[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]

COMPUTER VIRUSES: THE DISEASE, THE DETECTION, AND THE PRESCRIPTION FOR PROTECTION
=======================================================================

HEARING
before the
SUBCOMMITTEE ON TELECOMMUNICATIONS AND THE INTERNET
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
NOVEMBER 6, 2003
__________
Serial No. 108-66
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/house
__________
90-727
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
----------------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov   Phone: toll free (866) 512-1800; (202) 512-1800   Fax: (202) 512-2250   Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida
JOHN D. DINGELL, Michigan, Ranking Member
JOE BARTON, Texas
FRED UPTON, Michigan
HENRY A. WAXMAN, California
CLIFF STEARNS, Florida
EDWARD J. MARKEY, Massachusetts
PAUL E. GILLMOR, Ohio
RALPH M. HALL, Texas
JAMES C. GREENWOOD, Pennsylvania
RICK BOUCHER, Virginia
CHRISTOPHER COX, California
EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia
FRANK PALLONE, Jr., New Jersey
RICHARD BURR, North Carolina, Vice Chairman
SHERROD BROWN, Ohio
BART GORDON, Tennessee
ED WHITFIELD, Kentucky
PETER DEUTSCH, Florida
CHARLIE NORWOOD, Georgia
BOBBY L. RUSH, Illinois
BARBARA CUBIN, Wyoming
ANNA G. ESHOO, California
JOHN SHIMKUS, Illinois
BART STUPAK, Michigan
HEATHER WILSON, New Mexico
ELIOT L. ENGEL, New York
JOHN B. SHADEGG, Arizona
ALBERT R. WYNN, Maryland
CHARLES W.
``CHIP'' PICKERING, Mississippi
GENE GREEN, Texas
KAREN McCARTHY, Missouri
VITO FOSSELLA, New York
TED STRICKLAND, Ohio
ROY BLUNT, Missouri
DIANA DeGETTE, Colorado
STEVE BUYER, Indiana
LOIS CAPPS, California
GEORGE RADANOVICH, California
MICHAEL F. DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire
CHRISTOPHER JOHN, Louisiana
JOSEPH R. PITTS, Pennsylvania
TOM ALLEN, Maine
MARY BONO, California
JIM DAVIS, Florida
GREG WALDEN, Oregon
JAN SCHAKOWSKY, Illinois
LEE TERRY, Nebraska
HILDA L. SOLIS, California
ERNIE FLETCHER, Kentucky
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
DARRELL E. ISSA, California
C.L. ``BUTCH'' OTTER, Idaho

Dan R. Brouillette, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______

Subcommittee on Telecommunications and the Internet
FRED UPTON, Michigan, Chairman
MICHAEL BILIRAKIS, Florida
EDWARD J. MARKEY, Massachusetts, Ranking Member
JOE BARTON, Texas
CLIFF STEARNS, Florida, Vice Chairman
BOBBY L. RUSH, Illinois
KAREN McCARTHY, Missouri
PAUL E. GILLMOR, Ohio
MICHAEL F. DOYLE, Pennsylvania
CHRISTOPHER COX, California
JIM DAVIS, Florida
NATHAN DEAL, Georgia
RICK BOUCHER, Virginia
ED WHITFIELD, Kentucky
EDOLPHUS TOWNS, New York
BARBARA CUBIN, Wyoming
BART GORDON, Tennessee
JOHN SHIMKUS, Illinois
PETER DEUTSCH, Florida
HEATHER WILSON, New Mexico
ANNA G. ESHOO, California
CHARLES W. ``CHIP'' PICKERING, Mississippi
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
VITO FOSSELLA, New York
ALBERT R. WYNN, Maryland
CHARLES F. BASS, New Hampshire
GENE GREEN, Texas
MARY BONO, California
JOHN D. DINGELL, Michigan (Ex Officio)
GREG WALDEN, Oregon
LEE TERRY, Nebraska
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)

C O N T E N T S
__________
Testimony of:
Hancock, William, Chief Executive Officer, Internet Security Alliance
Holleyman, Robert W., II, President and Chief Executive Officer, Business Software Alliance
Pethia, Richard D., Director, CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University
Silva, Ken, Vice President, VeriSign Inc.
Wong, Arthur, Vice President, Security Response, Symantec Corporation

COMPUTER VIRUSES: THE DISEASE, THE DETECTION, AND THE PRESCRIPTION FOR PROTECTION
----------
THURSDAY, NOVEMBER 6, 2003

House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Telecommunications and the Internet,
Washington, DC.

The subcommittee met, pursuant to notice, at 9:30 a.m., in room 2123, Rayburn House Office Building, Hon. Fred Upton (chairman) presiding.

Members present: Representatives Upton, Stearns, Deal, Shimkus, Bass, Bono, Walden, Markey, McCarthy, Eshoo, and Green.

Staff present: Kelly Zerzan, majority counsel; Will Nordwind, majority counsel and policy coordinator; Neil Fried, majority counsel; Jaylyn Connaughton, majority professional staff; Will Carty, legislative clerk; Peter Filon, minority counsel; and Jessica McNiece, minority research assistant.

Mr. Upton. Good morning, everyone. I apologize for this virus, but I would rather have this virus than one at my house on my computer. You need to take that sucker back to the hospital.

Good morning. Today's hearing is entitled ``Computer Viruses: The Disease, the Detection and the Prescription for Prevention.''

If someone had told me a few years ago that an evil scientist plotted from his underground lair to send a malicious code to infect computers all around the world with a worm which would first replicate itself for the first 20 days of each month, the second would deploy web pages on infected servers with a page that declared ``hacked by the Chinese'' and third launch a concerted attack on the White House Web server in an attempt to overwhelm it, I would have guessed that this was the latest plot in the next James Bond movie.
What we now know is, in fact, this happened with the ``Code Red'' worm in July 2001. Unfortunately, worms and viruses are not science fiction. They are an alarming fact of life in the Internet age.

The Internet now connects over 170 million computers, and the number continues to grow. Our society is increasingly dependent upon the Internet to communicate, bank, and purchase goods and services. Moreover, many of our Nation's important functions, such as the electricity grid, the stock exchanges, the banking system and commerce rely in large part on the smooth and uninterrupted operation of the Internet. Without a doubt, our reliance on the Internet has had a positive effect on the productivity, efficiency and convenience of our country. However, it is precisely this fact which makes us so vulnerable to the havoc which can be wreaked by viruses and worms.

I speak from experience when I say that anyone who has lost files or work or has had their computer crash due to a worm or virus knows the frustration which they cause. In addition, worms and viruses can cause tremendous economic damage. So far, damages in the form of lost productivity, wasted hours, lost sales, extra bandwidth from the ``Blaster'' worm alone are estimated to be at least $525 million; and ``Sobig.F'' damages are estimated to be over $500 million again. Some estimates are even higher, even in the billions of dollars.

As bad as that is, in the wake of September 11, there is the even more chilling specter of cyberterrorist attacks on our Nation's increasingly Internet-dependent critical infrastructures. Research and analysis suggests that worms and viruses are proliferating and are able to move with increasing speed across the globe.
According to testimony we are going to hear today, the ``Slammer'' worm had a significant impact in just minutes; and the depressing fact is that it only takes one personal computer, some decent programming skills, a warped mind and a cruel heart to launch a virus or a worm with over 40,000 viruses and their variant strains that have been identified to this day. It appears as if these traits are not in short supply.

Law enforcement is a critical element in stopping those who seek to infect the Internet with viruses and worms, and I would note that just yesterday Microsoft announced that it has put up $5 million in reward money for information which will lead law enforcement to the successful capture of the culprits who launch destructive viruses and worms. I applaud their efforts.

While I hope that the bounty will help, I recognize that law enforcement in this area is extremely challenging. That is why the focus of today's hearing is on the prescription for protection. We need to figure out how both we can adequately arm all levels of government, business and the consumers with the best information as to what steps they can take to protect themselves and how we can ensure that everyone takes those steps. That is what we hope to learn today from the distinguished panel.

At this point I yield to the ranking member of the subcommittee, my friend, the gentleman from Massachusetts, Mr. Markey.

Mr. Markey. Thank you, Mr. Chairman. Did you say you had a virus, Mr. Chairman?

Mr. Upton. Yeah. Is that why you are over there?

Mr. Markey. Yeah. So----

Mr. Upton. I haven't touched the documents over here yet, so it is spreading throughout the office just like that. I have got two people sick today--one yesterday, three today.

Mr. Markey. So----

Mr. Upton. Congress will be out of session tomorrow for good reason.

Mr. Markey. And a real virus--what you have is much worse than anything these people are going to talk about. I mean infinitely worse, okay?
So just so we can--if we can have a hearing on a computer virus, then we should actually try to take measures--they are going to tell us about how to prevent the spread of these viruses, right? So I am going to try to stay over here.

Mr. Upton. There is no feeder.

Mr. Markey. And I want to commend you for calling this hearing. It is a subject that plagues millions of computer users as well as businesses around the country. They can wreak havoc as they propagate their way through computer networks, including the Internet.

Because of the increasing interconnectedness of our Nation's telecommunications and computer infrastructure and the fact that ever more Americans go on-line every year, we can see an increased vulnerability to the debilitating nature of a virus attack. There are some 65,000 viruses for the Windows program, which over 90 percent of American computer users utilize. Some computer experts have pointed out the inherent vulnerability of millions of computer users relying upon the same operating system. The very interoperability and efficiency that businesses and computers prize about their telecommunications and computer capabilities have an Achilles-heel quality if preyed upon by computer programmers with nefarious intent.

Microsoft has announced recently a program to make bounty payments to those who lead them to the creators of viruses that attack Microsoft software.

The result of a cyberattack can cause consumers to lose valuable files and data. They can render a computer network inoperable for hours or even days, and they can cost victims millions of dollars in lost time, sales and equipment. A whole industry has grown up with the personal computer to help thwart such attacks and fight viruses.
Much like in the real world, where new viruses or variations of older strains may arise each flu season requiring new vaccination, software programmers for security firms are constantly battling new viruses that are launched onto the Internet on a seemingly daily basis. One estimate indicates that U.S. companies spent over $12 billion last year alone in combating and cleaning up after virus attacks.

Moreover, with the threat posed by terrorists, especially intelligent, sophisticated terrorist organizations with access to great financial resources, the prospect of cyberterrorism is a clear danger to our key infrastructure and our economy.

I want to commend you, Mr. Chairman, for calling this timely hearing; and I yield back the balance of my time.

Mr. Upton. Thank you, Mr. Markey. Mr. Shimkus from Illinois.

Mr. Shimkus. Thank you, Mr. Chairman. I also want to thank you for holding this hearing. I do have a bill that is being marked up in the Senate Foreign Relations Committee this morning. I am going to run over there and do some personal lobbying on that. I am really the last person that wants to make any analysis or comment on security at this time, so I respectfully yield back the balance of my time.

Mr. Upton. Make sure you have an escort over to the Senate. Mr. Green.

Mr. Green. Thank you, Mr. Chairman, for calling this hearing regarding impacts and solutions for the computer virus problem. Computer viruses are causing terrible harm to the computer users and billions in damages to U.S. businesses.

Computer technologies have delivered tremendous benefits to our economy and society in the recent years, but there are unintended consequences. We have unsolicited e-mails, we have viruses, we have computer worms, and recent combinations of that are attempting to swarm our networks. The combination of e-mail, spam and viruses is like putting a SARS patient on every airline flight in the country.
In August, the Sobig virus became the fastest-spreading and most pervasive computer virus in history. How did Sobig spread so fast? Spam. What was the cost? At least $3 billion.

An August 12, 2003, Business Week article described how virus writers and spammers are borrowing each other's techniques with devastating consequences; and, Mr. Chairman, I ask unanimous consent to place this Business Week article in the record.

Mr. Upton. Without objection.

[The article follows:]

SECURITY NET
By Jane Black

Unholy Matrimony: Spam and Virus
Their common goal is subterfuge, and by combining their strategies, they could make today's junk e-mail look like a mere nuisance

In June, half of all e-mail was spam--those annoying unsolicited messages that hawk everything from porn and Viagra to mortgage-refinancing deals and weight-loss patches. But if you think spam is out of control, prepare yourself. It could get a lot worse.

Over the past few months, e-mail security companies have seen mounting evidence that spammers are using virus-writing techniques to assure that their sales pitches get through. At the same time, intrepid virus writers have latched onto spammers' trusty mass-mailing techniques in an effort to wreak widespread digital mayhem. ``What we're seeing is the convergence of the spammer and the malicious code writer,'' says David Perry, global director of education at antivirus company Trend Micro (TMIC).

RELAY STATIONS. Witness the recent spread of a virus known as Webber, which was discovered on July 16. It carried the subject line ``Re: Your credit application.'' Users who opened the attachment downloaded a malicious program that turned a home PC into a so-called open relay server, which allows a third party to send or receive e-mail--including spam--remotely from that PC. Spammers are notorious for using open relays to hide their identities. According to British e-mail security company MessageLabs, 70% of spam comes through open relays.
Then there's Sobig.E, a virus that grabs e-mail addresses from several different locations on a PC, including the Windows address book and Internet cache files. Sobig.E then tries to send a copy of itself to each address. It also uses one of the stolen addresses to forge the source of the message, so that it appears to come from someone else. MessageLabs believes Sobig.E is a spammers' virus designed to harvest legitimate e-mail addresses from users' computers.

So far, no concrete evidence shows any home PCs that have been infected by either Webber or Sobig.E have been used to send spam. But experts fear that the two viruses could be ``spam zombies,'' programs that will lie in wait on a PC until called on by the spammer to send out millions of untraceable e-mails.

``I LOVE YOU'' MORE. The convergence of spam and malicious code makes sense, says Chris Miller, Symantec's (SMYC) group product manager for enterprise e-mail security. ``They have a common goal--to do what they're doing without being seen,'' Miller says. Virus writers and spammers send out their messages from illegitimate e-mail accounts, never from the ISPs where they are registered.

It isn't hard to see where the union of these two insidious groups' techniques might lead. Using such weapons as Sobig.E and Webber, spammers can hijack a user's address book, then use the PC to send out hundreds, even thousands, of junk messages. And virus writers can use mass-mailing techniques to spread malicious code even faster than before. The destructive ``I Love You'' virus of 2000 was originally sent to a small number of people. Within days it had affected tens of millions of computers and caused damage worth hundreds of millions of dollars. Imagine if, like spam, it had originally been mailed to a half-million computers.

Security experts cite other recent examples of spam-virus convergence:

Key-logger Trojans.
In May, 2003, a major food-manufacturing company received a spam e-mail that, when viewed in a preview pane in Microsoft Outlook, showed a message that appeared to be an opportunity to sign up for a newsletter. First, though, the message asked the recipient to verify their e-mail log-on ID and password. That information was collected by the key-logger code and then sent to the spammer, who could then log into the user's e-mail at any time and search for valuable information.

Drive-by downloads. Recent spam sent to a major airline manufacturer led unsuspecting users to Web pages where spying software was secretly downloaded without the user's knowledge. So-called spyware monitors a user's activity on the Internet and transmits that information to someone else, usually an advertiser or online marketer. Spyware can also gather information about e-mail addresses, passwords, and credit-card numbers. Drive-by downloads can be done without either notifying the user or asking permission because many users accept such a download without question, thinking it's a normal function of the Web site.

CALL IT ``MALWARE.'' According to the strictest definitions, key loggers and drive-by downloads aren't viruses, which are programs that replicate themselves. (If you've seen The Matrix Reloaded, think of the way Agent Smith makes infinite copies of himself to try to destroy Keanu Reeves' Neo.) A Trojan is a program that rolls into your computer unannounced, then persuades the computer to launch it through fraud.

As spam and malicious code converge, however, such definitions are becoming less useful. That's why experts like Trend Micro's Perry are now looking at a broader term--``malware''--to describe any program with malicious intent. ``With traditional hackers, the motivation has always been to prove that you're a rad dude,'' Perry said in a phone interview from the Las Vegas hacker convention DefCon.
``But when we start seeing these techniques used for commercial gain like spam, it's going to get a whole lot more serious.'' Cybersurfers, beware.

Mr. Green. A third even more despicable tactic is also a possibility, a spam message with a virus that turns innocent computers into senders of more spam. It is the invasion of the in-box snatchers, with spammers turning our computers into spamming zombies with virus-infected spam infecting our networks.

I am glad we are having this hearing to see what private-sector solutions can be developed to attack this new and mutated infection. But there is also something this committee and this Congress can do about it. To complement and support private-sector efforts to stop spam and spam viruses, the majority of members of our committee are sponsors of H.R. 2515, the Wilson-Green Anti-Spam Act of 2003, which is the strongest anti-spam bill in Congress.

Many are impressed that the Senate acted so quickly on their spam legislation, but I want to warn my colleagues that a weak spam bill will be worse than none at all. If we are going to preempt State laws under which State actions are currently being brought, it needs to be a strong Federal law. With the unholy alliance of spam and viruses we need all the law enforcement tools on hand to protect ourselves.

The Senate-passed bill has ineffective enforcement, as a bipartisan Internet committee of the National Association of Attorney Generals concluded in their November 4 letter. The letter was signed by the Texas Attorney General, along with Attorney Generals from California, Kansas, Maryland, Nevada, Vermont, Virginia and Washington. And, again, Mr. Chairman, I ask unanimous consent to enter this into the record.

Mr. Upton. Without objection.

[The information referred to follows:]

[GRAPHIC] [TIFF OMITTED] T0727.001
[GRAPHIC] [TIFF OMITTED] T0727.002
[GRAPHIC] [TIFF OMITTED] T0727.003
[GRAPHIC] [TIFF OMITTED] T0727.004

Mr. Green.
To cite one example of how strong anti-spam legislation will cut down on computer viruses, the Wilson-Green bill bans misleading subject lines. Misleading subject lines are a primary way that spam viruses work, enticing innocent users to open dangerous e-mail. The bill offered by my good friend, Mr. Burr of North Carolina, does not prohibit misleading subject lines. The bill that passed the Senate allows spammers an affirmative defense clause so that they can argue that they tried to follow a law while they were actually violating it.

The Wilson-Green bill also prohibits dictionary attacks, a highly effective spamming method that can make a spam virus even more devastating. Neither the Burr bill nor the Senate-passed bill prohibits dictionary attacks. These differences don't just impact how much consumers are annoyed. They have a major impact on our economy.

I stand ready to continue working with the Chairman of the subcommittee, the full committee and Mr. Burr to get a strong bill out to the House.

In closing, I want to mention again that just one spam virus caused at least $3 billion in economic damages. Some estimates are much higher. Viruses used to be sent out by hackers trying to prove how smart they are. Now spam viruses like Sobig are being sent out by people trying to see how much money they can make. I believe we need to act on a strong anti-spam legislation with law enforcement that is tough as soon as possible.

Again, Mr. Chairman, thank you for holding this hearing; and again, to this distinguished panel, I look forward to their responses. Thank you.

Mr. Upton. Thank you very much. Mr. Walden.

Mr. Walden. Thank you, Mr. Chairman. I am going to defer an opening statement. I just hope we can figure out how to get these modern-day vandals early and prevent this kind of abuse. I look forward to the testimony of the panel. I intend to read their submitted testimony. Thank you, Mr. Chairman.

