b"<html>\n<title>YOU'VE GOT MAIL--BUT IS IT SECURE? AN EXAMINATION OF INTERNET VULNERABILITIES AFFECTING BUSINESSES, GOVERNMENTS AND HOMES</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n     YOU'VE GOT MAIL--BUT IS IT SECURE? AN EXAMINATION OF INTERNET \n      VULNERABILITIES AFFECTING BUSINESSES, GOVERNMENTS AND HOMES\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            OCTOBER 16, 2003\n\n                               __________\n\n                           Serial No. 108-95\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n                                 ______\n\n<star>91-445      U.S. GOVERNMENT PRINTING OFFICE\n                            WASHINGTON : 2003\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nDAN BURTON, Indiana                  HENRY A. WAXMAN, California\nCHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. 
OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nMARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nDOUG OSE, California                 DENNIS J. KUCINICH, Ohio\nRON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois\nJO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts\nTODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri\nCHRIS CANNON, Utah                   DIANE E. WATSON, California\nADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland\nJOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California\nJOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, \nNATHAN DEAL, Georgia                     Maryland\nCANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of \nTIM MURPHY, Pennsylvania                 Columbia\nMICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee\nJOHN R. CARTER, Texas                CHRIS BELL, Texas\nWILLIAM J. JANKLOW, South Dakota                 ------\nMARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont \n                                         (Independent)\n\n                       Peter Sirh, Staff Director\n                 Melissa Wojciak, Deputy Staff Director\n                      Rob Borden, Parliamentarian\n                       Teresa Austin, Chief Clerk\n              Philip M. Schiliro, Minority Staff Director\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on October 16, 2003.................................     
1\nStatement of:\n    Evans, Karen, Administrator, Office of Electronic Government, \n      Office of Management and Budget............................    23\n    Leighton, Dr. F. Thomson, chief scientist, Akamai \n      Technologies, Inc., professor of applied mathematics, MIT; \n      and Kenneth Ammon, president and co-founder, government \n      solutions, NETSEC, Inc.....................................    33\nLetters, statements, etc., submitted for the record by:\n    Ammon, Kenneth, president and co-founder, government \n      solutions, NETSEC, Inc., prepared statement of.............    73\n    Cummings, Hon. Elijah E., a Representative in Congress from \n      the State of Maryland, prepared statement of...............    20\n    Davis, Chairman Tom, a Representative in Congress from the \n      State of Virginia, prepared statement of...................     4\n    Evans, Karen, Administrator, Office of Electronic Government, \n      Office of Management and Budget, prepared statement of.....    26\n    Leighton, Dr. F. Thomson, chief scientist, Akamai \n      Technologies, Inc., professor of applied mathematics, MIT, \n      prepared statement of......................................    40\n    Sanchez, Hon. Linda T., a Representative in Congress from the \n      State of California, prepared statement of.................    14\n    Waxman, Hon. Henry A., a Representative in Congress from the \n      State of California, prepared statement of.................     9\n\n \n     YOU'VE GOT MAIL--BUT IS IT SECURE? 
AN EXAMINATION OF INTERNET \n      VULNERABILITIES AFFECTING BUSINESSES, GOVERNMENTS AND HOMES\n\n                              ----------                              \n\n\n                       THURSDAY, OCTOBER 16, 2003\n\n                          House of Representatives,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The committee met, pursuant to notice, at 10:02 a.m., in \nroom 2154, Rayburn House Office Building, Hon. Tom Davis \n(chairman of the committee) presiding.\n    Present: Representatives Tom Davis of Virginia, Ose, \nPlatts, Turner, Blackburn, Waxman, Cummings, Tierney, Watson, \nVan Hollen, Sanchez, Ruppersberger, and Norton.\n    Staff present: Peter Sirh, staff director; Melissa Wojciak, \ndeputy staff director; Ellen Brown, legislative director and \nsenior policy counsel; Randall Kaplan, counsel; David Marin, \ndirector of communications; Victoria Proctor, senior \nprofessional staff member; Drew Crockett, professional staff \nmember; Teresa Austin, chief clerk; Brien Beattie, deputy \nclerk; and Corinne Zaccagnini, chief information officer; \nMichelle Ash, minority counsel; Nancy Scola, minority \nprofessional staff member; Earley Green, minority chief clerk; \nJean Gosa, minority assistant clerk; and Cecelia Morton, \nminority office manager.\n    Chairman Tom Davis. Good morning. A quorum being present, \nthe Committee on Government Reform will come to order. I would \nlike to welcome everybody to today's hearing on Internet \nvulnerabilities and the threat they pose to our national \nsecurity, public health and safety, and economy.\n    Citizens, businesses and governments rely on the Internet \nfor a variety of activities: business transactions, acquisition \nof goods and services, and the collection and dissemination of \ninformation, to name just a few. 
This morning the committee \nwill review what steps these disparate groups are taking to \ncreate a more secure cyber-environment, with particular \nattention to the Federal Government's response to this growing \ncyber-threat.\n    My primary goal today is one of public education. Computer \nsecurity can no longer be relegated to the back benches of \npublic discourse, or remain the concern solely of governments \nor corporate technology experts. Think of electronic tax filing \nor online license renewals. The fact that we are all ever-more \n``interconnected'' means we are all in this battle together. \nWhat affects one system could very well affect all of us, and \nthe unfortunate reality is that the Internet is inherently a \nbreeding ground for malevolent actors.\n    Congress has taken some strides to help Federal agencies \nprotect their information systems from security breaches. I \nsponsored FISMA, the Federal Information Security Management \nAct of 2002, which was enacted last year as part of the E-\nGovernment Act of 2002. FISMA provides a strong framework for \ninformation security in the Federal Government by requiring \nFederal agencies to use a risk-based management approach to \nsecure their information systems.\n    This year, Chairman Putnam and his subcommittee will \nclosely oversee implementation of FISMA, including new OMB \nguidelines, and the establishment of agency testing and \nevaluation plans, and the development and promulgation of \ninformation security standards. FISMA is a step in the right \ndirection for Government, but the threat is still great.\n    As we have seen in recent months, computer viruses and \nworms can cause significant damage to home and work computers. \nLoss of files and data can cause irreparable financial damage, \nmar a business reputation and even shut down operations in a \nprivate or Government enterprise. 
Furthermore, hackers are able \nto divert traffic from Web sites and steal information, \nincluding personally identifiable information, patients' \nmedical records, and financial details. The financial impact of \nsuch attacks is estimated to range from hundreds of millions \ninto the billions of dollars. Other intentional threats include \nelectronic eavesdropping or scanning to uncover passwords and \nother data.\n    But there are also unintentional threats that can be caused \nby flaws in computer software. From chief information officers \nto students to small business owners, everyone needs to know \nhow to respond to cyber attacks. When a new flaw is identified \nin ubiquitous software like Microsoft operating systems, users \nneed to take preemptive action to minimize damage from the \ninevitable hacker attacks. For example, security patches \nreleased by software manufacturers can be installed in systems \nto correct these flaws. When patches are announced, one has to \nact quickly to install them. So does the average computer user \nknow what software he is running? Does he know if the alert \napplies to him? If so, does he know where to find the patch and \nhow to apply it? The committee is examining these questions as \npart of the information security effort in the Federal \nGovernment.\n    The aggressive push to implement e-government initiatives \nmeans that Federal computer systems are communicating with \ncomputers in homes and businesses. If non-Federal computers are \nnot adequately secured, there is an added risk to our Federal \nsystem. The challenge for the Federal Government is to promote \nelectronic government initiatives while ensuring the integrity \nof its systems.\n    Educating all computer users about cyber security is \ncritical. It is a matter of public safety, and our outreach \nneeds a sense of urgency. When you connect to another computer, \nyou are connecting to every computer that computer has ever \nconnected to. 
Now, for most computer users, security is an \nissue that they may address at work, but most people are lax \nabout securing a home computer that is connected to the \nInternet. The average user needs to understand the full range \nof threats. For example, how software such as peer-to-peer file \nsharing applications leave computers defenseless against cyber \nattacks. For instance, the recent Swen worm circulating in \nEurope purports to be a Microsoft security alert and enters \ncomputers as an e-mail attachment on an e-mail ``delivery \nfailure'' notice. Then it tries to spread to other computers \nthrough the Kazaa peer-to-peer file-sharing network. Because of \nthe interconnectivity of the information systems and the \nincreased reliance on computers for transactions via the \nInternet, this type of worm has the potential to cause \nsignificant damage to home computers as well as those in \nbusinesses, financial institutions, and governments.\n    Even our Nation's critical infrastructure sectors depend on \ninformation systems to protect the Nation's water supply, oil \nand gas pipelines, electrical grids, and other critical \ninfrastructure. Significant damage to these systems could have \na devastating impact on our national security, public health \nand safety, and economy. In fact, terrorists have already \nexpressed their intent to attack our critical infrastructure, \nprompting the GAO to include cyber critical infrastructure \nprotection on its high-risk series for the first time in \nJanuary 2003.\n    We have three distinguished witnesses with us this morning \nto help shed some light on this important issue. On our first \npanel, the committee will hear from Ms. Karen Evans, the \nAdministrator of the Office of Electronic Government at OMB. \nThis is her maiden testimony before this committee. She will \ntestify about the Federal Government's response to this growing \ncyber threat. Welcome, Karen. We are happy to have you here. 
\nYou come here with a great reputation from the Department of \nEnergy, so we are pleased to hear what you say and look forward \nto working with you.\n    Our second panel is Dr. Tom Leighton, the co-founder and \nchief scientist of Akamai Technologies, and Mr. Kenneth Ammon, \npresident and co-founder of NetSec. Akamai will give a \ndemonstration of the ``Slammer'' worm's effect in elapsed time \nand its estimated impact on individual computers and networks. \nA presentation from NetSec will show the ease with which the \naverage computer user can obtain names, Social Security \nnumbers, and other sensitive information through popular search \nengines like Google.\n    I would like to thank all of our witnesses for appearing \nbefore the committee. I look forward to their testimony. I now \nyield to Mr. Waxman for his opening statement.\n    [The prepared statement of Chairman Tom Davis follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1445.001\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.002\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.003\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.004\n    \n    Mr. Waxman. Thank you, Mr. Chairman. I want to commend you \nfor holding this hearing. This hearing today is another \nimportant hearing on computer security.\n    Earlier this year we held a series of hearings on the risks \nof peer-to-peer file sharing programs, including how they could \nbe used to find all kinds of personal data about computer \nusers. This then led to the introduction and passage in the \nHouse of the Government Network Security Act of 2003, which \nrequires Federal agencies to assess the risk posed by peer-to-\npeer file sharing programs.\n    Today we are exploring another aspect of computer security: \nhow worms and viruses spread rapidly across the Internet, \nfinding unprotected computers. We also will learn how millions \nof people are using wireless networks, many unaware that their \ncomputers are vulnerable to attack. 
