[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





WORM AND VIRUS DEFENSE: HOW CAN WE PROTECT THE NATION'S COMPUTERS FROM 
                             THESE THREATS?

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 10, 2003

                               __________

                           Serial No. 108-123

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

92-654              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota                 ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 DIANE E. WATSON, California
TIM MURPHY, Pennsylvania             STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                 Chip Walker, Professional Staff Member
                      Ursula Wojciechowski, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on September 10, 2003...............................     1
Statement of:
    Akers, Greg, senior vice president, chief technology officer, 
      government solutions and corporate security programs, Cisco 
      Systems, Inc.; Phil Reitinger, senior security strategist, 
      Microsoft Corp.; Vincent Gullotto, vice president, 
      antivirus emergency response team, Network Associates, 
      Inc.; and John Schwarz, president and chief operating 
      officer, Symantec Corp.....................................   125
    Dacey, Robert, Director, IT Security, General Accounting 
      Office; Richard Pethia, Director, Cert Coordination Center; 
      Lawrence Hale, Director, FedCIRC, Department of Homeland 
      Security; Norman Lorentz, Acting Administrator, Electronic 
      Government and Information Technology, Office of Management 
      and Budget; and John Malcolm, Deputy Assistant Attorney 
      General, Criminal Division, Department of Justice..........     7
    Eschelbeck, Gerhard, chief technology officer and vice 
      president of engineering, Qualys, Inc.; Christopher 
      Wysopal, co-founder, Organization for Internet Safety and 
      director of research and development, @stake.Inc.; and Ken 
      Silva, vice president, operations and infrastructure, 
      Verisign, Inc..............................................    87
Letters, statements, etc., submitted for the record by:
    Akers, Greg, senior vice president, chief technology officer, 
      government solutions and corporate security programs, Cisco 
      Systems, Inc., prepared statement of.......................   128
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................    71
    Dacey, Robert, Director, IT Security, General Accounting 
      Office, prepared statement of..............................     9
    Eschelbeck, Gerhard, chief technology officer and vice 
      president of engineering, Qualys, Inc., prepared statement 
      of.........................................................    89
    Gullotto, Vincent, vice president, antivirus emergency 
      response team, Network Associates, Inc., prepared statement 
      of.........................................................   157
    Hale, Lawrence, Director, FedCIRC, Department of Homeland 
      Security, prepared statement of............................    46
    Lorentz, Norman, Acting Administrator, Electronic Government 
      and Information Technology, Office of Management and 
      Budget, prepared statement of..............................    52
    Malcolm, John, Deputy Assistant Attorney General, Criminal 
      Division, Department of Justice, prepared statement of.....    58
    Pethia, Richard, Director, Cert Coordination Center, prepared 
      statement of...............................................    31
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     4
    Reitinger, Phil, senior security strategist, Microsoft Corp., 
      prepared statement of......................................   142
    Schwarz, John, president and chief operating officer, 
      Symantec Corp., prepared statement of......................   175
    Silva, Ken, vice president, operations and infrastructure, 
      Verisign, Inc., prepared statement of......................   110
    Wysopal, Christopher, co-founder, Organization for Internet 
      Safety and director of research and development, 
      @stake.Inc., prepared statement of.........................    98

 
WORM AND VIRUS DEFENSE: HOW CAN WE PROTECT THE NATION'S COMPUTERS FROM 
                             THESE THREATS?

                              ----------                              


                     WEDNESDAY, SEPTEMBER 10, 2003

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam, Miller, and Clay.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Chip Walker, Scott Klein, and Lori Martin, 
professional staff members; Ursula Wojciechowski, clerk; 
Suzanne Lightman, fellow; Jamie Harper and Erik Glavich, 
legislative assistants; David McMillen, minority professional 
staff member; and Jean Gosa, minority assistant clerk.
    Mr. Putnam. The quorum being present, the Subcommittee on 
Technology, Information Policy, Intergovernmental Relations and 
the Census will come to order. Good morning.
    Today we continue our in-depth review of cyber security 
issues affecting our Nation. There are several things unique to 
cyber attacks that make the task of preventing them difficult. 
Cyber attacks can occur from anywhere around the globe, from 
the caves of Afghanistan to the battlefields of Iraq, from the 
most remote regions in the world or right here in our own back 
yard. The technology used for cyber attacks is readily 
available and changes continually, and perhaps most dangerous 
of all is the failure of many people, including those who are 
critical to securing these networks and information from 
attack, to take the threat seriously, to receive adequate 
training and take proactive steps needed to secure their 
networks. A severe cyber attack would have devastating 
repercussions throughout the Nation in a physical sense and in 
real economic dollars.
    The initial plan for this hearing was to focus primarily on 
strategies and methodologies within the agencies of the Federal 
Government for identifying and mitigating computer 
vulnerabilities through a system of patch management. Recent 
events, however, have caused us to expand the boundaries of 
this hearing to include computer systems throughout the Nation.
    This summer, everyone once again realized how vulnerable 
our computer networks are to cyber attack. The Blaster worm and 
SoBig.F virus brought home the reality that unsecured computer 
systems are all too prevalent and that as a Nation across all 
levels, government, business and home users, we must take 
computer security more seriously than we have in the past. The 
Blaster worm infected over 400,000 computers in under 5 days. 
In fact, 1 in 3 Internet users are infected with some type of 
virus or worm every year.
    The speed at which worms and viruses can spread is 
astonishing, and a contributing factor to that rapid spread is the 
lethargic pace at which people deploy the patches that can 
prevent infection in the first place. Microsoft announced the 
vulnerability and had the patch available weeks before the 
exploit appeared.
    Recent viruses and worms have been blamed for bringing down 
train signaling stations throughout the East, affecting the 
entire CSX railroad system, which covers 23 States. 
Additionally, new information is coming to light that the 
Blaster worm is being linked to the severity of the power 
blackout of last month. The North American Electric Reliability 
Council blames another worm, Slammer, for impairing bulk 
electric system control by bringing down networks. We learned 
last week that the U.S. Nuclear Regulatory Commission issued a 
formal information notice to nuclear power plant operators 
warning them about an incident in January in which the Slammer 
computer worm penetrated networks in Ohio's Davis-Besse nuclear 
plant and disabled two important monitoring systems for hours.
    A recent Gartner study predicts that by the year 2005, 90 
percent of cyber attacks will attempt to exploit 
vulnerabilities for which a patch is already available or a 
solution known. So why aren't systems patched and why aren't 
anti-virus programs kept up to date? This hearing will examine 
the issues surrounding these incidents, including how 
vulnerabilities are discovered, how the public is notified 
about potential vulnerabilities, the mechanisms for protection, 
the real and potential problems presented by patch systems and 
the scope of the problem confronting the Federal Government, 
the business community, and the general public.
    System administrators are often overwhelmed with simply 
maintaining all the systems they have responsibility for 
overseeing. Challenges that organizations face in maintaining 
their systems are significant. With an estimated 4,000 
vulnerabilities being discovered every year, it is an enormous 
challenge for any but the best resourced organizations to 
install all of the software patches that are released by the 
manufacturer. Not only is the sheer quantity of patches 
overwhelming for administrators and everyone else to keep up 
with, but patches can be difficult to apply and have unexpected 
side effects on other systems that administrators must then 
evaluate and address. As a result, after a patch is released, 
administrators often take a long time to fix all of their 
vulnerable computer systems. Obviously small organizations and 
home users who lack the skills of system administrators are 
even less likely to keep up with the flow of patches.
    The Department of Homeland Security's Federal Computer 
Incident Response Center recently let a $10.8 million 5-year 
contract for governmentwide patch management service to notify 
agencies about security holes in commercial software for 
systems on their networks and the availability of patches to 
fix them. The service is known as the patch authentication and 
dissemination capability [PADC]. The goal is to simplify patch 
management by providing administrators only with information 
relevant to their systems and ensuring that patches are genuine 
and effective. PADC went on-line in January of this year. 
According to officials, once agency system administrators have 
provided a profile of their systems and software, PADC will 
alert them to potential vulnerabilities, provide interim 
security advice until a patch is available, disseminate 
available patches and keep management informed of available 
patches and which ones their systems administrators have 
downloaded.
    Large organizations such as business and educational 
institutions often rely on commercial firms to notify them of 
vulnerabilities. For example, there are several firms that 
offer vulnerability notification combined with analysis of the 
customer's computer system for those vulnerabilities. These 
firms also provide information on where to get the patches and 
prioritize them for administrators. In addition, the commercial 
critical infrastructure sectors depend on information from 
their information sharing analysis centers [ISACs], to help 
them respond to potential cyber threats. These ISACs are 
designed to allow members of a sector to share information 
about incidents to help increase preparedness and vigilance. 
The progress of Blaster demonstrates the importance of the 
early warning systems that ISACs are tasked with developing.
    Independent researchers discover most vulnerabilities. 
These researchers may be academics, consultants or Black Hats. 
The Organization for Internet Safety is working with software 
vendors, consultants and other interested parties to formalize 
procedures for dealing with vulnerabilities, including vendor 
notification and controlled disclosure. There's a very important 
role for government to play in these disclosure procedures. It 
is no longer acceptable for vendors to determine on their own 
schedule who gets notified and when. Given the potential 
national security risk that can emanate from the exploitation 
of a vulnerability, it is imperative that the appropriate 
government entities be involved in this process from the 
beginning.
    Vulnerabilities in software and the worms and viruses that 
exploit them have become a fact of life for the Internet. The 
government, law enforcement and private industry must develop 
and continue to update a plan to deal with these emerging 
threats.
    How can we educate home and small business users to 
minimize the risk posed by zombie computers? How can 
researchers, the government and software industry work together 
to identify and remedy vulnerabilities in the most instructive 
manner? And how will the Federal Government evolve an effective 
patch management program? What can be done to expedite the 
discovery and prosecution of cyber criminals who release worms 
and viruses? And most important of all, how can the Federal 
Government, law enforcement and industry work together to 
protect the vital infrastructure of the Internet?
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [Prepared statement reproduced in the printed record as graphic images T2654.001 through T2654.003; not included in this text.]
    
    Mr. Putnam. We have an outstanding line up of witnesses 
this morning who will share with us their expertise as we 
explore worms and viruses and how we can better protect the 
Nation's computers. As is the custom of this committee, we'll 
ask our witnesses as they are seated in panel one to rise and 
be sworn in.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all of the witnesses 
responded in the affirmative. We will begin with our first 
witness, and we have three panels. The panels are rather large 
panels. They are unusually large for this subcommittee, but the 
scope of our topic demanded it. But we would ask that all of 
our witnesses adhere as best they can to our 5-minute rule. And 
I will introduce Mr. Dacey.
    Robert Dacey is currently Director of Information Security 
Issues at the U.S. General Accounting Office. His 
responsibilities include evaluating information systems 
security in Federal agencies and corporations, including the 
development of related methodologies, assessing the Federal 
infrastructure for managing information security, evaluating 
the Federal Government's efforts to protect our Nation's 
private and public critical infrastructure from cyber threats 
and identifying best security practices at leading 
organizations and promoting their adoption by Federal agencies. 
In addition to his many years in information security auditing, 
Mr. Dacey has also led GAO's annual audits of the consolidated 
financial statements of the U.S. Government, GAO's financial 
audit quality assurance efforts, including methodology and 
training, and other GAO financial statement audits. We 
appreciate you being a part of this panel, and you are 
recognized for 5 minutes.

  STATEMENTS OF ROBERT DACEY, DIRECTOR, IT SECURITY, GENERAL 
ACCOUNTING OFFICE; RICHARD PETHIA, DIRECTOR, CERT COORDINATION 
    CENTER; LAWRENCE HALE, DIRECTOR, FEDCIRC, DEPARTMENT OF 
   HOMELAND SECURITY; NORMAN LORENTZ, ACTING ADMINISTRATOR, 
  ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF 
   MANAGEMENT AND BUDGET; AND JOHN MALCOLM, DEPUTY ASSISTANT 
   ATTORNEY GENERAL, CRIMINAL DIVISION, DEPARTMENT OF JUSTICE

    Mr. Dacey. Thank you, Mr. Chairman. I am pleased to be here 
today to participate in the subcommittee's hearing on cyber 
incidents and the role of software patch management in 
mitigating the risks that these types of events will recur. I 
will briefly summarize my written statement.
    The exploitation of software vulnerabilities by hackers and 
others can result in significant damage to both Federal and 
private sector computer systems, ranging from Web site 
defacements to gaining the ability to read, modify or delete 
sensitive information, destroy systems, disrupt operations or 
launch attacks against other organizations. The number of 
reported security vulnerabilities in software products has 
grown dramatically in recent years to over 11,000 cumulatively 
reported by CERT/CC since 1995.
    Factors increasing the risk of system vulnerabilities and 
exploits include the increasing complexity and size of software 
programs, the increasing sophistication and availability of 
hacking tools, increasing system interconnectivity combined 
with decreasing length of time from the announcement of a 
vulnerability until it is exploited, and decreasing length of 
time for attacks to infiltrate the Internet.
    Although generally available before vulnerability exploits 
are launched, patches are too frequently not installed, 
resulting in damages to unpatched systems. My written testimony 
refers to several of these exploits and summarizes the 
responses to two recently reported serious vulnerabilities.
    Given these increasing risks, effective patch management 
programs have become critical to securing both Federal and 
private sector systems. Key elements of a patch management 
program include top management support, standardized policies, 
procedures and tools; dedicated resources and clearly assigned 
responsibilities; current technology inventories; 
identification of relevant vulnerabilities and patches; patch 
risk assessment and testing; patch distribution; and monitoring 
systems through network and host vulnerability scanning.
    There are several efforts to address software vulnerability 
in the Federal systems, including OMB reporting requirements 
concerning agency patch management programs as part of the 
Federal Information Security Management Act [FISMA]; NIST 
patch management guidance; and FedCIRC incident reporting, 
handling and prevention services. For example, as you 
mentioned in your statement, FedCIRC provides PADC, a patch 
notification service, which provides agencies at no charge with 
information on trusted authenticated patches for their specific 
technologies. PADC currently has 41 agency subscribers, 
although OMB recently reported that actual usage of those 
accounts is extremely low.
    A number of commercial tools and resources are available 
that can assist in performing patch management functions more 
efficiently and effectively, such as identifying relevant 
patches, deploying patches, scanning systems for 
vulnerabilities and providing management reporting. In addition 
to implementing effective patch management processes, several 
other steps can be taken to address software vulnerabilities. 
These include one, deploying other technologies such as 
antivirus software, firewalls and other network security and 
configuration tools to provide a layered defense against 
attacks; two, employing more rigorous software engineering 
practices in designing, implementing and testing software 
products to reduce the number of potential vulnerabilities; 
three, improving tools to more efficiently and effectively 
manage patching; four, researching and developing technologies 
to prevent, detect and recover from attacks as well as identify 
perpetrators; and five, ensuring effective tested contingency 
planning processes and procedures.
    Mr. Chairman, this concludes my statement. I will be 
pleased to answer any questions that you have at this time.
    [The prepared statement of Mr. Dacey follows:]

    [Prepared statement reproduced in the printed record as graphic images T2654.004 through T2654.023; not included in this text.]
    
    Mr. Putnam. Thank you very much, Mr. Dacey. I appreciate 
you adhering to our 5-minute rule as well.
    Our next witness is Richard Pethia. Mr. Pethia directs the 
CERT Coordination Center, which conducts security incident 
response activities and fosters the development of incident 
response infrastructures that leads to rapid correction of 
vulnerabilities and resolution of incidents. Working out of the 
Software Engineering Institute at Carnegie Mellon University, 
he has been tracking vulnerabilities for 15 years. Before 
coming to SEI, Mr. Pethia was the Director of Engineering at 
the Decision Data Co. He has over 30 years experience in both 
technical and managerial positions.
    You are recognized for 5 minutes, Mr. Pethia.
    Mr. Pethia. Thank you, Mr. Chairman, and thank you 
especially for the opportunity to testify on the issue of 
defending against cyber viruses and worms. At the CERT 
Coordination Center since 1988, we have handled over 260,000 
security incidents, have helped to resolve over 11,000 
vulnerabilities, published hundreds of security alerts and 
security best practice guides, and provided training in a variety 
of security topics.
    Worms and viruses are both in a more general category of 
programs called malicious code. Both exploit weaknesses in 
computer software, replicating themselves and attaching 
themselves to other programs. They spread quickly. By 
definition, worms are programs that spread without human 
intervention once they have been introduced into the system. 
And viruses are programs that require some action on the part 
of the user, such as opening an e-mail attachment. Today these 
worms and viruses are causing damage more quickly than those 
created in the past and are spreading to the most vulnerable of 
all systems, computer systems of home users.
    The Code Red worm spread around the world faster in 2001 
than the Melissa virus did in 1999. Just months later, the 
NIMDA worm caused serious damage within an hour of the first 
reported infection. And in January of this year Slammer had 
significant impact in just minutes. Virus and worm attacks 
alone have resulted in millions of dollars of loss in just the 
last 12 months. The 2003 computer crime survey states that 
viruses are the most cited form of attack with an estimated 
cost of over $27 million across the approximately 500 
respondents to the survey. Estimates on the Blaster worm and 
the SoBig.F virus range from $525 million to more than $1 
billion in loss. The cost estimates include lost productivity, 
wasted hours, lost sales and extra bandwidth cost.
    For the past 15 years we have relied heavily on fast 
reaction to ensure the damage is minimized. But today it's 
clear that reactive solutions alone are no longer adequate. 
Many attacks are now fully automated and spread with blinding 
speed. The attack technology has become increasingly complex, 
increasing the time it takes to analyze the attack and produce 
countermeasures. We have been increasingly dependent on the 
Internet. Even short interruptions in service cause significant 
loss and can jeopardize critical service.
    Aggressive, coordinated, continually improving response 
will continue to be necessary, but we also must move quickly to 
put other solutions in place. System operators must adopt 
security practices such as information security risk 
assessments, security management policies and secure system 
administration practices. Senior managers must provide visible 
endorsement and financial support for these security 
improvement efforts. They must also keep their skills and 
knowledge current and educate their users to raise awareness of 
security issues and improve their ability to recognize and 
respond to problems. Technology vendors must also take steps 
such as producing virus resistant or virus proof software, 
dramatically reducing the number of implementation errors in 
their products that lead to vulnerabilities, and providing 
secure out of the box configurations that have security options 
turned on rather than require users to enable the functions.
    The government can also help by taking a multi-pronged 
approach: Using its buying power to demand higher quality 
software, holding vendors more accountable for defects in 
released products and providing incentives for low defect 
products and for products that are highly resistant to viruses.
    Information assurance research is also needed to yield 
networks capable of surviving attacks while preserving 
sensitive information. Among the activities should be the 
creation of a unified and integrated framework for all 
information assurance, rigorous methods to assess and manage 
risk, quantitative techniques to determine the cost benefit of 
risk mitigation strategies, systematic tools and simulation 
tools to analyze cascade effects of attacks and new 
technologies for resisting, recognizing and recovering from 
attacks, accidents and failures.
    More technical specialists should be trained, and the 
government should expand its scholarship programs to build the 
university infrastructure we will need for the long-term 
development of trained security professionals. And to encourage 
safe computing the government should support the development of 
education material and programs about cyber space for all users, 
including home users and small businesses, and support programs 
to provide early training in security practices and appropriate use.
    In conclusion, our dependence on interconnected computing 
systems is rapidly increasing and even short-term disruptions 
from viruses and worms have major consequences. Our current 
solutions are not keeping pace with the increased strength and 
speed of attack and our information infrastructures are at 
risk.
    The National Cyber Security Division formed by the 
Department of Homeland Security is a critical step toward 
implementation of some of these recommendations. However, 
implementing a safer cyber space will require the NCSD and the 
entire Federal Government to work with State and local 
governments and the private sector to drive better software 
practices, more secure products, higher awareness at all 
levels, increased research and development activities and 
increased training for special computer users and all users.
    Thank you.
    [The prepared statement of Mr. Pethia follows:]

    [Prepared statement reproduced in the printed record as graphic images T2654.024 through T2654.036; not included in this text.]
    