Mr. Upton. Thank you very much.
[Additional statements submitted for the record follow:]

Prepared Statement of Hon. Paul E. Gillmor, a Representative in Congress from the State of Ohio

I thank the Chairman for the opportunity to address this important issue.

The increasing use of computers and the steady spread of the digital age continues its worldwide impact. Yet, the negative effects of computer viruses threaten our personal and national security. Each day, thousands of people and corporations find their computer infrastructure compromised by viruses, worms, and other digital threats. In 2002, computer viruses in the United States caused nearly $50 million in damages. The August 2003 threat of the Sobig virus alone cost almost $30 billion in worldwide damages.

Today we are a nation dependent on the resources of the digital age. The use of the Internet, email, instant messaging, and online shopping and banking provide many Americans with the resources for a simpler life. However, the many wonderful features of computers and the Internet are often overshadowed by the acts of the malicious few. The 50 percent increase in theft of confidential data during the first half of this year is just one of the many evils that will continue to face our people and businesses.

In addition, we face an imminent threat to our national security systems which cannot be ignored. The reliance on digital technology by the energy, medical and defense systems across the United States and my State of Ohio, while necessary, leaves our country susceptible to many dangers. The lack of solid computer security measures capable of protecting against a constant bombardment of technology attacks poses a direct threat to our national security.

Our first priority has to be informing the people. As a first step, an increased use of anti-virus software and firewalls will assist in securing many of the computers and systems currently vulnerable to attack.
All of our friends, families, and staffs have felt the effects of digital attacks; some through personal trauma, others through the press, but all through the damaging results on our country and our economy. Today we must commit to inform and assist in this fight.

I welcome the well-balanced panel of witnesses and look forward to hearing your perspectives concerning this timely issue. Again, I thank the Chairman and yield back the remainder of my time.
______

Prepared Statement of Hon. Barbara Cubin, a Representative in Congress from the State of Wyoming

Thank you, Mr. Chairman. I would like to thank you for holding this hearing to examine the scourge of computer viruses.

As our nation continues its evolution to a fully wired or in this day and age ``wireless'' technological society, the impact of malicious computer programs can be staggering. Frankly, it's hard for me to comprehend why someone would consciously act to debilitate the property of others. Just as puzzling as the brazen acts of thieves and other common thugs, or the international threat of homicide bombings, the proliferation and complexity of these cyberattacks are testaments to the growing criminal element and national security threat that worms and viruses embody.

As a result of this hearing I would like to get a better understanding of the scope of the problem and the impact it has on commerce and the operation of our nation's electronic infrastructure. I am also hoping that our expert panel can clarify the differences between worms and viruses and explain what steps consumers and businesses can take to inoculate themselves against vulnerability.

I'm also curious what role Congress plays in this matter. After all, it strikes me as a difficult endeavor in the anonymous realm of the Internet to catch the perpetrators of these crimes, while simultaneously observing constitutional protections against search and seizure.
Nevertheless, as a Member representing rural Wyoming, where the Internet keeps us connected to the rest of America, I have concerns about how these vulnerabilities affect the small businesses and entrepreneurs across the state, and by extension our local economy. We have the opportunity in today's hearing to fully analyze the threat of worms and viruses and make certain that not only is our marketplace secure but also the vital government computer systems that could be tempting targets for a terrorist attack.

Thank you Mr. Chairman, I yield back the balance of my time.
______

Prepared Statement of Hon. Mary Bono, a Representative in Congress from the State of California

Mr. Chairman, I would like to thank you for your leadership on this issue. Computer viruses and worms pose a substantial threat to the Internet, consumers, and the stability of businesses. I look forward to hearing from the witnesses to learn more about various ways we may help in the fight against cyber attacks.

It is unfortunate that some have found ways to program malicious code onto the computers of others. Such codes substantially slow down computer performance and sometimes even bring computers to a screeching halt. The result is more than mere inconvenience. Such security violations are quite costly. In fact, experts estimate that corporations in the United States alone spent approximately $12.3 billion to clean up damage from computer viruses in 2001, and that the worms of this past summer cost businesses up to $3 billion.

Part of the problem is that often times, the potential damage is undetectable until it is too late. Businesses as well as consumers are repeatedly uninformed about possible cyber attacks. In fact, some cyber attacks can be launched, while remaining entirely undetectable. For example, as many of you know, this past July, I along with Congressman Edolphus Towns, introduced H.R. 2929, ``the Safeguards Against Privacy Invasions Act,'' or rather the SPI Act.
This bill aims to address the issues related to ``spyware.'' Like viruses, spyware programs embed codes into other computer programs, affecting the efficiency of computers. However, spyware is even more threatening since such code can be used to actually spy on computer users. Some spyware programs track the actions of Internet travelers for the purpose of presenting targeted advertisements, but many spyware programs are used to view computer users' actions, enabling access to personal and financial information by unknown entities. According to a recent industry publication, spyware is rampant and problematic, and ``nearly 75 percent of customer problems with computer performance can be linked in some way to spyware and its applications.'' The Reporter (July 7, 2003).

Despite this enormous effect on computer users, shortly after introducing the SPI Act, it became evident to me that many members of Congress and consumers are unaware of spyware. I hope to hear the witnesses' thoughts on the issue of spyware as it relates to computer viruses and other computer problems, and I urge my colleagues to seriously consider this issue, as I feel that it may be one of the most serious threats facing our computer-using constituents.
______

Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee on Energy and Commerce

Thank you, Mr. Chairman, for holding this very important hearing today on computer worms and viruses. We saw a summer season full of news stories about computer bugs with names such as ``Blaster'' and ``Slammer,'' and I hope this hearing can shed some light on this very troubling subject.

There is no question that modern computer viruses are the ``common cold'' of the Internet. They can spread quickly across open networks, like the Internet, and each bug can cause billions of dollars in damage in its wake. To put the threat into some perspective, five years ago the chance of receiving a virus over a 12-month period was about 1 in 1000.
Today, the chance of infection has dropped dramatically to about 1 in 10. In fact, while the number of Internet users continues to grow at a healthy pace, the dangerous activity on the Internet is growing even faster. Virus experts have recorded more than 65,000 worms and viruses and their strains over the years. Although, thankfully, most viruses are annoying time-wasters. Increasingly, however, we are seeing more advanced and sophisticated threats that can deliver a destructive payload.

Traditionally, we have viewed cyber attacks as threats to information that could wreak havoc on businesses, governments and economies across the world. But today, our nation's critical physical infrastructure is powered by computer systems that utilize the Internet. Such attacks can shut down facilities like airports, bridges, electrical grids, nuclear plants, and air traffic control--posing enormous public safety risks. It is only a matter of time before Internet worms and viruses are used to attack infrastructure that will result in more than just financial losses. For this reason, cyber security must be at the forefront of the minds of those in business and government.

We have an excellent panel of experts before us today to educate us on this important issue. Businesses need to ramp up their cyber security, consumers need to be vigilant, and Congress must continue to ensure our computer and technology networks are safe. I am anxious to hear from our witnesses what can be done to stem the tide of computer worms and viruses, what steps are being taken to address our vulnerabilities, and what role, if any, the federal government--specifically the Congress--can play to promote increased awareness and action on these issues.

Thank you again, Mr. Chairman for holding this hearing. I yield back my time.
______

Prepared Statement of Hon. Anna G. Eshoo, a Representative in Congress from the State of California

Mr. Chairman, thank you for holding this hearing.
I'd like to welcome Ken Silva of VeriSign and Art Wong of Symantec. Both VeriSign and Symantec are based in my district and I'm proud that they join this panel of experts today to discuss what I think could be one of the most important hearings this panel holds. Our country is increasingly dependent on the network of computers that make up the Internet. We use this technology in our day-to-day activities . . . from checking the weather to our checking account. Most people don't realize the amount of personal information readily available through the Internet and how vulnerable this information is to cyber attacks and how fragile our patchwork of networked critical infrastructure really is. The blackout in the Northeast last August is an example not only of how connected we are, but how, when parts of those connections fail, entire regions and sectors of our economy can literally be shut down. Clearly the protection of this infrastructure is an important topic that the Congress must address. The number of worms and computer viruses that have paralyzed the Internet and seriously affected our economy have grown in the last year. This is not just hacking taking place--these worms and viruses can stop the commerce taking place over the Internet. There are severe economic consequences to these cyber attacks. It's calculated that the worm attacks this summer cost nearly $2 billion dollars. Our ability to respond to these threats greatly depends on cooperation between the public, the private sector and the federal government. The Department of Homeland Security is one of the key components in establishing a relationship with the private sector that will help build programs to combat these threats. There's much work to be done, but we've at least begun to address the serious threat of cyber attacks through homeland security initiatives. We also need to make sure that we promote consumer education and awareness of these threats. 
Individual home users need to realize that their Internet use is also vulnerable to attacks and their computers may be used to disseminate computer viruses. Mr. Chairman, thank you for holding this important hearing. I look forward to the testimony of our panel of experts and working with you to solve this national challenge. Mr. Upton. Well, we are delighted to have a distinguished panel this morning. We are honored to have Mr. Richard Pethia, the Director of the CERT Coordination Center from the Software Engineering Institute; Mr. Ken Silva, Vice President of VeriSign; Dr. Bill Hancock, Chief Executive Officer of Internet Security Alliance; Mr. Art Wong, Vice President of Security Response for Symantec Corporation; and Mr. Robert Holleyman II, President and CEO of Business Software Alliance here in Washington. Gentlemen, your statements are made part of the record. At this point we would like you to take 5 minutes each to give an opening statement, at which point, when you are finished, we will have questions from the members that are here. Mr. Pethia. STATEMENTS OF RICHARD D. PETHIA, DIRECTOR, CERT COORDINATION CENTER, SOFTWARE ENGINEERING INSTITUTE, CARNEGIE MELLON UNIVERSITY; KEN SILVA, VICE PRESIDENT, VERISIGN INC.; WILLIAM HANCOCK, CHIEF EXECUTIVE OFFICER, INTERNET SECURITY ALLIANCE; ARTHUR WONG, VICE PRESIDENT, SECURITY RESPONSE, SYMANTEC CORPORATION; AND ROBERT W. HOLLEYMAN, II, PRESIDENT AND CHIEF EXECUTIVE OFFICER, BUSINESS SOFTWARE ALLIANCE Mr. Pethia. Thank you, Mr. Chairman and members of the subcommittee, for the opportunity to talk to you today about the important issue of cyberviruses and worms. My views today are shaped by the lessons we have learned at the CERT Coordination Center where for 15 years we have dealt with the problem and more recently have partnered with the Department of Homeland Security to form the U.S. CERT. Today, worms and viruses are a growing risk that cause damage more quickly than those created in the past. 
With the Code Red worm in 2001, there were days between the first identification and the widespread damage. In January of this year, Slammer had significant impact in just minutes. As already mentioned this morning, virus and worm attacks alone have resulted in millions of dollars of damage, with individual viruses often causing damage in excess of $500 million. While the viruses and worms we have seen in the past have infected computers, clogged networks and mail servers, few have been programmed to do more than just propagate. In the future, it is likely we will see viruses and worms carrying payloads that delete or corrupt data and program files or leak sensitive information.

It is clear that our current reactive solutions alone are no longer adequate. With the Internet now connecting over 171 million computers and with many attacks now being fully automated, they spread with blinding speed across the entire Internet community. The attack technology is becoming increasingly complex, increasing the time it takes to analyze the attack mechanisms in order to produce antidotes. With increasing dependency on the Internet even short interruptions of service can cause significant economic loss in very short periods of time.

What can we do? First of all, we need to continue to improve our warning and response capabilities by building collaborative partnerships across organizations that participate in cyberwatch warning and response functions. The second step is to reduce vulnerabilities by collaborating with the private sector to develop new tools and methods for detecting and remediating vulnerabilities in products that are commonly used in our information infrastructures. Especially needed are new generations of software that are virus resistant or virus proof. Vendors need to provide systems and software that constrain the execution of imported code, especially the code that comes from unknown or untrusted sources. Some techniques to do this have been known for decades. Others, such as sandbox attack techniques, are more recent.

We need to dramatically reduce implementation errors. Last year over 4,000 new vulnerabilities were reported to the CERT Coordination Center. While it is unlikely that we will ever be able to develop defect-free software, vendors need to be proactive, study and learn from past vulnerabilities and adopt new known, effective software engineering practices that dramatically reduce the number of flaws in their software products. Finally, we need high security default configurations, out-of-the-box software configurations that have security options turned on, rather than depending on the users to turn them on.

System operators also need to take critical systems to adopt security practices. Senior managers must visibly endorse security improvement efforts and support adoption of effective practices and technologies and provide the resources needed to implement those improvements, keeping their skills and knowledge current by attending courses and using information sources that continue to track this dynamic and ever-changing problem. Finally, home users must improve their understanding of the problems and use practices and technology such as anti-virus products and personal computer firewalls.

Other things we think the government can do would be to provide incentives for higher quality, more secure products. The government should use its buying power and adopt code integrity clauses, clauses that hold the vendors more accountable for security defects and provide incentives for vendors to supply low-defect products and products that are highly resistant to viruses. Also in this area are upgraded acquisition processes that put more emphasis on the security characteristics of the systems being required.

In the long term, research is needed to develop a unified and integrated framework for all information assurance analysis design and implementation, rigorous methods to assess and manage risks, and simulation tools to analyze the possible cascade effects of attacks across interdependent systems. The government scholarship programs that currently exist to produce security specialists are doing a good job, but we need to expand those programs over the next 5 years to build the university infrastructure we will need for the long term. Finally, we need more awareness and training for all Internet users, including the development of educational material for children in the K through 12 age frames.

The National Cybersecurity Division formed by the Department of Homeland Security and the U.S. CERT are steps toward implementation of these recommendations, but a safer cyberspace will require that the NCSD, the entire Federal Government, State and local governments and the private sector all work together to improve security practices, create higher quality software, build awareness at all levels and sponsor increased research and development activities leading to new generations of virus-tolerant products.

[The prepared statement of Richard D. Pethia follows:]

Prepared Statement of Richard D. Pethia, Director, CERT® Coordination Center, Software Engineering Institute, Carnegie Mellon University

INTRODUCTION

Mr. Chairman and Members of the Subcommittee: My name is Rich Pethia. I am the director of the CERT® Coordination Center (CERT/CC). Thank you for the opportunity to testify on the important issue of cyber security. Today I will discuss viruses and worms and the steps we must take to protect our systems from them.

The CERT/CC was formed in 1988 as a direct result of the first Internet worm. It was the first computer security incident to make headline news, serving as a wake-up call for network security. In response, the CERT/CC was established by the Defense Advanced Research Projects Agency at Carnegie Mellon University's Software Engineering Institute, in Pittsburgh with a mission to serve as a focal point to help resolve computer security incidents and vulnerabilities, to help others establish incident response capabilities, and to raise awareness of computer security issues and help people understand the steps they need to take to better protect their systems. We activated the center in just two weeks, and we have worked hard to maintain our ability to react quickly. The CERT/CC staff has handled 260,000 incidents, cataloged and worked on resolutions to more than 11,000 computer vulnerabilities, and published hundreds of security alerts.

In September of this year, the Department of Homeland Security, in conjunction with Carnegie Mellon University, created the US-CERT. The US-CERT is a growing partnership between the CERT/CC and DHS's National Cyber Security Division (NCSD) and is forging strong partnerships with many different types of organizations that conduct cyber security analysis and response efforts--from government laboratories, to academic institutions, to major hardware and software suppliers. The US-CERT is focused on preventing and mitigating cyber attacks and reducing cyber vulnerabilities. It provides the needed focal point for these over two hundred private, public, and academic organizations that conduct cyber security incident watch, warning, response, and prevention functions.

GROWING RISK FROM WORMS AND VIRUSES

Worms and viruses are in a more general category of programs called ``malicious code.'' Both exploit weaknesses in computer software, replicating themselves and/or attaching themselves to other programs. They spread quickly and easily from system to system. By definition, worms are programs that spread with no human intervention after they are started.
Viruses are programs that require some action on the part of the user, such as opening an email attachment, before they spread. Users are often enticed to open email attachments, sometimes because of an intriguing or legitimate-sounding subject line and sometimes, when address books have been compromised, because the email appears to be from someone the user knows. Worms and viruses can bypass security measures, such as firewalls, and clog systems to the point that response is slow or shut off.

Today, worms and viruses are causing damage more quickly than those created in the past and are spreading to the most vulnerable of all systems--the computer systems of home users. The Code Red worm spread around the world faster in 2001 than the so-called Morris worm moved through U.S. computers in 1988, and faster than the Melissa virus in 1999. With the Code Red worm, there were days between first identification and widespread damage. Just months later, the Nimda worm caused serious damage within an hour of the first report of infection. In January of this year, Slammer had significant impact in just minutes.

The figures attached to the end of this testimony show the speed and magnitude of the Blaster worm compared to previous worms, as well as indications of Blaster's and Sobig.F's continued impact. Figure 1, Blaster, Slammer, and Code Red Growth Over Day 1, shows how quickly Slammer infected a significant number of computer systems. It shows that Blaster was slightly slower than Slammer, but still much faster than Code Red. After 24 hours, Blaster had infected 336,000 computers; Code Red infected 265,000; and Slammer had infected 55,000. Figure 2, Comparing Blaster and Code Red in the First 18 Hours, shows the growth in the number of computers reached by the Blaster and Code Red worms in the first 18 hours. In both cases, 100,000 computers were infected in the first 3 to 5 hours. The fast exploitation limits the time security experts like those at the US-CERT have to analyze the problem and warn the Internet community. Likewise, system administrators and users have little time to protect their systems.

Figure 3, Blaster-Infected Systems Scanning per Hour: Long-Lasting Effects, demonstrates how far-reaching worms and viruses can be. After the initial surge of infections from the Blaster worm and subsequent patching, the impact reached a steady-state of 30,000 computers in any given hour. However, it is a different 30,000 computers (an average of 150,000 in any given day), depending on the time of day. Peaks represent activity in different parts of the world, cycling through business days. The Blaster worm is still active and continues to have impacts on computer systems across the globe.

IMPACT OF WORMS AND VIRUSES

At best, worms and viruses can be inconvenient and costly to recover from. At worst, they can be devastating. Virus and worm attacks alone have resulted in millions of dollars of loss in just the last twelve months. In the 2003 CSI/FBI Computer Crime and Security Survey (www.gocsi.com), viruses were the most cited form of attack (82% of respondents were affected), with an estimated cost of $27,382,340. The lowest reported cost to a victim was $40,000, and the highest was $6,000,000. The Australian Computer Crime and Security Survey found similar results, with 80% of respondents affected by viruses or worms. Of the victims, 57% reported financial losses, totaling $2,223,900. According to the Australian survey, one-third (33%) of the victims recovered in less than one day, and 30% recovered in one to seven days. The other 37% took more time, including two organizations that believe they might never recover.

So far, damages from the Blaster worm are estimated to be at least $525 million, and Sobig.F damages are estimated to be over $500 million (Business Week, among other reports in the media). The cost estimates include lost productivity, wasted hours, lost sales, and extra bandwidth costs. The Economist (August 23, 2003) estimated that Sobig.F was responsible for one of every 16 email messages that crossed the Internet. In our own experience, Sobig.F has accounted for 87% of all email to our [email protected] address from August 18 through the end of that month. We received more than 10,000 infected messages a day, or one message every 8.6 seconds. Figure 4, Email Messages per Day to [email protected], shows this in a graph. Sobig.F was so effective because it could send multiple emails at the same time, resulting in thousands of messages a minute. Moreover, Sobig has been refined many times, making it harder to stop (the ``F'' stands for the 6th version).