Business, governments, and \nindividual home users are at risk for computer invasion. \nEfforts must be taken by all users to make the Internet more \nsecure.\n    There is an important role for government in protecting \nfamilies from the risks of worms, viruses, and other malicious \nfiles. American families do not have computer experts on staff, \nor even easy access to training. If the family is lucky, it has \na teenager who understands computers, but even that is not \nenough. The Government can help by providing the public access \nto the vast wealth of information on computer security \ndeveloped by our Government agencies.\n    Computer software manufacturers can help also. Patch \nmanagement on home computers is becoming more automated, but it \nis not clear that the majority of the public understands the \nimportance of installing these patches and what the patches do. \nIt would be better if the software had fewer holes when it was \nshipped.\n    The Internet is a communal good. No one person or \norganization can secure it; it can only be secured by a joint \neffort. That effort needs active participation from businesses \nthat work on the Internet as well as businesses that produce \ncomputer software. And there is a role for Government both in \nsecuring its own computers and in educating the public of the \nrisks and how to handle those risks.\n    Mr. Chairman, the hearings you have held on these important \ntopics have helped inform Congress and the public and provided \nthe foundation for legislation. I want to commend you for your \nleadership on these issues, and I look forward to the hearing.\n    [The prepared statement of Hon. Henry A. Waxman follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1445.005\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.006\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.007\n    \n    Chairman Tom Davis. Thank you very much.\n    Any other Members wish to make statements? Ms. Sanchez.\n    Ms. Sanchez. 
I would like to commend Chairman Davis and \nRanking Member Waxman for calling this important hearing today, \nbecause I know, firsthand, how tedious and cumbersome computer \ninfections can be. In the past year I have had several computer \nviruses, and, as a result, every time my computer screen \nfreezes, I am paranoid that I have another virus.\n    Through an e-mail list serve that I have called the \nWashington Update, I update my constituents on a regular basis \nabout what is happening in Washington, DC, and when I wrote to \nmy constituents about today's hearing and requested that they \nshare with me some of their experiences with computer viruses, \nthe results were immediate and resounding. I was inundated with \ne-mails about the economic, social, and personal toll computer \nviruses have on the lives of my constituents, and I just want \nto share a really quick sampling of some of those stories \nbefore we begin.\n    A gentleman by the name of Mark Patton, who owns a business \nin my community, wrote to me and said, ``Our business was \nvictimized by a number of computer viruses on one occasion. We \nhad hired an IT consultant to provide maintenance for our \nnetwork, but, unfortunately, they were not keeping up with our \nvirus protection. As a result, we had to replace our server, \nupgrade our system, and subsequently fire our IT consultant. \nThe entire episode cost our small business over $10,000, \nwithout even considering the lost time we incurred. Viruses are \na threat to all businesses. 
The lesson is buyer beware when \nhiring an IT consultant, but, more importantly, as businesses \nbecome more and more dependent on the Internet, Internet \nsecurity becomes a very important issue.''\n    The Mission Hills Mortgage Bankers Gateway Business Bank \nwrote to me and said, ``At the height of the virus infected e-\nmail epidemic, Mission Hills Mortgage Bankers Gateway Business \nBank Web mail site was swamped with thousands of virus-laden e-\nmails a day in August and September. Fortunately, our firewall \nand virus software caught and cleaned up our e-mail system, but \nthe unsanitized e-mail was passed through to the individuals to \nwhom it was addressed. Personally, I was deleting 30 to 50 e-\nmails a day, both annoying and time-consuming. What I didn't \nknow was how vulnerable a home computer with DSL or cable \naccess is without a firewall, even with virus checker software. \nI wasn't aware that viruses can come through to your computer \nin ways other than on an e-mail until I got one. That was a \nmonth ago. I purchased and installed a firewall right away, but \nI am still experiencing a problem with my computer. Apparently \nthe damage to files can remain after the virus is cleaned up.''\n    And this problem has not only affected the businesses that \nwrote to me, but Rio Hondo Community College wrote to me: ``We \nwere hit hard by the worm at Rio Hondo College during the first \nweek of our semester this fall. Our mainframe computer and \nevery desktop computer on campus was unusable for a week. We \ncould not register students, certify athletic eligibility of \nathletes, process financial aid requests, conduct many of our \nclasses, or function in any capacity for a whole week. Eight \nweeks later we are still trying to get computers and printers \nand e-mail functioning for everyone.''\n    This particular little anecdote very much moved me. 
A \nconstituent by the name of Mark Katt wrote: ``I like to take \npictures of my daughter, who is currently 2 years old. I use my \ndigital camera to take a picture of her from the moment she was \nborn and every single month until she reached her first \nbirthday. I stored all of those pictures in my hard drive, so \nwhen I would be ready I would sort them all out and have them \ndeveloped and make a nice album that I could show my daughter \nwhen she grew up, and maybe play a slide show during her 18th \nbirthday party. But my computer was hit by the virus just \nbefore I got them developed. My 1 year worth of project, my \ndream and my gift to my daughter, are all gone, together with \nthe pictures. I would pay, no matter what the price, if I could \nretrieve all of those pictures. They were priceless, and you \ncannot bring back the hands of time.''\n    Diane Schumacher from my district wrote: ``I had a virus in \nSeptember of this year. It was the ``So Big'' virus. I got it \nwhen I purchased an item over the Internet that came with an \nattachment. I have been laid off. The last thing I needed was \nto be out of contact not only with the EDD, the Employment \nDevelopment Department, but also with my job search and support \ngroups, not to mention the expense of trying to repair the \ndamage.''\n    The stories that I have just shared with you today \nunderscore the prevalence of computer infections. Furthermore, \ncomputer viruses are a very real problem not just for \nbusinesses, but home users are also affected by this burdensome \nand costly problem. An unemployed constituent, a community \ncollege, a bank, and a father all have been victimized by \ncomputer viruses. They affect everybody. 
There is much work \nahead of us to eradicate the threat of computer infections, so \nI want to thank each of the witnesses for being here today to \ndiscuss this important topic, and I look forward to their \ntestimony.\n    Again, I would like to thank the chairman and the ranking \nmember for holding this hearing.\n    [The prepared statement of Hon. Linda T. Sanchez follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1445.008\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.009\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.010\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.011\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.012\n    \n    Chairman Tom Davis. Thank you very much.\n    Any other opening statements?\n    Mr. Cummings. Mr. Chairman, I have a very brief statement.\n    Chairman Tom Davis. Sure. Gentleman from Maryland.\n    Mr. Cummings. I want to thank you, Mr. Chairman, for \nholding today's hearing on the vulnerability of the Internet \nfor both businesses and citizens.\n    Initially, computers alone were subject to programming \nerrors or bugs that were attached to computer programs \naffecting only individual computers, without the risk that the \nerror would be passed on to another computer. Today, however, \nwith increased knowledge about cyber technology and the advent \nof the Internet security weaknesses in both computers and on \nthe Internet and because the Internet connects millions upon \nmillions of computers and computer networks belonging to \ngovernments, business, schools, and homes, these seemingly \nsmall viruses or worms sent out by hackers have the potential \nto do major harm to computer operating systems.\n    The Internet is fundamental to present-day living. Business \nis conducted online, items are purchased and sold online, \nindividuals communicate daily via e-mail or gather news and \ninformation from Web pages, and many even manage their accounts \nand conduct banking online. 
More importantly, the Federal \nGovernment, as well as other national structures, rely on the \nInternet for managing issues ranging from banking to defense. \nBecause of this, cyber safety and security is pertinent, not \nonly to individuals and private entities, but also to Federal \nsecurity.\n    Today's hearing will serve as an avenue to educate the \ngeneral public about the Internet's vulnerability, and it will \nalso address important issues regarding the different ways \nresearchers, the Government, and the software industry can work \ntogether to eliminate these vulnerabilities through the \ncreation of effective patches and systems for dealing with \nInternet security risks, as well as the expedition and \ndiscovery of cyber criminals. We must be proactive in our \nefforts to deal with cyber security and our review of the many \ndifferent ways technology has the potential to greatly enhance \nor reduce the quality of life for Americans and the rest of the \nworld.\n    Again, I thank you, Mr. Chairman, for holding this hearing. \nI look forward to hearing from our witnesses today as we \ndiscuss different ways to protect the vital infrastructure of \nthe Internet and educate home and small business users about \ncomputer infections.\n    With that, I yield back.\n    [The prepared statement of Hon. Elijah E. Cummings \nfollows:]\n\n[GRAPHIC] [TIFF OMITTED] T1445.013\n\n[GRAPHIC] [TIFF OMITTED] T1445.014\n\n[GRAPHIC] [TIFF OMITTED] T1445.015\n\n    Chairman Tom Davis. Thank you.\n    Any other statements?\n    All right, we will proceed to our first panel. Again, we \nhave the Honorable Karen Evans, the Administrator of the Office \nof Electronic Government at the Office of Management and \nBudget.\n    It is the policy of this committee that we swear you in, so \nif you would rise with me and raise your right hand.\n    [Witness sworn.]\n    Chairman Tom Davis. Thanks for being with us. Your whole \nstatement is in the record. 
You have a light in front of you. \nWhen it turns orange, 4 minutes are up. You are given 5 \nminutes. If you need more, take it, but I think we would like \nto keep to that so we can get to questions. Keep it moving. \nThank you.\n\n STATEMENT OF KAREN EVANS, ADMINISTRATOR, OFFICE OF ELECTRONIC \n          GOVERNMENT, OFFICE OF MANAGEMENT AND BUDGET\n\n    Ms. Evans. Good morning, Mr. Chairman, Ranking Member \nWaxman, and members of the committee. Thank you for inviting me \nto discuss the Federal Government's response to this growing \ncyber threat.\n    The Federal Computer Incident Response Center, FedCIRC, \nwithin the Department of Homeland Security is the Federal \nGovernment's civilian focal point for coordinating response to \ncyber attacks, promoting incident reporting, and cross-agency \nsharing of data about common vulnerabilities. As part of its \nresponsibilities, FedCIRC informs Federal agencies about \ncurrent and potential security threats.\n    Working with FedCIRC, OMB and the CIO Council have \ndeveloped a process to rapidly counteract identified threats \nand vulnerabilities. CIOs are advised via conference call, as \nwell as followup e-mail, of specific actions needed to protect \nagency systems. Agencies must then report to OMB on the \nimplementation of required countermeasures.\n    FedCIRC maintains a strong relationship with a number of \nindustry as well as government partners. These partners include \ncommercial software vendors, Carnegie Mellon University's \nComputer Emergency Response Team, law enforcement, the \nintelligence community, and agency incident response teams. \nThese organizations routinely communicate advance notice to DHS \nregarding the discovery of software vulnerabilities and the \ndevelopment of malicious code designed to exploit these \nweaknesses.\n    Securing cyberspace is an ongoing process as new \ntechnologies appear and new vulnerabilities are identified. 
The \nNational Institute of Standards and Technology [NIST] provides \ntimely guidance to Federal agencies on securing networks, \nsystems and applications. NIST recommends that agencies \nimplement patch management programs, harden all hosts \nappropriately, deploy antivirus software to detect and block \nmalicious code, and configure the network perimeter to deny all \ntraffic that is not necessary. Additional recommendations \ninclude user awareness briefings, as well as training for \ntechnical staff on security standards and procedures.\n    As part of its statutory responsibilities under the Federal \nInformation Security Management Act, NIST published in \nSeptember a draft Computer Security Incident Handling Guide. \nThis publication seeks to help both established and newly \nformed incident response teams to respond effectively and \nefficiently to a variety of incidents.\n    Another critical mechanism used to enforce protection of \nFederal systems is the Federal Information Security Management \nAct [FISMA]. Under FISMA, the Federal agencies are required to \nperiodically test and evaluate the effectiveness of their \ninformation security policies, procedures, and practices. The \nresults of both the agency self-assessments and the IG \nassessments are provided to OMB each September. OMB submits a \nsummary report to Congress based on the agency and IG reports.\n    Improving the Federal Government's response to Internet-\nbased attacks also requires that we focus on enterprise \narchitecture and standardized deployment of security \ntechnologies. As new technologies become available and cost-\neffective, they must be incorporated into the IT infrastructure \nwhere they can monitor common precursors and indications of \nattacks.\n    Discerning the source of malicious Internet activity is \noften difficult. 
