[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





  PROTECTING OUR NATION'S CYBER SPACE: EDUCATIONAL AWARENESS FOR THE 
                             CYBER CITIZEN

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 21, 2004

                               __________

                           Serial No. 108-209

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
96-315                      WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, 
CANDICE S. MILLER, Michigan              Maryland
TIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of 
MICHAEL R. TURNER, Ohio                  Columbia
JOHN R. CARTER, Texas                JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee          ------ ------
PATRICK J. TIBERI, Ohio                          ------
KATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont 
                                         (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania             ------ ------
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                  Dan Daly, Professional Staff Member
                         Juliana French, Clerk
            Adam Bordes, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 21, 2004...................................     1
Statement of:
    Clinton, Larry, chief operating officer, Internet Security 
      Alliance; Andrew Howell, vice president, Homeland Security, 
      U.S. Chamber of Commerce; Rodney Petersen, security task 
      force coordinator, EDUCAUSE; and Douglas Sabo, member, 
      board of directors, National Cyber Security Alliance.......    58
    Swindle, Orson, Commissioner, Federal Trade Commission; and 
      Amit Yoran, Director, National Cyber Security Directorate, 
      Department of Homeland Security............................    12
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................    10
    Clinton, Larry, chief operating officer, Internet Security 
      Alliance, prepared statement of............................    61
    Howell, Andrew, vice president, Homeland Security, U.S. 
      Chamber of Commerce, prepared statement of.................    69
    Petersen, Rodney, security task force coordinator, EDUCAUSE, 
      prepared statement of......................................    84
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     5
    Sabo, Douglas, member, board of directors, National Cyber 
      Security Alliance, prepared statement of...................   105
    Swindle, Orson, Commissioner, Federal Trade Commission, 
      prepared statement of......................................    15
    Yoran, Amit, Director, National Cyber Security Directorate, 
      Department of Homeland Security, prepared statement of.....    36

 
  PROTECTING OUR NATION'S CYBER SPACE: EDUCATIONAL AWARENESS FOR THE 
                             CYBER CITIZEN

                              ----------                              


                       WEDNESDAY, APRIL 21, 2004

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2 p.m., in 
room 2154, Rayburn House Office Building, Hon. Adam H. Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam and Clay.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Dan Daly, professional staff member and deputy 
counsel; Juliana French, clerk; Suzanne Lightman, fellow; 
Earley Green, minority chief clerk; and Jean Gosa, minority 
assistant clerk.
    Mr. Putnam. A quorum being present, this hearing of the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order. 
Good afternoon and welcome to another important hearing on 
cyber security.
    I want to welcome you all today to the hearing entitled 
``Protecting our Nation's Cyber Space: Educational Awareness 
for the Cyber Citizen.'' In the past few years, the growth in 
access and use of the Internet, the increase in high-speed 
connections that are always on, and the rapid development and 
deployment of new computing devices has resulted in an 
expanding global computing network. Although these advances 
have improved our quality of life, this global network is 
susceptible to viruses and worms that can circle the world in 
minutes, not to mention the potential of more malicious cyber 
attacks. While businesses, educational institutions, and home 
users enjoy the benefits of using the Internet, they are often 
not adequately informed about the potential dangers that their 
computer systems face if left vulnerable and unprotected. The 
good news is there are solutions and remedies to help mitigate 
the threats; the bad news is awareness of these solutions and 
the practice of safe Internet use is not far reaching. Attacks 
are evolving at a greater speed than preparation.
    This hearing will provide an opportunity to learn about the 
efforts of the Federal Government, trade associations, 
corporations, and nonprofits to raise awareness about the 
importance of cyber security. Today I want to call on all 
stakeholders to take immediate action. All of us have a role 
and a responsibility to implement basic cyber security hygiene 
in order to reduce the potential vulnerabilities that could 
contribute to a successful cyber attack.
    As use of the Internet all over the world grows, so do the 
presence and ambitions of people with criminal and malicious 
intent. Hackers attempt to take over people's computers to 
create ways to send spam, steal information, and launch attacks 
undetected. Criminals try to trick unsuspecting cyber citizens 
to reveal personal information by impersonating respectable Web 
sites, a crime known as ``phishing.'' Consumers on the Internet 
may be tricked into downloading spyware. These programs may be 
harmless, yet extremely annoying, such as delivering a 
continuous stream of pop-up ads. Or they may be malicious, 
extracting information such as passwords and personal 
information for criminal purposes.
    There are existing and emerging protections against these 
threats. Cyber citizens can arm themselves with virus 
protection software to help stop any potential impact of worms 
and viruses. Use of firewalls can help prevent some forms of 
spyware. Of course, after the rapid spread and dramatic impact 
of worms and viruses this past year, I think we all know the 
importance of keeping our systems patched and up to date. 
Security notices are everywhere reminding us not to open e-mail 
from people we do not know, and not to download programs from 
unknown sources.
    However, many Internet users, consumers, nonprofits, 
educational institutions, and businesses do not employ these 
well-known protections. They are either unaware of the risks, 
or unaware of the solutions, or both.
    User awareness is only part of the problem. Many of the 
security problems that users face are rooted in products that 
were designed to deliver functionality, often without adequate 
regard to security. The manufacturers of both software and 
hardware products must accept some responsibility in this area 
and respond to the growing demands of the consuming public for 
improved quality and security. This subcommittee has already 
held hearings on the proliferation of worms and viruses and on 
the issue of software assurance. And I will continue to pursue 
those issues. But I am heartened by what I see as signs that 
the manufacturers are stepping up to the plate. I see an 
increased attention to security that seems to go beyond merely 
lip service. Manufacturers of all levels of notoriety are 
publicly confirming their commitment to providing consumers 
with products that are less ``buggy'' and more secure.
    In an effort to dramatically improve information security 
throughout corporate America, I convened a group of 25 leaders 
from business organizations, as well as representatives from 
academic and institutional communities to form the Corporate 
Information Security Working Group. The intent was to produce a 
set of recommendations that could form the basis of an action 
plan for improving cyber security for businesses and 
enterprises of all sizes and sectors. The group divided into 
subgroups, one of which was the Awareness, Education, and 
Training Subgroup. This subgroup's mission was to identify, 
partner with and build on the good work of organizations that 
have or are developing campaigns to raise awareness on the 
importance of cyber security. Let me pause and acknowledge the 
tremendous work that Commissioner Swindle and the FTC have been 
pursuing for some time now. It is my view that our collective 
efforts can make a difference. The Awareness, Education, and 
Training Subgroup reported recommendations for three categories 
of users--small businesses, large enterprises, and home users.
    For small businesses, the group suggested creating and 
distributing a Small Business Guidebook for Cyber Security that 
explains cyber security risks in terms that are readily 
understood and that motivate small business owners to take 
action.
    For large enterprises, the Awareness, Education, and 
Training Subgroup suggested enhancing distribution of existing 
documents for large enterprise managers. Many organizations, 
including the Institute for Internal Auditors, the Internet 
Security Alliance, and the Business Software Alliance, have 
done great work in this regard. The group believes these 
documents deserve greater distribution and will work with 
organizations representing large corporations to find the 
proper channels for broader dissemination. Furthermore, for 
large enterprises, the group suggested creating a guide for 
information security for C-level executives, such as CEOs, 
CFOs, and COOs. A user-friendly guide for C-level executives is 
necessary to raise the profile of the information security 
issue in terms senior executives can understand. To that end, 
the group is currently working with representatives of large 
business organizations to see how it might collaborate on and 
distribute such a guide.
    Finally, the group suggested targeted efforts aimed at the 
mass market would help educate home users. The group is seeking 
to buildupon existing relationships and forging new 
partnerships between organizations, corporations, and the 
government to help educate the home user base on cyber 
security.
    One of the other subgroups worked diligently on developing 
a set of best practices and guiding principles in information 
security that could apply from the most unsophisticated home 
user to the most sophisticated enterprise. Those efforts have 
produced incredible results, and provided a foundation for the 
Awareness, Education, and Training Subgroup to buildupon.
    In addition to my Corporate Information Security Work 
Group, there are several other organizations, including both 
public and private entities, that are working to improve 
awareness and provide education to cyber citizens. This 
includes a broad base of constituent groups, including the 
education community. Today we will hear about awareness and 
education efforts in the K through 12 community, as well as in 
institutions of higher education. In addition to these 
awareness and education efforts, I am pleased to announce at 
this hearing two partnerships that the Department of Homeland 
Security is undertaking to train information security and 
assurance professionals through our Nation's colleges and 
universities. The Department will be partnering with NSA to 
enhance the Centers of Academic Excellence in Information 
Assurance Education Program to increase the number of 
information security professionals entering the work force. The 
Department will also be partnering with the National Science 
Foundation on a Scholarship for Service Program, which provides 
2-year scholarships for training information assurance 
specialists who in turn make a commitment to work for a Federal 
civilian agency for 2 years. I look forward to hearing more 
about these various initiatives in the testimony today.
    I will note that I do have a concern. I worry that if we 
bombard our cyber citizens with too many messages from too many 
sources, they may become confused and take no action at all. If 
we are to begin a national, intensive campaign to educate 
individuals, and small and medium businesses on cyber security, 
we need to have a collaborative strategy that facilitates the 
delivery of a clear and common message about how folks can 
protect against the threat of a cyber attack. I look forward to 
hearing from today's witnesses that my concern is being 
addressed in a proactive and collaborative manner.
    We must maintain the advantages that multiple channels give 
us for outreach and we must continue to recognize that one size 
does not fit all and that a required level of cyber security 
hygiene will vary depending on the profile of the user. Some 
basic steps are invariably common to most users and today we 
will identify steps being taken to convey that information. The 
more voices repeating the message, the more people are likely 
to hear it and pay attention. It would be difficult in my 
estimation and based on what I have learned to overstate the 
importance and timeliness of such an effort.
    I look forward to the testimony of our witnesses and I 
thank them for their contribution to the cyber security of our 
Nation.
    Today's hearing can be viewed live via Web cast by going to 
reform.house.gov and clicking on the link under live committee 
broadcast.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHIC] [TIFF OMITTED] T6315.001
    
    [GRAPHIC] [TIFF OMITTED] T6315.002
    
    [GRAPHIC] [TIFF OMITTED] T6315.003
    
    [GRAPHIC] [TIFF OMITTED] T6315.004
    
    Mr. Putnam. I would like to welcome the gentleman from 
Missouri, our ranking member of the subcommittee, Mr. Clay, and 
recognize him for his opening remarks.
    Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman, for holding today's 
hearing on ways we can improve our educational efforts in the 
realm of cyber security. I, too, share your concerns and I am 
hopeful that our witnesses can share with us different 
perspectives on effective methods for reaching our goals.
    As our global economy becomes more dependent on the 
efficiencies associated with the information super-highway, we 
must become more aware of the risks and costs associated with 
such advanced technology. Although legislating appropriate 
standards in rapidly changing technologies is, at best, a 
reactive approach to policymaking, we may have few other viable 
options. The ominous threat of widespread and well-orchestrated 
cyber attack would have severe consequences in both real 
economic terms and consumer confidence. If efforts to legislate 
cyber security standards are to be effective, the prevention of 
such attacks through outreach, training, education, and 
awareness must be central to its mission.
    Once again, I believe there are two central components that 
are integral to providing adequate computer security for the 
Federal Government. First, the management of our agencies' 
networks must become a top priority throughout the government. 
This approach should not only include adequate funding for 
computer security, but better stewardship of our critical 
assets and more frequent vulnerability assessments for our 
investments.
    Second, the government must find a way to incorporate 
minimal software and hardware security standards into its 
annual $60 billion investment in information technology. We 
must harness the purchasing power of the Federal Government to 
demand more stringent computer security standards from vendors 
and contractors at every level of the procurement process.
    I want to thank our chairman for his work on improving 
computer security standards through the Corporate Information 
Security Working Group. It is my hope that his collaborative 
efforts with the private sector can bring us closer to 
achieving what have been, to this point, elusive goals.
    Mr. Chairman, this concludes my remarks, and I ask that 
they may be inserted into the record. Thank you.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    [GRAPHIC] [TIFF OMITTED] T6315.005
    
    [GRAPHIC] [TIFF OMITTED] T6315.006
    
    Mr. Putnam. Without objection, so ordered.
    I will move directly into the oath. As is the custom with 
this committee, our witnesses are sworn in.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that both witnesses 
responded in the affirmative.
    We will now move into the testimony. I would like to 
introduce our first witness, Orson Swindle. Mr. Swindle was 
sworn in as Commissioner for the Federal Trade Commission 
December 18, 1997. In December 2001, Commissioner Swindle was 
appointed as head of the U.S. delegation to the Organization 
for Economic Cooperation and Development Experts' Group to 
review the 1992 OECD guidelines for the security of information 
systems. He has a distinguished military career, and served in 
the Reagan administration from 1981 to 1989 directing financial 
assistance programs to economically distressed rural and 
municipal areas of the country. As Assistant Secretary of 
Commerce for Development, he managed the Department of 
Commerce's national economic development efforts, directing 
seven offices across the country. He was State Director of the 
Farmers Home Administration for the U.S. Department of 
Agriculture, financing rural housing, community infrastructure, 
businesses, and farming.
    We welcome you to the subcommittee, and appreciate your 
work in this area. You are recognized for 5 minutes for your 
oral statement. Your written statements, for both witnesses, 
will be inserted into the record. You are recognized.