    Mr. Putnam. Thank you very much. Our next witness is Mr. 
Hale. Lawrence Hale is the Director of the Department of 
Homeland Security Federal Computer Incident Response Center 
[FedCIRC]. He has been active in the information assurance 
community since 1996, when he served the Chairman of the Joint 
Chiefs of Staff as an information assurance action officer 
working on security interoperability issues. While at the 
Pentagon Mr. Hale was a member of the Joint Staff Information 
Operations Response Cell during a number of exercises and 
actual cyber events, which have helped to shape U.S. Government 
policy in dealing with computer security.
    In January 1999, Mr. Hale became the first uniformed 
military officer assigned to the National Infrastructure 
Protection Center at the FBI Headquarters. While there he 
worked to improve the process of issuing warnings of cyber 
related events and served on the Y2K task force for the FBI. He 
retired from the U.S. Navy as a commander in May 2001, has a 
Master's Degree in national security and strategic studies from 
the Naval War College and a Master's in aeronautical science 
from Embry-Riddle.
    Welcome to the subcommittee.
    Mr. Hale. Good morning, Mr. Chairman and Ranking Member 
Clay. On behalf of the Federal Computer Incident Response 
Center of the Department of Homeland Security, thank you for 
this opportunity to appear before you to discuss how we can 
protect the Nation's computers. I am Lawrence Hale, Director of 
the FedCIRC, which is part of the Department of Homeland 
Security's Information Analysis and Infrastructure Protection 
Directorate. FedCIRC is the Federal-civilian government's 
trusted focal point for computer security incident reporting, 
providing assistance with incident prevention and response.
    Within the Department of Homeland Security Information 
Analysis and Infrastructure Protection Directorate is the newly 
established National Cyber Security Division. The National 
Cyber Security Division is responsible for coordinating the 
implementation of the national strategy to secure cyberspace. 
Key functional areas within the division include Risk Threat 
and Vulnerability Identification and Reduction, Cyber Security 
Tracking, Analysis and Response Center and Outreach Awareness 
and Training. The FedCIRC is now a component of Cyber Security 
Tracking, Analysis and Response Center.
    The National Cyber Security Division has combined the 
information gathering and analytical capabilities of the cyber 
watch elements of the National Infrastructure Protection Center 
and the FedCIRC and coordinates with the National Communication 
System. By doing this, the National Cyber Security Division not 
only has the added benefit of enhanced resources but the 
synergy of knowledge created from the unique resources from 
each of these watch elements.
    The Federal Government's ability to limit the effects of 
the recent wave of worms and viruses on its networks 
demonstrate how these collaborative relationships work and how 
each participant's contributions help to assess and mitigate 
potential damage. FedCIRC has the goal of securing the Federal 
Government's cyberspace. FedCIRC, as noted in the e-Government 
Act of 2002, the Federal Information Security Management Act, 
serves as the Federal information security incident center for 
the Federal civilian government. FedCIRC is the central 
government non-law enforcement focal point for coordination of 
response to attacks, promoting incident reporting and cross 
agency sharing of data about common vulnerabilities. As such, 
FedCIRC must compile and analyze information about incidents 
that threaten information security and inform Federal agencies 
about current and potential information security threats and 
vulnerabilities.
    FedCIRC demonstrated the National Cyber Security Division's 
enhanced coordination role during the recent wave of worms and 
viruses. Working closely with the CERT Coordination Center and 
software providers, FedCIRC identified the potential impact of 
newly disclosed vulnerabilities and developed corrective 
actions in mitigating strategies. Federal civilian agencies 
were advised of the existence of these vulnerabilities and 
given actionable information on reducing their exposure to the 
threats before attack programs were released. Patches were 
developed, validated and disseminated to agencies. And working 
closely with OMB and the Federal CIO Council, agencies were 
instructed to take action to address the vulnerabilities and 
report their status. As a result of these measures, the Federal 
Government was better prepared to avoid damaging impact when 
the exploit codes that were released in the attack phase of 
these events occurred.
    The National Cyber Security Division has a number of 
initiatives underway to aid in threat vulnerability reduction. 
As was mentioned, the majority of successful attacks on 
computer systems result from hackers exploiting the most widely 
known vulnerabilities in commercial software products. The 
problem is not that patches to fix these vulnerabilities don't 
exist, but that existing patches are not quickly and correctly 
applied. Agencies must have a plan on how patch management is 
integrated into their configuration management process. 
FedCIRC's patch authentication and dissemination capability 
[PADC], a Web enabled service that provides a trusted source of 
validated patches and notifications on new threat and 
vulnerabilities, is a first step.
    FedCIRC's vision is to build from the ability of providing 
validated patches to developing a more enhanced IT 
configuration and vulnerability management program that will 
automate the process. By automating the process, agencies will 
no longer have the burden of having to manually apply patches 
which will enable them to have more time to focus on building a 
more robust configuration management program.
    In closing, I would like to assure the committee that the 
National Cyber Security Division is committed to building on 
the success the FedCIRC has achieved in helping Federal 
civilian agencies protect their information systems from the 
most damaging effects of malicious code. National Cyber 
Security Division must now translate this success to a national 
scale. I look forward to continuing to work with OMB and the 
Congress to ensure that we are successful in this important 
endeavor.
    [The prepared statement of Mr. Hale follows:]
    Mr. Putnam. Thank you very much Mr. Hale. I would like to 
welcome our distinguished ranking member and vice chair of the 
subcommittee as well, and we will be taking their opening 
statements at the conclusion of the first panel's remarks as 
well.
    Our next witness is Norman Lorentz. Mr. Lorentz joined the 
Office of Management and Budget in January 2002 as Chief 
Technology Officer, the Chief e-Government Architect for the 
Federal Government. Mr. Lorentz is responsible for identifying 
and developing support for investments in emerging technology 
opportunities that will improve the Government's technical 
information and business architectures.
    Prior to joining the Federal Government, he was senior vice 
president and chief technology officer for the IT career 
solutions provider, Dice, Inc. In this capacity he directed the 
development of technology strategy and infrastructure. He was 
also the firm's chief quality officer and a member of the 
executive committee. He brings to OMB extensive experience in 
government.
    From 1998 to 2000, he was senior vice president and chief 
technology officer for the U.S. Postal Service. In 1998, he 
received the Board of Governors Award, the U.S. Postal Service's 
highest recognition, and this year was named as a Federal 100 
winner as well as recognition by Info World magazine as 1 of 
the 25 most influential CTOs in the United States. And this is 
your last appearance before a congressional committee as a 
public servant with OMB, as you will be leaving that agency and 
moving back into the private sector. So we appreciate your 
service to the government and to this subcommittee, and you are 
recognized.
    Mr. Lorentz. Thank you, Mr. Chairman, and good morning, 
members of the committee. Thank you for inviting me to discuss 
this important topic of worm and virus defense. My testimony 
today will address how the Federal Government protects its IT 
systems from this pervasive threat.
    By design, worms and viruses can cause substantial damage 
and prove disruptive to normal business operations. For this 
reason it is important for the Federal agencies to continuously 
and rapidly take proactive measures to lessen the number of 
successful attacks. The month of August proved to be an 
unusually busy time for malicious code activity, beginning with 
Blaster and then quickly spreading the SoBig.F worm. In 
general, the Federal Government withstood these attacks and the 
impact on citizen services was minimal.
    Agencies have improved their protection against malicious 
code by installing patches, blocking executables at the 
firewall and using antivirus software with automatic updates. 
Agencies, however, did report modest impacts associated with 
both worms to date. Reports from Federal civilian agencies show 
approximately 1,000 computers affected by each exploit. This 
impact ranged from a slowdown in agency e-mail to temporary 
unavailability of agency systems. A number of laptops proved to 
be susceptible to the infection since configuration management 
was even on these portable devices.
    The Federal Government's ability to thwart worms and 
viruses depends on a number of interlocking management, 
technical and operational controls. It is critical that these 
controls continue to evolve to keep pace with this increasingly 
sophisticated threat.
    First, how were vulnerabilities discovered? DHS's Federal 
Computer Incident Response Center [FedCIRC], closely 
coordinates with a number of industry as well as government 
partners. These partners include Carnegie Mellon CERT, law 
enforcement and the Intelligence Community. These organizations 
routinely communicate advanced notice to DHS regarding the 
discovery of software vulnerabilities in the development of 
malicious code.
    Second, how are agencies notified about these 
vulnerabilities? OMB and the CIO Council have developed and 
deployed a process to rapidly identify and respond to cyber 
threats and critical vulnerabilities. CIOs are advised via 
conference call as well as followup e-mail of specific actions 
necessary to protect agency systems. Agencies must then report 
through FedCIRC to OMB on the implementation of those required 
countermeasures. This emergency notification and reporting 
process was instituted for the Microsoft RPC vulnerability in 
July and as a result the agencies were able to rapidly close 
vulnerabilities that otherwise might have been exploited by the 
Blaster worm. There are mechanisms that exist for protecting 
systems.
    The National Institute of Standards and Technology [NIST], 
recommends that the agencies implement a patch management 
program, harden all hosts appropriately, deploy antivirus 
software and detect and block malicious code and configure the 
network perimeter to deny all traffic that is not necessary. As 
part of the statutory responsibility under FISMA, the National 
Institute of Standards and Technology will publish in September 
draft guidelines for incident handling. The guidelines will 
discuss how to establish and maintain an effective incident 
reporting and response program with an emphasis on incident 
detection, analysis, prioritization and containment. The 
guidelines will include recommendations for handling certain 
types of incidents and the distribution of denial of service 
attacks and malicious code infections.
    Last, the problems presented by the patching systems. Patch 
management is an essential part of any agency's information 
security program and requires a significant investment in time 
and effort. Agencies must carefully follow predefined processes 
in order to successfully remediate system vulnerabilities 
across the enterprise. A number of agencies utilize automated 
tools to push the patches to the desktop. The automation of the 
patch management process is significantly easier when the 
agency maintains a standardized software configuration. At the 
present, 47 agencies subscribe to FedCIRC's PADC capability. 
This service validates and quickly distributes corrective 
patches for known vulnerabilities.
    In closing, OMB is committed to a Federal Government with 
resilient information systems. Worms and viruses must not be 
able or allowed to significantly affect agency business 
processes. OMB will continue to work with the agencies, 
Congress and GAO to ensure that appropriate countermeasures are 
in place to reduce the impact of malicious code.
    Thank you very much.
    [The prepared statement of Mr. Lorentz follows:]
    Mr. Putnam. Thank you very much.
    Our next witness is John Malcolm. Mr. Malcolm is currently 
a Deputy Assistant Attorney General in the Criminal Division at 
the Department of Justice, where his duties include overseeing 
the Computer Crime and Intellectual Property Section, the Child 
Exploitation and Obscenity Section, the Domestic Security 
Section and the Office of Special Investigations. Pretty robust 
portfolio.
    An honors graduate of Columbia College and Harvard Law 
School, Mr. Malcolm served as a law clerk to judges on both the 
U.S. District Court for the Northern District of Georgia and 
the 11th Circuit Court of Appeals. For 7 years Mr. Malcolm was 
an Assistant U.S. Attorney in Atlanta, GA, where he was 
assigned to the Fraud and Public Corruption Section. Mr. 
Malcolm also served as an Associate Independent Counsel in 
Washington, DC, investigating fraud and abuse at HUD.
    Prior to rejoining the Department of Justice in August 
2001, Mr. Malcolm was a partner at the Atlanta law firm of 
Malcolm & Schroeder, LLP.
    Thank you for sharing your time with us and look forward to 
your testimony, and you are recognized for 5 minutes.
    Mr. Malcolm. Thank you for giving me this opportunity to 
testify about the Department of Justice's ongoing efforts to 
protect our Nation's critical infrastructure from the growing 
problem of Internet borne worms and viruses. Although computer 
viruses have been around for a long time, the ubiquity of 
Internet access and household ownership of computers in the 
United States have manifestly increased the deleterious impact 
of viruses and worms on our critical infrastructure and on our 
daily lives.
    It seems that nearly every week we learn the name of a new 
computer virus or worm that exploits flaws in commonly used 
software and quickly spreads through the Internet. Some of 
these, like the Blaster worm, make the front pages of 
newspapers. These viruses and worms are merely the tip of the 
iceberg. They are just the ones that receive the most public 
attention. Hundreds more are released every year, posing a 
daily challenge to those who are responsible for protecting 
networks and investigating network attacks.
    The effect of these viruses and worms should not be 
underestimated. For example, in the United States, the Slammer 
worm shut down the automatic teller machine system and caused 
significant transportation delays when electronic ticketing 
used for airline travel was affected. The Blaster worm and its 
variants have affected hundreds of thousands of computers. 
Moreover, since the Internet is seamless and borderless, the 
harmful impact of worms and viruses is not limited to our 
country but affects countries across the world. Clones or new 
variants of malicious codes continue to crop up, raising 
concerns that more damaging variants are right around the 
corner. In many cases succeeding generations of viruses and 
worms will build on its capabilities adding additional harmful 
payloads.
    The worldwide damage to computers and data as well as the 
productive time lost as the result of worms and viruses is 
measured in the millions and by some estimates in the billions 
of dollars. This damage has an undeniable adverse effect on 
important sectors of our economy and potentially undercuts the 
security of our Nation's critical infrastructure.
    The Department of Justice has devoted significant resources 
to investigating and prosecuting persons who release malicious 
codes on the Internet. These efforts have met with some 
success. It bears mentioning, however, that tracking the 
sources of worms and viruses on the Internet is difficult and 
presents unique challenges to investigators because of the 
speed with which programs are spread and fundamental 
characteristics of computer networks, particularly in peer to 
peer network applications. It is difficult to determine 
precisely where an outbreak begins since simultaneous file 
transfers can occur in computers literally throughout the 
world.
    Although tracking the sources of computer worms and viruses 
is difficult, the Department of Justice is fully committed to 
effectively investigating such attacks. The Criminal Division's 
Computer Crime and Intellectual Property Section helps 
coordinate investigations of computer crimes of all sorts, 
including virus and worm attacks. These prosecutors in turn 
train and work with computer hacking and intellectual property 
units and computer and telecommunications coordinators in each 
of the 93 U.S. Attorneys offices across the country. Together 
this network of prosecutors working with law enforcement agents 
from the Secret Service and the FBI and using important tools 
provided by the Patriot Act provide an integrated approach to 
addressing computer crime. Because the perpetrators of offenses 
may live in other countries, the investigations involve an 
international component that draws upon the Department's 
contacts with law enforcement counterparts abroad. Indeed, 
international cooperation is a foundation of the Department 
strategy for combating cyber crimes, including worms and 
viruses. Our efforts are rewarded whenever evidence is obtained 
from foreign countries that further domestic investigations or 
when we are able to furnish similar assistance to other 
countries.
    In addition to international outreach, Department attorneys 
and agencies regularly meet with industry, trade groups and 
State and local law enforcement officials in order to improve 
communication. The Department of Justice pursues a message of a 
culture of security where both individual users and 
corporations view computer security as a key component for 
successful computing experience. Experience sadly teaches us 
that much of the damage to our computer networks is caused by 
teenagers and young adults armed with free hacking tools, 
plenty of time and too little moral teaching about how to use 
computers and how not to use computers. Therefore, the 
Department has also pursued educational programs directed to 
youth, their teachers and parents. We describe the program as 
cyber ethics. In fact, CCIPS, in an article authored by the 
section chief, has published an article dealing with cyber 
ethics in the current issue of Newsweek.
    The Department of Justice continues to make progress in its 
battle against computer crime and intellectual property theft. 
Recognizing the challenges ahead, we look forward to continued 
success in our efforts.
    Mr. Chairman, that concludes my prepared statement. I look 
forward to getting your questions.
    [The prepared statement of Mr. Malcolm follows:]
    Mr. Putnam. Thank you very much and thank all of you for 
your adherence to our time restrictions. At this time I will 
introduce the ranking member of the subcommittee, the 
distinguished gentleman from Missouri, Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman, especially for calling 
this hearing and my thanks to the witnesses who have taken the 
time to be with us today and share their expertise.
    Computer bugs like worms and viruses are one more example 
of the complexity of the world we live in. On the other hand, 
they are one more example of the frailty of human beings and 
the difficulty of legislating appropriate behavior. Many worms 
and viruses we have seen are nothing more than exuberance of 
youth experimenting with newly found freedoms and skill. As has 
always been the case, the pranks of youth can have consequences 
well beyond their capability to understand those consequences.
    Last week, the FBI arrested a Minnesota high school senior 
and charged him with intentionally causing and attempting to 
cause damage to computers protected under Federal law. He faces 
a $250,000 fine and 10 years in prison. This young man was so 
naive that he built into his computer bug a direct link to his 
own computer. Catching him was not difficult. However, the 
damage done was real. The worm attack he participated in forced 
shutdowns of computer systems at the Federal Reserve Bank of 
Atlanta, the Maryland Motor Vehicle Administration, the 
Minnesota Department of Transportation and part of 3M 
facilities, including a plant in Hutchinson.
    Unfortunately, most hackers are not as naive as this 
Minnesota teenager nor as benign. One of the earliest publicly 
documented cases of hacking was in 1988 at the Lawrence Berkeley 
Lab. Cliff Stoll, an astronomer turned systems manager at 
Lawrence Berkeley Lab, was alerted to the presence of an 
unauthorized user in the inner system by a 75-cent accounting 
error. His investigations eventually uncovered a spy ring that 
was breaking into government computers stealing sensitive 
military information.
    We are faced with developing public policy that recognizes 
both the exuberance of youth and the real threat to our 
government and corporations by those who seek to do us harm. 
One element of that public policy must be a renewed attention 
to preventing these attacks.
    Mr. Chairman, I will not go through this entire statement, 
but I think you have indicated that you are working on 
legislation that would encourage corporate America to do a 
better job of securing their computers, and I look forward to 
working with you on that legislation.
    The problems faced by corporations are much like those 
facing the Federal Government and we should work together to 
solve those problems, and I will submit the entirety of my 
statement in the record. Thank you.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]
    Mr. Putnam. Thank you, Mr. Clay, and without objection your 
entire statement will be included in the record. And at this 
time I recognize the distinguished vice chair of the 
subcommittee, the former Secretary of State of the great State 
of Michigan, Ms. Miller.
    Mrs. Miller. Thank you, Mr. Chairman, and I apologize for 
being late this morning. I had an opportunity to speak on the 
floor about the second anniversary of the horrific attacks on 
our Nation. I certainly appreciate you holding the hearing 
today and with the recent computer virus attacks on our 
Nation's information infrastructure the importance of this 
hearing is undeniable, timely and certainly appropriate. And 
with three panels testifying, I will be very brief in my 
opening statement.
    The focus of today's hearing is to examine what steps are 
being taken to protect the information infrastructure, both the 
public and the private levels, from the spread of viruses. And 
we in the Federal Government certainly have the responsibility 
of protecting our citizens and ensuring that the infrastructure 
individuals and businesses rely on is secure. In addition, the 
government must protect its own systems in order to function 
efficiently and effectively and this dual responsibility makes 
the task facing the Federal Government particularly 
challenging.
    In April of this year testimony was submitted by Robert 
Dacey of the GAO to the subcommittee citing a November 2002 
cyber attack that affected both private and government networks 
and caused $900,000 in damage to computers. This is obviously a 
significant figure. And if a large scale cyber attack were 
implemented not only would the damage caused to computers be 
considerable but the additional financial loss and damage to 
the physical infrastructure could seriously affect the 
operations of our Nation.
    And actually we in the House of Representatives have 
firsthand knowledge of how potentially devastating these 
viruses can be. The recent Blaster and the SoBig virus attacks 
of just a few weeks ago nearly crippled the House e-mail 
network by overloading service with a complex array of 
erroneous messages. Fortunately, the combined efforts of the 
House Information Resources and the systems administrators and 
the Members' offices limited the extent of damage that the 
virus creators had likely hoped for.
    In fact, these attacks likely inhibited our Nation's 
ability to adequately respond to the vast power outage 
experienced by the eastern half of our Nation. I certainly 
shudder at the thought of what could happen to everyday 
businesses if a successful virus or worm crippled our Nation's 
power grids or financial networks, the Internet, government 
networks or any other infrastructure that we rely so heavily 
on.
    Viruses are a new weapon of attack for those who wish to do 
harm to this great Nation. The creators of these weapons are 
terrorists, quite frankly, cyber terrorists who want to disrupt 
our way of life and to cause considerable harm to our economy 
and infrastructure. And as with the terrorists that we are 
fighting with conventional means, these cyber terrorists are 
using the freedoms that we hold dear against us. They can 
unleash an attack on our soil from anywhere in the world, and 
we must be prepared.
    Mr. Chairman, thank you for holding this important hearing. 
Certainly protecting our Nation's information infrastructure 
must be a top priority of the Congress. Thank you.
    Mr. Putnam. Thank you very much, Mrs. Miller. We will get 
to the questions.
    Mr. Hale, what percentage of the Federal Government had 
already downloaded the patch for Blaster prior to its release?
    Mr. Hale. Mr. Chairman, I don't have the exact figure with 
me. It is safe to say in the approximately 4 weeks between the 
time the vulnerability was announced by Microsoft and the 
advisories from FedCIRC were issued the vast majority of 
agencies had downloaded the patches, and I will, if given the 
opportunity, try to provide you a more measured answer in 
writing.
    Mr. Putnam. What percentage of the Federal Government 
subscribes to FedCIRC's program?
    Mr. Hale. All Federal agencies receive advisories from 
FedCIRC, the PADC program in specific; 47 Federal agencies are 
subscribing to PADC. But PADC is just one part of an agency's 
patch management strategy. And many agencies have other methods 
of getting their patches, testing them and applying them. The 
information in the advisories provided by FedCIRC goes to all 
agencies.
    Mr. Putnam. So then, Mr. Lorentz, how many different 
options are utilized by the various agencies to handle patch 
management? Sounds like some contract with the private sector. 
Some do it internally. Some subscribe to PADC. So we've got a 
lot of different patches to doing that.
    Mr. Lorentz. There are different approaches. We do not 
dictate which method that they use. As part of our FISMA 
oversight, we do require them to have specific plans, risk 
mitigation, patch management. We are soon to get the annual 
FISMA reports on September 22nd on that. But the important 
issue here, as you can tell from the testimony of everyone 
here, is that the only way we're protected is if all the dots 
are connected, the configuration management, the patch 
management, the management oversight to make sure those 
processes are implemented as appropriate, the adherence to the 
information provided by FedCIRC. So there can be variation in 
the tools, but there cannot be variation in the expected 
outcome or how those dots are connected in order to mitigate 
the problem.
    Mr. Putnam. Mr. Malcolm, you mentioned a number of issues 
about the law enforcement approach to computer security. How 
many people have actually served time in jail for releasing 
malicious code, worms and viruses?
    Mr. Malcolm. There are a couple of instances that 
immediately come to mind. One was Mafia Boy in the United 
States who was actually prosecuted in Canada. He ended up 
getting a sentence. There was David Smith, who was arrested and 
charged and successfully prosecuted for releasing the Melissa 
virus. I believe he got a 20-month term of imprisonment.
    I would add in that regard the U.S. Sentencing Commission 
is reevaluating the guidelines as they apply to these sorts of 
offenses and we expect significant increases. There have been 
other perpetrators who have been identified of course. Mr. 
Parsons was alleged to have--he has only been charged. He is 
presumed to be innocent. I don't know if convicted of those 
offenses what kind of prison term he would get. I can get back 
to you with a more precise answer as to that.
    Mr. Putnam. We have heard testimony that there are hundreds 
of viruses per year and millions or maybe even into the 
billions of damage done. Is there a different attitude or is 
there a different approach about cyber crimes than there is 
about other types of crimes? Have our sentencing guidelines, our 
judicial system, our laws, our legislative branch not kept up 
with the technology that can promulgate new types of threats?
    Mr. Malcolm. In terms of keeping up with the laws obviously 
emerging technologies present all kinds of problems for law 
enforcement, and so we need to constantly reevaluate the state 
of our laws. And USA Patriot Act, one of the provisions 
provides now for nationwide service of process of pen trap 
orders and an explicit recognition. The pen trap orders apply 
to noncontent interceptions over the Internet. That is an 
important step in conducting these sorts of investigations.
    I am not going to suggest that it is going to be the last 
such step that is necessary. It's certainly true that as these 
worms and viruses become more sophisticated and proliferate at 
a greater rate, the potential damage is real. I think 
historically there has been a perception that crimes taking 
place in the physical world are somehow more serious than 
crimes taking place over the cyber world. I believe that 
