b"<html>\n<title> - CYBERSECURITY AND CONSUMER DATA: WHAT'S AT RISK FOR THE CONSUMER?</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \n   CYBERSECURITY AND CONSUMER DATA: WHAT'S AT RISK FOR THE CONSUMER?\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                            SUBCOMMITTEE ON\n                COMMERCE, TRADE, AND CONSUMER PROTECTION\n\n                                 of the\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           NOVEMBER 19, 2003\n\n                               __________\n\n                           Serial No. 108-52\n\n                               __________\n\n      Printed for the use of the Committee on Energy and Commerce\n\n\n Available via the World Wide Web: http://www.access.gpo.gov/congress/\n                                 house\n\n                               __________\n\n\n\n\n\n\n\n\n                      U.S. GOVERNMENT PRINTING OFFICE\n\n90-728                        WASHINGTON : 2003\n_______________________________________________________________________\nFor sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800, DC area (202) 512-1800 Fax: (202) 512-2250 Mail: stop SSOP, Washington, DC 20402-0001\n\n\n\n\n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman\n\nMICHAEL BILIRAKIS, Florida           JOHN D. DINGELL, Michigan\nJOE BARTON, Texas                      Ranking Member\nFRED UPTON, Michigan                 HENRY A. 
WAXMAN, California\nCLIFF STEARNS, Florida               EDWARD J. MARKEY, Massachusetts\nPAUL E. GILLMOR, Ohio                RALPH M. HALL, Texas\nJAMES C. GREENWOOD, Pennsylvania     RICK BOUCHER, Virginia\nCHRISTOPHER COX, California          EDOLPHUS TOWNS, New York\nNATHAN DEAL, Georgia                 FRANK PALLONE, Jr., New Jersey\nRICHARD BURR, North Carolina         SHERROD BROWN, Ohio\n  Vice Chairman                      BART GORDON, Tennessee\nED WHITFIELD, Kentucky               PETER DEUTSCH, Florida\nCHARLIE NORWOOD, Georgia             BOBBY L. RUSH, Illinois\nBARBARA CUBIN, Wyoming               ANNA G. ESHOO, California\nJOHN SHIMKUS, Illinois               BART STUPAK, Michigan\nHEATHER WILSON, New Mexico           ELIOT L. ENGEL, New York\nJOHN B. SHADEGG, Arizona             ALBERT R. WYNN, Maryland\nCHARLES W. ``CHIP'' PICKERING,       GENE GREEN, Texas\nMississippi                          KAREN McCARTHY, Missouri\nVITO FOSSELLA, New York              TED STRICKLAND, Ohio\nROY BLUNT, Missouri                  DIANA DeGETTE, Colorado\nSTEVE BUYER, Indiana                 LOIS CAPPS, California\nGEORGE RADANOVICH, California        MICHAEL F. DOYLE, Pennsylvania\nCHARLES F. BASS, New Hampshire       CHRISTOPHER JOHN, Louisiana\nJOSEPH R. PITTS, Pennsylvania        TOM ALLEN, Maine\nMARY BONO, California                JIM DAVIS, Florida\nGREG WALDEN, Oregon                  JAN SCHAKOWSKY, Illinois\nLEE TERRY, Nebraska                  HILDA L. SOLIS, California\nERNIE FLETCHER, Kentucky\nMIKE FERGUSON, New Jersey\nMIKE ROGERS, Michigan\nDARRELL E. ISSA, California\nC.L. ``BUTCH'' OTTER, Idaho\n\n                   Dan R. Brouillette, Staff Director\n\n                   James D. Barnette, General Counsel\n\n      Reid P.F. 
Stuntz, Minority Staff Director and Chief Counsel\n\n                                 ______\n\n        Subcommittee on Commerce, Trade, and Consumer Protection\n\n                    CLIFF STEARNS, Florida, Chairman\n\nFRED UPTON, Michigan                 JAN SCHAKOWSKY, Illinois\nBARBARA CUBIN, Wyoming                 Ranking Member\nJOHN SHIMKUS, Illinois               HILDA L. SOLIS, California\nJOHN B. SHADEGG, Arizona             EDWARD J. MARKEY, Massachusetts\n  Vice Chairman                      EDOLPHUS TOWNS, New York\nGEORGE RADANOVICH, California        SHERROD BROWN, Ohio\nCHARLES F. BASS, New Hampshire       JIM DAVIS, Florida\nJOSEPH R. PITTS, Pennsylvania        PETER DEUTSCH, Florida\nMARY BONO, California                BART STUPAK, Michigan\nLEE TERRY, Nebraska                  GENE GREEN, Texas\nERNIE FLETCHER, Kentucky             KAREN McCARTHY, Missouri\nMIKE FERGUSON, New Jersey            TED STRICKLAND, Ohio\nDARRELL E. ISSA, California          DIANA DeGETTE, Colorado\nC.L. ``BUTCH'' OTTER, Idaho          JOHN D. DINGELL, Michigan,\nW.J. ``BILLY'' TAUZIN, Louisiana       (Ex Officio)\n  (Ex Officio)\n\n                                  (ii)\n\n\n\n\n\n                            C O N T E N T S\n\n                               __________\n                                                                   Page\n\nTestimony of:\n    Ansanelli, Joseph G., Chairman and CEO, Vontu, Inc...........    48\n    Burton, Daniel, Vice President, Governmental Affairs, \n      Entrust Technologies.......................................    52\n    Charney, Scott, Chief Trustworthy Computing Strategist, \n      Microsoft Corporation......................................    30\n    Davidson, Mary Ann, Chief Security Officer, Oracle \n      Corporation................................................    43\n    Morrow, David B., Managing Principal, Global Security and \n      Privacy Services, EDS......................................    
37\n    Schmidt, Howard A., Vice President, Chief Information \n      Security Officer, eBay Inc.................................    23\n    Swindle, Hon. Orson, Commissioner, Federal Trade Commission..    16\n    Thompson, Roger, Vice President of Product Development, \n      PestPatrol, Inc............................................    58\n\n                                 (iii)\n\n  \n\n\n   CYBERSECURITY AND CONSUMER DATA: WHAT'S AT RISK FOR THE CONSUMER?\n\n                              ----------                              \n\n\n                      WEDNESDAY, NOVEMBER 19, 2003\n\n              House of Representatives,    \n              Committee on Energy and Commerce,    \n                       Subcommittee on Commerce, Trade,    \n                                   and Consumer Protection,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10:10 a.m., in \nroom 2123, Rayburn House Office Building, Hon. Cliff Stearns \n(chairman) presiding.\n    Members present: Representatives Stearns, Shimkus, Shadegg, \nPitts, Bono, Issa, Schakowsky, Towns, Davis, Green, and \nMcCarthy.\n    Staff present: Ramsen Betfarhad, policy coordinator and \nmajority counsel; Jill Latham, legislative clerk; Jon Tripp, \ndeputy communications director; David Cavicke, majority \ncounsel; and David Nelson, minority counsel.\n    Mr. Stearns. Good morning. Welcome to the Subcommittee on \nCommerce, Trade, and Consumer Protection's hearing on \ncybersecurity and consumer data. I am pleased that we are \njoined this morning by a group of distinguished witnesses. 
And \nall of us look forward to your testimony.\n    On November 15, 2001, nearly 2 years ago to the day, the \nsubcommittee held a hearing entitled, ``Cybersecurity: Private \nSector Efforts Addressing Cyber Threats.'' The focal point of \nthat hearing, as it is with this hearing, was cybersecurity as \nit related to consumer data used in the stream of commerce.\n    We are fortunate that three of our witnesses, Ms. Davidson, \nMr. Schmidt, and Mr. Morrow, all of whom testified at the \nhearing 2 years ago, have joined us today to reflect on what \nhas transpired with regard to cybersecurity in the last 2 \nyears. Normally you don't have people back to give you a little \npost-analysis. So we are very fortunate to have that. I am \nconfident their insights, along with the testimony of the other \nwitnesses, will be particularly helpful to our better \nunderstanding the issue, its evolution, and what we believe is \nits increasing significance.\n    The subcommittee's hearing 2 years ago was held in the \nshadow of the tragic events of September 11, when we as a \nNation, it seemed, had become obsessed with security. Of \ncourse, that was and is understandable. Yet the problems that \ngave rise to cybersecurity concerns predated September 11. In \njust the years 2000 and 2001, as a result of only three \ncyberattacks--the ``I Love You'' and ``Code Red'' viruses and \nthe February 2000 denial-of-service attacks--the media reported \nlosses in excess of $10 billion.\n    The number of cyberattacks, as reported by the Computer \nEmergency Response Team, CERT, at the Carnegie Mellon \nUniversity, was expected to nearly double in 2001 from 2,000 to \n40,000.\n    Now, fast forward 2 years. In 2003, the ``SQL Slammer'' \nworm disrupted computers around the globe. And during the \nattack, half of all Internet traffic was being lost. 
The \nSoBig.F virus clogged e-mail boxes and networks around the \nworld, and became the fastest spreading virus on record, \ninfecting 1 in 17 e-mails at its peak.\n    Showing a bit of humor, the creator of the Blaster worm, \nwhich caused some 500,000 computers running Windows to crash, \ntargeted the Microsoft Web site from which users could download \nthe program and the patch to protect their vulnerability with \nMicrosoft Windows code, the very weakness in Windows that the \nworm itself was exploiting.\n    The virus and worm attacks of 2003 did bring about \ndisruptions, such as the SQL Slammer worm, knocking out Bank of \nAmerica's ATM machines for a while, but overall they did little \nreported damage. Although the ultimate objective of the SoBig.F \nvirus is not known, the 2003 vintage of viruses and worms, like \nmost of the ones that preceded them, did not have a malicious \nor destructive payload. If they did, their impact would have \nbeen very, very different. These viruses and worm attacks are \nexternal attacks to the networks, and, as such, according to \nsome estimates, only represent 30 percent of computer attacks. \nThe remaining 70 percent of the attacks are carried out from \nwithin the corporate firewalls.\n    Those attacks or security breaches taking place within the \ncorporate firewalls, many argue, are the most costly and, of \ncourse, the least reported. I raise the issue of virus and worm \npayload within corporate firewall breaches, because one key \nquestion I want answered today is ``What are the real risks and \ncosts to consumers from cybersecurity breaches, and what poses \nthe most risk to cybersecurity?''\n    One response to breaches in cybersecurity by industry and \ngovernment alike has been increased spending on security \ntechnologies. 
UBS Warburg estimates that such spending will \nincrease from $6 billion in 2001 to over $13 billion in the \nyear 2003.\n    Meanwhile, other data suggests that companies spend less \nthan just 3 percent of their technology budget on security. The \ntechnology budgets tend to be around 3 percent of revenues. So \nwhy are these expenditures so low? Some argue because there is \nno real understanding of quantifiable cost associated with \ncybersecurity breaches, even among senior managers. Is this \ntrue? This is another question for the panel to consider.\n    Finally, many argue that cybersecurity is not just a \ntechnological problem and thus can't be solved by adding new \nand improved technologies defending against cyberattacks, but, \nrather, they argue that it is as much a governance or \nmanagement issue as it is a technological problem. Strategic \ndecisions, such as deciding the appropriate balance between \ncost and risk, are ones that only senior managers can take. And \nwithout a clear mandate from the top management, cybersecurity \nmeasures will be disregarded as just simply nuisances by rank-\nand-file employees.\n    Moreover, it appears that there is increased management \nparticipation mostly when it is mandated either directly or \nindirectly by government regulations. For example, the Gramm-\nLeach-Bliley Act, the Sarbanes-Oxley Act, the Health Insurance \nPortability and Accountability Act, or enforcement actions by \nthe Federal Trade Commission.\n    I want to know, are these observations accurate? If so, is \nthere an optimum role for the Federal Government to play when \nit comes to protecting consumers from cybersecurity threats?\n    With that, I conclude my opening statement and welcome the \nranking member for her opening statement.\n    Ms. Schakowsky. Thank you, Mr. Chairman, for convening this \nimportant hearing today. Cybersecurity is one of those words \nthat have recently entered our lexicon. 
Most people are \nprobably confused, as I was, the first time they hear or see it \nin print. There are no doubt several interpretations of the \nword. It is one of those things like electricity or television \nsignals that we all hope someone else understands enough to \nassure its availability.\n    Before widespread viruses and ID theft became somewhat of a \nnorm, we were able to take cybersecurity for granted. Of \ncourse, it should be safe to operate a home computer or a Palm \nPilot. Unfortunately, more and more Americans, a \ndisproportionate share in and around Chicago, by the way, have \ncome to a very personal understanding of how vulnerable our \ninformation technology, storage, and transmittal systems are.\n    No longer is cybersecurity something over which just \ngovernment and corporate technicians fret. Life savings now \ndisappear before victims are even aware that there is a threat \nto the security of their personal and financial information. \nHighly sensitive personal information is available for sale \nwithout the knowledge, much less the consent, of targeted \nindividuals.\n    Americans expect that their government and the private \nsector institutions they rely upon for financial and other \nservices will protect their privacy, and that those they rely \non for cybersecurity will do their job. It is becoming \nincreasingly apparent that consumers are not being adequately \nprotected.\n    Estimates of the economic impact of cybercrimes on society \nvary widely. One of our witnesses will tell us that identity \ntheft alone totaled $24 billion last year, and is expected to \nescalate to $73 billion by the end of this year. If he is \ncorrect, this means that identity theft will cost Americans \nmore, perhaps much more, than the authorized cost of the war in \nIraq.\n    Another witness tells us that 1 in 10 Americans has been \nvictimized by identity theft. 
Each of these heists is estimated \nto cost nearly $10,000; clearly this problem is reaching \nepidemic proportions.\n    Added to the economic cost is the loss of our invaluable \nprivacy. We are all aware of the Orwellian dangers that may \nflow from personal information that the government can tap, \nusing sophisticated technology. What many of us do not \nadequately understand is the danger of intrusive prying by \nprivate interests. The expropriation of commercially useful \ndata from each and every one of us that accesses the Internet \nfrom a computer where personal information is stored is a \ncontinuous process. And, of course, there is no reason to \nbelieve that firms interested in selling us something are the \nonly ones looking.\n    I look forward to the testimony of the Federal Trade \nCommission regarding what the Federal Government is doing to \ncontrol this electronic crime spree. I hope in the future we \ncan also hear from the Justice Department or the agencies that \nregulate financial institutions, because it is my understanding \nthat much, if not most, of identity theft is perpetrated by \nemployees of banks, insurance companies, and the like.\n    I would have liked to hear directly from those private \ninstitutions as well. Nonetheless, Mr. Chairman, I am looking \nforward to hearing from the witnesses you have assembled. I am \nsure they will be able to give us a sufficiently comprehensive \npicture of the problems with our cybersecurity systems from \nwhich we can fashion whatever policy changes may be necessary \nto protect the privacy, pocketbook, and safety of our \nconstituents.\n    And, Mr. Chairman, I look forward to working with you, as \nalways, to end this epidemic. I look forward to hearing from each \nof our witnesses, and I thank them for taking time to share \ntheir expertise with us today.\n    Mr. Stearns. I thank the gentlelady.\n    The gentlelady from California, Ms. Bono.\n    Mrs. Bono. Good morning, and thank you, Mr. 
Chairman. I \nlook forward to hearing from your colleagues and the witnesses \non the issue of cybersecurity as it relates to consumers.\n    Cybersecurity and the protection of consumer data is a very \nreal issue that the government, businesses, and consumers alike \nmust acknowledge and respond to. Of course, there are many \nthings that consumers can do to protect themselves.\n    Antivirus software and patches are regularly available for \ndownloading and updating. Moreover, one should always be \ncautious while downloading software. Consumers should avoid \nopening e-mails from strangers and should be hesitant to \ndisclose personally identifiable information over nonsecure \nsites.\n    However, the methods of hacking into computers and data \nbases are just as evolving as the technologies on which they \nreside and function. Recently I introduced H.R. 2929, also \nknown as the Safeguards Against Privacy Invasions Act, or the \nSpy Act. This bill aims to put consumers in the loop. \nUnfortunately, consumers regularly and unknowingly download \nsoftware programs that have the ability to track their every \nmove.\n    Consumers are sometimes informed when they download such \nsoftware. However, the notice is buried deep inside multi-\nthousand-word documents that are filled with technical terms \nand legalese that would confuse even a high-tech expert.\n    Many spyware programs are purposefully designed to shut off \nany antivirus or firewall software program they detect. The Spy \nAct would help prevent Internet spying by requiring spyware \nentities to inform computer users of the presence of such \nsoftware, the nature of spyware, and its intended function.\n    Moreover, before downloading such software, spyware \ncompanies would first have to obtain permission from the \ncomputer user. This is a very basic concept. The PC has become our \nnew town square and global market as well as our private data \nbase. 
If a consumer downloads software that can monitor the \ninformation shared during transactions for the sake of the \nconsumer as well as e-commerce, it is imperative that the \nconsumer be informed of whom he or she is inviting into their \ncomputer and what he or she is capable of. After being \ninformed, the consumer should have the chance to decide whether \nto continue with that download.\n    Since the introduction of H.R. 2929, I have had the \nopportunity to speak with many different sectors of the \ntechnology industry and retail businesses that operate on the \nInternet. Through these discussions I have received meaningful \nfeedback, and I am currently working on refining H.R. 2929. \nOnce installed on computers, some spyware programs--like \nviruses embedded among code for other programs--affect how \nthese programs function on the user's computer.\n    Additionally, spyware is becoming more and more difficult \nto detect and remove. Usually such programs are bundled with \nanother unrelated application that cannot be easily removed, \neven after the unrelated application has been removed.\n    According to a recent study, many problems with computer \nperformance can be linked in some way to spyware and its \napplications. Additionally, some computers have several hundred \nspyware advertising applications running, which inevitably slow \ndown computers and can cause lockups. If you have spyware on \nyour computer, you most likely are getting more pop-up \nadvertisements than you would have if you had no such \nsoftware on your computer.\n    Moreover, the advertisers may not always be forthcoming. \nMany times spyware entities contract with companies to post \nadvertisements and, in turn, post such advertisements on the \nWeb sites of competitors. The result is confusion. In other \nwords, while visiting the Web site for Company A, you may be \nbrowsing to purchase a product. 
However, while browsing, a pop-\nup link may appear, informing you of a great sale. Under the \nimpression that you are looking at a link for Company A, you \nmay purchase the product, all the while uninformed that the \nproduct was purchased via a pop-up link from Company B. I have \noften thought that this would be a very effective campaign \ntool, too, to put out a link and have someone go to my \nopponent's Web site and my Web site pops up.\n    All of these consumer disadvantages can be decreased or \neliminated if disclosures surrounding spyware are required and \nenforced. If consumers are informed about spyware, chances are \nthey will not choose to download the software. Upon choosing \nnot to download software, consumers' computers will run more \nefficiently, their antivirus programs and firewalls will \nfunction better, they can decide which information to share and \nnot share, and consumers will not be deceived into buying a \nproduct or service from unknown entities or voting for our \nopponents.\n    Thank you, and I look forward to hearing from the witnesses \non the issue.\n    Mr. Stearns. I thank the gentlelady.\n    Mr. Green.\n    Mr. Green. Thank you, Mr. Chairman. I thank you and our \nranking member for holding this important hearing on \ncybersecurity and its impact on consumers.\n    The proliferation of Internet-based services and commerce \nhas dramatically changed the world we live in, and many of \nthese changes have been for the better, with consumers able to \nmake almost any purchase imaginable on line. Unfortunately, \nthese computing advances also create a fertile ground for \nfraudulent activities and thus increase the pressing need for \ncomputer security.\n    The problems are coming from all directions. We have \nviruses, computer worms that are attempting to swarm our \nnetworks and are causing terrible harm to computer users and \nbillions in damages to U.S. businesses. 
We have unsolicited e-\nmails taking over our in-boxes, spam that at the very least is \nan annoyance and at worst is helping to transmit these computer \nviruses and deliver pornographic e-mails to our children.\n    Mr. Chairman, if I could ask unanimous consent to put in an \narticle from Business Week that was published on August 12 \nabout the unholy matrimony, spam versus virus.\n    Mr. Stearns. By unanimous consent, so ordered.\n    [The article referred to follows:]\n\n                    [Business Week--August 12, 2003]\n\n                    Unholy Matrimony: Spam and Virus\n                             By Jane Black\n    Their common goal is subterfuge, and by combining their strategies, \nthey could make today's junk e-mail look like a mere nuisance\n    In June, half of all e-mail was spam--those annoying unsolicited \nmessages that hawk everything from porn and Viagra to mortgage-\nrefinancing deals and weight-loss patches. But if you think spam is out \nof control, prepare yourself. It could get a lot worse.\n    Over the past few months, e-mail security companies have seen \nmounting evidence that spammers are using virus-writing techniques to \nassure that their sales pitches get through. At the same time, intrepid \nvirus writers have latched onto spammers' trusty mass-mailing \ntechniques in an effort to wreak widespread digital mayhem. ``What \nwe're seeing is the convergence of the spammer and the malicious code \nwriter,'' says David Perry, global director of education at antivirus \ncompany Trend Micro (TMIC).\n    RELAY STATIONS. Witness the recent spread of a virus known as \nWebber, which was discovered on July 16. It carried the subject line \n``Re: Your credit application.'' Users who opened the attachment \ndownloaded a malicious program that turned a home PC into a so-called \nopen relay server, which allows a third party to send or receive e-\nmail--including spam--remotely from that PC. 
Spammers are notorious for \nusing open relays to hide their identities. According to British e-mail \nsecurity company MessageLabs, 70% of spam comes through open relays.\n    Then there's Sobig.E, a virus that grabs e-mail addresses from \nseveral different locations on a PC, including the Windows address book \nand Internet cache files. Sobig.E then tries to send a copy of itself \nto each address. It also uses one of the stolen addresses to forge the \nsource of the message, so that it appears to come from someone else. \nMessageLabs believes Sobig.E is a spammers' virus designed to harvest \nlegitimate e-mail addresses from users' computers.\n    So far, no concrete evidence shows that any home PCs that have been \ninfected by either Webber or Sobig.E have been used to send spam. But \nexperts fear that the two viruses could be ``spam zombies,'' programs \nthat will lie in wait on a PC until called on by the spammer to send \nout millions of untraceable e-mails.\n    ``I LOVE YOU'' MORE. The convergence of spam and malicious code \nmakes sense, says Chris Miller, Symantec's (SYMC) group product \nmanager for enterprise e-mail security. ``They have a common goal--to \ndo what they're doing without being seen,'' Miller says.\n    Virus writers and spammers send out their messages from \nillegitimate e-mail accounts, never from the ISPs where they are \nregistered. It isn't hard to see where the union of these two insidious \ngroups' techniques might lead. Using such weapons as Sobig.E and \nWebber, spammers can hijack a user's address book, then use the PC to \nsend out hundreds, even thousands, of junk messages.\n    And virus writers can use mass-mailing techniques to spread \nmalicious code even faster than before. The destructive ``I Love You'' \nvirus of 2000 was originally sent to a small number of people. Within \ndays it had affected tens of millions of computers and caused damage \nworth hundreds of millions of dollars. 
Imagine if, like spam, it had \noriginally been mailed to a half-million computers.\n    Security experts cite other recent examples of spam-virus \nconvergence:\n- Key-logger Trojans. In May 2003, a major food-manufacturing company \n        received a spam e-mail that, when viewed in a preview pane in \n        Microsoft Outlook, showed a message that appeared to be an \n        opportunity to sign up for a newsletter. First, though, the \n        message asked the recipient to verify their e-mail log-on ID \n        and password. That information was collected by the key-logger \n        code and then sent to the spammer, who could then log into the \n        user's e-mail at any time and search for valuable information.\n- Drive-by downloads. Recent spam sent to a major airline manufacturer \n        led unsuspecting users to Web pages where spying software was \n        secretly downloaded without the user's knowledge. So-called \n        spyware monitors a user's activity on the Internet and \n        transmits that information to someone else, usually an \n        advertiser or online marketer. Spyware can also gather \n        information about e-mail addresses, passwords, and credit-card \n        numbers. Drive-by downloads can be done without either \n        notifying the user or asking permission because many users \n        accept such a download without question, thinking it's a normal \n        function of the Web site.\n    CALL IT ``MALWARE.'' According to the strictest definitions, key \nloggers and drive-by downloads aren't viruses, which are programs that \nreplicate themselves. (If you've seen The Matrix Reloaded, think of the \nway Agent Smith makes infinite copies of himself to try to destroy \nKeanu Reeves' Neo.) A Trojan is a program that rolls into your computer \nunannounced, then persuades the computer to launch it through fraud.\n    As spam and malicious code converge, however, such definitions are \nbecoming less useful. 
That's why experts like Trend Micro's Perry are \nnow looking at a broader term--``malware''--to describe any program \nwith malicious intent. ``With traditional hackers, the motivation has \nalways been to prove that you're a rad dude,'' Perry said in a phone \ninterview from the Las Vegas hacker convention DefCon. ``But when we \nstart seeing these techniques used for commercial gain like spam, it's \ngoing to get a whole lot more serious.'' Cybersurfers, beware.\n\n    Mr. Green. Thank you, Mr. Chairman. We can all agree that \nspam is a serious problem that both Congress and the private \nsector should address quickly, and I hope that Congress will \nact before the end of the session to enact the Wilson-Green \nAntispam Act of 2003, which is the strongest antispam bill in \nCongress.\n    And, Mr. Chairman, again, I would like to ask unanimous \nconsent to place into the record a letter by the Internet \nCommittee of the National Association of Attorneys General that \ntalks about the Senate bill that passed and the need for strong \nlegislation.\n    Mr. Stearns. By unanimous consent, so ordered.\n    [The letter follows:]\n    [GRAPHIC] [TIFF OMITTED] 90728.001 through 90728.005\n    \n    Mr. Green. Thank you, again, Mr. Chairman.\n    When we investigate cybersecurity, however, we must also \nconsider the increasing troubles and problem of identity theft. \nAccording to the Federal Trade Commission, identity theft is \nthe most common complaint from consumers in all 50 States. With \nsimple personal information such as name, Social Security \nnumber, or credit card number, identity thieves can commit \nfraud or other crimes in our name.\n    The implications for victims of identity theft can't be \noverexaggerated. 
They can easily include damaged credit
records, unauthorized credit card charges, and bank
withdrawals, not to mention the months or even years that it
takes for victims to restore their good names and credit
records.
    The magic question remains, how can we prevent these
computer-related security problems that seem to be spiraling
out of control? With the increased organization, efficiency,
and productivity that computer systems offer, it is safe to say
that our dependence on computers will continue to rise;
therefore, we must ensure that we take the appropriate
precautions to ensure that any information stored in or
transmitted through computers, be it personal, medical, or
financial, is secure.
    We also need to examine the extent to which the Federal
Government and other law enforcement mechanisms can help solve
this problem. By some estimates, less than 30 percent of
computer attacks come from outside of a company or computer
system. That being said, I think we have to work with the
private sector to take a hard look at the practices companies
are putting in place to combat attacks within their own
firewall.
    I am also interested to hear our witnesses' experience with
cybersecurity and learn their opinions on how best we can go
about solving these problems. And, again, I would like to thank
our panel today, and look forward to their testimony.
    Thank you, Mr. Chairman and Ranking Member Schakowsky.
    Mr. Stearns. Thank you.
    Mr. Pitts.
    Mr. Pitts. Thank you, Mr. Chairman. And thank you for
convening this important hearing on cybersecurity.
    Rapid advances in technology are greatly impacting the
lives of every American. Computer software, information
systems, and cybernetworks are revolutionizing the way that we
communicate, and the way we conduct business and provide
services. And while there is a lot of good in the advances,
there is also great potential for harm.
    Technology is a cat-and-mouse game. Each advancement of
technology leads to an exploitation that we must vigilantly
guard against, and the hearing this morning takes a look at the
myriad threats to cybersecurity. One area that I am greatly
concerned about is the development of peer-to-peer software.
    Peer-to-peer software allows individuals to download and
trade files, many of which are illegal, with one another. It
has also become the latest vehicle that pedophiles use to
exploit and abuse innocent children by distributing child
pornography. And peer-to-peer software can cause any personal
information stored in a computer, such as financial or medical
records, to be inadvertently shared with anyone else with the
same software.
    And that is why my colleague Chris John and I introduced
H.R. 2885, ``The Protecting Children from Peer to Peer
Pornography Act.''
    Mr. Chairman, I appreciate your interest in this issue. It
is my hope that we can have a hearing in the near future
dedicated to taking a closer look at this dangerous new
software that threatens our children or a person's privacy and
our cybersecurity in general.
    Thank you, Mr. Chairman.
    Mr. Stearns. Thank you.
    The gentleman from New York, Mr. Towns.
    Mr. Towns. Thank you very much, Mr. Chairman.
    The Internet will never reach its fullest potential unless
consumers feel comfortable and confident while surfing the Web
and partaking in e-commerce.
How can we ask citizens to put
personal information, such as credit cards, PIN numbers, onto
the computer if they are worried about issues such as identity
theft, spam, or other privacy protections?
    It seems that every time we turn around there is a new
virus harming commerce on the Internet, and the most pressing
of these data and privacy abuses is what has come to be known
as spyware. Spyware is a particularly dangerous threat to the
future of e-commerce and Internet consumer confidence.
    Many times consumers do not even know what this software--
which can track all movements on a computer, copy keystrokes,
and open security holes in networks--is open on their system,
much less have the knowledge it takes to get them removed.
    It should also be noted that many of the peer-to-peer
programs such as Kazaa and Morpheus are funded largely by
allowing these spyware companies to piggyback on their network,
allowing for corporate entities to gain information about our
children and their on-line habits.
    I am proud to be the lead Democratic sponsor of H.R. 2929,
the Safeguard Against Privacy Invasion Act, with my friend from
California, Mrs. Bono. This bill will ban these programs from
being downloaded from the Internet to unknowing consumers. It
is a commonsense approach to privacy protection, and I would
like to thank the many members on both sides of the aisle from
this committee who have chosen to cosponsor the bill with us,
and look forward to working closely with the leadership to
ensure its passage through the committee.
    On that note, Mr. Chairman, I yield back the balance of my
time.
    Mr. Stearns. I thank the gentleman.
    Mr. Shimkus.
    Mr. Shimkus. Thank you, Mr. Chairman, and I will be brief.
    I always want to take the opportunity to, especially in
consumer protection that deals with the Internet and
cybersecurity, to continue to mention .kids.us as a place safe
for kids, that was passed into law, signed by the President,
and now we have groups that are using it: Smithsonian.kids.us,
it is safe, no hyperlinks, no chatrooms for kids under the age
of 13.
    And so I use the bully pulpit here to continue to help
build interest and movement for people to take use of .kids.us.
    Other than that, Mr. Chairman, I know we have got a great
panel of people testifying. I want to get to that. Thank you
for the time. And I yield back.
    Mr. Stearns. I thank the gentleman.
    The gentlelady from Missouri.
