[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
WHO MIGHT BE LURKING AT YOUR CYBER FRONT DOOR? IS YOUR SYSTEM REALLY
SECURE? STRATEGIES AND TECHNOLOGIES TO PREVENT, DETECT AND RESPOND TO
THE GROWING THREAT OF NETWORK VULNERABILITIES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
POLICY, INTERGOVERNMENTAL RELATIONS AND
THE CENSUS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
JUNE 2, 2004
__________
Serial No. 108-232
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
96-992 WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                     HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut          TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida            MAJOR R. OWENS, New York
JOHN M. McHUGH, New York                EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                   PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana                 CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio              ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                    DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                     DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia                  JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania       WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                      DIANE E. WATSON, California
ADAM H. PUTNAM, Florida                 STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia             CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee          LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                    C.A. ``DUTCH'' RUPPERSBERGER, Maryland
CANDICE S. MILLER, Michigan             ELEANOR HOLMES NORTON, District of Columbia
TIM MURPHY, Pennsylvania                JIM COOPER, Tennessee
MICHAEL R. TURNER, Ohio                 ------ ------
JOHN R. CARTER, Texas                   ------
MARSHA BLACKBURN, Tennessee             BERNARD SANDERS, Vermont (Independent)
PATRICK J. TIBERI, Ohio
KATHERINE HARRIS, Florida
Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director/Communications Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel
Subcommittee on Technology, Information Policy, Intergovernmental
Relations and the Census
ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan WM. LACY CLAY, Missouri
DOUG OSE, California STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania ------ ------
MICHAEL R. TURNER, Ohio
Ex Officio
TOM DAVIS, Virginia HENRY A. WAXMAN, California
Bob Dix, Staff Director
Dan Daly, Professional Staff Member
Juliana French, Clerk
Adam Bordes, Minority Professional Staff Member
C O N T E N T S
----------
Page
Hearing held on June 2, 2004..................................... 1
Statement of:
Beinhorn, Dubhe, vice president, Juniper Federal Systems;
Scott Culp, senior security strategist, Microsoft Corp.;
Louis Rosenthal, executive vice president, ABN Amro
Services Co., Inc.; Marc Maiffret, chief hacking officer,
eEye Digital Security; and Steve Solomon, chief executive
officer, Citadel Security Software, Inc.................... 92
Evans, Karen, Administrator, E-Government and Information
Technology, Office of Management and Budget; Robert Dacey,
Director, Information Security Issues, U.S. General
Accounting Office; Amit Yoran, Director, National Cyber
Security Division, Department of Homeland Security; Dawn
Meyerriecks, Chief Technology Officer, Defense Information
Systems Agency, Department of Defense; and Daniel Mehan,
Assistant Administrator, Information Services and Chief
Information Officer, Federal Aviation Administration....... 11
Letters, statements, etc., submitted for the record by:
Beinhorn, Dubhe, vice president, Juniper Federal Systems,
prepared statement of...................................... 95
Clay, Hon. Wm. Lacy, a Representative in Congress from the
State of Missouri, prepared statement of................... 79
Culp, Scott, senior security strategist, Microsoft Corp.,
prepared statement of...................................... 102
Dacey, Robert, Director, Information Security Issues, U.S.
General Accounting Office, prepared statement of........... 21
Evans, Karen, Administrator, E-Government and Information
Technology, Office of Management and Budget, prepared
statement of............................................... 14
Maiffret, Marc, chief hacking officer, eEye Digital Security,
prepared statement of...................................... 134
Mehan, Daniel, Assistant Administrator, Information Services
and Chief Information Officer, Federal Aviation
Administration, prepared statement of...................... 70
Meyerriecks, Dawn, Chief Technology Officer, Defense
Information Systems Agency, Department of Defense, prepared
statement of............................................... 56
Putnam, Hon. Adam H., a Representative in Congress from the
State of Florida, prepared statement of.................... 6
Rosenthal, Louis, executive vice president, ABN Amro Services
Co., Inc., prepared statement of........................... 125
Solomon, Steve, chief executive officer, Citadel Security
Software, Inc., prepared statement of...................... 153
Yoran, Amit, Director, National Cyber Security Division,
Department of Homeland Security, prepared statement of..... 44
WHO MIGHT BE LURKING AT YOUR CYBER FRONT DOOR? IS YOUR SYSTEM REALLY
SECURE? STRATEGIES AND TECHNOLOGIES TO PREVENT, DETECT AND RESPOND TO
THE GROWING THREAT OF NETWORK VULNERABILITIES
----------
WEDNESDAY, JUNE 2, 2004
House of Representatives,
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 1:40 p.m., in
room 2154, Rayburn House Office Building, Hon. Adam H. Putnam
(chairman of the subcommittee) presiding.
Present: Representatives Putnam and Clay.
Staff present: Bob Dix, staff director; John Hambel, senior
counsel; Dan Daly, professional staff member and deputy
counsel; Juliana French, clerk; Felipe Colon, fellow; Kaitlyn
Jahrling and Collin Samples, interns; Adam Bordes and David
McMillen, minority professional staff members; and Jean Gosa,
minority assistant clerk.
Mr. Putnam. A quorum being present, this hearing of the
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census will come to order.
Good afternoon. Welcome back. I hope everyone had a nice
Memorial Day respite from dealing with Congress.
Today's subcommittee hearing is entitled, ``Who Might be
Lurking at Your Cyber Front Door? Is Your System Really Secure?
Strategies and Technologies to Prevent, Detect and Respond to
the Growing Threat of Network Vulnerabilities.'' Today, we
continue our in-depth review of cyber security issues affecting
our Nation.
The Internet has created a global network of systems that
have improved the quality of our lives, created unprecedented
communications capabilities and increased productivity. The
interdependent nature of these systems has also unleashed the
potential for worldwide cyber attacks that can affect hundreds
of thousands of computers in mere hours. Since 1999, the number
of cyber attacks has grown and continues to grow at an alarming
rate. The cost of preventing and responding to these attacks is
staggering. Some estimate that the economic impact from digital
attacks in 2004 will be in the billions. While opinions may
differ on the cost of the impact, there is clear evidence that
the effect on private and public sectors is significant.
Preventing cyber attacks and the damage they cause poses unique
and menacing challenges. Our critical infrastructure and government
systems can be and are being attacked from everywhere at any
time. Cyber criminals, disgruntled insiders, hackers, enemy
states and those who wish us harm are constantly seeking to
steal confidential information, hijack vulnerable computers and
turn them into zombies that can be used to carry out malicious
activities. This is a global, 24/7 challenge. There can be no
down time when it comes to protecting our Nation's critical
infrastructure.
Of greater concern, we know that various terrorist groups
possess advanced vulnerability scanning capabilities and are
very sophisticated and becoming more so each day. The
combination of a cyber attack in conjunction with a physical
attack could magnify the effects of the physical destruction
and create greater mayhem. We all have a role and
responsibility in taking appropriate measures to reduce the
risk and improve our overall information security profile.
In preparation for this hearing, the subcommittee traveled
to the NSA yesterday and continued to be impressed with the
work that is going on out there. We appreciate the efforts of
that agency.
As a Nation, we have taken dramatic steps to increase our
physical security but protecting our information networks has
not progressed at the same pace, either in the public or in the
private sector. The Department of Homeland Security is working
to make strides in this area. I acknowledge the efforts of the
National Cyber Security Division but I remain concerned that we
are collectively not moving fast enough to protect the American
people and the U.S. economy from the real threats that exist
today. Make no mistake, the threat is serious, the
vulnerabilities are extensive and the time for action is now.
New vulnerabilities in software and hardware products are
discovered constantly. According to the CERT Coordination
Center at the end of 2003, there were over 12,000 known
vulnerabilities that could be exploited. They span across
thousands of products from a number of different vendors. With
the increasing complexity and size of software programs, we
likely will never reach a point where no new vulnerabilities
are discovered. However, we need to continue to strive to
improve and develop more advanced tools for testing and
evaluating code.
The problem of newly discovered vulnerabilities is
compounded by the fact that the window the good guys have is
closing. Attackers are exploiting published vulnerabilities
faster than ever. The recent Sasser worm outbreak occurred just
17 days after the patch was released. Although it was largely
contained, it still caused significant disruptions around the
globe.
In addition to the shrinking period from patch to exploit,
attackers are finding faster ways to exploit existing
vulnerabilities previously deemed low risk. In April of this
year, a researcher reported he was able to exploit quickly a
previously known flaw in some of the underlying Internet
traffic technology. It was thought to take between 4 and 142
years to exploit this flaw. The researcher cut the exploit time
down to a matter of seconds.
The rise of mobile computing further complicates the
vulnerability issue. Laptops that were not connected to a
network when the latest patches were released can pick up a
worm or virus and become time bombs waiting to go off when
reconnected to the network. Remote access presents its own set
of new and growing vulnerability challenges. Not only is the
sheer quantity of patches and systems overwhelming for
administrators to keep up with, but also patches can have
unexpected side effects on other system components resulting in
losses of system availability. As a result, after a patch is
released, system administrators often take a long time to fix
other vulnerable computer systems. Configuration management is
a key element of vulnerability management and it is more
challenging in the Federal Government, which has a number of
legacy systems running customized applications that can be
difficult to patch when a new vulnerability arises.
Clearly the challenge of vulnerability management is great.
We must ensure that current systems are cleaned and protected
while at the same time ensuring that new systems do not become
victims. There are tools and strategies available to help
achieve these goals. According to at least one estimate, 95
percent of all network intrusions could be avoided by keeping
systems secure through effective use of vulnerability
management strategies. We need to focus our vulnerability
management efforts on three key ingredients: prevention,
detection and response.
For prevention, we need to do our best to reduce the impact
of inevitable software and hardware vulnerabilities. That means
having systems appropriately identified, configured and
patched. It means producing more secure software and hardware.
It means using new technologies, processes and protocols to
stop attacks dead in their tracks before intrusion occurs.
Detection: even with a strong program of protection,
network intrusions are likely to continue. Detection requires
laser focus. We must always be on our guard so that no
intrusion goes unnoticed. This means a program that includes
vulnerability scanning and intrusion detection capabilities.
Response: once we have detected an attack, we need to have
ways to isolate the intrusion attempt, trigger an incident
response plan when appropriate and limit the potential impact.
Vulnerability management is especially important in Federal
systems. This subcommittee has aggressively overseen
implementation and compliance with requirements of FISMA. FISMA
provides a comprehensive risk management framework for
information security in Federal departments and agencies. At
the end of last year, we released a report card detailing the
largest Federal departments' and agencies' progress in
implementing FISMA. In 2003, the overall Federal Government
received a grade of ``D,'' a slight improvement over the grade
of ``F'' it received in 2002. The reports behind the grade
reveal troubling signs of weakness within the Federal
Government's information security. Of the 24 largest
departments and agencies, only 5 had completed inventories of
their critical IT assets, leaving 19 without. This is troubling
considering we are 4 years into this process and still have far
too many agencies with incomplete inventories.
As we have said in the past, you can't secure what you
don't know you have. You can't claim to have completed the
certification and accreditation process without a reliable
inventory of assets. Cyber attackers specifically target the
Federal Government because of the high value of penetrating or
taking over government systems. A myriad of automated attack
tools are operating around the clock scanning the Internet for
systems to be taken over. Experts suggest that some Federal
systems have already been compromised and are being used as
attack tools even as we speak. I am concerned not only how
future systems will be protected but also how the Federal
Government will take the necessary steps to improve the
security and integrity of current systems. These gaps will
persist until Federal agencies are able to appropriately track
the vulnerability status of all of their systems using accurate
and complete inventories.
For the future, we will continue to monitor the agencies'
implementation of FISMA and OMB's guidance to agencies on
implementing FISMA. Specifically, I would like to see more
detailed guidance and enforcement of FISMA's configuration
management provisions. Also, with the termination of the
Federal Patch Service [FPS] in February 2004, I am looking to
OMB as well as the Department of Homeland Security for their
thoughts about the feasibility of providing centralized patch
management services to civilian agencies as part of an overall
vulnerability management strategy.