IMPLICATIONS FOR THE FUTURE

The significance of our recent experience with Blaster and Sobig.F lies beyond their specific activity. Rather, the worms represent a larger problem with Internet security and forecasts what we can expect in the future. My most important message today is that the Internet is vulnerable to these types of attack today, and the damage is likely to increase. While the viruses and worms we have seen in the past have caused considerable damage by infecting computers, and clogging networks and mail servers, few have been programmed to do more than just propagate. In the future, it is likely that we will see more malicious attacks with viruses and worms carrying payloads that delete or corrupt data and program files or leak sensitive information. These attacks could easily be aimed at computers used by government organizations at all levels and computers used at research laboratories, in schools, in business, and at home. They are vulnerable to problems that have already been discovered, sometimes years ago, and they are vulnerable to problems that will be discovered in the future.

The implications for Federal, state, and local governments and for critical infrastructure operators are that their computer systems are vulnerable both to attack and to being used to further attacks on others. With more and more government and private sector organizations increasing their dependence on the Internet, our ability to carry on business reliably is at risk.

CURRENT REACTIVE SOLUTIONS ARE LIMITED

For the past 15 years, we have relied heavily on the ability of the Internet community as a whole to react quickly enough to security attacks to ensure that damage is minimized and attacks are quickly defeated. Today, however, it is clear that reactive solutions alone are no longer adequate. To briefly summarize the factors:

The Internet now connects over 171,000,000 computers and continues to grow at a rapid pace. At any point in time, there are millions of connected computers that are vulnerable to one form of attack or another.

Attack technology has now advanced to the point where it is easy for attackers to take advantage of these vulnerable machines and harness them together to launch high-powered attacks.

Many attacks are now fully automated and spread with blinding speed across the entire Internet community, regardless of geographic or national boundaries.

The attack technology has become increasingly complex and in some cases intentionally stealthy, thus increasing the time it takes to discover and analyze the attack mechanisms in order to produce antidotes.

Internet users have become increasingly dependent on the Internet and now use it for many critical applications as well as online business transactions. Even relatively short interruptions in service cause significant economic loss and can jeopardize critical services.
These factors, taken together, indicate that we can expect many attacks to cause significant economic losses and service disruptions in very short periods of time. Aggressive, coordinated, continually improving response will continue to be necessary, but we must also move quickly to put other solutions in place.

RECOMMENDED ACTIONS--WHAT CAN WE DO?

The actions needed to deal effectively with this growing problem are embodied in the strategy developed by the US-CERT. They include:

Improved warning and response to incidents with increased coordination of response information

Reducing vulnerabilities

Enhancing prevention and protection efforts

IMPROVED WARNING AND RESPONSE

Improved warning and response functions are critically needed to combat fast moving automated attacks such as viruses and worms. To improve current response activities, the US-CERT is building a collaborative partnership between computer security incident response teams, managed security service providers, information technology vendors, security product and service providers and other organizations that participate in cyber watch, warning, and response functions. Working together, and using common information sharing and dissemination principles, the partnership is significantly increasing the nation's ability to protect against and respond to large-scale cyber incidents. Emphasis is currently being placed on the development and use of common alerting protocols and collaboration and communication mechanisms to support the rapid identification and analysis of new attacks and the timely production and dissemination of remediation information.

REDUCING VULNERABILITIES

A key component of the US-CERT strategy is to collaborate with the private sector to develop new tools and methods for detecting and remediating vulnerabilities in products commonly used in our information infrastructures. Technology vendors are in a position to help prevent the spread of worms and viruses. Although some companies have begun moving toward improvement in the security in their products, there is a long way to go. Software developers do not devote enough effort to applying lessons learned about the causes of vulnerabilities. The same types of vulnerabilities continue to appear in newer versions of products that were in earlier versions.

Additional vulnerabilities come from the difficulty of securely configuring operating systems and applications. These products are complex and often shipped to customers with security features disabled, forcing the technology user to go through the difficult and error-prone process of properly enabling the security features they need. While the current practices allow the user to start using the product quickly and reduce the number of calls to the product vendor's service center when a product is released, it results in many Internet-connected systems that are misconfigured from a security standpoint. This opens the door to worms and viruses.

It is critical for technology vendors to produce products that are impervious to worms and viruses in the first place. In today's Internet environment, a security approach based on ``user beware'' is unacceptable. The systems are too complex and the attacks happen too fast for this approach to work. Fortunately, good software engineering practices can dramatically improve our ability to withstand attacks. The solutions required are a combination of the following:

Virus-resistant/virus-proof software. There is nothing intrinsic about computers or software that makes them vulnerable to viruses. Viruses propagate and infect systems because of design choices that have been made by computer and software designers. Designs are susceptible to viruses and their effects when they allow the import of executable code, in one form or another, and allow that code to be executed without constraint on the machine that received it. Unconstrained execution allows program developers to easily take full advantage of a system's capabilities, but does so with the side effect of making the system vulnerable to virus attack. To effectively control viruses in the long term, vendors must provide systems and software that constrain the execution of imported code, especially code that comes from unknown or untrusted sources. Some techniques to do this have been known for decades. Others, such as ``sandbox'' techniques, are more recent.

Dramatically reducing implementation errors. Most vulnerabilities in products come from software implementation errors. They remain in products, waiting to be discovered, and are fixed only after they are found while the products are in use. In many cases, identical flaws are continually reintroduced into new versions of products. The great majority of these vulnerabilities are caused by low level design or implementation (coding) errors. Vendors need to be proactive, study and learn from past mistakes, and adopt known, effective software engineering practices that dramatically reduce the number of flaws in software products.

High-security default configurations. With the complexity of today's products, properly configuring systems and networks to use the strongest security built into the products is difficult, even for people with strong technical skills and training. Small mistakes can leave systems vulnerable and put users at risk. Vendors can help reduce the impact of security problems by shipping products with ``out of the box'' configurations that have security options turned on rather than require users to turn them on. The users can change these ``default'' configurations if desired, but they would have the benefit of starting from a secure base configuration.

ENHANCING PREVENTION AND PROTECTION EFFORTS

Addressing the threat of worms and viruses is not easy. With approximately 4,000 vulnerabilities being discovered each year, system and network administrators are in a difficult situation. They are challenged with keeping up with all the systems they have and all the patches released for those systems. Patches can be difficult to apply and might even have unexpected side effects. We have found that, after a vendor releases a security patch, it takes a long time for system operators to fix all the vulnerable computer systems. It can be months or years before the patches are implemented on 90-95 percent of the vulnerable computers. For example, the US-CERT still receives reports of outbreaks of the Melissa virus, which exploits vulnerabilities that are more than four years old.

There are a variety of reasons for the delay. The job might be too time-consuming, too complex, or just given too low a priority. Because many managers do not fully understand the risks, they neither give security a high enough priority nor assign adequate resources. Moreover, business policies sometimes lead organizations to make suboptimal tradeoffs between business goals and security needs. Exacerbating the problem is the fact that the demand for skilled system administrators far exceeds the supply.

In the face of this difficult situation, the US-CERT is working with the private sector to encourage system operators to take several critical steps.

Adopt security practices: It is critical that organizations, large and small, adopt the use of effective information security risk assessments, management policies, and security practices. While there is often discussion and debate over which particular body of practices might be in some way ``best,'' it is clear that descriptions of effective practices and policy templates are widely available from both government and private sources.
What is often missing today is management commitment: senior management's visible endorsement of security improvement efforts and the provision of the resources needed to implement the required improvements. Keep skills and knowledge current. System operators should attend courses that enhance their skills and knowledge, and they should be given the necessary time and support to do so. They need to keep current with attack trends and with tools that help them protect their systems against the attacks. The security problem is dynamic and ever- changing with new attacks and new vulnerabilities appearing daily. Help educate the users of their systems. System operators must provide security awareness programs to raise users' awareness of security issues, improve their ability to recognize a problem, instruct them on what to do if they identify a problem, and increase their understanding of what they can do to protect their systems, RECOMMENDED ACTIONS--WHAT ELSE CAN THE GOVERNMENT DO? The founding of the National Cyber Security Division and the US- CERT were critical first steps in the US government taking leadership over the cyber security of our nation. Government must continue to show leadership by implementing several key additional actions. These actions include: Provide incentives for higher quality/more security products. To encourage product vendors to produce the needed higher quality products, we encourage the government to use its buying power to demand higher quality software. The government should consider upgrading its contracting processes to include ``code integrity'' clauses--clauses that hold vendors more accountable for defects, including security defects, in released products and provide incentives for vendors that supply low defect products and products that are highly resistant to viruses. The lower operating costs that come from use of such products should easily pay for the incentive program. 
Also needed in this area are upgraded acquisition processes that put more emphasis on the security characteristics of systems being acquired. In addition, to support these new processes, acquisition professionals need to be given training not only in current government security regulations and policies, but also in the fundamentals of security concepts and architectures. This type of skill building is essential in order to ensure that the government is acquiring systems that meet the spirit, as well as the letter, of the regulations. Invest in information assurance research. It is critical to maintain a long-term view and invest in research toward systems and operational techniques that yield networks capable of surviving attacks while protecting sensitive data. In doing so, it is essential to seek fundamental technological solutions and to seek proactive, preventive approaches, not just reactive, curative approaches. Thus, the government should support a research agenda that seeks new approaches to system security. These approaches should include design and implementation strategies, recovery tactics, strategies to resist attacks, survivability trade-off analysis, and the development of security architectures. Among the activities should be the creation of A unified and integrated framework for all information assurance analysis and design Rigorous methods to assess and manage the risks imposed by threats to information assets Quantitative techniques to determine the cost/benefit of risk mitigation strategies Systematic methods and simulation tools to analyze cascade effects of attacks, accidents, and failures across interdependent systems New technologies for resisting attacks and for recognizing and recovering from attacks, accidents, and failures Acquire and foster more technical specialists. 
Government identification and support of cyber-security centers of excellence and the provision of scholarships that support students working on degrees in these universities are steps in the right direction. The current levels of support, however, are far short of what is required to produce the technical specialists we need to secure our systems and networks. These programs should be expanded over the next five years to build the university infrastructure we will need for the long-term development of trained security professionals. Provide more awareness and training for Internet users. The combination of easy access and user-friendly interfaces has drawn users of all ages and from all walks of life to the Internet. As a result, many Internet users have little understanding of Internet technology or the security practices they should adopt. To encourage ``safe computing,'' there are steps we believe the government could take: Support the development of educational material and programs about cyberspace for all users. There is a critical need for education and increased awareness of the security characteristics, threats, opportunities, and appropriate behavior in cyberspace. Because the survivability of systems is dependent on the security of systems at other sites, fixing one's own systems is not sufficient to ensure those systems will survive attacks. Home users and business users alike need to be educated on how to operate their computers most securely, and consumers need to be educated on how to select the products they buy. Market pressure, in turn, will encourage vendors to release products that are less vulnerable to compromise. Support programs that provide early training in security practices and appropriate use. This training should be integrated into general education about computing. 
Children should learn early about acceptable and unacceptable behavior when they begin using computers just as they are taught about acceptable and unacceptable behavior when they begin using libraries.\1\ Although this recommendation is aimed at elementary and secondary school teachers, they themselves need to be educated by security experts and professional organizations. Parents need to be educated as well and should reinforce lessons in security and behavior on computer networks.

\1\ National Research Council, Computers at Risk: Safe Computing in the Information Age, National Academy Press, 1991, recommendation 3c, p. 37.

The National Cyber Security Division (NCSD), formed by the Department of Homeland Security in June 2003, is a critical step towards implementation of these recommendations. The mission of NCSD and the design of the organization are well-aligned to successfully coordinate implementation of the recommendations that I have described here. However, implementing a ``safer cyberspace'' will require the NCSD and the entire Federal government to work with state and local governments and the private sector to drive better software practices, higher awareness at all levels, increased research and development activities, and increased training for technical specialists.

CONCLUSION

Our dependence on interconnected computing systems is rapidly increasing, and even short-term disruptions from viruses and worms can have major consequences. Our current solutions are not keeping pace with the increased strength and speed of attacks, and our information infrastructures are at risk. Solutions are not simple but must be pursued aggressively to allow us to keep our information infrastructures operating at acceptable levels of risk.
We can make significant progress by making changes in software design and development practices, increasing the number of trained system managers and administrators, improving the knowledge level of users, and increasing research into secure and survivable systems. Additional government support for research, development, and education in computer and network security would have a positive effect on the overall security of the Internet.

Mr. Upton. Thank you very much. Mr. Silva.

STATEMENT OF KENNETH SILVA

Mr. Silva. Good morning Mr. Chairman, other distinguished members of the subcommittee. We at VeriSign are honored to have the opportunity to provide our views on this very important subject of computer viruses and how we detect their proliferation across the Internet by watching our information networks. VeriSign is uniquely situated to observe the continuing assaults on our information infrastructure. VeriSign's security organization provides authentication, secure credit card processing, fraud protection, managed security services and a range of other services. Our telecommunications services group provides the essential signaling and switching services to make today's digital telephony, both wired and cellular, possible. Our naming and directory services includes VeriSign's computer infrastructure dedicated to the management of the Domain Name system of the Internet, including the A and J root servers, the top of the DNS tree. Since 2000, I have had the privilege of serving both Network Solutions and now VeriSign as manager of the resources dedicated to maintaining security of these complex technology assets. The proliferation of worms and viruses is costing our Nation's companies billions of dollars.
As you have already pointed out this morning, some examples of these costs--and these are just estimates that have been published--Klez, about $9.5 billion; Love Bug, about $9 billion; Code Red, $2 billion; Slammer, $1 billion; Sobig.F and Blaster combined, somewhere in the neighborhood of $3.5 billion--and this is just in the month of August alone for Blaster and Sobig. This, coupled with increasingly costly regulatory compliance, is a tremendous burden on our economy and the strength of our industry. Today, despite widespread perceptions that Internet-related activity has slowed since the bubble burst in March 2000, Internet usage has in fact continued to grow at impressive rates. This is best illustrated by the growth in Internet Domain Name Systems' resolutions. VeriSign's data show that Domain Name resolutions grew by 51 percent year over year between 2002 and 2003. For e-mail alone, that actually grew 245 percent over the same time period. Currently, VeriSign processes over 10 billion Internet Domain Name queries a day on average, which is more than three times what it was in 2000. This growth in Internet usage has been outpaced, unfortunately, by an increase in security and fraud threats, which are increasing both in number and complexity. The number of security events per device managed by VeriSign's managed security services grew a hundred percent between May and August 2003. From a geographical perspective, the United States continued to be the leading source of these threats to the Internet, accounting for nearly 81 percent of those events. The Sobig.F e-mail worm, released in August 2003, provides a clear example of the increasing complexity of security threats. This worm was hard-coded to access the Domain Name system root servers, bypassing the Domain Name servers run by enterprises. As a result, VeriSign recorded a 25-fold increase in peak e-mail related DNS traffic on its root servers when the worm was active.
We are also seeing that Internet fraud is growing rapidly as well. Data from the fraud prevention system indicates that 6.2 percent of e-commerce transactions in the United States were potential fraud attempts. Over 52 percent of those fraud attempts originate from outside of the United States. There is increasing evidence of overlap between perpetrators of Internet fraud and security attacks. Analysis of the data shows an extremely high correlation, about 47 percent, between sources of fraud and sources of other security-related attacks. Attackers who gain control of Internet host machines are using these compromised hosts for both security attacks and fraudulent e-commerce transactions. Let me now explain how there are three myths in our current state of cybersecurity that must be addressed.

Myth No. 1. The real problem on our networks is not proliferation of worms, virus attacks, identity theft or even spam. Let me explain this point. The proliferation of worms, viruses, ID theft and spam is not the problem. All of these, while each extremely serious, are only symptoms of a much larger problem that we have today of a highly attractive and vulnerable network across our computer networks.

Myth No. 2. The solution to this problem is to require more rigorous software design to protect individual systems. Many are tempted to demonize the software vendors and other members of the network community for viruses, worms and attacks. We believe that we must resist this temptation. The idea that somehow if only the operating system vendors made bullet-proof operating systems and applications all Internet security problems would evaporate is purely fiction. The reality is that the weakest link in computer security remains the end users. Many of the worms and viruses take advantage of human behavior and exploit it in order to spread the virus.

Myth No. 3. The objective is a network so secure that it can withstand the evolving and ever more sophisticated assaults.
The point is not to prevent every attack but to make sure that no attack succeeds in bringing down the institution. The point is not to be blindly secure but rather be thoughtfully survivable. We must stop believing that firewalls, intrusion detection systems and log monitoring alone are adequate security. These are only tools of security. A comprehensive approach that entails those tools, as well as network intelligence on impending or imminent attacks, is the only viable solution for success. If we consider this a war on cyberattacks, then we must treat it as such. No military commander would suggest that his troops simply wait in foxholes and return fire when fired upon. They would insist on early warning systems and detailed intelligence about their targets and movements. This is the direction we must head for the war on cyberattacks. In conclusion, the solutions to our cybersecurity challenge require three commitments. First, we must provide education to all users to make the investments in hygiene practices and tools necessary and appropriate to their status on the Internet. Second, we must provide incentives to infrastructure custodians to maintain the investments in research and development to provide the innovative tools that meet the ever-evolving threat of our networks from many sources we have heard about today. Last, we must provide government at the national and international levels the forensic tools, investigative training, investigative powers and early warning systems. We believe that these actions will improve the overall health and well-being of the Internet, but none are magic solutions or silver bullets. True long-term health and well-being of our information systems will take time and everyone's efforts. Again, this is as much a responsibility of people as it is technology. Thank you, Mr. Chairman and members of the committee, for the opportunity to testify before you today.
[The prepared statement of Kenneth Silva follows:]

Prepared Statement of Kenneth Silva, Vice President, Networks and Security, VeriSign, Inc.