    Ms. McCarthy. Mr. Chairman, I want to thank you for pulling
together such a distinguished panel of experts for our work
today. I am going to put my remarks in the record so that we
can get on learning about the wisdom that is here to be shared.
    Mr. Stearns. I thank the gentlelady.
    And the vice chairman of the committee, Mr. Shadegg.
    Mr. Shadegg. Thank you, too, Mr. Chairman. I too want to
thank you for holding this important hearing today and for
putting together a tremendous panel for us to learn from.
    And I do want to mention that both as a member of this
subcommittee, and as a member of the Select Homeland Security
Committee, I worry deeply about these issues. I have devoted a
great deal of time to them, having written in 1998 the Identity
Theft and Assumption Deterrence Act, which made identity theft
a Federal crime for the first time.
    We have already heard here this morning the degree to which
millions of Americans are victimized by that crime, and that we
are losing billions of dollars to it.
    The Fair Credit Reporting Act, which is now in conference,
includes some important provisions to deal with that issue. But
there is much more we can do. And I appreciate, Mr. Chairman,
your holding this hearing, and I look forward to the testimony
of the witnesses.
    Mr. Stearns. I thank my colleague.
    [Additional statement submitted for the record follows:]
 Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee
                         on Energy and Commerce
    Mr. Chairman, Thank you for calling this important hearing today.
    Cyber security is a very serious concern in today's digital world,
and as our global economy and all of our lives rely more and more on
computers, it will become essential that we ensure that our nation's
computers--corporate, government, and personal computers--are safe from
the hackers and other malefactors in the digital environment. We've
learned in the last few years how much damage viruses and worms, such
as ``Sobig.F'' and ``Blaster,'' can do to our computer infrastructure.
In fact, the New York Times estimated that the cost of the ``I Love
you'' virus alone--which seriously affected this House and this
Committee--may have reached as much as $15 Billion.
    Computers affect almost every aspect of our daily lives. From our
computers at home and our personal e-mail accounts, to the daily work
of the public and private sectors, the role of computers in our society
is so ubiquitous as to go almost unnoticed at times. The security of
these systems however cannot go unnoticed. Not only can the e-mail
system of the House of Representatives be hindered or disabled, but one
shudders to think of the damage that could be done to countless
consumers if someone was able to infiltrate one of the many enormous
databases in this country and steal the personal information--from
credit card numbers to music preferences--of millions of Americans.
    This kind of theft and misuse of personal data is not yet a
widespread problem, but unless we all facilitate and encourage open
discussion about how we best combat the bad actors, we will only see
these problems grow. Most computer scientists don't say ``if'' when
discussing this possibility, they say ``when.'' They believe that a
truly debilitating virus will inevitably make its way around the
Internet sometime in the relatively near future. Companies must take a
preventive approach when looking at solutions to security problems.
They must realize that, as the old adage says, ``An ounce of prevention
is worth a pound of cure.'' We must combat technology with technology.
Investment must be made in the security of vital and sensitive systems,
in order to ensure the confidence of the American people in the retail,
banking, and health care computer systems they depend upon.
    But simply investing in technology to combat viruses is not enough.
In the end, the private sector and the American people must work in
concert to best protect the computers and networks we all use. The
private sector needs to reevaluate its vulnerabilities as well as its
current security priorities. The public needs to be better educated
about anti-virus software and personal firewalls for their home
computers, as well as the insidious ``SpyWare'' technology that can
monitor individuals' computers and their actions on the Internet. I
know the gentlelady from California, Ms. Bono, has introduced a bill--
H.R. 2929, ``The Safeguard Against Privacy Invasions Act''--that
attempts to deal with this concern, and I look forward to working with
her on the bill to try to prevent these intrusions.
    In the end, Mr. Chairman, it seems that the genie is out of the
proverbial bottle, and this problem is not going to go away on its own.
It is up to all of us to work together to safeguard our computer
infrastructure to prevent the next serious virus from becoming a
nationwide, indeed even a worldwide problem.
    Thank you, and I yield back the balance of my time.

    Mr. Stearns. And with that, we will start with the panel
and welcome the Honorable Orson Swindle, the Commissioner of
the Federal Trade Commission; Mr. Howard Schmidt, Vice
President, Chief Information Security Officer of eBay; Mr.
Scott Charney, Chief Trustworthy Computing Strategist from
Microsoft Corporation; Mr. David Morrow, Managing Principal,
Global Security and Privacy Services; Ms. Mary Ann Davidson,
Chief Security Officer, Oracle Corporation; Mr. Joseph G.
Ansanelli, Chairman and CEO of Vontu, Incorporated; Mr. Daniel
Burton, Vice President of Government Affairs, Entrust
Technologies; and Mr. Roger Thompson, Vice President of Product
Development, PestPatrol, Incorporated.
    And we will let Commissioner Swindle start. We will go from
my right to my left. I welcome you.

 STATEMENTS OF HON. ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE
     COMMISSION; HOWARD A. SCHMIDT, VICE PRESIDENT, CHIEF
 INFORMATION SECURITY OFFICER, eBAY INC.; SCOTT CHARNEY, CHIEF
TRUSTWORTHY COMPUTING STRATEGIST, MICROSOFT CORPORATION; DAVID
  B. MORROW, MANAGING PRINCIPAL, GLOBAL SECURITY AND PRIVACY
   SERVICES, EDS; MARY ANN DAVIDSON, CHIEF SECURITY OFFICER,
  ORACLE CORPORATION; JOSEPH G. ANSANELLI, CHAIRMAN AND CEO,
   VONTU, INC.; DANIEL BURTON, VICE PRESIDENT, GOVERNMENTAL
    AFFAIRS, ENTRUST TECHNOLOGIES; AND ROGER THOMPSON, VICE
       PRESIDENT OF PRODUCT DEVELOPMENT, PESTPATROL, INC.

    Mr. Swindle. Thank you, Mr. Chairman. Mr. Chairman, members
of the subcommittee, I appreciate the opportunity to present
the Commission's views on Cybersecurity and Consumer Data: What
is at risk for the consumer?
    At the outset, I believe that it is important that we not
lose sight of the forest for the trees. Cybersecurity is a vast
issue that faces many threats, and the challenges that the
Commission faces in protecting consumers in cyberspace are
numerous. The Commission takes action to protect consumers from
fraud, whether they are individuals or companies who engage in
identity theft, use a pretext to obtain personal information,
employ deceptive spam to trick consumers into providing
personal and financial information (phishing), misrepresent the
sender of spam to misdirect the ``remove me'' request to an
innocent third party (spoofing), or exploit computer system
vulnerabilities in order to extort money from consumers (D-
Square Solutions).
    Consumers are also placed at risk by their own conduct,
such as through peer-to-peer file-sharing or failing to use
firewalls and antivirus software. While there are many
challenges to cybersecurity, I will focus my remarks on
companies who obtain and control consumer information.
    The Commission addresses information security concerns
through aggressive law enforcement actions, consumer and
business education, and international cooperation. Through
these efforts we strive to enhance the security of information
systems and networks and bring attention to the fact that all
users of information technology, that is, government, industry,
and the general public, must play a role in this effort.
    If companies fail to keep their express and implied
promises to protect sensitive information obtained from
consumers, then those promises are deceptive. The Commission
has brought enforcement actions against such companies for
violating Section 5 of the Federal Trade Commission Act, which
prohibits unfair and deceptive practices.
    Three of these Commission cases illustrate some important
principles. The case against Eli Lilly demonstrates that a
company's security procedures must be appropriate for the kind
of information it collects and maintains. Despite promises to
maintain security of sensitive information, Eli Lilly
inadvertently disclosed the names of consumers who used a
prescription drug.
    Our case against Microsoft illustrates that there can be
law violations without a known or actual breach of security.
Microsoft promised consumers that it would maintain a high
level of security for its Passport and Passport Wallet system
of accounts. Even though there was no actual security breach,
after reviewing Microsoft's systems, the Commission alleged
that Microsoft failed to take reasonably appropriate measures
to maintain the security of consumers' personal information.
    The case against Guess, Inc. illustrates that good security
depends upon an ongoing process of risk assessment, identifying
vulnerabilities, and taking reasonable steps to minimize or
eliminate those risks. We alleged that Guess stored consumers'
information, including credit card numbers, in clear
unencrypted text, despite claims to the contrary.
    Unencrypted information is vulnerable to attackers,
something that is well known in the industry and can be
corrected.
    The Commission's settlements in these three cases require
the companies to implement comprehensive information security
programs. In addition, Microsoft and Guess must obtain an
independent security audit every 2 years.
    The Commission has engaged in a broad and continuing
awareness and outreach campaign to educate businesses,
consumers, and political leaders about the importance of
cybersecurity. We work closely with industry, government
agencies, and consumer groups to expand awareness. This is the
single most essential element in creating a culture of security
that is increasingly necessary for the protection of our
critical infrastructure.
    We have a first-class Web site focusing on safe computing
practices. Our site provides a wealth of information on
cybersecurity and how each of us can and must contribute to the
effort. Our Web site registered more than 400,000 visits in the
first year of deployment, making it one of the most popular FTC
Web pages. And, a Google search recently indicates that 445
other Web sites link to our security site.
    Every House and Senate office has a copy of our safe
computing disk. And I might add, I will hold this up, and I
think there is a package on your desk with a lot of our
information security material in the package.
    This CD disk was designed to assist each Member of Congress
and staff in educating constituents on safe computing
practices. Several Members of Congress have constructed
excellent information security pages on their Web sites using
information from the FTC. Each Member is an outstanding leader
within his or her community and district.
As the FTC's
authorizing body and as the leaders in consumer protection,
this committee in particular can partner with us effectively in
our consumer awareness efforts on information security.
    Our staff and I personally are standing by to help you and
join with you in leading.
    In addition to law enforcement and our awareness campaign,
the Commission has taken an active leadership role in
international efforts promoting cybersecurity. In 2002, the FTC
led the U.S. Delegation, working with the OECD, to revise its
security guidelines. The revised guidelines serve as an
excellent, common sense starting point for government,
business, and organizations to implement information security.
They address accountability, awareness, and action by all
participants and form the basis for international cooperation
toward establishing a culture of security. The guidelines have
been embraced by the United Nations, APEC, nongovernment
organizations, and many international businesses and
associations.
    In conclusion, attaining adequate information security will
be a continuing journey; a long project, where complacency is
not an option. I look forward to responding to your questions.
Thank you.
    [The prepared statement of Hon. Orson Swindle follows:]
 Prepared Statement of Hon. Orson Swindle, Commissioner, Federal Trade
                               Commission
                            i. introduction
    Mr. Chairman, and members of the subcommittee, I am Commissioner
Orson Swindle.<SUP>1</SUP> I appreciate the opportunity to appear
before you today to discuss the Federal Trade Commission's role in
protecting information security and its importance to both consumers
and businesses.
    Today, maintaining the security of our computer-driven information
systems is essential to every aspect of our lives.
A secure information
infrastructure is required for the operation of everything from our
traffic lights to our credit and financial systems, including our
nuclear and electrical power supplies, and our emergency medical
service. We are all, therefore, directly or indirectly linked together
by this infrastructure. Consumers rely on and use computers at work and
at home; increasingly, more consumers are making purchases over the
Internet and paying bills and banking online.
    These interconnected information systems provide enormous benefits
to consumers, businesses, and government alike. At the same time,
however, these systems can create serious vulnerabilities that threaten
the security of the information stored and maintained in these systems
as well as the continued viability of the systems themselves. Every
day, security breaches cause real and tangible harms to businesses,
other institutions, and consumers.<SUP>2</SUP> These breaches and the
harm they do shake consumer confidence in the companies and systems to
which they have entrusted their personal information.
                ii. the federal trade commission's role
    The Federal Trade Commission has a broad mandate to protect
consumers and the Commission's approach to information security is
similar to the approaches taken in our other consumer protection
efforts. As such, the Commission has sought to address concerns about
the security of our nation's computer systems through a combined
approach that stresses the education of businesses, consumers, and
government agencies about the fundamental importance of good security
practices; law enforcement actions; and international cooperation. Our
program encompasses efforts to ensure the security of computer
networks, an understanding that we all have a role to play, as well as
efforts to ensure that companies keep the promises they make to
consumers about information security and privacy.
In the information
security matters, our enforcement tools derive from Section 5 of the
FTC Act,<SUP>3</SUP> which prohibits unfair or deceptive acts or
practices, and the Commission's Gramm-Leach-Bliley Safeguard Rule
(``Safeguards Rule'' or ``Rule'').<SUP>4</SUP> Our educational efforts
include business education to promote compliance with the law, consumer
and business education to help promote a ``Culture of Security,''
international collaboration, public workshops to highlight emerging
issues, and outreach to political leaders.
A. Section 5
    The basic consumer protection statute enforced by the Commission is
Section 5 of the FTC Act, which provides that ``unfair or deceptive
acts or practices in or affecting commerce are declared unlawful.''
<SUP>5</SUP> The statute defines ``unfair'' practices as those that
``cause[] or [are] likely to cause substantial injury to consumers
which is not reasonably avoidable by consumers themselves and not
outweighed by countervailing benefits to consumers or to competition.''
<SUP>6</SUP> To date, the Commission's security cases have been based
on deception,<SUP>7</SUP> which the Commission and the courts have
defined as a material representation or omission that is likely to
mislead consumers acting reasonably under the
circumstances.<SUP>8</SUP>
    The companies that have been subject to enforcement actions have
made explicit or implicit promises that they would take appropriate
steps to protect sensitive information obtained from consumers. Their
security measures, however, proved to be inadequate; their promises,
therefore, deceptive.
    Through the information security enforcement actions, the
Commission has come to recognize several principles that govern any
information security program.
1. Security procedures should be appropriate under the circumstances
    First, a company's security procedures must be appropriate for the
kind of information it collects and maintains. Different levels of
sensitivity may dictate different types of security measures. It is
highly problematic when a company inadvertently releases sensitive
personal information due to inadequate security procedures.
    The Commission's first information security case, Eli
Lilly,<SUP>9</SUP> involved an alleged inadvertent disclosure of
sensitive information despite the company's promises to maintain the
security of that information. Specifically, Lilly put consumers' e-mail
addresses in the ``To'' line of the e-mail that was sent to Prozac
users who subscribed to a service on Lilly's website, essentially
disclosing the identities of all of the Prozac user-subscribers.
    Given the sensitivity of the information involved, this disclosure
was a serious breach. Nevertheless, the Commission recognized that
there is no such thing as ``perfect'' security and that breaches can
occur even when a company has taken all reasonable precautions.
Therefore, the Commission construed statements in Lilly's privacy
policy as a promise to take steps ``appropriate under the
circumstances'' to protect personal information. Similarly, the
complaint alleged that the breach resulted from Lilly's ``failure to
maintain or implement internal measures appropriate under the
circumstances to protect sensitive consumer information.''
<SUP>10</SUP> The focus was on the reasonableness of the company's
efforts.
    According to the complaint in the Lilly matter, the company failed,
among other things, to provide appropriate training and oversight for
the employee who sent the e-mail and to implement appropriate checks on
the process of using sensitive customer data.
The order contains strong \nrelief that should provide significant protections for consumers, as \nwell as ``instructions'' to companies. First, it prohibits the \nmisrepresentations about the use of, and protection for, personal \ninformation. Second, it requires Lilly to implement a comprehensive \ninformation security program similar to the program required under the \nFTC's Gramm-Leach-Bliley Safeguards Rule, which is discussed below. \nFinally, to provide additional assurances that the information security \nprogram complies with the consent order, every year the company must \nhave its program reviewed by a qualified person to ensure compliance.\n2. Not All Security Breaches Are Violations of FTC Law\n    The second principle that arises from the Commission's enforcement \nin the information security area is that not all breaches of \ninformation security are violations of FTC law--the Commission is not \nsimply saying ``gotcha'' for security breaches. Although a breach may \nindicate a problem with a company's security, breaches can happen, as \nnoted above, even when a company has taken every reasonable precaution. \nIn such instances, the breach will not violate the laws that the FTC \nenforces. Instead, the Commission recognizes that security is an \nongoing process of using reasonable and appropriate measures in light \nof the circumstances.\n    When breaches occur, our staff reviews available information to \ndetermine whether the incident warrants further examination. If it \ndoes, the staff gathers information to enable us to assess the \nreasonableness of the company's procedures in light of the \ncircumstances surrounding the breach. This allows the Commission to \ndetermine whether the breach resulted from the failure to have \nprocedures in place that are reasonable in light of the sensitivity of \nthe information. In many instances, we have concluded that FTC action \nis not warranted. 
When we find a failure to implement reasonable \nprocedures, however, we act.\n3. Law Violations Without a Known Breach of Security\n    The Commission's case against Microsoft <SUP>11</SUP> illustrates a \nthird principle--that there can be law violations without a known \nbreach of security. Because appropriate information security practices \nare necessary to protect consumers' privacy, companies cannot simply \nwait for a breach to occur before they take action. Particularly when \nexplicit promises are made, companies have a legal obligation to take \nreasonable steps to guard against reasonably anticipated \nvulnerabilities.\n    Like Eli Lilly, Microsoft promised consumers that it would keep \ntheir information secure. Unlike Lilly, there was no specific security \nbreach that triggered action by the Commission. The Commission's \ncomplaint alleged that there were significant security problems that, \nleft uncorrected, could jeopardize the privacy of millions of \nconsumers. In particular, the complaint alleged that Microsoft did not \nemploy ``sufficient measures reasonable and appropriate under the \ncircumstances to maintain and protect the privacy and confidentiality \nof personal information obtained through Passport and Passport \nWallet.'' <SUP>12</SUP> The complaint further alleged that Microsoft \nfailed to have systems in place to prevent unauthorized access; detect \nunauthorized access; monitor for potential vulnerabilities; and record \nand retain systems information sufficient to perform security audits \nand investigations. Again, sensitive information was at issue--\nfinancial information including credit card numbers.\n    Like the Commission's order against Eli Lilly, the Microsoft order \nprohibits any misrepresentations about the use of, and protection for, \npersonal information and requires Microsoft to implement a \ncomprehensive information security program. 
In addition, Microsoft must \nhave an independent professional certify, every two years, that the \ncompany's information security program meets or exceeds the standards \nin the order and is operating effectively.\n4. Good Security is an Ongoing Process of Assessing Risks and \n        Vulnerabilities\n    The Commission's third case, against Guess, Inc.,<SUP>13</SUP> \nhighlighted a fourth principle--that good security is an ongoing \nprocess of assessing and addressing risks and vulnerabilities. The \nrisks companies and consumers confront change over time. Hackers and \nthieves will adapt to whatever measures are in place, and new \ntechnologies likely will have new vulnerabilities waiting to be \ndiscovered. As a result, companies need to assess the risks they face \non an ongoing basis and make adjustments to reduce these risks.\n    The Guess case highlighted this crucial aspect of information \nsecurity in the context of web-based applications and the databases \nassociated with them. Databases frequently house sensitive data such as \ncredit card numbers, and Web-based applications are often the ``front \ndoor'' to these databases. It is critical that online companies take \nreasonable steps to secure these aspects of their systems, especially \nwhen they have made promises about the security they provide for \nconsumer information.\n    In Guess, the Commission alleged that the company broke such a \npromise concerning sensitive information collected through its website, \nwww.guess.com. According to the Commission's complaint, by conducting a \n``web-based application'' attack on the Guess website, an attacker \ngained access to a database containing 191,000 credit card numbers. \nThis particular type of attack was well known in the industry and \nappeared on a variety of lists of known vulnerabilities. 
The complaint \nalleged that, despite specific claims that it provided security for the \ninformation collected from consumers through its website, Guess did \nnot: employ commonly known, relatively low-cost methods to block web-\napplication attacks; adopt policies and procedures to identify these \nand other vulnerabilities; or test its website and databases for known \napplication vulnerabilities, which would have disclosed that the \nwebsite and associated databases were at risk of attack. Essentially, \nthe Commission alleged that the company had no system in place to test \nfor known application vulnerabilities or to detect or to block attacks \nonce they occurred.\n    In addition, the complaint alleged that Guess misrepresented that \nthe personal information it obtained from consumers through \nwww.guess.com was stored in an unreadable, encrypted format at all \ntimes; but, in fact, after launching the attack, the attacker could \nread the personal information, including credit card numbers, stored on \nwww.guess.com in clear, unencrypted text.\n    As in its prior security cases, the Commission's emphasis in Guess \nwas on reasonableness. When the information is sensitive, the \nvulnerabilities well known, and the fixes inexpensive and relatively \neasy to implement, it is unreasonable simply to ignore the problem. As \nin the prior orders, the Commission's order against Guess prohibits the \nmisrepresentations, requires Guess to implement a comprehensive \ninformation security program, and, like Microsoft, requires an \nindependent audit every two years.\nB. 
GLB Safeguards Rule\n    In addition to our enforcement authority under Section 5 of the FTC \nAct, the Commission also has responsibility for enforcing its Gramm-\nLeach-Bliley Safeguards Rule, which requires financial institutions \nunder the FTC's jurisdiction to develop and implement appropriate \nphysical, technical, and procedural safeguards to protect customer \ninformation.<SUP>14</SUP> The Rule became effective on May 23 of this \nyear, and the Commission expects that it will quickly become an \nimportant enforcement and guidance tool to ensure greater security for \nconsumers' sensitive financial information. The Safeguards Rule \nrequires a wide variety of financial institutions to implement \ncomprehensive protections for customer information--many of them for \nthe first time. If fully implemented by companies, as required, the \nRule could go a long way to reduce risks to this information, including \nidentity theft.\n    The Safeguards Rule requires financial institutions to develop a \nwritten information security plan that describes their program to \nprotect customer information. 
Due to the wide variety of entities \ncovered, the Rule requires a plan that accounts for each entity's \nparticular circumstances--its size and complexity, the nature and scope \nof its activities, and the sensitivity of the customer information it \nhandles.\n    As part of its plan, each financial institution must: (1) designate \none or more employees to coordinate the safeguards; (2) identify and \nassess the risks to customer information in each relevant area of the \ncompany's operation, and evaluate the effectiveness of the current \nsafeguards for controlling these risks; (3) design and implement a \nsafeguards program, and regularly monitor and test it; (4) hire \nappropriate service providers and contract with them to implement \nsafeguards; and (5) evaluate and adjust the program in light of \nrelevant circumstances, including changes in the firm's business \narrangements or operations, or the results of testing and monitoring of \nsafeguards. The Safeguards Rule requires businesses to consider all \nareas of their operation, but identifies three areas that are \nparticularly important to information security: employee management and \ntraining; information systems; and management of system failures.\n    Prior to the Rule's effective date, the Commission issued guidance \nto businesses covered by the Safeguards Rule to help them understand \nthe Rule's requirements.<SUP>15</SUP> Commission staff also met, and \ncontinues to meet, with a variety of trade associations and companies \nto alert them to the Rule's requirements and to gain a better \nunderstanding of how the Rule is affecting particular industry \nsegments. Now that the Rule is effective, the Commission is \ninvestigating compliance by covered entities.\nC. 
Education and workshops\n    In addition to our law enforcement efforts and conducting outreach \nunder the Commission's Safeguards Rule, the Commission has engaged in \na broad educational campaign to educate businesses and consumers about \nthe importance of information security and the precautions they can \ntake to protect or minimize risks to personal information. These \nefforts have included creation of an information security ``mascot,'' \nDewie the e-Turtle, who hosts a portion of the FTC website devoted to \neducating businesses and consumers about security,<SUP>16</SUP> \npublication of business guidance regarding common vulnerabilities in \ncomputer systems,<SUP>17</SUP> speeches by Commissioners and staff \nabout the importance of this issue, and outreach to the international \ncommunity. Many offices in the Commission, including the Commission's \nBureau of Consumer Protection, the Office of Public Affairs, and the \nOffice of Congressional Relations, have participated in this effort to \neducate consumers and businesses.\n    The Commission's outreach effort is centered on the Commission's \ninformation security website.<SUP>18</SUP> The website registered more \nthan 400,000 visits in its first year of deployment, making it one of \nthe most popular FTC web pages. The site is now available in CD-ROM and \nPDF format and frequently updated with new information for consumers on \ncybersecurity issues. 
In addition, the Commission's Office of Consumer \nand Business Education has produced a video news release, which has \nbeen seen by an estimated 1.5 million consumers; distributed 160,000 \npostcards featuring Dewie and his information security message to \napproximately 400 college campuses nationwide; and coordinated the 2003 \nNational Consumer Protection Week with a consortium of public- and \nprivate-sector organizations around the theme of information security.\n    Finally, the Commission's Office of Congressional Relations has \nconducted outreach through constituent service representatives in each \nof the 535 House and Senate member offices by mailing ``Safe \nComputing'' CDs. We would like to thank Chairman Stearns for his \nleadership on the issue of cybersecurity, and for encouraging his \ncolleagues, in his July 18, 2003 ``Dear Colleague'' letter announcing \nthe delivery of the FTC's safe Internet practices outreach kit, to \neducate their constituents on safe computing practices.\n    In addition, the Commission uses opportunities that arise in non-\nsecurity cases to educate the public about security issues. For \nexample, in early November, the Commission announced that a district \ncourt issued a temporary restraining order in an action against D \nSquared Solutions, and its principals.<SUP>19</SUP> The complaint \nalleged that the defendants operated a scam that barraged consumers' \ncomputers with repeated Windows Messenger Service pop-up ads--most of \nwhich advertised software that consumers could purchase for about $25 \nto block future pop-ups. Part of what made the defendants' conduct so \negregious is that consumers continued to be bombarded by pop-ups, even \nwhen they were off of the Internet and working in other applications \nsuch as word-processing or spreadsheet programs, and that the defendants \nallegedly either sold or licensed their pop-up-sending software to \nother people, allowing them to engage in the conduct. 
The defendants' \nwebsite allegedly offered software that would allow buyers to send pop-\nups to 135,000 Internet addresses per hour, along with a database of \nmore than two billion unique addresses. Contrary to the defendants' \nrepresentations, consumers, when educated about how the Windows \noperating system works, can actually stop pop-up spam at no cost by \nchanging the Windows default system.\n    In addition to bringing a law enforcement action to halt the \ndefendants' conduct, the Commission issued an alert to consumers about \nthe security issues raised in the case. The ``Consumer Alert'' provides \ninstructions for consumers on how to disable the Windows Messenger \nService in order to avoid other pop-up spam. The alert<SUP>20</SUP> \nalso discusses the use of firewalls to block hackers from accessing \nconsumers' computers.\n    Finally, the Commission continues, and will continue, to host \nworkshops on information security issues when appropriate. Last summer, \nthe Commission hosted two workshops focusing on the role technology \nplays in protecting personal information.<SUP>21</SUP> The first \nworkshop focused on the technologies available to consumers to protect \nthemselves. Panelists generally agreed that, to succeed in the \nmarketplace, these technologies must be easy to use and built into the \nbasic hardware and software consumers purchase.\n    The second workshop focused on the technologies available to \nbusinesses. We learned that businesses, like consumers, need technology \nthat is easy to use and compatible with their other systems. \nUnfortunately, we also heard that too many technologies are sold before \nundergoing adequate testing and quality control, frustrating progress \nin this area.\n    The Commission also held a workshop on unsolicited commercial e-\nmail (``spam'') which was instructive about the security risks that \nspam poses. 
We learned that, in addition to other problems, spam can \nalso serve as a vehicle for malicious and damaging code.\nD. International Efforts\n    In addition to our cases and domestic efforts, the Commission has \ntaken an active international role in promoting cybersecurity. We \nrecognize that American society and societies around the world need to \nthink about security in a new way. The Internet and associated \ntechnology have literally made us a global community. We are joining \nwith our neighbors in the global community in this enormous effort to \neducate and establish a culture of security.\n    During the summer of 2002, the Organization for Economic \nCooperation and Development (``OECD'') issued a set of principles for \nestablishing a culture of security--principles that can assist us all \nin minimizing our vulnerabilities. Commissioner Swindle has had the \nopportunity to work with this organization and to head the U.S. \nDelegation to the Experts Group on the post-September 11 review of \nexisting OECD Security Guidelines and to the Working Party on \nInformation Security and Privacy.\n    The OECD principles are contained in a document entitled \n``Guidelines for the Security of Information Systems and Networks: \nTowards a Culture of Security.'' <SUP>22</SUP> The nine principles are \nan excellent, common-sense starting point for formulating a workable \napproach to security. They address awareness, accountability, and \naction. They also reflect the principles that guide the FTC in its \nanalysis of security-related cases, including that security \narchitecture and procedures should be appropriate for the kind of \ninformation collected and maintained and that good security is an \nongoing process of assessing and addressing risks and vulnerabilities. \nThese principles can be incorporated at all levels of use among \nconsumers, government policy makers, and industry. 
They already have \nbeen the model for more sector-specific guidance by industry groups and \nassociations.\n    Besides the OECD, the Commission also is involved in information \nprivacy and cybersecurity work undertaken by the Asia-Pacific Economic \nCooperation (``APEC'') forum. APEC's Council of Ministers endorsed the \nOECD Security Guidelines in 2002. Promoting information system and \nnetwork security is one of its chief priorities. The APEC Electronic \nCommerce Steering Group (``ECSG'') promotes awareness and \nresponsibility for cybersecurity among small and medium-sized \nbusinesses that interact with consumers. Commission staff participated \nin APEC workshop and business education efforts this past year and is \nactively engaged in this work for the foreseeable future.\n    Along with the OECD and APEC, in December 2002, the United Nations \nGeneral Assembly unanimously adopted a resolution calling for the \ncreation of a global culture of cybersecurity. Other UN groups, \ninternational organizations, and bilateral groups with whom the \nCommission has dialogues, including the TransAtlantic Business and \nConsumer Dialogues, the Global Business Dialogue on Electronic \nCommerce, and bilateral governmental partners in Asia and in the EU, \nalso are working on cybersecurity initiatives.\n    Notwithstanding these global efforts, developing a ``Culture of \nSecurity'' is a daunting challenge. The FTC and other government \nagencies have a role to play, but the government cannot do this alone, \nnor should it try. The Commission is working with consumer groups, \nbusiness, trade associations, and educators to instill this new way of \nthinking. We are encouraging our global partners to do the same and to \nshare what is learned.\n                            iii. conclusion\n    The Commission, through law enforcement and consumer and business \neducation, is committed to reducing the harm that occurs through \ninformation security breaches. 