   STATEMENTS OF ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE 
 COMMISSION; AND AMIT YORAN, DIRECTOR, NATIONAL CYBER SECURITY 
          DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY

    Mr. Swindle. Mr. Chairman, Mr. Clay, and members of the 
subcommittee, I appreciate the opportunity to discuss the FTC's 
work on information security. The views expressed in the 
written statement represent the views of the Federal Trade 
Commission. My oral remarks and responses to questions, of 
course, are my own. This hearing is most timely and I applaud 
the chairman for his leadership on this very vital subject.
    Today, maintaining the security of our information systems 
and networks is essential to every aspect of our lives. We are 
all directly or indirectly linked together by this 
infrastructure. We benefit enormously from these systems; 
however, there are vulnerabilities that threaten the security 
of and do major harm to stored information, the flow of 
information, and the continued viability of the systems 
themselves.
    The FTC has sought to address these vulnerabilities through 
consumer and business education, stressing the fundamental 
importance of good security practices, plus law enforcement 
actions, and international cooperation. Safe computing 
practices by home computer users are especially important in 
our broadband world. Viruses, worms, and dial-up service 
attacks have left a trail of very costly destruction and, as 
the chairman mentioned, it could get worse. To help promote a 
culture of security, the FTC created an information security 
mascot, Dewie the e-Turtle, to educate businesses, consumers, 
and children about the importance of information security and 
the precautions they can take to protect personal information. 
The Dewie Web site has registered more than 600,000 visits 
since its deployment in August 2002. In addition the FTC had 
distributed a video news release seen by 1.5 million consumers; 
we have distributed 160,000 postcards featuring Dewie; and 
information security was the theme of National Consumer 
Protection Week in 2003.
    Our Web site contains tips on how to stay safe on line as 
well as publications addressing issues related to spam, file 
sharing, high-speed Internet access, shopping on line, and 
identity theft. The growing problem of phishing is addressed. 
This is a high-tech scam that uses spam to deceive consumers 
into disclosing their credit card numbers, bank account 
information, Social Security numbers, passwords, and other 
sensitive personal information. This information and our Web 
sites are available to Members of Congress for constituent 
services. Despite our efforts, only about three dozen Members 
of the Congress have their Web sites linked to the FTC Web 
site. I think we can all do better than this.
    The Internet has made us a global community and 
international collaboration is important to ensuring 
information security. The FTC has played a leading role within 
the OECD in revising and implementing its security guidelines, 
urging a widely publicized OECD Web site, and aggressively 
urging member countries to immediately implement the principles 
of information security. We are encouraging our global partners 
to share their experiences with the international community, 
including the APEC, the United Nations, and the TransAtlantic 
Business and Consumer Dialogues.
    The FTC, the Department of Homeland Security, and such 
organizations as the newly formed National Cyber Security 
Partnership of trade associations, which includes the Chamber 
of Commerce, ITAA, TechNet, and BSA, are working individually 
and together to enhance consumer and business education. The 
National Cyber Security Summit met in December 2003 to 
implement the National Strategy to Secure Cyber Space and 
formed five task forces, including one devoted to comprehensive 
awareness. I am pleased that Dan Caprio of my staff 
participated as co-chairman of the awareness task force. That 
task force issued a report recommending a number of very 
concrete proposals to increase consumer awareness, including a 
comprehensive cyber awareness campaign to reach consumers 
through a 3-year national advertising campaign; a partnership 
with ISPs to educate home users about cyber security issues; 
and distribution of a cyber security tool kit through Stay Safe 
On Line.
    The FTC remains committed to expanding our public-private 
partnership and leveraging relationships with consumer groups, 
industry, trade associations, other government agencies, and 
educators to raise consumer awareness. The Commission has used 
its law enforcement authority to address information security 
issues using our authority under Section 5 of the Federal Trade 
Commission Act. To date, the Commission's security cases have 
been based on deception. In four separate settlements with 
companies that collected personal information from consumers, 
including a settlement with Tower Records which was announced 
today, we have alleged that the companies made explicit or 
implicit promises to take appropriate steps to protect 
consumers' information. In fact, we found their security 
measures to be inadequate. We alleged that Tower made specific 
promises to protect personal information provided by consumers 
on its Web site, yet failed to take reasonable and appropriate 
steps to detect and prevent against well-known vulnerabilities. 
The lesson: When you are making changes, do not forget to 
ensure that your security safeguards are in place.
    Through these information security enforcement actions, the 
Commission has come to recognize several principles that govern 
any information security program. First, a company's security 
procedures must be appropriate for the kind of information it 
collects and maintains. Second, not all breaches of information 
security are violations of the Federal Trade Commission law. 
Third, there can be law violations without a known breach in 
security. And fourth, good security is an ongoing process of 
assessing and addressing risk and vulnerabilities.
    The critical reality in our information-based economy is 
that we all have a role to play in protecting cyber space. 
Creating a culture of security is a journey, it is not a 
destination, and leadership will be essential. Thank you for 
this opportunity to appear here today, and I look forward to 
answering your questions.
    [The prepared statement of Mr. Swindle follows:]

    [GRAPHIC] [TIFF OMITTED] T6315.007
    
    [GRAPHIC] [TIFF OMITTED] T6315.008
    
    [GRAPHIC] [TIFF OMITTED] T6315.009
    
    [GRAPHIC] [TIFF OMITTED] T6315.010
    
    [GRAPHIC] [TIFF OMITTED] T6315.011
    
    [GRAPHIC] [TIFF OMITTED] T6315.012
    
    [GRAPHIC] [TIFF OMITTED] T6315.013
    
    [GRAPHIC] [TIFF OMITTED] T6315.014
    
    [GRAPHIC] [TIFF OMITTED] T6315.015
    
    [GRAPHIC] [TIFF OMITTED] T6315.016
    
    [GRAPHIC] [TIFF OMITTED] T6315.017
    
    [GRAPHIC] [TIFF OMITTED] T6315.018
    
    [GRAPHIC] [TIFF OMITTED] T6315.019
    
    [GRAPHIC] [TIFF OMITTED] T6315.020
    
    [GRAPHIC] [TIFF OMITTED] T6315.021
    
    [GRAPHIC] [TIFF OMITTED] T6315.022
    
    [GRAPHIC] [TIFF OMITTED] T6315.023
    
    [GRAPHIC] [TIFF OMITTED] T6315.024
    
    Mr. Putnam. Thank you very much Commissioner.
    Our next witness is Amit Yoran. Mr. Yoran is the Director 
of the National Cyber Security Division of the Department of 
Homeland Security. The National Cyber Security Division 
provides for 24-7 functions, including conducting cyber space 
analysis, issuing alerts and warnings, improving information 
sharing, responding to major incidents, and aiding in national 
level recovery efforts. Most recently Mr. Yoran served as the 
vice president of worldwide managed security services at the 
Symantec Corp., overseeing 24-7 security operation centers 
delivering security services to hundreds of companies in over 
40 countries around the world. Prior to working at Symantec, 
Mr. Yoran founded RipTech, an information security company. He 
also served as an officer in the U.S. military as the 
vulnerability assessment program director for the U.S. 
Department of Defense's computer emergency response team, and 
supported security efforts for the Office of the Assistant 
Secretary of Defense.
    We welcome you to the subcommittee. You are recognized for 
5 minutes.
    Mr. Yoran. Good afternoon, Chairman Putnam and 
distinguished members of the subcommittee. My name is Amit 
Yoran, and I am Director of the National Cyber Security 
Division within the Office of Infrastructure Protection of the 
Homeland Security's Information Analysis and Infrastructure 
Protection Directorate. I am pleased to appear before you today 
to discuss our initiatives addressing educational awareness for 
the cyber citizen. We view cyber awareness as a critical 
component within our mandate to improve cyber security. We have 
implemented measures to reach as many people as quickly as 
possible. Education and training are also critical elements of 
our strategic initiatives to improve the long term cyber 
security posture of our Nation. Education of our cyber 
community on the rules of the road is fundamental for enhancing 
citizen safety in the cyber world.
    The National Cyber Security Division was created to serve 
as the national focal point for public and private sectors to 
address cyber security issues. NCSD is charged with 
coordinating the implementation of the National Strategy to 
Secure Cyber Space. The Department works closely with our 
partners in the Federal Government, at the State and local 
level, as well as with the private sector and academia on a 
variety of programs and initiatives to protect our information 
infrastructure.
    On January 28th of this year, the Department of Homeland 
Security unveiled the National Cyber Alert System, delivering 
targeted, timely, and actionable information to Americans to 
secure their computer systems. We have already issued several 
alerts and a periodic series of best practices and how-to 
guidance pieces. We strive to make the information provided 
understandable to all computer users, both the highly technical 
and those like my wife, who, despite her advanced degrees and 
profession, need this information presented in plain English. I 
am pleased to report that Americans are exhibiting a keen 
interest in the alert system. And on the day of the National 
Cyber Alert System launch we had over 1 million hits to the US-
CERT Web site. Today, more than 250,000 direct subscribers are 
receiving National Cyber Alerts to enhance their cyber 
security. For your reference and for your constituents, I urge 
you to visit www.us-cert.gov and to encourage you to include a 
link to US-CERT on your congressional Web page and recommend 
your constituents sign up for the National Cyber Alert System 
to help them improve their cyber vigilance and protect our 
Nation.
    We have engaged in many media interactions to provide a 
voice of reason in our efforts to improve awareness among the 
cyber citizenry and also reach as many Americans as possible in 
the plain language they can easily understand and act upon. The 
Department of Homeland Security is the sponsor of the National 
Cyber Security Alliance and the Stay Safe On Line, a public-
private effort created to educate home users and small 
businesses on cyber security best practices. Each time we turn 
our clocks ahead and back to account for Daylight Savings Time 
we encourage Americans to review and improve their cyber 
readiness. I challenge each Member of Congress to sponsor a 
cyber security awareness event in your district on October 31, 
the next National Cyber Security Day. Although Cyber Security 
Day is not yet broadly recognized, our continued and joint 
efforts will ensure their future success and effectiveness.
    In addition to awareness, other key aspects of our strategy 
are focused on training and education. Homeland Security is 
actively engaged with our intergovernmental partners and is 
also reaching out to academic institutions to establish 
cooperative relationships. I again cite the two recent 
accomplishments which you previously mentioned in this regard.
    We have signed on to partner with the National Security 
Agency to expand the NSA Center for Academic Excellence in 
Information Assurance Education Program to a broader National 
Centers of Academic Excellence initiative. The program was 
established by the NSA in 1998 to promote higher education in 
information assurance. Universities designated as centers are 
eligible for scholarships and grants through both the Federal 
and Department of Defense Information Assurance Scholarship 
programs. The new, increased scope will accelerate and expand 
the current program to attain national prominence, attract 
participation from other universities, resulting in an 
increased number of cyber security professionals for our 
Nation.
    Second, Homeland Security has partnered with the National 
Science Foundation on the Scholarship for Service program. This 
initiative promotes university level information assurance 
education and places program graduates into the Federal work 
force. The Department of Homeland Security has already hired 
graduates and we are excited about the capability of these 
graduates and the quality of the work force this program is 
producing.
    In addition to these accomplishments, we have identified 
other strategic education programs. We are working with the 
Department of Education, EDUCAUSE, and others to develop cyber 
security programs for the K through 12 curriculum in our public 
schools. It is imperative that we educate and raise America's 
youth in a culture which fosters prudent cyber security 
practices and ethics. Our goal is to ensure that all computer 
users understand the rules of the road for cyber security and 
are empowered to stay safe on line.
    Thank you for opportunity to testify before you today. I 
would be pleased to answer any questions that you have at this 
time.
    [The prepared statement of Mr. Yoran follows:]

