Commission, but you are the only person
here from the government, so we will ask you.
Mr. Swindle. In this entire world of information technology
we live in, I think creative ideas are going to be the currency
of making progress. And I think any idea of this nature
deserves attention, as Ms. Davidson said.
These remedies that we often aspire to are very expensive,
not to mention the fact that they are very complex. I think we
are always interested, the FTC, in exploring new ideas.
Something that I would suggest that deals with most of the
questions that have been asked, that is security, sort of
mirrors the privacy debate that we have had over the last 5 or
6 years that I have been at the Commission. If you go back 6
years ago, very few companies had privacy policies. They didn't
post them. They were not very effective or were too difficult
to understand. Today that has changed appreciably. And I used
to say that privacy had better become a part of the corporate
culture of businesses or there would be an FTC in their future,
probably.
I think security is along the same track, just running a
few years behind. Security has got to become an essential part
of the management scheme of all companies, because we are
becoming more and more reliant upon handling of data and
information and the transmission of that data and information.
Without security, we jeopardize the whole system. It becomes a
matter of critical importance to one's own self-interest that
we do this right. So I think security is going to have to
become a part of the corporate culture as well as privacy.
Mr. Stearns. Okay. Let me just conclude, Mr. Thompson. We
want to make sure you are involved here. Maybe just you can
give a general evaluation on cybersecurity relative to this
spyware that Ms. Bono has mentioned, maybe just some general
comments.
Mr. Thompson. Sure. I think I have heard some great ideas
and some great suggestions. The only thing is that it has
really all been aimed at protecting the corporate end of
things, and protecting the consumer from the corporate end of
things.
But there is more to it than that. There is a whole world
of consumers out there, and there is no one standing up for
them. That is really the intent of Ms. Bono's bill. Every month
I see thousands of Remote Access Trojans posted to the Usenet
in an attempt to catch some of these consumers, and there is
no--they are catching people, and there is no one sticking up
for them.
Mr. Stearns. Every month you see thousands?
Mr. Thompson. Thousands of Trojan horses are disguised as
adult movies or----
Mr. Stearns. Help aids?
Mr. Thompson. Something. And they are posted to the Usenet.
They are posted to the peer-to-peer networks.
Mr. Stearns. So you download that, thinking this software
is going to help you. Bingo, you are caught.
Mr. Thompson. And are you caught. And these are the worst
kind of spyware. These are the ones that do steal the
keystrokes, these are the ones that do steal your credit cards,
they do steal your identity. And no one is looking out for
these people. Someone has to look out for them.
Mr. Stearns. My time has expired.
The gentlelady from California.
Mrs. Bono. Thank you, Mr. Chairman. I want to piggyback on
that for Mr. Thompson as well. If you installed something like
Norton Utilities or an antivirus firewall, every time your
computer transmits to the Internet, you can have a notification
that tells you your computer is speaking to the Internet.
Mr. Thompson. Sure.
Mrs. Bono. Does that, in fact, notify you that spyware is
transmitting data?
Mr. Thompson. If everyone is playing by the rules. But
sometimes they are subtle and they simply don't play by the
rules, and they piggyback on something that has already been
authorized. These things are tricky.
Mrs. Bono. Some people have said that the problem with this
legislation is companies would move offshore, similar to the
antispam legislation. But, to me, this doesn't seem like a
valid argument. Would you----
Mr. Thompson. I think some of them are offshore already,
and probably some more would move offshore. But it would be
nice to cut down on the people that were actually doing it
openly.
Mrs. Bono. I agree. Thank you.
Ms. Davidson, you briefly mentioned hacker conventions or
conferences. Is there a room filled with people at a Hyatt
doing this, or is this something that is all taking place
online?
Ms. Davidson. I think they are a little more upscale than
the Hyatt, no disrespect to Hyatt.
Yes, there are such things. I am sure that Mr. Charney has
been to one as well to see the amount of collusion going on in
the halls to try to exploit the latest vulnerability in vendor
software.
Quite honestly, some of the hackers spend more time in the
hall devising viruses than I think they do at the actual
sessions. There are such things. One of the problems in the
industry really is that the hackers are very good at playing
nicely with one another. They share information. They share
exploit code.