Maintaining good security practices is a \ncritical step in preventing these breaches and the resulting harms, \nwhich can range from major nuisance to major destruction. The critical \nlesson in this information-based economy is that we are all in this \ntogether: government, private industry, and consumers, and we must all \ntake appropriate steps to create a culture of security.\n\n                                ENDNOTES\n\n    <SUP>1</SUP> The views expressed in this statement represent the \nviews of the Commission. My oral presentation and responses to \nquestions are my own and do not necessarily represent the views of the \nCommission or any other Commissioner.\n    <SUP>2</SUP> For example, our recently released Identity Theft \nReport, available at http://www.ftc.gov/os/2003/09/synovatereport.pdf, \nshowed that over 27 million individuals have been victims of identity \ntheft, which may have occurred either offline or online, in the last \nfive years, including almost 10 million individuals in the last year \nalone. The survey also showed that the average loss to businesses was \n$4800 per victim. Although various laws limit consumers' liability for \nidentity theft, their average loss was still $500--and much higher in \ncertain circumstances.\n    <SUP>3</SUP> 15 U.S.C. § 45.\n    <SUP>4</SUP> 16 C.F.R. Part 314, available online at http://\nwww.ftc.gov/os/2002/05/67fr36585.pdf.\n    <SUP>5</SUP> 15 U.S.C. § 45(a)(1).\n    <SUP>6</SUP> 15 U.S.C. § 45(n).\n    <SUP>7</SUP> Where appropriate, the Commission has also brought \nInternet cases using the unfairness doctrine. See FTC v. C.J., Civ. No. \n03-CV-5275-GHK (RZX) (Filed C.D. Cal. July 24, 2003), http://\nwww.ftc.gov/os/2003/07/phishingcomp.pdf.\n    <SUP>8</SUP> Letter from FTC to Hon. John D. Dingell, Chairman, \nSubcommittee on Oversight and Investigations (Oct. 14, 1983), reprinted \nin appendix to Cliffdale Associates, Inc., 103 F.T.C. 
110, 174 (1984) \n(setting forth the Commission's Deception Policy Statement).\n    <SUP>9</SUP> The Commission's final decision and order against Eli \nLilly is available at www.ftc.gov/os/2002/05/elilillydo.htm. The \ncomplaint is available at www.ftc.gov/os/2002/05/elilillycmp.htm.\n    <SUP>10</SUP> Eli Lilly Complaint, paragraph 7.\n    <SUP>11</SUP> The Commission's final decision and order against \nMicrosoft is available at http://www.ftc.gov/os/2002/12/\nmicrosoftdecision.pdf. The complaint is available at http://\nwww.ftc.gov/os/2002/12/microsoftcomplaint.pdf.\n    <SUP>12</SUP> Microsoft Complaint, paragraph 7.\n    <SUP>13</SUP> The Commission's final decision and order against \nGuess, Inc. is available at http://www.ftc.gov/os/2003/06/\nguessagree.htm. The complaint is available at http://www.ftc.gov/os/\n2003/06/guesscmp.htm.\n    <SUP>14</SUP> 16 C.F.R. Part 314, available online at http://\nwww.ftc.gov/os/2002/05/67fr36585.pdf.\n    <SUP>15</SUP> Financial Institutions and Customer Data: Complying \nwith the Safeguards Rule, available at http://www.ftc.gove/bcp/conline/\npubs/buspubs/safeguards.htm.\n    <SUP>16</SUP> See http://www.ftc.gov/bcp/conline/edcams/\ninfosecurity/index.html.\n    <SUP>17</SUP> See http://www.ftc.gov/bcp/conline/pubs/buspubs/\nsecurity.htm.\n    <SUP>18</SUP> See http://www.ftc.gov/infosecurity.\n    <SUP>19</SUP> The Commission's press release announcing the case \ncan be found at http://www.ftc.gov/opa/2003/11/dsquared.htm.\n    <SUP>20</SUP> The alert can be found at http://www.ftc.gov/bcp/\nconline/pubs/alerts/popalrt.html.\n    <SUP>21</SUP> Additional information about the workshops is \navailable at http://www.ftc.gov/bcp/workshops/technology/indes.html.\n    <SUP>22</SUP> http://www.oecd.org/dataoecd/16/22/15582260.pdf\n\n    Mr. Stearns. I thank the Commissioner.\n    Mr. Schmidt, welcome.\n\n                 STATEMENT OF HOWARD A. SCHMIDT\n\n    Mr. Schmidt. Thank you, Mr. 
Chairman.\n    Chairman Stearns, distinguished members of the committee, \nmy name is Howard Schmidt. I am the Vice President and Chief of \nInformation Security for eBay, where I lead a team responsible \nfor ensuring the trustworthiness and security of the services \nthat bring so many global citizens together each day in this \ntremendous global marketplace.\n    I would like to thank you again for the opportunity to come \nbefore the committee for the second time and your continued \nleadership in this very important issue. Prior to arriving at \neBay a few months ago, I had the privilege of being appointed \nby President Bush to lead, with Richard Clarke, the President's \nCritical Infrastructure Protection Board, which represented one \npart of the overall government response to the threat of \ncybersecurity attacks in the wake of September 11; and after 31 \nyears retired, and we successfully published the National \nStrategy Defense for Cyberspace, working with a team of \ndedicated public servants, this body, and the American public.\n    In addition to my day job, I continue to proudly serve in \nthe U.S. Army Reserves, assigned to the 701st MP Group as a \nSpecial Agent with the computer crimes section, and also serve \non the board of directors for ISC Squared, the body that \noversees certification for security professionals through the \nCISSP certification.\n    My remarks today will focus primarily on the changes that \nhave taken place with both business and government to create \nthe level of information-sharing and collaboration necessary to \nimprove cybersecurity and to further improve security for \nconsumers, as well as how the sharing and collaboration has \nindeed improved the level of information and protection of \nconsumer data.\n    I would like to provide my update in specific examples of \nimprovement in four major areas. 
Those areas are awareness and \neducation, product enhancement, government activities and \nprivate sector initiatives. While these examples will not be \ncomprehensive, they will indeed be some representative efforts \nwe have undergone.\n    I would also state, even though my comments are very \noptimistic as where we have come from, I think we will also \nhave a long way to go. I think under the block of awareness and \neducation, one of the biggest visible changes that has taken \nplace is the increase in dialog and training to better inform \nthe end user and consumer on how to secure their computer \nsystems and their information.\n    One of the first consumer-targeted awareness programs was \ntruly a joint public/private partnership between many of the \ncompanies, the FTC, NSA, as well as some other government \nagencies, and it took place in the formation of the \nCybersecurity Alliance, and the creation of our Web site, \nstaysafeonline.info, which we drove out of the efforts of the \nWhite House. This Web site has a wealth of information to help \neven the most inexperienced users understand cybersecurity, \npotential threats from on-line criminals, and steps they can \ntake to protect themselves.\n    In addition, we at the White House held a series of town \nhall meetings over the past 18 months to meet with private \nsector partners, individuals, parent-teacher organizations, \nwith speakers ranging from CEOs of major financial \ninstitutions, to my distinguished colleague to my left, \nCommissioner Orson Swindle. Many of these town meetings were \nalso Webcast to get the broadest audience to be able to see \nthem and participate over the Internet.\n    Private sector companies have also held free seminars \naround the country, providing awareness to citizens. Many of \nthese sessions focused on informing the elderly, one of the \nsegments of our society who has received great benefits in the \non-line world and the resources that it can provide. 
Also, as \nwe enter the holiday season, there will be mass media campaigns \nto educate consumers further on how to safely and securely \nenjoy the richness and robustness of the on-line e-commerce \nworld.\n    Under product enhancements, another major improvement we \nhave seen over the past 2 years has been the way security is \nnow offered as a standard within software and hardware. One \nvery visible example is with the hardware provided to use \nwireless technology and broadband, we now see firewalls being \nbuilt directly into these components as well as antivirus \nsoftware being built into wireless modem operations.\n    Major operating systems have now auto update features as \nantivirus functions. Many antivirus vendors have done an \namazing job in speeding up the detection and analysis of many \nof the threats that you have mentioned in your opening comments \nof the viruses and trojans that are found in the wire. Many of \nthem even provide free on-line services for consumers to be \nable to download and inspect their systems as a public service, \nand I noticed in the paper this morning, one of them is now \noffering free antivirus software for the next year.\n    Under the heading of government activities, there have been \na number of great activities beyond the creation of the \nNational Strategy to Defend Cyberspace. Recently the Department \nof Homeland Security created the U.S. Computer Emergency \nResponse Team at Carnegie Mellon as a focal point for building \npartnerships based on cybersecurity response networks and \nproviding a notification network of threats and vulnerabilities \nas they are discovered.\n    The Department of Justice, the U.S. Secret Service, and the \nFBI have significantly improved the response times and \nincreased priorities around the investigation of cybercrimes. 
\nAs a matter of fact, Director Mueller has placed cybercrime as \none of the top five priorities within the FBI, and the Secret \nService is growing a cadre of expert agents working with the \nprivate sector called the Electronic Crime Task Force. \nAdditionally, the Department of Defense continues to work in \nthat area as well.\n    On the government effort, since these things have no \nborders, the State Department has done a wonderful job in \ncreating multilateral and bilateral discussions with \ninternational partners, many of which the industry colleagues, \nsome of us sitting here today, have been a part of since the \nvery beginning.\n    Two quick examples in the private sector initiatives:\n    We know that there will be no silver bullets in enhancing \ncybersecurity, but recently we created a coalition to address \nspecifically the area of on-line identity theft. We have fully \nrecognized that the vast majority of identity theft occurs in \nthe off-line world through dumpster diving and other \nmechanisms, but we have seen, as many of you have, an increase \nin criminals attempting to do the same thing on line.\n    The two recent methods are what we call phishing, with a p-\nh, or spoofed e-mails, where criminals send out thousands of e-\nmails telling people to update their information. 
We are \nworking to address this in four areas: building new \ntechnologies to prevent this; second, to provide awareness and \ntraining to consumers so they are better informed to not fall \nvictim to these scams; third, to share information amongst very \ncompetitive companies on protection of these things; and \nfourth, to work with the law enforcement community to prevent \nthese people through deterrence of investigation.\n    In closing, I want to cite three specific areas I think \nthat we can look at because, despite the great security \nenhancements we have seen and will continue to see, there are \nclear challenges you must address.\n    We must review our commitment to enhance consumer awareness \nof basic cybersecurity practices, and the recent attacks have \nonce again demonstrated how home users are now becoming the \ntarget.\n    Second, while we build an effective response network, we \nmust not lose sight of the innovation frontier. Technologists \non the horizon hold the potential to dramatically and \npotentially decisively transform our cybersecurity challenges. \nSelf-healing computers, embedded technologies, can enable \ndevices that recognize and defend against these attacks. We \nmust not inhibit their ability to move forward in collaboration \nwith our best universities.\n    And, finally, we must recognize that cybersecurity is no \nlonger merely about product services and strategies. What is at \nstake in the effective implementation of advanced cybersecurity \ntechnology is nothing less than the ability to unleash the next \nwave of IT-led growth in jobs and productivity. Cybersecurity \nis an essential enabler.\n    In closing, I want to say that the next step of this will \nbe on December 2 and 3. 
Homeland Security has invited a lot of \nthe public service or private sector organizations to create a \nsummit, creating a task force to move forward in a lot of those \nareas that we mentioned and we care very deeply about.\n    This concludes my prepared remarks and I thank you for the \nopportunity to be here.\n    [The prepared statement of Howard A. Schmidt follows:]\n   Prepared Statement of Howard A. Schmidt, Vice President and Chief \n             Information Security Officer, eBay Corporation\n                              introduction\n    Chairman Stearns, distinguished members of the Committee, my name \nis Howard A. Schmidt. I am the Vice President and Chief Information \nSecurity Officer for eBay, where I lead a team responsible for ensuring \nthe trustworthiness and security of the services that bring so many \nglobal citizens together in this tremendous global marketplace each \nday. I would like to thank you for the opportunity to come before this \nCommittee again as well as your continued leadership on this very \nimportant issue. Prior to my current position at eBay and subsequent to \nmy last appearance, I had the privilege of being appointed by President \nBush to lead, with Richard Clarke, the President's Critical \nInfrastructure Protection Board, which represented one part of the \noverall governmental response to the threat of cyber security attacks \nin the wake of September 11. I retired from 31 years of public service \nafter completing and publishing the ``National Strategy to Defend \nCyberspace,'' working with a team of dedicated public servants, this \nbody, and the American public.\n    I have had the privilege of working with committed individuals in \nthe private sector, law enforcement, and government to forge the \ncollaboration and cooperation that is so essential to safeguard cyber \nspace for everyone, from inexperienced home users to large well-run \ncorporate enterprises. 
I assisted in the formation of some of the first \ncollaborative efforts in the law enforcement community to address cyber \ncrime in local law enforcement and the FBI. I also helped lead the \ncreation of the Information Technology Information Sharing and Analysis \nCenter (IT-ISAC) and had the honor of serving as its first president.\n    I continue to proudly serve in the U.S. Army reserves, assigned to \nthe 701st MP Group, (CID) as a Special Agent with the computer crime \nunit at CID headquarters. I also serve on the Board of Directors for \nISC2, the body that oversees certification of security professionals \nthrough the CISSP certification. My remarks today will focus primarily \non the changes that have taken place within both business and \ngovernment to create the level of information sharing and collaboration \nnecessary to improve Cybersecurity and further improve security for \nconsumers, as well as how this sharing and collaboration has improved \nthe level of information and protection of consumer computer data.\n    Today, the Internet connects over 170 million computers and an \nestimated 680 million users, with an estimated growth to 904 million by \nthe end of 2004. From major data operations conducting large-scale \nfinancial transactions, to wireless devices keeping families connected, \nthe Internet touches virtually all aspects of our economy and quality \nof life. eBay is a prime example of how deeply ingrained the Internet \nis in American life. Every day on eBay, millions of Americans, along \nwith millions of people in countries around the world, come together to \nbuy and sell all types of goods and services. Business relationships \nand, often, deep friendships are formed on the basis of commerce and \nshared interests. 
The eBay marketplace reflects the enormous power of \nthe Internet to unite humanity at a crucial moment in history.\n    More pointedly, the Internet has become a fundamental component of \nbusiness processes--enhancing productivity by speeding connectivity \nbetween remote locations or across functional operations. The Internet \nis deeply ingrained in managing power, producing chemicals, designing \nand manufacturing cars, managing money and delivering government \nservices ranging from human services to environmental permitting. The \nflip side of these productivity-enhancing applications is an increase \nin attacks against the online community.\n    Today the Internet is utilized by hundreds of millions of users all \nacross the globe sending information ranging from homework assignments \nand simple greetings to the most sensitive financial and operational \ndata of government and industry, all at the speed of light. The \nInternet landscape also includes a private sector security industry \nthat has grown to an estimated $17 billion per year in goods and \nservices. And, as we are all painfully aware, attack speeds today are \nmeasured in seconds, not days.\n    I would like to provide my update in the format of specific examples \nof improvement in four major areas. Those areas are: Awareness and \neducation; product enhancements; government activities; and private \nsector initiatives. While we have made significant progress, I also \nwant to stress that we still have much work to do and will continue to \nimprove overall Cybersecurity by continued improvement in some of the \nexamples I will mention today.\nAwareness & Education:\n    One of the biggest visible changes that has taken place is \nincreased dialogue and training to better inform the end user on how to \nsecure their computers and information. One of the first consumer-\ntargeted awareness programs was truly a joint private-public \npartnership. 
This partnership took place in the form of the Cyber \nSecurity Alliance. The alliance combined the expertise of a number of \nprivate sector entities with the efforts of government partners to \ncreate a comprehensive website for consumers. The website, \nwww.staysafeonline.info has a wealth of information to help even the \nmost inexperienced users understand cyber security, potential threats \nfrom online criminals, and steps they can take to protect themselves.\n    In addition, the White House held a series of town hall meetings \naround the country with private sector partners. These town hall \nmeetings were open to the public and well-attended, with speakers \nranging from CEOs of major financial institutions and exchanges, to \nsubject-matter experts in cyber security. Many of these town hall \nmeetings were webcast so those that could not attend in person could \nparticipate over the Internet.\n    Private sector companies have also held free seminars around the \ncountry to provide awareness to citizens. Many of the sessions focused \non informing the elderly, one of the segments of our society that has \nreceived great benefit from the online world and the resources that it \nprovides. As we enter the holiday shopping season, there will be mass \nmedia campaigns to educate consumers on how to safely and securely \nenjoy the richness and robustness of the online e-commerce world.\n    In the category of formal education, the National Security Agency \n(NSA) has a program identifying universities that meet the criteria to \nbe designated a center of academic excellence in information security. \nThis NSA program not only ensures the education of the next generation \nof information security professionals, but also guarantees that the \nuniversity has sound cyber security practices in place as well as \nawareness education for the students, who make up a large number of the \nonline users and consumers. 
The NSA also administers the Cyber Corp \nprogram with NSF and OPM, providing scholarships for students in cyber \nsecurity.\nProduct Enhancements:\n    Another major improvement that we have seen in the past two years \nis the way security enhancements are now offered standard in software \nand hardware. One very visible example is the hardware provided to use \nwireless technology. Broadband technology (Cable modem, DSL, satellites \netc.) has given us capabilities and speeds that were only available to \ncorporations before. We now see firewalls and the ability to download \nanti-virus software being built into wireless modems.\n    The major operating systems now have auto-update features included, \nand are now being turned on by default in more future versions. \nProducts are now being shipped with many services turned off by \ndefault, thus making them more secure. Many of the online email \nservices block potentially malicious code and do a much better job of \nblocking the Spam that often contains malicious functions.\n    Anti-virus vendors have done an amazing job in speeding up the \ndetection, analysis and updates for many of the viruses that are found \nin the wild. Many of them even provide free online virus scans as a \npublic service to assist consumers.\nGovernment Activities:\n    There have been a number of government actions that have taken \nplace since I last appeared before this committee--most notably the \ncreation of the President's Critical Infrastructure Protection Board \nand the release of the National Strategy to Defend Cyberspace. This \ncritical document set the framework for much of the private public \npartnerships, focusing a section on home users and small/medium \nenterprises.\n    I would also argue that the consolidation of cyber security related \norganizations into the Department of Homeland Security in the \nInfrastructure Protection Director was a valuable reorganization. 
The \nbringing together of the NIPC (FBI), Fed-CIRC (GSA), CIAO (Commerce), \nEnergy Information Assurance Division (DoE) and the National \nCommunications System (DoD) created a center of excellence that, with \nthe help of focused leadership, will move to implement the national \nstrategy. This new organization is called the National Cyber Security \nDivision.\n    Recent action taken by the Department of Homeland Security (DHS) to \ncreate the US CERT at Carnegie Mellon University has the potential to \nsignificantly enhance security for all users. The US CERT is designed \nto serve as a focal point for building partnerships based on a cyber \nsecurity response network and provide a notification network as threats \nand vulnerabilities are discovered.\n    The goal for US CERT is to ensure that there is an average response \ntime of no less than 30 minutes in the case of any attack. The very \nspecific nature of this goal is designed to deliberately focus the US \nCERT on building broad participation by the private sector.\n    The US CERT will undertake the following major initiatives:\n\n• Develop common incident and vulnerability reporting protocols to \n        accelerate information sharing across the public and private \n        response communities;\n• Develop initiatives to enhance and promote the development of \n        response and warning technologies; and\n• Forge partnerships to improve incident prevention methods and \n        technologies.\n    The Dept. of Justice, the U.S. Secret Service and the FBI have \nsignificantly decreased their response times and increased priorities \naround investigations of cyber crimes. Director Mueller has placed \ncyber crime in the top 5 priorities at the FBI, and the Secret Service \nhas added a number of electronic crime task forces in order to \nsuccessfully investigate and prosecute cyber criminals. 
All of the \nDefense Department's investigative organizations have led the way \ninvestigating cyber crimes and have some of the best investigators in \nthe world. The Department of Justice, through its Computer Crime and \nIntellectual Property Section, has chaired the G-8 Subcommittee on \ncyber crime and has been a significant driving force in combating \nworldwide cyber crime.\n    Since there are no borders when it comes to cyber space, and \ncriminal attacks on consumers can come from all corners of the world, \nthe State Department has conducted bilateral and multilateral \ndiscussions to ensure that there is international cooperation in the \neffort to protect cyber security.\n    I have had the extreme pleasure of working with Commissioner \nSwindel of the Federal Trade Commission, who has been a beacon of light \nfor the protection of consumers' privacy and security. With his help in \nthe creation of the FTC's ``Dewey'' program and his tireless support \nfor town hall meetings, he truly has created a ``culture of security'' \nglobally.\nPrivate Sector Initiatives:\n    While there will be no silver bullets in enhancing cyber security, \nthe private sector continues to grow its capabilities and make solid \nimprovement in securing their part of cyberspace . Two of the earliest \nexamples of private-public cooperation for ``Cyber Crime/Cyber \nSecurity'' were the the High Tech Crime Investigators Association \n(HTCIA) and the Information Systems Security Association (ISSA). Both \norganizations date back to the mid/late 80's and are dedicated to \nsharing nformation on cyber crime and information security. They still \nexist today and their membership and value have increased significantly \nover the years.\n    Most recently, the private sector has created a coalition that I \nsee as an excellent example of efforts to enhance consumer cyber \nsecurity. As you are probably aware, identity theft is a major problem. 
\nWhile the vast majority of ID theft occurs in the physical world, we \nhave seen an increase in the activities of criminals to commit the same \ntypes of crime online. The most recent method is by using what we call \n``phishing'' or ``spoofed'' emails. The criminals will send out \nthousands of emails telling people that there is an error with their \nonline account and ask them to fill in an ``update form'' or their \naccount will be closed. This form has the look and feel of major e-\ncommerce sites--there was even a fake email from someone pretendingto \nbe the FBI and asking unsuspecting users to enter personal information \ninto a fake web site.\n    To combat this, many of the major players in the e-commerce space \nbanded together to create an Anti-Online ID Theft Coalition. The \nCoalition boasts many private sector members, with the Information \nTechnology Association of America providing support as the executive \ndirector. The Coalition has four major goals: 1) to build technology to \nreduce the likelihood of these mails even reaching their intended \nvictim; 2) to provide awareness training to consumers so they can more \nreadily identify these criminal acts; 3) to share information on new \nscams amongst the various security teams; and 4) to insure \naccountability by working with law enforcement to identify and \nprosecute these bad actors.\n    In a larger perspective, Sector Coordinators representing each of \nthe major sectors of our economy have been appointed to fight potential \ncyber attack. A sector coordinator is an individual in the private \nsector identified by the sector lead agency to coordinate their sector, \nacting as an honest broker to organize and bring the sector together to \nwork cooperatively on sector cyber security protection issues. 
The \nsector coordinator can be an individual or an institution from a \nprivate entity.\n    These private sector leaders provide the central conduit to the \nfederal government for the information needed to develop an accurate \nunderstanding of what is going on throughout the nation's \ninfrastructures on a strategic level with regards to critical \ninfrastructure protection activities. The sector coordinators and the \nvarious sector members were key to the creation of the National \nStrategy to Defend Cyber Space.\n    In addition, there has been a number of new private sector \nInformation Sharing and Analysis Centers (ISACs). An ISAC is an \noperational mechanism to enable members to share information about \nvulnerabilities, threats, and incidents (cyber and physical). The \nsector coordinator develops these Centers with support from the sector \nliaison. In some cases, an ISAC Manager may be designated, who is \nresponsible for the day-to-day operations of the ISAC, to work with the \nsector coordinator or the sector coordinating body with support from \nDHS and the lead federal agencies.\n    Despite these security enhancements, we can be certain that as \nincreased collaboration continues to enhance our protection and \nresponsiveness, the nature and sophistication of attacks will certainly \nevolve. There are clear challenges we must continue to address.\n    First, we must renew our commitment to enhance consumer awareness \nof basic cyber security practices. The recent attacks demonstrate that \nhome users can be used as an effective pathway to launch attacks, or as \na gateway into large enterprises. We need to build on the public/\nprivate initiatives to promote cyber security with a focused and \naggressive outreach effort to benefit all consumers.\n    Second, while we build an effective response network we must not \nlose sight of the innovation frontier. 
Technologies on the horizon hold \nthe potential to dramatically and potentially decisively transform our \ncyber security challenges. Self-healing computers, embedded \ntechnologies that enable devices to recognize and defend against \nattacks, and devices which enhance both security and privacy are within \nreach with an aggressive technology development agenda. This effort \nmust be industry-led in collaboration with our best Universities. Most \nimportantly, it must be synergistically linked with our response \ninitiatives.\n    Finally, we must recognize that cyber security is no longer merely \nabout products, services and strategies to protect key operations. What \nis at stake in the effective implementation of advanced cyber security \ntechnologies and strategies is nothing less than the ability to unleash \nthe next wave of information technology-led growth in jobs and \nproductivity. Cyber security is an essential enabler to the advent of \nthe next generation Internet and all it holds for how we work, live, \nand learn.\n    I don't want to close without mentioning my expectation that many \nof these challenges will be addressed, and indeed met head-on, with \ntangible commitments and deliverables through the upcoming National \nCyber Security Summit, to be held on December 2-3, 2003. This Summit \nwill be co-hosted by the Information Technology Association of America, \nthe U.S. Chamber of Commerce, TechNet and the Business Software \nAlliance, with the support of the Department of Homeland Security. I \nhave the honor to serve at that summit, as will many of the brightest \nminds and most innovative companies across all sectors of the economy.\n    The work of this summit will continue past December 2-3 through \ntask force work programs that will drive toward solutions in intense \nwork before, during, and beyond the Summit. 
We expect that many of \nthese proposals will be forwarded to DHS early next year, after which \nwe can measure progress on an ongoing basis. We expect this to be an \nall-hands-on-deck effort where we bring together, distill, and \nintegrate many of the outstanding work products from many groups \nregarding cyber security metrics, software development and maintenance, \npublic outreach initiatives, and, of course, public-private \npartnerships in information sharing and early warning systems.\n    Chairman Stearns, this concludes my prepared remarks. I thank you \nfor the opportunity to come before this Committee and welcome any \nquestions that you and the Committee members may have.\n\n    Mr. Stearns. Thank you.\n    Mr. Charney.\n\n                   STATEMENT OF SCOTT CHARNEY\n\n    Mr. Charney. Thank you. Chairman Stearns, Ranking Member \nSchakowsky, and members of the subcommittee, my name is Scott \nCharney, and I am Microsoft's Chief Trustworthy Computing \nStrategist.\n    I want to thank you for the opportunity to appear here \ntoday to provide our views on cybersecurity and what we are \ndoing to secure consumer data. At Microsoft, security is our \nNo. 1 priority. We are committed to continually improving the \nsecurity of our software.\n    As Howard Schmidt just said, there are no silver bullets in \ncybersecurity; there will always be vulnerabilities in complex \nsoftware and systems. As was true when we testified before you \nin 2001, cybersecurity involves many layers and many \ncollaborative partnerships. In other words, cybersecurity \ninvolves management of technologies, as much as the technology \nitself.\n    Meanwhile, much has changed since we last testified before \nyou. Consumer dependence on the Internet has grown. 
And as of \nMarch 2003, 30 million homes in America had a broadband \nconnection to the Internet, double the number who had high-\nspeed connections at the end of 2001.\n    Another key change over the past 2 years is that the time \nbetween the issuance of a patch and the time when we see a \nconcrete exploit taking advantage of the underlying \nvulnerability has dramatically shortened. Therefore, once a \npatch is released, a race ensues between those installing the \npatch to eliminate the vulnerability and those developing code \nthat exploits the vulnerability.\n    Moreover, the sophistication and severity of cyberattacks \nare also increasing. In response to these threats, industry has \nincreased tremendously the resources and priority it devotes to \ncybersecurity issues, and the government has also taken \nsignificant steps during this time period to address these \nheightened risks for on-line consumers, including creating the \nNational Cybersecurity Division at the Department of Homeland \nSecurity and signing the Council of Europe's Cybercrime Treaty. \nWe commend these actions as important steps and hope the Senate \nratifies the treaty when it is received.\n    Security is Microsoft's top priority, and we know that \nsecurity is a journey rather than a destination. 2 years ago \nbefore this committee, my friend and co-panelists Howard \nSchmidt properly stated: We know there is no finish line for \nthese efforts, but by working as we have with industry peers \nand with governments, we have a chance to keep one step ahead \nof cyber criminals.\n    Shortly thereafter, Bill Gates had launched our trustworthy \ncomputing initiative, which involves every aspect of Microsoft \nand focuses on four key pillars: security, privacy, \nreliability, and business integrity. 
As part of this, we have \nenhanced the training of our developers to put security at the \nheart of software design and at the foundation of the \ndevelopment process.\n    Through this effort we are seeing a quantifiable decrease \nin vulnerabilities. For example, if you compare Windows Server \n2000 and Windows Server 2003, for the last 6 months Windows \nServer 2003 has required fewer patches.\n    Another part of trustworthy computing involves \ncommunicating with our customers. In the wake of Blaster, we \nlaunched the Protect Your PC campaign, urging commerce to take \nthree steps to improve their security, all available through \nMicrosoft.com/protect.\n    Two years ago, we also spoke about the need of increased \ndeterrence of criminal hacking. Although the Cybersecurity \nEnforcement Act passed last year, there is still much more that \nneeds to be done. Despite the best and laudable efforts of \ndedicated law enforcement personnel, far too many hackers \nunleash their malicious code, commit crimes with no punishment. \nThis is an untenable situation.\n    Earlier this month, we took a significant step to support \nlaw enforcement by creating the Antivirus Reward Program to \nprovide monetary rewards for information resulting in the \narrest and conviction of hackers. 
The government continues to \nplay a key role in efforts to secure consumers' software and \ndata.\n    I want to outline a few specific areas where government \ninitiatives can be particularly helpful in promoting \ncybersecurity.\n    First, the public sector should increase its support for \nbasic research and security technology.\n    Second, the government can lead by example by securing its \nown systems, buying software that is engineered for security, \nproviding better training for government systems administrators \nand leading public awareness campaigns, such as the FTC's \ncampaign featuring Dewey the Turtle.\n    Third, government and industry should reduce barriers to \nexchanges of information.\n    Fourth, law enforcement should receive additional \nresources. We also support the forfeiture of personal property \nused in committing these crimes.\n    Fifth, greater cross-jurisdictional cooperation among law \nenforcement is needed for investigating cyberattacks.\n    In conclusion, we will continue to pursue trustworthy \ncomputing and to work closely with our partners in the computer \nsoftware and communications industries, the government and our \ncommerce to enhance cybersecurity.\n    Thank you, and I look forward to your questions.\n    [The prepared statement of Scott Charney follows:]\n   Prepared Statement of Scott Charney, Chief Trustworthy Computing \n                   Strategist, Microsoft Corporation\n    Chairman Stearns, Ranking Member Schakowsky, and Members of the \nSubcommittee: My name is Scott Charney, and I am Microsoft's Chief \nTrustworthy Computing Strategist. I want to thank you for the \nopportunity to appear today to provide our views on cybersecurity and \non what we are doing to secure consumer data. I oversee the development \nof strategies to create more secure software and services and to \nenhance consumer security and privacy through our long-term Trustworthy \nComputing initiative. 