    [GRAPHIC] [TIFF OMITTED] T6315.025
    
    [GRAPHIC] [TIFF OMITTED] T6315.026
    
    [GRAPHIC] [TIFF OMITTED] T6315.027
    
    [GRAPHIC] [TIFF OMITTED] T6315.028
    
    [GRAPHIC] [TIFF OMITTED] T6315.029
    
    [GRAPHIC] [TIFF OMITTED] T6315.030
    
    [GRAPHIC] [TIFF OMITTED] T6315.031
    
    [GRAPHIC] [TIFF OMITTED] T6315.032
    
    [GRAPHIC] [TIFF OMITTED] T6315.033
    
    [GRAPHIC] [TIFF OMITTED] T6315.034
    
    [GRAPHIC] [TIFF OMITTED] T6315.035
    
    Mr. Putnam. Thank you, Mr. Yoran. I appreciate your being 
here today. You have had an interesting week. I would like to 
give you the opportunity to elaborate on the Cyber Alert that 
you have issued and if you would give some comment to this 
subcommittee on the nature of the vulnerability and the status 
of efforts to remedy that vulnerability on the Internet 
routers.
    Mr. Yoran. Thank you, Chairman Putnam. The creation of the 
National Cyber Alert System allows us to reach out directly to 
a large number of operators in cyber space with information 
targeted to them on how they can best protect their systems or 
the systems which they are responsible for. In a number of 
recent cases, vulnerabilities have been brought to our 
attention which would cause specific routers to malfunction and 
become inoperable and not pass the traffic which they were 
intended to pass. This vulnerability is not information which 
is actionable to most home users, but certainly through our 
targeted delivery mechanism we can reach out to the cyber 
security community and provide this information to them. The 
detail and accuracy of the information allow the Department of 
Homeland Security and the Federal Government to work closely 
and cooperatively with the private sector. In an alert we 
issued late last night, we worked closely with Cisco, who 
proved to be a valuable partner to the Department of Homeland 
Security and the Nation in being very forthright about a 
vulnerability which was brought to their attention in their 
close working relationship with the US-CERT and the Department 
of Homeland Security, and, perhaps most importantly, with their 
customers, to assure that Internet backbone services and 
routers were adequately protected in an expeditious fashion.
    Mr. Putnam. Why was it the British Government who revealed 
the vulnerability and not the Department of Homeland Security 
in our own country?
    Mr. Yoran. I will not comment on the logic behind the 
British Government releasing this vulnerability on their 
specific timeline. Given the availability of that information, 
it was important for the Department of Homeland Security, 
working with Cisco and key Internet service providers, to put 
out and make as broadly available as possible some technical 
information with an appropriate level of detail so that folks 
knew how best to protect themselves. I am happy to report that 
while this is a significant vulnerability, those warnings were 
rapidly heeded by much of the backbone community and the 
likelihood of significant Internet disruption as a result of 
this vulnerability has been minimized.
    Mr. Putnam. My understanding is, and correct me if I am 
wrong, that the potential for this vulnerability has been known 
for some time; it was not known that anyone could exploit it. 
Is that the case? And if so, how long has your office been 
aware of the existence of this potential vulnerability? And the 
followup would be, are there others that until now people have 
thought were not exploitable that we should be addressing and 
that people should be aware of?
    Mr. Yoran. Chairman Putnam, I would welcome the opportunity 
to brief you in a smaller forum, a more confidential venue on 
some of the pre-public announcement activities and coordination 
on what information was released and which communities we 
worked with to best serve the public interest and protect the 
Nation.
    In terms of specific exploit code, in terms of specific 
vulnerabilities which were known about and have recently had 
exploit code developed, there have been a series of 
vulnerabilities discovered over the past 24 hours. In fact, two 
alerts have been issued on very similar topics over the past 24 
hours. One of those alerts, the one dealing with the border 
gateway protocol, the more commonly adopted best practices 
approach to router management would significantly mitigate the 
risk and exposure an organization would experience, again 
highlighting the need for best practices and best practice 
guidance such as your working group produced and is available 
from NIST and from many of the vendors.
    For the second of the recent vulnerabilities discovered, it 
is in fact a new vulnerability discovered in a specific 
vendor's implementation of the Simple Network Management 
Protocol.
    Mr. Putnam. I think that Mr. Clay and I both would 
appreciate the opportunity to discuss other issues in the 
appropriate forum and setting. But for the purposes of this 
hearing, let me just ask, is security enhanced by a fundamental 
shift from the Internet to IP-6?
    Mr. Yoran. Mr. Chairman, there are some very promising 
characteristics of IP version 6 which have security enhancing 
capability which have significant impact on how the Nation or 
the infrastructures might defend against some of the threats we 
face today. Many attack techniques which deal with exhaustive 
searching of Internet addresses, looking for vulnerabilities 
are much less practical in an IP v. 6-type of environment. 
Through a number of efforts within the Department of Homeland 
Security's Science and Technology Directorate, we are investing 
in a better understanding of IP v. 6's effect on Internet 
security. The Department of Commerce has a very active effort 
in understanding the implications of IP v. 6 and the adoption 
of IP v. 6 from a security perspective. It is important, 
however, to also recognize that many of the vulnerabilities 
which exist and many of the attack techniques which exist are 
not going to go away with the increased adoption of this new 
protocol.
    Mr. Putnam. Thank you. I appreciate that very much. We will 
return to the theme of the day.
    Commissioner Swindle, the evidence clearly indicates that 
computer users of all levels of sophistication are potential 
victims of worms and viruses and denial of service attacks. Who 
are the target audiences of the efforts by the FTC and, in Mr. 
Yoran's case, the cyber security division to address 
improvements in cyber security? I assume that the cyber turtle 
is not speaking to large enterprises. But in general, as you 
prioritize your audience, who is at the top of the list?
    Mr. Swindle. Mr. Chairman, the cyber turtle is actually a 
very sophisticated creature. He is handsome and he is affable 
and he was modeled after me, so let us be careful how we talk 
about him. [Laughter.]
    Mr. Putnam. Mr. Clay and I would like to meet him. Can we 
call him as a witness? [Laughter.]
    Mr. Swindle. The FTC has traditionally been involved with 
consumer protection matters and consumer education is a large 
aspect of how we go about doing our business, both from the 
antitrust side as well as the consumer protection side. It is 
all to enhance consumer welfare. We have a tremendous amount of 
experience in consumer education and our efforts with Dewie the 
e-Turtle have been addressed primarily to consumers and small 
businesses. However, in the process of finding better ways to 
communicate with consumers, we deal with industry associations 
and large businesses on a constant basis and have established 
some rather good relationships with these companies, seeking a 
better understanding of the problems, seeking their advice on 
how they market to their customers, and we learn together from 
each other's experiences. So, it is a rather comprehensive 
approach to educating the consumer.
    The target primarily is the broad base. If you can imagine 
a triangle of people concerned with computer and information 
systems security, the broad base of the triangle would be 250 
million consumers here in the United States, and then we can 
multiply by all the people in the world who are also involved 
in this. Then we get up to higher levels of corporate 
involvement, lower levels of small business involvement, but 
yet the base is broad and the triangle narrows as you go 
higher. So our focus is on the broad base consumers, and we 
work closely with industry, small businesses, and associations 
to try to convey our message.
    Mr. Putnam. Thank you. We look forward to Dewie joining the 
great pantheon of other public servant characters like Woodsie 
the Owl, Smokey the Bear, and McGruff the Crime Dog.
    Mr. Swindle. That was the motivation behind my asking three 
bright young people, I said ``I want a Smokey the Bear to be 
our spokesperson.'' and they came up with Dewie. And it has 
been fairly successful.
    Mr. Putnam. Well, good.
    Mr. Swindle. At the Federal Trade Commission, while we have 
the potential and expertise to do a lot of consumer education, 
we are a relatively small agency. We've got Dewie launched, and 
we are hoping that industry will pick it up and expand it. And 
it has expanded. We have Dewie appearing in schools and on 
television and with industries, and we have many industries and 
associations of industries linked to our Web site in which you 
will see the presence of Dewie on each one of those, as well as 
the OECD, for that matter, in the international world. They are 
still trying to figure him out over in Germany, but they will 
get there.
    Mr. Putnam. Thank you, Commissioner. At this time, I would 
like to yield to Mr. Clay for his first round of questions.
    Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman. I appreciate it.
    Mr. Yoran, welcome to the committee. Can you describe for 
me the procedures that are in place to work with the private 
sector in circumstances that DHS advisories or warnings are 
necessary? For example, did the Department of Homeland Security 
collaborate effectively with Microsoft and the anti-virus 
companies during the recent wave of cyber attacks?
    Mr. Yoran. Thank you, Congressman Clay. The Department of 
Homeland Security, through the efforts of the U.S. Computer 
Emergency Readiness Team, have several venues and interaction 
points with which we are working with many entities in both the 
public and private sector. In many cases, before issuing a 
specific alert, in cases such as the recent Cisco alert which 
was published, in cases like recent viruses alerts and 
vulnerabilities in specific vendor operating systems such as 
MicroSoft, we have worked with and collaborated with those 
companies to assure that the information which we are providing 
is, in fact, technically accurate and that we are adequately 
providing enough information in an actionable fashion so that 
the public can work with the vendors providing those specific 
software packages on how they can best protect themselves. 
Further, our collaboration with the private sector extends 
beyond the vendor community and into the critical 
infrastructure owner-operator community, working closely with 
numerous ISACs, numerous industry associations, other 
information sharing organizations, and cyber security 
professionals and experts in the private sector to help them 
best assess the impact of these vulnerabilities on their 
specific industries.
    Mr. Clay. An extensive network of consulting going on 
there.
    Mr. Yoran. Yes, sir. There exists an extensive network and 
numerous interaction points which we are continually refining 
and expanding upon in a series of public-private partnerships.
    Mr. Clay. Thank you. In creating the Homeland Security 
Department, Congress moved the Federal Computer Response Team 
from GSA to Homeland Security. Has this move contributed in a 
positive manner in the ways in which DHS now responds to cyber 
attacks? Did anyone leave the agency rather than move, as we 
saw with some other agencies?
    Mr. Yoran. Well, sir, I could not provide details at this 
point as to whether anyone moved or not. I can certainly assure 
you that a number of highly qualified experts came into the 
Department of Homeland Security with the transition of the Fed-
CERT capability and that Fed-CERT is very active in helping the 
Federal Government understand, address, and respond to 
vulnerabilities and malicious activities as they are discovered 
and as they occur. Earlier this morning, in fact, the Fed-CERT, 
Larry Hale, who is the Assistant Director of the US-CERT and 
the Director of Fed-CERT, conducted a conference call with OMB, 
under the leadership of Karen Evans, and the entire CIO 
council, we had representation there from the US-CERT, we had 
representation from Cisco, to help provide specific detail on 
the recent vulnerabilities, as, again, an illustration of how 
that Fed-CERT capability has translated into rapid capability 
for the Department of Homeland Security in addressing cyber 
security threats. We additionally conducted coordination 
activity with the chief information security officers of the 
Federal Government over the past 24 hours with respect to this 
specific vulnerability.
    Mr. Clay. OK. Thank you for that response.
    Mr. Swindle, from a business perspective, do you view the 
software security industry as competitive and cutting-edge, or 
are there limited participants that may impact the availability 
of products or the cost of these products? How do you view the 
industry as far as from a business perspective?
    Mr. Swindle. If I understand the question correctly, Mr. 
Clay, there is no doubt in my mind that we have very 
competitive companies out there attempting to come up with 
better and better and more acceptable, I mean that from the 
standpoint of consumer acceptability, products. As Chairman 
Putnam mentioned earlier, we have gone through this 
evolutionary process of getting into this world of cyber space 
and companies raced out, competitively, I might add, to try to 
acquire customer base, they had bells and whistles galore. Not 
many people were thinking too much about security or privacy 
for that matter, which has been a major concern of the Federal 
Trade Commission over the past few years. I think today, 
certainly on the privacy matter, these competitive companies 
are paying attention to it, and now I think they are focusing 
on security, and we are seeing better and better products from 
a security standpoint.
    I think we will eventually see an evolution, and I think 
this is driven by the capacity of technology to accommodate it. 
I mean, everybody sort of knows what we want to do, getting the 
technology that will do it economically is another question. We 
are seeing us progress to a point where more and more 
computers, especially home computers, the personal devices that 
the masses of people use, will have baked into them more and 
more security and privacy attributes that will hopefully take 
some of the necessary action away from the user and make it 
automatic. I guess probably the best analogy I have found 
throughout this whole discussion has been the automobile. I can 
remember and I guess, I am looking around the room here, I may 
be the only one in here that can remember the way automobiles 
were back in the early 1950's. There were an awful lot of 
things we had to do then that we do not even know exist today. 
So I think we will see this industry progress that way. We have 
tremendous private sector companies trying to do good work, and 
they are working very hard at it.
    Mr. Clay. I thank you for that response. One other 
question. From your perspective, are there additional measures 
that the Federal Government ought to pursue to strengthen 
security measures taken by those in private industry? And are 
there economic-based computer security hygiene standards or 
other mechanisms in the marketplace?
    Mr. Swindle. I think the answer to that question is 
multifaceted. It is going to take all of us working on it. It 
is going to take legislative pressure, it is going to take 
regulatory pressure, it is going to take competition pressure. 
As I said, we all got out front providing bells and whistles 
and nobody thought about security. Now, the company that gets 
ahead of its competition is one that is providing good 
security. So I think all these forces together are going to 
play a role. I think the chairman's program with the private 
sector and the initiatives he has taken are good. He has sort 
of waived the flag of regulation or some new law, and it is 
just amazing how that inspires people to get moving.
    Mr. Clay. To get together, right.
    Mr. Swindle. And I do the same thing. I say either you do 
it--it is like the old Fram oil filter commercial where the guy 
holds it up and says either you buy one of these now or I will 
see you over here, and there is a smoldering engine over here. 
So, legislation alone will not solve this problem. It is moving 
too fast. By the time the Congress enacts legislation, that 
problem has come and gone and we have a new one. I just do not 
think legislation alone is a solution. But I do think we 
progress if we are all pushing each other, challenging each 
other, and we continue this dialog in search of the right 
answer--because we all have a stake in this. We all have a 
selfish interest in getting it right because we are going to 
pay the price either as a home user whose computer which costs 
$700 got a virus and destroyed it, he has an interest in it, as 
well as Microsoft and AOL and all these other big guys, and the 
Federal Government. So we all have to work on this and push.
    Mr. Clay. Thank you for your response, Mr. Swindle.
    Mr. Swindle. Yes, sir.
    Mr. Putnam. Thank you, Mr. Clay. Before I get back into 
some more questions, I would like to introduce Matthew Jaunce, 
from Laughton-Childs Middle School in Lakeland, FL, who has a 
class assignment of shadowing a member of the community, 
hopefully a productive member of the community, unfortunately, 
he chose to shadow a Congressman. But Matthew, wave your hand, 
and welcome to Washington.
    [Applause.]
    Mr. Putnam. Commissioner Swindle, is there an estimate on 
the amount of economic impact or harm that has been done 
