[House Hearing, 107 Congress]
[From the U.S. Government Printing Office]




                               before the

                  SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
                        FINANCIAL MANAGEMENT AND
                       INTERGOVERNMENTAL RELATIONS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION


                            AUGUST 29, 2001


                           Serial No. 107-77


       Printed for the use of the Committee on Government Reform

  Available via the World Wide Web: http://www.gpo.gov/congress/house


                            WASHINGTON : 2002
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, DC
MARK E. SOUDER, Indiana
JOE SCARBOROUGH, Florida             ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                    ROD R. BLAGOJEVICH, Illinois
DAN MILLER, Florida                  DANNY K. DAVIS, Illinois
DOUG OSE, California                 JOHN F. TIERNEY, Massachusetts
RON LEWIS, Kentucky                  JIM TURNER, Texas
JO ANN DAVIS, Virginia               THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                 WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida
C.L. ``BUTCH'' OTTER, Idaho
EDWARD L. SCHROCK, Virginia          BERNARD SANDERS, Vermont (Independent)
JOHN J. DUNCAN, Jr., Tennessee

                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director

    Subcommittee on Government Efficiency, Financial Management and 
                      Intergovernmental Relations

                   STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida                  MAJOR R. OWENS, New York
DOUG OSE, California                 PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida              CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
   Bonnie Heald, Director of Communications/Professional Staff Member
                          Mark Johnson, Clerk
           David McMillen, Minority Professional Staff Member

                            C O N T E N T S

Hearing held on August 29, 2001
Statement of:
    Carpenter, Jeffrey J., manager, CERT Coordination Center, 
      Carnegie Mellon University
    Castro, Lawrence, Chief, Defensive Information Operations 
      Group, Information Assurance Directorate, National Security 
      Agency
    Culp, Scott, manager, Microsoft Security Response Center, 
      Microsoft Corp.
    Lewis, Alethia, deputy director, Department of Information 
      Technology, State of California
    Maiffret, Marc, chief hacking officer, eEye Digital Security
    Miller, Harris, president, Information Technology Association 
      of America
    Neumann, Peter G., principal scientist, Computer Science 
      Laboratory, SRI International, Menlo Park, CA
    Rhodes, Keith A., Chief Technologist, Center for Technology 
      and Engineering, General Accounting Office
    Trilling, Stephen, senior director of advanced concepts, 
      Symantec Corp.
    Wiser, Leslie G., Jr., Section Chief, National Infrastructure 
      Protection Center, Federal Bureau of Investigation
Letters, statements, etc., submitted for the record by:
    Carpenter, Jeffrey J., manager, CERT Coordination Center, 
      Carnegie Mellon University, prepared statement of
    Castro, Lawrence, Chief, Defensive Information Operations 
      Group, Information Assurance Directorate, National Security 
      Agency, prepared statement of
    Culp, Scott, manager, Microsoft Security Response Center, 
      Microsoft Corp., prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of
    Lewis, Alethia, deputy director, Department of Information 
      Technology, State of California, prepared statement of
    Maiffret, Marc, chief hacking officer, eEye Digital Security, 
      prepared statement of
    Miller, Harris, president, Information Technology Association 
      of America, prepared statement of
    Neumann, Peter G., principal scientist, Computer Science 
      Laboratory, SRI International, Menlo Park, CA, prepared 
      statement of
    Rhodes, Keith A., Chief Technologist, Center for Technology 
      and Engineering, General Accounting Office, prepared 
      statement of
    Trilling, Stephen, senior director of advanced concepts, 
      Symantec Corp., prepared statement of
    Wiser, Leslie G., Jr., Section Chief, National Infrastructure 
      Protection Center, Federal Bureau of Investigation, 
      prepared statement of



                       WEDNESDAY, AUGUST 29, 2001

                  House of Representatives,
  Subcommittee on Government Efficiency, Financial 
        Management and Intergovernmental Relations,
                            Committee on Government Reform,
                                                      San Jose, CA.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 205 of the San Jose Council Chamber at 801 North First 
Street, San Jose, CA, Hon. Stephen Horn (chairman of the 
subcommittee) presiding.
    Present: Representative Horn.
    Also present: Representative Honda.
    Staff present: J. Russell George, staff director and chief 
counsel; Bonnie Heald, director of communications; Elizabeth 
Johnston, detailee; Scott Fagan, assistant to the subcommittee; 
Mark Johnson, clerk; and David McMillen, minority professional 
staff member.
    Mr. Horn. This hearing of the Subcommittee on Government 
Efficiency, Financial Management and Intergovernmental 
Relations will come to order.
    The dramatic increase in computer use and the Internet is 
changing the way we communicate and conduct business. With 58 
percent of Americans now having home Internet access, our 
Federal, State and local governments increasingly rely on the 
Internet to conduct business. More than 40 million Americans 
now perform such routine activities as filing income tax 
returns, health benefit claims, and renewing driver's licenses 
    In addition to this wealth of personal information, the 
government's computer systems hold information that is vital to 
the security and economic well-being of this Nation.
    Unfortunately, these systems are increasingly vulnerable to 
hostile attacks that are capable of extracting unauthorized 
information and potentially threatening the Nation's 
    Overall, the number and sophistication of these attacks is 
rising dramatically according to the federally funded CERT 
Coordination Center. Just to explain CERT, it stands for 
Computer Emergency Response Team, and it's our friends at 
Carnegie-Mellon that have been working on this for years. The 
number of incidents rose from 9,859 in 1999 to 21,765 in the 
year 2000.
    So far this year, 15,476 incidents have been recorded. An 
increasing number of these attacks, often in the form of 
viruses or worms, specifically target government systems. There 
are more than 48,000 known worms and viruses which enable 
hackers to gain access to systems and data stored on the 
infected computers. Some of the most destructive of these 
programs can delete system and application software and even 
destroy the hardware itself. There are nearly 110 million with 
Internet connections and, as we have seen, these potentially 
devastating viruses or worms can become an epidemic in 
    In 1999, for example, the Melissa virus gained notoriety 
because of the speed at which it spread. The first confirmed 
reports of Melissa were received on Friday, March 26, 1999. By 
Monday, March 29, the virus had affected more than 100,000 
    Last year the ILOVEYOU virus created worldwide havoc in a 
matter of days costing an estimated almost $8 billion to fix it 
up. Last month, worms called Code Red I and II in Roman 
numerals, burrowed into nearly 1 million computer systems 
worldwide and affected an estimated 100 million computer users. 
E-mail systems went down for days. Workers were locked out of 
crucial computer files and some e-commerce ground to a halt. 
Government Web sites came under siege with the Pentagon 
shutting down public access to all of its Web servers. To date, 
the cost of Code Red worms has risen to more than $2 billion 
and are mushrooming to about $200 million per day.
    So far, these viruses and worms have not caused irreparable 
damage to the Federal Government's information systems. 
However, as the attacks become more sophisticated, the 
magnitude of the potential threat is colossal.
    We must do something more than just react to these attacks. 
There is no easy fix but governments at every level must be 
prepared for the next attempted invasion. Computer security 
must have a priority.
    Today we will examine the extent of the threat to 
government computer systems and the need for policy changes to 
ensure that these systems which are vital to this Nation and 
its economy and its citizens are protected.
    We welcome our witnesses today and we look forward to their 
    [The prepared statement of Hon. Stephen Horn follows:]

    [GRAPHIC] [TIFF OMITTED] T0480.001
    [GRAPHIC] [TIFF OMITTED] T0480.002
    Mr. Horn. Panel one will include Keith Rhodes, Chief 
Technologist, Center for Technology and Engineering, of the 
U.S. General Accounting Office. That is part of the legislative 
branch of government headed by the Comptroller General of the 
United States.
    Mr. Castro, Larry Castro, is chief of defensive information 
operations group of the Information Assurances Directorate. 
General Hayden is the commanding officer of the National 
Security Agency, and we welcome Mr. Castro. The Information 
Assurance Directorate and the National Security Agency is 
really our No. 1 intelligence group in the United States.
    Leslie G. Wiser, Jr., Section Chief, National 
Infrastructure Protection Center, the Federal Bureau of 
Investigation. They have been particularly active and very 
cooperative with the Congress just as the National Security 
Agency has cooperated with the Congress on this very difficult 
    After Mr. Wiser, we will have Jeff Carpenter, manager of 
the CERT Coordination Center that I mentioned earlier with 
Carnegie-Mellon University and its Computer Emergency Response 
    The fifth one is Patricia Kuhar, program manager for 
information technology, California State Department of 
Information Technology.
    In addition, one of my colleagues will be here. Mr. Honda, 
the gentleman from California. Michael Honda is making his way 
to the hearing from Sacramento. I wish him well. Most of you 
know this because a lot of you have been before us before. But 
this is an investigating committee and, as such, we do 
administer an oath to make sure everything is done under oath. 
So if you will stand up and put your right hands up.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that all four witnesses 
present have taken the oath, and we can now start with Mr. 


    Mr. Rhodes. Thank you, Mr. Chairman.
    In keeping with the rules of the committee, I'd like to 
give a brief summary and have my full statement submitted for 
the record.
    Mr. Horn. I might add that when I name each individual, 
that automatically under our rules their statement goes 
immediately into the hearing record. This is being taken down 
by very able people, and Mr. Rhodes knows this, and we're 
delighted to have a member of the U.S. General Accounting 
    Mr. Rhodes. Thank you.
    Mr. Chairman and members of the subcommittee, thank you for 
inviting me to participate in today's hearing on the most 
recent rash of computer attacks. This is the third time I've 
testified before Congress over the past several years on 
specific viruses. First, the Melissa virus in April 1999 and 
second, the ILOVEYOU virus in May 2000. At both hearings I 
stressed that the next attack would likely propagate faster, do 
more damage, and be more difficult to detect and counter.
    Again, we are having to deal with destruction that is 
reportedly costing billions. In the past 2 months, 
organizations and individuals have had to contend with several 
particularly vexing attacks. The most notable, of course, is 
Code Red but potentially more damaging are Code Red II and its 
variants and SirCam.
    Together, these attacks have infected millions of computer 
users, shut down Web sites, slowed Internet service, and 
disrupted business and government operations. They have already 
caused billions of dollars of damage, and their full effects 
have yet to be completely assessed, partly because viruses and 
worms don't just go away, especially the latest Code Red II 
variant which seems to have been modified to enable it to 
reinfect the systems it attacks.
    Despite some similarities, each of the recent attacks is 
very different in its makeup, method of attack, and potential 
damage. Generally, Code Red and Code Red II are both worms 
which are attacks that propagate themselves to networks without 
any user intervention or interaction. They both take advantage 
of a flaw in a component of versions 4.0 and 5.0 of Microsoft's 
Internet Information Services [IIS] Web server software.
    The main point I want to make about these two worms as well 
as the associated virus is that in and of themselves they might 
not be necessarily all that interesting. The potential of the 
attacks, however, is what I would like to cover today in my 
    The worms have taken an additional step compared to what 
ILOVEYOU or Melissa did. Code Red itself combined a worm with a 
denial of service attack, and Code Red II has combined a worm 
with the ability for installing a back door for circumventing 
security services inside Web service. SirCam, on the other 
hand, is a virus but it's a virus that doesn't rely on, as with 
ILOVEYOU, the internal mail server capability of the systems it 
attacks. Rather, it brings its own e-mail software with it so 
that it can send itself out.
    Some of the points that I'd like to make today are that 
computer security, what we need to understand from these worms 
and virus attacks is that computer security is indeed a full-
time job. New threats and vulnerabilities are constantly being 
identified, and measures to address those threats and 
vulnerabilities are being developed and implemented.
    For example, when the vulnerability exploded when Code Red 
was announced, a patch was also made available at the same 
time. This required installations using the affected software 
to: No. 1 keep up with the vulnerabilities associated with 
their software; and No. 2, install a patch to address the 
vulnerability. Until this announcement, most, if not all, of 
these installations did not know they had a problem. 
Considering the number of affected servers, a number of sites 
did not take the quick response necessary to address this new 
vulnerability. For example, install the available patches.
    This also underscores a point that we've made to this 
committee as well as other committees and the Congress 
regarding general controls of computer security across the 
government. The government is not in a position to protect 
itself. It does not have the talent, it does not have the 
training, it does not have the early warning. We are 
constantly--in my other capacity I run a computer security test 
laboratory in the General Accounting Office that has done work 
for this and other committees, and we are always able to break 
in and usually we are able to break in undetected and we are 
not using any sophisticated techniques. So it's not surprising 
that Code Red, Code Red II, Code Red's latest variant, SirCam, 
etc., are effective.
    For example, I don't know if the gentleman from Symantec, 
Stephen Trilling, is going to actually disassemble the Code Red 
software for you later, but it's not very smart code. It's not 
very sophisticated. Yes, it does combine denial of service 
attack with its ability to be a worm, but it's not very good 
code at all. When you look at it, it's thrown together and yet 
it's still extremely effective.
    No. 2 the attacks are coming faster after the vulnerability 
is announced. About 1 month after the vulnerability was 
announced, an effective attack using that vulnerability was 
launched. Shortly after this attack was launched, another 
attack with far more serious consequences was launched. That's 
Code Red II. Code Red came out, then Code Red II came out and, 
as a matter of fact, we were modifying the testimony in real 
time over the last week because a new variant had come out.
    No. 3 installing software is a complex business. In some 
cases, entities are installing software without actually 
knowing the services that are being activated. For example, we 
understand that some entities were installing Windows 2000 
without understanding that the IIS services were being 
activated. Therefore, take for example, your own cell phone. 
You probably don't know all the services that are associated 
with your cell phone, and you probably don't use all of them. 
However, when you buy a software package now, you're getting a 
complete set of services, some of which you don't know that 
they may have vulnerability.
    The initial threat associated with a given attack is 
difficult to assess. I think one of the reasons, Mr. Chairman, 
that you and I get to see one another on an annual basis is 
that $8 billion distributed across the entire world, sort of 
like the first rules of physics. If I distribute the energy 
across a wide enough area, nobody feels the impact. $8 billion 
worldwide. Nobody seems to be willing to cry uncle, either the 
government or industry or individual users.
    Substantial financial impact. It's very hard to get anyone 
to say that $8 billion matters. We are now on our way to, as 
you pointed out, $200 million a day perhaps in impact and yet 
no one is willing to scream uncle. Therefore, what is the 
definition of critical infrastructure? If it's truly critical, 
someone should be crying uncle by now or somebody is in a 
position to not be able to cry uncle.
    Affected servers. One of the additional things about the 
current set of worms is that the affected servers broadcast the 
fact that their resources can be compromised. It's not just 
that Code Red goes in and takes over your environment, but Code 
Red goes in, takes over your environment and then tells 
everyone else that your environment has been compromised. The 
vulnerability exploited by Code Red can be used to take over 
the server. Nefarious individuals are always looking for 
servers that can be compromised in this fashion.
    However, rather than seeking out servers that have this 
vulnerability, all a person has to do is to look at their own 
network to see what servers are attempting to spread the Code 
Red worm to them. Based on this information, the individual 
knows that the server is vulnerable to this attack. The attacks 
are indeed getting worse and worse. The attacks are coming 
faster after vulnerabilities are being identified and have a 
more devastating impact.
    For example, the initial version of Code Red appeared about 
1 month after the vulnerability was published. Shortly after 
the initial release, another attack that allowed an 
unauthorized individual to take over the server was launched.
    In the midst of all of this gloom and doom that I'm 
presenting, I would like to point out that there was one good 
thing that did come out of these latest Code Red attacks, 
and that was there was very good coordination between the U.S. 
Government and private industry. It was, to my mind, the first 
time the government and industry had effectively worked 
together. This is the first time, in a coordinated fashion, 
that government and industry had worked to address a problem 
such as this. This is a positive step forward. However, I will 
say that this is the pound of cure rather than the ounce of 
    One of my last points. Most software is not secure. Instead 
of relying on the code and fix approach for software 
development and security, we need to build security in the 
software during the development process. Although this may 
sound simple, it often conflicts with a get to market fast 
development program. Users, individual, corporate and 
government, are more than willing to state the mantra of it's a 
trade-off between usability and cost and the probability of a 
compromise remote PC is low. In other words, the users do not 
want to spend the time and money to secure systems since the 
``other stuff'' we do for a living is more important and 
valuable. The fallacy in this argument is that the users have 
not done the risk analysis that allows them to make an informed 
decision about their security posture.
    The last point I'd like to make, Mr. Chairman, is that in 
going along with the pound of cure, your committee has talked 
time and time again that there's a dearth of management inside 
government and so you and others have brought about the 
government Information Security Reform Act. But again, that's a 
cure as opposed to a prevention because that requires 
organizations like OMB, the Inspectors General, and the General 
Accounting Office to come in and validate the security posture 
of the departments and agencies. Again, we're in a situation, 
as we were in Y2K, where the Congress is stepping in to pass 
laws to make certain that people do due diligence regarding 
their own security posture.
    Thank you very much, Mr. Chairman. That concludes my 
testimony, and I would entertain any questions from you or 
committee members.
    [The prepared statement of Mr. Rhodes follows:]

    [GRAPHICS] [TIFF OMITTED] T0480.003 through T0480.020
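As an added illustration, not part of the hearing record, of Mr. Rhodes' point that the hosts attempting to spread Code Red reveal themselves in the target's own logs: a Python script that reads IIS W3C extended log lines and lists the source addresses whose requests carry the Code Red probe signature (a request for /default.ida whose query string is a long run of N for Code Red I or X for Code Red II, followed by %u-encoded bytes). The log lines, addresses and the truncated payload tails are constructed sample data; the field names follow the W3C extended format.

```python
import re
from collections import defaultdict

# Probe signature: query string starting with a long run of 'N' (Code Red I)
# or 'X' (Code Red II) and then %u-encoded bytes. The worms sent hundreds of
# filler characters; 16 is enough to separate them from ordinary queries.
PROBE_RE = re.compile(r"(?P<filler>N{16,}|X{16,})%u", re.IGNORECASE)

VARIANT_BY_FILLER = {"N": "Code Red I", "X": "Code Red II"}

# Constructed sample in IIS W3C extended log format. Addresses are from the
# documentation ranges; payload tails are truncated to a few %u tokens.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-08-04 10:02:11 192.0.2.17 GET /default.ida {'N' * 224}%u9090%u6858%ucbd3%u7801 404",
    "2001-08-04 10:02:12 198.51.100.5 GET /index.html - 200",
    f"2001-08-04 10:02:15 192.0.2.17 GET /default.ida {'N' * 224}%u9090%u6858 404",
    f"2001-08-04 10:03:01 203.0.113.9 GET /default.ida {'X' * 224}%u9090%u6858%ucbd3 404",
    "2001-08-04 10:03:40 198.51.100.5 GET /images/logo.gif - 200",
])


def parse_w3c_line(line, field_names):
    """Split one W3C extended log line into a dict keyed by the #Fields names.

    Returns None when the token count does not match the declared fields."""
    parts = line.split()
    if len(parts) != len(field_names):
        return None
    return dict(zip(field_names, parts))


def find_code_red_probes(log_text):
    """Return {source_ip: {"variant": name, "count": n}} for probing hosts.

    Every hit is a remote host that tried to push the worm at this server.
    As Mr. Rhodes notes, such a host is itself infected, which means it is
    unpatched; the list is the set of machines to isolate and patch first."""
    fields = None
    probes = defaultdict(lambda: {"variant": None, "count": 0})
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # field layout is declared in the log
            continue
        if raw.startswith("#") or not raw.strip() or fields is None:
            continue
        rec = parse_w3c_line(raw, fields)
        if rec is None or rec.get("cs-uri-stem", "").lower() != "/default.ida":
            continue
        match = PROBE_RE.match(rec.get("cs-uri-query", ""))
        if not match:
            continue
        variant = VARIANT_BY_FILLER[match.group("filler")[0].upper()]
        entry = probes[rec["c-ip"]]
        entry["variant"] = variant
        entry["count"] += 1
    return dict(probes)


if __name__ == "__main__":
    for ip, info in sorted(find_code_red_probes(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} probe(s), {info['variant']}")
```

Run against a real IIS log directory, the same function gives the inventory of infected neighbours that Mr. Rhodes describes; the status code is deliberately ignored, since the probe itself is the evidence regardless of how this server answered.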
    Mr. Horn. Yes. We will have all the presenters and get it 
all on the table and then we'll go to questions.
    We now have Larry Castro, Chief Defensive Information 
Operations Group of the Information Assurance Directorate of 
what is probably our greatest national intelligence agency, the 
National Security Agency. Thank you, Mr. Castro, for coming.

                        SECURITY AGENCY

    Mr. Castro. Thank you, sir. Good morning. Thank you for 
that kind introduction. On behalf of our Director, Lieutenant 
General Mike Hayden, I am pleased to respond to the 
subcommittee's invitation to discuss NSA's view of the threats 
posed by malicious computer code, particularly viruses and 
    My name is Larry Castro. I lead the Defensive Information 
Operations Group within NSA's Information Assurance 
Directorate. I'm accompanied today by Mr. Steve Ryan, a senior 
technical director in our group. We have submitted to the 
committee a formal statement for the record, and what I'd like 
to do is just summarize some of the key points of that as well 
as refer you to a few graphics that we put together.
    As the chairman has most kindly pointed out, NSA is 
probably most well known for its signals intelligence or SIGINT 
mission which provides critical information about a wide range 
of foreign intelligence topics. Our Information Assurance 
mission to protect national security related information is an 
equally vital part of NSA's 50 year history and it's in this 
capacity of representing NSA's information assurance capability 
that I appear before you today.
    What I'd first like to do in the next chart is to share 
with you the larger context with which we approach our 
information assurance mission and that is we seek in our 
products and the services that we provide to our customers 
within the national security community to provide products and 
services that emphasize these five attributes. We are, of 
course, most well known for historically providing very high-
grade encryption products, but as the world of networking has 
evolved, we have branched out and our products now seek to help 
ensure the availability of communications, to protect data 
integrity, and to ensure the ability to authenticate and have 
non-repudiation among users.
    Even with these within the even larger framework, we 
operate our entire information assurance mission, and that is 
to say again we seek to work across a wide spectrum with regard 
to computer and cyber incidents ranging from providing the 
technology to protect to engaging in services in cooperation 
with the U.S. Space Command and Joint Task Force on Computer 
Network Operations to detect and report on incidents in cyber 
space and then finally in support of the Defense Information 
System Agency to react to those incidents.
    What the chart seeks to depict is to say that to do all of 
this you need to have that mix among technology, operations and 
personnel. The technology needs to be robust and the people, as 
has been pointed out in Mr. Rhodes' testimony, need to be well-
trained to do the job. And then finally, you have to implement 
a sound information assurance policy.
    I'd like to share with you all our view of the environment 
in which we're operating. Here, this is not a piece of modern 
art. It, in fact, is a result of work done by Doctor Bill 
Cheswick at Lumeta wherein he has developed a capability of 
scanning the Internet. This is a scan of some 80,000 Internet 
routers. Each of those dots, should they be capable of being 
resolved, is one such router and the connections between the 
routers are color-coded to show the state of connectivity.
    Within NSA and within our Information Assurance Defensive 
Operations Group we have a number of customers who correspond 
to one or more of those dots, and our job is to provide the 
situation awareness of what's going on among that whole milieu 
of dots, in particular, looking for the routers associated with 
bad actors. And I will try to describe some of the techniques 
that we use to do that. The sort of takeaway though is that the 
impression that you're given and the reason I like to use this 
chart is that this is an exploding environment. It's continuing 
to grow and branch out and that there are no boundaries in that 
chart up there. We don't see any State boundaries within the 
U.S. Department of Defense. We don't see any boundaries between 
U.S. Space Command, U.S. Central Command. And this is the 
message that we take, that the vulnerability of one leads to 
the vulnerability of all.
    Going now to discuss a little bit about the threat. It's 
clearly one that has many, many dimensions and, from our 
perspective at NSA, we see folks in each of those clouds 
playing in cyber space. They have varying motives. Some are 
just in it for ego, quite frankly. Others are there for 
financial gain and occasionally we detect those who are there 
for serious data mining, possibly even espionage.
    In the next chart we attempt to define the classes of 
attacks that we are contemplating. Starting from the left and 
then working to the right, we would simply alert the committee 
that there is a credible threat actually even in the 
distribution of software. The ability to implant this malicious 
code as the software is put into shrink wrap does exist and, of 
course, there are many who are concerned about this and are 
reacting to it.
    Then with regard to the actual communication structures 
within the Internet itself, as shown there, there are both 
passive and active means of monitoring those structures, of 
inserting one's self in for less than good purposes. Of course, 
the main thrust of this presentation and this committee's work 
is the active remote attack that we show there in the bottom 
and that is surely one for which and through which we see the 
majority of incidents that we work on today.
    And then getting actually into the enclave that we seek to 
defend. There are those who would simply stand off just outside 
this enclave, perhaps just outside this window, attempting to 
influence the cyber environment and then, quite frankly, sir, 
the thing that we're most concerned about within the Department 
of Defense, and it's been borne out over the last several 
years, is the insider threat. Again, the insider, either 
cooperating with outsiders or on its own, can do quite a bit of 
    The other thing that needs to be noted is more and more we 
see the appearance of bulletin boards, chat rooms and other 
fora allowing hackers and those who would attempt to do harm in 
cyber space to exchange information. What this chart attempts 
to depict is that freeware that allows someone to become a 
script kiddie and perhaps even become more extensive is readily 
available, is increasing in complexity and simply allows more 
efficient work on behalf of the hacker.
    Now I'd like to turn to an examination that we completed 
within the Department of Defense looking at incidents over the 
last quarter. That would be to say the last 3 months preceding 
this one. What we did was to look at the apparent origin of the 
incidents that we are recording in the Department of Defense in 
the Joint Task Force on Computer Network Operations. 
Interestingly, as you can see, for that particular quarter and 
for a number of different reasons having to do with lots of 
things going on in the world, China was the country of apparent 
origin for over 20 percent of the incidents recorded within the 
Department of Defense. The others in the top 10 are shown 
    I do have to make one clarification with regard to apparent 
origin. As many know, the apparent origin is simply the last 
place that we see an attack coming from. As the chart here 
shows, the actual perpetrator could be located anywhere behind 
that apparent origin location. However, I still think it's 
useful to show which countries are being implicated, either 
wittingly or unwittingly, in these kind of attacks and 
intrusion attempts.
    As has been discussed over the last 3 months, there have 
been a number of different worms and viruses and attacks that 
have shown up. One that impressed us most was the one referred 
to as the W32 Leaves worm or just the Leaves worm. Without 
going into the details--time doesn't allow--simply to say that 
this was a very, very complex attack. What impressed us most 
was the fact that when it was all said and done, the intruder 
down there in the lower right had the capability, estimates 
say, to control with one single set of commands about 24,000 
zombies that he had established in his network. He did it in a 
very, very sophisticated way, a way that involved from time to 
time using encryption of his commands and, as I said before, he 
was able in the end to set up a command and control mechanism 
that did not require him to communicate individually with each 
of the computers under his control, but rather he used an 
Internet relay chat channel to provide both updates to his 
zombies and to provide commands.
    We actually saw no harmful activity that came from this 
attempt to set up this distributed computing network, but I 
think it is indicative of the sophistication that we can expect 
to see in the future.
    Now with regard to what we would suggest are the ways 
ahead, and they have already been very well covered by Mr. 
Rhodes so I will only seek to reiterate one more time. There's 
clearly a very, very strong component of education and 
awareness, not only for the practitioners but, we would submit, 
for the Nation at large. We would commend the committee. We 
think that having this hearing involving both government 
entities, academia, and the industry is a very, very important 
way of getting that message out.
    We would also like to share with the committee the fact 
that within NSA, trying to get to the point again raised by Mr. 
Rhodes with regard to having sufficient folks well-trained, we 
have established an Academic Centers of Excellence Program that 
uses community-accepted criteria for validating the curricula 
of universities who engage in information assurance-related 
    Within California, of the 23 universities that have been so 
designated, U.C. Davis, Stanford University and the Naval Post-
Graduate School of Monterey have been designated as Academic 
Centers of Excellence for information assurance education.
    The second point is giving increasing emphasis on 
anticipatory defensive measures. Specifically by this, we mean 
the fact that, again, as has already been pointed out, every 
one of the vulnerabilities that are being exploited by those 
who would do harm in cyber space are known beforehand and are 
anticipated by the hacker before the defense community makes 
the necessary patch.
    To give you an idea of how we are always behind the power 
curve, last year within the Department of Defense, there were 
on the order of 24,000 what we would describe as incidents. Our 
definition of incidents is different from those used by the 
CERT/CC, so the numbers aren't quite the same.
    But the important takeaway is that we estimate that at 
least 80 percent of those 24,000 incidents could have been 
prevented had the patch to close the particular vulnerability 
in question been in place in a proper amount of time. And 
that's not to say that the department doesn't give high 
visibility to making these patches, but it is, quite frankly, a 
resource issue. The same system administrator who's charged 
with making that patch is also charged with keeping that 
computer system up and supporting his commander and, of course, 
that's usually what takes the priority.
    And then finally, as was mentioned again previously, the 
kind of interaction between governmental entities and between 
the government and industry that we saw so well carried out 
during the Code Red campaign is in fact what we would suggest 
be the model for the future. If we have that kind of continued 
cooperation, if we have the mechanisms in place, both 
mechanical mechanisms and, quite frankly, emotional and thought 
process mechanisms, we believe we can go a long way in getting 
ahead of the power curve.
    That concludes my testimony, sir, and we'd be glad to take 
questions at the appropriate time.
    [The prepared statement of Mr. Castro follows:]

    [GRAPHIC] [TIFF OMITTED]
    Mr. Horn. Well, thank you very much. We'll have a number of 
questions very shortly here.
    Now we have Leslie Wiser, the Section Chief for the 
National Infrastructure Protection Center of the Federal Bureau 
of Investigation. I want to thank you very much for the 
cooperation you have had with the Congress and this committee 
and bringing people from all over the world so we could get a 
good look at them. You've always helped us in this area, and 
thank you, just as the National Security Agency has helped us.
    So proceed, Mr. Wiser.


    Mr. Wiser. Chairman Horn, thank you for those kind comments 
and thank you for inviting me here today to testify about how 
the National Infrastructure Protection Center [NIPC] is 
addressing the threats posed to government systems by computer 
viruses and worms. I have a formal statement that I will submit 
for the committee, and I will continue with other remarks.
    I spoke with NIPC Director Ron Dick yesterday, and he 
regrets not being able to attend but asked me to forward his 
gratitude as well to this committee. It's been suggested that 
www stands not for World Wide Web; rather, in this context, it 
seems to mean wild, wild west. Cyber crime is a new frontier 
requiring new thinking and new skills. Dealing with Internet 
viruses, worms and the vast spectrum of threats to government 
and private sector information systems requires a dedicated and 
cooperative effort. It is fitting that we are in the heart of 
the information technology community. It's that cooperative 
effort that I will focus on here today.
    The mission of the NIPC is to detect, deter, warn of, 
investigate and respond to cyber intrusions that threaten our 
critical infrastructures. It is the only organization in the 
United States with this national infrastructure protection 
mandate. The NIPC gathers together under one roof 
representatives from, among others, the law enforcement, 
intelligence, and defense communities which collectively 
provide a unique analytical perspective to cyber intrusion 
information obtained from investigation, intelligence 
collection, foreign liaison and private sector cooperation. 
This perspective ensures that no single discipline addresses 
cyber intrusions of critical infrastructures in a vacuum. 
Rather, a cyber incident is examined as a system security 
matter as well as for its potential as a counter-intelligence 
defense and law enforcement matter.
    While the mission of the NIPC outlined in Presidential 
Decision Directive 63 is broad, our complement is relatively 
small with 91 FBI employees and 18 detailees, many of whom 
field critical leadership roles. I am pleased to serve with a 
fine staff of dedicated men and women including NIPC's Deputy 
Director, Rear Admiral James Plehal of the U.S. Naval Reserve, 
who hail from 12 Federal entities and 3 foreign governments. 
Please allow me to provide a few examples that demonstrate our 
approach to protecting U.S. critical infrastructures including 
our government information systems.
    In July 2001 the NIPC issued a series of timely predictive 
warnings regarding the Code Red worm. Before issuing these 
warnings, the NIPC conducted daily teleconferences with the 
National Security Council, the National Security Agency, the 
Defense Department's Joint Task Force for Computer Network 
Operations, the Justice Department, the CIA, CERT and others to 
form a consensus response strategy. As a result of this 
cooperation, the impact of Code Red was successfully mitigated. 
The NIPC was quick to fulfill its warning mission while 
simultaneously coordinating the FBI investigation which is 
    Similarly, on July 23, 2001 the NIPC, again working with 
the same partners, issued an advisory regarding the Leave worm 
which infected over 20,000 machines. The FBI's investigation 
and analysis determined the infected computers were 
synchronizing, possibly for an attack. Through the execution of 
several search warrants and sophisticated analysis by our 
computer scientists, we followed the trail to the United 
Kingdom where New Scotland Yard identified a subject and 
arrested him. In this example, the successful investigation 
itself ended the threat.
    In contrast to the success of the Leave worm investigation, 
we are often frustrated when we are forced to obtain several 
separate court orders tracing intruders back through several 
ISP hot points. This is difficult enough when all the activity 
is within the United States. It often becomes formidable when 
the trail leads overseas. The transnational nature of cyber 
attacks requires solid liaison with foreign partners with whom 
we can exchange warnings of malicious computer activity.
    Currently, the NIPC has connectivity with similar centers 
in the U.K., Canada, Australia, New Zealand and Sweden and in 
May, I extended an offer to the German Government, which is 
under consideration. We think there is great benefit in 
establishing a global network including partners in time zones 
ahead of us to provide early warning of attacks.
    Along with foreign collaboration, cooperation with the 
private sector is absolutely essential to successfully protect 
U.S. critical infrastructures. As a result, the NIPC 
established InfraGard where like-minded professionals can share 
best practices and discuss other issues of importance to them. 
InfraGard is like a neighborhood watch because members band 
together to protect each other. They have shared information 
about attacks with each other on a confidential basis by 
providing sanitized reports to the NIPC.
    In May the Safe America Foundation presented its 2001 World 
Safe Internet Safety Award to the NIPC for the InfraGard 
partnership. Today InfraGard boasts over 1,800 members 
including 87 Fortune 500 companies in 65 chapters across the 
United States and Puerto Rico.
    In June the NIPC hosted the first annual InfraGard Congress 
here in California where private sector representatives from 
around the country gathered and elected an executive committee 
to help lead this important initiative. In particular, small 
startup businesses that cannot afford a dedicated security 
office or fees charged by for-profit security enterprises have 
found a home in InfraGard.
    InfraGard is a free service and puts a face on law 
enforcement that enhances accessibility, communication, 
cooperation and trust. I don't know of another program like it 
in the world, and foreign officials and companies have 
expressed an interest in creating InfraGard-like programs in 
their countries. For example, Mr. Elfen Menses of the 
Philippine National Bureau of Investigation, who testified 
before this subcommittee last year, attended the InfraGard 
Congress as an observer. He left energized and committed to 
starting an InfraGard-like program in the Philippines, and we 
embrace efforts to establish foreign public/private 
partnerships as a step to enhancing global security.
    Pursuant to PDD63, the NIPC was appointed to be the Federal 
Government's liaison for Emergency Law Enforcement Services 
Sector, the ELES Center, one of the critical infrastructures 
identified in PDD63. The NIPC works cooperatively with the ELES 
Sector Forum, a group of seasoned State and local law 
enforcement professionals, to protect State and local law 
enforcement data and communication systems, including the 911 
    On March 2 the NIPC and members of the forum led by Sheriff 
Pat Sullivan of Colorado presented the completed sector plan to 
the White House. The plan and an accompanying guide, a toolbox 
of best practices, worksheets and checklists, is the Nation's 
only completed infrastructure protection plan. It is being used 
as a model for other infrastructures.
    Yet we will not succeed in stemming the tide of devastating 
viruses and worms on the Internet without raising public 
awareness, continued cooperation with the private sector, 
strong relationships at all levels of government, and a united 
front with foreign governments. The good news is that through 
new thinking and new skills, we have made significant progress 
in all these areas.
    I remain grateful for the opportunity to discuss this 
important topic with you. I'm also gratified to see many of our 
U.S. Government and private sector partners here at the table. 
We want to work closely with them, this subcommittee, and with 
other Members of Congress on infrastructure protection issues.
    Thank you very much, sir.
    [The prepared statement of Mr. Wiser follows:]

    [GRAPHIC] [TIFF OMITTED]
    Mr. Horn. Thank you very much. We appreciate your testimony 
and all your excellent people over there.
    We now go to Jeff Carpenter. He is the manager of the CERT 
Coordination Center of Carnegie-Mellon University and the CERT 
I think has probably got a patent on it or a copyright, but it 
stands for Computer Emergency Response Team. We have been 
looking with great interest over the last few years that in all 
our feeling, Carnegie-Mellon University is ahead of the pack in 
terms of the universities of America. So thank you very much 
for coming.


    Mr. Carpenter. Thank you, Mr. Chairman. Thank you for your 
remarks. My name is Jeff Carpenter. I manage the CERT 
Coordination Center which is part of the Software Engineering 
Institute at Carnegie-Mellon University. Thank you for the 
opportunity to testify before your subcommittee today. I have a 
formal statement which I am submitting for the record, and I 
will just summarize my remarks now. Today I'm going to talk 
about the Code Red worm attacks and the broader implications of 
those attacks.
    In our first full year of operation in 1989, CERT responded 
to more than 100 computer security incidents. In the year 2000, 
staff handled more than 21,000 incidents. In total, CERT staff 
has handled over 63,000 incidents and catalogued more than 
3,700 computer vulnerabilities. This testimony is based on that 
broad experience as well as our specific experience with the 
Code Red worm.
    To begin the story of the Code Red worm, we need to look 
back to June 19. On that day, we published an advisory 
describing a vulnerability in Microsoft's Internet Information 
Server Web server software. This vulnerability could allow 
intruders to compromise computers running vulnerable versions 
of IIS. This means that an intruder could take control of a 
vulnerable computer, accessing or changing data on that 
computer, or using that computer to launch attacks against 
other organizations.
    A month later the first signs of Code Red worm appeared on 
July 13. Code Red is called a worm because it's self-
propagating. When it compromises a computer, the worm looks for 
computers to compromise, compromises those computers and then 
those computers begin compromising other computers without the 
direct intervention of the intruder that initially launched the 
worm. Code Red took advantage of the fact that many computers 
on the Internet that were running IIS still a month later were 
running vulnerable versions of IIS.
    On July 19 the more aggressive version of the worm began 
spreading rapidly. As the day progressed, the rate of computers 
being scanned and compromised continued to increase 
exponentially. On July 20 Code Red changed its type of 
activity. Instead of propagating the worm, it changed into 
launching a denial of service attack against a high-profile Web 
site. When this change occurred, the spreading of the attack 
stopped. By the time that the spreading of the attack stopped, 
more than 250,000 computers had been compromised and that was 
unprecedented in a 24-hour time period.
    CERT, along with a number of other government and industry 
organizations, worked over the next few weeks to raise 
awareness of the need to patch systems immediately. There was a 
sense of urgency connected with this joint warning because we 
anticipated that the worm would change back to propagation mode 
on August 1. Even with the publicity that we did over the next 
week or so, when the worm started spreading again on August 1, 
about 150,000 computers were compromised by the next day. So 
even with the publicity, many machines were not patched.
    The significance of Code Red lies beyond the specific 
activity we've described. Rather, the worm represents a larger 
problem with Internet security and forecasts what we can expect 
in the future. My most important message today is not only is 
the Internet vulnerable to attack today, but it's going to stay 
vulnerable to attack for the foreseeable future. Systems are 
vulnerable to problems that have already been discovered, 
sometimes years ago, and they remain vulnerable to problems 
that will be discovered in the future.
    Multiple factors contribute to this problem. CERT 
experience shows that intruders will develop exploit scripts 
for vulnerabilities in products such as IIS. They will then use 
these scripts to compromise computers and will share these 
scripts with other intruders so those intruders can attack 
systems using them.
    New exploits are causing damage more quickly than those 
created in the past. One primary reason is that intruders are 
developing better techniques for identifying vulnerable 
computers and exploiting them. The ability of intruders to 
compromise systems quickly limits the time that security 
experts have to analyze the problem and warn the Internet 
community. Likewise, system administrators and users have 
little time to protect their systems from these attacks.
    This year CERT expects to catalog well over 2,000 
vulnerabilities by the end of the year. The rate of reports is 
doubling each year. There's little evidence of improvement in 
the security of most products. Developers are not devoting 
sufficient effort to applying lessons learned about sources of 
vulnerabilities. While we continue to see exploitation of old 
vulnerabilities, we're also seeing an increase in new 
vulnerabilities. Many of them have the same root causes and 
many of them could have been prevented by good software 
development practices.
    System and network administrators are challenged with 
keeping up with all of the systems they have and all the 
patches released for those systems. We have found that after a 
vendor releases a security patch it takes a long time for 
system administrators to fix all the vulnerable computer 
systems. It can be months or years before patches are applied 
to only 90 percent of the vulnerable computers. For example, we 
still to this day receive reports of outbreaks of the Melissa 
virus which is over 2 years old.
    There are a variety of reasons for the delay. The job might 
be time-consuming, too complex or low-priority for the system 
administration's staff to handle. But even in an ideal 
situation, conscientious system administrators cannot 
adequately protect their computer systems because other system 
administrators and users including home users do not adequately 
protect their systems. The security of each system on the 
Internet affects the security of other systems.
    Federal, State and local governments should be concerned. 
Their increased use of the Internet to conduct business and 
provide information has a corresponding increase in the risk of 
compromise. Action is needed on many fronts. With the 
technology product development, vendors need to be proactive in 
improving their software development practices and shipping 
products that are configured securely out of the box. Improved 
practices will reduce vulnerabilities in products on the market 
and reduce risk of compromise. In our experience, once a 
vulnerability makes it out into the field installed on systems, 
it's very difficult to have that vulnerability fixed on all of 
the systems that it reaches. So we want to try to prevent the 
vulnerabilities from being in the products that get released to 
the field to begin with.
    System administrators also need better tools to manage the 
updating of software and computers. Home users and business 
users alike need to be educated on how to operate computers 
most securely and consumers need to be educated on how to 
select the products they buy.
    To the acquisition community, it's important to evaluate 
suppliers for product security but the current ways of 
describing security requirements are immature and the problem 
today is not the lack of features, it's the software is flawed.
    For long-term improvements to occur, the government should 
sponsor research and development leading to safer operating 
systems that are also easier to maintain and manage. There 
should also be increased research in survival of systems that 
are better able to resist, recognize and recover from attacks 
while still providing critical functionality.
    And finally, the government should provide meaningful 
infrastructure support for university programs and information 
security education and research to produce a new generation of 
experts in this field. Problems such as Code Red will occur 
again. Solutions are not simple because the underlying causes 
must be addressed. However, we can make significant progress 
through changes in software design and development practices 
and system administration in the knowledge of users and in 
acquisition practices. Additionally, the government should 
support research and development and education in computer 
network security.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Carpenter follows:]

    [GRAPHIC] [TIFF OMITTED]
    Mr. Horn. Well, we thank you very much and we'll have a lot 
of questions coming up very shortly.
    From the State of California we have Alethia Lewis, deputy 
director of the Department of Information Technology and 
Patricia Kuhar, the program manager, Information Security for 
the Department of Information Technology. You weren't here when 
we noted that we do swear in our various guests and I believe 
Ms. Kuhar is the official witness, but Ms. Lewis will be doing 
the testifying. So if you'll raise your right hands.
    [Witnesses sworn.]
    Mr. Horn. Clerk will note both witnesses affirmed the oath. 
So Ms. Lewis, proceed. We've got some of your testimony. It's 
in the record and if you'd like to submit some more, obviously 
we'd be delighted to have your thoughts. So go ahead.


    Ms. Lewis. Thank you. My name is Alethia Lewis and I'm 
Deputy Director with the Department of Information Technology 
responsible for the department's external affairs and liaison 
to other State agencies in IT matters. As stated, I have with 
me today Ms. Patty Kuhar, the department's information security 
program manager and a board certified information systems 
security professional.
    We're here representing the State of California on behalf 
of the Governor's office and the Department of Information 
    I'd like to thank you for inviting us to participate in 
this hearing. We did prepare a statement, and I'll be 
presenting a slightly condensed version of that statement here 
as testimony.
    California state government has over 100,000 computer work 
stations and e-mail users and over 1,000 Web servers at 
hundreds of locations state-wide. With the large number of 
users, the even larger number of e-mail correspondence and 
network connections, our systems are often subject to attack 
and disruption by viruses and worms. The most visible and 
notorious of these incidents involve mass e-mail viruses and 
worms. Like many others, the State was hit particularly hard by 
the Love Bug viruses which interrupted e-mail systems at many 
departments for periods varying from a few minutes to several 
days. Melissa, Kournikova and a few others have caused similar 
but somewhat less wide-spread disruptions. Each time, several 
hundred hours of work by skilled and scarce technicians was 
required to get the e-mail systems cleaned up and back in 
    Over the past few years, we've deployed commercial software 
products to protect most State work stations and many e-mail 
servers. We know this has resulted in a big reduction in the 
amount of impact that worms and viruses might have had by 
comparing the impact of attacks on the best protected sites 
with those that are less protected. Nevertheless, the defenses 
are far from perfect. It is a time-consuming and continued 
effort to ensure that every device and server has software 
protection from the latest viruses and inevitably, a few 
systems get missed and are left vulnerable.
    Increasingly, the most destructive or at least disruptive 
malicious software spreads around the world in just a few days 
or even hours. The fast-spreading Melissa was a real wake-up 
call. We learned that an e-mail virus can span the world in 
less than 24 hours, hitting just about every vulnerable system. 
We've had to change our approach to system protection from 
focus on individual desktops out to the perimeters, adding 
security software to e-mail servers and installing more robust 
protections at the edges of our networks.
    In addition to changing our security architecture to allow 
us to apply fixes more rapidly, we also have taken steps to 
make our organization more responsive with the establishment of 
trained incident response teams and practice recovery 
procedures. In fact though, we are just holding our own. 
Generally, we're staying just a bit ahead of, perhaps not 
falling any further behind, the bad guys. But we should expect 
this to change for several reasons.
    First, the motives of most malicious software authors have 
heretofore been mostly anarchic. We in government should view 
the apparent political intent behind some of the worm events 
this spring with special alarm as the target is likely to be 
us. Second, unlike the mass e-mail viruses which usually take 
advantage of human nature to turn otherwise useful software 
features against us, the most destructive malicious software 
exploits unintentional flaws in the commercial software we're 
    In the fairly recent past, we and the industry have had 
several months to find and fix those flaws before the bad guys 
began to exploit it. Usually, only systems maintained by 
careless or overworked system administrators were affected. But 
as we learned with the recent Code Red experience, the 
attacking community is learning to move faster, too, and a 
startling number of systems were caught unprepared for this 
worm which emerged only a few weeks after the vulnerability was 
    Third, again exemplified by the Code Red, the worm itself 
can change quickly making it hard for even the most alert 
security staff to keep up. The original version of Code Red was 
fairly innocuous, at least to the system directly attacked, and 
could be cleared by a simple reboot. Later versions were 
potentially much more dangerous and required much more 
time-consuming recovery measures.
    Fourth, as for both the Code Red worm and the mass e-mail 
viruses, protecting your own system is not enough. When the 
Code Red worm hit, every Internet user faced potential 
disruption due to the sheer volume of traffic generated by the 
worm's victims. Information security has become a community 
responsibility. We must maintain robust security measures, not 
just to protect our systems, but to avoid becoming a nuisance 
to our peers.
    And here we face the most difficult challenge of all, 
making sure our users understand and perform their role in 
information security. This is always difficult and is a 
constantly moving target. Nonetheless, we must move our user 
communities to a higher-level of sophistication, especially 
since so many of them now have computers in their homes. These 
home systems may well be used for after work hours and, while 
we hate to discourage that, they are new sources of 
vulnerability. With all this broadband network connectivity, 
they're a sitting duck for attackers.
    So we believe that above all we must place our trust in 
policy more than technology. We need to stay current with the 
emerging attack methods and improving security measures. We 
need to be more organizationally and technically nimble in 
closing holes and responding to incidents, and we need to 
educate and keep re-educating our users and technical staff. 
But ultimately we need to recognize that network-attached 
resources are vulnerable. Systems that depend on the Internet 
are going to be disrupted. We need to have effective 
alternatives for accomplishing critical missions. Sensitive 
information on network-attached systems is going to be 
improperly accessed. We need to keep the most critical secrets, 
including those involving private information, out of harm's 
way, behind firewalls and properly encrypted.
    At the State, we have set standards for information 
security throughout government that ensure a consistent and 
reliable level of information security throughout State 
government. We now require that information security 
requirements are identified and addressed when new systems are 
planned. We require that implemented security measures are 
continually checked by information security officers 
independent of the technology staff to make sure our 
protections are not allowed to lapse. We have established a 
level of security performance by State departments that is 
attainable and is expected by our leaders and the public we 
    In addition, to make sure everyone in the organization from 
the chief executive officer to the key data operator is on our 
security team, we have been sponsoring a continuing series of 
information security forums and seminars. Presented by 
independent public and private sector information security 
experts, these quarterly events are typically attended by over 
200 State government decisionmakers, program managers and IT 
    This concludes my testimony and, again, I'd like to thank 
you for inviting us to participate in this hearing.
    [The prepared statement of Ms. Lewis follows:]

    Mr. Horn. Well, thank you very much, and we will now go to 
questions. Some of them will be the same that we'll give the 
second panel. The first one that comes to mind is do you feel 
we have appropriate laws to deal with this problem and what 
would you suggest? I'll ask Mr. Rhodes. We'll just go right 
down the line.
    Mr. Rhodes. I do believe the laws are appropriate. There's 
enough laws on the books for anybody to exercise prosecution. 
The struggle that I see in working with law enforcement is not 
that the law is inadequate. It's trying to present highly 
technical evidence in a courtroom. Having been an expert 
witness in legal cases, I can tell you that there's nothing 
more confusing than an engineer standing up in front of a jury 
trying to explain a denial of service attack and then, just as 
our associate here, Mr. Castro, pointed out, if I show you this 
cloud and at one point the actual attacker is here but it looks 
like the apparent attacker is here and the victim is here, how 
do we convey that in a way of making certain that the laws are 
enforced? It's not really a question of law. It's a question of 
forensic analysis and being able to present cogent argument in 
a courtroom.
    Mr. Rhodes. Mr. Castro.
    Mr. Castro. From the NSA perspective, we wouldn't offer 
anything ourselves but I do believe there's an issue that Mr. 
Wiser will address that he mentioned in his testimony with 
regard to having to seek warrant authority from different 
jurisdictions. Clearly, the key to getting to some sense of 
attribution is to be able to move very, very quickly once an 
attack begins, and it would be in that area that I suspect Les 
will talk about the need for being able to move faster in that 
    Mr. Horn. Thank you, Larry. Mr. Wiser representing the 
Federal Bureau of Investigation. They're the ones that are 
going to be following this up.
    Mr. Wiser. Sir, time is of the essence in conducting 
computer intrusion investigations, and we find that logs are 
perishable and we depend upon those logs to trace back through 
Internet service providers the trail that an intruder uses. 
What we're required to do because the Federal rules of criminal 
procedure mandate this is that we obtain court orders in the 
judicial district in which the place to be searched exists. 
When an intruder uses several different hot points, those 
different ISPs, we have to obtain in serial fashion a number of 
separate orders and, of course, this is a timely process that 
could threaten an investigation and one in which a life may 
depend upon it in a manner that is different from a simple 
intrusion investigation. So that is one of our primary concerns 
that we're interested in.
    I echo what Assistant Attorney General Chertoff mentioned 
in earlier testimony before another committee about penalties 
where, despite the large dollar amount of damage that can be 
done, there seems to be disproportionately low maximum 
penalties for computer intrusions and viruses.
    The last point that I would mention would be that in my 
discussions with members of the private sector, one of the 
reasons--and I expect that there are many reasons--but one of 
the reasons that they are sometimes reluctant to come forward 
with information to us is that they fear that the Freedom of 
Information Act does not provide adequate protection for 
proprietary information that they provide to us and so they've 
asked for a clarification of the law enforcement exception or 
another exception to be created in FOIA. This is something 
which there's a continuing dialog about when we've discussed 
this with the Judiciary Committees as well.
    Those are the three things that I would point to and, of 
course, there are others that I'd be happy to speak with you at 
another time about.
    Mr. Horn. Mr. Carpenter, manager of the CERT Coordination 
Center, Carnegie Mellon.
    Mr. Carpenter. I would just echo Mr. Wiser's comment on 
FOIA. From our perspective and our discussions with industry as 
well as government, that has probably been one of the largest 
issues raised to us: what sensitive information regarding 
incidents might be exposed to FOIA requests. So that would be 
the only comment we would have on 
    Mr. Horn. Ms. Lewis, what does the State of California have 
with regard to laws that can relate to this damaging of the 
computer infrastructure?
    Ms. Lewis. Actually, at the State we work on policy that 
relates directly to the IT computers and stuff that we actually 
use. I really don't have any comments with respect to that 
particular issue.
    Mr. Horn. I'm delighted to have one of my colleagues. He's 
fought the traffic between Sacramento and San Jose. Michael 
Honda is the representative right in the middle of Silicon 
Valley, and we thank you for coming. He'll have to go to 
another appointment shortly, but I'd like him to pose a few 
questions if he wishes to.
    Mr. Honda. Thank you, Mr. Chairman, and thank you for 
having this hearing. I know that from my visits with Symantec 
and other organizations and companies in this area that 
security is a critical area, not only in government, but also 
for personal uses and for commercial uses. I don't have any 
questions since I did not hear most of the testimony. I've been 
briefly going through the written testimony. So I wouldn't be 
able to ask any intelligent questions, but I do understand that 
the issues around security, from my visit with Symantec, is 
that we have a variety of issues and circumstances that we have 
to be particularly cognizant of. It's not only related to 
hardwire security and accessing our security information that 
we have, but also the wireless issue is a very important area 
that we're not keenly aware of and I think that the commercial 
uses that I've been exposed to and schooled in pose even 
greater concern on my part as far as government uses of similar 
kinds of techniques that we have in place.
    So I'll be listening and I'll be reading the materials, but 
I'll be back following up with Mr. Horn on issues of security. 
But I think that the issue of wireless and things that we don't 
see and don't realize and are not cognizant of is one top 
priority for me.
    And then also for public policy folks for the schools and 
educated in the basic things that you all understand so that as 
policymakers we'll be able to understand how to work with you 
in developing policies on secure systems. I know that Dr. 
Neumann is here and he's testified quite a few times, and so I 
think the other concern I have that I'm sure is shared by Mr. 
Horn and that is how quickly do we move and with whom do we 
move and how will we be able to put the system together. So I 
appreciate all of you being here and sharing your information 
and your thoughts.
    Thank you, Mr. Chairman.
    Mr. Horn. Thank you.
    Let me ask Mr. Castro. I'm quoting from your written 
testimony. ``In taking out a computer network, the single 
hacker has the cyber destructive power normally associated with 
a nation state.'' If that's the case, what can be done 
technologically to address this problem?
    Mr. Castro. Well, there are a wealth of things and I 
suspect in the industry panel you'll hear from some of the 
industry folks. But within the National Security Agency in 
cooperation with the National Institute of Standards and 
Technology, we jointly administer a program called the National 
Information Assurance Partnership. It's through this 
partnership that there have been a number of independent 
laboratories established. Think of them if you will as the 
Underwriters Laboratories equivalent for cyber products.
    What we have now set up is a process whereby industry can 
bring security and security-related products to these 
laboratories and, at their expense, at the industry's expense, 
can have these products evaluated against what is now being 
called the international common criteria. This is a criteria 
for specifying the five characteristics I showed you there 
earlier in my testimony specifying how those characteristics 
can be achieved and graded for achievement.
    It's referred to as the international common criteria 
because all the English speaking partners have signed up to 
this criteria and it's now being moved out even for further 
international acceptance. So the goal would be to have a set of 
standards by which security and security-related products can 
be certified as doing what it is that they are advertised to 
do. These could range from firewalls in one case to public key 
infrastructure arrangements in other cases.
    So I think the short answer, sir, is that there are a 
variety of defensive measures. We refer to them within the 
Department of Defense as defense in depth. They certainly in 
every case include well-trained people at the very, very 
front end of that defensive posture but then backed up by the 
appropriate software and hardware configurations.
    The other thing I'd like to add is I really appreciate 
Congressman Honda's concern about wireless security. That is an 
area that at NSA we're working very, very closely with 
industry, some in this area, to produce secure versions of 
cellular telephones and other wireless devices. This is, quite 
frankly, the threat of the future as more and more of our 
Nation will be moving to this wireless technology. So your 
point is well taken, sir, and we're right on it.
    Mr. Horn. We do need to look at this from a broader 
perspective that you've laid out there and I would suggest 
we're talking about a computer NATO. I wonder to what degree is 
the National Security Agency and the FBI--I know you've worked 
with foreign people here. Are they listening to us and are they 
hoping that you're helpful to them?
    Mr. Castro. Maybe we can take it in two parts and I'll 
defer to Mr. Wiser on the cooperation on what we call attack 
sensing and warning. But certainly in the area of cooperating 
to produce secure products and to ensure that that security is 
interoperable within both the NATO and other coalition 
environments, I think the answer to your question, sir, is that 
the allies are very, very well engaged. Again, we have a number 
of both bilateral and multilateral arrangements that will 
attempt to introduce the secure operability within our 
defensive posture.
    And then I would ask if Mr. Wiser could answer the question 
on cooperation with regard to sensing and warning of attacks.
    Mr. Wiser. Sir Congressman, Mr. Chairman, the NIPC is 
unique because inside it we have the three disciplines 
represented. That would be law enforcement, intelligence and 
defense. In fact, NSA is represented at the NIPC and so we have 
a tremendous coordination and cooperation on a number of levels 
within the defense community and the NIPC and, therefore, the 
    But also in the center we have representatives from foreign 
governments. We have presently the U.K., Canada and Australia 
represented. And we find that this is very important in our 
links with those important allies. But in addition to that, we 
have connectivity with similar centers around the world, and I 
mentioned earlier the U.K., Canada and Australia as well as New 
Zealand and Sweden, and we're working now with Germany to 
establish that kind of a relationship as well.
    So with those relationships and with the relationships that 
our legal attaches stationed in 44 countries around the world 
are engaged in, we are working toward that global security, and 
we find that our allies and those countries with whom we work 
are extremely interested in pursuing this objective.
    Mr. Horn. Mr. Neumann's testimony is coming up on panel 
two, but I want to get your ideas on it. He raises the point 
that despite U.S. laws to prevent or punish hackers, given the 
international aspect of this problem, little can be done. Do 
you agree with that and how do we deal with it?
    Mr. Wiser. We've been, just as I mentioned in the 
testimony, very successful with the Leave worm case. It's just 
the latest example. That threat is now over. A number of people 
I don't think realized the danger that the Leave worm 
represented, but those of us that were working on this 
problem--I know that Mr. Castro, as he mentioned, is very 
familiar with this--know that it presented a great potential 
for danger. But the investigation itself solved this problem, 
and we've been successful on a number of different 
    For example, the Love Bug virus was solved quickly. I mean 
we had an FBI agent within 24 hours standing outside the door 
of the person responsible, along with the Philippine officials, 
Mr. Menses's group. So we are establishing these relationships 
with countries and as long as we can trace the trail back, many 
of the countries have been cooperative. Another example would 
be the Bloomberg case in Kazakhstan where we have a legat in 
Almaty who worked with Kazakhstani authorities to bring people 
that threatened the Bloomberg financial network to London where 
we did a sting operation there and individuals have been 
extradited to the United States to stand trial in that case.
    So we have examples of success. I would say that there's a 
way to go, but we're optimistic that other countries will 
become more sophisticated with their statutes, with skilled 
investigators, and we take part in the training of those 
investigators and I think their growing awareness will create 
the will to cooperate with us.
    Mr. Horn. In looking at the originator of the Code Red, do 
you think that man or whoever will be apprehended?
    Mr. Wiser. Yes, sir. I do. I'm confident about those kinds 
of things. I'm an optimist and I believe that we'll be able to 
eventually find the person responsible.
    Mr. Horn. Is there anything we should be promoting with the 
people in Silicon Valley, either in software, hardware where 
some of this can be headed off?
    Mr. Castro. If I could comment on that, sir, and I'm sure 
others will, too. Anything that can be done to really 
demonstrate the commitment of the U.S. Government to ensuring 
the security of our ability to work on the Net and then to 
translate that into meaningful action would be helpful.
    As I said, from the Department of Defense's point of view, 
we are not a dominant, although a very large customer for 
information technology. In today's marketplace, we are not a 
dominant customer. So if someone is going to make the argument 
only on the economics of what DOD can provide, it's not going 
to make it. The case is going to have to be made on a very much 
larger scale that it is critical to our Nation's total 
infrastructure that vendors start thinking security in their 
products from the very, very point of inception. The lesson 
that we have learned over NSA's 50 year history is that if you 
try to go in after the fact and improve a product, it sometimes 
doesn't work and, if it does work, it can be a very costly 
    So again, fora like this where for industry we demonstrate 
the government's desire to really keep security in the 
forefront and the Congress's intent to back that desire are 
things that are needed.
    Mr. Horn. Can you tell us how many government servers were 
compromised by Code Red and Code Red II? How much damage was 
made at this point?
    Mr. Castro. I can speak for the Department of Defense. 
Others will have to speak for the rest of the government. 
Within the Department, General Bryan, the commander of the 
Joint Task Force on Computer Network Operations, made the 
decision on the evening that it was clear that bad things were 
going to happen that the Department would go to what we call 
Info Con Alpha. Info Con Alpha is the first step where we 
normally are in, which is normal Info Con. This Info Con 
gradation is meant to match in some way DefCon and ThreatCon 
status that are already well-established within the Department. 
In doing that, then we raise the awareness of system 
administrators throughout the Department.
    He also directed the blocking of all port 80. Again, 
without getting into a lot of that, and it was already 
mentioned in previous testimony, what we basically did is to 
disable anybody's ability to come in and exploit the one 
particular port on which the vulnerability was being exploited.
    I believe that what we're saying now, with the Department 
still at Info Con Alpha and we are gradually getting ourselves 
back to a normal state. You may be aware that there are some 
finite number of places where the Department's portion of the 
Internet, which we refer to as the NIPRNet, connects to the 
Internet. There are 13 such gateways currently in existence and 
we've opened up now 9 of those 13. I can't give you the 
specifics on what we have taken down, but I believe it's safe 
to say the Department is slowly recovering and we will probably 
lift the conditions on Info Con Alpha within the next 2 weeks.
    Mr. Horn. I believe Mr. Rhodes, you and your team in the 
General Accounting Office, have gone through security, various 
designs, at various of the domestic parts of the government. 
Have you ever had fun with the Defense Department and CIA and 
knock them a little and gone through their systems?
    Mr. Rhodes. No. Well, yes, we've done it with the 
Department of Defense. I guess one point that I would make is 
the latest estimate that we have on total number of servers 
that have been taken down is 975,000. Those aren't government 
servers though. That was the total estimated number.
    I guess one point I would make is that you asked about what 
could be done for Silicon Valley. What can be done to make the 
developers change their mind? I have to echo what Mr. Castro 
said. The U.S. Government has to take the point that you've 
made continually during your membership in the House and say 
they have to be able to manage. Silicon Valley is not going to 
make a decision that's not based on economics. They're in 
business, and we can't expect them to do it any other way.
    If we as the U.S. Government do not manage from a security 
standpoint, why in the world should they? If we can't make it 
economically feasible for them, either by building systems 
specifically for us or putting the security in, we're going to 
continue to be in the same position we are now, which is 
downstream testers of released software that hasn't been fully 
tested because they're trying to get their product to market 
and they're testing it well enough to get to market, not well 
enough to withstand a Code Red virus or something like that.
    Mr. Horn. We will have the majority and minority staff give 
you a few questions that we simply can't get to because I want 
to get to the second panel. If some of you can stay, we'd 
certainly appreciate it to go into questioning on panel two. So 
let's move now to panel two. I think most of you saw the 
routine. We thank you very much for coming and we do swear in 
all witnesses and those that support the witnesses. Get them 
all to stand up and we don't have to keep making changes.
    [Witnesses sworn.]
    Mr. Horn. Let the record note that five members took the 
oath, and we will proceed. We now start with an old friend of 
this committee and a very knowledgeable person, not only in the 
United States but throughout the world on behalf of his 
colleagues in the Information Technology Association of 
America. So Harris Miller, president of that fine group, let's 
start with you.

                     ASSOCIATION OF AMERICA

    Mr. Miller. Thank you, Mr. Chairman. Thank you for inviting 
me to the heart of Silicon Valley to testify about what 
practices, policies and tools are being deployed to reduce the 
impact of computer security threats to government at all 
levels. I commend you for your continued leadership on 
information technology issues.
    ITAA is proud to be the leading association on cyber 
security issues representing over 500 corporate members. These 
are companies that have a vested economic interest in assuring 
that the public feels safe in cyber space to conduct electronic 
commerce and, in a developing era of e-government, that their 
information will be secure and transactions reliable.
    Though the official title of today's hearing focuses on 
government information security, I submit to you that security 
challenge is ultimately a government and business challenge 
that must be addressed at the highest levels of all 
organizations, whether public or private. We must do more than 
just recognizing the challenge, however, though that is an 
important first step. We must work together to find ways to 
enable solutions, solutions to threats that will likely become 
more significant as the Internet becomes more pervasive.
    As a witness during the Code Red situation, if cyber 
security receives the kind of prioritization needed at senior 
levels, government and industry can mobilize quickly and 
effectively to combat common and significant threats to the 
Internet. Those efforts during the Code Red situation helped to 
reach users of vulnerable systems on a massive, unprecedented 
scale that prevented the further spread of the worm. Over a 
million copies of the patch were downloaded and, since that 
patch can be downloaded and installed to any number of 
machines, the number of systems that are actually patched is no 
doubt higher.
    Few of the major Web sites were affected by the Code Red 
worm because many took action after the industry/government 
announcement on July 30. The public awareness of information 
security issues increased significantly during the Code Red 
situation. This cooperative, proactive response by industry and 
government that Mr. Rhodes addressed in his comments could be 
used as one model for more meaningful and effective cooperation 
on cyber security issues in the future.
    If industry and government do not collaborate, then the 
impact of such threats on the Internet users will be much 
greater in the future.
    Chairman Horn, I know from working together with you 
closely on Y2K and cyber security issues that you are fond of 
report cards and grading which you issued in your previous life 
as a leading academic political scientist. Today I would like 
to offer my own report card in six separate categories and an 
overall grade on industry and government handling of computer 
security threats. This is my own grading system, I tell you, 
and I look forward to suggestions from you and others about 
ways to improve it.
    The first area is the government organization. In 
addressing the challenges and developing structures that can 
adequately address cyber security challenges, the Federal 
Government has moved from what had to be a failing grade just a 
few years ago to a passing grade or C today. I base my C grade 
on four factors: the priority for this issue for the Federal 
Government, internal cooperation within the government, 
mechanisms for liaising with stakeholders, particularly in the 
private sector, and response time.
    The national plan for cyber security and Presidential 
Decision Directive 63 help provide a framework for government 
organization. However, the alphabet soup of government agencies 
charged with some aspect of cyber crime prevention makes it 
easy to see why progress has been slow in the government. We 
credit the National Infrastructure Protection Center under the 
leadership of Ron Dick to forge ahead with programs such as 
InfraGard which was described in Mr. Wiser's testimony. Because 
of his efforts and joint efforts between ITAA and the 
Department of Justice, we've increased the cooperation between 
law enforcement and the industry.
    According to numerous press reports, President Bush will 
sign soon after Labor Day an Executive order that will 
establish the Critical Infrastructure Protection and 
Continuity Board. As that draft Executive order has been 
explained to us, it should be a major step forward creating 
substantially more coordination within government and less 
duplication among the plethora of government departments and 
agencies involved in InfoSec. Should this new board result in a 
centralized, coordinated cyber security effort based in the 
White House, I think the government grade could be moved from a 
C to a B.
    Let me talk about a second area related to government. 
Government funding for information security. Here the story is 
not so positive, Mr. Chairman. The grade for government funding 
at best has moved from a D- to a D. Mr. Chairman, while you and 
some of your colleagues such as Representative Greenwood have 
done a valuable service in scrutinizing computer security 
policies and practices in U.S. Government agencies and 
departments, that is not enough. As that well-known philosopher 
Yogi Berra would say, this is deja vu all over again. During 
Y2K you pointed out in a series of hearings that government 
agencies had neither the plans nor the funds for Y2K 
remediation. Under your prodding, they came up with a plan but 
they still didn't have the funds. We seem to be seeing the same 
thing today in InfoSec. Agencies seem to be knowing much more 
about what they need to do, but the funding is not there.
    A GAO office report issued earlier this month strongly 
criticized the Department of Commerce for InfoSec failures 
internally, and that report carried the clear implication that 
additional financial resources are needed. Every Federal CIO 
with whom I speak privately tells me they are in desperate need 
of additional funding for their InfoSec activities. There is a 
long way to go before the government is going to get a passing 
grade here.
    For example, President Bush requested an e-government fund 
of $20 million this year but, as you know, the House 
Appropriations Committee and the Senate Appropriations 
Committee only provided $5 million for even that. So we're 
going to have to work together, Mr. Chairman, under your 
leadership to convince your colleagues in Congress that 
government agencies they need to really address the InfoSec 
    Area No. 3. How about industry? Where is their focus in 
information security? I think one of the good news stories from 
Y2K is that issue elevated the whole issue of information 
technology from a back room to a front office issue. The CEOs, 
the members of the board began to understand how important 
information technology was to their businesses. Similarly, 
they've come to understand how important information security 
is to their businesses if they're going to get continuity.
    Yet, at best, I only give corporate America a B- because we 
have a lot of variations. Some industries such as financial 
services, telecommunications, are doing very well but others 
are frankly far behind and particularly small businesses and 
mid-size businesses as under Y2K are far behind. I commend the 
FBI for its InfraGard program because that reaches small 
businesses. But we have a long way to go. Organizations must be 
willing to invest in development of comprehensive security 
procedures and to educate all employees continuously. We have 
to practice sensible cyber hygiene and Internet users have to 
be vigilant about it.
    The next area I wish to give a grade is industry/government 
cooperation. The Ad Hoc Coalition on Industry and Government 
that was formed to provide a public service message to counter 
the Code Red worm is a major operational success, as Mr. Rhodes 
remarked. It illustrates just how far players have come. A few 
years ago, industry cooperation would have received an F or 
maybe a D. However, through hard work on both sides, progress 
has been made. The efforts to stand up the Information Sharing 
and Analysis Centers, ISACs, by the telecommunications 
industry, financial services industry, electric industry, 
transportation and now the IT industry have helped to bring us 
up to a C grade and, in fact, Code Red may get us up to a B-. 
But in order to get to an A, the remaining industry sectors 
will need to stand up and operationalize the ISACs and the 
ISACs will need to share confidential information.
    Equally important, if maybe not more important, is sharing 
information between industry and government on sensitive 
information in both directions. We strongly support the bill 
that was referred to by the previous panel introduced by 
Congressmen Tom Davis and Jim Moran and soon to be introduced 
by Senator Bennett and Senator Kyl in the Senate to remove 
legal obstacles related to the Freedom of Information Act and 
Senator Feinstein from the State of California is in a position 
as chairwoman of the Senate Judiciary Committee Subcommittee on 
Technology, Terrorism and Government Information to move that 
bill through the Senate under her leadership.
    The next area is industry to industry cooperation. Let me 
emphasize that while government has a critical role to play, 
not just in the United States but internationally, vertical 
industries also have an obligation to communicate on cyber 
security issues, again, similar to the obligation they had 
under Y2K. Progress has been made. We've moved from maybe a D- 
a few short years ago to a C+/B- today. How so?
    Critical to this has been the Partnership for Critical 
Infrastructure Security which was begun in December 1999. This 
created a cross-sectoral dialog with collaboration from 
government, particularly the Critical Infrastructure Assurance 
Office, to address risks to the Nation's critical 
infrastructures and assure delivery of essential services over 
the Nation's critical infrastructures in the face of cyber 
threats. The Partnership is run by companies and private sector 
associations and is effectively meeting the industry dialog 
    But much more needs to be done globally. I have advocated 
creation of an international InfoSec cooperation center, 
analogous to the highly successful International Y2K 
Cooperation Center that you supported very strongly, Mr. 
Chairman, during that challenge to our global economy.
    Let me next address international cooperation. Again, I 
think the best I can do here is a C-. Some areas are working 
well, others not so well. Let me tell you briefly about an area 
well-intended that seems to have gone a little bit awry, and 
that's the work of the Council of Europe to establish a cyber 
crime convention. The principle here is great. We need to have 
laws in every country around the world, not just in the United 
States, to fight cyber crime. As we saw in the example of the 
Philippines at the time that incident occurred that was 
referred to in the previous panel, they didn't have laws at 
that time to prosecute the people even though they identified 
them. Fortunately, the Philippines has since updated their 
    The Cyber Crime Convention, if we could get it adopted 
around the world, in theory is a good idea. Unfortunately, the 
Cyber Crime Treaty has some flaws in it because it was 
developed by law enforcement officials without adequate input 
from industry and economic ministries. So we think with some 
changes in it, that might be a model law that could be adopted 
in many countries around the world.
    To sum up, there is much work to do. In addition to 
improving our letter grades in information security, both 
industry and government need to strive to have the teacher 
commend us for playing well with others. Cooperation, 
communication and sharing sensitive information are the keys to 
moving from today's overall grade, which is a C-, to an A+.
    Summer vacation is ending, Mr. Chairman, and we are about 
to begin a new school year. By working together to build 
meaningful and effective relationships that recognize the 
bottom line impact of InfoSec on our businesses and government 
operations, both domestically and globally, we can all move to 
the head of the class on cyber security issues. Thank you very 
    [The prepared statement of Mr. Miller follows:]

    Mr. Horn. Thank you very much.
    We now have a rather well known person in the whole 
computer evolution and that's Peter Neumann, the principal 
scientist, Computer Science Laboratory, SRI International which 
used to stand for Stanford Research Institute, but you don't 
say that any more, I gather. Delighted to have you here.


    Mr. Neumann. Thank you. Thank you for your very kind 
    SRI, I should point out, is a not-for-profit research 
institute. I would like to believe that what I have to say is 
motivated, not by any corporate need or any allegiance to any 
particular ideas.
    I think the message that I want to give you is pretty well 
taken care of in my written testimony. I'm going to summarize 
it very briefly.
    The bottom line here, I think, goes back to September 19, 
1988 when Robert Morris, who was at the time chief scientist of 
the Computer Security Center at NSA, said, ``To a first 
approximation, every computer in the world is connected to 
every other computer in the world.'' That was 13 years ago. The 
situation is much worse now. The number of computers that are 
connected to the Internet is enormous.
    A month and a half later, it was his son who, in a research 
experiment that went awry, created the Internet worm which, in 
some sense, was the beginning of all of this nonsense that we 
have going on relating to worms, viruses, trojan horses, and so 
on. Letter bombs coming through e-mail.
    I would like to take a broader view of the problem and make 
the very bold statement that what we're really talking about is 
not viruses, worms and related subjects but the fact that the 
computer security and information security infrastructure, 
including all the networking, is riddled with so many security 
flaws that it is virtually impossible to expect that we can 
have any meaningful sense of security, given the infrastructure 
that we have today, and I want to elaborate on that to some 
    Larry Castro mentioned the classical DOD mantra which is 
defense in depth. What we have is weakness in depth. There are 
vulnerabilities essentially everywhere, in the mass market 
desktop systems, in the server systems, in the networking, in 
the embedding of even some of the cryptography in the world 
into platforms that are again riddled with security 
vulnerabilities. So let me very briefly go through what I've 
called a set of seemingly dirty truths that remain largely 
unspoken and under-appreciated in my written testimony.
    The first is that what we have today is a far cry from what 
is straightforwardly possible. Back in 1965 I was part of an 
ARPA, Advanced Research Projects Agency, project at MIT and Bell 
Labs which developed a commercial operating system that had 
enormous research advances in it. If we look at what's happened 
in the last 36 years, many of those research advances and other 
similar advances have not found their way into the mainstream. 
What this leaves us with, especially me as a researcher, is the 
very gnawing feeling, annoying and gnawing, that the good stuff 
that should be coming out of research is not finding its way 
into the market place.
    One of the great adages of our society is that the 
marketplace is supposed to drive everything. Unfortunately, the 
marketplace seems to be much more interested in whiz-bang 
features and rush to market than it is in having systems 
that are truly reliable, secure, and available in high degrees 
and survivable in the face of all sorts of problems.
    The problems that we're addressing today in terms of worms, 
viruses and so on are really the tip of the iceberg. If in fact 
it is possible to penetrate systems from anywhere in the world, 
irrespective of what the laws are in this country, we have a 
fundamental problem. Whereas the laws are important and the 
laws are in fact useful in many respects, the comment that you 
quoted earlier was based on the fact that if you cannot trace 
back to find out where the problem is coming from because of 
network weaving and the lack of accountability and the lack of 
identity and authorization and authentication, then the laws 
may be absolutely worthless except as a possible deterrent for 
the people who believe that those laws are applicable to them.
    So we have a situation in which the Internet provides the 
opportunity for attacks from essentially anywhere in the world, 
and many of those attacks can be created by individuals for 
which it is almost impossible to trace them back. I appreciate 
the optimism stated in the previous panel, but I believe that 
one of the most important things here is finding ways of 
incentivizing the improvement in the systems that we're dealing 
    The previous panel dealt primarily with the methodology of 
patching. Patching is extremely limited. If you start with 
something that is fundamentally insecure, you add patches, you 
may or may not remove a vulnerability and, in fact, you may 
introduce new vulnerabilities. But because there were so many 
vulnerabilities in the original products, you merely transfer 
the attacks to new vulnerabilities.
    If you look back at the Internet worm of 1988, essentially 
all of the vulnerabilities that existed at that time--and there 
were four of them--are still present today in one form or 
another. They may not be the specific flaws in the specific 
code that was used at that time, but the characteristics of 
those four flaws are all present in systems today. This 
suggests that we are not progressing as we should be 
progressing. So let me very briefly go through some of my 
seemingly dirty truths.
    I don't really need to go into detail to you on the 
President's Commission on Critical Infrastructure which found a 
great many vulnerabilities. The Internet, being enormous and 
relatively uncontrollable, and being international is not 
really the culprit itself. It's all of the systems that are 
attached to it. The presence of these almost trivial to 
perpetrate Internet mail bombs, for example, are the result of 
the fact that there is very little inherent security in the 
systems that we're dealing with. I mentioned the education 
problem indirectly, but I think I should mention it very 
    The difficulties in developing very secure systems are 
enormous. They require a great deal of education. They require 
good software engineering practice, which is not very widely 
found in this country or in other countries, as well. To 
develop systems that are very secure, life critical, ultra-
reliable takes an enormous amount of effort and, although there 
has been enormous research in those areas in the past 40 years 
or so that I've been involved in this area, the research is not 
finding its way into the market place.
    Another dirty truth is this outsourcing thing, and you may 
remember from the Y2K business the fact that the air traffic 
control remediation was done by foreign nationals, essentially 
unbeknownst to the technical people at the FAA. That was rather 
startling when it was uncovered. The notion that DOD would like 
to outsource all of its critical functionality--for example, 
system administrators, is startling. If you can't have a 
trustworthy system, then you outsource the management of it to 
somebody who might be even less trustworthy than the system 
itself. This does not sound like a good way to run a ship.
    In general, simple systems and simple solutions are not 
very effective. This gets us into the laws, to some extent. One 
of the simple solutions that Congress has come up with is the 
Digital Millennium Copyright Act which has a chilling effect on 
the research community and which, in fact, is seriously 
hindering, in my opinion, the development of systems that are 
more secure because somebody who points out that a particular 
system is not secure is immediately threatened as in the case 
that occurred last week of somebody who pointed out that his 
local newspaper had its Web site totally available to anybody 
in the world and anybody could do anything to it with 
essentially no authorization. He was threatened with 5 year 
felony charge for having pointed out that this problem existed. 
We're shooting the messenger in many cases in the enforcement 
of the Digital Millennium Copyright Act.
    The Uniform Computer Transactions Act, the UCITA 
legislation which is working its way through many States, has a 
chilling effect as well. It allows the vendor or the developer 
to declare absolutely no liability for anything that goes 
wrong. This is a very strange business. I remember in the Y2K 
era there was legislation that said the remediators for Y2K 
should be absolved of their liability and should be able to 
have a certain freedom in that respect. I believe that when we 
get to the issue of what the laws can do, the area of liability 
is going to be a very important one.
    There has been legislation in the past and directives from 
the government that have dumbed down security. Examples of that 
include the use of good crypto. There's one example that is 
extremely important to me. I was at a workshop yesterday and 
the day before on electronic voting systems. Here's an example 
where there's a mad rush to replace the punch card ballots 
after Florida with all electronic voting systems. This is an 
example where the simple solution of rushing into an electronic 
voting system does not solve the problem at all because every 
existing system today has essentially no assurance that the 
vote as cast is actually the vote as counted. The vendors say 
trust us. We have proprietary software. We can't show anybody 
the software because it would diminish the security of the 
system which is actually nonsense in many cases and that we 
just have to trust them that they're going to do everything 
right because they know what they're doing. This is an example 
of an apparently simple solution that in fact has very serious 
    Another example is the use of legislation to insist on 
filters to solve the spam problem. This doesn't work, and we've 
had cases where the Bible and the encyclopedias and all sorts 
of things are banned or where people's Web sites are banned 
because their name happens to include the string S-E-X like 
Essex and Sussex.
    Now, my conclusions are very simple. We need to address 
technological problems with technological solutions. We need to 
address legal problems with legal solutions. We need to address 
all of the problems of computer security, computer reliability, 
with a combination of these approaches. Laws by themselves do 
not solve the problem. Technology by itself does not solve the 
problem. We need a combination of socio-economic and political, 
technological and other approaches. So at the very minimum, we 
need what I think would be radically improved security 
reliability and availability in the systems that we are using, 
not only in our critical infrastructures, but in our Internet 
conduct of normal business.
    As I said several times, it is really unfortunate that many 
of the important research advances of the last 45 years or so 
have not found their way into the market place. I don't know 
how you can incentivize that more effectively, but I think 
you've got to find ways to do it. There are roles that NIST can 
play. In the former session, the common criteria was mentioned. 
NIST has been involved for many years in the elaboration of the 
common criteria. If those were systematically used in an 
effective way, it would be tremendously valuable.
    One of the examples. One of my doctoral students has just 
written a thesis on applying the common criteria to the 
electronic voting problem and demonstrates that even if all of 
those criteria that she's constructed were satisfied, it's 
still not enough, but it's a major, major step forward. So I 
recommend strong endorsement of that approach.
    I'm very concerned about liability issues. I believe that 
liability legislation could go a very long way. The idea that a 
vendor can disclaim all of its liability is a joke, although 
it's good marketing. I believe that Federal legislation that 
imposes strict liabilities and consequential damages for 
gross negligence in not only system development but corporate 
misbehavior would be very valuable. There's a proposal today 
that I saw about making Web site and system purveyors liable 
for not using best practices when it comes to security, for not 
installing the patches that have been given to them and, in 
some cases, they've been told that they were critical. In some 
cases, they weren't told at all.
    So in my final comment, there is some wonderful research 
and development out there and it really needs to be worked into 
the development of systems that are substantially more secure, 
more reliable. Along with that goes the education and the 
training and everything else that's needed to make it work. But 
if I look around the country, I do not see the adequate 
attention to software engineering, to security, to reliability 
in even graduate programs and certainly not in undergraduate 
    Thank you very much.
    [The prepared statement of Mr. Neumann follows:]

    Mr. Horn. Thank you. We appreciate those comments. They're 
stimulating, to say the least.
    Scott Culp is the lead security program manager for the 
Microsoft Corp. We're glad to have you with us.

                    CENTER, MICROSOFT CORP.

    Mr. Culp. It's a pleasure to be here. Thank you for the 
opportunity to appear today at this hearing. My name is Scott 
Culp. I'm the manager of the Microsoft Security Response 
Center. I'd like to commend the chairman and the committee for 
leadership on government computer security. It's a matter that 
we take with great seriousness, not only because the U.S. 
Government is one of our largest customers but also as an issue 
of civic duty. Mobile hostile code such as viruses and worms 
pose an ongoing threat to the security of our network systems. 
Every vendor's platforms can be affected and countering worms 
and viruses is a challenge that the entire IT industry must 
    As an industry leader though, Microsoft has a number of 
ambitious programs designed to combat hostile code and to 
safeguard our networks. The good news is that the basic design 
and architecture of the systems that we all use is sound. 
Viruses and worms only succeed when they can bypass the 
security these systems provide. One way to do this is for the 
virus or worm to exploit a security vulnerability, a hole in 
the system's armor.
    To reduce the occurrence of security vulnerabilities and 
our products, Microsoft has had an ambitious program under way 
for over 18 months called the Secure Windows Initiative which 
has as its goal nothing less than a generational improvement in 
the development practices that we use. We're providing advanced 
security training to our developers, we're building leading 
edge tools that dramatically improve how we test our software 
and we're using innovative techniques like penetration test 
teams in which we intentionally try to break into our own 
products. At the same time, we're increasing our use of 
independent third party experts, both inside and outside the 
government, to validate our work.
    But software is and always will be a human activity subject 
to human frailties. No piece of bug-free software has ever been 
developed and none ever will be. To root out any security 
vulnerabilities that may have slipped through our development 
and testing processes, Microsoft has assembled a Security 
Response Center which even our critics acknowledge to be the 
best in the industry. We investigate every claim of a security 
vulnerability affecting one of our products. When one is found, 
we quickly develop updated software and we deliver it through a 
well-publicized Web site, a free mailing list with over 200,000 
subscribers and automated sites like our Windows Update Web 
    Last year alone, we received over 10,000 reports. We 
investigated every single one of them. Of these, a grand total 
of 100 security vulnerabilities in all Microsoft products was 
    The other way that viruses and worms typically succeed is 
through social engineering, tricking the user into undermining 
his or her own security. To combat viruses and worms that use 
these techniques, Microsoft announced in April of this year a 
war on hostile code. One outcome of this campaign is something 
called the Outlook E-mail Security Update which blocks e-mail 
viruses. To the best of our knowledge, the number of customers 
who, after applying this update, have subsequently been 
affected by an e-mail virus is zero worldwide.
    Another element of the war on hostile code is a new feature 
in Windows XP called Software Restriction Policies which stop 
viruses and worms from executing on the machine even if the 
user downloads them and tries to run them.
    In addition to improving our products, we work 
collaboratively with our colleagues throughout the security 
community. Microsoft senior executives are also fully engaged 
in the U.S. government's security policy initiatives. For 
example, Bill Gates, Microsoft's chairman and chief software 
architect, received a Presidential appointment to a National 
Infrastructure Assurance Council and Craig Mundie, Microsoft's 
senior vice president and chief technical officer for strategy 
and policy, received a Presidential appointment to the National 
Security Telecommunications Advisory Council.
    But technology is not a panacea. Breaking into computers 
and writing viruses and worms to damage them is a crime and 
it's important that we not lose sight of that fact. Just as we 
can never realistically expect the threat of burglary or bank 
robbery to end, we should realize that cyber crime will always 
be a fact of life and, accordingly, Microsoft strongly supports 
enforcing our society's cyber crime laws and we work closely 
with domestic and international authorities and we strongly 
support increased funding for computer crime enforcement.
    In sum, Microsoft takes its responsibilities as an industry 
leader very seriously and we believe that the efforts of 
Microsoft and its colleagues in the industry will improve the 
security of the U.S. government's networks, the Nation's, and 
the world's. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Culp follows:]

    Mr. Horn. Thank you very much. Our second to last witness 
is Stephen Trilling, senior director of advanced concepts from 
the Symantec Corp.

                    CONCEPTS, SYMANTEC CORP

    Mr. Trilling. Thank you, Chairman Horn and members of the 
subcommittee for giving me the chance to testify today about 
the growing threat of computer worms to our national and 
economic security.
    Mr. Chairman, I'd also like to commend you and your 
subcommittee for your leadership in examining cyber security 
issues and for releasing the report card on computer security 
in the Federal Government.
    My name is Stephen Trilling. I'm here representing Symantec 
Corp. We're a world leader in Internet security technology, 
providing solutions to government, individuals, enterprises, 
and Internet service providers. At Symantec I oversee our 
Advanced Concepts Team, a group dedicated to studying new 
security threats and creating new technologies to better 
protect our electronic frontiers.
    Prior to this role, I directed our Anti-Virus Research 
Group, a worldwide team responsible for analyzing and creating 
fixes for computer viruses and other malicious threats.
    I'd like to first discuss the difference between computer 
viruses and worms such as Code Red. Traditional viruses, while 
potentially very damaging to individual computers, spread only 
very slowly to other computers. Users can inadvertently spread 
traditional viruses when they share infected files with one 
another. For example, through user-initiated e-mail. Again, 
since viruses rely on humans to spread, they spread only very 
slowly between different computers.
    I'd like to direct your attention to the screen to show a 
short simulation of how traditional viruses spread. In the 
simulation, each large circle represents an individual 
organization and each of the small dots inside the large circle 
represents a computer. What we're going to do is hypothetically 
plant the virus in the left hand organization shown as a single 
red dot--although I know from trying this out earlier the dots 
look black on that screen--and watch how it spreads over time. 
You can go ahead and start.
    So what we're looking at is the Concept virus. It's a 
simple virus that spreads when people exchange infected 
documents with each other and, as you can see, viruses spread 
over days or even weeks at about the rate that people exchange 
information. This picture is how the world looked to us up 
until the Melissa threat was released just over 2 years ago.
    In contrast to traditional viruses, computer worms--as has 
already been mentioned today--are designed specifically to 
spread over networks to as many computers as possible. Most 
worms, such as Melissa and LoveLetter, hijack e-mail systems to 
spread themselves automatically and, because worms spread 
largely or completely without human interaction, they can 
infect new users at an exponential rate without regard to 
borders or boundaries.
    So I'd like to go back to the simulation and watch how a 
single worm infection can ravage an organization. You can go 
ahead and start that. As you can see, computer worms have 
completely changed the rules of our game. Looking ahead, there 
are three factors that increase the potential for future damage 
from worms. No. 1, our global economy is clearly becoming more 
dependent on the Internet. Computers connected to the Internet 
now control e-commerce sites, power generation, electronic 
business supply chains, government transactions, and numerous 
other operations. A properly targeted computer worm could 
hobble any of these systems, threatening our national security.
    No. 2, as more home users move to high-speed broad-band 
Internet connections through cable modems or DSL, the potential 
for a devastating attack grows further. A Code Red type worm 
could spread to tens of millions or more home computers within 
hours. A denial of service attack then launched from tens of 
millions of infected machines could decimate the on-line 
business to business transactions of all Fortune 500 companies 
as well as all business to business and government to 
government electronic transactions. A large part of our economy 
would simply grind to a halt.
    Finally, No. 3, the demographics of on-line attackers are 
changing. Until now, most computer worms appear to have been 
created by amateurs with no specific targets. However, with 
more business and government functions occurring on-line, we 
expect to see an increase in professional attacks from 
organized crime, corporate spies, terrorist groups, and other 
organizations targeting specific systems on the Internet.
    Today industry research shows that the public and private 
sector have been reasonably successful in taking the first step 
in cyber defense through deployment of anti-virus software and 
firewalls. The same research has shown that government entities 
rank among the earliest adopters of anti-virus technology and 
are also among the most effective at fighting computer viruses 
in a timely fashion.
    Moving forward, it will be increasingly important for both 
the government and private sector to share as much information 
on cyber attacks as possible. Harris Miller on this panel has 
already spoken to you about the formulation of the ISACs, a 
good step in encouraging such cooperation.
    Symantec is a founding board member of the IT-ISAC and I 
would like to commend Harris Miller for his efforts in helping 
to create this important organization.
    Now I'd like to move to some recommendations. A good lesson 
learned from the private sector is the need to appropriately 
prioritize potential security solutions according to their 
cost/reward tradeoff. Deploying effective security is not an 
all or nothing procedure. Rather, it is an evolutionary process 
where each successive step further reduces risk.
    We sometimes refer to an 80/20 rule for security. By 
applying the most important 20 percent of potential security 
solutions, one can likely prevent 80 percent of possible 
attacks. Based on our experiences, there are three top 
recommendations to protect against 80 percent of likely 
    No. 1, organizations should deploy properly configured and 
updated anti-virus software and firewalls. No. 2, organizations 
need to install appropriate updates for any announced security 
holes on all systems as soon as these are available. As we've 
seen, such actions would have disabled the Code Red worm.
    And finally, No. 3, organizations should have a specific 
policy to ensure that computer users' passwords cannot be 
easily compromised. Beyond these 80/20 rules there are further 
general recommendations.
    No. 1, organizations should consider deploying other types 
of security software such as vulnerability assessment or 
intrusion detection software at all appropriate layers of their 
    No. 2, organizations should consider instituting a policy 
to block all executable programs from flowing into their 
networks through e-mail attachments. Many corporations have 
successfully blocked numerous worms through just such 
    And finally, No. 3, industries and government agencies 
deemed essential to our national security, as described in 
PDD63, should consider using private networks for all critical 
communications to isolate themselves from worm-based attacks.
    In conclusion, Mr. Chairman, over the coming decade, a 
computer worm could easily devastate our national economy. The 
time to invest in this problem is now. Both the government and 
corporations are building their next generation of on-line 
systems today and all of these systems will be targets 
tomorrow. Thank you very much.
    [The prepared statement of Mr. Trilling follows:]

    Mr. Horn. Thank you, and we will get back to you on a number of 
    Our last presenter is Marc Maiffret, the chief hacking 
officer of eEye Digital Security. Welcome. We're delighted to 
have you here.


    Mr. Maiffret. Thank you. I'd like to thank you for 
providing me the opportunity to be here today. I hope to bring 
a real world perspective to some of the issues that are 
currently affecting the security of our computer networks. My 
name is Marc Maiffret and I'm the co-founder and chief hacking 
officer of the eEye Digital Security. I've been in the computer 
security field for about 6 years now. The first 3 years of my 
experience was mainly as a hacker and the last 3 years has been 
as the chief hacking officer of the eEye Digital Security.
    The eEye Digital Security was started with the goal of 
creating software products that would help protect companies 
against the growing threat of cyber attack. Besides just 
creating software products, eEye also focuses on vulnerability 
research as a way to stay on top of the latest security 
threats. Vulnerability research is the process of analyzing 
software products to find ways in which an attacker can 
manipulate software in a malicious way.
    I've personally found vulnerabilities within 30 or so 
different software products and eEye itself has also been 
responsible for the discovery and disclosure of a few of the 
largest software vulnerabilities ever. It is a real world 
experience I have in hacking, vulnerability research and worms 
which I hope provides you all with an insight into the problems 
we are currently facing in the world of computer security.
    Computer systems and networks are vulnerable to many 
different types of attacks. The computer worm is one of the 
most dangerous types of attacks that threaten the Internet 
today, potentially more damaging than any virus. A virus can 
only infect systems if the computer user performs a certain 
action--for example, executing an e-mail attachment--whereas a 
worm, once planted on the Internet, is completely self-
propagating. This functionality allows a worm program to infect 
a very large number of systems in a very short period of time. 
Once the worm spreading has begun, the author of the worm could 
have control over thousands, if not millions, of systems which 
can then be used to perform attacks against the Internet or 
specific parts of the Internet.
    Code Red represents one of the best modern examples of a 
worm and the impact they can have on the Internet. Code Red was 
discovered around July 13 of this year. The first detailed 
technical analysis of Code Red was actually published July 17. 
That first detailed analysis of Code Red was done by myself and 
Ryan Permeh of the eEye Digital Security. Funny enough, we 
actually named the worm after the type of soft drink we had 
been drinking while performing our analysis.
    For a worm to propagate, it requires a method of entry. In 
the case of Code Red, it was via vulnerability within Microsoft 
Internet Information Services Web server or IIS. The 
vulnerability that the worm used to compromise Microsoft IIS 
Web servers is a vulnerability called the dot IDA buffer 
overflow. The dot IDA buffer overflow was actually a 
vulnerability found by eEye Digital Security. Microsoft and 
eEye Digital Security released the security advisory a month 
before Code Red was found in the wild. The advisory gave 
administrators instructions on how to protect themselves from 
the dot IDA vulnerability. Therefore, if administrators had 
installed the Microsoft security patch, then Code Red would not 
have had the ability to infect any systems and spread itself 
across the Internet.
    Code Red was designed with two goals in mind. The first 
goal was to infect as many IIS Web servers as possible and the 
second goal is to attack the White House Web server between the 
20th and the 27th of every month. Code Red seems to have been 
very successful at its first goal while failing at its second 
goal. The reason it was successful for its first goal is due to 
the fact that many Web servers were left unpatched against the 
IDA vulnerability. Code Red failed at its second goal because 
eEye Digital Security's early analysis of Code Red provided 
enough information in advance to protect the White House Web 
    The aftermath of Code Red has shown us the devastating 
effect that worms can have on the Internet. Although the worm 
only reached one of its two goals, the effects of the first 
goal had numerous implications. The rapid spreading of Code Red 
created abnormally high amounts of network traffic causing some 
networks to go off-line. Certain routers and other network 
devices experienced crashes unforeseen before Code Red.
    Five hundred thousand systems were compromised at the highest 
level of access and they were broadcasting that fact to the 
Internet at large. Although preventative measures stopped the 
second goal of the worm from being achieved, had it occurred, 
it would have been the largest distributed denial of service 
attack the Internet has seen today. Code Red has served as a 
warning shot to grab the attention of the Internet community.
    The biggest problem facing security today is that there are 
too many people talking about what we could do or what the 
threat is and not enough people doing real work that will 
result in the mitigation or abolishment of those threats. The 
Code Red worm was in some ways one of the best things to happen 
to computer security in a long time. It was a much needed 
wakeup call for software vendors and network administrators 
alike. Code Red could have caused much more damage than it did 
and, if the authors of Code Red had really wanted to attempt to 
take down the Internet, they could most likely have easily done 
    What made all of this possible and what steps can we take 
to help prevent things like this in the future? These are the 
most important questions and, luckily, there is much we can 
learn from Code Red to improve our current security standing. 
One of the first areas that needs improvement is the way that 
software vendors test their code for stability and security. 
I'm a software engineer so I know that mistakes do happen and 
programmers will now and then accidentally write vulnerable 
code. Software vendors, however, are usually not very motivated 
to take security seriously.
    Software vendors are not the only ones at fault here 
though. Network administrators and managers at various 
corporations are also to blame for faulty security. Going back 
to Code Red as our example, we can see that really the largest 
reason for Code Red's spreading as it did was because a lot of 
network administrators did not install the Microsoft security 
    It should also be noted that many companies have a very 
small budget for an IT staff or do not even have an IT staff. 
This leads to a lot of problems for administrators when it 
comes to securing a company's network.
    To help get security messages out to the public, there 
needs to be a centralized organization for vulnerability 
alerting. There are a few cyber watch organizations, NIPC, 
SANS, CERT, that currently watch for large scale attacks, i.e., 
worms, larger vulnerabilities and viruses. However, I feel 
these organizations would be able to accomplish a lot more if 
they sent alerts about all vulnerabilities instead of only 
vulnerabilities deemed serious enough to cover. There should be 
a Web site or e-mail alert system that administrators could 
join that would allow them to find out about all 
vulnerabilities and patches.
    Something that was said earlier I thought was pretty 
interesting from the gentleman from SRI. The reality of the 
situation right now is that there's a few aspects to security. 
One of the main things is, of course, vulnerabilities. Really, 
the type of vulnerabilities that are out there, there's I'd say 
five to six different classes of vulnerabilities out there. 
Things like buffer overflows, etc. These classes of 
vulnerabilities have actually been around, some of them, for 20 
years, 15 years. For example, the class of vulnerability that 
Code Red was exploiting was a buffer overflow vulnerability. 
The Robert Morris worm itself was exploiting that type of 
    So I think one thing is that the research has been done 
about buffer overflows and all these things and a lot of people 
have given the same speeches about doing more and all this sort 
of stuff but really, to me, when I got into the security field, 
I was kind of amazed that still, 15 years later after things 
like buffer overflows have been covered, that something like 
that is still actually a problem today. Really, it comes down 
to software vendors and also IT administrators, etc., but 
stopping worms, stopping viruses, stopping a lot of the 
vulnerabilities out there, it is not as hard of a thing to do 
as some people might say it is. These are vulnerabilities that 
have been around for a long time and there's tons of 
information on them and there definitely is a lot that we could 
be doing to make sure that software products do not have these 
types of vulnerabilities. That's all.
    [The prepared statement of Mr. Maiffret follows:]

    [GRAPHIC] [TIFF OMITTED] T0480.122 through T0480.131
    Mr. Horn. Thank you very much. Let me ask you a question 
and we'll start going this way. You heard the testimony of Mr. 
Castro of the National Security Agency and the ease with which 
hackers can learn their trade. Do you agree?
    Mr. Maiffret. Yes. Definitely. To write something like Code 
Red would take probably an hour or two. It's a very trivial 
thing to do. To launch something like Code Red to the Internet 
in a way where you're not going to be tracked, you're not going 
to be detected, is very simple to do. Even sometimes finding 
the vulnerabilities of these worms exploiting stuff is also 
actually rather trivial. Some of the most talented people out 
there happen to be on the side of the hackers and what not. 
Really, the thing is it's like that sort of knowledge, as the 
gentleman from SRI was saying, has not really been transferred 
into a lot of the corporate companies that are actually 
developing these products and what not. A lot of them have 
started to do some very good things recently. Microsoft would 
be a perfect example that's made a lot of improvements lately. 
However, the majority of software vendors out there still, it's 
a race for do I have the same features as this other software 
    Really, one of the things, security is not going to 
necessarily change until enough administrators are actually 
demanding for better security and that's what the market is 
actually asking for rather than new features being released.
    Mr. Horn. What are the disincentives that you can think of 
that governments might have to stem the hacker behavior, or do 
you think it's a problem?
    Mr. Maiffret. There's a lot of talk about having laws that 
are a little bit more scary or whatnot but coming from the 
hacker past and stuff, really when you're in that like mindset 
and when you are that teenager breaking into systems and 
whatnot, even though you read something in the newspapers about 
Kevin Mitnick being in jail for 5 years and this sort of thing--
which is definitely serious--you usually think you're above 
that and you're not going to get caught, etc. So laws, I don't 
really think, are necessarily going to scare people into not 
doing it and whatnot. I mean it really comes down to stopping 
the vulnerability in the first place.
    And actually, it's not an easy task to get vendors and 
whatnot to actually start looking at security first and then 
designing the product around security. It's usually design the 
product and then design the security around it, which is not 
necessarily the best thing to do.
    Mr. Horn. Let me try an analogy out on you and see if it 
makes any sense in the electronics of software, hardware, so 
forth. A lot of people look for marks on pistols and the bullet 
goes out and you've got usually, as the FBI knows, you can find 
and relate what happened on that barrel as the projectile went. 
The other one is the use of gun powder in terms of shot guns 
and people are talking about well, gee, why can't we have in 
that one on the shot gun in particular, you can put in types of 
things that have a pattern that no other shot gun shell does 
that. So is there any way that something like that can be in 
the electronics and all of the ones that are into software and 
maybe even hardware?
    Mr. Maiffret. I guess the question is basically kind of 
like the attackers and the hackers, whatever you want to label 
them, performing the attacks if there's something that can be 
kind of resident or left to be able to help track them. Would 
that be correct?
    Mr. Horn. Could be.
    Mr. Maiffret. Basically, dealing with software and whatnot, 
it's not really an easy thing to put anything in there like 
that. I mean people have tried to put in kind of bug type 
devices or things. Different software products have like unique 
identifiers for each computer which has actually led to the 
capture of a couple of different e-mail virus authors. However, 
all of those things, if you're smart enough, it really just is 
software and it's bytes of information and that is all easily 
manipulable. So it's not necessarily where you're going to 
track a hacker that way.
    There are a lot of things that could be done as far as on 
the network layer with things like intrusion detection systems 
and actually being able to detect an attack coming over the 
network and you'll at least have some sort of starting point of 
where they came from. Even intrusion detection systems, which 
is one of the more popular ways of creating logs to track 
attackers, even IDS systems themselves are vulnerable to 
attacks. Either yesterday or sometime today eEye Digital 
Security is releasing another security advisory on which we 
basically illustrate a technical way where you could bypass any 
commercial intrusion detection system to be able to attack IIS 
Web servers.
    What that means is that if somebody would have had that 
knowledge--in fact, somebody did have that knowledge at the 
time of Code Red--they could have used that knowledge to 
basically change around the Code Red attack in a way where 
intrusion detection systems would not have actually detected 
it, which is what led to the early analyses and the information 
getting out. So it could have potentially given Code Red and 
things of that nature another week head start on attacking the 
systems and what not.
    One of the things I was covering in my written testimony is 
I think that there's a lot that could be done as far as trying 
to detect some of these worms earlier in the process, to be 
able to get the word out and having a sort of system. They call 
it a honey pot in the security field. But you basically have a 
set of dummy servers that look vulnerable and whatnot and 
they're really watching. Typically they're used to monitor 
attackers and how they work. However, you could adapt something 
like that for worms and, if you did own a large enough block of 
IP addresses or computer network addresses, you could actually 
detect a worm and be able to get the analysis out much earlier 
than we have been right now.
    Mr. Horn. Mr. Trilling, you want to comment on that dialog?
    Mr. Trilling. Yes, with regard to tracing back?
    Mr. Horn. Right.
    Mr. Trilling. Certainly a lot of these threats, e-mail 
threats and so on and Code Red, as they move through the 
Internet, they do leave traces, whether it's in logs or whether 
it's in the actual e-mail. Sometimes they use the analogy as a 
letter goes from one city to the next, each post office will 
put a local stamp on that envelope and eventually, if you want 
to trace back through all the stamps, you can find the origin. 
But the extent to which you're likely to be successful at that 
is very much related to how much effort you want to take and, 
as has been mentioned earlier, there are over 50,000 known 
computer viruses and worms right now. It's not likely to be 
practical for law enforcement officials to be able to trace 
back to the origin of all of them.
    So certainly, as we've seen with Melissa, as we saw with 
LoveLetter, it is possible and certainly when effort is placed, 
when there's a high-profile attack that does a lot of damage, 
it's absolutely possible to trace back to the origin, but it's 
time consuming, it requires money and resources and proper 
    Mr. Horn. Mr. Culp, how about it? What's your feeling for 
    Mr. Culp. Well, trying to make changes in the software 
that's going to run on a hacker's machine to identify the 
hacker is ultimately going to be futile. The hacker owns that 
machine and, as Mr. Maiffret put it, it's just software. If a 
vendor installs tracking software into the operating system, a 
person who installs it on their machine and has administrative 
control can simply take it off. They can patch it with 
something that nulls out the functionality.
    Just the same, what Mr. Trilling was saying about improved 
forensics as the information transits the network is a much 
more interesting idea. The flip side though is that there could 
potentially be privacy concerns. But the real issue here is not 
so much the technology as much as human behavior.
    I want to sketch a scenario for your consideration. Suppose 
we lived in a world where I could come home today and find out 
that on my way out to work this morning I accidentally left my 
back door unlocked and when I came into the house, I found all 
my furniture gone with a sign that said, ``I've taken all your 
furniture in order to teach you about the importance of locking 
your doors.'' Now, suppose that I knew who did it and the 
general opinion of society was, well, he's done you a favor. 
He's shown you how insecure your home was. Does anybody believe 
that our homes would be secure?
    The reason that we don't tolerate this kind of behavior in 
our physical lives is because we know what it would lead to. 
Cyber crime is crime. There's nothing new about it. It's the 
same old type of crime we've had for generations. It's breaking 
and entering. It's robbery. It's burglary. It's destruction of 
property. We focus on the cyber part of cyber crime and we lose 
track of the fact that this is just crime. What keeps us safe 
in our insecure physical world is the deterrent value of law 
enforcement. To a certain extent, that's missing in cyberspace 
and that's one reason why we have the problems that we do. 
Adding tracking information is fine, but it presupposes that 
there's going to be effective law enforcement.
    Mr. Horn. Mr. Neumann.
    Mr. Neumann. Thank you. There's a huge confusion between 
leaving your front door open and leaving your computer system 
accessible from anywhere in the world. Recently, Avi Rubin, 
who works at AT&T Labs, one of the old Bell Lab spin-offs, was 
sitting in the Morristown Memorial Hospital and all of a sudden 
the green light on his laptop goes off and he discovers that 
he's instantaneously connected to the wireless network of the 
hospital with no security, no authentication, no protection 
    As I mentioned earlier, we had this case in Oklahoma where 
a guy let his newspaper know that their Web site was open and 
he's now up for 5 year felony charge. Avi did not do anything 
within the Morristown Memorial Hospital, but he noted this and 
I published it in my risk forum and I fear that all of a sudden 
people are going to be going after him because he has exceeded 
    In the Robert Morris case, Morris was accused by the 
Federal prosecutor of exceeding authority. In the four 
mechanisms that he used in the Internet world, not a single one 
of them required any authority. There was no authentication 
required, there was no access control required. The startling 
thing about this is the law that we're dealing with says you 
must exceed authority. If there's no authority required, then 
somebody who happens to access your system from afar is 
obviously intending to break into your system. But the law as 
it is written does not say that he's doing anything wrong if 
he's being accused of exceeding authority and there's no 
authority required.
    One of the most fundamental problems we have is that fixed 
passwords are being used. Fixed passwords are flying around the 
Internet unencrypted. They're trivial to sniff. There's lots of 
software you can get that will enable you to pick off 
essentially any Internet traffic.
    The fact that somebody breaks into your system should be a 
violation of the law and yet, as the law says, if he's 
exceeding authority, there's something fishy here. So I think 
we have to be a little bit careful if the laws are not saying 
what they're supposed to be saying. If there is no 
authentication and there exists zombie machines all over the 
place that people can jump into and use as springboards for 
attacks with no trace back possible because they've broken in 
masquerading as someone else and you have no idea who they are 
or where they're coming from because of the way they come in, 
there's something fundamentally wrong here.
    I mentioned the idea of malicious code. You have to realize 
that the malicious code, once it's in your system, is executing 
as if it were you. So the challenge is to keep it from getting 
in there in the first place. The laws do not help in that 
respect. So yes, we need better laws, I think, but we also need 
better systems.
    I will just mention the Advanced Research Project Agency of 
the DOD which has at the moment a set of 10 contracts--I happen 
to be lucky enough to have one of them--on what's called 
composable high assurance trustworthy system. This is an effort 
to radically improve the security/availability/ reliability of 
the computer operating systems that we deal with, and I'm 
hoping that research will inspire some of our computer vendors 
and developers to use some of the better techniques to come out 
of that research program.
    But again, I say I don't have much hope because I've seen 
the research that we did back in 1965 which is widely ignored. 
Thank you.
    Mr. Horn. Harris Miller, president, Information Technology 
Association of America. How do you look on this?
    Mr. Miller. I think the idea of the unique identifier, I 
would agree with what Mr. Culp said. The problem with the 
technology is that technology can be over-ridden, No. 1. No. 2, 
the privacy advocates would go absolutely ballistic. They've 
gone crazy when they've accused companies like Intel and others 
of trying to plant identifiers in their computers, even though 
Intel is doing it purely to protect the consumer. The consumer 
privacy advocates say that this is an attempt to install big 
brother. So I think the negative reaction sociologically, in 
addition to the technological obstacle that Mr. Culp outlined, 
really don't make that a very good alternative solution.
    I would like to comment on two other things that you 
addressed earlier though, Mr. Chairman. One is about the 
behavior of cyber citizens. We're not foolish enough to believe 
that simply saying be good will solve all of our cyber 
problems. However, we're sort of at the other extreme right now 
where we don't teach young people at all about good cyber 
    In fact, there is still a tendency to revere hackers as if 
somehow this is a positive element of our society. It's good to 
be able to say I brought down the Defense Department Web site 
or, even worse, Johnny and Susie's parents say, isn't Johnny or 
Susie clever? They brought down the Defense Department Web site 
as if it's a mark of admiration. They wouldn't be proud if 
Johnny or Susie burned down the Pentagon or burned down an 
office building, but somehow they're proud if they can figure 
out a way to show that they're technologically more 
sophisticated than the people who developed the software.
    That's why ITAA has worked with the Department of Justice 
and now Department of Defense on our cyber citizen program. We 
think that there needs to be education built into the 
classrooms all the way K-12 and higher education and even 
beyond to teach people good cyber ethics. Again, it's not going 
to solve all the problems but the previous panel mentioned that 
24,000 attacks occurred on DOD last year. DOD will tell you 
that a huge percentage of those, 80, 90, 95 percent, is what 
they call script kiddies. People just fooling around because 
they think it's cute or clever. Doesn't mean most of those 
attacks succeed but it does mean that it's harder for DOD as 
the object of attack to identify the serious problem because 
there's so much chaff coming at them in the form of people 
playing games. So I think that we do need to focus more on 
cyber education.
    The last point I'd like to make is I enjoy Doctor Neumann. 
He's obviously a lot smarter than all of us, but he does 
somehow take statements and run a little bit to the extreme. 
For example, he says that the Y2K legislation totally protected 
software vendors. As you know as one of the authors of the 
legislation, that was not the objective. The objective was to 
try to make the point that if a remediation could be found, 
that should be the first choice before you run off to the 
courts. That was a system that worked reasonably well.
    I would just disagree candidly with Doctor Neumann's 
assessment that the market place does not provide incentives 
for cyber security. I think the market place provides 
tremendous incentive to cyber security but, just as with 
automobiles, people want it both ways. They want to be able to 
do speedy business, but they want to be able to do secure 
business. So the challenge for industry is to balance those two 
interests off. We could all drive Humvees and armored personnel 
carriers down the road and probably wouldn't have 42,000 
Americans die on American highways. But we'd go a lot slower, 
they'd be a lot more expensive to run, they'd ruin the 
highways. We'd have to replace them a lot more often. So we try 
to come up with a balance: cars that are safe but also are 
fairly inexpensive and can move quickly.
    That's the challenge for the IT world. Companies, 
customers, individual consumers, both domestically and 
globally, want new products. They want products that work 
quickly. They want to be able to get their e-mail instantly if 
not faster. They want to have wireless access but at the same 
time they want security. So the challenge for all of us, both 
as producers of these products and as consumers, is to reach 
that balance. I think that clearly the good news is there's a 
lot more focus on cyber security. Mr. Maiffret said quite 
correctly the Code Red virus was a wakeup call. An even bigger 
wakeup call was the February 2000 distributed denial of service 
attacks which led to the creation of the IT-ISAC. So these 
incidents are good in a way. Fortunately, there's never been 
what Dick Clarke and others have referred to as an electronic 
Pearl Harbor where it really has destroyed the Internet it's 
been so bad. But I think there have been enough serious 
incidents that people are paying more attention. I think we are 
making progress.
    Mr. Horn. When a symptom of being a virus or a worm or 
whatever you want to call it, is there a way to sort of think 
about that software side? Can you get all this bombardment away 
into another part within a computer and that would then divert 
the group that's making the attack?
    Mr. Miller. I'll defer more to the experts. Again, I don't 
think it's possible to say that somehow you know intrinsically 
that these are good guys and bad guys. What technology has 
tried to do is separate that as much as possible. Mr. Maiffret 
mentioned the idea of this honey pot concept where you create a 
lot of IP addresses that are basically out there just to lure 
bad guys hoping that because security experts or government 
officials are watching those IP addresses, they would catch 
earlier warnings of these problems before they become widely 
diffused through the real government and the real private 
sector. But I don't know that there's any way of saying at the 
end of the day we're going to know every bad guy that walks 
into the bank any more than we're going to know every bad piece 
of code that comes in. I don't think there's any way of saying 
that in advance.
    Clearly, the tradeoff--and I think I discussed this before 
another hearing you had, one of your colleagues said, well, can 
I get to a situation where I never get an e-mail virus on my 
computer? I said to the Member of Congress, you could. You'd 
have someone else get all your e-mail and let him or her be the 
guinea pig, in a sense, and he or she would screen it. But, of 
course, you're giving up your privacy because that means 
someone else gets all your e-mail. You're giving up the time 
sensitivity because someone else would have to filter it and 
make sure it was all done. So that's a trade-off. You could 
say, OK, I as an individual don't want to get any viruses but 
what kind of tradeoffs am I going to make then?
    Mr. Horn. Let me just ask a few closing questions here. Mr. 
Maiffret, you've been criticized for giving a blueprint of the 
exploit to malicious programmers. Could you tell us how you 
believe this is an important way to provide details of threats 
to the on-line community?
    Mr. Maiffret. Yes. The first thing would be the wording on 
that would be it's not necessarily a blueprint. The main 
criticism came with Code Red and people said that we gave out 
enough details where somebody took our details and then 
actually wrote Code Red from those details.
    In the case of Code Red, the actual techniques that they 
used were far superior to anything that we talked about. In 
every advisory on software that we do, we always give out 
enough details where a vulnerability scanning type tool or an 
intrusion detection system or administrators themselves will 
have enough technical information where they can either test 
the vulnerability to make sure that the patch is working 
themselves or that they can actually update their intrusion 
detection systems to be able to monitor for potential people 
trying to exploit the vulnerability.
    It is a double-edged sword because yes, there is the 
information that's there and somebody could take that and try 
to write an exploit program with it, as they call it. However, 
the thing people need to understand is that even without any 
information at all, it's actually rather trivial to actually 
figure out where the vulnerability lies and exploit it. This 
has happened in the past before. One example of that would be 
Code Red itself was actually based off of another worm that was 
released back in April of this year and the vulnerability that 
worm exploited, there was actually no technical details ever 
released on it.
    So what happened from that was that some hackers did figure 
out the technical details, did write an exploit for it, did 
write a worm for it. However, since there was no public 
technical details released about it, no security software tools 
or anything out there were actually updated to be able to look 
for that specific signature. So back in April when Code Red was 
actually first attempting to go around the Internet, since 
there was no details, nobody was actually able to detect that 
it was going on. There just happened to be a couple of 
administrators at Sandia Labs that were lucky enough to see it.
    Mr. Horn. Recently the editorial editor of the Washington 
Post, Meg Greenfield, had her computer and people wondered what 
her password was and so when they found out, she simply said 
password, and I began to think that's so obvious, maybe people 
would leave her alone. No one would obviously think password 
for the password.
    Mr. Maiffret. One of the most common.
    Mr. Horn. That's right. Well, since some of you have 
teaching backgrounds, I guess I'd be interested in the fact 
that even Microsoft who warned the users of the newly 
discovered vulnerability and issued the patch to protect 
against the exploit did not protect all of its own systems, 
illustrative of the day-to-day challenge that system 
administrators face in maintaining the security of their 
systems. Any thinking on that?
    Mr. Maiffret. Sure. Let's walk back through. As you noted, 
when the initial patch was released, we did extensive 
publicity. Let me run through a couple of things that we did. 
As always, we released a security bulletin on our Web site. 
It's one of those heavily traveled Web sites on the Internet. 
We mailed it to over 200,000 subscribers to our mailing list.
    We also took the unusual step, because of the severity of 
the vulnerability, of engaging our worldwide support 
organization, particularly several thousand employees known as 
technical account managers who have direct relationships with 
customers and we asked them, call your customer and tell them 
you need to put this patch on now, read the bulletin later.
    We also proactively contacted the media and asked for help 
in getting information out. This was without a doubt the most 
widely publicized security bulletin in history. It's in keeping 
with how we have traditionally handled security 
vulnerabilities. Our goal at the end of the day is to get as 
many patches on machines that need them and, if the way to do 
that is to air the fact that we've made a mistake worldwide, 
we're going to do that.
    But as you mentioned, we neglected to fully protect our own 
networks. We did have a few machines, scattered machines here 
and there, that didn't get patched and this is illustrative of 
a problem that's inherent in a patch-based protection scheme. 
Applying patches is a management burden. Takes time. Certainly 
takes less time to apply a patch than it does to rebuild a 
machine after the machine has been compromised, but just the 
same, there's a management burden associated with this. We've 
invested quite a bit of time and effort, even starting before 
the worm, into trying to make our patches as simple as possible 
to get onto the machines that need them.
    Let me give you a couple of examples. Starting in May, we 
inaugurated a practice in which every IIS patch, patches not 
only whatever the vulnerability is we're discussing here now, 
but includes every previous patch for IIS. So if you just apply 
the most recent patch, you're protected against everything. No 
other vendor in the industry does that.
    We've also taken some steps to do some technology 
development to make it easier to get the patches onto the 
machines. Specifically, not requiring the machines to reboot. 
It turned out when we talked with our customers we found that 
was a significant impediment to a lot of them. So we did some 
technology development. We rolled out no reboot patches. And 
just recently we've rolled out some tools that have been in the 
works that have been under development since earlier this year 
that we believe will help ensure that customers have fully 
patched machines.
    The first one is something called the Microsoft Personal 
Security Advisor. It's a Web site. You navigate to the Web site 
and it downloads some software to your machine that allows it 
to scan itself with reference to a database that we keep up to 
the minute on our site to find out whether your machine is 
configured securely and to determine whether or not you're 
missing any patches. We released a companion tool that server 
farm administrators can use so that if you're, for instance, an 
administrator with 100 machines, from a single console you can 
tell which patches each one of those machines is lacking and 
keep them up to date. But just the same, the fact that we 
didn't have perfect compliance ourselves illustrates that 
there's more work to be done and we're certainly committed to 
making improvements as we go forward. We have some new features 
in our upcoming products that we believe will make it even 
easier to stay up to date on patches, including some 
technologies that will allow you to stay up to date 
    Mr. Horn. That's very interesting and Mr. Trilling, I was 
intrigued by your testimony. Applying a few simple rules. One 
can prevent the majority of attacks on your systems. More 
specifically, you detailed three top security recommendations 
that would likely protect against 80 percent of the attacks. In 
your opinion, should these rules be made mandatory for 
government agencies? That's a good probability.
    Mr. Trilling. Right. It's an interesting question. I think 
a little outside my area of expertise. I certainly feel like 
security rules and security policies really ought to be decided 
on by security companies rather than necessarily by the 
government. The other thing to point out is that security 
really is different for everybody. One of the things we often 
say is that it's important to secure your systems in such a way 
that the cost of breaking into that system is greater than the 
value of information you could get out of that system. So the 
effort to protect information for the Department of Defense is 
going to be very different than for a home user's individual 
Web site. I think each of those decisions needs to be made 
individually by individual organizations in consultation in 
many cases with security experts.
    I'd have to sort of understand a little bit the framework 
of what you're talking about but I think in general it would be 
difficult to sort of mandate across all agencies that these 
certain laws ought to be applied because the needs of security 
for different agencies and different organizations are really 
different depending on the value of what they're trying to 
    Mr. Miller. Mr. Chairman, the Federal CIO Council is trying 
to deal with this kind of a challenge and IT has been somewhat 
involved. It's basically led by the Federal CIO Council, 
particularly Mr. John Gilligan who's now the Deputy CIO at the 
Department of the Air Force and previously was CIO at the 
Department of Energy. What they're trying to do is establish 
best practices across agencies and it is complicated for the 
reasons Mr. Trilling suggested because there's no one size fits 
all. But by sharing information within the Federal CIO Council 
and then between industry and government, that's the role ITA 
has played by bringing to the government CIOs some of the best 
practices applied in commercial settings. We think there has 
been some progress there.
    Your staff might want to get a debriefing from the Federal 
CIO Council about how their best practices are coming along. 
They're trying to achieve in practice what Mr. Trilling has 
outlined in theory would be a good idea.
    Mr. Trilling. If I could just make one quick point just to 
take an example. If you were to mandate inside an organization 
every user inside the organization needed to change their 
password every 5 minutes, clearly that would reduce 
productivity enormously to the extent that most companies would 
never make that tradeoff. But there may well be some 
organization, some government organization where security is so 
critical that you're willing to make that tradeoff, and you see 
this over and over again, the tradeoff between convenience and 
security. More convenience often means less security and people 
need to, again, appropriately protect themselves depending on 
the value of their information stored on their computer 
    Mr. Horn. Mr. Neumann.
    Mr. Neumann. A couple of comments. One is that this 80/20 
business is a moving target. I go back to my tip of the iceberg 
analogy. You chop off the top very small percentage of the 
iceberg and there's still exactly the same size of the iceberg 
there. You may get rid of the 80 percent but there's an 
escalation effect here in that the attackers are advancing 
faster than the developers which means that no matter how much 
there is visible of the iceberg, you still have a very serious 
    You mentioned education. Let me just speak to that. I've 
taught in a bunch of different universities. Most recently I 
taught a course based on work that I've done for the Army 
Research Lab on how to build reliable, secure, highly 
survivable systems. All of the notes for that course are on my 
Web site and I think when you talk about how do you set 
principles and try to get people to enforce them, a good place 
to start is to read a document like that and discover what the 
principles are and see which ones of them are applicable.
    The most important thing is the architecture, as I've 
mentioned. I don't have a virus problem. I can read e-mail with 
all kinds of attachments but it never bothers me. I'm not 
running a Microsoft operating system. I'm running a Linux 
system. Linux has its own security violations and 
vulnerabilities. But the point is that if you focus on an 
architecture in which your system protects itself against 
itself--and again I go back to the research that we did in 1965 
which pretty much solved that problem--then a lot of the 
problems that you see in malicious code don't happen because 
the malicious code is executing with all of your privileges and 
you're giving it freedom to do whatever it wants.
    So all of the stuff about Trojan horses is ignoring one 
fundamental thing. That once somebody has broken into your 
system with a virus or a worm or whatever it is, you don't know 
that there's a residual Trojan horse there. There might be 
something nasty just sitting waiting for something else to 
happen. The Trojan horses are really the ultimate problem here. 
We're talking a lot about viruses and worms, but the real 
problem is the fact that systems are not designed with adequate 
architectures to protect themselves against themselves and to 
protect themselves against outsiders as well as, of course, 
    Mr. Trilling. May I make a very quick comment to respond to 
Mr. Neumann. I think you're quite correct in saying that it is 
a moving target and that more of the iceberg is always showing 
when you cut off the top. But again, it's about reducing risk. 
As we pointed out here, most of these crimes, most of these 
worms that we talked about today, were not targeted attacks. 
They were crimes of opportunity. Code Red simply went from 
machine to machine checking somebody's door knob. It would be 
like somebody walking through a neighborhood seeing if each 
door was open. If the door was open, they'd walk in and attack. 
If not, they'd keep moving. You could break into that home but 
you might as well keep walking down the block because you'll 
find another home that's open down the road.
    Most of these attacks such as Code Red are crimes of 
opportunity. They're going from machine to machine seeing if 
they can break in and so, again, it's all about reducing risk. 
By taking a small number of steps, we believe you can reduce 
your risk a lot. Certainly, to reduce your risk further to get 
that next part of the iceberg is going to be a big step for 
some organizations is more cost effective and more needed than 
others. But you want to make sure that the person just trying 
to walk into your door or come in through your basement, which 
is how most attacks are occurring today, you want to make sure 
you're stopping that. That's for government machines as well as 
home machines.
    Mr. Horn. Mr. Maiffret, any thoughts on this?
    Mr. Maiffret. I guess beyond just like it's really 
something where I think they're kind of talking like if you 
like patch the current top 10 vulnerabilities, you're making 
the best effort. But I think what Mr. Neumann was saying is 
when you patch the ranked top 10 right now, then hackers move 
on to the next top 10 and the next top 10. It's really 
something where the biggest vulnerabilities, they're just that 
and if you fix them, then the things that were not necessarily 
the biggest vulnerabilities the week before, now they are. It's 
really something where you do have to try to eliminate all of 
them. It's not something about doing the top 10 checklist or 
something of that nature.
    Mr. Trilling. I think that's also a really good point which 
is that you never get to the point where you are now secure. 
Security is a moving target. The value of the information on 
your network could suddenly change tomorrow as your business 
changes, as you acquire a new organization. So companies, 
organizations, government entities should never be stopping and 
saying, well, because we've gone through these top 10 lists, 
we're now done. Security is an evolving thing in much the same 
way that physical security is also.
    Mr. Horn. One of my colleagues who sat near me in our 
investigation of the White House e-mails which went on for 
dozens of hours and he said to me, he said, I'm just going to 
get rid of e-mail. The heck with it. They had the most stupid 
conversation. It was not great political theory or great policy 
and all this. They were darned stupid crazy things. Everything 
from every joke on Arkansas and everything else. He said, 
enough is enough. If they want to see me, they can walk through 
the door.
    Panel one has been very gracious listening to this dialog 
and if you have any thoughts that we haven't explored, feel 
free to get to the microphone or we can just send it back, I 
think, and put it in the front row there whereas they're in the 
orchestra pit. I've got a number of questions here and if 
you're on the way home or something or dictating into whatever 
your little thing is, we would welcome. Both the Democratic 
staff and the Republican majority staff have a number of 
questions. So we appreciate any helpfulness you could give in 
    We will keep the hearing over and out and open for probably 
2 weeks and then any thoughts you have going back. I want to 
thank all of you. You're very able in your whole firm of 
computers and enhancing computer security in the public and 
private sectors is a priority of this subcommittee and must 
become a priority, we think, for governments at all the levels 
because as we get from enhancing computer security, we're also 
talking about helping to have privacy for the citizen. Their 
records should not be used without their access or whatever the 
law reads on that.
    We'll issue a second report card on computer security 
within the Federal Government shortly. Attention to and action 
on this important issue must occur at the highest levels. It 
took them 2 years in the previous administration to wake up to 
Y2K and we're hoping that the current administration will take 
this very seriously, and I think they will. Today's hearing is 
a part of that process and we thank you very much for coming 
here, some of you for 3,000 miles.
    The staff I'd like to thank for this hearing is to my left, 
J. Russell George, the staff director/chief counsel of the 
subcommittee. Bonnie Heald is here out in the audience. She's 
working with the press, professional staff member, director of 
communications. And then Elizabeth Johnston, as a lot of you 
know, is a detailee with us and very knowledgeable on all sorts 
of issues. Scott Fagan is assistant to the subcommittee. Scott, 
this is his last hearing because he's going into the American 
Foreign Service. So you might see him in embassies throughout 
the world and maybe one of these days he'll be an ambassador 
and will be nice to us in congressional delegations. Hopefully 
you've been around us enough to know that Congress is trying to 
help you. We're not from the government alone.
    David McMillen, professional staff for the Democrat group 
and the San Jose Council Chamber's contacts that really helped 
us here tremendously. Judy Lacy, Ross Braver and the court 
reporters and Mark Johnson is the clerk for the majority. Mark, 
you're still around. You're not going to go in the foreign 
service or anything, are you?
    Mr. Johnson. I'm here as long as you want me.
    Mr. Horn. And the court reporter is George Palmer. It's 
tough when you go as long as we have, and we thank you, Mr. 
Palmer, for doing a good job on this, and that it'll be a good 
    So now this hearing will be in other parts of the United 
States on a number of questions. So we thank you all. 
    [Whereupon, at 12:58 p.m., the subcommittee was adjourned, 
to reconvene at the call of the Chair.]