My goal is to reduce the number of successful \ncomputer attacks and increase the confidence of all computer users. \nThis is something I have worked toward throughout much of my career, \nincluding during my service as chief of the Computer Crime and \nIntellectual Property Section (CCIPS) in the Criminal Division of the \nU.S. Department of Justice. While at CCIPS, I helped prosecute nearly \nevery major hacker case in the United States from 1991 to 1999.\n    At Microsoft, security is our number one priority, and as an \nindustry leader, we are committed to continually improving the \ncapability of our software to protect the privacy of consumers and the \nsecurity of their data. We are at the forefront of industry efforts to \nenhance the security of computer programs and networks and to educate \nconsumers about good cybersecurity practices. We also work closely with \nour partners in industry and governments around the world to identify \nsecurity threats to computer networks, share best practices, improve \nour coordinated responses to security breaches, and prevent computer \nattacks from happening in the first place.\n    This hearing is exceptionally timely because of the rapid \ndevelopments in cybersecurity over the past two years. We \nwholeheartedly agree with this Subcommittee that it is critical for all \nof us to address consumer concerns about the privacy and security of \ntheir online data in order to stimulate the further growth of e-\ncommerce and to help realize the Internet's full potential.\n    Today, I want to describe the risks posed to consumers' \ncybersecurity, and the ways in which industry and government are \nworking together to protect consumers' online data. First, I will \ndiscuss the general state of cybersecurity since November 2001, when we \nlast appeared before this Subcommittee; I will touch both on what has \nstayed the same, and on what has changed. 
Second, I will discuss \nMicrosoft's ongoing efforts to help secure consumers' computer data. \nThird, I will offer a few suggested steps that the government can take \nto enhance the security of consumer data.\n                  i. cybersecurity since november 2001\n    The pursuit of cybersecurity involves a daily and never-ending \ncontest between industry, governments, and computer users, on the one \nhand, and cyber criminals, on the other. Hackers remain elusive, \naggressive, and innovative. When we last testified before this \nSubcommittee on this topic, the ``ILOVEYOU,'' Code Red, Ramen, Li0n, \nand Trinoo worms and viruses had already struck a variety of operating \nsystems. Since that time, criminal hackers have unleashed Slapper, \nScalper, Slammer, Blaster, SoBig, and many other viruses and worms to \ninfect computers, deny service, and impair recovery.\n    There are no silver bullets in cybersecurity, and there will always \nbe vulnerabilities in complex software and systems, as well as human \nerrors made. As was true in 2001, cybersecurity involves many layers \nand many collaborative partnerships, including software design, \nsoftware configuration, software patching, the sharing of threat and \nvulnerability information, user education, user practices, and the \ninvestigation and prosecution of cybercrime both within the United \nStates and internationally. In other words, cybersecurity involves \nmanagement of technology as much as the technology itself.\n    Meanwhile, much has changed since we last testified before you. \nConsumer dependence on the Internet has grown, and consumers are more \nfrequently sharing their personal information, including their \nidentities, contact information, financial data, and health \ninformation, over the Internet. 
Moreover, as the personal computer \nbecomes more central to the daily lives of many citizens and to the \ndaily functions of the public and private sectors, the government, \nconsumers, and business enterprises are storing more personal \ninformation on their Internet-connected computers and networks, thus \npotentially exposing their data to hackers even if that personal \ninformation is never transmitted over the Internet. In addition, \nconsumers with broadband are, unlike those with a dial-up connection, \nconnected to the Internet with unvarying IP addresses and at a high \nconnection speed, and therefore place consumer data at greater risk. As \nof March 2003, 30 million homes in America had a broadband connection \nto the Internet, double the number who had a high-speed connection at \nhome at the end of 2001 and a 50% increase from March 2002.\n    Another key change over the past two years is that the time between \nthe issuance of a patch and the time when we see a concrete exploit \ntaking advantage of the underlying vulnerability has dramatically \nshortened. This time period is crucial because we have had very few \nattacks that actually precede the patch; more typically, once a patch \nis released, a race ensues between those installing the patch to \neliminate the vulnerability and those developing code that exploits the \nvulnerability. When an exploit is developed faster, enterprises and \nindividuals have that much less time to learn of, test, and install the \npatch before a hacker uses the exploit to inflict damage. That window \nfor the NIMDA virus was 331 days between patch release and exploit; for \nBlaster, less than two years later, it was only 26 days.\n    The chronology leading up to the criminal launch of the Blaster \nworm illustrates the complex interplay between software companies, \nsecurity researchers, persons who publish exploit code, and hackers. 
On \nJuly 16, we delivered a patch for the vulnerability and a security \nbulletin to our customers. This was followed by ongoing outreach to \nconsumers, analysts, the press, our industry partners, and the \ngovernment. On July 25, nine days after we released the patch, a \nsecurity research group called XFOCUS published a tool to exploit the \nvulnerability that the security bulletin and patch had highlighted. In \nessence, XFOCUS analyzed our patch by reverse engineering it to \nidentify the vulnerability, then developed a means to attack the \nvulnerability, and finally offered that attack to the world so that any \nunsophisticated hacker could then unleash an attack by downloading \nXFOCUS's work and using launch tools freely available on the Internet.\n    At this point, we heightened our efforts to inform our customers \nabout the steps they should take to secure their computers. On August \n11, only 26 days after release of the patch, the Blaster worm was \ndiscovered as it spread through the Internet. This sequence of events \nunderscores a dilemma: the same information that helps customers to \nsecure their systems also enables self-identified security researchers \nand others to develop and publish exploit code, which hackers then use \nto launch damaging criminal attacks.\n    The sophistication and severity of cyberattacks are also \nincreasing. The Slammer worm in January 2003 did not attack the data of \ninfected systems, but resulted in a dramatic increase in network \ntraffic worldwide and in temporary loss of Internet access for some \nusers. This past summer, criminal hackers released the Blaster worm, \nwhich spread by exploiting a security vulnerability for which we had \nreleased a patch. Machines infected by Blaster used the network \nconnection to locate new, vulnerable machines, whereupon the worm would \ncopy itself, infect the new machine, and continue the process. 
Blaster \naffected Windows NT4, Windows XP, Windows 2000, and Windows Server 2003 \nsystems, but could not reach those machines that were patched and \ndefended by a properly configured firewall. The worm also tried to deny \nservice to those users seeking to download the patch for Blaster.\n    In addition, cybercriminals have been able to make viruses more \nprevalent and harder for consumers to detect by ``spoofing'' legitimate \nemail addresses, which makes it more difficult to determine who the \nreal sender is. In 2002, there were twice as many email viruses as \nthere were in 2001. In January 2003, the SoBig virus spoofed email \naddresses and contained infectious .pif attachments, which if opened \nwould infect the user's computer and search the infected user's hard \ndrive for email addresses of possible further victims. Multiple \nvariants of the SoBig virus surfaced during the year. It is important \nto note that SoBig did not exploit any software vulnerability; it was a \nsocial engineering attack based on users' willingness to trust email \nthat appeared to be from individuals whom they knew.\n    In response to these threats, industry has increased tremendously \nthe resources and priority it devotes to cybersecurity issues. Many of \nthose efforts continue today, and I will describe them in more detail \nin the next Section. Over the past two years, the government has also \ntaken significant steps during this time period to address these \nheightened risks for online consumers. We commend these actions as \nimportant steps in our shared journey toward enhanced cybersecurity.\n    First and foremost, the Department of Homeland Security created the \nNational Cyber Security Division (NCSD) under the Department's \nInformation Analysis and Infrastructure Protection Directorate. 
The \nNCSD is established to provide 24 x 7 functions, including cyberspace \nanalysis, issuing alerts and warning, improving information sharing, \nresponding to major incidents, and aiding in national-level recovery \nefforts. The Department created the NCSD as part of its implementation \nof the Homeland Security Act of 2002 and the National Strategy to \nSecure Cyberspace, which the White House released in February 2003 \nafter soliciting extensive comments from consumers, industry, and other \ngovernment actors. We worked with government officials in all of these \nactivities, and we are encouraged by the work DHS has done to date. \nMoreover, I personally look forward to co-chairing a task force at its \nDecember ``National Cyber Security Summit.''\n    Second, the United States signed the Council of Europe Convention \non Cybercrime in November 2001. The Convention requires parties to have \nminimum procedural tools to investigate such attacks, and to facilitate \ninternational cooperation in investigating those attacks. Because of \nthe inherently international nature of cybercrime, the Council of \nEurope cybercrime treaty is an important step towards the transborder \ncooperation that is vital to combating cybercrime and protecting \nconsumers. We look forward to the day when the treaty is sent to the \nSenate for its consideration.\n            ii. our response to cybersecurity threats today\n    Security is Microsoft's top priority. We have devoted and will \ncontinue to devote enormous resources to enhancing security. As we \nconfront new challenges and develop new approaches and new \npartnerships, we continue to learn that perfect security in cyberspace \nis unattainable, just as it is in the physical world. Operating system \nsoftware is one of the most complex items that humans have created, and \nit is impossible to eliminate all software vulnerabilities. 
Thus, we \nknow that security is a journey rather than a destination, and it can \nonly be improved by partnerships involving government, industry, \nresponsible security researchers, and customers around the world \nincluding government agencies, enterprises, and individual users. Two \nyears ago before this committee, my friend and co-panelist Howard \nSchmidt properly stated, ``We know that there is no finish line to \nthese efforts, but by working as we have with industry peers--including \nsome of these panelists--and with governments, we have a chance to keep \none step ahead of cyber-criminals.''\nA. Trustworthy Computing\n    In January 2002, Bill Gates launched our Trustworthy Computing \ninitiative, which involves every aspect of Microsoft and focuses on \nfour key pillars: security, privacy, reliability, and business \nintegrity. Security involves designing programs and systems that are \nresilient to attack so that the confidentiality, integrity, and \navailability of data and systems are protected. The goal of our privacy \nefforts is to give individual consumers greater control over their \npersonal data and to ensure, as with the efforts against spam, their \nright to be left alone. Reliability means creating software and systems \nthat are dependable, available when needed, and perform at expected \nlevels. 
Finally business integrity means acting with honesty and \nintegrity at all times, and engaging openly and transparently with \ncustomers.\n    Under the security pillar, we are working to create software and \nservices for all of our customers that are Secure by Design, Secure by \nDefault, and Secure in Deployment, and to communicate openly about our \nefforts.\n\n\x01 ``Secure by Design'' means two things: writing more secure code and \n        architecting more secure software and services.\n\x01 ``Secure by Default'' means that computer software is more secure out \n        of the box, with features turned off until needed and turned on \n        by the users, whether it is in a home environment or an IT \n        department.\n\x01 ``Secure in Deployment'' means making it easier for consumers, \n        commercial and government users, and IT professionals to \n        maintain the security of their systems.\n\x01 ``Communications'' means sharing what we learn both within and \n        outside of Microsoft, providing clear channels for people to \n        talk with us about security issues, and addressing those issues \n        with governments, our industry counterparts, and the public.\n    The Trustworthy Computing goals are real and specific, and this \neffort is now ingrained in our culture and is part of the way we value \nour work.\n    We have enhanced the training of our developers to put security at \nthe heart of software design and at the foundation of the development \nprocess. Security is and will continue to be our highest software \ndevelopment priority. All new software releases and service packs are \nnow subject to an enhanced security release process which has already \nresulted in a notable decline of vulnerabilities in some of our server \nsoftware. This effort, which can cost hundreds of millions of dollars \nand delay the software's release to the market, is a critical step in \nimproving software security and reliability. 
We are seeing a \nquantifiable and dramatic decrease in vulnerabilities: for example, \nWindows Server 2003 followed this process and in the first ninety days, \nwe reported and patched three critical or important security \nvulnerabilities and six total in the first 180 days. Whereas in Windows \nServer 2000, we found eight critical or important vulnerabilities in \nthe first ninety days, and twenty one in the first 180 days.\n    When an attack does occur, our Microsoft Security Response Center \n(MSRC) coordinates the investigation of reported vulnerabilities, the \ndevelopment of patches, and our customer outreach efforts. We are very \nproud of this organization and believe it represents the industry's \nstate of the art response center.\n    Although we have made major strides, much work on Trustworthy \nComputing remains ahead of us. One key piece of that work is the Next-\nGeneration Secure Computing Base (NGSCB). This is an on-going research \nand development effort to help create a safer computing environment for \nusers by giving them access to four core hardware-based features \nmissing in today's PCs: strong process isolation, sealed storage, a \nsecure path to and from the user, and strong assurances of software \nidentity. These changes, which require new PC hardware and software, \ncan provide protection against malicious software and enhance user \nprivacy, computer security, data protection and system integrity.\n    Part of Trustworthy Computing involves communicating with our \ncustomers. In the wake of Blaster, we launched the Protect Your PC \ncampaign, urging customers to take three steps to improve their \nsecurity: install and/or activate an Internet firewall, stay up to date \non security patches, and install an anti-virus solution and keep it up \nto date. The www.microsoft.com/protect web site serves as the focal \npoint for the campaign. 
We also provide a wide range of free security \ntools and prescriptive guidance to make it easier for consumers to make \ntheir computers and their data more secure.\nB. Streamlining the Patching Process\n    Patch management is a significant issue. We recognize that the most \nimportant solution is to reduce the number of vulnerabilities in code, \nthus reducing the need for patching. This is why we are emphasizing \nsecure by design. But no operating system--regardless of development \nmodel--will ever be free of all vulnerabilities. We must manage this \nrisk by providing customers with simple and easy to use patches. To \nstreamline those processes, we are taking the following steps:\n\n\x01 Improving our testing of patches to ensure patch quality.\n\x01 Reducing the number of patch installers to provide users with a \n        consistent patch experience, and make patching simpler.\n\x01 Working to ensure that each patch is reversible, so a rollback is \n        possible if deployment raises an unanticipated issue, such as \n        adversely affecting a legacy application.\n\x01 Ensuring that patches register their presence on the system--and \n        producing improved scanning tools--so a user can quickly \n        determine if his or her machine is patched appropriately.\n\x01 Making our security patch releases more predictable. 
We are now \n        providing security updates once a month, but we will still \n        provide patches outside this schedule when necessary, such as \n        when exploit code is publicly available.\n\x01 Avoiding reboot of the computer where practicable, as our customers \n        are more likely to apply a patch more quickly, if server \n        availability will not be interrupted.\n\x01 Producing specific technology, such as Software Update Services and \n        Systems Management Server, so enterprises can download patches, \n        test them in their unique environments, and then easily deploy \n        them.\n\x01 Informing customers about the AutoUpdate feature in recent Microsoft \n        operating systems, which can automatically download updates and \n        then either install them as scheduled or request permission \n        from the user to do so.\nC. Securing Enterprises to Protect Consumers\n    As noted, protecting consumer security depends, in part, on \nprotecting the security of enterprise servers, which often hold \nvaluable consumer data. Steve Ballmer, Microsoft's Chief Executive \nOfficer, announced last month that we are working to secure these \nnetworks from the hazards that arise when users log into those networks \nfrom home or other remote locations. 
Those hazards include malicious e-\nmails, viruses and worms, malicious web content, and buffer overruns.\n    While patches remain part of the solution, we are developing what \nwe call safety technology to secure these networks at the perimeter by:\n\n\x01 Reducing the risk from computers such as notebooks and portable \n        computers that are moved between an enterprise's network and \n        external networks.\n\x01 Improving browsing technologies to minimize the risk of hostile web \n        sites executing malicious code on visiting users' computers.\n\x01 Enhancing memory protection to help prevent successful buffer overrun \n        attacks.\n\x01 Improving the Internet Connection Firewall within Windows while also \n        working closely with partners in the software security \n        industry.\n    Through these measures, we hope to help protect machines even when \nnot patched, thus giving enterprises more time to test and deploy \npatches and enabling enterprises to patch on their schedule, not on a \nschedule determined by hackers.\n    We are also providing new information and guidance on how \nenterprises can secure their computers to protect data, including the \npersonal information of their customers.\nD. Industry Partnerships\n    We embrace our role in providing more secure computing for all our \ncustomers. 
Because security is an industry-wide issue, we participate \nactively in partnerships that span the industry, customers and both the \npublic and private sectors to encourage customers to implement software \nin more secure ways.\n    For example, we are a founding member of the Organization for \nInternet Safety (OIS), an alliance of leading technology vendors, \nsecurity researchers, and consultancies that is dedicated to the \nprinciple that security researchers and vendors should follow common \nprocesses and best practices to efficiently resolve security issues and \nto ensure that Internet users are protected.\n    We also work with the Virus Information Alliance (VIA), a \ncentralized resource for Internet users seeking information about the \nlatest virus threats. Through its member companies, Microsoft, Network \nAssociates, Trend Micro, Computer Associates, Sybari, and Symantec, the \nVIA offers recommended best practices for preventing malicious attacks, \ninformation about specific viruses, how-to articles and links to other \nanti-virus resources on its web site.\n    I am personally participating with some of my co-panelists in the \nGlobal Council of Chief Security Officers, a newly formed think tank \nthat will share information with member companies and governments on \ncybersecurity issues and enhance the involvement of private sector \nofficials in cybersecurity issues.\n    We also helped found the Information Technology--Information \nSharing and Analysis Center (IT--ISAC) and I serve on its board today. \nThe IT-ISAC coordinates information-sharing on cyber-events among \ninformation technology companies and the government.\nE. Anti-Virus Reward Program\n    Two years ago we spoke about the need to increase deterrence of \ncriminal hacking. Although the Cyber Security Enforcement Act passed \nthis Congress last year, there is still much more that needs to be \ndone. 
Despite the best and laudable efforts of dedicated law \nenforcement personnel, far too many hackers unleash their malicious \ncode or commit crimes with no punishment, as evidenced by the fact that \nthe authorities have yet to bring to justice the criminals who launched \nmajor attacks like Blaster, NIMDA and Slammer. This is an untenable \nsituation, and it is one the nation allows to persist in no other area. \nWe need a robust deterrent to criminal activity online.\n    When criminal attacks are launched, we work with law enforcement \nofficials to support their investigations. And earlier this month, we \ntook a significant step to support them by creating the Anti-Virus \nReward Program to provide monetary rewards for information resulting in \nthe arrest and conviction of hackers. For example, we have announced a \nreward of $250,000 each for information leading to the arrest and \nconviction of those responsible for the SoBig virus and the Blaster \nworm.\n    To use a medical analogy, we are strengthening the Internet's \nimmune system through initiatives such as the anti-virus reward \nprogram, our technical and legal anti-spam efforts, consumer education, \nand efforts to secure existing systems and to make security integral to \nnew systems and applications. In the meantime, interim treatment will \nbe necessary.\n                       iii. the government's role\n    The government continues to play a key role in efforts to secure \nconsumers' software and data. We have recently collaborated with the \nDepartment of Homeland Security to raise awareness of cyberthreats \nthrough release of security bulletins. Such partnering between industry \nand the government is a vital step toward additional cybersecurity for \nconsumers. 
I want to outline a few specific areas where government \ninitiatives can be particularly helpful in promoting cybersecurity.\n    First, sustained public support of research and development \ncontinues to play a vital role in advancing the IT industry's efforts \nto secure consumers' software and data. A major portion of our $6.9 \nbillion annual R&D investment goes to security, and accordingly, we \nsupport additional federal funding for basic cybersecurity research and \ndevelopment (R&D), including university-driven research. The public \nsector should increase its support for basic research in technology and \nshould maintain its traditional support for transferring the results of \nfederally-funded R&D under permissive licenses to the private sector so \nthat all industry participants can further develop the technology and \ncommercialize it to help make all software more secure.\n    Second, the government can lead by example by securing its own \nsystems through the use of reasonable security practices, buying \nsoftware that is engineered for security, and providing better training \nfor government systems administrators. We also hope government will \ncontinue to promote security awareness among both home consumers and \nbusinesses--as the Federal Trade Commission did in its information \ncampaign featuring Dewie the Turtle.\n    Third, government and industry should continue to examine and \nreduce barriers to appropriate exchanges of information, and to build \nmechanisms and interfaces for such exchanges. One encouraging step in \nthis direction is the NCSD's recent creation of the National Computer \nEmergency Response Team (US-CERT). 
This coordination center, for the \nfirst time, links public and private response capabilities to \nfacilitate communication of critical security information throughout \nthe Internet community.\n    Fourth, it will take increased government commitment to root out \nthose who hack into computers and propagate destructive worms and \nviruses that harm millions of computer users. Therefore, law \nenforcement should receive additional resources, personnel, and \nequipment in order to investigate and prosecute cyber crimes. We also \nsupport tough penalties on criminal hackers, such as forfeiture of \npersonal property used in committing these crimes.\n    Fifth, because cybersecurity is inherently an international problem \nwith international solutions, greater cross-jurisdictional cooperation \namong law enforcement is needed for investigating cyber-attacks.\n                               conclusion\n    We will continue to pursue Trustworthy Computing and to work \nclosely with our partners in the computer, software, and communications \nindustries, the government, and our customers to enhance cybersecurity. \nIn the end, a shared commitment to reducing cybersecurity risks and a \ncoordinated response to cybersecurity threats of all kinds--one that is \nbased on dialogue and cooperation between the public and private \nsectors--offer the greatest hope for protecting the privacy of consumer \ndata, enhancing the confidence of consumers in the Internet, and \nfostering the growth of a vibrant, trustworthy online economy.\n\n    Mr. Stearns. I thank the gentleman.\n    Mr. Morrow, welcome.\n\n                  STATEMENT OF DAVID B. MORROW\n\n    Mr. Morrow. Thank you. Mr. 
Chairman and members of the \nsubcommittee, thank you for the opportunity to testify before \nyou today on Cybersecurity and Consumer Data: What is at risk \nfor the consumer?\n    My name is David Morrow and I am the Deputy Director of \nGlobal Security and Privacy Services at Electronic Data \nSystems, Incorporated. I have over 25 years of experience in \nthe information technology field, with an emphasis on security. \nI am honored to join you today to present EDS's views on the \nstate of information security or cybersecurity 2 years after my \nlast appearance before the subcommittee.\n    I will focus my comments today on what has changed in the \nlast 2 years, what needs improvement, and what can be done by \nboth industry and the government to further protect our \ninformation networks. I will provide an outline here and \nrequest that my written comments be entered into the record.\n    So, what has changed? Thankfully, we have not seen another \nSeptember 11. But as has been noted previously, we are still in \na heightened threat environment. More recent attacks on our \ninformation networks, such as the DNS Root Server attacks in \nOctober 2002 and several high-profile virus and worm attacks, \nhave not stopped us from relying on these networks to conduct \nbusiness and live our lives.\n    In that context, here are some of the things that we are \nseeing: We are seeing an increase in the tempo and severity of \nnew viruses and other attacks on our information \ninfrastructure. That makes what we call ``patch management'' a \nmuch larger issue.\n    We are also seeing an alarming increase in the incidence of \nidentity theft and criminal misuse of personal information that \naffects millions of Americans. Other changes are occurring in \nthe regulatory environment. While regulations don't give \ndetailed requirements for information security, and shouldn't \nin my opinion, they do have implications for improving the \nintegrity of everyone's data. 
Due to the increasing number of \nattacks and some of the regulatory requirements, we are seeing \nan increased awareness of the problem. More clients are coming \nto us with questions about how to address their information and \nnetwork security, but they are often still asking the wrong \nquestions.\n    There is not one solution that can address everything. \nInformation security is a continual process that elevates \nsecurity planning out of the traditional information technology \nsilo. Companies and agencies need to look at information \nsecurity in a holistic way to create and integrate what has \nbeen dubbed ``the culture of security'' into their entire \nenterprise.\n    Despite this demonstrated critical importance and increased \nawareness, we have not seen a notable increase in the amount of \ninvestment that small and medium companies, and the \ngovernment, are making in information security. There is cause \nfor hope, however, because in a survey of corporate information \nofficers released earlier this month by Forrester Research, \nincreased funding for security and privacy efforts was at the \ntop of the priority list for 2004.\n    What companies have been doing is committing some resources \nand expertise to the greater dialog in information security. \nImportantly, efforts are extending beyond the so-called high-\ntechnology sector into the greater business community, but more \nstill needs to be done in that area.\n    EDS recently led a project in Business Roundtable to \ndevelop a cybersecurity road map for large corporations in any \nsector. ``Building Security in the Digital Economy: An \nExecutive Resource,'' was submitted as part of my written \ntestimony.\n    So what needs improvement? Based on the changes I have \nmentioned, I would like to make two points about areas where we \ncan do more. 
First, while I appreciate the increased level of \nawareness about information security, we need to improve on the \nlevel of real investment. In order to do that, we need to \nincorporate the notion of security as a business enabler into \nall of our business models. Enterprises that do so are \ninvesting in more strategic ways and are better able to serve \ntheir clients, consumers, citizens and business partners.\n    Second, we can improve upon the effectiveness of our \ninformation-sharing and public/private partnership efforts. We \nhave made important strides in this area, but we need to do \nmore to coordinate activities and results.\n    In sum, I would characterize that our state of information \nsecurity is marginally better than it was 2 years \nago, with the hope for greater improvement.\n    So what can we do? I would like to make a few \nrecommendations based on my comments today.\n    First, we can continue our efforts for a more coordinated \nprogram of industry/government cooperation.\n    Second, we can strive to improve information-sharing \nmechanisms and look for ways to collaborate across them as well \nas within them.\n    Third, we still believe that there are areas where \nincentives are necessary for companies to upgrade their \ninformation security, especially for small- and medium-sized \ncompanies. This is also particularly true for functions that \nthe U.S. 
Government deems to be of critical importance to our \neconomic and, therefore, our national security.\n    Fourth, we must continue to emphasize research and \ndevelopment for innovations in security.\n    Fifth, I still remain a strong proponent of ways in which \nwe can develop and professionalize the cadre of information \nsecurity professionals practicing today, including the \nexpansion of programs beyond purely technical disciplines and \ninto the more general business and general curriculums.\n    And finally, due to the interconnected networks that \ntranscend traditional borders today, it is imperative that we \nengage in the overall global dialog on information security as \nwell.\n    In conclusion, I would like to emphasize that the \nimprovements we have made over the last 2 years in information \nsecurity have much to do with increased awareness, and I \nsupport efforts such as this hearing toward that objective. We \nare now better off and we are leaning in the right direction, \nbut we can and need to do more now. I outlined some suggestions \nfor future focus that I hope are helpful.\n    Mr. Chairman, thank you for the opportunity to share my \nviews and EDS's experience once again. I will be happy to \nanswer questions you or members of the subcommittee may have.\n    [The prepared statement of David B. Morrow follows:]\n Prepared Statement of David Morrow, Deputy Director, Global Security \n                       and Privacy Services, EDS\n                              introduction\n    Mr. Chairman and Members of the Subcommittee, thank you for the \nopportunity to testify before you today on Cybersecurity and Consumer \nData: What's at Risk for the Consumer. My name is David Morrow, and I \nam the deputy director for global security and privacy services at EDS. 
\nI have over 25 years of experience in the information technology \n(``IT'') field as a computer programmer and analyst, operations chief, \nsecurity officer, investigator, and consultant. Prior to joining EDS, I \nwas a security consultant with Ernst and Young, LLP and Fiderus \nStrategic Security and Privacy Services, a small, start-up consulting \nfirm. I also spent 13 years of a 22-year Air Force career as an \ninvestigator of computer crime for the Air Force Office of Special \nInvestigations (AFOSI). When I retired in 1998, I was the Chief of the \nComputer Crime Investigations and Information Warfare Division for \nAFOSI. I am honored to join you today to present EDS' views on the \nstate of information technology security, two years after my last \nappearance before the Subcommittee.\n    In my testimony two years ago, I focused on the changes in our way \nof life after the tragedy of September 11, and the need to make \ninvestments to protect our information networks. I called upon \ngovernment and industry to increase their collaboration, to focus not \nonly on physical security but also information security, and to view \ncyber security as an essential capital investment rather than as an \nexpense. I also noted a few ways that government can help industry bear \nthe burden to protect our information economy and, therefore, our \neconomic security. At the risk of repeating myself, I do want to \nemphasize that all those comments still hold true. Today, I will focus \nmy comments on what has changed in the last two years, what needs \nimprovement, and once again where I think both industry and government \ncan make greater efforts.\nWhat has changed?\n    Thankfully, we have not seen another September 11. However, we are \nstill in a heightened threat environment. 
More recent attacks on our \ninformation networks, such as the DNS root server attacks in October \n2002 and several high profile virus and worm attacks, have not stopped \nus from relying on them to conduct business and live our lives. In \nfact, we continue to look to information technology to drive \ninnovation, efficiency, and productivity in our business operations. In \naddition, consumer use of the Internet for recreation and to conduct \nbusiness continues to expand. And, our networks and the data on them \nare still vulnerable.\n    At EDS, we are seeing an increase in the tempo and severity of new \nviruses and other attacks on our information infrastructure. As I \nbelieve many of us predicted here two years ago, the complexity and \nsophistication of such attacks has continued to increase, making the \ntask of defending and repairing our networks and systems all the more \ndifficult. Installing software ``patches'' to deflect intrusions has \nbecome the favored way of addressing impending attacks. But, our \nclients are concerned about the need to install patch after patch after \npatch in rapid succession, on thousands of servers and tens of \nthousands of desktops. As you can imagine, it is a daunting task to do \nthree major patch updates in one week in a large company or government \nagency. As these attacks become more frequent, severe, and \nsophisticated in often incompatible environments, what we call patch \nmanagement has become a larger issue.\n    Unfortunately, another change we have seen is the increased \nincidence of identity theft and criminal misuse of personal information \nthat affects millions of Americans at any given moment. While there are \na variety of both high and low technology ways to obtain personal \nidentity and credit information, the biggest ``bang'' for the criminal \n``buck'' is still to locate and steal such information from an insecure \nnetwork. 
I am disturbed by the increasing number of identity theft \nvictims, and I believe more effective practices in network security and \nprotection of personal data would benefit us all, both individually and \nas a society. I am glad to see that the Administration and Congress \ntook the opportunity of reauthorizing the Fair Credit Reporting Act to \naddress this challenge in a positive way and look forward to the \npassage of that legislation very soon.\n    Another change is the regulatory environment for us and for our \nclients. The Federal Trade Commission's new ``Do-Not-Call-List'', the \nSarbanes-Oxley Act, and the pending FCRA reauthorization are the latest \niterations. They follow the Gramm-Leach-Bliley Act and the Health \nInsurance Portability and Accountability Act. None of these regulatory \nframeworks give specific requirements for information security--and \nshouldn't, in my opinion. But in one way or another, either through \ngreater corporate accountability, stronger privacy requirements, or new \nreporting obligations, each has direct or indirect implications for \nimproving the integrity of data. As such, I would argue that each \nraises the level of awareness of information security in enterprises \nacross the country.\n    This increasing awareness is a key component in the changes that I \nhave seen in the last two years. More and more companies are coming to \nus with questions about how to address their information and network \nsecurity. The problem is, they are still often asking the wrong \nquestions. There is not a silver bullet that can address everything \nthat achieves a stronger security posture. You can't point and click \nand say ``done.'' There are no magic technologies or software. 