perception is rapidly breaking down, and I expect the 
prosecutions and sentences to increase.
    Mr. Putnam. Mr. Pethia, Carnegie Mellon has done much more 
work on this than anyone. I would like you to comment on this 
different attitude. When we had conversations with the private 
sector when I was in Silicon Valley, the analogy is always used 
that people rattle their door knobs and rattle their locks 
thousands of times per day depending on which firm it is. 
Obviously you have high profile targets in the IT world and 
some are lower. But some are getting thousands of door 
rattlings per day and they choose not to report it. They don't 
want to give any uneasiness to shareholders or to consumers, so 
they just accept it as part of this Internet culture, and it 
results in hundreds of true viruses per year.
    Is there a different attitude about the Internet and crime 
and consequences?
    Mr. Pethia. I don't know about different attitude, but I 
sense a certain complacency, that people have become so 
accustomed to the problem and are often so overwhelmed with the 
problem, so unable on their own to change some of the root 
causes of the problem, that they've simply chosen to live with 
it as best they can.
    You're right, many don't report the attacks, but, again, 
many are so trivial and so common that if you were to report 
them, it's not clear what anyone would do with all of that 
data. In fact, separating the wheat from the chaff, the serious 
attacks from the trivial, has become an increasing challenge 
for all of us who do any kind of incident response. Buried in 
all of this are the serious attacks like the Blasters and the 
SoBigs and the people who are intent to do malicious damage.
    But, I think the widespread recognition is that the 
problem's here and it's serious, but I think individuals don't 
know what they can do above and beyond putting controls in 
place in their own organizations.
    Mr. Putnam. You don't think that there's necessarily a 
different attitude about it?
    Mr. Pethia. I think it's more an attitude of complacency 
and acceptance and just frustration over not knowing what steps 
that they can take as individual organizations or as 
individuals to make a difference.
    Mr. Putnam. Have you ever heard of something called a Black 
Hat convention?
    Mr. Pethia. Sure.
    Mr. Putnam. What is that?
    Mr. Pethia. There are a number of different conferences. 
There are two that are typically held every year about people 
who talk about the Black Hat conference, or people who at one 
time wore black hats, they broke into and attacked computer 
systems. That conference is now typically attended by white 
hats and not black hats, but they talk about weaknesses in 
software. They talk about what can be done to improve the 
situation. They talk about how do we exploit some of these 
problems so they recognize very much how widespread and serious 
this problem is, and in their own ways they try to take steps 
to get corrections out to the world.
    Mr. Putnam. What percentage of those who are attempting to 
hack into computers and exploit code vulnerabilities, what 
percentage of them are bright, capable teenagers seeing what 
they can do, and what percentage of them are malicious? What 
percentage are based offshore, and what percentage are based 
domestically?
    Mr. Pethia. Those are good questions. I wish we had answers 
to those. You know, we all have our guesses, but I don't know 
of anyone who's done any detailed studies about what's called 
the Internet underground, what the composition of that culture 
is or even what the economy is. There's an underground economy 
that's growing, that trades in things like account names and 
passwords and Social Security numbers that are pirated and 
drivers' license numbers that are pirated, and I don't think 
any of us really has a good understanding of what that culture 
is or how big it is or how many different kinds of people play 
in it.
    One thing that is really clear is that it is literally 
child's play to break into many of the systems that we have 
today, and when the level of skill needed to attack a system is 
so low, you can expect all kinds of players to come into that 
arena.
    Mr. Putnam. When the conventioneers, whether they're 
wearing black hats or white hats, when they come together in 
the good of their heart, talk about ways to improve the system 
and draw attention to different software companies' 
vulnerabilities, do they ever ask for money or credit or 
acknowledgment or anything in exchange for disclosing that 
information?
    Mr. Pethia. There certainly are cases where these 
individuals have tried to extort money from vendors in order to 
not publicly disclose patches or vulnerabilities in their 
products. We've certainly seen cases where individuals have 
tried to extort organizations because they've uncovered 
weaknesses in their operational systems and have expected money 
in return not to make that public or to exploit those 
vulnerabilities in some way. So there is a maliciousness there 
in some cases.
    Mr. Putnam. Mr. Malcolm, do you have any other comments 
about the source and origin and nature of these hackers? Are 
they primarily international, domestic, teens, professionals?
    Mr. Malcolm. I think you can really break that down into 
different categories in that you have a core group of 
committed, highly sophisticated hackers who come up with 
sophisticated worms and viruses, and then unfortunately what 
they do frequently is there are chat rooms and Internet sites, 
news groups in which hackers communicate, and literally 
somebody who develops a very sophisticated hacking tool can put 
it out there so that so-called script kiddies, unsophisticated 
people who just happen to go to that site, can then utilize 
that tool.
    So the level of sophistication can vary dramatically among 
hackers, and because these tools are made available on the 
Internet, lots of people can then implement them to cause 
damage. I think that because the Internet is borderless and 
seamless, and there are people who are hell-bent on destruction 
and technically savvy around the world, you have perpetrators 
who are domestic and perpetrators who are international.
    Mr. Putnam. Thank you very much.
    Mr. Putnam. The Chair recognizes Mr. Clay.
    Mr. Clay. Thank you.
    Let me ask any of the three, Mr. Dacey, Hale, and Lorentz: 
Did the Department of Homeland Security collaborate effectively 
with Microsoft and the antivirus companies in the Department's 
effort to issue advisories? And you can start, Mr. Lorentz.
    Mr. Lorentz. In our view, the proof is in the results. The 
problems were, for the most part, in general, mitigated, and 
there was two pieces of that.
    First of all was getting the information out about the 
remediation, which they did, and then was really following up 
and holding the agencies accountable on our behalf, to make 
sure what the implementation was and reporting that back, and 
we did that in a manner so that we could share what people's 
experiences were. So, in our view, it was in both of these 
incidents that we've had recently they did a fine job.
    Mr. Putnam. Thank you.
    Mr. Dacey, anything to add?
    Mr. Dacey. In terms of that, I'd just like to add one 
thing. We did do some analysis and gathered information with 
respect to the two vulnerabilities, the Microsoft RPC and the 
Cisco, and in those cases there was a fairly active discussion 
and reporting that took place on those two. As Mr. Lorentz 
indicated, for those two specifically, which were deemed 
critical, there were separate teleconferences and data requests 
that were sent out to agencies to ask, you know, what they had 
done and whether or not they had patched their systems in 
response to them.
    I think that is a process which has taken place, I believe, 
on a few of the occasions prior to this, but I know that there 
is some opportunity there which would be acknowledged to 
improve that process, to make sure that people have been 
communicated to in a rapid manner by standardizing processes 
and procedures for that communication to occur. But I would 
also defer to Mr. Hale, who could probably speak more to the 
specifics of those interactions.
    Mr. Clay. Great.
    Mr. Hale. Yes, sir. I appreciate the remarks of my 
colleagues, and I just wanted to point out that those, as well 
as the Cisco vulnerability, the IOS vulnerability, that have 
occurred in the past 3 months have been the major events in 
cyber incidents that have occurred since the formation of the 
national Cybersecurity Division, and so those are indicative of 
the kind of coordination and collaboration that this Division 
has started to do and intends to build on to improve not only 
the information-sharing among the Federal agencies, but also 
with the critical infrastructure protection community.
    Mr. Clay. Let me ask you, Mr. Hale, in creating the 
Homeland Security Department, Congress moved the Federal 
Computer Response Team from GSA to Homeland Security. How has 
this move affected that group? Did anyone leave the Agency, 
rather than move, as we saw with some other agencies, and did 
the move affect the group's ability to respond to any of the 
more recent attacks?
    Mr. Hale. The effect was entirely positive, sir. The 
FedCIRC was under GSA, had a focus on the security of Federal 
agencies in providing a service to Federal agencies, our 
customer base, and thanks to the provisions of FISMA, Federal 
Information Security Management Act, FedCIRC was able to remain 
focused on that mission and continue to provide our services to 
our customers. We didn't lose any staff members as a result of 
going to the Department of Homeland Security; in fact, 
recruiting to fill our vacancies became increasingly easier 
because there were a lot of people who were very interested in 
becoming part of our efforts to help cybersecurity and the 
Federal agencies, and by joining forces with the National 
Infrastructure Protection Center and the other elements of 
NIAP, we've actually improved our ability to gather information 
and disseminate information to the customer base.
    Mr. Clay. Let me ask you, Mr. Malcolm, recent viruses and 
worms, such as Code Red, Nimda, and Slammer, have brought 
large portions of the Internet to a halt, caused extensive 
expenses and lost revenue, and consumed the attention of tens 
of thousands of computer security professionals, computer 
network administrators and users. These are serious crimes. 
Have law enforcement officials found and arrested the 
individual responsible for these viruses and worm attacks?
    Mr. Malcolm. They've also consumed the time and attention 
of a lot of dedicated law enforcement agents. Of course, the 
Department doesn't comment about ongoing investigations; 
however, I think it is safe to say that with each of the worms 
and viruses you have identified, those are all matters of 
ongoing investigation in which we work cooperatively with our 
international counterparts. We have some successes, as with the 
criminal complaint that's been filed in the variant ``B'' of 
the Blaster worm, but I think it is safe to say that there is a 
lot more work to be done, and unfortunately, we not only have 
to act retroactively, but because these worms and viruses come 
out weekly, we have to react prospectively as well.
    Mr. Clay. Are the individuals who are responsible for these 
attacks, are they still at large today?
    Mr. Malcolm. Other than those who have been arrested either 
here or overseas by international counterparts, yes, they're 
still at large, unless they've died.
    Mr. Clay. And you work with international law enforcement, 
too?
    Mr. Malcolm. Twenty-four hours a day, 7 days a week.
    Mr. Clay. How many have you arrested out of the viruses 
that I named, the three that I named, Code Red, Nimda and 
Slammer?
    Mr. Malcolm. I don't know the answer to that question. I 
believe they are all matters of ongoing investigation. I'm not 
sure off the top of my head of any arrests in those particular 
cases, but I can go back and check, and if there's anything 
that's a matter of public information, I'd be happy to furnish 
it.
    Mr. Clay. Would you share that with us?
    Mr. Malcolm. If that's public information, I certainly 
will.
    Mr. Clay. Thank you, Mr. Chairman. That's all.
    Mr. Putnam. Thank you.
    Mrs. Miller.
    Mrs. Miller. I thank you, Mr. Chairman. I'll just ask a 
couple of questions here, but I think the nature of my 
questions are reiterating what all the committee members are 
talking about here and what is really happening as far as the 
attitude that our Nation has and our Justice Department, our 
law enforcement has toward these cyberhackers.
    You know, I was following here in the papers recently where 
the recording industry has filed all these lawsuits against the 
file sharers. I know 200 lawsuits or whatever. Obviously, 
that's not really terrorism, unless you're a recording star, 
you're losing all this money, right? But I was interested in 
the response of these college kids who are downloading all this 
music and are getting sued, and they certainly don't care about 
that. We're going to continue to down--I mean, their attitude 
is unbelievably cavalier, I think, to breaking the law by using 
electronic means to do so, and perhaps that is part of the 
problem we have with these cyberhackers is the attitude of our 
legislature, of our law enforcement; I mean, are we serious 
enough? And as you were mentioning, some of the--you know, is 
it just college kids who are doing this? Obviously not. You've 
got the whole realm of different kinds of people who are doing 
the cyberhacking.
    Have you ever done a psychological profile? I mean, these 
people are terrorists that are trying to shut down, as I was 
mentioning, power grids or those kinds of things. That's not 
downloading music. Let me ask you first about that, as far as 
the Justice Department. Has there been a psychological profile? 
I mean, there must be some type of common trait, common 
element. It would be like an arsonist, right? You see the fire 
services do profiles of arsonists. These are people that burn 
buildings and stand back, and there's a whole profile about 
these kinds of people that perpetrate that kind of crime.
    Mr. Malcolm. I'm not aware of any psychological profile. I 
think that perhaps I could contrast the situation with an arson 
in that unless somebody wants to literally kill somebody inside 
a building, arsonists tend to be motivated by one purpose, and 
that is collect the insurance money.
    In terms of hackers, I think you run the gamut. You 
obviously have, perhaps, terrorists who are interested in 
exploiting critical infrastructure for destructive ends. You 
can have political ``hacktivists'' who go on to deface Web pages 
of something that they are protesting. You have sophisticated 
hackers who take pleasure in trying to stay one step ahead of 
the technological development of law enforcement, who take 
pleasure in their ability to outwit law enforcement by masking 
their activities. And you also have, as I say, these script 
kiddies who are more or less with respect to their use of the 
computers who were out there on a lark. They all cause harm of 
varying degrees. We take them all seriously.
    Mrs. Miller. Let me just ask one other question in regard 
to the Patriot Act. You mention the Patriot Act, and the 
Patriot Act, of course, there's been a lot of consternation 
talked about the Patriot Act of whether or not privacy--a lot 
of privacy advocates are concerned about how the Patriot Act is 
being implemented, how you are identifying and apprehending 
culprits.
    I'm a supporter of the Patriot Act, and I'm just wondering 
how that particular tool has assisted the Justice Department in 
our law enforcement, and are a lot of these concerns being 
raised by the Patriot Act impeding your ability to prosecute, 
apprehend people, identify them, etc.? How is the Patriot Act 
helping you?
    Mr. Malcolm. There are several questions in there that kind 
of cut across a broad swath. Let me respond to the more narrow 
question, then I can fill in as you would like me to.
    With respect to hacking investigation, any crime that is 
taking place online, time is absolutely of the essence. If you 
can catch somebody while they are in the act or trace their 
communications either in real time or very shortly thereafter, 
your odds of catching somebody go up dramatically. Internet 
service providers don't retain records typically for a very 
long period of time, and people can very quickly cover their 
tracks.
    There are a number of provisions in the Patriot Act that 
help. There is, one, the hacker trespass exception of the 
Patriot Act. If somebody breaks into a system, the owner of 
that system now can give consent to the government to go in and 
track the activities of that hacker while they are taking 
place. Certainly the ability to go and get a pen/trap order in 
one district and use that order to follow the communications 
from ISP to ISP to ISP, to get those records frozen as quickly 
as possible, has proven of invaluable assistance. There are 
other tools such as nationwide service of process for search 
warrants, subpoenas, all of which have been instrumental in 
terms of these investigations.
    Mrs. Miller. Thank you.
    My last question just to the panel, I suppose. Obviously, 
the Federal Government has their own role to play in protecting 
our own information and security systems and that, but I think 
the public needs to be educated on security, computer security, 
as well. I'm not sure who I'm asking this question to; any of 
the panelists, I suppose. Do you have a feeling that there is a 
role for the Federal Government to play in regards to educating 
the general public about security safety and how important it 
is?
    Mr. Pethia. I'm going to start just by saying I think 
that's something that I think is a strong role for the Federal 
Government, and it needs to happen across the country with 
people of all ages and all occupations. Starting at the 
elementary school level or where we teach students about 
computer skills, we need to teach them about computer ethics 
and the risks of working with computers and interacting in the 
Internet age. We teach our children how not to get into cars 
with strangers. We should teach them how not to get into chat 
rooms with strangers as well. So from there all the way up 
through the home user, the retired home user, all of these 
people are vulnerable to some kind of problems because of 
security or lack of security on the Internet, and I think there 
is a strong role for the government there to put together that 
kind of awareness, to put together those kind of training 
programs and make them broadly available.
    Mr. Lorentz. I think I would just add I think that our 
government has a responsibility to our citizens. As part of the 
management agenda, security is clearly one of the things we are 
looking at. It cuts across public and private-sector activity. 
We do have a role in clearly communicating what's acceptable, 
what's not, creating that common language, if you will, and it 
begins with exhibiting the behaviors that we would wish to see.
    Mr. Hale. I would definitely endorse the statements. In 
fact, with home computers being connected and always on, it's 
nothing short of a patriotic duty to maintain the security of 
your home computer because it can be used to attack other 
computers by other people.
    Mrs. Miller. Thank you Mr. Chairman.
    Mr. Putnam. Thank you, Mrs. Miller.
    Mr. Malcolm, are there differences among nations in the 
laws regarding cybercrimes, and are there other nations who 
have particularly more effective means of enforcing them and 
have a greater success rate in prosecution, and are there 
certain countries that are more or less helpful to us in 
investigative work?
    Mr. Malcolm. I think the short answer to all of those 
questions was yes. There are a couple of things that I can say 
in that regard. One is we cooperated with our international 
counterparts throughout the world in terms of drafting the 
now--well, it hasn't been ratified in this country, but the now 
implemented Council of Europe Cybercrime Convention. One 
of the beauties of the cybercrime convention in addition to 
encouraging international cooperation is that it mandates 
signatory countries to update their substantive and procedural 
laws with respect to computer hacking offenses, which would 
include worms and viruses.
    Mr. Putnam. Updates them to presumably a certain standard?
    Mr. Malcolm. That's right.
    Mr. Putnam. And are we already at that standard in the 
United States?
    Mr. Malcolm. We're constantly retinkering, but, yes, we try 
to maintain the highest standard that we can. We work 
cooperatively with Congress in that endeavor. And I would add 
that the Department of Justice, although not uniquely--the 
Department--the State Department certainly, too--goes overseas 
and works with legislators and law enforcement officers in 
other countries to try to keep their laws updated as well.
    From other entities, such as the G-8, there is a high-tech 
unit that's called the 24/7 network in which we are able to 
communicate with law enforcement counterparts in these fast-
breaking investigations on a moment's notice, 24 hours a day, 7 
days a week. There are 30 countries that are members of the 
high-tech 24/7 network. We're encouraging other countries to 
join. Some countries have better facilities, training, more 
money to devote to this effort than other countries, but we're 
encouraging all of them to stay current.
    Mr. Putnam. But you're not aware of any one particular area 
of the world that is a source of more hacking attempts than 
another?
    Mr. Malcolm. The answer to that question, with respect to 
Internet piracy, with respect to hacking, I don't know the 
answer to that question, Congressman.
    Mr. Putnam. Mr. Pethia, do you?
    Mr. Pethia. No, not that's been sustained over any long 
period of time. For a while, there were a number of viruses 
that for some reason came out of Bulgaria, and you see short 
periods of time where you'll see an increase of activity from 
some geographic area, but nothing that I know of that's been 
sustained over a long period of time.
    Mr. Putnam. We may hear more about this in later panels. 
For the OMB, how long does it take, because everyone has 
different patch management systems--are you able to measure how 
long it takes for all of the computers to download the patch 
when a particular vulnerability is released and the patch is 
also then released? Do you know when everyone has taken 
advantage of it?
    Mr. Lorentz. I can answer the more management aspect of 
that and later get into the technical, because they basically 
act as our agent in that. But we literally are advised of the 
vulnerability, we call attention to the vulnerability. FedCIRC 
makes the agency aware of what the remediation of the patch is, 
and then we specifically set a time to get back to monitor the 
adherence to the remediation.
    And it's in the last two incidents that's exactly what we 
did, and I would feel quite sure that FedCIRC probably has some 
cycle time issues that they can look at in terms of how long it 
actually takes, but, you know, there's two aspects to all of 
this. The most significant aspect is the management aspect, and 
that is holding people accountable once they know, and it's 
mutually accountable to CIOs as well. Once they know that there 
is an incursion, that the patch has to be applied, and that 
there's accountability to apply, then there's the obviously 
technical nature of things, and there's a number of technical 
capabilities that are equally effective, but I would pass it to 
Larry on the cycle time question.
    Mr. Hale. For the 47 subscribers of PADC, we can tell 
when they download, but even that is--can be a misleading 
statistic, because one download can serve thousands of 
computers, and an agency may download one time and take care of 
their whole enterprise with that. So we've tried developing 
metrics with industry with the software manufacturers, and 
that's the constant refrain is you can't measure how many 
computers have been inoculated by a single download, but it's 
the best thing we've got is to tell that agencies are 
downloading the patches.
    Now, with the PADC system, agencies can also--once 
they've inoculated their systems, they can enter in the report 
and say--it requires a manual entry, but say that we've 
completed 90 percent or we've completed 99 percent or 100 
percent of computers affected by this vulnerability, so there's 
a method built in for reporting back.
    Mr. Putnam. Mr. Malcolm, if someone were to break into Coca 
Cola's headquarters in Atlanta and go into the office and steal 
the recipe for Coca Cola, what would be a ballpark estimate 
assuming they were arrested and convicted, what type of 
consequence would they face for that?
    Mr. Malcolm. Mr. Chairman, there are a lot of variables that 
would go into answering that question.
    Mr. Putnam. Ballpark. I'm not a judge.
    Mr. Malcolm. Well, in the interest of trademark 
infringement, theft, I would estimate statutory penalties at 10 
years or so, depending on whether or not the person has a prior 
record. That would obviously affect their sentencing 
guidelines.
    There are just too many variables for me to answer that 
question, without having a guideline book in front of me, but 
obviously the factors are what are the charges, what is the 
severity of the loss, what is the person's past criminal 
record?
    Mr. Putnam. Well, what would it be if they hacked into Coca 
Cola's computer system and downloaded the secret recipe?
    Mr. Malcolm. Same answer: You would have all sorts of 
variables as to whether or not they abused a position of trust, 
what was the damage that they caused. It could obviously be, in 
the case of Coca Cola, a major company, a major loss, a 
significant period of time.
    Mr. Putnam. Would it be significantly different than had 
they physically taken it?
    Mr. Malcolm. There are different guidelines factors that 
would take into account the fact that a computer was used, and 
special skills were used, and, depending on who this person 
was, whether or not they abused the position of trust. There 
are, under the sentencing guidelines--there are just too many 
individual case-specific factors for me to give you an accurate 
answer to your question. I think it is safe to say that if this 
was a major product and caused a serious loss, I would expect 
the dollar figure to be high, and that will dramatically 
increase the sentence since the major factor that is taken into 
account by the sentencing guidelines is the loss to the victim.
    Mr. Putnam. OK. There are hundreds of viruses released 
every year, according to the testimony of this panel. The 
damages range into the billions, according to your testimony.
    Mr. Malcolm. Yes.
    Mr. Putnam. If you could only recall two arrests, two 
convictions, two jail times--you mentioned David Smith and one 
other.
    Now, I asked, what's the source of the threat? Well, we 
really don't know. Is it foreign or domestic? Well, we really 
don't know. That seems to reinforce a premise that cybercrime 
is treated vastly different than some other crime that caused 
billions in damage and shut down power grids and shut down 
departments of transportation and threatened security systems 
within and without the government. It would suggest that there 
is a different approach, a different attitude, a different 
level of concern about cybercrime. Would you agree or disagree 
with that?
    Mr. Malcolm. I would reject that implication totally. There 
are, of course, other instances in which perpetrators had been 
identified; for example, the fellow in the Philippines who 
promulgated and released the ILOVEYOU virus. I would also say 
that there are--you know, the Department of Justice is well 
aware, as is the Department of Homeland Security, that 
cybervulnerabilities are among the most critical problems that 
we have and could have a dramatic impact in terms of protecting 
our critical infrastructure.
    These are unusually complicated investigations in which 
very sophisticated people are very good at covering their 
tracks. To somehow suggest that just because there are fewer 
public arrests out there in the media, that this is not an 
absolutely high, high, high priority at the Department of 
Justice would be a completely wrong assumption to make.
    Mr. Putnam. OK. I take it at your word.
    Any other questions from the subcommittee members?
    Very well. We will dismiss panel one and seat panel two as 
quickly as possible.
    Thank you very much, gentlemen, for your input, and those 
of you who can, we would encourage you to stay around and 
listen to the private sector comments as well.
    [Recess.]
    Mr. Putnam. Very well. The subcommittee will reconvene.
    I've asked panel two to rise and please be sworn in.
    [Witnesses sworn.]
    Mr. Putnam. Note, for the record, all the witnesses 
responded in the affirmative.
    We appreciate you being seated as quickly as possible, and 
we will move straight to your testimony. I would ask that you 
be as good about maintaining our 5-minute rule as the first 
panel was.
    Our first witness is Mr. Gerhard Eschelbeck, overseeing 
Qualys' engineering and operation. Gerhard Eschelbeck is 
responsible for protecting over 1,100 corporate networks. He's 
an internationally recognized security and distribution systems 
expert and was recently recognized as 1 of the 25 most 
influential CTOs by InfoWorld Media Group.
    Prior to joining Qualys, Gerhard was senior vice president 
of engineering for security products at Network Associates; 
vice president of engineering of antivirus products at McAfee 
Associates. He was a research scientist at the University of 
Linz, Austria, from which he earned his Master's and Ph.D. 
degrees in computer science. He has authored many articles and 
papers and is inventor of numerous patents in the field of 
network security automation, and is a frequent speaker at 
networking and security conferences worldwide.
    Welcome.
    Glad to have you at the subcommittee, and you're 
recognized.