through phishing, phishing with a P?
    Mr. Swindle. P-H.
    Mr. Putnam. Phishing with a P-H.
    Mr. Swindle. I struggle with that also. I do not know, Mr. 
Chairman, if we have an accurate quantitative assessment of how 
much of a problem it is. But we know that identity theft is 
very large. I think we did a survey here recently, I think it 
was last September, in which it is estimated, if I remember 
correctly something on the order of 27 million people over the 
past 5 years have had some unfortunate engagement with identity 
theft. As you certainly know, and as I mentioned earlier, 
phishing is a process whereby people are tricked into giving 
vital information such as their names and their Social Security 
numbers. Those two items alone can lead to an awful lot of 
mischief on the part of bad guys because they can use those two 
pieces of information to get credit cards, and by the time you 
catch them, your credit report has been done such damage it 
will take you years to get over it. These are serious problems 
and phishing is expanding.
    There are lots of different things that could help curtail 
it. But I still contend the one thing that will help most is 
individual responsibility. And for people to be responsible and 
protect themselves they have to know what is happening. And 
that is a part of our consumer education program, to let people 
know the kinds of bad things that go on. We are seeing good 
signs. There is a commercial running on at least cable 
networks, because that is about all I get a chance to look at, 
advertising, if I remember correctly, a shredder. It shows a 
guy rummaging through a trash can, and he finds some stuff, 
puts it in his pocket, and the owner of the trash can drives 
up. It is late in the evening, and the guy who is rummaging 
through the trash can says, ``Hi, Tom'' or something to that 
effect, as if he knew this guy, and the guy has a puzzled look 
on his face. So much of this information does come from trash 
cans and mishandled information, carelessly handled 
information.
    So the problem of phishing, I cannot give you quantitative 
numbers on it, but I can assure you it is growing. The damage 
caused by bits and pieces of personal information falling into 
the wrong hands either by people losing it, which tends to be 
the dominant way, or somebody stealing it through the 
technology of computers is major. Very large.
    Mr. Putnam. As a corollary to that, has any action been 
taken to prevent the deliberate construction of Web sites that 
prey on people's misspellings and particularly target children, 
a common misspelling of Britney Spears would lead you into a 
pornographic site, or, the most common one, whitehouse.com 
instead of whitehouse.gov. I know that is not exactly a cyber 
security issue, but since we are talking about protecting the 
home user, that certainly is an important piece. Has anything 
been done on that where they deliberately construct a Web site 
to lure children into these sites?
    Mr. Swindle. We have had a couple of cases which go back a 
couple of years. One we refer to as ``Fat Finger Dialing,'' or 
something of that nature. But we have taken some action against 
people who do these kinds of things. Again, it is a large world 
out there. I do not recall many complaints of recent times 
about that because I frankly think people are sort of savvy to 
this and pick up on it. But it is certainly out there, and it 
is another pitfall that people can fall prey to.
    Mr. Putnam. Sure. Mr. Yoran, what has been the impact of 
current and recent legislative initiatives such as Graham-
Leach-Bliley, HIPPA, and Sarbanes-Oxley on improving 
information security, not just for the regulated sectors but 
throughout corporate America?
    Mr. Yoran. Chairman Putnam, some of the corollary effects 
of both existing legislation and some of the proposed 
legislation is an increased visibility of cyber security 
issues, an increased awareness in the private sector of their 
responsibilities, and an increased focus on execution of cyber 
security practices in the private sector.
    I will also add, given the opportunity, to some of the 
comments Commissioner Swindle made earlier in terms of cyber 
crime. I certainly commend the Department of Justice's focus in 
the protection of children and going after child pornography, 
and also commend various efforts in the private sector to help 
curtail this type of activity, specifically America OnLine and 
other organizations which are providing an infrastructure and a 
much safer environment for America's youth in terms of their 
cyber security and their exposure to some of these threats.
    Mr. Putnam. What steps has your division taken to motivate 
the private sector to report intrusion incidents, and how is 
that information protected so as not to produce a competitive 
disadvantage for those people who are doing the right thing and 
coming forward with that information?
    Mr. Yoran. There are a number of initiatives underway to 
help encourage collaboration with the private sector, one 
component of which is the reporting of incidents. Certainly, in 
our technical alerts and in delivering technical information 
and assistance, guidance to the private sector is one form of 
activity underway which encourages and has resulted already in 
the private sector's willingness to discuss cyber security 
issues with the Department of Homeland Security and we are 
confident that will continue. Additionally, sharing the 
increased practices around information sharing not only within 
the public sector, but from the public sector to the private 
sector have encouraged increased collaboration with the private 
sector. Again, I will cite two recent interactions with Cisco 
as the US-CERT and Cisco's willingness to be very forthright 
with us and use us as one mechanism for their outreach to their 
customers and the set of people who may be affected by recent 
vulnerability discoveries.
    Mr. Putnam. Commissioner Swindle, do you believe that some 
of the recent legislation like HIPPA, and Graham-Leach-Bliley, 
and Sarbanes-Oxley have aided in improving information security 
throughout corporate America?
    Mr. Swindle. In a word, yes. I think again back to that 
pressure, and I think it has brought a greater awareness among 
corporate America, and the consumers, and vendors, and clients 
and customers that this is serious business. And while some of 
it may be an enormous burden, as oftentimes legislation tends 
to be, we have to keep working to minimize those burdens while 
at the same time, where it is possible through legislation, put 
in place measures that will improve the circumstances.
    I think getting corporate America's leadership focused on 
this, getting boards of directors focused on this, on why it is 
important, and the bottom line is why it is important for most 
of those people, that will help us create this culture of 
security that I mentioned. I do not know of a better way that 
we can solve this problem or at least minimize this problem. I 
do not know that we will ever solve the problem because 
technology is moving too much, but when concerns about 
information security and privacy of customers and clients and 
the information that pertains to them becomes part of a 
corporate culture, it will be the way we do things as opposed 
to something we have to do. I think in this new world in which 
we are living, knowing that is what we should be responsible 
for doing, that this is what we ought to do for the benefit of 
the corporation ought to be a part of that company's culture. 
It is the establishing through audit and other means of how the 
company does business and certifying the ethics, the morality, 
if you will, the proper procedures that they use for their 
corporation.
    I think that is just a part of the new world that we live 
in. And more and more corporate leadership is realizing this 
and they will adopt it because I think they represent 
responsible companies that want to do well. I think they are 
going to have to do these kinds of things to do well. I would 
hope they would do it of their own initiative as opposed to 
having to have a law that says you have to do this. This is 
common sense. It is the right thing to do.
    Mr. Putnam. What is the role of the ISP community in 
serving as a communications channel to computer users about 
computer security hygiene and cyber ethics?
    Mr. Swindle. I think they have a large responsibility in 
this and, as I mentioned I think in my oral testimony, a part 
of the recent task force on comprehensive awareness, one of the 
features of it, initiatives of it would be to have the ISPs 
engage in a lot of consumer education. The ISPs have two big 
problems. One is all this stuff flooding in on top of it which 
is consuming its resources, causing it great expense. And on 
the other side of that, the ISPs push, and e-mail comes to mind 
right away because that is what most consumers are engaged in 
and that is where an awful lot of this mischief goes on, the 
nuisances go right out to consumers. The ISPs I think have made 
remarkable progress, certainly the major ones, and I am sure 
some of the smaller ones have done so also, over the past 
couple of years in providing their subscribers with great 
tools. I use one of the major ISPs, and I was beating them up 
rather severely a couple of years ago and now with their system 
I rarely see any spam. I can go see the spam if I want to, but 
I do not have to engage it at all. They are doing good work. 
They are providing the tools.
    What I think the biggest challenge is is getting the point 
across to consumers, users, home users, this wide base, the 
necessity that they do certain things. It is sort of like 
changing the oil in your car. We can build the finest car in 
the world, but if you do not change the oil in it, it will not 
be the finest very long because it is going to have problems. I 
think we need to make this idea of information security as much 
a part of our mindset as changing the oil in the car, making 
sure the brake pads are in good shape, or, even more simply, 
looking to the left and right when you cross the street. There 
is a role, as we have both said, for everyone to play here. I 
just think we have to convey that message to everyone that they 
have to play this role.
    Mr. Putnam. Mr. Yoran, the role of the ISP community?
    Mr. Yoran. Thank you, Chairman Putnam. Similar to 
Commissioner Swindle's comments, I believe we need a common 
responsibility framework, certainly looking at and pointing to 
responsibilities and action which ISPs can take up, and many of 
them are taking up, is one venue for progress. But, similarly, 
the consumers and the users of technology need to adapt better 
practices. They need to place greater emphasis on their cyber 
security and cyber security preparedness. The produce vendors 
and the software community need to adopt better software 
development practices and take up the responsibility to do 
that, to make cyber security more understandable. If you were 
not thrown off by all the technical jargon required to explain 
some of the vulnerabilities of the past 24 hours, you are in a 
small minority. Cyber security is too complex in today's 
environment.
    There is a clear role for educators to improve cyber 
security awareness, ethics, and make more available cyber 
security courses and information so that we can better train a 
cadre of cyber security professionals. And there is a 
significant role for industry to play in their information 
sharing and analysis centers and in the operator community to 
address with a unified front cyber security challenges facing 
their industries.
    Mr. Putnam. Commissioner, what is the role of the law 
enforcement community here? Are they doing an adequate job in 
prosecuting hackers and people who are using spam and using 
spyware and using phishing techniques illegally to defraud 
people, and are they doing an adequate job of educating the 
public about the penalties for engaging in that type of 
conduct?
    Mr. Swindle. I will answer the last question first, whether 
they are doing a great enough job of educating the public as to 
the penalties they might suffer. I think we are hampered in 
this business of technology by the inability sometimes to find 
the bad guys. Certainly, we at the Federal Trade Commission 
have pressed cases over the past several years in which large 
corporations have been called to task for some of their 
negligence and carelessness in how they protect information, 
and they pay prices in a civil sense, not a criminal sense. 
They are put under order to not do this again. In several cases 
that I mentioned in my written testimony, a couple of the 
companies have at least a 20 year love affair to endure with 
the Federal Trade Commission because they have to do audits and 
report to us.
    As far as the criminals go, I know the spam issue is 
something that everybody is familiar with. Finding the 
perpetrators of spam is a very difficult process. We are doing 
a number of investigations in the Federal Trade Commission, and 
we are going to have some results. But oftentimes, as we have 
said previously in testimony, when we get to the end of the 
trail and find the bad guys, there is nothing for us really to 
get other than put him out of business. And for every one of 
those you put out of business, there is another one that pops 
up.
    I think we do a pretty darn good job of law enforcement 
under the laws that we have. I would not advocate for more laws 
other than what has been passed here in the Can Spam Act. We 
are looking at the requirements of that act trying to figure 
out how we successfully employ the requirements of it. We are 
getting lots of input from industry, from consumer groups, from 
privacy advocates, from all sorts of people, to help us 
formulate the best possible way we can enforce the law.
    Part of our education effort is to work with law 
enforcement agencies. In the past year or so, we visited I 
think it is at least 10 cities speaking to law enforcement 
personnel telling them about identity theft, because it is 
singularly, if I remember correctly, the largest complaint we 
get, trying to help them help consumers and victims. And, we 
put out a lot of education materials to try to help consumers 
who have been victims to work their way out of some of the 
problems that are created.
    So, there is a large effort going on. Unfortunately, it is 
a target rich environment, and it is difficult to get to 
everyone.
    Mr. Putnam. Thank you very much. Commissioner, I know you 
have another engagement that you need to attend to. Before we 
conclude, if you would give us the top three things that the 
home user should do to make their systems more secure.
    Mr. Swindle. Think. Always think. You know, as I mentioned, 
the ISPs in the last couple of years I think have done a good 
job and what they have given you is a good spam blocker, they 
have provided prompted updates of virus protections and 
firewall protections. If the average consumer, home user would 
employ a virus program, employ a firewall, keep those up to 
date, use a spam blocker to narrow down how much garbage comes 
in your computer, and be careful about how you open e-mail and 
things of this nature, you could avoid a lot of grief because a 
lot of these really bad acts come through, believe it or not, 
the simple feat of sending an e-mail. It can do a lot of 
destruction. And employing these simple steps is not a 
difficult thing to do.
    Again, it is back to making everybody aware. And we would 
solicit the help of industry, as we are doing, and we would 
certainly ask that Congress call on us. We will make materials 
available. I would like to see, as sort of a goal for all of 
us, see every Member of Congress have a link to the Federal 
Trade Commissionsite as well as the sites that I think you 
mentioned earlier that industry has identified. There is so 
much good information out there about how to be safer. And that 
is what we have to achieve--safe computing. And I thank you 
very much for this opportunity.
    Mr. Putnam. Thank you very much, Commissioner.
    Mr. Yoran, top three things home users can do to make their 
systems more secure?
    Mr. Yoran. I would agree that the top one is think. Many of 
the mistakes which are made could be easily avoided by folks 
taking a moment to reflect before opening attachments from 
folks they have not received e-mail from or from which they are 
not expecting e-mail. I would encourage folks to subscribe to 
the National Cyber Alert System to receive tips and information 
on how they can protect themselves from online scams, phishing, 
and a wide variety of activities. And to also learn more 
through participation in many of the Stay Safe On Line 
initiatives. Certainly, if turtles can be teenage mutant ninja 
and martial arts experts, they can help America better protect 
our cyber citizens.
    Mr. Putnam. Thank you very much. I thank the entire first 
panel. And with that, I will dismiss panel I and we will go 
into recess momentarily as we set up for panel II.
    The subcommittee is in recess.
    [Recess.]
    Mr. Putnam. The subcommittee will convene.
    I would like to ask the second panel to rise and raise your 
right hand for the administration of the oath.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all the witnesses 
responded in the affirmative and have their official souvenir 
photo of being sworn in.
    We will move directly to the testimony. Our first witness 
is Larry Clinton. Mr. Clinton is currently the deputy executive 
director and chief of staff of the Internet Security Alliance, 
a collaboration between the CERT/cc at Carnegie Mellon 
University and one of the Nation's largest trade groups, the 
1,200 member company Electronic Industries Alliance. This past 
year Mr. Clinton has served as the private sector coordinator 
of the Corporate Information Security Working Group on Market 
Incentives for Improved Cyber Security. Prior to coming to 
ISAlliance last year, Mr. Clinton was with U.S. Telecom 
Association for 12 years including the last 6 as vice 
president.
    We welcome you to the subcommittee. You are recognized for 
5 minutes.

