[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]

WORM AND VIRUS DEFENSE: HOW CAN WE PROTECT THE NATION'S COMPUTERS FROM THESE THREATS?
=======================================================================

HEARING before the SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS AND THE CENSUS of the COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION

SEPTEMBER 10, 2003

Serial No. 108-123

Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house http://www.house.gov/reform

92-654
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON GOVERNMENT REFORM

TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio
DOUG OSE, California
RON LEWIS, Kentucky
JO ANN DAVIS, Virginia
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
ADAM H. PUTNAM, Florida
EDWARD L. SCHROCK, Virginia
JOHN J. DUNCAN, Jr., Tennessee
JOHN SULLIVAN, Oklahoma
NATHAN DEAL, Georgia
CANDICE S. MILLER, Michigan
TIM MURPHY, Pennsylvania
MICHAEL R. TURNER, Ohio
JOHN R. CARTER, Texas
WILLIAM J. JANKLOW, South Dakota
MARSHA BLACKBURN, Tennessee

HENRY A. WAXMAN, California
TOM LANTOS, California
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
CHRIS VAN HOLLEN, Maryland
LINDA T. SANCHEZ, California
C.A. ``DUTCH'' RUPPERSBERGER, Maryland
ELEANOR HOLMES NORTON, District of Columbia
JIM COOPER, Tennessee
CHRIS BELL, Texas
------
BERNARD SANDERS, Vermont (Independent)

Peter Sirh, Staff Director
Melissa Wojciak, Deputy Staff Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Philip M. Schiliro, Minority Staff Director

Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census

ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan
DOUG OSE, California
TIM MURPHY, Pennsylvania
MICHAEL R. TURNER, Ohio

WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts

Ex Officio
TOM DAVIS, Virginia
HENRY A. WAXMAN, California

Bob Dix, Staff Director
Chip Walker, Professional Staff Member
Ursula Wojciechowski, Clerk
David McMillen, Minority Professional Staff Member

C O N T E N T S

Hearing held on September 10, 2003

Statement of:
  Akers, Greg, senior vice president, chief technology officer, government solutions and corporate security programs, Cisco Systems, Inc.; Phil Reitinger, senior security strategist, Microsoft Corp.; Vincent Gullotto, vice president, antivirus emergency response team, Network Associates, Inc.; and John Schwarz, president and chief operating officer, Symantec Corp.
  Dacey, Robert, Director, IT Security, General Accounting Office; Richard Pethia, Director, Cert Coordination Center; Lawrence Hale, Director, FedCIRC, Department of Homeland Security; Norman Lorentz, Acting Administrator, Electronic Government and Information Technology, Office of Management and Budget; and John Malcolm, Deputy Assistant Attorney General, Criminal Division, Department of Justice
  Eschelbeck, Gerhard, chief technology officer and vice president of engineering, Qualys, Inc.; Christopher Wysopal, co-founder, Organization for Internet Safety and director of research and development, @stake, Inc.; and Ken Silva, vice president, operations and infrastructure, Verisign, Inc.

Letters, statements, etc., submitted for the record by:
  Akers, Greg, senior vice president, chief technology officer, government solutions and corporate security programs, Cisco Systems, Inc., prepared statement of
  Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of
  Dacey, Robert, Director, IT Security, General Accounting Office, prepared statement of
  Eschelbeck, Gerhard, chief technology officer and vice president of engineering, Qualys, Inc., prepared statement of
  Gullotto, Vincent, vice president, antivirus emergency response team, Network Associates, Inc., prepared statement of
  Hale, Lawrence, Director, FedCIRC, Department of Homeland Security, prepared statement of
  Lorentz, Norman, Acting Administrator, Electronic Government and Information Technology, Office of Management and Budget, prepared statement of
  Malcolm, John, Deputy Assistant Attorney General, Criminal Division, Department of Justice, prepared statement of
  Pethia, Richard, Director, Cert Coordination Center, prepared statement of
  Putnam, Hon. Adam H., a Representative in Congress from the State of Florida, prepared statement of
  Reitinger, Phil, senior security strategist, Microsoft Corp., prepared statement of
  Schwarz, John, president and chief operating officer, Symantec Corp., prepared statement of
  Silva, Ken, vice president, operations and infrastructure, Verisign, Inc., prepared statement of
  Wysopal, Christopher, co-founder, Organization for Internet Safety and director of research and development, @stake, Inc., prepared statement of

WORM AND VIRUS DEFENSE: HOW CAN WE PROTECT THE NATION'S COMPUTERS FROM THESE THREATS?
----------

WEDNESDAY, SEPTEMBER 10, 2003

House of Representatives, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Committee on Government Reform, Washington, DC.

The subcommittee met, pursuant to notice, at 10 a.m., in room 2154, Rayburn House Office Building, Hon. Adam Putnam (chairman of the subcommittee) presiding.

Present: Representatives Putnam, Miller, and Clay.

Staff present: Bob Dix, staff director; John Hambel, senior counsel; Chip Walker, Scott Klein, and Lori Martin, professional staff members; Ursula Wojciechowski, clerk; Suzanne Lightman, fellow; Jamie Harper and Erik Glavich, legislative assistants; David McMillen, minority professional staff member; and Jean Gosa, minority assistant clerk.

Mr. Putnam. The quorum being present, the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census will come to order. Good morning. Today we continue our in-depth review of cyber security issues affecting our Nation. There are several things unique to cyber attacks that make the task of preventing them difficult. Cyber attacks can occur from anywhere around the globe, from the caves of Afghanistan to the battlefields of Iraq, from the most remote regions in the world or right here in our own back yard.
The technology used for cyber attacks is readily available and changes continually, and perhaps most dangerous of all is the failure of many people, including those who are critical to securing these networks and information from attack, to take the threat seriously, to receive adequate training and take proactive steps needed to secure their networks. A severe cyber attack would have devastating repercussions throughout the Nation in a physical sense and in real economic dollars.

The initial plan for this hearing was to focus primarily on strategies and methodologies within the agencies of the Federal Government for identifying and mitigating computer vulnerabilities through a system of patch management. Recent events, however, have caused us to expand the boundaries of this hearing to include computer systems throughout the Nation.

This summer, everyone once again realized how vulnerable our computer networks are to cyber attack. The Blaster worm and SoBig.F virus brought home the reality that unsecured computer systems are all too prevalent and that as a Nation across all levels, government, business and home users, we must take computer security more seriously than we have in the past.

The Blaster worm infected over 400,000 computers in under 5 days. In fact, 1 in 3 Internet users is infected with some type of virus or worm every year. The speed at which worms and viruses can spread is astonishing, and a contributing factor to that rapid spread is the lethargic pace at which people deploy the patches that can prevent infection in the first place. Microsoft announced the vulnerability and had the patch available weeks before the exploit appeared.

Recent viruses and worms have been blamed for bringing down train signaling stations throughout the East, affecting the entire CSX railroad system, which covers 23 States. Additionally, new information is coming to light that the Blaster worm is being linked to the severity of the power blackout of last month.
The North American Electric Reliability Council blames another worm, Slammer, for impairing bulk electric system control by bringing down networks. We learned last week that the U.S. Nuclear Regulatory Commission issued a formal information notice to nuclear power plant operators warning them about an incident in January in which the Slammer computer worm penetrated networks in Ohio's Davis-Besse nuclear plant and disabled two important monitoring systems for hours.

A recent Gartner study predicts that by the year 2005, 90 percent of cyber attacks will attempt to exploit vulnerabilities for which a patch is already available or a solution known. So why aren't systems patched and why aren't anti-virus programs kept up to date?

This hearing will examine the issues surrounding these incidents, including how vulnerabilities are discovered, how the public is notified about potential vulnerabilities, the mechanisms for protection, the real and potential problems presented by patch systems and the scope of the problem confronting the Federal Government, the business community, and the general public.

System administrators are often overwhelmed with simply maintaining all the systems they have responsibility for overseeing. Challenges that organizations face in maintaining their systems are significant. With an estimated 4,000 vulnerabilities being discovered every year, it is an enormous challenge for any but the best resourced organizations to install all of the software patches that are released by the manufacturer. Not only is the sheer quantity of patches overwhelming for administrators and everyone else to keep up with, but patches can be difficult to apply and have unexpected side effects on other systems that administrators must then evaluate and address. As a result, after a patch is released, administrators often take a long time to fix all of their vulnerable computer systems.
Obviously small organizations and home users who lack the skills of system administrators are even less likely to keep up with the flow of patches.

The Department of Homeland Security's Federal Computer Incident Response Center recently let a $10.8 million 5-year contract for a governmentwide patch management service to notify agencies about security holes in commercial software for systems on their networks and the availability of patches to fix them. The service is known as the patch authentication and dissemination capability [PADC]. The goal is to simplify patch management by providing administrators only with information relevant to their systems and ensuring that patches are genuine and effective. PADC went on-line in January of this year. According to officials, once agency system administrators have provided a profile of their systems and software, PADC will alert them to potential vulnerabilities, provide interim security advice until a patch is available, disseminate available patches and keep management informed of available patches and which ones their systems administrators have downloaded.

Large organizations such as business and educational institutions often rely on commercial firms to notify them of vulnerabilities. For example, there are several firms that offer vulnerability notification combined with analysis of the customer's computer system for those vulnerabilities. These firms also provide information on where to get the patches and prioritize them for administrators. In addition, the commercial critical infrastructure sectors depend on information from their information sharing analysis centers [ISACs], to help them respond to potential cyber threats. These ISACs are designed to allow members of a sector to share information about incidents to help increase preparedness and vigilance. The progress of Blaster demonstrates the importance of the early warning systems that ISACs are tasked with developing.
Independent researchers discover most vulnerabilities. These researchers may be academics, consultants or Black Hats. The Organization for Internet Safety is working with software vendors, consultants and other interested parties to formalize procedures for dealing with vulnerabilities, including vendor notification and control disclosures. There's a very important role for government to play in these disclosure procedures. It is no longer acceptable for vendors to determine on their own schedule who gets notified and when. Given the potential national security risk that can emanate from the exploitation of a vulnerability, it is imperative that the appropriate government entities be involved in this process from the beginning.

Vulnerabilities in software and the worms and viruses that exploit them have become a fact of life for the Internet. The government, law enforcement and private industry must develop and continue to update a plan to deal with these emerging threats. How can we educate home and small business users to minimize the risk posed by zombie computers? How can researchers, the government and software industry work together to identify and remedy vulnerabilities in the most instructive manner? And how will the Federal Government evolve an effective patch management program? What can be done to expedite the discovery and prosecution of cyber criminals who release worms and viruses? And most important of all, how can the Federal Government, law enforcement and industry work together to protect the vital infrastructure of the Internet?

[The prepared statement of Hon. Adam H. Putnam follows:]

[Prepared statement submitted as graphics; TIFF omitted (T2654.001 through T2654.003).]

Mr. Putnam. We have an outstanding line up of witnesses this morning who will share with us their expertise as we explore worms and viruses and how we can better protect the Nation's computers.
As is the custom of this committee, we'll ask our witnesses as they are seated in panel one to rise and be sworn in.

[Witnesses sworn.]

Mr. Putnam. Note for the record that all of the witnesses responded in the affirmative. We will begin with our first witness, and we have three panels. The panels are rather large panels. They are unusually large for this subcommittee, but the scope of our topic demanded it. But we would ask that all of our witnesses adhere as best they can to our 5-minute rule. And I will introduce Mr. Dacey.

Robert Dacey is currently Director of Information Security Issues at the U.S. General Accounting Office. His responsibilities include evaluating information systems security in Federal agencies and corporations, including the development of related methodologies, assessing the Federal infrastructure for managing information security, evaluating the Federal Government's efforts to protect our Nation's private and public critical infrastructure from cyber threats and identifying best security practices at leading organizations and promoting their adoption by Federal agencies. In addition to his many years of information security auditing, Mr. Dacey has also led GAO's annual audits of the consolidated financial statements of the U.S. Government, GAO's financial audit quality assurance efforts, including methodology and training, and other GAO financial statement audits. We appreciate you being a part of this panel, and you are recognized for 5 minutes.

STATEMENTS OF ROBERT DACEY, DIRECTOR, IT SECURITY, GENERAL ACCOUNTING OFFICE; RICHARD PETHIA, DIRECTOR, CERT COORDINATION CENTER; LAWRENCE HALE, DIRECTOR, FEDCIRC, DEPARTMENT OF HOMELAND SECURITY; NORMAN LORENTZ, ACTING ADMINISTRATOR, ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET; AND JOHN MALCOLM, DEPUTY ASSISTANT ATTORNEY GENERAL, CRIMINAL DIVISION, DEPARTMENT OF JUSTICE

Mr. Dacey. Thank you, Mr. Chairman.
I am pleased to be here today to participate in the subcommittee's hearing on cyber incidents and the role of software patch management in mitigating the risks that these types of events will recur. I will briefly summarize my written statement.

The exploitation of software vulnerabilities by hackers and others can result in significant damage to both Federal and private sector computer systems, ranging from Web site defacements to gaining the ability to read, modify or delete sensitive information, destroy systems, disrupt operations or launch attacks against other organizations. The number of reported security vulnerabilities in software products has grown dramatically in recent years to over 11,000 cumulatively reported by CERT/CC since 1995. Factors increasing the risk of system vulnerabilities and exploits include the increasing complexity and size of software programs, the increasing sophistication and availability of hacking tools, increasing system interconnectivity combined with decreasing length of time from the announcement of a vulnerability until it is exploited, and decreasing length of time for attacks to infiltrate the Internet. Although generally available before vulnerability exploits are launched, patches are too frequently not installed, resulting in damages to unpatched systems. My written testimony refers to several of these exploits and summarizes the responses to two recently reported serious vulnerabilities.

Given these increasing risks, effective patch management programs have become critical to securing both Federal and private sector systems. Key elements of a patch management program include top management support; standardized policies, procedures and tools; dedicated resources and clearly assigned responsibilities; current technology inventories; identification of relevant vulnerabilities and patches; patch risk assessment and testing; patch distribution; and monitoring systems through network and host vulnerability scanning.
There are several efforts to address software vulnerability in the Federal systems, including OMB reporting requirements concerning agency patch management programs as part of the Federal Information Security Management Act [FISMA]; NIST patch management guidance; and FedCIRC incident reporting, handling and prevention services. For example, as you mentioned in your statement, FedCIRC provides PADC, a patch notification service, which provides agencies at no charge with information on trusted authenticated patches for their specific technologies. PADC currently has 41 agency subscribers, although OMB recently reported that actual usage of those accounts is extremely low.

A number of commercial tools and resources are available that can assist in performing patch management functions more efficiently and effectively, such as identifying relevant patches, deploying patches, scanning systems for vulnerabilities and providing management reporting.

In addition to implementing effective patch management processes, several other steps can be taken to address software vulnerabilities. These include one, deploying other technologies such as antivirus software, firewalls and other network security and configuration tools to provide a layered defense against attacks; two, employing more rigorous software engineering practices in designing, implementing and testing software products to reduce the number of potential vulnerabilities; three, improving tools to more efficiently and effectively manage patching; four, researching and developing technologies to prevent, detect and recover from attacks as well as identify perpetrators; and five, ensuring effective tested contingency planning processes and procedures.

Mr. Chairman, this concludes my statement. I will be pleased to answer any questions that you have at this time.

[The prepared statement of Mr. Dacey follows:]

[Prepared statement submitted as graphics; TIFF omitted (T2654.004 through T2654.023).]

Mr. Putnam. Thank you very much, Mr. Dacey. I appreciate you adhering to our 5-minute rule as well.

Our next witness is Richard Pethia. Mr. Pethia directs the CERT Coordination Center, which conducts security incident response activities and fosters the development of incident response infrastructures that lead to rapid correction of vulnerabilities and resolution of incidents. Working out of the Software Engineering Institute at Carnegie Mellon University, he has been tracking vulnerabilities for 15 years. Before coming to SEI, Mr. Pethia was the Director of Engineering at the Decision Data Co. He has over 30 years experience in both technical and managerial positions. You are recognized for 5 minutes, Mr. Pethia.

Mr. Pethia. Thank you, Mr. Chairman, and thank you especially for the opportunity to testify on the issue of defending against cyber viruses and worms. At the CERT Coordination Center since 1988, we have handled over 260,000 security incidents and have helped to resolve over 11,000 vulnerabilities, published hundreds of security alerts and security best practice guides and provide training in a variety of security topics.

Worms and viruses are both in a more general category of programs called malicious code.
Both exploit weaknesses in computer software, replicating themselves and attaching themselves to other programs. They spread quickly. By definition, worms are programs that spread without human intervention once they have been introduced into the system. And viruses are programs that require some action on the part of the user, such as opening an e-mail attachment.

Today these worms and viruses are causing damage more quickly than those created in the past and are spreading to the most vulnerable of all systems, computer systems of home users. The Code Red worm spread around the world faster in 2001 than the Melissa virus did in 1999. Just months later, the NIMDA worm caused serious damage within an hour of the first reported infection. And in January of this year Slammer had significant impact in just minutes.

Virus and worm attacks alone have resulted in millions of dollars of loss in just the last 12 months. The 2003 computer crime survey states that viruses are the most cited form of attack with an estimated cost of over $27 million across the approximately 500 respondents to the survey. Estimates on the Blaster worm and the SoBig.F virus range from $525 million to more than $1 billion in loss. The cost estimates include lost productivity, wasted hours, lost sales and extra bandwidth cost.

