b"<html>\n<title> - PROTECTING OUR NATION'S CYBER SPACE: EDUCATIONAL AWARENESS FOR THE CYBER CITIZEN</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n  PROTECTING OUR NATION'S CYBER SPACE: EDUCATIONAL AWARENESS FOR THE \n                             CYBER CITIZEN\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION\n                POLICY, INTERGOVERNMENTAL RELATIONS AND\n                               THE CENSUS\n\n                                 of the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             APRIL 21, 2004\n\n                               __________\n\n                           Serial No. 108-209\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n                                 ______\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n96-315                      WASHINGTON : 2004\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nDAN BURTON, Indiana                  HENRY A. 
WAXMAN, California\nCHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nMARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nDOUG OSE, California                 DENNIS J. KUCINICH, Ohio\nRON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois\nJO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts\nTODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri\nCHRIS CANNON, Utah                   DIANE E. WATSON, California\nADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland\nJOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California\nNATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, \nCANDICE S. MILLER, Michigan              Maryland\nTIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of \nMICHAEL R. TURNER, Ohio                  Columbia\nJOHN R. CARTER, Texas                JIM COOPER, Tennessee\nMARSHA BLACKBURN, Tennessee          ------ ------\nPATRICK J. TIBERI, Ohio                          ------\nKATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont \n                                         (Independent)\n\n                    Melissa Wojciak, Staff Director\n       David Marin, Deputy Staff Director/Communications Director\n                      Rob Borden, Parliamentarian\n                       Teresa Austin, Chief Clerk\n          Phil Barnett, Minority Chief of Staff/Chief Counsel\n\n   Subcommittee on Technology, Information Policy, Intergovernmental \n                        Relations and the Census\n\n                   ADAM H. PUTNAM, Florida, Chairman\nCANDICE S. MILLER, Michigan          WM. 
LACY CLAY, Missouri\nDOUG OSE, California                 STEPHEN F. LYNCH, Massachusetts\nTIM MURPHY, Pennsylvania             ------ ------\nMICHAEL R. TURNER, Ohio\n\n                               Ex Officio\n\nTOM DAVIS, Virginia                  HENRY A. WAXMAN, California\n                        Bob Dix, Staff Director\n                  Dan Daly, Professional Staff Member\n                         Juliana French, Clerk\n            Adam Bordes, Minority Professional Staff Member\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on April 21, 2004...................................     1\nStatement of:\n    Clinton, Larry, chief operating officer, Internet Security \n      Alliance; Andrew Howell, vice president, Homeland Security, \n      U.S. Chamber of Commerce; Rodney Petersen, security task \n      force coordinator, EDUCAUSE; and Douglas Sabo, member, \n      board of directors, National Cyber Security Alliance.......    58\n    Swindle, Orson, Commissioner, Federal Trade Commission; and \n      Amit Yoran, Director, National Cyber Security Directorate, \n      Department of Homeland Security............................    12\nLetters, statements, etc., submitted for the record by:\n    Clay, Hon. Wm. Lacy, a Representative in Congress from the \n      State of Missouri, prepared statement of...................    10\n    Clinton, Larry, chief operating officer, Internet Security \n      Alliance, prepared statement of............................    61\n    Howell, Andrew, vice president, Homeland Security, U.S. \n      Chamber of Commerce, prepared statement of.................    69\n    Petersen, Rodney, security task force coordinator, EDUCAUSE, \n      prepared statement of......................................    84\n    Putnam, Hon. 
Adam H., a Representative in Congress from the \n      State of Florida, prepared statement of....................     5\n    Sabo, Douglas, member, board of directors, National Cyber \n      Security Alliance, prepared statement of...................   105\n    Swindle, Orson, Commissioner, Federal Trade Commission, \n      prepared statement of......................................    15\n    Yoran, Amit, Director, National Cyber Security Directorate, \n      Department of Homeland Security, prepared statement of.....    36\n\n \n  PROTECTING OUR NATION'S CYBER SPACE: EDUCATIONAL AWARENESS FOR THE \n                             CYBER CITIZEN\n\n                              ----------                              \n\n\n                       WEDNESDAY, APRIL 21, 2004\n\n                  House of Representatives,\n   Subcommittee on Technology, Information Policy, \n        Intergovernmental Relations and the Census,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 2 p.m., in \nroom 2154, Rayburn House Office Building, Hon. Adam H. Putnam \n(chairman of the subcommittee) presiding.\n    Present: Representatives Putnam and Clay.\n    Staff present: Bob Dix, staff director; John Hambel, senior \ncounsel; Dan Daly, professional staff member and deputy \ncounsel; Juliana French, clerk; Suzanne Lightman, fellow; \nEarley Green, minority chief clerk; and Jean Gosa, minority \nassistant clerk.\n    Mr. Putnam. A quorum being present, this hearing of the \nSubcommittee on Technology, Information Policy, \nIntergovernmental Relations and the Census will come to order. 
\nGood afternoon and welcome to another important hearing on \ncyber security.\n    I want to welcome you all today to the hearing entitled \n``Protecting our Nation's Cyber Space: Educational Awareness \nfor the Cyber Citizen.'' In the past few years, the growth in \naccess and use of the Internet, the increase in high-speed \nconnections that are always on, and the rapid development and \ndeployment of new computing devices has resulted in an \nexpanding global computing network. Although these advances \nhave improved our quality of life, this global network is \nsusceptible to viruses and worms that can circle the world in \nminutes, not to mention the potential of more malicious cyber \nattacks. While businesses, educational institutions, and home \nusers enjoy the benefits of using the Internet, they are often \nnot adequately informed about the potential dangers that their \ncomputer systems face if left vulnerable and unprotected. The \ngood news is there are solutions and remedies to help mitigate \nthe threats; the bad news is awareness of these solutions and \nthe practice of safe Internet use is not far reaching. Attacks \nare evolving at a greater speed than preparation.\n    This hearing will provide an opportunity to learn about the \nefforts of the Federal Government, trade associations, \ncorporations, and nonprofits to raise awareness about the \nimportance of cyber security. Today I want to call on all \nstakeholders to take immediate action. All of us have a role \nand a responsibility to implement basic cyber security hygiene \nin order to reduce the potential vulnerabilities that could \ncontribute to a successful cyber attack.\n    As use of the Internet all over the world grows, so do the \npresence and ambitions of people with criminal and malicious \nintent. Hackers attempt to take over people's computers to \ncreate ways to send spam, steal information, and launch attacks \nundetected. 
Criminals try to trick unsuspecting cyber citizens \nto reveal personal information by impersonating respectable Web \nsites, a crime known as ``phishing.'' Consumers on the Internet \nmay be tricked into downloading spyware. These programs may be \nharmless, yet extremely annoying, such as delivering a \ncontinuous stream of pop-up ads. Or they may be malicious, \nextracting information such as passwords and personal \ninformation for criminal purposes.\n    There are existing and emerging protections against these \nthreats. Cyber citizens can arm themselves with virus \nprotection software to help stop any potential impact of worms \nand viruses. Use of firewalls can help prevent some forms of \nspyware. Of course, after the rapid spread and dramatic impact \nof worms and viruses this past year, I think we all know the \nimportance of keeping our systems patched and up to date. \nSecurity notices are everywhere reminding us not to open e-mail \nfrom people we do not know, and not to download programs from \nunknown sources.\n    However, many Internet users, consumers, nonprofits, \neducational institutions, and businesses do not employ these \nwell-known protections. They are either unaware of the risks, \nor unaware of the solutions, or both.\n    User awareness is only part of the problem. Many of the \nsecurity problems that users face are rooted in products that \nwere designed to deliver functionality, often without adequate \nregard to security. The manufacturers of both software and \nhardware products must accept some responsibility in this area \nand respond to the growing demands of the consuming public for \nimproved quality and security. This subcommittee has already \nheld hearings on the proliferation of worms and viruses and on \nthe issue of software assurance. And I will continue to pursue \nthose issues. But I am heartened by what I see as signs that \nthe manufacturers are stepping up to the plate. 
I see an \nincreased attention to security that seems to go beyond merely \nlip service. Manufacturers of all levels of notoriety are \npublicly confirming their commitment to providing consumers \nwith products that are less ``buggy'' and more secure.\n    In an effort to dramatically improve information security \nthroughout corporate America, I convened a group of 25 leaders \nfrom business organizations, as well as representatives from \nacademic and institutional communities to form the Corporate \nInformation Security Working Group. The intent was to produce a \nset of recommendations that could form the basis of an action \nplan for improving cyber security for businesses and \nenterprises of all sizes and sectors. The group divided into \nsubgroups, one of which was the Awareness, Education, and \nTraining Subgroup. This subgroup's mission was to identify, \npartner with and build on the good work of organizations that \nhave or are developing campaigns to raise awareness on the \nimportance of cyber security. Let me pause and acknowledge the \ntremendous work that Commissioner Swindle and the FTC have been \npursuing for some time now. It is my view that our collective \nefforts can make a difference. The Awareness, Education, and \nTraining Subgroup reported recommendations for three categories \nof users--small businesses, large enterprises, and home users.\n    For small businesses, the group suggested creating and \ndistributing a Small Business Guidebook for Cyber Security that \nexplains cyber security risks in terms that are readily \nunderstood and that motivate small business owners to take \naction.\n    For large enterprises, the Awareness, Education, and \nTraining Subgroup suggested enhancing distribution of existing \ndocuments for large enterprise managers. Many organizations, \nincluding the Institute for Internal Auditors, the Internet \nSecurity Alliance, and the Business Software Alliance, have \ndone great work in this regard. 
The group believes these \ndocuments deserve greater distribution and will work with \norganizations representing large corporations to find the \nproper channels for broader dissemination. Furthermore, for \nlarge enterprises, the group suggested creating a guide for \ninformation security for C-level executives, such as CEOs, \nCFOs, and COOs. A user-friendly guide for C-level executives is \nnecessary to raise the profile of the information security \nissue in terms senior executives can understand. To that end, \nthe group is currently working with representatives of large \nbusiness organizations to see how it might collaborate on and \ndistribute such a guide.\n    Finally, the group suggested targeted efforts aimed at the \nmass market would help educate home users. The group is seeking \nto build upon existing relationships and forge new \npartnerships between organizations, corporations, and the \ngovernment to help educate the home user base on cyber \nsecurity.\n    One of the other subgroups worked diligently on developing \na set of best practices and guiding principles in information \nsecurity that could apply from the most unsophisticated home \nuser to the most sophisticated enterprise. Those efforts have \nproduced incredible results, and provided a foundation for the \nAwareness, Education, and Training Subgroup to build upon.\n    In addition to my Corporate Information Security Work \nGroup, there are several other organizations, including both \npublic and private entities, that are working to improve \nawareness and provide education to cyber citizens. This \nincludes a broad base of constituent groups, including the \neducation community. Today we will hear about awareness and \neducation efforts in the K through 12 community, as well as in \ninstitutions of higher education. 
In addition to these \nawareness and education efforts, I am pleased to announce at \nthis hearing two partnerships that the Department of Homeland \nSecurity is undertaking to train information security and \nassurance professionals through our Nation's colleges and \nuniversities. The Department will be partnering with NSA to \nenhance the Centers of Academic Excellence in Information \nAssurance Education Program to increase the number of \ninformation security professionals entering the work force. The \nDepartment will also be partnering with the National Science \nFoundation on a Scholarship for Service Program, which provides \n2-year scholarships for training information assurance \nspecialists who in turn make a commitment to work for a Federal \ncivilian agency for 2 years. I look forward to hearing more \nabout these various initiatives in the testimony today.\n    I will note that I do have a concern. I worry that if we \nbombard our cyber citizens with too many messages from too many \nsources, they may become confused and take no action at all. If \nwe are to begin a national, intensive campaign to educate \nindividuals, and small and medium businesses on cyber security, \nwe need to have a collaborative strategy that facilitates the \ndelivery of a clear and common message about how folks can \nprotect against the threat of a cyber attack. I look forward to \nhearing from today's witnesses that my concern is being \naddressed in a proactive and collaborative manner.\n    We must maintain the advantages that multiple channels give \nus for outreach and we must continue to recognize that one size \ndoes not fit all and that a required level of cyber security \nhygiene will vary depending on the profile of the user. Some \nbasic steps are invariably common to most users and today we \nwill identify steps being taken to convey that information. The \nmore voices repeating the message, the more people are likely \nto hear it and pay attention. 