In conjunction with oversight of Federal information
security, I remain deeply concerned about the state of
information security in the private sector. Eighty-five percent
of the Nation's critical infrastructure is owned or controlled
by the private sector, thus, maintaining its integrity and
availability is critical to the continued success of the
Nation's economy and protection of the American people.
Worms, viruses, hacking, identity theft, fraud, extortion
and industrial espionage continue to rise exponentially in
frequency, severity and cost. Last year alone, cyber attacks
cost the U.S. financial sector nearly $1 billion according to
BITS, a non-profit financial service industry consortium.
Business leaders are responsible for doing their part to
improve the security of information systems. I have called on
businesses of all sizes throughout the country to consider the
matter of information security as it relates to their business.
Some businesses are clearly elements of the Nation's critical
infrastructure and require a more robust risk management plan.
However, every business has a responsibility to practice at
least basic information security hygiene and do their part to
contribute to the overall security of computers and networks in
this Nation.
Vulnerabilities in software and worms and viruses that
exploit them have become a fact of life for the Internet. The
Government, law enforcement, researchers and private industry
must join together to protect the vital structure of the
Internet and cyber criminals must be rooted out and brought to
justice. Some progress is being made but security is a journey
that never ends.
Today's hearing is an opportunity to examine the challenges
in managing information system vulnerabilities, strategies to
assess and reduce the risk created by these vulnerabilities,
the pace of the Government and private sector's employment of
these strategies in securing their own systems and how
automated tools should be employed in applying those
strategies.
We look forward to the expert testimony that our
distinguished panels of leaders in information security will
provide as well as the opportunity to discuss the challenges
that lie ahead.
[The prepared statement of Hon. Adam H. Putnam follows:]
[GRAPHIC] [TIFF OMITTED] T6992.001 through T6992.005
Mr. Putnam. We will await the distinguished ranking
member's testimony and insert it in the record at the
appropriate time. With that, we will go ahead and ask the first
panel and anyone accompanying you to provide corollary
information to the subcommittee to please rise for the
administration of the oath.
[Witnesses sworn.]
Mr. Putnam. I would note for the record all the witnesses
responded in the affirmative. We will begin the testimony of
panel I with Ms. Evans. On September 3, 2003, Karen Evans was
appointed by President Bush to be Administrator of the Office
of Electronic Government and Information Technology at the
Office of Management and Budget. Prior to joining OMB, Ms.
Evans was Chief Information Officer of the Department of Energy
and served as vice chairman of the CIO Council. Before that,
she served at the Department of Justice as Assistant and
Division Director for Information Systems Management.
Welcome to the subcommittee. You are recognized.
STATEMENTS OF KAREN EVANS, ADMINISTRATOR, E-GOVERNMENT AND
INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET; ROBERT
DACEY, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GENERAL
ACCOUNTING OFFICE; AMIT YORAN, DIRECTOR, NATIONAL CYBER
SECURITY DIVISION, DEPARTMENT OF HOMELAND SECURITY; DAWN
MEYERRIECKS, CHIEF TECHNOLOGY OFFICER, DEFENSE INFORMATION
SYSTEMS AGENCY, DEPARTMENT OF DEFENSE; AND DANIEL MEHAN,
ASSISTANT ADMINISTRATOR, INFORMATION SERVICES AND CHIEF
INFORMATION OFFICER, FEDERAL AVIATION ADMINISTRATION
Ms. Evans. Good afternoon, Mr. Chairman. Thank you for
inviting me to speak about vulnerability management strategies
and technologies.
In the past few years, threats in cyber space have risen
dramatically. Hackers routinely attempt to access networks and
to disrupt business operations by exploiting software flaws.
Because of this threat, Federal CIOs devote considerable
resources to the remediation of software vulnerabilities.
Currently, due to the large number of vulnerabilities
discovered each year, agencies must correctly determine which
patches to implement immediately and which to schedule for the
next maintenance cycle, while sustaining their current service
levels for their customers. Given the rise in the number of
identified vulnerabilities, this task is becoming more and more
of a challenge. As agencies' information technology security
programs mature, the Federal Government is moving away from a
reactive remediation approach for dealing with IT security
vulnerabilities. Through implementation of guidance and
policies that promote sound risk management, the use of
automated tools and development of a culture where security is
ingrained in planning and development of systems life cycles,
the Federal Government is evolving toward a more proactive
approach to deal with vulnerabilities existing within
information technology applications systems and networks. As a
result, we will be able to focus resources on analytical trend
analysis, the use of benchmarks, leveraging buying power and
cooperative work with industry leaders to ensure software
development meets our needs and is safer out of the box.
The Federal Government uses several preemptive strategies
to assess and reduce the risk created by software
vulnerabilities before vulnerabilities are exploited. First,
CIOs are required by the Paperwork Reduction Act to maintain a
current and complete inventory of the agencies' information
resources. Each system identified in the inventory must undergo
a threat assessment and a certification and accreditation [C&A]
consistent with national standards and guidance.
In addition to a system inventory and required system
C&As, agencies must institute a configuration management
process. This process is intended to be closely tied to the
system inventory, establishing an initial baseline of the
configurations associated with existing hardware and software.
The purpose of a configuration management process is to
facilitate change to the baseline by ensuring security
configurations are addressed in a standardized manner. This
helps to prevent misconfigurations leading to vulnerability
exploits. Configuration of mobile devices and perimeter
security devices such as firewalls and intrusion detection
systems is especially important since configurations help to
mitigate risk at points where the agency's network is
vulnerable to threats from outside their own network.
All IT systems should be configured in accordance with
security benchmarks. Working with the agencies and other
industry security experts, organizations such as the Center for
Internet Security produce security benchmarks to reduce the
likelihood of successful intrusions. Likewise, NSA provides
security configuration guides to the Department of Defense and
other Government agencies. The Cyber Security Research and
Development Act formally tasks the National Institute of
Standards and Technology to develop security settings for each
hardware and software system that is or is likely to be used
within the Federal Government. The Federal Information Security
Management Act [FISMA], is a critical mechanism used to drive
protection of Federal systems. According to fiscal year 2003
FISMA data, a number of departments and agencies in some cases
had incomplete inventories of hardware and software assets.
OMB's fiscal year 2004 FISMA reporting guidance asks the
agencies' inspectors general to comment on whether agencies are
updating their inventory at least annually and whether the
agency and the IG agree on the total number of systems.
FISMA requires each agency to develop and enforce
compliance with specific system configurations. This year both
the CIO and the IG must report on the status of agency-wide
policies regarding standard security configurations.
Additionally, agencies will be asked to list the specific
benchmarks which are in use. Because worms and viruses can
cause substantial damage, Federal agencies must take proactive
measures to lessen the number of successful attacks. Agencies
use antivirus software with automatic updates in order to
detect and block malicious code. DHS' Computer Emergency
Readiness Team reports only a few agencies were impacted by the
recent Sasser worm. In general, the Federal Government has
withstood cyber attacks with minimum impact on citizens. Patch
management is an essential part of the agency's information
security program and although fiscal year 2003 FISMA data
demonstrates that most agencies had a formal process in place
for the dissemination of security patches, in several cases IGs
had concerns with the timeliness of the distribution of
patches. OMB's fiscal year 2004 FISMA reporting guidance asks
whether agency configuration requirements address the patching
of security vulnerabilities.
Federal agencies are required to test the technical
controls of every system identified in the agency's inventory.
Last year, the 24 largest agencies reported that they had
tested an average of 64 percent of their systems. As part of
OMB's fiscal year 2004 FISMA guidance, agencies will be asked
to specifically report on the use of vulnerability scans and
penetration testing. Many agencies rely on automated inventory
tools to accurately collect hardware and software information
from computers across the enterprise. These tools record the
presence of unauthorized software as well as outdated software
versions. Automated inventory tools reduce the expenditure of
staff time and simplify the process of gathering information
from computers in multiple locations. Departments and agencies
frequently use system and network vulnerability scanners to
quickly identify known weaknesses in their infrastructures.
Software scanners locate the vulnerabilities using a
database of already catalogued system weaknesses.
Agencies are constantly refining their management processes
to assure risks and threats from vulnerabilities are being
handled in a strategic and proactive manner. This is being
accomplished through the adherence to guidance and standards,
configuration management, implementation of benchmarking and
the increased use of automated tools to detect and preempt
exploits of vulnerabilities. By taking a proactive approach,
the Federal Government will be poised to deal with threats
posed from cyber space. OMB will continue to work with the
agencies and the Congress to ensure appropriate vulnerability
management strategies and technologies are in place. These
measures will minimize disruption of service and preserve the
integrity and the availability of Federal systems.
I am pleased to take questions at this time.
[The prepared statement of Ms. Evans follows:]
[GRAPHIC] [TIFF OMITTED] T6992.006 through T6992.010
Mr. Putnam. Thank you, Ms. Evans.
Our next witness is Robert Dacey. Mr. Dacey is currently
Director of Information Security Issues, U.S. General
Accounting Office. His responsibilities include evaluating
information system security in Federal agencies and
corporations, assessing the Federal infrastructure for managing
information security, evaluating the Federal Government's
efforts to protect our Nation's private and public critical
infrastructure from cyber threats and identifying best security
practices of leading organizations and promoting their adoption
by Federal agencies.
In addition to many years of information security auditing,
Mr. Dacey has also previously led several GAO financial audits.
You are recognized for 5 minutes. Welcome to the
subcommittee.
Mr. Dacey. Mr. Chairman, members of the subcommittee, I am
pleased to be here today to discuss patch management and steps
agencies can take to mitigate information security risks
resulting from software vulnerabilities. Today we are releasing
our more detailed report on this subject which was requested by
this subcommittee as well as the full committee. As you
requested, I will briefly summarize my written statement.
The exploitation of software vulnerabilities by hackers and
others can result in significant damage to both Federal and
non-Federal operations and assets ranging from Web site
defacement to gaining the ability to read, modify or delete
sensitive information, destroy systems, disrupt operations or
launch attacks against other organizations. Such risks continue
to grow with the increasing volume of reported security
vulnerabilities, the increasing complexity and size of computer
programs, the increasing sophistication and availability of
easy to use hacking tools, the decreasing length of time from
the announcement of a vulnerability until it is exploited,
which is evidenced by the chart on the easel. As you can see,
that has been steadily decreasing to the point where we will
have exploits within a day of the announcement of
vulnerability, so-called zero day exploits and those are
becoming more commonplace as we go forward. Another risk factor
is the decreasing length of time for attacks to propagate
throughout the Internet.
There have been a number of Federal efforts to address
patch management which Ms. Evans summarized, including the
FISMA reporting requirements as well as guidance. Also, a
number of commercial tools and services are available to assist
agencies in performing patch management functions more
efficiently and effectively.
In our testimony last September before this subcommittee,
we described several key elements of an effective patch
management program, including standardizing policies,
procedures and tools, performing risk assessments and testing
patches, and monitoring system status. Responses to our survey
of 24 major Federal agencies included the reported status of
agency information and implementation of these key patch
management practices.
All 24 agencies consistently reported having adopted
certain of these practices, including involving senior
management, developing system inventories, and providing
information security training. However, agency implementation
of other key practices varied. For example, one-third reported
not having developed agencywide patch management policies and
about 40 percent reported having no agencywide patch management
procedures in place.
Two, just under half of the 24 agencies said they performed
documented risk assessments of all major systems to determine
whether to apply a patch or work around, while others reported
they considered various factors before implementing the patch.
While all 24 agencies reported that they test some patches
before deployment, only about 40 percent reported testing all
and only 4 of the 24 reported they monitor all of their systems
on a regular basis to assess their networks and patch status,
while others indicated they performed some level of monitoring
activities. Without consistent implementation of patch
management practices, agencies are at increased risk of attacks
that can exploit software vulnerabilities in their systems.
Security experts and agency officials identified several
challenges to implementing effective patch management
practices, including the high volume and frequency of patches,
the patching of heterogeneous systems typically found in
Federal agencies, ensuring mobile systems receive the latest
patches, patching high availability systems and dedicating
sufficient resources to patch management. In our report, with
which OMB generally agreed, we recommend that OMB instruct
agencies to provide more refined information on patch
management practices in their FISMA reports and to determine
the feasibility of providing selected centralized patch
management services to assist Federal agencies.