Good morning Mr. Chairman and distinguished members of the Subcommittee. My name is Ken Silva and I am Vice President for Networks and Security of VeriSign, headquartered in Mountain View, California. We at VeriSign are honored to have the opportunity to provide our views on the very important subject of Computer Viruses and how we detect them proliferating across the internet by watching our information networks. VeriSign is uniquely situated to observe the continuing assaults on our information infrastructure. Our company provides industry-leading technologies in three relatively distinct--yet interrelated--lines of business. Each of the three serves an important role in the rapidly converging infrastructures that support communication and electronic commerce around the globe. VeriSign's security organization provides encryption, authentication, secure credit card processing, fraud protection and detection, managed network security services and a range of other services that enable e-commerce, e-government and the over-all secure Internet experience that hundreds of millions of users around the globe have come to rely on. VeriSign's second line of business is our Telecommunications Services group, which provides the essential signaling and switching services that make today's digital telephony--both wired and cellular--possible. This includes features like call waiting and forwarding, wireless roaming and the soon-to-be available wireless number portability.
Our third major line of business is now known as ``naming and directory services,'' and includes VeriSign's computer infrastructure dedicated to the management of the Domain Name system of the Internet, including our stewardship of the A- and J-root servers--two of the thirteen computers around the globe that represent the top of the pyramid of the Internet's dispersed hierarchy. This is the part of the infrastructure of the Internet that allows each one of you, as you type www.house.gov into your web browser, to be instantly connected to one unique computer from among the hundreds of millions on the network. VeriSign also manages the .COM and .NET top-level domains that for many have come to symbolize the essence of the Internet. Since 2000, I have had the privilege of serving both Network Solutions and now VeriSign as manager of the resources dedicated to maintaining the security of these complex technology assets. On behalf of VeriSign, I also have the privilege of serving in a number of industry leadership capacities, including representing the company on working groups of the President's National Security Telecommunications Advisory Committee--the ``NSTAC'', working groups of the NRIC, which advises the Federal Communications Commission, and as a board member of both the Internet Security Alliance and the ``IT ISAC''--the Information Technology sector's Information Sharing and Analysis Center. The proliferation of worms and viruses is costing our nation's companies billions of dollars. Some examples of worm costs are: Klez--$9.5 Billion, Love Bug--$9 billion, Code Red--$2.5 billion, Slammer--$1 Billion, and Sobig.F and Blaster combined were anywhere from $3.5-7 Billion in August alone. This, coupled with increasingly costly regulatory compliance, is a tremendous burden on our economy and the strength of our industry.
In discussing this topic of the proliferation of worms, viruses and hacking attacks, I want to address three key cyber security myths that exist today. But before I discuss these myths, I'd like to begin first with a picture of what we are seeing on the network from our unique perspective as one of the Internet's stewards. Today, despite widespread perceptions that Internet-related activity has slowed since the ``bubble'' burst in March 2000, Internet usage has, in fact, continued to grow at impressive rates. This is best illustrated by the growth in Internet Domain Name Systems' resolutions. VeriSign's data show that Domain Name resolutions grew by an average 51% between August 2002 and August 2003. Domain Name resolutions for e-mail grew by 245% in the same time period. Currently, VeriSign processes over 10 billion Internet Domain Name queries a day on average, which is more than 3 times the daily volume in 2000. This growth in Internet usage has been outpaced by increased security and fraud threats, which are increasing both in number and complexity. The number of security events per device managed by VeriSign grew on average by 99% just between May 2003 and August 2003. From a geographical perspective, the United States continued to be the leading source of threats to the internet, accounting for nearly 81% of security events. The Sobig.F email worm, released in August 2003, provides a clear example of the increase in complexity of security threats. This worm was hard-coded to access the Domain Name System root servers, bypassing the Domain Name servers run by enterprises. As a result, VeriSign recorded a 25-fold increase in peak e-mail related DNS traffic on its root servers when the worm was active. We are also seeing that Internet fraud is growing rapidly as well. Data from VeriSign's fraud prevention systems indicate that 6.2% of e-commerce transactions in the United States were potential fraud attempts.
Over 52% of fraud attempts originate from outside the United States. There is increasing evidence of overlap between perpetrators of Internet fraud and security attacks. Analysis of VeriSign's data shows extremely high correlation (47%) between sources of fraud and sources of other security attacks. Attackers who gain control of Internet host machines are using these compromised hosts for both security attacks and fraudulent e-commerce transactions. Let me now explain how there are three myths in our current state of cyber security that must be addressed.

Myth #1: The real problem on our networks is a proliferation of worms, virus attacks, identity theft or even Spam. Let me explain this point. The proliferation of worms, viruses, ID theft or even Spam is not the problem. All of these--while each extremely serious--are only symptoms of a much larger problem that we have today of a highly attractive vulnerability across our computer networks. Identity thieves, corporate saboteurs, spammers, and mischievous hackers exploit this vulnerability. That vulnerability must be addressed through changed behaviors, both by users and by Internet infrastructure stewards. Simply put, we all have a shared responsibility as users to uniformly deploy better security hygiene. Whether we are a large e-commerce-dependent business or individuals, we can and should do more. At the most basic level, every individual user can contribute to improve security by taking basic steps toward improved security. These prescriptions are well known and widely distributed--yet far too few actually engage even in the most simple, low-cost and no-cost measures such as: using passwords and changing them regularly; using anti-virus software and updating it regularly; patching operating systems; getting firewalls and using them; and if you have an always-on network connection, turning it off when not using it. These simple, low-cost measures are not a prescription for guaranteed network security.
But they are easy steps every user can take to increase their own security posture. By doing so, we improve the overall resilience of the network to attacks. Such measures will strengthen the network's weakest links and those exploited by hackers. When taken, these steps reduce the population of targeted computers a virus can successfully invade.

MYTH #2: The solution to this problem is to require more rigorous software design to protect individual systems. Many are tempted today to demonize software vendors and other members of the network community for viruses, worms and attacks. We believe we must resist this temptation. The idea that somehow if only Microsoft made bulletproof operating systems and applications all Internet security problems would evaporate is purely fiction. This type of finger pointing is often misplaced and in most cases does more harm than good. It is all too simple to blame the operating system manufacturer for flawed code or the network providers for not securing their networks. Many of the worms attack not only popular operating systems, but open source software as well. This second myth of software user culpability is another area of user responsibility at the consumer and commercial level. This area involves what is called ``patch management''--a catch phrase to describe the very important act of maintaining current release levels of software and installing and configuring them appropriately. Only in this way can the benefits of discovered, reported and fixed vulnerabilities that have been addressed through software research and development be put to use on the network. For the network's stewards such as VeriSign, this area is a crucial aspect of an overall cyber security strategy. Over the past few years in a down economy, we have invested tens of millions of dollars in equipment to provide the massive headroom of servers and storage to withstand unexpected attacks of untold dimensions.
At the same time, we also have a strong commitment to fundamental innovations that will bring improved, increasingly secure tools to the broad community of network users.

MYTH #3: The objective is a network so secure that it can withstand the evolving and ever more sophisticated assaults. The need to achieve an impenetrable network belies the fact that even if we succeed in scaring away many of the most opportunistic exploiters by better and broader deployment of enhanced security tools, there is still the likelihood that some attacks will succeed. To this point, we must heed the words of Julia Allen and other colleagues at Carnegie Mellon's Software Engineering Institute: the point is not to prevent every attack but is to make sure that no attack succeeds in bringing down the institution. The point is not to be blindly secure, but rather to be thoughtfully survivable. In the final analysis, all of us must strive for a system of operating principles that means that no attack will succeed in disabling the user or its institution. We must stop believing that firewalls, intrusion detection systems and log monitoring are adequate security. These are only tools of security. A comprehensive approach that entails those tools, as well as network intelligence on impending or imminent attacks, is the only viable solution for success. If we consider this a war on cyber attacks, then we must treat it as such. No military commander would suggest that his troops simply wait in foxholes and return fire when fired upon. They would insist on early warning systems and detailed intelligence about their targets and movements. This is the direction we must head in the war on cyber attacks. In conclusion, the solutions to our cyber security challenge require three commitments. First, we must provide incentives to all users to make the investments in hygiene practices and tools necessary and appropriate to their status on the Internet.
Second, we must provide incentives to infrastructure custodians, such as VeriSign, to maintain the investments in research and development to provide the innovative tools that meet the ever-evolving threat to our networks from the many sources we have heard about today. Last, we must provide government at the national and international levels with both forensic tools and investigative training and powers to reach those who are attacking our networks, and through those attacks seek to impact our way of life and our opportunity to contribute to better lives around the world. VeriSign believes that these actions will improve the overall health and well-being of the Internet, but none are magic solutions or silver bullets. True long-term health and well-being of our information systems will take time and everyone's efforts. Again, this is as much a responsibility of people as it is of technology. Thank you, Mr. Chairman and members of the committee, for the opportunity to testify before you today.

Mr. Upton. Thank you. Dr. Hancock.

STATEMENT OF WILLIAM HANCOCK

Mr. Hancock. Thank you, Mr. Chairman. My name is Dr. Bill Hancock. I am the Vice President of Security and Chief Security Officer of Cable & Wireless, a large international telecommunications and hosting company. I am Chairman of the National Reliability and Interoperability Council Focus Group 1B on cybersecurity, a federally authorized council of advisors to the FCC; and I am also the Chairman of the Board of the Internet Security Alliance and appear before you here today on behalf of the nearly 60 members of the Internet Security Alliance. I am pleased to note that four of the five witnesses that we have before you here today are also members of the Internet Security Alliance, testifying further proof that the Internet Security Alliance has a convicted and overarching concern with security on the Internet and through its member companies.
Among the beliefs of the NIS Alliance is the Internet is primarily owned and operated by private organizations and therefore it is the private sector's responsibility for aggressively securing the Internet environment. Information security on the Internet is grossly inadequate. This is proven over and over again by different types of attacks and malfeasance that occur. A great deal of security requirements--enhancements, excuse me--can occur through application of basic technologies and through advanced education and security awareness. Technology, while critical to the security industry, will not be enough to provide a safe and secure Internet environment. To improve overall cybersecurity, creative structures--you have to excuse me, Mr. Chairman. I am legally blind, and therefore it takes a minute----

Mr. Upton. I understand. Don't worry.

Mr. Hancock. Government is going to be a critical partner in--ultimately, a partnership between industry and the government is going to need to exist to be able to create a substantial difference and change in the current situation environments and Internet security. I am what we call in the security business a ``gray beard,'' which basically means that I have had enough stress and enough age to go along with it dealing with security problems from day to day. When a worm or a virus hits our infrastructure, invariably it is one of my customers that gets hit. My customers will then call us up, and we have to leap into action and go back and deal with the problem at hand. Sometimes the viruses and worms that we get are rather silly, such as one that was called Giggles some years ago that caused your PC to giggle incessantly. Some of them are very serious that cause the depositing of certain types of technologies onto the PC itself or onto any kind of machine that may be affected, and this includes Unix and Macintosh machines.
Over time, the initial aspects of viruses were actually part of an elaborate game that was played at Bell Labs called CPU Wars. The purpose of CPU Wars was to go back and learn more about operating systems by infecting each other's machines. Over time, this has become a virus writing technique. Historically, viruses do not leap from machine to machine. Viruses infect and hurt the machine upon which they are on as they become malicious code over the years. Over time, other methods of moving this type of information around have occurred. In 1988, as a consultant to the National Aeronautics and Space Administration, I sat there with many of my partners totally appalled watching a worm, the first one that we know of, hit the Internet, now known as the Morris worm, and cause debilitating capabilities--or, excuse me, debilitating all functionality on the network itself. In those days, the number of people that were on the Internet numbered in the thousands; and getting folks on the phone to find out what was going on was rather trivial. Such is not the case today with over 655 million users of the Internet. With the conditions for development of viruses and worms remaining as is, I expect the following situations to develop in the very near future: No. 1, I believe that infection of what we call the invisible networking devices--invisible networking devices are those which historically have not been networked but are networked now. These include things such as DVD players. They include such things as cable boxes. They include automotive electronic systems, radio frequency ID tag systems, even things like parking lot gate attendant systems. All these types of infrastructures now have network connections. All these types of infrastructures now are becoming more and more sophisticated, and all of them eventually will be affected by these types of operations, either by network outages or because of the infections themselves.
Simultaneously, we all invest and use more and more commercial off-the-shelf technologies, and those technologies make for a common platform environment for viruses and worms to spread. We believe also that worms and viruses will result in hybrid attacks against communications infrastructures due to the lack of security controls and working protocols. Most protocols that are used in the case of Internet and other types of environments were developed in the 1970's, and these are your transport protocols, network routing protocols and so forth. Those protocols have not improved in security controls or capabilities in the last 30 years. We will also find that other types of building block protocols such as Abstract Syntax Notation One (ASN.1) will also cause debilitating concern and debilitating results if this is used as part of a virus or a worm environment. Use of viruses and worms also we believe will be a problem in the near future for the simple fact that we know that nation states and other types of organized intelligence operations are using these types of things as test beds for potential cyberwarfare. The result is that, while there are an awful lot of viruses and worms that do attack the Internet and that do attack individuals and many of these are written by people who have ulterior motives in mind, there are some situations that have been documented that are done by nation states with the ultimate purpose of a precursor either to an attack, a terrorist operation or other types of malicious intent toward the US economy. While there are plenty of disturbing trends in virus development, we believe there are certain issues that the Internet Security Alliance is definitely concerned about. No. 1 is companies that provide critical services such as utilities, transport and petrochemical type of activities are connecting more and more of their closed circuit networks and closed circuit environments that have historically been on private networks are now being connected to public networks such as Internet. As a result, a worm or virus infestation will now go back over and infect these types of environments which can cause serious problems throughout the infrastructure. Home consumer PCs are becoming increasingly targeted by worms and viruses as a way to go back and attack other types of environments, and they become part of chains of attack systems known as Zombies. In these types of environments denial of service attacks and other types of worm attacks can have debilitating results. The cure for such infestations is a long way off, and it is going to require a partnership between the government and industry. We know that base research in network security improvements, improvement of security technologies, legislative efforts and other types of activities involved with the actual limitation of worms and viruses will have a long-term effect on trying to cure. One big problem that we keep running into that we are very concerned about is the fact law enforcement is typically hampered due to a lack of tools, lack of investment and a lack of skill sets. Last year, for instance, there were very, very few virus writer arrests that were done worldwide. In fact, it numbers less than 10; and, at the same time, well over 100 to 200 viruses a month are generated. Perhaps the most ironic part of viruses and worm infestation throughout the infrastructure is not the cost to repair or the cost to prevent the infection. It is the cost of entry point. In the case of biological, chemical or nuclear terrorism, the cost is either hundreds of thousands or millions of dollars, having to do with the purchase of the weapons, deployment, training of individuals.
In the case of dealing with viruses and worms, the entry point cost to going back and infecting an infrastructure is very simple. It is a PC with an Internet connection. With that, Mr. Chairman, thank you very much.

[The prepared statement of William Hancock follows:]

Prepared Statement of William Hancock, Chairman, Internet Security Alliance

Thank you, Mr. Chairman. My name is Dr. William Hancock. I am Vice President of Security and Chief Security Officer of Cable & Wireless, a large multinational telecommunications and hosting company. I am Chairman of the National Reliability and Interoperability Council (NRIC) Focus Group 1B, Cybersecurity, a federally authorized council of advisors to the FCC. I am also the Chairman of the Board of the Internet Security Alliance. I appear here today on behalf of the nearly 60 member companies of the Internet Security Alliance. The Internet Security Alliance was created in April of 2001, six months prior to 9/11, as a collaboration of the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University and the Electronic Industries Alliance as well as founding membership of well known international companies with high interest in security issues related to Internet commerce. I am pleased to note that four of the five witnesses before you this morning are members of the IS Alliance. This doesn't surprise me since members of the Alliance engage in a broad range of activities designed to enhance information security not just for themselves but for all of us who make up the world-wide Internet community. We are an international, inter-industry group of companies dedicated to expanding cyber security through information sharing, best practices, standards development, education and training, public policy development, international outreach to trusted partners and the creation of market-based incentive programs to improve information security. Among the core beliefs of the IS Alliance are the following:

1. The Internet is primarily owned and operated by private organizations and therefore it is the private sector's responsibility to aggressively secure the Internet.
2. Information security on the Internet is grossly inadequate.
3. A great deal of security enhancements can occur through application of basic technologies and through enhanced education and security awareness.
4. Technology, while critical to security, will not be enough to provide a safe and secure Internet environment.
5. To improve overall cyber security, creative structures, thought and incentives may need to evolve to provide continued security assurance from the home PC to the large corporate network environments.
6. Government is a critical partner, but, ultimately, the industry must shoulder a substantial responsibility and demonstrate leadership in this field if we are to eventually succeed.

As what we in the security business call a ``grey beard,'' I have been a technical expert, ``insider'' and leader in the development and deployment of networking and security technologies for over 30 years. While such a span of time might tend to make one wax philosophical about viruses and worms, I tend to have a reality-based perspective as an active practitioner of security on one of the largest network infrastructures in the world. When worms and viruses hit infrastructures, to me it's not a statistic where some other company was taken to the pavement: it's often one of my customers where I and my security teams are expected to leap into action and solve the crisis at hand. As a security practitioner, I saw the technical games that were the genesis of modern computer viral infections. A computer virus is a man-made code component that attacks computer software and causes a variety of debilitating conditions.
Most folks in the security community attribute initial virus development as part of a technical game at Bell Labs in the late 1960's called ``CPU Wars,'' where developers of operating systems would deliberately create infestation code and place it on each other's machines. This action typically resulted in machine disruptions, funny messages on screens and other types of computing interruptions. There were strict rules, however--infestations had to be non-propagative, they could not cause destruction, stop applications from executing and they could not execute during normal hours of operations. Infestations had to be removable on demand. The initial purpose of such games and pranks was to learn, creatively, about how operating systems and computers worked and to share discoveries and ideas in a creative way.

Such is not the case today. Viruses are a main staple of the hacking community as a method of disrupting programs and systems for a variety of purposes. Some virus-writing efforts are for personal motivations to hurt a specific company, product or service. Some are written by skilled programmers with serious social development or emotional problems as a means of self-expression. Other viruses are written by ``gangs'' of programmers who have a specific political agenda or by those who have a need to express social will. Still other viruses are written by nation-states as part of their cyberwarfare development efforts to debilitate infrastructure in today's modern technology-dependent warfare environments. There are entities that write viruses under contract to attack competitors and their infrastructure. There are disgruntled employees who seek revenge on their former corporate masters. Viruses are written for a wide variety of reasons but are broadly categorized as being written for social dysfunctional reasons or for the purposes of economic disruption.

Viruses do not self-propagate.
They attack whatever system upon which they are activated and perform their damage on that system. Some virus writers have gotten creative with the explosive use of email and have devised ways for viruses to be propagated by email programs and systems. While it appears that a virus ``moves,'' the technical reality is that the virus does not self-propagate--it needs assistance from an external program such as e-mail or from a file transfer action to move from system to system. With the worldwide proliferation of email in the last five years, this makes movement of viruses from one system to another painfully trivial.

Viruses have a variety of effects on businesses. Some are just annoying, such as one of the early viruses called ``giggle,'' which caused a PC to play a giggling voice continually through the PC's speakers for hours upon end. Other viruses destroy software at great corporate cost.

One disgruntled employee case I worked on some years ago with the FBI involved an individual who was fired for hacking into the human resources system and changing his salary. After being fired, he went home, downloaded a piece of malicious code from an Internet underground hacking site and created a small program that would delete all contents of a user's hard drive. He then created a fake email account on a popular public email site and emailed the virus to all the staff at the company with a notation that the file contained a speech from the company's president and that it was being sent so that employees could hear it. Upon ``playing'' the file, the virus wiped out the hard drive. 1279 employees were sent the virus--710 ran the program and their entire systems had to be rebuilt. The overall cost to correct the damage caused by this one virus at this company was almost one million dollars. You can imagine the horrific cost to repair such damage at a large defense contractor, financial institution or manufacturing concern.
Many more malicious and wide-spread viruses are seen ``in the wild'' on the Internet on a daily basis. Many are written with Russian, Chinese and other languages in comments in their code. Some have direct ties to organized crime, especially outside the US. Many are propagated from commonly known havens for virus writers where there is no fear of legal prosecution or where the technical skills of the government to prosecute are minimal or non-existent. Some estimates are as many as 100 or more computer viruses or their variants are released world-wide on a monthly basis. The costs to protect against viruses and contain them when they hit can easily be quantified world-wide in the billions of dollars.