For the past 15 years we have relied heavily on fast reaction to ensure the damage is minimized. But today it's clear that reactive solutions alone are no longer adequate. Many attacks are now fully automated and spread with blinding speed. The attack technology has become increasingly complex, increasing the time it takes to analyze the attack and produce countermeasures. We have been increasingly dependent on the Internet. Even short interruptions in service cause significant loss and can jeopardize critical service. Aggressive, coordinated, continually improving response will continue to be necessary, but we also must move quickly to put other solutions in place.
System operators must adopt security practices such as information security risk assessments, security management policies and secure system administration practices. Senior managers must provide visible endorsement and financial support for these security improvement efforts. They must also keep their skills and knowledge current and educate their users to raise awareness of security issues and improve their ability to recognize and respond to problems.

Technology vendors must also take steps such as producing virus resistant or virus proof software, dramatically reducing the number of implementation errors in their products that lead to vulnerabilities, and providing secure out of the box configurations that have security options turned on rather than require users to enable the functions.

The government can also help by taking a multi-pronged approach: Using its buying power to demand higher quality software, holding vendors more accountable for defects in released products and providing incentives for low defect products and for products that are highly resistant to viruses. Information assurance research is also needed to yield networks capable of surviving attacks while preserving sensitive information. Among the activities should be the creation of a unified and integrated framework for all information assurance, rigorous methods to assess and manage risk, quantitative techniques to determine the cost benefit of risk mitigation strategies, systematic tools and simulation tools to analyze cascade effects of attacks and new technologies for resisting, recognizing and recovering from attacks, accidents and failures. More technical specialists should be trained to expand its scholarship programs to build the university infrastructure we will need for the long-term development of trained security professionals.
And to encourage safe computing the government should support the development of education material and programs about cyber space for all users, including home users and small businesses, support programs to provide early training and security practices in appropriate use.

In conclusion, our dependence on interconnected computing systems is rapidly increasing and even short-term disruptions from viruses and worms have major consequences. Our current solutions are not keeping pace with the increased strength and speed of attack and our information infrastructures are at risk. The National Cyber Security Division formed by the Department of Homeland Security is a critical step toward implementation of some of these recommendations. However, implementing a safer cyber space will require the NCSD and the entire Federal Government to work with State and local governments, the private sector to drive better software practices, more secure products, higher awareness at all levels, increase research and development activities and increase training for special computer users and all users. Thank you.

[The prepared statement of Mr. Pethia follows:]

[Prepared statement submitted as graphics; TIFF omitted (T2654.024 through T2654.036).]

Mr. Putnam. Thank you very much. Our next witness is Mr. Hale. Lawrence Hale is the Director of the Department of Homeland Security Federal Computer Incident Response Center [FedCIRC].
He has been active in the information assurance community since 1996, when he served the chairman of the Joint Chiefs of Staff as an information assurance action officer working on security interoperability issues. While at the Pentagon Mr. Hale was a member of the Joint Staff Information Operations Response Cell during a number of exercises and actual cyber events, which have helped to shape U.S. Government policy in dealing with computer security. In January 1999, Mr. Hale became the first uniformed military officer assigned to the National Infrastructure Protection Center at the FBI Headquarters. While there he worked to improve the process of issuing warnings of cyber related events and served on the Y2K task force for the FBI. He retired from the U.S. Navy as a commander in May 2001, has a Master's Degree in national security and strategic studies from the Naval War College and a Master's in aeronautical science from Embry-Riddle. Welcome to the subcommittee.

Mr. Hale. Good morning, Mr. Chairman and Ranking Member Clay. On behalf of the Federal Computer Incident Response Center of the Department of Homeland Security, thank you for this opportunity to appear before you to discuss how we can protect the Nation's computers. I am Lawrence Hale, Director of the FedCIRC, which is part of the Department of Homeland Security's Information Analysis and Infrastructure Protection Directorate. FedCIRC is the Federal-civilian government's trusted focal point for computer security incident reporting, providing assistance with incident prevention and response.

Within the Department of Homeland Security Information Analysis and Infrastructure Protection Directorate is the newly established National Cyber Security Division. The National Cyber Security Division is responsible for coordinating the implementation of the national strategy to secure cyberspace.
Key functional areas within the division include Risk Threat and Vulnerability Identification and Reduction, Cyber Security Tracking, Analysis and Response Center and Outreach Awareness and Training. The FedCIRC is now a component of Cyber Security Tracking, Analysis and Response Center. The National Cyber Security Division has combined the information gathering and analytical capabilities of the cyber watch elements of the National Infrastructure Protection Center and the FedCIRC and coordinates with the National Communication System. By doing this, the National Cyber Security Division not only has the added benefit of enhanced resources but the synergy of knowledge created from the unique resources from each of these watch elements. The Federal Government's ability to limit the effects of the recent wave of worms and viruses on its networks demonstrates how these collaborative relationships work and how each participant's contributions help to assess and mitigate potential damage.

FedCIRC has the goal of securing the Federal Government's cyberspace. FedCIRC, as noted in the e-Government Act of 2002, the Federal Information Security Management Act, serves as the Federal information security incident center for the Federal civilian government. FedCIRC is the central government non-law enforcement focal point for coordination of response to attacks, promoting incident reporting and cross agency sharing of data about common vulnerabilities. As such, FedCIRC must compile and analyze information about incidents that threaten information security and inform Federal agencies about current and potential information security threats and vulnerabilities.

FedCIRC demonstrated the National Cyber Security Division's enhanced coordination role during the recent wave of worms and viruses.
Working closely with the CERT Coordination Center and software providers, FedCIRC identified the potential impact of newly disclosed vulnerabilities and developed corrective actions and mitigating strategies. Federal civilian agencies were advised of the existence of these vulnerabilities and given actionable information on reducing their exposure to the threats before attack programs were released. Patches were developed, validated and disseminated to agencies. And working closely with OMB and the Federal CIO Council, agencies were instructed to take action to address the vulnerabilities and report their status. As a result of these measures, the Federal Government was better prepared to avoid damaging impact when the exploit code was released in the attack phase of these events. The National Cyber Security Division has a number of initiatives underway to aid in threat and vulnerability reduction. As was mentioned, the majority of successful attacks on computer systems result from hackers exploiting the most widely known vulnerabilities in commercial software products. The problem is not that patches to fix these vulnerabilities don't exist, but that existing patches are not quickly and correctly applied. Agencies must have a plan for how patch management is integrated into their configuration management process. FedCIRC's patch authentication and dissemination capability [PADC], a Web-enabled service that provides a trusted source of validated patches and notifications on new threats and vulnerabilities, is a first step. FedCIRC's vision is to build from the ability to provide validated patches to developing a more enhanced IT configuration and vulnerability management program that will automate the process. By automating the process, agencies will no longer have the burden of having to manually apply patches, which will enable them to have more time to focus on building a more robust configuration management program.
In closing, I would like to assure the committee that the National Cyber Security Division is committed to building on the success FedCIRC has achieved in helping Federal civilian agencies protect their information systems from the most damaging effects of malicious code. The National Cyber Security Division must now translate this success to a national scale. I look forward to continuing to work with OMB and the Congress to ensure that we are successful in this important endeavor.

[The prepared statement of Mr. Hale follows:]

[GRAPHICS OMITTED: T2654.037 through T2654.040]

Mr. Putnam. Thank you very much, Mr. Hale. I would like to welcome our distinguished ranking member and vice chair of the subcommittee as well, and we will be taking their opening statements at the conclusion of the first panel's remarks as well. Our next witness is Norman Lorentz. Mr. Lorentz joined the Office of Management and Budget in January 2002 as Chief Technology Officer, the Chief e-Government Architect for the Federal Government. Mr. Lorentz is responsible for identifying and developing support for investments in emerging technology opportunities that will improve the Government's technical information and business architectures. Prior to joining the Federal Government, he was senior vice president and chief technology officer for the IT career solutions provider, Dice, Inc. In this capacity he directed the development of technology strategy and infrastructure. He was also the firm's chief quality officer and a member of the executive committee. He brings to OMB extensive experience in government. From 1998 to 2000, he was senior vice president and chief technology officer for the U.S. Postal Service. In 1998, he received the Board of Governors Award, the U.S.
Postal Service's highest recognition, and this year was named as a Federal 100 winner as well as receiving recognition by InfoWorld magazine as 1 of the 25 most influential CTOs in the United States. And this is your last appearance before a congressional committee as a public servant with OMB, as you will be leaving that agency and moving back into the private sector. So we appreciate your service to the government and to this subcommittee, and you are recognized.

Mr. Lorentz. Thank you, Mr. Chairman, and good morning, members of the committee. Thank you for inviting me to discuss this important topic of worm and virus defense. My testimony today will address how the Federal Government protects its IT systems from this pervasive threat. By design, worms and viruses can cause substantial damage and prove disruptive to normal business operations. For this reason it is important for the Federal agencies to continuously and rapidly take proactive measures to lessen the number of successful attacks. The month of August proved to be an unusually busy time for malicious code activity, beginning with Blaster and then quickly followed by the SoBig.F worm. In general, the Federal Government withstood these attacks and the impact on citizen services was minimal. Agencies have improved their protection against malicious code by installing patches, blocking executables at the firewall and using antivirus software with automatic updates. Agencies, however, did report modest impacts associated with both worms to date. Reports from Federal civilian agencies show approximately 1,000 computers affected by each exploit. This impact ranged from a slowdown in agency e-mail to temporary unavailability of agency systems. A number of laptops proved to be susceptible to the infection since configuration management was uneven on these portable devices. The Federal Government's ability to thwart worms and viruses depends on a number of interlocking management, technical and operational controls.
It is critical that these controls continue to evolve to keep pace with this increasingly sophisticated threat. First, how are vulnerabilities discovered? DHS's Federal Computer Incident Response Center [FedCIRC] closely coordinates with a number of industry as well as government partners. These partners include Carnegie Mellon CERT, law enforcement and the Intelligence Community. These organizations routinely communicate advance notice to DHS regarding the discovery of software vulnerabilities and the development of malicious code. Second, how are agencies notified about these vulnerabilities? OMB and the CIO Council have developed and deployed a process to rapidly identify and respond to cyber threats and critical vulnerabilities. CIOs are advised via conference call as well as followup e-mail of specific actions necessary to protect agency systems. Agencies must then report through FedCIRC to OMB on the implementation of those required countermeasures. This emergency notification and reporting process was instituted for the Microsoft RPC vulnerability in July, and as a result the agencies were able to rapidly close vulnerabilities that otherwise might have been exploited by the Blaster worm. There are mechanisms that exist for protecting systems. The National Institute of Standards and Technology [NIST] recommends that the agencies implement a patch management program, harden all hosts appropriately, deploy antivirus software to detect and block malicious code, and configure the network perimeter to deny all traffic that is not necessary. As part of its statutory responsibility under FISMA, the National Institute of Standards and Technology will publish in September draft guidelines for incident handling. The guidelines will discuss how to establish and maintain an effective incident reporting and response program with an emphasis on incident detection, analysis, prioritization and containment.
The guidelines will include recommendations for handling certain types of incidents, including distributed denial of service attacks and malicious code infections. Last, the problems presented by patching systems. Patch management is an essential part of any agency's information security program and requires a significant investment in time and effort. Agencies must carefully follow predefined processes in order to successfully remediate system vulnerabilities across the enterprise. A number of agencies utilize automated tools to push the patches to the desktop. The automation of the patch management process is significantly easier when the agency maintains a standardized software configuration. At present, 47 agencies subscribe to FedCIRC's PADC capability. This service validates and quickly distributes corrective patches for known vulnerabilities. In closing, OMB is committed to a Federal Government with resilient information systems. Worms and viruses must not be able or allowed to significantly affect agency business processes. OMB will continue to work with the agencies, Congress and GAO to ensure that appropriate countermeasures are in place to reduce the impact of malicious code. Thank you very much.

[The prepared statement of Mr. Lorentz follows:]

[GRAPHICS OMITTED: T2654.041 through T2654.044]

Mr. Putnam. Thank you very much. Our next witness is John Malcolm. Mr. Malcolm is currently a Deputy Assistant Attorney General in the Criminal Division at the Department of Justice, where his duties include overseeing the Computer Crime and Intellectual Property Section, the Child Exploitation and Obscenity Section, the Domestic Security Section and the Office of Special Investigations. Pretty robust portfolio. An honors graduate of Columbia College and Harvard Law School, Mr. Malcolm served as a law clerk to judges on both the U.S.
District Court for the Northern District of Georgia and the 11th Circuit Court of Appeals. For 7 years Mr. Malcolm was an Assistant U.S. Attorney in Atlanta, GA, where he was assigned to the Fraud and Public Corruption Section. Mr. Malcolm also served as an Associate Independent Counsel in Washington, DC, investigating fraud and abuse at HUD. Prior to rejoining the Department of Justice in August 2001, Mr. Malcolm was a partner at the Atlanta law firm of Malcolm & Schroeder, LLP. Thank you for sharing your time with us. We look forward to your testimony, and you are recognized for 5 minutes.

Mr. Malcolm. Thank you for giving me this opportunity to testify about the Department of Justice's ongoing efforts to protect our Nation's critical infrastructure from the growing problem of Internet-borne worms and viruses. Although computer viruses have been around for a long time, the ubiquity of Internet access and household ownership of computers in the United States have manifestly increased the deleterious impact of viruses and worms on our critical infrastructure and on our daily lives. It seems that nearly every week we learn the name of a new computer virus or worm that exploits flaws in commonly used software and quickly spreads through the Internet. Some of these, like the Blaster worm, make the front pages of newspapers. These viruses and worms are merely the tip of the iceberg. They are just the ones that receive the most public attention. Hundreds more are released every year, posing a daily challenge to those who are responsible for protecting networks and investigating network attacks. The effect of these viruses and worms should not be underestimated. For example, in the United States, the Slammer worm shut down the automatic teller machine system and caused significant transportation delays when electronic ticketing used for airline travel was affected. The Blaster worm and its variants have affected hundreds of thousands of computers.
Moreover, since the Internet is seamless and borderless, the harmful impact of worms and viruses is not limited to our country but affects countries across the world. Clones or new variants of malicious code continue to crop up, raising concerns that more damaging variants are right around the corner. In many cases succeeding generations of viruses and worms will build on their capabilities, adding additional harmful payloads. The worldwide damage to computers and data, as well as the productive time lost as the result of worms and viruses, is measured in the millions and by some estimates in the billions of dollars. This damage has an undeniable adverse effect on important sectors of our economy and potentially undercuts the security of our Nation's critical infrastructure. The Department of Justice has devoted significant resources to investigating and prosecuting persons who release malicious code on the Internet. These efforts have met with some success. It bears mentioning, however, that tracking the sources of worms and viruses on the Internet is difficult and presents unique challenges to investigators because of the speed with which programs are spread and fundamental characteristics of computer networks, particularly in peer-to-peer network applications. It is difficult to determine precisely where an outbreak begins since simultaneous file transfers can occur on computers literally throughout the world. Although tracking the sources of computer worms and viruses is difficult, the Department of Justice is fully committed to effectively investigating such attacks. The Criminal Division's Computer Crime and Intellectual Property Section helps coordinate investigations of computer crimes of all sorts, including virus and worm attacks. These prosecutors in turn train and work with computer hacking and intellectual property units and computer and telecommunications coordinators in each of the 93 U.S. Attorneys' offices across the country.
Together this network of prosecutors, working with law enforcement agents from the Secret Service and the FBI and using important tools provided by the Patriot Act, provides an integrated approach to addressing computer crime. Because the perpetrators of offenses may live in other countries, the investigations involve an international component that draws upon the Department's contacts with law enforcement counterparts abroad. Indeed, international cooperation is a foundation of the Department's strategy for combating cyber crimes, including worms and viruses. Our efforts are rewarded whenever evidence is obtained from foreign countries that furthers domestic investigations or when we are able to furnish similar assistance to other countries. In addition to international outreach, Department attorneys and agencies regularly meet with industry, trade groups and State and local law enforcement officials in order to improve communication. The Department of Justice pursues a message of a culture of security where both individual users and corporations view computer security as a key component of a successful computing experience. Experience sadly teaches us that much of the damage to our computer networks is caused by teenagers and young adults armed with free hacking tools, plenty of time and too little moral teaching about how to use computers and how not to use computers. Therefore, the Department has also pursued educational programs directed to youth, their teachers and parents. We describe the program as cyber ethics. In fact, CCIPS has published an article, authored by the section chief, dealing with cyber ethics in the current issue of Newsweek. The Department of Justice continues to make progress in its battle against computer crime and intellectual property theft. Recognizing the challenges ahead, we look forward to continued success in our efforts. Mr. Chairman, that concludes my prepared statement. I look forward to getting your questions.
[The prepared statement of Mr. Malcolm follows:]

[GRAPHICS OMITTED: T2654.045 through T2654.056]

Mr. Putnam. Thank you very much and thank all of you for your adherence to our time restrictions. At this time I will introduce the ranking member of the subcommittee, the distinguished gentleman from Missouri, Mr. Clay.