The Federal Government will continue to rely \non Federal, State, and local law enforcement to investigate and \nprosecute developers of worms, viruses, and denial of service \nattacks. Agencies must continue to report computer incidents \nand assist law enforcement investigations to the greatest \nextent possible.\n    The National Strategy to Secure Cyberspace recommends that \nthe software industry consider promoting a more secure out-of-\nthe-box installation and implementation of their products, \nincluding increasing user awareness and user friendliness of \ntheir security features. OMB supports the agency use of \nenterprise licensing agreements which will require vendors to \nconfigure software to meet security benchmarks.\n    Additionally, the Federal Government will soon begin a \ncomprehensive review of the National Information Assurance \nPartnership [NIAP]. The review will consider to what extent, if \nany, NIAP can address the continuing problem of security flaws \nin commercial software products. This review will include \nlessons learned from the implementation of the Department of \nDefense July 2002 policy requiring the acquisition of products \nto be reviewed under the NIAP evaluation process.\n    Patch management is an essential part of the agency's \ninformation security program and requires a substantial \ninvestment of time, effort, and resources. At the present time, \n47 agencies subscribe to FedCIRC's Patch Authentication and \nDissemination Capability. This service validates and quickly \ndistributes corrective patches for known vulnerabilities.\n    Because of its vast inventory and the vulnerabilities \ninherent in commercial software, the Federal Government will, \nfor the immediate future, continue to be impacted by threats \nfrom the Internet. 
Through our oversight of agency security \npolicies and practices, OMB will continue to work with agencies \nto ensure that risks associated with cyber attacks are \nappropriately mitigated.\n    In closing, OMB is committed to a Federal Government with \nresilient information systems. OMB will continue to work with \nagencies and the Congress to ensure that appropriate \ncountermeasures are in place to reduce the impact of Internet-\nborne attacks.\n    [The prepared statement of Ms. Evans follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1445.016\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.017\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.018\n    \n    [GRAPHIC] [TIFF OMITTED] T1445.019\n    \n    Chairman Tom Davis. Thank you very much.\n    Let me start the questioning. Mr. Ammon, in his testimony, \nstates that computer security can't be an add-on but, rather, \nneeds to be integrated into the IT infrastructure management. \nCan you discuss what efforts the Federal Government is taking \nin this regard, recognizing you have just been on the job a few \nweeks? Does OMB adequately address this in the budget review \nprocess?\n    Ms. Evans. What I believe is occurring and what he means by \nthat is that cyber security cannot be an afterthought; it can't \nbe that the project is thought about or that the business \ninvestment is thought about, implemented, and then you add on \ncyber security. What OMB is doing through the business case and \nthrough the budget process is, as agencies develop business \ncases and propose their IT investments, cyber security is a \ncritical factor in evaluating that investment and how that \nproject is going to move forward. And it is evaluated up front, \nduring the investment, prior to the investment decisions being \nmade, and you have to address how cyber security is going to be \nimplemented as that investment goes forward.\n    Chairman Tom Davis. 
As we let out these large contracts, is \nthat a part of it, where we are asking the vendors or the \npotential vendors what the safeguards are they are putting into \nthis? Do you know the answer to that?\n    Ms. Evans. I would say right now that I can speak from my \nexperience at Department of Energy of what was required of me \nthrough the budget process and through the management process \nthat OMB does have over the agencies. And as we move forward \nand as agencies move forward in the procurement process, it is \nincumbent on the CIO, as they make those investment decisions, \nthat those questions are asked during the procurement process \nof how you evaluate potential vendors and their products going \nforward so that as those products come into your \ninfrastructure, the risk is identified, the risk then is either \nmitigated or a risk assessment is done in accordance with FISMA \nso that you know what the impact of that technology or that \ninvestment is going to be on your infrastructure. Then a risk \nassessment is done and the manager who is responsible accepts \nwhether that risk level is acceptable for implementation within \nthe infrastructure.\n    Chairman Tom Davis. But an IT contract is a very complex \npiece and procurement officials look at a lot. They look at \ncost.\n    Ms. Evans. Yes.\n    Chairman Tom Davis. They look at experience. They take a \nlook at what innovations can be brought to bear. They may have \nto look at a set-aside provision, depending on what it looks \nlike and who is getting it. And I guess my question in all this \nis cyber security is obviously a factor. Ultimately, it could \nbe the most important factor as you look down the road. We \nfound this with Y2K. Even contracts as late as 1999 were being \nlet, and there were no Y2K safeguards being put in. Where does \nthis rank in the pecking order, and is there going to be an \neffort to try to rev this up as an important component of \nfuture IT purposes?\n    Ms. 
Evans. Again, I would like to draw from my past \nexperience and bring it forward into my new job at OMB. As a \nCIO, as a past CIO and now responsible for the IT assets of the \nFederal Government as a whole, no decision is made without \nreally assessing what the cyber security impact of that will \nbe. If it is not assessed at the time, and continuously \nassessed through the life cycle of that investment, it will \ncost more, it could cost more in the long-run; and it is \nimportant that it is integrated into everything that we do. So \nI plan to bring that forward through several initiatives that \nare already ongoing within OMB to ensure that the cyber \nsecurity aspect of whatever we do is properly addressed.\n    Chairman Tom Davis. Because it is a tough balancing act \nwhen you are looking over cost, experience and innovation, and \nsomebody may have a more secure vehicle that may be far more \nexpensive, and weighing it.\n    Ms. Evans. Yes, it is.\n    Chairman Tom Davis. And the purpose of this hearing is, of \ncourse, cyber security. I think we are going to see in our next \npanel just tremendous vulnerabilities that we have that the public \nisn't aware of. I am still very uncomfortable with our level of \ncyber security in Government and in the Internet at large. I \nthink people don't understand the inherent risks that are out \nthere. So it is a tremendous difficulty, and how we deal with \nit legislatively is one piece, and then the bulk of the public \ngoes with the administration and what priority you are going to \nput on it.\n    I have one other question before we recognize someone else. \nA number of our vulnerabilities stem from flawed commercial \nsoftware. Since the Federal Government is the largest consumer, \ndo you feel that the National Information Assurance Partnership \nis adequately addressing this?\n    Ms. Evans. 
Well, as I stated, we are going to begin a \nreview of that and look to what extent that partnership will be \nable to address those particular issues. So as we move forward \non that, I would be glad to come back to the committee with our \nevaluations.\n    Chairman Tom Davis. Keep us involved in that.\n    Ms. Sanchez, any questions?\n    Any questions?\n    Mr. Cummings. I was just wondering, does OMB have efforts \nunderway to reduce the amount of paperwork required under the \nFederal Information Security Management Act?\n    Ms. Evans. Well, I would say, and again I have to draw from \nmy agency experience as one who has to submit a lot of that \ninformation, who had to submit that, that the current processes \nand procedures in place allow for flexibility for the CIO and \nthe program offices to be able to determine and assess what the \nrisks are, to be able to submit the information under the Plans \nof Action and Milestones. So I don't know that I necessarily \nlook at it as a reduction of paperwork, but it is really a \nprocess going forward of doing the risk assessment and how you \naccurately reflect that and be able to submit to OMB through \nthe Plans of Action and Milestones.\n    Mr. Cummings. So when you have older computers, I guess it \nmakes it a lot more difficult, that is, the security issues.\n    Ms. Evans. If you have older computers? I don't understand \nthe question. Are you asking about the security vulnerabilities \nassociated with older computers?\n    Mr. Cummings. That is correct.\n    Ms. Evans. We are getting into a technical discussion here, \nbut it is a debate. Some people view that older computers could \nbe more secure from the aspect that hackers have a tendency to \nattack and develop malicious code for newer operating systems. \nSo some people may argue with you that an older computer is \nmore secure because the current attacks are actually targeted \nto more current vulnerabilities. 
I would say that a CIO, in \nassessing overall security, would have to look at both of \nthose: what are the risks associated with maintaining an older \nplatform and ability to continue the operations and maintenance \nof that for the program that it is supporting versus the cyber \nsecurity. I believe that we talked about the balancing act and \nthe decisions that need to be made so that you can have a full \ncomprehensive program moving forward.\n    Mr. Cummings. Thank you.\n    Chairman Tom Davis. I just have a couple other questions \nbefore I let you go.\n    Ensuring adequate information security obviously requires a \nvery skilled level of Federal employee. The Federal Government \nfinds itself competing against the private sector for talented \nemployees in these areas, and we have seen that some of our \nbest and brightest are eligible to retire over the next few \nyears in Government. Do you think that agencies have the \nresources necessary to execute the elaborate security measures \nthat are necessary to maintain their systems and keep \nGovernment connected?\n    Ms. Evans. I think that there are several initiatives that \nare underway so that agencies have tools that are available to \nthem to capitalize on succession planning. Through the \nPresident's Management Agenda there is a human capital \ninitiative that really outlines how an agency is going to deal \nwith all aspects of human capital and succession planning. 
\nAlso, through the work of the Federal CIO Council and through \nthe work on the Committee on Human Workforce Development, under \nthe chairmanship of Ira Hobbs, that has really put together a \nlot of work that has gone forward so that we can maximize the \nuse of that within our existing resources, to be able to really \ndeploy and utilize the talent that we have while we are also \nplanning for the future and being able to move forward; that it \nis identified skill gaps for us to be able to concentrate on \nand to be able to move forward.\n    I think that the budget process, the way that it is set up, \nas agencies continue to move forward and identify where they \nwant to invest and how they want to do things, that the budget \nprocess allows for them to identify how they want to deal with \nthis and how they want to move forward in the future, and it \nwill be evaluated and reflected in the budget and the budget \ndecisions.\n    Chairman Tom Davis. OK. My last question is, the prevalence \nof Internet vulnerabilities highlights the need to establish a \nbalance between the Government's communication with citizens \nand businesses and the security of Government networks. In his \nwritten testimony, Dr. Leighton recommends removing public-\nfacing Web sites from Government networks. Are you aware of \nagencies that do this or are considering implementing such \nmeasures, and would this adversely affect any of the electronic \ngovernment initiatives?\n    Ms. Evans. Those are considered managed services and each \nCIO, as he goes forward in his planning and his strategy to \nmanage those resources, that is an alternative that is \nconsidered. And so if that is the best solution for that \nagency's cyber security posture, as well as meeting the mission \nthat it needs, that is an alternative that is evaluated for \npotential service providers. 
So it is a great idea if it meets \nyour business need and it matches your cyber security posture \nof what you are doing for your department as a whole.\n    Chairman Tom Davis. OK. Well, thanks, this is the beginning \nof ongoing discussions and communications with you. I \ncongratulate you on your new position. We are going to get our \nnext panel in, and I wonder if you can stay for their \ntestimony. I guess we wanted you to hear what they both have to \nsay. We have two very able people from the private sector in \nthis, and thank you very much.\n    We will take a 1-minute recess and try to move our next \npanel on, and swear them in and hear their testimony. It is \ngoing to be, I think, pretty interesting.\n    [Recess.]\n    Chairman Tom Davis. Our next panel is Tom Leighton, the co-\nfounder and the chief scientist of Akamai Technologies, and Mr. \nKenneth Ammon, the president and co-founder of NetSec.\n    It is our policy that we swear you in before you testify, \nso if you will just rise with me and raise your right hands.\n    [Witnesses sworn.]\n    Chairman Tom Davis. Thank you very much. We are the chief \ninvestigative committee in Congress, and that is why we swear \npeople in. We are not anticipating any acts of perjury, \nalthough I did have Wes Unseld, who was the head coach for the \nBullets, up before a committee 1 year, and I asked him, since \nhe was under oath, ``Are the Bullets going to have a winning \nseason this year?'' And his answer was ``I can promise you we \nwill have exciting basketball.'' Now, at the end of the year we \nevaluated whether that qualified as crossing the line or not, \ngiven the record, but it is just the way we do things. But \nthank you both for being here. Dr. Leighton, why don't I start \nwith you, and then Dr. Ammon. I think you have a demonstration?\n    Mr. Leighton. Yes.\n    Chairman Tom Davis. So take whatever time you need on that, \nthe same with you, Dr. 
