[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
WORM AND VIRUS DEFENSE: HOW CAN WE PROTECT THE NATION'S COMPUTERS FROM
THESE THREATS?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
POLICY, INTERGOVERNMENTAL RELATIONS AND
THE CENSUS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 10, 2003
__________
Serial No. 108-123
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
92-654 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York
JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania WM. LACY CLAY, Missouri
CHRIS CANNON, Utah DIANE E. WATSON, California
ADAM H. PUTNAM, Florida STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma C.A. ``DUTCH'' RUPPERSBERGER,
NATHAN DEAL, Georgia Maryland
CANDICE S. MILLER, Michigan ELEANOR HOLMES NORTON, District of
TIM MURPHY, Pennsylvania Columbia
MICHAEL R. TURNER, Ohio JIM COOPER, Tennessee
JOHN R. CARTER, Texas CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota ------
MARSHA BLACKBURN, Tennessee BERNARD SANDERS, Vermont
(Independent)
Peter Sirh, Staff Director
Melissa Wojciak, Deputy Staff Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Philip M. Schiliro, Minority Staff Director
Subcommittee on Technology, Information Policy, Intergovernmental
Relations and the Census
ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan WM. LACY CLAY, Missouri
DOUG OSE, California DIANE E. WATSON, California
TIM MURPHY, Pennsylvania STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio
Ex Officio
TOM DAVIS, Virginia HENRY A. WAXMAN, California
Bob Dix, Staff Director
Chip Walker, Professional Staff Member
Ursula Wojciechowski, Clerk
David McMillen, Minority Professional Staff Member
C O N T E N T S
----------
Page
Hearing held on September 10, 2003............................... 1
Statement of:
Akers, Greg, senior vice president, chief technology officer,
government solutions and corporate security programs, Cisco
Systems, Inc.; Phil Reitinger, senior security strategist,
Microsoft Corp.; Vincent Gullotto, vice president,
antivirus emergency response team, Network Associates,
Inc.; and John Schwarz, president and chief operating
officer, Symantec Corp..................................... 125
Dacey, Robert, Director, IT Security, General Accounting
Office; Richard Pethia, Director, Cert Coordination Center;
Lawrence Hale, Director, FedCIRC, Department of Homeland
Security; Norman Lorentz, Acting Administrator, Electronic
Government and Information Technology, Office of Management
and Budget; and John Malcolm, Deputy Assistant Attorney
General, Criminal Division, Department of Justice.......... 7
Eschelbeck, Gerhard, chief technology officer and vice
president of engineering, Qualys, Inc.; Christopher
Wysopal, co-founder, Organization for Internet Safety and
director of research and development, @stake.Inc.; and Ken
Silva, vice president, operations and infrastructure,
Verisign, Inc.............................................. 87
Letters, statements, etc., submitted for the record by:
Akers, Greg, senior vice president, chief technology officer,
government solutions and corporate security programs, Cisco
Systems, Inc., prepared statement of....................... 128
Clay, Hon. Wm. Lacy, a Representative in Congress from the
State of Missouri, prepared statement of................... 71
Dacey, Robert, Director, IT Security, General Accounting
Office, prepared statement of.............................. 9
Eschelbeck, Gerhard, chief technology officer and vice
president of engineering, Qualys, Inc., prepared statement
of......................................................... 89
Gullotto, Vincent, vice president, antivirus emergency
response team, Network Associates, Inc., prepared statement
of......................................................... 157
Hale, Lawrence, Director, FedCIRC, Department of Homeland
Security, prepared statement of............................ 46
Lorentz, Norman, Acting Administrator, Electronic Government
and Information Technology, Office of Management and
Budget, prepared statement of.............................. 52
Malcolm, John, Deputy Assistant Attorney General, Criminal
Division, Department of Justice, prepared statement of..... 58
Pethia, Richard, Director, Cert Coordination Center, prepared
statement of............................................... 31
Putnam, Hon. Adam H., a Representative in Congress from the
State of Florida, prepared statement of.................... 4
Reitinger, Phil, senior security strategist, Microsoft Corp.,
prepared statement of...................................... 142
Schwarz, John, president and chief operating officer,
Symantec Corp., prepared statement of...................... 175
Silva, Ken, vice president, operations and infrastructure,
Verisign, Inc., prepared statement of...................... 110
Wysopal, Christopher, co-founder, Organization for Internet
Safety and director of research and development,
@stake.Inc., prepared statement of......................... 98
WORM AND VIRUS DEFENSE: HOW CAN WE PROTECT THE NATION'S COMPUTERS FROM
THESE THREATS?
----------
WEDNESDAY, SEPTEMBER 10, 2003
House of Representatives,
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2154, Rayburn House Office Building, Hon. Adam Putnam
(chairman of the subcommittee) presiding.
Present: Representatives Putnam, Miller, and Clay.
Staff present: Bob Dix, staff director; John Hambel, senior
counsel; Chip Walker, Scott Klein, and Lori Martin,
professional staff members; Ursula Wojciechowski, clerk;
Suzanne Lightman, fellow; Jamie Harper and Erik Glavich,
legislative assistants; David McMillen, minority professional
staff member; and Jean Gosa, minority assistant clerk.
Mr. Putnam. The quorum being present, the Subcommittee on
Technology, Information Policy, Intergovernmental Relations and
the Census will come to order. Good morning.
Today we continue our in-depth review of cyber security
issues affecting our Nation. There are several things unique to
cyber attacks that make the task of preventing them difficult.
Cyber attacks can occur from anywhere around the globe, from
the caves of Afghanistan to the battlefields of Iraq, from the
most remote regions in the world or right here in our own back
yard. The technology used for cyber attacks is readily
available and changes continually, and perhaps most dangerous
of all is the failure of many people, including those who are
critical to securing these networks and information from
attack, to take the threat seriously, to receive adequate
training and take proactive steps needed to secure their
networks. A severe cyber attack would have devastating
repercussions throughout the Nation in a physical sense and in
real economic dollars.
The initial plan for this hearing was to focus primarily on
strategies and methodologies within the agencies of the Federal
Government for identifying and mitigating computer
vulnerabilities through a system of patch management. Recent
events, however, have caused us to expand the boundaries of
this hearing to include computer systems throughout the Nation.
This summer, everyone once again realized how vulnerable
our computer networks are to cyber attack. The Blaster worm and
SoBig.F virus brought home the reality that unsecured computer
systems are all too prevalent and that as a Nation across all
levels, government, business and home users, we must take
computer security more seriously than we have in the past. The
Blaster worm infected over 400,000 computers in under 5 days.
In fact, 1 in 3 Internet users are infected with some type of
virus or worm every year.
The speed at which worms and viruses can spread is
astonishing and a contributing fact to that rapid spread is the
lethargic pace at which people deploy the patches that can
prevent infection in the first place. Microsoft announced the
vulnerability and had the patch available weeks before the
exploit appeared.
Recent viruses and worms have been blamed for bringing down
train signaling stations throughout the East, affecting the
entire CSX railroad system, which covers 23 States.
Additionally, new information is coming to light that the
Blaster worm is being linked to the severity of the power
blackout of last month. The North American Electric Reliability
Council blames another worm, Slammer, for impairing bulk
electric system control by bringing down networks. We learned
last week that the U.S. Nuclear Regulatory Commission issued a
formal information notice to nuclear power plant operators
warning them about an incident in January in which the Slammer
computer worm penetrated networks in Ohio's Davis-Besse nuclear
plant and disabled two important monitoring systems for hours.
A recent Gartner study predicts that by the year 2005, 90
percent of cyber attacks will attempt to exploit
vulnerabilities for which a patch is already available or a
solution known. So why aren't systems patched and why aren't
anti-virus programs kept up to date? This hearing will examine
the issues surrounding these incidents, including how
vulnerabilities are discovered, how the public is notified
about potential vulnerabilities, the mechanisms for protection,
the real and potential problems presented by patch systems and
the scope of the problem confronting the Federal Government,
the business community, and the general public.
System administrators are often overwhelmed with simply
maintaining all the systems they have responsibility for
overseeing. Challenges that organizations face in maintaining
their systems are significant. With an estimated 4,000
vulnerabilities being discovered every year, it is an enormous
challenge for any but the best resourced organizations to
install all of the software patches that are released by the
manufacturer. Not only is the sheer quantity of patches
overwhelming for administrators and everyone else to keep up
with, but patches can be difficult to apply and have unexpected
side effects on other systems that administrators must then
evaluate and address. As a result, after a patch is released,
administrators often take a long time to fix all of their
vulnerable computer systems. Obviously small organizations and
home users who lack the skills of system administrators are
even less likely to keep up with the flow of patches.
The Department of Homeland Security's Federal Computer
Incident Response Center recently let a $10.8 million 5-year
contract for governmentwide patch management service to notify
agencies about security holes in commercial software for
systems on their networks and the availability of patches to
fix them. The service is known as the patch authentication and
dissemination capability [PADC]. The goal is to simplify patch
management by providing administrators only with information
relevant to their systems and ensuring that patches are genuine
and affected. PADC went on-line in January of this year.
According to officials, once agency system administrators have
provided a profile of their systems and software, PADC will
alert them to potential vulnerabilities, provide interim
security advice until a patch is available, disseminate
available patches and keep management informed of available
patches and which ones their systems administrators have
downloaded.
Large organizations such as business and educational
institutions often rely on commercial firms to notify them of
vulnerabilities. For example, there are several firms that
offer vulnerability notification combined with analysis of the
customer's computer system for those vulnerabilities. These
firms also provide information on where to get the patches and
prioritize them for administrators. In addition, the commercial
critical infrastructure sectors depend on information from
their information sharing analysis centers [ISACs], to help
them respond to potential cyber threats. These ISACs are
designed to allow members of a sector to share information
about incidents to help increase preparedness and vigilance.
The progress of Blaster demonstrates the importance of the
early warning systems that ISACs are tasked with developing.
Independent researchers discover most vulnerabilities.
These researchers may be academics, consultants or Black Hats.
The Organization for Internet Security is working with software
vendors, consultants and other interested parties to formalize
procedures for dealing with vulnerabilities, including vendor
notification and control disclosures. There's a very important
role for government to play in these disclosure procedures. It
is no longer acceptable for vendors to determine on their own
schedule who gets notified and when. Given the potential
national security risk that can emanate from the exploitation
of a vulnerability, it is imperative that the appropriate
government entities be involved in this process from the
beginning.
Vulnerabilities in software and the worms and viruses that
exploit them have become a fact of life for the Internet. The
government, law enforcement and private industry must develop
and continue to update a plan to deal with these emerging
threats.
How can we educate home and small business users to
minimize the risk posed by zombie computers? How can
researchers, the government and software industry work together
to identify and remedy vulnerabilities in the most instructive
manner? And how will the Federal Government evolve an effective
patch management program? What can be done to expedite the
discovery and prosecution of cyber criminals who release worms
and viruses? And most important of all, how can the Federal
Government, law enforcement and industry work together to
protect the vital infrastructure of the Internet?
[The prepared statement of Hon. Adam H. Putnam follows:]
[GRAPHIC] [TIFF OMITTED] T2654.001
[GRAPHIC] [TIFF OMITTED] T2654.002
[GRAPHIC] [TIFF OMITTED] T2654.003
Mr. Putnam. We have an outstanding line up of witnesses
this morning who will share with us their expertise as we
explore worms and viruses and how we can better protect the
Nation's computers. As is the custom of this committee, we'll
ask our witnesses as they are seated in panel one to rise and
be sworn in.
[Witnesses sworn.]
Mr. Putnam. Note for the record that all of the witnesses
responded in the affirmative. We will begin with our first
witness, and we have three panels. The panels are rather large
panels. They are unusually large for this subcommittee, but the
scope of our topic demanded it. But we would ask that all of
our witnesses adhere as best they can to our 5-minute rule. And
I will introduce Mr. Dacey.
Robert Dacey is currently Director of Information, Security
Issues at the U.S. General Accounting Office. His
responsibilities include evaluating information systems
security in Federal agencies and corporations, including the
development of related methodologies, assessing the Federal
infrastructure for managing information security, evaluating
the Federal Government's efforts to protect our Nation's
private and public critical infrastructure from cyber threats
and identifying best security practices at leading
organizations and promoting their adoption by Federal agencies.
In addition to his many years at information security auditing,
Mr. Dacey has also led GAO's annual audits of the consolidated
financial statements of the U.S. Government, GAO'S financial
audit quality assurance efforts, including methodology and
training and other GAO financial statement audits. We
appreciate you being a part of this panel, and you are
recognized for 5 minutes.
STATEMENTS OF ROBERT DACEY, DIRECTOR, IT SECURITY, GENERAL
ACCOUNTING OFFICE; RICHARD PETHIA, DIRECTOR, CERT COORDINATION
CENTER; LAWRENCE HALE, DIRECTOR, FEDCIRC, DEPARTMENT OF
HOMELAND SECURITY; NORMAN LORENTZ, ACTING ADMINISTRATOR,
ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF
MANAGEMENT AND BUDGET; AND JOHN MALCOLM, DEPUTY ASSISTANT
ATTORNEY GENERAL, CRIMINAL DIVISION, DEPARTMENT OF JUSTICE
Mr. Dacey. Thank you, Mr. Chairman. I am pleased to be here
today to participate in the subcommittee's hearing on cyber
incidents and the role of software patch management in
mitigating the risks that these types of events will recur. I
will briefly summarize my written statement.
The exploitation of software vulnerabilities by hackers and
others can result in significant damage to both Federal and
private sector computer systems, ranging from Web site
defacements to gaining the ability to read, modify or delete
sensitive information, destroy systems, disrupt operations or
launch attacks against other organizations. The number of
reported security vulnerabilities and software products has
grown dramatically in recent years to over 11,000 cumulatively
reported by CERT/CC since 1995.
Factors increasing the risk of system vulnerabilities and
exploits include the increasing complexity and size of software
programs, the increasing sophistication and availability of
hacking tools, increasing system interconnectivity combined
with decreasing length of time from the announcement of a
vulnerability until it is exploited, and decreasing length of
time for attacks to infiltrate the Internet.
Although generally available before vulnerability exploits
are launched, patches are too frequently not installed,
resulting in damages to unpatched systems. My written testimony
refers to several of these exploits and summarizes the
responses to two recently reported serious vulnerabilities.
Given these increasing risks, effective patch management
programs have become critical to securing both Federal and
private sector systems. Key elements of a patch management
program include top management support, standardized policies,
procedures and tools; dedicated resources and clearly assigned
responsibilities; current technology inventories;
identification of relevant vulnerabilities and patches; patch
risk assessment and testing; patch distribution; and monitoring
system through networks and host vulnerability scanning.
There are several efforts to address software vulnerability
in the Federal systems, including OMB reporting requirements
concerning agency patch management programs as part of the
Federal Information Security Management Act [FISMA]; NIST,
patch management guidance, and FedCIRC incident reporting,
handling and prevention handling services. For example, as you
mentioned in your statement, FedCIRC provides PADC, a patch
notification service, which provides agencies at no charge with
information on trusted authenticated patches for their specific
technologies. PADC currently has 41 agency subscribers,
although OMB recently reported that actual usage of those
accounts are extremely low.
A number of commercial tools and resources are available
that can assist in performing patch management functions more
efficiently and effectively, such as identifying relevant
patches, deploying patches, scanning systems for
vulnerabilities and providing management reporting. In addition
to implementing effective patch management processes, several
other steps can be taken to address software vulnerabilities.
These include one, deploying other technologies such as
antivirus software, firewalls and other network security and
configuration tools to provide a layered defense against
attacks; two, employing more rigorous software engineering
practices in designing, implementing and testing software
products to reduce the number of potential vulnerabilities;
three, improving tools to more efficiently and effectively
manage patching; four, researching and developing technologies
to prevent, detect and recover from attacks as well as identify
perpetrators; and five, ensuring effective tested contingency
planning processes and procedures.
Mr. Chairman, this concludes my statement. I will be
pleased to answer any questions that you have at this time.
[The prepared statement of Mr. Dacey follows:]
[GRAPHIC] [TIFF OMITTED] T2654.004
[GRAPHIC] [TIFF OMITTED] T2654.005
[GRAPHIC] [TIFF OMITTED] T2654.006
[GRAPHIC] [TIFF OMITTED] T2654.007
[GRAPHIC] [TIFF OMITTED] T2654.008
[GRAPHIC] [TIFF OMITTED] T2654.009
[GRAPHIC] [TIFF OMITTED] T2654.010
[GRAPHIC] [TIFF OMITTED] T2654.011
[GRAPHIC] [TIFF OMITTED] T2654.012
[GRAPHIC] [TIFF OMITTED] T2654.013
[GRAPHIC] [TIFF OMITTED] T2654.014
[GRAPHIC] [TIFF OMITTED] T2654.015
[GRAPHIC] [TIFF OMITTED] T2654.016
[GRAPHIC] [TIFF OMITTED] T2654.017
[GRAPHIC] [TIFF OMITTED] T2654.018
[GRAPHIC] [TIFF OMITTED] T2654.019
[GRAPHIC] [TIFF OMITTED] T2654.020
[GRAPHIC] [TIFF OMITTED] T2654.021
[GRAPHIC] [TIFF OMITTED] T2654.022
[GRAPHIC] [TIFF OMITTED] T2654.023
Mr. Putnam. Thank you very much, Mr. Dacey. I appreciate
you adhering to our 5-minute rule as well.
Our next witness is Richard Pethia. Mr. Pethia directs the
CERT Coordination Center, which conducts security incident
response activities and fosters the development of incident
response infrastructures that leads to rapid correction of
vulnerabilities and resolution of incidents. Working out of the
software engineering institute at Carnegie Mellon University,
he has been tracking vulnerabilities for 15 years. Before
coming to SEI, Mr. Pethia was the Director of Engineering at
the Decision Data Co. He has over 30 years experience in both
technical and managerial positions.
You are recognized for 5 minutes, Mr. Pethia.
Mr. Pethia. Thank you, Mr. Chairman, and thank you
especially for the opportunity to testify on the issue of
defending against cyber viruses and worms. At the CERT
Coordination Center since 1988, we have handled over 260,000
security incidents and have helped to resolve over 11,000
vulnerabilities, published hundreds of security alerts and
security best practice guides and provide training in a variety
of security topics.
Worms and viruses are both in a more general category of
programs called malicious code. Both exploit weaknesses in
computer software, replicating themselves and are attaching
themselves to other programs. They spread quickly. By
definition, worms are programs that spread without human
intervention once they have been introduced into the system.
And viruses are programs that require some action on the part
of the user, such as opening an e-mail attachment. Today these
worms and viruses are causing damage more quickly than those
created in the past and are spreading to the most vulnerable of
all systems, computer systems of home users.
The Code Red worm spread around the world faster in 2001
than the Melissa virus did in 1999. Just months later, the
NIMDA worm caused serious damage within an hour of the first
reported infection. And in January of this year Slammer had
significant impact in just minutes. Virus and worm attacks
alone have resulted in millions of dollars of loss in just the
last 12 months. The 2003 computer crime survey states that
viruses are the most cited form of attack with an estimated
cost of over $27 million across the approximately 500
respondents to the survey. Estimates on the Blaster worm and
the SoBig.F virus range from $525 million to more than $1
billion in loss. The cost estimates include lost productivity,
wasted hours, lost sales and extra bandwidth cost.