STATEMENTS OF GERHARD ESCHELBECK, CHIEF TECHNOLOGY OFFICER AND 
   VICE PRESIDENT OF ENGINEERING, QUALYS, INC.; CHRISTOPHER 
   WYSOPAL, CO-FOUNDER, ORGANIZATION FOR INTERNET SAFETY AND 
  DIRECTOR OF RESEARCH AND DEVELOPMENT, @STAKE.INC.; AND KEN 
SILVA, VICE PRESIDENT, OPERATIONS AND INFRASTRUCTURE, VERISIGN, 
                              INC.

    Mr. Eschelbeck. Mr. Chairman and members of the 
subcommittee, thank you for the invitation to testify about my 
research on network vulnerabilities. The business of my company 
gives us a front row seat to new threats against networked 
computers and communications systems. Qualys provides an 
automated service over the Web to audit the security of 
networks.
    I've just analyzed more than 1.2 million network 
vulnerabilities found by our virus scanning service during a 
recent 18-month period. This vast data pool demonstrates that 
known risks are far more prevalent than anyone has imagined. 
Analytical data also demonstrates a new breed of automated 
Internet-borne viruses and worms that mock traditional security 
defenses.
    The source of data for my analysis was anonymous results 
from 1.5 million security audit scans made by organizations 
worldwide. We learned four themes that are called the laws of 
vulnerabilities. The law of half-life talks about the fact that 
it takes an average of about 30 days for organizations to fix 
50 percent of their vulnerable systems within enterprises. The 
law of prevalence talks about the fact that half of the most 
prevalent and critical vulnerabilities are replaced by new ones 
each and every year. The law of persistence: Some old 
vulnerabilities recur due to the deployment of unpatched 
software as part of new rollouts. The law of exploitation, 
finally, talks about the fact that 80 percent of the 
vulnerability exploits are available within 60 days of public 
announcements.
    Automating defenses against these threats is crucial, 
because human-based efforts are not working. In each case of 
recent damaging strikes, we've had advanced warning; weeks, 
even months, to prepare for known vulnerabilities, yet 
attackers were still able to hit hundreds of thousands of PCs 
and servers.
    Risks to network and system security are increasing because 
the triggers are becoming automated, requiring no human action 
to deliver destructive payloads. Earlier first-generation 
threats are virus-type attacks, spreading with e-mail and file-
sharing. They require human action to trigger, such as opening 
an infected file attachment. An example would be the most 
recent SoBig virus.
    Second-generation threats comprise active worms leveraging 
system and application vulnerabilities. Penetration occurs 
without requiring user action. Replication, identification, 
targeting of new victims are automatic. Blended threats are 
common, such as incorporating viruses and Trojans.
    A third generation of threats is now posing trouble. We've 
already seen the potential for damage. The SQL Slammer worm 
rapidly hit more than 75,000 homes running Microsoft SQL 
server, caused major damage worldwide. SQL Slammer was the 
fastest worm ever, infecting more than 90 percent of the 
vulnerable systems within 10 minutes.
    A few days after Microsoft published a DCOM vulnerability 
in July 2003, Qualys's automated scanning service ranked this 
security vulnerability as the most prevalent vulnerability 
ever. Following the laws of vulnerability, Blaster and its 
derivatives appeared 3 weeks later, infecting more than 100,000 
systems per hour at its peak. Urgency's now rising from a 
shortening discovery/attack cycle. SQL Slammer happened 6 
months after discovery; Nimda was 4 months; Slapper was 6 
weeks; and Blaster and Nachi came just 3 weeks after news of 
the vulnerability.
    Public policy for network security should strongly 
encourage the use of automation as an equal force response to 
automated tools used by attackers. Automating defense 
strategies include regular security audits of networks and 
systems, keeping antivirus software up to date, timely patch 
management, and the ongoing variation of security policy.
    To summarize, many vulnerabilities linger, sometimes 
without an end. New attacks are capable of spreading faster 
than any possible human response effort. Protecting our 
networks is a continuous process of eliminating critical 
vulnerabilities on the regional, national and international 
scale.
    In conclusion, public policy should demand timely detection 
and a rapid application of remedies providing protection from 
these threats.
    Thank you for the opportunity to testify, and I look 
forward to your questions.
    Mr. Putnam. Thank you very much, Mr. Eschelbeck.
    [The prepared statement of Mr. Eschelbeck follows:]

