Congressional Testimony

Protecting America's Critical Infrastructure

STATEMENT OF SALLIE McDONALD
ASSISTANT COMMISSIONER

OFFICE OF INFORMATION ASSURANCE AND CRITICAL INFRASTRUCTURE PROTECTION
FEDERAL TECHNOLOGY SERVICE
GENERAL SERVICES ADMINISTRATION
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
COMMITTEE ON ENERGY AND COMMERCE
AND THE
UNITED STATES HOUSE OF REPRESENTATIVES

APRIL 5, 2001

Report to Committee

Good morning, Mr. Chairman and Members of the Committee. On behalf of the Federal Technology Service of the General Services Administration let me thank you for this opportunity to appear before you to discuss our perspective on the state of security for government information technology resources.

As you know, we operate an entity known as FedCIRC. FedCIRC stands for the Federal Computer Incident Response Center and is a component of GSA's Federal Technology Service. FedCIRC is the central coordinating activity associated with security-related incidents affecting computer systems within the Civilian Agencies and Departments of the United States Government. FedCIRC provides security incident identification, containment and recovery services and works within the Federal community to educate agencies on effective security practices and procedures. FedCIRC's prevention and awareness program includes security bulletins and advisories, hardware and software vulnerability notifications, and vulnerability fixes.

With the recent enactment by Congress of the Government Information Security Reform Act, federal agencies and departments must report computer security incidents to FedCIRC. FedCIRC's role is to assist those federal agencies and departments with the containment of security incidents and to provide information and tools to aid them with the recovery process. In January, the Office of Management and Budget (OMB) issued implementing guidance on the new security act. In that guidance, OMB instructed agencies to implement both technical and procedural means to detect security incidents, to report them to FedCIRC, and to use FedCIRC to share information on common vulnerabilities. Agencies were advised to work with their security officials and Inspectors General to remove all internal obstacles to timely reporting and sharing. Additionally, in October of last year, the Federal CIO Council worked with FedCIRC and developed procedural advice to agencies for efficient interaction with FedCIRC.

When an incident is reported to FedCIRC, we work with those involved to collect pertinent information, analyze it for severity and potential impact, and offer guidance to minimize or eliminate further proliferation or damage. Additionally, FedCIRC assists in identifying system vulnerabilities associated with the incident and provides recommendations to prevent recurrence. Moreover, FedCIRC works closely with the FBI's NIPC and the national security community to ensure that incidents with potential law enforcement or national security impact are quickly reported to the appropriate authorities.

As government and industry systems and network interconnectivity increase, the boundaries between the two begin to blur. This huge network of networks, known of course as the Internet, includes both government and private systems. In some fashion, through the Internet, all of these systems are interconnected. Thus, an inescapable fact of life in this Internet Age is that any risk associated with any part of the Internet environment is ultimately assumed by all systems connected to it. Any security weakness across the Internet has the potential of being exploited to gain unauthorized access to one or more of the connected systems.

Reports from the Department of Defense and other sources tell us that over 100 countries have or are developing information warfare capabilities that could be used to target critical components of the national infrastructure including government systems. The National Security Agency has determined that potential adversaries are collecting significant knowledge on U.S. information systems and also collecting information and techniques to attack these systems. These techniques give an adversary the capability of launching attacks from anywhere in the world that are potentially impossible to trace.

Since October 1998, FedCIRC incident records have shown an increasing trend in the number of attacks targeting government systems. Overall, there were 376 incidents reported in 1998 that affected 2,732 Federal civilian systems and 86 military systems. In 1999, the figure had risen to 580 reported incidents affecting 1,306,271 Federal civilian systems and 614 military systems. By 2000, reported incidents numbered 586, which impacted 575,568 Federal civilian systems and 148 of their military counterparts. Though these numbers are in themselves ample cause for concern, they reflect only those reported incidents and do not include incidents that were not reported. Studies conducted by the Department of Defense, as well as data collected from the broad Internet community by Carnegie Mellon University's CERT Coordination Center, indicate that as many as 80% of actual security incidents go unreported. More important, perhaps, is the reason incidents appear to remain unreported. In most cases, incidents are not reported because the organization was unable to recognize that its systems had been penetrated or because there were no indications of penetration or attack.

Of course, computer security incidents vary in degree of severity and significance. Many incidents, such as web page defacements, are seemingly insignificant and generally categorized as "cyber-graffiti." Typically, systems that are victims of defacement have one thing in common: an overabundance of commonly known weaknesses in their respective operating system and server software. Though the damage from such incidents may be small, the rising number of occurrences suggests a clear pattern of inattentiveness to security problems, especially those that might be easily resolved with publicly available software patches.

While these relatively minor incidents may amount to mostly nuisances, the more significant incidents are those associated with the development of sophisticated attack methodologies. Such attack methodologies involve the organized distribution of intrusion techniques across the Internet. So-called "hackers," "crackers," mischievous individuals, rogue nations and even state-sponsored attacks are all threats to systems in government and the private sector.

In particular, unauthorized intrusions into government systems containing sensitive information are also on the rise. In 2000, as I reported earlier, FedCIRC documented 586 incidents affecting government systems. Of those, 155 were reported from 32 agencies and resulted in what is known as "root compromise." A root compromise means the intruder has gained full administrative or "root" privileges over the targeted system. This means that any information or capability of the system is totally owned by and controllable by the intruder. With "root" privileges, the intruder can cover his or her tracks, because those privileges allow the intruder to alter system logs and thereby erase any evidence of intrusion activities. In at least 5 of the incidents involving a root compromise, access to sensitive government information was verified. For the remaining 150 incidents, compromise of any and all information must be assumed. Root compromises were also employed in 17 separate instances where the compromised systems were used to host and then launch attacks. Attacks of this nature are particularly egregious since they work to erode the public trust in government systems integrity while serving to openly demonstrate security vulnerabilities within government systems.
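The paragraph above notes that an intruder holding root privileges can edit the system logs that would otherwise record the intrusion. The standard defensive answer is to make the log tamper-evident: chain each record to the hash of the one before it and keep a copy of the final hash somewhere the host itself cannot write to. The following is an added illustration written for this page, not code from FedCIRC or from the testimony; the log records, the field names and the genesis anchor value are all constructed for the example.

```python
"""Hash-chained audit log: makes after-the-fact log editing detectable.

Each entry stores SHA-256(previous_hash || canonical_record). Editing or
deleting any earlier entry changes every hash that follows it, and the
final hash is exported to a remote store so truncation is also caught.
"""
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for an empty chain


def _entry_hash(prev_hash, record):
    """Hash of a record bound to its predecessor's hash (canonical JSON)."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records):
    """Return a list of (record, hash) pairs, each hash covering its predecessor."""
    chain = []
    prev = GENESIS
    for rec in records:
        h = _entry_hash(prev, rec)
        chain.append((rec, h))
        prev = h
    return chain


def verify_chain(chain, anchor_hash):
    """Return (ok, index_of_first_bad_entry_or_None).

    anchor_hash is the final hash previously copied off-host (e.g. to a
    write-only log collector) so the local host cannot rewrite it.
    """
    prev = GENESIS
    for i, (rec, h) in enumerate(chain):
        if _entry_hash(prev, rec) != h:
            return False, i          # this entry (or an earlier one) was altered
        prev = h
    if prev != anchor_hash:
        return False, len(chain)     # entries removed or added after anchoring
    return True, None


# Constructed sample log records (not real data).
SAMPLE_RECORDS = [
    {"ts": "2001-04-05T08:00:00Z", "user": "alice", "event": "login", "result": "ok"},
    {"ts": "2001-04-05T08:02:10Z", "user": "bob", "event": "sudo", "result": "ok"},
    {"ts": "2001-04-05T08:05:33Z", "user": "unknown", "event": "login", "result": "fail"},
    {"ts": "2001-04-05T08:05:40Z", "user": "unknown", "event": "login", "result": "ok"},
]


def demo():
    """Build a chain, then show that both editing and truncation are detected."""
    chain = build_chain(SAMPLE_RECORDS)
    anchor = chain[-1][1]                     # value that would be exported off-host
    intact = verify_chain(chain, anchor)
    # An intruder with root rewrites the failed-login entry to hide the attempt.
    tampered = [(dict(rec), h) for rec, h in chain]
    tampered[2][0]["result"] = "ok"
    edited = verify_chain(tampered, anchor)
    # Or simply deletes the last two entries.
    truncated = verify_chain(chain[:2], anchor)
    return intact, edited, truncated


if __name__ == "__main__":
    print(demo())
```

The chain only helps if the anchor hash (or the whole stream) leaves the host before the intruder arrives, which is why the usual deployment pairs it with forwarding to a remote collector that the monitored system can append to but not modify.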

More recently, as a byproduct of the Y2K problem, a new type of attack has been gaining attention. This type of attack is known as the "Distributed Denial of Service" attack and is considered one of the most potentially damaging attack methods yet to be developed. The Distributed Denial of Service or DDoS attack simply overwhelms a targeted system with so much information that the targeted system cannot grant access to legitimate users. This attack can be particularly damaging when components of the critical infrastructure such as power grid controls, traffic controls, emergency and medical services are subject to a DDoS attack, since these attacks render their targets effectively inoperative. And if that is not enough, the DDoS attack, after first identifying and compromising vulnerable systems anywhere across the Internet, next deposits on those compromised systems hostile software capable of launching further attacks. Once in place, the exploited systems can then be orchestrated to simultaneously launch attacks on a predetermined target, flooding the target with more information than it is capable of processing. Ninety-three government systems were targets of DDoS attacks, many of which resulted in the disruption of critical government services.

Perpetrators continually scan the Internet to identify systems with weak security profiles or vulnerabilities. These reconnaissance activities focus on identifying the active services, operating systems, software versions and any protective mechanism that may be in place. Armed with this information, a would-be intruder can consult publicly available information repositories and references for vulnerabilities particular to their selected target. Then they can devise attack strategies with the highest probabilities for successful compromise. Port scans, probes, network mapping applications and commonly used network administration tools are typical resources used by an intruder to identify weaknesses in the chosen organization's infrastructure and to simplify the intrusion effort. Incidents reported by Federal agencies to FedCIRC during 1998 indicated a mere 157 occurrences. However, in 1999, there was a significant jump in network reconnaissance activity to 1,686 occurrences. Although 2000 showed a slight decrease, the number of reported reconnaissance incidents still was 1,207.
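The two preceding paragraphs describe the traffic patterns an agency would see on its own perimeter: a port scan (one source touching many ports on one host in a short time) and a distributed flood (many sources hitting one destination at a rate it cannot absorb). The example below, added for this page and not drawn from FedCIRC or the testimony, runs simple detection logic over a constructed connection log. The log format (`<epoch_seconds> <src_ip> <dst_ip> <dst_port>`, one attempt per line), the thresholds and the sample addresses are all assumptions made for the illustration; real thresholds would be tuned to the site's baseline traffic.

```python
"""Flag port scans and flood traffic in a connection log (constructed format)."""
from collections import defaultdict, deque

SCAN_PORT_THRESHOLD = 10    # distinct ports one source touches on one host within WINDOW_SECONDS
FLOOD_RATE_THRESHOLD = 50   # connection attempts per second to one destination
WINDOW_SECONDS = 60


def parse_line(line):
    """Parse '<epoch_seconds> <src_ip> <dst_ip> <dst_port>' into a tuple."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_port_scans(lines, threshold=SCAN_PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): max_distinct_ports} for pairs that look like a port scan.

    Sliding window per (src, dst): an alert fires once a source has touched
    `threshold` or more distinct ports on the same host within `window` seconds.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)        # (src, dst) -> deque of (ts, port) inside the window
    alerts = {}
    for ts, src, dst, port in events:
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(distinct))
    return alerts


def detect_floods(lines, threshold=FLOOD_RATE_THRESHOLD):
    """Return {(dst, second): stats} for destinations receiving a flood.

    `distinct_sources` separates a distributed flood (many compromised hosts
    firing at once, as the testimony describes) from a single noisy client.
    """
    per_second = defaultdict(list)     # (dst, ts) -> list of source addresses
    for line in lines:
        ts, src, dst, _port = parse_line(line)
        per_second[(dst, ts)].append(src)
    alerts = {}
    for (dst, ts), srcs in per_second.items():
        if len(srcs) >= threshold:
            alerts[(dst, ts)] = {"connections": len(srcs),
                                 "distinct_sources": len(set(srcs))}
    return alerts


def build_sample_log():
    """Constructed log: some benign web hits, one port scan, one distributed flood."""
    lines = []
    for i in range(5):                                   # benign traffic to a web server
        lines.append(f"{900 + i} 10.0.0.{i + 1} 192.0.2.20 80")
    for port in range(1, 26):                            # one host sweeps 25 ports in 25 s
        lines.append(f"{1000 + port} 10.0.0.5 192.0.2.10 {port}")
    for i in range(60):                                  # 60 sources hit one server in one second
        lines.append(f"2000 198.51.100.{i + 1} 192.0.2.20 80")
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    print("port scans:", detect_port_scans(sample))
    print("floods:", detect_floods(sample))
```

The two detectors are deliberately independent: the scan detector keys on (source, destination) and ignores rate, while the flood detector keys on (destination, second) and ignores ports, so a scan from one host and a flood from many hosts each trigger only the check meant for them.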

The sophistication of computer viruses also poses a significant threat. While yesterday's viruses were destructive to files residing on a system, today's viruses come in many forms and self-propagate by exploiting the advanced capabilities of modern-day software applications. Computer viruses may harbor capabilities to destroy both hardware and software. They may arrive in the form of so-called "trojan horse" code capable of capturing and transmitting sensitive information, user account data or administrator passwords. As legitimate software programs incorporate more advanced capabilities, those same capabilities are being harnessed for very destructive purposes. As we observed during the "Melissa" and "I Love You" viruses, a single email on the other side of the globe began saturating mail servers within a few short hours. The number of virus incidents reported by Federal agencies in 1998, 1999 and 2000 totaled 55, 35, and 36 respectively. Since anti-virus defenses are developed in response to a virus, there is a relatively significant period of time between the capturing of the virus code and the development of a defense. Considering the near-real-time communications capabilities available to a large percentage of the world population, microseconds can mean the difference between normal operations and system disruption.

Statistics compiled by Carnegie Mellon University's CERT Coordination Center show a definite correlation between the growth of software vulnerabilities and the number of reported incidents. From 1988 to present day, the number of vulnerabilities identified annually has increased from only single digits to well over 800. The number of reported incidents across industry and government closely tracks that of the vulnerabilities, from a meager few in 1988 to almost 25,000 as of the beginning of this year. These trends indicate that Internet-connected systems are becoming increasingly vulnerable to attack and that defensive measures are not yet adequate to protect against exploitation of the vulnerabilities.

With the rapid transition to a paperless government and increasing dependence on e-government solutions, the focus on secure technology approaches must be a high priority. The unprecedented growth in technology is driving government to implement capabilities and services so rapidly that security concerns are often overlooked. The adoption of e-commerce solutions, e-government solutions and countless forms of electronic information exchange is in danger of moving forward without adequate consideration of the protection of the systems and the information they store, process or transmit. We in government cannot afford to overlook our inherent responsibility to protect sensitive information from unauthorized disclosure. The implementation of strategic defenses for the Federal Information Infrastructure can only be realized if we act promptly to establish the proper foundation for already overdue initiatives to combat these issues. Information sharing and collaboration on the part of all concerned is key to the creation of effective defenses. FedCIRC, in cooperation with every Civilian Federal Agency, Industry, Law Enforcement, the Department of Defense and Academia, has begun building a virtual network of partners to facilitate the sharing of security relevant information and ideas. Each week, the list of partners increases as more and more realize that this battle cannot be fought in isolation. Every contributing piece of information from a participating partner has the potential of unlocking a critical cyber-defense problem.

Summary

Mr. Chairman, in my remarks here this morning, I have merely touched on the most significant information security challenges we face in this Internet Age dawning before us. My goal was to inform you and this committee about the nature of the cyber-security issues we face collectively as a nation. I also want to help you appreciate the degree and level of commitment that those in FedCIRC and participating organizations share regarding the protection of the components of our Critical Infrastructure. We appreciate your leadership and that of the Committee in helping us achieve our goals and allowing us to share information that is crucial to the effective defense of Federal Information Technology resources.


Summation of Testimony

The General Services Administration, Federal Technology Service will offer testimony pertaining to the level of cyber threats and the overall security profile of Federal Civilian Agency networks. Ms. Sallie McDonald, Assistant Commissioner, Office of Information Assurance and Critical Infrastructure Protection, will deliver the testimony, which is based on computer security related incident reports filed with the Federal Computer Incident Response Center (FedCIRC).

FedCIRC is the central activity for the collection and analysis of reports detailing cyber events impacting Federal information technology (IT) resources. FedCIRC's mission is to assist Federal Agencies and Departments with the identification, containment and recovery from computer security related events. They provide technical insight, guidance, information and tools to aid system administrators with the complex tasks associated with secure and responsible network management.

Ms. McDonald will address some of the most threatening cyber security issues including root compromises, distributed denial of service attacks and malicious code. She will also deliver a summation of statistical data compiled from FedCIRC incident reports that will show the increasing threat to government systems and the proliferation of sophisticated attack tools and methods. Elements of Ms. McDonald's testimony will address:

  • FedCIRC Mission Responsibilities
  • Government Information Security Reform Act
  • Security Related Incidents Affecting Government Systems
  • Software Patch Efforts
  • Root Compromises in Government
  • Distributed Denial of Service Attacks
  • Network Reconnaissance Activities
  • Computer Viruses and Malicious Code

Information in this testimony is based on incidents reported by Federal Civilian Agencies and Departments and does not include data from unreported events. Though certain trends may be concluded from the available information, the accuracy of any conclusion may be questionable if not correlated with that of unreported incidents. With the passing of the Government Information Security Reform Act, agency reporting to FedCIRC is now mandated and future statistics are expected to portray a more accurate assessment of threats to the Federal Information Infrastructure and the overall state of government's information security profile.

Last Reviewed 9/30/2008