For the past 15 years we have relied heavily on fast
reaction to ensure the damage is minimized. But today it's
clear that reactive solutions alone are no longer adequate.
Many attacks are now fully automated and spread with blinding
speed. The attack technology has become increasingly complex,
increasing the time it takes to analyze the attack and produce
countermeasures. We have been increasingly dependent on the
Internet. Even short interruptions in service cause significant
loss and can jeopardize critical service.
Aggressive, coordinated, continually improving response
will continue to be necessary, but we also must move quickly to
put other solutions in place. System operators must adopt
security practices such as information security risk
assessments, security management policies and secure system
administrations practices. Senior managers must provide visible
endorsement and financial support for these security
improvement efforts. They must also keep their skills and
knowledge current and educate their users to raise awareness of
security issues and improve their ability to recognize and
respond to problems. Technology vendors must also take steps
such as producing virus resistant or virus proof software,
dramatically reducing the number of implementation errors in
their products that lead to vulnerabilities, and providing
secure out of the box configurations that have security options
turned on rather than require users to enable the functions.
The government can also help by taking a multi-pronged
approach: Using its buying power to demand higher quality
software, holding vendors more accountable for defects in
released products and providing incentives for low defect
products and for products that are highly resistant to viruses.
Information assurance research is also needed to yield
networks capable of surviving attacks while preserving
sensitive information. Among the activities should be the
creation of a unified and integrated framework for all
information assurance, rigorous methods to assess and manage
risk, quantitative techniques to determine the cost benefit of
risk mitigation strategies, systematic tools and simulation
tools to analyze cascade effects of attacks and new
technologies for resisting, recognizing and recovering from
attacks, accidents and failures.
More technical specialists should be trained to expand its
scholarship programs to build the university infrastructure we
will need for the long-term development of trained security
professionals. And to encourage safe computing the government
should support the development of education material and
programs about cyber space for all users, including home users
and small businesses, support programs to provide early
training and security practices in appropriate use.
In conclusion, our dependence on interconnected computing
systems is rapidly increasing and even short-term disruptions
from viruses and worms have major consequences. Our current
solutions are not keeping pace with the increased strength and
speed of attack and our information infrastructures are at
risk.
The National Cyber Security Division formed by the
Department of Homeland Security is a critical step toward
implementation of some of these recommendations. However,
implementing a safer cyber space will require the NCSD and the
entire Federal Government to work with State and local
governments, the private sector to drive better software
practices, more secure products, higher awareness at all
levels, increase research and development activities and
increase training for special computer users and all users.
Thank you.
[The prepared statement of Mr. Pethia follows:]
[GRAPHIC] [TIFF OMITTED] T2654.024
[GRAPHIC] [TIFF OMITTED] T2654.025
[GRAPHIC] [TIFF OMITTED] T2654.026
[GRAPHIC] [TIFF OMITTED] T2654.027
[GRAPHIC] [TIFF OMITTED] T2654.028
[GRAPHIC] [TIFF OMITTED] T2654.029
[GRAPHIC] [TIFF OMITTED] T2654.030
[GRAPHIC] [TIFF OMITTED] T2654.031
[GRAPHIC] [TIFF OMITTED] T2654.032
[GRAPHIC] [TIFF OMITTED] T2654.033
[GRAPHIC] [TIFF OMITTED] T2654.034
[GRAPHIC] [TIFF OMITTED] T2654.035
[GRAPHIC] [TIFF OMITTED] T2654.036
Mr. Putnam. Thank you very much. Our next witness is Mr.
Hale. Lawrence Hale is the Director of the Department of
Homeland Security Federal Computer Incident Response Center
[FedCIRC]. He has been active in the information assurance
community since 1996, when he served the chairman of the joint
Chiefs of Staff as an information assurance action officer
working on security interoperability issues. While at the
Pentagon Mr. Hale was a member of the Joint Staff Information
Operations Response Cell during a number of exercises and
actual cyber events, which have helped to shape U.S. Government
policy in dealing with computer security.
In January 1999, Mr. Hale became the first uniformed
military officer assigned to the National Infrastructure
Protection Center at the FBI Headquarters. While there he
worked to improve the process of issuing warnings of cyber
related events and served on the Y2K task force for the FBI. He
retired from the U.S. Navy as a commander in May 2001, has a
Master's Degree in national security and strategic studies from
the Naval War College and a Master's in aeronautical science
from Embry-Riddle.
Welcome to the subcommittee.
Mr. Hale. Good morning, Mr. Chairman and Ranking Member
Clay. On behalf of the Federal Computer Incident Response
Center of the Department of Homeland Security, thank you for
this opportunity to appear before you to discuss how we can
protect the Nation's computers. I am Lawrence Hale, Director of
the FedCIRC, which is part of the Department of Homeland
Security's Information Analysis and Infrastructure Protection
Directorate. FedCIRC is the Federal-civilian government's
trusted focal point for computer security incident reporting,
providing assistance with incident prevention and response.
Within the Department of Homeland Security Information
Analysis and Infrastructure Protection Directorate is the newly
established National Cyber Security Division. The National
Cyber Security Division is responsible for coordinating the
implementation of the national strategy to secure cyberspace.
Key functional areas within the division include Risk Threat
and Vulnerability Identification and Reduction, Cyber Security
Tracking, Analysis and Response Center and Outreach Awareness
and Training. The FedCIRC is now a component of Cyber Security
Tracking, Analysis and Response Center.
The National Cyber Security Division has combined the
information gathering and analytical capabilities of the cyber
watch elements of the National Infrastructure Protection Center
and the FedCIRC and coordinates with the National Communication
System. By doing this, the National Cyber Security Division not
only has the added benefit of enhanced resources but the
synergy of knowledge created from the unique resources from
each of these watch elements.
The Federal Government's ability to limit the effects of
the recent wave of worms and viruses on its networks
demonstrate how these collaborative relationships work and how
each participant's contributions help to assess and mitigate
potential damage. FedCIRC has the goal of securing the Federal
Government's cyberspace. FedCIRC, as noted in the e-Government
Act of 2002, the Federal Information Security Management Act,
serves as the Federal information security incident center for
the Federal civilian government. FedCIRC is the central
government non-law enforcement focal point for coordination of
response to attacks, promoting incident reporting and cross
agency sharing of data about common vulnerabilities. As such,
FedCIRC must compile and analyze information about incidents
that threaten information security and inform Federal agencies
about current and potential information security threats and
vulnerabilities.
FedCIRC demonstrated the National Cyber Security Division's
enhanced coordination role during the recent wave of worms and
viruses. Working closely with the CERT Coordination Center and
software providers, FedCIRC identified the potential impact of
newly disclosed vulnerabilities and developed corrective
actions in mitigating strategies. Federal civilian agencies
were advised of the existence of these vulnerabilities and
given actionable information on reducing their exposure to the
threats before attack programs were released. Patches were
developed, validated and disseminated to agencies. And working
closely with OMB and the Federal CIO Council, agencies were
instructed to take action to address the vulnerabilities and
report their status. As a result of these measures, the Federal
Government was better prepared to avoid damaging impact when
the exploit codes that were released in the attack phase of
these events occurred.
The National Cyber Security Division has a number of
initiatives underway to aid in threat vulnerability reduction.
As was mentioned, the majority of successful attacks on
computer systems result from hackers exploiting the most widely
known vulnerabilities in commercial software products. The
problem is not that patches to fix these vulnerabilities don't
exist, but that existing patches are not quickly and correctly
applied. Agencies must have a plan on how patch management is
integrated into their configuration management process.
FedCIRC's patch authentication and dissemination capability
[PADC], a Web enabled service that provides a trusted source of
validated patches and notifications on new threat and
vulnerabilities, is a first step.
FedCIRC's vision is to build from the ability of providing
validated patches to developing a more enhanced IT
configuration and vulnerability management program that will
automate the process. By automating the process, agencies will
no longer have the burden of having to manually apply patches
which will enable them to have more time to focus on building a
more robust configuration management program.
In closing, I would like to assure the committee that the
National Cyber Security Division is committed to building on
the success the FedCIRC has achieved in helping Federal
civilian agencies protect their information systems from the
most damaging effects of malicious code. National Cyber
Security Division must now translate this success to a national
scale. I look forward to continuing to work with OMB and the
Congress to ensure that we are successful in this important
endeavor.
[The prepared statement of Mr. Hale follows:]
[GRAPHIC] [TIFF OMITTED] T2654.037
[GRAPHIC] [TIFF OMITTED] T2654.038
[GRAPHIC] [TIFF OMITTED] T2654.039
[GRAPHIC] [TIFF OMITTED] T2654.040
Mr. Putnam. Thank you very much Mr. Hale. I would like to
welcome our distinguished ranking member and vice chair of the
subcommittee as well, and we will be taking their opening
statements at the conclusion of the first panel's remarks as
well.
Our next witness is Norman Lorentz. Mr. Lorentz joined the
Office of Management and Budget in January 2002 as Chief
Technology Officer, the Chief e-Government Architect for the
Federal Government. Mr. Lorentz is responsible for identifying
and developing support for investments in emerging technology
opportunities that will improve the Government's technical
information and business architectures.
Prior to joining the Federal Government, he was senior vice
president and chief technology officer for the IT career
solutions provider, Dice, Inc. In this capacity he directed the
development of technology strategy and infrastructure. He was
also the firm's chief quality officer and a member of the
executive committee. He brings to OMB extensive experience in
government.
From 1998 to 2000, he was senior vice president and chief
technology officer for the U.S. Postal Service. In 1998, he
receive the Board of Governors Award, the U.S. Postal Service's
highest recognition, and this year was named as a Federal 100
winner as well as recognition by Info World magazine as 1 of
the 25 most influential CTOs in the United States. And this is
your last appearance before a congressional committee as a
public servant with OMB, as you will be leaving that agency and
moving back into the private sector. So we appreciate your
service to the government and to this subcommittee, and you are
recognized.
Mr. Lorentz. Thank you, Mr. Chairman, and good morning,
members of the committee. Thank you for inviting me to discuss
this important topic of worm and virus defense. My testimony
today will address how the Federal Government protects its IT
systems from this pervasive threat.
By design, worms and viruses can cause substantial damage
and prove disruptive to normal business operations. For this
reason it is important for the Federal agencies to continuously
and rapidly take proactive measures to lessen the number of
successful attacks. The month of August proved to be an
unusually busy time for malicious code activity, beginning with
Blaster and then quickly spreading the SoBig.F worm. In
general, the Federal Government withstood these attacks and the
impact on citizen services was minimal.
Agencies have improved their protection against malicious
code by installing patches, blocking executables at the
firewall and using antivirus software with automatic updates.
Agencies, however, did report modest impacts associated with
both worms to date. Reports from Federal civilian agencies show
approximately 1,000 computers affected by each exploit. This
impact ranged from a slowdown in agency e-mail to temporary
unavailability of agency systems. A number of laptops proved to
be susceptible to the infection since configuration management
was even on these portable devices.
The Federal Government's ability to thwart worms and
viruses depends on a number of interlocking management,
technical and operational controls. It is critical that these
controls continue to evolve to keep pace with this increasingly
sophisticated threat.
First, how were vulnerabilities discovered? DHS's Federal
Computer Incident Response Center [FedCIRC], closely
coordinates with a number of industry as well as government
partners. These partners include Carnegie Mellon CERT, law
enforcement and the Intelligence Community. These organizations
routinely communicate advanced notice to DHS regarding the
discovery of software vulnerabilities in the development of
malicious code.
Second, how are agencies notified about these
vulnerabilities? OMB and the CIO Council have developed and
deployed a process to rapidly identify and respond to cyber
threats and critical vulnerabilities. CIOs are advised via
conference call as well as followup e-mail of specific actions
necessary to protect agency systems. Agencies must then report
through FedCIRC to OMB on the implementation of those required
countermeasures. This emergency notification and reporting
process was instituted for the Microsoft RPC vulnerability in
July and as a result the agencies were able to rapidly close
vulnerabilities that otherwise might have been exploited by the
Blaster worm. There are mechanisms that exist for protecting
systems.
The National Institute of Standard and Technology [NIST],
recommends that the agencies implement a patch management
program, harden all hosts appropriately, deploy antivirus
software and detect and block malicious code and configure the
network perimeter to deny all traffic that is not necessary. As
part of the statutory responsibility under FISMA, the National
Institute of Standards and Technology will publish in September
draft guidelines for incident handling. The guidelines will
discuss how to establish and maintain an effective incident
reporting and response program with an emphasis on incident
detection, analysis, prioritization and containment. The
guidelines will include recommendations for handling certain
types of incidents and the distribution of denial of service
attacks and malicious code infections.
Last, the problems presented by the patching systems. Patch
management is an essential part of any agency's information
security program and requires a significant investment in time
and effort. Agencies must carefully follow predefined processes
in order to successfully remediate system vulnerabilities
across the enterprise. A number of agencies utilize automated
tools to push the patches to the desktop. The automation of the
patch management process is significantly easier when the
agency maintains a standardized software configuration. At the
present, 47 agencies subscribe to FedCIRC's PADC capability.
This service validates and quickly distributes corrective
patches for known vulnerabilities.
In closing, OMB is committed to a Federal Government with
resilient information systems. Worms and viruses must not be
able or allowed to significantly affect agency business
processes. OMB will continue to work with the agencies,
Congress and GAO to ensure that appropriate countermeasures are
in place to reduce the impact of malicious code.
Thank you very much.
[The prepared statement of Mr. Lorentz follows:]
[GRAPHIC] [TIFF OMITTED] T2654.041
[GRAPHIC] [TIFF OMITTED] T2654.042
[GRAPHIC] [TIFF OMITTED] T2654.043
[GRAPHIC] [TIFF OMITTED] T2654.044
Mr. Putnam. Thank you very much.
Our next witness is John Malcolm. Mr. Malcolm is currently
a Deputy Assistant Attorney General in the Criminal Division at
the Department of Justice, where his duties include overseeing
the Computer Crime and Intellectual Property Section, the Child
Exploitation and Obscenity Section, the Domestic Security
Section and the Office of Special Investigations. Pretty robust
portfolio.
An honors graduate of Columbia College and Harvard Law
School, Mr. Malcolm served as a law clerk to judges on both the
U.S. District Court for the Northern District of Georgia and
the 11th Circuit Court of Appeals. For 7 years Mr. Malcolm was
an Assistant U.S. Attorney in Atlanta, GA, where he was
assigned to the Fraud and Public Corruption Section. Mr.
Malcolm also served as an Associate Independent Counsel in
Washington, DC, investigating fraud and abuse at HUD.
Prior to rejoining the Department of Justice in August
2001, Mr. Malcolm was a partner at the Atlanta law firm of
Malcolm & Schroeder, LLP.
Thank you for sharing your time with us and look forward to
your testimony, and you are recognized for 5 minutes.
Mr. Malcolm. Thank you for giving me this opportunity to
testify about the Department of Justice's ongoing efforts to
protect our Nation's critical infrastructure from the growing
problem of Internet borne worms and viruses. Although computer
viruses have been around for a long time, the ubiquity of
Internet access and household ownership of computers in the
United States have manifestly increased the deleterious impact
of viruses and worms on our critical infrastructure and on our
daily lives.
It seems that nearly every week we learn the name of a new
computer virus or worm that exploits flaws in commonly used
software and quickly spreads through the Internet. Some of
these, like the Blaster worm, make the front pages of
newspapers. These viruses and worms are merely the tip of the
iceberg. They are just the ones that receive the most public
attention. Hundreds more are released every year, posing a
daily challenge to those who are responsible for protecting
networks and investigating network attacks.
The effect of these viruses and worms should not be
underestimated. For example, in the United States, the Slammer
worm shut down the automatic teller machine system and caused
significant transportation delays when electronic ticketing
used for airline travel was affected. The Blaster worm and its
variants have affected hundreds of thousands of computers.
Moreover, since the Internet is seamless and borderless, the
harmful impact of worms and viruses is not limited to our
country but affects countries across the world. Clones or new
variants of malicious codes continue to crop up, raising
concerns that more damaging variants are right around the
corner. In many cases succeeding generations of viruses and
worms will build on its capabilities adding additional harmful
pay loads.
The worldwide damage to computers and data as well as the
productive time lost as the result of worms and viruses is
measured in the millions and by some estimates in the billions
of dollars. This damage has an undeniable adverse effect on
important sectors of our economy and potentially undercuts the
security of our Nation's critical infrastructure.
The Department of justice has devoted significant resources
to investigating and prosecuting persons who release malicious
codes on the Internet. These efforts have met with some
success. It bears mentioning, however, that tracking the
sources of worms and viruses on the Internet is difficult and
presents unique challenges to investigators because of the
speed with which programs are spread and fundamental
characteristics of computer networks, particularly in peer to
peer network applications. It is difficult to determine
precisely where an outbreak begins since simultaneous file
transfers can occur in computers literally throughout the
world.
Although tracking the sources of computer worms and viruses
is difficult, the Department of Justice is fully committed to
effectively investigating such attacks. The Criminal Division's
Computer Crime and Intellectual Property Section helps
coordinate investigations of computer crimes of all sorts,
including virus and worm attacks. These prosecutors in turn
train and work with computer hacking and intellectual property
units and computer and telecommunications coordinators in each
of the 93 U.S. Attorneys offices across the country. Together
this network of prosecutors working with law enforcement agents
from the Secret Service and the FBI and using important tools
provided by the Patriot Act provide an integrated approach to
addressing computer crime. Because the perpetrators of offenses
may live in other countries, the investigations involve an
international component that draws upon the Department's
contacts with law enforcement counterparts abroad. Indeed,
international cooperation is a foundation of the Department
strategy for combating cyber crimes, including worms and
viruses. Our efforts are rewarded whenever evidence is obtained
from foreign countries that further domestic investigations or
when we are able to furnish similar assistance to other
countries.
In addition to international outreach, Department attorneys
and agencies regularly meet with industry, trade groups and
State and local law enforcement officials in order to improve
communication. The Department of Justice pursues a message of a
culture of security where both individual users and
corporations view computer security as a key component for
successful computing experience. Experience sadly teaches us
that much of the damage to our computer networks is caused by
teenagers and young adults armed with free hacking tools,
plenty of time and too little moral teaching about how to use
computers and how not to use computers. Therefore, the
Department has also pursued educational programs directed to
youth, their teachers and parents. We describe the program as
cyber ethics. In fact, CCIPS, in an article authored by the
section chief, has published an article dealing with cyber
ethics in the current issue of Newsweek.
The Department of Justice continues to make progress in its
battle against computer crime and intellectual property theft.
Recognizing the challenges ahead, we look forward to continued
success in our efforts.
Mr. Chairman, that concludes my prepared statement. I look
forward to getting your questions.