It would be difficult in my \nestimation and based on what I have learned to overstate the \nimportance and timeliness of such an effort.\n    I look forward to the testimony of our witnesses and I \nthank them for their contribution to the cyber security of our \nNation.\n    Today's hearing can be viewed live via Web cast by going to \nreform.house.gov and clicking on the link under live committee \nbroadcast.\n    [The prepared statement of Hon. Adam H. Putnam follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6315.001\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.002\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.003\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.004\n    \n    Mr. Putnam. I would like to welcome the gentleman from \nMissouri, our ranking member of the subcommittee, Mr. Clay, and \nrecognize him for his opening remarks.\n    Mr. Clay.\n    Mr. Clay. Thank you, Mr. Chairman, for holding today's \nhearing on ways we can improve our educational efforts in the \nrealm of cyber security. I, too, share your concerns and I am \nhopeful that our witnesses can share with us different \nperspectives on effective methods for reaching our goals.\n    As our global economy becomes more dependent on the \nefficiencies associated with the information super-highway, we \nmust become more aware of the risks and costs associated with \nsuch advanced technology. Although legislating appropriate \nstandards in rapidly changing technologies is, at best, a \nreactive approach to policymaking, we may have few other viable \noptions. The ominous threat of widespread and well-orchestrated \ncyber attack would have severe consequences in both real \neconomic terms and consumer confidence. 
If efforts to legislate \ncyber security standards are to be effective, the prevention of \nsuch attacks through outreach, training, education, and \nawareness must be central to its mission.\n    Once again, I believe there are two central components that \nare integral to providing adequate computer security for the \nFederal Government. First, the management of our agencies' \nnetworks must become a top priority throughout the government. \nThis approach should not only include adequate funding for \ncomputer security, but better stewardship of our critical \nassets and more frequent vulnerability assessments for our \ninvestments.\n    Second, the government must find a way to incorporate \nminimal software and hardware security standards into its \nannual $60 billion investment in information technology. We \nmust harness the purchasing power of the Federal Government to \ndemand more stringent computer security standards from vendors \nand contractors at every level of the procurement process.\n    I want to thank our chairman for his work on improving \ncomputer security standards through the Corporate Information \nSecurity Working Group. It is my hope that his collaborative \nefforts with the private sector can bring us closer to \nachieving what have been, to this point, elusive goals.\n    Mr. Chairman, this concludes my remarks, and I ask that \nthey may be inserted into the record. Thank you.\n    [The prepared statement of Hon. Wm. Lacy Clay follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6315.005\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.006\n    \n    Mr. Putnam. Without objection, so ordered.\n    I will move directly into the oath. As is the custom with \nthis committee, our witnesses are sworn in.\n    [Witnesses sworn.]\n    Mr. Putnam. Note for the record that both witnesses \nresponded in the affirmative.\n    We will now move into the testimony. I would like to \nintroduce our first witness, Orson Swindle. Mr. 
Swindle was \nsworn in as Commissioner for the Federal Trade Commission \nDecember 18, 1997. In December 2001, Commissioner Swindle was \nappointed as head of the U.S. delegation to the Organization \nfor Economic Cooperation and Development Experts' Group to \nreview the 1992 OECD guidelines for the security of information \nsystems. He has a distinguished military career, and served in \nthe Reagan administration from 1981 to 1989 directing financial \nassistance programs to economically distressed rural and \nmunicipal areas of the country. As Assistant Secretary of \nCommerce for Development, he managed the Department of \nCommerce's national economic development efforts, directing \nseven offices across the country. He was State Director of the \nFarmers Home Administration for the U.S. Department of \nAgriculture, financing rural housing, community infrastructure, \nbusinesses, and farming.\n    We welcome you to the subcommittee, and appreciate your \nwork in this area. You are recognized for 5 minutes for your \noral statement. Your written statements, for both witnesses, \nwill be inserted into the record. You are recognized.\n\n   STATEMENTS OF ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE \n COMMISSION; AND AMIT YORAN, DIRECTOR, NATIONAL CYBER SECURITY \n          DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Swindle. Mr. Chairman, Mr. Clay, and members of the \nsubcommittee, I appreciate the opportunity to discuss the FTC's \nwork on information security. The views expressed in the \nwritten statement represent the views of the Federal Trade \nCommission. My oral remarks and responses to questions, of \ncourse, are my own. This hearing is most timely and I applaud \nthe chairman for his leadership on this very vital subject.\n    Today, maintaining the security of our information systems \nand networks is essential to every aspect of our lives. We are \nall directly or indirectly linked together by this \ninfrastructure. 
We benefit enormously from these systems; \nhowever, there are vulnerabilities that threaten the security \nof and do major harm to stored information, the flow of \ninformation, and the continued viability of the systems \nthemselves.\n    The FTC has sought to address these vulnerabilities through \nconsumer and business education, stressing the fundamental \nimportance of good security practices, plus law enforcement \nactions, and international cooperation. Safe computing \npractices by home computer users are especially important in \nour broadband world. Viruses, worms, and dial-up service \nattacks have left a trail of very costly destruction and, as \nthe chairman mentioned, it could get worse. To help promote a \nculture of security, the FTC created an information security \nmascot, Dewie the e-Turtle, to educate businesses, consumers, \nand children about the importance of information security and \nthe precautions they can take to protect personal information. \nThe Dewie Web site has registered more than 600,000 visits \nsince its deployment in August 2002. In addition the FTC had \ndistributed a video news release seen by 1.5 million consumers; \nwe have distributed 160,000 postcards featuring Dewie; and \ninformation security was the theme of National Consumer \nProtection Week in 2003.\n    Our Web site contains tips on how to stay safe on line as \nwell as publications addressing issues related to spam, file \nsharing, high-speed Internet access, shopping on line, and \nidentity theft. The growing problem of phishing is addressed. \nThis is a high-tech scam that uses spam to deceive consumers \ninto disclosing their credit card numbers, bank account \ninformation, Social Security numbers, passwords, and other \nsensitive personal information. This information and our Web \nsites are available to Members of Congress for constituent \nservices. 
Despite our efforts, only about three dozen Members \nof the Congress have their Web sites linked to the FTC Web \nsite. I think we can all do better than this.\n    The Internet has made us a global community and \ninternational collaboration is important to ensuring \ninformation security. The FTC has played a leading role within \nthe OECD in revising and implementing its security guidelines, \nurging a widely publicized OECD Web site, and aggressively \nurging member countries to immediately implement the principles \nof information security. We are encouraging our global partners \nto share their experiences with the international community, \nincluding the APEC, the United Nations, and the TransAtlantic \nBusiness and Consumer Dialogues.\n    The FTC, the Department of Homeland Security, and such \norganizations as the newly formed National Cyber Security \nPartnership of trade associations, which includes the Chamber \nof Commerce, ITAA, TechNet, and BSA, are working individually \nand together to enhance consumer and business education. The \nNational Cyber Security Summit met in December 2003 to \nimplement the National Strategy to Secure Cyber Space and \nformed five task forces, including one devoted to comprehensive \nawareness. I am pleased that Dan Caprio of my staff \nparticipated as co-chairman of the awareness task force. That \ntask force issued a report recommending a number of very \nconcrete proposals to increase consumer awareness, including a \ncomprehensive cyber awareness campaign to reach consumers \nthrough a 3-year national advertising campaign; a partnership \nwith ISPs to educate home users about cyber security issues; \nand distribution of a cyber security tool kit through Stay Safe \nOn Line.\n    The FTC remains committed to expanding our public-private \npartnership and leveraging relationships with consumer groups, \nindustry, trade associations, other government agencies, and \neducators to raise consumer awareness. 
The Commission has used \nits law enforcement authority to address information security \nissues using our authority under Section 5 of the Federal Trade \nCommission Act. To date, the Commission's security cases have \nbeen based on deception. In four separate settlements with \ncompanies that collected personal information from consumers, \nincluding a settlement with Tower Records which was announced \ntoday, we have alleged that the companies made explicit or \nimplicit promises to take appropriate steps to protect \nconsumers' information. In fact, we found their security \nmeasures to be inadequate. We alleged that Tower made specific \npromises to protect personal information provided by consumers \non its Web site, yet failed to take reasonable and appropriate \nsteps to detect and prevent against well-known vulnerabilities. \nThe lesson: When you are making changes, do not forget to \nensure that your security safeguards are in place.\n    Through these information security enforcement actions, the \nCommission has come to recognize several principles that govern \nany information security program. First, a company's security \nprocedures must be appropriate for the kind of information it \ncollects and maintains. Second, not all breaches of information \nsecurity are violations of the Federal Trade Commission law. \nThird, there can be law violations without a known breach in \nsecurity. And fourth, good security is an ongoing process of \nassessing and addressing risk and vulnerabilities.\n    The critical reality in our information-based economy is \nthat we all have a role to play in protecting cyber space. \nCreating a culture of security is a journey, it is not a \ndestination, and leadership will be essential. Thank you for \nthis opportunity to appear here today, and I look forward to \nanswering your questions.\n    [The prepared statement of Mr. 
Swindle follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6315.007\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.008\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.009\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.010\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.011\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.012\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.013\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.014\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.015\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.016\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.017\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.018\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.019\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.020\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.021\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.022\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.023\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.024\n    \n    Mr. Putnam. Thank you very much Commissioner.\n    Our next witness is Amit Yoran. Mr. Yoran is the Director \nof the National Cyber Security Division of the Department of \nHomeland Security. The National Cyber Security Division \nprovides for 24-7 functions, including conducting cyber space \nanalysis, issuing alerts and warnings, improving information \nsharing, responding to major incidents, and aiding in national \nlevel recovery efforts. Most recently Mr. Yoran served as the \nvice president of worldwide managed security services at the \nSymantec Corp., overseeing 24-7 security operation centers \ndelivering security services to hundreds of companies in over \n40 countries around the world. Prior to working at Symantec, \nMr. Yoran founded RipTech, an information security company. He \nalso served as an officer in the U.S. military as the \nvulnerability assessment program director for the U.S. \nDepartment of Defense's computer emergency response team, and \nsupported security efforts for the Office of the Assistant \nSecretary of Defense.\n    We welcome you to the subcommittee. 
You are recognized for \n5 minutes.\n    Mr. Yoran. Good afternoon, Chairman Putnam and \ndistinguished members of the subcommittee. My name is Amit \nYoran, and I am Director of the National Cyber Security \nDivision within the Office of Infrastructure Protection of the \nHomeland Security's Information Analysis and Infrastructure \nProtection Directorate. I am pleased to appear before you today \nto discuss our initiatives addressing educational awareness for \nthe cyber citizen. We view cyber awareness as a critical \ncomponent within our mandate to improve cyber security. We have \nimplemented measures to reach as many people as quickly as \npossible. Education and training are also critical elements of \nour strategic initiatives to improve the long term cyber \nsecurity posture of our Nation. Education of our cyber \ncommunity on the rules of the road is fundamental for enhancing \ncitizen safety in the cyber world.\n    The National Cyber Security Division was created to serve \nas the national focal point for public and private sectors to \naddress cyber security issues. NCSD is charged with \ncoordinating the implementation of the National Strategy to \nSecure Cyber Space. The Department works closely with our \npartners in the Federal Government, at the State and local \nlevel, as well as with the private sector and academia on a \nvariety of programs and initiatives to protect our information \ninfrastructure.\n    On January 28th of this year, the Department of Homeland \nSecurity unveiled the National Cyber Alert System, delivering \ntargeted, timely, and actionable information to Americans to \nsecure their computer systems. We have already issued several \nalerts and a periodic series of best practices and how-to \nguidance pieces. 
We strive to make the information provided \nunderstandable to all computer users, both the highly technical \nand those like my wife, who, despite her advanced degrees and \nprofession, need this information presented in plain English. I \nam pleased to report that Americans are exhibiting a keen \ninterest in the alert system. And on the day of the National \nCyber Alert System launch we had over 1 million hits to the US-\nCERT Web site. Today, more than 250,000 direct subscribers are \nreceiving National Cyber Alerts to enhance their cyber \nsecurity. For your reference and for your constituents, I urge \nyou to visit www.us-cert.gov and encourage you to include a \nlink to US-CERT on your congressional Web page and recommend \nyour constituents sign up for the National Cyber Alert System \nto help them improve their cyber vigilance and protect our \nNation.\n    We have engaged in many media interactions to provide a \nvoice of reason in our efforts to improve awareness among the \ncyber citizenry and also reach as many Americans as possible in \nthe plain language they can easily understand and act upon. The \nDepartment of Homeland Security is the sponsor of the National \nCyber Security Alliance and the Stay Safe On Line, a public-\nprivate effort created to educate home users and small \nbusinesses on cyber security best practices. Each time we turn \nour clocks ahead and back to account for Daylight Saving Time \nwe encourage Americans to review and improve their cyber \nreadiness. I challenge each Member of Congress to sponsor a \ncyber security awareness event in your district on October 31, \nthe next National Cyber Security Day. Although Cyber Security \nDay is not yet broadly recognized, our continued and joint \nefforts will ensure their future success and effectiveness.\n    In addition to awareness, other key aspects of our strategy \nare focused on training and education. 