STATEMENTS OF LARRY CLINTON, CHIEF OPERATING OFFICER, INTERNET 
  SECURITY ALLIANCE; ANDREW HOWELL, VICE PRESIDENT, HOMELAND 
 SECURITY, U.S. CHAMBER OF COMMERCE; RODNEY PETERSEN, SECURITY 
  TASK FORCE COORDINATOR, EDUCAUSE; AND DOUGLAS SABO, MEMBER, 
      BOARD OF DIRECTORS, NATIONAL CYBER SECURITY ALLIANCE

    Mr. Clinton. ``I am very busy. Do I really need to read 
this?'' That, Mr. Chairman, is the first line of the ``Common 
Sense Guide to Cyber Security for Small Businesses'' which the 
Internet Security Alliance released on its Web site earlier 
this month.
    We decided to begin our publication in this unusual way 
because during the market research we did preparing the 
document we learned a critical fact. That is, that education is 
far more than simply raising awareness or disseminating 
information. Education, resulting in behavior change, requires 
motivation.
    The Internet Security Alliance is a collaboration between 
the CERT/cc at Carnegie Mellon University and the Electronic 
Industries Alliance. We are an international organization with 
membership on four continents and a wide variety of economic 
sectors, including banking, insurance, entertainment, 
traditional manufacturing, as well as telecommunications, 
security, and consumer food products. The ISAlliance runs an 
intensive information sharing program with the CERT/cc and we 
have taken this information and from it produced a series of 
best practice guides which are provided free of charge on our 
Web site.
    In December of last year, the ISAlliance was asked by the 
National Cyber Security Summit to produce a best practices 
document, this time targeted to small business users. Small 
businesses are particularly vulnerable to cyber attack. One out 
of every three small businesses was affected by the MyDoom 
virus, fully twice the number of larger businesses. Obviously, 
larger organizations have more to lose in terms of absolute 
dollars; however, smaller margins that smaller businesses 
operate under vastly magnify the impact an attack can have on a 
small business.
    Despite the need, there is very little help being offered 
to this community. The very first conclusion reached by the 
Best Practices task force you formed, Mr. Chairman, on the 
Corporation Information Security Working Group, was that 
available IS guidance as a whole is not readily scalable to 
meet the varying needs of large, mid-size, and small 
organizations.
    We decided to approach this project in a market-driven way 
and asked the target audience what they needed to know and how 
we could best motivate them. We coordinated with the National 
Association of Manufacturers, the National Federation of 
Independent Businesses, and the U.S. Chamber of Commerce. Each 
of these organizations agreed to gather for us a group of their 
membership and we conducted 10 focus groups, involving nearly 
100 actual small businesses, to discuss their cyber security 
needs.
    We learned that small businesses are aware of the potential 
impact of cyber attacks but they are also aware of the costs 
both in time and money to constantly keep up with the ever 
evolving threats and vulnerabilities. Attempting to address the 
needs of small businesses and cyber security without 
realistically addressing the costs of their full participation 
is shortsighted and will ultimately be ineffective.
    Having been educated by our audience, we produced a 
document that I believe looks unlike any other in the field. To 
speak to the small business owner's needs, we provided a real 
list of cast studies drawn from the media, the FBI Web site, 
and reported directly to us during our research. These are 
actual cases of small manufacturers, contractors, credit 
unions, hotels, diners, limo services, law firms, accountants, 
and venture capitalists, all of whom have had their businesses 
severely hurt by cyber attacks. They describe a wide variety of 
situations we believe the typical small business owner can 
relate to. We then outlined a 12-step program of cyber security 
specifically for small businesses including why they need to 
take the step, how to get started, who needs to be involved, 
the degree of technical skill required, and, specifically, the 
cost involved.
    However, more important than the product we produced is 
what we learned while we were producing it. For too long, cyber 
security has been thought of as an IT problem with an IT 
solution. While obviously there are technology elements to 
cyber security, it is also a management problem, it is an 
economic problem, and it is a cultural problem. And to 
adequately address the need, we need to listen to the IT people 
of course, but also the users, the educators, the marketers, 
and the economists. We need a broad, market-centered, 
incentive-laden approach to the issue, rather than a narrow, 
techno-centered dogmatic approach.
    We learned again that to achieve long term behavior change, 
which is the goal of education, we need to do more than simply 
share information. You noted it yourself, Mr. Chairman, in the 
letter you sent inviting us to today's hearing. You said, for 
example, the Blaster worm infected over 400,000 computers 
worldwide in less than 5 days, despite the fact that the patch 
that would have prevented the infection had been available for 
over a month. The information was there, Mr. Chairman, but the 
necessary incentives to use it were not. Speaking as a former 
teacher, who is married to an elementary school teacher with 
two small children in school, I can assure you that education 
takes more than providing information. Some students are 
motivated by praise, some by pride in good grades, some by the 
prospect of tangible rewards. Few are motivated by threats. 
Computer users are no different. Creative thinking needs to be 
done on the issue of incentives.
    ISAlliance is taking the lead on this issue. In the first 
quarter of 2003, we signed an agreement with AIG, the world's 
largest provider of cyber insurance. Under this agreement, AIG 
will provide premium credits, where permitted, of up to 15 
percent for companies who will join the Alliance and subscribe 
to our best practices. We believe this is the first operating 
program which specifically ties a widely independently endorsed 
set of cyber security best practices specifically to directly 
lower business cost. I understand that today we are here to 
discuss straightforward the issues of education. But I would 
urge the Chair to consider another hearing soon to discuss the 
complex issues of developing a market incentive program to 
compliment the educational initiatives.
    I must thank you and your staff, particularly Mr. Dixon, 
Mr. Chairman, for the leadership you have shown in this regard. 
Thank you.
    [The prepared statement of Mr. Clinton follows:]

    [GRAPHIC] [TIFF OMITTED] T6315.037
    
    [GRAPHIC] [TIFF OMITTED] T6315.038
    
    [GRAPHIC] [TIFF OMITTED] T6315.039
    
    [GRAPHIC] [TIFF OMITTED] T6315.040
    
    [GRAPHIC] [TIFF OMITTED] T6315.041
    
    [GRAPHIC] [TIFF OMITTED] T6315.042
    
    Mr. Putnam. Thank you, Mr. Clinton.
    Our next witness is Andrew Howell. Mr. Howell is the vice 
president of Homeland Security for the U.S. Chamber of 
Commerce, the world's largest business federation. As such, he 
is the organization's principal spokesman on homeland security 
issues and responsible for building and maintaining 
relationships with the administration and regulatory agency 
leaders. He is also responsible for developing the 
organization's overall homeland security policy strategy and 
ensuring that it is implemented. Prior to his current position, 
Mr. Howell served as senior vice president of the National 
Chamber Foundation, a public policy research arm of the U.S. 
Chamber of Commerce.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Mr. Howell. Thank you and good afternoon, Chairman Putnam, 
Congressman Clay. My name is Andrew Howell. I am vice president 
of homeland security for the U.S. Chamber of Commerce. The 
Chamber is the world's largest business federation representing 
more than 3 million businesses and organizations of every size, 
sector, and region.
    Thank you for giving me this opportunity to discuss the 
Chamber's cyber security awareness efforts with you all. Also, 
Mr. Chairman, I would like to thank you for your leadership on 
this issue, and for recognizing the importance of enhancing 
awareness of cyber security among the public and private 
sectors.
    ``The National Strategy to Secure Cyberspace,'' released in 
February 2003, called for a comprehensive, national awareness 
program to empower all Americans--businesses, the general work 
force, and the general population--to secure their own parts of 
cyberspace. This strategy asserts that everyone who uses the 
Internet has a responsibility to secure the portion of 
cyberspace that they control.
    The Chamber supports this view. It is the responsibility of 
a person using a product to know how to use that product 
safely. However, we do not believe that raising awareness is 
the only step in our journey to enhancing cyber security. 
Instead, it is one very important leg in this trip. Enhancing 
cyber security requires the combined efforts of users, 
technologists, and senior executives, those that use software 
and hardware, those that make software and hardware, and those 
that manage enterprises that rely on software and hardware to 
make the company operate. While technologists have a 
responsibility to make secure products, end users have a 
responsibility to use those products securely.
    A good analogy to this is the automobile. While cars 
provide individuals with great benefits, they also can be 
dangerous. Therefore, cars come equipped with seatbelts and 
airbags. However, ultimately, it is the driver's responsibility 
to buckle his seatbelt and know how to operate the vehicle 
safely. The vehicle must be maintained regularly, and when 
there is a recall notice, the owner has the responsibility to 
take the car in for repair. At the same time, automakers 
continue to design cars with new and innovative features, 
including new ones oriented to improve safety, and market them 
to the consumer.
    By promoting user awareness, we are not, as some maintain, 
blaming users for cyber vulnerabilities. Instead, it is through 
awareness that we highlight the issue of cyber security, inform 
people what they can do to manage online risks, and, in the 
process, create a market of consumers who can intelligently 
factor security into their purchasing decisions. By informing 
users about what they can do to enhance their cyber security, 
we will reduce the number of breaches, mitigate economic 
losses, and create a market that demands more secure products.
    Moving the market to demand more secure products is an 
important component of enhancing our Nation's level of cyber 
security preparedness. Ultimately, we believe the market is 
better able to respond to security challenges than regulations 
will ever be. Whereas market forces propel companies to be 
flexible, innovative, and customer oriented, regulations are 
reactive and constrictive. As companies of all types become 
more aware of information security risks and protective steps 
they can take, we are confident they will demand more secure 
products. Companies that recognize this market shift and sell 
products that exploit it will have an advantage over their 
competitors. The market remains a powerful vehicle for 
increasing cyber security, but before this power is fully 
realized, we need to better inform consumers on why cyber 
security is an issue that matters to them.
    For these reasons, the U.S. Chamber of Commerce is 
committed to increasing the awareness of cyber security in the 
business community and explaining cyber security in terms that 
businesses understand. For too long the issue of cyber security 
has been talked about in technological terms, as Larry 
mentioned. As a result, many corporate leaders and small 
business owners view it as a technology issue that should be 
solved by technologists. From our perspective, this is a 
mistaken perception that must be corrected.
    The U.S. Chamber has regularly used our membership 
publications, including USChamber.com, to provide tips and 
guidance to small business owners, to explain why cyber 
security is important to their businesses, and to offer easy to 
implement advice on how to better secure their networks. 
Included with my prepared statement is one such article which 
appeared in the April edition of our monthly newsletter.
    Mr. Chairman, my prepared statement details activity the 
Chamber has undertaken to implement the awareness component of 
the National Strategy. Given our limited time, I will not go 
into detail about these activities. However, as you know, the 
Chamber co-chaired the Awareness in Education Group that was 
created as part of your Corporate Information Security Working 
Group, and we serve as secretariat of the National Cyber 
Security Summit Awareness and Outreach Task Force. Both our 
National Cyber Security Summit Task Force Report and reports to 
the CISWG were submitted with my prepared statement.
    Mr. Chairman, thank you again for this opportunity. I would 
be pleased to answer any questions at the end of this panel you 
or anyone else might have. Thank you.
    [The prepared statement of Mr. Howell follows:]