[The prepared statement of Mr. Malcolm follows:]
[GRAPHIC] [TIFF OMITTED] T2654.045
[GRAPHIC] [TIFF OMITTED] T2654.046
[GRAPHIC] [TIFF OMITTED] T2654.047
[GRAPHIC] [TIFF OMITTED] T2654.048
[GRAPHIC] [TIFF OMITTED] T2654.049
[GRAPHIC] [TIFF OMITTED] T2654.050
[GRAPHIC] [TIFF OMITTED] T2654.051
[GRAPHIC] [TIFF OMITTED] T2654.052
[GRAPHIC] [TIFF OMITTED] T2654.053
[GRAPHIC] [TIFF OMITTED] T2654.054
[GRAPHIC] [TIFF OMITTED] T2654.055
[GRAPHIC] [TIFF OMITTED] T2654.056
Mr. Putnam. Thank you very much and thank all of you for
your adherence to our time restrictions. At this time I will
introduce the ranking member of the subcommittee, the
distinguished gentleman from Missouri, Mr. Clay.
Mr. Clay. Thank you, Mr. Chairman, especially for calling
this hearing and my thanks to the witnesses who have taken the
time to be with us today and share their expertise.
Computer bugs like worms and viruses are one more example
of the complexity of the world we live in. On the other hand,
they are one more example of the frailty of human beings and
the difficulty of legislating appropriate behavior. Many worms
and viruses we have seen are nothing more than exuberance of
youth experimenting with newly found freedoms and skill. As has
always been the case, the pranks of youth can have consequences
well beyond their capability to understand those consequences.
Last week, the FBI arrested a Minnesota high school senior
and charged him with intentionally causing and attempting to
cause damage to computers protected under Federal law. He faces
a $250,000 fine and 10 years in prison. This young man was so
naive that he built into his computer bug a direct link to his
own computer. Catching him was not difficult. However, the
damage done was real. The worm attack he participated in forced
shutdowns of computer systems at the Federal Reserve Bank of
Atlanta, the Maryland Motor Vehicle Administration, the
Minnesota Department of Transportation and part of 3M
facilities, including a plant in Hutchinson.
Unfortunately, most hackers are not as naive as this
Minnesota teenager nor as benign. One of the earliest publicly
documented cases of hacking was in 1988 at the Lawrence Berkley
Lab. Cliff Stone, an astronomer turned systems manager at
Lawrence Berkley Lab, was alerted to the presence of an
unauthorized user in the inner system by a 75-cent accounting
error. His investigations eventually uncovered a spy ring that
was breaking into government computers stealing sensitive
military information.
We are faced with developing public policy that recognizes
both the exuberance of youth and the real threat to our
government and corporations by those who seek to do us harm.
One element of that public policy must be a renewed attention
to preventing these attacks.
Mr. Chairman, I will not go through this entire statement,
but I think you have indicated that you are working on
legislation that would encourage corporate America to do a
better job of securing their computers, and I look forward to
working with you on that legislation.
The problems faced by corporations are much like those
facing the Federal Government and we should work together to
solve those problems, and I will submit the entirety of my
statement in the record. Thank you.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
[GRAPHIC] [TIFF OMITTED] T2654.057
[GRAPHIC] [TIFF OMITTED] T2654.058
[GRAPHIC] [TIFF OMITTED] T2654.059
[GRAPHIC] [TIFF OMITTED] T2654.060
Mr. Putnam. Thank you, Mr. Clay, and without objection your
entire statement will be included in the record. And at this
time I recognize the distinguished vice chair of the
subcommittee, the former Secretary of State of the great State
of Michigan, Ms. Miller.
Mrs. Miller. Thank you, Mr. Chairman, and I apologize for
being late this morning. I had an opportunity to speak on the
floor about the second anniversary of the horrific attacks on
our Nation. I certainly appreciate you holding the hearing
today and with the recent computer virus attacks on our
Nation's information infrastructure the importance of this
hearing is undeniable, timely and certainly appropriate. And
with three panels testifying, I will be very brief in my
opening statement.
The focus of today's hearing is to examine what steps are
being taken to protect the information infrastructure, both the
public and the private levels, from the spread of viruses. And
we in the Federal Government certainly have the responsibility
of protecting our citizens and ensuring that the infrastructure
individuals and businesses rely on is secure. In addition, the
government must protect its own systems in order to function
efficiently and effectively and this dual responsibility makes
the task facing the Federal Government particularly
challenging.
In April of this year testimony was submitted by Robert
Dacey of the GAO to the subcommittee citing a November 2002
cyber attack that affected both private and government networks
and caused $900,000 in damage to computers. This is obviously a
significant figure. And if a large scale cyber attack were
implemented not only would the damage caused to computers be
considerable but the additional financial loss and damage to
the physical infrastructure could seriously affect the
operations of our Nation.
And actually we in the House of Representatives have
firsthand knowledge of how potentially devastating these
viruses can be. The recent Blaster and the SoBig virus attacks
of just a few weeks ago nearly crippled the House e-mail
network by overloading service with a complex array of
erroneous messages. Fortunately, the combined efforts of the
House Information Resources and the systems administrators and
the Members' offices limited the extent of damage that the
virus creators had likely hoped for.
In fact, these attacks likely inhibited our Nation's
ability to adequately respond to the vast power outage
experienced by the eastern half of our Nation. I certainly
shudder at the thought of what could happen to everyday
businesses if a successful virus or worm crippled our Nation's
power grids or financial networks, the Internet, government
networks or any other infrastructure that we rely so heavily
on.
Viruses are a new weapon of attack for those who wish to do
harm to this great Nation. The creators of these weapons are
terrorists, quite frankly, cyber terrorists who want to disrupt
our way of life and to cause considerable harm to our economy
and infrastructure. And as with the terrorists that we are
fighting with conventional means, these cyber terrorists are
using the freedoms that we hold dear against us. They can
unleash an attack on our soil from anywhere in the world, and
we must be prepared.
Mr. Chairman, thank you for holding this important hearing.
Certainly protecting our Nation's information infrastructure
must be a top priority of the Congress. Thank you.
Mr. Putnam. Thank you very much, Mrs. Miller. We will get
to the questions.
Mr. Hale, what percentage of the Federal Government had
already downloaded the patch for Blaster prior to its release?
Mr. Hale. Mr. Chairman, I don't have the exact figure with
me. It is safe to say in the approximately 4 weeks between the
time the vulnerability was announced by Microsoft and the
advisories from FedCIRC were issued the vast majority of
agencies had downloaded the patches, and I will if given the
opportunity try to provide you a more measured answer in
writing.
Mr. Putnam. What percentage of the Federal Government
subscribes to FedCIRC's program?
Mr. Hale. All Federal agencies receive advisories from
FedCIRC, the PADC program in specific; 47 Federal agencies are
subscribing to PADC. But PADC is just one part of an agency's
patch management strategy. And many agencies have other methods
of getting their patches, testing them and applying them. The
information the advisories provided by FedCIRC go to all
agencies.
Mr. Putnam. So then, Mr. Lorentz, how many different
options are utilized by the various agencies to handle patch
management? Sounds like some contract with the private sector.
Some do it internally. Some subscribe to PADC. So we've got a
lot of different patches to doing that.
Mr. Lorentz. There are different approaches. We do not
dictate which method that they use. As part of our FISMA
oversight, we do require them to have specific plans, risk
mitigation, patch management. We are soon to get the annual
FISMA reports on September 22nd on that. But the important
issue here, as you can tell from the testimony of everyone
here, is that the only way we're protected is if all the dots
are connected, the configuration management, the patch
management, the management oversight to make sure those
processes are implemented as appropriate, the adherence to the
information provided by FedCIRC. So there can be variation in
the tools, but there cannot be variation in the expected
outcome or how those dots are connected in order to mitigate
the problem.
Mr. Putnam. Mr. Malcolm, you mentioned a number of issues
about the law enforcement approach to computer security. How
many people have actually served time in jail for releasing
malicious code, worms and viruses?
Mr. Malcolm. There are a couple of instances that
immediately come to mind. One was Mafia Boy in the United
States who was actually prosecuted in Canada. He ended up
getting a sentence. There was David Smith, who was arrested and
charged and successfully prosecuted for releasing the Melissa
virus. I believe he got a 20-month term of imprisonment.
I would add in that regard the U.S. Sentencing Commission
is reevaluating the guidelines as they apply to these sorts of
offenses and we expect significant increases. There have been
other perpetrators who have been identified of course. Mr.
Parsons was alleged to have--he has only been charged. He is
presumed to be innocent. I don't know if convicted of those
offenses what kind of prison term he would get. I can get back
to you with a more precise answer as to that.
Mr. Putnam. We have heard testimony that there are hundreds
of viruses per year and millions or maybe even into the
billions of damage done. Is there a different attitude or is
there a different approach about cyber crimes than there is
about other types of crimes? Has our sentencing guidelines, our
judicial system, our laws, our legislative branch not kept up
with the technology that can promulgate new types of threats?
Mr. Malcolm. In terms of keeping up with the laws obviously
emerging technologies present all kinds of problems for law
enforcement, and so we need to constantly reevaluate the state
of our laws. And USA Patriot Act, one of the provisions
provides now for nationwide service of process of pen trap
orders and an explicit recognition. The pen trap orders apply
to noncontent interceptions over the Internet. That is an
important step in conducting these sorts of investigations.
I am not going to suggest that it is going to be the last
such step that is necessary. It's certainly true that as these
worms and viruses become more sophisticated and proliferate at
a greater rate, the potential damage is real. I think
historically there has been a perception that crimes taking
place in the physical world are somehow more serious than
crimes taking place over the cyber world. I believe that
perception is rapidly breaking down, and I expect the
prosecutions and sentences to increase.
Mr. Putnam. Mr. Pethia, Carnegie Mellon has done much more
work on this than anyone. I would like you to comment on this
different attitude. When we had conversations with the private
sector when I was in Silicon Valley, the analogy is always used
that people rattle their door knobs and rattle their locks
thousands of times per day depending on which firm it is.
Obviously you have high profile targets in the IT world and
some are lower. But some are getting thousands of door
rattlings per day and they choose not to report it. They don't
want to give any uneasiness to shareholders or to consumers, so
they just accept it as part of this Internet culture, and it
results in hundreds of true viruses per year.
Is there a different attitude about the Internet and crime
and consequences?
Mr. Pethia. I don't know about different attitude, but I
sense a certain complacency, that people have become so
accustomed to the problem and are often so overwhelmed with the
problem, so unable on their own to change some of the root
causes of the problem, that they've simply chosen to live with
it as best they can.
You're right, many don't report the attacks, but, again,
many are so trivial and so common that if you were to report
them, it's not clear what anyone would do with all of that
data. In fact, separating the wheat from the chaff, the serious
attacks from the trivial, has become an increasing challenge
for all of us who do any kind of instant response. Buried in
all of this are the serious attacks like the Blasters and the
SoBigs and the people who are intent to do malicious damage.
But, I think the widespread recognition is that the
problem's here and it's serious, but I think individuals don't
know what they can do above and beyond putting controls in
place in their own organizations.
Mr. Putnam. You don't think that there's necessarily a
different attitude about it?
Mr. Pethia. I think it's more an attitude of complacency
and acceptance and just frustration over not knowing what steps
that they can take as individual organizations or as
individuals to make a difference.
Mr. Putnam. Have you ever heard of something called a Black
Hat convention?
Mr. Pethia. Sure.
Mr. Putnam. What is that?
Mr. Pethia. There are a number of different conferences.
There are two that are typically held every year about people
who talk about the Black Hat conference, or people who at one
time wore black hats, they broke into and attacked computer
systems. That conferences is now typically attended by white
hats and not black hats, but they talk about weaknesses in
software. They talk about what can be done to improve the
situation. They talk about how do we exploit some of these
problems so they recognize very much how widespread and serious
this problem is, and in their own ways they try to take steps
to get corrections out to the world.
Mr. Putnam. What percentage of those who are attempting to
hack into computers and exploit code vulnerabilities, what
percentage of them are bright, capable teenagers seeing what
they can do, and what percentage of them are malicious? What
percentage are based offshore, and what percentage are based
domestically?
Mr. Pethia. Those are good questions. I wish we had answers
to those. You know, we all have our guesses, but I don't know
of anyone who's done any detailed studies about what's called
the Internet underground, what the composition of that culture
is or even what the economy is. There's an underground economy
that's growing, that trades in things like account names and
passwords and Social Security numbers that are pirated and
drivers' license numbers that are pirated, and I don't think
any of us really has a good understanding of what that culture
is or how big it is or how many different kinds of people play
in it.
One thing that is really clear is that it is literally
child's play to break into many of the systems that we have
today, and when a level of skill needed to attack a system is
so low, you can expect all kinds of players to come into that
arena.
Mr. Putnam. When the conventioneers, whether they're
wearing black hats or white hats, when they come together in
the good of their heart, talk about ways to improve the system
and draw attention to different software companies'
vulnerabilities, do they ever ask for money or credit or
acknowledgment or anything in exchange for disclosing that
information?
Mr. Pethia. There certainly are cases where these
individuals have tried to extort money from vendors in order to
not publicly disclose patches or vulnerabilities in their
products. We've certainly seen cases where individuals have
tried to extort organizations because they've uncovered
weaknesses in their operational systems and have expected money
in return not to make that public or to exploit those
vulnerabilities in some way. So there is a maliciousness there
in some cases.
Mr. Putnam. Mr. Malcolm, do you have any other comments
about the source and origin and nature of these hackers? Are
they primarily international, domestic, teens, professionals?
Mr. Malcolm. I think you can really break that down into
different categories in that you have a core group of
committed, highly sophisticated hackers who come up with
sophisticated worms and viruses, and then unfortunately what
they do frequently is there are chat rooms and Internet sites,
news groups in which hackers communicate, and literally
somebody who develops a very sophisticated hacking tool can put
it out there so that so-called script kiddies, unsophisticated
people who just happen to go to that site, can then utilize
that tool.
So the level of sophistication can vary dramatically among
hackers, and because these tools are made available on the
Internet, lots of people can then implement them to cause
damage. I think that because the Internet is borderless and
seamless, and there are people who are hell-bent on destruction
and technically savvy around the world, you have perpetrators
who are domestic and perpetrators who are international.
Mr. Putnam. Thank you very much.
Mr. Clay. The Chair recognizes.
Mr. Clay. Thank you.
Let me ask any of the three, Mr. Dacey, Hale, and Lorentz:
Did the Department of Homeland Security collaborate effectively
with Microsoft and the antivirus companies in the Department's
effort to issue advisories? And you can start, Mr. Lorentz.
Mr. Lorentz. In our view, the proof is in the results. The
problems were, for the most part, in general, mitigated, and
there was two pieces of that.
First of all was getting the information out about the
remediation, which they did, and then was really following up
and holding the agencies accountable on our behalf, to make
sure what the implementation was and reporting that back, and
we did that in a manner so that we could share what people's
experiences were. So, in our view, it was in both of these
incidents that we've had recently they did a find job.
Mr. Putnam. Thank you.
Mr. Dacey, anything to add?
Mr. Dacey. In terms of that, I'd just like to add one
thing. We did do some analysis and gathered information with
respect to the two vulnerabilities, the Microsoft RPC and the
Cisco, and in those cases there was a fairly active discussion
and reporting that took place on those two. As Mr. Lorentz
indicated, for those two specifically, which were deemed
critical, there were separate teleconferences and data requests
that were sent out to agencies to ask, you know, what they had
done and whether or not they had patched their systems in
response to them.
I think that is a process which has taken place, I believe,
on a few of the occasions prior to this, but I know that there
is some opportunity there which would be acknowledged to
improve that process, to make sure that people have been
communicated to in a rapid manner by standardizing processes
and procedures for that communication to occur. But I would
also defer to Mr. Hale, who could probably speak more to the
specifics of those interactions.
Mr. Clay. Great.
Mr. Hale. Yes, sir. I appreciate the remarks of my
colleagues, and I just wanted to point out that those, as well
as the Cisco vulnerability, the IOS vulnerability that has
occurred in the past 3 months has been the major events in
cyber incidents that have occurred since the formation of the
national Cybersecurity Division, and so those are indicative of
the kind of coordination and collaboration that this Division
has started to do and intends to build on to improve not only
the information-sharing among the Federal agencies, but also
with the critical infrastructure protection community.
Mr. Clay. Let me ask you, Mr. Hale, in creating the
Homeland Security Department, Congress moved the Federal
Computer Response Team from GSA to Homeland Security. How has
this move affected that group? Did anyone leave the Agency,
rather than move, as we saw with some other agencies, and did
the move affect the group's ability to respond to any of the
more recent attacks?
Mr. Hale. The effect was entirely positive, sir. The
FedCIRC was under GSA, had a focus on the security of Federal
agencies in providing a service to Federal agencies, our
customer base, and thanks to the provisions of FISMA, Federal
Information Security Management Act, FedCIRC was able to remain
focused on that mission and continue to provide our services to
our customers. We didn't lose any staff members as a result of
going to the Department of Homeland Security; in fact,
recruiting to fill our vacancies became increasingly easier
because there were a lot of people who were very interested in
becoming part of our efforts to help cybersecurity and the
Federal agencies, and by joining forces with the National
Infrastructure Protection Center and the other elements of
NIAP, we've actually improved our ability to gather information
and disseminate information to the customer base.
Mr. Clay. Let me ask you, Mr. Malcolm, recent viruses and
worms, such as Code Red, Nimbda, and Slammer, have brought
large portions of the Internet to a halt, caused extensive
expenses and lost revenue, and consumed the attention of tens
of thousands of computer security professionals, computer
network administrators and users. These are serious crimes.
Have law enforcement officials found and arrested the
individual responsible for these viruses and worm attacks?
Mr. Malcolm. They've also consumed the time and attention
of a lot of dedicated law enforcement agents. Of course, the
Department doesn't comment about ongoing investigations;
however, I think it is safe to say that with each of the worms
and viruses you have identified, those are all matters of
ongoing investigation in which we work cooperatively with our
international counterparts. We have some successes, as with the
criminal complaint that's been filed in the variant ``B'' of
the Blaster worm, but I think it is safe to say that there is a
lot more work to be done, and unfortunately, we not only have
to act retroactively, but because these worms and viruses come
out weekly, we have to react prospectively as well.
Mr. Clay. Are the individuals who are responsible for these
attacks, are they still at large today?
Mr. Malcolm. Other than those who have been arrested either
here or overseas by international counterparts, yes, they're
still at large, unless they've died.
Mr. Clay. And you work with international law enforcement,
too?
Mr. Malcolm. Twenty-four hours a day, 7 days a week.
Mr. Clay. How many have you arrested out of the viruses
that I named, the three that I named, Code Red, Nimbda and
Slammer?
Mr. Malcolm. I don't know the answer to that question. I
believe they are all matters of ongoing investigation. I'm not
sure off the top of my head of any arrests in those particular
cases, but I can go back and check, and if there's anything
that's a matter of public information, I'd be happy to furnish
it.
Mr. Clay. Would you share that with us?
Mr. Malcolm. If that's public information, I certainly
will.
Mr. Clay. Thank you, Mr. Chairman. That's all.
Mr. Putnam. Thank you.
Mrs. Miller.