In addition to implementing effective patch management
practices, our report also identifies several additional steps
that can be taken to address software vulnerabilities
including, one, employing more rigorous software engineering
practices to reduce the number of potential vulnerabilities;
two, deploying a layered defense in-depth strategy against
attacks; three, ensuring strong configuration management and
contingency planning practices; and four, researching and
developing new technologies to better prevent, detect and
recover from attacks as well as to identify perpetrators.
Mr. Chairman and members of the subcommittee, this
concludes my statement. I would be pleased to answer any
questions you or other members of the subcommittee may have at
this time.
[The prepared statement of Mr. Dacey follows:]
Mr. Putnam. Thank you, Mr. Dacey.
Our next witness is Amit Yoran, the Director of the
National Cyber Security Division, Department of Homeland
Security. This division provides security services such as
cyber space analysis and vulnerability alerts and warnings to
both the public and private sector.
Before taking this position, Mr. Yoran served as the vice
president of Worldwide Managed Security Services at the
Symantec Corp. He also served as an officer in the U.S.
military, as the Vulnerability Assessment Program Director for
the U.S. Department of Defense's Computer Emergency Response
Team and supported security efforts for the Office of the
Assistant Secretary of Defense.
He is a graduate of the U.S. Military Academy at West Point
and received a Masters of Computer Science from George
Washington University.
Welcome to the subcommittee.
Mr. Yoran. Good afternoon, Chairman Putnam and
distinguished members of the subcommittee. I am pleased to have
an opportunity to appear before this committee to discuss DHS'
initiatives focusing on vulnerability management.
Today's infrastructures' interdependence on computer and
control systems represents significant challenges in managing
system risk. Many vulnerability management efforts can be
characterized as a cat and mouse game of discovery, system
patching, exploitation and incident response. We have several
efforts well underway to best leverage Federal resources and
collaborate with the private sector. While I am proud of our
efforts to date, I also recognize that this is only the very
beginning of an ever maturing process. My experiences continue
to strengthen my conviction that fundamental changes in
software and hardware architecture are required for us to break
out of this cat and mouse cycle and change the fundamental
paradigms of cyber security.
A major element of successful vulnerability management
includes dynamic 24-7 situational awareness capabilities and the
mechanisms for response. The Department of Homeland Security in
partnership with Carnegie Mellon University's CERTCC has
created the U.S. CERT to serve as a national focal point for
response and partnership among and between public and private
sectors. Already the U.S. CERT has created a national cyber
alert system.
Only through an active and productive working relationship
with the private sector can we hope to achieve the type of
situational awareness necessary and core capability required
for our Nation to respond and recover from cyber incidents. To
that end, U.S. CERT has over the past few months developed
coordination activities and 24-7 interactions with the
operational elements of the 14 ISACs of our Nation's critical
infrastructures. We are actively growing these relationships to
foster trust and gain a better appreciation for one another's
capabilities, relative strengths, and understanding for how we
might be able to work together during time of crisis. This
initial operational interaction with the ISACs has been very
warmly received and represents a fundamental building block for
the public/private partnership.
We have also increased our efforts interacting with cyber
experts in the private industry who might be able to provide
great value to the Nation in interpreting cyber activities as
they unfold. I commend those entities in the private sector
which have already stepped up to the plate in helping the U.S.
CERT in this ongoing and collaborative effort.
It is our goal that this will result in a more structured
partnership program this summer. The U.S. CERT Partner Program
will become the cornerstone of national cyber security
coordination for preparedness, analysis, warning and response
efforts across the public and private sectors. Such a
partnership and early warning network has already been
specifically called for by the National Cyber Security
Partnership's Early Warning Task Force recommendations and
other advisory bodies and entities.
The U.S. CERT is developing a focused control system center
to specifically look at cyber vulnerabilities, exploits,
protective measures and coordinate response activities within
the critical infrastructure control systems. This Control
System Center will work with the control systems and SCADA
vendor communities, ISACs and operators to increase awareness
of and attention to security considerations in the operation of
our Nation's critical infrastructures. The Control System
Center will also include the development of a control system
test bed facility.
Over the past 3 months, we have helped the public sector
better organize itself in the area of cyber security, first,
through the creation of the Government Forum of Incident
Response and Security Teams. Those individuals and
organizations responsible for cyber incident response within
the Federal community are sharing information and better
coordinating their defensive efforts. Second, we have created
the Chief Information Security Officer Forum for the CISOs of
the Federal Government to share common experiences, challenges,
techniques, programs and capabilities. Those CISOs, the
operators responsible for securing the information systems in
the Federal Government, have specific efforts underway in the
areas of FISMA, patching and configuration management and
incident reporting and response.
In addition to helping the Government better secure its
cyber space, we are preparing the Federal Government to bring
its resources to bear in a more coordinated fashion during time
of cyber crisis. Through the creation of the Cyber Interagency
Incident Management Group, departments and agencies with
significant security operating capabilities and authorities to
operate in the cyber realm are already preparing coordinated
Federal action.
The efforts I have mentioned constitute only a portion of
the national programs underway, not only within the Department
of Homeland Security and the Federal Government but most
importantly within the private sector to address cyber
vulnerabilities. While these efforts are improving our
preparedness, the most effective step toward vulnerability
management must occur through the prevention step. A clear
focus on improved software assurance must become a cornerstone
for the public/private partnership. The Software Assurance Task
Force of December's Cyber Security Summit has made numerous
specific recommendations to improve the quality of code
throughout the software development life cycles. Those
recommendations and others underway are fundamental for the
private sector to mitigate risks and assure software integrity,
reducing the numbers and impact of vulnerabilities we will face
in the future.
Industry leaders such as Microsoft and others have enhanced
their development processes. Their adoption of best practices
may lead to a decline in vulnerabilities in server software and a
corresponding reduction in the number of patches for their
customers. Oracle and others are committed to more secure
products and have undergone numerous security evaluation
efforts of their products. We commend those who are making
security improvements a clear priority for their development
practices and for their business.
Thank you for the opportunity to testify before you today
and I would be happy to answer any questions you may have at
this time.
[The prepared statement of Mr. Yoran follows:]
Mr. Putnam. Thank you, Mr. Yoran.
Our next witness is Dawn Meyerriecks, the Chief Technology
Officer of the Defense Information Systems Agency, who provides
technical direction for Defense's Global Information Grid
initiative. Before joining DISA in September 1995, Ms.
Meyerriecks was the Chief Architect for the Army Global Command
and Control System.
She attended Carnegie Mellon University and was awarded a
Bachelor of Science Degree in electrical engineering with a
double major in administration and management science. She has
also received a Master of Science in computer science from
Loyola Marymount University. Her awards include InfoWorld 2002
CTO of the Year; Federal Computer Week 2000 Top 100; and the
Presidential Distinguished Service Award in November 2001.
Welcome to the subcommittee. You are recognized.
Ms. Meyerriecks. Thank you, Mr. Chairman. It is my
privilege to testify for this august body on vulnerability
management in the Department of Defense today. You do have
handouts of slides and I would like to speak to those. Because
we actually put some statistics and reporting on ourselves, it
would probably be useful for you to glance at those as we go
through the presentation.
Let me start with slide 2 to explain where DISA sits in
terms of the Department of Defense. We are the IT integrator,
we are the joint acquisition, engineering and operations
organization within the Department of Defense and 50 percent of
our 8,000 personnel are deployed to the field at any particular
point in time. If you look at that particular slide, we put in
the wide area networks, we run the computing centers and we
also build the applications stack for joint command and control
and joint combat support operations, as well as a number of
other things we do on the righthand side of the slide. We do
White House communications support to the President and a
number of related computer science and electrical engineering
systems engineering things that actually pull the whole
capability together as the backbone infrastructure that
supports the Department of Defense. I thought that was
important to go through that to give you kind of where we sit
in terms of DOD responsibilities.
If you will move with me to the next slide on incidents
reported, you can see by the curves that some interesting
things are happening. The initial curves are related to the
fact that this is kind of a relatively new sport but also that
we got better in terms of detection. You see fairly steep
curves in terms of year over year, 1997 to 2002. You will
notice that it flattened a bit between this year and last year
and we attribute that, based on ongoing analysis, the fact that
we have tightened our NIPRNet/Internet gateways. Our NIPRNet
is the DOD's intranet, if you can envision it as our corporate
intranet, and we actually tightened up a great deal of the
protocols that we make available to the Internet community in
terms of the kinds of traffic that we pass. At least so far
that looks like that has been a very key strategy for us. It is
a big part of our Defense in-depth approach. I wanted to
highlight that as we move into the vulnerability management and
talk about the servers and computers in the department that we
don't count on any one of these in order to address the
problem, we actually are putting in checks and balances in as
many places as we have opportunity.
On the next slide, I am going to drill down on the two
sorts of most onerous access problems we see from a computer
perspective. We have a whole categorization that we have worked
across the community and we are going to spend a little time on
that. Assuming you are familiar with unauthorized root access
and unauthorized user access, let me give you two examples.
Unauthorized root access in a command and control application
would say that somebody who achieved that could actually change
the position of friendly or enemy forces anyplace on the planet
if they were at the right server, pretty onerous for us.
Unauthorized user access would say that if I were the actual
track manager for my position in terms of the ship if I am on
ship, I could only change that particular piece for which I
have legitimate access. Those are the two sorts of things we
worry about most in terms of impact to mission.
If you will turn with me to the next slide which is serious
incidents in DOD, if you keep in mind those two situations then
you can see the graphs. It is a relatively busy slide but I
will tell you the trend for user level access is slightly
downward if we smooth those curves. The trend for CAT1 root or
administrator access is slightly upward if we smooth those
curves. The good news is that overall this represents 4 million
computers in the unclassified environment that the DOD supports
and the number of incidents actually relates to the number of
computers that have been compromised at that level. So the good
thing is in orders of magnitude, clearly 35 is still something
to be worried about given the magnitude of the work that we do.
If you will turn to the next slide, No. 6, why did these
attackers succeed, I think we have shown these slides in the
past or similar slides that match the statistics my colleagues
have spoken to, 90 percent, based on the data we collect and we
run the DOD CERT, are preventable. You can see the progress we
are making there in terms of 26 percent of those we actually
are ahead in terms of having issued an information assurance
vulnerability alert to the department that people are required
to act on within prescribed time constraints and the 64 percent
my colleagues have talked about in terms of misconfigurations
and the configuration management point you made in your opening
statements, there is still 10 percent that we can't predict and
that we deal with as they occur.
If you will turn to the next slide, this is a pretty
simplistic statement of what it is we are trying to do. We try
to put these out so that it is very simple for folks to follow
what their job is particularly our system administrators and
our operators, those charged with protecting the IT assets of
the Department.
This will be my final slide, steps to the goal, there are
drilled down slides that are provided further in the brief that
talk to each one of these points. We have done a couple of
things this year that I think are very important that we
articulate. One is we have put in place a clear chain of
command. There is a single belly button now that is responsible
for the status of the IT infrastructure in the Department. It
is a four star and we are a component of supporting that four
star. His or her responsibility today is to monitor, manage and
operate the network and the associated IT assets.
The steps to the goal, the preventive, proactive piece, we
have put together secure configuration guidance in concert with
the National Security Agency and we make those broadly
available. We have had some success with actually getting
vendors in step two to ship us products that are configured
from their factories that are in compliance with that secure
guidance so that we actually get components from the factory
that are already configured accordingly. We also distribute
gold disks for those that want to start from scratch with
computers that are not configured that way and provide
antivirus software at an enterprise level not just to the
Department in terms of IT assets that we own but also for home
computer use. We find a lot of times one of the problems is
people bring in disks that are actually infected. That way we
can preclude some of that.
Step three, we have a very robust set of patch servers
stood up not only on our intranet but also on our classified
network so we can keep current. We have the IAVA process I
talked to and we are in the process of procuring for the
Department an automated remediation tool so that we can take
inventory and apply patches as they become available as it
makes sense to do so.
Step four is the state of all the computers we have in the
process of this procurement but we also send out compliance
teams that do on the order of several hundred visits a year and
we are training the services to be able to do this themselves
as well. We also spot check that people are keeping their
configurations current.
With that, I am happy to take any questions the committee
has.