\nInformation security is a continual process that elevates security \nplanning out of the traditional information technology silo and \ninvolves the whole enterprise: IT, legal, regulatory, sales, marketing, \nand security, as well as each individual employee and business partner. \nIt's hard work, but it's essential.\n    Another concern is the lack of details or guidance on standards of \nacceptable security practices. There are many organizations that are \nputting forth standards that purport to drive best practices or \ninteroperability, for example. But the proliferation of differing \nstandards has caused some confusion among some of our clients that has \nprevented them from making important changes as they wait for further \ndirection. We often use the ISO Standards because they are widely \naccepted, but there is room for improvement in developing standards for \nthe future that are flexible enough to reflect changes in technology \nand business operations.\n    As modern global businesses become increasingly intertwined through \npartnerships, consortia, and merger and acquisition activity, \ntraditional network and security boundaries are, in many cases, no \nlonger intact. The security problems of one member of a partnership \narrangement or newly acquired company now quickly become the problems \nof the entire group as the insecure network or system becomes the weak \nlink in the entire chain. In addition, information security entails \nmany things that may not appear to be security issues at first glance, \nsuch as enterprise training, for example. 
Addressing these issues \nrequires strategic thinking about:\n\n\x01 the way a company or agency uses information, both on the network and \n        off;\n\x01 what information is critical to the enterprise;\n\x01 what risk mitigation measures need to be put in place for what \n        functions, how your information security fits into an overall \n        business continuity plan; and\n\x01 how privacy and security policies and processes complement--or \n        contradict--each other in the business.\n    Companies need to look at information security in a holistic way to \ncreate and integrate what has been dubbed a ``culture of security'' into \ntheir enterprise. This may be a daunting task for those enterprises \nthat are behind, but it is crucial to ensuring our economic security.\n    Despite its demonstrated critical importance, we have not seen a \nuniversally overwhelming increase in the amount of investment that \ncompanies or the government are making in information security. Some of \nthe early adopters are often driven by regulation or in response to an \nattack, but there are many more who have taken a wait-and-see approach \nand hope that the next incident does not affect them--at least not too \nmuch. Part of that is a response to the current economic situation, and \npart is still a lack of understanding of the loss implications from an \nattack or even a natural disaster.\n    There is cause for hope, however. In a survey of corporate Chief \nInformation Officers released earlier this month by Forrester Research, \nincreased funding for security and privacy efforts was at the top of \nthe list of priorities for 2004. 
I am hopeful that as the economy \ncontinues to recover, these plans will materialize into concrete \nactions and investment in the security and privacy of our national data \nresources.\n    What companies have been doing since September 11, is committing \nsome resources and expertise to the greater dialogue on information \nsecurity. Trade associations and other industry groups are including \ninformation security in their work program, or beefing up existing \nprograms. New information sharing mechanisms are developing, existing \nones are working to improve their impact, and industry groups are \nputting forth best practices and other guidance for their industry. EDS \nwas a founding member of the Information Technology Information Sharing \nAnalysis Center, or ISAC, one of 13 that were set up as part of \nPresidential Decision Directive 63 for the designated critical \ninfrastructures. We have also taken on a role in the National \nInfrastructure Advisory Council (NIAC) that was established after \nSeptember 11.\n    Importantly, efforts are also extending beyond the so-called high \ntechnology sector. EDS led an effort in the Business Roundtable, an \nassociation of Fortune 200 Chief Executive Officers, to develop a \nroadmap for large corporations in any sector to seriously consider \ntheir cyber security. The publication is called Building Security in \nthe Digital Economy: An Executive Resource and is submitted as part of \nmy written testimony.\nWhat still needs improvement?\n    While I appreciate the increased level of awareness, I still think \nwe need to do more to increase the level of real investment and \nimprovement in information security. I believe it requires a \nrecognition that security is not merely good for its own sake. We need \nto incorporate the notion of security as a business enabler into our \nbusiness models. 
Enterprises that are looking at security as an enabler \nto their business are investing in more strategic ways, and are, \ntherefore, better able to serve their clients, consumers, citizens, and \nbusiness partners. As I said earlier, it's not just a business expense \n. . . it's an essential element in today's strategic--and networked--\nbusiness model.\n    I believe the jury is still out on the role of the Department of \nHomeland Security in information security. We do applaud the creation \nof the National Cyber Security Division (NCSD) as well as its initial \nefforts on establishing the U.S. Computer Emergency Response Team (US-\nCERT) and collaborating with industry. EDS will be participating in the \nCyber Security Summit scheduled for early December and the ongoing work \nof the summit's designated task forces. However, we hope that its \nplacement in the new agency does not illustrate a lack of concern, \nauthority, or funding for information security efforts in the US \ngovernment. We all need to be diligent to make sure the NCSD's efforts \nare maintained and relevant.\n    Virtually everyone on this panel two years ago called for a \npublic-private partnership and increased collaboration on cyber \nsecurity. Arguably, we have made important strides in that direction as \nmore companies, people, and agencies are talking about these issues in \nour associations and in government groups. These efforts are \nencouraging, but I argue we can do more, particularly by coordinating \nand learning from them, rather than duplicating them. In addition, once \nagain we cannot look at individual aspects of security in isolation. As \nwe consider our infrastructure protection, we have to look at the \nconvergence of physical and cyber security because they can no longer \nbe looked at independently.\n    In sum, I would characterize our state of information security \nreadiness as marginally better than it was two years ago, with hope for \ngreater improvement. 
While more are concerned, many are not doing as \nlittle as possible to remedy the problems they have. While more are \naware of the threat, they are not mitigating the corresponding risks \nwith appropriate measures. And, while there is more activity and \npublic-private collaboration on information security, it is not well \ncoordinated across the spectrum of industries and issues that are \nimpacted by security measures.\nWhat can be done?\n    First, we can continue our efforts for a more coordinated program \nof industry-government cooperation. The release of the Administration's \nNational Strategy to Secure Cyberspace earlier this year provides a \nframework for continued work, and I urge both industry and government \nto take advantage of the upcoming Summit to solidify some of that work \ngoing forward. The Department of Homeland Security's National Cyber \nSecurity Division provides a focal point for monitoring industry \nefforts and participating as appropriate. As DHS solidifies its \noperations, we should ensure that the division has the appropriate \nmandate, funding, and industry coordination to support its activities.\n    Second, we can strive to improve information sharing mechanisms \nthat are an important component of the public-private partnership on \ncyber security. For example, the Information Sharing and Analysis \nCenters (ISACs) are still active and are looking for ways to be more \neffective for their industries. I would argue the ISACs should also \nlook for ways to communicate and even collaborate with each other when \nappropriate. Just as we cannot put information security into one silo, \nwe cannot look at each industry sector in isolation. We are all \ninterconnected now and rely on not only the security of our own \nnetwork, but that of our suppliers, customers, partners, and \ncompetitors. 
Industry was collectively pleased when Congress provided \nfor Freedom of Information Act exemptions for information shared on \ncyber security in the Homeland Security Act. We urge Congress to \npreserve the integrity of that provision in any future reviews of the \nAct in order to allow continued information sharing about \nvulnerabilities, breaches, attacks, and other actual or anticipated \ncyber incidents. Our experience has repeatedly shown that effective and \ntimely information sharing is one of the most effective ways to prevent \nwidespread incidents and to combat them when they do occur.\n    Third, we still believe there are areas where incentives are \nnecessary for companies to allocate the necessary funds to upgrade \ntheir information security. This is particularly true for functions \nthat the US Government deems to be of critical importance to our \neconomic--and, therefore, our national security.\n    Fourth, we must continue to emphasize research and development for \ninnovations in information security and encourage Congress to keep \nthese avenues open for resolution in the budget process.\n    Fifth, I remain a strong proponent of ways in which we can continue \nto develop and professionalize the cadre of information security \nprofessionals practicing today. In the past two years we have seen a \nnotable increase in the number of educational institutions offering \ncourses and even advanced degrees in information security topics. While \nthis is an encouraging sign, I still believe that there is great room \nfor improvement in expanding the discussions beyond the purely \ntechnical disciplines and into the more general business curriculum.\n    Finally, as stated earlier, our intertwined information networks \nare global in nature and transcend traditional borders. That directly \nimpacts global companies such as ours as well as consumers. It is \nimperative that we engage in the global dialogue on information \nsecurity as well. 
I commend the Organization for Economic Cooperation
and Development and the Asia Pacific Economic Cooperation for their
efforts to bring this issue to the international arena.
Conclusion
    In conclusion, I would just like to emphasize the fact that the
improvements we have made over the last two years in information
security have much to do with an increasing awareness of cyber security
concerns for all of us. Increased awareness here at home and abroad
will continue to be crucial for our security going forward, and I
support efforts such as this hearing toward that objective. We are
better off and heading in the right direction, but we can and need to
do more--now. I have outlined some suggestions for future focus that I
hope are helpful to the Committee.
    Mr. Chairman, thank you for the opportunity to share my views and
EDS' experience once again. I will be happy to answer any questions you
and the Members of the Subcommittee may have.

    Mr. Stearns. Thank you.
    Ms. Davidson, welcome.

                 STATEMENT OF MARY ANN DAVIDSON

    Ms. Davidson. Thank you, Mr. Chairman, Ranking Member
Schakowsky, and members of the subcommittee. My name is Mary
Ann Davidson and I am the Chief Security Officer of Oracle.
Thank you for inviting me here again to talk about the efforts
information technology consumers, producers, caretakers, and
policymakers can take to advance information assurance.
    As you know, I appeared before the subcommittee just a few
months after the events of September 11. In the shadow of one
of the most tragic terrorist attacks in history, all of us
contemplated the potential catastrophe caused by cyberterror on
a massive scale.
    While we have yet to witness a point-and-click terrorist
attack, we have experienced, through Code Red, Blaster and
SoBig, its forbears, billions of dollars in damage and lost
productivity.
These attacks are a grim reminder that far too
much commercial software is built without attention to
information assurance principles, leaving many of our national
cyberassets vulnerable to attack; and the vulnerability
increases every day.
    Bounty money may nab us a few bad guys' scalps, but it
won't slow the development of automated hacking tools. This is
a cyber arms race and the bad guys are winning. For us at
Oracle, the goal is clear: to achieve an industry culture where
all commercial software is designed, developed, and deployed
securely.
    It has been said twice there are no silver bullets, so I
won't say that. I will say it is not going to be a slam dunk.
And, in fact, good intentions can do more harm than good. In
California, a breach of a major data center prompted the
legislature to hastily impose reporting requirements on
security breaches. However well intended, the law was passed
without a fundamental understanding of the limits of current
technology and arguably could make the consumer data more
vulnerable to unauthorized access.
    We need sound ideas, not good intentions from government.
Fortunately, the Federal Government can do good both as a
software buyer and a policymaker to strengthen the culture of
secure software.
    The Federal Government first of all can leverage its buying
power by insisting on more secure software.
And we know at
Oracle how this works, because we built security for 25 years,
because of one of our important customer bases, who I
affectionately refer to as the ``professional paranoids'' asked us
for it.
    The Defense Department is setting an excellent example by
enforcing a pro-security approach to procurement through NSTISSP
11, which says for national security systems an agency can
purchase only that software which has been independently
evaluated under the Common Criteria or the Federal Information
Processing Standards Cryptomodule Validation Program. That is a
mouthful.
    Since NSTISSP 11 went into effect 17 months ago, we have
seen a number of positive developments. First, many firms are
finally pursuing evaluations under FIPS or the Common Criteria
for the first time, and it is high time.
    Second, several firms, including Oracle, are financing
evaluations of open-source products.
    Third, many organizations, such as the financial services
industry, are coming together to make security a purchasing
criterion industrywide, and are using NSTISSP 11 as a model.
    Thanks to NSTISSP 11, security is now far more in the
software development consciousness than it was 2 years ago.
That is a victory for which a large part of the credit goes to
Congress and to DOD and the intelligence agencies.
    There are other ways that the Federal Government can
leverage its buying power. For example, the Federal Government
could insist that the commercial software it buys is either
defaulted to a secure setting ``out of the box'' or made easy
for the customer to change security settings, such as through
automated tools.
    As more private and public consumers seek Common Criteria
and FIPS as potential security benchmarks, a go-to
clearinghouse is needed to validate vendor security claims and
compare them to evaluation results themselves; to make
apples-to-apples comparisons.
For example, a couple of vendors can do
common criteria evaluation and yet have far more stringent
targets or less stringent targets. The clearinghouse would
enable buyers to perform scorecarding and facilitate
comparisons.
    Evaluations can cost a half million dollars under the
Common Criteria, so it is clearly not for everyone and probably
not for consumer software. A software equivalent of the
Underwriters Laboratories could ensure that even this kind of
software is secure by design, delivery and deployment.
    Thanks to the UL, most consumer products are generally
difficult to operate in an insecure fashion. We don't expect a
consumer to do anything special to operate Cuisinarts securely;
they just are secure. And, in fact, you have to make the
product do something unnatural to hurt yourself while using it.
    Consumers should not be expected to be computer security
experts. Industry needs to make it easy for them to be secure.
    Finally, a culture of security has to have an academic
component for professional development and research in areas
not addressed in the commercial marketplace. It is said, to err
is human. A developer can check 20 of 21 conditions, and if
failure to check the 21st causes a buffer overflow, the system
is sometimes vulnerable. Hackers only need to find one error,
but developers have to close every one. It is an uneven battle.
Federal support can help level the playing field.
    Research is needed on tools that can scan software and
pinpoint irregularities or back doors in the code.
This type of
product is not seen as an attractive option among venture
capitalists, because the dominant market mentality in
information assurance is focused on developing a better Band-Aid,
rather than an effective vaccine.
    The recently enacted Cybersecurity Research and Development
Act can be a useful resource for these types of challenges and
Congress should make the highest possible investments to
implement this legislation. If the medical community can
eradicate smallpox with a strong investment in research, we
should be able to eradicate buffer overflows. It is just code,
after all.
    The R&D Act can also fund new and improved academic
programs and research centers on computer security in order to
increase the number of graduates with this specialty. And, in
fact, we need to change the mentality around who we allow to
work on critical cyberinfrastructure. We don't allow engineers
to design buildings merely because they use the coolest
materials; they have to be licensed professional engineers.
    A similar approach is needed in cybersecurity. Ignorance
and hubris are the enemies of reliable cyberinfrastructure.
Industry lacks for neither of these, unfortunately, so long as
we hire based on knowledge of programming languages and not
whether those employees understand the language of
cybersecurity.
    We are at war and all of our foot soldiers must be armed
with the knowledge of what the enemy can and will do to the
careless or unprepared. A strong academic component can also
foster a diverse culture.
Diversity will prevent the IT
equivalent of the Irish potato famine, where reliance on one
strain of potatoes brought on mass starvation and emigration.
    Lack of biological diversity in many IT infrastructures has
rendered them immensely susceptible to cyberplagues, and I
daresay that far more than one-quarter of our population would
be affected should the next cyberplague be more destructive
than its predecessors.
    Biological diversity breeds resistance and the lack of it
is deadly.
    Ultimately, any culture is as strong as the institutions it
supported, so our hope is that government will work with us in
industry and in academia to facilitate the institutions,
practices and mores necessary to build a vibrant, strong culture
of security. I believe we turned the corner and are making
progress. We are extremely pleased to be a part of the next
month's Cybersecurity Summit being planned by the Department of
Homeland Security. That kind of dialog can ensure that we have
turned the corner for the better.
    Mr. Stearns. I may need you to sum up.
    Ms. Davidson. Thank you, Mr. Chairman, and I thank you for
the opportunity to appear before you today.
    [The prepared statement of Mary Ann Davidson follows:]
Prepared Statement of Mary Ann Davidson, Chief Security Officer, Oracle
                              Corporation
    Mr. Chairman, Ranking Member Schakowsky, and members of the
Subcommittee, my name is Mary Ann Davidson, Chief Security Officer of
Oracle Corporation. Thank you for inviting me here again to talk about
cybersecurity, and specifically, the efforts all of us can take--as
information technology consumers, producers, caretakers and
policymakers--to advance information assurance.
    As you know, I appeared before this subcommittee just a few months
after the ghastly events of September 11th.
In the shadow of one of the
most tragic terrorist attacks in history, all of us contemplated the
potential catastrophe caused by cyberterror on a massive scale, and the
need for all of us to take far greater responsibility toward better
information assurance.
    While we have yet to witness a point-and-click terrorist attack, we
have experienced, through CodeRed, Blaster and Sobig.F, its forebears,
with billions of dollars in damage and lost productivity. These attacks
are a grim reminder of what I warned this subcommittee two years ago:
Far too much commercial software is built without attention to
information assurance principles, leaving many of our national
cyberassets--most in private hands--vulnerable to attack.
    This vulnerability increases every day. Bounty money may result in
the arrest of one or two of those responsible for cyberplagues, but it
won't slow the development of advanced hacking tools, or change our
increasing dependence on Internet-based platforms to administer public
and private enterprises--two trends that are at the heart of our
growing vulnerability. We are in our own version of an arms race, and
the bad guys are winning.
    For the information technology industry, our contribution to
cybersecurity is straightforward: to achieve a marketplace and an
industry culture where all commercial software is designed, delivered
and deployed securely. There are no ``silver bullets'' to get there. A
culture of security will require years to achieve and decades to
maintain. Good intentions are not good enough and frankly, can do more
harm than good. We already have seen one instance, in California, where
a cyber-related event triggered a rush by the legislature to impose
reporting requirements on security breaches. This law was passed
without a fundamental understanding of the limits of current
technology, and arguably could make consumer data more vulnerable to
unauthorized access.
It's not good intentions, but sound ideas that we
need from government, and fortunately, there are a number of
constructive steps the federal government can take, as both a software
buyer and policy-maker to move us toward a culture of secure software.
    Let the buyers be wary. Try as you might, Congress can't legislate
good software. Those in a position to make a difference for the better
are software consumers, from small business enterprises to big
government agencies. All they have to do is make security a purchasing
criterion. We at Oracle made the investments to integrate security
throughout our development process because our customers asked for it.
Our first customers, the intelligence community, who I affectionately
call the ``professional paranoids,'' are some of the most
security-conscious people on the planet.
    After ten years of an on-again, off-again merry-go-round by the
federal government to become a more responsible software buyer, we are
seeing constructive action being taken by the Defense Department to
enforce a pro-security approach to software procurement known as
NSTISSP #11. Simply put, for national security systems, an agency can
only purchase commercial software that has been independently evaluated
under the international Common Criteria (ISO 15408) or the Federal
Information Processing Standards (FIPS) Cryptomodule Validation Program
(CMVP).
    Since NSTISSP #11 went into effect 14 months ago, we've seen
several positive developments. First, a number of firms, including
several of our competitors, are getting their products evaluated under
FIPS or the Common Criteria for the first time. Second, we're seeing
firms, including Oracle, financing evaluations of open source products.
The security of open source versus proprietary software must not be a
religious argument, as it so often is, but a business one. Open source,
like proprietary software, is here to stay.
We must all work to make it
as secure as possible. Third, several industry organizations, such as
the financial services industry, are coming together to make security a
purchasing criterion industry-wide and are using NSTISSP #11 as a
model.
    We're seeing all of this because the initial impression from an
industry perspective is that the federal government--the largest single
buyer of commercial software--means business this time. As a result,
security is now more in the software development consciousness than it
was two years ago, and all of us as information technology consumers
stand to benefit. That, in and of itself, is a major victory, and
credit goes to the people within the Defense Department and
intelligence agencies, as well as Congress, who are making a concerted
effort to make this process work.
    Secure ``out of the box.'' NSTISSP #11 is a strong lesson that the
federal government, acting as a security conscious software buyer, can
change the entire commercial software landscape for the better. That
said, are there ways, other than NSTISSP #11, that can accomplish the
same purpose? We believe one measure worth considering is for the
federal government to insist that the commercial software it buys is
either defaulted to a secure setting right out of the box, or made easy
for the customer to change security settings, for example, through
automated tools that enable customers to become, and remain, secure.
For example, the Office of Management and Budget, working in
conjunction with the federal agencies, the National Institute of
Standards and Technology (NIST) and private industry, could specify
what is the appropriate default security setting for the software it
buys, or require appropriate and easy-to-use tools needed to change
these settings.
    Software Underwriters Lab. Government can be a useful vehicle to
promote voluntary cooperation in the name of better security.
For
example, the Federal Trade Commission could work with the software
industry to establish the software equivalent of the Underwriters
Laboratories (UL). Security evaluations under the Common Criteria,
which can cost half a million dollars per evaluation, are not for
everyone, especially for many forms of consumer software. A software
version of the UL is a cost-effective vehicle to capture less complex,
more consumer-oriented forms of software. Again, the fundamental goal
is to make all commercial software secure by design, delivery and
deployment. To get there, the federal government should work with
private industry to establish a consumer software equivalent of the UL.
Thanks to the UL, most consumer products are generally difficult to
operate in an insecure fashion. For example, Cuisinarts are designed so
that you can't lose a finger while the blades are whirling. We don't
expect the consumer to do anything special to operate Cuisinarts
securely; they just are secure. Similarly, consumers should not be
expected to be rocket scientists or security experts. Industry needs to
make it easy to be secure.
    Better Information for Buyers. There are already several good web
sites to help private and public customers understand Common Criteria,
FIPS and NSTISSP #11. However, particularly as more and more private
customers see Common Criteria as a potential security benchmark, we are
finding that what many of our customers need is a one stop, ``go to''
site in order to validate vendor security claims and compare them to
the evaluation results themselves. It would be useful for a government
procurement officer, or a private sector buyer, to be able to see all
evaluations of any type, for a single vendor, at a single glance, from
a single location, whether FIPS-140 or Common Criteria, whether
evaluated here or abroad. This empowers them to make apples to apples
comparisons.
For example, two database vendors can both receive an EAL4
certification, even though one database vendor made two functionality
claims in a security target, while the other database vendor made forty
security claims. A clearinghouse would enable buyers to perform
security target ``scorecarding'' and facilitate this and other types of
comparisons.
    Academic Research and Professional Development. As in many
disciplines, the market alone cannot produce every security solution. A
culture of security, like any professional culture, has to have an
academic component for professional development, and to advance the
field in areas not addressed in the commercial marketplace. For
example, even with a good development process, ``to err is human.'' A
developer can check 20 of 21 conditions, and if failure to check the
21st causes a buffer overflow, the system is still potentially
vulnerable. Keep in mind, hackers only need to find one error, while
developers have to anticipate and close every one. It's an uneven
battle. Federal government resources directed toward academic talent
can work with industry and level the playing field.
    One area that deserves attention, especially as more and more US
firms partner with foreign countries on software development, is
research on effective tools that can scan software and pinpoint
irregularities or backdoors in the code. Unfortunately, this type of
product research and development is not seen as an attractive option
among venture capitalists, who generally channel their funds toward
products that are nothing more than techno-band-aids for security
faults.
In other words, the market mentality toward information
assurance is focused on developing a better Band-Aid, rather than an
effective vaccine.
    Congress last year took an important step in filling this void when
it passed the Cyber Security Research and Development Act, which
authorizes nearly a billion dollars over five years to invest in
projects like code-scanning tools. We are about to enter the second
year of this five-year program, and Congress is providing very limited
assistance to pursue the goals of this legislation. We hope Congress
will increase its investment.
    If the medical community could eradicate smallpox with a strong
investment in research, we should be able to eradicate buffer
overflows. It's just code, after all.
    A portion of the proposed investments under the Cyber Security R&D
Act is authorized to create or improve academic programs and research
centers on computer security in order to increase the number of
graduates with this specialty. These kinds of investments are needed.
The National Science Foundation reported earlier this year that only
seven PhD's in cybersecurity are awarded each year. Research conducted
more than two years ago found that while there were twenty-three
schools identified as ``centers of excellence'' in information
assurance, not one four-year university offered a bachelor's program in
cybersecurity. Only one associate degree program was offered at
two-year institutions. We've seen some progress on this front, but much
more can be done if the federal government invested more resources in
this effort.
The private sector can be a critical support component as
well, especially given the current and growing demand for information
security professionals among publicly held corporations.
    In the IT industry, no one should be able to work on software that
becomes part of critical infrastructure without proving that they
understand and can demonstrate sound software design, coding and
engineering principles. We do not allow engineers to design buildings
merely because they use ``the coolest materials.'' They must be
licensed professional engineers. Why do we hire programmers to design
critical IT infrastructure merely because they know the coolest
programming languages? Ignorance and hubris are the enemies of reliable
cyber infrastructure. Industry lacks for neither of these,
unfortunately, so long as we hire based on what programming languages
someone knows, and not whether they speak the language of
cybersecurity. We are at war, and all our footsoldiers must be armed
with the knowledge of what the enemy can and will do to the unprepared
or careless.
    A strong academic component in our culture of security also fosters
a competitive and diverse culture. Strong competition and diversity
will prevent the IT equivalent of the Irish potato famine, where
reliance on one strain of potatoes brought on mass starvation and
emigration. Similarly, lack of ``biological'' diversity in many IT
infrastructures renders them immensely susceptible to cyberplagues. I
dare say that far more than one quarter of our population would be
affected should the next cyberplague be more destructive than its
predecessors. Biological diversity breeds resistance. Lack of it is
deadly.
    As today's hackers and virus spreaders demonstrate every day,
cybersecurity is an evolving discipline, one that combines art and
science, and determination and passion.
One cannot simply take a
snapshot of a company's IT systems today and compare it to some
preconceived list and say ``yes, you are secure,'' or ``yes, you are
doing the right things toward better security.'' The state of the art
is in a perpetual state of revolution.
    Ultimately, any culture is as good as the institutions that serve
as the foundation of that culture. So, if there is an overarching
recommendation for you and your congressional colleagues, it is to work
with us in industry and in academia to facilitate the development of
the institutions, practices and mores necessary to build a strong,
vibrant and diverse culture of security. I believe we have turned a
corner, and are making progress toward getting more and more of our
customers to think about security. Further steps are needed, such as
the ones outlined here. Again, these recommendations are no silver
bullets, but what we at Oracle believe are the next appropriate steps
up this ladder of better security. We are very pleased to be a part of
next month's Cybersecurity Summit being planned by the Department of
Homeland Security, and some of our leading trade associations.
Establishing that kind of regular, continuing dialogue is yet another
link toward making sure we have truly turned a corner for the better,
rather than yet another trip on the merry-go-round of information
assurance.
    Thank you again, Mr. Chairman, for the opportunity to appear before
you today.

    Mr. Stearns. And I thank the gentlewoman.
    Mr. Ansanelli.

                STATEMENT OF JOSEPH G. ANSANELLI

    Mr. Ansanelli. Good morning. I am Joseph Ansanelli, CEO of
Vontu. Our company provides information security software,
specifically designed to help organizations protect consumer
data by monitoring for the inappropriate distribution of
non-public information via the Internet.
    Mr.
Chairman, members of the subcommittee, I commend your
efforts in organizing this hearing.
    The FTC recently provided, I think, an excellent answer for
what is at risk for the consumer. As many of you know, in 2002
approximately 10,000,000 people were victims of identity theft.
They reported $5 billion in out-of-pocket expenses and many
hours repairing credit histories. In the last 5 years, almost
30 million people were victims. Clearly, identity theft is a
risk for consumers. There is also a risk for businesses, who
last year suffered an estimated loss of nearly $48 billion.
Additionally, businesses risk something even more important,
the loss of consumer trust.
    Vontu recently commissioned a study of 1,000 consumers to
understand the relationship between consumer data security
trust and commerce. Three highlights from this study. No. 1,
security drives purchasing decisions. More than 75 percent of
consumers said security and privacy were important in their
purchasing decisions.
    No. 2, consumer notification is important. About 80 percent
of the consumers said that they wanted to be notified when
companies are at least 75 percent sure that personal
information has been compromised, and, three, all security
violations are not the same. More than half of the respondents
said they would be more concerned if their private information
fell into the wrong hands due to an incident caused by an
employee rather than a hacker.
    This third point is very important. While most security
testimony has focused on the remarks related to hackers
breaking into computer networks from the outside, our focus is
on the new security threat, insiders. Every day we create and
store records that contain credit card numbers, Social Security
numbers, and other types of non-public personal information.
The sad fact is that many identity thieves never have to break
into a firewall to get to this data.
Their employer has already
issued them the password to access this information. As a
result, last year, a customer service representative of
TeleData Communications who had easy access to consumer credit
reports allegedly stole 30,000 customer records using his
legitimate access. TeleData is the single largest identity
theft crime ever prosecuted.
    Also, the Secret Service has assembled teams to investigate
fraud rings that enlist corporate employees to steal consumer
information, and last, consumer credit information provider
Trans Union issued a report stating that the top cause of
identity fraud today is now theft of records from employers or
other businesses.
    The problem with better protecting consumer data is no
longer just an issue of keeping up with the hacker, but also
one of ensuring that those with access keep the information
secure. It is clear to me that we need new efforts to minimize
this growing risk of identity theft as well as the insider
threat.
    However, I do not believe new government regulations alone
can solve this problem. The right solution is a partnership
with government and industry. To begin with, I suggest this
committee consider developing a consumer data security
standard, part of the Consumer Privacy Protection Act of 2003,
H.R. 1636. This would ensure a nationally unified and standard
approach to protecting consumer information. It should include
a requirement for companies to do the basics in security,
consider adding seat belts to automobiles. This requirement
should include protecting and ensuring the confidentiality of
non-public data, detecting potential misuse of consumer
information, and correcting problems as they are discovered and
notifying consumers when appropriate.
    These requirements are similar to those under
Gramm-Leach-Bliley and HIPAA.
I ask you to consider if and why the
industries covered by Gramm-Leach-Bliley and HIPAA are somehow
unique in their need to protect the same personal data such as
a credit card and Social Security numbers that many other
industries also store. It seems that any business that manages it
exposes consumers to identity theft risk and should be held to
a similar standard.
    Also, a national standard is important because confusion is
the enemy of consumer protection. Unless a national standard
emerges I fear that businesses will be forced to comply with a
patchwork of 50 different State regulations.
    Last, it is important to have a carrot to ensure
partnership. The risk of civil lawsuits or steep fines
discourages some companies from going beyond the basic
requirement. We strongly suggest any future legislation include
a regulatory carrot through a safe harbor to encourage
companies to go beyond any basic security requirements without
fear of severe penalties.
    In closing, if more is not done to protect consumer
information, especially in the electronic form, the cost of
identity theft will continue to grow, causing a drag on this
country to sustain its leading position in the global company.
    I welcome the opportunity to answer any additional
questions.
    [The prepared statement of Joseph G. Ansanelli follows:]
Prepared Statement of Joseph Ansanelli, Chairman and CEO of Vontu, Inc.
    My name is Joseph Ansanelli and I am the CEO of Vontu, Inc. Our
company provides information security software to help organizations
protect consumer data by monitoring for the inappropriate distribution
of non-public personal information via the internet.
I am honored to
provide testimony on information security, consumer data and the risks
for consumers.
Identity Theft is the Risk for Consumers
    The FTC recently provided an excellent answer to the question
``What's at Risk for the Consumer?'' They estimate that approximately
10 million people in the last year alone were victims of Identity
Theft. These victims reported $5 billion in out-of-pocket expenses and
countless hours of lost time repairing their credit histories. In the
last five years, almost 30 million people or 10 percent of the US
population were victims of identity theft. Clearly, identity theft is
what is at risk for consumers.