In 1988, at the genesis of commercial use of the Internet, I was working at NASA's Langley facility as a consultant when the now-famous Morris worm hit the Internet. We all scratched our heads and initially thought there was a network infrastructure problem. What we did not know was that a young student at Cornell University had created a self-replicating program which would move, very rapidly, from computer to computer, attempting to replicate itself as fast as possible throughout all connected computers. Back then, the Internet was small enough that all the major network control area personnel knew each other personally. We could all get on a conference call and discuss what was going on and coordinate a response. It caused such a serious outage of the Internet that many organizations, to include CERT/CC (represented here today), were founded to serve as an early-warning and solutions service for what was recognized as a new security threat with explosive growth potential. Needless to say, with the estimated 655 million worldwide users of the Internet, getting together on a worm attack conference call has become rather problematic.

A worm is typically an autonomous self-propagating program which travels from machine to machine, executing its payload.
They do not need the assistance of other standard programs, such as email servers, and can move from system to system using an exploit in a program or protocol. A worm typically consists of a ``movement'' component, a propagation component and a payload, which may contain nothing at all, self-executing code or a malicious viral infection. Payloads seen in the last couple of years have consisted of a system subversion methodology called a ``root kit,'' where a hacker may later take total control of a system, using standard ``known'' viruses or defacement tools for automatically defacing websites. For instance, in May 2001, a hacking group that called themselves the Honkers Union of China defaced several hundred thousand websites using a worm that defaced the victim's website with a banner containing the hacker's name. The worm would then rapidly attempt to propagate itself to other sites.

Most worms in today's environment propagate from system to system using known vulnerabilities and attempting to exploit a system based upon those vulnerabilities. In many cases, proper patching against known vulnerabilities or disabling technical components that are not needed for operations would prevent the attack and subsequent propagation of many worms. For instance, on January 25th of this year, a worm called ``Slammer'' attacked Internet systems via a known vulnerability in a popular database program--one for which the corrective patch had existed for over 7 months. Sites that were patched simply were not affected. Sites that blocked all network entry points for all programs, except those that were open for production programs, with technologies such as firewalls were similarly not affected. Unfortunately, much of the Internet community using the database had not properly applied those patches and they were severely debilitated for almost three days as a result of such negligence.
Some worms have been written to attempt to hurt specific Internet addresses such as whitehouse.gov and software manufacturing companies. Studies of the various types of worms seen in the last two years suggest that some are being used to probe, experiment and test methods in which to infiltrate infrastructures throughout the world. Having reviewed many of them and examined the code personally, it is readily apparent to me that some were written by very professional, highly trained programmers who could have easily done substantially more damage than they did--if they wanted to. When professionally written worms appear, they gain extra attention from within the security community as it usually is an indication that someone very serious about their efforts is setting something up for later use in a more destructive way.

The use of worm-based techniques of propagation, combined with virus development techniques, is causing new problems for companies and consumers alike. A good example is the recent and continuing propagation of the SoBig worm/virus technology that was and is still used by SPAMmers. SoBig and its variants are commonly used by SPAMmers to distribute a compact email server system to computers which previously did not have such capability. The unwitting victims, such as a broadband cable-connected home PC, are favorite targets of SPAMmers. By doing this, the numbers of email servers capable of sending SPAM to users on any given day has jumped from a couple of hundred thousand or so to several million. This type of technological approach to SPAMming has resulted in an exponential jump in SPAM emails, bandwidth consumption, and overhead (congestion) throughout the Internet.

While most of the uses of viruses and worms are typically malicious or at least inconvenient in today's environment, this will change over time. Worm technologies are currently being viewed as a potential method to distribute critical security patches to systems on networks.
Viruses can be used to distribute applications on some modern operating systems. Some countries have introduced legislation to outlaw all use of viruses and worms in all forms. This is a short-sighted and a simplex application of laws to a complex issue as the same technologies are being looked at, very seriously, for use in good--not evil.

With the conditions for development of viruses and worms remaining as-is, I expect the following situations to develop in the near future:

Infestations of ``invisible'' infrastructures. Most of us don't think about the software inside a cell phone, automotive electronic system, DVD player, radio frequency ID tag systems, parking lot gate attendant systems, toll booths, wireless luggage bag-to-passenger matching systems, point of sale terminals, automatic door openers, letter sorters, printing presses and many others. As these technologies become more sophisticated, so do their connectivity methods and operating environments. Companies that produce such products migrate towards general-use commercial off-the-shelf (COTS) technologies, which allow greater opportunities for attack.

Worm, virus and hybrid attacks against communications infrastructures due to lack of security controls in base networking protocols and ``building block'' protocols such as Abstract Syntax Notation.1 (ASN.1). Much of the communications infrastructure of the world is built on protocol security concepts developed in the 1970's which do not translate well into today's technical security needs.

Use of viruses and worms by terrorist organizations as a way to deteriorate, disrupt and disable economic and social support systems in use by countries dedicated to anti-terrorist efforts. As horrible and malicious as the various physical attacks have been by terrorists against the United States, those effects are minimal compared to a debilitating attack by a worm against our financial, transport or utility infrastructures.

Accelerated sponsorship by hostile nation-states where the use of cyber attack is a rapid method of furthering a country's political and economic goals (cyber warfare and information operations methodologies).

Worms/viruses that ``jump'' between operating environments and applications. Some have shown this capability already and it's a rapidly growing trend.

While there are many disturbing trends in virus and worm development, there are certain issues which IS Alliance is particularly concerned about:

1. Companies that provide critical services, such as utilities, transport and petrochemical entities are interconnecting historically isolated networks with Internet facilities. This results in such networks being attacked and infested with viruses and worms that cause the networks to become disabled and this can critically affect infrastructure.

2. Home consumer PCs are being increasingly targeted by viruses, worms and hybrids harnessed for use as part of world-wide malicious ``chains'' of attack systems (known as Zombies) to effect Distributed Denial of Service (DDoS) and worm attacks against Internet connected entities.

3. Research and development into new security encodings and methods in base network protocols needs to be accelerated to help offset the continued development of malicious code used to attack infrastructure.

4. Lack of law enforcement actions, globally, in the prosecution and arrest of virus and worm developers. An extremely low number of persons involved in the development and distribution of malicious code are ever identified or prosecuted due to a lack of technical tools, skills and personnel in most law enforcement organizations.

5. Inclusion of basic system and application protection methodologies by developers of same. Basic technologies such as polymorphic checksums and cryptographic signature methods are well known and available. Such technologies could be used by all manner of developers to stop infestations and propagation of these malicious code segments.

6. Lack of senior corporate management to act properly, responsibly, rationally and quickly in the deployment of security technologies to prevent infestations and propagation of malicious code. Too many companies still do not invest in the basics.

7. Acknowledgement that viruses and worms are truly a multinational problem. While leadership by technologically advanced countries is crucial, introduction of viruses and worms into network infrastructure is easily done by the ``weakest link'' in connectivity--a small country with no laws on cybercrime, no assets to protect, and no national will or means to prosecute perpetrators becomes the entry point for the world to be attacked. Remember that access to a small country's infrastructure does not require a physical presence--even a dial-up connection from anywhere on the planet will do just fine.

The ``cure'' for infestations is a long way off and will require partnership with industry and government to solve. Base research in network security improvements, deployment of security technologies, legislative efforts to prevent criminal use of worms and viruses, improvement in operating systems to stop infestations, application-level security technologies, law enforcement prosecution of cyber criminals involved in the creation and distribution of virus and worm technologies, improvement in base critical infrastructure and education and training through all levels of corporations, government and society will need to be combined to come up with effective eradication solutions.

Perhaps the most ironic aspect of viruses and worms is not just the cost to repair or prevent infestation--it's not like biological, chemical or nuclear terrorism where thousands or millions of dollars are required to make such an attack happen.
It's just the entry cost necessary to create and distribute worms and viruses: A PC with an Internet connection.

With this, Mr. Chairman, ladies and gentlemen, I conclude my opening remarks. Thank you for your efforts and your leadership in this important topic.

Mr. Upton. Thank you very much. Mr. Wong.

STATEMENT OF ARTHUR WONG

Mr. Wong. Chairman Upton, members of the subcommittee, thank you for the opportunity to provide testimony on this important topic. My name is Arthur Wong, and I am the Vice President of Response for Symantec, the world leader in Internet security technology, providing a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers.

We are at an important juncture regarding cybersecurity. The threats we are seeing today are more sophisticated, more aggressive and are able to spread more rapidly than ever before. Equally important, the time it takes from the discovery of a new vulnerability to the time the vulnerability is exploited by the launch of a worm or a blended threat is rapidly shrinking. These two phenomena have made the Internet increasingly vulnerable to attack. For example, the Slammer worm attack from January of this year exploited a vulnerability discovered 6 months earlier. In August this year, the time window changed significantly with the release of the Blaster worm. Blaster was launched just 26 days after the discovery of the vulnerability it exploited. We are already beginning to see even the early stages of what we call flash threats. These threats are near instant in their delivery and where human reaction time is probably not fast enough to prevent attacks that occur globally in minutes or mere seconds. The Slammer worm in January spread globally within 15 minutes.

Let me give you some additional insight based on our recently released Internet Security Threat Report, a comprehensive semi-annual view of cybersecurity activity.
The report documented over 1,400 new vulnerabilities, a 12 percent increase from last year. Sixty-six percent of all the new attacks this year documented were based upon highly severe vulnerabilities. Now, early warning and alerting capabilities, strong patch management and solid internal processes to respond to potential threat may be the difference between protecting critical systems and having them actually compromised.

Let me now turn to two key areas, corporate security governance and user awareness. Corporate IT security cannot be an afterthought or an add-on approach. It should be integrated into the overall management plan for an organization. In today's connected world, we rely heavily on our IT infrastructure to conduct business and should not be compromised due to lack of security measures. In developing a cybersecurity plan, we believe there should be a focus on the following areas: business continuity, regulatory compliance, enabling ``e'' initiatives and the establishment of a security policy and implementation plan. All of this must be done balancing risk and managing costs to ensure system availability and security. IT security requires a new level of governance at the most senior levels. It requires a top-down approach that reaches across an organization's departments and functions. It requires the creation of a culture of security.

Let me now turn to education and awareness. A vulnerable system, regardless of whether it is a home user surfing the Web on a broadband connection, a wireless mobile computer at Starbucks, or a telecommuter working from home, all can open the door to a virus or worm attack. I would point out that we wrongly think of the individual user as merely a home user. Users are also employees, customers, business partners of enterprises and companies. We also need to educate employees through a well-organized security training program.
Symantec has taken an active role in promoting a broad-based awareness campaign through our participation as a founding member of the National Cyber Security Alliance. In partnership with the Department of Homeland Security and the Ad Council, the Alliance recently announced a $1.8 million national cybersecurity awareness campaign of which we are a major contributor and supporter. The program will be designed to educate the home and small business users on the importance of using anti-virus and firewall technology, as well as tips to defend against on-line fraud. A recent study by the National Cyber Security Alliance showed about 67 percent of high-speed Internet users do not use firewalls, and more than 60 percent do not regularly update their anti-virus software, confirming the need for this broad-based campaign.

Symantec has created a free tool on our Web site called Symantec Security Check that scans an individual system for vulnerabilities and viruses. We have conducted over 50 million scans in 2 years. Now, of the 3.9 million people who were scanned and agreed to submit their data to us, 24 percent did not have any virus protection whatsoever; and 9 percent of those that did have some type of anti-virus solution did not regularly update it. In addition, of the 1.35 million users who submitted their data to our virus detection scan, 35 percent were already infected with a virus or worm.

The work by the National Cyber Security Alliance is a great example of the type of public-private partnership essential to promoting a safe and secure computing environment. Security is more than just installing a piece of software. It is the use of best practices, updating your anti-virus and practicing secure computing to ensure that systems are safe and the Nation's infrastructure is more secure. Thank you.
[The prepared statement of Arthur Wong follows:]

Prepared Statement of Arthur Wong, Vice President, Response, Symantec Corporation

Chairman Upton, Ranking Member Markey, members of the Subcommittee, thank you for the opportunity to provide testimony today on computer viruses. This is a timely and important topic and on behalf of Symantec, I appreciate your willingness to examine the issue and challenges surrounding it.

Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewalls and virtual private networks, vulnerability management, intrusion detection, Internet content and e-mail filtering, remote management technologies and security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 38 countries.

We are at an important juncture with regard to cyber security. The threats we are seeing today are more sophisticated, more aggressive and are able to spread more rapidly than ever before. Equally important, the time from the discovery of a new vulnerability to the release of an exploit targeting that vulnerability is rapidly shrinking. I make the analogy of an exploit being an ``unlocked door'' of a building and an exploit being a break-in by someone who knows about the unlocked door. These two phenomena have made the Internet increasingly vulnerable to attack. We are already beginning to see the early stages of what are called flash threats, threats that are near instant in their delivery. These are threats in which human reaction time is probably not fast enough.
A good example would be the recent Slammer worm, which, at its peak rate, infected 90 percent of the vulnerable systems in just 15 minutes. This speed of propagation, combined with the reduction of the time to exploitation, raises serious issues about the approach our nation is taking to protect our networks. We have taken the initial steps to improve our cyber security, from the largest corporations or infrastructures to the individual end user, but security is an evolving process and we must continue to be aggressive in our corporate IT security governance and in educating the individual user about good cyber security practices.

Congress passed the Federal Information Security Management Act (FISMA) to improve the protection of government systems. This risk-based management approach provides a guideline for Agencies to improve the protection of their critical assets. In the private sector, associations like the Business Software Alliance and TechNet are working on information security governance projects to assist the private sector on improving the protection of their infrastructure. I am pleased that Symantec is a part of both of those projects.

I would also point to the upcoming Department of Homeland Security Summit scheduled for December. The summit's intent is to bring together government and industry leaders to work on implementing the National Strategy to Secure Cyberspace. This is a positive sign of the commitment to work together on this important issue. But more needs to be done. If anything, the recent attacks during the month of August served as a ``wake-up'' to all of us. In fact, the threat of major cyber attacks causing significant damage to our infrastructure is real and still exists today.

Let me give some additional insight into the nature of the threats we are seeing with information from our recently released Internet Security Threat Report, a comprehensive semi-annual view of cyber security activity.
The report covers information on vulnerability discoveries, malicious code trends and network-based attacks. I have included a copy of the report for submission with this testimony. The report represents the distillation of data from over 500 Symantec managed security customers and over 20,000 registered sensors monitoring worldwide network activity in more than 180 countries. We would argue that it provides the most complete view of the health of the Internet available anywhere today.

As I mentioned earlier, the time from vulnerability discovery to exploit is rapidly shrinking. For example, the SQL Slammer worm attack from January of this year exploited a vulnerability discovered about six months earlier. Just a few months later that benchmark changed significantly with the release of the Blaster worm. This blended threat exploited a vulnerability just 26 days after disclosure. We have also seen that 64 percent of all new attacks targeted vulnerabilities less than one year old. Moreover, of all the new attacks documented in the first half of this year, 66 percent targeted what would be classified as highly severe vulnerabilities. Symantec documented over 1400 new vulnerabilities, a 12 percent increase from last year. In looking at the severity of these new vulnerabilities, we saw a 6 percent increase in those carrying a ``high'' severity rating and a 21 percent increase in those of ``moderate'' severity. These trends should be a major concern to all of us. As they continue, we will need new security paradigms to appropriately protect our cyber-infrastructure.

Early warning and alerting capabilities, strong patch management, and solid internal processes to respond when a new vulnerability is discovered, may be the difference between protecting critical systems and having them compromised.

With regard to malicious code trends, we observed a much more aggressive attack pattern.
The Blaster worm, as an example, infected systems at an average rate of 2,500 computers per hour. We are also starting to see the use of viruses and worms to attack newer applications, such as instant messaging and peer to peer networking. In fact, of the top 50 malicious code submissions we received in our laboratory during the first half of this year, 19 used peer-to-peer and/or instant messaging applications--an increase of almost 400 percent in just one year. So, the trends suggest that the overall rate of attack activity rose 19 percent. Companies experienced, on average, 38 attacks per week compared to 32 for the same period last year.

By highlighting some of these key findings, we see the importance of prioritizing cyber security at work and at home. I would like to focus on two key areas I believe are important to improving cyber security of our IT infrastructure: Corporate IT security governance and user awareness.

Corporate IT security cannot continue to be an afterthought or add-on approach. It should be integrated into the overall management plan for an organization. In today's connected world, we rely heavily on our IT infrastructure to conduct business, and it should not be compromised due to a lack of security measures. The resource constraints that many organizations are facing, coupled with the increasing rate of attacks, make this a daunting challenge. In many instances, these attacks are dealt with in a reactive rather than a proactive manner, making the task even more difficult. In developing a cyber security plan, we believe it should focus on the following areas: ensuring overall business continuity, adhering to regulatory compliance, enabling organizations for their ``e'' initiatives, and establishment of a security policy and implementation plan. All of this must be done with a watchful eye on balancing risk and managing cost to ensure both system availability and security.
In discussions with enterprise organizations, they cite three main drivers of the need to look at security in a more holistic manner. They include the disappearing perimeter, the increase in threats and the lack of security expertise. The question really is ``how do we adequately address these issues?'' I believe IT security requires a new level of governance at the senior level. It requires a top down approach that reaches across the organization's departments and functions. It requires the creation of a culture of security.

IT governance must be a part of the overall governance of an organization. Doing so will ensure that IT is aligned with the organization to deliver value to its constituents, that IT resources are responsibly utilized and that IT risks are mitigated and managed appropriately. Taking this a step further, information security should also fit in this broader view. For example, information security reports should go to senior executives in an organization and information security audits should be part of the overall audit program. Furthermore, implementing security with real-time risk management is a key to preparation and protection. Organizations need to know where they are vulnerable, establish benchmark security levels and policies that will ensure compliance.