[The prepared statement of Ms. Meyerriecks follows:]
Mr. Putnam. Thank you. Is belly button a technical term or
is that Defense jargon? [Laughter.]
Our next witness is Daniel Mehan, the Assistant
Administrator, Information Services and Chief Information
Officer, Federal Aviation Administration. In that capacity, he
is the principal advisor to the Administrator on the agency's
information technology and directs strategic planning for
information technology across the agency. He oversees the
implementation of the FAA's information system security,
E-Government and process improvement programs.
Prior to joining the FAA, Mr. Mehan spent 30 years at AT&T
where upon his retirement he served as international vice
president for quality and process management.
Mr. Mehan graduated from Drexel University with a
Bachelor's Degree in electrical engineering. He also has a
Master's in systems engineering and a Ph.D. in Operations
Research from the University of Pennsylvania.
Welcome to the subcommittee. You are recognized.
Mr. Mehan. Good afternoon, Mr. Chairman and members of the
subcommittee. It is my pleasure to appear before you today to
provide a perspective on the challenges of securing information
systems in a Federal/civilian agency and to share with you the
model the FAA has developed to address these challenges over
the next several years.
I would like to commend the subcommittee for holding this
hearing on the effects of our cyber security program and to
acknowledge my colleague, Lisa Schlosser, the Department's
Associate CIO for Information Technology Security.
The FAA maintains, operates and regulates the largest and
most complex aviation system in the world. Effective management
of a vast web of information about aircraft, weather, runway
conditions, navigational aids and a myriad of other elements is
paramount to accomplishing our mission. To secure its cyber
infrastructure, the FAA is implementing an android model for
cyber defense, depicted on the easel to your left, that emulates
one of the most resilient systems in the world, the human body.
This holistic view enables the agency to address both short and
long term cyber security objectives within the context of a
unified framework.
There are six principal elements of the android cyber
defense and they are analogous to six facets of the human
body's defense. The three on the left side of the android,
architecture simplification, element hardening and boundary
protection, are the ones that have received the most attention
historically and I would like to address them first.
Architecture simplification is analogous to nutrition and
exercise. It is designed to ensure that the cyber
infrastructure is in good shape to resist an attack. In this
area, we are developing a technical reference model and common
access architecture that will become the road map for effective
information technology applications in the future. We are also
ensuring that the number of systems in our inventory declines
over time as we establish a more streamlined information
technology architecture.
Element hardening is analogous to protecting major organs
such as the heart and lungs. This element focuses on
vulnerability management since it is about discovering
vulnerabilities and setting priorities to conduct remediation.
The FAA will complete security certification and authorization
packages on more than 95 percent of its systems by the end of
this month. In addition, more than 1,600 FAA servers are
scanned on a regular basis in order to identify and reduce the
number of vulnerabilities per server. Results in these areas
are included as key metrics in the FAA's overall management
plan known as our flight plan which is reviewed monthly with
Administrator Blakey.
With respect to patch management, the FAA has established
policy and is currently using patch management tools to deliver
software patches on our systems. We are also completing the
requirements for a departmentwide patch management tool set
which will allow for an enterprise-wide license and
standardized approach.
Boundary protection is analogous to skin and membrane. It
is the first line of defense against invaders. The FAA has
significantly improved its boundary defense by reducing the
number of authorized Internet access points, by implementing a
new email system that reduces the number of mailboxes from 855
to 12 and by beginning to deploy the new FAA telecommunications
infrastructure.
We believe there are tangible benefits being gained from
our focus on the three left side elements of the android
demonstrated by the fact that the agency and the Department
have fared well in the recent cyber storms of Sasser, Blaster
and Nimda. That said, there is much more to do.
The FAA is on a path to modernize its air traffic systems
and to use more commercial, off the shelf products. The agency
will also augment the three elements on the right side of the
android model: orderly quarantine, systemic monitoring and
informed recovery.
Orderly quarantine is analogous to the human body's immune
system. We need a cyber immune system that can find, analyze
and cure previously unknown viruses faster than the viruses can
spread. Human intervention must be eliminated for portions of
the defense because of the necessity to react quickly.
Increased research will be required in the coming years to
develop practical defense capabilities in this challenging area
and it is an area where people, process and technology must be
blended.
Systemic monitoring is analogous to monitoring the vital
signs of the body on a continuous basis. The FAA wants to
implement an IT infrastructure that can detect failures in near
real time and protect and heal itself. This capability requires
the system to know its environment and to act accordingly. Self
awareness and autonomic capabilities are still embryonic. One
challenge in these operations is that input from a large number
of network sensors involves enormous amounts of data that must
be processed. The FAA has begun incorporating into its Computer
Security Incident Response Center a data fusion capability
using the next generation of tools to conduct data aggregation
and event correlation to detect anomalous behavior.
Informed recovery is analogous to medical regimens such as
administering antibiotics and undergoing surgery. Informed
recovery in complex information systems is the set of actions
that occur after there has been a cyber security incident. For
the FAA these actions will include advisories from our CERT,
established procedures to be followed during an alert and orderly
backup and recovery mechanisms. Since a key requirement is to
shrink response time, one of the near term goals is to converge
vulnerability scanners, trouble ticketing programs and patch
management software in order to automate more of the process
from scanning to notification to remediation. The private
sector can advance this initiative by exporting system message
logs to an external bus so that this information can be used in
real time with the other data sources.
To conclude, Mr. Chairman, the FAA, with the entire
Department of Transportation, is complying fully with FISMA and
has fared well using its multi-layered defense approach in the
face of recent viruses and worms. That said, cyber defense over
the balance of this decade must rely on the total android. The
FAA will meet this challenge through a coordinated application
of traditional and emerging techniques that provide a
comprehensive approach to cyber defense. The android model
presents a unifying framework for addressing cyber security on
such a comprehensive basis.
To make one final human analogy, no one can guarantee we
will never catch a cold but we need to be sure it doesn't
become a case of pneumonia. The FAA and the Department of
Transportation are dedicated to achieving that objective.
That concludes my remarks, Mr. Chairman. I would be pleased
to answer any questions you may have.
[The prepared statement of Mr. Mehan follows:]
Mr. Putnam. Thank you, Mr. Mehan.
Mr. Clay, would you like to make any opening statements?
Mr. Clay. No, I will forego the opening statement and get
right to the questioning.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
Mr. Putnam. Very well. I will recognize you for 5 minutes.
Mr. Clay. Thank you, Mr. Chairman, for holding this
hearing. I guess I had better start with Mr. Dacey.
I would be interested to know your views on whether FISMA
ought to be reexamined to address issues of cyber security in
the Federal Government? Are there specific issues that should
be addressed in this Congress, in particular?
Mr. Dacey. In terms of FISMA, I think the law itself is
fairly complete and comprehensive. I think there are a number
of steps still underway, certainly the development of standards
by NIST, the continuing refinement and development of some of
the performance measures and reporting processes to assist the
Congress in oversight. At this point, I don't have any specific
changes that would be required but I do suggest that Congress
should continue, and this subcommittee in particular, as it
has, to monitor the progress of FISMA's implementation. There
certainly have been challenges identified that need to be
addressed and those need to go forward and continue to be
monitored and improved over time.
Mr. Clay. Based upon your survey, what patch management
practices do agencies need to focus on?
Mr. Dacey. The areas that we looked at, and this is a
survey and self reported information, but overall, we found
there were some practices that were consistently applied. I
think the area that was interesting to me personally was the
number of agencies that did not have agencywide patch
management policies and procedures. I think what I said before
was a third said they didn't have agencywide policies and about
40 percent said they didn't have procedures. I think that is an
important area because unless you have a consistent approach to
patch management in the agency, there is a high likelihood that
you are going to do it in an ad hoc manner and be consistent in
protecting your infrastructure.
In terms of some of the other areas, I think in risk
assessments in terms of testing and monitoring, I think all the
respondents said they were doing some level. There were some
agencies, however, that were kind of at the top end, testing
all patches, doing formal risk assessments. I think there is
some variation in the extent to which they are applying those
practices and that might be something to continue to look at
and determine whether or not some of those agencies should come
up a level in terms of their adoption of those practices.
Mr. Clay. Thank you for that answer.
Mr. Yoran, your testimony mentions efforts underway to
develop a comprehensive operational partnership called the U.S.
CERT Partner Program for Improved Security Response Efforts.
Can you describe for us the key changes that you feel will
demonstrate improvements over current U.S. CERT efforts? Is the
private sector embracing these efforts or are there pockets of
resistance within certain industries or sectors?
Mr. Yoran. There are a number of improvements between the
partnership program which the U.S. CERT is undertaking and the
existing paradigm. In many cases, the national response in
cyber security has historically been coordinated by a number of
private and trusted relationships and we will continue to
encourage those relationships but at the same time, we
recognize a need as our Nation's dependence on technology
increases, the need for us to institutionalize many of those
interactions and institutionalize the response as a Nation to
cyber activities and incidents. So the focus in the partnership
program is to really extend the existing practices surrounding
incident response, to institutionalize them, to promote the
dialog and structured relationships that can promote a more
effective response going forward.
In terms of reluctance or resistance to such a partnership
program, we have been very encouraged by the enthusiasm of the
private sector to interact with the Department of Homeland
Security and in fact with the other departments and agencies in
the Federal Government in a coordinated national response
activity. So I think in large part, we are very pleased by the
response.
Mr. Clay. Let me ask, did you deploy any of the national
cyber alert systems recently with the different viruses and
worms and how did that work?
Mr. Yoran. We have issued a number of alerts. The National
Cyber Alert System went live January 28, 2004. We have issued a
number of alerts based on our analysis, based on feedback in
collaboration we have had with other departments in the Federal
Government and also with numerous entities in the private
sector providing us their analysis and opinion on severity of
vulnerabilities and the breadth of ongoing activities.
In terms of the effectiveness of that program, we have had
in just a few months time over a quarter of a million direct
subscribers, people looking for the types of information which
we are publishing to them and we have also established
relationships with other programs such as InfraGard and other
entities which are actively engaged in responding to cyber
security activities. They are also distributing that
information. So we are pleased with the progress of that alert
system and the private sector has also engaged us in numerous
incidents where they want to leverage our capability to help
get out the word about a particular vulnerability. A case of
that might be where Cisco had a number of vulnerabilities a few
weeks ago and they wanted to ensure that the word got out about
those vulnerabilities to the folks responsible for protecting
those routers. Through that relationship, we are able to help
them in that effort.
Mr. Clay. For Ms. Meyerriecks, how do you assess the risk
associated with different vulnerabilities? Does this affect
your approach in monitoring your networks for vulnerabilities
and attacks? In one of your handouts, you talk about DOD
employees using their personal home computers. How secure is
that practice?
Ms. Meyerriecks. Let me make sure that I clarify that. Our
employees use not their work computers but their personal
computers at home and when they find something that is useful
and many of us work long hours, I am sure you can relate, they
may in fact bring in a disk or some other media. When we did
the enterprise license for antivirus and associated things, we
actually licensed it such that they could also use it for home
use on their home computers.
Mr. Clay. I wonder how much work they actually take home. I
am just curious.
Ms. Meyerriecks. At least some of us work lots of hours
which I am sure you can relate to. I just wanted to be clear on
that.
The reason we categorize the threats is a risk assessment
strategy that we take and if it is categorized as a relatively
low threat, then we can react to that at a different pace than
we would if something looked like it could cause a real
compromise. That is intrinsically why we categorize things. The
things I talked about today, the category I and II, are those
things we think would have most mission critical impact. We
work those at a much higher priority, much higher pace. In lots
of cases, we are actually supplying to other folks the code and
sharing information very, very early on so that we are
positioned to respond very quickly to the threats before they
become widely known, publicly or can be exploited. That is part
of our risk management mitigation strategy that we have
categorized things to respond in that way.
Mr. Clay. Thank the panel for their answers.
Thank you, Mr. Chairman.
Mr. Putnam. Thank you, Mr. Clay.
Ms. Evans, in FISMA, there is a section that targets
vulnerability reduction requiring each agency to develop
specific system configuration requirements. Can you elaborate
on the steps that have been taken or will be taken to enforce
this provision?