Losing Consumer Trust is the Risk for Business
    This is not only a risk for consumers, but is a risk for business
as well. As part of the same FTC report, the losses to businesses
totaled nearly $48 billion.
    Additionally, there is a risk that is not mitigated through
insurance or other strategies--loss of consumer trust. Vontu recently
commissioned a survey of 1000 consumers in the United States to better
understand the effect that security of customer data has on consumer
trust and commerce.
Some of the findings include:\n\n\x01 Security drives purchasing decisions--More than 75 percent of \n        consumers said security and privacy were important in their \n        decisions from whom they purchase.\n\x01 Consumers will speak with their wallets--Fifty percent said that they \n        would move their business to another company if they did not \n        have confidence in a company's ability to protect their \n        personal data.\n\x01 Insider theft increases concerns about a company's data security \n        efforts--More than 50 percent of the consumers surveyed said an \n        insider breach would cause them to be more concerned about how \n        a company secures their information.\n    Clearly, financial costs and loss of consumer trust, as a result of \nidentity theft, are what is at risk for business. The question is how \ndoes cybersecurity play into these risks?\nThe Insider--A Major Cause of Identity Theft\n    While most security testimony has focused on the threats related to \nhackers breaking into computer networks from the outside, my remarks \ntoday will focus on a new and growing security threat--insiders. The sad \nfact is that many identity thieves never have to break through a \nfirewall. Their employer has issued them a username and password that \ngives them access to a virtual treasure trove of consumer data.\n    Every day, companies throughout this country create and store \nmillions of records that contain social security numbers, credit card \nnumbers and other types of non-public personal information. At most of \nthose companies, a significant percentage of employees have legitimate \naccess to this data. This has created a potentially explosive \ncombination of companies storing more consumer information and at the \nsame time providing insiders with more access to that data.\n    Last year, the volatility of this combination made headlines. A \ncustomer service employee of Teledata Communications Inc. 
who had easy \naccess to consumer credit reports allegedly stole 30,000 customer \nrecords. This theft caused millions of dollars in financial losses and \ndemonstrates that even though any computer system can be hacked, it is \nmuch easier, and in many cases far more damaging, for information to be \nstolen from the inside.\n    Teledata is the single largest identity theft crime ever \nprosecuted. However, I am convinced that this kind of crime continues \ntoday, yet it often goes unrecognized. Insiders use their legitimate \naccess to copy sensitive information and with a few clicks of their \nmouse, send it outside the company.\n    Law enforcement and regulators are also starting to raise the issue \nof the growing danger to consumers from insiders. Special Agent Tim \nCadigan testified this summer that the Secret Service has assembled \nspecial teams to investigate the growing number of incidents where \nfraud rings enlist corporate employees in schemes to steal consumer \ninformation.\n    Mr. Howard Beales, Director of the Federal Trade Commission's \nBureau of Consumer Protection, said in January that the FTC continues \nto see evidence that insiders were stealing consumer data at an \nincreasing rate and using it to commit identity crimes. In September, \nthe FTC reported that about a quarter of all consumers who knew that \ntheir information had been stolen believed that insiders were \nresponsible.\n    Lastly, consumer credit information provider TransUnion recently \nissued a publicly available report stating that the top cause of \nidentity fraud is now theft of records from employers or other \nbusinesses.\n    The problem of better protecting consumer data is no longer just an \nissue of keeping out the hacker but also one of ensuring that those \nwith access to the data keep the information secure.\nConsumer Data Security Standard\n    It is clear that we need new efforts to minimize this growing risk \nto consumers and businesses. 
However, I do not believe new government \nregulations alone can solve this problem. Instead, the right solution \nis to build a partnership of government and industry using both ``the \ncarrot and the stick''.\n    To begin with, I suggest this committee develop a Consumer Data \nSecurity standard--possibly as part of the proposed Consumer Privacy \nProtection Act of 2003 (HR 1636). This standard would ensure a \nnational, unified and standard approach to protecting consumer \ninformation and thereby stop one of the primary sources of identity \ntheft. It should be self-regulating with oversight from appropriate \nagencies when problems arise and include a requirement for companies \nto:\n\n\x01 Protect and ensure the confidentiality of all non-public personal \n        information;\n\x01 Detect potential misuse of consumer information;\n\x01 Ensure compliance by its workforce with their data security policies;\n\x01 Correct problems as they are discovered.\n    These requirements are similar to those required under Gramm-Leach-\nBliley and HIPAA. Are the industries covered by these regulations \nunique in their need to protect personal data? It seems that any \nbusiness that manages sensitive financial or other non-public personal \ninformation exposes consumers to identity theft. Whether it is \nproviding your social security number when purchasing a mobile phone or \nusing your credit card to buy groceries, you are exposing your personal \ninformation to theft--a cross-industry, unified approach is needed.\n    Additionally, this committee may want to make notification a part \nof this standard. In our survey, consumers said they wanted to be \nnotified early and often when security and privacy violations occur. 
In \nfact, 80 percent said they want to be notified when companies are 75 \npercent sure that a violation has occurred.\n    This Consumer Data Security standard is the ``stick'' to ensure \nthat there is a base level of responsibility for consumer data \nprotection.\nSafe Harbor\n    As mentioned earlier, a partnership between government and business \nis required to better protect consumer information. Unfortunately, \ntoday many of the current and proposed Federal and State regulations \nserve as a disincentive to proactively search for insider breaches or \ninappropriate disclosures of consumer information. For example, the \nrisk of civil lawsuits or regulatory censure discourages some companies \nfrom going beyond what is considered a base requirement. Future \nlegislation should include a regulatory ``carrot'' through a ``safe \nharbor'' to encourage companies to go beyond basic security \nrequirements and aggressively pursue potential leaks of data without \nfear of severe penalties.\n    This approach of the ``carrot and stick'' would not only encourage \nmost companies to adopt new consumer protections quickly, it would free \nlimited government resources to concentrate on the most egregious \nviolations of the standard itself. Additionally, this proposal would \nhelp to solve one of the unaddressed issues regarding Identity Theft in \nboth of the current Fair Credit Reporting Act bills approved this year \nby the House and the Senate.\n    In closing, the increasing costs of identity theft coupled with \nconsumers' increased demands for security protection are driving these \nissues to the top of the agenda for consumers, business and government. 
\nIf more is not done by all parties involved with respect to protecting \nelectronic information, the costs will continue to grow, potentially \naffecting the country's ability to expand its leading position in the \nworld economy.\n    I hope these comments will prove helpful to the subcommittee as it \ncontinues its deliberations on improving consumer data security. I \nwelcome the opportunity to continue working with you, and am happy to \nanswer any questions you might have.\n    Thank you.\n\n    Mr. Stearns. Thank you.\n    Mr. Burton.\n\n                   STATEMENT OF DANIEL BURTON\n\n    Mr. Burton. Good morning, and thank you for the opportunity \nto testify.\n    My name is Dan Burton. I am Vice President of Government \nAffairs for Entrust, Inc., and as a world leader in securing \ndigital identities and information, Entrust is driving the \ncreation of a robust, manageable business security environment \nthrough use of such technologies as encryption, digital \nsignatures, authentication and authorization.\n    I want to be very clear in my message. The cybersecurity \nproblem is not getting better. Since 2001, when this \nsubcommittee held a hearing on this issue, CERT reports a \ntripling of breaches from 52,000 to a projected 150,000 by the \nend of 2003. Although awareness has increased, understanding \nhas not. Most companies are still struggling with this issue.\n    It is critical that this subcommittee provide the private \nsector with clear direction to protect sensitive consumer and \nbusiness information. You can do so by strongly endorsing \ninformation and security governance programs that provide \nbusinesses risk assessment, reporting and accountability. 
Let me \ngive you some examples of the problem based on our market \nexperience.\n    The first example speaks to the fact that even if you \nunderstand the threat, it is hard for companies to justify more \nthan just a limited response because of the complexity and the \ninvestment in people, time and resources that is required. Last \nyear, a large consumer data company suffered a breach when one \nof its customer's employees used the company's server to hack \nthe passwords of other customers. This company believed that it \nhad taken reasonable precautions to protect its data, \nespecially since the penalties for not taking action were \nvague.\n    In this case, the seriousness of the breach and the new \npenalties created under California's SB 1386 forced the company \nto change the way it thought about protecting its information \nsystems. This company has put in place a much more robust set \nof security measures.\n    A second example speaks to the need to treat cybersecurity \nas a continuous process. A large financial institution \nimplemented strong authentication digital signatures but year \nafter year failed to upgrade its software, despite the fact \nthat there was no cost to do so.\n    The reason? It did not have the systems in place to treat \ncybersecurity as a continuous process. Only when the company \nfailed an audit and was cut off from outside software support \ndid senior management get involved and put in place the \nnecessary procedures.\n    A final example shows how some companies are taking a more \nproactive approach. Several years ago, a major insurance \ncompany with a very large database of confidential consumer \nrecords realized that it was a prime target for identity \nthieves and hackers. It couldn't simply lock up its records, \nsince the field agents needed access to them, so it did a risk \nassessment and implemented a systemic information security \ngovernance plan. 
This program facilitated broad, highly secure \naccess to data.\n    These three charges paint very different responses to the \ncybersecurity threat, but they all underscore a similar theme \nand one that I want to highlight today.\n    Companies need a clear understanding of cybersecurity \ncosts, benefits, and penalties before they will make \ncybersecurity a priority.\n    Where do we stand? The growing array of Federal legislation \ndoes not go far enough to ensure companies take sufficient \naction. Some major laws affecting cybersecurity have been in \nplace and have been referred to today, Sarbanes-Oxley, Gramm-\nLeach-Bliley, HIPAA. These laws tend to treat cybersecurity as \na secondary issue. Two other cybersecurity laws are having a \nmore immediate impact on market behavior, the California Breach \nNotification Act, SB 1386, and the Federal Information Security \nManagement Act, FISMA.\n    Like it or not, and many people do not like it, by creating \na private right of action for failure to report the breach of \nunencrypted personal information, SB 1386 has had a stark \nimpact on industry's cost-benefit analysis and by treating \ncybersecurity as a management responsibility and tying it to \nOMB funding decisions, FISMA has had an immediate impact on the \nbehavior of Federal agencies.\n    We think that there is an information security governance \nimperative. A governance framework is important because it \nguides the implementation, evaluation and improvement of \ncybersecurity practices. A successful program requires three \nbasic functions, risk assessment, reporting, accountability. It \nis our experience that in the absence of mandates for these \nactivities, cybersecurity never receives the management \nattention and funding that are critical to succeed.\n    Entrust developed just such a framework for cybersecurity \nand brought it to the Business Software Alliance, which created \na task force co-chaired by our CEO, Bill Conner. 
The BSA report \nreleased last month entitled Information Security Governance \nToward a Framework for Action highlights the fact that if we \nare to make real progress we must treat cybersecurity not only \nas a technical issue but as a management issue. We are also \nasked to co-chair the Governance Task Force at the upcoming DHS \nCybersecurity Summit.\n    In conclusion, some compare cybersecurity to Y2K and \nemphasize the need to require public companies to report on \ntheir cybersecurity governance programs in their SEC filings. \nWe didn't solve the Y2K problem by holding seminars for Cobol \ncode writers. We solved it by engaging senior management in the \nissue and structuring liability laws appropriately.\n    Others have compared cybersecurity to on-line privacy and \nemphasize the need for voluntary reporting about risks, \nbreaches and policies backed up by FTC enforcement. There is no \nprivacy without security, and my favorite metaphor here is that \nof a canary in a glass cage in a room full of hungry cats. This \ncanary has absolutely no privacy. However, it has perfect \nsecurity. We have got to solve security first if in fact we \nwant to have true on-line privacy.\n    Perhaps the best analogy for the issue, however, is \nquality. Like quality, cybersecurity requires numerous \niterative steps that are part of a continuous process. \nCompanies must complete one cycle of the program, measure their \nprogress, report their performance to senior management, fine-\ntune their efforts, and begin another cycle with slightly more \nrigor. 
Repeated cycles lead to improvements that will not only \nprotect sensitive information but also enable productivity \ngrowth and new market opportunities.\n    As a global leader in the field with the benefit of \nfirsthand knowledge and the best practices implemented around \nthe world, Entrust strongly urges this subcommittee to lead the \neffort to take cybersecurity out of esoteric, technical \ndiscussions and into mainstream business management. The goal \nshould be to encourage companies to treat cybersecurity as a \ncorporate governance issue, which includes business risk \nassessment and reporting with management accountability. A good \ngovernance framework will produce a transparent process that \nincludes executive management as responsible and assigns the--\n--\n    Mr. Stearns. Mr. Burton, I just need you to summarize.\n    Mr. Burton. The cybersecurity is real, this is not a case \nof crying wolf. The statistics detail the increased damage and \nincreased threats that occur daily. There is no reason to wait \nfor a major breach or attack that incapacitates the Nation \nbefore acting, especially when there is strong consensus around \nthe steps industry must take. We are now all burdened with \nthe awareness of the threat and have the corresponding \nresponsibility to act. Congress must do everything that it can \nto ensure effective programs are in place for the private and \ngovernment sector.\n    Thank you.\n    [The prepared statement of Daniel Burton follows:]\n   Prepared Statement of Daniel Burton, Vice President of Government \n                         Affairs, Entrust, Inc.\n    Good Morning. Chairman Stearns and Members of the Subcommittee, \nthank you for the opportunity to provide testimony on this important \nand timely subject. My name is Daniel Burton, and I am Vice President \nof Government Affairs for Entrust, Inc. 
In my testimony today, I will \naddress our view of where the private sector stands in its efforts to \nsecure its information systems and what this Subcommittee can do to \naccelerate progress.\n    I want to be very clear in my message. The cyber security problem \nis not getting better. Since 2001, when this committee held a hearing \non this issue, CERT has reported a tripling of cyber security breaches, \nfrom 52,000 in 2001 to a projected 150,000 by the end of 2003. Although \nsome companies have recognized the threat of cyber attacks to their \nbusiness performance and their customers' personal information, most \nare struggling to deal with the issue. It is incumbent on this \nSubcommittee to galvanize industry efforts to protect sensitive \nconsumer and business information. This can only be accomplished by \nsecuring the private sector IT systems that control the majority of the \nnation's critical infrastructure. You can do so by strongly endorsing \ninformation security governance programs that drive business risk \nassessment, reporting and accountability.\n    Entrust is a world leader in securing digital identities and \ninformation. Over 1,200 enterprises and government agencies in more \nthan 50 countries use our security software solutions, so we have a \ngood perspective on today's cyber security reality. As a company, we \nare leading the evolution from defensive, perimeter-oriented technology \napproaches to a more proactive business security strategy that enables \nincreased productivity. This strategy involves creating a more robust, \nmanageable business security environment through the use of \ntechnologies such as encryption, digital signatures, authentication and \nauthorization. We also work with customers to put in place the policies \nand procedures that protect digital identities and information. 
Our \nbiggest competition comes not from other companies, but from the ``do \nnothing'' business mindset regarding cyber security.\n                       i. examples of the problem\n    A few examples based on Entrust's experience in the market show how \nenterprises are responding to cyber security today.\n    Last year, a company that is a large collector and processor of \nconsumer data suffered a breach when one of its customer's employees \nused the company's servers to hack the passwords of its other \ncustomers. The hacker then proceeded to access and copy databases \ncontaining highly personal consumer information. Because this company's \nclients include 14 of the top 15 credit card companies, 7 of the top \nten automakers and 5 of the top 6 retail banks, in addition to other \nmajor consumer brands, the attack was not a trivial hack. Fortunately, \nno identity theft complaints have been traced directly to this breach. \nDespite the fact that many people focus on external threats, it is \nimportant to note that this breach, like most, was internal, meaning \nthat it came from an insider. Moreover, it was discovered only by \naccident ten months after the incident occurred when law enforcement \nagents researching another breach discovered e-mails describing this \none. As soon as the company learned of the attack, it informed its \ncustomers, as required by the California cyber security breach \nnotification law (SB 1386), and implemented authentication and \nencryption systems to better protect its data.\n    As a major database company with a pretty good security and privacy \nprogram, this company believed that it had taken reasonable precautions \nto protect its data, especially since it was doing as much as many \nother companies and the penalties for not taking action are vague. In \nthis respect, it is typical of many companies. 
The reality facing \nbusiness today is that even if you understand the threat, it is hard to \njustify more than limited cyber security measures because of the \ncomplexity involved and the investment in people, time and resources \nthat is required. In this case, however, the seriousness of the breach \nand the new penalties created under California SB 1386 forced the \ncompany to change the way it thought about protecting its information \nsystems. Today, this company is on the forefront of driving a higher \nstandard and better understanding of cyber security reality.\n    A second example speaks to the need to treat cyber security as a \ncontinuous process. Several years ago, a large financial institution \nimplemented strong authentication and digital signatures on its cash \nmanagement service offering for its business customers. I should note \nthat billions of dollars traverse this network. Although there was no \nadditional fee to upgrade this technology as new versions of the \nsoftware were released, the company repeatedly failed to do so. The \nreason? It did not have the systems in place to treat cyber security as \na continuous process. Only when the company failed an audit because it \nwas cut off from software support did senior management become involved \nand take the necessary steps to upgrade the company's security systems.\n    A third example shows that, despite the lip service they pay to the \nissue, some companies are unwilling to do anything about cyber security \nthat will affect application performance. A major investment bank \nrealized that it did not have adequate cyber security protections in \nplace and undertook a review of solutions to securely authenticate its \nsensitive communications internally and with customers. As a condition \nof this review, however, it stated that it was not willing to sacrifice \nany application performance for better security. 
This meant that it \nwould accept only a few milliseconds response time for authentication \nduring fail over. Since no security products can meet this standard, \nnow the company is deciding whether they will tolerate even a minimal \nperformance compromise in order to include security.\n    A fourth example involves Federal agencies, which in their size and \ncomplexity are similar to large enterprises. Until a few years ago, the \nFederal government did not have an adequate cyber security policy, \ndespite the fact that year after year Congressional report cards gave \nmost government agencies an ``F'' in information security. It was not \nuntil Congress passed the Government Information Security Reform Act \n(GISRA), later amended by the Federal Information Management Security \nAct (FISMA)--which coupled IT security performance with OMB budget \ncontrols--that Federal agencies began to change. By insisting that \ncyber security be treated as a governance and budget issue with risk \nassessment, reporting and senior management engagement, FISMA and OMB \nforced Federal agencies to begin to upgrade their cyber security \nprograms.\n    A final example shows that when companies view cyber security as a \nbusiness enabler that improves productivity, they are more likely to be \nproactive. Several years ago, a major insurance company with a large \ndatabase of confidential customer records realized that it was a prime \ntarget for identity thieves and hackers. The insurance company couldn't \nsimply lock up its records since it had thousands of field agents that \nneeded to access them to service customer needs. In order to solve this \nproblem, the insurance company did a comprehensive risk assessment and, \nusing digital signatures and authentication technology, implemented an \ninformation security governance plan that encompassed strategy, \ntechnology, people and process. 
By proactively securing its IT systems, \nthe company not only protected confidential customer information, but \nalso created the secure business operations necessary to increase the \nproductivity of its agents.\n    Although these examples paint different responses to the cyber \nsecurity threat, they all underscore a similar theme--without a better \nbusiness understanding of cyber security costs, benefits and penalties, \nmost companies will take only limited cyber security measures.\n                         ii. where do we stand?\n    Regardless of how you grade industry's response, there is no doubt \nthat the cyber security risk is increasing. Although some companies are \nresponding, overall business progress has been slow. The current \nsituation brings to mind the ``boiling frog'' metaphor. If you drop a \nfrog in boiling water, it will jump out. However, if you put a frog in \na pot of water and gradually raise the temperature, the frog will cook. \nI think many companies are being ``cooked'' when it comes to cyber \nsecurity.\n    Like quality improvement, cyber security is not a one-time event, \nbut a continuous process. Just as few managers understood the quality \nmovement when Deming first introduced it, few business leaders fully \ngrasp the new and evolving discipline of cyber security today. We are \nat the beginning of this brave new digital frontier, and Congress must \nfind ways to accelerate industry's understanding and progress. \nCompanies make little distinction between cyber terrorism, cyber crime \nand cyber vandalism. The fact that different actors with different \nmotives perpetrate these attacks may be significant to government \nenforcement agencies, but it is of little consequence to industry. As \nfar as industry is concerned, the primary question is not, who was \nresponsible for the attack? But, how much damage did it cause? What is \nthe likelihood that it will happen again? 
And, what are the cost, \nliability and brand implications? Anything that Congress can do to \nbring incentives for constructive action and clarity to industry's \nassessment of costs and benefits will help in the effort to protect our \ncritical infrastructure.\n    The growing array of Federal legislation has not adequately \naddressed this issue. Some major laws affecting cyber security are \nalready in place, such as the Sarbanes-Oxley Act, the Gramm-Leach-\nBliley Act and the Health Insurance Portability and Accountability Act. \nThese laws, however, tend to treat cyber security as a secondary issue \nand cite requirements that are often so vague that they do little to \nimprove focus or understanding of the issue or help industry better \ncalculate costs and benefits. Faced with weighing ambiguous cyber \nsecurity risks against other business and economic realities, companies \nhave tended to follow one of three paths. Some have chosen to do \nnothing and wait until either the threat becomes more potent or \nregulatory requirements get clarified. Others--probably the majority--\nhave made some initial efforts, but have not really integrated cyber \nsecurity into their core business operations. A third group--comprised \nof only a rare few exceptions--has embraced cyber security as a market \ndifferentiator, integrating it into their core operations and elevating \nit to an executive management concern.\n    Two other cyber security laws, however, are having a more immediate \nand profound effect on market behavior: the California cyber security \nbreach notification act (SB 1386) and the Federal Information Security \nManagement Act (FISMA). These laws are specific about cyber security \npenalties and programs. By creating private rights of action and \npenalties for failure to report breaches of unencrypted personal \ninformation, SB 1386 has changed industry's cost-benefit analysis. 
And \nby treating cyber security as management responsibility that entails \nrisk assessment and reporting, the Federal Information Security \nManagement Act outlined a roadmap for Federal agencies that has enabled \nprogress.\n          iii. the information security governance imperative\n    Given the increased awareness of the problem, the lack of \nunderstanding, and the legislative ambiguity, Entrust has moved \nproactively to foster collaboration between the public and private \nsectors on this topic. We first began working this issue inside our \ncompany, with the active engagement of our Board of Directors and \nexecutive management. At the direction of our CEO, Entrust began to \ndevelop and implement just such a cyber security governance program \nlast year. As an information security software company, we felt it was \nour responsibility to help create a framework that would allow for \nappropriate risk assessments, performance measures, management \nguidelines and board audits. The program we developed is tailored to \nthe business needs of Entrust and embodies our interpretation of ISO/\nIEC 17799 and how the Federal Information Management Act (FISMA) can be \napplied to the private sector. We identified 141 elements that were \nimportant to measure progress. When we started, 25 of these elements \nwere in the red, indicating the need for serious improvement; today, \nonly two are. Our journey is off and running but not over.\n    As an information security software company who lives in this \nspace, our experience raises real concerns about the status of the \naverage company and the country. As we discovered at the starting point \nof our cyber security review, we were not nearly as secure as we would \nhave predicted. 
This discovery made us wonder whether other companies \nare making real and ``measurable'' progress since many of them lack \na framework.\n    As a result of our experience, Entrust brought this framework to \nthe Business Software Alliance (BSA) who created a cyber security task \nforce co-chaired by Entrust's CEO, Bill Conner. The BSA report, \nentitled, Information Security Governance: Toward a Framework for \nAction, released in October 2003, found that information security is \nnot only a technical issue, but also a corporate governance challenge. \nTo quote that report,\n        While there is broad consensus on the actions needed to create \n        strong security, too often responsibility is left to the chief \n        information officer or the chief information security officer. \n        In fact, strong security requires the active engagement of \n        executive management. By treating these challenges as a \n        governance issue and defining specific tasks that employees at \n        all levels of an organization can discharge, enterprises can \n        begin to create a management framework that will lead to \n        positive results.\n    A governance framework is important because it guides the \nimplementation, evaluation and improvement of cyber security practices. \nAn organization that creates such a framework can use it to articulate \ngoals and responsibilities and evaluate progress over time. One of the \nmost important aspects of such a framework is that by defining business \nand cyber security responsibilities within an organization, it creates \na roadmap for improvement. By specifying who does what and forcing \ncompanies to report on their results to their own boards, it allows \ncompanies to assign specific responsibilities and translate awareness \ninto action.\n    Effective cyber security governance programs usually have three \nbasic functions: risk assessment, reporting and accountability. 
Their \npayoff comes from the fact that they insist on the systematic oversight \nand execution necessary to make cyber security part of a company's core \nbusiness operations. Simply identifying best practices is not enough; \nthey must be married with effective implementation at all levels of an \norganization. To be effective, each information security program must \nbe tailored to the needs of the individual business and industry in \nwhich it operates. It must identify business drivers; clarify roles and \nresponsibilities; recognize commonalities; define metrics; include \nperiodic progress reports to executive management; and specify what \ncorporate executives, business unit heads, senior managers, and CIOs \nshould do.\n    According to the BSA information security governance report, the \nboard and the CEO have responsibility for overseeing policy \ncoordination, business unit compliance and accountability. The business \nunit head has responsibility for providing information security \nprotection commensurate with the company's risks and business needs, as \nwell as training, controls, and reporting. The senior manager has \nresponsibility for securing information and systems, assessing assets, \ndetermining appropriate levels of security, cost-effectively reducing \nrisk, testing and controls. The CIO and CISO have responsibility for \ndeveloping and maintaining compliance with the security program, \ndesignating a security officer, developing the required policies, \nassisting senior managers, and conducting a security awareness program.\n                             iv. conclusion\n    Congress should embrace requirements for information security \ngovernance and reporting. Citing the Y2K experience, some have \nemphasized the need for a ruling that would require public companies to \nreport on cyber security governance programs in their SEC filings. 
In \norder for such a provision to be successful, it will be necessary to \navoid esoteric requirements that increase the cost and complexity of \nimplementing solutions but do little to increase cyber security and \nshareholder value. Others have cited the online privacy debate and \nemphasized the need for voluntary reporting about cyber security \npolicies and breaches, backed up by FTC enforcement. For this approach \nto succeed, it must also encompass the need to secure business \ninformation systems. Still others have compared cyber security to the \nquality movement and insisted that government provide incentives for \ncompanies to undertake the training and process improvements necessary \nto secure their information systems.\n    We would recommend the following lessons for companies intent on \nsecuring our critical infrastructure:\n\n\x01 A business information security governance framework for risk \n        assessment and reporting with executive management engagement \n        and board oversight is essential. A good governance framework \n        will produce a transparent process that allows management to \n        assign responsibility and make investment decisions to address \n        unacceptable risks.\n\x01 Businesses need to get on with it--just do it. Information security \n        is a very broad topic with seemingly endless detail. Companies \n        should not try to solve the problem all at once. Instead, they \n        should begin with the top-level policy issues. The important \n        thing is to get started. Too many programs never get off the \n        ground because the effort looks too daunting.\n\x01 Business information security governance is a continuous improvement \n        program. Like quality, cyber security improvement requires \n        numerous iterative exercises in a continuous journey. 
Companies \n        should complete one cycle of the program at a high level, \n        report to the Board on their performance, fine-tune their \n        program and begin another cycle with slightly more rigor. \n        Repeated cycles will lead to real improvements.\n    Whatever course is taken, the objective should be to encourage \ncompanies to treat cyber security as a corporate governance issue that \nincludes business risk assessment and reporting with management \naccountability. The cyber security threat is real, and there is strong \nconsensus around the steps that industry must take. Congress needs to \ndo everything it can to drive more effective programs in the private \nsector. This Subcommittee has extensive experience dealing with complex \nissues, and we are confident in your abilities to address this one. We \nare at an inflection point in the effort to strengthen cyber security \nand need your leadership.\n\n    Mr. Stearns. I thank you, and, Mr. Thompson, thank you for \nyour patience. We welcome your statement .\n\n                   STATEMENT OF ROGER THOMPSON\n\n    Mr. Thompson. Good morning. Thank you for allowing me to \ntestify. My name is Roger Thompson.\n    Mr. Stearns. Could you pull it a little closer to you, the \nmike?\n    Mr. Thompson. There we go.\n    Thank you for allowing me to testify. My name is Roger \nThompson. I am the former Director of Malware Research at the \nTruSecure Corporation, and I am currently Vice President of \nProduct Development at PestPatrol. PestPatrol was founded in \nMay 2000 by a team of software professionals to encounter the \ngrowing threat of malicious non-viral software. Currently one \nof PestPatrol's greatest concerns is the threat of Spyware, so \nI would like to introduce you to the problem as our customers \nsee it, being consumers, and give you an idea of how the \nsoftware community's efforts to protect is developing.\n    Spyware is silent. It is invisible to the consumer. 
It \nallows criminals to steal from them. It arrives uninvited and \nunwanted. It has not received the attention needed to warn the \nunsuspecting of these dangers to their personal confidential \ninformation, and perhaps worst of all spyware and similar \nmalware problems rob consumers of the confidence needed to make \ncommerce over the Internet inviting, safe and successful.\n    Every day we hear horror stories from our customers that \nillustrate the very real and personal losses caused by the \nspyware problem. Wanda Gilman is a church secretary from \nSaginaw, Michigan. Like most people, she has received warnings \nfrom her anti-virus software about virus attacks and she \nthought she was pretty well protected on that front and \nunfortunately it became abundantly clear to Wanda that she \nneeded something more after she experienced two instances of \nidentity theft. Neither incident involved more than $1,000, but \nit was an uncomfortable feeling for her to have her identity \nhijacked and a long and complicated recovery each time around.\n    Michelle Scalero from New Jersey has a home computer that \nher family shares for on-line banking and purchasing, as well \nas enjoying what the Web has to offer them and their young \nchildren. They were extremely alarmed when they found their PC \nflooded with explicit teen porn pop-ups, caused by a Trojan \nhorse program that had been delivered by a piece of spyware \nthey had unknowingly downloaded onto their computer.\n    Barbara Wolski bought a brand new computer that was \nsupposed to be very fast, 2.6 gigs, which included a special \nfeature called hyperthread technology to make the processing \nspeed even faster, and then she found that her old computer \nwhich was only 1 gig ran faster than the new one. 