    [GRAPHIC] [TIFF OMITTED] T2654.061 through T2654.067
    
    Mr. Putnam. Our next witness is Chris Wysopal. Mr. Wysopal 
is director of research and development at @stake.Inc, managing 
@stake's pioneering research in application security. His 
primary focus is building products to assure and test software 
security. Working with vendors and the general public, Mr. 
Wysopal was also responsible for managing @stake's 
vulnerability research and disclosure process.
    His career in the information security industry has spanned 
over 13 years where he has held positions in industry while 
also serving as regular advisor to various government agencies. 
Prior to joining @stake, Mr. Wysopal was senior security 
engineer at GTE Internetworking, formerly known as BBN, where 
he was the most senior engineer on the IT security staff. In 
addition, Mr. Wysopal is coauthor of the award-winning 
password-auditing program, LC3, which is used by more than 
2,000 government, military and corporate organizations 
worldwide. And, finally, he is a founding member of the 
Organization for Internet Safety.
    Welcome to the subcommittee. We look forward to your 
testimony.
    Mr. Wysopal. Chairman Putnam and members of the committee, 
thank you for inviting me to testify today on the subject of 
protecting the Nation's computers from viruses and worms. This 
is a great honor for me. My company @stake consults for the 
Fortune 1,000, including four of the world's top software 
companies. We help them build more secure software and secure 
their infrastructures. I am also a founding member of the 
Organization for Internet Safety. OIS is a group of software 
vendors and security companies joined together to produce a 
process for reporting and responding to new vulnerability 
information safely.
    Today I would like to cover three pertinent issues: The 
software development process, the vulnerability research 
process, and finally, responsible vulnerability reporting and 
response. Unfortunately, in less than 72 hours, if an unpatched 
new computer is connected to the Internet, it will be 
compromised. This is indicative of the software flaws that 
affect our information economy. My first point is on software 
development, the root cause of the problem is software flaws. 
Every virus or worm takes advantage of a security flaw in the 
design or implementation of a software program. The flaw can 
exist almost anywhere inside a program that processes data 
directly from a network or from a file delivered by an e-mail 
attachment. This means that practically every software program 
in the age of the Internet falls into the category of 
requiring security quality processes during its development. If 
these processes are not in place and followed rigorously by the 
manufacturer, flaws will inevitably creep into the software 
during development, be discovered, and end up exploited.
    Automatic patching is a great solution for some computers, 
but many environments have requirements that don't allow 
patches to be applied in an automatic or even timely manual 
manner. One of the key problems with patching is the Internet 
or the network the computer's connected to is the distribution 
system. This means that a computer needs to be connected to the 
Internet to be patched. The irony is the Internet is the attack 
vector that puts the computer at risk.
    As recent examples of worms demonstrate, reactive solutions 
are not keeping up with the speed of malicious programs. Many 
of the flaws found in software after it is shipped to customers 
are not found by the vendor. Many are found through directed 
research by vulnerability researchers. These are individuals 
who investigate the security of software for academic reasons, 
profit, or mere curiosity. A primary motivation of 
vulnerability research is altruistic. There aren't any 
independent or government watchdog groups looking out for the 
safety of the software--computer users' use. Given this vacuum, 
researchers feel that someone should test and find 
vulnerabilities. They feel that every flaw they find and report 
is another flaw that will be fixed before a malicious person 
finds and exploits it. In this way, vulnerability researchers 
can make all computer users more safe.
    Vulnerability researchers are performing a testing function 
that should have been done as part of the security quality 
assurance process by the vendor. Vulnerability researchers 
think differently than traditional software testers. They think 
from the perspective of an attacker. The fact that there is a 
vast amount of software already deployed with latent 
undiscovered flaws means that we will be dealing with newly 
discovered vulnerabilities for the foreseeable future.
    A process for handling new vulnerability information in a 
timely and safe way is required. There is some debate in the 
vulnerability research community as to the best way to handle 
vulnerability information. However, most agree that it is 
responsible to inform the vendor of the vulnerable product and 
give them time to create a patch. 4,200 vulnerabilities were 
tracked by CERT last year. Almost all had patches available 
when the information became public due to vulnerability 
researchers informing vendors prior to publicly disclosing.
    The Organization for Internet Safety has published a 
process that these flaw-finders can use to report flaws to 
vendors and for vendors to respond to these reports, sometimes 
with a patch. The goal of the OIS process is to protect the 
computer user community as a whole. A balance was struck 
between the timeliness and reliability of patches and between 
helping sophisticated users and the majority of users who are 
unable to help themselves.
    To conclude, software vendors face challenges building 
software. Vulnerability researchers can help find the flaws 
that vendors miss. Both need to come together to handle 
vulnerability safety. All I ask is a step in this direction. 
Viruses and worms are shutting down government offices and 
businesses for days. The impact grows each year. When a 
technology contains dangerous, unseen risks, we should have 
assurances that it is built properly. We need the ``electrical 
code for building software,'' and we need a way to assure that 
the code is followed. This will reduce the risk of insecure 
software at its source and strengthen the computer 
infrastructure for us all.
    Thank you.
    Mr. Putnam. Thank you very much. Appreciate your input.
    [The prepared statement of Mr. Wysopal follows:]

    [GRAPHIC] [TIFF OMITTED] T2654.068 through T2654.077
    
    Mr. Putnam. Our next witness is Ken Silva. As vice 
president for VeriSign's networking and information security, 
Mr. Silva oversees the mission-critical infrastructure for all 
network security and production IT services for VeriSign. In 
this role, he oversees the mission-critical network 
infrastructure for VeriSign's three core business units: 
security services, naming and directory services, and 
telecommunications services. His responsibilities include 
oversight of the technical and network security for the 
definitive data base of over 27 million Web addresses in dot-
com and dot-net, the world's most recognizable top-level 
domains.
    Additionally Mr. Silva coordinates the security oversight 
of VeriSign's Public Key Infrastructure security systems.
    Mr. Silva serves on the board of directors for the 
Information Technology, Information Sharing and Analysis 
Center, and the executive board of the International Security 
Alliance.
    He advises and participates in a number of national and 
international committees for organizations, and he joined 
VeriSign with more than 20 years' experience in the 
telecommunications and security industry in his portfolio.
    Welcome to the subcommittee. We're delighted to have you. 
You're recognized.
    Mr. Silva. Thank you, Mr. Chairman and other members of the 
subcommittee. VeriSign's pleased to have the opportunity to 
provide our views on the epidemic virus and worm attacks that 
continue to threaten the integrity and security of information 
systems we've all come to depend on. VeriSign is a company 
that's perhaps uniquely situated to observe the continuing 
assaults on our information infrastructure. Our company 
provides industry-leading technologies in three relatively 
distinct yet interrelated lines of business. These include 
telecommunications, infrastructure services, management 
security, and payment processing services, directory and naming 
services.
    Our naming services is the business dedicated to the 
management of the domain name system, including our operation 
of the A and J root servers. These are 2 of the servers out of 
the 13 servers that allow you to find www.house.gov. Of the 
hundreds of millions of machines on the Internet, it would 
direct you to the correct one.
    In addition to that, for the last 10 years, we've managed 
the dot-com and dot-net top-level domains.
    Since 2000, I've managed VeriSign's resources dedicated to 
maintaining the security of these complex technology assets.
    Today I would like to make three key points. First, we 
should not underestimate the significance of these attacks. 
Although the most recent worms and viruses have been labeled by 
some as nondestructive, they've cost American business in 
excess of $3.5 billion in August alone. We can only imagine 
what the cost would have been had these destroyed data along 
their path.
    Second, we should accept our shared responsibilities. Each 
of us has a responsibility. This includes lawmakers, government 
agencies, industry and private citizens. Government has a role 
both as a model of good security practices, as well as a 
thought leader in global security. Our citizens must be 
educated. We teach our children how to use computers in school, 
but do we teach them how to use them responsibly?
    Third, we must resist the temptation to demonize individual 
participants in the network community. The finger-pointing in 
general is neither accurate nor helpful. It's all too easy to 
blame the operating systems manufacturer for flaws in their 
code or the network providers for not securing their networks. 
Many of the worms attack not only popular operating systems, 
but open source software as well.
    Mr. Chairman, there are measures which will over time 
improve the security posture of our network, but there is no 
silver bullet that will miraculously solve our network security 
challenges.
    VeriSign's role over the past decade has led us to make 
significant investments in network hardware, engineering, 
research and development. Armed with that knowledge, we can 
deploy and advise others on the network how to deploy the very 
best configurations and maintain the stable and secure 
functioning of the Internet. VeriSign's unique monitoring 
capabilities allow us to watch as the virus propagates around 
the global network. As a result of VeriSign's constant 
vigilance, we're often among the first to recognize it, and as 
an attack develops--you can see our view up here shows our 
global constellation. I brought another slide with me, which is 
an example of the graphic data that we're able to monitor. This 
one shows a propagation of the SoBig.F virus in just a short 6-
hour span on August 19.
    There's another one following that, the next graphic, 
please, which today just happens to be the very day that this 
virus has decided to disarm itself. This was taken this 
morning.
    Following the September 11 attacks, we provided some of 
these monitoring capabilities to both the Defense Department's 
NCS and the FBI's NIPC, to enable them to observe and detect 
anonymous traffic on the network.
    Our long experience and the most recent events like Blaster 
worm reveal fundamental truths about our networks in the 
attacks. A few years ago, these things took months or weeks to 
propagate. Now they propagate in hours or minutes. Not only are 
the weapons behaving more aggressively, they're increasing 
their uniqueness, making selection of appropriate 
countermeasures difficult and uncertain. As a result of this 
growing risk and our growing dependency on our networks, I 
believe we must face up to the reality that these network 
attacks are every bit as threatening as physical attacks on 
critical infrastructures, warranting serious attention to 
strategies to defend against them and remedy their impact. Even 
when they don't bring down the network of a targeted site, the 
insult to the network's integrity still has observable and 
measurable consequences.
    Another level of damage, these attacks fundamentally 
threaten the core assets of the Internet, including the 
Internet root servers and top-level domains. There are larger 
costs to these attacks.
    I'd like to thank you for giving me the opportunity to 
appear before you today. Thank you.
    Mr. Putnam. Thank you very much, Mr. Silva, and I 
appreciate your--all of you limiting your remarks to the 5 
minutes.
    [The prepared statement of Mr. Silva follows:]

    [GRAPHIC] [TIFF OMITTED] T2654.078 through T2654.084
    
    Mr. Putnam. Mr. Silva, I get the impression that you had to 
cut yours a little bit short, so I'm going to give you the 
opportunity to expand on it by asking my first question about 
root servers. And, if you will, just take us in nontechnical 
terms to their role in the architecture of the Internet, and 
what their vulnerabilities have been in the past two viruses 
and worms, and what impact that could have in economic terms.
    Mr. Silva. OK. Well, Mr. Chairman, the root servers are 
sort of the top of the Internet naming system, if you will. 
There's an invisible period at the end of every domain name 
that people don't see, and that happens to be the root, and, 
then from there it goes .com; then, you know, Microsoft.com; and 
then www, etc. They're sort of at that very top level. No other 
computers can be found without the information that these 
provide. And then there's another layer down from that which 
VeriSign also operates, for dot-com and dot-net.
    The SoBig.F worm in particular had a unique attack that it 
presented on the A root server, and that the A and B root 
servers were--it's where that--that worm first looked to find 
out where an e-mail was supposed to be sent, OK? So if they 
wanted to send it to, you know, anyone, it would simply look to 
the root server first to find out where that mail server was.
    Now, in the Blaster worm, that didn't actually have an 
impact directly on the root servers themselves, because there 
was no protocol that the root servers were running or a 
particular name look-up that was required for that worm to 
spread.
    Mr. Putnam. You mentioned and other panelists have made 
allusions to open source versus proprietary. Is one less 
vulnerable than the other, or if you would just comment a bit 
on the old debate between proprietary and open-source software, 
again, beginning with Mr. Wysopal. Let Mr. Silva think about 
his for a second.
    Mr. Wysopal. The theory with open-source software is that 
it can be made more secure because there's more eyes. Every 
single user has the potential, if they have the skill set, to 
find flaws in that software and then correct them for 
themselves or notify the maintainer to correct them. With 
proprietary software, the user has no way really of looking 
deeply into the software by examining the code, but, 
practically, users of open-source software are not expert code 
reviewers and don't have the time to actually review the code, 
so we see vulnerabilities sort of in equal proportion in both 
the open-source world and in the proprietary software world.
    Mr. Putnam. Mr. Silva.
    Mr. Silva. Yeah. I would agree mostly with what he said, 
except that there always has been this statement that, in the 
open-source world, the source code's available, and if you were 
running it, you could certainly look at it. I doubt seriously 
that you would know, 99.99 percent of the rest of the people 
who use it.
    In addition to the people who use the software not 
necessarily being expert code reviewers, in many of the cases 
people actually writing the software are not actually expert 
software writers either. So it's not that it's bad software, it 
certainly is good software, but it's no more or less vulnerable 
than the software that goes through rigid configuration, 
management, and software review standards.
    Mr. Putnam. Mr. Eschelbeck, would you like to weigh in?
    Mr. Eschelbeck. I do not necessarily see a relation between 
open source versus closed source from a vulnerability 
prevalence perspective. I don't think there is any analytical 
data that would support that.
    However, I do believe strongly that software that's more 
popular, more widely used out there has been reviewed much more 
widely and is more popular, and that's one of the main reasons 
why I think there is more vulnerabilities known about a 
software that's used widely rather than a software package 
that's not used at all out there.
    Mr. Putnam. What would be the impact of, in terms of 
improved Internet security, if any, of the next generation of 
Internet, IPv6? Does that in any way alter security concerns?
    Mr. Wysopal. I don't think IPv6 really alters the security 
concerns. What IPv6 does is it makes many more Internet 
addresses available, so we can have an Internet address for, 
you know, your wristwatch or any small object you could have, 
thousands or millions of times more Internet addresses with 
IPv6. It doesn't really address any security issues.
    Mr. Silva. Well, actually, it does address some security 
issues, although probably not for the masses. There are 
protocols that are part of the IPv6 standard that would allow 
better authentication between IP addresses as they connect. 
Some of those capabilities have since been transferred to IPv4, 
such as IPsec, which is what many of the VPN tunnels use 
today, but for the general Web server, probably not.
    You know, just for the average computer on the network that 
doesn't need to authenticate every single user, it's probably 
not going to offer anything new for them.
    Mr. Putnam. Mr. Eschelbeck, do you wish to add anything?
    Mr. Eschelbeck. I would say exactly the same thing. I think 
there is a lot of improvements in IPv6, and it's clearly the 
right step in the right direction, but there is still pieces 
missing that we don't do in IPv6 today, like in the new 
protocols that are coming up. And particularly if you look from 
a vulnerability perspective, IPv6 is not going to address the 
vulnerability problem. That's really the reality why we are 
here today, why we're looking for vulnerabilities and how to 
address them. So IPv6 is certainly the way to move from an 
authentication, from an encryption perspective, and it would 
fix some of those underlying issues, but would not fix all of 
the security issues that we are facing today.
    Mr. Putnam. Thank you. I will stop there and recognize the 
ranking member, Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman. And any one of you can 
attempt to answer these questions.
    Let me start out by asking: What motivates people to engage 
in computer hacking?
    I mean, let's start on this end of the table.
    Mr. Eschelbeck. I do think that there is--obviously, if you 
look back in history, mostly what we have seen, some of the 
attacks really didn't have any specific target in mind. They 
were mostly like who is the first who is going to launch a worm 
on the Internet, and that was the results we have seen in 
traffic congestion, things like that. But I clearly see moving 
forward motives in mind.
    If I look at Blaster, it was probably the biggest turning 
point we have seen here by Blaster introducing the ability to 
deliver a payload that actually does something malicious, other 
than just creating noise on the Internet. And in this 
particular case with Blaster was the denial of service attack 
against Microsoft, and I do see some transit that is clearly 
the opportunity for more active payloads coming in future 
worms. They were motivated by motives that we don't know and 
fully understand at all.
    Mr. Clay. Mr. Wysopal.
    Mr. Wysopal. I think the main motivation is experimentation 
and exploration, but these people who do this experimentation 
don't take into account any sense of ethics, and they don't 
really care that their experiments cause harm to others.
    Mr. Clay. Mr. Silva, what do you think about it?
    Mr. Silva. I don't really have anything to add.
    Mr. Clay. All right. Let me ask you, there has been much 
discussion about information-sharing and cyber vulnerability 
issues between the government and the private sector, and 
within the private sector are there any legal or policy 
barriers that continue to impede information-sharing and 
cooperation?
    Mr. Silva, we can start with you.
    Mr. Silva. Well, there are a number of issues related to 
antitrust, OK, that have been raised amongst companies sharing 
information, amongst a select group of people, that's not 
publicly available. More recently--or, excuse me, prior to 
that, one of the issues was FOIA, quite frankly, sharing 
information between government and industries and having, you 
know, the possibility that a publicly traded company with, you 
know, some known vulnerability that if they made that 
information available to the government would somehow be 
available through FOIA. Some action has been taken in that 
direction, but those are probably the two main impediments 
there.
    Mr. Wysopal. I think another main impediment is companies 
trying to refrain from looking embarrassed basically. A lot of 
companies such as financial services companies banks are among 
the most trusted financial institutions, and people expect the 
highest level of assurances to protect their money, you know, 
their privacy, and it could be embarrassing. It could be a 
competitive advantage of some of their competitors to say, you 
know, put your money with us. You know, your privacy will 
really be protected with us. They say they do, but look at 
this, this, and this. So I think a lot of it is competition and 
fear of embarrassment.
    Mr. Clay. Very interesting.
    Yes, Mr. Eschelbeck?
    Mr. Eschelbeck. I would actually agree with Chris's 
statement. I would like to add one point here. What we see as 
well is those areas, those sectors, in general that are--have 
legislation for auditing requirements, for security auditing 
requirements, we see a bigger sense of urgency there in 
comparison to some of the areas that are not legislated today.
    Mr. Clay. Going back to attacks and computer hacking, do 
any of you have any knowledge of foreign governments involved 
in cyberattacks. How is that different from hackers attacking 
for the fun of it?
    Let's start with you, Mr. Wysopal.
    Mr. Wysopal. It's very difficult to say where some of the 
malicious code, the exploit code, that's written or where some 
of this vulnerability research comes from. It's difficult to 
say whether it's a foreign government, or it's just an 
individual in a foreign country. When we see some malicious 
code, we certainly see levels of sophistication that are equal 
to the most sophisticated in the world coming from countries 
such as China. It's fairly easy to tell because of the language 
differences where some of this is coming from, but it's very 
difficult to tell whether it's actually government-sponsored or 
just academics or just, you know, black hats.
    Mr. Clay. Anybody else got anything to add?
    Mr. Silva.
    Mr. Silva. Well, I think probably law enforcement 
intelligence representatives could probably answer the question 
as to the foreign sponsorship of the hacking probably better 
than any of us here could, but I have to say that I think most 
of these, at least from earlier testimony, have actually been 
caught. The few that have actually been caught have turned 
out to be young adults or teenagers.
    While I think we should be concerned about terrorist 
sponsorship or state-sponsored hacking and malicious activity, 
I think we should definitely not discard the fact that the vast 
majority of these appear to be coming from, you know, 
pranksters, OK, that have no political affiliation or 
governmental sponsorship. So, while I think it's important that 
we know if it is state-sponsored, I don't think that all of our 
efforts should be focused in that direction.
    Mr. Clay. Perhaps any one of you can take a stab at this, 
but can the Federal Government use its procurement power to 
improve the security of computer software? Anybody have a 
thought on that?
    Mr. Wysopal. I think definitely. The Federal Government is 
probably the largest purchaser of technology, especially 
software, and one thing that doesn't happen when people 
purchase software is an acceptance test for the security of 
that software. Sometimes it's acceptance testing that has 
certain features or has a certain level of performance, but 
acceptance testing for security is more expensive and time-
consuming, so no one really does it.
    If the Federal Government was to do that, the benefits 
would be all the users of that software, because the Federal 
Government could say, you know, we spent a lot of money and 
tested this, and we rejected it, and we need to go back to the 
drawing board and build something secure. I think if that 
happened, the other users of software would say--or potential 
purchasers of the software would think twice about buying it, 
if the government wasn't willing to use it.
    Mr. Clay. Thank you. Thank you very much, Mr. Chairman.
    Mr. Putnam. Mrs. Miller.
    Mrs. Miller. Thank you, Mr. Chairman. I am going to pick up 
on the ranking member's question here, but I think we are all 
struggling with this panel, members of the committee, with this 
panel on understanding what is the appropriate role of the 
Federal Government.
    And you are in the private sector, and--I mean, I am a 
person that generally thinks that less government is better and 
less government regulation is better. But because our society 
is becoming so unbelievably dependent on the Internet, on 
computers for communication purposes and for security purposes, 
for everything, the term ``vulnerability researcher,'' I guess 
I never really heard that before, as I listen to you say it. 
Now it is going to be part of my nomenclature here. But it's 
very descriptive, and I can understand what you're talking 
about there.
    Do you think that the Federal Government, first of all, has 
an oversight role? Should we be using our purchasing power to 
set standards out for software? What is the fine line of the 
government not overregulating private industry, but certainly 
having consternation about some of the security problems that 
are inherent in software? What would your suggestion be on how 
far you think the government should be going here, and what is 
the appropriate action for the Federal Government?
    I mean, we just had this huge power outage in my State of 
Michigan, and we are looking to the Public Service Commission 
to regulate an industry. And I'm trying to understand 
everything about the energy policy of our Nation, but I could 
not tell you what the proper amount for a person to pay per 
kilowatt hour actually is. We rely on the experts.
    You are the experts in the software industry; and I think 
we are trying to struggle to understand what we need to do 
appropriately without overstepping our bounds into the private 
sector.
    Mr. Wysopal. Well, one place where I think it's important 
for the government to regulate is when we get to issues of 
safety, you know, when we are talking about cars or airplanes 
or chemicals or things like that.
    Regulation of safety is important. There used to be, you 
know, something that you write documents with and safety wasn't 
an issue. But now when we're seeing these networks being 
interconnected with things like the power grid actually being 
connected directly to the Internet, you know, through maybe a 
few gateways, but you know, the worms got in. You know the 
worms can get inside, start to get to the issue of safety. And 
that's a place where I think some regulation is appropriate.
    You know, the software industry is a fast-moving industry 
and putting any regulation on it is certainly going to slow 
down innovation. There's no doubt about it. But maybe it's time 
to think about some limited safety regulations.
    Mr. Silva. I think that there's a fundamental role of our 
government, whether Federal Government or State government, to 
provide education to our people, to our citizens. If any of you 
happen to have a DSL or cable modem at home and would actually 
install a firewall on it and look at the logs, you would be 
shocked at the number of times penetration attempts actually 
hit your machine. It would just boggle your mind; it really 
would.
    But as I said in my testimony, or in my statement, we teach 
our children in almost every school in the country, we teach 
them how to use computers, how to use a word processor, how to 
boot a disk, but we don't actually teach them how to 
responsibly use the computers and what the consequences of 
their actions or inactions actually are. So I think that's a 
role that the Federal Government can play, as well as State 
government.
    Mr. Eschelbeck. I think there are two areas, looking at it. 
On the one side we have, obviously, existing infrastructure 
that we need to look at from a security perspective, and that's 
probably going to give us an effort for the next 5 or 10 years. 
And there are specific ideas how those could be handled.
    However, there is the new software aspect when new software 
comes out, there are standards in place like common criteria 
that are being used to secure--to improve security software. 
Such standards do not exist for any commercial-type 
applications. I am not asking for common criteria-type 
certification for any type of software, but some lightweight 
certification would give at least a seal of approval from a 
security perspective as far as the new technology that is 
coming out there.
    As far as the existing infrastructure we have in place 
today, I think we have to give the leadership perspective 
infrastructure so they can measure. The key part is, how do I 
measure security today. There are no tools or well-defined 
metrics out there. And I think we have to give the leadership 
and the government, and industry as well, infrastructure tools 
and ways to measure their security, so that they can say, I am 
at the level 4, I am at the level 5, and in comparison to other 
agencies, for example, I am at this level.
    So there are ways I think those could be accomplished by 
putting infrastructure in place there.
    Mrs. Miller. No other questions. Just a comment.
    I certainly picked up from both of the panels how important 
it is for education. You know, really the Internet is still 
relatively a new phenomenon. Ten years ago, 20 years ago, many 
people had not heard of the Internet or were not using it every 
day. The children now, of course--and perhaps it is 
generational--are leaping onto these computers.
    I was struggling yesterday trying to download my boarding 
pass, and all these things keep coming up on my computer 
saying, upload this right now or your computer is going to blow 
up or something. I'm trying to understand it all.
    But at any rate I certainly appreciate the testimony here 
today, and I think the government certainly recognizes again 
that society is becoming so dependent on electronic technology 
and how important it is for every generation to understand what 
the implications are of some of the cyber hacking, and how 
important it is for them to be able to use these tools properly 
and understand the ramifications of what they're up to.
    Thank you.
    Mr. Putnam. Thank you, Mrs. Miller.
    Mr. Wysopal, if you would, you probably made the most 
extensive comments about researchers. Tell us a little bit 
about the category of researchers who would not be classified 
as altruistic, and their motivations; and I'm not asking you to 
psychoanalyze them, but how big a group are we talking about? 
Do they seek fame, seek money or simply the thrill of being 
able to discover the source code?
    Mr. Wysopal. I think it's mostly the thrill of having power 
over computers on the Internet. Part of the way that they keep 
score is how many systems, you know, have you compromised--the 
vulnerability that you discovered and wrote exploit tools for 
or malicious code for, how many computers can you compromise 
with that.
    So a bug that was exploited in a software package that was 
used by 100 people, no one will care about, but if you find a 
bug in a Microsoft piece of software which is used by millions 
of people, then you are looked at amongst your malicious peers 
as more important and a better black hat.
    And this is definitely a very serious problem that people 
are able to find these vulnerabilities, and usually they keep 
them to themselves. They don't tell the vendors. They keep them 
to themselves or share them amongst a small group of people. So 
they can go into computers with impunity on the Internet and 
know that problem won't be patched.
    And that's a very difficult problem to control. The only 
way to control that is to actually design the software without 
the flaws to begin with.
    Mr. Putnam. And that is an impossibility, right, to have a 
truly foolproof code?
    Mr. Wysopal. Yes. There's no such thing as 100 percent 
secure. But as a company, we do security quality testing for 
many different software vendors, and we see a vast difference 
in the number of flaws we find in a piece of software which was 
developed by a secure development process. Where training was 
given to the developers, they thought about security through 
the entire phase, from design implementation to test, versus 
software where security is really an afterthought; where after 
the product is shipped, people say, maybe we should think about 
how to configure it better.
    When it isn't thought of from the very beginning, there is 
a big difference in the number of flaws that end up in the end 
product.
    Mr. Putnam. Mr. Silva, you mentioned rule No. 2 was for 
everyone to accept more responsibility. You discussed the 
importance of education and things of that nature.
    But with the prevalence of broadband, has responsibility 
shifted somewhat to providers or to cable operators or to 
telecommunications companies whose history and tradition and 
corporate culture would not ordinarily lead them to believe 
that protection against hackers or firewalls would be something 
of their responsibility?
    Mr. Silva. Well, as I said in my statement, it is a 
responsibility of everyone, and I think--we always sort of 
gravitate to the natural thing to do, which is to sort of look 
at, is this not somebody else, is the responsibility shifting 
from one group to another?
    I don't think it's shifting; I think it's never changed. I 
think that ISPs, the people that we all use to connect to the 
Internet, have some level of responsibility. I think that the 
government, that industry, my company as well as all of the 
others, have a responsibility to do their part.
    For instance, the Blaster worm has been running around the 
Internet now for weeks, and the network providers are carrying 
the traffic around it. One would think they would see that 
traffic moving around in the network and either deal with it or 
at least work with a group of people to try to figure out how 
to mitigate this.
    At the same time, if they were to suddenly block that 
traffic, you know, I can assure you it will create other 
problems on the Internet. So I think we just have to work 
together and we have to find out what that magic fingerprint 
is.
    There are a lot of these companies that are carrying this 
traffic that aren't in the best of financial shapes right now 
and probably aren't going to invest hundreds of millions of 
dollars into research and mitigation methods.
    Mr. Putnam. Thank you very much.
    Is there anything that you have not been asked that you 
wish to comment on or perhaps respond to as a result of panel 
one, or do you have any additional comments before we seat 
panel three?
    Thank you all very much for your assistance and your input. 
With that, we dismiss panel two and seat panel three as quickly 
as possible. And the committee is in recess.
    [Recess.]
    Mr. Putnam. We have panel three seated, and the committee 
will come back together. And I would ask that you rise, please, 
and raise your right hands to be sworn in.
    [Witnesses sworn.]
    Mr. Putnam. Let the record show that all the witnesses have 
answered in the affirmative.
    We will go straight to your testimony, and I would ask that 
you follow the examples of panels one and two and adhere to our 
5-minute rule on opening statements. And I will introduce our 
first witness.
    Greg Akers is senior vice president and chief technology 
officer for three strategic areas at Cisco--customer advocacy 
technology, corporate strategic security programs and 
government solutions.
    Within customer advocacy technology he and his team focused 
on how to most effectively use technology to improve Cisco's 
productivity and strengthen Cisco's relationships with its 
valued customers. Specific initiatives include technology 
engineering, autonomic and adaptive networking, cross-customer 
advocacy research and development functions, and Internet 
capabilities integration.
    He also leads Cisco's corporate strategic security programs 
with a focus on information security, intellectual property, 
security solution certifications, and cyber warfare.
    Additionally, Mr. Akers runs a government solutions team to 
address the unique requirements of government. The mission of 
this team is to provide solutions aimed at government's core 
business, enabling achievements of its mission to protect its 
citizenry. He has dedicated teams to address global defense in 
space, critical infrastructure protection, U.S. homeland 
security challenges and a government systems unit. His primary 
focus will be to adapt Cisco products and services to respond 
to the unique requirements.
    Welcome to the subcommittee. We are delighted to have you. 
You are recognized.