Ms. Evans. We have sent out our draft FISMA reporting
guidance to the agencies for this year, fiscal year 2004. We
are specifically asking questions about how they are putting
together the configuration management and how they are managing
that particular aspect of the act. As I said in my statement,
we are asking specifically if they are using industry
benchmarks, how they are managing the process and how they
identify vulnerabilities. This is an ongoing process of which
the IGs are also involved through verification of agency data
and assessment of the process and look at how the agency or
department manages the IT security program overall. We
are specifically addressing the configuration management issue
this year as well and asking the IGs to look at that.
Mr. Putnam. Part and parcel of that, how great an obstacle
is it that so few agencies have completed the reliable
inventory of assets? How does that play into vulnerability
management?
Ms. Evans. As we previously discussed during the March
hearing, we agree that this really is the heart and soul of the
issue and that it is difficult for an agency to say they have
secured 90 percent of their systems if there isn't a good
management process in place to identify the inventory of those
systems. Again, in the fiscal year 2004 guidance, we are
stressing that point and asking the IGs to look at how that
process is being managed within the agency and whether
inventory is being updated. We have taken your concerns very
seriously and we too have asked those questions.
As you know in the scorecard one of the criteria that is in
place in order for agencies to go green, they have to be able
to show that they have certified and accredited 90 percent of
their systems. The basic question we are asking is, how they
identify the 90 percent, and how they can assert that this 90
percent is based off of the covered inventory and whether there
is a good process in place to manage this inventory before an
agency will really move to green.
Mr. Putnam. Mr. Yoran, FISMA also requires each agency to
establish minimum security configuration standards for the
system they deploy. I would expect DHS is the leading agency in
meeting this requirement so that other agencies can learn from
your experience. What have you done to develop minimum security
benchmarks?
Mr. Yoran. We are working actively with a number of
organizations within the Federal Government to help establish
those standards. Clearly it is not an effort which can be done
within the Department of Homeland Security in isolation. To
that end, we are working with NIST on those efforts and we are
also working with the Center for Internet Security and making
sure that the standards which are produced by the Center are
readily available to those departments and agencies should they
choose to adopt them for their own systems. It is also an area
where we believe significant progress can be made working with
vendors and encouraging them to take stewardship for their
products in producing security configuration guidelines for
those products, not only for the Federal departments and
agencies but for use in the private sector as well.
Mr. Putnam. Is it that partnership or some other testing
facility that you have established to ensure applications are
not negatively affected by the more secure configurations?
Mr. Yoran. There are a number of testing labs and
facilities both in the private sector and in the public sector
to focus on vulnerabilities and configuration management. Our
effort, specifically in the Control Systems Center of U.S. CERT
and the test bed facility is to look at the control system and
SCADA applications which are in use in the critical
infrastructures and to increase emphasis, focus and testing of
their security features and mechanisms.
Mr. Putnam. Section 3544 of FISMA describes Federal agency
security responsibilities as including ``information systems
used or operated by an agency or by a contractor of an agency
or other organization on behalf of an agency.'' That same
section also requires that each agency provide information
security for the information and ``information systems that
support the operations and assets of the agency, including
those provided or managed by the agency, another agency,
contractor or other source.'' OMB's guidance in 2003 states,
``Agencies are responsible for ensuring appropriate security
controls for third party systems that have access to Government
systems.''
In my 2003 FISMA report card, the majority of agencies had
not reviewed FISMA compliance with their contractors. What
steps are being taken to remedy this and who is, to borrow Ms.
Meyerriecks' term, who is the belly button to ensure this is
happening? We will start with you, Ms. Meyerriecks.
Ms. Meyerriecks. Because of the sensitivity of the mission
that the Department has, we have for many years put in place in
our contract and acquisition strategy security criteria,
particularly for developers and administrators of mission
critical classified systems. That has been a common practice
for us for a number of years. I want to distinguish a couple
different levels of contract support that we do. There are
contractors that administer systems in our environment, on our
behalf. They fall into the exact same set of criteria that any
of us do as a Government or military employee of the Department
of Defense. It may be contractor maintained but it is a
Government asset, so we apply the exact same physical security,
information technology security. That is in our best interest
and we have done that because of the criticality of the
mission.
The second level I think is what you were poking at more
directly and that is the people that supply products to us.
Those folks, because of the acquisition strategy that we have
in place, have to fall under the same sort of criteria. For
example, if you are doing mission critical command and control
for us, then there is a common security classification
clearance required as well as for example, contractors cannot
work in our building unless they have a secret level DOD
clearance and have had that in place for quite some time.
If you are poking at the commercial industry, that is
another step we would need to work with OMB and the rest of the
agencies to look at what the implications are there. That is
very far reaching as you are well aware.
Mr. Putnam. Ms. Evans.
Ms. Evans. As part of our FISMA guidance, we do provide a
question and answer section to clarify these types of issues
going forward to the agencies. As far as asking who is
responsible, the way that FISMA is set up, each agency head is
responsible for the management of their overall security
program. Therefore, if they make use of multiple contract
services, the issue of how they manage their overall security
profile needs to be addressed. We are planning to look at that
this year along with the other issues that we have talked
about, such as configuration management.
Mr. Putnam. Mr. Dacey, do you want to add anything to that?
Mr. Dacey. Just a couple comments. When we did the first
GISRA implementation, identification was made that contractor
systems were a problem because a lot of agencies weren't
considering them. In last year's FISMA reporting we got a bit
of improvement but there was a discrepancy to some extent in
this particular measure between the IGs and the CIOs reporting
the information. The CIOs said as my records indicate 22
agencies said they did manage and monitor their contractor
systems appropriately. The IGs said about half of them did. So
there was some difference. I think that is one area as we
talked about in March that further refinement of the type of
information we are getting back would be very helpful. Right
now there is basically one question that says are you
monitoring and supervising your contractor systems. I think if
we were to look at that and perhaps gain a bit more information
in the next reporting cycle, which Ms. Evans alluded to, I
haven't seen what you are asking for, that could help get that
information. I think that is an important area.
I still think there are areas that haven't been explored
and OMB's guidance talks about State and local governments. The
Federal Government has lots of systems that interact with State
and local systems particularly in the benefits area. That is an
area that I don't know has been explored a lot. I know in some
areas there has been a lot of exploration. Medicare contractors
have long been supported. I know DOD has done that for several
years. So I think that is an area where we need to keep looking
closely. I think that is a risk area as evidenced by our
control system testimony. A virus got from a contractor
system right into the Davis-Besse nuclear powerplant which
fortunately at that time was under maintenance but it just goes
to show there are lots of avenues and opportunities. We
routinely test some of those areas when we do our security
reviews, particularly where contractors are regularly into
agency systems.
Mr. Putnam. Mr. Mehan, you mentioned your agency's total
compliance with FISMA. Does that include the OMB's guidance
regarding third party systems and contractors?
Mr. Mehan. Yes. We have put a lot of focus on personnel
security. Our contracts have all been modified to be sure that
wherever people are dealing with information technology and
have access to our systems, the appropriate clearances are
provided and that we know the people who are using those
systems.
I will tell you though that just as in the long run, there
are more sophisticated techniques that will be used, it is our
intent over the longer run to eventually use biometrics to test
the entry of contractors or others to our systems on a more
controlled and daily basis.
Mr. Putnam. Mr. Dacey, as I mentioned in my opening
statement, my concern is not only on how future systems will be
protected but how we retrofit current systems and improve their
security and integrity, cleaning them, protecting them and
making sure they are not immediately spreading something to the
newer systems. Some suggest that Federal systems have already
been compromised and are currently being used as attack tools.
What are your thoughts on that? Obviously it is very alarming
and how do we go about identifying those and cleaning up those
systems?
Mr. Dacey. There are a couple of issues there. One is the
challenge in the Federal environment particularly of applying
patches and other techniques to protect those systems in the
first place. Again, prevention is the first step. I think the
challenge there is how do we keep the system patched. We have
control systems with unique characteristics that you can't just
apply a patch, it might break your control system and the
vendors sometimes take a while to understand and assess the
patches before they can apply them because those control
systems rely upon some of the same operating systems in which
vulnerabilities occur.
Additionally, in applying patches, testing them is a major
challenge. I think if you look at successful agencies or
private sector actually, and I think you made some visits in
the field, you will see they have standard builds. We talked
about it here at DISA, we are hearing about that at Agriculture
and other places. If you don't have standard configurations,
you don't know how your systems are going to react when you
start applying these patches and making the fixes. So I think
that is another area we need to keep looking to in terms of
that, and a very critical area because it takes a lot of time
if you have all disparate systems to understand how these
patches are going to affect them.
The third area is just looking at some of these other
practices we talked about today, defense in-depth and some of
the other strategies, not just patching but how do we protect
the whole by providing layers of protection. Related to that as
part of FISMA is the whole process of monitoring these systems,
making sure we are able to detect anomalous activities so that if
we do find someone in there doing inappropriate things we can stop
it as quickly as possible. I can't speak to the extent to which
that may be happening but certainly there have been reported
instances where Federal systems have been attacked and used as
servers for chat rooms, certainly some State systems have been
used to do other activities because someone broke in and set up
back doors. It does happen. I just don't know or have any
information on the frequency but it is possible.
Mr. Putnam. Mr. Yoran, how effectively are we using other
information technology management options, the Federal
enterprise architecture comes to mind, to promote or ensure
information security within the Federal Government? I will let
you take first crack and then Ms. Evans.
Mr. Yoran. I believe we are leveraging the enterprise
architecture. It is really an area that falls outside of the
specific purview of the Cyber Security Division and I would
defer to Ms. Evans.
Ms. Evans. Thank you for asking that question. Actually, as
we have discussed previously, the Architecture Committee of the
CIO Council has been working on a security profile to overlay
through all the models of the Federal enterprise architecture.
The reason for this is to be sure that security is thought of
through all aspects of the system life cycle as investments go
forward. The Federal enterprise architecture, from our
standpoint, is very critical and security needs to be
highlighted from the very beginning of the planning of an
investment all the way through the operations and maintenance
of that investment. We have to ensure that we are leveraging
best practices and components that have been deployed in other
parts of the Government and the architecture will give us the
tool with which we can do that. Several of the mechanisms and
practices we are talking about will be brought to life as we
leverage this profile. The Council is getting ready to release
a draft of this profile to the CIOs for comment very shortly.
Mr. Putnam. Ms. Meyerriecks, take a moment if you would and
give us some detail as to what security procedures DOD has
implemented.
Ms. Meyerriecks. We could go on at length about those but
some of the ones I think have been most effective, some of the
things we have done in the past 12 months are the tightening up
I spoke to in my testimony about the interfaces between the
corporate intranet, our NIPRNet as we refer to it, and the
Internet in terms of the gateways but we were also in a
situation several years ago and brought to the attention of the
Secretary where we actually had no DMZ, a demilitarized zone,
actually a common IT term as well but it fits the military very
well in terms of where we put our public facing Web servers and
portals. People were actually coming into our corporate
intranet to hit those. That was a major issue because it made
us very vulnerable to anybody who could exploit one of those in
terms of getting into the corporation. So one of the major
initiatives we took on in the last 12 to 18 months was to
establish a demilitarized zone and put out practices and
procedures for how a provider, and we have literally tens of
agencies that provide public facing, consumer interfaces, how
they could intersect with our demilitarized zone. It was
actually funded as opposed to a fee for service initiative.
Their responsibility is to put the servers in the zone and
configure them properly so that they are not able to be used as
a departure point for further exploit into the infrastructure.
You see in our flattening curve actions like that have actually
we think started to pay off in terms of penetration, successful
penetration into our infrastructure.
Another very successful effort was also the STIGs and the
work we have done with NSA which is one of our sister agencies
and also NIST, just a DOD/IC intelligence community, in terms
of specifying secure configurations and the really good
response we have had from all of our commercial providers in
terms of being willing to learn from those and in some cases
embrace those and ship product based on those configuration
management guides.
I would say those are two things that have been force
multipliers in terms of our ability to combat the threat.
Mr. Putnam. Do you have an agencywide patch management
system?