Mrs. Miller. I thank you, Mr. Chairman. I'll just ask a
couple of questions here, but I think the nature of my
questions are reiterating what all the committee members are
talking about here and what is really happening as far as the
attitude that our Nation has and our Justice Department, our
law enforcement has toward these cyberhackers.
You know, I was following here in the papers recently where
the recording industry has filed all these lawsuits against the
file sharers. I know 200 lawsuits or whatever. Obviously,
that's not really terrorism, unless you're a recording star,
you're losing all this money, right? But I was interested in
the response of these college kids who are downloading all this
music and are getting sued, and they certainly don't care about
that. We're going to continue to down--I mean, their attitude
is unbelievably cavalier, I think, to breaking the law by using
electronic means to do so, and perhaps that is part of the
problem we have with these cyberhackers is the attitude of our
legislature, of our law enforcement; I mean, are we serious
enough? And as you were mentioning, some of the--you know, is
it just college kids who are doing this? Obviously not. You've
got the whole realm of different kinds of people who are doing
the cyberhacking.
Have you ever done a psychological profile? I mean, these
people are terrorists that are trying to shut down, as I was
mentioning, power grids or those kinds of things. That's not
downloading music. Let me ask you first about that, as far as
the Justice Department. Has there been a psychological profile?
I mean, there must be some type of common trait, common
element. It would be like an arsonist, right? You see the fire
services do profiles of arsonists. These are people that burn
buildings and stand back, and there's a whole profile about
these kinds of people that perpetrate that kind of crime.
Mr. Malcolm. I'm not aware of any psychological profile. I
think that perhaps I could contrast the situation with an arson
in that unless somebody wants to literally kill somebody inside
a building, arsonists tend to be motivated by one purpose, and
that is collect the insurance money.
In terms of hackers, I think you run the gamut. You
obviously have, perhaps, terrorists who are interested in
exploiting critical infrastructure for destructive ends. You
can have political ``hactivists'' who go on to deface Web pages
of something that they are protesting. You have sophisticated
hackers who take pleasure in trying to stay one step ahead of
the technological development of law enforcement, who take
pleasure in their ability to outwit law enforcement by masking
their activities. And you also have, as I say, these script
kiddies who are more or less with respect to their use of the
computers who were out there on a lark. They all cause harm of
varying degrees. We take them all seriously.
Mrs. Miller. Let me just ask one other question in regard
to the Patriot Act. You mention the Patriot Act, and the
Patriot Act, of course, there's been a lot of consternation
talked about the Patriot Act of whether or not privacy--a lot
of privacy advocates are concerned about how the Patriot Act is
being implemented, how you are identifying and apprehending
culprits.
I'm a supporter of the Patriot Act, and I'm just wondering
how that particular tool has assisted the Justice Department in
our law enforcement, and are a lot of these concerns being
raised by the Patriot Act impeding your ability to prosecute,
apprehend people, identify them, etc.? How is the Patriot Act
helping you?
Mr. Malcolm. There are several questions in there that kind
of cut across a broad swath. Let me respond to the more narrow
question, then I can fill in as you would like me to.
With respect to hacking investigation, any crime that is
taking place online, time is absolutely of the essence. If you
can catch somebody while they are in the act or trace their
communications either in real time or very shortly thereafter,
your odds of catching somebody go up dramatically. Internet
service providers don't retain records typically for a very
long period of time, and people can very quickly cover their
tracks.
There are a number of provisions in the Patriot Act that
help. There is, one, the hacker trespass exception of the
Patriot Act. If somebody breaks into a system, the owner of
that system now can give consent to the government to go in and
track the activities of that hacker while they are taking
place. Certainly the ability to go and get a pen/trap order in
one district and use that order to follow the communications
from ISP to ISP to ISP, to get those records frozen as quickly
as possible, has proven of invaluable assistance. There are
other tools such as nationwide service process for search
warrants, subpoenas, all of which have been instrumental in
terms of these investigations.
Mrs. Miller. Thank you.
My last question just to the panel, I suppose. Obviously,
the Federal Government has their own role to play in protecting
our own information and security systems and that, but I think
the public needs to be educated on security, computer security,
as well. I'm not sure who I'm asking this question to; any of
the panelists, I suppose. Do you have a feeling that there is a
role for the Federal Government to play in regards to educating
the general public about security safety and how important it
is?
Mr. Pethia. I'm going to start just by saying I think
that's something that I think is a strong role for the Federal
Government, and it needs to happen across the country with
people of all ages and all occupations. Starting at the
elementary school level or where we teach students about
computer skills, we need to teach them about computer ethics
and the risks of working with computers and interacting in the
Internet age. We teach our children how not to get into cars
with strangers. We should teach them how not to get into chat
rooms with strangers as well. So from there all the way up
through the home user, the retired home user, all of these
people are vulnerable to some kind of problems because of
security or lack of security on the Internet, and I think there
is a strong role for the government there to put together that
kind of awareness, to put together those kind of training
programs and make them broadly available.
Mr. Lorentz. I think I would just add I think that our
government has a responsibility to our citizens. As part of the
management agenda, security is clearly one of the things we are
looking at. It cuts across public and private-sector activity.
We do have a role in clearly communicating what's acceptable,
what's not, creating that common language, if you will, and it
begins with exhibiting the behaviors that we would wish to see.
Mr. Hale. I would definitely endorse the statements. In
fact, with home computers being connected and always on, it's
nothing short of a patriotic duty to maintain the security of
your home computer because it can be used to attack other
computers by other people.
Mrs. Miller. Thank you Mr. Chairman.
Mr. Putnam. Thank you, Mrs. Miller.
Mr. Malcolm, are there differences among nations in the
laws regarding cybercrimes, and are there other nations who
have particularly more effective means of enforcing them and
have a greater success rate in prosecution, and are there
certain countries that are more or less helpful to us in
investigative work?
Mr. Malcolm. I think the short answer to all of those
questions was yes. There are a couple of things that I can say
in that regard. One is we cooperated with our international
counterparts throughout the world in terms of drafting the
now--well, it hasn't been ratified in this country, but the now
implemented accounts in the Europe Cybercrime Convention. One
of the beauties of the cybercrime convention in addition to
encouraging international cooperation is that it mandates
signatory countries to update their substantive and procedural
laws with respect to computer hacking offenses, which would
include worms and viruses.
Mr. Putnam. Updates them to presumably a certain standard?
Mr. Malcolm. That's right.
Mr. Putnam. And are we already at that standard in the
United States?
Mr. Malcolm. We're constantly retinkering, but, yes, we try
to maintain the highest standard that we can. We work
cooperatively with Congress in that endeavor. And I would add
that the Department of Justice, although not uniquely--the
Department--the State Department certainly, too--goes overseas
and works with legislators and law enforcement officers in
other countries to try to keep their laws updated as well.
From other entities, such as the G-8, there is a high-tech
unit that's called the 24/7 network in which we are able to
communicate with law enforcement counterparts in these fast-
breaking investigations on a moments notice, 24 hours a day, 7
days a week. There are 30 countries that are members of the
high-tech 24/7 network. We're encouraging other countries to
join. Some countries have better facilities, training, more
money to devote to this effort than other countries, but we're
encouraging all of them to stay current.
Mr. Putnam. But you're not aware of any one particular area
of the world that is a source of more hacking attempts than
another?
Mr. Malcolm. The answer to that question, with respect to
Internet piracy, with respect to hacking, I don't know the
answer to that question, Congressman.
Mr. Putnam. Mr. Pethia, do you?
Mr. Pethia. No, not that's been sustained over any long
period of time. For a while, there were a number of viruses
that for some reason came out of Bulgaria, and you see short
periods of time where you'll see an increase of activity from
some geographic area, but nothing that I know of that's been
sustained over a long period of time.
Mr. Putnam. We may hear more about this in later panels.
For the OMB, how long does it take, because everyone has
different patch management systems--are you able to measure how
long it takes for all of the computers to download the patch
when a particular vulnerability is released and the patch is
also then released? Do you know when everyone has taken
advantage of it?
Mr. Lorentz. I can answer the more management aspect of
that and later get into the technical, because they basically
act as our agent in that. But we literally are advised of the
vulnerability, we call attention to the vulnerability. FedCIRC
makes the agency aware of what the remediation of the patch is,
and then we specifically set a time to get back to monitor the
adherence to the remediation.
And it's in the last two incidents that's exactly what we
did, and I would feel quite sure that FedCIRC probably has some
cycle time issues that they can look at in terms of how long it
actually takes, but, you know, there's two aspects to all of
this. The most significant aspect is the management aspect, and
that is holding people accountable once they know, and it's
mutually accountable to CIOs as well. Once they know that there
is an incursion, that the patch has to be applied, and that
there's accountability to apply, then there's the obviously
technical nature of things, and there's a number of technical
capabilities that are equally effective, but I would pass it to
Larry on the cycle time question.
Mr. Hale. For the 47 subscribers of patch C, we can tell
when they download, but even that is--can be a misleading
statistic, because one download can serve thousands of
computers, and an agency may download one time and take care of
their whole enterprise with that. So we've tried developing
metrics with industry with the software manufacturers, and
that's the constant refrain is you can't measure how many
computers have been inoculated by a single download, but it's
the best thing we've got is to tell that agencies are
downloading the patches.
Now, with the patch C system, agencies can also--once
they've inoculated their systems, they can enter in the report
and say--it requires a manual entry, but say that we've
completed 90 percent or we've completed 99 percent or 100
percent of computers affected by this vulnerability, so there's
a method built in for reporting back.
Mr. Putnam. Mr. Malcolm, if someone were to break into Coca
Cola's headquarters in Atlanta and go into the office and steal
the recipe for Coca Cola, what would be a ballpark estimate
assuming they were arrested and convicted, what type of
consequence would they face for that?
Mr. Malcolm. Mr. Chairman, there are a lot variables that
would go into answering that question.
Mr. Putnam. Ballpark. I'm not a judge.
Mr. Malcolm. Well, in the interest of trademark
infringement, theft, I would estimate statutory penalties at 10
years or so, depending on whether or not the person has a prior
record. That would obviously affect their sentencing
guidelines.
There are just too many variables for me to answer that
question, without having a guideline book in front of me, but
obviously the factors are what are the charges, what is the
severity of the loss, what is the person's past criminal
record?
Mr. Putnam. Well, what would it be if they hacked into Coca
Cola's computer system and downloaded the secret recipe?
Mr. Malcolm. Same answer: You would have all sorts of
variables as to whether or not they abused a position of trust,
what was the damage that they cased. It could obviously be, in
the case of Coca Cola, a major company, a major loss, a
significant period of time.
Mr. Putnam. Would it be significantly different than had
they physically taken it?
Mr. Malcolm. There are different guidelines factors that
would take into account the fact that a computer was used, and
special skills were used, and, depending on who this person
was, whether or not they abused the position of trust. There
are, under the sentencing guidelines--there are just too many
individual case-specific factors for me to give you an accurate
answer to your question. I think it is safe to say that if this
was a major product and caused a serious loss, I would expect
the dollar figure to be high, and that will dramatically
increase the sentence since the major factor that is taken into
account by the sentencing guidelines is the loss to the victim.
Mr. Putnam. OK. There are hundreds of viruses released
every year, according to the testimony of this panel. The
damages range into the billions, according to your testimony.
Mr. Malcolm. Yes.
Mr. Putnam. If you could only recall two arrests, two
convictions, two jail times--you mentioned David Smith and one
other.
Now, I asked, what's the source of the threat? Well, we
really don't know. Is it foreign or domestic? Well, we really
don't know. That seems to reinforce a premise that cybercrime
is treated vastly different than some other crime that caused
billions in damage and shut down power grids and shut down
departments of transportation and threatened security systems
within and without the government. It would suggest that there
is a different approach, a different attitude, a different
level of concern about cybercrime. Would you agree or disagree
with that?
Mr. Malcolm. I would reject that implication totally. There
are, of course, other instances in which perpetrators had been
identified; for example, the fellow in the Philippines who
promulgated and released the ILOVEYOU virus. I would also say
that there are--you know, the Department of Justice is well
aware, as is the Department of Homeland Security, that
cybervulnerabilities are among the most critical problems that
we have and could have a dramatic impact in terms of protecting
our critical infrastructure.
These are unusually complicated investigations in which
very sophisticated people are very good at covering their
tracks. To somehow suggest that just because there are fewer
public arrests out there in the media, that this is not an
absolutely high, high, high priority at the Department of
Justice would be a completely wrong assumption to make.
Mr. Putnam. OK. I take it at your word.
Any other questions from the subcommittee members?
Very well. We will dismiss panel one and seat panel two as
quickly as possible.
Thank you very much, gentlemen, for your input, and those
of you who can, we would encourage you to stay around and
listen to the private sector comments as well.
[Recess.]
Mr. Putnam. Very well. The subcommittee will reconvene.
I've asked panel two to rise and please be sworn in.
[Witnesses sworn.]
Mr. Putnam. Note, for the record, all the witnesses
responded in the affirmative.
We appreciate you being seated as quickly as possible, and
we will move straight to your testimony. I would ask that you
be as good about maintaining our 5-minute rule as the first
panel was.
Our first witness is Mr. Gerhard Eschelbeck, overseeing
Qualys' engineering and operation. Gerhard Eschelbeck is
responsible for protecting over 1,100 corporate networks. He's
an internationally recognized security and distribution systems
expert and was recently recognized as 1 of the 25 most
influential CTOs by InfoWorld Media Group.
Prior to joining Qualys, Gerhard was senior vice president
of engineering for security products at Network Associates;
vice president of engineering of antivirus products at McAfee
Associates. He was a research scientist at the University of
Linz, Austria, from which he earned his Master's and Ph.D.
degrees in computer science. He has authored many articles and
papers and is inventor of numerous patents in the field of
network security automation, and is a frequent speaker at
networking and security conferences worldwide.
Welcome.
Glad to have you at the subcommittee, and you're
recognized.
STATEMENTS OF GERHARD ESCHELBECK, CHIEF TECHNOLOGY OFFICER AND
VICE PRESIDENT OF ENGINEERING, QUALYS, INC.; CHRISTOPHER
WYSOPAL, CO-FOUNDER, ORGANIZATION FOR INTERNET SAFETY AND
DIRECTOR OF RESEARCH AND DEVELOPMENT, @STAKE.INC.; AND KEN
SILVA, VICE PRESIDENT, OPERATIONS AND INFRASTRUCTURE, VERISIGN,
INC.
Mr. Eschelbeck. Mr. Chairman and members of the
subcommittee, thank you for the invitation to testify about my
research on network vulnerabilities. The business of my company
gives us a front row seat to new threats against networked
computers and communications systems. Qualys provides an
automated service over the Web to audit the security of
networks.
I've just analyzed more than 1.2 million network
vulnerabilities found by our virus scanning service during a
recent 18-month period. This vast data pool demonstrates that
known risks are far more prevalent than anyone has imagined.
Analytical data also demonstrates a new breed of automated
Internet-borne viruses and worms that mock traditional security
defenses.
The source of data for my analysis was anonymous results
from 1.5 million security audit scans made by organizations
worldwide. We learned four themes that are called the laws of
vulnerabilities. The law of half-life talks about the fact that
it takes an average of about 30 days for organizations to fix
50 percent of their vulnerable systems within enterprises. The
law of prevalence talks about the fact that half of the most
prevalent and critical vulnerabilities are replaced by new ones
each and every year. The law of persistence: Some old
vulnerabilities recur due to the deployment of unpatched
software as part of new rollouts. The law of exploitation,
finally, talks about the fact that 80 percent of the
vulnerability exploits are available within 60 days of public
announcements.
Automating defenses against these threats is crucial,
because human-based efforts are not working. In each case of
recent damaging strikes, we've had advanced warning; weeks,
even months, to prepare for known vulnerabilities, yet
attackers were still able to hit hundreds of thousands of PCs
and servers.
Risks to network and system security are increasing because
the triggers are becoming automated, requiring no human action
to deliver destructive payloads. Earlier first-generation
threats are virus-type attacks, spreading with e-mail and file-
sharing. They require human action to trigger, such as opening
an infected file attachment. An example would be the most
recent SoBig virus.
Second-generation threats comprise active worms leveraging
system and application vulnerabilities. Penetration occurs
without requiring user action. Replication, identification,
targeting of new victims are automatic. Blended threats are
common, such as incorporating viruses and Trojans.
A third generation of threats is now posing trouble. We've
already seen the potential for damage. The SQL Slammer worm
rapidly hit more than 75,000 homes running Microsoft SQL
server, caused major damage worldwide. SQL Slammer was the
fastest worm ever, infecting more than 90 percent of the
vulnerable systems within 10 minutes.
A few days after Microsoft published a DCOM vulnerability
in July 2003, Qualys's automated scanning service ranked this
security vulnerability as the most prevalent vulnerability
ever. Following the laws of vulnerability, Blaster and its
derivatives appeared 3 weeks later, infecting more than 100,000
systems per hour at its peak. Urgency's now rising from a
shortening discovery/attack cycle. SQL Slammer happened 6
months after discovery; Nimda was 4 months; Slapper was 6
weeks; and Blaster and Nachi came just 3 weeks after news of
the vulnerability.
Public policy for network securities should strongly
encourage the use of automation as an equal force response to
automated tools used by attackers. Automating defense
strategies include regular security audits of networks and
systems, keeping antivirus software up to date, timely patch
management, and the ongoing variation of security policy.
To summarize, many vulnerabilities linger, sometimes
without an end. New attacks are capable of spreading faster
than any possible human response effort. Protecting our
networks is a continuous process of eliminating critical
vulnerabilities on the regional, national and international
scale.
In conclusion, public policy should demand timely detection
and a rapid application of remedies providing protection from
these threats.
Thank you for the opportunity to testify, and I look
forward to your questions.
Mr. Putnam. Thank you very much, Mr. Eschelbeck.
[The prepared statement of Mr. Eschelbeck follows:]
[GRAPHIC] [TIFF OMITTED] T2654.061
[GRAPHIC] [TIFF OMITTED] T2654.062
[GRAPHIC] [TIFF OMITTED] T2654.063
[GRAPHIC] [TIFF OMITTED] T2654.064
[GRAPHIC] [TIFF OMITTED] T2654.065
[GRAPHIC] [TIFF OMITTED] T2654.066
[GRAPHIC] [TIFF OMITTED] T2654.067
Mr. Putnam. Our next witness is Chris Wysopal. Mr. Wysopal
is director of research and development at @stake.Inc, managing
@stake's pioneering research in application security. His
primary focus is building products to assure and test software
security. Working with vendors and the general public, Mr.
Wysopal was also responsible for managing @stake's
vulnerability research and disclosure process.
His career in the information security industry has spanned
over 13 years where he has held positions in industry while
also serving as regular advisor to various government agencies.
Prior to joining @stake, Mr. Wysopal was senior security
engineer at GTE Internetworking, formerly known as BBN, where
he was the most senior engineer on the IT security staff. In
addition, Mr. Wysopal is coauthor of the award-winning
password-auditing program, LC3, which is used by more than
2,000 government, military and corporate organizations
worldwide. And, finally, he is a founding member of the
Organization for Internet Safety.