Ammon, and then we will move to \nquestions.\n\n STATEMENT OF DR. F. THOMSON LEIGHTON, CHIEF SCIENTIST, AKAMAI \nTECHNOLOGIES, INC., PROFESSOR OF APPLIED MATHEMATICS, MIT; AND \nKENNETH AMMON, PRESIDENT AND CO-FOUNDER, GOVERNMENT SOLUTIONS, \n                          NETSEC, INC.\n\n    Mr. Leighton. Chairman Davis, Ranking Member Waxman, \nSubcommittee Chairman Putnam, Subcommittee Ranking Member Clay, \nand members of the committee, I appreciate the opportunity to \ntestify this morning about one of my personal and professional \npassions, namely, the Internet. The Internet has been a focus \nof my work at the Massachusetts Institute of Technology, and \nalso constitutes the basis for our creation of Akamai \nTechnologies.\n    Akamai runs the world's largest distributed computing \nplatform with more than 14,000 computer servers located in over \n1,100 different networks in 70 countries. Like the Internet \nitself, Akamai evolved from what was originally an academic \nresearch project sponsored by the Defense Advanced Research \nProjects Agency [DARPA]. Today, Akamai is a major commercial \nenterprise that delivers a substantial portion of all Web \ntraffic. Using sophisticated mathematical methods and \nalgorithms to coordinate the operation of thousands of Web \nservers across the Internet, Akamai distributes content and \napplications from thousands of Web sites to hundreds of \nmillions of consumers worldwide. We serve each of you every \nday. Over 70 of the businesses on the Fortune 500 utilize the \nAkamai platform to distribute their content and applications \nreliably, securely, and efficiently, as do the Department of \nDefense, Department of Education, Department of Homeland \nSecurity, the FBI, Internal Revenue Service, the Centers for \nDisease Control and Prevention, the U.S. 
Geological Survey, the \nSupreme Court, and many other Federal, State, and local \ngovernment organizations.\n    As part of our services, Akamai provides an extensive, \nreal-time, worldwide view of Internet traffic and conditions, a \nglimpse of which we will see this morning. One of our central \nmissions at Akamai is to enable enterprises and government \nagencies to understand and manage the many vulnerabilities and \nproblems associated with using the Internet.\n    At Akamai we understand the power and potential of the \nInternet. Hundreds of millions of people use the Internet on a \ndaily basis to send e-mail, search for information, pay a bill, \nbuy a book, get the news, make a reservation, download music, \nrun a business, or just to chat with a friend. Trillions of \ndollars of e-commerce are conducted over the Internet annually. \nThe Internet is also used to manage critical national \ninfrastructure in sectors such as transportation, banking, \nmanufacturing, utilities, and defense. The Internet is truly a \ncommunications phenomenon that is transforming the way people \nwork, live, derive entertainment, and communicate all over the \nworld. It embraces fundamental notions of individual choice and \nfreedom that are hallmarks of our American society.\n    Unfortunately, the power of the Internet can be exploited \nfor evil as well as good, a phenomenon that is not atypical for \nsuch a great advance in technology. And for reasons that I will \ndescribe shortly, the Internet is particularly vulnerable to \nthe exploits of those with malevolent intentions. As you know, \nwe have already witnessed events wherein a single individual \nhas been able to disrupt Internet communications on a \nwidespread basis, thereby causing billions of dollars in \neconomic damage. Less well understood is the fact that \ninformation being transmitted on the Internet can also be \nrerouted, stolen, and manipulated with relative ease. 
The \nconsequences of such vulnerabilities are becoming increasingly \ndangerous as our dependence on the Internet grows. Internet and \nsoftware security are talked about much but understood little. \nToday I will spend a few minutes talking about how the Internet \nworks and why it is vulnerable.\n    Many people think of the Internet as a single network. This \nis a misconception. In fact, the Internet consists of over \n15,000 separate networks spread across most every nation in the \nworld. The wires and fibers in these networks are \ninterconnected in a somewhat haphazard fashion by millions of \nswitches known as routers. There was no central architect who \ndecided how or where the 15,000 networks should be connected to \none another, and there was no central command center to govern \nthe minute-by-minute or even month-by-month operations of the \nInternet.\n    The glue that holds the Internet together and that allows \nit to function are the protocols such as the Border Gateway \nProtocol [BGP], that are used to route packets of data from one \nnetwork to another, the services such as the Domain Name System \n[DNS], that are used to identify the correct destination for \ntraffic on the Internet, and the myriad software packages used \nto support such diverse tasks as e-mail, Web browsing, file \nsharing, and instant messaging. All of the software and \nprotocols have flaws that can be exploited by an attacker. \nThousands of new flaws were discovered in just the last year.\n    For the most part, the protocols used in the Internet today \nare very similar to those that were developed over 20 years ago \nwhen the Internet was first invented. Back then, the Internet \nwas known as the DARPANet and it was used by only a small \nnumber of researchers in a few locations. The original Internet \nprotocols were based on a foundation of trust. 
It was assumed \nthat the users of the Internet would use the Internet for the \npurposes for which it was intended and that they would do \nnothing to harm either the infrastructure or other users, \neither intentionally or even by accident. There was a strong \nsense of community in which the individual user would not take \nactions to the detriment of the common good, even if such \nactions would directly benefit the individual. While such noble \nassumptions were fairly safe in the collegial environment of \nthe DARPANet of 20 years ago, they are clearly not valid in the \nInternet of today, where there are many individuals and perhaps \neven terrorists or governments whose intentions are malevolent. \nAnd therein lies the problem.\n    Let me begin the discussion of Internet vulnerabilities by \nshowing you a video of what happened to the Internet when the \nSlammer Worm hit on January 25th of this year. On the monitor \nyou can see a map of the world. Shading is used to \ndifferentiate between daytime and nighttime in the various \ngeographics. The current time on this display is in the evening \naround 7 p.m. on January 23rd. On the monitor you will notice \nsome red and yellow lines. A yellow line indicates a major \nInternet link that is experiencing a substantial degradation in \nperformance. A red line indicates a link that is performing so \npoorly that it may well be unusable. It is normal to see a few \nsuch lines at any time on the Internet; the Internet is very \nlarge and it always has problems. This is one of the many \ndisplays that we use in our Cambridge Network Operations \nCommand Center to diagnose the problems on the Internet.\n    I will now advance this display over a period of several \ndays. You will see the sun move over the globe and you will see \nchanges in Internet conditions as various problems occur and \nabate. 
Everything is normal until just after midnight on \nJanuary 25th, when the Slammer Worm was released into the \nInternet. As you will see, the impact of Slammer was dramatic.\n    Akamai personnel first detected Slammer in Asia. Within \nminutes, Slammer had spread to hundreds of thousands of \ncomputers worldwide, causing a serious disruption to Internet \ncommunications that lasted for days on some networks. Akamai's \nmeasurements indicate that in the hours following Slammer's \noutbreak, as much as 20 percent of all Web traffic was \ninterrupted. It is estimated that Slammer caused well over $1 \nbillion of economic damage.\n    Critical U.S. Government networks were also affected. In \nfact, the BGP churn, a measure of network health, on a key \nDefense network was among the highest of the thousands of \nnetworks that we monitor worldwide.\n    On the monitor you can see a plot of the churn caused by \nSlammer aggregated over the entire Internet. From left to right \nyou will see time advance and the spike, of course, corresponds \nto the outbreak of Slammer. The pink or orange color denotes \nthe churn on North American networks in the Internet, including \nDefense networks; the blue indicates the churn on Asian \nnetworks; and green denotes the churn on European networks. Of \ncourse, most of the networks are North American, and so you \nwould expect to see a high churn in North America.\n    The damage caused by Slammer is fairly well known. In fact, \nSlammer was the subject of some excellent testimony before the \nSubcommittee on Technology, Information Policy, \nIntergovernmental Relations and the Census last month. What may \nbe less well known is that Slammer was a relatively benign worm \nin that it had no ``payload.'' Slammer's only function was to \nreplicate itself, and it was the mechanics of the replication \nthat caused the damage. 
Had Slammer been specifically designed \nto cause damage, the outcome could have been far worse.\n    Slammer exploited a software bug that had been discovered 6 \nmonths earlier, one of the many such vulnerabilities that are \ndiscovered in Internet-based software each year. Other worms \nand viruses are more malevolent. In addition to using the \ninfected computer as a host for self-replication, they also \ncause the computer to perform an Internet-based attack of some \nkind. For example, the Code Red virus released 2 years ago was \nspecifically designed to attack the White House Web \ninfrastructure. The recent Blaster worm was designed to attack \nMicrosoft's Web infrastructure.\n    On the monitor I have displayed the initial outbreak and \ncurrent activity of Code Red and Blaster. On the left-hand \ncolumn and the top row you will see the outbreak of Code Red \nroughly 2 years ago. On the bottom left you see the outbreak of \nBlaster. On the right-hand side you will see the current \nactivity of those viruses and, as you can see, both viruses are \nstill active, although both the White House and Microsoft have \ntaken steps to mitigate any damage they may cause.\n    In other cases, the virus or worm acts as a Trojan horse, \nleaving the infected computer in a vulnerable state that can be \nexploited later in a manner and at a time chosen by the \nattacker. In this way, an attacker can assemble an army of \nsubverted computers from the comfort of his own home, perhaps \nin a foreign country. The attacker can then use the computer \narmy to carry out an attack at will. Typically, the subverted \ncomputers reside in our homes and offices. 
It sounds strange, \nbut the reality is that as we buy more powerful computers and \nprovide them with better connectivity to the Internet, for \nexample broadband, we increase the power of the attacker to \ninflict damage upon us.\n    Even the world's largest Web presences cannot, by \nthemselves, withstand a distributed denial of service attack, \nalso known as a DDOS attack, from an army of thousands of \nsubverted computers. As shown on the monitor, a typical Web \nsite such as www.fbi.gov can process millions of bits of data \nper second. This shows normal use. Now we see what happens when \nthe Web site is attacked by an army of subverted computers. The \nvolume from a DDOS or distributed denial service attack can be \n1,000 times as large as normal usage. Recently, Akamai has \nobserved volumes of attack traffic exceeding 6 gigabits a \nsecond. That is 6 billion bits of data being dumped on the \ntarget every second. Needless to say, the Web site will crash \nalong with the infrastructure around it.\n    Akamai's distributed network helps to mitigate such attacks \nby providing a shield for its customer's Web site. Instead of \nattacking a single location, with a distributed network \narchitecture the army of subverted computers must now mount \nsimultaneous attacks against thousands of servers in hundreds \nof locations. This is much harder to do. Moreover, the Akamai \nsystem has been designed to immediately recover from the loss \nof even large numbers of its servers, and so even if the \nattacker is successful in neutralizing some of our servers, \nAkamai still delivers the content from the Web site as if \neverything were running normally. This capability was proved \nduring the recent war in Iraq, when the Akamai platform \nsuccessfully thwarted several large-scale attacks that were \nmounted against key Government Web sites. 