    [GRAPHIC] [TIFF OMITTED] T6315.043
    
    [GRAPHIC] [TIFF OMITTED] T6315.044
    
    [GRAPHIC] [TIFF OMITTED] T6315.045
    
    [GRAPHIC] [TIFF OMITTED] T6315.046
    
    [GRAPHIC] [TIFF OMITTED] T6315.047
    
    [GRAPHIC] [TIFF OMITTED] T6315.048
    
    [GRAPHIC] [TIFF OMITTED] T6315.049
    
    [GRAPHIC] [TIFF OMITTED] T6315.050
    
    [GRAPHIC] [TIFF OMITTED] T6315.051
    
    [GRAPHIC] [TIFF OMITTED] T6315.052
    
    [GRAPHIC] [TIFF OMITTED] T6315.053
    
    [GRAPHIC] [TIFF OMITTED] T6315.054
    
    Mr. Putnam. Thank you, Mr. Howell.
    Our next witness is Rodney Petersen. Mr. Petersen is policy 
analyst with EDUCAUSE, and the project coordinator for the 
EDUCAUSE/Internet2 Computer and Network Security Task Force. 
EDUCAUSE is a nonprofit association whose mission is to advance 
higher education by promoting the intelligent use of 
information technology. Mr. Petersen recently co-edited the 
book ``Computer and Network Security in Higher Education.'' He 
was formerly the director of IT policy and planning in the 
office of the vice president and chief information officer at 
the University of Maryland. In addition, he was the founder of 
Project Nethics at the University of Maryland, a group whose 
mission is to ensure responsible use of information technology 
through user education and enforcement of acceptable use 
policies.
    You are recognized for 5 minutes. Welcome to the 
subcommittee.
    Mr. Petersen. Thank you, Mr. Chairman and members of the 
committee. I want to thank you for the opportunity to testify 
today regarding education and awareness for the cyber citizen. 
Later in my testimony, I have a video and some slides I would 
like to display, and with your permission, Mr. Chairman, I 
would like them added to the record.
    By holding this hearing today, you signal the importance of 
education and awareness as part of an overall strategy to 
improve the cyber security of the Nation. The present 
challenges of cyber security require the establishment of a 
life-long culture of security from the cradle to the grave. And 
to emphasize something you said earlier, Mr. Chairman, in your 
opening remarks, education and awareness is a necessary but 
insufficient approach to protecting our Nation's cyber space.
    I am here today, as you said, on behalf of the EDUCAUSE 
Internet2 Computer and Network Security Task Force. EDUCAUSE is 
a nonprofit association of nearly 2,000 colleges and 
universities. Internet2 develops and deploys advanced network 
applications and technologies for research and higher 
education, accelerating tomorrow's Internet.
    EDUCAUSE and Internet2 established a Computer and Network 
Security Task Force in July 2000. The Security Task Force is 
coordinating its efforts on behalf of a diverse group of 
associations and types of educational institutions, including 
research universities, State colleges and universities, Land-
Grant institutions, independent colleges and community 
colleges; some 4,000-plus colleges and universities across the 
United States.
    The Security Task Force prepared the higher education 
contribution to the National Strategy to Secure Cyber Space. 
And more recently, we participated in the National Cyber 
Security Summit. I was a member of the Awareness Task Force 
that has been previously referenced, where I served as the co-
chair for the Subcommittee on Schools and Institutions of 
Higher Education. Therefore, my testimony today will address 
education and awareness from kindergarten through college based 
upon the findings and recommendations of that subcommittee.
    Colleges and universities have long been interested in 
supporting the efforts of elementary and secondary schools to 
improve awareness of students on issues such as cyber ethics 
and security. After all, life-long habits are formed early, and 
the better we educate students about online safety in the K 
through 12 setting, the less we will be required once they 
arrive to college. Similarly, cyber security awareness 
facilitated by schools and colleges will benefit companies and 
government agencies that will eventually employ a new 
generation of technology-savvy and security conscious workers.
    While at the University of Maryland, I was the founder of 
the group you previously described, Project NEThics. Every 
spring, the university hosts Maryland Day, which so happens to 
be this coming weekend, and we invite members of the local 
community to come onto the College Park campus for family fun 
and educational activities. One year, Project NEThics, in 
partnership with our Prince Georges County computer forensics 
unit, hosted a computer lab where we invited children and their 
parents to participate in activities designed to increase their 
awareness for online safety. We talked to parents about the 
important role of adult supervision and watching their 
children's online activities and wanting to acquaint parents 
with the risks and benefits of computer use. And we left 
parents with literature, including an online safety pledge 
provided by the Center for Missing and Exploited Children.
    Project NEThics also works closely at the University of 
Maryland with the College of Education to develop seminars for 
teachers and school media specialists on cyber ethics and 
security. This summer, the university will host a conference 
entitled ``Cyberethics, Cybersecurity, and Cybersafety for 
Professional Educators.''
    The Consortium on School Networking is a national nonprofit 
organization whose mission is to advance the K through 12 
education community's capacity to effectively use technology to 
improve learning. COSN is currently working to help 
superintendents, chief technology officers of local school 
districts better integrate effective security practices into 
district management, operations, and the user experience.
    And CyberSmart is a nonprofit organization that develops 
and provides curricula and training programs for teachers, 
school administrators, and students.
    The EDUCAUSE/Internet2 Computer and Network Security Task 
Force has been pursing efforts to increase education and 
awareness in higher education. To this end, we have developed a 
working group that has identified a set of target audiences, 
among them including executives, all users relevant to this 
panel, members of the information assurance team, users of 
business systems, IT staff, faculty staff, students, and 
guests. Individuals interact with technology differently 
depending on their specific roles or responsibilities and the 
educational levels as well as cultural influences may vary. 
Therefore, education awareness is often customized to meet the 
target population. For example, at this time I would like to 
show you an awareness video developed for students at the 
University of Virginia.
    Mr. Putnam. We have to keep it short.
    [Video presentation follows:]

    Student. When I go to UVA----
    Student. I want to open e-mail attachments from strangers 
and get a virus.
    Student. I want to post obscene messages on the Internet.
    Student. Commit fraud using someone else's online identity.
    Student. I want to run a business from my UVA personal Web 
page.
    Student. I want to share my address and phone number----
    Student. My password----
    Student. My private fantasies with faceless creeps on the 
Net.
    Student. When I go to UVA----
    Student. When I go to UVA, I want to leave my e-mail open 
so strangers can read my incoming messages and answer them.
    Student. Filing a copy I lost by pirating music and posting 
it on the Web.
    Student. Harass people by sending threatening e-mails or 
chain letters or pornographic URLs.
    Student. I want to hack into government computers and go to 
Federal prison.

    [End of video presentation.]
    Mr. Petersen. So I think the video underscores the need for 
messages that are creative and targeted toward the audience 
they are intended to address.
    Because of time, I am going to skip over some further 
slides here that have examples of posters. But the one that is 
currently before you is a campaign where the slogan is 
``Passwords are like underwear'' and some of the themes are 
``change yours often,'' ``don't leave yours lying around,'' 
``don't share with a friend,'' ``the longer the better,'' ``be 
mysterious.'' And you can get the point that you have to reach 
students where they are and humor is a key ingredient.
    Let me just say one thing and then I will conclude by 
talking about Cyber Security Day. Several colleges and 
universities did recently observe the Cyber Security Day, and 
we expect a number of campuses to plan activities during the 
week of October 31st to observe the next Cyber Security Day.
    In conclusion, first, the improvement of cyber security is 
needed, and we need to see support both from the public and the 
private for what is happening in our schools and institutions 
of higher education. Second, the baseline information that is 
required of all users must be kept to a minimum. Third, there 
should be consistency in the basic awareness messages. And 
finally, our efforts to increase awareness and education 
regarding cyber security must happen in parallel to the 
development of more secure technologies. Thank you.
    [The prepared statement of Mr. Petersen follows:]