She ran the \nanti-spyware program and found over 5,000 pieces of spyware \nfactory-installed on the new machine, all busy ``phoning home'' \ninformation about her, causing the massive slowdown.\n    None of this needs to happen. We hear thousands of similar \nsad stories all the time. A record number of incidents were \nreported this year, more than 60,000 at the end of last month \nand it keeps growing. $24 billion is the estimated identity \ntheft losses in the United States from identity theft last \nyear, $73 billion, estimated identity theft projected \ndomestically by the end of this year, and $9,800 the average \ntake from each identity robbery.\n    These numbers come from the Aberdeen Group, an industry \nanalyst firm that calls identity theft ``the crime that pays.'' \nAberdeen also warns that profits from these crimes are so \nencouraging that organized crime has become a factor. It has \nbeen 20 years since the first virus was created and for much of \nmy career I watched the damage that computers could cause from \nchildren at home to senior corporate executives.\n    My computer career began in Australia in 1979, where I \nworked as a mainframe systems engineer. I co-founded the first \nAustralian anti-virus software company, Leprechaun Software, \nand launched the Virus Buster product back in 1987. In 1991, I \nmoved to the United States. I started Thompson Network \nSoftware, which produced The Doctor range of systems management \nand security products.\n    When I became Director of Malware Research at TruSecure \nCorporation, I was able to focus more closely on the way that \ndifferent kinds of malware were developing, and the sheer size \nof the problem was really brought home to me. Now, at my \ncurrent company I am working with malware's faster-growing and \nmost insidious incarnation yet, spyware.\n    Here is the new stuff. 
The anti-spyware is still in its \ninfancy, but it has proven to me every day from the prevalence \ndata collected by my company that this type of secretive \ninvasive software is a huge problem for computer users. Before \nwe can address possible solutions, we need to define what the \nspyware problem actually is. For me spyware is any software \nthat is intended to aid an unauthorized person or entity in \ncausing a computer, without the knowledge of the computer's \nuser or owner, to divulge private information.\n    The industry has begun to make consumers more aware of this \nthreat by banding together. To begin educating the public on \nspyware and its dangers, we recently co-founded along with \nseveral other anti-spyware companies the Consortium of Anti-\nSpyware Technology, COAST. This nonprofit organization is a \nforum in which members cooperate to increase awareness of the \ngrowing problem. We reached agreement on the definition of \nspyware, which helps us technology vendors create products that \naddress consumers' concerns. The dangers of spyware are not \nalways known and are almost never obvious. Usually you know \nwhen you have a virus or worm. These problems are in your face. \nSpyware, on the other hand, silently installs itself on the PC, \nwhere it might take any number of different and unwanted \nactions; for example, phone home information about you, your \ncomputer and your surfing habits to a third party, to use to \nspam you or push pop-up ads to your screen, open up your \ncomputer to a remote attacker using a RAT, or Remote Access \nTrojan, to remotely control your computer, capture every key \nstroke you type, private or confidential e-mails, passwords, \nbank account information, and report it back to a thief or a \nblackmailer, allow your computer to be hijacked and attack a \nthird party's computers in a denial of service attack that can \ncost companies millions and make you liable for damages. 
They \ncan probe your system for vulnerability to otherwise exploit \nthe system.\n    If that does not make the computer users on the \nsubcommittee nervous, consider that the on-line holiday season \nhas already arrived. With more and more people shopping on-\nline, the potential for identity theft is much greater. \nShoppers are stressed and distracted and may not take their \nusual care in protecting themselves from electronic \npickpockets.\n    No one would allow a silent and hidden burglar into his or \nher home without a fight and, as you saw with the real world \nexperience I described earlier, spyware has the ability to ruin \nsomeone's Christmas. Like having your wallet stolen, life \nbecomes a bureaucratic nightmare of new identity cards and \ncredit cards. And ultimately how do you retrieve your privacy \nfrom an unknown or uncaring prowler using the Internet as a \nhunting ground?\n    These anti-virus companies were often accused of hyping \ngloom and doom to help increase their own sales and profits. \nThat was long ago proven to be unfounded. Today, the billions \nof dollars lost, in identity theft, transaction hijacking, \nsensitive information, are compounded by the huge losses to \ncredit card companies that must reissue cards whenever an \naccount is compromised or even suspected of being compromised.\n    The growing threat is no exaggeration. I think everyone on \nthis panel would agree a huge portion of damages and tangential \ndamages caused by spyware and malware goes unreported and is \nunknown. Something must be done to protect the Wanda Gilmans, \nthe Michelle Scaleros, and the Barbara Wolskis, who only want \nto conduct their on-line activities and purchases with peace of \nmind, knowing they can do it safely.\n    H.R. 2929, the Safeguards against Privacy Invasions Act, is \na powerful step in this direction. In person, consumers have \nthe choice not to answer questions when they go shopping. 
Why \nshouldn't on-line shoppers have the same choice to say no to \nspyware. As a representative of my company and as a person who \nhas devoted my working life to malware eradication, I urge you \nto pass the SPI Act.\n    [The prepared statement of Roger Thompson follows:]\n     Prepared Statement of Roger Thompson, Vice President, Product \n Development, PestPatrol, Inc. formerly Director of Malware Research, \n                         TruSecure Corporation\n    Good morning.\n    Spyware is silent. It's invisible to the consumer. It allows \ncriminals to steal from them. It arrives uninvited and unwanted. It has \nnot received the attention needed to warn the unsuspecting of these \ndangers to their personal and confidential information. And, perhaps \nworst of all, spyware and similar malware problems rob consumers of the \nconfidence needed to make commerce over the Internet inviting, safe and \nsuccessful.\n    Every day, we hear horror stories from our customers that \nillustrate the very real and personal losses caused by the spyware \nproblem. Listen for a moment to just three:\n\n\x01 Wanda Gilman is a church secretary from Saginaw, Michigan. Like most \n        people, she has received warnings from her anti-virus software \n        about virus attacks, and she thought she was pretty much \n        protected on that front. Unfortunately, it became abundantly \n        clear to Wanda that she needed something more than her anti-\n        virus after she experienced not one but two incidences of \n        identity theft. While neither incident involved more than \n        $1000, it was an uncomfortable feeling for her to have her \n        identity hijacked, and a long and complicated recovery each \n        time around.\n\x01 Michelle Scalero from New Jersey has a home computer that her family \n        shares for online banking and purchasing, as well as enjoying \n        what the web has to offer them and their young children. 
They \n        were extremely alarmed when they found their PC flooded with \n        explicit teen porn pop-ups caused by a trojan horse program \n        that had been delivered by a piece of spyware they had \n        unknowingly downloaded onto their computer.\n\x01 Barbara Wolski bought a brand new computer that was supposed to be \n        very fast (2.6 GHz), which included a special feature called \n        hyperthread technology to make the processing speed even \n        faster. While her old computer was only 1.2 GHz, it ran faster \n        than the new one. Barbara ran our anti-spyware software on the \n        new machine and found over 5000 pieces of spyware factory-\n        installed on the new machine, all busy ``phoning home'' \n        information about her--causing the massive slow-down.\n    None of this needed to happen. And we hear thousands of similarly sad \nstories all the time. Our customers reported a record number of \nsuch incidents this year--more than 60,000 as of the end of \nlast month--and the complaints keep growing.\n    Here are some numbers to think about as we discuss protecting \nconsumers from spyware:\n\n\x01 24 billion dollars . . . that's estimated identity theft losses in \n        the US from identity theft last year.\n\x01 73 billion dollars . . . that's estimated losses from identity theft \n        projected domestically by the end of this year.\n\x01 9,800 dollars . . . that's the estimated average ``take'' from each \n        identity robbery.\n    These numbers come from the Aberdeen Group, an industry analyst \nfirm that calls identity theft ``the crime that pays.'' Aberdeen also \nwarns that the profits from these crimes are so encouraging that the \norganized crime is becoming a factor.\n    You may have heard that last week was a dubious anniversary . . . \nit's been 20 years since the first virus was created. 
Through much of \nmy career, I have watched the damage that computer intruders can \ncause--to every PC user from children at home to senior corporate \nexecutives.\n    My computing career began in Australia (perhaps you recognize the \naccent) in 1979, where I worked as a mainframe systems engineer. I co-\nfounded the first Australian anti-virus software company, Leprechaun \nSoftware, and launched the Virus Buster product back in 1987. After \nmoving to the United States, I started Thompson Network Software, which \nproduced The Doctor range of systems management and security products.\n    When I became Director of Malware Research at TruSecure \nCorporation, I was able to focus more closely on the way that different \nkinds of malware were developing, and the sheer size of the problem was \nreally brought home to me. And now, at my current company, I am working \nwith malware's fastest-growing and most insidious incarnation yet--\nspyware.\n    The anti-spyware industry is still in its infancy, but it's proven \nto me every day from the prevalence data collected by my company that \nthis type of secretive, invasive software is a huge problem for \ncomputer users.\n    Before we can address possible solutions to the problem, however, \nwe need to define what the spyware problem actually is. For me, spyware \nis any software that is intended to aid an unauthorized person or \nentity in causing a computer, without the knowledge of the computer's \nuser or owner, to divulge private information.\n    The industry has begun to make consumers more aware of this threat \nby banding together. To begin educating the public on spyware and its \ndangers, we recently co-founded, along with several other anti-spyware \nsoftware companies, the Consortium Of Anti-Spyware Technology (COAST) \ngroup. This non-profit organization is a forum in which members \ncooperate to increase awareness of the growing spyware problem. 
We've \nreached agreement on the definition of spyware, which helps us \ntechnology vendors create products that address consumers' concerns.\n    The dangers of spyware are not always known and are almost never \nobvious. Usually, you know when you have a virus or worm--these \nproblems are ``in your face''. Spyware, on the other hand, silently \ninstalls itself on a PC, where it might start to take any number of \ndifferent and unwanted actions. For example:\n\n\x01 ``Phone home'' information about you, your computer and your surfing \n        habits to a third party to use to spam you or push pop-up ads \n        to your screen\n\x01 Open up your computer to a remote attacker using a RAT (Remote Access \n        Trojan) to remotely control your computer\n\x01 Capture every keystroke you type--private or confidential emails, \n        passwords, bank account information--and report it back to a \n        thief or blackmailer\n\x01 Allow your computer to be hijacked and used to attack a third party's \n        computers in a denial-of-service attack that can cost companies \n        millions and make you liable for damages\n\x01 Probe your system for vulnerabilities that can enable a hacker to \n        steal files or otherwise exploit your system.\n    If that doesn't make the computer users on the subcommittee \nnervous, consider that the holiday online commerce season has already \narrived.\n    During the holiday shopping season, with more and more people \nshopping online, the potential for identity theft is much greater--\nshoppers are stressed and distracted, and may not take their usual care \nin protecting themselves from electronic pickpockets.\n    No one would allow a silent and hidden burglar into his or her home \nwithout a fight. As you saw with the real-world experiences I described \nearlier, spyware has the potential to ruin someone's Christmas. 
Like \nhaving your wallet stolen, life becomes a bureaucratic nightmare of new \nidentity cards and credit cards. And, ultimately, how do you retrieve \nyour privacy from an unknown and uncaring prowler or corporation using \nthe Internet as a hunting ground?\n    The anti-virus companies were often accused of hyping gloom and \ndoom to help increase their own sales and profits--that was long ago \nproven to be unfounded. Today, the billions of dollars lost--in \nidentity theft, transaction hijacking, sensitive information--are \ncompounded by the huge losses to credit card companies that must \nreissue cards whenever any account has been compromised or even \nsuspected of being compromised. The growing threat is no exaggeration. \nI think everyone on this panel would agree that a huge portion of \ndamages and tangential damages caused by spyware and malware goes \nunreported and is unknown.\n    Something must be done to protect the Wanda Gilmans, Michelle \nScaleros and Barbara Wolskis, who only want to conduct their online \nactivities and purchases with the peace of mind of knowing they can do \nso safely. H.R. 2929, the Safeguards Against Privacy Invasions Act, is \na powerful step in this direction. In person, consumers have the choice \nnot to answer address, phone and email address questions when they go \nshopping. Why shouldn't on-line shoppers have the same choice to say no \nto spyware?\n    As a representative of my company and as a person who has devoted \nmy working life to malware eradication, I urge you to pass the SPI Act.\n    Thank you.\n\n    Mr. Stearns. 
I thank the gentleman, and now I will start \nthe questions, and I think I go back to my opening statement.\n    What are the real risks and costs to consumers for \ncybersecurity breaches and what poses the most risk to \ncybersecurity, and then what is the optimum role for the \nFederal Government to play when it comes to protecting \nconsumers from cybersecurity threats?\n    I would start out with Commissioner Swindle. You point out \nin your opening statement that not all security breaches are \nviolations of the Federal Trade Commission. In your opinion, is \nthere a need for legislation in this area, giving the FTC \nadditional authority? What is your feeling here?\n    Mr. Swindle. Mr. Chairman, to the point of not all breaches \nare security violations or violations of the law, I think if we \njust think of it in the context of a couple of examples if the \nbreach resulted in my name and address going out to the world--\n--\n    Mr. Stearns. That is a breach?\n    Mr. Swindle. [continuing] that is not a problem.\n    Mr. Stearns. That is a breach or not?\n    Mr. Swindle. That can be a breach of the system because it \nis contained in the system, I think, but if along with that my \ncredit card went, that is a serious problem and the \nconsequences could be rather dire if somebody got hold of my \nfinancial information, my credit card. Just having my address, \nwhich is publicly known personal information, that does not \nnecessarily constitute a violation of law, and I think we could \nlook at it from the context of what harm has been done.\n    Mr. Stearns. Do you have a data base in which you have \nactually collected this information that has internally \naffected employees or major companies? Do you have a data base \nat the Federal Trade Commission on this?\n    Mr. Swindle. I am not aware of a data base of that nature.\n    Mr. Stearns. Reliable data on harms to data infrastructures \ncaused internally by employees of major data base companies? 
Do \nyou have a reliable data base?\n    Mr. Swindle. I have never thought of it in that context. I \ndo not think we have a data base specifically designed as such.\n    Mr. Stearns. Well, I guess.\n    Mr. Swindle. And assembling that data base might even be \nsetting up a target to be breached and causing a problem.\n    Mr. Stearns. What about the Gramm-Leach-Bliley Act? Have \nyou experienced any security problems or policies for financial \ninstitutions under the Gramm-Leach-Bliley Act we passed?\n    Mr. Swindle. The problem with that act, the most obvious \none, comes from the nature of the requirements for notice, and \nwe have all received the copious quantities of papers that no \none could understand. But, I think Gramm-Leach-Bliley has put a \nfocus on institutions' obligation to security and privacy and, \nin a sense, I think that is good.\n    Mr. Stearns. Okay. Mr. Charney, should there be common \nstandards for independent security evaluations and why are such \nstandards important and who should set those standards?\n    Mr. Charney. For the most part, standards can be important. \nThe risk is that if we set standards that fixate on a \nparticular technology what we will end up doing is stifling \ninnovation. So one of the things that we focus on more is best \npractices, so that we can develop methodologies in both product \ndevelopment and in management; that is, both at the same time, \ncutting edge but flexible enough to allow further innovation. \nSo if you are talking about standards for security, for \nexample, there is a risk. For example, the government had a \nstandard for encryption called Data Encryption Standard, and \nwhen that standard was no longer viable the entire industry, \nincluding the government, moved away from that standard to \nsomething more secure, and it was 2 years later that the \ngovernment finally promulgated a new standard, after everyone \nhad already left the old one. 
So the challenge is to be able to \nprovide prescriptive guidance to customers and consumers about \nhow to protect themselves without locking in the technology.\n    Mr. Stearns. I guess we would say security is a public \ngood. Can markets alone be fully responsive to cybersecurity \nconcerns, just the markets themselves, or----\n    Mr. Charney. I think the markets have some limitation.\n    Mr. Stearns. This best practices you talked about, in your \nopinion do you think the Federal Government--like Mr. Ansanelli \nhad indicated, there might be a Federal role here?\n    Mr. Charney. Oh, there is clearly a Federal role and there \nis a couple of them actually. The government can lead the way \nin the development of best practices. The General Accounting \nOffice, for example, frequently looks at the security of \ngovernment systems and issues government report cards which, to \nbe honest, have not been very favorable.\n    The second thing is there are constraints on the market, \nand for public safety and for national security purposes \ngovernments may need higher levels of security than markets \nnormally provide. In those kinds of cases, the government \nshould take steps, particularly in research and development and \nother areas, to make sure that the gap between what the \ngovernments need and what markets will provide are in fact \nclosed.\n    Mr. Stearns. Mr. Ansanelli, you mentioned something about a \nconsumer data security standard that has got our staff's \nattention, to ensure that there is a base level of \nresponsibility for consumer protection, consumer data \nprotection.\n    Do you see the need for this kind of baseline standard and \nwhat should the standard be?\n    Mr. Ansanelli. 
The reason why it is helpful to have that \nstandard is when you compare what has happened between Gramm-\nLeach-Bliley and HIPAA, that those organizations tend to \nprotect data more than other organizations, so you have seen \nimprovements as a result of the security requirements and \nGramm-Leach-Bliley, I think it is section 501(b), with respect \nto protecting consumer data. So there have been improvements in \nthe protection of that data as a result, and I think that \nevidence indicates that it would be better to also then have \nother organizations that actually keep that same data, if a \nfinancial institution has my Social Security number, when I buy \na phone if I have to give them my Social Security number \nbecause they do a credit check on me. So why is it that one \nindustry might have to have a standard where another might not, \nand I think very importantly the risk that I think might happen \nis that the States will end up driving the requirements and the \nregulations, so that either companies will have to wind up \ndealing with a patchwork of lots of different regulations. \nThere are about 200 different identity theft bills at the State \nlevel currently being discussed right now. I think it is \nimportant there is a uniform standard as opposed to 50 \ndifferent standards that has to emerge.\n    Mr. Stearns. So what you are saying is you would like the \nFederal Government to come up with the consumer data security \nstandard?\n    Mr. Ansanelli. Yes, and it should be about what are the \nbest practices and what are the requirements that every company \nwho stores non-public personal information should have to live \nby and it should be something that----\n    Mr. Stearns. Mr. Burton, would you like to comment and then \nI will close?\n    Mr. Burton. Yes.\n    Any of that is working on standards. 
I guess it is my \nconcern that by treating it as a technical issue, which \nstandards again puts you squarely back into a technical \ndiscussion, you are missing a huge motivator here, and that is \nthat senior management is not making the decisions to invest, \nto train, to hold people accountable, because it is extremely \ncomplex and it is too often seen as a defensive technical \nissue.\n    A porcupine if it rolls itself into a ball is perfectly \nprotected. Its quills are everywhere, but they cannot move, \nthey cannot eat, they cannot do anything productive, and I \nthink so much of this discussion is on definitive technology \nissues that fail to address the management question and the \nissue that ultimately a lot of cybersecurity is enabling, just \nas quality is enabling, and I think you can make a huge \ncontribution.\n    Mr. Stearns. Thank you.\n    Ms. Schakowsky.\n    Ms. Schakowsky. Mr. Swindle, I wanted to get back to your \ncomment that you made, regarding the fact that if my name and \naddress went out that that is not a very serious breach of \nsecurity, and so some things are serious and some things are \nnot, and yet when you look at your testimony and you talk about \nthe Commission's first information security case, the Eli Lilly \ncase, which essentially was the name and address, in this case \nan e-mail address, but in any case it was consumers of Prozac--\nwas it? Yeah, Prozac, very sensitive information, and all that \nwent out was a name and address. So I am disagreeing with you \nthat name and address going out is not necessarily, or \ncertainly can be an important breach of violation, I would \nthink, since you treated it that way. But I also was concerned \nabout the sanctions, which seem to me a very minor slap on the \nwrist, whereas the implications for consumers of that \ninformation, that very sensitive information going out, could \nbe very serious. So I wanted you to just comment on this.\n    Mr. Swindle. 
I would be happy to, Congresswoman.\n    First off, I believe the question related to there could be \na breach without a violation of the law. I believe that is the \nway I understood the question.\n    The release of nothing more than my name and address, which \nis in the phone book, could hardly be construed as a violation \nof law.\n    Now, in the case of Eli Lilly, it was a name and the \naddress and the identification of a person who was using a \nmedication. The use of that medication carries a connotation of \nhealth problems and all sorts of emotional problems perhaps and \nthings of this nature, which could indeed be certainly a gross \nviolation of personal information and privacy. So that can be \nconstrued, I think. They are entirely two different things if \nwe take them in the context I gave them to you. But perhaps \nanother way of looking at this: How can there can be a breach \nwithout a violation of the law?\n    We are dealing, if I may describe this as an example, we \nare dealing with a machine with a million moving parts in it \nand to my mind nobody's perfected all one million parts, and \ncompanies can take every reasonable effort they know how to \ntake, given the circumstances of the nature of the information \nand how it is stored and how it is used, and there might still \nbe a breach in the security.\n    Having taken every reasonable step they can take, then I \nthink we would probably find it hard to say that is a violation \nof the law, when they did everything they possibly could. As \ntechnology evolves we will constantly be confronted with that \nproblem. You know, the Defense Department has this problem, \nCongress has this problem, Microsoft has this problem, all \ncompanies have this problem because it is just a massive \ncomplex problem with which to deal. I do think there is a \ndistinction there.\n    Ms. Schakowsky. Are you talking about, what did you say, \nuser error? 
Are you talking about perhaps issues of management, \nindividual errors that are made? I mean, it would seem to me \nthat a company would still or anybody would still have to take \nresponsibility for that. I am trying to understand where you \ndraw the line.\n    Yes, we certainly expect that all possible measures are \ntaken, and you are saying but if there is still a breach after \nthat, then nobody is responsible for that?\n    Mr. Swindle. No, I do not think I said that, Congresswoman.\n    Ms. Schakowsky. Okay.\n    Mr. Swindle. I did not address the accountability. We all \nhave to be accountable. We are responsible for running the \ntrain, and I think industry does take that responsibility very \nseriously.\n    In the case of Eli Lilly, we thought that the best possible \nsolution. This is an incredibly fine company, as is Microsoft, \nas are the companies represented here on this panel. They are \ndoing their utmost.\n    In the case of Eli Lilly, there was negligence, not \nsufficient training, there were not sufficient technical \nsafeguards put in. They are under scrutiny and have corrected \nthose requirements, the deficiencies, and we are going to be \nmonitoring them. As I think I indicated, they report to us with \nan audit system every 2 years.\n    Ms. Schakowsky. Yeah, I would still think that it is more \nthan a slight slap on the wrist.\n    Mr. Swindle. And we were concerned with this, but what do \nwe--what else perhaps--questionably, what else could we have \ndone?\n    Ms. Schakowsky. That is the question for us; is not it?\n    Mr. Swindle. A huge penalty, would it accomplish that and \ncorrect the problem?\n    The problem was mostly technical and training, I think. If \nthey corrected the problem, we go on. They certainly can be \nsubject to several penalties pursued by the people they harmed. \nThat is always open to victims.\n    Ms. Schakowsky. 
Well, I think much of the testimony here \ndoes say that there need to be appropriate sanctions, and that \nis certainly what we need to consider.\n    I want, Mr. Chairman, to have your permission to leave the \nrecord open for further questions. I have a number of \nquestions.\n    Mr. Stearns. I think that is in order.\n    Ms. Schakowsky. If I could put in?\n    Mr. Stearns. Sure.\n    Go ahead.\n    Ms. Schakowsky. I wanted to ask--I wanted to submit this \ndocument, which is an e-mail from Bill Gates and addressed to \nMicrosoft and subsidiaries. They are all FTE dated January 15, \n2002, for the record, and I have a number of questions around \nthat that I hope that Mr. Swindle will answer, and also \nactually Mr. Charney, about that.\n    Mr. Stearns. Would you like to submit that?\n    Ms. Schakowsky. If I could.\n    Mr. Stearns. By unanimous consent, so ordered.\n    [The information referred to follows:]\n\nFrom: Bill Gates\nSent: Tuesday, January 15, 2002 5:22 PM\nTo: Microsoft and Subsidiaries: All FTE\nSubject: Trustworthy computing\n\n    Every few years I have sent out a memo talking about the highest \npriority for Microsoft. Two years ago, it was the kickoff of our .NET \nstrategy. Before that, it was several memos about the importance of the \nInternet to our future and the ways we could make the Internet truly \nuseful for people. Over the last year it has become clear that ensuring \n.NET is a platform for Trustworthy Computing is more important than any \nother part of our work. If we don't do this, people simply won't be \nwilling--or able--to take advantage of all the other great work we do. \nTrustworthy Computing is the highest priority for all the work we are \ndoing. We must lead the industry to a whole new level of \nTrustworthiness in computing.\n    When we started work on Microsoft .NET more than two years ago, we \nset a new direction for the company--and articulated a new way to think \nabout our software. 
Rather than developing standalone applications and \nWeb sites, today we're moving towards smart clients with rich user \ninterfaces interacting with Web services. We're driving the XML Web \nservices standards so that systems from all vendors can share \ninformation, while working to make Windows the best client and server \nfor this new era.\n    There is a lot of excitement about what this architecture makes \npossible. It allows the dreams about e-business that have been hyped \nover the last few years to become a reality. It enables people to \ncollaborate in new ways, including how they read, communicate, share \nannotations, analyze information and meet.\n    However, even more important than any of these new capabilities is \nthe fact that it is designed from the ground up to deliver Trustworthy \nComputing. What I mean by this is that customers will always be able to \nrely on these systems to be available and to secure their information. \nTrustworthy Computing is computing that is as available, reliable and \nsecure as electricity, water services and telephony.\n    Today, in the developed world, we do not worry about electricity \nand water services being available. 
With telephony, we rely both on its \navailability and its security for conducting highly confidential \nbusiness transactions without worrying that information about who we \ncall or what we say will be compromised.\n    Computing falls well short of \nthis, ranging from the individual user who isn't willing to add a new \napplication because it might destabilize their system, to a corporation \nthat moves slowly to embrace e-business because today's platforms don't \nmake the grade.\n    The events of last year--from September's terrorist attacks to a \nnumber of malicious and highly publicized computer viruses--reminded \nevery one of us how important it is to ensure the integrity and \nsecurity of our critical infrastructure, whether it's the airlines or \ncomputer systems.\n    Computing is already an important part of many people's lives. \nWithin ten years, it will be an integral and indispensable part of \nalmost everything we do. Microsoft and the computer industry will only \nsucceed in that world if CIOs, consumers and everyone else sees that \nMicrosoft has created a platform for Trustworthy Computing.\n    Every week there are reports of newly discovered security problems \nin all kinds of software, from individual applications and services to \nWindows, Linux, Unix and other platforms. We have done a great job of \nhaving teams work around the clock to deliver security fixes for any \nproblems that arise. Our responsiveness has been unmatched--but as an \nindustry leader we can and must do better. Our new design approaches \nneed to dramatically reduce the number of such issues that come up in \nthe software that Microsoft, its partners and its customers create. We \nneed to make it automatic for customers to get the benefits of these \nfixes. Eventually, our software should be so fundamentally secure that \ncustomers never even worry about it.\n    No Trustworthy Computing platform exists today. 
It is only in the \ncontext of the basic redesign we have done around .NET that we can \nachieve this. The key design decisions we made around .NET include the \nadvances we need to deliver on this vision. Visual Studio .NET is the \nfirst multi-language tool that is optimized for the creation of secure \ncode, so it is a key foundation element.\n    I've spent the past few months working with Craig Mundie's group \nand others across the company to define what achieving Trustworthy \nComputing will entail, and to focus our efforts on building trust into \nevery one of our products and services. Key aspects include:\n    Availability: Our products should always be available when our \ncustomers need them. System outages should become a thing of the past \nbecause of a software architecture that supports redundancy and \nautomatic recovery. Self-management should allow for service resumption \nwithout user intervention in almost every case.\n    Security: The data our software and services store on behalf of our \ncustomers should be protected from harm and used or modified only in \nappropriate ways. Security models should be easy for developers to \nunderstand and build into their applications.\n    Privacy: Users should be in control of how their data is used. \nPolicies for information use should be clear to the user. Users should \nbe in control of when and if they receive information to make best use \nof their time. It should be easy for users to specify appropriate use \nof their information including controlling the use of email they send.\n    Trustworthiness is a much broader concept than security, and \nwinning our customers' trust involves more than just fixing bugs and \nachieving ``five-nines'' availability. It's a fundamental challenge \nthat spans the entire computing ecosystem, from individual chips all \nthe way to global Internet services. 
It's about smart software, \nservices and industry-wide cooperation.\n    There are many changes Microsoft needs to make as a company to \nensure and keep our customers' trust at every level--from the way we \ndevelop software, to our support efforts, to our operational and \nbusiness practices. As software has become ever more complex, \ninterdependent and interconnected, our reputation as a company has in \nturn become more vulnerable. Flaws in a single Microsoft product, \nservice or policy not only affect the quality of our platform and \nservices overall, but also our customers' view of us as a company.\n    In recent months, we've stepped up programs and services that help \nus create better software and increase security for our customers. Last \nfall, we launched the Strategic Technology Protection Program, making \nsoftware like IIS and Windows .NET Server secure by default, and \neducating our customers on how to get--and stay--secure. The error-\nreporting features built into Office XP and Windows XP are giving us a \nclear view of how to raise the level of reliability. The Office team is \nfocused on training and processes that will anticipate and prevent \nsecurity problems. In December, the Visual Studio .NET team conducted a \ncomprehensive review of every aspect of their product for potential \nsecurity issues. We will be conducting similarly intensive reviews in \nthe Windows division and throughout the company in the coming months.\n    At the same time, we're in the process of training all our \ndevelopers in the latest secure coding techniques. We've also published \nbooks like ``Writing Secure Code,'' by Michael Howard and David \nLeBlanc, which gives all developers the tools they need to build secure \nsoftware from the ground up. In addition, we must have even more highly \ntrained sales, service and support people, along with offerings such as \nsecurity assessments and broad security solutions. 
I encourage everyone \nat Microsoft to look at what we've done so far and think about how they \ncan contribute.\n    But we need to go much further.\n    In the past, we've made our software and services more compelling \nfor users by adding new features and functionality, and by making our \nplatform richly extensible. We've done a terrific job at that, but all \nthose great features won't matter unless customers trust our software. \nSo now, when we face a choice between adding features and resolving \nsecurity issues, we need to choose security. Our products should \nemphasize security right out of the box, and we must constantly refine \nand improve that security as threats evolve. A good example of this \nis the changes we made in Outlook to avoid email-borne viruses. If we \ndiscover a risk that a feature could compromise someone's privacy, that \nproblem gets solved first. If there is any way we can better protect \nimportant data and minimize downtime, we should focus on this. These \nprinciples should apply at every stage of the development cycle of \nevery kind of software we create, from operating systems and desktop \napplications to global Web services.\n    Going forward, we must develop technologies and policies that help \nbusinesses better manage ever larger networks of PCs, servers and other \nintelligent devices, knowing that their critical business systems are \nsafe from harm. Systems will have to become self-managing and \ninherently resilient. We need to prepare now for the kind of software \nthat will make this happen, and we must be the kind of company that \npeople can rely on to deliver it.\n    This priority touches on all the software work we do. By delivering \non Trustworthy Computing, customers will get dramatically more value \nout of our advances than they have in the past. The challenge here is \none that Microsoft is uniquely suited to solve.\n                                                       Bill\n\n    Mr. Stearns. 