It was also proved \nduring the Slammer, Blaster, Code Red, and numerous other \nattacks, during which Akamai services operated normally.\n    As I noted earlier, critical Government networks are also \nvulnerable to Internet-based attacks. In part, this is because \nGovernment networks often use the same hardware and software as \nthe rest of the Internet and several are connected to the \nInternet just like everyone else. Hence, as was seen with \nSlammer, they are often affected like everyone else.\n    Defending against Internet-based attacks can be difficult. \nFor example, one defense against proliferation of viruses and \nworms on Government networks is to shut down all Web-based \ntraffic on the network. Another defense is to disconnect the \nGovernment network from the rest of the Internet. Both defenses \nhave the unfortunate side effect of cutting off access to \nthousands of Government Web sites from their daily users.\n    Many steps can be taken to help prevent attacks on \nGovernment networks and to mitigate their effect. Monitoring of \nvirus activity, maintaining up-to-date software patches, and \nimproving the security and consistency of firewalls would all \nbe helpful. It could also make sense to remove public-facing \nWeb sites from Government networks altogether. As can be seen \non the monitor, as long as the public is invited into \nGovernment networks in order to access public Web sites it is \ndifficult, if not impossible, to prevent unwanted access by \nattackers. Attackers come in just as the normal public does. By \nserving the content externally, however, the public no longer \nneeds direct access to the Government network and it is much \neasier to filter out attack traffic.\n    The perpetrators of Slammer, Code Red, the original \nBlaster, and thousands of other Internet attacks have not been \ncaught. That is because the Internet protocols make it very \neasy to mask one's identity, often by stealing that of another. 
\nFor example, before a spammer releases his onslaught of \nunwanted e-mails into the Internet, the spammer will often \nhijack someone else's Internet identity and use that identity \nas the home base from which to send the spam. When \ninvestigators try to detect the source of the spam they are led \nto an innocent bystander.\n    On the Internet most anyone can impersonate most anyone \nelse. Impersonation was never really contemplated when the \nInternet was designed and so no defenses were incorporated to \nprevent it. The implications go well beyond spam. For example, \nthere are many ways for a thief to steal credit card numbers, \npersonal passwords, and many other sensitive data that are \ncommonly transmitted over the Internet. If a thief wants to \nlearn the password to your online bank account, the thief \nsimply directs your computer or your Internet service provider \nto send him or her all Web traffic destined for your bank. He \ncan do this because it is relatively easy to trick your \ncomputer and/or the Internet into sending traffic to an \nunintended destination.\n    For example, one way of doing this is shown on the monitor. \nDisplayed here is the normal operation of the Internet with \nend-users going to a Web server. They are directed to that Web \nserver by the Border Gateway Protocol [BGP]. If we can see the \nnext slide, we see what happens when a hacker or attacker wants \nto intercept that traffic. The hacker simply sends an \nelectronic message to your ISP saying, ``Please send me the \ntraffic destined for the bank.'' Your ISP doesn't check that \nthe hacker is not the bank, and will immediately comply and \nsend all traffic destined for the bank to the hacker. Once the \nhacker receives that information, it will return to your \nbrowser a copy of the bank's Web site. 
You then will enter your \npasswords and your confidential information to get access to \nyour account, but now it has gone to the hacker instead of the \nbank and nobody knows.\n    This phenomenon often happens by accident. Every day an ISP \nwill accidentally claim the traffic for a Web site by accident, \nand part or all the Internet will send the traffic to the wrong \nlocation. This is known as black-holing. I know of a recent \nexample where a major e-commerce site was black-holed by \naccident for 5 hours, costing millions of dollars in damages. \nPrecise figures in the total amount of damage caused by e-crime \nannually are difficult to obtain, but data from the FBI's \nInternet Fraud Complaint Center indicates that this is a large \nand very rapidly growing problem.\n    It is truly remarkable that the Internet technology \ndeveloped so many years ago has scaled so well and in so many \nunforeseen ways. But the time has now come to take a fresh look \nat the Internet's protocols and operating procedures, and to \nimplement the changes that are necessary to make the Internet \nmore secure.\n    The vulnerabilities that I have mentioned today represent \njust the tip of the proverbial iceberg. Many more are listed in \nmy written testimony. The number I have talked about today is \njust limited by my time for this testimony, which is about to \nexpire.\n    I would be happy to answer any questions you would have.\n    [The prepared statement of Mr. 
Leighton follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1445.020 through T1445.047\n    \n    Chairman Tom Davis. Thank you very much.\n    Mr. Ammon, thanks for being with us.\n    Mr. Ammon. My name is Ken Ammon, and I am co-founder and \npresident of NetSec, an information security services firm \nheadquartered in Herndon, VA. From our 24/7 security operations \ncenter, NetSec provides managed and professional security \nservices to 5 of the Global 10 largest corporations, and 9 of \nthe 15 cabinet-level departments of the U.S. Government. We \nmonitor and manage systems in 22 countries around the globe. 
I \nwould like to thank Chairman Davis, Ranking Member Waxman, and \nthe committee for the opportunity to share with you the \nperspectives on enterprise security I have gained in my 5 years \nrunning NetSec, as well as my tenure in the U.S. Government, \nwhere I served as an Air Force officer and later as a security \nexpert for the National Security Agency.\n    I know the time of the committee is limited, so I will \nfocus my remarks on two important and related subjects \naffecting the security of the information in the U.S. \nGovernment. The first examines some very real, rapidly emerging \nthreats; the second looks at law this committee developed, the \nFederal Information Security Management Act, and how it can be \nthe guidepost for effectively managing sensitive information \nacross Government.\n    Every member of this committee is familiar with the high \nprofile worms and viruses that have disrupted operations and \ncaused billions of dollars in economic damage across private \nand public sectors. We just observed how devastating these can \nbe and how rapidly they can move. Clearly, such threats are \nserious and need to be addressed as part of any comprehensive \ninformation security strategy. But I am going to shift things \nand talk about the threats you don't hear about and can't \nreadily detect. I submit that the threats I will demonstrate \nthis morning may be less pervasive in their global reach, but \nmay be far more devastating in their ability to breach the most \nsensitive boundaries of our national security and citizen \nprivacy.\n    In my mind, there are two important platforms involved in \nsecuring information. The first platform is the infrastructure, \nand that is personal computers, servers, and networks. This \ninfrastructure platform has been the dominant focus of \ninformation security strategies to date. The second platform \nrevolves around the applications and information within the \nnetwork. 
It simply does not follow that a secure infrastructure \nensures secure information.\n    NetSec maintains what we call an Attack Lab, a facility \nwhere highly skilled ethical hackers are paid by our clients to \nbreak into their security systems in order to attempt to \nidentify and resolve security vulnerabilities. In the course of \nrecent application security research, NetSec's Attack Lab \nuncovered a method using the popular Google search engine and \nsome advanced search key words to access sensitive data \nregarding U.S. military personnel actions, suspected \nterrorists, and very personal information about U.S. citizens.\n    The slide up now demonstrates that information--some of \nwhich has been redacted--such as Social Security numbers, the \nname of the individuals, locations; and for those of you that \ncan't read it, I know that the committee has a copy of this. \nInformation about terrorist connections, passport numbers, \ncountries of birth and such, this was all retained off a simple \nGoogle search, and this is just an example of thousands of \nrecords that we were able to access. Virtually anyone present \nin this hearing could access this information within a couple \nof minutes from virtually any PC connected to the Internet.\n    It is highly probable that systems that house the data in \nexhibit 1 here were each certified and accredited to process \nsensitive information. Simple configuration changes to the \napplications could have prevented this information leak. \nHowever, only through end-to-end application-level testing can \nthe full scope of such vulnerabilities be identified. While \nthis type of testing is becoming more common among commercial \nclients, there seems to be little awareness of or interest in \nthis kind of testing in the Federal Government. 
And this \ntesting, just for simplicity purposes, is testing Web-facing \napplications and how they react to and accept information, as \nwell as deliver information, both Government-to-Government and \nGovernment-to-citizens. This information needs to be carefully \nexamined as a critical component of information security in the \nFederal Government as well, we believe.\n    The second emerging threat involves the growing reliance on \nwireless networks that are being installed in Government \nfacilities for obvious convenience, efficiency, and cost-\navoidance reasons. Wireless networks pose a great potential \ndanger, because if the wireless network is not properly secured \nit can open gaping holes in previously secure wired networks. \nWe refer to this problem as the ``steel door-grass hut'' \napproach to security.\n    In the past, our Attack Lab has conducted several ``war \ndrives,'' which are basically taking a car and driving around a \nparticular region and, using a device similar to this, a \nPringles can--you can get the instructions for this right off \nthe Internet. And what this does is, it connects to your laptop \nand allows you to access wireless networks from a much greater \ndistance than would be advertised by the providers. What we \nfound is that they were able to connect to numerous, hundreds \nof wireless networks in the Federal core of Washington, DC. 
The \nimage on the screen here, you can't see the color coding key, \nwhich is a little lower on the screen, but red, yellow, and \ngreen are represented here, red being high density, yellow \nbeing low density, and green is roughly 14 separate points is \nthe low point for abilities to connect to these systems.\n    Once again, the tools that the hackers use to connect to \nthese networks are readily available on the Internet, and for \nour purposes we just detected the networks; it actually takes \nsome additional effort to try to actually connect to the \ninformation available on the network. But literally you have \nthe ability to be sitting in the desk next to somebody's \ncomputer once you connect to these wireless networks, and more \nthan likely he will never know that it happens.\n    So we believe the Federal Government must create an \nenvironment that continuously rises to the challenge of threats \nsuch as these. Congress has made an important contribution to \nsecuring our Federal information assets with the enactment of \nFISMA. The visibility and importance bestowed upon the issue of \ninformation security by the passage of this law are invaluable. \nHowever, Congress needs to pay close attention and continuous \nattention to how this law is interpreted and enforced in order \nfor it to be effective in driving practical, pragmatic, and \noptimal use of resources available to achieve the best possible \ninformation security posture. To that end, I offer the \nfollowing observations.\n    FISMA does run the risk of becoming a paperwork exercise. I \nbelieve we need more focus on ``rubber meets the road'' risk \nmeasures that reflect our actual progress in reducing \nvulnerability, not just a report card on how much of the \nrequired paperwork has been filed on time. 
If you look at the \nreporting that is being done under the auspices of FISMA, there \nare virtually no objective measures of agencies' real-world \nsecurity posture, and this is what is and is not acceptable \nrisk.\n    A good illustration is the emphasis on system certification \nand accreditation [C&A]. In the Federal IT community today, \nFISMA law and OMB guidance are widely interpreted as equating \nsystem security with the completion of system C&A. Much FISMA \nreporting focuses largely on the progress agencies are making \nin completing the C&A process for all of their major systems. \nC&A is the process whereby tradeoffs between security and \nefficiency are identified, optimized, documented, and approved \nin the course of fielding a new information system. It is an \nexcellent way to reduce risk and to make sure the appropriate \nlevel of security is being designed into the system from the \noutset. Unfortunately, C&A provides little value when applied \nto existing or legacy systems. But due to the fact that FISMA \ncompliance and progress has been equated with how many systems \nhave gone through C&A, agencies are lavishly spending scarce \nresources to produce C&A reports that merely state the obvious: \nthe legacy system is not secure and can't be effectively \nsecured, in page after gory page of detail. And I actually have \nan example of one of these documents with us, and it is 5 \ninches of documentation. So it is a lot of paperwork that you \ngo through for just one system, and thousands of these are \nbeing produced. Just reviewing the resulting stacks of hundreds \nof these pages of documentation per system presents a daunting \ntask. 