Let me now turn to education and awareness. We have often heard the statement that ``we, as individual users of the Internet, have an obligation to protect our piece of cyber space.'' I firmly believe this is true. A vulnerable system, regardless of whether it is a home user surfing the web on a broadband connection, a wireless mobile computer at Starbucks, or a telecommuter working from home, all can open the door to threats.
As we continue to see increased computing power for the individual user and continued adoption of high-speed connections, we must focus on providing a safe and secure environment for that user, which includes using a firewall and a regularly updated anti-virus program. I would point out that we often think of the individual user as only the home user, a view that is short sighted. As mobile computing becomes more pervasive we need to be aware at the enterprise of the potential holes to the network that could open up from customers, business partners or employees. The perimeter to the enterprise is disappearing and steps must be taken to protect those critical assets not just at the gateway, but at all the end-points or access points being used in today's environment. This means more than just implementing technology solutions. It means educating the employees through a well-organized security-training program. Employees need to be armed with the knowledge to responsibly protect our networks. Symantec has taken an active role in promoting a broad-based awareness campaign through our participation as a founding member of the National Cyber Security Alliance. In partnership with the Department of Homeland Security and the Ad Council, the Alliance recently announced a $1.8 million national cybersecurity awareness campaign. Symantec is a major supporter of this effort along with other leaders from industry and government. The Alliance program will be designed to educate the home and small business users on the importance of using anti-virus and firewall technology, as well as tips to defend against online fraud. Further information from the Alliance can be found at www.staysafeonline.info. A recent study by the National Cyber Security Alliance confirms the need for this broad-based campaign. That study showed that about 67 percent of high speed Internet users do not use firewalls and more than 60 percent do not regularly update their anti-virus software.
In addition to the National Cyber Security Alliance, Symantec has also created a tool that home users and small businesses can use. This tool, called Symantec Security Check, can be found at http://www.symantec.com/securitycheck. It is a free service that scans an individual's system for vulnerabilities. To date we have conducted over 50 million scans. Of the 3.9 million people who were scanned and agreed to submit their data, 24 percent did not have any anti-virus protection, and 9 percent of those that did have some type of anti-virus solution did not regularly update their definitions. In addition, of the 1.35 million users who agreed to submit their data to our virus detection scan, 35 percent were infected with viruses or worms. We need to broadly get the message out about the dangers and threats to our Internet infrastructure. The work by the National Cyber Security Alliance is a great example of the type of public-private partnership that is essential to promoting a safe and secure computing environment, and ultimately better protecting our critical infrastructure. Let me close by saying that education and awareness of the individual whether in the largest multi-national corporation, small business or the home user is critical. Security is more than just installing a piece of software, it is using best practices, updating your anti-virus and practicing safe and secure computing to ensure that systems are safe and the nation's infrastructure is more secure. Thank you.

Mr. Upton. Thank you very much. Mr. Holleyman.

STATEMENT OF ROBERT W. HOLLEYMAN, II

Mr. Holleyman. Chairman Upton and members of the subcommittee, I appreciate the opportunity to testify today on behalf of the member companies of the Business Software Alliance. Our companies are the leading developers of personal computer software, enterprise software, as well as are leading hardware partners and e-commerce providers.
I would like to address three points in my testimony today that I think are important as we look to this framework for protecting ourselves against viruses and worms not only here in the U.S. but internationally. First, we need to create an environment in which information security is a priority for every company, every government, every household and every developer; second, we need to enhance law enforcement's capabilities to treat destructive viruses as the serious crimes that they are; and, third, we need to build on our international cooperation using U.S. leadership with key partners to recognize that viruses are, more often than not, international in scope. I believe the scope of the problem has been well articulated by witnesses on this panel before me, so I will not go back through that scope except to say that the number of attacks is growing and this is a growing problem. At the BSA, in our years working on the issue of cybersecurity, we focused on both industry-led best practices and legislative reforms. In the software industry, we have redoubled our efforts to build more reliable, better and more secure products. Security is the top priority for each and every CEO in the companies that we represent, and we believe that we have a responsibility and are stepping up to the plate to ensure that that culture of security is within all of our companies. We also believe that the culture of security needs to be extended as a senior management priority for every company. BSA has created a CEO-level task force on this issue. We want to ensure that private-sector participation is a key part of creating this culture of security, because indeed the private sector owns, operates and maintains nearly 90 percent of the information networks. BSA has a just-released Framework for Action that outlines specific roles for business unit heads, senior managers, CIOs and CEOs themselves. As part of that, we analyze the field.
There is a lot of great information that has been developed by governments, by private-sector groups about what needs to be done. Much of that information, however, is very technical in nature, and part of what we need in closing these gaps is to create a framework so that not only the technologists can understand this but senior managers can understand this, and we also need to take this to the home and users of small businesses as well. As part of this, BSA has released a checklist that identifies the type of steps that need to be taken to improve cybersecurity for individuals, for small organizations, for medium- to large-sized enterprises and for government agencies. It recognizes, appropriately, that everyone has a role in this, but there are also levels of technical understanding that vary, and we would be happy to work with this subcommittee in making sure that those sorts of checklists are disseminated. We also are working in the area of law enforcement. Law enforcement must have tools that are at least equal to those of the cybercriminals that they are trying to combat. Many times cybercrime is not yet perceived as a real crime. There is insufficient deterrence for cybercriminals and potential terrorists. To deal with this, we have to raise awareness globally that computer attacks are serious. We need to ensure that law enforcement has the right tools. They need the right personnel, they need the right training, they need the right equipment. And, third, we have to deal with the cross-jurisdictional aspects of this, recognizing that many times these crimes need to be pursued across international borders. Congress has led the way through its efforts in the U.S. such as the Cybersecurity Enhancement Act approved by Congress last year that increased penalties for people who commit cyberattacks. We need to ensure that those models are replicated around the world. Finally, this brings me to my last point, which is international cooperation.
This is absolutely vital, and I believe this is a unique time for leadership by the U.S. Government in this area. Everyone working in this field, whether they are in industry or law enforcement or political leaders, recognize that we have only begun to scratch the surface in dealing with this problem. There are, however, only a handful of other governments around the world who have begun to focus the same level of attention that we have. The U.S. just reached an agreement with Japan, a memorandum of understanding on fighting cybercrime and cyberterrorism. The European Union is creating a network and information security agency. There is a great opportunity in working with Australia, another leader, and Canada, another leader, to create this international framework that allows us to deal with this as a matter of policy, a matter of law enforcement and a matter of awareness. As part of this, we want to ensure that the U.S. principles that ensure that there is private-sector leadership, that we develop flexible standards, that will allow new products to be innovative and to come on the marketplace can be deployed. We believe that through these partnerships of technology and throughout the private-sector leadership and the U.S. global effort we can make progress. At BSA, we are committed to working with government as part of this. We welcome the opportunity to testify today to be part of this dialog. The goal of today's hearing is to look at viruses and worms. The longer term goal is to look at what it takes to create a culture of security, to create more confidence in networks and information networks and to promote economic prosperity. Thank you.

[The prepared statement of Robert W. Holleyman, II follows:]

Prepared Statement of Robert Holleyman, President and CEO, Business Software Alliance (BSA)

Good morning.
Chairman Upton, Congressman Markey, Members of the Subcommittee, thank you for the opportunity to provide testimony on this important and timely subject: computer viruses. My name is Robert Holleyman and I am President and CEO of the Business Software Alliance (BSA). BSA represents the world's leading developers of software, hardware and Internet technologies. We are headquartered in Washington, D.C. We also have offices in Europe and Asia and are active in more than 65 countries. Today I'd like to focus my remarks on laying out a prescription for prevention of cyber attacks and the three critical areas where technology companies and governments need to make progress in order to make our information networks safer: First, elevating information security as a management priority for every company. Second, enhancing law enforcement's capabilities to treat destructive virus attacks as serious crimes, and Third, increasing international cooperation to better recognize that viruses are, more often than not, international in scope. But before I talk about some of these crucial steps that the high-tech industry and governments around the world need to take to mitigate our risks, let me begin by giving you a prognosis for the disease. According to preliminary data from a BSA survey of more than 12,000 information security professionals, 65 percent of security professionals believe it is likely that their organization will be hit with a major cyber attack in the next 12 months. According to research by Symantec, an estimated 200-300 new viruses are discovered each month, bringing the total number of catalogued viruses and worms to over 65,000. Gartner has predicted that cyber crime will double or triple between 2001 and the end of this year. It also believes that by 2005, 60 percent of the security breaches will be financially or politically motivated. The cost of viruses to American business is staggering.
Business Week and Gartner report that viruses have already cost US businesses $13 billion this year alone. As the National Strategy to Secure Cyber Space has clearly articulated, the threats are real, and the solutions are not simple. At the Business Software Alliance, we have focused much of the last several years on working with businesses and governments to assist them in preparing against potential cyber attacks, and to institute--through both industry-led best practices and legislative reforms--sound policies to help eliminate some of this confusion and maximize our collective cyber preparedness. Our efforts have encompassed a wide array of topics--from encouraging industry leadership in best information security practices, to opposing technology-specific government standards that would stymie the dynamic evolution of security and anti-virus tools. Indeed, the software industry has redoubled its own efforts to build better, more reliable, and more secure products. I can tell you with complete certainty that security is the top priority for each and every CEO in our industry. Clearly, our industry has a critical responsibility to make the most secure products possible, and we are stepping up to the plate. At the same time, there are three areas where we, as a nation, must collectively turn our focus.

INFORMATION SECURITY MANAGEMENT

First, it is imperative that cyber security become a senior management priority for every company. We need to fundamentally recognize that information security is not solely a technical issue, but a corporate management challenge that must be treated as such to make progress. That's why the BSA has created a CEO Task Force on this issue, which is working to elevate cyber security to the level of senior management. We must remember, after all, that the private sector owns nearly 90 percent of the nation's information networks. We are doing more than just preaching this message, however.
The BSA task force recently released a preliminary Framework for Action that outlines specific roles for business unit heads, senior managers, CIOs, and the CEOs themselves. This whitepaper distilled the lessons contained in other policy reports, legislation, and guidelines and found broad consensus on what needs to be done. The more we do together to promote awareness of information security among corporate executives and accelerate adoption of effective security strategies, the more secure our nation will be.

EFFECTIVE LAW ENFORCEMENT ACTIONS

The second area that needs immediate attention is law enforcement in cyber space. Determined, innovative hackers, virus writers and cyber criminals are constantly working to develop new ways to break into systems--just as criminals in the real world are continually inventing new types of fraud and finding new ways to break into cars or homes. But many cyber crimes are not yet perceived as real crimes. As a result, there is insufficient deterrence for these cyber criminals and potential cyber terrorists. Let me highlight three areas for further progress: First, we need to raise awareness globally that computer viruses, worms and denial of service attacks are not clever acts of mischief, but serious crimes that can cause major economic damage, or worse. Just as in the offline world, when criminals steal or attack online, authorities need to be able to find and punish them. Second, we need to ensure that law enforcement has the resources it needs--personnel, training, and equipment--so that cyber space doesn't turn into a safe haven for hackers, virus writers and other criminals. Governments need access to the same cutting-edge technologies that cyber criminals use, and the ability to coordinate, investigate and enforce. Third, we need to ensure greater cross-jurisdictional cooperation in investigating cyber attacks. Cyber security is inherently an international issue that requires international solutions.
Many of the most recent cyber attacks were international in scope. Continued collaboration, information sharing, and tough laws in every country criminalizing cyber attacks are vital to ensuring that law enforcement can help prevent crime and investigate cyber criminals wherever they may hide. That brings me to my third and final point: international cooperation. Our cooperative efforts need to extend far beyond law enforcement. Indeed, strong relationships are necessary with Europe and the still small number of countries around the globe that are taking a lead on these issues. I was in Brussels in June for a major forum that BSA co-organized with leading members of the European Parliament to discuss cyber security, and, specifically, the European Commission's proposed Network and Information Security Agency. It is crucial that the technology industry--and the U.S. government--work closely with the EU to ensure that the structure of this new agency--and any others that are ultimately created around the world--is flexible enough to provide rapid responses to ever-changing security threats. It also needs to be technology-neutral--relying on performance guidelines and best practices rather than technology-limiting standards. The U.S. has a unique opportunity to build new global partnerships and set baseline standards that reinforce the importance of technology neutrality and private sector leadership. In closing, let me affirm BSA's belief that successful, constructive partnership by both government and industry is necessary to effectively meet the global information security challenge. While today's hearing is about making progress in defending against computer viruses and worms, it is really about how we can build faith in our information networks to make them more valuable and effective. To do this, we need a shared commitment to reducing risks and increasing cooperation between businesses, network operators, law enforcement agencies and governments as a whole. 
The BSA stands committed to playing our part in helping ensure that the nation has a prescription, not just for immunizing ourselves against viruses and worms, but for enabling a safe and healthy digital world that fosters innovation, unleashes human potential, and spurs economic growth. Thank you and I look forward to your questions.

Mr. Upton. I want to thank all of you for your fine testimony this morning. I just--you know, as we woke up to the news this morning, some of us saw it last night, about Microsoft's $5 million reward mechanism, I think we all applauded that. But, at the same time, we said, is this enough? When you talk about the number of culprits that were caught this last year, I think--Dr. Hancock, I think it was you that said less than 10, and they have all been pretty high-profile cases. The young man allegedly from Minneapolis, I think it was, a few others that we can remember. But when you think about the cost to the consumers and businesses as well as individuals, as we look at our own systems at night when we go home, with the anti-virus software packages that we all have, I would guess that it is probably almost every week that I see something pop up on my PC with some report or some request that is made of me to shut things down and restart that software. But with the number of attacks growing, is this a losing battle that we can't catch up?

Mr. Hancock. Sir, I believe that it is not a losing battle, but it is a very, very serious one. I think that the thing that you need to understand is that even the people that are caught and the people that have been caught in the last 12 months in many cases were not the original writers of the virus or the worm in question. In many cases, they took the original and mutated it into something else that they themselves produced. This means that we are still having a great deal of trouble trying to find the original writers of many of these types of technologies that we see.
We will continue to have that problem as long as there are safe havens around the world and there are places where prosecution does not happen. If there is no repercussion for going back and creating a malevolent environment, then there is no reason for someone to stop. The other problem that we run into is that in some cases there is serious motive involved with some of these reasons and efforts that people do these things. So one area to look at is to also go back and see how do you dry up the revenue source, and if you can dry up the revenue source a lot of this nonsense will stop. That is especially the case with spam. All spam involves some sort of revenue source, someone paying to have spam put out there or some sort of way to generate revenue. Most spam messages involve things like, you know, drug refills or potentially other ways to purchase illicit drugs. In those types of situations, there is a profit motive involved; and if you can dry up their profit motive you dry up the spam accordingly. So spam may use worm and virus techniques to get around, but it would stop a lot of it if there were ways to go back and dry up the ways that these people generate revenue for themselves.

Mr. Upton. What is your--anyone else want to comment on that? Mr. Silva.

Mr. Silva. Yeah. I would like to comment on the first part of that with respect to Microsoft's issuing a reward for this. I think it is a very commendable thing that they have done. But I think it is also a sign of the times, okay? I mean, this is really at a stage pretty much--it is real money. It is real money, but, you know, the tactics we are having to take now are similar to those of the old West, okay? We are having to offer rewards and bounties for, you know, the villains out there that are attacking our networks. I agree that we have to do that at this point in time, but it is a scary situation that we are in, that these are the tactics we have to resort to.

Mr. Upton.
What is your guess as to how many of these actually come from overseas? 50 percent? 25 percent? 80 percent?

Mr. Pethia. I don't certainly have a good guess at that. We have certainly seen historically at different points in time there would be an outburst of viruses coming from some particular part of the world. But I think if you look across time I don't know that there is any single source that stands out above any others.

Mr. Hancock. I will comment, Mr. Chairman, that it is my personal experience with several of them recently that some of the more, shall we say, professionally written products that have come out and hit people in viruses and worms have had comments in foreign languages in them, specifically Russian and Chinese. In both of those situations, at least the Russian one, we were able to backtrack through our cyberattack tiger team that the worm itself originated from a machine in Australia which we were able to forensically examine. We found out that that machine had been broken into from a location in Russia. Upon further investigation with the Russian computer police in Moscow, it turned out that it was an organized crime operation in progress, where it just basically deposited it to work on the outside. But it was written, according to them, by a potentially organized crime unit in the Russian area. So we are starting to see a lot of those are being professionally written by people with skill. If you read the comments and you look at the code, they are written by people who know what they are doing and in some cases are actually written in terms of organized crime definitely outside the United States in many cases. But we have seen quite a few of them coming from the Chinese area and also coming from Russia.

Mr. Wong.
Chairman Upton, what we have seen--because we monitor over 20,000 devices worldwide in over 182 different countries in the overall scheme of attacks, we have seen that most of these actually originate in the United States attacking people, organizations and infrastructure in the United States. So whether these individual virus writers or these individual viruses or attacks have started somewhere else or not, the main thing that we see overall as a trend is that most of them start here. Most of them are targeted here.

Mr. Upton. Thank you. Mr. Green.

Mr. Green. Thank you, Mr. Chairman. Dr. Hancock, can you give us a little more detail on how spammers are currently using the Sobig worm months after it did such terrible damage to networks nationwide?

Mr. Hancock. In terms of what, sir?

Mr. Green. Well, in terms of how they continue to use--are they using or continuing to use the worm even after it was discovered?

Mr. Hancock. Yes, sir, they are. In fact, I think the current variant is up to level G right now. I have, through my good friend, Commissioner Orson Swindle at the FTC, he asked me to prepare a talk last May on the future of spam. I have the dubious honor of now being labeled the ``prophet of doom'' by the FTC because I got up and said, here is how it is going to happen next and what is going to happen; and I predicted what Sobig turned out to be a full 4 months before it hit the Internet. The bottom line of this is that what people are doing is that spam is a function of e-mail. To send an e-mail at any given time in the world, you have to have an open relay within an e-mail server. It has been estimated that at any given time there is about 100 to 150,000 of those that are open worldwide. The concept of Sobig is that you not use an existing open relay. Instead, you send software to a particular machine which then deposits an e-mail transmittal system onto a machine that did not have e-mail transmittal capabilities whatsoever, like your home PC.
So what Sobig does that makes it very nasty is that, as it goes around, it infects different machines in a worm-like way. It then downloads a full e-mail service capability to that machine that could not previously generate e-mails. In other words, it becomes an e-mail server. The result is that Sobig and its variants have now come up to an estimated over 1 million active open relays available at any given time, which means that spammers can use those on machines that they could previously not access because they were only limited to whatever open relays are out there. So the technology of Sobig basically provides--and there are other ones, too, besides Sobig--provides the ability for spammers to use worm technology and worm concepts to deposit malicious code on machines and turn those into spam relay systems. So Sobig does continue to be generated, the new versions. Those new versions find new ways to weasel themselves into different machines and deposit these kinds of spam relay software technology out there to increase the opportunity for spammers to send spam.

Mr. Green. Do you think that any of the anti-spam legislation that regulates the unsolicited e-mail with effective law enforcement, the FTC, will help protect businesses from the fusion of the spam and the virus problem?

Mr. Hancock. Sir, I am on record with the FTC as saying that I think it will have minimal effect, because the spammers will simply move offshore. There is no legislation in other countries.

Mr. Green. Do you think, though, if we actually do something in the United States, as I think one of the witnesses mentioned earlier, then we have to deal with our other countries, our trading partners similar to what you dealt with the Russian computer police, for example?

Mr. Hancock. Yes, sir. I think that that is a very good thing to do. But I will caution also, one of the areas that has historically been known for having a lot of problems with computer security is in Romania.
I happen to know that--I have actually met with their one computer crime guy in all of Romania, and this poor individual is grossly overwhelmed. And when you start dealing with that kind of situation, I think that there is very good intent by other countries and our trading partners, but there is no investment in their own law enforcement, nor is there any investment in their own infrastructure to go back and prevent these kinds of things from happening. When you have one law enforcement guy in an entire country dealing with some of the worst problems that come out throughout the entire network infrastructure, it makes a losing proposition even if you go back and try to muscle that particular trade partner. So I am not defending them and I am not saying it is the right thing to do, but it is a reality.

Mr. Green. And, again, everything starts with one step, I guess. So, you know, if you have a strong Federal law like we have some strong State laws, then we can deal with our trading partners. Again, Romania is a country that obviously wants to join the EU, and will have to comply with the same agreements that other countries do with the EU, along with trade with our own country. So at least we have that leverage.