Let's see, the gentlelady from California is \nrecognized.\n    Ms. Bono. Thank you, Mr. Chairman, and I thank the \npanelists for sticking with us through all of this.\n    I think the one theme that generally has come up for me in \nthis testimony so far is that Ms. Davidson alluded to the fact \nthat California did some knee-jerk reacting to the situation \nand came up with legislation that was not very good, and \nwhether or not you know this, Congress is probably--in all of \nthe issues we deal with we are technologically challenged, and \nwe were all thrilled the day we got Blackberrys, but there is a \nfunny story I remember of a Member of Congress who held up his \nBlackberry and said this is great, I do not know how to work \nit, and I said why don't you try turning it on first, and that \nis a true story.\n    Now, these people might be experts in whatever field they \nare in, we have the CDC and the NIH, who do a lot of our great \nwork in medicine, but in Congress do we have the governmental \nentity in place?\n    I think, Mr. Swindle, I would ask you the question. We have \ngot the FTC, the FBI, but do we have an entity that works \nspecifically with Congress to move more swiftly in the case of \nthese issues or is it sort of--are we a little bit lacking in \nthat area?\n    Mr. Swindle. I do not think we have a central agency that \nwould combine the resources of all of us to work with Congress, \nbut I think each of these agencies, in their own realm, work \nwith Congress very closely. I know we try to work with Congress \nas closely as we can when Congress is considering drafting \nlegislation to solve a problem. Often we propose suggestions as \nto how current laws might be modified, and I think we are often \non the side of urging caution before we legislate to solve a \nproblem where very likely the proposed solution will perhaps \ncause more harm than good. 
As one of the panelists said \nearlier, sometimes the process is so slow that we have gone \nwell beyond that problem and already found a solution to it.\n    In all honesty, I think it takes each one of these \nagencies. They have some responsibility and oversight of these \nissues, dealing with their expertise, working with Congress, \nand realizing that there is no simple solution to any of these \nproblems.\n    Legislation alone will not solve it, technology alone will \nnot solve it, and in my mind the most important single factor \nwhen you think of the base of the triangle of people who are \ninvolved, the consumers across the bottom, 270 million. As we \nwork on up to the triangle top we are worrying about nuclear \nattack, but that is only a handful. But down at the bottom of \nthis triangle, every one of the people in the base, consumers, \nstudents, business people, small business people who are using \ncomputers and are connected on the Internet, they are all part \nof the problem and part of the solution.\n    Ms. Bono. Right. I am sorry for cutting you off, but my \nspyware legislation, I think you have seen it or your staff has \nseen it, and I was wondering if you could comment because to me \nthis seems to be a good solution. It seems to address the \nsituation.\n    There have been some, you know, tremendous media reports, \nand I thank the media actually. Even The Washington Post today \nhas a great article and in it he quotes something that shocked \nme. I do not believe anybody brought this point up. I have it \nhere, I promise you.\n    Anyway, he talks about--here it is, Sharman Networks, that \nwhen you download KaZaA, that they install something called \nALLNET and that this ALLNET actually harnesses unused \nprocessing power on your CPU and then sells that processing \npower. I have never heard of sharing hardware over this and I \nam wondering if perhaps, Mr. 
Charney, you could comment on the \nfact that they are not only using data but they are basically \nstealing a little bit of your processing capability.\n    Mr. Charney. The key word there is stealing, so one of the \nthings we need to be clear about is that peer-to-peer networks \nhave some important societal advantages. You look at something \nlike SETI, the Search for Extraterrestrial Intelligence, where \na lot of independent researchers and individuals agree to share \nprocessing time because what happens is that computers have \nbecome far more powerful. Home users have a lot more power on \nthe desktop than they actually use or need, and one of the \nissues is can we harness that process in some way and share \nthat power.\n    The key is that those things have to be done with full \nnotice and consent and not done to someone without their \nknowledge, where someone else is either taking their \ninformation or processing power without telling them, without \ngetting their consent. But it would be a mistake to think that \npeer-to-peer in and of itself is a bad thing.\n    Ms. Bono. Right.\n    Mr. Charney. Merely the technology that permits the use of \ndistributed processing.\n    Ms. Bono. Well, is Microsoft concerned about spyware? Other \nthan pretty much endorsing my bill, thank you for that, if that \nis what he was doing, Mr. Chairman.\n    Mr. Charney. We absolutely care about spyware, so one of \nour pillars of trustworthy computing is privacy, and our \nphilosophy is that consumers have to make informed choices of \nhow data is used and to be able to control the data about them, \nand to the extent people are taking their data without their \nnotice and consent, that is a problem, and the solution, like \nmost IT solutions, will be a combination of best practices, \ntechnology, and in some cases regulations.\n    Ms. Bono. Could the ISPs do a better job? 
I know you all \nhave MSN, but obviously they are not going to, but could not, \nfor example, your competitor, AOL, who promotes McAfee daily, \nevery time you log on you get this sales pitch from McAfee, \ncould not they install that along with their software, AOL, and \nhave it built into the firewall and the automatic patches that \nyou say consumers do not do often enough?\n    Mr. Charney. We have tried to make this easier for \nconsumers. We have built the ICF firewall into Windows, and if \nyou go to the Microsoft.com/protect, we have links to anti-\nvirus vendors, where people can easily get virus software. We \nhave to make it much easier to manage.\n    I would point out that you have to remember this technology \nwas built by geeks for geeks. If you think about the telephone \nas phones ended up in every home in America, the phone company \nsaid if we are going to sell more services, we have to devise \nmore complex software, call forwarding, caller ID, all those \nfeatures. As they add all this complexity, the user interface \nremained the same, 12 buttons.\n    My mother has a PC. She is 74 years old. She can go to a \nrun command, write her own code and run it. She cannot, she is \nnot technically capable of doing it, but we have given her the \ntechnology to do it. It is a completely different paradigm.\n    Ms. Bono. Thank you. Mr. Chairman, I will yield back.\n    Mr. Stearns. We are going to have a second round if you \nwant to.\n    Ms. Bono. Thank you.\n    Mr. Stearns. I recognize the gentleman from Arizona.\n    Mr. Shadegg. Mr. Ansanelli, you mentioned in your written \ntestimony an unaddressed issue regarding identity theft in the \nFair Credit Reporting Act, the legislation that is in \nconference that I referred to in my opening statement.\n    Can you go into greater detail about that?\n    Mr. Ansanelli. Sure. 
It has not been passed yet by the \nwhole House and the Senate, but I think if you look at what the \nFair Credit Reporting Act has in it, I think about the issue of \nidentity theft as sort of three pillars.\n    The first is protecting the data that is the consumer's \nidentity to begin with. Second is detecting any problems that \nare occurring, either someone is trying to do fraud or, you \nknow, trying to get a credit card as a result of fraud. And \nthen the third thing is correcting the problem, primarily for \nconsumers. How do consumers fix their credit? They have been a \nvictim. How do they correct it?\n    And as I look at the act there is quite a bit in correcting \nthe problem for consumers, and that is good. There is a fair \namount of detecting the problem with respect to address \nnotifications and whatnot, but there is very little with \nregard to prescriptions for protecting information to begin \nwith, and that goes again to the issue around consumer data \nstandard, and if you do not protect the data you are only going \nto have to apply larger and larger Band-Aids in the future.\n    Mr. Shadegg. I tried to amend that legislation to add \nfurther restrictions on the use of Social Security numbers. \nHowever, had we done that, it would have taken it out of the \njurisdiction of the Financial Services Committee and put it in \nthe jurisdiction of the Judiciary Committee and it would have \ncaused the bill to require a second referral and we weren't \nable to do it, but would you agree that that is one of the most \nimportant things that needs to be done?\n    Mr. Ansanelli. I agree that that is a glaring omission.\n    Mr. Shadegg. The gentlelady sitting next to you, it seems \nyou would like to make a comment on that point?\n    Ms. Davidson. Hosanna. I was making a note to myself that \nno one--although you did ask the obvious question why is the \nSocial Security number collected in so many nontaxable \ntransactions. 
Having recently purchased a house in the great \nState of Idaho, I was astonished to find that every single \nentity in the city, whether it was sewage, power, trash pickup, \nrequired my Social Security number and I had to ask the \nquestion: Is sewage taxable, because it was a complete mystery \nto me why it was collected in the first place.\n    The Social Security number, had it not become ubiquitous as \na means to identify consumers, quite honestly, a lot of the \nidentity theft problem would probably go away.\n    Mr. Shadegg. My colleague, Clay Shaw, has a comprehensive \nbill addressing this issue, going right to the issue of Social \nSecurity numbers. That was the issue we would have tread on if \nwe had been able to put further restrictions on Social Security \nnumbers into the Fair Credit Reporting Act, and that is the \nreason we did not do it. You might want to contact his office \nand interject yourself into the debate on that bill because I \nthink that is an important part of this discussion.\n    We were able to require the truncation of Social Security \nnumbers in the draft of the fair credit reporting bill that \npassed the House. We did that, so we have taken a minor step, \nbut I think it is a serious problem.\n    Mr. Ansanelli, Mr. Burton next to you says we shouldn't be \nlooking at these technical issues and creating a standard. We \nought to be instead creating incentives to do that.\n    I am going to give him a chance to explain that, but how do \nyou respond?\n    Mr. Ansanelli. I agree. I am not proposing we have \ntechnical requirements or standards. 
I think the standards need \nto be around principles, and as I testified today, and I did \ntestify in the House Financial Services Committee on FCRA, that \nit involves responsibility from everyone at the board level \ndown to protect the data and you have to have those principles \nto make sure that everyone knows they are responsible for \nprotecting the data, that they have an obligation to detect and \nenforce compliance by the people that have access to the data \nand you need to correct problems, and the correction of those \nproblems includes things like training and education. It is \ndefinitely not proposing technical standards. It is having a \nclear understanding of the responsibility associated with the \nfact that you store and manage that consumer non-public, \nprivate information.\n    Mr. Shadegg. With regard to the protection of information \nwhere you think we could have gone further in the Fair Credit \nReporting Act, would you be willing to submit to my office your \nsuggestions as to what we need to be doing to go beyond that?\n    Mr. Ansanelli. More than willing.\n    Mr. Shadegg. I have some doubts about the ability of \nCongress to micromanage this problem, legislative piece by \nlegislative piece.\n    We passed the Identity Theft Act a number of years ago, and \nit took a step in the right direction, but we are not there. It \nseems to me that crooks are always going to move faster than we \nare and we are not going to be able to achieve the kind of \nreform or the kind of protection we would like to just by \nlegislating one bill at a time in this area. So your notion \nthat business needs to take a completely different mindset \nseems to me a better solution.\n    How do we go about creating the incentives or creating a \ndynamic in which business leaders will see it as in their \ninterest to not act like the porcupine and roll up in a ball \nand defend itself, but rather aggressively go after this \nproblem?\n    Mr. Burton. 
That is a seminal question, I think, and I \nthink that is a question that industry needs to ask itself, as \nwell as this committee needs to reflect on, because to go back \nto Scott Charney, if the PC is something built by geeks for \ngeeks, well, then cybersecurity is the pinnacle of the \ngeekiness in the PC, and I think when this issue comes up, too \noften the reaction is oh, mine eyes glaze over. I will talk \nabout privacy, that is a personal issue, that is a consumer \nissue, and I can understand it. Cybersecurity is a geek \ntechnical issue that I do not want to even open that book, and \nI think that if we somehow make the translation from a \ntechnical issue, and it is technical, I am not saying we should \ndismiss that, but it is often treated solely in those terms, \nand again the best paradigms that I have is quality, and \nquality awareness comes first, I think we have awareness with \ncybersecurity. Now we need to start building it systematically \nand to functions of our system, and I think anything this \ncommittee can do to clarify cost-benefits and perhaps penalties \nwould be a big contribution, and again I think the levers are \nnot that complex. I think it is risk assessment, it is \nreporting, it is accountability, and I think those three \nopinions can really drive huge, huge change in this field.\n    So I do not have a specific answer for your question, but I \ndo think that is the key question for this whole debate.\n    Mr. Shadegg. Mr. Chairman, my time has expired. Thank you.\n    Mr. Stearns. Thank you.\n    Members, if you want to stay, we will have a second round.\n    The gentlelady from Missouri.\n    Ms. McCarthy. Mr. Chairman, let me apologize for having to \nleave. I had another hearing and of course when you do that, \nthe question that you are going to ask might have been asked \nalready. So, Mr. Chairman, please feel free to say read the \nrecord.\n    Microsoft, let me just see. I think I want to give this to \nMs. 
Davidson, I think might be in the best position to answer \nit.\n    Microsoft Corporation made news when they announced a \nbounty program for information leading to the arrest and \nprosecution of hackers. Do you intend to launch a similar \nprogram for those hackers who attack your software?\n    Ms. Davidson. That is a very interesting question. We have \nno immediate plans to do this, and I preface this statement by \nsaying I have no wish to exceed Microsoft in this particular \nrealm. Microsoft tends to be a very visible target for hackers, \nto be fair to them, because they are large, they have been very \nsuccessful, and, quite honestly, there are more hackers gunning \nfor them at this point than are gunning for Oracle, for which I \nam exceedingly grateful. I am happy to accede market leadership \nto you in that realm.\n    At this point, I do agree with certainly Microsoft and \nothers in the industry on one key point. We certainly welcome \npeople who find faults in our software and bring it to our \nattention. We certainly do everything possible to avoid them \nthe way that we build our product, and we are always happy to \ngive recognition to those researchers who find fault and say \nthank you, we have fixed it, and we tell our customers.\n    There are a group of researchers for whom thank you and \npotentially hiring them for bettering your software is not \nenough. They want your scalp, and one of the ways they get that \nis by releasing exploit code at forums such as Black Hat and \nother hacker conventions.\n    No vendor will say that it is not their responsibility to \nbuild secure software. 
The buck definitely stops here, but \nthose who trade in information about how to exploit \nvulnerabilities and give it to others are effectively arsonists \nswapping fire-starting techniques, and they claim they want \nbetter building codes but try telling that to someone whose \nhouse has burned down.\n    So at this point we have no plans to offer a bounty, but I \ndo agree that the problem of irresponsible disclosure of \ndetailed information about security faults, specifically \ncreation of exploit code and releasing it into the wild, is in \npart responsible for a lot of the malicious and damaging \nbehavior to our infrastructure.\n    Ms. McCarthy. All right. Does open source software like \nLinux have vulnerabilities to worms and viruses?\n    I have seen a recent report that an open source developer \ntried to insert a Trojan horse into Linux.\n    First of all, could you explain what is a Trojan horse, and \nhow do you ensure that your developers do not insert malicious \ncodes like that into your data base?\n    Ms. Davidson. A Trojan horse is--of course, goes all the \nway back to Greek literature in the Iliad, actually the \nOdyssey. The idea is to get something into your code base that \ndoes something malicious. For example, one could insert code \nthat would capture a user's password and potentially mail it to \na bad guy or capture a Social Security number or other \nsensitive piece of information. The premise is that someone has \ndeliberately and willfully put code in that does something bad, \nunbeknownst to anyone else.\n    This is something people spend a lot of time talking about \nand it is certainly not--it is a risk but, quite honestly, most \nof the problem in software that creates these viruses and worms \nis preventable, avoidable security faults.\n    I mentioned, and I will not get all nerdy on you, but \nbuffer overflows. 
That is about 70 percent of security faults, \nand it basically means that instead of--if a program is \nexpecting 10 numbers and it does not handle gracefully if it \nreceives 11 numbers, or letters or something else, it could \ncreate a buffer overflow and that is 70 percent approximately \nof security faults. It is just bad programming.\n    So getting back to your question how do you prevent this--\n--\n    Ms. McCarthy. Yes.\n    Ms. Davidson. [continuing] I believe you cannot absolutely \nprevent someone from willfully putting malicious code in your \nsoftware because you cannot prevent them from making careless \nerrors. Now what you can do is to have very good development \nprocesses, you can have code reviews, you separate your code so \nthat not everyone gets access to everything to make changes, \nand the one piece that truly is missing right now is we do not \nhave automated tools that can scan code and find, first of all, \navoidable, preventable security faults, which is really most of \nthe problem in that, much less look for things like malicious \ncode or malware. The tools just do not exist in the market now.\n    Ms. McCarthy. Thank you very much, Mr. Chairman. I see my \ntime has expired.\n    Mr. Stearns. I thank the gentleman.\n    Mr. Morrow, you summed up your testimony by characterizing, \n``our state of information security readiness is marginally \nbetter than it was 2 years ago.''\n    What can we as the U.S. Government do so that 2 years from \nnow the improvement in our information security readiness would \nbe more than marginal?\n    Mr. Morrow. Well, sir, I believe I outlined a few things in \nmy testimony. 
One of the things that we see a lot of is that a \nlot of effort has been spent by very large organizations, the \nfinancial industry, you know Fortune 500 companies, but a lot \nof the issues have trickled down and a lot of the \nvulnerabilities are still being addressed at the levels of the \nmid-range business and the small-range business, and that is \nfor several reasons. One, these things cost money to fix. A lot \nof companies in the last few years due to the economic downturn \nhaven't had the money to invest in these type things, and you \nhave to understand and always keep aware of the interconnected \nnature of all these things, and just because the Fortune 500 \ncompanies and the government may make great strides, if the \nsmaller companies and smaller institutions, private \norganizations, et cetera, do not make similar strides, cannot \nmake similar strides for economic reasons, then there is a \nproblem because that opens up vulnerabilities to everyone.\n    So I think one of the things personally that we can have a \nlot of bang for the buck, if you will, is to help figure out \nincentives for small and mid-size and smaller companies to--and \norganizations to address these problems.\n    Mr. Stearns. Who would provide these incentives?\n    Mr. Morrow. Well, I think it could be a couple of different \nways. One could be financial incentives of some manner. That \nobviously is something in the purview of the Federal \nGovernment. Others might be the research and development, tax \ncredits, things like that, and there may be an education or \nsome sort of public service type of incentive where very small \ncompanies who offer--small tier companies and small businesses, \nprivately owned businesses, who have one or two systems and \nhave problems, they may require incentive from the government \nto provide them with basic tools, much like what Microsoft does \nin some of their software, for a very much reduced cost. 
I \nthink that would go a long way.\n    Mr. Stearns. Okay. Mr. Schmidt, to date how effective have \ncyberattacks been, and have you seen an increase in their \neffectiveness, and, if so, why do you think so?\n    Mr. Schmidt. I think first and foremost we have to define \nwhat we mean by how effective they have been. For example, if \nthe intent of some of these were to shut down major financial \nsystems, shut down electrical power grids, no, they have not \nbeen successful on a universal basis. We have seen some spot \noutages. But, as we move forward, I think what we will see is \nthe--as we referred to as the zero-day vulnerabilities and \nexploits. As both Ms. Davidson and Mr. Charney mentioned, the \ntime between the identification of vulnerability and the time \nthat it is exploited has been increasingly shorter.\n    Now, you mentioned in your opening comments, Mr. Chairman, \nthe SQL Slammer event back in January. That widespread event \ntook place in less than 10 minutes, whereas some of the ones \nyou mentioned earlier, the Code Red and Nimda, occurred over a \nmatter of days to see maximum infection.\n    The interesting piece of this is if you look at the ratio \nof computers affected versus the ratio of computers that are \nnow currently employed, it was actually a smaller percentage of \ncomputers that were infected in a shorter period of time, but \nwe have got a lot more computers out there. So we are doing a \nbetter job at it. 
So overall, the impact was probably less than \nit could have been had it been 2 years ago with that same \nnumber of computers.\n    I think the fundamental issue is if we don't continue to \nimprove these processes, reduce the vulnerabilities, make \nbetter tools available to prevent these things from even taking \nplace, which, as the Department of Defense has shown, 98 \npercent of the successful intrusions into those systems were \nthe result of someone not installing a patch, so if we install \nthe patches, their effectiveness would be much less than they \nare today.\n    Mr. Stearns. Ms. Davidson, I think you recommended a \ngovernment software underwriters lab. I think that intrigued \nall of us here and the staff, sort of the consumer equivalent \nof--software equivalent of the UL. I would like you maybe to \nelaborate and then have the Commissioner maybe just give his \ncomments on it.\n    Ms. Davidson. Thank you. I would be happy to do that.\n    We do have mechanisms for large pieces of commercial \nsoftware to go through an independent security evaluation. \nThere is an ISO standard for that, 15408, which is a common \ncriteria.\n    As I mentioned earlier, the Defense Department requires \nproducts used in national security systems to go through common \ncriteria evaluations. They are really good, and they help \nimprove the security of software, because it forces developers \nto a secure software development process. That is a great \nthing, and we are a great proponent of that. But they are best \nsuited--it is certainly not a cure-all for all cybersecurity \nills, and they really are best suited to more mature products \nwith a longer life cycle that are really sort of large pieces \nof software, like operating systems or data bases, firewalls. \nThat is not--and they are quite expensive. 
They can cost \nbetween $500,000 and $1 million.\n    That is obviously not well-suited for a small consumer \nproducts device, where the cost of the evaluation might \nactually dwarf your product sales. Usually something is better \nthan nothing when you are talking about improvements. If you \ncan have something that is a lighter weight form of that for \ncommercial products, like a PDA or other types of small \ndevices, that would be----\n    Mr. Stearns. I talked to a president of a university, and \nhe said he is going to have to spend $100,000 for software to \nprotect his university from cyberattacks. So maybe that piece \nof software should go to a software underwriters lab. Is that \nwhat you are saying?\n    Ms. Davidson. Well, I think you have to look at probably \nthe complexity of the software, the target market, and what it \nis being used for.\n    Mr. Stearns. So cost alone would not determine?\n    Ms. Davidson. Cost alone doesn't. And as much as people \ncomplain about how expensive these are, I can tell you that it \ncosts Oracle--if we have a security fault in our software that \nhas been out there a few years, and we have to fix it on 20 \noperating systems and four product versions, which we have done \nto protect all our customers, happily to do that, it costs us \n$1 million to fix that type of avoidable, preventable security \nfault.\n    If you prevent one of those or find it before you ship the \nproduct, you pay for the cost of the evaluation.\n    Mr. Stearns. Uh-huh.\n    Ms. Davidson. So it is cost-effective. And risk management \ndoesn't really work when you are talking about, well, I am \ngoing to let my customers hang in the wind because I didn't \nfeel like doing a better quality job with my product. That is \nnot acceptable.\n    Mr. Stearns. Commissioner, what do you think of the idea of \na software underwriters lab? 
I mean, it wouldn't necessarily be \nunder the Federal Trade Commission, but you are the only person \nhere from the government, so we will ask you.\n    Mr. Swindle. In this entire world of information technology \nwe live in, I think creative ideas are going to be the currency \nof making progress. And I think any idea of this nature \ndeserves attention, as Ms. Davidson said.\n    These remedies that we often aspire to are very expensive, \nnot to mention the fact that they are very complex. I think we \nare always interested, the FTC, in exploring new ideas.\n    Something that I would suggest that deals with most of the \nquestions that have been asked, that is security, sort of \nmirrors the privacy debate that we have had over the last 5 or \n6 years that I have been at the Commission. If you go back 6 \nyears ago, very few companies had privacy policies. They didn't \npost them. They were not very effective or were too difficult \nto understand. Today that has changed appreciably. And I used \nto say that privacy had better become a part of the corporate \nculture of businesses or there would be an FTC in their future, \nprobably.\n    I think security is along the same track, just running a \nfew years behind. Security has got to become an essential part \nof the management scheme of all companies, because we are \nbecoming more and more reliant upon handling of data and \ninformation and the transmission of that data and information. \nWithout security, we jeopardize the whole system. It becomes a \nmatter of critical importance to one's own self-interest that \nwe do this right. So I think security is going to have to \nbecome a part of the corporate culture as well as privacy.\n    Mr. Stearns. Okay. Let me just conclude, Mr. Thompson. We \nwant to make sure you are involved here. Maybe just you can \ngive a general evaluation on cybersecurity relative to this \nspyware that Ms. Bono has mentioned, maybe just some general \ncomments.\n    Mr. Thompson. 
Sure. I think I have heard some great ideas \nand some great suggestions. The only thing is that it has \nreally all been aimed at protecting the corporate end of \nthings, and protecting the consumer from the corporate end of \nthings.\n    But there is more to it than that. There is a whole world \nof consumers out there, and there is no one standing up for \nthem. That is really the intent of Ms. Bono's bill. Every month \nI see thousands of Remote Access Trojans posted to the Usenet \nin an attempt to catch some of these consumers, and there is \nno--they are catching people, and there is no one sticking up \nfor them.\n    Mr. Stearns. Every month you see thousands?\n    Mr. Thompson. Thousands of Trojan horses are disguised as \nadult movies or----\n    Mr. Stearns. Help aids?\n    Mr. Thompson. Something. And they are posted to the Usenet. \nThey are posted to the peer-to-peer networks.\n    Mr. Stearns. So you download that, thinking this software \nis going to help you. Bingo, you are caught.\n    Mr. Thompson. And are you caught. And these are the worst \nkind of spyware. These are the ones that do steal the \nkeystrokes, these are the ones that do steal your credit cards, \nthey do steal your identity. And no one is looking out for \nthese people. Someone has to look out for them.\n    Mr. Stearns. My time has expired.\n    The gentlelady from California.\n    Mrs. Bono. Thank you, Mr. Chairman. I want to piggyback on \nthat for Mr. Thompson as well. If you installed something like \nNorton Utilities or an antivirus firewall, every time your \ncomputer transmits to the Internet, you can have a notification \nthat tells you your computer is speaking to the Internet.\n    Mr. Thompson. Sure.\n    Mrs. Bono. Does that, in fact, notify you that spyware is \ntransmitting data?\n    Mr. Thompson. If everyone is playing by the rules. 
But \nsometimes they are subtle and they simply don't play by the \nrules, and they piggyback on something that has already been \nauthorized. These things are tricky.\n    Mrs. Bono. Some people have said that the problem with this \nlegislation is companies would move offshore, similar to the \nantispam legislation. But, to me, this doesn't seem like a \nvalid argument. Would you----\n    Mr. Thompson. I think some of them are offshore already, \nand probably some more would move offshore. But it would be \nnice to cut down on the people that were actually doing it \nopenly.\n    Mrs. Bono. I agree. Thank you.\n    Ms. Davidson, you briefly mentioned hacker conventions or \nconferences. Is there a room filled with people at a Hyatt \ndoing this, or is this something that is all taking place \nonline?\n    Ms. Davidson. I think they are a little more upscale than \nthe Hyatt, no disrespect to Hyatt.\n    Yes, there are such things. I am sure that Mr. Charney has \nbeen to one as well to see the amount of collusion going on in \nthe halls to try to exploit the latest vulnerability in vendor \nsoftware.\n    Quite honestly, some of the hackers spend more time in the \nhall devising viruses than I think they do at the actual \nsessions. There are such things. One of the problems in the \nindustry really is that the hackers are very good at playing \nnicely with one another. They share information. They share \nexploit code.\n    One of the reasons there is such a shortening of this \nwindow is in the past you could assume if there was a \nvulnerability in your software, and it was difficult to find or \nexploit, someone would have to spend a lot of time doing that. \nThen you only had to worry about the one bad guy or bad gal as \nthe case may be. Now those people create automated ways of \ndoing bad things, and they share it with other people, who may \nthen improve upon it and find more destructive or virulent \nforms of viruses or worms. 
And they actually have conventions. \nThat is a real problem.\n    Mrs. Bono. That is amazing to me that we can have physical \nget-togethers of bad guys, and they are infiltrated by the FBI \nor whoever ought to be there. How do we not know about this but \nyou guys do?\n    Ms. Davidson. Well, I think--Scott, I am sure, will have \nsome comments on this. Actually there are a number of people \nwho go to these from industry, partly because that is where \nthey learn about the latest techniques for breaking into \nthings.\n    I am not against general discussions of how to--how things \nare broken so that you can understand how to better defend \nagainst those attacks. I think we would be sticking our heads \nin the sand if we didn't participate in that. But when someone \ncreates the exact--effectively leaves a Molotov cocktail on the \nfront lawn of a building with a box of matches next to it, with \na sign that says, have fun throwing this, they have some \naccountability. And many of them feel that they have no \naccountability; it is intellectual showing off.\n    Mr. Charney. I want to add a couple of comments, because I \nthink they are important. I spent 9 years as Chief of the \nComputer Crime and Intellectual Property Section at the Justice \nDepartment. Law enforcement agents do go to these conferences. \nThey actually have a Spot-the-Fed event, which is quite common.\n    But there is something else that is also important to note. \nI mean, I agree with all Mary Ann's comments, but after the \nOklahoma City bombing, the Office of Legal Council gave a \nconstitutional opinion, at Congress's request, that bomb-making \ninformation on the Internet was first-amendment-protected.\n    Similarly, information about code vulnerabilities, exploit \ncode, other kinds of information like that is constitutionally \nprotected most likely. 
It is one thing to deploy the code and \ntake action, but to go to a conference and talk about how you \nmight exploit a system is probably a constitutionally protected \nactivity.\n    And so we always have to keep this in some context.\n    Ms. Bono. Thank you.\n    Is there any--changing the subject a little bit, \nrecognizing that the minute that something is digitized, it is \na 1 and a zero, but are there hardware answers here like \nbiometric identifiers or credit card terminals that hardware \nmanufacturers are looking at? And I am basically back to \nconsumer protection solely, but is there a hardware answer on \nthe horizon?\n    Mr. Charney. Microsoft is investing about $6.9 million this \nyear on research and development, and one of the more important \nprojects we are working on is something called the next \ngeneration security computing base. It is moving security into \nthe hardware, working with the major chip manufacturers to \ncreate a secure chip set on your computer. You will still have \nthe general purpose computer that you have today, but you will \nhave a second chip set that will control what runs on your \nmachine with strong memory and process isolation.\n    And the goal of this, if this works, is that when code \ntries to execute on your machine without your permission, if it \nis on that protected side of the machine, you will be notified \nthat code is trying to run. You will be able to block it.\n    But, this is, you know, very difficult research and \ndevelopment. And, I mean, we are shooting for, in the long-term \ntimeframe, the next version of the operating system, which \nmeans roughly 2006, give or take.\n    Mrs. Bono. Well, thank you.\n    Mr. Chairman, I can go on and on, but I will stop. I just \nthank you all so much for your time today. It has been very \ninformative.\n    Mr. Stearns. 
And I thank the gentlelady for staying for the \nsecond round.\n    We have concluded our subcommittee hearing.\n    I would point out that the Federal Trade Commission has a \ncomplete set of documents talking about how to stay safe \nonline. They have a little mascot who is promoting it. And so I \ncall attention to Members, too, that part of these programs \nprobably should be on their congressional Websites so people \ncan go to use, whether you are sight-seeing on the Internet or \nwhether you are talking about electronic theft, or how to stay \nsafe. The Federal Trade Commission has done a great deal of \nwork on this and are to be commended for all that they are \ndoing.\n    With that I want to thank the witnesses, and we will \nprobably have some follow-up questions for you. And I will \nallow the members to offer that to you, give you 5 working days \nto answer them if you could.\n    With that, the subcommittee is adjourned.\n    [Whereupon, at 12:20 p.m., the subcommittee was adjourned.]\n\n                                   - \n\x1a\n</pre></body></html>\n"