You can imagine that much of the documentation gets \nfiled, never to be looked at again.\n    In cases such as this, and in this I mean the legacy \nsystems that are already in place, we need to stop wasting \nmoney on C&A reports, shortcut the paperwork process, and spend \nmore of our money effectively for pragmatic risk reduction \nuntil the system can be modernized. If we fail to set up a \nsystem of reporting and oversight that promotes practical \nactions in the face of known vulnerabilities, we risk putting \nour best people in lose-lose situations such as that faced by a \nrecently audited Federal agency. In this case, the agency was \ncited in the GAO report for failing to do C&A on an aging \nsecurity system that was slated for imminent replacement by the \nagency. And I understand the price tag for one of these C&As is \nanywhere from $100,000 to $200,000 to certify and accredit a \nsingle system. The managers responsible decided, correctly in \nmy opinion, that spending the money to do a C&A report on these \nsystems would be a waste of taxpayer funds, but in doing the \nright thing agency technology and management executives left \nthemselves open to criticism from the auditors and, \nsubsequently, sensationalization of that criticism in the \npress. The irony is that the system cited had actually been \nrock solid--tested for security vulnerability and found not to \ncontain any--and was actually put in place to mitigate \nsignificant risk that was in place in the system. It continued \nto perform flawlessly until its recent replacement with newer \ntechnology.\n    My second observation is that security can't be bolted on \nto the IT infrastructure, and failures in IT management equal \nfailures in security; you cannot separate the two, I believe. \nWe must continue to get our IT management house in order to \nachieve a secure environment. 
No amount of focus on security \ncan overcome fundamental weaknesses in how our information \nsystems are managed.\n    As Government and industry have learned from the recent \nworm outbreaks, you can't protect what you don't know about, \nand what you don't know about your infrastructure will hurt \nyou. Automated malicious code and hackers are very efficient in \nfinding the machines in your infrastructure that are not \nproperly patched. Even though the information goes to the \ndepartments and agencies, there are vulnerabilities. In many \ncases they do not have the asset management and configuration \ncontrols in place to adequately ensure all these systems have \nbeen patched, and we believe this to be a foundation of \nsecurity.\n    Not to be ignored, a key issue for proper infrastructure \nmanagement is organizational structure. Agencies should steer \nclear of having the fox watch the security hen house. There \nshould be a healthy system of checks and balances and a \npositive relationship in place between those responsible for IT \ninfrastructure and those responsible for information security \nmanagement.\n    My final observation this morning is that we mustn't waste \nscarce resources reinventing the wheel. There are too many \nredundant, ineffective efforts going on in parallel, all \ndesigned to provide 24/7 security vigilance for Federal \nnetworks. In many cases there are multiple, redundant efforts \ntaking place, separate bureaus within the same department each \nbuilding their own security operations infrastructure. This is \na serious waste of precious security expertise and budget.\n    NetSec clients, some of the world's largest corporations \nand government agencies, have recognized that enterprise \nsecurity requires a level of focus and expertise hard to find \nin any organization, and we don't believe that these resources \nare going to be produced at a rate to meet this demand any time \nsoon. 
That is why they have elected to entrust the monitoring \nand management of network security pieces to us, leaving scarce \ninternal resources to focus on more core security-related \nissues.\n    Where feasible, the Government should take advantage of the \nproven capability of commercial companies already providing \ntop-notch 24/7 security services on an outsourced basis. \nCommercially managed security providers offer an unparalleled \ncombination of research and operational 24/7 security \nexpertise. Government should avoid investing in internal \ndevelopment of services already available in the commercial \nmarketplace.\n    In conclusion, not one of us in the room had an idea 10 \nyears ago, when the Internet was first made available to the \npublic, that our addiction to this medium would become so \nsubstantial in such a short period of time. None of us knew the \nincredible potential of this medium to positively improve the \nlives of every citizen, increase the efficiency of Government \nand frankly, enhance the principles of freedom and \ncommunication that are hallmarks of our American society. So \nfew of us had any idea the extent to which critical and \nsensitive information would become vulnerable to multiple kinds \nof mischief and misuse. There is no right or wrong answer. This \nmay be the most important on-the-job training and learning \nprogram ever devised.\n    Security must be addressed. I believe it has been relegated \nto a second-tier status when it comes to discussions of and \ninvestments in security and other national priorities. This \ncommittee led the effort that produced FISMA, and I believe the \ncommittee has an opportunity to lead and educate Government, \nespecially at the senior executive levels, of just how \nimportant ongoing and coordinated information security \nmanagement is to our national security.\n    It has been a pleasure for NetSec as a company and me \npersonally to appear here today. 
Your efforts are in fact very, \nvery important. I wish you every success and stand ready to \nassist in an appropriate way. While the task of securing \nGovernment information systems is a daunting one, I am \nencouraged by the level of awareness and activity that has been \nfostered by the enactment of FISMA. We really do see this as \nlandmark legislation and the focus on security is \nunprecedented. This committee has the opportunity, through its \napproach to FISMA oversight, to ensure that the attention paid \nyields true results and lowers the Federal Government's \nexposure to the security risks that go hand-in-hand with the \nbenefits of the Internet.\n    Thank you.\n    [The prepared statement of Mr. Ammon follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1445.048 through T1445.054\n    \n    Chairman Tom Davis. Well, thank you both. I don't know if I \nfeel better after your testimony, but I think it is very \nrevealing, and it is information the committee has to have. I \njust have two or three questions I want to go through.\n    First of all, Dr. Leighton, let me start with you. \nBasically, if you are concerned about security on the Internet, \nwhether you are government, business, or an individual, you \ncan't just buy a piece of software and be secure. I think that \nis the message here.\n    Mr. Leighton. That is correct.\n    Chairman Tom Davis. You basically need some kind of filter, \nsome kind of system, your own pipes, to be able to protect, is \nthat fair?\n    Mr. Leighton. You need all that and you need the Internet \nto be fixed in the sense of securing the basic underlying \nprotocols. 
Even if you bought the fanciest filters, firewalls, \nall the software patches, and did everything else right, as \nsoon as your traffic goes out onto the Internet, the Internet \nis not secure, and someone could alter BGP because BGP is not \nsecured, someone could alter DNS because that is not secured, \nand you could be compromised.\n    Chairman Tom Davis. That is a huge job, to try to alter.\n    Mr. Leighton. That is correct.\n    Chairman Tom Davis. That is beyond the scope of this \nhearing and I think that will take some time to fix, but I \nthink a lot of people don't understand that.\n    Mr. Leighton. That is correct.\n    Chairman Tom Davis. They plug it in and they don't \nunderstand how this evolved and how it came about.\n    In your testimony you discussed some of the vulnerabilities \naffecting the Internet and indicated that these are only a \nfraction of the ones that we face. I wonder if you could just \ngo into some of the others briefly.\n    Mr. Leighton. Yes. I didn't speak at length about the \nDomain Names System. This is like the 411 of the Internet. When \nyou go to call somebody on the phone, you punch in a phone \nnumber instead of their name, and you get the phone number by \nlooking it up in a phone directory or calling 411. The Internet \nworks the same way. You type www.fbi.gov into your browser, but \nyour browser actually consults an Internet-like phone book to \nfind the IP address, and that Internet phone book is \ndistributed through something called the Domain Name System. \nThat system is not authenticated, it is easy for a hacker or an \nattacker to change entries in the domain name servers, and that \nmeans that you think you are going to fbi.gov, but if someone \nchanged the IP address or changed the equivalent of a phone \nnumber, you are going to go somewhere else. This is one way to \nget your bank information. 
You think you are going to your \nbank, but in fact you get routed somewhere else.\n    DNS should be authenticated. You shouldn't be able to \nchange an entry. It would be like changing the white pages in \nevery city in the country, or your favorite city, without \nanybody knowing, only it is a lot easier to do on the Internet.\n    BGP should be authenticated. Today, anybody can send \ntraffic wherever they want, and they can do it selectively. It \nhappens by accident all the time, and it is largely, today, \nuntraceable. Akamai actually runs a service where we keep track \nof that and try to notify people when it is happening.\n    And, of course, there are all the software vulnerabilities \non the end computers. People, as we speak, are assembling \narmies of zombies to send spam. As we speak, there is a new bug \nin Internet Explorer that will send traffic to the wrong place \nnamely, the hacker will direct where he wants your traffic to \ngo. So it is yet another way that you can type your bank's name \ninto your browser, but you are not going to your bank because \nsomeone has installed a Trojan horse on your computer without \nyour knowledge. And it is easy to forge return addresses. One \nof the aspects that made spam so effective was the mail \nappeared to come from your friend and if you looked at it, \neverything looked like it was coming from somebody you \nrecognized, so you opened it and looked at it and, wham, you \ngot infected. Both at the packet level and at the application \nor e-mail level it is easy to forge the return address to make \nthe traffic look like it came from somewhere else. And there \nare ways that one could hope going about stopping that and \nmaking it so you can't fake it on the Internet.\n    So given these kinds of vulnerabilities, it is very easy to \nconstruct all different kinds of attacks to do bad things on \nthe Internet.\n    Chairman Tom Davis. 
I think some of those you are \ndescribing as cyber attacks could be nothing more than mere \nprobing, searching for weaknesses, but the worst could be yet \nto come. I mean, could we potentially be facing a digital Pearl \nHarbor?\n    Mr. Leighton. Yes, the attacks we have seen so far, for \nexample, Slammer, which was considered so devastating, may well \nhave just been a probe; it had no payload. It wasn't meant to \ndo any damage, per se, it just grew so fast, that is what \nbrought down so much of the Internet. One could imagine if you \nactually put a payload in a Slammer and made it more \nsophisticated, you know, it was only a very narrow attack, the \npossibilities are large. As we become more dependent on the \nInternet with critical national infrastructure, it becomes \nfrightening what might be doable.\n    Chairman Tom Davis. Thank you.\n    Mr. Ammon, thanks for being here as well, and both of you \nfor your presentations.\n    Can you give me two or three specific actions you could \nidentify to ensure that the Federal Government gets on track to \nsecure the application and information environments that now \nreside on literally thousands of old and emerging computer \nsystems?\n    Mr. Ammon. I think there are two issues that are fairly \ncritical. One is that the efforts that take place in assessing \nvulnerabilities on legacy systems should be pragmatic and those \ndollars should be split between finding out where the most \nsignificant vulnerabilities are and then applying dollars to \nmitigating that risk until the system could be modernized. Once \nagain, the certification and accreditation process is fairly \nlengthy, and it is designed to provide the decisionmaker with a \nquantification of risk. In, I would say, 10 out of 10 cases \nthere is really nothing substantial you can do to go back and \nchange that risk in a legacy system, you pretty much have to \ntake a look at how to do it right the next time around. 