Welcome to the subcommittee. We look forward to your
testimony.
Mr. Wysopal. Chairman Putnam and members of the committee,
thank you for inviting me to testify today on the subject of
protecting the Nation's computers from viruses and worms. This
is a great honor for me. My company @stake consults for the
Fortune 1,000, including four of the world's top software
companies. We help them build more secure software and secure
their infrastructures. I am also a founding member of the
Organization for Internet Safety. OIS is a group of software
vendors and security companies joined together to produce a
process for reporting and responding to new vulnerability
information safely.
Today I would like to cover three pertinent issues: The
software development process, the vulnerability research
process, and finally, responsible vulnerability reporting and
response. Unfortunately, in less than 72 hours, if an unpatched
new computer is connected to the Internet, it will be
compromised. This is indicative of the software flaws that
affect our information economy. My first point is on software
development, the root cause of the problem is software flaws.
Every virus or worm takes advantage of a security flaw in the
design or implementation of a software program. The flaw can
exist almost anywhere inside a program that processes data
directly from a network or from a file delivered by an e-mail
attachment. This means that practically every software program
in the age of the Internet falls into in the category of
requiring security quality processes during its development. If
these processes are not in place and followed rigorously by the
manufacturer, flaws will inevitably creep into the software
during development, be discovered, and end up exploited.
Automatic patching is a great solution for some computers,
but many environments have requirements that don't allow
patches to be applied in automatic or even timely manual
manner. One of the key problems with patching is the Internet
or the network the computer's connected to is the distribution
system. This means that a computer needs to be connected to the
Internet to be patched. The irony is the Internet is the attack
vector that puts the computer at risk.
As recent examples of worms demonstrate, reactive solutions
are not keeping up with the speed of malicious programs. Many
of the flaws found in software after it is shipped to customers
are not found by the vendor. Many are found through directed
research by vulnerability researchers. These are individuals
who investigate the security of software for academic reasons,
profit, or mere curiosity. A primary motivation of
vulnerability research is altruistic. There aren't any
independent or government watchdog groups looking out for the
safety of the software--computer users' use. Given this vacuum,
researchers feel that someone should test and find
vulnerabilities. They feel that every flaw they find and report
is another flaw that will be fixed before a malicious person
finds and exploits it. In this way, vulnerability researchers
can make all computers users more safe.
Vulnerability researchers are performing a testing function
that should have been done as part of the security quality
assurance process by the vendor. Vulnerability researchers
think differently than traditional software testers. They think
from the perspective of an attacker. The fact that there is a
vast amount of software already deployed with latent
undiscovered flaws means that we will be dealing with newly
discovered vulnerabilities for the foreseeable future.
A process for handling new vulnerability information in a
timely and safe way is required. There is some debate in the
vulnerability research community as to the best way to handle
vulnerability information. However, most agree that it is
responsible to inform the vendor of the vulnerable product and
give them time to create a patch. 4,200 vulnerabilities were
tracked by CERT last year. Almost all had patches available
when the information became public due to vulnerability
researchers informing vendors prior to publicly disclosing.
The Organization for Internet Safety has published a
process that these flaw-finders can use to report flaws to
vendors and for vendors to respond to these reports, sometimes
with a patch. The goal of the OIS process is to protect the
computer user community as a whole. A balance was struck
between the timeliness and reliability of patches and between
helping sophisticated users and the majority of users who are
unable to help themselves.
To conclude, software vendors face challenges building
software. Vulnerability researchers can help find the flaws
that vendors miss. Both need to come together to handle
vulnerability safety. All I ask is a step in this direction.
Viruses and worms are shutting down government offices and
businesses for days. The impact grows each year. When a
technology contains dangerous, unseen risks, we should have
assurances that it is built properly. We need the, ``electrical
code for building software,'' and we need a way to assure that
the code is followed. This will reduce the risk of insecure
software at its source and strengthen the computer
infrastructure for us all.
Thank you.
Mr. Putnam. Thank you very much. Appreciate your input.
[The prepared statement of Mr. Wysopal follows:]
[GRAPHIC] [TIFF OMITTED] T2654.068
[GRAPHIC] [TIFF OMITTED] T2654.069
[GRAPHIC] [TIFF OMITTED] T2654.070
[GRAPHIC] [TIFF OMITTED] T2654.071
[GRAPHIC] [TIFF OMITTED] T2654.072
[GRAPHIC] [TIFF OMITTED] T2654.073
[GRAPHIC] [TIFF OMITTED] T2654.074
[GRAPHIC] [TIFF OMITTED] T2654.075
[GRAPHIC] [TIFF OMITTED] T2654.076
[GRAPHIC] [TIFF OMITTED] T2654.077
Mr. Putnam. Our next witness is Ken Silva. As vice
president for VeriSign's networking and information security,
Mr. Silva oversees the mission-critical infrastructure for all
network security and production IT services for VeriSign. In
this role, he oversees the mission-critical network
infrastructure for VeriSign's three core business units:
security services, naming and directory services, and
telecommunications services. His responsibilities include
oversight of the technical and network security for the
definitive data base of over 27 million Web addresses in dot-
com and dot-net, the world's most recognizable top-level
domains.
Additionally Mr. Silva coordinates the security oversight
of VeriSign's Public Key Infrastructure security systems.
Mr. Silva serves on the board of directors for the
Information Technology, Information Sharing and Analysis
Center, and the executive board of the International Security
Alliance.
He advises and participates in a number of national and
international committees for organizations, and he joined
VeriSign with more than 20 years' experience in the
telecommunications and security industry in his portfolio.
Welcome to the subcommittee. We're delighted to have you.
You're recognized.
Mr. Silva. Thank you, Mr. Chairman and other members of the
subcommittee. VeriSign's pleased to have the opportunity to
provide our views on the epidemic virus and worm attacks that
continue to threaten the integrity and security of information
systems we've all come to depend on. VeriSign is a company
that's perhaps uniquely situated to observe the continuing
assaults on our information infrastructure. Our company
provides industry-leading technologies in three relatively
distinct yet interrelated lines of business. These include
telecommunications, infrastructure services, management
security, and payment processing services, directory and naming
services.
Our naming services is the business dedicated to the
management of the domain name system, including our operation
of the A and J root servers. These are 2 of the servers out of
the 13 servers that allow you to find www.house.gov. Of the
hundreds of millions of machines on the Internet, it would
direct you to the correct one.
In addition to that, for the last 10 years, we've managed
the dot-com and dot-net top-level domains.
Since 2000, I've managed VeriSign's resources dedicated to
maintaining the security of these complex technology assets.
Today I would like to make three key points. First, we
should not underestimate the significance of these attacks.
Although the most recent worms and viruses have been labeled by
some as nondestructive, they've cost American business in
excess of $3.5 billion in August alone. We can only imagine
what the cost would have been had these destroyed data along
their path.
Second, we should accept our shared responsibilities. Each
of us has a responsibility. This includes lawmakers, government
agencies, industry and private citizens. Government has a role
both as a model of good security practices, as well as a
thought leader in global security. Our citizens must be
educated. We teach our children how to use computers in school,
but do we teach them how to use them responsibly?
Third, we must resist the temptation to demonize individual
participants in the network community. The finger-pointing in
general is neither accurate nor helpful. It's all too easy to
blame the operating systems manufacturer for flaws in their
code or the network providers for not securing their networks.
Many of the worms attack not only popular operating systems,
but open source software as well.
Mr. Chairman, there are measures which will over time
improve the security posture of our network, but there is no
silver bullet that will miraculously solve our network security
challenges.
VeriSign's role over past decade has led us to make
significant investments in network hardware, engineering,
research and development. Armed with that knowledge, we can
deploy and advise others on the network how to deploy the very
best configurations and maintain the stable and secure
functioning of the Internet. VeriSign's unique monitoring
capabilities allow us to watch as the virus propagates around
the global network. As a result of VeriSign's constant
vigilance, we're often among the first to recognize it, and as
an attack develops--you can see our view up here shows our
global constellation. I brought another slide with me, which is
an example of the graphic data that we're able to monitor. This
one shows a propagation of the SoBig.F virus in just a short 6-
hour span on August 19.
There's another one following that, the next graphic,
please, which today just happens to be the very day that this
virus has decided to disarm itself. This was taken this
morning.
Following the September 11 attacks, we provided some of
these monitoring capabilities to both the Defense Department's
NCS and the FBI's NIPC, to enable them to observe and detect
anonymous traffic on the network.
Our long experience and the most recent events like Blaster
worm reveal fundamental truths about our networks in the
attacks. A few years ago, these things took months or weeks to
propagate. Now they propagate in hours or minutes. Not only are
the weapons behaving more aggressively, they're increasing
their uniqueness, making selection of appropriate
countermeasures difficult and uncertain. As a result of this
growing risk and our growing dependency on our networks, I
believe we must face up to the reality that these network
attacks are every bit as threatening as physical attacks on
critical infrastructures, warranting serious attention to
strategies to defend against them and remedy their impact. Even
when they don't bring down the network of a targeted site, the
insult to the network's integrity still has observable and
measurable consequences.
Another level of damage, these attacks fundamentally
threaten the core assets of the Internet, including the
Internet root servers and top-level domains. There are larger
costs to these attacks.
I'd like to thank you for giving me the opportunity to
appear before you today. Thank you.
Mr. Putnam. Thank you very much, Mr. Silva, and I
appreciate your--all of you limiting your remarks to the 5
minutes.
[The prepared statement of Mr. Silva follows:]
[GRAPHIC] [TIFF OMITTED] T2654.078
[GRAPHIC] [TIFF OMITTED] T2654.079
[GRAPHIC] [TIFF OMITTED] T2654.080
[GRAPHIC] [TIFF OMITTED] T2654.081
[GRAPHIC] [TIFF OMITTED] T2654.082
[GRAPHIC] [TIFF OMITTED] T2654.083
[GRAPHIC] [TIFF OMITTED] T2654.084
Mr. Putnam. Mr. Silva, I get the impression that you had to
cut yours a little bit short, so I'm going to give you the
opportunity to expand on it by asking my first question about
root servers. And, if you will, just take us in nontechnical
terms to their role in the architecture of the Internet, and
what their vulnerabilities have been in the past two viruses
and worms, and what impact that could have in economic terms.
Mr. Silva. OK. Well, Mr. Chairman, the root servers are
sort of the top of the Internet naming system, if you will.
There's an invisible period at the end of every domain name
that people don't see, and that happens to be the root, and,
then from there it goes.com; then, you know, Microsoft.com; and
then www, etc. They're sort of at that very top level. No other
computers can be found without the information that these
provide. And then there's another layer down from that which
VeriSign also operates, for dot-com and dot-net.
The SoBig.F worm in particular had a unique attack that it
presented on the A root server, and that the A and B root
servers were--it's where that--that worm first looked to find
out where an e-mail was supposed to be sent, OK? So if they
wanted to send it to, you know, anyone, it would simply look to
the root server first to find out where that mail server was.
Now, in the Blaster worm, that didn't actually have an
impact directly on the root servers themselves, because there
was no protocol that the root servers were running or a
particular name look-up that was required for that worm to
spread.
Mr. Putnam. You mentioned and other panelists have made
allusions to open source versus proprietary. Is one less
vulnerable than the other, or if you would just comment a bit
on the old debate between proprietary and open-source software,
again, beginning with Mr. Wysopal. Let Mr. Silva think about
his for a second.
Mr. Wysopal. The theory with open-source software is that
it can be made more secure because there's more eyes. Every
single user has the potential, if they have the skill set, to
find flaws in that software and then correct them for
themselves or notify the maintainer to correct them. With
proprietary software, the user has no way really of looking
deeply into the software by examining the code, but,
practically, users of open-source software are not expert code
reviewers and don't have the time to actually review the code,
so we see vulnerabilities sort of in equal proportion in both
the open-source world and in the proprietary software world.
Mr. Putnam. Mr. Silva.
Mr. Silva. Yeah. I would agree mostly with what he said,
except that there always has been this statement that, in the
open-source world, the source code's available, and if you were
running it, you could certainly look at it. I doubt seriously
that you would know, 99.99 percent of the rest of the people
who use it.
In addition to the people who use the software not
necessarily being expert code reviewers, in many of the cases
people actually writing the software are not actually expert
software writers either. So it's not that it's bad software, it
certainly is good software, but it's no more or less vulnerable
than the software that goes through rigid configuration,
management, and software review standards.
Mr. Putnam. Mr. Eschelbeck, would you like to weigh in?
Mr. Eschelbeck. I do not necessarily see a relation between
open source versus closed source from a vulnerability
prevalence perspective. I don't think there is any analytical
data that would support that.
However, I do believe strongly that software that's more
popular, more widely used out there has been reviewed much more
widely and is more popular, and that's one of the main reasons
why I think there is more vulnerabilities known about a
software that's used widely rather than a software package
that's not used at all out there.
Mr. Putnam. What would be the impact of, in terms of
improved Internet security, if any, of the next generation of
Internet, IPv6? Does that in any way alter security concerns?
Mr. Wysopal. I don't think IPv6 really alters the security
concerns. What IPv6 does is it makes many more Internet
addresses available, so we can have an Internet address for,
you know, your wristwatch or any small object you could have,
thousands or millions of times more Internet addresses with
IPv6. It doesn't really address any security issues.
Mr. Silva. Well, actually, it does address some security
issues, although probably not for the masses. There are
protocols that are part of the IPv6 standard that would allow
better authentication between IP addresses as they connect.
Some of those capabilities have since been transferred to IPv4,
such as the IP SAC, which is what many of the BPM tunnels use
today, but for the general Web server, probably not.
You know, just for the average computer on the network that
doesn't need to authenticate every single user, it's probably
not going to offer anything new for them.
Mr. Putnam. Mr. Eschelbeck, do you wish to add anything?
Mr. Eschelbeck. I would say exactly the same thing. I think
there is a lot of improvements in IPv6, and it's clearly the
right step in the right direction, but there is still pieces
missing that we don't do in IPv6 today, like in the new
protocols that are coming up. And particularly if you look from
a vulnerability perspective, IPv6 is not going to address the
vulnerability problem. That's really the reality why we are
here today, why we're looking for vulnerabilities and how to
address them. So IPv6 is certainly the way to move from an
authentication, from an encryption perspective, and it would
fix some of those underlying issues, but would not fix all of
the security issues that we are facing today.
Mr. Putnam. Thank you. I will stop there and recognize the
ranking member, Mr. Clay.
Mr. Clay. Thank you, Mr. Chairman. And any one of you can
attempt to answer these questions.
Let me start out by asking: What motivates people to engage
in computer hacking?
I mean, let's start on this end of the table.
Mr. Eschelbeck. I do think that there is--obviously, if you
look back in history, mostly what we have seen, some of the
attacks really didn't have any specific target in mind. They
were mostly like who is the first who is going to launch a worm
on the Internet, and that was the results we have seen in
traffic congestion, things like that. But I clearly see moving
forward motives in mind.
If I look at Blaster, it was probably the biggest turning
point we have seen here by Blaster introducing the ability to
deliver a payload that actually does something malicious, other
than just creating noise on the Internet. And in this
particular case with Blaster was the denial of service attack
against Microsoft, and I do see some transit that is clearly
the opportunity for more active payloads coming in future
worms. They were motivated by motives that we don't know and
fully understand at all.
Mr. Clay. Mr. Wysopal.
Mr. Wysopal. I think the main motivation is experimentation
and exploration, but these people who do this experimentation
don't take into account any sense of ethics, and they don't
really care that their experiments cause harm to others.
Mr. Clay. Mr. Silva, what do you think about it?
Mr. Silva. I don't really have anything to add.
Mr. Clay. All right. Let me ask you, there has been much
discussion about information-sharing and cyber vulnerability
issues between the government and the private sector, and
within the private sector are there any legal or policy
barriers that continue to impede information-sharing and
cooperation?
Mr. Silva, we can start with you.
Mr. Silva. Well, there are a number of issues related to
antitrust, OK, that have been raised amongst companies sharing
information, amongst a select group of people, that's not
publicly available. More recently--or, excuse me, prior to
that, one of the issues was FOIA, quite frankly, sharing
information between government and industries and having, you
know, the possibility that a publicly traded company with, you
know, some known vulnerability that if they made that
information available to the government would somehow be
available through FOIA. Some action has been taken in that
direction, but those are probably the two main impediments
there.
Mr. Wysopal. I think another main impediment is companies
trying to refrain from looking embarrassed basically. A lot of
companies such as financial services companies banks are among
the most trusted financial institutions, and people expect the
highest level of assurances to protect their money, you know,
their privacy, and it could be embarrassing. It could be a
competitive advantage of some of their competitors to say, you
know, put your money with us. You know, your privacy will
really be protected with us. They say they do, but look at
this, this, and this. So I think a lot of it is competition and
fear of embarrassment.
Mr. Clay. Very interesting.
Yes, Mr. Eschelbeck?
Mr. Eschelbeck. I would actually agree with Chris's
statement. I would like to add one point here. What we see as
well is those areas, those sectors, in general that are--have
legislation for auditing requirements, for security auditing
requirements, we see a bigger sense of urgency there in
comparison to some of the areas that are not legislated today.
Mr. Clay. Going back to attacks and computer hacking, do
any of you have any knowledge of foreign governments involved
in cyberattacks. How is that different from hackers attacking
for the fun of it?
Let's start with you, Mr Wysopal.
Mr. Wysopal. It's very difficult to say where some of the
malicious code, the exploit code, that's written or where some
of this vulnerability research comes from. It's difficult to
say whether it's a foreign government, or it's just an
individual in a foreign country. When we see some malicious
code, we certainly see levels of sophistication that are equal
to the most sophisticated in the world coming from countries
such as China. It's fairly easy to tell because of the language
differences where some of this is coming from, but it's very
difficult to tell whether it's actually government-sponsored or
just academics or just, you know, black hats.
Mr. Clay. Anybody else got anything to add?
Mr. Silva.
Mr. Silva. Well, I think probably law enforcement
intelligence representatives could probably answer the question
as to the foreign sponsorship of the hacking probably better
than any of us here could, but I have to say that I think most
of these, at least from earlier testimony, have actually been
caught. The few of that have actually been caught have turned
out to be young adults or teenagers.
While I think we should be concerned about terrorist
sponsorship or state-sponsored hacking and malicious activity,
I think we should definitely not discard the fact that the vast
majority of these appear to be coming from, you know,
pranksters, OK, that have no political affiliation or
governmental sponsorship. So, while I think it's important that
we know if it is state-sponsored, I don't think that all of our
efforts should be focused in that direction.
Mr. Clay. Perhaps any one of you can take a stab at this,
but can the Federal Government use its procurement power to
improve the security of computer software? Anybody have a
thought on that?
Mr. Wysopal. I think definitely. The Federal Government is
probably the largest purchaser of technology, especially
software, and one thing that doesn't happen when people
purchase software is an acceptance test for the security of
that software. Sometimes it's acceptance testing that has
certain features or has a certain level of performance, but
acceptance testing for security is more expensive and time-
consuming, so no one really does it.