Ms. Meyerriecks. We have a DOD-wide patch management
system. DISA administers to a large extent that capability for
the Department but it is very much a partnership with
particularly the services in terms of distribution and command
and control of how we distribute those patches. As my
colleagues alluded, we do have unique applications, so there
are places where an Air Force has a specific mission that might
be impacted in a negative way by a particular patch because the
vendors can't understand every implication. We roll them out at
an enterprise level and then we do testing for each of the
specific platforms where we have those sorts of applications to
ensure that it is not going to have a deleterious effect on the
actual application we are trying to support.
Mr. Putnam. Having laid out some of these strengths, maybe
you can share why DOD's FISMA score is so bad.
Ms. Meyerriecks. We will have to take that for the record,
sir. I don't have the background to address that. I apologize.
Mr. Putnam. We will let you answer that for the record.
Mr. Yoran, we spend $60 billion a year in IT hardware,
software, annual investment by the Federal Government.
Obviously DHS being something of a startup in merging all the
disparate departments and agencies, you are spending a fortune
and you have unique security requirements. How have you used
the procurement power behind the needs that you have to really
ensure that the security is baked in?
Mr. Yoran. That question really needs to be answered with a
number of tiered responses. Within the Department of Homeland
Security, we are working with Steve Cooper's organization and
the CIO shop to identify the security requirements of the
Department and ensure that we are procuring those technologies
which can address the security requirements which the CIO's
office is ultimately responsible for identifying.
We also hope to be able to better leverage those
requirements and in our interaction with the other departments
and agencies of the Federal Government to work with the vendor
community so that they can take some of those practices and
improve the products which they are delivering to the Federal
Government as a customer and to the extent that we can create
consistency between our requirements and the requirements of
other critical infrastructure operators, BITS and the financial
services, the American Chemistry Council and the chemistry
sector, and we can define these uniform requirements for the
vendor community. I believe that will make their job a lot
easier and a lot more focused in bringing us solutions which
address these common requirements.
Mr. Putnam. Ms. Evans, do you wish to add anything to his
comments on ways to leverage our $60 billion annual investment
in high quality, more secure products?
Ms. Evans. We do intend at OMB to use the Smart Buy
initiative to really work on leveraging these security
benchmarks. It will require partnership between the Government
and industry but, I do believe, based on my past experience as
the Department of Energy CIO, industry wants this partnership
just as much as Government does. There is value to both parties
coming together. The Government can make their expectations
very clear. Industry benefits because the country as a whole
will benefit from more secure products.
I think industry wants a partnership. I know we have talked
to industry about that. We intend to leverage that same type of
model that we used at Energy through the Oracle contract. That
took a long time with the Center for Internet Security working
on the benchmarks across several industry partners that were
involved in coming up with those benchmarks. This work could be
leveraged and can be used in the long run by everyone. It is
our intention to do that. That is why we are asking about
benchmarking, and as we continue to evolve the Smart Buy
initiative we can take it to industry and say this is how we
would like to proceed with our buying.
Mr. Putnam. Ms. Meyerriecks, do you wish to add anything?
Obviously this is a huge concern for the Department of Defense
software assurance. Do you have any comments on that?
Ms. Meyerriecks. I would just like to echo my colleague's
statements regarding industry.
The other comment that I would make is one of the things
that has also proven beneficial to us is efforts like the
common criteria where we actually encourage vendors to think
about how to make more secure products while they are still in
the labs as opposed to negotiating a configuration after it has
already been cut into the silicon if you will. Amit talked
about the importance of influencing products earlier in their
development cycle, so they are thinking about that as opposed
to patching them afterwards. Common criteria has been
especially useful. We ought to think about how we encourage
more of that behavior.
Mr. Putnam. Mr. Mehan.
Mr. Mehan. The only thing I would add to what my colleagues
have said which I support is what vendors have told us is that
it is important that in our request for quotes and so forth
that we have the same enthusiasm for cyber security as we have
in other rhetoric. The cyber security aspect of it was
absolutely fundamental. In fact, vendors pretty much had to
prove they could satisfy that before we got into too much else
they were going to provide. That sent a strong signal to
industry.
Mr. Putnam. This is a particularly good panel in terms of
the agencies and departments represented for this topic. I
really appreciate your participating. When you look at FAA and
certainly the events that have transformed our approach to air
travel and peoples' approach to security and safety, obviously
the Department of Defense and certainly Homeland Security and
all of you are in key positions to be crying in the night about
the need for more emphasis on cyber security. Do the three of
you have the ear, the access, the entrée to your respective
department or agency heads and do you believe that the cyber
threat is being adequately addressed? Begin with Mr. Mehan and
end with Mr. Yoran and then unfortunately we are going to have
to bring this panel to a close. Mr. Mehan.
Mr. Mehan. I clearly have access to the Administrator of
our agency whom I report to directly. I also have access to the
Department of Transportation CIO who is also the vice chair of
the Federal CIO Council and we have the ear of the Secretary of
Transportation. There is no lack of access to the top deck of
Transportation and Aviation. I think it is a message that all
of us in concert with Congress have to keep putting out to the
public and putting out to the industry because I think one of
our big challenges is in the second half of this decade, there
is the potential that we could see more orchestrated, more
sophisticated attacks and we have much to do in order to be
ready for them. That is part of why we have laid out a long
term model for approaching this.
Mr. Putnam. Thank you, Mr. Mehan. While we give Ms.
Meyerriecks another moment to think through her comments, your
android approach, your design, your idea, is very effective and
we certainly appreciate the work that you are doing at FAA.
Ms. Meyerriecks.
Ms. Meyerriecks. I have my direct report to my agency head
as well and we absolutely have access to our CIO who has made
it one of their top priorities--it would be good to have one
who wasn't an acting one if I could put in that plug--as well
as access to the Secretary and this is a high priority for us.
I share the concern that we not lose focus in terms of keeping
it a high priority topic because with all of the demands on the
resources of the Department we need to make sure that it stays
front and center in terms of our leadership's interest and
commitment to it, but it is not an issue today.
Mr. Putnam. Mr. Yoran.
Mr. Yoran. The Department of Homeland Security, I
personally have spoken with Secretary Ridge, with Executive
Secretary Lowey on cyber security issues and am confident in
their focus and attention to cyber security as a very valid
concern for our Nation. On a regular and ongoing basis, I have
discussions about cyber security with the Under Secretary for
Information Analysis and Infrastructure Protection, Under
Secretary Libutti and Assistant Secretary Liscouski.
Our approach is to continue to focus on an outcome based,
integrated risk management approach which includes an active
interest in cyber security as a vulnerability to our Nation.
Mr. Putnam. Thank you.
Mr. Dacey or Ms. Evans, do you have any final remarks
before we dismiss panel I and seat panel II? Mr. Dacey.
Mr. Dacey. Just a brief comment. We have talked a lot about
trying to address some of the security issues of the software
as it is developed but I do think and FISMA promotes a
consistent process to try to develop the standard minimum
security guidelines by risk level as well as NIST is developing
checklists which are consistent with the standard guidelines in
the STIGs that were talked about earlier. I think that is an
important area because we need to continue to leverage that
being done centrally because I don't think we can rely
continually on the system admins to individually come up with
the right solutions or even subcomponents of agencies. To the
extent we can build in some clear processes, communicate those,
develop training and so forth, that will go a long way because
just with patch management if you are looking at maybe having
24 or 48 hours to get something fixed, that is not a long time.
You have to look for more long range solutions to the problem.
Mr. Putnam. Ms. Evans.
Ms. Evans. First, I would like to thank you again for
having this hearing on cyber security. This is an important
priority to the administration. We are taking steps to ensure
that it does stay on the forefront as my colleagues have
mentioned. We are doing this through the implementation of
FISMA but as well as through the President's management agenda.
Because this is a priority, we are trying to ensure that the
agencies have the resources that they need in order to ensure
they have good management practices in place to achieve the
results of a safer infrastructure, and safer cyber security
environment, so that we can move forward and use technology in
a way that minimizes risk to us. Thank you again for the
hearing.
Mr. Putnam. Thank you. Noting that there are no further
questions, we will stand in recess while we reset the witness
table for panel II. The subcommittee is recessed and will
reconvene in just a few moments.
[Recess.]
Mr. Putnam. The subcommittee will reconvene.
I would ask the witnesses to take their seats, please.
[Witnesses sworn.]
Mr. Putnam. We will move immediately to testimony with Ms.
Dubhe Beinhorn, vice president of Juniper Federal Systems and
is responsible for the development and execution of all aspects
of Federal engagements. Prior to joining Juniper in 2001, she
was with SafeNet where she was general manager of the PKI
hardware and software division and held responsibility for all
aspects of this division including sales, systems, marketing,
supporting and manufacturing. She has more than 25 years of
experience in the Federal Government and the enterprise
computing industry in both domestic and global markets.
Ms. Beinhorn holds a Bachelor's Degree in business from
Roanoke College in Virginia. Welcome to the subcommittee. You
are recognized for 5 minutes and I would ask all of our
witnesses to please limit your testimony to 5 minutes as we
have a large panel.
You are recognized.
STATEMENTS OF DUBHE BEINHORN, VICE PRESIDENT, JUNIPER FEDERAL
SYSTEMS; SCOTT CULP, SENIOR SECURITY STRATEGIST, MICROSOFT
CORP.; LOUIS ROSENTHAL, EXECUTIVE VICE PRESIDENT, ABN AMRO
SERVICES CO., INC.; MARC MAIFFRET, CHIEF HACKING OFFICER, eEYE
DIGITAL SECURITY; AND STEVE SOLOMON, CHIEF EXECUTIVE OFFICER,
CITADEL SECURITY SOFTWARE, INC.
Ms. Beinhorn. Thank you, Mr. Chairman and members of the
subcommittee. It is a pleasure to appear before you today to
discuss the growing challenge of vulnerability management in
information technology systems. You and the subcommittee have
been leaders in raising awareness of the importance of network
security in the public and private sectors. Your work with the
Corporate Information Security Working Group is an important
example of your commitment to ensuring a true public/private
partnership for solving the very difficult challenge of cyber
security.
At Juniper Networks we take our participation extremely
seriously as we do our commitment to you, Mr. Chairman, in
fully supporting active participation by CEOs, working groups
and other forums all with an end goal of joint solution
determination.
The challenge itself, the threats to today's networks
continues to grow. Attacks continue to evolve and move from the
network to the application level. They are more sophisticated,
using new origination points and come from known and unknown
sources. The problem is made worse because of the inability of
much of the existing Internet infrastructure to identify and
then block threats that emerge. More vulnerabilities are
discovered every day. The time from discovery to exploit
continues to shrink and the pressure placed on network
administrators to remediate these vulnerabilities in a timely
fashion continues to grow, much like bailing water out of a boat
that continues to spring leaks. Patch management is only a
short term fix and does nothing to solve the root cause of
network insecurity.
Part of the challenge is the simple fact that the Internet
is not just one network. It is multiple networks connected
together. As such, it was never designed with security in mind.
Its greatest strength, widespread connectivity at low cost, is
also one of the greatest weaknesses. With low cost comes
diminished value, unreliability and lack of security. Each
network has its own security policy and as we all know, network
security is only as strong as the weakest link.
At the moment, only isolated networks can guarantee
infrastructure and data security from outside attacks. However,
isolated networks work against netcentric enterprise services.
Additionally, isolated networks do not address the problem of
insider attacks and are cost prohibitive for many Government
and enterprise networks.
Most people are focused on securing the enterprise. There
is, however, another critical element. It is securing the
fabric of cyberspace beyond the enterprise firewall, the space
between the enterprises. President Bush, in his national
strategy to secure cyber space, called for ``securing the
mechanisms of the Internet.''
Right now, all packets travel over the same public network
with the same priority and the same security. Part of the
challenge is recognition that all packets are not created equal
and we must devise a security approach that assigns the right
level of security for each packet that flows from its
originator through the public network to its destination. This
is the challenge.
First and foremost, service providers and networking
companies of both private and public infrastructure play a
critical role in alleviating the problem. All companies should
be encouraged by Congress and congressional leaders to share
information. Specifically, public and private industry forums
should focus on pre- and post-attack vulnerabilities as well as
real time attack isolation and prevention. All Internet
stakeholders need to develop a set of industry best practices
based on the information communicated by all forums. As an
example, such collaboration may yield mechanisms to prevent
users masquerading as other users and denying access in the
first place, techniques for securing the network control plane
so that false routes may not be hijacked or injected, thus
preventing man in the middle attacks. Finally, the use of
automated tools to conduct assessments and ongoing security
audits to help identify vulnerabilities on the network and
unusual activity.