Homeland Security is \nactively engaged with our intergovernmental partners and is \nalso reaching out to academic institutions to establish \ncooperative relationships. I again cite the two recent \naccomplishments which you previously mentioned in this regard.\n    We have signed on to partner with the National Security \nAgency to expand the NSA Center for Academic Excellence in \nInformation Assurance Education Program to a broader National \nCenters of Academic Excellence initiative. The program was \nestablished by the NSA in 1998 to promote higher education in \ninformation assurance. Universities designated as centers are \neligible for scholarships and grants through both the Federal \nand Department of Defense Information Assurance Scholarship \nprograms. The new, increased scope will accelerate and expand \nthe current program to attain national prominence, attract \nparticipation from other universities, resulting in an \nincreased number of cyber security professionals for our \nNation.\n    Second, Homeland Security has partnered with the National \nScience Foundation on the Scholarship for Service program. This \ninitiative promotes university level information assurance \neducation and places program graduates into the Federal work \nforce. The Department of Homeland Security has already hired \ngraduates and we are excited about the capability of these \ngraduates and the quality of the work force this program is \nproducing.\n    In addition to these accomplishments, we have identified \nother strategic education programs. We are working with the \nDepartment of Education, EDUCAUSE, and others to develop cyber \nsecurity programs for the K through 12 curriculum in our public \nschools. It is imperative that we educate and raise America's \nyouth in a culture which fosters prudent cyber security \npractices and ethics. 
Our goal is to ensure that all computer \nusers understand the rules of the road for cyber security and \nare empowered to stay safe on line.\n    Thank you for the opportunity to testify before you today. I \nwould be pleased to answer any questions that you have at this \ntime.\n    [The prepared statement of Mr. Yoran follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6315.025 through T6315.035\n    \n    Mr. Putnam. Thank you, Mr. Yoran. I appreciate your being \nhere today. You have had an interesting week. I would like to \ngive you the opportunity to elaborate on the Cyber Alert that \nyou have issued and if you would give some comment to this \nsubcommittee on the nature of the vulnerability and the status \nof efforts to remedy that vulnerability on the Internet \nrouters.\n    Mr. Yoran. Thank you, Chairman Putnam. The creation of the \nNational Cyber Alert System allows us to reach out directly to \na large number of operators in cyber space with information \ntargeted to them on how they can best protect their systems or \nthe systems which they are responsible for. In a number of \nrecent cases, vulnerabilities have been brought to our \nattention which would cause specific routers to malfunction and \nbecome inoperable and not pass the traffic which they were \nintended to pass. This vulnerability is not information which \nis actionable to most home users, but certainly through our \ntargeted delivery mechanism we can reach out to the cyber \nsecurity community and provide this information to them. 
The \ndetail and accuracy of the information allow the Department of \nHomeland Security and the Federal Government to work closely \nand cooperatively with the private sector. In an alert we \nissued late last night, we worked closely with Cisco, who \nproved to be a valuable partner to the Department of Homeland \nSecurity and the Nation in being very forthright about a \nvulnerability which was brought to their attention in their \nclose working relationship with the US-CERT and the Department \nof Homeland Security, and, perhaps most importantly, with their \ncustomers, to assure that Internet backbone services and \nrouters were adequately protected in an expeditious fashion.\n    Mr. Putnam. Why was it the British Government who revealed \nthe vulnerability and not the Department of Homeland Security \nin our own country?\n    Mr. Yoran. I will not comment on the logic behind the \nBritish Government releasing this vulnerability on their \nspecific timeline. Given the availability of that information, \nit was important for the Department of Homeland Security, \nworking with Cisco and key Internet service providers, to put \nout and make as broadly available as possible some technical \ninformation with an appropriate level of detail so that folks \nknew how best to protect themselves. I am happy to report that \nwhile this is a significant vulnerability, those warnings were \nrapidly heeded by much of the backbone community and the \nlikelihood of significant Internet disruption as a result of \nthis vulnerability has been minimized.\n    Mr. Putnam. My understanding is, and correct me if I am \nwrong, that the potential for this vulnerability has been known \nfor some time; it was not known that anyone could exploit it. \nIs that the case? And if so, how long has your office been \naware of the existence of this potential vulnerability? 
And the \nfollowup would be, are there others that until now people have \nthought were not exploitable that we should be addressing and \nthat people should be aware of?\n    Mr. Yoran. Chairman Putnam, I would welcome the opportunity \nto brief you in a smaller forum, a more confidential venue on \nsome of the pre-public announcement activities and coordination \non what information was released and which communities we \nworked with to best serve the public interest and protect the \nNation.\n    In terms of specific exploit code, in terms of specific \nvulnerabilities which were known about and have recently had \nexploit code developed, there have been a series of \nvulnerabilities discovered over the past 24 hours. In fact, two \nalerts have been issued on very similar topics over the past 24 \nhours. For one of those alerts, the one dealing with the Border \nGateway Protocol, the more commonly adopted best practices \napproach to router management would significantly mitigate the \nrisk and exposure an organization would experience, again \nhighlighting the need for best practices and best practice \nguidance such as your working group produced and is available \nfrom NIST and from many of the vendors.\n    For the second of the recent vulnerabilities discovered, it \nis in fact a new vulnerability discovered in a specific \nvendor's implementation of the Simple Network Management \nProtocol.\n    Mr. Putnam. I think that Mr. Clay and I both would \nappreciate the opportunity to discuss other issues in the \nappropriate forum and setting. But for the purposes of this \nhearing, let me just ask, is security enhanced by a fundamental \nshift from the Internet to IPv6?\n    Mr. Yoran. Mr. Chairman, there are some very promising \ncharacteristics of IP version 6 which have security enhancing \ncapability which have significant impact on how the Nation or \nthe infrastructures might defend against some of the threats we \nface today. 
Many attack techniques which deal with exhaustive \nsearching of Internet addresses, looking for vulnerabilities \nare much less practical in an IPv6-type environment. \nThrough a number of efforts within the Department of Homeland \nSecurity's Science and Technology Directorate, we are investing \nin a better understanding of IPv6's effect on Internet \nsecurity. The Department of Commerce has a very active effort \nin understanding the implications of IPv6 and the adoption \nof IPv6 from a security perspective. It is important, \nhowever, to also recognize that many of the vulnerabilities \nwhich exist and many of the attack techniques which exist are \nnot going to go away with the increased adoption of this new \nprotocol.\n    Mr. Putnam. Thank you. I appreciate that very much. We will \nreturn to the theme of the day.\n    Commissioner Swindle, the evidence clearly indicates that \ncomputer users of all levels of sophistication are potential \nvictims of worms and viruses and denial of service attacks. Who \nare the target audiences of the efforts by the FTC and, in Mr. \nYoran's case, the cyber security division to address \nimprovements in cyber security? I assume that the cyber turtle \nis not speaking to large enterprises. But in general, as you \nprioritize your audience, who is at the top of the list?\n    Mr. Swindle. Mr. Chairman, the cyber turtle is actually a \nvery sophisticated creature. He is handsome and he is affable \nand he was modeled after me, so let us be careful how we talk \nabout him. [Laughter.]\n    Mr. Putnam. Mr. Clay and I would like to meet him. Can we \ncall him as a witness? [Laughter.]\n    Mr. Swindle. The FTC has traditionally been involved with \nconsumer protection matters and consumer education is a large \naspect of how we go about doing our business, both from the \nantitrust side as well as the consumer protection side. It is \nall to enhance consumer welfare. 
We have a tremendous amount of \nexperience in consumer education and our efforts with Dewie the \ne-Turtle have been addressed primarily to consumers and small \nbusinesses. However, in the process of finding better ways to \ncommunicate with consumers, we deal with industry associations \nand large businesses on a constant basis and have established \nsome rather good relationships with these companies, seeking a \nbetter understanding of the problems, seeking their advice on \nhow they market to their customers, and we learn together from \neach other's experiences. So, it is a rather comprehensive \napproach to educating the consumer.\n    The target primarily is the broad base. If you can imagine \na triangle of people concerned with computer and information \nsystems security, the broad base of the triangle would be 250 \nmillion consumers here in the United States, and then we can \nmultiply by all the people in the world who are also involved \nin this. Then we get up to higher levels of corporate \ninvolvement, lower levels of small business involvement, but \nyet the base is broad and the triangle narrows as you go \nhigher. So our focus is on the broad base consumers, and we \nwork closely with industry, small businesses, and associations \nto try to convey our message.\n    Mr. Putnam. Thank you. We look forward to Dewie joining the \ngreat pantheon of other public servant characters like Woodsie \nthe Owl, Smokey the Bear, and McGruff the Crime Dog.\n    Mr. Swindle. That was the motivation behind my asking three \nbright young people, I said ``I want a Smokey the Bear to be \nour spokesperson.'' and they came up with Dewie. And it has \nbeen fairly successful.\n    Mr. Putnam. Well, good.\n    Mr. Swindle. At the Federal Trade Commission, while we have \nthe potential and expertise to do a lot of consumer education, \nwe are a relatively small agency. We've got Dewie launched, and \nwe are hoping that industry will pick it up and expand it. 
And \nit has expanded. We have Dewie appearing in schools and on \ntelevision and with industries, and we have many industries and \nassociations of industries linked to our Web site in which you \nwill see the presence of Dewie on each one of those, as well as \nthe OECD, for that matter, in the international world. They are \nstill trying to figure him out over in Germany, but they will \nget there.\n    Mr. Putnam. Thank you, Commissioner. At this time, I would \nlike to yield to Mr. Clay for his first round of questions.\n    Mr. Clay.\n    Mr. Clay. Thank you, Mr. Chairman. I appreciate it.\n    Mr. Yoran, welcome to the committee. Can you describe for \nme the procedures that are in place to work with the private \nsector in circumstances that DHS advisories or warnings are \nnecessary? For example, did the Department of Homeland Security \ncollaborate effectively with Microsoft and the anti-virus \ncompanies during the recent wave of cyber attacks?\n    Mr. Yoran. Thank you, Congressman Clay. The Department of \nHomeland Security, through the efforts of the U.S. Computer \nEmergency Readiness Team, has several venues and interaction \npoints with which we are working with many entities in both the \npublic and private sector. In many cases, before issuing a \nspecific alert, in cases such as the recent Cisco alert which \nwas published, in cases like recent virus alerts and \nvulnerabilities in specific vendor operating systems such as \nMicrosoft, we have worked with and collaborated with those \ncompanies to assure that the information which we are providing \nis, in fact, technically accurate and that we are adequately \nproviding enough information in an actionable fashion so that \nthe public can work with the vendors providing those specific \nsoftware packages on how they can best protect themselves. 
\nFurther, our collaboration with the private sector extends \nbeyond the vendor community and into the critical \ninfrastructure owner-operator community, working closely with \nnumerous ISACs, numerous industry associations, other \ninformation sharing organizations, and cyber security \nprofessionals and experts in the private sector to help them \nbest assess the impact of these vulnerabilities on their \nspecific industries.\n    Mr. Clay. An extensive network of consulting going on \nthere.\n    Mr. Yoran. Yes, sir. There exists an extensive network and \nnumerous interaction points which we are continually refining \nand expanding upon in a series of public-private partnerships.\n    Mr. Clay. Thank you. In creating the Homeland Security \nDepartment, Congress moved the Federal Computer Response Team \nfrom GSA to Homeland Security. Has this move contributed in a \npositive manner in the ways in which DHS now responds to cyber \nattacks? Did anyone leave the agency rather than move, as we \nsaw with some other agencies?\n    Mr. Yoran. Well, sir, I could not provide details at this \npoint as to whether anyone moved or not. I can certainly assure \nyou that a number of highly qualified experts came into the \nDepartment of Homeland Security with the transition of the Fed-\nCERT capability and that Fed-CERT is very active in helping the \nFederal Government understand, address, and respond to \nvulnerabilities and malicious activities as they are discovered \nand as they occur. 
Earlier this morning, in fact, the Fed-CERT, \nLarry Hale, who is the Assistant Director of the US-CERT and \nthe Director of Fed-CERT, conducted a conference call with OMB, \nunder the leadership of Karen Evans, and the entire CIO \ncouncil, we had representation there from the US-CERT, we had \nrepresentation from Cisco, to help provide specific detail on \nthe recent vulnerabilities, as, again, an illustration of how \nthat Fed-CERT capability has translated into rapid capability \nfor the Department of Homeland Security in addressing cyber \nsecurity threats. We additionally conducted coordination \nactivity with the chief information security officers of the \nFederal Government over the past 24 hours with respect to this \nspecific vulnerability.\n    Mr. Clay. OK. Thank you for that response.\n    Mr. Swindle, from a business perspective, do you view the \nsoftware security industry as competitive and cutting-edge, or \nare there limited participants that may impact the availability \nof products or the cost of these products? How do you view the \nindustry as far as from a business perspective?\n    Mr. Swindle. If I understand the question correctly, Mr. \nClay, there is no doubt in my mind that we have very \ncompetitive companies out there attempting to come up with \nbetter and better and more acceptable, I mean that from the \nstandpoint of consumer acceptability, products. As Chairman \nPutnam mentioned earlier, we have gone through this \nevolutionary process of getting into this world of cyber space \nand companies raced out, competitively, I might add, to try to \nacquire customer base, they had bells and whistles galore. Not \nmany people were thinking too much about security or privacy \nfor that matter, which has been a major concern of the Federal \nTrade Commission over the past few years. 