Mr. Clay. Thank you, Mr. Chairman, especially for calling this hearing, and my thanks to the witnesses who have taken the time to be with us today and share their expertise. Computer bugs like worms and viruses are one more example of the complexity of the world we live in. On the other hand, they are one more example of the frailty of human beings and the difficulty of legislating appropriate behavior. Many worms and viruses we have seen are nothing more than the exuberance of youth experimenting with newly found freedoms and skill. As has always been the case, the pranks of youth can have consequences well beyond their capability to understand those consequences. Last week, the FBI arrested a Minnesota high school senior and charged him with intentionally causing and attempting to cause damage to computers protected under Federal law. He faces a $250,000 fine and 10 years in prison. This young man was so naive that he built into his computer bug a direct link to his own computer. Catching him was not difficult. However, the damage done was real.
The worm attack he participated in forced shutdowns of computer systems at the Federal Reserve Bank of Atlanta, the Maryland Motor Vehicle Administration, the Minnesota Department of Transportation and part of 3M facilities, including a plant in Hutchinson. Unfortunately, most hackers are not as naive as this Minnesota teenager nor as benign. One of the earliest publicly documented cases of hacking was in 1988 at the Lawrence Berkeley Lab. Cliff Stoll, an astronomer turned systems manager at Lawrence Berkeley Lab, was alerted to the presence of an unauthorized user in the inner system by a 75-cent accounting error. His investigations eventually uncovered a spy ring that was breaking into government computers stealing sensitive military information. We are faced with developing public policy that recognizes both the exuberance of youth and the real threat to our government and corporations by those who seek to do us harm. One element of that public policy must be a renewed attention to preventing these attacks. Mr. Chairman, I will not go through this entire statement, but I think you have indicated that you are working on legislation that would encourage corporate America to do a better job of securing their computers, and I look forward to working with you on that legislation. The problems faced by corporations are much like those facing the Federal Government and we should work together to solve those problems, and I will submit the entirety of my statement for the record. Thank you.

[The prepared statement of Hon. Wm. Lacy Clay follows:]

[GRAPHICS OMITTED: T2654.057 through T2654.060]

Mr. Putnam. Thank you, Mr. Clay, and without objection your entire statement will be included in the record. And at this time I recognize the distinguished vice chair of the subcommittee, the former Secretary of State of the great State of Michigan, Ms. Miller.

Mrs. Miller. Thank you, Mr.
Chairman, and I apologize for being late this morning. I had an opportunity to speak on the floor about the second anniversary of the horrific attacks on our Nation. I certainly appreciate you holding the hearing today, and with the recent computer virus attacks on our Nation's information infrastructure the importance of this hearing is undeniable, timely and certainly appropriate. And with three panels testifying, I will be very brief in my opening statement. The focus of today's hearing is to examine what steps are being taken to protect the information infrastructure, at both the public and the private levels, from the spread of viruses. And we in the Federal Government certainly have the responsibility of protecting our citizens and ensuring that the infrastructure individuals and businesses rely on is secure. In addition, the government must protect its own systems in order to function efficiently and effectively, and this dual responsibility makes the task facing the Federal Government particularly challenging. In April of this year testimony was submitted by Robert Dacey of the GAO to the subcommittee citing a November 2002 cyber attack that affected both private and government networks and caused $900,000 in damage to computers. This is obviously a significant figure. And if a large scale cyber attack were implemented, not only would the damage caused to computers be considerable but the additional financial loss and damage to the physical infrastructure could seriously affect the operations of our Nation. And actually we in the House of Representatives have firsthand knowledge of how potentially devastating these viruses can be. The recent Blaster and SoBig virus attacks of just a few weeks ago nearly crippled the House e-mail network by overloading servers with a complex array of erroneous messages.
Fortunately, the combined efforts of House Information Resources and the systems administrators in the Members' offices limited the extent of damage that the virus creators had likely hoped for. In fact, these attacks likely inhibited our Nation's ability to adequately respond to the vast power outage experienced by the eastern half of our Nation. I certainly shudder at the thought of what could happen to everyday businesses if a successful virus or worm crippled our Nation's power grids or financial networks, the Internet, government networks or any other infrastructure that we rely so heavily on. Viruses are a new weapon of attack for those who wish to do harm to this great Nation. The creators of these weapons are terrorists, quite frankly, cyber terrorists who want to disrupt our way of life and to cause considerable harm to our economy and infrastructure. And as with the terrorists that we are fighting with conventional means, these cyber terrorists are using the freedoms that we hold dear against us. They can unleash an attack on our soil from anywhere in the world, and we must be prepared. Mr. Chairman, thank you for holding this important hearing. Certainly protecting our Nation's information infrastructure must be a top priority of the Congress. Thank you.

Mr. Putnam. Thank you very much, Mrs. Miller. We will get to the questions. Mr. Hale, what percentage of the Federal Government had already downloaded the patch for Blaster prior to its release?

Mr. Hale. Mr. Chairman, I don't have the exact figure with me. It is safe to say that in the approximately 4 weeks between the time the vulnerability was announced by Microsoft and the advisories from FedCIRC were issued, the vast majority of agencies had downloaded the patches, and I will, if given the opportunity, try to provide you a more measured answer in writing.

Mr. Putnam. What percentage of the Federal Government subscribes to FedCIRC's program?

Mr. Hale.
All Federal agencies receive advisories from FedCIRC; for the PADC program in particular, 47 Federal agencies are subscribing to PADC. But PADC is just one part of an agency's patch management strategy, and many agencies have other methods of getting their patches, testing them and applying them. The information in the advisories provided by FedCIRC goes to all agencies.

Mr. Putnam. So then, Mr. Lorentz, how many different options are utilized by the various agencies to handle patch management? Sounds like some contract with the private sector. Some do it internally. Some subscribe to PADC. So we've got a lot of different approaches to doing that.

Mr. Lorentz. There are different approaches. We do not dictate which method they use. As part of our FISMA oversight, we do require them to have specific plans, risk mitigation, patch management. We are soon to get the annual FISMA reports on September 22nd on that. But the important issue here, as you can tell from the testimony of everyone here, is that the only way we're protected is if all the dots are connected: the configuration management, the patch management, the management oversight to make sure those processes are implemented as appropriate, the adherence to the information provided by FedCIRC. So there can be variation in the tools, but there cannot be variation in the expected outcome or how those dots are connected in order to mitigate the problem.

Mr. Putnam. Mr. Malcolm, you mentioned a number of issues about the law enforcement approach to computer security. How many people have actually served time in jail for releasing malicious code, worms and viruses?

Mr. Malcolm. There are a couple of instances that immediately come to mind. One was Mafiaboy in the United States, who was actually prosecuted in Canada. He ended up getting a sentence. There was David Smith, who was arrested and charged and successfully prosecuted for releasing the Melissa virus. I believe he got a 20-month term of imprisonment.
I would add in that regard that the U.S. Sentencing Commission is reevaluating the guidelines as they apply to these sorts of offenses and we expect significant increases. There have been other perpetrators who have been identified, of course. Mr. Parsons was alleged to have--he has only been charged. He is presumed to be innocent. I don't know, if convicted of those offenses, what kind of prison term he would get. I can get back to you with a more precise answer as to that.

Mr. Putnam. We have heard testimony that there are hundreds of viruses per year and millions or maybe even into the billions of damage done. Is there a different attitude or is there a different approach about cyber crimes than there is about other types of crimes? Have our sentencing guidelines, our judicial system, our laws, our legislative branch not kept up with the technology that can promulgate new types of threats?

Mr. Malcolm. In terms of keeping up with the laws, obviously emerging technologies present all kinds of problems for law enforcement, and so we need to constantly reevaluate the state of our laws. And in the USA Patriot Act, one of the provisions now provides for nationwide service of process of pen trap orders and an explicit recognition that pen trap orders apply to noncontent interceptions over the Internet. That is an important step in conducting these sorts of investigations. I am not going to suggest that it is going to be the last such step that is necessary. It's certainly true that as these worms and viruses become more sophisticated and proliferate at a greater rate, the potential damage is real. I think historically there has been a perception that crimes taking place in the physical world are somehow more serious than crimes taking place over the cyber world. I believe that perception is rapidly breaking down, and I expect the prosecutions and sentences to increase.

Mr. Putnam. Mr. Pethia, Carnegie Mellon has done much more work on this than anyone.
I would like you to comment on this different attitude. When we had conversations with the private sector when I was in Silicon Valley, the analogy always used is that people rattle their door knobs and rattle their locks thousands of times per day, depending on which firm it is. Obviously you have high profile targets in the IT world and some are lower. But some are getting thousands of door rattlings per day and they choose not to report it. They don't want to give any uneasiness to shareholders or to consumers, so they just accept it as part of this Internet culture, and it results in hundreds of true viruses per year. Is there a different attitude about the Internet and crime and consequences?

Mr. Pethia. I don't know about a different attitude, but I sense a certain complacency, that people have become so accustomed to the problem and are often so overwhelmed with the problem, so unable on their own to change some of the root causes of the problem, that they've simply chosen to live with it as best they can. You're right, many don't report the attacks, but, again, many are so trivial and so common that if you were to report them, it's not clear what anyone would do with all of that data. In fact, separating the wheat from the chaff, the serious attacks from the trivial, has become an increasing challenge for all of us who do any kind of incident response. Buried in all of this are the serious attacks like the Blasters and the SoBigs and the people who are intent on doing malicious damage. But I think the widespread recognition is that the problem's here and it's serious, but I think individuals don't know what they can do above and beyond putting controls in place in their own organizations.

Mr. Putnam. You don't think that there's necessarily a different attitude about it?

Mr. Pethia.
I think it's more an attitude of complacency and acceptance and just frustration over not knowing what steps they can take as individual organizations or as individuals to make a difference.

Mr. Putnam. Have you ever heard of something called a Black Hat convention?

Mr. Pethia. Sure.

Mr. Putnam. What is that?

Mr. Pethia. There are a number of different conferences. There are two that are typically held every year. When people talk about the Black Hat conference, it is a conference for people who at one time wore black hats; they broke into and attacked computer systems. That conference is now typically attended by white hats and not black hats, but they talk about weaknesses in software. They talk about what can be done to improve the situation. They talk about how to exploit some of these problems, so they recognize very much how widespread and serious this problem is, and in their own ways they try to take steps to get corrections out to the world.

Mr. Putnam. What percentage of those who are attempting to hack into computers and exploit code vulnerabilities, what percentage of them are bright, capable teenagers seeing what they can do, and what percentage of them are malicious? What percentage are based offshore, and what percentage are based domestically?

Mr. Pethia. Those are good questions. I wish we had answers to those. You know, we all have our guesses, but I don't know of anyone who's done any detailed studies about what's called the Internet underground, what the composition of that culture is or even what the economy is. There's an underground economy that's growing, that trades in things like account names and passwords and Social Security numbers that are pirated and drivers' license numbers that are pirated, and I don't think any of us really has a good understanding of what that culture is or how big it is or how many different kinds of people play in it.
One thing that is really clear is that it is literally child's play to break into many of the systems that we have today, and when the level of skill needed to attack a system is so low, you can expect all kinds of players to come into that arena.

Mr. Putnam. When the conventioneers, whether they're wearing black hats or white hats, when they come together out of the goodness of their hearts, talk about ways to improve the system and draw attention to different software companies' vulnerabilities, do they ever ask for money or credit or acknowledgment or anything in exchange for disclosing that information?

Mr. Pethia. There certainly are cases where these individuals have tried to extort money from vendors in order to not publicly disclose patches or vulnerabilities in their products. We've certainly seen cases where individuals have tried to extort organizations because they've uncovered weaknesses in their operational systems and have expected money in return not to make that public or to exploit those vulnerabilities in some way. So there is a maliciousness there in some cases.

Mr. Putnam. Mr. Malcolm, do you have any other comments about the source and origin and nature of these hackers? Are they primarily international, domestic, teens, professionals?