    STATEMENTS OF GREG AKERS, SENIOR VICE PRESIDENT, CHIEF 
TECHNOLOGY OFFICER, GOVERNMENT SOLUTIONS AND CORPORATE SECURITY 
PROGRAMS, CISCO SYSTEMS, INC.; PHIL REITINGER, SENIOR SECURITY 
STRATEGIST, MICROSOFT CORP.; VINCENT GULLOTTO, VICE PRESIDENT, 
 ANTIVIRUS EMERGENCY RESPONSE TEAM, NETWORK ASSOCIATES, INC.; 
   AND JOHN SCHWARZ, PRESIDENT AND CHIEF OPERATING OFFICER, 
                         SYMANTEC CORP.

    Mr. Akers. Thank you. Chairman Putnam, Ranking Member Clay, 
thank you very much for the opportunity to testify today on 
this very important issue.
    Cisco is a provider of networking infrastructure for the 
Internet and intranets of all types. We provide end-to-end 
network solutions, connecting people to computers and networks 
all over the world, allowing them to work, play, live and learn 
without regard to differences in time, place, or type of 
computer they happen to use.
    Roughly 80 percent of Cisco's support transactions and 85 
percent of Cisco's sales transactions are completed over our 
own company Web site. Therefore, we are very concerned about 
threats and the correct operation of the infrastructure of the 
Internet.
    Rather than summarize the details already provided in my 
written testimony, in the short time today, I would like to 
provide recommendations to three specific groups--industry, 
individuals, and government--with specific actions to address 
some of these threats.
    Vulnerabilities can never be completely eliminated, as has 
been previously stated. Establishing a product security 
response capability is a huge step toward reducing the threat. 
Another major improvement is gathering by setting up obvious e-
mail and easy-to-use Web pages, by vendors and customers alike, 
so they are easily accessible, that will allow vendors to 
produce results for incidents as they occur.
    Most vendors today have neither a team nor modification 
methods in place. Industry members can contribute greatly by 
establishing and publicizing product security processes, 
including taking minimum steps to establish a response team and 
create necessary links to facilitate incoming reports and 
outgoing announcements.
    External reports of vulnerabilities are often accompanied 
with demands to publish in a short period of time, less time 
than the vendor needs to develop fixed software and workarounds 
and test these fixes completely. The public is generally 
unaware of the internal constraints influencing the vendors' 
schedules.
    Because every vulnerability and vendor is unique, time 
lines should be adjusted by the vendor and the external party 
for each situation individually. Vendors can help by 
streamlining their own schedules for producing software and by 
establishing expectations for negotiating flexible but 
effective time lines with all external parties.
    Many individuals and groups fail to practice 
confidentiality regarding vulnerabilities and fail to maintain 
computer and networking systems at some moderate reasonable 
base line and vulnerability. The consequences can be severe. 
Individuals should act responsibly regarding vulnerability 
information. We have published the security advisories and 
encourage others to do the same.
    Some practice poor control over the need-to-know 
information regarding vulnerability. Some lack timeliness or 
otherwise detract from the overall success of the process. 
Numerous plans have been derailed or completely rerouted due to 
leaks, made more severe by late arrival of information or 
otherwise slowed down by lack of information or improper 
information.
    Participants are responsible for reporting vulnerabilities 
promptly and solely to the appropriate recipient, protecting 
the confidentiality and lending assistance as they are able to. 
Vendor-neutral coordinating centers are valuable conduits for 
reporting and handling vulnerabilities. The trust placed in 
such organizations by the worldwide network security community 
for the criticality of important coordination function might be 
jeopardized if it becomes too dependent on funding or other 
centralized government control, or any one individual entity 
within industry or the public sector.
    Government should ensure that coordinating centers are 
available, receive adequate funding from multiple sources and 
avoid dependencies that will treat any participant unevenly or 
in any other way unfairly. Many are aware of the issue with the 
``script kiddies,'' but not all are aware of the professional 
``black hats'' who work for a combination of organized crime, 
terrorists, or nation-states. An entire marketplace that 
exploits vulnerabilities has sprung up on the Net and has easy-
to-use tools, yet it is virtually unknown to the public.
    Government should increase funding and support for the 
development of the maturation of cyber intelligence, the 
advancement of information sharing, and the overall improvement 
of law enforcement's ability to prosecute cyber crimes. One 
issue is common to all the action groups: Vendors respond to 
customers' demands. Buyers from all of these groups wield 
considerable influence at purchasing time. If product security 
or response team are important to you, the buyer should vote 
with the wallet.
    Specifying systems that meet the demands for more security 
is inevitably the way vendors will respond, to include 
increased security measures in their products. Industry, 
individuals, and government can set effective examples for 
defining base line security requirements and require compliance 
to these simply by completion of sales.
    The global nature of the Internet means that no single 
country or industry group can address vulnerabilities in 
isolation. Success in this arena requires public-private 
cooperation between all three of these entities.
    As an example, consider the cooperation of industry under 
the auspices of a national infrastructure assurance council, 
developing a vulnerability disclosure framework that should 
prove to be useful to all parties. The industry leaders I work 
with understand the roles and are willing to do their part to 
protect our national and economic security. The recommendations 
presented here would be a good starting point for improving the 
security posture for the entire Internet.
    I want to thank you, Mr. Chairman, and the other 
subcommittee members for inviting me today. And I will be happy 
to answer any questions that you may have.
    Mr. Putnam. Thank you very much Mr. Akers.
    [The prepared statement of Mr. Akers follows:]

    [GRAPHIC] [TIFF OMITTED] T2654.085 through T2654.096
    
    Mr. Putnam. Our next witness is Philip Reitinger. Mr. 
Reitinger is a senior security strategist with Microsoft 
Corp.'s Trustworthy Computing security team. The Trustworthy 
Computing Initiative at Microsoft is a long-term, company-wide 
initiative to promote the values of reliability, security, 
privacy and business integrity.
    Before joining Microsoft in January 2003, Mr. Reitinger was 
the Executive Director of the Department of Defense's Cyber 
Crime Center and the Deputy Chief of the computer crime and 
intellectual property section of the Criminal Division of the 
Department of Justice.
    Mr. Reitinger is the former Chair of both the Group of 
Eight's High Tech Subgroup and the National Cyber Crime 
Training Partnership's Vision and Policy Committee.
    We look forward to your testimony, Mr. Reitinger, and you 
are recognized for 5 minutes.
    Mr. Reitinger. Good morning, Chairman Putnam, Ranking 
Member Clay. My name is Philip Reitinger, and I am a senior 
security strategist with Microsoft. I want to thank you for the 
opportunity to appear here today.
    Before joining Microsoft, as the chairman noted, I was the 
Deputy Chief of the Computer Crime and Intellectual Property 
Section of the Department of Justice, the Executive Director of 
the DOD Cyber Crime Center and the Chair of the G8 Subgroup on 
high tech crime. Thus, for some time I have been concerned with 
criminal threats to people and networks and with the challenges 
posed by responding to cyber crime.
    Responding to those challenges requires effective action on 
many fronts. Today, I would like to make four main points.
    First, Microsoft is committed to continuing to strengthen 
our software to make it less vulnerable to attack. Microsoft 
under its Trustworthy Computing Initiative is working to create 
software for its customers that is secure by design, secure by 
default, and secure in deployment. We are designing and writing 
software more securely, making it more secure out of the box 
and making it easier to keep secure.
    These goals are becoming ingrained in our culture and are 
part of the way we value our work. Even so, there is no such 
thing as completely secure software. Therefore, and second, 
when security vulnerabilities are found, the process is to 
provide customers with the necessary fixes; they must be easy, 
fast and transparent so the customers can stay secure in 
deployment.
    For example, we have included an automatic update feature 
in recent Microsoft operating systems. My written testimony 
describes the additional steps we are taking in more detail. 
Our goal is to make patch application easier so that every 
single customer can readily have the appropriate patches 
installed and have his or her information protected.
    Third, as the recent past so amply demonstrates, criminals 
will use computer networks to launch attacks, and we must be 
able to respond quickly and effectively. In the case of 
Blaster, before the worm was released, Microsoft built, tested, 
and delivered a remedy for the vulnerability which Blaster 
exploited. We then undertook extensive measures to advise 
customers of the need to apply the patch immediately and how to 
protect their systems.
    After the release of the worm, our efforts continued and 
expanded and included launching our Protect Your PC campaign, 
which included providing security information to users through 
publications such as the New York Times and the Washington 
Post.
    In parallel with these public efforts, we undertook an in-
depth review postmortem to understand how to reduce the 
likelihood of similar vulnerabilities occurring in the future. 
We carried out a full scrub of the subsystem that contained the 
vulnerability. And today we are releasing an additional patch 
fixing vulnerabilities we found. We know that security is a 
process of continuing improvement, and we are committed to that 
process.
    Fourth, as a society, we need to devote increased resources 
to law enforcement personnel, training, equipment, and 
capabilities to prevent and investigate cyber crime. Technical 
and management solutions cannot prevent every cyber attack. 
Determined and sophisticated cyber criminals develop new means 
to break into systems and harm the on-line public.
    In this case, Microsoft worked closely with law enforcement 
efforts to identify the individuals or organizations involved, 
and created and released Blaster interference.
    But despite the best and laudable efforts of the United 
States and international law enforcement communities, it is 
still very hard to identify and prosecute cyber criminals 
worldwide. For example, the computer forensic challenges facing 
law enforcement are daunting. The amount of data that is stored 
electronically is growing exponentially, and law enforcement's 
technical capability to extract critical evidence from this 
massive electronic data is falling rapidly behind.
    In conclusion, the Blaster worm and its variants were 
serious criminal attacks against the owners and users of 
computer networks. These attacks merited and received equally 
serious attention from Microsoft, the government, our 
customers, and our partners. In the end, a shared commitment to 
reducing cyber security risk and a coordinated public and 
private response to cyber security threats of all kinds offers 
the greatest hope for promoting security and fostering the 
growth of a vibrant, trustworthy on-line world.
    Thank you.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Reitinger follows:]