If the Federal Government was to do that, the benefits
would be all the users of that software, because the Federal
Government could say, you know, we spent a lot of money and
tested this, and we rejected it, and we need to go back to the
drawing board and build something secure. I think if that
happened, the other users of software would say--or potential
purchasers of the software would think twice about buying it,
if the government wasn't willing to use it.
Mr. Clay. Thank you. Thank you very much, Mr. Chairman.
Thank you very much, Mr. Chairman.
Mr. Putnam. Mrs. Miller.
Mrs. Miller. Thank you, Mr. Chairman. I am going to pick up
on the ranking member's question here, but I think we are all
struggling with this panel, members of the committee, with this
panel on understanding what is the appropriate role of the
Federal Government.
And you are in the private sector, and--I mean, I am a
person that generally thinks that less government is better and
less government regulation is better. But because our society
is becoming so unbelievably dependent on the Internet, on
computers for communication purposes and for security purposes,
for everything, the term ``vulnerability researcher,'' I guess
I never really heard that before, as I listen to you say it.
Now it is going to be part of my nomenclature here. But it's
very descriptive, and I can understand what you're talking
about there.
Do you think that the Federal Government, first of all, has
an oversight role? Should we be using our purchasing power to
set standards out for software? What is the fine line of the
government not overregulating private industry, but certainly
having consternation about some of the security problems that
are inherent in software? What would your suggestion be on how
far you think the government should be going here, and what is
the appropriate action for the Federal Government?
I mean, we just had this huge power outage in my State of
Michigan, and we are looking to the Public Service Commission
to regulate an industry. And I'm trying to understand
everything about the energy policy of our Nation, but I could
not tell you what the proper amount for a person to pay per
kilowatt hour actually is. We rely on the experts.
You are the experts in the software industry; and I think
we are trying to struggle to understand what we need to do
appropriately without overstepping our bounds into the private
sector.
Mr. Wysopal. Well, one place where I think it's important
for the government to regulate is when we get to issues of
safety, you know, when we are talking about cars or airplanes
or chemicals or things like that.
Regulation of safety is important. There used to be, you
know, something that you write documents with and safety wasn't
an issue. But now when we're seeing these networks being
interconnected with things like the power grid actually being
connected directly to the Internet, you know, through maybe a
few gateways, but you know, the worms got in. You know the
worms can get inside, start to get to the issue of safety. And
that's a place where I think some regulation is appropriate.
You know, the software industry is a fast-moving industry
and putting any regulation on it is certainly going to slow
down innovation. There's no doubt about it. But maybe it's time
to think about some limited safety regulations.
Mr. Silva. I think that there's a fundamental role of our
government, whether Federal Government or State government, to
provide education to our people, to our citizens. If any of you
happen to have a DSL or cable modem at home and would actually
install a firewall on it and look at the logs, you would be
shocked at the number of times penetration attempts actually
hit your machine. It would just boggle your mind; it really
would.
But as I said in my testimony, or in my statement, we teach
our children in almost every school in the country, we teach
them how to use computers, how to use a word processor, how to
boot a disk, but we don't actually teach them how to
responsibly use the computers and what the consequences of
their actions or inactions actually are. So I think that's a
role that the Federal Government can play, as well as State
government.
Mr. Eschelbeck. I think there are two areas, looking at it.
On the one side we have, obviously, existing infrastructure
that we need to look at from a security perspective, and that's
probably going to give us an effort for the next 5 or 10 years.
And there are specific ideas how those could be handled.
However, there is the new software aspect when new software
comes out, there are standards in place like common criteria
that are being used to secure--to improve security software.
Such standards are not existing for any commercial-type
applications. I am not asking for common criteria-type
certification for any type of software, but some lightweight
certification would give at least a seal of approval from a
security perspective as far as the new technology that is
coming out there.
As far as the existing infrastructure we have in place
today, I think we have to give the leadership perspective
infrastructure so they can measure. The key part is, how do I
measure security today. There are no tools or well-defined
metrics out there. And I think we have to give the leadership
and the government, and industry as well, infrastructure tools
and ways to measure their security, so that they can say, I am
at the level 4, I am at the level 5, and in comparison to other
agencies, for example, I am at this level.
So there are ways I think those could be accomplished by
putting infrastructure in place there.
Mrs. Miller. No other questions. Just a comment.
I certainly picked up from both of the panels how important
it is for education. You know, really the Internet is still
relatively a new phenomenon. Ten years ago, 20 years ago, many
people had not heard of the Internet or were not using it every
day. The children now, of course--and perhaps it is
generational--are leaping onto these computers.
I was struggling yesterday trying to download my boarding
pass, and all these things keep coming up on my computer
saying, upload this right now or your computer is going to blow
up or something. I'm trying to understand it all.
But at any rate I certainly appreciate the testimony here
today, and I think the government certainly recognizes again
that society is becoming so dependent on electronic technology
and how important it is for every generation to understand what
the implications are of some of the cyber hacking, and how
important it is for them to be able to use these tools properly
and understand the ramifications of what they're up to.
Thank you.
Mr. Putnam. Thank you, Mrs. Miller.
Mr. Wysopal, if you would, you probably made the most
extensive comments about researchers. Tell us a little bit
about the category of researchers who would not be classified
as altruistic, and their motivations; and I'm not asking you to
psychoanalyze them, but how big a group are we talking about?
Do they seek fame, seek money or simply the thrill of being
able to discover the source code?
Mr. Wysopal. I think it's mostly the thrill of having power
over computers on the Internet. Part of the way that they keep
score is how many systems, you know, have you compromised--the
vulnerability that you discovered and wrote exploit tools for
or malicious code for, how many computers can you compromise
with that.
So a bug that was exploited in a software package that was
used by 100 people, no one will care about, but if you find a
bug in a Microsoft piece of software which is used by millions
of people, then you are looked at amongst your malicious peers
as more important and a better black hat.
And this is definitely a very serious problem that people
are able to find these vulnerabilities, and usually they keep
them to themselves. They don't tell the vendors. They keep them
to themselves or share them amongst a small group of people. So
they can go into computers with impunity on the Internet and
know that problem won't be patched.
And that's a very difficult problem to control. The only
way to control that is to actually design the software without
the flaws to begin with.
Mr. Putnam. And that is an impossibility, right, to have a
truly foolproof code?
Mr. Wysopal. Yes. There's no such thing as 100 percent
secure. But as a company, we do security quality testing for
many different software vendors, and we see a vast difference
in the number of flaws we find in a piece of software which was
developed by a secure development process. Where training was
given to the developers, they thought about security through
the entire phase, from design implementation to test, versus
software where security is really an afterthought; where after
the product is shipped, people say, maybe we should think about
how to configure it better.
When it isn't thought of from the very beginning, there is
a big difference in the number of flaws that end up in the end
product.
Mr. Putnam. Mr. Silva, you mentioned rule No. 2 was for
everyone to accept more responsibility. You discussed the
importance of education and things of that nature.
But with the prevalence of broadband, has responsibility
shifted somewhat to providers or to cable operators or to
telecommunications companies whose history and tradition and
corporate culture would not ordinarily lead them to believe
that protection against hackers or firewalls would be something
of their responsibility?
Mr. Silva. Well, as I said in my statement, it is a
responsibility of everyone, and I think--we always sort of
gravitate to the natural thing to do, which is to sort of look
at, is this not somebody else, is the responsibility shifting
from one group to another?
I don't think it's shifting; I think it's never changed. I
think that ISPs, the people that we all use to connect to the
Internet, have some level of responsibility. I think that the
government, that industry, my company as well as all of the
others, have a responsibility to do their part.
For instance, the Blaster worm has been running around the
Internet now for weeks, and the network providers are carrying
the traffic around it. One would think they would see that
traffic moving around in the network and either deal with it or
at least work with a group of people to try to figure out how
to mitigate this.
At the same time, if they were to suddenly block that
traffic, you know, I can assure you it will create other
problems on the Internet. So I think we just have to work
together and we have to find out what that magic fingerprint
is.
There are a lot of these companies that are carrying this
traffic that aren't in the best of financial shapes right now
and probably aren't going to invest hundreds of millions of
dollars into research and mitigation methods.
Mr. Putnam. Thank you very much.
Is there anything that you have not been asked that you
wish to comment on or perhaps respond to as a result of panel
one, or do you have any additional comments before we seat
panel three?
Thank you all very much for your assistance and your input.
With that, we dismiss panel two and seat panel three as quickly
as possible. And the committee is in recess.
[Recess.]
Mr. Putnam. We have panel three seated, and the committee
will come back together. And I would ask that you rise, please,
and raise your right hands to be sworn in.
[Witnesses sworn.]
Mr. Putnam. Let the record show that all the witnesses have
answered in the affirmative.
We will go straight to your testimony, and I would ask that
you follow the examples of panels one and two and adhere to our
5-minute rule on opening statements. And I will introduce our
first witness.
Greg Akers is senior vice president and chief technology
officer for three strategic areas at Cisco--customer advocacy
technology, corporate strategic security programs and
government solutions.
Within customer advocacy technology he and his team focused
on how to most effectively use technology to improve Cisco's
productivity and strengthen Cisco's relationships with its
valued customers. Specific initiatives include technology
engineering, autonomic and adaptive networking, cross-customer
advocacy research and development functions, and Internet
capabilities integration.
He also leads Cisco's corporate strategic security programs
with a focus on information security, intellectual property,
security solution certifications, and cyber warfare.
Additionally, Mr. Akers runs a government solutions team to
address the unique requirements of government. The mission of
this team is to provide solutions aimed at government's core
business, enabling achievements of its mission to protect its
citizenry. He has dedicated teams to address global defense in
space, critical infrastructure protection, U.S. homeland
security challenges and a government systems unit. His primary
focus will be to adapt Cisco products and services to respond
to the unique requirements.
Welcome to the subcommittee. We are delighted to have you.
You are recognized.
STATEMENTS OF GREG AKERS, SENIOR VICE PRESIDENT, CHIEF
TECHNOLOGY OFFICER, GOVERNMENT SOLUTIONS AND CORPORATE SECURITY
PROGRAMS, CISCO SYSTEMS, INC.; PHIL REITINGER, SENIOR SECURITY
STRATEGIST, MICROSOFT CORP.; VINCENT GULLOTTO, VICE PRESIDENT,
ANTIVIRUS EMERGENCY RESPONSE TEAM, NETWORK ASSOCIATES, INC.;
AND JOHN SCHWARZ, PRESIDENT AND CHIEF OPERATING OFFICER,
SYMANTEC CORP.
Mr. Akers. Thank you. Chairman Putnam, Ranking Member Clay,
thank you very much for the opportunity to testify today on
this very important issue.
Cisco is a provider of networking infrastructure for the
Internet and intranets of all types. We provide end-to-end
network solutions, connecting people to computers and networks
all over the world, and align the work-play-live-and-learn
without regards to differences in time, place, or type of
computer they happen to use.
Roughly 80 percent of Cisco's support transactions and 85
percent of Cisco's sales transactions are completed over our
own company Web site. Therefore, we are very concerned about
threats and the correct operation of the infrastructure of the
Internet.
Rather than summarize the details already provided in my
written testimony, in the short time today, I would like to
provide recommendations to three specific groups--industry,
individuals, and government--with specific actions to address
some of these threats.
Vulnerabilities can never be completely eliminated, as has
been previously stated. Establishing a product security
response capability is a huge step toward reducing the threat.
Another major improvement is gathering by setting up obvious e-
mail and easy-to-use Web pages, by vendors and customers alike,
so they are easily accessible, that will allow vendors to
produce results for incidents as they incur.
Most vendors today neither have a team nor modification
methods in place. Industry members can contribute greatly by
establishing and publicizing product security processes,
including taking minimum steps to establish a response team and
create necessary links to facilitate incoming reports and
outgoing announcements.
External reports of vulnerabilities are often accompanied
with demands to publish in a short period of time, less time
than the vendor needs to develop fixed software and work around
and test these fixes completely. The public is generally
unaware of the internal constraints influencing the vendors'
schedules.
Because every vulnerability and vendor is unique, time
lines should be adjusted by the vendor and the external party
for each situation individually. Vendors can help by
streamlining their own schedules for producing software and by
establishing expectations for negotiating flexible but
effective time lines with all external parties.
Many individuals and groups fail to practice
confidentiality regarding vulnerabilities and fail to maintain
computer and networking systems at some moderate reasonable
base line and vulnerability. The consequences can be severe.
Individuals should act responsibly regarding vulnerability
information. We have published the security advisories and
encourage others to do the same.
Some practice poor control over the need-to-know
information regarding vulnerability. Some lack timeliness or
otherwise detract from the overall success of the process.
Numerous plans have been derailed or completely rerouted due to
leaks, made more severe by late arrival of information or
otherwise slowed down by lack of information or improper
information.
Participants are responsible for reporting vulnerabilities
promptly and solely to the appropriate recipient, protecting
the confidentiality and lending assistance as they are able to.
Vendor-neutral coordinating centers are valuable conduits for
reporting and handling vulnerabilities. The trust placed in
such organizations by the worldwide network security community
for the criticality of important coordination function might be
jeopardized if it becomes too dependent on funding or other
centralized government control, or any one individual entity
within industry or the public sector.
Government should ensure that coordinating centers are
available, receive adequate funding from multiple sources and
avoid dependencies that will treat any participant unevenly or
in any other way unfairly. Many are aware of the issue with the
``script kiddies,'' but not are aware of the professional
``black hats'' who work for a combination of organized crime,
terrorists, or nation-states. An entire marketplace that
exploits vulnerabilities has sprung up on the Net and has easy-
to-use tools, yet it is virtually unknown to the public.
Government should increase funding and support for the
development of the maturation of cyber intelligence, the
advancement of information sharing, and the overall improvement
of law enforcement's ability to prosecute cyber crimes. One
issue is common to all the action groups: Vendors respond to
customers' demands. Buyers from all of these groups wield
considerable influence at purchasing time. If product security
or response team are important to you, the buyer should vote
with the wallet.
Specifying systems that meet the demands for more security
are inevitably the ways vendors will respond, to include
increased security measures in their products. Industry,
individuals, and government can set effective examples for
defining base line security requirements and require compliance
to these simply by completion of sales.
The global nature of the Internet means that no single
country or industry group can address vulnerabilities in
isolation. Success in this arena requires public-private
cooperation between all three of these entities.
As an example, consider the cooperation industry under the
auspices of a national infrastructure assurance council,
developing a vulnerability disclosure framework that should
prove to be useful to all parties. The industry leaders I work
with understand the roles and are willing to do their part to
protect our national and economic security. The recommendations
presented here would be a good starting point for improving the
security posture for the entire Internet.
I want to thank you, Mr. Chairman, and the other
subcommittee members for inviting me today. And I will be happy
to answer any questions that you may have.
Mr. Putnam. Thank you very much Mr. Akers.
[The prepared statement of Mr. Akers follows:]
[GRAPHIC] [TIFF OMITTED] T2654.085
[GRAPHIC] [TIFF OMITTED] T2654.086
[GRAPHIC] [TIFF OMITTED] T2654.087
[GRAPHIC] [TIFF OMITTED] T2654.088
[GRAPHIC] [TIFF OMITTED] T2654.089
[GRAPHIC] [TIFF OMITTED] T2654.090
[GRAPHIC] [TIFF OMITTED] T2654.091
[GRAPHIC] [TIFF OMITTED] T2654.092
[GRAPHIC] [TIFF OMITTED] T2654.093
[GRAPHIC] [TIFF OMITTED] T2654.094
[GRAPHIC] [TIFF OMITTED] T2654.095
[GRAPHIC] [TIFF OMITTED] T2654.096
Mr. Putnam. Our next witness is Philip Reitinger. Mr.
Reitinger is a senior security strategist with Microsoft
Corp.'s Trustworthy Computing security team. The Trustworthy
Computing Initiative at Microsoft is a long-term, company-wide
initiative to promote the values of reliability, security,
privacy and business integrity.
Before joining Microsoft in January 2003, Mr. Reitinger was
the Executive Director of the Department of Defense's Cyber
Crime Center and the Deputy Chief of the computer crime and
intellectual property section of the Criminal Division of the
Department of Justice.
Mr. Reitinger is the former Chair of both the Group of
Eight's High Tech Subgroup and the National Cyber Crime
Training Partnership's Vision and Policy Committee.
We look forward to your testimony, Mr. Reitinger, and you
are recognized for 5 minutes.
Mr. Reitinger. Good morning, Chairman Putnam, Ranking
Member Clay. My name is Philip Reitinger, and I am a senior
security strategist with Microsoft. I want to thank you for the
opportunity to appear here today.
Before joining Microsoft, as the chairman noted, I was the
Deputy Chief of the Computer Crime and Intellectual Property
Section of the Department of Justice, the Executive Director of
the DOD Cyber Crime Center and the Chair of the G8 Subgroup on
high tech crime. Thus, for some time I have been concerned with
criminal threats to people and networks and with the challenges
posed by responding to cyber crime.
Responding to those challenges requires effective action on
many fronts. Today, I would like to make four main points.
First, Microsoft is committed to continuing to strengthen
our software to make it less vulnerable to attack. Microsoft
under its Trustworthy Computing Initiative is working to create
software for its customers to secure by design, secure by
default, and secure in deployment. We are designing and writing
software more securely, making it more secure out of the box
and making it easier to keep secure.
These goals are becoming ingrained in our culture and are
part of the way we value our work. Even so, there is no such
thing as completely secure software. Therefore, and second,
when security vulnerabilities are found, the process is to
provide customers with the necessary fixes; they must be easy,
fast and transparent so the customers can stay secure in
deployment.
For example, we have included an automatic update feature
in recent Microsoft operating systems. My written testimony
describes the additional steps we are taking in more detail.
Our goal is to make patch application easier so that every
single customer can readily have the appropriate patches
installed and have his and her information protected.
Third, as the recent past so amply demonstrates, criminals
will use computer networks to launch attacks, and we must be
able to respond quickly and effectively. In the case of
Blaster, before the worm was released, Microsoft built, tested,
and delivered a remedy for the vulnerability which Blaster
exploited. We then undertook extensive measures to advise
customers of the need to apply the patch immediately and how to
protect their systems.
After the release of the worm, our efforts continued and
expanded and included launching our Protect Your PC campaign,
which included providing security information to users through
publications such as the New York Times and the Washington
Post.
In parallel with these public efforts, we undertook an in-
depth review postmortem to understand how to reduce the
likelihood of similar vulnerabilities occurring in the future.
We carried out a full scrub of the subsystem that contained the
vulnerability. And today we are releasing an additional patch
fixing vulnerabilities we found. We know that security is a
process of continuing improvement, and we are committed to that
process.
Fourth, as a society, we need to devote increased resources
to law enforcement personnel, training, equipment, and
capabilities to prevent and investigate cyber crime. Technical
and management solutions cannot prevent every cyber attack.
Determined and sophisticated cyber criminals develop new means
to break into systems and harm the on-line public.
In this case, Microsoft worked closely with law enforcement
efforts to identify the individuals or organizations involved,
and created and released Blaster interference.