    [GRAPHIC] [TIFF OMITTED] T6315.055
    
    [GRAPHIC] [TIFF OMITTED] T6315.056
    
    [GRAPHIC] [TIFF OMITTED] T6315.057
    
    [GRAPHIC] [TIFF OMITTED] T6315.058
    
    [GRAPHIC] [TIFF OMITTED] T6315.059
    
    [GRAPHIC] [TIFF OMITTED] T6315.060
    
    [GRAPHIC] [TIFF OMITTED] T6315.061
    
    [GRAPHIC] [TIFF OMITTED] T6315.062
    
    [GRAPHIC] [TIFF OMITTED] T6315.063
    
    [GRAPHIC] [TIFF OMITTED] T6315.064
    
    [GRAPHIC] [TIFF OMITTED] T6315.065
    
    [GRAPHIC] [TIFF OMITTED] T6315.066
    
    [GRAPHIC] [TIFF OMITTED] T6315.067
    
    [GRAPHIC] [TIFF OMITTED] T6315.068
    
    [GRAPHIC] [TIFF OMITTED] T6315.069
    
    [GRAPHIC] [TIFF OMITTED] T6315.070
    
    [GRAPHIC] [TIFF OMITTED] T6315.071
    
    [GRAPHIC] [TIFF OMITTED] T6315.072
    
    [GRAPHIC] [TIFF OMITTED] T6315.073
    
    Mr. Putnam. Thank you, Mr. Petersen.
    Our final witness on the second panel is Douglas Sabo. Mr. 
Sabo is appearing today in his role as a member of the board of 
directors of the National Cyber Security Alliance. He is also 
the director of government and community relations for McAfee 
Security. In that role, Mr. Sabo addresses domestic and 
international public policy issues affecting the company and 
oversees the company's corporate citizenship activities. McAfee 
Security, headquartered in Santa Clara, CA, is a leading 
supplier of security and intrusion protection solutions for e-
businesses. Mr. Sabo also serves as chair of the Security 
Working Group of the Business Software Alliance and co-chair of 
Department of Commerce's International Outreach Subcommittee of 
the Economic Security Working Group.
    You are recognized for 5 minutes.
    Mr. Sabo. Thank you. I am not sure how I am going to 
followup a discussion of underwear. [Laughter.]
    Good afternoon, Mr. Chairman, Ranking Member Clay, and 
members of the subcommittee. My name is Douglas Sabo. I am a 
member of the board of directors of the National Cyber Security 
Alliance and I testify this afternoon on behalf of that 
organization. And as you mentioned, Mr. Chairman, I am also 
director of government and community relations for McAfee 
Security. I join with my colleagues on this panel in thanking 
you for your personal leadership on the cyber security issue, 
both through your series of cyber security hearings as well as 
your working groups with industry. I also commend your staff 
for being first-rate on all of these issues.
    As you have heard others mention, the National Cyber 
Security Alliance [NCSA], is a unique partnership among the 
Federal Government, leading private sector companies, trade 
associations, and educational organizations, including all of 
the organizations testifying here today. Our fundamental 
purpose is to contribute to our Nation's overall cyber security 
by improving the behaviors of consumers, small businesses, and 
our youth from kindergarten to higher ed. And Mr. Chairman, we 
share your concerns about bombarding citizens with too many 
messages from too many sources. We hope that our partnership 
will contribute to avoiding that problem.
    Others have already talked today about the overall 
challenge and the important role that these audiences do play. 
The NCSA strongly agrees with these assessments. And rather 
than reiterate this information, I would like to introduce you 
to initiatives that we hope will reach our three main 
audiences. First, for small businesses, the NCSA is developing 
cyber security tool kits to discuss vulnerabilities and threats 
as well as tips and steps for responding. These tool kits, 
which will be available in soft and hard copy, will include 
materials, guidebooks, and training programs on the cyber 
security essentials. We are in discussions with a number of 
organizations to develop and distribute these tool kits, 
including the Small Business Administration, InfraGard, the ISP 
community and others, and we hope to begin distribution by mid-
June.
    Second, we are focusing on educating our youth on cyber 
security practices to make sure the next generation of users is 
cyber secure. Through partnering with outside organizations 
such as EduCalls and CyberSmart!, we hope to develop and 
disseminate cyber security curriculum to educators across the 
country. These materials already are developed for the K 
through 8 audience, with 9 through 12 pending. And to reach our 
youngest audience, the NCSA also supported a national poster 
contest in which students were asked to creatively depict the 
importance of cyber security. We plan to hold this contest 
again this fall.
    Finally, I would like to use a couple minutes to focus on 
the consumer audience. Already the NCSA has launched our 
flagship Web site, www.staysafeonline.info, which received over 
1 million hits in its first month alone. This site contains our 
top 10 cyber security tips, self-tests, tech talks, and more. 
In addition, we have held semi-annual National Cyber Security 
Days timed with Daylight Savings Time changes. While these have 
not been as successful as we had hoped, we are busy working to 
relaunch these this fall.
    But what the NCSA is most excited about in the consumer 
area is what we hope will be the cornerstone of the NCSA 
effort, a multi-year national cyber security awareness 
campaign. This campaign, targeted at home users, will use 
public service announcements and other creative methods to 
raise awareness of the cyber security issue and steps people 
should take to protect themselves, and thus all of us. While 
our efforts certainly will depend on the resources we are able 
to raise for this campaign, we hope that our national cyber 
security awareness campaign will be on the level of many of 
those that I am sure you are familiar with, healthy lifestyles, 
wildfire prevention, drunk driving prevention, the importance 
of voting, drug abuse prevention, and terrorism emergency 
preparedness. These broad campaigns have imprinted our culture 
with a number of easily recognizable campaign catch phrases, 
such as, ``Don't drink and drive,'' ``Buckle Up,'' ``Only you 
can prevent wildfires,'' and ``Take a bite out of crime.'' 
Perhaps our effort will add a new one.
    Are public awareness campaigns effective? We certainly 
believe they can be. Consider please the results of the Ad 
Council, a nonprofit organization that uses volunteer talent 
from the advertising and communications industries. 
Applications, for example, for Big Brothers, Big Sisters 
mentors increased by 75 percent in the first 8 months of their 
campaign. Destruction of our forests by wildfires has been 
reduced from 22 million acres to less than 4 million acres per 
year since their forest fire prevention campaign began. And 
safety belt usage rose from 14 percent to 79 percent since 
their safety belt campaign launched in 1985, saving an 
estimated 85,000 lives. With the proper resources, we believe 
the NCSA national awareness campaign can achieve the same level 
of success for cyber security behavior. It will not be a silver 
bullet, but together with all the other NCSA efforts as well 
broader initiatives to reduce vulnerabilities, improve security 
usability, expand R&D, and enhanced corporate governance, we 
can truly make a difference.
    Mr. Chairman and members of the subcommittee, I thank you 
again for the opportunity to testify today. And I look forward 
to answering any questions you may have.
    [The prepared statement of Mr. Sabo follows:]