Mr. Hancock. No argument, sir. And I am not saying that we should not pass legislation in the United States or that we should not try to contain the problem here. I am simply stating the fact that what will happen and has happened with other types of situations where laws have been passed in a specific country is that the people that exercised the malfeasance just simply moved to another country.

Mr. Green. But we shouldn't throw up our hands and surrender?

Mr. Hancock. No, absolutely not.

Mr. Green. Okay. Thank you.

Mr. Upton. Mr. Deal.

Mr. Deal. Thank you, Mr. Chairman. I want to try to get a handle on this in terms of why this is happening.
For a long time I think many of us regarded this as some form of juvenile delinquency for computer geeks; that it was a form of graffiti that was just an act of vandalism. Obviously, with the magnitude of the impact that you have talked about, that even though that is a portion, I am sure, of it, I would like to know what you think the motivations for this problem really are. Dr. Hancock, you alluded to the issue of profit, profit for spammers, using this as a technique to bypass and get their information out. What other motives are there other than spammer profit? What are the motivations for this? There have been some allusion referenced perhaps to potential terrorism. I don't know that we have had specific examples of that being a motivation. But would the panel care to elaborate on what these motivations are? Something that is this big of a problem, there has got to be something other than just pure fun to see what kind of trouble you can cause in the universe. What are the motives?

Mr. Hancock. If you would like to, sir, I can give a first stab and then invite the other panelists, because I am sure they have their opinions as well. It has been my experience--and I have been involved in over 600 hacker prosecutions--that a vast majority of them are dysfunctional individuals. These are people who literally we bust them at 3 o'clock in the morning, because that is the best time to get them because they are the only ones awake in the house. These are people that have very serious social problems. They do not associate with other folks. It is a way of expressing themselves, using their intellect and using their capabilities. And that tends to be a very large percentage of what we run into. Another one is, you run into hacker gangs.
There are folks out there that--such as Cult of the Dead Cow, Hacking for Gurlz, spelled G-U-R-L-Z, and these types of individuals that believe certain manifestos, and therefore they use these types of techniques to go back and further their manifestos. Hacking for Gurlz, for instance, has a manifesto that states that information has a soul and yearns to be free, and therefore what they do is they go back and attack in groups people and capabilities and corporate structures to turn information free, because they believe that your Microsoft Word file has a soul and needs to get out. And so there is that sort of mentality out there, and it really does exist and these people really believe these kinds of things. You have also got the other extremes that basically say that there is evidence that goes worldwide where virus attacks, worm attacks, spam attacks may be against competitors as part of a competitive function. And there are places on the Internet where you can go hire people that will go back and write things and produce spam and produce viruses and worms to go back and attack competitors or attack a competitive infrastructure. And that has been documented in other countries, and it has happened. There are other things that happen where you are dealing with kids that are just out there messing around. For instance, we have been documenting a lot of what we call script kiddie attacks. The bulk of them happen between 4 o'clock p.m. Pacific time on Friday and 9 o'clock p.m. Pacific time on Sunday, because every kid without a date starts picking on our network. So I am going to start a site called geekdate.com and try to get them some dates and leave us alone. But that is a different problem. But you will see this whole rash of things that are out there. 
And then about 5 percent of what we hear that goes on--and I have some anecdotal evidence and also some direct evidence to this effect, nation states that are competitive to the United States or that do not feel politically aligned to the United States. And a good example of that is in May 2001, something called the Honkers Union of China launched a worm attack that basically disabled well over 300,000 Web sites with the defacement of Honkers Union of China banner across all of those. As part of a sympathetic attack, while the attack was in progress, Brazilian hacking teams got involved and started helping propagate the same worm and virus around, simply because the folks down there really don't think very highly of the United States in many cases. And Brazil is becoming a very large place where you can get a lot of hacks, you can hire people, you can get these kinds of things out there. So there is an enormous range of reasons why people do these types of things. Some of them are profit-oriented, some of them are socially dysfunctional.

Mr. Deal. Could I stop at that point just to ask a question, because it goes back to what Mr. Green had said earlier. Are we seriously pursuing efforts now to tie in our trade agreements or other negotiated agreements with other countries their requirement that they clamp down on these matters internally? For example, it would seem to me that it is not too far-fetched to say that we would build into trade agreements that this kind of activity coming from another nation is an unfair trade practice that could trigger sanctions in other areas if they don't do something about it and we can trace it to coming from their country. Are any groups pursuing those kinds of arguments, to say that that is the only way we can ever really get a handle on it because of the international nature of the entity?

Mr. Hancock. Sir, I am not equipped to answer that question, so I will have to defer that to the other panelists.

Mr. Silva.
Well, I guess if you look at the spam problem individually, okay, I am not so sure that going after the people sending the spam is the answer as opposed to taking the site away that they are being directed to. Okay. The spam is usually, in many cases, directing to a Web site. It really doesn't matter who sent the mail. It really doesn't. The fact of the matter is that all of the spam is directing someone to a Web site. Take the Web site away, and the spam is meaningless anyway, and the purpose of sending it ceases to exist. So, you know, if we take sort of most of that away, then that takes the spam down a considerable amount, down to sort of the mail order fraud sorts of things and other things like that. So, go after sort of the originating source--or, I should say, the destination rather than the source of the spam, okay, because where the spam comes from I think matters not, and people will just come up with more creative ways of hiding where it is coming from. Even if we have trade sanctions, our ability to be able to track them could become more difficult.

Mr. Deal. Are current laws adequately directed in that fashion?

Mr. Silva. Absolutely not.

Mr. Holleyman. Mr. Deal, if I may comment. When the President released in February this year the National Strategy to Secure Cyberspace, there is one section of that dealing with what we need to do internationally. One of the recommendations is to get more countries to join the Council of Europe Treaty on Cyber Crime. And so part of what we are doing, before we get to using trade sanctions, is holding out the type of models that we think are appropriate. This new agreement that the U.S. reached with Japan was the first formal MOU, as I understand it, between governments. I think there is a huge opportunity for leadership. And in response to the earlier question from Mr.
Green, I think when you take a subset of this, which is spam, we do think that there is some appropriate legislation that could be useful that could then become a model for our trading partners. Clearly, none of this will be resolved overnight, but we should use every tool internationally. And I think there is a unique opportunity for U.S. leadership in this area, because the field is so fertile, and we are one of the handful of countries dealing with this in a serious, significant way.

Mr. Deal. Thank you, Mr. Chairman.

Mr. Upton. Ms. McCarthy.

Ms. McCarthy. Thank you, Mr. Chairman. And thanks to the panel. And I did get to listen to Mr. Green and Mr. Deal's questioning, and I appreciate your forthright answers. And so as we look to a solution--because each of you in your papers talk about in the end what can be done. I find repeating themes of the trade agreements and education, international laws such as just mentioned by the President's recommendations in February, changes in software design, and incentives to infrastructure custodians, such as several of you represent, to help with research in this. And so I guess I would like to revisit with you how you would wish the Congress to proceed with any of these in sort of a sense of priorities given, you know, the skills and the abilities that we have. All of these papers are fantastic and your ideas are great, but how--could you help us focus now on how best for us to proceed in this matter that will be effective, efficient, and timely with the resources that we have? Anyone. And all of you, if you wish to comment. Again, I thank you for your thoughtful presentations and papers. They are outstanding.

Mr. Holleyman. Let me just mention a couple things. One, I think there is an opportunity on the law enforcement side as part of the appropriations process to make sure that U.S.
law enforcement agencies have the right personnel, the right training, the right equipment to deal with this, and that we arm our allies--the U.S. personnel who deal with our international allies to help train those folks as part of an international effort. I think second there is the effort by the U.S. Government to lead in terms of the U.S. Government's own attention to cybersecurity. The FSMA legislation that was passed last year has been a good model that we are now trying to deploy for the private sector. So we think that ensuring that Federal departments and agencies are also creating that culture of security is important. And, finally, I think it is building this culture of awareness. And that is, using every platform to talk about this, to create this culture of security, getting information into the hands of your constituents; so whether they are a small business, an individual, a large business, they understand what part they have to play in this. And as an industry, we are eager to work with you in making that information known.

Ms. McCarthy. Thank you very much. Mr. Wong.

Mr. Wong. Ms. McCarthy, part of it I think is having to do with an awareness campaign, making small steps now to bigger gains and bigger goals. I remember growing up, that when forest fires used to be a major problem, and we came up with the Smoky the Bear campaign. And since then, arguably, we have had less forest fires, except for recently in California. When Mr. Green had asked earlier why do we still get so much spam, why are there so many attacks after these things have already been discovered, well, even a very simple awareness issue is that it has been estimated that more than 60 percent of the desktop computers out there do not either have antivirus software or updated antivirus software. So there is a big part of it that can be helped just by the awareness of having the right software or things that will detect some of these things that--the attacks that are coming.
The awareness certainly starts from children, also through businesses and adults and home users and employees, where we can each actually secure our own individual piece of cyberspace, thus making all of cyberspace more secure. And that starts with education and awareness, and we can take those steps now.

Ms. McCarthy. Thank you, Mr. Wong. Dr. Hancock.

Mr. Hancock. I would have to agree with the panelists. I would also state that I believe that awareness, as Mr. Silva mentioned before, has to start at a very early age. And I will give just a quick anecdotal example. My oldest stepson is 32 years old and runs e-mail at one of the largest telcos now, and he has been around cybersecurity since age 11. My youngest son is 14; he has not known a day of his life without a computer around. And when he first started using the P-to-P-type of technology and copying music for free, we had to have a little lecture. But that sort of thing is very important, because by educating him, I found that he very quickly educated all his friends. And he runs around with about 10 or 12 kids that are very much into cyberspace. One of these children just makes amazing Web sites for businesses at age 14. So I believe that early education in the K through 12 area is absolutely critical to going forward as a national plan.

Simultaneously, though, I believe that we also have to be aware that we are not out of the woods when it comes to terrorism. Terrorism is going to use technology now and in the future to go back and further their goals. So one of the things we have to also keep in mind is that while we want to have a long-term relationship with our youth and basically bring them up the right way and teach them about security, we also have to simultaneously remember that there are adults out there that are going to use our current open infrastructure against us. And in some ways it can be rather devastating.
Because of that, I believe that there is also a need to jump some legislation and to jump into some areas that may be not as well thought out as we would like, but at least can start to curtail some of these activities that are out there and start looking at some of these issues. Some technologies, such as a technique called steganography, are known to be used by the opposition. Steganography is where you take technology such as a Microsoft Word file, or take a drawing or perhaps an operational plan embedded into a graphic, post it on a Web site; someone else can download the graphic, it looks like a graphic, it feels like a graphic, but you are hiding the data within the graphic. And at that point you can extract operational orders, you can extract operational information. This type of activity goes on. That kind of activity has to stop. There are techniques out there right now such as polymorphic checksums using things such as cryptologic signatures that will stop that sort of thing from happening, to keep from using an open infrastructure in a negative way and by the terrorists either through viruses, worms, or other kinds of infestations like steganography. So I think it is a dual-pole problem. I think there is a long-term awareness problem that we have to deal with, but I also believe that simultaneously we have got to do something about some of the short-term issues and start taking some action; otherwise, we are not going to get on top of this.

Ms. McCarthy. Thank you. Mr. Silva?

Mr. Silva. I agree with Mr. Wong, that I think the education part of it is sort of the no-brainer thing and the low-hanging fruit right off the bat, okay? We teach our children in schools how to use computers, but it is not currently part of the curriculum to teach them how to use them safely, okay? As parents and teachers, we teach our children how to cross the street safely, but we don't necessarily teach them how to cross the Internet safely.
So to the extent that the Federal Government provides some funding assistance to some schools, it would probably be worthwhile to direct some of that funding in the proper direction. Another thing I think that is very important is the Department of Homeland Security is very interested in developing an early warning system.

Ms. McCarthy. Yes.

Mr. Silva. And I think that Congress should support that wholeheartedly with as much vigor as is possible. Now, with respect to--there always seems to be this sort of come back to let us just write better software kind of thing. I think that is sort of beating a dead horse, and I think it is a no-win game, quite frankly. But as I am sure Mr. Holleyman would agree, while we have a number of antivirus solutions that need to be updated on a regular basis so registered users do update them on a regular basis, people who run Microsoft Windows, for example, the patches are available on a regular basis. The problem is that a large number of computers--and it is a shockingly large number of computers--are running software which is not registered software and was not legitimately acquired, so therefore not entitled to all of the updates, patches, et cetera. So we are still looking at a huge number of machines that even if properly--if the software manufacturers properly produce the patches, et cetera, there are still a huge number of computers that can't get those patches. So it is still a big target for anyone to hit. So just to close, I do believe that the education early warning systems are two very low-hanging pieces of fruit that I think we should dive right into.

Ms. McCarthy. Thank you, Mr. Silva.

Mr. Pethia. Let me be the contrarian for a moment. I agree that awareness and training are going to be important and we should certainly pay some attention there.
But the probability that we can drag 150 million users up that learning curve in a short period of time I think is pretty small, especially when you think about this as an international issue. If we want to protect ourselves from getting spam attacks, we have to educate the planet, not just the people in the United States. So that is a huge, huge drop. I like to look for leverage points, and one of the leverage points I happen to think is possible in the short term--short term being over the next 5 years--is better software. I don't think the horse is quite dead. I think we can have better horses out there in our operating systems and our applications software and our networking software. It will never be perfect. We can't rely on that as a silver bullet. But I think the government has an opportunity through its acquisition practices to provide incentives to people who produce products that reduce the overall cost of ownership of those products. And if you save money because you buy product X over your experience with product Y, reward the vendor with some piece of that savings.

The other thing is, as Ken mentioned, the early warning system I do think is critically important. Being able to develop an international indications and warning system that gives us advanced notice of these attacks is going to be critical to deal with them effectively. And then ensuring that the various organizations that do research and development funding in this area within the Department of Defense organizations like DARPA, the Homeland Security Advanced Research Projects Agency, the Infrastructure Assurance and Infrastructure Protection Division of DHS, to ensure that those kinds of organizations continue to have a component of their budget that is focused on cybersecurity research.

Ms. McCarthy. Excellent. Mr. Chairman, I apologize for going beyond my time, but I felt this would be worthwhile to have a summary from each on this question. I thank you.

Mr. Upton. Thank you.
Ms. Bono.

Mrs. Bono. Thank you, Mr. Chairman. And thank all of the panelists as well. It is a perfect segue into me when you started talking about children, because I have two teenagers at home and I have tried to educate them. We have talked about viruses, worms, and spam. But 1 day on my PC, this wonderful little Bonzi Buddy came up, which brings us to a new area, and that is Adware and Spyware. And nobody has really talked about Adware and Spyware yet, but I consider them to be as big a burden and if not increasingly more threatening to PC owners, both businesses and private individuals, as certainly spam is. I think people aren't quite aware of Spyware and Adware, but I try to describe it to my colleagues as the guy following you around in the trench coat with glasses on that you don't know is there but he is monitoring your every move. And I am wondering if you all--to be quite honest, I have legislation on Spyware and Adware out here, so I am hoping you all will lend some testimony to support my cause, although this is more about viruses. But if any of you could comment briefly on whether you think Spyware and Adware is as big a threat as are viruses to PC users. And, Mr. Wong, I am a huge Symantec user, and appreciate the work you do to save my family from harmful attacks.

Mr. Wong. Well, thank you very much. Well, in terms of Spyware and Adware, that is an increasingly large--that is an increasingly large problem. I think it is even worse than you have already said it, in terms of having someone follow you around. In some cases, it is as bad as having someone in your own home and hiding in your closet without you knowing it. There are many technologies that are currently available that help block Adware and Spyware so that you can prevent some of these things. We certainly support the kind of legislation that you are talking about.
But the other thing to note is that there is something called Spyware that can be used for good purposes as well, when you need to monitor, when you need to manage or help administer computers remotely, say if you need to support other people who work in your environment. There are certainly useful and legitimate reasons for having things or software that sit resident on a desktop and help you manage or monitor it. It becomes a problem when these things are in stealth mode, when they are hidden from the intended target, and when they are used for malicious purposes sometimes, as many times they are.

Mrs. Bono. Excuse me. Let me jump in here. What is so great about my legislation, Mr. Chairman, is that all we are asking is that somebody who is placing some Spyware or Adware on an end user, is that in the end user license agreement they state we are doing this to you and you need to know it. It is a single box, and here it is, and do you accept it? And you can check yes or no. Because I see some reasonable reasons also for Spyware, Adware. It could be a consumer-friendly shopping service as well. But also, at the end I would like to have a one-button removal tool that removes the Spyware or Adware. So I just wanted to say that hopefully we are in agreement on this. And I believe BSA has been supportive of my legislation. So does anybody else want to comment on Spyware or--did I cut you off, Mr. Wong? I am sorry. Go ahead.

Mr. Wong. No, not at all. Certainly having a button to remove it is something that would be helpful. There is already technology that can help block that kind of behavior and that kind of software that comes out. It is also worth mentioning that, in addition to having someone monitor your computer through Spyware, that through worms and viruses that are related, people who--these hackers can deposit code on your systems to gather information from you.
And we have seen much of that before, where you inadvertently give passwords out to financial bank accounts, passwords to trading accounts. We have seen worms out there and viruses where they actually harvest information from financial institutions. If you are X bank or this financial institution, then send this type of information to another computer so that we can see--so that they can see what is in there and use it for their own malicious intent. But we fully support your type of initiative.

Mrs. Bono. Thank you. Yes?

Mr. Silva. I think that the initiative is very good. I think it is exactly the right direction for Spyware and other things. In fact, I mean, I believe that for any software that is installed on a computer, the user should know what they are installing, okay, quite frankly. Again, the problem comes back to what we have already discussed earlier. This is a fine step for the United States to take, but again it could potentially become an international problem. Where, you know, your legislation would certainly apply and I think is a noble effort within the United States, and I think that is probably where we are going to go after the vast majority of it anyway, but I still think we have the problem with the offshore.

Mrs. Bono. I agree with you. But the initial reason behind my seeking this idea out was that when kids really download Kazaa and these P-to-P-type programs, what they don't realize is there still is an economic model as the basis for it, but someone else is making the money, not necessarily song writers. But there still is a money-making motive behind it all. So, yes, I think as Mr. Green said, it is a step in the right direction, and certainly if they move offshore. But currently it is the Kazaa sites and the P-to-P sites that are installing this Adware.
I have had to go to the length of buying a computer for each of my kids to get them off of mine, because they slow the machine down and put all these great things on that are, you know, temperatures and times and you name it. So it is a step in the right direction, I think.

Mr. Silva. So I think that maybe this is the first step in a multistep effort that, you know, perhaps in another year that we could actually have some legislation that actually targets the description for any software that, you know, that it shouldn't do things that it doesn't tell the user about. Okay? There shouldn't be software on a machine that sends data around and whatnot. Even if it is for legitimate purposes, the user should know, has the right to know what the software is doing. Now, you know, I mean, there is probably some limits on that information. But, quite frankly, I think that your proposed legislation here is applicable in many areas, not just in Spyware. There is legitimate software that some people call Spyware.

Mrs. Bono. Well, thank you. Thank you, Mr. Chairman.

Mr. Upton. Mr. Bass.