But despite the best and laudable efforts of the United
States and international law enforcement communities, it is
still very hard to identify and prosecute cyber criminals
worldwide. For example, the computer forensic challenges facing
law enforcement are daunting. The amount of data that is stored
electronically is growing exponentially, and law enforcement's
technical capability to extract critical evidence from this
massive electronic data is falling rapidly behind.
In conclusion, the Blaster worm and its variants were
serious criminal attacks against the owners and users of
computer networks. These attacks merited and received equally
serious attention from Microsoft, the government, our
customers, and our partners. In the end, a shared commitment to
reducing cyber security risk and a coordinated public and
private response to cyber security threats of all kinds offers
the greatest hope for promoting security and fostering the
growth of a vibrant, trustworthy on-line world.
Thank you.
Mr. Putnam. Thank you very much.
[The prepared statement of Mr. Reitinger follows:]
[GRAPHIC] [TIFF OMITTED] T2654.097
[GRAPHIC] [TIFF OMITTED] T2654.098
[GRAPHIC] [TIFF OMITTED] T2654.099
[GRAPHIC] [TIFF OMITTED] T2654.100
[GRAPHIC] [TIFF OMITTED] T2654.101
[GRAPHIC] [TIFF OMITTED] T2654.102
[GRAPHIC] [TIFF OMITTED] T2654.103
[GRAPHIC] [TIFF OMITTED] T2654.104
[GRAPHIC] [TIFF OMITTED] T2654.105
[GRAPHIC] [TIFF OMITTED] T2654.106
[GRAPHIC] [TIFF OMITTED] T2654.107
[GRAPHIC] [TIFF OMITTED] T2654.108
Mr. Putnam. Our next witness is Vincent Gullotto. Mr.
Gullotto is the vice president of research for AVERT, the
Antivirus Emergency Response Team, the antivirus research arm
at Network Associates. For roughly half a decade, Mr. Gullotto
has been involved in the day-to-day operations of AVERT labs.
Located throughout 18 cities around the world, AVERT labs is
responsible for the research and discovery of computer viruses,
including Melissa, Love Letter, and Bubble Boy. Are you the
ones who name them?
Mr. Gullotto. Yes.
Mr. Putnam. So Bubble Boy was your idea?
Mr. Gullotto. Yes.
Mr. Putnam. Under his leadership, the AVERT group is
credited with the discovery of the first wireless virus, Phage.
Mr. Gullotto has developed the concepts and initial designs
for a number of AVERT service and solution offerings, including
programs such as WebImmune, the world's first Internet virus
security scanner that resides on the Web, as well as the AVERT
Malware Stinger, a stand-alone program designed to supplement
antivirus programs.
Mr. Gullotto, we are looking forward your testimony and
delighted to have you here.
Mr. Gullotto. Chairman Putnam, Ranking Member Clay, thank
you very much for inviting me today to join the subcommittee
and speak on behalf of a very serious problem we are having
today, computer viruses and the evolving threat that we see
going forward.
As you stated, AVERT is an antivirus research arm for
Network Associates. We are a global organization working 24
hours a day, 7 days a week, discovering new viruses and naming
new viruses as well. In addition to this work, we also work
participatingly with 27 other companies in the antivirus
discussion network [AVED], and on a day-to-day basis work
closely with law enforcement as often as possible to identify
and investigate cyber attacks and cyber crime.
While my written testimony submitted for the record
provides a recent history of computer viruses and worms, as
well as descriptions and impacts of the most well-known ones, I
want to focus my testimony on three important trends and
followup with three recommendations.
First, Mr. Chairman, governments and companies have become
more porous. In recent years, companies have opened their
enterprise to serve customers better and improve productivity
of employees and suppliers. Enterprises are becoming electronic
sponges. They are porous, and it's getting harder to tell the
inside from the outside.
Second, reported vulnerabilities are on the rise. We have
already heard the number is on the increase, and they will
continue to increase as time goes on. The bad news is that this
new threat, worms which exploit these vulnerabilities, can
cause even greater damage than more traditional worms and
viruses.
And third, the speed of cyber attacks has accelerated
dramatically with a shrinking window of exposure between
vulnerability and exploit. Attackers exploit a window of
exposure between when the vulnerability is announced and when
all the infected systems can be patched. Today, the time is
short. It's a matter of hours in some cases or a matter of
weeks and days. In the future we expect it to become even
shorter.
Once a vulnerability is announced, we may see an exploit
within a matter of hours, and that vulnerability exploited in
such a way that, within minutes perhaps, that exploit will be
around the world. Denial of services like CodeRed and Nimda
caused spread around the world in hours. And, of course,
earlier this year we saw Slammer infect thousands of machines
in just under 3 minutes.
How do we protect ourselves from computer viruses, worms,
and other attacks? One key way is by moving from a traditional
reactive approach to a security approach where proactive
intrusive protection is used. What's required to close the
window of exposure is protection in depth, including solutions
that can be deployed before a new threat appears in the field,
so that the threat simply bounces off the company's defenses.
Intrusion prevention looks for anomalies, and attack
signatures in response, by preventing the attacks from
permeating the network or system defense. An intrusion
prevention system protects a network from attack while
providing breathing room and response time for analysts to fix
vulnerabilities.
There are other steps we can take to make a real
difference. While my written testimony has recommendations for
enterprising consumers, for the sake of time, I would like to
share three with the policymakers today.
First, we believe policymakers should embrace Cyber First
Responders. We respectfully suggest the cyber security
industry, including those at the table here today, represent
Cyber First Responders in our battle against the attacks on the
information infrastructure. Policymakers, in addressing the
threat of viruses, worms, and other attacks, should turn to
these Cyber First Responders, who can provide policymakers with
real-time, non-hype, accurate information about the nature of
threats and the extent of the impact.
Second, policymakers should continue promoting a culture of
security, a term used both in the United States and abroad, and
here today as well. We believe the policymakers around the
world can embrace this concept by continuing to shine a light
on cyber security. Policymakers can support public awareness
efforts such as the Stay Safe Online campaign; the government
industry's collaborative bodies, including the Partnership for
Critical Infrastructure Security; focus government leadership,
such as the government's high-ranking single point of command
that we hope will be announced soon; and real-time information
sharing organizations, including the various vertical sector
information sharing and analysis centers.
And finally, policymakers should increase support of long-
term cyber security research and development.
In addressing our cyber-security challenges, research and
development plays a key role in allowing us to stay ahead of
the next generation of attacks. Yet many experts in industry
and academia agree that we are at risk of dropping the ball on
critical R&D needs.
In the area of R&D, we recommend that policymakers
authorize the study of our Nation's critical infrastructure
vulnerabilities, increase R&D funds to leading departments and
agencies for collaborative R&D with industry and academia,
refocus collaborative R&D on longer-term challenges and improve
coordination amongst government-funded R&D projects.
As we commonly know in the industry, security is not a
place to get to; it is an ever-evolving challenge. We urge the
subcommittee and Congress to continue to put energy into
addressing the cyber-security challenge, and in return, I
pledge to you our company's commitment to work with government
and industry and academia to develop solutions to these urgent
needs.
I thank you for the opportunity to testify this morning and
look forward to your questions.
Mr. Putnam. Thank you very much.
[The prepared statement of Mr. Gullotto follows:]
[GRAPHIC] [TIFF OMITTED] T2654.109
[GRAPHIC] [TIFF OMITTED] T2654.110
[GRAPHIC] [TIFF OMITTED] T2654.111
[GRAPHIC] [TIFF OMITTED] T2654.112
[GRAPHIC] [TIFF OMITTED] T2654.113
[GRAPHIC] [TIFF OMITTED] T2654.114
[GRAPHIC] [TIFF OMITTED] T2654.115
[GRAPHIC] [TIFF OMITTED] T2654.116
[GRAPHIC] [TIFF OMITTED] T2654.117
[GRAPHIC] [TIFF OMITTED] T2654.118
[GRAPHIC] [TIFF OMITTED] T2654.119
[GRAPHIC] [TIFF OMITTED] T2654.120
[GRAPHIC] [TIFF OMITTED] T2654.121
[GRAPHIC] [TIFF OMITTED] T2654.122
[GRAPHIC] [TIFF OMITTED] T2654.123
Mr. Putnam. Our next witness is John Schwarz. Mr. Schwarz
is president and chief operating officer of Symantec,
responsible for Symantec's product development, incident
response, sales, support, professional services, marketing and
partner relationships.
Previously, Mr. Schwarz was president and CEO of
Reciprocal, Inc., which provided comprehensive business-to-
business secure e-commerce services for digital content
distribution over the Internet.
Prior to taking the lead role at Reciprocal, Mr. Schwarz
spent 25 years at IBM. Most recently, he was general manager of
IBM's Industry Solutions Unit, a worldwide organization focused
on building business applications and related services for
IBM's large industry customers. He has held numerous
development positions within IBM, including vice president of
development for the company's Personal Software Products
Division where he was responsible for IBM's OS/2 Warp and PCDOS
product management systems development.
As the vice president of application development for the
Software Solutions Products Group in Toronto, he was
responsible for the development of worldwide product management
of IBM's application development and distributed data base
products business.
We look forward to your testimony, Mr. Schwarz. Welcome to
the committee.
Mr. Schwarz. Chairman Putnam, Ranking Member Clay, thank
you for the opportunity to provide testimony on this important
and timely subject, and thanks for that long personal history.
Today, much of our economy depends on critical assets that
are in digital form. We are a society that relies more and more
on information technology; yet, we have not taken the steps to
protect those assets to the same degree that we have our
physical assets.
The cyber world is maturing and is a pervasive structure in
organizations, as well as at home. It is also becoming more
complex and vulnerable. The attacks are faster, less
predictable, and more severe. The number of opportunities for
exploitation also continues to grow at a rapid pace. In fact,
it is estimated, on average, 250 new software vulnerabilities
are discovered each month. These vulnerabilities are being
exploited faster and more aggressively than ever. Again, on
average, the industry is identifying 450 new viruses each
month, with some very colorful names, with many reaching pretty
high severity levels.
We saw the transition to ``blended threats,'' with worms
like Code Red and Nimda containing multiple attack mechanisms.
These blended threats, that combine the attributes of a
traditional virus and a hack attack, typically resulting in a
massive denial of Internet services, are truly the biggest
threat we face today in the cyber world. Leveraging the vast
number of new vulnerabilities, and through the introduction of
destructive payloads, rapidly propagating blended cyber
attacks, represent a substantial future risk.
The next generation of attacks, known as ``flash threats,''
have the potential to infect massive portions of corporate
networks or the entire Internet within minutes or perhaps even
seconds. The recent Blaster or SQL Slammer worms saw hints of
these types of threats. As you've already heard, SQL Slammer
infected 90 percent of the initially vulnerable systems in
approximately 10 minutes.
Such threats require entirely new proactive systems to stop
them. There's no reactive remedy that will ever be fast enough
to protect against threats spreading at these speeds.
The interconnectivity of individuals, businesses, and
government organizations is becoming ever more pervasive and
continuous through always-on broadband connections. As a
result, there is a vast, unmanaged computing capacity that is
potentially available to the cyber criminals to launch massive
denial-of-service offensives against selected targets or
perhaps against the Internet as a whole.
Let me discuss some actions that we believe can improve our
cyber security. First, awareness and education often mentioned
today.
Educating our consumers, our businesses, the operators of
critical infrastructure as well as all levels of government, on
the importance of protecting our systems is essential. We need
a broad awareness campaign that reaches out to all users of the
Internet. At the least, all users need to be made aware of the
value of firewall and automatically updated antivirus
technology, like putting seat belts in cars. The remote or
wireless connected worker is becoming more prevalent and can
unknowingly open up an otherwise secure community network to
potential vulnerabilities and attack through unprotected
wireless connections in the home or in the office.
At the enterprise and organization level, the issue of IT
security has for too long been left to the security
administrator, or the CIO. This needs to change. Cyber security
needs the top leadership of the business or government
organization. As an example, the recent corporate governance
legislation known as Sarbanes-Oxley significantly strengthened
the rules pertaining to the financial management of all
businesses. However, the legislation makes no mention of the
importance of protecting the information systems that produce
the data used in the financial management processes. Only when
cyber security is treated with the same attention as the
protection of physical and financial assets can we enable the
necessary cultural change and focus enough attention and
resources to truly address the cyber threat.
Second, cyber crime. We saw the arrest of Jeffrey Lee
Parson for writing a variant of the Blaster worm, but we have
yet to find the bigger culprits, the original authors of the
recent flurry of new attacks. We need to realize that
protecting the Internet is really a global issue, one that
requires better international cooperation. We need more and
higher quality resources for law enforcement to work on
computer forensics, and we need cooperation from government and
industry to assist prosecutors in building cases.
We require more harmony in cyber crime laws. Perhaps the
Council of Europe's cyber crime treaty is a good starting
point. Governments and industry should reach across borders
when appropriate to share information on cyber crime cases,
best practices, threats and vulnerabilities, in order to gain a
measure of prosecution success and early warning of potential
attacks.
The industry information sharing and analysis centers, the
ISACs, can be a nucleus of that initiative. There should be a
confidential, single point of contact in government so that the
experts can communicate at a peer level at times of major cyber
attacks. And again the recently announced cyber warning
information network will be a good base for this exchange.
Third, research and development; as mentioned earlier flash
threats may be wreaking havoc in the near feature, and we must
be more productive in our cyber security practices, focusing on
behavior blocking technologies, faster threat identifications
to event correlation, real-time vulnerability scanning, and
automated software patch deployment.
Given the shrinking time from discovery to exploit, much
new research and development needs to take place which even the
combined resources of the industry cannot deliver in time. The
government and academia must join this effort with incremental
funding, proactive recruiting of the best talent and highly
focused, jointly funded precompetitive projects.
Finally, audit and risk analysis: Security is not a static
issue and, thus, requires regular assessments of systems and
vigilance on the part of the IT managers, and for that matter,
all users of the Internet. I commend the committee for its
efforts to enact programs like FISMA, which require annual
assessments of government systems and also require actions to
improve the protection of those systems.
The committee's oversight in this area is invaluable. This
is not just something that government should do, but all
enterprises, large and small, should be encouraged to follow
this example of regular security assessments. Critically,
though, we need thorough and timely remediation of any audit
findings. The current performance of most organizations,
government and industry alike, falls well short of desired
levels.
In closing, let me issue this challenge to the industry,
government, and individual users. We must take cyber security
more seriously and we must do it together. Aware and compliant
users are the best defense against most cyber attacks. Most
importantly, we all, as individual users of the Internet, need
to do our part to protect cyberspace. Experience shows that
effective implementations of security solutions cost in the
range of 6 to 8 percent of the overall IT budgets. Few
corporations or government departments have allocated adequate
levels of funding to this critical need. It is time that we put
our resources to work to minimize the risk of a serious
disruption of our national cyber infrastructure.
Thank you and I look forward to your questions.
Mr. Putnam. Thank you very much, Mr. Schwarz.
[The prepared statement of Mr. Schwarz follows:]
[GRAPHIC] [TIFF OMITTED] T2654.124
[GRAPHIC] [TIFF OMITTED] T2654.125
[GRAPHIC] [TIFF OMITTED] T2654.126
[GRAPHIC] [TIFF OMITTED] T2654.127
Mr. Putnam. I appreciate the input of this entire panel,
and for the record, this was the worst panel about sticking to
the time lines. Usually it's the bureaucrats that go over. But
all of you were very interesting with very important
information, and we are delighted to have it. I would like to
begin with Mr. Reitinger with Microsoft.
You have had a bad month. It has been a tough several weeks
at the office. Walk us through what happens when someone,
whether they have altruistic intentions, or not-so-altruistic
intentions, notifies you of a vulnerability.
And walk us through the process of developing a patch,
releasing it; and at what point do you notify the Federal
Government, as well as your customers? Could you just walk us
through that process?
Mr. Reitinger. Of course, Mr. Chairman.
Ideally, the process works with, if there's an external
notification, someone contacting a software vendor, which might
be Microsoft or another vendor, who then begins to develop a
patch. If the notification is to the vendor, that allows the
vendor to work to develop the patch in advance so that the
public can be protected.
The patch is developed, and that can be a very intensive
process. The Blaster patch or the patch for the vulnerability
of the Blaster attack, for example, was done due to a number of
different operating systems. The information associated with it
had to be developed, I think, in 25 languages. And then that
patch is rolled out.
In the case of Microsoft, Microsoft rolls out patches
unless there's a public exploit, generally on a Wednesday for
predictability purposes, so customers can know it's coming. At
that point, we begin to work actively with the community, with
our customers, with people in the Federal Government, including
the Department of Homeland Security, to make sure that the
information about the patch can get distributed as broadly as
possible.
Now this next stage is the most critical stage because
patch uptake, as we know, is critical. The vast majority of
attacks that we have seen over time have been after a patch is
released. So the key is getting patch uptake once the patch is
released and available.
At some point in that process, as happened in the case at
issue, there may be some exploit code that is released and
perhaps eventually there is a worm or another set of attacks
that are involved.
But that is the big window, to get patch uptake as broad
and as deep as possible.
Mr. Putnam. Does the Federal Government or a particular
agency of the Federal Government receive an early heads-up
about a vulnerability that could have serious consequences?
Mr. Reitinger. Typically, because Microsoft's products are
distributed so broadly, both within the United States and
around the world, the notification is done at the same time; in
other words, we released one, we released all. And the reason
is, we've got customers around the world, we've got users
around the world. You need to make sure you can distribute the
information as broadly and as deeply as possible, and so it's
generally notification to many.
Mr. Putnam. So a vulnerability comes to light, you develop
the patch, you put it out there, and then it becomes the
responsibility of the consumer to actually patch their system.
And in this most recent case, despite the fact that your patch
had been out there for weeks, those who failed to download it
had the system go down; and so it reflects poorly despite the
fact that you had already provided the solution.
My understanding is, Microsoft is working on some better
technology to make those downloads automatic. And are there
legal issues, specifically the Computer Fraud and Abuse Act,
that might prevent you from making it easier for consumers to
patch their systems?
Mr. Reitinger. As the chairman's question indicates, there
is already a future in Microsoft operating systems called Auto-
Update that can automatically download and prompt the user to
install patches. We are currently looking at how we can make
that process easier and transparent for end-users so they can
more readily have that option available to them, so that more
people will in fact use and install Auto-Update.
I think your question about the Computer Fraud and Abuse
Act goes to the question of whether we could basically say to
our customers, you have to use Auto-Update and we install Auto-
Update by default. And the answer to that question is, yes,
there are legal problems. Laws like the Computer Fraud and
Abuse Act and other regulations, European directives, would
prohibit access to an end-user's computer without an access of
authority.
We actually need consent to do that, and that is something
we want to do. We want to, in fact, not overcome consumers'
consent, but empower them and make their consent more effective
and make it more able to control their own computer security
and privacy.
Mr. Putnam. Mr. Akers, what's your take on the whole
process of notification? And walk us through your system, if it
differs from Microsoft, when you have an issue that may arise
that may impact the Federal Government.
Mr. Akers. It does differ a little bit.