Mr. Malcolm. I think you can really break that down into different categories, in that you have a core group of committed, highly sophisticated hackers who come up with sophisticated worms and viruses, and then unfortunately what they do frequently is, there are chat rooms and Internet sites, news groups in which hackers communicate, and literally somebody who develops a very sophisticated hacking tool can put it out there so that so-called script kiddies, unsophisticated people who just happen to go to that site, can then utilize that tool. So the level of sophistication can vary dramatically among hackers, and because these tools are made available on the Internet, lots of people can then implement them to cause damage.
I think that because the Internet is borderless and seamless, and there are people who are hell-bent on destruction and technically savvy around the world, you have perpetrators who are domestic and perpetrators who are international. Mr. Putnam. Thank you very much. Mr. Clay. The Chair recognizes. Mr. Clay. Thank you. Let me ask any of the three, Mr. Dacey, Hale, and Lorentz: Did the Department of Homeland Security collaborate effectively with Microsoft and the antivirus companies in the Department's effort to issue advisories? And you can start, Mr. Lorentz. Mr. Lorentz. In our view, the proof is in the results. The problems were, for the most part, in general, mitigated, and there were two pieces of that. First of all was getting the information out about the remediation, which they did, and then was really following up and holding the agencies accountable on our behalf, to make sure what the implementation was and reporting that back, and we did that in a manner so that we could share what people's experiences were. So, in our view, it was in both of these incidents that we've had recently they did a fine job. Mr. Putnam. Thank you. Mr. Dacey, anything to add? Mr. Dacey. In terms of that, I'd just like to add one thing. We did do some analysis and gathered information with respect to the two vulnerabilities, the Microsoft RPC and the Cisco, and in those cases there was a fairly active discussion and reporting that took place on those two. As Mr. Lorentz indicated, for those two specifically, which were deemed critical, there were separate teleconferences and data requests that were sent out to agencies to ask, you know, what they had done and whether or not they had patched their systems in response to them. 
I think that is a process which has taken place, I believe, on a few of the occasions prior to this, but I know that there is some opportunity there which would be acknowledged to improve that process, to make sure that people have been communicated to in a rapid manner by standardizing processes and procedures for that communication to occur. But I would also defer to Mr. Hale, who could probably speak more to the specifics of those interactions. Mr. Clay. Great. Mr. Hale. Yes, sir. I appreciate the remarks of my colleagues, and I just wanted to point out that those, as well as the Cisco vulnerability, the IOS vulnerability that has occurred in the past 3 months has been the major events in cyber incidents that have occurred since the formation of the national Cybersecurity Division, and so those are indicative of the kind of coordination and collaboration that this Division has started to do and intends to build on to improve not only the information-sharing among the Federal agencies, but also with the critical infrastructure protection community. Mr. Clay. Let me ask you, Mr. Hale, in creating the Homeland Security Department, Congress moved the Federal Computer Response Team from GSA to Homeland Security. How has this move affected that group? Did anyone leave the Agency, rather than move, as we saw with some other agencies, and did the move affect the group's ability to respond to any of the more recent attacks? Mr. Hale. The effect was entirely positive, sir. The FedCIRC was under GSA, had a focus on the security of Federal agencies in providing a service to Federal agencies, our customer base, and thanks to the provisions of FISMA, Federal Information Security Management Act, FedCIRC was able to remain focused on that mission and continue to provide our services to our customers. 
We didn't lose any staff members as a result of going to the Department of Homeland Security; in fact, recruiting to fill our vacancies became increasingly easier because there were a lot of people who were very interested in becoming part of our efforts to help cybersecurity and the Federal agencies, and by joining forces with the National Infrastructure Protection Center and the other elements of NIAP, we've actually improved our ability to gather information and disseminate information to the customer base. Mr. Clay. Let me ask you, Mr. Malcolm, recent viruses and worms, such as Code Red, Nimda, and Slammer, have brought large portions of the Internet to a halt, caused extensive expenses and lost revenue, and consumed the attention of tens of thousands of computer security professionals, computer network administrators and users. These are serious crimes. Have law enforcement officials found and arrested the individuals responsible for these viruses and worm attacks? Mr. Malcolm. They've also consumed the time and attention of a lot of dedicated law enforcement agents. Of course, the Department doesn't comment about ongoing investigations; however, I think it is safe to say that with each of the worms and viruses you have identified, those are all matters of ongoing investigation in which we work cooperatively with our international counterparts. We have some successes, as with the criminal complaint that's been filed in the variant ``B'' of the Blaster worm, but I think it is safe to say that there is a lot more work to be done, and unfortunately, we not only have to act retroactively, but because these worms and viruses come out weekly, we have to react prospectively as well. Mr. Clay. Are the individuals who are responsible for these attacks, are they still at large today? Mr. Malcolm. Other than those who have been arrested either here or overseas by international counterparts, yes, they're still at large, unless they've died. Mr. Clay. 
And you work with international law enforcement, too? Mr. Malcolm. Twenty-four hours a day, 7 days a week. Mr. Clay. How many have you arrested out of the viruses that I named, the three that I named, Code Red, Nimda and Slammer? Mr. Malcolm. I don't know the answer to that question. I believe they are all matters of ongoing investigation. I'm not sure off the top of my head of any arrests in those particular cases, but I can go back and check, and if there's anything that's a matter of public information, I'd be happy to furnish it. Mr. Clay. Would you share that with us? Mr. Malcolm. If that's public information, I certainly will. Mr. Clay. Thank you, Mr. Chairman. That's all. Mr. Putnam. Thank you. Mrs. Miller. Mrs. Miller. I thank you, Mr. Chairman. I'll just ask a couple of questions here, but I think the nature of my questions is reiterating what all the committee members are talking about here and what is really happening as far as the attitude that our Nation has and our Justice Department, our law enforcement has toward these cyberhackers. You know, I was following here in the papers recently where the recording industry has filed all these lawsuits against the file sharers. I know 200 lawsuits or whatever. Obviously, that's not really terrorism, unless you're a recording star, you're losing all this money, right? But I was interested in the response of these college kids who are downloading all this music and are getting sued, and they certainly don't care about that. We're going to continue to down--I mean, their attitude is unbelievably cavalier, I think, to breaking the law by using electronic means to do so, and perhaps that is part of the problem we have with these cyberhackers is the attitude of our legislature, of our law enforcement; I mean, are we serious enough? And as you were mentioning, some of the--you know, is it just college kids who are doing this? Obviously not. 
You've got the whole realm of different kinds of people who are doing the cyberhacking. Have you ever done a psychological profile? I mean, these people are terrorists that are trying to shut down, as I was mentioning, power grids or those kinds of things. That's not downloading music. Let me ask you first about that, as far as the Justice Department. Has there been a psychological profile? I mean, there must be some type of common trait, common element. It would be like an arsonist, right? You see the fire services do profiles of arsonists. These are people that burn buildings and stand back, and there's a whole profile about these kinds of people that perpetrate that kind of crime. Mr. Malcolm. I'm not aware of any psychological profile. I think that perhaps I could contrast the situation with an arson in that unless somebody wants to literally kill somebody inside a building, arsonists tend to be motivated by one purpose, and that is to collect the insurance money. In terms of hackers, I think you run the gamut. You obviously have, perhaps, terrorists who are interested in exploiting critical infrastructure for destructive ends. You can have political ``hacktivists'' who go on to deface Web pages of something that they are protesting. You have sophisticated hackers who take pleasure in trying to stay one step ahead of the technological development of law enforcement, who take pleasure in their ability to outwit law enforcement by masking their activities. And you also have, as I say, these script kiddies who are more or less with respect to their use of the computers who were out there on a lark. They all cause harm of varying degrees. We take them all seriously. Mrs. Miller. Let me just ask one other question in regard to the Patriot Act. 
You mention the Patriot Act, and the Patriot Act, of course, there's been a lot of consternation talked about the Patriot Act of whether or not privacy--a lot of privacy advocates are concerned about how the Patriot Act is being implemented, how you are identifying and apprehending culprits. I'm a supporter of the Patriot Act, and I'm just wondering how that particular tool has assisted the Justice Department in our law enforcement, and are a lot of these concerns being raised by the Patriot Act impeding your ability to prosecute, apprehend people, identify them, etc.? How is the Patriot Act helping you? Mr. Malcolm. There are several questions in there that kind of cut across a broad swath. Let me respond to the more narrow question, then I can fill in as you would like me to. With respect to hacking investigation, any crime that is taking place online, time is absolutely of the essence. If you can catch somebody while they are in the act or trace their communications either in real time or very shortly thereafter, your odds of catching somebody go up dramatically. Internet service providers don't retain records typically for a very long period of time, and people can very quickly cover their tracks. There are a number of provisions in the Patriot Act that help. There is, one, the hacker trespass exception of the Patriot Act. If somebody breaks into a system, the owner of that system now can give consent to the government to go in and track the activities of that hacker while they are taking place. Certainly the ability to go and get a pen/trap order in one district and use that order to follow the communications from ISP to ISP to ISP, to get those records frozen as quickly as possible, has proven of invaluable assistance. There are other tools such as nationwide service process for search warrants, subpoenas, all of which have been instrumental in terms of these investigations. Mrs. Miller. Thank you. My last question just to the panel, I suppose. 
Obviously, the Federal Government has their own role to play in protecting our own information and security systems and that, but I think the public needs to be educated on security, computer security, as well. I'm not sure who I'm asking this question to; any of the panelists, I suppose. Do you have a feeling that there is a role for the Federal Government to play in regards to educating the general public about security safety and how important it is? Mr. Pethia. I'm going to start just by saying I think that's something that I think is a strong role for the Federal Government, and it needs to happen across the country with people of all ages and all occupations. Starting at the elementary school level or where we teach students about computer skills, we need to teach them about computer ethics and the risks of working with computers and interacting in the Internet age. We teach our children how not to get into cars with strangers. We should teach them how not to get into chat rooms with strangers as well. So from there all the way up through the home user, the retired home user, all of these people are vulnerable to some kind of problems because of security or lack of security on the Internet, and I think there is a strong role for the government there to put together that kind of awareness, to put together those kind of training programs and make them broadly available. Mr. Lorentz. I think I would just add I think that our government has a responsibility to our citizens. As part of the management agenda, security is clearly one of the things we are looking at. It cuts across public and private-sector activity. We do have a role in clearly communicating what's acceptable, what's not, creating that common language, if you will, and it begins with exhibiting the behaviors that we would wish to see. Mr. Hale. I would definitely endorse the statements. 
In fact, with home computers being connected and always on, it's nothing short of a patriotic duty to maintain the security of your home computer because it can be used to attack other computers by other people. Mrs. Miller. Thank you Mr. Chairman. Mr. Putnam. Thank you, Mrs. Miller. Mr. Malcolm, are there differences among nations in the laws regarding cybercrimes, and are there other nations who have particularly more effective means of enforcing them and have a greater success rate in prosecution, and are there certain countries that are more or less helpful to us in investigative work? Mr. Malcolm. I think the short answer to all of those questions was yes. There are a couple of things that I can say in that regard. One is we cooperated with our international counterparts throughout the world in terms of drafting the now--well, it hasn't been ratified in this country, but the now implemented accounts in the Europe Cybercrime Convention. One of the beauties of the cybercrime convention in addition to encouraging international cooperation is that it mandates signatory countries to update their substantive and procedural laws with respect to computer hacking offenses, which would include worms and viruses. Mr. Putnam. Updates them to presumably a certain standard? Mr. Malcolm. That's right. Mr. Putnam. And are we already at that standard in the United States? Mr. Malcolm. We're constantly retinkering, but, yes, we try to maintain the highest standard that we can. We work cooperatively with Congress in that endeavor. And I would add that the Department of Justice, although not uniquely--the Department--the State Department certainly, too--goes overseas and works with legislators and law enforcement officers in other countries to try to keep their laws updated as well. 
From other entities, such as the G-8, there is a high-tech unit that's called the 24/7 network in which we are able to communicate with law enforcement counterparts in these fast-breaking investigations on a moment's notice, 24 hours a day, 7 days a week. There are 30 countries that are members of the high-tech 24/7 network. We're encouraging other countries to join. Some countries have better facilities, training, more money to devote to this effort than other countries, but we're encouraging all of them to stay current. Mr. Putnam. But you're not aware of any one particular area of the world that is a source of more hacking attempts than another? Mr. Malcolm. The answer to that question, with respect to Internet piracy, with respect to hacking, I don't know the answer to that question, Congressman. Mr. Putnam. Mr. Pethia, do you? Mr. Pethia. No, not that's been sustained over any long period of time. For a while, there were a number of viruses that for some reason came out of Bulgaria, and you see short periods of time where you'll see an increase of activity from some geographic area, but nothing that I know of that's been sustained over a long period of time. Mr. Putnam. We may hear more about this in later panels. For the OMB, how long does it take, because everyone has different patch management systems--are you able to measure how long it takes for all of the computers to download the patch when a particular vulnerability is released and the patch is also then released? Do you know when everyone has taken advantage of it? Mr. Lorentz. I can answer the more management aspect of that and later get into the technical, because they basically act as our agent in that. But we literally are advised of the vulnerability, we call attention to the vulnerability. FedCIRC makes the agency aware of what the remediation of the patch is, and then we specifically set a time to get back to monitor the adherence to the remediation. 
And it's in the last two incidents that's exactly what we did, and I would feel quite sure that FedCIRC probably has some cycle time issues that they can look at in terms of how long it actually takes, but, you know, there's two aspects to all of this. The most significant aspect is the management aspect, and that is holding people accountable once they know, and it's mutually accountable to CIOs as well. Once they know that there is an incursion, that the patch has to be applied, and that there's accountability to apply, then there's the obviously technical nature of things, and there's a number of technical capabilities that are equally effective, but I would pass it to Larry on the cycle time question. Mr. Hale. For the 47 subscribers of patch C, we can tell when they download, but even that is--can be a misleading statistic, because one download can serve thousands of computers, and an agency may download one time and take care of their whole enterprise with that. So we've tried developing metrics with industry with the software manufacturers, and that's the constant refrain is you can't measure how many computers have been inoculated by a single download, but it's the best thing we've got is to tell that agencies are downloading the patches. Now, with the patch C system, agencies can also--once they've inoculated their systems, they can enter in the report and say--it requires a manual entry, but say that we've completed 90 percent or we've completed 99 percent or 100 percent of computers affected by this vulnerability, so there's a method built in for reporting back. Mr. Putnam. Mr. Malcolm, if someone were to break into Coca Cola's headquarters in Atlanta and go into the office and steal the recipe for Coca Cola, what would be a ballpark estimate assuming they were arrested and convicted, what type of consequence would they face for that? Mr. Malcolm. Mr. Chairman, there are a lot of variables that would go into answering that question. Mr. Putnam. Ballpark. 
I'm not a judge. Mr. Malcolm. Well, in the interest of trademark infringement, theft, I would estimate statutory penalties at 10 years or so, depending on whether or not the person has a prior record. That would obviously affect their sentencing guidelines. There are just too many variables for me to answer that question, without having a guideline book in front of me, but obviously the factors are what are the charges, what is the severity of the loss, what is the person's past criminal record? Mr. Putnam. Well, what would it be if they hacked into Coca Cola's computer system and downloaded the secret recipe? Mr. Malcolm. Same answer: You would have all sorts of variables as to whether or not they abused a position of trust, what was the damage that they caused. It could obviously be, in the case of Coca Cola, a major company, a major loss, a significant period of time. Mr. Putnam. Would it be significantly different than had they physically taken it? Mr. Malcolm. There are different guidelines factors that would take into account the fact that a computer was used, and special skills were used, and, depending on who this person was, whether or not they abused the position of trust. There are, under the sentencing guidelines--there are just too many individual case-specific factors for me to give you an accurate answer to your question. I think it is safe to say that if this was a major product and caused a serious loss, I would expect the dollar figure to be high, and that will dramatically increase the sentence since the major factor that is taken into account by the sentencing guidelines is the loss to the victim. Mr. Putnam. OK. There are hundreds of viruses released every year, according to the testimony of this panel. The damages range into the billions, according to your testimony. Mr. Malcolm. Yes. Mr. Putnam. If you could only recall two arrests, two convictions, two jail times--you mentioned David Smith and one other. 
Now, I asked, what's the source of the threat? Well, we really don't know. Is it foreign or domestic? Well, we really don't know. That seems to reinforce a premise that cybercrime is treated vastly different than some other crime that caused billions in damage and shut down power grids and shut down departments of transportation and threatened security systems within and without the government. It would suggest that there is a different approach, a different attitude, a different level of concern about cybercrime. Would you agree or disagree with that? Mr. Malcolm. I would reject that implication totally. There are, of course, other instances in which perpetrators had been identified; for example, the fellow in the Philippines who promulgated and released the ILOVEYOU virus. I would also say that there are--you know, the Department of Justice is well aware, as is the Department of Homeland Security, that cybervulnerabilities are among the most critical problems that we have and could have a dramatic impact in terms of protecting our critical infrastructure. These are unusually complicated investigations in which very sophisticated people are very good at covering their tracks. To somehow suggest that just because there are fewer public arrests out there in the media, that this is not an absolutely high, high, high priority at the Department of Justice would be a completely wrong assumption to make. Mr. Putnam. OK. I take it at your word. Any other questions from the subcommittee members? Very well. We will dismiss panel one and seat panel two as quickly as possible. Thank you very much, gentlemen, for your input, and those of you who can, we would encourage you to stay around and listen to the private sector comments as well. [Recess.] Mr. Putnam. Very well. The subcommittee will reconvene. I've asked panel two to rise and please be sworn in. [Witnesses sworn.] Mr. Putnam. Note, for the record, all the witnesses responded in the affirmative. 
We appreciate you being seated as quickly as possible, and we will move straight to your testimony. I would ask that you be as good about maintaining our 5-minute rule as the first panel was. Our first witness is Mr. Gerhard Eschelbeck, overseeing Qualys' engineering and operation. Gerhard Eschelbeck is responsible for protecting over 1,100 corporate networks. He's an internationally recognized security and distribution systems expert and was recently recognized as 1 of the 25 most influential CTOs by InfoWorld Media Group. Prior to joining Qualys, Gerhard was senior vice president of engineering for security products at Network Associates; vice president of engineering of antivirus products at McAfee Associates. He was a research scientist at the University of Linz, Austria, from which he earned his Master's and Ph.D. degrees in computer science. He has authored many articles and papers and is inventor of numerous patents in the field of network security automation, and is a frequent speaker at networking and security conferences worldwide. Welcome. Glad to have you at the subcommittee, and you're recognized. STATEMENTS OF GERHARD ESCHELBECK, CHIEF TECHNOLOGY OFFICER AND VICE PRESIDENT OF ENGINEERING, QUALYS, INC.; CHRISTOPHER WYSOPAL, CO-FOUNDER, ORGANIZATION FOR INTERNET SAFETY AND DIRECTOR OF RESEARCH AND DEVELOPMENT, @STAKE.INC.; AND KEN SILVA, VICE PRESIDENT, OPERATIONS AND INFRASTRUCTURE, VERISIGN, INC. Mr. Eschelbeck. Mr. Chairman and members of the subcommittee, thank you for the invitation to testify about my research on network vulnerabilities. The business of my company gives us a front row seat to new threats against networked computers and communications systems. Qualys provides an automated service over the Web to audit the security of networks. I've just analyzed more than 1.2 million network vulnerabilities found by our virus scanning service during a recent 18-month period. 
This vast data pool demonstrates that known risks are far more prevalent than anyone has imagined. Analytical data also demonstrates a new breed of automated Internet-borne viruses and worms that mock traditional security defenses. The source of data for my analysis was anonymous results from 1.5 million security audit scans made by organizations worldwide. We learned four themes that are called the laws of vulnerabilities. The law of half-life talks about the fact that it takes an average of about 30 days for organizations to fix 50 percent of their vulnerable systems within enterprises. The law of prevalence talks about the fact that half of the most prevalent and critical vulnerabilities are replaced by new ones each and every year. The law of persistence: Some old vulnerabilities recur due to the deployment of unpatched software as part of new rollouts. The law of exploitation, finally, talks about the fact that 80 percent of the vulnerability exploits are available within 60 days of public announcements. Automating defenses against these threats is crucial, because human-based efforts are not working. In each case of recent damaging strikes, we've had advanced warning; weeks, even months, to prepare for known vulnerabilities, yet attackers were still able to hit hundreds of thousands of PCs and servers. Risks to network and system security are increasing because the triggers are becoming automated, requiring no human action to deliver destructive payloads. Earlier first-generation threats are virus-type attacks, spreading with e-mail and file- sharing. They require human action to trigger, such as opening an infected file attachment. An example would be the most recent SoBig virus. Second-generation threats comprise active worms leveraging system and application vulnerabilities. Penetration occurs without requiring user action. Replication, identification, targeting of new victims are automatic. 
Blended threats are common, such as incorporating viruses and Trojans. A third generation of threats is now posing trouble. We've already seen the potential for damage. The SQL Slammer worm rapidly hit more than 75,000 homes running Microsoft SQL server, caused major damage worldwide. SQL Slammer was the fastest worm ever, infecting more than 90 percent of the vulnerable systems within 10 minutes. A few days after Microsoft published a DCOM vulnerability in July 2003, Qualys's automated scanning service ranked this security vulnerability as the most prevalent vulnerability ever. Following the laws of vulnerability, Blaster and its derivatives appeared 3 weeks later, infecting more than 100,000 systems per hour at its peak. Urgency's now rising from a shortening discovery/attack cycle. SQL Slammer happened 6 months after discovery; Nimda was 4 months; Slapper was 6 weeks; and Blaster and Nachi came just 3 weeks after news of the vulnerability. Public policy for network securities should strongly encourage the use of automation as an equal force response to automated tools used by attackers. Automating defense strategies include regular security audits of networks and systems, keeping antivirus software up to date, timely patch management, and the ongoing variation of security policy. To summarize, many vulnerabilities linger, sometimes without an end. New attacks are capable of spreading faster than any possible human response effort. Protecting our networks is a continuous process of eliminating critical vulnerabilities on the regional, national and international scale. In conclusion, public policy should demand timely detection and a rapid application of remedies providing protection from these threats. Thank you for the opportunity to testify, and I look forward to your questions. Mr. Putnam. Thank you very much, Mr. Eschelbeck. [The prepared statement of Mr. 
Eschelbeck follows:] Mr. Putnam. Our next witness is Chris Wysopal. Mr. Wysopal is director of research and development at @stake.Inc, managing @stake's pioneering research in application security. His primary focus is building products to assure and test software security. Working with vendors and the general public, Mr. Wysopal was also responsible for managing @stake's vulnerability research and disclosure process. His career in the information security industry has spanned over 13 years where he has held positions in industry while also serving as regular advisor to various government agencies. Prior to joining @stake, Mr. Wysopal was senior security engineer at GTE Internetworking, formerly known as BBN, where he was the most senior engineer on the IT security staff. In addition, Mr. Wysopal is coauthor of the award-winning password-auditing program, LC3, which is used by more than 2,000 government, military and corporate organizations worldwide. And, finally, he is a founding member of the Organization for Internet Safety. Welcome to the subcommittee. We look forward to your testimony. Mr. Wysopal. Chairman Putnam and members of the committee, thank you for inviting me to testify today on the subject of protecting the Nation's computers from viruses and worms. This is a great honor for me. My company @stake consults for the Fortune 1,000, including four of the world's top software companies. We help them build more secure software and secure their infrastructures. I am also a founding member of the Organization for Internet Safety. OIS is a group of software vendors and security companies joined together to produce a process for reporting and responding to new vulnerability information safely. 
Today I would like to cover three pertinent issues: The software development process, the vulnerability research process, and finally, responsible vulnerability reporting and response. Unfortunately, in less than 72 hours, if an unpatched new computer is connected to the Internet, it will be compromised. This is indicative of the software flaws that affect our information economy. My first point is on software development, the root cause of the problem is software flaws. Every virus or worm takes advantage of a security flaw in the design or implementation of a software program. The flaw can exist almost anywhere inside a program that processes data directly from a network or from a file delivered by an e-mail attachment. This means that practically every software program in the age of the Internet falls into the category of requiring security quality processes during its development. If these processes are not in place and followed rigorously by the manufacturer, flaws will inevitably creep into the software during development, be discovered, and end up exploited. Automatic patching is a great solution for some computers, but many environments have requirements that don't allow patches to be applied in an automatic or even a timely manual manner. One of the key problems with patching is the Internet or the network the computer's connected to is the distribution system. This means that a computer needs to be connected to the Internet to be patched. The irony is the Internet is the attack vector that puts the computer at risk. As recent examples of worms demonstrate, reactive solutions are not keeping up with the speed of malicious programs. Many of the flaws found in software after it is shipped to customers are not found by the vendor. Many are found through directed research by vulnerability researchers. These are individuals who investigate the security of software for academic reasons, profit, or mere curiosity. 
A primary motivation of vulnerability research is altruistic. There aren't any independent or government watchdog groups looking out for the safety of the software that computer users use. Given this vacuum, researchers feel that someone should test and find vulnerabilities. They feel that every flaw they find and report is another flaw that will be fixed before a malicious person finds and exploits it. In this way, vulnerability researchers can make all computer users safer. Vulnerability researchers are performing a testing function that should have been done as part of the security quality assurance process by the vendor. Vulnerability researchers think differently than traditional software testers. They think from the perspective of an attacker.