One of the reasons there is such a shortening of this
window is in the past you could assume if there was a
vulnerability in your software, and it was difficult to find or
exploit, someone would have to spend a lot of time doing that.
Then you only had to worry about the one bad guy or bad gal as
the case may be. Now those people create automated ways of
doing bad things, and they share it with other people, who may
then improve upon it and find more destructive or virulent
forms of viruses or worms. And they actually have conventions.
That is a real problem.
Mrs. Bono. That is amazing to me that we can have physical
get-togethers of bad guys, and they are infiltrated by the FBI
or whoever ought to be there. How do we not know about this but
you guys do?
Ms. Davidson. Well, I think--Scott, I am sure, will have
some comments on this. Actually there are a number of people
who go to these from industry, partly because that is where
they learn about the latest techniques for breaking into
things.
I am not against general discussions of how to--how things
are broken so that you can understand how to better defend
against those attacks. I think we would be sticking our heads
in the sand if we didn't participate in that. But when someone
creates the exact--effectively leaves a Molotov cocktail on the
front lawn of a building with a box of matches next to it, with
a sign that says, have fun throwing this, they have some
accountability. And many of them feel that they have no
accountability; it is intellectual showing off.
Mr. Charney. I want to add a couple of comments, because I
think they are important. I spent 9 years as Chief of the
Computer Crime and Intellectual Property Section at the Justice
Department. Law enforcement agents do go to these conferences.
They actually have a Spot-the-Fed event, which is quite common.
But there is something else that is also important to note.
I mean, I agree with all Mary Ann's comments, but after the
Oklahoma City bombing, the Office of Legal Council gave a
constitutional opinion, at Congress's request, that bomb-making
information on the Internet was first-amendment-protected.
Similarly, information about code vulnerabilities, exploit
code, other kinds of information like that is constitutionally
protected most likely. It is one thing to deploy the code and
take action, but to go to a conference and talk about how you
might exploit a system is probably a constitutionally protected
activity.
And so we always have to keep this in some context.
Ms. Bono. Thank you.
Is there any--changing the subject a little bit,
recognizing that the minute that something is digitized, it is
a 1 and a zero, but are there hardware answers here like
biometric identifiers or credit card terminals that hardware
manufacturers are looking at? And I am basically back to
consumer protection solely, but is there a hardware answer on
the horizon?
Mr. Charney. Microsoft is investing about $6.9 million this
year on research and development, and one of the more important
projects we are working on is something called the next
generation security computing base. It is moving security into
the hardware, working with the major chip manufacturers to
create a secure chip set on your computer. You will still have
the general purpose computer that you have today, but you will
have a second chip set that will control what runs on your
machine with strong memory and process isolation.
And the goal of this, if this works, is that when code
tries to execute on your machine without your permission, if it
is on that protected side of the machine, you will be notified
that code is trying to run. You will be able to block it.
But, this is, you know, very difficult research and
development. And, I mean, we are shooting for, in the long-term
timeframe, the next version of the operating system, which
means roughly 2006, give or take.
Mrs. Bono. Well, thank you.
Mr. Chairman, I can go on and on, but I will stop. I just
thank you all so much for your time today. It has been very
informative.
Mr. Stearns. And I thank the gentlelady for staying for the
second round.
We have concluded our subcommittee hearing.
I would point out that the Federal Trade Commission has a
complete set of documents talking about how to stay safe
online. They have a little mascot who is promoting it. And so I
call attention to Members, too, that part of these programs
probably should be on their congressional Websites so people
can go to use, whether you are sight-seeing on the Internet or
whether you are talking about electronic theft, or how to stay
safe. The Federal Trade Commission has done a great deal of
work on this and are to be commended for all that they are
doing.
With that I want to thank the witnesses, and we will
probably have some follow-up questions for you. And I will
allow the members to offer that to you, give you 5 working days
to answer them if you could.
With that, the subcommittee is adjourned.
[Whereupon, at 12:20 p.m., the subcommittee was adjourned.]
-