These tools can also be part of a larger effort aimed at
creating a culture within companies as well as Government
agencies of security awareness and responsibility. These
industry best practices allow for malicious traffic to be
identified, blocked and prevented from spreading. They give us
the ability to quickly identify and quarantine hot spots and
reduce the spread of viruses and the rising cost of businesses
and consumers from such attacks.
The public network cannot stand alone in the protection of
businesses, institutions and citizens. Security must also be
established at multiple levels including application, device and
department levels. These security measures must be able to
communicate with each other and with the network to form a
level of protection that is greater than the sum of the parts.
Networks must intelligently interact with the user and the
application so that the level of trust can be established at
the beginning of each network transaction.
Much work has been done by companies participating in the
Web services movement and standards development effort. Local
and wide area networks must leverage this work to extend the
concept of trust agents and user federations to the network
itself. The work is already underway. At Juniper Networks,
along with 18 other industry leaders, we are working to build
these standards to create networks that can deliver a specified
level of security, performance and reliability. The group calls
itself the Infranet Industry Council. It seeks to put existing
technology and standards to work building on them when
necessary to form an underlying communications infrastructure
that provides the best attributes of public and private
networks.
An infranet is a selectively open network with assured
performance and security of a private network enabling a packet
infrastructure to support all communications. Infranets can be
built and operated by service providers, agencies and
businesses and can be securely interconnected with each other
for the purpose of giving users and on demand appropriately
tuned to their unique security and quality requirements. At the
appropriate time, we would welcome the opportunity to explain
this further.
Over the long term, vulnerability management must be
addressed by all Internet community members to design more
secure systems and networks with a zero trust tolerance. This
means there should be absolute distrust of outsiders and
insiders. We should recognize both as equal threats and not
give greater weight to one or the other. Building networks that
trust no one is a far better approach to managing the threats
and will ensure a higher level of security.
Juniper Networks' approach to network security is based on
ensuring reliability, security and quality throughout the
network. This commitment and our activities with public
infrastructure providers and with the defense and intelligence
community enables us to do our part to better secure our
critical networks and play an active role as a member in the
cyber security industry alliance.
In today's world, it is no longer about competing. It is
about collaborating. With your help, Mr. Chairman, the
Government initiatives to guide industry, vendors and all
stakeholders will succeed in true joint development of a
worldwide Internet capable of meeting its mission regardless of
malicious intent, unforeseen failure or misadventure.
On behalf of Juniper, we thank you for the opportunity to
be here today.
[The prepared statement of Ms. Beinhorn follows:]
[GRAPHIC] [TIFF OMITTED] T6992.061 to T6992.065
Mr. Putnam. Thank you.
Our next witness is Scott Culp, senior security strategist
for Microsoft Corp. As a member of the Trustworthy Computing
Team, Mr. Culp focuses on developing companywide security
policies and procedures, evaluating the security of current
Microsoft products and services and reaching out to the
critical infrastructure protection community.
Mr. Culp is the founder and former manager of the Microsoft
Security Response Center where he helped develop and implement
leading security response capabilities.
Welcome to the subcommittee. You are recognized for 5
minutes.
Mr. Culp. Thank you for the opportunity to appear today. My
name is Scott Culp and I am a senior security strategist at
Microsoft. Delivering on the trustworthy initiative is one of
Microsoft's top priorities and improving the manageability of
security patches is an important part of that work.
A troubling recent security trend has been the dramatic
shortening of the time between the issuance of a patch that
fixes a vulnerability and the appearance of a worm exploiting
it. In just the past several years, this window has narrowed
from hundreds of days in the case of Nimda to 26 days for
Blaster, to 17 days for the recent Sasser worm. In the face of
this trend, Microsoft is employing a defense in-depth strategy.
First and foremost, Microsoft recognizes that the most
effective improvement we can make with regard to patches is to
require fewer of them and we are making substantial progress in
reducing security vulnerabilities in our software but no
software will ever be completely free of vulnerabilities and so
we are improving entire patch management ecosystems. Over just
the past year, we have largely standardized the operation of
our patches, significantly reduced their size and reduced the
need to reboot the system after applying them. In the next
service packs for Windows XP and Windows Server 2003, we will
deliver new technologies that will help protect systems even if
the user has not installed all needed patches. In the longer
term, we are developing breakthrough technologies that will
enable systems to dynamically change their behavior when needed
patches are missing and to automatically recognize and defend
against attacks.
At the same time, we are working to help raise Federal
agency awareness of products and resources that address the
requirements of the Federal Information Security Management Act
and we are providing improved training opportunities for all
our customers, including continuing our twice yearly Federal
security summits. We are also contributing to important
security policy initiatives. Within just the past few months,
Microsoft co-chaired a National Cyber Security Partnership Task
Force that recommended important improvements in the entire
software development life cycle including patch management. We
are working with BITS to address the financial sector's legacy
and other needs and challenges.
These efforts and others underlie what we believe is the
industry's leading incident response process. To highlight
this, let me use the Sasser worm as an example. On April 13,
2004, Microsoft published a security bulletin and patch
addressing the vulnerability that Sasser ultimately exploited.
Microsoft's engineering and educational efforts over the
preceding months contributed to a patch uptake rate that was
300 percent higher than for last summer's Blaster patch. We
provided information, guidance and recovery tools for our
customers worldwide, including contacting U.S. CERT at the time
of the release of the bulletin and again when Sasser was
discovered. Our antivirus reward program caused an individual
to provide information to law enforcement that contributed to
the arrest of the worm's alleged author.
Ultimately, we believe these actions reduced the worm's
impact but the fact that it occurred at all reminds us that we
need to continue improving. We all have roles to play in
improving cyber security. As the Congress and the
administration address this topic, we suggest several actions
which we are eager to work with the Government on.
First, we hope the Senate will ratify the Council of Europe
Cyber Crime Treaty. Second, our law enforcers are doing great
work but need more training and better equipment. Third,
Government systems administrators would benefit from more
intensive training in security. Fourth, we support the common
criteria process but believe it could be improved to make it
more efficient and cost effective. Finally, we support
increased basic research in cyber security and computer
forensics.
In the final analysis, a more secure computing environment
is best achieved when industry leaders continue to innovate
around security to continuously improve the security of
software products, help customers operate their networks more
securely and to provide effective security and incident
response processes.
I would like to thank the committee for this opportunity
and I look forward to your questions.
[The prepared statement of Mr. Culp follows:]
[GRAPHIC] [TIFF OMITTED] T6992.066 to T6992.085
Mr. Putnam. Thank you.
Our next witness is Louis Rosenthal, executive vice
president, ABN AMRO Services Co. He is responsible for
information technology infrastructure and operations,
supporting the consumer, commercial mortgage and e-commerce
business units of ABN AMRO in North America, as well as some
global business units.
Prior to his current position, Mr. Rosenthal held the
position of executive vice president of service delivery at
European American Bank in New York, formerly owned by ABN AMRO.
Prior to that, he spent 7 years at the Bank of New York. He
serves on the executive committee and advisory group for BITS,
the technology arm of the Financial Services Roundtable.
Welcome to the subcommittee. You are recognized for 5
minutes.
Mr. Rosenthal. Thank you, Mr. Chairman, for the opportunity
to testify today about the ways the financial services sector
is addressing information security challenges.
I am Louis Rosenthal, executive vice president with LaSalle
Bank Corp., a subsidiary of ABN AMRO Services Co. I am pleased
to appear before you today on behalf of BITS and the Financial
Services Roundtable. I am a member of the BITS Executive
Committee, a non-profit industry consortium of 100 of the
largest financial institutions in the United States. BITS is
the sister organization to the roundtable. LaSalle, one of the
largest banks in the Midwest, is a subsidiary of Netherlands-
based ABN AMRO Bank operating in about 60 countries around the
world with about $780 billion in assets.
Through BITS, the financial services industry has been at
the forefront of advancing security. No industry takes cyber
security more seriously than the financial sector. The
financial services industry is firmly committed to safeguarding
our customers' information, maintaining our trusted
relationship with our customers and complying with the numerous
laws and regulations promulgated by the financial regulators.
The challenges are plentiful. As I speak, hackers are
writing code to compromise systems. Viruses are at epidemic
levels. We are increasingly concerned that a coordinated cyber
attack of some kind could impact communications, SCADA systems
or first responder systems and put all of us at terrible risk.
The prospect of zero day exploits with malicious payloads is a
reality. Cyber security, like physical security, is critical to
the well being of the Nation and its infrastructure.
Financial institutions are heavily regulated and constantly
supervised by our Federal and State regulators. The industry
has worked consistently and diligently to comply with these
requirements. We do not believe more regulation of the
financial services industry will help us address the cyber
security challenges. Rather, we believe the private and public
sectors must work together to address cyber security issues.
That is why we are urging our partners in the technology
industry to do their fair share to ensure the soundness of our
Nation's critical infrastructure. It is also why BITS
enthusiastically participated in the chairman's Corporate
Information Security Working Group.
Ensuring software security is enormously costly. In
December 2003, BITS surveyed its member institutions on the
cost of addressing software vulnerabilities, including managing
software patches. We found that software vulnerabilities are
approaching the cost of $1 billion annually to the financial
services industry alone.
In October 2003, BITS launched its software security and
patch management initiative. BITS' goal is to mitigate security
risks to financial services consumers and the financial
services infrastructure, ease the burden of patch management
and help member companies comply with regulatory requirements.
A key part of this work is our collaboration with software
companies to create solutions acceptable to all parties. We
have shared with these companies a series of business
requirements that BITS members agree are critical to the
soundness of systems used in the financial services industry.
In February of this year, BITS and the Financial Services
Roundtable held a cyber security CEO summit here in Washington.
The event promoted CEO to CEO dialog on software security
issues.
This past April, BITS and the Financial Services Roundtable
announced a joint policy statement calling on the software
industry to improve the security of products and services it
provides to financial services customers. BITS is working with
other critical infrastructure industries and industry
associations to help motivate a larger user movement. For
example, BITS worked closely with the Business Roundtable in
developing that organization's widely publicized cyber security
principles. The BITS Product Certification Program is another
important part of our work to address software security. The
BITS Certification Program is a testing capability that
provides security criteria against which software can be
tested.
It is important for the committee to recognize the
dependence of all critical infrastructures on software and the
Internet. In so doing, we have developed six key
recommendations for the committee to consider. One, encourage
providers of software to accept responsibility for the role
their products and services play in supporting the Nation's
critical infrastructure. Two, support measures that make
producers of software more accountable for the quality of their
products including ensuring their products are designed to
include security as part of the development process, testing
that their products meet quality standards and that financial
services security requirements are met before the products are
sold, developing patch management processes that minimize cost,
complexity, downtime and risk to user organizations. Software
vendors should identify vulnerabilities as soon as possible and
ensure that the patch is thoroughly tested and continuing patch
support for older but still viable versions of software
currently in use in the critical infrastructures.
Three, provide incentives and other measures that encourage
implementation of more secure software development processes.
Four, provide exemption from antitrust laws for critical
infrastructure industry groups so they can better discuss and
develop baseline security requirements for the software and
hardware they purchase. Fifth, encourage collaboration and
coordination among other critical infrastructure sectors and
Government agencies to mitigate software security risks. Sixth,
encourage regulatory agencies to review software vendors
similar to how the regulators currently review third party
service providers so that software vendors deliver safe and
sound products to the financial services industry. Through
collaboration and a partnership, we can address the cyber
security challenges.
Thank you for the opportunity to testify today and I will
take questions later.
[The prepared statement of Mr. Rosenthal follows:]
[GRAPHIC] [TIFF OMITTED] T6992.086 to T6992.092
Mr. Putnam. Thank you, Mr. Rosenthal.
Our next witness is Marc Maiffret, chief hacking officer
for eEye Digital Security, a leading security software
provider. In 2001, eEye engineers discovered and named the Code
Red virus and helped the White House avert a potential
disaster. In addition, eEye's research team discovered the
latest Microsoft ASN vulnerability.