The fact that there is a vast amount of software already deployed with latent undiscovered flaws means that we will be dealing with newly discovered vulnerabilities for the foreseeable future. A process for handling new vulnerability information in a timely and safe way is required. There is some debate in the vulnerability research community as to the best way to handle vulnerability information. However, most agree that it is responsible to inform the vendor of the vulnerable product and give them time to create a patch. 4,200 vulnerabilities were tracked by CERT last year. Almost all had patches available when the information became public, due to vulnerability researchers informing vendors prior to publicly disclosing.

The Organization for Internet Safety has published a process that these flaw-finders can use to report flaws to vendors and for vendors to respond to these reports, sometimes with a patch. The goal of the OIS process is to protect the computer user community as a whole. A balance was struck between the timeliness and reliability of patches and between helping sophisticated users and the majority of users who are unable to help themselves.
To conclude, software vendors face challenges building software. Vulnerability researchers can help find the flaws that vendors miss. Both need to come together to handle vulnerabilities safely. All I ask is a step in this direction. Viruses and worms are shutting down government offices and businesses for days. The impact grows each year. When a technology contains dangerous, unseen risks, we should have assurances that it is built properly. We need the ``electrical code for building software,'' and we need a way to assure that the code is followed. This will reduce the risk of insecure software at its source and strengthen the computer infrastructure for us all. Thank you.

Mr. Putnam. Thank you very much. Appreciate your input.

[The prepared statement of Mr. Wysopal follows:]

[GRAPHIC] [TIFF OMITTED] T2654.068 through T2654.077

Mr. Putnam. Our next witness is Ken Silva. As vice president for VeriSign's networking and information security, Mr. Silva oversees the mission-critical infrastructure for all network security and production IT services for VeriSign. In this role, he oversees the mission-critical network infrastructure for VeriSign's three core business units: security services, naming and directory services, and telecommunications services. His responsibilities include oversight of the technical and network security for the definitive database of over 27 million Web addresses in dot-com and dot-net, the world's most recognizable top-level domains. Additionally, Mr. Silva coordinates the security oversight of VeriSign's Public Key Infrastructure security systems. Mr.
Silva serves on the board of directors for the Information Technology Information Sharing and Analysis Center, and the executive board of the International Security Alliance. He advises and participates in a number of national and international committees for organizations, and he joined VeriSign with more than 20 years' experience in the telecommunications and security industry in his portfolio. Welcome to the subcommittee. We're delighted to have you. You're recognized.

Mr. Silva. Thank you, Mr. Chairman and other members of the subcommittee. VeriSign's pleased to have the opportunity to provide our views on the epidemic virus and worm attacks that continue to threaten the integrity and security of information systems we've all come to depend on. VeriSign is a company that's perhaps uniquely situated to observe the continuing assaults on our information infrastructure. Our company provides industry-leading technologies in three relatively distinct yet interrelated lines of business. These include telecommunications infrastructure services; management security and payment processing services; and directory and naming services. Our naming services business is dedicated to the management of the domain name system, including our operation of the A and J root servers. These are 2 of the 13 servers that allow you to find www.house.gov. Of the hundreds of millions of machines on the Internet, it would direct you to the correct one. In addition to that, for the last 10 years, we've managed the dot-com and dot-net top-level domains. Since 2000, I've managed VeriSign's resources dedicated to maintaining the security of these complex technology assets.

Today I would like to make three key points. First, we should not underestimate the significance of these attacks. Although the most recent worms and viruses have been labeled by some as nondestructive, they've cost American business in excess of $3.5 billion in August alone.
We can only imagine what the cost would have been had these destroyed data along their path.

Second, we should accept our shared responsibilities. Each of us has a responsibility. This includes lawmakers, government agencies, industry and private citizens. Government has a role both as a model of good security practices, as well as a thought leader in global security. Our citizens must be educated. We teach our children how to use computers in school, but do we teach them how to use them responsibly?

Third, we must resist the temptation to demonize individual participants in the network community. The finger-pointing in general is neither accurate nor helpful. It's all too easy to blame the operating systems manufacturer for flaws in their code or the network providers for not securing their networks. Many of the worms attack not only popular operating systems, but open source software as well.

Mr. Chairman, there are measures which will over time improve the security posture of our network, but there is no silver bullet that will miraculously solve our network security challenges. VeriSign's role over the past decade has led us to make significant investments in network hardware, engineering, research and development. Armed with that knowledge, we can deploy and advise others on the network how to deploy the very best configurations and maintain the stable and secure functioning of the Internet. VeriSign's unique monitoring capabilities allow us to watch as the virus propagates around the global network. As a result of VeriSign's constant vigilance, we're often among the first to recognize it, and as an attack develops--you can see our view up here shows our global constellation. I brought another slide with me, which is an example of the graphic data that we're able to monitor. This one shows a propagation of the SoBig.F virus in just a short 6-hour span on August 19.
There's another one following that, the next graphic, please, which today just happens to be the very day that this virus has decided to disarm itself. This was taken this morning. Following the September 11 attacks, we provided some of these monitoring capabilities to both the Defense Department's NCS and the FBI's NIPC, to enable them to observe and detect anonymous traffic on the network.

Our long experience and the most recent events like the Blaster worm reveal fundamental truths about our networks in the attacks. A few years ago, these things took months or weeks to propagate. Now they propagate in hours or minutes. Not only are the weapons behaving more aggressively, they're increasing their uniqueness, making selection of appropriate countermeasures difficult and uncertain. As a result of this growing risk and our growing dependency on our networks, I believe we must face up to the reality that these network attacks are every bit as threatening as physical attacks on critical infrastructures, warranting serious attention to strategies to defend against them and remedy their impact. Even when they don't bring down the network of a targeted site, the insult to the network's integrity still has observable and measurable consequences. At another level of damage, these attacks fundamentally threaten the core assets of the Internet, including the Internet root servers and top-level domains. There are larger costs to these attacks. I'd like to thank you for giving me the opportunity to appear before you today. Thank you.

Mr. Putnam. Thank you very much, Mr. Silva, and I appreciate your--all of you limiting your remarks to the 5 minutes.

[The prepared statement of Mr. Silva follows:]

[GRAPHIC] [TIFF OMITTED] T2654.078 through T2654.084

Mr. Putnam. Mr.
Silva, I get the impression that you had to cut yours a little bit short, so I'm going to give you the opportunity to expand on it by asking my first question about root servers. And, if you will, just take us in nontechnical terms to their role in the architecture of the Internet, and what their vulnerabilities have been in the past two viruses and worms, and what impact that could have in economic terms.

Mr. Silva. OK. Well, Mr. Chairman, the root servers are sort of the top of the Internet naming system, if you will. There's an invisible period at the end of every domain name that people don't see, and that happens to be the root, and then from there it goes .com; then, you know, Microsoft.com; and then www, etc. They're sort of at that very top level. No other computers can be found without the information that these provide. And then there's another layer down from that which VeriSign also operates, for dot-com and dot-net. The SoBig.F worm in particular had a unique attack that it presented on the A root server, and that the A and B root servers were--it's where that--that worm first looked to find out where an e-mail was supposed to be sent, OK? So if they wanted to send it to, you know, anyone, it would simply look to the root server first to find out where that mail server was. Now, in the Blaster worm, that didn't actually have an impact directly on the root servers themselves, because there was no protocol that the root servers were running or a particular name look-up that was required for that worm to spread.

Mr. Putnam. You mentioned and other panelists have made allusions to open source versus proprietary. Is one less vulnerable than the other, or if you would just comment a bit on the old debate between proprietary and open-source software, again, beginning with Mr. Wysopal. Let Mr. Silva think about his for a second.

Mr. Wysopal. The theory with open-source software is that it can be made more secure because there's more eyes.
Every single user has the potential, if they have the skill set, to find flaws in that software and then correct them for themselves or notify the maintainer to correct them. With proprietary software, the user has no way really of looking deeply into the software by examining the code, but, practically, users of open-source software are not expert code reviewers and don't have the time to actually review the code, so we see vulnerabilities sort of in equal proportion in both the open-source world and in the proprietary software world.

Mr. Putnam. Mr. Silva.

Mr. Silva. Yeah. I would agree mostly with what he said, except that there always has been this statement that, in the open-source world, the source code's available, and if you were running it, you could certainly look at it. I doubt seriously that you would know, 99.99 percent of the rest of the people who use it. In addition to the people who use the software not necessarily being expert code reviewers, in many of the cases people actually writing the software are not actually expert software writers either. So it's not that it's bad software, it certainly is good software, but it's no more or less vulnerable than the software that goes through rigid configuration management and software review standards.

Mr. Putnam. Mr. Eschelbeck, would you like to weigh in?

Mr. Eschelbeck. I do not necessarily see a relation between open source versus closed source from a vulnerability prevalence perspective. I don't think there is any analytical data that would support that. However, I do believe strongly that software that's more popular, more widely used out there has been reviewed much more widely and is more popular, and that's one of the main reasons why I think there are more vulnerabilities known about a software that's used widely rather than a software package that's not used at all out there.

Mr. Putnam.
What would be the impact, in terms of improved Internet security, if any, of the next generation of Internet, IPv6? Does that in any way alter security concerns?

Mr. Wysopal. I don't think IPv6 really alters the security concerns. What IPv6 does is it makes many more Internet addresses available, so we can have an Internet address for, you know, your wristwatch or any small object you could have, thousands or millions of times more Internet addresses with IPv6. It doesn't really address any security issues.

Mr. Silva. Well, actually, it does address some security issues, although probably not for the masses. There are protocols that are part of the IPv6 standard that would allow better authentication between IP addresses as they connect. Some of those capabilities have since been transferred to IPv4, such as IPsec, which is what many of the VPN tunnels use today, but for the general Web server, probably not. You know, just for the average computer on the network that doesn't need to authenticate every single user, it's probably not going to offer anything new for them.

Mr. Putnam. Mr. Eschelbeck, do you wish to add anything?

Mr. Eschelbeck. I would say exactly the same thing. I think there are a lot of improvements in IPv6, and it's clearly the right step in the right direction, but there are still pieces missing that we don't do in IPv6 today, like in the new protocols that are coming up. And particularly if you look from a vulnerability perspective, IPv6 is not going to address the vulnerability problem. That's really the reality why we are here today, why we're looking for vulnerabilities and how to address them. So IPv6 is certainly the way to move from an authentication, from an encryption perspective, and it would fix some of those underlying issues, but would not fix all of the security issues that we are facing today.

Mr. Putnam. Thank you. I will stop there and recognize the ranking member, Mr. Clay.

Mr. Clay. Thank you, Mr. Chairman.
And any one of you can attempt to answer these questions. Let me start out by asking: What motivates people to engage in computer hacking? I mean, let's start on this end of the table.

Mr. Eschelbeck. I do think that there is--obviously, if you look back in history, mostly what we have seen, some of the attacks really didn't have any specific target in mind. They were mostly like who is the first who is going to launch a worm on the Internet, and that was the result we have seen in traffic congestion, things like that. But I clearly see moving forward motives in mind. If I look at Blaster, it was probably the biggest turning point we have seen here, by Blaster introducing the ability to deliver a payload that actually does something malicious, other than just creating noise on the Internet. And in this particular case with Blaster it was the denial of service attack against Microsoft, and I do see some transit that is clearly the opportunity for more active payloads coming in future worms. They were motivated by motives that we don't know and fully understand at all.

Mr. Clay. Mr. Wysopal.

Mr. Wysopal. I think the main motivation is experimentation and exploration, but these people who do this experimentation don't take into account any sense of ethics, and they don't really care that their experiments cause harm to others.

Mr. Clay. Mr. Silva, what do you think about it?

Mr. Silva. I don't really have anything to add.

Mr. Clay. All right. Let me ask you, there has been much discussion about information-sharing and cyber vulnerability issues between the government and the private sector, and within the private sector. Are there any legal or policy barriers that continue to impede information-sharing and cooperation? Mr. Silva, we can start with you.

Mr. Silva. Well, there are a number of issues related to antitrust, OK, that have been raised amongst companies sharing information amongst a select group of people, that's not publicly available.
More recently--or, excuse me, prior to that, one of the issues was FOIA, quite frankly, sharing information between government and industries and having, you know, the possibility that a publicly traded company with, you know, some known vulnerability that if they made that information available to the government would somehow be available through FOIA. Some action has been taken in that direction, but those are probably the two main impediments there.

Mr. Wysopal. I think another main impediment is companies trying to refrain from looking embarrassed, basically. A lot of companies such as financial services companies and banks are among the most trusted financial institutions, and people expect the highest level of assurances to protect their money, you know, their privacy, and it could be embarrassing. It could be a competitive advantage for some of their competitors to say, you know, put your money with us. You know, your privacy will really be protected with us. They say they do, but look at this, this, and this. So I think a lot of it is competition and fear of embarrassment.

Mr. Clay. Very interesting. Yes, Mr. Eschelbeck?

Mr. Eschelbeck. I would actually agree with Chris's statement. I would like to add one point here. What we see as well is those areas, those sectors, in general that are--have legislation for auditing requirements, for security auditing requirements, we see a bigger sense of urgency there in comparison to some of the areas that are not legislated today.

Mr. Clay. Going back to attacks and computer hacking, do any of you have any knowledge of foreign governments involved in cyberattacks? How is that different from hackers attacking for the fun of it? Let's start with you, Mr. Wysopal.

Mr. Wysopal. It's very difficult to say where some of the malicious code, the exploit code, that's written or where some of this vulnerability research comes from.
It's difficult to say whether it's a foreign government, or it's just an individual in a foreign country. When we see some malicious code, we certainly see levels of sophistication that are equal to the most sophisticated in the world coming from countries such as China. It's fairly easy to tell because of the language differences where some of this is coming from, but it's very difficult to tell whether it's actually government-sponsored or just academics or just, you know, black hats.

Mr. Clay. Anybody else got anything to add? Mr. Silva.

Mr. Silva. Well, I think probably law enforcement intelligence representatives could probably answer the question as to the foreign sponsorship of the hacking probably better than any of us here could, but I have to say that I think most of these, at least from earlier testimony, have actually been caught. The few that have actually been caught have turned out to be young adults or teenagers. While I think we should be concerned about terrorist sponsorship or state-sponsored hacking and malicious activity, I think we should definitely not discard the fact that the vast majority of these appear to be coming from, you know, pranksters, OK, that have no political affiliation or governmental sponsorship. So, while I think it's important that we know if it is state-sponsored, I don't think that all of our efforts should be focused in that direction.

Mr. Clay. Perhaps any one of you can take a stab at this, but can the Federal Government use its procurement power to improve the security of computer software? Anybody have a thought on that?

Mr. Wysopal. I think definitely. The Federal Government is probably the largest purchaser of technology, especially software, and one thing that doesn't happen when people purchase software is an acceptance test for the security of that software.
Sometimes it's acceptance testing that has certain features or has a certain level of performance, but acceptance testing for security is more expensive and time-consuming, so no one really does it. If the Federal Government was to do that, the benefits would be to all the users of that software, because the Federal Government could say, you know, we spent a lot of money and tested this, and we rejected it, and we need to go back to the drawing board and build something secure. I think if that happened, the other users of software would say--or potential purchasers of the software would think twice about buying it, if the government wasn't willing to use it.