I think \nwhat we are trying to do here is close 15 years of lack of \nsecurity focus in a year or 2-year period, and I think we need \na process to ramp up those older systems and then follow C&A \nfor new systems that are coming out.\n    The second issue as far as application level security goes, \nI know that there is a push to Web-enable much of Government, \nand I think that follows in step with commercial business and \nwhat everybody is trying to do, be more friendly with who you \nhave to do business with and citizens, and make it easier for \nfolks to exchange information. I think that there needs to be \nsome type of information or legislation put into the existing \nFISMA Act that calls out specifically transaction-level \nassessments. Much of the focus is on infrastructure and, like I \nsaid, you can get that right and everything can check out, and \nwe have seen examples where by just changing some information \nin your Web browser, right at the very top where you actually \nrequest to get to the Web site, you are now staring at somebody \nelse's information. And this has been prevalent in financial \nand other communities, and they have been very concerned with \nthis, and so they have made significant efforts to modify their \nmethodology to ensure they assess this risk and correctly field \nthese types of applications. But literally we have seen zero \ninterest in the Government for actually taking a look at these \ntypes of risk and figuring out what to do about them.\n    Chairman Tom Davis. Well, thank you very much.\n    Mr. Tierney.\n    Mr. Tierney. Thank you.\n    This is intriguing and fascinating, and made all the more \nmysterious by my lack of knowledge in the technical area, so \nbear with me, if you would. Thank you for your testimonies.\n    When you talk about new protocols, can we do that? I mean, \nis there likelihood that we are going to be able to accomplish \na set of new protocols to get over the hurdles that we talked \nabout? 
And if that is the case, what is being done now and who \nis doing it, is it Government or private industry moving in \nthat direction? And what would Government's role be if there is \na role for it in moving along that path?\n    Mr. Leighton. Yes, Government has an important role to \nplay. Just the way that Government provided the funding that \ncreated the Internet over 20 years ago, Government can provide \nthe funding and direct funding toward research initiatives to \nhelp secure the Internet today. Some progress has already been \nmade. There is technology available that can help secure BGP \nand DNS and the core infrastructure protocols. It is not being \napplied today, and part of that may be the expense associated \nwith applying it.\n    So there can be a combination of getting protocols that are \neven more affordable to be deployed on the Internet and also \nusing the purchasing power of the Government to buy products \nand buy from companies that are supplying companies that are \nmore secure, that have invested in the security. Typically, a \ncompany that is invested in security, the services cost more, \nthe products cost more, and Government can play a role by \ndeciding that they want the secure offering versus maybe an \noffer that is less secure, and using the purchasing power to do \nthat. So it is a combination approach.\n    Mr. Tierney. And is that happening now? Is something being \ndone as we speak about securing some of these protocols, \nchanging them?\n    Mr. Leighton. There is some of that happening now. It would \nhelp to have it be happening a lot more and a lot faster.\n    Mr. Tierney. You talked in your testimony a little bit \nabout removing the public-facing Web sites from Government \nnetworks altogether.\n    Mr. Leighton. Yes.\n    Mr. Tierney. Is that a recommendation, that you would no \nlonger have that public access to Government information in \norder to secure it? 
Or is there some way of doing that where \nyou just separate the two and work from there?\n    Mr. Leighton. The recommendation would be to actually \nimprove the public access, which you would do by taking the \npublic-facing Web sites off of the sensitive Government \nnetworks. Today you have a situation where there is a very \nlarge Government network, many Government networks, where they \nhave thousands of public-facing Web sites sitting side-by-side \nwith sensitive Government servers, and that is a recipe for \nproblems. As the public comes in, the attackers come in, they \ninfect the machines, and then the sensitive servers sitting \nright next door, they get infected, and now you have a serious \nproblem. If you were to take the public-facing material and \nexport that off of the Government network, take it outside of \nthe sensitive network, now you don't invite the bad guys in \nwith the public so, in effect, by doing that the access to the \npublic content will be improved; it will be faster, it will be \ncheaper, and it will be more reliable, so the public gets \nbetter access to the Government and the Government stays more \nsecure.\n    Mr. Tierney. Mr. Ammon, I represent a lot of people who are \nreally concerned about identity theft, and it hits all age \ngroups, and I have heard some pretty horrendous stories right \nacross the board, with seniors in particular, those that are \nable to rate the technology barrier and actually get access to \ncomputers and the Internet, if they are disabled or aged, \nthings of that nature. What is the message to them here from \nwhat you talked about today, should they not trust doing \nbusiness over the Internet? Should they be concerned that there \nis nothing in place to protect them absolutely right now, or \nshould they be encouraged to do that, and what protections \ncould they take to be reasonably certain that they won't be the \nvictims?\n    Mr. Ammon. 
Just from my observations on the use of the \nInternet, I think a lot of folks understand there is this level \nof risk, but the value of the Internet and the access to this \ninformation they feel really is something that drives them to \nstill use the capability, even being aware this is possible. I \nbelieve, though, that there is an expectation that things are \nbeing done to make it better, and I think we are going to let a \nlot of folks down if we don't actually step up and do something \nto make it better, because these are widely publicized, these \nevents, and the information definitely is used for ill intent, \nand we have seen more activity with organized crime wanting to \nget to this information so that you create a more effective way \nof exploiting that theft of identity. So I think that there is \nsome patience still available, but things have to be moved \nquickly.\n    Mr. Tierney. And who would we place that responsibility \nwith, would it be industry, particularly the commercial side of \nthese things, that they should protect themselves, or must the \nGovernment step in and do it because they might not do it?\n    Mr. Ammon. I think that one of the challenges that you face \nis that it is impossible at this point to point to a model that \nsomeone has put in place and say, ``They have it right so let \nus just do what they have.'' I think what we have seen is, \ncommercially more is being done at the actual ``rubber meets \nthe road'' level for protecting their infrastructure, but \nGovernment has taken, I think, some fantastic leadership in \nputting together the visibility and oversight necessary in acts \nsuch as FISMA. I think that what we are doing is we are kind of \nclosing the gap here, and Government has a great opportunity to \ntake a leadership role and set a model for how this can be \ndone, and I think corporate America would willingly adopt this \nif there was a Government model for actually executing on these \nproblems. 
So I would recommend Government take a leadership \nposition.\n    Mr. Tierney. Thank you.\n    Chairman Tom Davis. Thank you very much.\n    Mr. Turner.\n    Mr. Turner. Thank you, Mr. Chairman.\n    I am really interested in the discussion concerning the \nwireless network access. In my own community, a couple years \nago, a company that was interested in promoting their efforts \nto provide security services for companies that are using the \nInternet went around the city and identified networks that were \nopen where there was a spillover, where the company was not \neven necessarily aware that they were broadcasting access to \ntheir network. We know that there are some places where people \nare advertising as an opportunity, bookstores and the like, to \ncome in and utilize the wireless network, but many companies \nthat implement the wireless network to one, get rid of a lot of \nthe costs of wiring or two, provide themselves greater \nassistance in areas, for example, a building like this, where \nit may be very difficult to modify a building for wiring--might \nchoose a wireless alternative, not really knowing that they are \nbroadcasting access to their network.\n    You began to discuss that even though people might have \naccess to the network itself, they might not be able to gain \naccess to secure information. But I think it is still a shock \nto many companies that might be using wireless that anyone \ncould have any access to the network at all through that. So \ncould you talk a little about the spillover and if there is any \nability to limit the spillover if you choose to have a wireless \nnetwork? And also how you might be able to secure access; if \nyou aren't able to limit spillover, how can you make it so that \nsomeone cannot access it? 
I know that certainly any company, if \nthey saw someone walk into their business and begin to plug \ninto their network, would immediately consider that as doing \nsomething criminal but think nothing of the fact that outside \nof their walls people might be able to access their network. \nCould you elaborate on that, please?\n    Mr. Ammon. Sure. I think wireless does have a lot of very \nbeneficial features and it can be useful. I think that creating \na policy and then having a way of enforcing that policy, the \nlatter half of that statement is the real challenge. We see \nmany organizations with a policy either prohibiting wireless \nsecurity or stating how it can be done effectively and \nsecurely, but they really don't know when it is showed up in a \nway other than in that manner. Case in point, we had one agency \nwhere they had fielded a brand new security system, and all of \nthe cameras that covered the perimeter actually were using \nwireless networking protocol to communicate. So the IT \norganization was not even aware that capability existed, that \nwith a laptop you could sit a mile away, point these cameras at \ntrees, at any point that you wanted to, because it had not been \nprotected. And it really has to do with a lack of knowledge \nthat these systems exist. So there are some emerging \ntechnologies that allow you to detect and actually enforce your \npolicy, and we think there needs to be perhaps more education \nand focus that these technologies exist, and that can be an \ninstrumental part for fielding a successful wireless program.\n    Mr. Turner. Dr. Leighton, do you have anything else to add?\n    Mr. Leighton. No. He covered it very well.\n    Mr. Turner. Thank you.\n    Chairman Tom Davis. Mr. Ruppersberger, any questions?\n    I have a couple more questions.\n    Dr. Leighton, you mentioned that Internet protocols make it \nvery easy to mask one's identity, often by latching on and \nstealing somebody else's. 
This impersonation can be taken a \nstep further, where an attacker can redirect Internet traffic \nto an unintended destination, pretending to be that of the \noriginal site, thereby getting access to highly sensitive \ninformation. What practical steps can we take to protect \ninnocent bystanders from both forms of theft, outside of \nredoing the whole Internet?\n    Mr. Leighton. I don't know that you would need to redo the \nentire Internet. It would help to authenticate Border Gateway \nProtocol so that if I went to an ISP and said, ``Send me the \ntraffic for this IP address,'' it would check first and make \nsure that I own that IP address. There is mathematical \ntechnology called authentication encryption and authentication \ndigital signature technology which could be applied in this \ncontext. A similar process could be applied to the Domain Name \nSystem. Secure protocols can be used to communicate if you are \nsure that both ends are actually using the protocol. One of the \nmisconceptions today is when you go to your bank you are using \nSSL or HTTP secure, you think you are secure, but if I can \nintercept your traffic ahead of time, I won't start the session \nusing the right key or I won't start the secure session at all, \nand so you are misled into thinking you are secure when you are \nnot.\n    So there are a variety of steps, and I guess the first is \neducation, making people aware that the problem exists today \nand there is something to be dealt with. And then the next step \nis developing the right procedures to put into place in the \nexisting Internet. I don't think you need to replace the \nInternet to make it more secure, it is improving the protocols \nto make them work better.\n    Chairman Tom Davis. Do you think that is best directed from \nthe Federal Government as a practical matter?\n    Mr. Leighton. I think the Federal Government can certainly \nplay an important role in highlighting the problem.\n    Chairman Tom Davis. 
Absent us doing that, is it likely to \noccur, do you think, anytime soon?\n    Mr. Leighton. No.\n    Chairman Tom Davis. I guess that is what I am after.\n    Mr. Leighton. No, we have known about this for a long time. \nWe are seeing the effects of it now in a very public way, in \nthe news stories, and it is something that affects all of us \ntoday. The effects will get worse if we don't correct the \nproblem. Part of it is that you have 15,000 different competing \neconomic units that make up the Internet, and they have to \ncooperate somehow, and leadership from the Government could be \nhelpful.\n    Chairman Tom Davis. Mr. Ammon, let me ask you. You talked \nabout how FISMA could be nothing more than a big paperwork \ndisplay, and that is our fear too. I think you said that the \ncertification and accreditation process in FISMA should not be \nconsidered a panacea because it can't guarantee the security of \nlegacy systems in the Federal Government. What are commercial \nbest practices for ensuring older systems?\n    Mr. Ammon. They are searching for leadership here also. I \nknow that IT governance has now been augmented to include IT \nsecurity governance, designed to drive visibility and such in \ncommercial organizations. And I think that is a positive move \nforward, but they have spent, I think, more time at the \nexecution level trying to ensure that these older systems are \neither phased out, and I think they have done that fairly \nrapidly, or they have put measures in place to, at a minimum, \nminimize the risk that is apparent. And they spend the money \ndoing that as opposed to generating a very large document that \njust captures what they already know.\n    And, look, we do certification and accreditation as a \ncompany, so I could sit back and say, great, we will keep doing \nit and make lots of money at doing this, but we think that it \njust leaves too much risk on the table. 