    [GRAPHIC] [TIFF OMITTED] T6315.074
    
    [GRAPHIC] [TIFF OMITTED] T6315.075
    
    [GRAPHIC] [TIFF OMITTED] T6315.076
    
    [GRAPHIC] [TIFF OMITTED] T6315.077
    
    [GRAPHIC] [TIFF OMITTED] T6315.078
    
    [GRAPHIC] [TIFF OMITTED] T6315.079
    
    [GRAPHIC] [TIFF OMITTED] T6315.080
    
    [GRAPHIC] [TIFF OMITTED] T6315.081
    
    [GRAPHIC] [TIFF OMITTED] T6315.082
    
    Mr. Putnam. Thank you, Mr. Sabo. Thank you to all of our 
witnesses.
    We will begin with Mr. Clay's questions.
    Mr. Clay. Thank you very much, Mr. Chairman. Thank you all 
for being here today.
    Mr. Clinton, we will start with you. What steps can the 
Federal Government take to use its procurement power to improve 
the security of computer software? Is the Internet security 
industry able to agree on some minimal standards for computer 
security hygiene? I guess that is a two-part question.
    Mr. Clinton. Thank you, Mr. Clay. We do think that the 
procurement process is probably the best first step for the 
Federal Government to take in terms of establishing benchmarks 
for appropriate security to be included within products that 
they purchase. I think what we think is most important about 
this is that it would be the Federal Government using its 
market forces rather than its regulatory forces to encourage 
behavior. We think absolutely that is the model that is going 
to be most effective is the use of the market. During the 
Corporate Information Security Working Group we discussed this 
quite a bit and talked about how if the Federal Government 
could act as a model through its procurement practices, as the 
Department of Energy already has started, that we might be able 
to make an awful lot of steps, and that has the effect on the 
rest of the market of likely lowering costs, making these sorts 
of devices or procedures more accessible to small businesses.
    Now the second question, Mr. Clay, was whether or not we 
could agree on standards. It kind of depends on what you are 
talking about in terms of standards. There is an awful lot of 
standards activity that is already underway. If what you are 
suggesting is do we think that the Federal Government should be 
passing legislation or regulation mandating standards, we would 
think that is the wrong way to go. And let me explain why. It 
is not so much that we are opposed to standards. EIA is one of 
the largest standards producers in the entire world. It has to 
do, Mr. Clay, with the nature of the Internet.
    The Internet is a 21st century technology. Most of the 
regulatory models that we use in the Federal Government now are 
18th century models. The FCC and the SEC are modelled on the 
old ICC which regulated railroads. We are dealing with 
something that is entirely different now. We think that for 
security purposes we need a much more dynamic manager of the 
Internet and the only mechanism that we can identify that will 
be dynamic enough to keep up with the ever-increasing attacks 
and technologies of the attackers is to use market forces. So, 
more creative use of insurance, more creative use of liability 
carrots involving marketing for cyber security. And there is a 
range of things that we identified in our incentives group 
report we think are far more likely to succeed in our ultimate 
aim of achieving cyber security than a federally mandated 
standard.
    Mr. Clay. Oh, please do not misunderstand the question. I 
was just asking could the industry come together and establish 
the standards. I never made inference to a Federal law, and 
that is not where I am going with that.
    Mr. Clinton. I appreciate that. And, yes, we are working on 
that quite hard.
    Mr. Clay. Thank you for the answer. Mr. Sabo, do you 
believe the Federal Government's commitment to cyber security 
training and certification particularly at the systems and 
network administrator level is adequate? And how important is 
training and certification to cyber security?
    Mr. Sabo. Thank you, Ranking Member Clay. The National 
Cyber Security Alliance itself does not have a particular 
position on those areas. But if I could speak on behalf of 
myself and the company that I do work for during the day, I do 
think, and the organizations that support the NCSA would 
probably agree, there is significant training going on but that 
there is always more that could be done. I think we heard from 
the director of the NCSD previously about the number of 
programs that are out there, the scholarship for service and 
the other organizations, and I think there is certainly a lot 
more to be done. In our purview of the awareness side, we did 
talk significantly about awareness for home users. But I think 
you could take what we plan to do for home users and also put 
that for Federal Government workers, both as users that will 
then be going home and using their personal systems probably to 
even connect into Federal Government systems, and then also as 
employees of the Federal Government. So our awareness efforts 
certainly would be useful for that audience as well.
    Mr. Clay. OK. I thank you for that comment. Mr. Chairman, I 
think my time is up.
    Mr. Putnam. You are welcome to continue.
    Mr. Clay. OK. Just one more question for Mr. Petersen. 
Before I ask the question, I just want to make you aware that I 
too am a University of Maryland graduate. So fear the turtle. 
[Laughter.]
    Mr. Petersen. Yes. I was thinking of that earlier when 
Dewie was displayed. [Laughter.]
    Mr. Clay. On a serious note, though, is the Congress 
adequately funding research and development in the cyber 
security area? And what other methods could the Federal 
Government employ in order to achieve widespread cyber 
security?
    Mr. Petersen. Thank you for your question. I do think you 
are on the right path to increasing funding for cyber security 
research and development efforts. The university environments 
are particularly participating in National Science Foundation 
solicitations, they currently are reviewing proposals now for a 
cyber trust solicitation. We have been working pretty regularly 
with the Science and Technology Directorate of the Department 
of Homeland Security, although I note that in their $1 billion-
plus budget only $18 million are devoted to cyber security and 
many of us think that is wholly inadequate and perhaps 
symbolizes that cyber security is not thought to be the 
priority that it should be.
    Having said that, I think there is more room for funding 
for R&D. But I do not want us to forget what we are here about 
today and certainly what our group represents, which is 
securing today's Internet. There are not nearly enough Federal 
Government funds available to deal with education and awareness 
of the mass populace, including kids in schools and higher 
education, and efforts needed to secure our current 
infrastructure.
    Mr. Clay. Thank you for that response. Mr. Chairman, I 
yield back the balance of my time.
    Mr. Putnam. Thank you, Mr. Clay. Mr. Clinton, one of the 
key ingredients to a successful education and awareness 
campaign is clarity and credibility of the message. Given your 
experiences and knowledge of the work to identify cyber 
security best practices, what is the most direct and clear 
message that can be conveyed to home users and small 
businesses?
    Mr. Clinton. Thank you, Mr. Chairman. I was thinking of 
this when you asked the first panel the question. My answer is 
a little different. I support their view that people need to 
think. But I think they need to think of their computer in a 
different sense. My experience is that most home users tend to 
think, and I am saying most home users, not the sophisticates, 
most home users still think of their computer like it is a TV 
set, that you just turn it on and it provides you things. And 
that is the wrong way to think of your computer. I think a 
better way to think of your computer is like it is a gifted 
child; it is something you need to work with, it is something 
you need to interact with, and if you treat it well and protect 
it and develop it, it can do great things, but if you do not, 
it could come back and cause all sorts of tremendous problem. I 
think we need to get consumers to think of the technology very, 
very differently.
    Most of us have become so comfortable with some of the 
rudimentary elements of the Internet we forget that just a few 
years ago e-mail scared us. I remember when I worked for my 
first Member here on Capitol Hill, and I will not say who that 
was, I had to show him how to turn on the computer. It was not 
that long ago. But I do not think that we have completely kept 
up with what is really behind this medium. It looks too easy. 
So I would say what we need to do is we need to get people to 
rethink what it is they are dealing with. They have to have an 
active relationship with their network, not just treat it as a 
passive appliance.
    Mr. Putnam. Mr. Howell, your thoughts?
    Mr. Howell. I agree entirely with Larry. And I would argue 
that a computer is also a gold mine which has tremendous 
potential and has to be exploited in order to achieve that 
potential. In one of our most recent efforts to educate our 
membership, we were talking to several of our small companies 
who had no concept of the fact that keeping customer 
information--customer invoices, sales lists, sales figures, 
revenue and expense items, their general ledger--on a computer 
that was accessible via high speed to the Internet without a 
firewall and without anti-virus was essentially a security 
risk. They just had not thought about their computer that way. 
I would agree with Larry, they viewed it as almost an 
entertainment vehicle, something there for their pleasure and 
their ease of use, and they did not view any of the risks that 
the sophisticated users see out there everyday. And it is 
because, frankly, we have not done enough to educate people 
about the threats that are facing them and, at the same time, 
make action to mitigate those threats possible.
    Mr. Putnam. What is the appropriate role for the hardware 
and software vending community, not only to provide more secure 
and higher quality products, but also to educate their 
consumers about basic cyber security practices?
    Mr. Howell. I think that all three parts of this triangle, 
the hardware and software vendors as well as the user 
community, must do much more collaboratively to talk about 
risks, vulnerabilities, and mitigation of risk and 
vulnerabilities. Among large enterprises you are seeing much 
more collaboration on all three sides of that. But it has taken 
a long time to develop and a lot of those things develop based 
on trust and years of working with one another and the 
information technology industry is relatively young. At the 
same time, I think that we are seeing more medium-size 
enterprises catch up and do some of this. And the challenge 
therefore remains the small enterprise community. And as Larry 
mentioned, that was quickly viewed within our Corporate 
Information Security Working Group as an area where there is no 
targeted information on risk mitigation and what the real 
threats are. So I think it is a multifaceted process depending 
on what particular market you are looking at--the large 
enterprise market, I think it is a collaborative process; 
medium-size enterprises, I think they are moving toward that 
collaboration; small enterprises, it is still very much 
awareness and education oriented.
    Mr. Putnam. Mr. Petersen, your thoughts on that?
    Mr. Petersen. Your question about hardware and software 
reminded me of a story over the Christmas holidays. I had a 
friend who subscribed for the first time to Comcast cable and 
when he went to the local shopping mall he got a CD and the 
installation instructions and he came home and installed it and 
within a matter of seconds he got the Blaster worm. And in 
trying to help my friend troubleshoot the problem, the first 
thing that occurred to me is how come Comcast cable is not 
distributing information to its customers about the threats 
that currently existed at that point in time, that when you 
move from being off-line to broadband you better make sure your 
operating system is up to date, and, by the way, here is a CD 
that can provide you the latest patches and the latest anti-
virus stuff. So I think absolutely there is a role for hardware 
and software and other service providers to play in providing 
consumers with educational and awareness materials.
    Second, if you think about our parents and students who are 
buying computers for their children, think if they open that 
computer box and there is a label that said, you know, ``Tear 
this off and be aware, if you do not do X, Y, and Z, you could 
lose your data and all the important work that you put into 
this machine.'' I do believe that, aside from our role in 
educating and making users aware, hardware and software vendors 
could help.
    Mr. Putnam. Mr. Sabo, do you want to add anything to that?
    Mr. Sabo. Yes, thank you, Mr. Chairman. I do think there is 
significant information out there from the software/hardware 
vendors and the ISP community. But I think there is a 
fundamental research need that we all could perhaps support in 
looking at user behavior, benchmarks, metrics, in order to 
understand how we reach these users, what are the best 
messages--and I do not think there is a one size fits all 
message for security; I think what will motivate users will 
vary greatly among them; fundamental research in where to reach 
them, to what sites to go, what places in the real world and 
the virtual world to place these messages' and then fundamental 
research in who to reach, who are these ``users.'' I think a 
number of studies have shown that a majority of home users who 
are doing a lot of the financial transactions in households are 
the women in the households. I think that would impact 
therefore where we deliver these messages, what types of Web 
sites, what types of media that perhaps our awareness campaign 
will target. So I think there is a lot of information that is 
out there but, exactly as you said in your opening statement, 
perhaps we run the risk of having too much and we may need to 
really think about where are the best places to go and to put 
this information.
    Mr. Putnam. That is a perfect segue into my next question. 
You have heard the FTC testify about the turtle, you have Stay 
Safe On Line, there are a number of other approaches to 
increasing awareness. Is that type of symphony of approaches 
helpful in that you are hitting different pieces of the 
audiences, or do you believe that there should be a more 
centralized message, centralized theme, centralized Web site 
for people to go for information on becoming more secure?
    Mr. Sabo. I definitely agree that we are in a period of 
``let a thousand flowers bloom.'' And perhaps in a way we have 
become victims of our own success, that we have talked about 
the important need for all these awareness efforts and we are 
starting to get them. And I think behind scenes we are also 
seeing a lot more effort to do the centralization, but 
centralization of the organization behind it. So you have the 
folks who are running these talking to each other much more. 
And I think there is a lot of room for improvement in that 
area. We certainly would commit ourselves to being part of any 
effort that would help with that. I do think, at the end of the 
day, each set of users are going to respond to different types 
of messages in different media.
    Mr. Putnam. Mr. Petersen.
    Mr. Petersen. I share your concern but I think we are 
headed in the right direction. I know even EDUCAUSE has more 
recently become a sponsor of the Alliance. We are working 
closely with the FTC. And when we look at our colleges and 
university environments, many of them, like Florida State 
University, Florida, University of Maryland, are large 
enterprises. So whatever messages we might be targeting toward 
large businesses probably apply to our large colleges and 
universities. Many of them are small colleges and community 
colleges and the small business environment messages are the 
same.
    One of the things we have worked hard with the Alliance on 
is when you take their top 10 cyber tips, those should be the 
same top 10 cyber tips that all of our users hear about, our 
students, faculty, staff. So rather than us starting from 
scratch or writing our own messages, we are working hard to 
make sure their messages get put into the appropriate language 
so that we can use them and convey a consistent message.
    Mr. Putnam. Mr. Clinton, do you want to add something to 
that?
    Mr. Clinton. I would agree that the messages should be 
consolidated. But I do want to caution that there is a problem 
if we think we have the right answer and so all we have to do 
is go out and make everybody understand the right answer. We 
have published two best practices that we are very proud of and 
that got endorsed by a lot of people and we thought they were 
great. And we took our best practices to the small business 
guys and they said, ``What are you talking about? We do not 
understand this. No small business guy would ever read this 
stuff.'' But the technologist people think, hey, this is the 
right message. And we found out by doing the market research it 
was not the right message.
    So I think that there needs to be some consolidation with 
regard to messages, that we should not have conflicting 
messages, for sure. But I do not think we do. I would agree 
with the rest of the panel that I think we are moving in the 
right direction. But the way messages are presented need to be 
targeted differently to different audiences. We represent small 
companies and we represent enormous companies and they deal 
with these issues very, very differently. I think that the 
approach that we need to take is a market-centered approach. We 
need to go out to each target market. And small business may 
not be a target market. Small business may be an enormous 
market that needs to be much better segmented within that 
market in order to better appreciate these people. There are 
small technology companies and there are small marketing 
companies, and you talk to these guys in different ways.
    So I do not think it is quite as simple as saying we have 
the message, all we have to do is get it out. I think that we 
have a lot of the right ideas but I think we need to continue 
to work on it and we need to involve the users, we need to 
involve the target audiences much more in developing the 
messages. And I think we are just at the beginning of that 
process.
    Mr. Putnam. Mr. Howell.
    Mr. Howell. I would agree. But I would just add one thing, 
and that is, you also have to look at the messenger and the 
affinity of the desired market to that messenger. Different 
organizations have different affinity with different type and 
sizes of organizations and companies. And agreed, having the 
same set or a similar set of messages is essential. But one 
organization that may be the best messenger might have 
absolutely no affinity with or relation to the target market, 
and therefore, if one were to follow our principles of not 
opening e-mails, for example, from an unknown sender, that e-
mail would get deleted because there is no affinity to that 
sender. So that is the only other issue I would add here.
    And at the same time, I think the National Cyber Security 
Summit, held last December and an ongoing vehicle, as well as 
NCSA, both have been fantastic vehicles, joining with your 
Information Security Working Group, in aggregating 
organizations that have been working just in an area of 
awareness alone to sit down at a table, think about how they 
can multiply or take advantage of their efforts and reduce 
waste and enhance efficiency and increase awareness. It has 
been tremendous. Every week, for example, since we started 
participating in your group we have been approached by at least 
one other association who wants to join in what we are trying 
to do on education and awareness. That has been one of the most 
rewarding things we have seen so far in all the education and 
awareness efforts.
    Mr. Putnam. And finally, do you all believe that this issue 
has risen to the boardroom, to the C-level executives? All the 
talk about worms and viruses and exploits, some attention 
through Sarbanes-Oxley and Section 404, are top level 
executives finally treating cyber security as a business risk? 
We will begin with Mr. Sabo and work down the table.
    Mr. Sabo. Thank you. I think today, compared to 2, even 3 
years ago, we have come a significant way in getting the 
attention to that level. But I think there is certainly a lot 
more in the corporate governance side between the work that the 
Cyber Security Summit Working Group as well as your own has 
done is significant and the word needs to get out now. And that 
is I think the stage we are at.
    Mr. Petersen. I would say no. In the college and university 
environment, we have a long way to go particularly at the 
president level and the board level. In fact, I would say that 
is one of the reasons why in my first bullet I said we need 
support from the private and government sector. It was not just 
referring to financial support. Many people in government and 
certainly part of corporations sit on college and university 
boards, and I am hoping the awareness that is being created 
within industry and government will translate to board members 
going to those board meetings and saying what are you doing 
about information security on your campus, why have we not 
talked about it in the context of governance. And I think the 
same message needs to be carried forward to our presidents and 
chancellors and other executive leaders. We are certainly doing 
our part as our task force to raise awareness, but I think we 
could use the assistance and support of other executives.
    Mr. Putnam. Mr. Howell.
    Mr. Howell. One of the recommendations that we made within 
our National Cyber Security Summit Large Enterprises Working 
Group was that our ad hoc coalition come together with DHS and 
we recommended a series of forums across the country with 
senior DHS officials and CEOs to discuss information security 
and corporate governance. And we hope that DHS will take up 
that recommendation because we believe that it is essential. I 
would agree with Doug, we have made progress. But I think much 
more remains to be done. At the same time, we need to move 
forward with a collaborative approach with a framework similar 
to what the Corporate Governance Task Force of the National 
Cyber Security Summit came out with recently. That is a great 
starting point, one of many materials that are out there. And 
moving forward with implementation of all of these documents 
is, I think, an essential next step.
    Mr. Putnam. Thank you. Mr. Clinton.
    Mr. Clinton. I would have to say that we have maybe taken 
the first steps in this direction. But, no, Mr. Chairman, we 
have not at all reached the summit of the CEOs and the COOs. 
Just a couple of facts. I heard the first panel talk about how 
they were under the impression that Graham-Leach-Bliley, 
Sarbanes-Oxley may have increased awareness, and perhaps it has 
increased awareness some. But the fact is, Mr. Chairman, that 
the number of incidents last year and again early this year are 
going through the roof. The amount of money that is being lost 
is going through the roof. So if there is some increased 
awareness, it is not enough.
    Another fact. The most recent study that I have seen on 
this, done by CSO magazine, indicated that most corporations 
they recommended should be increasing their IT cyber security 
budget by approximately 33 percent. They went back and looked 
at how many corporations had done that. They found that only 22 
percent of the corporations had increased it, and only 7 
percent of the corporations had increased it the amount that 
was required. So we are a long way away.
    Mr. Chairman, this I think goes back into the conversation 
we just had on your last question, finding the right messages 
for this particular target audience, COOs, CEOs. I do not want 
to cast any aspersions on the CEOs and COOs who fund, frankly, 
my organization, but the fact of the matter is, Mr. Chairman, 
they are not going to do this because it is in the national 
interest. We need to find messages that speak to their 
corporate interest. We need to find issues that speak to the 
corporate interest. We need to do a better job demonstrating 
the return on investment to good cyber security. We need to do 
a better job of providing the sort of incentives that level of 
corporate executive pays attention to--lower business costs, 
less liability exposure. Those are the sorts of things that are 
talked about in CEO board rooms and CEO discussions. And we 
have not done that yet. I think that there is a tremendous 
amount that we have not yet gotten to in the public-private 
partnership in that area that lays still before us. And we are 
enthusiastic about working with the Congress in those areas. 
But we are just at the first couple steps, in my opinion, sir.
    Mr. Putnam. Thank you, Mr. Clinton, particularly for your 
candor. We assume that is not going to be the punch-out quote 
in your monthly newsletter to your members.
    Mr. Clinton. No, sir. I am going to use your opening 
statement as our punch-out quote.
    Mr. Putnam. I want to thank all of our witnesses for your 
efforts in this important arena. I know that your work 
continues to help our cyber citizens enjoy the benefits of the 
Internet in a safe and secure manner. I also want to thank Mr. 
Clay for his participation today. In the event that there are 
additional questions that we did not get to today, the record 
will remain open for 2 weeks for submitted questions and 
answers.
    With that, the subcommittee stands adjourned.
    [Whereupon, at 4:07 p.m., the subcommittee was adjourned, 
to reconvene at the call of the Chair.]

                                 