I think today, \ncertainly on the privacy matter, these competitive companies \nare paying attention to it, and now I think they are focusing \non security, and we are seeing better and better products from \na security standpoint.\n    I think we will eventually see an evolution, and I think \nthis is driven by the capacity of technology to accommodate it. \nI mean, everybody sort of knows what we want to do, getting the \ntechnology that will do it economically is another question. We \nare seeing us progress to a point where more and more \ncomputers, especially home computers, the personal devices that \nthe masses of people use, will have baked into them more and \nmore security and privacy attributes that will hopefully take \nsome of the necessary action away from the user and make it \nautomatic. I guess probably the best analogy I have found \nthroughout this whole discussion has been the automobile. I can \nremember and I guess, I am looking around the room here, I may \nbe the only one in here that can remember the way automobiles \nwere back in the early 1950's. There were an awful lot of \nthings we had to do then that we do not even know exist today. \nSo I think we will see this industry progress that way. We have \ntremendous private sector companies trying to do good work, and \nthey are working very hard at it.\n    Mr. Clay. I thank you for that response. One other \nquestion. From your perspective, are there additional measures \nthat the Federal Government ought to pursue to strengthen \nsecurity measures taken by those in private industry? And are \nthere economic-based computer security hygiene standards or \nother mechanisms in the marketplace?\n    Mr. Swindle. I think the answer to that question is \nmultifaceted. It is going to take all of us working on it. It \nis going to take legislative pressure, it is going to take \nregulatory pressure, it is going to take competition pressure. 
\nAs I said, we all got out front providing bells and whistles \nand nobody thought about security. Now, the company that gets \nahead of its competition is one that is providing good \nsecurity. So I think all these forces together are going to \nplay a role. I think the chairman's program with the private \nsector and the initiatives he has taken are good. He has sort \nof waived the flag of regulation or some new law, and it is \njust amazing how that inspires people to get moving.\n    Mr. Clay. To get together, right.\n    Mr. Swindle. And I do the same thing. I say either you do \nit--it is like the old Fram oil filter commercial where the guy \nholds it up and says either you buy one of these now or I will \nsee you over here, and there is a smoldering engine over here. \nSo, legislation alone will not solve this problem. It is moving \ntoo fast. By the time the Congress enacts legislation, that \nproblem has come and gone and we have a new one. I just do not \nthink legislation alone is a solution. But I do think we \nprogress if we are all pushing each other, challenging each \nother, and we continue this dialog in search of the right \nanswer--because we all have a stake in this. We all have a \nselfish interest in getting it right because we are going to \npay the price either as a home user whose computer which costs \n$700 got a virus and destroyed it, he has an interest in it, as \nwell as Microsoft and AOL and all these other big guys, and the \nFederal Government. So we all have to work on this and push.\n    Mr. Clay. Thank you for your response, Mr. Swindle.\n    Mr. Swindle. Yes, sir.\n    Mr. Putnam. Thank you, Mr. Clay. Before I get back into \nsome more questions, I would like to introduce Matthew Jaunce, \nfrom Laughton-Childs Middle School in Lakeland, FL, who has a \nclass assignment of shadowing a member of the community, \nhopefully a productive member of the community, unfortunately, \nhe chose to shadow a Congressman. 
But Matthew, wave your hand, \nand welcome to Washington.\n    [Applause.]\n    Mr. Putnam. Commissioner Swindle, is there an estimate on \nthe amount of economic impact or harm that has been done \nthrough phishing, phishing with a P?\n    Mr. Swindle. P-H.\n    Mr. Putnam. Phishing with a P-H.\n    Mr. Swindle. I struggle with that also. I do not know, Mr. \nChairman, if we have an accurate quantitative assessment of how \nmuch of a problem it is. But we know that identity theft is \nvery large. I think we did a survey here recently, I think it \nwas last September, in which it is estimated, if I remember \ncorrectly something on the order of 27 million people over the \npast 5 years have had some unfortunate engagement with identity \ntheft. As you certainly know, and as I mentioned earlier, \nphishing is a process whereby people are tricked into giving \nvital information such as their names and their Social Security \nnumbers. Those two items alone can lead to an awful lot of \nmischief on the part of bad guys because they can use those two \npieces of information to get credit cards, and by the time you \ncatch them, your credit report has been done such damage it \nwill take you years to get over it. These are serious problems \nand phishing is expanding.\n    There are lots of different things that could help curtail \nit. But I still contend the one thing that will help most is \nindividual responsibility. And for people to be responsible and \nprotect themselves they have to know what is happening. And \nthat is a part of our consumer education program, to let people \nknow the kinds of bad things that go on. We are seeing good \nsigns. There is a commercial running on at least cable \nnetworks, because that is about all I get a chance to look at, \nadvertising, if I remember correctly, a shredder. It shows a \nguy rummaging through a trash can, and he finds some stuff, \nputs it in his pocket, and the owner of the trash can drives \nup. 
It is late in the evening, and the guy who is rummaging \nthrough the trash can says, ``Hi, Tom'' or something to that \neffect, as if he knew this guy, and the guy has a puzzled look \non his face. So much of this information does come from trash \ncans and mishandled information, carelessly handled \ninformation.\n    So the problem of phishing, I cannot give you quantitative \nnumbers on it, but I can assure you it is growing. The damage \ncaused by bits and pieces of personal information falling into \nthe wrong hands either by people losing it, which tends to be \nthe dominant way, or somebody stealing it through the \ntechnology of computers is major. Very large.\n    Mr. Putnam. As a corollary to that, has any action been \ntaken to prevent the deliberate construction of Web sites that \nprey on people's misspellings and particularly target children, \na common misspelling of Britney Spears would lead you into a \npornographic site, or, the most common one, whitehouse.com \ninstead of whitehouse.gov. I know that is not exactly a cyber \nsecurity issue, but since we are talking about protecting the \nhome user, that certainly is an important piece. Has anything \nbeen done on that where they deliberately construct a Web site \nto lure children into these sites?\n    Mr. Swindle. We have had a couple of cases which go back a \ncouple of years. One we refer to as ``Fat Finger Dialing,'' or \nsomething of that nature. But we have taken some action against \npeople who do these kinds of things. Again, it is a large world \nout there. I do not recall many complaints of recent times \nabout that because I frankly think people are sort of savvy to \nthis and pick up on it. But it is certainly out there, and it \nis another pitfall that people can fall prey to.\n    Mr. Putnam. Sure. Mr. 
Yoran, what has been the impact of \ncurrent and recent legislative initiatives such as Gramm-\nLeach-Bliley, HIPAA, and Sarbanes-Oxley on improving \ninformation security, not just for the regulated sectors but \nthroughout corporate America?\n    Mr. Yoran. Chairman Putnam, some of the corollary effects \nof both existing legislation and some of the proposed \nlegislation is an increased visibility of cyber security \nissues, an increased awareness in the private sector of their \nresponsibilities, and an increased focus on execution of cyber \nsecurity practices in the private sector.\n    I will also add, given the opportunity, to some of the \ncomments Commissioner Swindle made earlier in terms of cyber \ncrime. I certainly commend the Department of Justice's focus in \nthe protection of children and going after child pornography, \nand also commend various efforts in the private sector to help \ncurtail this type of activity, specifically America Online and \nother organizations which are providing an infrastructure and a \nmuch safer environment for America's youth in terms of their \ncyber security and their exposure to some of these threats.\n    Mr. Putnam. What steps has your division taken to motivate \nthe private sector to report intrusion incidents, and how is \nthat information protected so as not to produce a competitive \ndisadvantage for those people who are doing the right thing and \ncoming forward with that information?\n    Mr. Yoran. There are a number of initiatives underway to \nhelp encourage collaboration with the private sector, one \ncomponent of which is the reporting of incidents. 
Certainly, in \nour technical alerts and in delivering technical information \nand assistance, guidance to the private sector is one form of \nactivity underway which encourages and has resulted already in \nthe private sector's willingness to discuss cyber security \nissues with the Department of Homeland Security and we are \nconfident that will continue. Additionally, sharing the \nincreased practices around information sharing not only within \nthe public sector, but from the public sector to the private \nsector have encouraged increased collaboration with the private \nsector. Again, I will cite two recent interactions with Cisco \nas the US-CERT and Cisco's willingness to be very forthright \nwith us and use us as one mechanism for their outreach to their \ncustomers and the set of people who may be affected by recent \nvulnerability discoveries.\n    Mr. Putnam. Commissioner Swindle, do you believe that some \nof the recent legislation like HIPAA, and Gramm-Leach-Bliley, \nand Sarbanes-Oxley have aided in improving information security \nthroughout corporate America?\n    Mr. Swindle. In a word, yes. I think again back to that \npressure, and I think it has brought a greater awareness among \ncorporate America, and the consumers, and vendors, and clients \nand customers that this is serious business. And while some of \nit may be an enormous burden, as oftentimes legislation tends \nto be, we have to keep working to minimize those burdens while \nat the same time, where it is possible through legislation, put \nin place measures that will improve the circumstances.\n    I think getting corporate America's leadership focused on \nthis, getting boards of directors focused on this, on why it is \nimportant, and the bottom line is why it is important for most \nof those people, that will help us create this culture of \nsecurity that I mentioned. I do not know of a better way that \nwe can solve this problem or at least minimize this problem. 
I \ndo not know that we will ever solve the problem because \ntechnology is moving too much, but when concerns about \ninformation security and privacy of customers and clients and \nthe information that pertains to them becomes part of a \ncorporate culture, it will be the way we do things as opposed \nto something we have to do. I think in this new world in which \nwe are living, knowing that is what we should be responsible \nfor doing, that this is what we ought to do for the benefit of \nthe corporation ought to be a part of that company's culture. \nIt is the establishing through audit and other means of how the \ncompany does business and certifying the ethics, the morality, \nif you will, the proper procedures that they use for their \ncorporation.\n    I think that is just a part of the new world that we live \nin. And more and more corporate leadership is realizing this \nand they will adopt it because I think they represent \nresponsible companies that want to do well. I think they are \ngoing to have to do these kinds of things to do well. I would \nhope they would do it of their own initiative as opposed to \nhaving to have a law that says you have to do this. This is \ncommon sense. It is the right thing to do.\n    Mr. Putnam. What is the role of the ISP community in \nserving as a communications channel to computer users about \ncomputer security hygiene and cyber ethics?\n    Mr. Swindle. I think they have a large responsibility in \nthis and, as I mentioned I think in my oral testimony, a part \nof the recent task force on comprehensive awareness, one of the \nfeatures of it, initiatives of it would be to have the ISPs \nengage in a lot of consumer education. The ISPs have two big \nproblems. One is all this stuff flooding in on top of it which \nis consuming its resources, causing it great expense. 
And on \nthe other side of that, the ISPs push, and e-mail comes to mind \nright away because that is what most consumers are engaged in \nand that is where an awful lot of this mischief goes on, the \nnuisances go right out to consumers. The ISPs I think have made \nremarkable progress, certainly the major ones, and I am sure \nsome of the smaller ones have done so also, over the past \ncouple of years in providing their subscribers with great \ntools. I use one of the major ISPs, and I was beating them up \nrather severely a couple of years ago and now with their system \nI rarely see any spam. I can go see the spam if I want to, but \nI do not have to engage it at all. They are doing good work. \nThey are providing the tools.\n    What I think the biggest challenge is, is getting the point \nacross to consumers, users, home users, this wide base, the \nnecessity that they do certain things. It is sort of like \nchanging the oil in your car. We can build the finest car in \nthe world, but if you do not change the oil in it, it will not \nbe the finest very long because it is going to have problems. I \nthink we need to make this idea of information security as much \na part of our mindset as changing the oil in the car, making \nsure the brake pads are in good shape, or, even more simply, \nlooking to the left and right when you cross the street. There \nis a role, as we have both said, for everyone to play here. I \njust think we have to convey that message to everyone that they \nhave to play this role.\n    Mr. Putnam. Mr. Yoran, the role of the ISP community?\n    Mr. Yoran. Thank you, Chairman Putnam. Similar to \nCommissioner Swindle's comments, I believe we need a common \nresponsibility framework, certainly looking at and pointing to \nresponsibilities and action which ISPs can take up, and many of \nthem are taking up, is one venue for progress. But, similarly, \nthe consumers and the users of technology need to adapt better \npractices. 