    [GRAPHIC] [TIFF OMITTED] T2654.097 through T2654.108
    
    Mr. Putnam. Our next witness is Vincent Gullotto. Mr. 
Gullotto is the vice president of research for AVERT, the 
Antivirus Emergency Response Team, the antivirus research arm 
at Network Associates. For roughly half a decade, Mr. Gullotto 
has been involved in the day-to-day operations of AVERT labs. 
Located throughout 18 cities around the world, AVERT labs is 
responsible for the research and discovery of computer viruses, 
including Melissa, Love Letter, and Bubble Boy. Are you the 
ones who name them?
    Mr. Gullotto. Yes.
    Mr. Putnam. So Bubble Boy was your idea?
    Mr. Gullotto. Yes.
    Mr. Putnam. Under his leadership, the AVERT group is 
credited with the discovery of the first wireless virus, Phage.
    Mr. Gullotto has developed the concepts and initial designs 
for a number of AVERT service and solution offerings, including 
programs such as WebImmune, the world's first Internet virus 
security scanner that resides on the Web, as well as the AVERT 
Malware Stinger, a stand-alone program designed to supplement 
antivirus programs.
    Mr. Gullotto, we are looking forward to your testimony and 
are delighted to have you here.
    Mr. Gullotto. Chairman Putnam, Ranking Member Clay, thank 
you very much for inviting me today to join the subcommittee 
and speak on behalf of a very serious problem we are having 
today, computer viruses and the evolving threat that we see 
going forward.
    As you stated, AVERT is an antivirus research arm for 
Network Associates. We are a global organization working 24 
hours a day, 7 days a week, discovering new viruses and naming 
new viruses as well. In addition to this work, we also 
participate with 27 other companies in the antivirus 
discussion network [AVED], and on a day-to-day basis work 
closely with law enforcement as often as possible to identify 
and investigate cyber attacks and cyber crime.
    While my written testimony submitted for the record 
provides a recent history of computer viruses and worms, as 
well as descriptions and impacts of the most well-known ones, I 
want to focus my testimony on three important trends and 
followup with three recommendations.
    First, Mr. Chairman, governments and companies have become 
more porous. In recent years, companies have opened their 
enterprise to serve customers better and improve productivity 
of employees and suppliers. Enterprises are becoming electronic 
sponges. They are porous, and it's getting harder to tell the 
inside from the outside.
    Second, reported vulnerabilities are on the rise. We have 
already heard the number is on the increase, and they will 
continue to increase as time goes on. The bad news is that this 
new threat, worms which exploit these vulnerabilities, can 
cause even greater damage than more traditional worms and 
viruses.
    And third, the speed of cyber attacks has accelerated 
dramatically with a shrinking window of exposure between 
vulnerability and exploit. Attackers exploit a window of 
exposure between when the vulnerability is announced and when 
all the infected systems can be patched. Today, the time is 
short. It's a matter of hours in some cases or a matter of 
weeks and days. In the future we expect it to become even 
shorter.
    Once a vulnerability is announced, we may see an exploit 
within a matter of hours, and that vulnerability exploited in 
such a way that, within minutes perhaps, that exploit will be 
around the world. Denial of services like CodeRed and Nimda 
caused spread around the world in hours. And, of course, 
earlier this year we saw Slammer infect thousands of machines 
in just under 3 minutes.
    How do we protect ourselves from computer viruses, worms, 
and other attacks? One key way is by moving from a traditional 
reactive approach to a security approach where proactive 
intrusive protection is used. What's required to close the 
window of exposure is protection in depth, including solutions 
that can be deployed before a new threat appears in the field, 
so that the threat simply bounces off the company's defenses.
    Intrusion prevention looks for anomalies, and attack 
signatures in response, by preventing the attacks from 
permeating the network or system defense. An intrusion 
prevention system protects a network from attack while 
providing breathing room and response time for analysts to fix 
vulnerabilities.
    There are other steps we can take to make a real 
difference. While my written testimony has recommendations for 
enterprising consumers, for the sake of time, I would like to 
share three with the policymakers today.
    First, we believe policymakers should embrace Cyber First 
Responders. We respectfully suggest the cyber security 
industry, including those at the table here today, represent 
Cyber First Responders in our battle against the attacks on the 
information infrastructure. Policymakers, in addressing the 
threat of viruses, worms, and other attacks, should turn to 
these Cyber First Responders, who can provide policymakers with 
real-time, non-hype, accurate information about the nature of 
threats and the extent of the impact.
    Second, policymakers should continue promoting a culture of 
security, a term used both in the United States and abroad, and 
here today as well. We believe the policymakers around the 
world can embrace this concept by continuing to shine a light 
on cyber security. Policymakers can support public awareness 
efforts such as the Stay Safe Online campaign; the government 
industry's collaborative bodies, including the Partnership for 
Critical Infrastructure Security; focus government leadership, 
such as the government's high-ranking single point of command 
that we hope will be announced soon; and real-time information 
sharing organizations, including the various vertical sector 
information sharing and analysis centers.
    And finally, policymakers should increase support of long-
term cyber security research and development.
    In addressing our cyber-security challenges, research and 
development plays a key role in allowing us to stay ahead of 
the next generation of attacks. Yet many experts in industry 
and academia agree that we are at risk of dropping the ball on 
critical R&D needs.
    In the area of R&D, we recommend that policymakers 
authorize the study of our Nation's critical infrastructure 
vulnerabilities, increase R&D funds to leading departments and 
agencies for collaborative R&D with industry and academia, 
refocus collaborative R&D on longer-term challenges and improve 
coordination amongst government-funded R&D projects.
    As we commonly know in the industry, security is not a 
place to get to; it is an ever-evolving challenge. We urge the 
subcommittee and Congress to continue to put energy into 
addressing the cyber-security challenge, and in return, I 
pledge to you our company's commitment to work with government 
and industry and academia to develop solutions to these urgent 
needs.
    I thank you for the opportunity to testify this morning and 
look forward to your questions.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Gullotto follows:]

    [GRAPHIC] [TIFF OMITTED] T2654.109 through T2654.123
    
    Mr. Putnam. Our next witness is John Schwarz. Mr. Schwarz 
is president and chief operating officer of Symantec, 
responsible for Symantec's product development, incident 
response, sales, support, professional services, marketing and 
partner relationships.
    Previously, Mr. Schwarz was president and CEO of 
Reciprocal, Inc., which provided comprehensive business-to-
business secure e-commerce services for digital content 
distribution over the Internet.
    Prior to taking the lead role at Reciprocal, Mr. Schwarz 
spent 25 years at IBM. Most recently, he was general manager of 
IBM's Industry Solutions Unit, a worldwide organization focused 
on building business applications and related services for 
IBM's large industry customers. He has held numerous 
development positions within IBM, including vice president of 
development for the company's Personal Software Products 
Division where he was responsible for IBM's OS/2 Warp and PCDOS 
product management systems development.
    As the vice president of application development for the 
Software Solutions Products Group in Toronto, he was 
responsible for the development of worldwide product management 
of IBM's application development and distributed data base 
products business.
    We look forward to your testimony, Mr. Schwarz. Welcome to 
the committee.
    Mr. Schwarz. Chairman Putnam, Ranking Member Clay, thank 
you for the opportunity to provide testimony on this important 
and timely subject, and thanks for that long personal history.
    Today, much of our economy depends on critical assets that 
are in digital form. We are a society that relies more and more 
on information technology; yet, we have not taken the steps to 
protect those assets to the same degree that we have our 
physical assets.
    The cyber world is maturing and is a pervasive structure in 
organizations, as well as at home. It is also becoming more 
complex and vulnerable. The attacks are faster, less 
predictable, and more severe. The number of opportunities for 
exploitation also continues to grow at a rapid pace. In fact, 
it is estimated that, on average, 250 new software vulnerabilities 
are discovered each month. These vulnerabilities are being 
exploited faster and more aggressively than ever. Again, on 
average, the industry is identifying 450 new viruses each 
month, with some very colorful names, with many reaching pretty 
high severity levels.
    We saw the transition to ``blended threats,'' with worms 
like Code Red and Nimda containing multiple attack mechanisms. 
These blended threats, which combine the attributes of a 
traditional virus and a hack attack, typically resulting in a 
massive denial of Internet services, are truly the biggest 
threat we face today in the cyber world. Leveraging the vast 
number of new vulnerabilities, and through the introduction of 
destructive payloads, rapidly propagating blended cyber 
attacks represent a substantial future risk.
    The next generation of attacks, known as ``flash threats,'' 
has the potential to infect massive portions of corporate 
networks or the entire Internet within minutes or perhaps even 
seconds. The recent Blaster or SQL Slammer worms saw hints of 
these types of threats. As you've already heard, SQL Slammer 
infected 90 percent of the initially vulnerable systems in 
approximately 10 minutes.
    Such threats require entirely new proactive systems to stop 
them. There's no reactive remedy that will ever be fast enough 
to protect against threats spreading at these speeds.
    The interconnectivity of individuals, businesses, and 
government organizations is becoming ever more pervasive and 
continuous through always-on broadband connections. As a 
result, there is a vast, unmanaged computing capacity that is 
potentially available to the cyber criminals to launch massive 
denial-of-service offensives against selected targets or 
perhaps against the Internet as a whole.
    Let me discuss some actions that we believe can improve our 
cyber security. First, awareness and education, often mentioned 
today.
    Educating our consumers, our businesses, the operators of 
critical infrastructure as well as all levels of government, on 
the importance of protecting our systems is essential. We need 
a broad awareness campaign that reaches out to all users of the 
Internet. At the least, all users need to be made aware of the 
value of firewall and automatically updated antivirus 
technology, like putting seat belts in cars. The remote or 
wireless connected worker is becoming more prevalent and can 
unknowingly open up an otherwise secure community network to 
potential vulnerabilities and attack through unprotected 
wireless connections in the home or in the office.
    At the enterprise and organization level, the issue of IT 
security has for too long been left to the security 
administrator, or the CIO. This needs to change. Cyber security 
needs the top leadership of the business or government 
organization. As an example, the recent corporate governance 
legislation known as Sarbanes-Oxley significantly strengthened 
the rules pertaining to the financial management of all 
businesses. However, the legislation makes no mention of the 
importance of protecting the information systems that produce 
the data used in the financial management processes. Only when 
cyber security is treated with the same attention as the 
protection of physical and financial assets can we enable the 
necessary cultural change and focus enough attention and 
resources to truly address the cyber threat.
    Second, cyber crime. We saw the arrest of Jeffrey Lee 
Parson for writing a variant of the Blaster worm, but we have 
yet to find the bigger culprits, the original authors of the 
recent flurry of new attacks. We need to realize that 
protecting the Internet is really a global issue, one that 
requires better international cooperation. We need more and 
higher quality resources for law enforcement to work on 
computer forensics, and we need cooperation from government and 
industry to assist prosecutors in building cases.
    We require more harmony in cyber crime laws. Perhaps the 
Council of Europe's cyber crime treaty is a good starting 
point. Governments and industry should reach across borders 
when appropriate to share information on cyber crime cases, 
best practices, threats and vulnerabilities, in order to gain a 
measure of prosecution success and early warning of potential 
attacks.
    The industry information sharing and analysis centers, the 
ISACs, can be a nucleus of that initiative. There should be a 
confidential, single point of contact in government so that the 
experts can communicate at a peer level at times of major cyber 
attacks. And again the recently announced cyber warning 
information network will be a good base for this exchange.
    Third, research and development. As mentioned earlier, flash 
threats may be wreaking havoc in the near future, and we must 
be more productive in our cyber security practices, focusing on 
behavior blocking technologies, faster threat identifications 
to event correlation, real-time vulnerability scanning, and 
automated software patch deployment.
    Given the shrinking time from discovery to exploit, much 
new research and development needs to take place which even the 
combined resources of the industry cannot deliver in time. The 
government and academia must join this effort with incremental 
funding, proactive recruiting of the best talent and highly 
focused, jointly funded precompetitive projects.
    Finally, audit and risk analysis: Security is not a static 
issue and, thus, requires regular assessments of systems and 
vigilance on the part of the IT managers, and for that matter, 
all users of the Internet. I commend the committee for its 
efforts to enact programs like FISMA, which require annual 
assessments of government systems and also require actions to 
improve the protection of those systems.
    The committee's oversight in this area is invaluable. This 
is not just something that government should do, but all 
enterprises, large and small, should be encouraged to follow 
this example of regular security assessments. Critically, 
though, we need thorough and timely remediation of any audit 
findings. The current performance of most organizations, 
government and industry alike, falls well short of desired 
levels.
    In closing, let me issue this challenge to the industry, 
government, and individual users. We must take cyber security 
more seriously and we must do it together. Aware and compliant 
users are the best defense against most cyber attacks. Most 
importantly, we all, as individual users of the Internet, need 
to do our part to protect cyberspace. Experience shows that 
effective implementations of security solutions cost in the 
range of 6 to 8 percent of the overall IT budgets. Few 
corporations or government departments have allocated adequate 
levels of funding to this critical need. It is time that we put 
our resources to work to minimize the risk of a serious 
disruption of our national cyber infrastructure.
    Thank you and I look forward to your questions.
    Mr. Putnam. Thank you very much, Mr. Schwarz.
    [The prepared statement of Mr. Schwarz follows:]

    [GRAPHIC] [TIFF OMITTED] T2654.124 through T2654.127 (prepared statement submitted as images; not reproduced in the text)