Mr. Clay. Thank you. Thank you very much, Mr. Chairman.

Mr. Putnam. Mrs. Miller.

Mrs. Miller. Thank you, Mr. Chairman. I am going to pick up on the ranking member's question here, but I think we are all struggling with this panel, members of the committee, with this panel on understanding what is the appropriate role of the Federal Government. And you are in the private sector, and--I mean, I am a person that generally thinks that less government is better and less government regulation is better. But because our society is becoming so unbelievably dependent on the Internet, on computers for communication purposes and for security purposes, for everything, the term ``vulnerability researcher,'' I guess I never really heard that before, as I listen to you say it. Now it is going to be part of my nomenclature here. But it's very descriptive, and I can understand what you're talking about there. Do you think that the Federal Government, first of all, has an oversight role? Should we be using our purchasing power to set standards out for software? What is the fine line of the government not overregulating private industry, but certainly having consternation about some of the security problems that are inherent in software?
What would your suggestion be on how far you think the government should be going here, and what is the appropriate action for the Federal Government? I mean, we just had this huge power outage in my State of Michigan, and we are looking to the Public Service Commission to regulate an industry. And I'm trying to understand everything about the energy policy of our Nation, but I could not tell you what the proper amount for a person to pay per kilowatt hour actually is. We rely on the experts. You are the experts in the software industry; and I think we are trying to struggle to understand what we need to do appropriately without overstepping our bounds into the private sector.

Mr. Wysopal. Well, one place where I think it's important for the government to regulate is when we get to issues of safety, you know, when we are talking about cars or airplanes or chemicals or things like that. Regulation of safety is important. There used to be, you know, something that you write documents with and safety wasn't an issue. But now when we're seeing these networks being interconnected with things like the power grid actually being connected directly to the Internet, you know, through maybe a few gateways, but you know, the worms got in. You know the worms can get inside, start to get to the issue of safety. And that's a place where I think some regulation is appropriate. You know, the software industry is a fast-moving industry and putting any regulation on it is certainly going to slow down innovation. There's no doubt about it. But maybe it's time to think about some limited safety regulations.

Mr. Silva. I think that there's a fundamental role of our government, whether Federal Government or State government, to provide education to our people, to our citizens.
If any of you happen to have a DSL or cable modem at home and would actually install a firewall on it and look at the logs, you would be shocked at the number of times penetration attempts actually hit your machine. It would just boggle your mind; it really would. But as I said in my testimony, or in my statement, we teach our children in almost every school in the country, we teach them how to use computers, how to use a word processor, how to boot a disk, but we don't actually teach them how to responsibly use the computers and what the consequences of their actions or inactions actually are. So I think that's a role that the Federal Government can play, as well as State government.

Mr. Eschelbeck. I think there are two areas, looking at it. On the one side we have, obviously, existing infrastructure that we need to look at from a security perspective, and that's probably going to give us an effort for the next 5 or 10 years. And there are specific ideas how those could be handled. However, there is the new software aspect: when new software comes out, there are standards in place like Common Criteria that are being used to secure--to improve security software. Such standards do not exist for any commercial-type applications. I am not asking for Common Criteria-type certification for any type of software, but some lightweight certification would give at least a seal of approval from a security perspective as far as the new technology that is coming out there. As far as the existing infrastructure we have in place today, I think we have to give the leadership perspective infrastructure so they can measure. The key part is, how do I measure security today? There are no tools or well-defined metrics out there.
And I think we have to give the leadership and the government, and industry as well, infrastructure tools and ways to measure their security, so that they can say, I am at level 4, I am at level 5, and in comparison to other agencies, for example, I am at this level. So there are ways I think those could be accomplished by putting infrastructure in place there.

Mrs. Miller. No other questions. Just a comment. I certainly picked up from both of the panels how important it is for education. You know, really the Internet is still relatively a new phenomenon. Ten years ago, 20 years ago, many people had not heard of the Internet or were not using it every day. The children now, of course--and perhaps it is generational--are leaping onto these computers. I was struggling yesterday trying to download my boarding pass, and all these things keep coming up on my computer saying, upload this right now or your computer is going to blow up or something. I'm trying to understand it all. But at any rate I certainly appreciate the testimony here today, and I think the government certainly recognizes again that society is becoming so dependent on electronic technology and how important it is for every generation to understand what the implications are of some of the cyber hacking, and how important it is for them to be able to use these tools properly and understand the ramifications of what they're up to. Thank you.

Mr. Putnam. Thank you, Mrs. Miller. Mr. Wysopal, if you would, you probably made the most extensive comments about researchers. Tell us a little bit about the category of researchers who would not be classified as altruistic, and their motivations; and I'm not asking you to psychoanalyze them, but how big a group are we talking about? Do they seek fame, seek money or simply the thrill of being able to discover the source code?

Mr. Wysopal. I think it's mostly the thrill of having power over computers on the Internet.
Part of the way that they keep score is how many systems, you know, have you compromised--the vulnerability that you discovered and wrote exploit tools for or malicious code for, how many computers can you compromise with that. So a bug that was exploited in a software package that was used by 100 people, no one will care about, but if you find a bug in a Microsoft piece of software which is used by millions of people, then you are looked at amongst your malicious peers as more important and a better black hat. And this is definitely a very serious problem, that people are able to find these vulnerabilities, and usually they keep them to themselves. They don't tell the vendors. They keep them to themselves or share them amongst a small group of people. So they can go into computers with impunity on the Internet and know that problem won't be patched. And that's a very difficult problem to control. The only way to control that is to actually design the software without the flaws to begin with.

Mr. Putnam. And that is an impossibility, right, to have a truly foolproof code?

Mr. Wysopal. Yes. There's no such thing as 100 percent secure. But as a company, we do security quality testing for many different software vendors, and we see a vast difference in the number of flaws we find in a piece of software which was developed by a secure development process, where training was given to the developers and they thought about security through the entire phase, from design to implementation to test, versus software where security is really an afterthought, where after the product is shipped, people say, maybe we should think about how to configure it better. When it isn't thought of from the very beginning, there is a big difference in the number of flaws that end up in the end product.

Mr. Putnam. Mr. Silva, you mentioned rule No. 2 was for everyone to accept more responsibility. You discussed the importance of education and things of that nature.
But with the prevalence of broadband, has responsibility shifted somewhat to providers or to cable operators or to telecommunications companies whose history and tradition and corporate culture would not ordinarily lead them to believe that protection against hackers or firewalls would be something of their responsibility?

Mr. Silva. Well, as I said in my statement, it is a responsibility of everyone, and I think--we always sort of gravitate to the natural thing to do, which is to sort of look at, is this not somebody else, is the responsibility shifting from one group to another? I don't think it's shifting; I think it's never changed. I think that ISPs, the people that we all use to connect to the Internet, have some level of responsibility. I think that the government, that industry, my company as well as all of the others, have a responsibility to do their part. For instance, the Blaster worm has been running around the Internet now for weeks, and the network providers are carrying the traffic around it. One would think they would see that traffic moving around in the network and either deal with it or at least work with a group of people to try to figure out how to mitigate this. At the same time, if they were to suddenly block that traffic, you know, I can assure you it will create other problems on the Internet. So I think we just have to work together and we have to find out what that magic fingerprint is. There are a lot of these companies that are carrying this traffic that aren't in the best of financial shape right now and probably aren't going to invest hundreds of millions of dollars into research and mitigation methods.

Mr. Putnam. Thank you very much. Is there anything that you have not been asked that you wish to comment on or perhaps respond to as a result of panel one, or do you have any additional comments before we seat panel three? Thank you all very much for your assistance and your input.
With that, we dismiss panel two and seat panel three as quickly as possible. And the committee is in recess.

[Recess.]

Mr. Putnam. We have panel three seated, and the committee will come back together. And I would ask that you rise, please, and raise your right hands to be sworn in.

[Witnesses sworn.]

Mr. Putnam. Let the record show that all the witnesses have answered in the affirmative. We will go straight to your testimony, and I would ask that you follow the examples of panels one and two and adhere to our 5-minute rule on opening statements. And I will introduce our first witness.

Greg Akers is senior vice president and chief technology officer for three strategic areas at Cisco--customer advocacy technology, corporate strategic security programs and government solutions. Within customer advocacy technology he and his team focused on how to most effectively use technology to improve Cisco's productivity and strengthen Cisco's relationships with its valued customers. Specific initiatives include technology engineering, autonomic and adaptive networking, cross-customer advocacy research and development functions, and Internet capabilities integration. He also leads Cisco's corporate strategic security programs with a focus on information security, intellectual property, security solution certifications, and cyber warfare. Additionally, Mr. Akers runs a government solutions team to address the unique requirements of government. The mission of this team is to provide solutions aimed at government's core business, enabling achievements of its mission to protect its citizenry. He has dedicated teams to address global defense in space, critical infrastructure protection, U.S. homeland security challenges and a government systems unit. His primary focus will be to adapt Cisco products and services to respond to the unique requirements.

Welcome to the subcommittee. We are delighted to have you. You are recognized.
STATEMENTS OF GREG AKERS, SENIOR VICE PRESIDENT, CHIEF TECHNOLOGY OFFICER, GOVERNMENT SOLUTIONS AND CORPORATE SECURITY PROGRAMS, CISCO SYSTEMS, INC.; PHIL REITINGER, SENIOR SECURITY STRATEGIST, MICROSOFT CORP.; VINCENT GULLOTTO, VICE PRESIDENT, ANTIVIRUS EMERGENCY RESPONSE TEAM, NETWORK ASSOCIATES, INC.; AND JOHN SCHWARZ, PRESIDENT AND CHIEF OPERATING OFFICER, SYMANTEC CORP.

Mr. Akers. Thank you. Chairman Putnam, Ranking Member Clay, thank you very much for the opportunity to testify today on this very important issue. Cisco is a provider of networking infrastructure for the Internet and intranets of all types. We provide end-to-end network solutions, connecting people to computers and networks all over the world, and align the work-play-live-and-learn without regards to differences in time, place, or type of computer they happen to use. Roughly 80 percent of Cisco's support transactions and 85 percent of Cisco's sales transactions are completed over our own company Web site. Therefore, we are very concerned about threats and the correct operation of the infrastructure of the Internet.

Rather than summarize the details already provided in my written testimony, in the short time today, I would like to provide recommendations to three specific groups--industry, individuals, and government--with specific actions to address some of these threats.

Vulnerabilities can never be completely eliminated, as has been previously stated. Establishing a product security response capability is a huge step toward reducing the threat. Another major improvement is gathering by setting up obvious e-mail and easy-to-use Web pages, by vendors and customers alike, so they are easily accessible, that will allow vendors to produce results for incidents as they incur. Most vendors today neither have a team nor modification methods in place.
Industry members can contribute greatly by establishing and publicizing product security processes, including taking minimum steps to establish a response team and create necessary links to facilitate incoming reports and outgoing announcements.

External reports of vulnerabilities are often accompanied with demands to publish in a short period of time, less time than the vendor needs to develop fixed software and work around and test these fixes completely. The public is generally unaware of the internal constraints influencing the vendors' schedules. Because every vulnerability and vendor is unique, time lines should be adjusted by the vendor and the external party for each situation individually. Vendors can help by streamlining their own schedules for producing software and by establishing expectations for negotiating flexible but effective time lines with all external parties.

Many individuals and groups fail to practice confidentiality regarding vulnerabilities and fail to maintain computer and networking systems at some moderate reasonable base line and vulnerability. The consequences can be severe. Individuals should act responsibly regarding vulnerability information. We have published the security advisories and encourage others to do the same. Some practice poor control over the need-to-know information regarding vulnerability. Some lack timeliness or otherwise detract from the overall success of the process. Numerous plans have been derailed or completely rerouted due to leaks, made more severe by late arrival of information or otherwise slowed down by lack of information or improper information. Participants are responsible for reporting vulnerabilities promptly and solely to the appropriate recipient, protecting the confidentiality and lending assistance as they are able to.

Vendor-neutral coordinating centers are valuable conduits for reporting and handling vulnerabilities.
The trust placed in such organizations by the worldwide network security community for the criticality of important coordination function might be jeopardized if it becomes too dependent on funding or other centralized government control, or any one individual entity within industry or the public sector. Government should ensure that coordinating centers are available, receive adequate funding from multiple sources and avoid dependencies that will treat any participant unevenly or in any other way unfairly.

Many are aware of the issue with the ``script kiddies,'' but not all are aware of the professional ``black hats'' who work for a combination of organized crime, terrorists, or nation-states. An entire marketplace that exploits vulnerabilities has sprung up on the Net and has easy-to-use tools, yet it is virtually unknown to the public. Government should increase funding and support for the development of the maturation of cyber intelligence, the advancement of information sharing, and the overall improvement of law enforcement's ability to prosecute cyber crimes.

One issue is common to all the action groups: Vendors respond to customers' demands. Buyers from all of these groups wield considerable influence at purchasing time. If product security or response team are important to you, the buyer should vote with the wallet. Specifying systems that meet the demands for more security are inevitably the ways vendors will respond, to include increased security measures in their products. Industry, individuals, and government can set effective examples for defining base line security requirements and require compliance to these simply by completion of sales.

The global nature of the Internet means that no single country or industry group can address vulnerabilities in isolation. Success in this arena requires public-private cooperation between all three of these entities.
As an example, consider the cooperation industry under the auspices of a national infrastructure assurance council, developing a vulnerability disclosure framework that should prove to be useful to all parties. The industry leaders I work with understand the roles and are willing to do their part to protect our national and economic security. The recommendations presented here would be a good starting point for improving the security posture for the entire Internet.

I want to thank you, Mr. Chairman, and the other subcommittee members for inviting me today. And I will be happy to answer any questions that you may have.

Mr. Putnam. Thank you very much, Mr. Akers.

[The prepared statement of Mr. Akers follows:]

[GRAPHIC] [TIFF OMITTED] T2654.085 through T2654.096

Mr. Putnam. Our next witness is Philip Reitinger. Mr. Reitinger is a senior security strategist with Microsoft Corp.'s Trustworthy Computing security team. The Trustworthy Computing Initiative at Microsoft is a long-term, company-wide initiative to promote the values of reliability, security, privacy and business integrity. Before joining Microsoft in January 2003, Mr. Reitinger was the Executive Director of the Department of Defense's Cyber Crime Center and the Deputy Chief of the computer crime and intellectual property section of the Criminal Division of the Department of Justice. Mr. Reitinger is the former Chair of both the Group of Eight's High Tech Subgroup and the National Cyber Crime Training Partnership's Vision and Policy Committee. We look forward to your testimony, Mr. Reitinger, and you are recognized for 5 minutes.

Mr. Reitinger. Good morning, Chairman Putnam, Ranking Member Clay. My name is Philip Reitinger, and I am a senior security strategist with Microsoft. I want to thank you for the opportunity to appear here today. Before joining Microsoft, as the chairman noted, I was the Deputy Chief of the Computer Crime and Intellectual Property Section of the Department of Justice, the Executive Director of the DOD Cyber Crime Center and the Chair of the G8 Subgroup on high tech crime. Thus, for some time I have been concerned with criminal threats to people and networks and with the challenges posed by responding to cyber crime. Responding to those challenges requires effective action on many fronts. Today, I would like to make four main points.

First, Microsoft is committed to continuing to strengthen our software to make it less vulnerable to attack. Microsoft under its Trustworthy Computing Initiative is working to create software for its customers to secure by design, secure by default, and secure in deployment. We are designing and writing software more securely, making it more secure out of the box and making it easier to keep secure. These goals are becoming ingrained in our culture and are part of the way we value our work.

Even so, there is no such thing as completely secure software. Therefore, and second, when security vulnerabilities are found, the process is to provide customers with the necessary fixes; they must be easy, fast and transparent so the customers can stay secure in deployment. For example, we have included an automatic update feature in recent Microsoft operating systems. My written testimony describes the additional steps we are taking in more detail. Our goal is to make patch application easier so that every single customer can readily have the appropriate patches installed and have his and her information protected.
Third, as the recent past so amply demonstrates, criminals will use computer networks to launch attacks, and we must be able to respond quickly and effectively. In the case of Blaster, before the worm was released, Microsoft built, tested, and delivered a remedy for the vulnerability which Blaster exploited. We then undertook extensive measures to advise customers of the need to apply the patch immediately and how to protect their systems. After the release of the worm, our efforts continued and expanded and included launching our Protect Your PC campaign, which included providing security information to users through publications such as the New York Times and the Washington Post.

In parallel with these public efforts, we undertook an in-depth review postmortem to understand how to reduce the likelihood of similar vulnerabilities occurring in the future. We carried out a full scrub of the subsystem that contained the vulnerability. And today we are releasing an additional patch fixing vulnerabilities we found. We know that security is a process of continuing improvement, and we are committed to that process.

Fourth, as a society, we need to devote increased resources to law enforcement personnel, training, equipment, and capabilities to prevent and investigate cyber crime. Technical and management solutions cannot prevent every cyber attack. Determined and sophisticated cyber criminals develop new means to break into systems and harm the on-line public. In this case, Microsoft worked closely with law enforcement efforts to identify the individuals or organizations involved, and created and released Blaster interference. But despite the best and laudable efforts of the United States and international law enforcement communities, it is still very hard to identify and prosecute cyber criminals worldwide. For example, the computer forensic challenges facing law enforcement are daunting.
The amount of data that is stored electronically is growing exponentially, and law enforcement's technical capability to extract critical evidence from this massive electronic data is falling rapidly behind.