Mr. Bass. Thank you, Mr. Chairman. It is a great hearing, very interesting. In the committee memo here that we were given today, I would like to read a sentence and then have some comments from you. I quote: The main reason for the long life of viruses and worms--and I suppose this has also occurred for the prevalence of viruses and worms--is a lack of updated antivirus protection by system administrators and computer users. I know you all have addressed this issue in some detail already. Is it time for the Federal Government to establish some sort of an Internet security agency that would develop standards for all legitimate software, require automatic updates, patches, and so forth, and establish a base level for every single computer in the country regardless of whether the user knew or didn't know what was best for that particular unit to prevent the spread of viruses and worms?
Anybody want to comment on that?

Mr. Holleyman. I will start. I think, Mr. Bass, the question you are asking is an appropriate question, which is, what does it take to build this culture of security? And it requires different things for different types of users. I mean, there are different standards we can rightfully expect for a home user, for a small business, for a large enterprise. We need to have different standards that address that. I am not sure that a Federal agency at this point is necessary to do that, given the new tools that are being placed within DHS giving some of those State Departments an international role. I think we have the right resources there. What we just need to do is build this awareness of how often does an individual need to update their antivirus; what would you expect within a medium-sized enterprise; do you have a firewall in place? Make that information plainly available, and then ultimately there is a balance that has to be struck here. We could create software, we could create a network that is so secure that it would be very difficult for legitimate users to use. You could build so many locks in a house and a building that people couldn't get in there. And so the balance has to be we have to improve on the status quo, because that is not acceptable. At the same time, we need a reasonable balance so that you don't have to be a technical expert to run your home computer or your office computer. You just need to know what----

Mr. Bass. And I know others may want to respond to this, but is there any reason why any computer in this country shouldn't have some kind of antivirus software on it as a requirement?

Mr. Wong. Mr. Bass, there is no reason why there is a computer system out there that shouldn't have antivirus software on it.

Mr. Upton. Mr. Wong, if I may just interrupt. You know, at Rotary you would be fined a dollar for that. You can at least mention Norton, right?

Mr. Silva. Okay.
So, actually the problem is these are called personal computers, a lot of them; and personal computers mean that they are shaped based on the personal characteristics of the individual who uses them. So I think that what you are proposing is tantamount to trimming a little fat off the Constitution. I am not so sure that if we have a bunch of computers out there, that the Federal Government is going to require them to receive automatic updates from somebody; who do they trust? Is this the government that they are going to trust to provide these updates to them? Or who is going to provide the updates to them and they must trust them? And the other thing is I think that the public outcry in this particular area of having software installed without the knowledge of the user--you know, on their systems as a mandate, I think would just be--I mean, it would just be shocking how--the public outcry on this. Now, I mean, personally I think that we should--that smart computer users would in fact update their software and have it, but I am just not sure that any kind of agency, you know, Federal agency that required automatic updates on people's computers for all of their software is something that the public would tolerate, quite frankly.

Mr. Hancock. I would like to address both issues. One issue, having to do with should you have a baseline security of your system. One of the things that I have been involved in for the last 2 years is the creation of cybersecurity best practices for the telco industry. And that is where anytime you pick up the phone, the person at the other end that runs all that for you, it is those kind of companies. Prior to 2 years ago, there were no cybersecurity best practices at all; now there are over 200 of them. Those best practices include virus protection, they include a wide range of security issues involved.
There is a lot more to it than just should we go back and compel people to have an antivirus capability or firewall, or whatever the case may be. The problem with that is that the best practices are a start, they are not a finish at any stretch, and we are continuing to refine those. The Internet security lines, we have also generated best practices both for the home user--there is a document about that--and best practices for executives on how to go back and measure their organizations, saying are we doing the right thing security-wise. Those are a start. They are not mandated, so to speak, but they are a very strong start to get people to start being aware of these are the things you can do. There are standards and practices that are put out by experts. The members of the team at the SEC, for instance, are all my equivalent partners; at the phone companies, are all the chief security officers of all the different phone companies that are out there, and they deal with the same problems that I do.

But that is where we are starting right now because the problem is that when you really get down to it, personal computing, while we all use it and we all have it, is one aspect of computing. There is an aspect where a, quote unquote, personal computer may be used in a process control environment to control a factory automation network; where, if you put any antivirus software on there at all, or mandated it all, you would actually take that computer and make that invaluable to a desktop but it doesn't work at all in a factory production floor. The same thing would apply in power companies or water treatment facilities for the water plants. And I have a vast amount of experience putting these kinds of computers in, and none of these would be appropriate for antiviral-type of operations.
However, we can confront those types of networks with different types of security technology to keep that sort of thing from even hitting those networks, because those computer networks, if they were forced to have that kind of technology imposed on them, would never operate efficiently nor operate correctly, and the end result is certain infrastructure would go splat and not work at all. So I believe that under certain categories there is a good security baseline requirement. I think there has been an enormous amount of energy put into the generation of real best practices that have real capabilities in the last 2 years that didn't exist 2 years ago. But I simultaneously believe that a mandate of a base security configuration for all computing types would probably be problematic at best, and something dangerous at worst, under certain conditions.

As far as a Federal agency for mandating an oversight of something like this, I don't know that it is quite the time for that just yet, but I do believe that the adoption by the Federal Government of best practices and standards for computational capabilities such as those that are being developed by NIST right now and those developed by the Department of Commerce and those developed by the SEC, and start to spread those around where it is uniformly applied. And then also making that part of the chain of trust agreement between the Federal agencies and whoever they purchase equipment and technology from would be a very strong start to start making some of that stuff happen.

Mr. Bass. Thank you, Mr. Chairman.

Mr. Upton. Thank you. I would like to go back to something that Ms. Bono said, frustration that she had with her kids that she actually had to purchase a computer for each one of her kids. And I sense it was because of the P-to-P networking and the ability of harmful worms and viruses to spread, because she didn't have three computers--two kids. Right? How----

Mrs. Bono. Excuse me, Mr. Chairman. Four computers.
My husband has his own, too, because he is as bad as the kids.

Mr. Upton. How do these P-to-P networks contribute to the ability of harmful worms and viruses spreading the damage? Is it an enormous problem? Is it a small problem? Does every family with kids need to get their own system for each one?

Mr. Hancock. Mr. Chairman, I can address it from my perspective. We have several hundred thousand customers on our networks, that probably there are anywhere from 80 to 90 million users. So we see P-to-P all the time. And the problem is that a lot of the end sources of P-to-P contribute false documents, false programs, things like that. Sometimes as a prank by children. Many times it is a way for them to go back and forward their agenda, like I said before, with the hacking gangs. We have actually had some situations like that. In the situation of using P-to-P to go back and forth, it is just another mechanism to transmit a virus or a worm, no different than using e-mail or using spam to go back and using e-mail as a transport mechanism. So P-to-P is just another transport mechanism to move malware around. The difference is that most P-to-P is available to younger generation individuals, and those younger generation individuals a lot of times start messing around with this stuff and they don't know what they are messing around with. Or they actually have--in some cases we have seen rival cyber gangs, for lack of a better definition, that actually start to pick on each other by using P-to-P to transmit malware back and forth between each other, and it ends up getting spread all over the place because they put it up on different places for people to download things. And that is my direct experience with that. The other panelists may have a different view of it, but that is a lot of the times how this stuff gets into place, is based upon what we see in a live network.

Mr. Upton.
And as you talked earlier in your testimony about the nightmare scenario about how viruses could get worse, spreading to DVD players, Xbox games, cable systems. If it is P-to-P, I mean, it would be pretty dramatic. Mr. Silva. Well, that is right. And I agree with everything that Dr. Hancock said. The thing that actually further complicates it is that a lot of the people who are using the P- to-P are doing stuff they shouldn't be doing. So their motives for reporting whenever they get viruses or worms from a P-to-P network are probably--there is probably a deterrent for them to report it, because then it begs the question, what exactly were you doing? Mr. Upton. Mr. Wong, I have a question. I will confess that I have your competitor antivirus on my system and I have had a little problem the last couple weeks. I would just be curious to know how this is dealt with. When I turn on my computer, I have Microsoft XP, and when I am just about to ready to get logged on to my password, it all of a sudden goes blank. The whole computer shuts off. I have got to restart the whole thing; it takes a couple of minutes. It happens probably every week. And then there is a little notice that comes on that says, Do you want this report to be filed with--I think it is McAfee, but I don't know if it goes to McAfee or if it goes to AOL. And I hit and click yes, and watch the little bars go, and a minute later it says okay, and you go ahead. What actually happens? How is that--is it reported that I had a problem? Is there some patch that I am able to get down the road that is going to fix it? Is this a ruse so that the culprit who sent this thing to me is laughing all the way? I mean, what is happening when I hit that yes button? Mr. Wong. Well, Mr. Upton, you are using a competitor's software. I am not surprised. But that being said, there is a good likelihood that you probably even have a virus on your computer system right now. Mr. Upton. That is what I suspect. Mr. Wong. 
When you press that button--and we have similar technology at Symantec where our 120 million users do have the ability to send us a sample of their virus that they may have contracted. When they send that to us, we have the ability to-- if it is a new type of virus or a new strain, we have the ability to create an antivirus for it and then send it out back to that person who sent us that particular virus. And then we have the ability to then inoculate and send the benefits or the signature of that virus back out to our 120 million users so that they as well are protected. Mr. Upton. So that at some point when you get an update, it may be taken care of. Mr. Wong. Absolutely, that is the case. We can see right now where even in our own antivirus laboratories we get as many as 10,000 submissions on a monthly basis of new viruses or new virus strains that have not been propagated in the wild. And what happens is that we develop definitions to detect these new viruses that you may not have even seen yet, and then you have the ability to, when you use the Norton antivirus product or Symantec, you get that automatically updated and sent to you without you even knowing it. Mr. Hancock. Mr. Chairman, being the geek on the panel, may I suggest, sir, that you go to the NAI site and download a utility called Stinger, and it will get rid of that. Mr. Upton. Okay. Good. I will do that. Thank you. Ms. Bono, you have additional questions? Mrs. Bono. Thank you, Mr. Chairman. Thank you. Just a couple. First of all, a comment that I think the ISPs are the first line of defense for the average consumer when AOL and MSN, or whomever, warns the user and reminds them to update. And I think for the average American the ISP is the portal to the Internet. They are not directly accessing the Internet. And so I would say that I think AOL does a good job, even though they use your competitor--I use, as I said, Norton. 
And I am a huge fan because I have gone--although sometimes you guys, your processes are very, very elaborate and you could simplify them for removing a virus. But would it ever get to the point where we have to just entirely separate our financial networks where--because that is my concern. I do all of my banking on line. And would you ever have an entirely separate way of accessing, say, your bank, and then keep your e-mail entirely separate? Is that where we are going to? Mr. Wong. Well, I think it is a matter of functionality versus security. And to have something that is completely secure, you would have to completely separate it. But then, of course, it might not be functional. You might not be able to do the things that you really need to do to be able to communicate or conduct transactions that you might really need to do if you were fully, fully secured by having separate systems. Now, that being said, what we can do is increase the level of protection that we have when we have sensitive information that we have on a single system, so that we have measures to protect us, to monitor things, to block certain behaviors, to block certain attacks that are coming in, to block viruses that are coming in, and to not let offending viruses or attacks come out of your own systems. So I think that it is more of a solution of instead of let us separate it and not have the functionality that we need, we need to really concentrate on what can we do better to secure what we have so that we continue to have the functionality and the communications that we need. Mrs. Bono. But in a strange way, if you do your banking over the telephone, using the keypad, it is secure. But the minute you go to your PC, you are losing that? You are not secure over the phone lines? No? Mr. Wong. I wouldn't say that you are any more secure by using the telephone. There has been a lot of--there was telephone hacking before there was Internet hacking. 
And certainly you take the same type of risks in the telephone as you do over the Internet. Mr. Hancock. And in some cases--I would agree with Mr. Wong--In some cases, one of the things you want to be careful about is making sure that you do what we call in the business ``compartmentalization'' of your own computer. Specifically, if you have things that are very sensitive, you would want to potentially encrypt those files or make those files where, even if somebody did get ahold of them, they are useless to anyone else. And so you can't just assume that the computer is either secure or not secure. There are different levels you might impose upon yourself and on your own computer. So, for instance, on my computer I do my banking over the Internet; I charge and buy services over the Internet, but I am very careful who I do business with. I am very careful to use encrypted capabilities. I am very careful to store my data on my machine in such a manner that if you did break into my machine or someone did get onto my machine, if they steal really sensitive stuff, they are going to get a bunch of files full of gobbledygook because it has all been encrypted. So I think it is a matter of caring for different levels of sensitivity of information that you have and using the proper tools for that. Mrs. Bono. Does adding a router protect you to Trojan horses? Mr. Hancock. No, ma'am. Not at all. Mr. Pethia. And just building on that, we are almost talking about things like viruses and worms as if they were acts of nature that we can't do anything about. I mean, this is an engineering problem. And the reason that we are connecting everything with everything else is because it leads to greater business opportunity, it leads to greater efficiency, it leads to higher levels of productivity. There are good reasons to have all these things interconnected. 
But what we need to do is to ensure that the engineering solutions that we bring to the table when we do interconnect these things come with the right security characteristics. And that is what I think we need to push for. Not go backwards and try to segregate everything, but rather to try to put things together in the way that we are to begin with. Mrs. Bono. Interestingly enough, I think technology and the way we go is we move forward and sometimes we move backwards. Cell phones are getting bigger once again. So my thinking was, if we are going to start moving backwards again with separating out our networks. But thank you, Mr. Chairman, for this second round of questions. Thank you very much. Mr. Upton. Mr. Bass, do you have further questions? Mr. Bass. Thank you, Mr. Chairman. Yes. I would like to address the issue of economic terrorism over the Internet. I know some of you alluded to it. In some respects, you could say that the attack on the World Trade Center was the equivalent of a declaration of economic war and the fatalities were people who were capitalists and in business. The same kind of attacks can occur, as you all well know, over the Internet. And I was wondering if you could give me some sort of a summary as to the level and seriousness of organized international economic terrorist attacks on American or international Web sites such as Bank of America, for example, or a big international clearinghouse for funds and currencies, banking centers and investment centers and other economic spots. Is this a serious international problem? And what is being done about it? Mr. Hancock. I will take it first. The answer is, yes. And definitively, yes. Mr. Bass. And also are there governments that are conducting these attacks, or are these extranational forces? Mr. Hancock. I can't answer that question directly, sir, and it would probably be inappropriate to do it here. 
However, I will answer the first part, and basically state categorically that more and more financial institutions are using the Internet or the equivalent thereof to actually become the financial clearing and transaction network that is being used by those financial institutions. In fact, there are a couple of major financial institutions just recently used Internet-only for their entire transactional load in a specific day. In the case of January 25, when Slammer hit the Internet, that particular worm that hit the Internet was something that attacked a vulnerability that existed in a data base that had been patched 7 months previously. However, several large and major financial transaction institutions got hit very, very hard by that. And the only thing that saved them from getting into a situation where they could not complete the required and federally mandated transaction clearing was the fact that it hit on a weekend. Mr. Bass. Do you feel they were the target of the whole effort, or were they just a---- Mr. Hancock. They were there, and they didn't patch and they got hit. Mr. Bass. I am interested in efforts that are made that are specifically organized to bring down economic institutions in the United States. Mr. Hancock. There are attacks that I have seen that have been directed specifically toward financial institutions in the United States. Some of those attacks have been originated outside the United States, some have been originated by disgruntled people inside the United States. And those have been led through the Internet. In most cases, it hasn't been debilitating to the financial institution because the institution itself does all its back-end financials on a back- end network and not on the Internet or through a Web site. However, that is changing because more and more are starting to go that way, and therefore a debilitating attack would have a severe financial impact on that institution. Mr. Wong. Mr. 
Bass, if you take a look at the Bugbear virus, specifically that was actually targeted partially at financial institutions, where it was harvesting and gathering information and doing certain things if you were--a listed number of financial institutions that they specifically listed in the code of that particular virus. Mr. Silva. I think probably the U.S. intelligence services would probably be the best place to provide information on where--you know, asserted efforts against our financial community from foreign governments. However, what I would like to point out is that in all the sort of worms we have been talking about today in a general sense, most of them--most of them were nondestructive in nature in terms of the data that they destroyed behind them. Okay? In other words, they didn't. They simply infected a machine and then went on to the other machine. In most cases. I am not saying in all. If worms such as So Big, Blaster, NAGEE, and some of the others had actually--or in particular Slammer, which was specifically targeted at SQL data bases, MSSQL data bases. If those had actually eaten away and taken the data with them, that could have been very catastrophic. Many financial institutions in fact were infected with these worms, but it was nonimpacting to the customers because no data was altered or deleted. So it is not a giant leap to take these worms and make them some sort of targeted economic bomb, if you will. Fortunately, that hasn't happened yet. Mr. Wong. I would take that one step further in that I completely agree with Mr. Silva, in that the worms and viruses that we have seen in the last number of years, they have been destructive in the sense that they have caused downtime and things like that. But we haven't seen deadly payloads. We haven't seen hard drive crashes. We haven't seen destruction of data. But that technology already exists. 
There have been viruses that have been developed in the past where you can destroy the hard drive when you contract the virus, you can corrupt the data that is on that particular computer system. The worms that we have seen could be potentially just merely payload delivery devices for these types of destructive payload that already exists. So we haven't seen it yet, but the technology already exists, and that is certainly something that we need to be aware of for the future. Mr. Hancock. I would agree with Mr. Wong and Mr. Silva both, and add on one last thing about that. Just the Slammer worm itself was a good example of rapid propagation and rapid consumption of Internet bandwidth with zero payload. And that was the thing that was very startling about it. It was very professionally written, it had a very high rate of propagation speed, like in the order of 42 milliseconds. But what is more important, though, is that the payload was nothing. And if you put in even a DOS command like format, space, C, colon, it would have been absolutely catastrophically devastating to an enormous number of machines. So--and in the situation of taking and creating what we call a hybrid worm, which is a rapid propagation worm with a viral payload, is that possible? The answer is absolutely, yes, and it is just a matter of time. Mr. Silva. I guess I want to make sure that we are not sort of going in a direction where we are sort of suggesting that doing business on the Internet is a questionable thing, because I don't think it is. In fact, I think e-commerce on the Internet is very safe because there is fair amount of authentication that goes on between the bank and the end user here. Okay? So in terms of how these things move around and whether or not your credit card information is safe, I would absolutely say that credit card information that is passed over an SSO connection is far safer than pin numbers entered on a cordless phone in your living room. Mr. Bass. Thank you, Mr. 
Chairman. I might want to follow up on that if there is a chance for one more follow-up round. Thank you. Mr. Upton. Well, gentlemen, I thank you very much and we all appreciate your testimony, your leadership on this issue. It is a mighty concern by all Americans at all levels of use on computers, whether they be a small business, a large business, or our homes and working with our kids and our husband and wives. And we appreciate your leadership and your commitment to the cause, and we look forward to hearing from you again. Thank you very much. God bless. Whereupon, at 11:29 a.m., the subcommittee was adjourned.] [Additional material submitted for the record follows:] [GRAPHIC] [TIFF OMITTED] T0727.009 [GRAPHIC] [TIFF OMITTED] T0727.010 [GRAPHIC] [TIFF OMITTED] T0727.011 [GRAPHIC] [TIFF OMITTED] T0727.012 [GRAPHIC] [TIFF OMITTED] T0727.013