They need to place greater emphasis on their cyber \nsecurity and cyber security preparedness. The produce vendors \nand the software community need to adopt better software \ndevelopment practices and take up the responsibility to do \nthat, to make cyber security more understandable. If you were \nnot thrown off by all the technical jargon required to explain \nsome of the vulnerabilities of the past 24 hours, you are in a \nsmall minority. Cyber security is too complex in today's \nenvironment.\n    There is a clear role for educators to improve cyber \nsecurity awareness, ethics, and make more available cyber \nsecurity courses and information so that we can better train a \ncadre of cyber security professionals. And there is a \nsignificant role for industry to play in their information \nsharing and analysis centers and in the operator community to \naddress with a unified front cyber security challenges facing \ntheir industries.\n    Mr. Putnam. Commissioner, what is the role of the law \nenforcement community here? Are they doing an adequate job in \nprosecuting hackers and people who are using spam and using \nspyware and using phishing techniques illegally to defraud \npeople, and are they doing an adequate job of educating the \npublic about the penalties for engaging in that type of \nconduct?\n    Mr. Swindle. I will answer the last question first, whether \nthey are doing a great enough job of educating the public as to \nthe penalties they might suffer. I think we are hampered in \nthis business of technology by the inability sometimes to find \nthe bad guys. Certainly, we at the Federal Trade Commission \nhave pressed cases over the past several years in which large \ncorporations have been called to task for some of their \nnegligence and carelessness in how they protect information, \nand they pay prices in a civil sense, not a criminal sense. \nThey are put under order to not do this again. 
In several cases \nthat I mentioned in my written testimony, a couple of the \ncompanies have at least a 20 year love affair to endure with \nthe Federal Trade Commission because they have to do audits and \nreport to us.\n    As far as the criminals go, I know the spam issue is \nsomething that everybody is familiar with. Finding the \nperpetrators of spam is a very difficult process. We are doing \na number of investigations in the Federal Trade Commission, and \nwe are going to have some results. But oftentimes, as we have \nsaid previously in testimony, when we get to the end of the \ntrail and find the bad guys, there is nothing for us really to \nget other than put him out of business. And for every one of \nthose you put out of business, there is another one that pops \nup.\n    I think we do a pretty darn good job of law enforcement \nunder the laws that we have. I would not advocate for more laws \nother than what has been passed here in the Can Spam Act. We \nare looking at the requirements of that act trying to figure \nout how we successfully employ the requirements of it. We are \ngetting lots of input from industry, from consumer groups, from \nprivacy advocates, from all sorts of people, to help us \nformulate the best possible way we can enforce the law.\n    Part of our education effort is to work with law \nenforcement agencies. In the past year or so, we visited I \nthink it is at least 10 cities speaking to law enforcement \npersonnel telling them about identity theft, because it is \nsingularly, if I remember correctly, the largest complaint we \nget, trying to help them help consumers and victims. And, we \nput out a lot of education materials to try to help consumers \nwho have been victims to work their way out of some of the \nproblems that are created.\n    So, there is a large effort going on. Unfortunately, it is \na target rich environment, and it is difficult to get to \neveryone.\n    Mr. Putnam. Thank you very much. 
Commissioner, I know you \nhave another engagement that you need to attend to. Before we \nconclude, if you would give us the top three things that the \nhome user should do to make their systems more secure.\n    Mr. Swindle. Think. Always think. You know, as I mentioned, \nthe ISPs in the last couple of years I think have done a good \njob and what they have given you is a good spam blocker, they \nhave provided prompted updates of virus protections and \nfirewall protections. If the average consumer, home user would \nemploy a virus program, employ a firewall, keep those up to \ndate, use a spam blocker to narrow down how much garbage comes \nin your computer, and be careful about how you open e-mail and \nthings of this nature, you could avoid a lot of grief because a \nlot of these really bad acts come through, believe it or not, \nthe simple feat of sending an e-mail. It can do a lot of \ndestruction. And employing these simple steps is not a \ndifficult thing to do.\n    Again, it is back to making everybody aware. And we would \nsolicit the help of industry, as we are doing, and we would \ncertainly ask that Congress call on us. We will make materials \navailable. I would like to see, as sort of a goal for all of \nus, see every Member of Congress have a link to the Federal \nTrade Commissionsite as well as the sites that I think you \nmentioned earlier that industry has identified. There is so \nmuch good information out there about how to be safer. And that \nis what we have to achieve--safe computing. And I thank you \nvery much for this opportunity.\n    Mr. Putnam. Thank you very much, Commissioner.\n    Mr. Yoran, top three things home users can do to make their \nsystems more secure?\n    Mr. Yoran. I would agree that the top one is think. 
Many of \nthe mistakes which are made could be easily avoided by folks \ntaking a moment to reflect before opening attachments from \nfolks they have not received e-mail from or from which they are \nnot expecting e-mail. I would encourage folks to subscribe to \nthe National Cyber Alert System to receive tips and information \non how they can protect themselves from online scams, phishing, \nand a wide variety of activities. And to also learn more \nthrough participation in many of the Stay Safe On Line \ninitiatives. Certainly, if turtles can be teenage mutant ninja \nand martial arts experts, they can help America better protect \nour cyber citizens.\n    Mr. Putnam. Thank you very much. I thank the entire first \npanel. And with that, I will dismiss panel I and we will go \ninto recess momentarily as we set up for panel II.\n    The subcommittee is in recess.\n    [Recess.]\n    Mr. Putnam. The subcommittee will convene.\n    I would like to ask the second panel to rise and raise your \nright hand for the administration of the oath.\n    [Witnesses sworn.]\n    Mr. Putnam. Note for the record that all the witnesses \nresponded in the affirmative and have their official souvenir \nphoto of being sworn in.\n    We will move directly to the testimony. Our first witness \nis Larry Clinton. Mr. Clinton is currently the deputy executive \ndirector and chief of staff of the Internet Security Alliance, \na collaboration between the CERT/cc at Carnegie Mellon \nUniversity and one of the Nation's largest trade groups, the \n1,200 member company Electronic Industries Alliance. This past \nyear Mr. Clinton has served as the private sector coordinator \nof the Corporate Information Security Working Group on Market \nIncentives for Improved Cyber Security. Prior to coming to \nISAlliance last year, Mr. Clinton was with U.S. Telecom \nAssociation for 12 years including the last 6 as vice \npresident.\n    We welcome you to the subcommittee. 
You are recognized for \n5 minutes.\n\nSTATEMENTS OF LARRY CLINTON, CHIEF OPERATING OFFICER, INTERNET \n  SECURITY ALLIANCE; ANDREW HOWELL, VICE PRESIDENT, HOMELAND \n SECURITY, U.S. CHAMBER OF COMMERCE; RODNEY PETERSEN, SECURITY \n  TASK FORCE COORDINATOR, EDUCAUSE; AND DOUGLAS SABO, MEMBER, \n      BOARD OF DIRECTORS, NATIONAL CYBER SECURITY ALLIANCE\n\n    Mr. Clinton. ``I am very busy. Do I really need to read \nthis?'' That, Mr. Chairman, is the first line of the ``Common \nSense Guide to Cyber Security for Small Businesses'' which the \nInternet Security Alliance released on its Web site earlier \nthis month.\n    We decided to begin our publication in this unusual way \nbecause during the market research we did preparing the \ndocument we learned a critical fact. That is, that education is \nfar more than simply raising awareness or disseminating \ninformation. Education, resulting in behavior change, requires \nmotivation.\n    The Internet Security Alliance is a collaboration between \nthe CERT/cc at Carnegie Mellon University and the Electronic \nIndustries Alliance. We are an international organization with \nmembership on four continents and a wide variety of economic \nsectors, including banking, insurance, entertainment, \ntraditional manufacturing, as well as telecommunications, \nsecurity, and consumer food products. The ISAlliance runs an \nintensive information sharing program with the CERT/cc and we \nhave taken this information and from it produced a series of \nbest practice guides which are provided free of charge on our \nWeb site.\n    In December of last year, the ISAlliance was asked by the \nNational Cyber Security Summit to produce a best practices \ndocument, this time targeted to small business users. Small \nbusinesses are particularly vulnerable to cyber attack. One out \nof every three small businesses was affected by the MyDoom \nvirus, fully twice the number of larger businesses. 
Obviously, \nlarger organizations have more to lose in terms of absolute \ndollars; however, smaller margins that smaller businesses \noperate under vastly magnify the impact an attack can have on a \nsmall business.\n    Despite the need, there is very little help being offered \nto this community. The very first conclusion reached by the \nBest Practices task force you formed, Mr. Chairman, on the \nCorporation Information Security Working Group, was that \navailable IS guidance as a whole is not readily scalable to \nmeet the varying needs of large, mid-size, and small \norganizations.\n    We decided to approach this project in a market-driven way \nand asked the target audience what they needed to know and how \nwe could best motivate them. We coordinated with the National \nAssociation of Manufacturers, the National Federation of \nIndependent Businesses, and the U.S. Chamber of Commerce. Each \nof these organizations agreed to gather for us a group of their \nmembership and we conducted 10 focus groups, involving nearly \n100 actual small businesses, to discuss their cyber security \nneeds.\n    We learned that small businesses are aware of the potential \nimpact of cyber attacks but they are also aware of the costs \nboth in time and money to constantly keep up with the ever \nevolving threats and vulnerabilities. Attempting to address the \nneeds of small businesses and cyber security without \nrealistically addressing the costs of their full participation \nis shortsighted and will ultimately be ineffective.\n    Having been educated by our audience, we produced a \ndocument that I believe looks unlike any other in the field. To \nspeak to the small business owner's needs, we provided a real \nlist of cast studies drawn from the media, the FBI Web site, \nand reported directly to us during our research. 
These are \nactual cases of small manufacturers, contractors, credit \nunions, hotels, diners, limo services, law firms, accountants, \nand venture capitalists, all of whom have had their businesses \nseverely hurt by cyber attacks. They describe a wide variety of \nsituations we believe the typical small business owner can \nrelate to. We then outlined a 12-step program of cyber security \nspecifically for small businesses including why they need to \ntake the step, how to get started, who needs to be involved, \nthe degree of technical skill required, and, specifically, the \ncost involved.\n    However, more important than the product we produced is \nwhat we learned while we were producing it. For too long, cyber \nsecurity has been thought of as an IT problem with an IT \nsolution. While obviously there are technology elements to \ncyber security, it is also a management problem, it is an \neconomic problem, and it is a cultural problem. And to \nadequately address the need, we need to listen to the IT people \nof course, but also the users, the educators, the marketers, \nand the economists. We need a broad, market-centered, \nincentive-laden approach to the issue, rather than a narrow, \ntechno-centered dogmatic approach.\n    We learned again that to achieve long term behavior change, \nwhich is the goal of education, we need to do more than simply \nshare information. You noted it yourself, Mr. Chairman, in the \nletter you sent inviting us to today's hearing. You said, for \nexample, the Blaster worm infected over 400,000 computers \nworldwide in less than 5 days, despite the fact that the patch \nthat would have prevented the infection had been available for \nover a month. The information was there, Mr. Chairman, but the \nnecessary incentives to use it were not. Speaking as a former \nteacher, who is married to an elementary school teacher with \ntwo small children in school, I can assure you that education \ntakes more than providing information. 
Some students are \nmotivated by praise, some by pride in good grades, some by the \nprospect of tangible rewards. Few are motivated by threats. \nComputer users are no different. Creative thinking needs to be \ndone on the issue of incentives.\n    ISAlliance is taking the lead on this issue. In the first \nquarter of 2003, we signed an agreement with AIG, the world's \nlargest provider of cyber insurance. Under this agreement, AIG \nwill provide premium credits, where permitted, of up to 15 \npercent for companies who will join the Alliance and subscribe \nto our best practices. We believe this is the first operating \nprogram which specifically ties a widely independently endorsed \nset of cyber security best practices specifically to directly \nlower business cost. I understand that today we are here to \ndiscuss straightforward the issues of education. But I would \nurge the Chair to consider another hearing soon to discuss the \ncomplex issues of developing a market incentive program to \ncompliment the educational initiatives.\n    I must thank you and your staff, particularly Mr. Dixon, \nMr. Chairman, for the leadership you have shown in this regard. \nThank you.\n    [The prepared statement of Mr. Clinton follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6315.037\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.038\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.039\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.040\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.041\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.042\n    \n    Mr. Putnam. Thank you, Mr. Clinton.\n    Our next witness is Andrew Howell. Mr. Howell is the vice \npresident of Homeland Security for the U.S. Chamber of \nCommerce, the world's largest business federation. As such, he \nis the organization's principal spokesman on homeland security \nissues and responsible for building and maintaining \nrelationships with the administration and regulatory agency \nleaders. 
He is also responsible for developing the \norganization's overall homeland security policy strategy and \nensuring that it is implemented. Prior to his current position, \nMr. Howell served as senior vice president of the National \nChamber Foundation, a public policy research arm of the U.S. \nChamber of Commerce.\n    Welcome to the subcommittee. You are recognized for 5 \nminutes.\n    Mr. Howell. Thank you and good afternoon, Chairman Putnam, \nCongressman Clay. My name is Andrew Howell. I am vice president \nof homeland security for the U.S. Chamber of Commerce. The \nChamber is the world's largest business federation representing \nmore than 3 million businesses and organizations of every size, \nsector, and region.\n    Thank you for giving me this opportunity to discuss the \nChamber's cyber security awareness efforts with you all. Also, \nMr. Chairman, I would like to thank you for your leadership on \nthis issue, and for recognizing the importance of enhancing \nawareness of cyber security among the public and private \nsectors.\n    ``The National Strategy to Secure Cyberspace,'' released in \nFebruary 2003, called for a comprehensive, national awareness \nprogram to empower all Americans--businesses, the general work \nforce, and the general population--to secure their own parts of \ncyberspace. This strategy asserts that everyone who uses the \nInternet has a responsibility to secure the portion of \ncyberspace that they control.\n    The Chamber supports this view. It is the responsibility of \na person using a product to know how to use that product \nsafely. However, we do not believe that raising awareness is \nthe only step in our journey to enhancing cyber security. \nInstead, it is one very important leg in this trip. 