In conclusion, the Blaster worm and its variants were serious criminal attacks against the owners and users of computer networks. These attacks merited and received equally serious attention from Microsoft, the government, our customers, and our partners. In the end, a shared commitment to reducing cyber security risk and a coordinated public and private response to cyber security threats of all kinds offers the greatest hope for promoting security and fostering the growth of a vibrant, trustworthy on-line world. Thank you.

Mr. Putnam. Thank you very much.

[The prepared statement of Mr. Reitinger follows:]

[GRAPHIC] [TIFF OMITTED] T2654.097 through T2654.108

Mr. Putnam. Our next witness is Vincent Gullotto. Mr. Gullotto is the vice president of research for AVERT, the Antivirus Emergency Response Team, the antivirus research arm at Network Associates. For roughly half a decade, Mr. Gullotto has been involved in the day-to-day operations of AVERT labs. Located throughout 18 cities around the world, AVERT labs is responsible for the research and discovery of computer viruses, including Melissa, Love Letter, and Bubble Boy. Are you the ones who name them?

Mr. Gullotto. Yes.

Mr. Putnam. So Bubble Boy was your idea?

Mr. Gullotto. Yes.

Mr. Putnam. Under his leadership, the AVERT group is credited with the discovery of the first wireless virus, Phage. Mr. Gullotto has developed the concepts and initial designs for a number of AVERT service and solution offerings, including programs such as WebImmune, the world's first Internet virus security scanner that resides on the Web, as well as the AVERT Malware Stinger, a stand-alone program designed to supplement antivirus programs. Mr. Gullotto, we are looking forward to your testimony and delighted to have you here.

Mr. Gullotto. Chairman Putnam, Ranking Member Clay, thank you very much for inviting me today to join the subcommittee and speak on behalf of a very serious problem we are having today, computer viruses and the evolving threat that we see going forward. As you stated, AVERT is an antivirus research arm for Network Associates. We are a global organization working 24 hours a day, 7 days a week, discovering new viruses and naming new viruses as well. In addition to this work, we also work participatingly with 27 other companies in the antivirus discussion network [AVED], and on a day-to-day basis work closely with law enforcement as often as possible to identify and investigate cyber attacks and cyber crime.

While my written testimony submitted for the record provides a recent history of computer viruses and worms, as well as descriptions and impacts of the most well-known ones, I want to focus my testimony on three important trends and followup with three recommendations.

First, Mr. Chairman, governments and companies have become more porous. In recent years, companies have opened their enterprise to serve customers better and improve productivity of employees and suppliers. Enterprises are becoming electronic sponges. They are porous, and it's getting harder to tell the inside from the outside.

Second, reported vulnerabilities are on the rise. We have already heard the number is on the increase, and they will continue to increase as time goes on.
The bad news is that this new threat, worms which exploit these vulnerabilities, can cause even greater damage than more traditional worms and viruses.

And third, the speed of cyber attacks has accelerated dramatically with a shrinking window of exposure between vulnerability and exploit. Attackers exploit a window of exposure between when the vulnerability is announced and when all the infected systems can be patched. Today, the time is short. It's a matter of hours in some cases or a matter of weeks and days. In the future we expect it to become even shorter. Once a vulnerability is announced, we may see an exploit within a matter of hours, and that vulnerability exploited in such a way that, within minutes perhaps, that exploit will be around the world. Denial of services like CodeRed and Nimda caused spread around the world in hours. And, of course, earlier this year we saw Slammer infect thousands of machines in just under 3 minutes.

How do we protect ourselves from computer viruses, worms, and other attacks? One key way is by moving from a traditional reactive approach to a security approach where proactive intrusive protection is used. What's required to close the window of exposure is protection in depth, including solutions that can be deployed before a new threat appears in the field, so that the threat simply bounces off the company's defenses. Intrusion prevention looks for anomalies, and attack signatures in response, by preventing the attacks from permeating the network or system defense. An intrusion prevention system protects a network from attack while providing breathing room and response time for analysts to fix vulnerabilities.

There are other steps we can take to make a real difference. While my written testimony has recommendations for enterprising consumers, for the sake of time, I would like to share three with the policymakers today.

First, we believe policymakers should embrace Cyber First Responders.
We respectfully suggest the cyber security industry, including those at the table here today, represent Cyber First Responders in our battle against the attacks on the information infrastructure. Policymakers, in addressing the threat of viruses, worms, and other attacks, should turn to these Cyber First Responders, who can provide policymakers with real-time, non-hype, accurate information about the nature of threats and the extent of the impact.

Second, policymakers should continue promoting a culture of security, a term used both in the United States and abroad, and here today as well. We believe the policymakers around the world can embrace this concept by continuing to shine a light on cyber security. Policymakers can support public awareness efforts such as the Stay Safe Online campaign; the government industry's collaborative bodies, including the Partnership for Critical Infrastructure Security; focus government leadership, such as the government's high-ranking single point of command that we hope will be announced soon; and real-time information sharing organizations, including the various vertical sector information sharing and analysis centers.

And finally, policymakers should increase support of long-term cyber security research and development. In addressing our cyber-security challenges, research and development plays a key role in allowing us to stay ahead of the next generation of attacks. Yet many experts in industry and academia agree that we are at risk of dropping the ball on critical R&D needs. In the area of R&D, we recommend that policymakers authorize the study of our Nation's critical infrastructure vulnerabilities, increase R&D funds to leading departments and agencies for collaborative R&D with industry and academia, refocus collaborative R&D on longer-term challenges and improve coordination amongst government-funded R&D projects.

As we commonly know in the industry, security is not a place to get to; it is an ever-evolving challenge.
We urge the subcommittee and Congress to continue to put energy into addressing the cyber-security challenge, and in return, I pledge to you our company's commitment to work with government and industry and academia to develop solutions to these urgent needs. I thank you for the opportunity to testify this morning and look forward to your questions.

Mr. Putnam. Thank you very much.

[The prepared statement of Mr. Gullotto follows:]

[GRAPHIC] [TIFF OMITTED] T2654.109 through T2654.123

Mr. Putnam. Our next witness is John Schwarz. Mr. Schwarz is president and chief operating officer of Symantec, responsible for Symantec's product development, incident response, sales, support, professional services, marketing and partner relationships. Previously, Mr. Schwarz was president and CEO of Reciprocal, Inc., which provided comprehensive business-to-business secure e-commerce services for digital content distribution over the Internet. Prior to taking the lead role at Reciprocal, Mr. Schwarz spent 25 years at IBM. Most recently, he was general manager of IBM's Industry Solutions Unit, a worldwide organization focused on building business applications and related services for IBM's large industry customers. He has held numerous development positions within IBM, including vice president of development for the company's Personal Software Products Division where he was responsible for IBM's OS/2 Warp and PCDOS product management systems development.
As the vice president of application development for the Software Solutions Products Group in Toronto, he was responsible for the development of worldwide product management of IBM's application development and distributed data base products business. We look forward to your testimony, Mr. Schwarz. Welcome to the committee.

Mr. Schwarz. Chairman Putnam, Ranking Member Clay, thank you for the opportunity to provide testimony on this important and timely subject, and thanks for that long personal history.

Today, much of our economy depends on critical assets that are in digital form. We are a society that relies more and more on information technology; yet, we have not taken the steps to protect those assets to the same degree that we have our physical assets. The cyber world is maturing and is a pervasive structure in organizations, as well as at home. It is also becoming more complex and vulnerable. The attacks are faster, less predictable, and more severe. The number of opportunities for exploitation also continues to grow at a rapid pace. In fact, it is estimated, on average, 250 new software vulnerabilities are discovered each month. These vulnerabilities are being exploited faster and more aggressively than ever. Again, on average, the industry is identifying 450 new viruses each month, with some very colorful names, with many reaching pretty high severity levels.

We saw the transition to ``blended threats,'' with worms like Code Red and Nimda containing multiple attack mechanisms. These blended threats, that combine the attributes of a traditional virus and a hack attack, typically resulting in a massive denial of Internet services, are truly the biggest threat we face today in the cyber world. Leveraging the vast number of new vulnerabilities, and through the introduction of destructive payloads, rapidly propagating blended cyber attacks represent a substantial future risk.
The next generation of attacks, known as ``flash threats,'' have the potential to infect massive portions of corporate networks or the entire Internet within minutes or perhaps even seconds. The recent Blaster or SQL Slammer worms saw hints of these types of threats. As you've already heard, SQL Slammer infected 90 percent of the initially vulnerable systems in approximately 10 minutes. Such threats require entirely new proactive systems to stop them. There's no reactive remedy that will ever be fast enough to protect against threats spreading at these speeds.

The interconnectivity of individuals, businesses, and government organizations is becoming ever more pervasive and continuous through always-on broadband connections. As a result, there is a vast, unmanaged computing capacity that is potentially available to the cyber criminals to launch massive denial-of-service offensives against selected targets or perhaps against the Internet as a whole.

Let me discuss some actions that we believe can improve our cyber security.

First, awareness and education, often mentioned today. Educating our consumers, our businesses, the operators of critical infrastructure as well as all levels of government, on the importance of protecting our systems is essential. We need a broad awareness campaign that reaches out to all users of the Internet. At the least, all users need to be made aware of the value of firewall and automatically updated antivirus technology, like putting seat belts in cars. The remote or wireless connected worker is becoming more prevalent and can unknowingly open up an otherwise secure community network to potential vulnerabilities and attack through unprotected wireless connections in the home or in the office.

At the enterprise and organization level, the issue of IT security has for too long been left to the security administrator, or the CIO. This needs to change. Cyber security needs the top leadership of the business or government organization.
As an example, the recent corporate governance legislation known as Sarbanes-Oxley significantly strengthened the rules pertaining to the financial management of all businesses. However, the legislation makes no mention of the importance of protecting the information systems that produce the data used in the financial management processes. Only when cyber security is treated with the same attention as the protection of physical and financial assets can we enable the necessary cultural change and focus enough attention and resources to truly address the cyber threat.

Second, cyber crime. We saw the arrest of Jeffrey Lee Parson for writing a variant of the Blaster worm, but we have yet to find the bigger culprits, the original authors of the recent flurry of new attacks. We need to realize that protecting the Internet is really a global issue, one that requires better international cooperation. We need more and higher quality resources for law enforcement to work on computer forensics, and we need cooperation from government and industry to assist prosecutors in building cases. We require more harmony in cyber crime laws. Perhaps the Council of Europe's cyber crime treaty is a good starting point.

Governments and industry should reach across borders when appropriate to share information on cyber crime cases, best practices, threats and vulnerabilities, in order to gain a measure of prosecution success and early warning of potential attacks. The industry information sharing and analysis centers, the ISACs, can be a nucleus of that initiative. There should be a confidential, single point of contact in government so that the experts can communicate at a peer level at times of major cyber attacks. And again the recently announced cyber warning information network will be a good base for this exchange.
Third, research and development. As mentioned earlier, flash threats may be wreaking havoc in the near future, and we must be more productive in our cyber security practices, focusing on behavior blocking technologies, faster threat identifications to event correlation, real-time vulnerability scanning, and automated software patch deployment. Given the shrinking time from discovery to exploit, much new research and development needs to take place which even the combined resources of the industry cannot deliver in time. The government and academia must join this effort with incremental funding, proactive recruiting of the best talent and highly focused, jointly funded precompetitive projects.

Finally, audit and risk analysis. Security is not a static issue and, thus, requires regular assessments of systems and vigilance on the part of the IT managers, and for that matter, all users of the Internet. I commend the committee for its efforts to enact programs like FISMA, which require annual assessments of government systems and also require actions to improve the protection of those systems. The committee's oversight in this area is invaluable. This is not just something that government should do, but all enterprises, large and small, should be encouraged to follow this example of regular security assessments. Critically, though, we need thorough and timely remediation of any audit findings. The current performance of most organizations, government and industry alike, falls well short of desired levels.

In closing, let me issue this challenge to the industry, government, and individual users. We must take cyber security more seriously and we must do it together. Aware and compliant users are the best defense against most cyber attacks. Most importantly, we all, as individual users of the Internet, need to do our part to protect cyberspace.
Experience shows that effective implementations of security solutions cost in the range of 6 to 8 percent of the overall IT budgets. Few corporations or government departments have allocated adequate levels of funding to this critical need. It is time that we put our resources to work to minimize the risk of a serious disruption of our national cyber infrastructure. Thank you and I look forward to your questions.

Mr. Putnam. Thank you very much, Mr. Schwarz.

[The prepared statement of Mr. Schwarz follows:]

[GRAPHIC] [TIFF OMITTED] T2654.124 through T2654.127

Mr. Putnam. I appreciate the input of this entire panel, and for the record, this was the worst panel about sticking to the time lines. Usually it's the bureaucrats that go over. But all of you were very interesting with very important information, and we are delighted to have it.

I would like to begin with Mr. Reitinger with Microsoft. You have had a bad month. It has been a tough several weeks at the office. Walk us through what happens when someone, whether they have altruistic intentions, or not-so-altruistic intentions, notifies you of a vulnerability. And walk us through the process of developing a patch, releasing it; and at what point do you notify the Federal Government, as well as your customers? Could you just walk us through that process?

Mr. Reitinger. Of course, Mr. Chairman. Ideally, the process works with, if there's an external notification, someone contacting a software vendor, which might be Microsoft or another vendor, who then begins to develop a patch. If the notification is to the vendor, that allows the vendor to work to develop the patch in advance so that the public can be protected. The patch is developed, and that can be a very intensive process. The Blaster patch or the patch for the vulnerability of the Blaster attack, for example, was done due to a number of different operating systems.
The information associated with it had to be developed, I think, in 25 languages. And then that patch is rolled out. In the case of Microsoft, Microsoft rolls out patches unless there's a public exploit, generally on a Wednesday for predictability purposes, so customers can know it's coming. At that point, we begin to work actively with the community, with our customers, with people in the Federal Government, including the Department of Homeland Security, to make sure that the information about the patch can get distributed as broadly as possible. Now this next stage is the most critical stage because patch uptake, as we know, is critical. The vast majority of attacks that we have seen over time have been after a patch is released. So the key is getting patch uptake once the patch is released and available. At some point in that process, as happened in the case at issue, there may be some exploit code that is released and perhaps eventually there is a worm or another set of attacks that are involved. But that is the big window, to get patch uptake as broad and as deep as possible.

Mr. Putnam. Does the Federal Government or a particular agency of the Federal Government receive an early heads-up about a vulnerability that could have serious consequences?

Mr. Reitinger. Typically, because Microsoft's products are distributed so broadly, both within the United States and around the world, the notification is done at the same time; in other words, we released one, we released all. And the reason is, we've got customers around the world, we've got users around the world. You need to make sure you can distribute the information as broadly and as deeply as possible, and so it's generally notification to many.

Mr. Putnam. So a vulnerability comes to light, you develop the patch, you put it out there, and then it becomes the responsibility of the consumer to actually patch their system.
And in this most recent case, despite the fact that your patch had been out there for weeks, those who failed to download it had the system go down; and so it reflects poorly despite the fact that you had already provided the solution. My understanding is, Microsoft is working on some better technology to make those downloads automatic. And are there legal issues, specifically the Computer Fraud and Abuse Act, that might prevent you from making it easier for consumers to patch their systems?

Mr. Reitinger. As the chairman's question indicates, there is already a feature in Microsoft operating systems called Auto-Update that can automatically download and prompt the user to install patches. We are currently looking at how we can make that process easier and transparent for end-users so they can more readily have that option available to them, so that more people will in fact use and install Auto-Update. I think your question about the Computer Fraud and Abuse Act goes to the question of whether we could basically say to our customers, you have to use Auto-Update and we install Auto-Update by default. And the answer to that question is, yes, there are legal problems. Laws like the Computer Fraud and Abuse Act and other regulations, European directives, would prohibit access to an end-user's computer without an access of authority. We actually need consent to do that, and that is something we want to do. We want to, in fact, not overcome consumers' consent, but empower them and make their consent more effective and make it more able to control their own computer security and privacy.

Mr. Putnam. Mr. Akers, what's your take on the whole process of notification? And walk us through your system, if it differs from Microsoft, when you have an issue that may arise that may impact the Federal Government.

Mr. Akers. It does differ a little bit.
We have been at this process since I have been at the company, and most notably our last restart of the process was in 1997, so it's a continuous process that we undertake. Our intent from the discovery of vulnerability, either internally or externally found, is notification to the customer and remediation so that the customer is not impacted. You also have to remember that in the case of Cisco, the fabric of the Internet itself and the intranets that deploy these patches is, in and of itself, part of the issue we have to consider as a part of the problem, too. So, for instance, we have to be worried about our ability to distribute patches if the fabric itself does not have integrity.

So when we discover vulnerability, we also begin to develop a patch. But we also, at the same time, begin to develop a plan of notification and remediation. These take different shapes depending on the nature of the vulnerability, the technologies that are involved and the issues that are at hand. In some cases, because we have to ensure that we can deploy the released information and the software itself, we may notify critical infrastructure components of the problem so that they can remediate the problem, so we can continue then to work with the rest of the constituent customer base to deploy software release and information. We look at this on an individual case basis and use processes and policies within the company to determine how to do that, at which time we then go through the process of completing the software build, much as Microsoft indicated they do. Once that is ready, both the plan and the software, we then begin the notification process and remediation process with our customers.
We believe this process, for us, has worked well over the years and believe that it provides the best of both worlds in the context of both protecting the infrastructures themselves, our customers, and making sure that we get the information into the hands of the people that can protect themselves before the information is made available to those that might exploit it and use it for detrimental purposes.