    Mr. Putnam. I appreciate the input of this entire panel, 
and for the record, this was the worst panel about sticking to 
the time lines. Usually it's the bureaucrats that go over. But 
all of you were very interesting with very important 
information, and we are delighted to have it. I would like to 
begin with Mr. Reitinger with Microsoft.
    You have had a bad month. It has been a tough several weeks 
at the office. Walk us through what happens when someone, 
whether they have altruistic intentions, or not-so-altruistic 
intentions, notifies you of a vulnerability.
    And walk us through the process of developing a patch, 
releasing it; and at what point do you notify the Federal 
Government, as well as your customers? Could you just walk us 
through that process?
    Mr. Reitinger. Of course, Mr. Chairman.
    Ideally, the process works with, if there's an external 
notification, someone contacting a software vendor, which might 
be Microsoft or another vendor, who then begins to develop a 
patch. If the notification is to the vendor, that allows the 
vendor to work to develop the patch in advance so that the 
public can be protected.
    The patch is developed, and that can be a very intensive 
process. The Blaster patch or the patch for the vulnerability 
of the Blaster attack, for example, was done due to a number of 
different operating systems. The information associated with it 
had to be developed, I think, in 25 languages. And then that 
patch is rolled out.
    In the case of Microsoft, Microsoft rolls out patches 
unless there's a public exploit, generally on a Wednesday for 
predictability purposes, so customers can know it's coming. At 
that point, we begin to work actively with the community, with 
our customers, with people in the Federal Government, including 
the Department of Homeland Security, to make sure that the 
information about the patch can get distributed as broadly as 
possible.
    Now this next stage is the most critical stage because 
patch uptake, as we know, is critical. The vast majority of 
attacks that we have seen over time have been after a patch is 
released. So the key is getting patch uptake once the patch is 
released and available.
    At some point in that process, as happened in the case at 
issue, there may be some exploit code that is released and 
perhaps eventually there is a worm or another set of attacks 
that are involved.
    But that is the big window, to get patch uptake as broad 
and as deep as possible.
    Mr. Putnam. Does the Federal Government or a particular 
agency of the Federal Government receive an early heads-up 
about a vulnerability that could have serious consequences?
    Mr. Reitinger. Typically, because Microsoft's products are 
distributed so broadly, both within the United States and 
around the world, the notification is done at the same time; in 
other words, we released one, we released all. And the reason 
is, we've got customers around the world, we've got users 
around the world. You need to make sure you can distribute the 
information as broadly and as deeply as possible, and so it's 
generally notification to many.
    Mr. Putnam. So a vulnerability comes to light, you develop 
the patch, you put it out there, and then it becomes the 
responsibility of the consumer to actually patch their system. 
And in this most recent case, despite the fact that your patch 
had been out there for weeks, those who failed to download it 
had the system go down; and so it reflects poorly despite the 
fact that you had already provided the solution.
    My understanding is, Microsoft is working on some better 
technology to make those downloads automatic. And are there 
legal issues, specifically the Computer Fraud and Abuse Act, 
that might prevent you from making it easier for consumers to 
patch their systems?
    Mr. Reitinger. As the chairman's question indicates, there 
is already a feature in Microsoft operating systems called Auto-
Update that can automatically download and prompt the user to 
install patches. We are currently looking at how we can make 
that process easier and transparent for end-users so they can 
more readily have that option available to them, so that more 
people will in fact use and install Auto-Update.
    I think your question about the Computer Fraud and Abuse 
Act goes to the question of whether we could basically say to 
our customers, you have to use Auto-Update and we install Auto-
Update by default. And the answer to that question is, yes, 
there are legal problems. Laws like the Computer Fraud and 
Abuse Act and other regulations, European directives, would 
prohibit access to an end-user's computer without an access of 
authority.
    We actually need consent to do that, and that is something 
we want to do. We want to, in fact, not overcome consumers' 
consent, but empower them and make their consent more effective 
and make it more able to control their own computer security 
and privacy.
    Mr. Putnam. Mr. Akers, what's your take on the whole 
process of notification? And walk us through your system, if it 
differs from Microsoft, when you have an issue that may arise 
that may impact the Federal Government.
    Mr. Akers. It does differ a little bit.
    We have been at this process since I have been at the 
company, and most notably our last restart of the process was 
in 1997, so it's a continuous process that we undertake. Our 
intent from the discovery of vulnerability, either internally 
or externally found, is notification to the customer and 
remediation so that the customer is not impacted. You also have 
to remember that in the case of Cisco, the fabric of the 
Internet itself and the intranets that deploy these patches is, 
in and of itself, part of the issue we have to consider as a 
part of the problem, too.
    So, for instance, we have to be worried about our ability 
to distribute patches if the fabric itself does not have 
integrity. So when we discover vulnerability, we also begin to 
develop a patch. But we also, at the same time, begin to 
develop a plan of notification and remediation. These take 
different shapes depending on the nature of the vulnerability, 
the technologies that are involved and the issues that are at 
hand. In some cases, because we have to ensure that we can 
deploy the released information and the software itself, we may 
notify critical infrastructure components of the problem so 
that they can remediate the problem, so we can continue then to 
work with the rest of the constituent customer base to deploy 
software release and information.
    We look at this on an individual case basis and use 
processes and policies within the company to determine how to 
do that, at which time we then go through the process of 
completing the software build, much as Microsoft indicated they 
do. Once that is ready, both the plan and the software, we then 
begin the notification process and remediation process with our 
customers.
    We believe this process, for us, has worked well over the 
years and believe that it provides the best of both worlds in 
the context of both protecting the infrastructures themselves, 
our customers, and making sure that we get the information into 
the hands of the people that can protect themselves before the 
information is made available to those that might exploit it 
and use it for detrimental purposes.
    Mr. Putnam. Do you have a different notification process 
for an agency of the Federal Government than you do for an 
individual customer?
    Mr. Akers. We treat the agency of the Federal Government as 
if it were part of the critical infrastructure, and we put them 
in the same structure prioritization as we would any other 
critical infrastructure. If we determine that a critical 
infrastructure asset of the Federal Government has a particular 
or unique circumstance, they would be prioritized accordingly 
within our scheme.
    Mr. Putnam. Mr. Reitinger, in the cyber hacker world, 
everybody likes to pick on Microsoft. As we heard in earlier 
testimony, everybody gets their merit badges by messing with 
you all.
    You have a tremendous background in law enforcement, as 
well, so you have seen both sides of this. Are you satisfied 
with the legal framework that exists today for punishing people 
who are hackers?
    Mr. Reitinger. That is a very good question, Mr. Chairman. 
I think, in terms of punishing hackers, the answer is mostly 
yes, because Congress just last year passed an additional law 
raising the penalties for cyber crime and how that's going to 
work in practice, the sentencing guidelines associated that are 
now being developed.
    There are two other areas, though, that require 
examination. One is, is the breadth of penalties enough? Have 
we criminalized everything we ought to criminalize as opposed 
to what the amount of the penalty is? And I think that can 
change over time as new ways to harm people on-line are 
created.
    Secondarily, there is the question of law enforcement's 
ability to identify and then prosecute people, and that is the 
point to which my testimony related. It is actually very hard 
to--as your questions to Mr. Malcolm on the first panel 
indicated, it is very hard to identify hackers and virus 
writers and worm writers online, and we need to do what we can 
to remediate that. And perhaps the biggest way to do that is to 
ensure that law enforcement has the resources necessary to 
attack the problem, particularly with regard to training and 
things like forensics capabilities.
    The last element I'll just mention briefly is the 
international piece. As Mr. Schwarz indicated, it's critical. 
All cybercrime--not all cybercrime, but almost all cybercrime 
involves an international element. Even if it's a person in the 
United States attacking a place in the United States, they will 
probably pass their attacks abroad. So you typically have an 
international element in cybercrime. That means that you have 
to have the same capabilities that you have in the United 
States created around the world, and things like the Council of 
Europe Cybercrime Convention, if ratified by countries like the 
United States and other signatories, could go a long way toward 
remediating that problem.
    Mr. Putnam. Mr. Gullotto and Mr. Schwarz, your company's 
mission in life is to protect your clients' systems from these 
worms, from these viruses, from these hackers, from malicious 
code. You monitor this on a 24-hour, 7-day-a-week basis. Do you 
notice any trends in where these threats come from? Is there a 
seasonality to the trends? Are there more in the summer than 
there are during the school year? Do they arise from Eastern 
Europe or Asia or North America? Could you give us some sense 
of the landscape of the threat environment?
    Mr. Schwarz. Let me jump in and obviously allow my 
colleague to comment. We today monitor almost 1,000 customers' 
networks around the world and have further some 22,000 real-
time scanners placed in strategic points around the Internet 
around the world. That level of input gives us a pretty good 
perspective on what is actually happening on the Internet.
    First and foremost, the majority of the attacks appear to 
be originating in the United States, so the thought of somehow 
being flooded from the outside does not seem to hold true.
    Second, the attacks are gaining in, if you will, virility 
as a result of shared technology, which is very much available 
in public domains on the Internet. So one of the comments I 
would make relative to the criminalization of this conduct, 
ought to think about including the publishing of exploitation 
methodologies and tools which can then be downloaded by people 
who don't necessarily have the skill to further the damage of 
the Internet.
    We do not see any seasonality, we do not see any changes in 
scope as the year progresses or as various political events 
happen to take place around the world. What we do see is a 
direct correlation between the rise of always-on broadband 
connection and the penetration of these attacks around the 
world as these always-on machines are taken over and used as a 
base to launch massive further damage. And as my colleague from 
Microsoft points out, the tracing of these attacks to its 
origin, given today's technology, is almost impossible.
    Mr. Putnam. Mr. Gullotto.
    Mr. Gullotto. I concur with a great deal of what Mr. Schwarz 
said. What I would like to address is a little bit more about 
the specifics of the origins of the virus-writing activity 
itself, specifically where viruses may or may not come from. In 
many cases, as we've heard previously today, and today and I 
will concur with that as well, it is very difficult for us to 
specifically state where a virus has been written or where it 
is originating from. As Mr. Schwarz has pointed out, there is--
a majority of the traffic originates in the United States, but 
we are not completely convinced that the traffic that 
originates in the United States actually came from the United 
States.
    I'll go to an example of a group called 29A that exists, 
from what we understand and what we have researched, in Brazil 
and in Spain. There is a common language between the two. We 
have seen even in code where one virus writer will acknowledge 
another virus writer for helping create some piece of code 
together or in such a way in which they were successfully able 
to take one piece of expertise from one area and the other from 
another area, get it to work together, and then in many cases 
it will get out. Now, it gets out deliberately in some cases, 
or they may post it to a Web site which will ask people to come 
to that Web site, get that--it could have come from the United 
States--double-clicked it when they put it on their desktop or 
began to simply distribute it throughout a network of friends, 
who then may have double-clicked on it to get it moving in the 
case of a mass mailer.
    The worms are a little more difficult to state, meaning 
that I may be a virus writer that lives in Belgium--which there 
is a woman virus writer, her name is Gigabyte, she is 18 years 
old. She may have written a piece of code at her home in 
Belgium, but she may have taken it to France, went into an 
Internet cafe, put in her floppy disk, go to the program, ran 
it. That program immediately begins to spread. She unplugs the 
diskette, pays her 5 euro for the hour that she spent on the 
computer, and she walks out the door. It begins to spread at 
that particular point in time.
    Mr. Putnam. Mr. Schwarz, you mentioned that the majority of 
the attacks originate in the United States. Do you distinguish 
between probes and attacks, or are they the same term?
    Mr. Schwarz. We do distinguish among various categories and 
severities of attacks. And, yes, there are distinctions between 
probes where people are looking for vulnerabilities or open 
switches, if you will, open access points, and actual attacks 
that have been launched to penetrate and cause damage. We see 
about 175 million such events per day across the spectrum of 
the systems that we do monitor. Categorizing that volume of 
data to actually identify specific types of attacks is a bit of 
a daunting task. What we do with the data is correlate the 
information from multiple points and attempt to isolate those 
that have potential for being serious or those that indicate a 
new type of activity from which we have not been able to defend 
ourselves previously, and then build defenses based on that new 
intelligence.
    Mr. Putnam. And do those probes also mostly originate from 
the United States?
    Mr. Schwarz. The total traffic that we see--and again, I 
agree with Vincent's point relative to the actual pinpointing 
of the origin of the code, but the total traffic volume still 
is to some 75 or 80 percent originating in the United States. 
What we see is countries that have a very large prevalence of 
always on connections, like Korea and Japan, ranking very high, 
perhaps beyond the size of their population, but that may be 
simply spoofed addresses targeting those countries as a way to 
launch attacks, but not originating there.
    Mr. Putnam. One of the concerns that we have heard, 
particularly with the reference to the virus that went silent 
today, was shut down as of today, is that it is an attempt by 
these code writers to learn, to explore the system for a finite 
period of time, and then before it could necessarily be reacted 
to, it goes down so that they are learning and essentially 
applying that knowledge toward developing the better or the 
perfect virus or the perfect worm. Could you comment on that? 
Anyone.
    Mr. Gullotto. I would agree that is certainly a possibility. 
We have seen behavior like this for quite some time. 
Approximately 3 years ago Mr. Hale, who had testified a little 
bit earlier, and I were on a committee, if you will, that 
looked at a threat called Leaves. It was an Internet worm. And 
at first it had looked to be rather a meek worm, but as we did 
more and more analysis of it, it became very complex in what it 
was that it did. It looked to be something that perhaps someone 
had created to see what would happen if they released it, what 
data could it gather, where could it go, what could it do so 
that they could then in turn go ahead and create another threat 
of such a nature to then have it go further. The good news was 
that person was actually arrested. And so I don't have any idea 
what happened to that person, but I know that there was an 
arrest in that case.
    Now, we could take a look at other such threats and also 
concur that there is some education process. We could look at 
one specific factor in a threat to say this might be what they 
are looking to see works or doesn't work. The SoBig virus now 
is one that you mentioned, is one that's in its fifth to sixth 
generation, meaning it is multiple family members. There have 
been other variants of SoBig that have spread quite far as 
well, and the commonality amongst each variant is that it has 
an extension, which is PIF. And in many cases, when we see a 
new extension be exploited, it is an opportunity for all virus 
writers to learn to see if it will become successful or not, 
because if it is successful, others will use that same 
extension, knowing full well that most computer users, which we 
would probably look to more toward the consumer user, but then 
again end users, within an environment would not understand.
    We've spent a great deal of time educating people in the 
past couple of years about how not to click on anything that 
has a VBS extension. Well, we got them to understand that. 
Those viruses seem to have gone away. However, PIF looks a lot 
like JIF. JIF is not necessarily a file that can be infected. 
People double-click on it every single day and e-mail. No 
problems. They get to see something, it's great. It's a 
misunderstanding. Virus writers probably understand this, use 
it to educate themselves to see what else they can plant that 
will become successful.
    Mr. Putnam. Mr. Schwarz, did you wish to add anything to 
that?
    Mr. Schwarz. I think this is a very accurate description of 
the actual state of the technology used by the virus writers. 
Again, I would like to stress the importance of dealing with 
Web sites that actually publish this information, which are 
then shared among a community of people that perhaps do not 
have the skill to create the original varieties, but can adapt 
and cause additional damage.
    One other thought which I would like to leave with the 
panel or with the committee is that many of the worms that 
perhaps or the viruses that are perhaps the most threatening 
are not those that achieve the notoriety of a SoBig. They are 
very visible because of the traffic they generate, but perhaps 
a low-profile-type worm or Trojans that have been placed in 
strategic points in the network in systems that are very 
critical to a business or the national infrastructure that can 
be triggered somewhere down the road with a subsequent worm or 
subsequent attack, causing a disruption of service or causing 
deletion of data, or causing, in fact, just a flow of 
information to an entity that might wish to observe what is 
going on.
    So we need to not observe just those attacks that cause the 
service very large volume issues, but need to be looking for 
low-profile, potentially, in fact, more insidious and dangerous 
worms than those we have seen to date.
    Mr. Putnam. Mr. Akers and Mr. Reitinger, recognizing that 
there will never be a perfect code, what can software designers 
do to develop more secure codes, more secure systems as the 
abilities of the bad guys, the black hats, continue to improve? 
What efforts can we take to get better, more secure systems?
    Mr. Akers. I think there are actually two things that we are 
both doing, and we need to continue to do, as an industry. 
Education is a big part with our software developers. We teach 
our software developers that are coming out of academia today 
to develop software based on the function required at hand, and 
we don't teach them to be mindful of the issues around security 
that might provide vulnerabilities and subsequent exploits.
    There are a number of programs out there. There are centers 
of excellence that are part of a program at the National 
Security Agency. There are a number of other venues by which we 
acquire information about how to do good quality, secure 
software engineering. And we need to continue to educate our 
software engineers and academia how to do those things and for 
those that are out in practice today, and continue to do what 
we are doing, which is bringing that information directly to 
them so that as they develop a product initially, they are 
mindful of the issues that we are dealing with from a security 
standpoint today. This is something that's going to be an 
ongoing process.
    The second thing is continued testing. And that is 
something that I know that most of the vendors here and most of 
the vendors across the community are doing more today than we 
ever have. We internally have programs, we externally have 
programs, and we are going to continue to reinforce our ability 
to simply look for and test for those vulnerabilities that we 
might be in a position to uncover that we can then mitigate 
prior to the time of an exploit.
    I want to kind of piggyback on the last question a little 
bit, too. As we look at this issue around vulnerability 
yielding an exploit, the other thing we can do is we could 
watch the testing of some of this exploit code. I can't think 
of a vulnerability that has been disclosed that at some point 
along the line somebody didn't turn the knob to see if it was 
more interesting than maybe the vulnerability seemed at the 
time the vendor talked about it. And if we start seeing these 
kinds of things, government and private sector should be able 
to identify those instances and come together to take a look at 
what the miscreants might actually be doing, and then start 
thinking about how to thwart the attempts that they may make at 
those particular vulnerabilities going forward.
    Mr. Putnam. You mentioned the education and then its 
importance for your software designers. But these miscreants, 
as you've referred to them, or script kiddies are more 
intellectually driven; it is a game. Some people do crosswords, 
some people try to break into systems, and then the more 
malicious types. Now, don't script kiddies grow up to work for 
the Microsofts and Ciscos of the world?
    Mr. Akers. Not knowingly, in my case. We take a very dim 
view of that activity. But, no. Typically it's difficult to 
even distinguish between the activities of the script kiddies 
and the more orchestrated and well-organized, funded, and 
otherwise notable engagements. As a matter of fact, understand 
that it wouldn't be out of the realm of possibility that those 
more well-developed organizations and entities could take 
advantage of the behavior of the script kiddies to accomplish 
what they want to accomplish. So education of software 
engineers is a key part of it. And what you generally find, or 
at least what we generally find, is they do have a--once 
educated, they do maintain and have a clear understanding of 
the issues and want to do the right thing.
    I think as was said earlier, it's almost viewed as being 
patriotic to make sure that when we're providing critical 
infrastructures, we're doing it with the highest degree of 
quality and security that we possibly can. And our developers 
take that to heart much like the rest of the developers in the 
community do.
    Mr. Putnam. Mr. Reitinger.
    Mr. Reitinger. Mr. Chairman, let me answer that question in 
two parts, first what software companies can do, and then turn 
to the education points.
    What software companies can do is have a robust software 
assurance process. Conduct code reviews before software ships, 
use independent test teams, do threat modeling, make sure they 
train their developers. Use automated tools to test for 
security, and seek third-party certifications such as the 
common criteria. This is something that companies like 
Microsoft and other software companies do.
    They need to conduct robust after-actions when 
vulnerabilities do occur to figure out what went wrong and how 
the process can be fixed going forward, because security is 
really a destination as opposed to an end. Or, excuse me, is 
really a process as opposed to an end.
    Software companies need to make security easier to do so 
that the software's secure out of the box and it's easier to 
maintain going forward. So there's a whole software assurance 
and software support process that can ease the burden and help 
solve the problem.
    With regard to education, there are a number of components 
of that. One is educating users about how they can secure their 
systems. That is the focus of a lot of government efforts and 
the Microsoft Protect Your PC Initiative.
    There is also the component of the ethical outreach to 
kids, which was the subject of your present talk. How do we 
stop--how do we make young folks, if you will, not do the sorts 
of things that some of them are doing now, attacking systems, 
so that we have less chaff that we have to worry about to find 
the wheat. That is a really hard problem, and I think requires 
us to figure out how to convince young, computer-literate 
people that breaking into systems, if you will pardon the 
colloquialism, isn't cool. It doesn't build your status in a 
peer group. It's like burning down a building. And people 
really get hurt. That's something we have not all successfully 
done yet, and we need to continue to work on.
    Mr. Putnam. Mr. Schwarz, Mr. Gulloto, do you all have any 
comments on either of those issues? Do you have any comments on 
the education component, and how we can be more effective at 
it, and whose responsibility it is?
    Mr. Schwarz. Let me offer one suggestion. Obviously, 
education is hugely important, and the more we do, the better 
for all of us. There is a technology solution that can be 
applied to partly address this problem, which is something that 
we call client compliance, or compliancee, as it is called in 
bad English. Client compliance is about ensuring that when a 
client is reaching out to the network to be connected, that the 
network has the ability to test whether that client meets some 
basic minimum standards of good housekeeping relative to 
security.
    It would be great if we could come together, government and 
industry, and develop a joint standard for how that compliance 
could be achieved and then have the ability for the ISPs, for 
the in-house servers, to, in fact, test every client before 
they are given access to the network. That technology in 
addition to education could help us dramatically improve the 
level of standard, the level of security that we see today.
    Mr. Putnam. Mr. Gulloto, any comments?
    Mr. Gulloto. With regard to the education aspect, today we 
face a point where we are about to probably look at the next 
generation of threats and how is it that we can educate 
primarily the home user, but to protect themselves from those 
threats. We have them to the point that they understand that 
they are probably best served by putting antivirus and updating 
that antivirus as often as a vendor makes it available.
    Antivirus today is no longer sufficient enough to protect 
everyone from the threats that we are seeing such as the 
Internet worms, which in many cases travel at certain points in 
the Internet where there may not be an antivirus product that 
can actually support or protect them from that. Therefore, as 
we have spoken about today, the evolution of the threat, we 
have to evolve our education and how we go about having the 
consumer at home understand that the Internet is a big city, 
and that like many cities, there are good parts and there are 
bad parts. You should proceed with caution in both areas, and 
understand that what you may find in the good part is good; 
what you may find in the bad part might look good, but it's not 
necessarily good.
    People that are using the Internet today to exploit 
children, they are looking to exploit consumers by stealing 
data for a financial gain, I think are slightly different than 
perhaps some of the script kiddies that we have spoken about 
today. But clearly, when we developed the Stay Safe Online 
campaign sometime back, I think we looked to find that to be an 
avenue in which we could teach the consumer ways in which we 
could have them understand as to what a bad guy looked like on 
the Internet and what a good guy looked like on the Internet, 
and perhaps what a bad guy that looked like a good guy on the 
Internet was.
    I think funding plays a huge part of it, actually, to be 
able to maintain and sustain this type of education, this 
evolving education that we need, which is why many of us today 
have talked about ways in which we can find funding to further 
R&D, but that R&D will include education.
    Mr. Putnam. Thank you very much.
    I am told that there is a 1:30 hearing in this same room, 
and so we need to bring it in for a landing. Is there anything 
that we have not covered that any of the panelists would like 
to add to the discussion before we wrap up? Beginning with Mr. 
Akers. Do you have any final comments?
    Mr. Akers. No.
    Mr. Putnam. Mr. Reitinger.
    Mr. Reitinger. Thank you for the opportunity to testify 
today, Mr. Chairman.
    Mr. Putnam. Delighted to have you. Thank you. Appreciate 
your insight.
    Mr. Gulloto.
    Mr. Gutknecht. No. Thank you.
    Mr. Putnam. Dr. Schwarz.
    Mr. Schwarz. No. Thank you.
    Mr. Putnam. Well, thank you all very much. This has been an 
outstanding hearing. I do apologize for its length, but I think 
that it was valuable and well worth our time.
    I will remind everyone we have two more hearings next week 
on cybersecurity as well. And, with that, the record will 
remain open for 2 weeks for submitted questions and answers of 
topics that we were unable to get to today.
    The subcommittee stands adjourned.
    [Whereupon, at 1:20 p.m., the subcommittee was adjourned.]