Enhancing \ncyber security requires the combined efforts of users, \ntechnologists, and senior executives, those that use software \nand hardware, those that make software and hardware, and those \nthat manage enterprises that rely on software and hardware to \nmake the company operate. While technologists have a \nresponsibility to make secure products, end users have a \nresponsibility to use those products securely.\n    A good analogy to this is the automobile. While cars \nprovide individuals with great benefits, they also can be \ndangerous. Therefore, cars come equipped with seatbelts and \nairbags. However, ultimately, it is the driver's responsibility \nto buckle his seatbelt and know how to operate the vehicle \nsafely. The vehicle must be maintained regularly, and when \nthere is a recall notice, the owner has the responsibility to \ntake the car in for repair. At the same time, automakers \ncontinue to design cars with new and innovative features, \nincluding new ones oriented to improve safety, and market them \nto the consumer.\n    By promoting user awareness, we are not, as some maintain, \nblaming users for cyber vulnerabilities. Instead, it is through \nawareness that we highlight the issue of cyber security, inform \npeople what they can do to manage online risks, and, in the \nprocess, create a market of consumers who can intelligently \nfactor security into their purchasing decisions. By informing \nusers about what they can do to enhance their cyber security, \nwe will reduce the number of breaches, mitigate economic \nlosses, and create a market that demands more secure products.\n    Moving the market to demand more secure products is an \nimportant component of enhancing our Nation's level of cyber \nsecurity preparedness. Ultimately, we believe the market is \nbetter able to respond to security challenges than regulations \nwill ever be. 
Whereas market forces propel companies to be \nflexible, innovative, and customer oriented, regulations are \nreactive and constrictive. As companies of all types become \nmore aware of information security risks and protective steps \nthey can take, we are confident they will demand more secure \nproducts. Companies that recognize this market shift and sell \nproducts that exploit it will have an advantage over their \ncompetitors. The market remains a powerful vehicle for \nincreasing cyber security, but before this power is fully \nrealized, we need to better inform consumers on why cyber \nsecurity is an issue that matters to them.\n    For these reasons, the U.S. Chamber of Commerce is \ncommitted to increasing the awareness of cyber security in the \nbusiness community and explaining cyber security in terms that \nbusinesses understand. For too long the issue of cyber security \nhas been talked about in technological terms, as Larry \nmentioned. As a result, many corporate leaders and small \nbusiness owners view it as a technology issue that should be \nsolved by technologists. From our perspective, this is a \nmistaken perception that must be corrected.\n    The U.S. Chamber has regularly used our membership \npublications, including USChamber.com, to provide tips and \nguidance to small business owners, to explain why cyber \nsecurity is important to their businesses, and to offer easy to \nimplement advice on how to better secure their networks. \nIncluded with my prepared statement is one such article which \nappeared in the April edition of our monthly newsletter.\n    Mr. Chairman, my prepared statement details activity the \nChamber has undertaken to implement the awareness component of \nthe National Strategy. Given our limited time, I will not go \ninto detail about these activities. 
However, as you know, the \nChamber co-chaired the Awareness in Education Group that was \ncreated as part of your Corporate Information Security Working \nGroup, and we serve as secretariat of the National Cyber \nSecurity Summit Awareness and Outreach Task Force. Both our \nNational Cyber Security Summit Task Force Report and reports to \nthe CISWG were submitted with my prepared statement.\n    Mr. Chairman, thank you again for this opportunity. I would \nbe pleased to answer any questions at the end of this panel you \nor anyone else might have. Thank you.\n    [The prepared statement of Mr. Howell follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6315.043\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.044\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.045\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.046\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.047\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.048\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.049\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.050\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.051\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.052\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.053\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.054\n    \n    Mr. Putnam. Thank you, Mr. Howell.\n    Our next witness is Rodney Petersen. Mr. Petersen is policy \nanalyst with EDUCAUSE, and the project coordinator for the \nEDUCAUSE/Internet2 Computer and Network Security Task Force. \nEDUCAUSE is a nonprofit association whose mission is to advance \nhigher education by promoting the intelligent use of \ninformation technology. Mr. Petersen recently co-edited the \nbook ``Computer and Network Security in Higher Education.'' He \nwas formerly the director of IT policy and planning in the \noffice of the vice president and chief information officer at \nthe University of Maryland. 
In addition, he was the founder of \nProject Nethics at the University of Maryland, a group whose \nmission is to ensure responsible use of information technology \nthrough user education and enforcement of acceptable use \npolicies.\n    You are recognized for 5 minutes. Welcome to the \nsubcommittee.\n    Mr. Petersen. Thank you, Mr. Chairman and members of the \ncommittee. I want to thank you for the opportunity to testify \ntoday regarding education and awareness for the cyber citizen. \nLater in my testimony, I have a video and some slides I would \nlike to display, and with your permission, Mr. Chairman, I \nwould like them added to the record.\n    By holding this hearing today, you signal the importance of \neducation and awareness as part of an overall strategy to \nimprove the cyber security of the Nation. The present \nchallenges of cyber security require the establishment of a \nlife-long culture of security from the cradle to the grave. And \nto emphasize something you said earlier, Mr. Chairman, in your \nopening remarks, education and awareness is a necessary but \ninsufficient approach to protecting our Nation's cyber space.\n    I am here today, as you said, on behalf of the EDUCAUSE \nInternet2 Computer and Network Security Task Force. EDUCAUSE is \na nonprofit association of nearly 2,000 colleges and \nuniversities. Internet2 develops and deploys advanced network \napplications and technologies for research and higher \neducation, accelerating tomorrow's Internet.\n    EDUCAUSE and Internet2 established a Computer and Network \nSecurity Task Force in July 2000. 
The Security Task Force is \ncoordinating its efforts on behalf of a diverse group of \nassociations and types of educational institutions, including \nresearch universities, State colleges and universities, Land-\nGrant institutions, independent colleges and community \ncolleges; some 4,000-plus colleges and universities across the \nUnited States.\n    The Security Task Force prepared the higher education \ncontribution to the National Strategy to Secure Cyber Space. \nAnd more recently, we participated in the National Cyber \nSecurity Summit. I was a member of the Awareness Task Force \nthat has been previously referenced, where I served as the co-\nchair for the Subcommittee on Schools and Institutions of \nHigher Education. Therefore, my testimony today will address \neducation and awareness from kindergarten through college based \nupon the findings and recommendations of that subcommittee.\n    Colleges and universities have long been interested in \nsupporting the efforts of elementary and secondary schools to \nimprove awareness of students on issues such as cyber ethics \nand security. After all, life-long habits are formed early, and \nthe better we educate students about online safety in the K \nthrough 12 setting, the less we will be required once they \narrive to college. Similarly, cyber security awareness \nfacilitated by schools and colleges will benefit companies and \ngovernment agencies that will eventually employ a new \ngeneration of technology-savvy and security conscious workers.\n    While at the University of Maryland, I was the founder of \nthe group you previously described, Project NEThics. Every \nspring, the university hosts Maryland Day, which so happens to \nbe this coming weekend, and we invite members of the local \ncommunity to come onto the College Park campus for family fun \nand educational activities. 
One year, Project NEThics, in \npartnership with our Prince Georges County computer forensics \nunit, hosted a computer lab where we invited children and their \nparents to participate in activities designed to increase their \nawareness for online safety. We talked to parents about the \nimportant role of adult supervision and watching their \nchildren's online activities and wanting to acquaint parents \nwith the risks and benefits of computer use. And we left \nparents with literature, including an online safety pledge \nprovided by the Center for Missing and Exploited Children.\n    Project NEThics also works closely at the University of \nMaryland with the College of Education to develop seminars for \nteachers and school media specialists on cyber ethics and \nsecurity. This summer, the university will host a conference \nentitled ``Cyberethics, Cybersecurity, and Cybersafety for \nProfessional Educators.''\n    The Consortium on School Networking is a national nonprofit \norganization whose mission is to advance the K through 12 \neducation community's capacity to effectively use technology to \nimprove learning. COSN is currently working to help \nsuperintendents, chief technology officers of local school \ndistricts better integrate effective security practices into \ndistrict management, operations, and the user experience.\n    And CyberSmart is a nonprofit organization that develops \nand provides curricula and training programs for teachers, \nschool administrators, and students.\n    The EDUCAUSE/Internet2 Computer and Network Security Task \nForce has been pursing efforts to increase education and \nawareness in higher education. To this end, we have developed a \nworking group that has identified a set of target audiences, \namong them including executives, all users relevant to this \npanel, members of the information assurance team, users of \nbusiness systems, IT staff, faculty staff, students, and \nguests. 
Individuals interact with technology differently \ndepending on their specific roles or responsibilities and the \neducational levels as well as cultural influences may vary. \nTherefore, education awareness is often customized to meet the \ntarget population. For example, at this time I would like to \nshow you an awareness video developed for students at the \nUniversity of Virginia.\n    Mr. Putnam. We have to keep it short.\n    [Video presentation follows:]\n\n    Student. When I go to UVA----\n    Student. I want to open e-mail attachments from strangers \nand get a virus.\n    Student. I want to post obscene messages on the Internet.\n    Student. Commit fraud using someone else's online identity.\n    Student. I want to run a business from my UVA personal Web \npage.\n    Student. I want to share my address and phone number----\n    Student. My password----\n    Student. My private fantasies with faceless creeps on the \nNet.\n    Student. When I go to UVA----\n    Student. When I go to UVA, I want to leave my e-mail open \nso strangers can read my incoming messages and answer them.\n    Student. Filing a copy I lost by pirating music and posting \nit on the Web.\n    Student. Harass people by sending threatening e-mails or \nchain letters or pornographic URLs.\n    Student. I want to hack into government computers and go to \nFederal prison.\n\n    [End of video presentation.]\n    Mr. Petersen. So I think the video underscores the need for \nmessages that are creative and targeted toward the audience \nthey are intended to address.\n    Because of time, I am going to skip over some further \nslides here that have examples of posters. 
But the one that is \ncurrently before you is a campaign where the slogan is \n``Passwords are like underwear'' and some of the themes are \n``change yours often,'' ``don't leave yours lying around,'' \n``don't share with a friend,'' ``the longer the better,'' ``be \nmysterious.'' And you can get the point that you have to reach \nstudents where they are and humor is a key ingredient.\n    Let me just say one thing and then I will conclude by \ntalking about Cyber Security Day. Several colleges and \nuniversities did recently observe the Cyber Security Day, and \nwe expect a number of campuses to plan activities during the \nweek of October 31st to observe the next Cyber Security Day.\n    In conclusion, first, the improvement of cyber security is \nneeded, and we need to see support both from the public and the \nprivate for what is happening in our schools and institutions \nof higher education. Second, the baseline information that is \nrequired of all users must be kept to a minimum. Third, there \nshould be consistency in the basic awareness messages. And \nfinally, our efforts to increase awareness and education \nregarding cyber security must happen in parallel to the \ndevelopment of more secure technologies. Thank you.\n    [The prepared statement of Mr. 
Petersen follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6315.055\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.056\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.057\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.058\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.059\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.060\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.061\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.062\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.063\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.064\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.065\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.066\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.067\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.068\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.069\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.070\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.071\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.072\n    \n    [GRAPHIC] [TIFF OMITTED] T6315.073\n    \n    Mr. Putnam. Thank you, Mr. Petersen.\n    Our final witness on the second panel is Douglas Sabo. Mr. \nSabo is appearing today in his role as a member of the board of \ndirectors of the National Cyber Security Alliance. He is also \nthe director of government and community relations for McAfee \nSecurity. In that role, Mr. Sabo addresses domestic and \ninternational public policy issues affecting the company and \noversees the company's corporate citizenship activities. McAfee \nSecurity, headquartered in Santa Clara, CA, is a leading \nsupplier of security and intrusion protection solutions for e-\nbusinesses. Mr. Sabo also serves as chair of the Security \nWorking Group of the Business Software Alliance and co-chair of \nDepartment of Commerce's International Outreach Subcommittee of \nthe Economic Security Working Group.\n    You are recognized for 5 minutes.\n    Mr. Sabo. Thank you. I am not sure how I am going to \nfollowup a discussion of underwear. [Laughter.]\n    Good afternoon, Mr. Chairman, Ranking Member Clay, and \nmembers of the subcommittee. My name is Douglas Sabo. 