Mr. Putnam. Do you have a different notification process for an agency of the Federal Government than you do for an individual customer?

Mr. Akers. We treat the agency of the Federal Government as if it were part of the critical infrastructure, and we put them in the same structure prioritization as we would any other critical infrastructure. If we determine that a critical infrastructure asset of the Federal Government has a particular or unique circumstance, they would be prioritized accordingly within our scheme.

Mr. Putnam. Mr. Reitinger, in the cyber hacker world, everybody likes to pick on Microsoft. As we heard in earlier testimony, everybody gets their merit badges by messing with you all. You have a tremendous background in law enforcement, as well, so you have seen both sides of this. Are you satisfied with the legal framework that exists today for punishing people who are hackers?

Mr. Reitinger. That is a very good question, Mr. Chairman. I think, in terms of punishing hackers, the answer is mostly yes, because Congress just last year passed an additional law raising the penalties for cyber crime and how that's going to work in practice, the sentencing guidelines associated that are now being developed. There are two other areas, though, that require examination. One is, is the breadth of penalties enough? Have we criminalized everything we ought to criminalize as opposed to what the amount of the penalty is? And I think that can change over time as new ways to harm people on-line are created.
Secondarily, there is the question of law enforcement's ability to identify and then prosecute people, and that is the point to which my testimony related. It is actually very hard to--as your questions to Mr. Malcolm on the first panel indicated, it is very hard to identify hackers and virus writers and worm writers online, and we need to do what we can to remediate that. And perhaps the biggest way to do that is to ensure that law enforcement has the resources necessary to attack the problem, particularly with regard to training and things like forensics capabilities. The last element I'll just mention briefly is the international piece. As Mr. Schwarz indicated, it's critical. All cybercrime--not all cybercrime, but almost all cybercrime involves an international element. Even if it's a person in the United States attacking a place in the United States, they will probably pass their attacks abroad. So you typically have an international element in cybercrime. That means that you have to have the same capabilities that you have in the United States created around the world, and things like the Council of Europe Cybercrime Convention, if ratified by countries like the United States and other signatories, could go a long way toward remediating that problem.

Mr. Putnam. Mr. Gullotto and Mr. Schwarz, your company's mission in life is to protect your clients' systems from these worms, from these viruses, from these hackers, from malicious code. You monitor this on a 24-hour, 7-day-a-week basis. Do you notice any trends in where these threats come from? Is there a seasonality to the trends? Are there more in the summer than there are during the school year? Do they arise from Eastern Europe or Asia or North America? Could you give us some sense of the landscape of the threat environment?

Mr. Schwarz. Let me jump in and obviously allow my colleague to comment.
We today monitor almost 1,000 customers' networks around the world and have further some 22,000 real-time scanners placed in strategic points around the Internet around the world. That level of input gives us a pretty good perspective on what is actually happening on the Internet. First and foremost, the majority of the attacks appear to be originating in the United States, so the thought of somehow being flooded from the outside does not seem to hold true. Second, the attacks are gaining in, if you will, virility as a result of shared technology, which is very much available in public domains on the Internet. So one of the comments I would make relative to the criminalization of this conduct, ought to think about including the publishing of exploitation methodologies and tools which can then be downloaded by people who don't necessarily have the skill to further the damage of the Internet. We do not see any seasonality, we do not see any changes in scope as the year progresses or as various political events happen to take place around the world. What we do see is a direct correlation between the rise of always-on broadband connection and the penetration of these attacks around the world as these always-on machines are taken over and used as a base to launch massive further damage. And as my colleague from Microsoft points out, the tracing of these attacks to its origin, given today's technology, is almost impossible.

Mr. Putnam. Mr. Gullotto.

Mr. Gullotto. I concur with a great deal of what Mr. Schwarz said. What I would like to address is a little bit more about the specifics of the origins of the virus-writing activity itself, specifically where viruses may or may not come from. In many cases, as we've heard previously today, and today and I will concur with that as well, it is very difficult for us to specifically state where a virus has been written or where it is originating from. As Mr. Schwarz has pointed out, there is-- a majority of the traffic originates in the United States, but we are not completely convinced that the traffic that originates in the United States actually came from the United States. I'll go to an example of a group called 29A that exists, from what we understand and what we have researched, in Brazil and in Spain. There is a common language between the two. We have seen even in code where one virus writer will acknowledge another virus writer for helping create some piece of code together or in such a way in which they were successfully able to take one piece of expertise from one area and the other from another area, get it to work together, and then in many cases it will get out. Now, it gets out deliberately in some cases, or they may post it to a Web site which will ask people to come to that Web site, get that--it could have come from the United States--double-clicked it when they put it on their desktop or began to simply distribute it throughout a network of friends, who then may have double-clicked on it to get it moving in the case of a mass mailer. The worms are a little more difficult to state, meaning that I may be a virus writer that lives in Belgium--which there is a woman virus writer, her name is Gigabyte, she is 18 years old. She may have written a piece of code at her home in Belgium, but she may have taken it to France, went into an Internet cafe, put in her floppy disk, go to the program, ran it. That program immediately begins to spread. She unplugs the diskette, pays her 5 euro for the hour that she spent on the computer, and she walks out the door. It begins to spread at that particular point in time.

Mr. Putnam. Mr. Schwarz, you mentioned that the majority of the attacks originate in the United States. Do you distinguish between probes and attacks, or are they the same term?

Mr. Schwarz. We do distinguish among various categories and severities of attacks.
And, yes, there are distinctions between probes where people are looking for vulnerabilities or open switches, if you will, open access points, and actual attacks that have been launched to penetrate and cause damage. We see about 175 million such events per day across the spectrum of the systems that we do monitor. Categorizing that volume of data to actually identify specific types of attacks is a bit of a daunting task. What we do with the data is correlate the information from multiple points and attempt to isolate those that have potential for being serious or those that indicate a new type of activity from which we have not been able to defend ourselves previously, and then build defenses based on that new intelligence.

Mr. Putnam. And do those probes also mostly originate from the United States?

Mr. Schwarz. The total traffic that we see--and again, I agree with Vincent's point relative to the actual pinpointing of the origin of the code, but the total traffic volume still is to some 75 or 80 percent originating in the United States. What we see is countries that have a very large prevalence of always on connections, like Korea and Japan, ranking very high, perhaps beyond the size of their population, but that may be simply spoofed addresses targeting those countries as a way to launch attacks, but not originating there.

Mr. Putnam. One of the concerns that we have heard, particularly with the reference to the virus that went silent today, was shut down as of today, is that it is an attempt by these code writers to learn, to explore the system for a finite period of time, and then before it could necessarily be reacted to, it goes down so that they are learning and essentially applying that knowledge toward developing the better or the perfect virus or the perfect worm. Could you comment on that? Anyone.

Mr. Gullotto. I would agree that is certainly a possibility. We have seen behavior like this for quite some time. Approximately 3 years ago Mr. Hale, who had testified a little bit earlier, and I were on a committee, if you will, that looked at a threat called Leaves. It was an Internet worm. And at first it had looked to be rather a meek worm, but as we did more and more analysis of it, it became very complex in what it was that it did. It looked to be something that perhaps someone had created to see what would happen if they released it, what data could it gather, where could it go, what could it do so that they could then in turn go ahead and create another threat of such a nature to then have it go further. The good news was that person was actually arrested. And so I don't have any idea what happened to that person, but I know that there was an arrest in that case. Now, we could take a look at other such threats and also concur that there is some education process. We could look at one specific factor in a threat to say this might be what they are looking to see works or doesn't work. The SoBig virus now is one that you mentioned, is one that's in its fifth to sixth generation, meaning it is multiple family members. There have been other variants of SoBig that have spread quite far as well, and the commonality amongst each variant is that it has an extension, which is PIF. And in many cases, when we see a new extension be exploited, it is an opportunity for all virus writers to learn to see if it will become successful or not, because if it is successful, others will use that same extension, knowing full well that most computer users, which we would probably look to more toward the consumer user, but then again end users, within an environment would not understand. We've spent a great deal of time educating people in the past couple of years about how not to click on anything that has a VBS extension. Well, we got them to understand that. Those viruses seem to have gone away. However, PIF looks a lot like GIF. GIF is not necessarily a file that can be infected.
People double-click on it every single day and e-mail. No problems. They get to see something, it's great. It's a misunderstanding. Virus writers probably understand this, use it to educate themselves to see what else they can plant that will become successful.

Mr. Putnam. Mr. Schwarz, did you wish to add anything to that?

Mr. Schwarz. I think this is a very accurate description of the actual state of the technology used by the virus writers. Again, I would like to stress the importance of dealing with Web sites that actually publish this information, which are then shared among a community of people that perhaps do not have the skill to create the original varieties, but can adapt and cause additional damage. One other thought which I would like to leave with the panel or with the committee is that many of the worms that perhaps or the viruses that are perhaps the most threatening are not those that achieve the notoriety of a SoBig. They are very visible because of the traffic they generate, but perhaps a low-profile-type worm or Trojans that have been placed in strategic points in the network in systems that are very critical to a business or the national infrastructure that can be triggered somewhere down the road with a subsequent worm or subsequent attack, causing a disruption of service or causing deletion of data, or causing, in fact, just a flow of information to an entity that might wish to observe what is going on. So we need to not observe just those attacks that cause the service very large volume issues, but need to be looking for low-profile, potentially, in fact, more insidious and dangerous worms than those we have seen to date.

Mr. Putnam. Mr. Akers and Mr. Reitinger, recognizing that there will never be a perfect code, what can software designers do to develop more secure codes, more secure systems as the abilities of the bad guys, the black hats, continue to improve? What efforts can we take to get better, more secure systems?

Mr. Akers. I think there are actually two things that we are both doing, and we need to continue to do, as an industry. Education is a big part with our software developers. We teach our software developers that are coming out of academia today to develop software based on the function required at hand, and we don't teach them to be mindful of the issues around security that might provide vulnerabilities and subsequent exploits. There are a number of programs out there. There are centers of excellence that are part of a program at the National Security Agency. There are a number of other venues by which we acquire information about how to do good quality, secure software engineering. And we need to continue to educate our software engineers and academia how to do those things and for those that are out in practice today, and continue to do what we are doing, which is bringing that information directly to them so that as they develop a product initially, they are mindful of the issues that we are dealing with from a security standpoint today. This is something that's going to be an ongoing process.

The second thing is continued testing. And that is something that I know that most of the vendors here and most of the vendors across the community are doing more today than we ever have. We internally have programs, we externally have programs, and we are going to continue to reinforce our ability to simply look for and test for those vulnerabilities that we might be in a position to uncover that we can then mitigate prior to the time of an exploit. I want to kind of piggyback on the last question a little bit, too. As we look at this issue around vulnerability yielding an exploit, the other thing we can do is we could watch the testing of some of this exploit code.
I can't think of a vulnerability that has been disclosed that at some point along the line somebody didn't turn the knob to see if it was more interesting than maybe the vulnerability seemed at the time the vendor talked about it. And if we start seeing these kinds of things, government and private sector should be able to identify those instances and come together to take a look at what the miscreants might actually be doing, and then start thinking about how to thwart the attempts that they may make at those particular vulnerabilities going forward.

Mr. Putnam. You mentioned the education and then its importance for your software designers. But these miscreants, as you've referred to them, or script kiddies are more intellectually driven; it is a game. Some people do crosswords, some people try to break into systems, and then the more malicious types. Now, don't script kiddies grow up to work for the Microsofts and Ciscos of the world?

Mr. Akers. Not knowingly, in my case. We take a very dim view of that activity. But, no. Typically it's difficult to even distinguish between the activities of the script kiddies and the more orchestrated and well-organized, funded, and otherwise notable engagements. As a matter of fact, understand that it wouldn't be out of the realm of possibility that those more well-developed organizations and entities could take advantage of the behavior of the script kiddies to accomplish what they want to accomplish. So education of software engineers is a key part of it. And what you generally find, or at least what we generally find, is they do have a--once educated, they do maintain and have a clear understanding of the issues and want to do the right thing. I think as was said earlier, it's almost viewed as being patriotic to make sure that when we're providing critical infrastructures, we're doing it with the highest degree of quality and security that we possibly can.
And our developers take that to heart much like the rest of the developers in the community do.

Mr. Putnam. Mr. Reitinger.

Mr. Reitinger. Mr. Chairman, let me answer that question in two parts, first what software companies can do, and then turn to the education points. What software companies can do is have a robust software assurance process. Conduct code reviews before software ships, use independent test teams, do threat modeling, make sure they train their developers. Use automated tools to test for security, and seek third-party certifications such as the Common Criteria. This is something that companies like Microsoft and other software companies do. They need to conduct robust after-actions when vulnerabilities do occur to figure out what went wrong and how the process can be fixed going forward, because security is really a destination as opposed to an end. Or, excuse me, is really a process as opposed to an end. Software companies need to make security easier to do so that the software's secure out of the box and it's easier to maintain going forward. So there's a whole software assurance and software support process that can ease the burden and help solve the problem.

With regard to education, there are a number of components of that. One is educating users about how they can secure their systems. That is the focus of a lot of government efforts and the Microsoft Protect Your PC Initiative. There is also the component of the ethical outreach to kids, which was the subject of your present talk. How do we stop--how do we make young folks, if you will, not do the sorts of things that some of them are doing now, attacking systems, so that we have less chaff that we have to worry about to find the wheat. That is a really hard problem, and I think requires us to figure out how to convince young, computer-literate people that breaking into systems, if you will pardon the colloquialism, isn't cool. It doesn't build your status in a peer group.
It's like burning down a building. And people really get hurt. That's something we have not all successfully done yet, and we need to continue to work on.

Mr. Putnam. Mr. Schwarz, Mr. Gullotto, do you all have any comments on either of those issues? Do you have any comments on the education component, and how we can be more effective at it, and whose responsibility it is?

Mr. Schwarz. Let me offer one suggestion. Obviously, education is hugely important, and the more we do, the better for all of us. There is a technology solution that can be applied to partly address this problem, which is something that we call client compliance, or compliancee, as it is called in bad English. Client compliance is about ensuring that when a client is reaching out to the network to be connected, that the network has the ability to test whether that client meets some basic minimum standards of good housekeeping relative to security. It would be great if we could come together, government and industry, and develop a joint standard for how that compliance could be achieved and then have the ability for the ISPs, for the in-house servers, to, in fact, test every client before they are given access to the network. That technology in addition to education could help us dramatically improve the level of standard, the level of security that we see today.

Mr. Putnam. Mr. Gullotto, any comments?

Mr. Gullotto. With regard to the education aspect, today we face a point where we are about to probably look at the next generation of threats and how is it that we can educate primarily the home user, but to protect themselves from those threats. We have them to the point that they understand that they are probably best served by putting antivirus and updating that antivirus as often as a vendor makes it available.
Antivirus today is no longer sufficient enough to protect everyone from the threats that we are seeing such as the Internet worms, which in many cases travel at certain points in the Internet where there may not be an antivirus product that can actually support or protect them from that. Therefore, as we have spoken about today, the evolution of the threat, we have to evolve our education and how we go about having the consumer at home understand that the Internet is a big city, and that like many cities, there are good parts and there are bad parts. You should proceed with caution in both areas, and understand that what you may find in the good part is good; what you may find in the bad part might look good, but it's not necessarily good. People that are using the Internet today to exploit children, they are looking to exploit consumers by stealing data for a financial gain, I think are slightly different than perhaps some of the script kiddies that we have spoken about today. But clearly, when we developed the Stay Safe Online campaign sometime back, I think we looked to find that to be an avenue in which we could teach the consumer ways in which we could have them understand as to what a bad guy looked like on the Internet and what a good guy looked like on the Internet, and perhaps what a bad guy that looked like a good guy on the Internet was. I think funding plays a huge part of it, actually, to be able to maintain and sustain this type of education, this evolving education that we need, which is why many of us today have talked about ways in which we can find funding to further R&D, but that R&D will include education.

Mr. Putnam. Thank you very much. I am told that there is a 1:30 hearing in this same room, and so we need to bring it in for a landing. Is there anything that we have not covered that any of the panelists would like to add to the discussion before we wrap up? Beginning with Mr. Akers. Do you have any final comments?

Mr. Akers. No.

Mr. Putnam. Mr. Reitinger.

Mr. Reitinger. Thank you for the opportunity to testify today, Mr. Chairman.

Mr. Putnam. Delighted to have you. Thank you. Appreciate your insight. Mr. Gullotto.

Mr. Gullotto. No. Thank you.

Mr. Putnam. Dr. Schwarz.

Mr. Schwarz. No. Thank you.

Mr. Putnam. Well, thank you all very much. This has been an outstanding hearing. I do apologize for its length, but I think that it was valuable and well worth our time. I will remind everyone we have two more hearings next week on cybersecurity as well. And, with that, the record will remain open for 2 weeks for submitted questions and answers of topics that we were unable to get to today. The subcommittee stands adjourned.

[Whereupon, at 1:20 p.m., the subcommittee was adjourned.]