So having a parallel \nprocess that allows the Government and the security \ndecisionmakers to short-circuit that process for legacy \nsystems, but not basically meet the criticism of an audit, \nwould be very helpful in allowing them to mitigate risk and \nbuild the systems more securely as they roll out the new \nsystems. And I think that is something that could perhaps be \nput into FISMA, or at least guidance should be produced in that \ndirection.\n    Chairman Tom Davis. When I go home tonight, what is the \nfirst thing I can do to minimize the security threat to my own \ncomputer?\n    Mr. Leighton. Get all the patches installed on your \nsoftware, get a firewall installed, and be familiar with how to \nuse it and make sure it is functioning properly.\n    Chairman Tom Davis. OK. Do you agree with that?\n    Mr. Ammon. We used to have a joke about this at the \nNational Security Agency: ``Turn it off and put it in a box.'' \nBut I think the real answer there is that bad things happen to \ncomputers. Sometimes the disk blows up, sometimes it is a virus \nthat comes in. You know, back up your data, do some common \nsense, straightforward things, and make sure you have available \nsecurity software such as virus protection software. There are \npersonal firewalls that I think still have some growing to do, \nthey seem to be overly complex for the average user, but even \nthat can be helpful in mitigating some of the risk.\n    Chairman Tom Davis. All that mitigates it, but clearly you \nare still very vulnerable.\n    Mr. Ammon. You are still going to have issues, so just be \nsmart about what you put on there, back it up. You know, these \npervasive connections such as cable modems and such, they \ndefinitely increase the level of risk that you have. 
So if you \nare not going to be home, shut it down, don't leave it up and \nrunning, because people are constantly knocking on that door, \nand if they find something wrong, they will take advantage of \nit.\n    Chairman Tom Davis. And the vulnerabilities are tremendous. \nIf you get some malevolent group that understands this stuff \nand comes in, they can do severe damage. I mean, we talked \nbefore about a digital Pearl Harbor, that is the potential \nhere.\n    Mr. Ammon. Absolutely. Yes.\n    Mr. Leighton. In addition to the harm that can be caused to \nyou, if you are keeping track of your machine and the latest \nvirus scanning and so forth, you want to be sure that your \nmachine isn't contributing to the attack on somebody else's \ninfrastructure, to make sure that your computer hasn't been \nsubverted.\n    Chairman Tom Davis. I know Mrs. Blackburn is on her way \nback from the floor. She just e-mailed and had some questions \nshe wants to ask.\n    Let me ask if any other Members have any other questions \nthey want to ask at this point.\n    And is there anything else that you would like to add that \nmaybe you didn't get a chance to say that you want to emphasize \nin lieu of some of the questions that have come forth?\n    Mr. Leighton. Well, I think we have covered the basic \npoints: that there are serious problems, we need to be educated \nabout them, and there are steps we can start taking to make \nthings better, and I think Congress has a very important role \nthere.\n    Chairman Tom Davis. Viruses or worms can leave an infected \ncomputer in a very vulnerable state, as you noted before, that \ncan be exploited later by an attacker. So it comes in and it is \nliterally like a virus, it weakens the system so an attacker \ncan come in. Now, how can homes and businesses protect \nthemselves to ensure that their systems are not used as a \nTrojan horse? Is there any detection device on that you are \naware of? 
If a home user's computer has such a Trojan horse and \nthey want to file their taxes electronically or check their \nbank account online, then are those institutions at risk?\n    Mr. Leighton. Yes. Getting the latest virus scan software. \nTypically, once a virus is out there, software has been \ndeveloped to detect it, you know, in fairly short order, and so \nif you get that software, you can help detect that your \ncomputer has been compromised. In the most obvious cases your \ncomputer has all sorts of problems and you know something is \nwrong; in the less obvious cases it is being used as a Trojan \nhorse and you don't detect the problem, and that is why you \nwant to be proactive about seeing if you have a problem even \nthough you are not witnessing symptoms currently. There are \nstories today of computer armies numbering many thousands, \nmaybe hundreds of thousands of computers connected to the \nInternet that can be used later for an attack, and you want to \nbe sure that your computer is not one of them.\n    Chairman Tom Davis. You are both out there in the private \nsector, marketing products, meeting with people. Why is there \nstill a lack of attention paid in some cases to information \nsecurity as a fundamental element of routine business \noperations in many businesses?\n    Mr. Leighton. There is a lack of understanding of the \nnature of the problem and there is severe economic pressure \nthat limits proactive investment in security-related offerings. \nThat makes it hard to invest in a problem that hasn't happened \nto you yet. We see that all the time in speaking with \ncustomers; they haven't been hit yet by something, and so they \nare not as inclined to put the investment in to prevent that \nsomething from happening.\n    Chairman Tom Davis. It is like homeowners insurance almost, \nright?\n    Mr. Leighton. Exactly. 
Once the disaster happens, they are \nvery happy customers, because then they know there is a cost \ninvolved and that they can prevent it from happening again at a \nvery low price. So it is exactly that situation.\n    Mr. Ammon. I think organizational structure is problematic \nat this point also. When you put the security responsibility \ndirectly under the CIO you can have, especially in commercial \norganizations where CIOs are very driven to reduce costs, you \nhave a security officer basically looking to introduce cost \ninto the business. That can affect incentives, goals, \ncompensation of the person who is trying to reduce the overall \nexpense in IT. So I think in some cases where we have seen \ncommercial organizations place that role in a different \norganization, I think that you get greater high visibility for \nwhat may be wrong and potentially more support for the dollars \nto fix it, because you are not at odds with your goals that you \nare trying to achieve in your position.\n    Chairman Tom Davis. Mr. Putnam wanted to ask this question. \nHe says, given that there are oftentimes patches available for \nidentified vulnerabilities, why is it that so many government, \ncorporate, and home users remain so incredibly vulnerable? And \nI guess from your statement, you can have all the patches you \nwant, but there are always more vulnerabilities out there and \npeople willing to exploit them. But I will let you answer it.\n    Mr. Leighton. Yes, that is true. That said, the best thing, \nthe first thing to do is get the patches installed. And part of \nthe issue there is there are just so many bugs and exploits \nthat patches just keep on coming, and you have to make sure you \nstay current, and that takes real effort.\n    Chairman Tom Davis. Are most of these viruses and worms \nthat you are seeing in your businesses coming from outside the \nUnited States or from inside the United States?\n    Mr. Leighton. 
That is actually hard to say with certainty, \nbecause most of them you can't track their origin. We first \nobserved Slammer in Asia, but it spread very quickly. We can't \nsay for sure that it started there. So it is really hard to \nknow for sure where they come from.\n    Mr. Ammon. And I think that you can get descriptions of how \nthese viruses or worms actually work, and they make your head \nspin, lots of ones and zeros and Xs and Os and such, but there \nare tools available on the Internet that basically give you a \nworkbench with a mouse and point and click that allows you to \nbuild these. So what has happened is you have enabled the \nnovice now to go out and build these type of destructive \ncapabilities, launch them into the wild, and they do their \ndamage. So it used to be you had to be very smart to put one of \nthese things together, and so you were limited by the number of \nsmart, malicious folks you have. Well, now they have sort of \nmultiplied their ability to do damage by creating toolkits for \nthe novice to do this. And I think it is something worth taking \na look into and discussing whether those tools should be out \nthere and available.\n    Chairman Tom Davis. Do you think most of these attacks are \nmalevolent or just people playing games?\n    Mr. Ammon. Well, I think you get to see the ones that sort \nof have a life of their own. What you don't see is what I think \nyou should be very concerned about, because the motivated \nattacker, the enemy to the country or corporation is not going \nto make a lot of noise, doesn't want to be seen, and they are \ngoing to get in and they are going to get out, and they are \ngoing to get to the valuable information; and we have seen this \nin economic espionage as well as just Government situations \nwhen I was at NSA.\n    Chairman Tom Davis. Government architecture and computers \nhave locally-loaded application software. 
Would it be a good \nidea for Government to use a thin client which would make \nsoftware applicable to a central control server that would \nminimize that threat? Any thoughts on that?\n    Mr. Leighton. I think a lot of the same issues would exist. \nYou know, if it brought greater control and visibility as to \nwhat is going on, what software is on your network, that is \nhelpful, but a lot of the same issues will still exist.\n    Mr. Ammon. A browser is a fairly simple piece of software. \nWhat we found is that there is complex infrastructure on the \nother side of that browser that you connect to to do business; \nthere are data bases, the actual technology that allows you to \nsee a Web page when you go to a site, and that is a fairly \ncomplex infrastructure, it involves many components. And I \nthink that end-to-end security of the platform that houses the \ninformation and serves the request is where the focus needs to \nbe. If you get that right, then the client shouldn't be able to \ndo damage to you.\n    Chairman Tom Davis. Thank you very much. This has been, I \nthink, very helpful to the committee. I don't see Mrs. \nBlackburn here. I will give her a minute with you afterwards if \nshe walks in in the next couple of minutes. This has been \nexcellent in terms of collecting information. You know, what we \ndo with it, what the administration does with it, I think is \nreally going to be up to us to sit down and talk about. But I \nhope to use you both as resources as we move forward. We \nappreciate what you are doing and the innovations you are \nbringing to bear and your experience out there in the real \nworld. Again, having been in the private sector and the \nincentives that are offered for what you get, this is money \nthat you spend defensively that you have nothing to show for on \nthe bottom line. You are looking at your risk, I guess, but \neverybody thinks it can't happen to them.\n    Let me ask one other question. 
How commonplace is it, Dr. \nLeighton, with your clients, that there are penetrations that \nyou are able to stop? You can detect that to some extent, can't \nyou?\n    Mr. Leighton. Yes. Certain kinds of penetrations have \nsubstantial success: Web-based attacks and keeping the Web \ninfrastructure running even when it is under attack. We have \nseveral high profile Government sites, including the FBI, which \nwe aren't allowed to talk about, which we are having trouble \nkeeping up because of all the attacks, and since they have used \nAkamai services they haven't witnessed an attack on their site \neven though it happens every day, and that is because we \nprovide a defensive shield.\n    Chairman Tom Davis. And you can see that from where you \nare, that the shield is working, basically?\n    Mr. Leighton. Oh, absolutely. And we give them monitoring \ntools so they can actually see the attack and say, ``Oh my \ngoodness, there is a major attack against the site,'' but the \nsite is functioning normally because we are fielding that \nattack and monitoring it. We have seen some extraordinarily \nlarge attacks against Government Web sites during the last \nyear.\n    Chairman Tom Davis. And so far you have been impenetrable?\n    Mr. Leighton. So far.\n    Chairman Tom Davis. That is all I can ask.\n    Mr. Leighton. We put a lot of investment in trying to make \nsure it stays up and running and stays secure.\n    Chairman Tom Davis. OK. Well, again, thank you both very \nmuch. We appreciate your being here.\n    And the record will remain open if Members want to add \ncomments until the end of the day. If you have any additional \nthoughts in the next week or so, we will keep the record open \nand you can supplement it. The hearing is adjourned. 
Thank you.\n    [Whereupon, at 11:45 a.m., the committee was adjourned, to \nreconvene at the call of the Chair.]\n    [Additional information submitted for the hearing record \nfollows:]\n\n[GRAPHIC] [TIFF OMITTED] T1445.055\n\n[GRAPHIC] [TIFF OMITTED] T1445.056\n\n</pre></body></html>\n"