I am a \nmember of the board of directors of the National Cyber Security \nAlliance and I testify this afternoon on behalf of that \norganization. And as you mentioned, Mr. Chairman, I am also \ndirector of government and community relations for McAfee \nSecurity. I join with my colleagues on this panel in thanking \nyou for your personal leadership on the cyber security issue, \nboth through your series of cyber security hearings as well as \nyour working groups with industry. I also commend your staff \nfor being first-rate on all of these issues.\n    As you have heard others mention, the National Cyber \nSecurity Alliance [NCSA], is a unique partnership among the \nFederal Government, leading private sector companies, trade \nassociations, and educational organizations, including all of \nthe organizations testifying here today. Our fundamental \npurpose is to contribute to our Nation's overall cyber security \nby improving the behaviors of consumers, small businesses, and \nour youth from kindergarten to higher ed. And Mr. Chairman, we \nshare your concerns about bombarding citizens with too many \nmessages from too many sources. We hope that our partnership \nwill contribute to avoiding that problem.\n    Others have already talked today about the overall \nchallenge and the important role that these audiences do play. \nThe NCSA strongly agrees with these assessments. And rather \nthan reiterate this information, I would like to introduce you \nto initiatives that we hope will reach our three main \naudiences. First, for small businesses, the NCSA is developing \ncyber security tool kits to discuss vulnerabilities and threats \nas well as tips and steps for responding. These tool kits, \nwhich will be available in soft and hard copy, will include \nmaterials, guidebooks, and training programs on the cyber \nsecurity essentials. 
We are in discussions with a number of \norganizations to develop and distribute these tool kits, \nincluding the Small Business Administration, InfraGard, the ISP \ncommunity and others, and we hope to begin distribution by mid-\nJune.\n    Second, we are focusing on educating our youth on cyber \nsecurity practices to make sure the next generation of users is \ncyber secure. Through partnering with outside organizations \nsuch as EduCalls and CyberSmart!, we hope to develop and \ndisseminate cyber security curriculum to educators across the \ncountry. These materials already are developed for the K \nthrough 8 audience, with 9 through 12 pending. And to reach our \nyoungest audience, the NCSA also supported a national poster \ncontest in which students were asked to creatively depict the \nimportance of cyber security. We plan to hold this contest \nagain this fall.\n    Finally, I would like to use a couple minutes to focus on \nthe consumer audience. Already the NCSA has launched our \nflagship Web site, www.staysafeonline.info, which received over \n1 million hits in its first month alone. This site contains our \ntop 10 cyber security tips, self-tests, tech talks, and more. \nIn addition, we have held semi-annual National Cyber Security \nDays timed with Daylight Savings Time changes. While these have \nnot been as successful as we had hoped, we are busy working to \nrelaunch these this fall.\n    But what the NCSA is most excited about in the consumer \narea is what we hope will be the cornerstone of the NCSA \neffort, a multi-year national cyber security awareness \ncampaign. This campaign, targeted at home users, will use \npublic service announcements and other creative methods to \nraise awareness of the cyber security issue and steps people \nshould take to protect themselves, and thus all of us. 
While \nour efforts certainly will depend on the resources we are able \nto raise for this campaign, we hope that our national cyber \nsecurity awareness campaign will be on the level of many of \nthose that I am sure you are familiar with, healthy lifestyles, \nwildfire prevention, drunk driving prevention, the importance \nof voting, drug abuse prevention, and terrorism emergency \npreparedness. These broad campaigns have imprinted our culture \nwith a number of easily recognizable campaign catch phrases, \nsuch as, ``Don't drink and drive,'' ``Buckle Up,'' ``Only you \ncan prevent wildfires,'' and ``Take a bite out of crime.'' \nPerhaps our effort will add a new one.\n    Are public awareness campaigns effective? We certainly \nbelieve they can be. Consider please the results of the Ad \nCouncil, a nonprofit organization that uses volunteer talent \nfrom the advertising and communications industries. \nApplications, for example, for Big Brothers, Big Sisters \nmentors increased by 75 percent in the first 8 months of their \ncampaign. Destruction of our forests by wildfires has been \nreduced from 22 million acres to less than 4 million acres per \nyear since their forest fire prevention campaign began. And \nsafety belt usage rose from 14 percent to 79 percent since \ntheir safety belt campaign launched in 1985, saving an \nestimated 85,000 lives. With the proper resources, we believe \nthe NCSA national awareness campaign can achieve the same level \nof success for cyber security behavior. It will not be a silver \nbullet, but together with all the other NCSA efforts as well as \nbroader initiatives to reduce vulnerabilities, improve security \nusability, expand R&D, and enhanced corporate governance, we \ncan truly make a difference.\n    Mr. Chairman and members of the subcommittee, I thank you \nagain for the opportunity to testify today. And I look forward \nto answering any questions you may have.\n    [The prepared statement of Mr. 
Sabo follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6315.074 through T6315.082\n    \n    Mr. Putnam. Thank you, Mr. Sabo. Thank you to all of our \nwitnesses.\n    We will begin with Mr. Clay's questions.\n    Mr. Clay. Thank you very much, Mr. Chairman. Thank you all \nfor being here today.\n    Mr. Clinton, we will start with you. What steps can the \nFederal Government take to use its procurement power to improve \nthe security of computer software? Is the Internet security \nindustry able to agree on some minimal standards for computer \nsecurity hygiene? I guess that is a two-part question.\n    Mr. Clinton. Thank you, Mr. Clay. We do think that the \nprocurement process is probably the best first step for the \nFederal Government to take in terms of establishing benchmarks \nfor appropriate security to be included within products that \nthey purchase. I think what we think is most important about \nthis is that it would be the Federal Government using its \nmarket forces rather than its regulatory forces to encourage \nbehavior. We think absolutely that is the model that is going \nto be most effective is the use of the market. During the \nCorporate Information Security Working Group we discussed this \nquite a bit and talked about how if the Federal Government \ncould act as a model through its procurement practices, as the \nDepartment of Energy already has started, that we might be able \nto make an awful lot of steps, and that has the effect on the \nrest of the market of likely lowering costs, making these sorts \nof devices or procedures more accessible to small businesses.\n    Now the second question, Mr. 
Clay, was whether or not we \ncould agree on standards. It kind of depends on what you are \ntalking about in terms of standards. There is an awful lot of \nstandards activity that is already underway. If what you are \nsuggesting is do we think that the Federal Government should be \npassing legislation or regulation mandating standards, we would \nthink that is the wrong way to go. And let me explain why. It \nis not so much that we are opposed to standards. EIA is one of \nthe largest standards producers in the entire world. It has to \ndo, Mr. Clay, with the nature of the Internet.\n    The Internet is a 21st century technology. Most of the \nregulatory models that we use in the Federal Government now are \n18th century models. The FCC and the SEC are modelled on the \nold ICC which regulated railroads. We are dealing with \nsomething that is entirely different now. We think that for \nsecurity purposes we need a much more dynamic manager of the \nInternet and the only mechanism that we can identify that will \nbe dynamic enough to keep up with the ever-increasing attacks \nand technologies of the attackers is to use market forces. So, \nmore creative use of insurance, more creative use of liability \ncarrots involving marketing for cyber security. And there is a \nrange of things that we identified in our incentives group \nreport we think are far more likely to succeed in our ultimate \naim of achieving cyber security than a federally mandated \nstandard.\n    Mr. Clay. Oh, please do not misunderstand the question. I \nwas just asking could the industry come together and establish \nthe standards. I never made inference to a Federal law, and \nthat is not where I am going with that.\n    Mr. Clinton. I appreciate that. And, yes, we are working on \nthat quite hard.\n    Mr. Clay. Thank you for the answer. Mr. 
Sabo, do you \nbelieve the Federal Government's commitment to cyber security \ntraining and certification particularly at the systems and \nnetwork administrator level is adequate? And how important is \ntraining and certification to cyber security?\n    Mr. Sabo. Thank you, Ranking Member Clay. The National \nCyber Security Alliance itself does not have a particular \nposition on those areas. But if I could speak on behalf of \nmyself and the company that I do work for during the day, I do \nthink, and the organizations that support the NCSA would \nprobably agree, there is significant training going on but that \nthere is always more that could be done. I think we heard from \nthe director of the NCSD previously about the number of \nprograms that are out there, the scholarship for service and \nthe other organizations, and I think there is certainly a lot \nmore to be done. In our purview of the awareness side, we did \ntalk significantly about awareness for home users. But I think \nyou could take what we plan to do for home users and also put \nthat for Federal Government workers, both as users that will \nthen be going home and using their personal systems probably to \neven connect into Federal Government systems, and then also as \nemployees of the Federal Government. So our awareness efforts \ncertainly would be useful for that audience as well.\n    Mr. Clay. OK. I thank you for that comment. Mr. Chairman, I \nthink my time is up.\n    Mr. Putnam. You are welcome to continue.\n    Mr. Clay. OK. Just one more question for Mr. Petersen. \nBefore I ask the question, I just want to make you aware that I \ntoo am a University of Maryland graduate. So fear the turtle. \n[Laughter.]\n    Mr. Petersen. Yes. I was thinking of that earlier when \nDewie was displayed. [Laughter.]\n    Mr. Clay. On a serious note, though, is the Congress \nadequately funding research and development in the cyber \nsecurity area? 
And what other methods could the Federal \nGovernment employ in order to achieve widespread cyber \nsecurity?\n    Mr. Petersen. Thank you for your question. I do think you \nare on the right path to increasing funding for cyber security \nresearch and development efforts. The university environments \nare particularly participating in National Science Foundation \nsolicitations, they currently are reviewing proposals now for a \ncyber trust solicitation. We have been working pretty regularly \nwith the Science and Technology Directorate of the Department \nof Homeland Security, although I note that in their $1 billion-\nplus budget only $18 million are devoted to cyber security and \nmany of us think that is wholly inadequate and perhaps \nsymbolizes that cyber security is not thought to be the \npriority that it should be.\n    Having said that, I think there is more room for funding \nfor R&D. But I do not want us to forget what we are here about \ntoday and certainly what our group represents, which is \nsecuring today's Internet. There are not nearly enough Federal \nGovernment funds available to deal with education and awareness \nof the mass populace, including kids in schools and higher \neducation, and efforts needed to secure our current \ninfrastructure.\n    Mr. Clay. Thank you for that response. Mr. Chairman, I \nyield back the balance of my time.\n    Mr. Putnam. Thank you, Mr. Clay. Mr. Clinton, one of the \nkey ingredients to a successful education and awareness \ncampaign is clarity and credibility of the message. Given your \nexperiences and knowledge of the work to identify cyber \nsecurity best practices, what is the most direct and clear \nmessage that can be conveyed to home users and small \nbusinesses?\n    Mr. Clinton. Thank you, Mr. Chairman. I was thinking of \nthis when you asked the first panel the question. My answer is \na little different. I support their view that people need to \nthink. 
But I think they need to think of their computer in a \ndifferent sense. My experience is that most home users tend to \nthink, and I am saying most home users, not the sophisticates, \nmost home users still think of their computer like it is a TV \nset, that you just turn it on and it provides you things. And \nthat is the wrong way to think of your computer. I think a \nbetter way to think of your computer is like it is a gifted \nchild; it is something you need to work with, it is something \nyou need to interact with, and if you treat it well and protect \nit and develop it, it can do great things, but if you do not, \nit could come back and cause all sorts of tremendous problems. I \nthink we need to get consumers to think of the technology very, \nvery differently.\n    Most of us have become so comfortable with some of the \nrudimentary elements of the Internet we forget that just a few \nyears ago e-mail scared us. I remember when I worked for my \nfirst Member here on Capitol Hill, and I will not say who that \nwas, I had to show him how to turn on the computer. It was not \nthat long ago. But I do not think that we have completely kept \nup with what is really behind this medium. It looks too easy. \nSo I would say what we need to do is we need to get people to \nrethink what it is they are dealing with. They have to have an \nactive relationship with their network, not just treat it as a \npassive appliance.\n    Mr. Putnam. Mr. Howell, your thoughts?\n    Mr. Howell. I agree entirely with Larry. And I would argue \nthat a computer is also a gold mine which has tremendous \npotential and has to be exploited in order to achieve that \npotential. 
In one of our most recent efforts to educate our \nmembership, we were talking to several of our small companies \nwho had no concept of the fact that keeping customer \ninformation--customer invoices, sales lists, sales figures, \nrevenue and expense items, their general ledger--on a computer \nthat was accessible via high speed to the Internet without a \nfirewall and without anti-virus was essentially a security \nrisk. They just had not thought about their computer that way. \nI would agree with Larry, they viewed it as almost an \nentertainment vehicle, something there for their pleasure and \ntheir ease of use, and they did not view any of the risks that \nthe sophisticated users see out there everyday. And it is \nbecause, frankly, we have not done enough to educate people \nabout the threats that are facing them and, at the same time, \nmake action to mitigate those threats possible.\n    Mr. Putnam. What is the appropriate role for the hardware \nand software vending community, not only to provide more secure \nand higher quality products, but also to educate their \nconsumers about basic cyber security practices?\n    Mr. Howell. I think that all three parts of this triangle, \nthe hardware and software vendors as well as the user \ncommunity, must do much more collaboratively to talk about \nrisks, vulnerabilities, and mitigation of risk and \nvulnerabilities. Among large enterprises you are seeing much \nmore collaboration on all three sides of that. But it has taken \na long time to develop and a lot of those things develop based \non trust and years of working with one another and the \ninformation technology industry is relatively young. At the \nsame time, I think that we are seeing more medium-size \nenterprises catch up and do some of this. And the challenge \ntherefore remains the small enterprise community. 