We have been at this process since I have been at the
company, and most notably our last restart of the process was
in 1997, so it's a continuous process that we undertake. Our
intent from the discovery of vulnerability, either internally
or externally found, is notification to the customer and
remediation so that the customer is not impacted. You also have
to remember that in the case of Cisco, the fabric of the
Internet itself and the intranets that deploy these patches is,
in and of itself, part of the issue we have to consider as a
part of the problem, too.
So, for instance, we have to be worried about our ability
to distribute patches if the fabric itself does not have
integrity. So when we discover vulnerability, we also begin to
develop a patch. But we also, at the same time, begin to
develop a plan of notification and remediation. These take
different shapes depending on the nature of the vulnerability,
the technologies that are involved and the issues that are at
hand. In some cases, because we have to ensure that we can
deploy the released information and the software itself, we may
notify critical infrastructure components of the problem so
that they can remediate the problem, so we can continue then to
work with the rest of the constituent customer base to deploy
software release and information.
We look at this on an individual case basis and use
processes and policies within the company to determine how to
do that, at which time we then go through the process of
completing the software build, much as Microsoft indicated they
do. Once that is ready, both the plan and the software, we then
begin the notification process and remediation process with our
customers.
We believe this process, for us, has worked well over the
years and believe that it provides the best of both worlds in
the context of both protecting the infrastructures themselves,
our customers, and making sure that we get the information into
the hands of the people that can protect themselves before the
information is made available to those that might exploit it
and use it for detrimental purposes.
Mr. Putnam. Do you have a different notification process
for an agency of the Federal Government than you do for an
individual customer?
Mr. Akers. We treat the agency of the Federal Government as
if it were part of the critical infrastructure, and we put them
in the same structure prioritization as we would any other
critical infrastructure. If we determine that a critical
infrastructure asset of the Federal Government has a particular
or unique circumstance, they would be prioritized accordingly
within our scheme.
Mr. Putnam. Mr. Reitinger, in the cyber hacker world,
everybody likes to pick on Microsoft. As we heard in earlier
testimony, everybody gets their merit badges by messing with
you all.
You have a tremendous background in law enforcement, as
well, so you have seen both sides of this. Are you satisfied
with the legal framework that exists today for punishing people
who are hackers?
Mr. Reitinger. That is a very good question, Mr. Chairman.
I think, in terms of punishing hackers, the answer is mostly
yes, because Congress just last year passed an additional law
raising the penalties for cyber crime and how that's going to
work in practice, the sentencing guidelines associated that are
now being developed.
There are two other areas, though, that require
examination. One is, is the breadth of penalties enough? Have
we criminalized everything we ought to criminalize as opposed
to what the amount of the penalty is? And I think that can
change over time as new ways to harm people on-line are
created.
Secondarily, there is the question of law enforcement's
ability to identify and then prosecute people, and that is the
point to which my testimony related. It is actually very hard
to--as your questions to Mr. Malcolm on the first panel
indicated, it is very hard to identify hackers and virus
writers and worm writers online, and we need to do what we can
to remediate that. And perhaps the biggest way to do that is to
ensure that law enforcement has the resources necessary to
attack the problem, particularly with regard to training and
things like forensics capabilities.
The last element I'll just mention briefly is the
international piece. As Mr. Schwarz indicated, it's critical.
All cybercrime--not all cybercrime, but almost all cybercrime
involves an international element. Even if it's a person in the
United States attacking a place in the United States, they will
probably pass their attacks abroad. So you typically have an
international element in cybercrime. That means that you have
to have the same capabilities that you have in the United
States created around the world, and things like the Council of
Europe Cybercrime Convention, if ratified by countries like the
United States and other signatories, could go a long way toward
remediating that problem.
Mr. Putnam. Mr. Gulloto and Mr. Schwarz, your company's
mission in life is to protect your clients' systems from these
worms, from these viruses, from these hackers, from malicious
code. You monitor this on a 24-hour, 7-day-a-week basis. Do you
notice any trends in where these threats come from? Is there a
seasonality to the trends? Are there more in the summer than
there are during the school year? Do they arise from Eastern
Europe or Asia or North America? Could you give us some sense
of the landscape of the threat environment?
Mr. Schwarz. Let me jump in and obviously allow my
colleague to comment. We today monitor almost 1,000 customers'
networks around the world and have further some 22,000 real-
time scanners placed in strategic points around the Internet
around the world. That level of input gives us a pretty good
perspective on what is actually happening on the Internet.
First and foremost, the majority of the attacks appear to
be originating in the United States, so the thought of somehow
being flooded from the outside does not seem to hold true.
Second, the attacks are gaining in, if you will, virility
as a result of shared technology, which is very much available
in public domains on the Internet. So one of the comments I
would make relative to the criminalization of this conduct,
ought to think about including the publishing of exploitation
methodologies and tools which can then be downloaded by people
who don't necessarily have the skill to further the damage of
the Internet.
We do not see any seasonality, we do not see any changes in
scope as the year progresses or as various political events
happen to take place around the world. What we do see is a
direct correlation between the rise of always-on broadband
connection and the penetration of these attacks around the
world as these always-on machines are taken over and used as a
base to launch massive further damage. And as my colleague from
Microsoft points out, the tracing of these attacks to its
origin, given today's technology, is almost impossible.
Mr. Putnam. Mr. Gulloto.
Mr. Gulloto. I concur with a great deal of what Mr. Schwarz
said. What I would like to address is a little bit more about
the specifics of the origins of the virus-writing activity
itself, specifically where viruses may or may not come from. In
many cases, as we've heard previously today, and today and I
will concur with that as well, it is very difficult for us to
specifically state where a virus has been written or where it
is originating from. As Mr. Schwarz has pointed out, there is--
a majority of the traffic originates in the United States, but
we are not completely convinced that the traffic that
originates in the United States actually came from the United
States.
I'll go to an example of a group called 29 A that exists,
from what we understand and what we have researched, in Brazil
and in Spain. There is a common language between the two. We
have seen even in code where one virus writer will acknowledge
another virus writer for helping create some piece of code
together or in such a way in which they were successfully able
to take one piece of expertise from one area and the other from
another area, get it to work together, and then in many cases
it will get out. Now, it gets out deliberately in some cases,
or they may post it to a Web site which will ask people to come
to that Web site, get that--it could have come from the United
States--double-clicked it when they put it on their desktop or
began to simply distribute it throughout a network of friends,
who then may have double-clicked on it to get it moving in the
case of a mass mailer.
The worms are a little more difficult to state, meaning
that I may be a virus writer that lives in Belgium--which there
is a woman virus writer, her name is Gigabyte, she is 18 years
old. She may have written a piece of code at her home in
Belgium, but she may have taken it to France, went into an
Internet cafe, put in her floppy disk, go to the program, ran
it. That program immediately begins to spread. She unplugs the
diskette, pays her 5 euro for the hour that she spent on the
computer, and she walks out the door. It begins to spread at
that particular point in time.
Mr. Putnam. Mr. Schwarz, you mentioned that the majority of
the attacks originate in the United States. Do you distinguish
between probes and attacks, or are they the same term?
Mr. Schwarz. We do distinguish among various categories and
severities of attacks. And, yes, there are distinctions between
probes where people are looking for vulnerabilities or open
switches, if you will, open access points, and actual attacks
that have been launched to penetrate and cause damage. We see
about 175 million such events per day across the spectrum of
the systems that we do monitor. Categorizing that volume of
data to actually identify specific types of attacks is a bit of
a daunting task. What we do with the data is correlate the
information from multiple points and attempt to isolate those
that have potential for being serious or those that indicate a
new type of activity from which we have not been able to defend
ourselves previously, and then build defenses based on that new
intelligence.
Mr. Putnam. And do those probes also mostly originate from
the United States?
Mr. Schwarz. The total traffic that we see--and again, I
agree with Vincent's point relative to the actual pinpointing
of the origin of the code, but the total traffic volume still
is to some 75 or 80 percent originating in the United States.
What we see is countries that have a very large prevalence of
always on connections, like Korea and Japan, ranking very high,
perhaps beyond the size of their population, but that may be
simply spoofed addresses targeting those countries as a way to
launch attacks, but not originating there.
Mr. Putnam. One of the concerns that we have heard,
particularly with the reference to the virus that went silent
today, was shut down as of today, is that it is an attempt by
these code writers to learn, to explore the system for a finite
period of time, and then before it could necessarily be reacted
to, it goes down so that they are learning and essentially
applying that knowledge toward developing the better or the
perfect virus or the perfect worm. Could you comment on that?
Anyone.
Mr. Gulloto. I would agree that is certainly a possibility.
We have seen behavior like this for quite some time.
Approximately 3 years ago Mr. Hale, who had testified a little
bit earlier, and I were on a committee, if you will, that
looked at a threat called Leaves. It was an Internet worm. And
at first it had looked to be rather a meek worm, but as we did
more and more analysis of it, it became very complex in what it
was that it did. It looked to be something that perhaps someone
had created to see what would happen if they released it, what
data could it gather, where could it go, what could it do so
that they could then in turn go ahead and create another threat
of such a nature to then have it go further. The good news was
that person was actually arrested. And so I don't have any idea
what happened to that person, but I know that there was an
arrest in that case.
Now, we could take a look at other such threats and also
concur that there is some education process. We could look at
one specific factor in a threat to say this might be what they
are looking to see works or doesn't work. The SoBig virus now
is one that you mentioned, is one that's in its fifth to sixth
generation, meaning it is multiple family members. There have
been other variance of SoBig that have spread quite far as
well, and the commonality amongst each variant is that it has
an extension, which is PIF. And in many cases, when we see a
new extension be exploited, it is an opportunity for all virus
writers to learn to see if it will become successful or not,
because if it is successful, others will use that same
extension, knowing fair well that most computer users, which we
would probably look to more toward the consumer user, but then
again end users, within an environment would not understand.
We've spent a great deal of time educating people in the
past couple of years about how not to click on anything that
has a VBS extension. Well, we got them to understand that.
Those viruses seem to have gone away. However, PIF looks a lot
like JIF. JIF is not necessarily a file that can be infected.
People double-click on it every single day and e-mail. No
problems. They get to see something, it's great. It's a
misunderstanding. Virus writers probably understand this, use
it to educate themselves to see what else they can plant that
will become successful.
Mr. Putnam. Mr. Schwarz, did you wish to add anything to
that?
Mr. Schwarz. I think this is a very accurate description of
the actual state of the technology used by the virus writers.
Again, I would like to stress the importance of dealing with
Web sites that actually publish this information, which are
then shared among a community of people that perhaps do not
have the skill to create the original varieties, but can adapt
and cause additional damage.
One other thought which I would like to leave with the
panel or with the committee is that many of the worms that
perhaps or the viruses that are perhaps the most threatening
are not those that achieve the notoriety of a SoBig. They are
very visible because of the traffic they generate, but perhaps
a low-profile-type worm or Trojans that have been placed in
strategic points in the network in systems that are very
critical to a business or the national infrastructure that can
be triggered somewhere down the road with a subsequent worm or
subsequent attack, causing a disruption of service or causing
deletion of data, or causing, in fact, just a flow of
information to an entity that might wish to observe what is
going on.
So we need to not observe just those attacks that cause the
service very large volume issues, but need to be looking for
low-profile, potentially, in fact, more insidious and dangerous
worms than those we have seen to date.
Mr. Putnam. Mr. Akers and Mr. Reitinger, recognizing that
there will never be a perfect code, what can software designers
do to develop more secure codes, more secure systems as the
abilities of the bad guys, the black hats, continue to improve?
What efforts can we take to get better, more secure systems?
Mr. Akers. I think there is actually two things that we are
both doing, and we need to continue to do, as an industry.
Education is a big part with our software developers. We teach
our software developers that are coming out of academia today
to develop software based on the function required at hand, and
we don't teach them to be mindful of the issues around security
that might provide vulnerabilities and subsequent exploits.
There are a number of programs out there. There are centers
of excellence that are part of a program at the National
Security Agency. There are a number of other venues by which we
acquire information about how to do good quality, secure
software engineering. And we need to continue to educate our
software engineers and academia how to do those things and for
those that are out in practice today, and continue to do what
we are doing, which is bringing that information directly to
them so that as they develop a product initially, they are
mindful of the issues that we are dealing with from a security
standpoint today. This is something that's going to be an
ongoing process.
The second thing is continued testing. And that is
something that I know that most of the vendors here and most of
the vendors across the community are doing more today than we
ever have. We internally have programs, we externally have
programs, and we are going to continue to reinforce our ability
to simply look for and test for those vulnerabilities that we
might be in a position to uncover that we can then mitigate
prior to the time of an exploit.
I want to kind of piggyback on the last question a little
bit, too. As we look at this issue around vulnerability
yielding an exploit, the other thing we can do is we could
watch the testing of some of this exploit code. I can't think
of a vulnerability that has been disclosed that at some point
along the line somebody didn't turn the knob to see if it was
more interesting than maybe the vulnerability seemed at the
time the vendor talked about it. And if we start seeing these
kinds of things, government and private sector should be able
to identify those instances and come together to take a look at
what the miscreants might actually be doing, and then start
thinking about how to thwart the attempts that they may make at
those particular vulnerabilities going forward.
Mr. Putnam. You mentioned the education and then its
importance for your software designers. But these miscreants,
as you've referred to them, or script kiddies are more
intellectually driven; it is a game. Some people do crosswords,
some people try to break into systems, and then the more
malicious types. Now, don't script kiddies grow up to work for
the Microsofts and Ciscos of the world?
Mr. Akers. Not knowingly, in my case. We take a very dim
view of that activity. But, no. Typically it's difficult to
even distinguish between the activities of the script kiddies
and the more orchestrated and well-organized, funded, and
otherwise notable engagements. As a matter of fact, understand
that it wouldn't be out of the realm of possibility that those
more well-developed organizations and entities could take
advantage of the behavior of the script kiddies to accomplish
what they want to accomplish. So education of software
engineers is a key part of it. And what you generally find, or
at least what we generally find, is they do have a--once
educated, they do maintain and have a clear understanding of
the issues and want to do the right thing.
I think as was said earlier, it's almost viewed as being
patriotic to make sure that when we're providing critical
infrastructures, we're doing it with the highest degree of
quality and security that we possibly can. And our developers
take that to heart much like the rest of the developers in the
community do.
Mr. Putnam. Mr. Reitinger.
Mr. Reitinger. Mr. Chairman, let me answer that question in
two parts, first what software companies can do, and then turn
to the education points.
What software companies can do is have a robust software
assurance process. Conduct code reviews before software ships,
use independent test teams, do threat modeling, make sure they
train their developers. Use automated tools to test for
security, and seek third-party certifications such as the
common criteria. This is something that companies like
Microsoft and other software companies do.
They need to conduct robust after-actions when
vulnerabilities do occur to figure out what went wrong and how
the process can be fixed going forward, because security is
really a destination as opposed to an end. Or, excuse me, is
really a process as opposed to an end.
Software companies need to make security easier to do so
that the software's secure out of the box and it's easier to
maintain going forward. So there's a whole software assurance
and software support process that can ease the burden and help
solve the problem.
With regard to education, there are a number of components
of that. One is educating users about how they can secure their
systems. That is the focus of a lot of government efforts and
the Microsoft Protect Your PC Initiative.
There is also the component of the ethical outreach to
kids, which was the subject of your present talk. How do we
stop--how do we make young folks, if you will, not do the sorts
of things that some of them are doing now, attacking systems,
so that we have less chaff that we have to worry about to find
the wheat. That is a really hard problem, and I think requires
us to figure out how to convince young, computer-literate
people that breaking into systems, if you will pardon the
colloquialism, isn't cool. It doesn't build your status in a
peer group. It's like burning down a building. And people
really get hurt. That's something we have not all successfully
done yet, and we need to continue to work on.
Mr. Putnam. Mr. Schwarz, Mr. Gulloto, do you all have any
comments on either of those issues? Do you have any comments on
the education component, and how we can be more effective at
it, and whose responsibility it is?
Mr. Schwarz. Let me offer one suggestion. Obviously,
education is hugely important, and the more we do, the better
for all of us. There is a technology solution that can be
applied to partly address this problem, which is something that
we call client compliance, or compliancee, as it is called in
bad English. Client compliance is about ensuring that when a
client is reaching out to the network to be connected, that the
network has the ability to test whether that client meets some
basic minimum standards of good housekeeping relative to
security.
It would be great if we could come together, government and
industry, and develop a joint standard for how that compliance
could be achieved and then have the ability for the ISPs, for
the in-house servers, to, in fact, test every client before
they are given access to the network. That technology in
addition to education could help us dramatically improve the
level of standard, the level of security that we see today.
Mr. Putnam. Mr. Gulloto, any comments?
Mr. Gulloto. With regard to the education aspect, today we
face a point where we are about to probably look at the next
generation of threats and how is it that we can educate
primarily the home user, but to protect themselves from those
threats. We have them to the point that they understand that
they are probably best served by putting antivirus and updating
that antivirus as often as a vendor makes it available.
Antivirus today is no longer sufficient enough to protect
everyone from the threats that we are seeing such as the
Internet worms, which in many cases travel at certain points in
the Internet where there may not be an antivirus product that
can actually support or protect them from that. Therefore, as
we have spoken about today, the evolution of the threat, we
have to evolve our education and how we go about having the
consumer at home understand that the Internet is a big city,
and that like many cities, there are good parts and there are
bad parts. You should proceed with caution in both areas, and
understand that what you may find in the good part is good;
what you may find in the bad part might look good, but it's not
necessarily good.
People that are using the Internet today to exploit
children, they are looking to exploit consumers by stealing
data for a financial gain, I think are slightly different than
perhaps some of the script kiddies that we have spoken about
today. But clearly, when we developed the stay safe on line
campaign sometime back, I think we looked to find that to be an
avenue in which we could teach the consumer ways in which we
could have them understand as to what a bad guy looked like on
the Internet and what a good guy looked like on the Internet,
and perhaps what a bad guy that looked like a good guy on the
Internet was.
I think funding plays a huge part of it, actually, to be
able to maintain and sustain this type of education, this
evolving education that we need, which is why many of us today
have talked about ways in which we can find funding to further
R&D, but that R&D will include education.
Mr. Putnam. Thank you very much.
I am told that there is a 1:30 hearing in this same room,
and so we need to bring it in for a landing. Is there anything
that we have not covered that any of the panelists would like
to add to the discussion before we wrap up? Beginning with Mr.
Akers. Do you have any final comments?
Mr. Akers. No.
Mr. Putnam. Mr. Reitinger.
Mr. Reitinger. Thank you for the opportunity to testify
today, Mr. Chairman.
Mr. Putnam. Delighted to have you. Thank you. Appreciate
your insight.
Mr. Gulloto.
Mr. Gutknecht. No. Thank you.
Mr. Putnam. Dr. Schwarz.
Mr. Schwarz. No. Thank you.
Mr. Putnam. Well, thank you all very much. This has been an
outstanding hearing. I do apologize for its length, but I think
that it was valuable and well worth our time.
I will remind everyone we have two more hearings next week
on cybersecurity as well. And, with that, the record will
remain open for 2 weeks for submitted questions and answers of
topics that we were unable to get to today.
The subcommittee stands adjourned.
[Whereupon, at 1:20 p.m., the subcommittee was adjourned.]