And as Larry \nmentioned, that was quickly viewed within our Corporate \nInformation Security Working Group as an area where there is no \ntargeted information on risk mitigation and what the real \nthreats are. So I think it is a multifaceted process depending \non what particular market you are looking at--the large \nenterprise market, I think it is a collaborative process; \nmedium-size enterprises, I think they are moving toward that \ncollaboration; small enterprises, it is still very much \nawareness and education oriented.\n    Mr. Putnam. Mr. Petersen, your thoughts on that?\n    Mr. Petersen. Your question about hardware and software \nreminded me of a story over the Christmas holidays. I had a \nfriend who subscribed for the first time to Comcast cable and \nwhen he went to the local shopping mall he got a CD and the \ninstallation instructions and he came home and installed it and \nwithin a matter of seconds he got the Blaster worm. And in \ntrying to help my friend troubleshoot the problem, the first \nthing that occurred to me is how come Comcast cable is not \ndistributing information to its customers about the threats \nthat currently existed at that point in time, that when you \nmove from being off-line to broadband you better make sure your \noperating system is up to date, and, by the way, here is a CD \nthat can provide you the latest patches and the latest anti-\nvirus stuff. 
So I think absolutely there is a role for hardware \nand software and other service providers to play in providing \nconsumers with educational and awareness materials.\n    Second, if you think about our parents and students who are \nbuying computers for their children, think if they open that \ncomputer box and there is a label that said, you know, ``Tear \nthis off and be aware, if you do not do X, Y, and Z, you could \nlose your data and all the important work that you put into \nthis machine.'' I do believe that, aside from our role in \neducating and making users aware, hardware and software vendors \ncould help.\n    Mr. Putnam. Mr. Sabo, do you want to add anything to that?\n    Mr. Sabo. Yes, thank you, Mr. Chairman. I do think there is \nsignificant information out there from the software/hardware \nvendors and the ISP community. But I think there is a \nfundamental research need that we all could perhaps support in \nlooking at user behavior, benchmarks, metrics, in order to \nunderstand how we reach these users, what are the best \nmessages--and I do not think there is a one size fits all \nmessage for security; I think what will motivate users will \nvary greatly among them; fundamental research in where to reach \nthem, to what sites to go, what places in the real world and \nthe virtual world to place these messages; and then fundamental \nresearch in who to reach, who are these ``users.'' I think a \nnumber of studies have shown that a majority of home users who \nare doing a lot of the financial transactions in households are \nthe women in the households. I think that would impact \ntherefore where we deliver these messages, what types of Web \nsites, what types of media that perhaps our awareness campaign \nwill target. 
So I think there is a lot of information that is \nout there but, exactly as you said in your opening statement, \nperhaps we run the risk of having too much and we may need to \nreally think about where are the best places to go and to put \nthis information.\n    Mr. Putnam. That is a perfect segue into my next question. \nYou have heard the FTC testify about the turtle, you have Stay \nSafe On Line, there are a number of other approaches to \nincreasing awareness. Is that type of symphony of approaches \nhelpful in that you are hitting different pieces of the \naudiences, or do you believe that there should be a more \ncentralized message, centralized theme, centralized Web site \nfor people to go for information on becoming more secure?\n    Mr. Sabo. I definitely agree that we are in a period of \n``let a thousand flowers bloom.'' And perhaps in a way we have \nbecome victims of our own success, that we have talked about \nthe important need for all these awareness efforts and we are \nstarting to get them. And I think behind scenes we are also \nseeing a lot more effort to do the centralization, but \ncentralization of the organization behind it. So you have the \nfolks who are running these talking to each other much more. \nAnd I think there is a lot of room for improvement in that \narea. We certainly would commit ourselves to being part of any \neffort that would help with that. I do think, at the end of the \nday, each set of users are going to respond to different types \nof messages in different media.\n    Mr. Putnam. Mr. Petersen.\n    Mr. Petersen. I share your concern but I think we are \nheaded in the right direction. I know even EDUCAUSE has more \nrecently become a sponsor of the Alliance. We are working \nclosely with the FTC. And when we look at our colleges and \nuniversity environments, many of them, like Florida State \nUniversity, Florida, University of Maryland, are large \nenterprises. 
So whatever messages we might be targeting toward \nlarge businesses probably apply to our large colleges and \nuniversities. Many of them are small colleges and community \ncolleges and the small business environment messages are the \nsame.\n    One of the things we have worked hard with the Alliance on \nis when you take their top 10 cyber tips, those should be the \nsame top 10 cyber tips that all of our users hear about, our \nstudents, faculty, staff. So rather than us starting from \nscratch or writing our own messages, we are working hard to \nmake sure their messages get put into the appropriate language \nso that we can use them and convey a consistent message.\n    Mr. Putnam. Mr. Clinton, do you want to add something to \nthat?\n    Mr. Clinton. I would agree that the messages should be \nconsolidated. But I do want to caution that there is a problem \nif we think we have the right answer and so all we have to do \nis go out and make everybody understand the right answer. We \nhave published two best practices that we are very proud of and \nthat got endorsed by a lot of people and we thought they were \ngreat. And we took our best practices to the small business \nguys and they said, ``What are you talking about? We do not \nunderstand this. No small business guy would ever read this \nstuff.'' But the technologist people think, hey, this is the \nright message. And we found out by doing the market research it \nwas not the right message.\n    So I think that there needs to be some consolidation with \nregard to messages, that we should not have conflicting \nmessages, for sure. But I do not think we do. I would agree \nwith the rest of the panel that I think we are moving in the \nright direction. But the way messages are presented need to be \ntargeted differently to different audiences. We represent small \ncompanies and we represent enormous companies and they deal \nwith these issues very, very differently. 
I think that the \napproach that we need to take is a market-centered approach. We \nneed to go out to each target market. And small business may \nnot be a target market. Small business may be an enormous \nmarket that needs to be much better segmented within that \nmarket in order to better appreciate these people. There are \nsmall technology companies and there are small marketing \ncompanies, and you talk to these guys in different ways.\n    So I do not think it is quite as simple as saying we have \nthe message, all we have to do is get it out. I think that we \nhave a lot of the right ideas but I think we need to continue \nto work on it and we need to involve the users, we need to \ninvolve the target audiences much more in developing the \nmessages. And I think we are just at the beginning of that \nprocess.\n    Mr. Putnam. Mr. Howell.\n    Mr. Howell. I would agree. But I would just add one thing, \nand that is, you also have to look at the messenger and the \naffinity of the desired market to that messenger. Different \norganizations have different affinity with different type and \nsizes of organizations and companies. And agreed, having the \nsame set or a similar set of messages is essential. But one \norganization that may be the best messenger might have \nabsolutely no affinity with or relation to the target market, \nand therefore, if one were to follow our principles of not \nopening e-mails, for example, from an unknown sender, that e-\nmail would get deleted because there is no affinity to that \nsender. 
So that is the only other issue I would add here.\n    And at the same time, I think the National Cyber Security \nSummit, held last December and an ongoing vehicle, as well as \nNCSA, both have been fantastic vehicles, joining with your \nInformation Security Working Group, in aggregating \norganizations that have been working just in an area of \nawareness alone to sit down at a table, think about how they \ncan multiply or take advantage of their efforts and reduce \nwaste and enhance efficiency and increase awareness. It has \nbeen tremendous. Every week, for example, since we started \nparticipating in your group we have been approached by at least \none other association who wants to join in what we are trying \nto do on education and awareness. That has been one of the most \nrewarding things we have seen so far in all the education and \nawareness efforts.\n    Mr. Putnam. And finally, do you all believe that this issue \nhas risen to the boardroom, to the C-level executives? All the \ntalk about worms and viruses and exploits, some attention \nthrough Sarbanes-Oxley and Section 404, are top level \nexecutives finally treating cyber security as a business risk? \nWe will begin with Mr. Sabo and work down the table.\n    Mr. Sabo. Thank you. I think today, compared to 2, even 3 \nyears ago, we have come a significant way in getting the \nattention to that level. But I think there is certainly a lot \nmore in the corporate governance side between the work that the \nCyber Security Summit Working Group as well as your own has \ndone is significant and the word needs to get out now. And that \nis I think the stage we are at.\n    Mr. Petersen. I would say no. In the college and university \nenvironment, we have a long way to go particularly at the \npresident level and the board level. In fact, I would say that \nis one of the reasons why in my first bullet I said we need \nsupport from the private and government sector. 
It was not just \nreferring to financial support. Many people in government and \ncertainly part of corporations sit on college and university \nboards, and I am hoping the awareness that is being created \nwithin industry and government will translate to board members \ngoing to those board meetings and saying what are you doing \nabout information security on your campus, why have we not \ntalked about it in the context of governance. And I think the \nsame message needs to be carried forward to our presidents and \nchancellors and other executive leaders. We are certainly doing \nour part as our task force to raise awareness, but I think we \ncould use the assistance and support of other executives.\n    Mr. Putnam. Mr. Howell.\n    Mr. Howell. One of the recommendations that we made within \nour National Cyber Security Summit Large Enterprises Working \nGroup was that our ad hoc coalition come together with DHS and \nwe recommended a series of forums across the country with \nsenior DHS officials and CEOs to discuss information security \nand corporate governance. And we hope that DHS will take up \nthat recommendation because we believe that it is essential. I \nwould agree with Doug, we have made progress. But I think much \nmore remains to be done. At the same time, we need to move \nforward with a collaborative approach with a framework similar \nto what the Corporate Governance Task Force of the National \nCyber Security Summit came out with recently. That is a great \nstarting point, one of many materials that are out there. And \nmoving forward with implementation of all of these documents \nis, I think, an essential next step.\n    Mr. Putnam. Thank you. Mr. Clinton.\n    Mr. Clinton. I would have to say that we have maybe taken \nthe first steps in this direction. But, no, Mr. Chairman, we \nhave not at all reached the summit of the CEOs and the COOs. \nJust a couple of facts. 
I heard the first panel talk about how \nthey were under the impression that Gramm-Leach-Bliley, \nSarbanes-Oxley may have increased awareness, and perhaps it has \nincreased awareness some. But the fact is, Mr. Chairman, that \nthe number of incidents last year and again early this year are \ngoing through the roof. The amount of money that is being lost \nis going through the roof. So if there is some increased \nawareness, it is not enough.\n    Another fact. The most recent study that I have seen on \nthis, done by CSO magazine, indicated that most corporations \nthey recommended should be increasing their IT cyber security \nbudget by approximately 33 percent. They went back and looked \nat how many corporations had done that. They found that only 22 \npercent of the corporations had increased it, and only 7 \npercent of the corporations had increased it the amount that \nwas required. So we are a long way away.\n    Mr. Chairman, this I think goes back into the conversation \nwe just had on your last question, finding the right messages \nfor this particular target audience, COOs, CEOs. I do not want \nto cast any aspersions on the CEOs and COOs who fund, frankly, \nmy organization, but the fact of the matter is, Mr. Chairman, \nthey are not going to do this because it is in the national \ninterest. We need to find messages that speak to their \ncorporate interest. We need to find issues that speak to the \ncorporate interest. We need to do a better job demonstrating \nthe return on investment to good cyber security. We need to do \na better job of providing the sort of incentives that level of \ncorporate executive pays attention to--lower business costs, \nless liability exposure. Those are the sorts of things that are \ntalked about in CEO board rooms and CEO discussions. And we \nhave not done that yet. I think that there is a tremendous \namount that we have not yet gotten to in the public-private \npartnership in that area that lays still before us. 
And we are \nenthusiastic about working with the Congress in those areas. \nBut we are just at the first couple steps, in my opinion, sir.\n    Mr. Putnam. Thank you, Mr. Clinton, particularly for your \ncandor. We assume that is not going to be the punch-out quote \nin your monthly newsletter to your members.\n    Mr. Clinton. No, sir. I am going to use your opening \nstatement as our punch-out quote.\n    Mr. Putnam. I want to thank all of our witnesses for your \nefforts in this important arena. I know that your work \ncontinues to help our cyber citizens enjoy the benefits of the \nInternet in a safe and secure manner. I also want to thank Mr. \nClay for his participation today. In the event that there are \nadditional questions that we did not get to today, the record \nwill remain open for 2 weeks for submitted questions and \nanswers.\n    With that, the subcommittee stands adjourned.\n    [Whereupon, at 4:07 p.m., the subcommittee was adjourned, \nto reconvene at the call of the Chair.]\n\n                                 <all>\n</pre></body></html>\n"