Mr. Maiffret has been featured in several publications and
has testified previously before Congress providing his expert
opinion on the Nation's infrastructure.
Mr. Maiffret, welcome to the subcommittee. You are
recognized for 5 minutes.
Mr. Maiffret. Thank you very much.
For some time, security has been a race to create new
protection mechanisms for a never-ending onslaught of
vulnerabilities. The vulnerabilities that organizations face
are not simply system and software vulnerabilities but also
social vulnerabilities and how people interact with technology.
On the surface, it would seem the simple solution to the
vulnerability problem would be as easy as organizations
patching their systems. This however is not the case. Times are
changing and now more than ever new threats arise quicker than
ever before. The window of vulnerability, which is the time
organizations have to patch the systems, is shrinking.
On average, new threats emerge between 1 and 2 weeks after
a vulnerability is discovered, therefore not allowing companies
to react fast enough. Patching is not enough. We need new
security solutions that can mitigate the risk of
vulnerabilities before new threats emerge regardless if systems
are patched or not.
One of the reasons that organizations are failing is not
from a lack of security tools but from the lack of creating a
process and policy around those security tools. Simply having
the tools to know that you are vulnerable or that you are under
attack is not enough if the information is not audited and
tracked to some sort of completion.
I thought it would be helpful to illustrate in kind of real
world terms some of the problems that a large organization
actually faces in terms of computer security. I actually met
with the head of security for the largest financial
organization in the United States and have some interesting
statistics. This organization is actually in charge of auditing
2.5 million IP addresses or computer addresses. Out of those
2.5 million IP addresses, there are roughly over half a million
active systems or computers or devices they need to protect. On
a system of this scale, there is really no room for failure,
even if you think of a 1 percent failure of security or a 1
percent failure of patches being deployed and whatnot, that is
still many thousands of systems potentially going to be at risk
or no longer functioning. Those are systems that are dependent
for business processes and other types of activities.
The interesting thing is that while some of these numbers
are staggering for this organization, they are able to maintain
their security in a way that allows them to not only roll out
patches within 48 hours of vulnerabilities being released, but
at the same time have all the right protection mechanisms in
place on the perimeter of their network.
Even with all this, being a large network and having a good
response to security, doing everything right is costing them
roughly $15 million per security incident. That would be a
critical security vulnerability which requires them to go out
of the normal operation activities to deploy a patch or to
secure their systems.
That is all I have for now.
[The prepared statement of Mr. Maiffret follows:]
[GRAPHIC] [TIFF OMITTED] T6992.093 to T6992.108
Mr. Putnam. Thank you, Mr. Maiffret.
Our next and final witness for this panel is Steve Solomon,
chief executive officer of Citadel Security Software since its
formation in December 1996 and as president and CEO of CT
Holdings since May 1997. Mr. Solomon spent 8 years in the
security software industry.
Citadel Security Software creates and provides full life
cycle vulnerability management solutions that protect
information technology infrastructures. Mr. Solomon is a board
member of the Cyber Security Industry Alliance and served as
the chairman of the Committee on Computer Privacy and Data
Security Standards, a private sector initiative that followed
the work of the Privacy Roundtable led by U.S. Senator John
Cornyn, formerly attorney general of Texas.
Welcome to the subcommittee. You are recognized for your
testimony for 5 minutes.
Mr. Solomon. Good afternoon, Mr. Chairman and members of
the subcommittee. I want to thank you for the opportunity to
appear today to discuss vulnerability management strategies and
technology.
Before I start, I want to applaud the committee for having
the commitment and vision to help our Nation drive awareness
and direction to this ever growing security threat facing our
critical IT infrastructure.
Today's organizations face exponential growth in the number
of vulnerabilities and the speed at which the attacks are
introduced. At a recent DOD Information Assurance Conference,
it was predicted that by the year 2010, we will face nearly 400,000
new vulnerabilities per year which equates to roughly 8,000
vulnerabilities per week or one new vulnerability every 5
minutes.
By successfully exploiting one vulnerability, organizations
are exposed to potentially tens of millions of dollars in
economic damage and successful attack on our Nation's critical
infrastructure could result in life threatening events,
jeopardize our national security and impact our way of life.
By the year 2010, it is estimated there will be half a
billion users on the Internet. In a society open like ours, our
complex organizations, remote employees and open access to
systems, we are targets for individuals and organizations that
want to attack us. We cannot let September 11 repeat itself in
cyber space.
To be prepared for this onslaught, we must continue to
expand the foundation that the committee has initiated.
Expansion must include the need for sound vulnerability
management processes, supporting technology and the necessary
legislation to ensure our Nation's critical IT infrastructure
is protected. We have seen the sophistication and speed of the
attacks mature to where the existing security measures such as
firewalls and antivirus are not enough to stop these attacks. By
fixing known vulnerabilities, we can proactively eliminate
cyber threats, reduce risk and deliver a more secure IT
infrastructure.
Organizations must take a proactive stance and implement a
full life cycle vulnerability management capability. Success
requires new processes, automated technology to support these
processes and management's commitment to drive the needed
change.
In the public sector, FISMA is helping to drive initiative
in the awareness for improved cyber security. However,
interpretation has not been consistent throughout all agencies
resulting in inconsistencies and actions to address these
problems. However, there are excellent examples of
organizations that have already implemented proactive
vulnerability management processes such as the Department of
Veterans Affairs and National Finance. In addition, other
agencies such as FAA, the DOT, IRS and Department of Defense
have all started taking proactive steps to address the need for
full life cycle vulnerability management.
For most of corporate America, the process is broken or
fragmented across different groups using point tools and manual
techniques. There are some industries ahead of others primarily
driven by the mandates of Sarbanes-Oxley, GLB and HIPAA, which
are driving awareness and need for more proactive uses.
However, the interpretation of these mandates and the required
action to comply are too broad resulting in ineffective results
leading to continued attacks and exposure on a daily basis.
Compounding the problem across both the public and private
sector is the increased number of remote users who return to
the enterprise networks with compromised environments, which results
in the continued introduction of malicious attacks after
remediation actions have taken place. Organizations that have
implemented some form of patch management tool have a false
sense of security. On average, only 30 percent of an
organization's verified vulnerabilities relate to patching,
leaving the network exposed to the remaining 70 percent of the
problem which are more dangerous and easily exploited. These
products do not address the problem of full life cycle
vulnerability management and effectively become part of the
problem.
To successfully deliver a full life cycle vulnerability
management process, automation is a necessity. The ability for
multiple security and IT operations disciplines to work
together requires technology that provides an integrated
platform by which to manage the process. Leveraging automation
will shift organizations from reactionary to a proactive
vulnerability capability.
Technology is available today to deliver the flexibility of
automated vulnerability management. A key requirement is
solutions that provide seamless integration across the
assessment and remediation steps of the process. Full function
remediation solutions must address all types of IT
vulnerabilities and provide a mechanism to report on the
progress from the assessment to mitigation to the ongoing
compliance. In order to streamline the process, solutions must
provide a comprehensive library of remediation actions
identified to fix the vulnerabilities with the ability to
rapidly deploy the remediation actions across the network on a
consistent, repeatable process.
As new vulnerabilities are discovered on a daily basis,
there must be a mechanism to continually deliver new
intelligence and remediation actions that are tested. To
mitigate the impact to remote users, solutions must provide
capability to both quarantine and remediate devices upon the
network connection.
The commercial software industry must be involved in
providing solutions. NIAP common criteria certification is an
excellent step in the endeavor, yet there is no enforcement
across the public sector to purchase products that are common
criteria certified. We recommend the Government lead the way in
requiring software solutions be certified under common criteria
at EAL3 or above before they can be procured for implementation.
To further reduce the risk, we must address the concern of
offshore development. A major portion of the software
development today occurs offshore. We must ask for additional
controls to ensure software development overseas is secure.
Software development organizations should be required to have
all overseas development of software examined for malicious
capabilities embedded in the code. Industry and Government must
work together to develop some form of standard to review the
process to address the growing threat.
A few months ago many leaders from the cyber security
industry came together to form an important alliance. The Cyber
Security Industry Alliance represents the latest commitment
from cyber security industry to positively enhance information
security. I am proud to say Citadel serves as a board member on
the committee. The mission of CSIA is to enhance cyber security
through public policy initiative, public sector partnership and
corporate outreach, academic programs and alliance behind
emerging industry technologies.
In conclusion, vulnerability management is a core
security requirement. By successfully implementing a proactive,
automated approach, organizations can reduce the risk and
mitigate their exposure to cyber threats. Industry and academia
must work together closely with Government to drive awareness,
education and provide direction across public and private
sectors with national security efforts.
I thank the committee for the opportunity to testify.
[The prepared statement of Mr. Solomon follows:]
[GRAPHIC] [TIFF OMITTED] T6992.109 to T6992.117
Mr. Putnam. Thank you, Mr. Solomon.
Ms. Beinhorn, Mr. Culp, the other three panelists have had
some interesting observations to make about the software
development community. Mr. Rosenthal supported that you do your
fair share, Mr. Solomon called for expanded use of common
criteria and expanded software assurance programs, particularly
as we look at the offshore activity that is taking place. How
do you respond to that? Mr. Culp first.
Mr. Culp. We are supporters of the common criteria process.
Windows 2000 has been certified. To a certain extent the valid
concern about offshoring misses the point. It is not where the
software is developed, it is how it is developed. Software
built within the United States can be just as vulnerable as
software built someplace else. What is important is not where
it is built but that it is built with a solid, sound
development process, that provides for independent review
within the developing organization, that provides for thorough
testing and that is mindful and protective against
opportunities to try to insert malicious code.
With that said, the vast majority of Microsoft software,
including all of our Windows products, are built in the United
States in Redmond but the overall concern about offshoring I
think might be more properly redirected to be concerned about
oversight of the software in a tight development process.
Mr. Putnam. Ms. Beinhorn.
Ms. Beinhorn. At Juniper, again we take the software issue
extremely seriously. We also embrace the common criteria
certification process as well as the FIPS process with an eye
toward the prevention up front. You might recall Donna
Meyerriecks' comments earlier today about the development
process and how important it is to look at these things prior
to silicon. So we take it in a very logical sort of stepped
process at Juniper. All of the elements of the security that
are embedded in our products are scrutinized by a team of
professionals and put through a rather rigorous testing
scenario against all known vulnerabilities at that time. So we
fully embrace the formal process and the certification process
and I agree actually with my colleague that tighter controls on
those processes are certainly in the best interest of the
Internet and cyber security.
To the point of offshore software, the majority of our
software development is all done here but I also concur that it
really doesn't matter where software is developed. I think
again it is a process that requires very tight controls and
very intense scrutiny.
Mr. Putnam. How many lines of code are we talking about
reviewing to find the couple of lines that are malicious? If
you are going to take it up a notch, bake in security, you are
concerned about the offshore influence, what type of task are
we talking about to find something someone slips in?
Mr. Culp. Well, it is a large task. All modern operating
systems are in the tens of millions of lines of code order of
magnitude. Trying to go through a completed code base and
review it for something that somebody may have surreptitiously
slipped in is very difficult and that is why it is so important
to take a multilayered approach to vetting the software. You
vet the individual modules as they are built, you vet the
designs as they are developed, you can vet the fidelity of the
development against the design and then as you get further
along in the development, you begin to bring in folks who maybe
haven't seen the software before but who are experts in code
level review.
One of the reasons that we participate in common criteria
is because we want that external review. We bring the best
minds we can to bear on writing the software but we know at the
end of the day, we are human too and may make a mistake. So we
want very much to include those independent, third party
experts and give them an opportunity to review the product at a
source code level and bring their expertise to bear to make
sure we have done everything right.
Mr. Putnam. Mr. Maiffret, what are your thoughts on that?
Mr. Maiffret. I think in general, I agree it is not
necessarily where the software is developed because it could
just as easily be in the United States and somebody here on
some sort of visa or is in the process of being sponsored. As
far as being able to find bugs in software that were
maliciously put there, in some cases it is almost an impossible
task because as it stands right now, we still haven't even come
to the point where we can automatically find all known security
bugs within software. Because we can't do that, we are not
going to be able to find people that are mistakenly putting
bugs in there on purpose. Really, it is not a matter of can you
find them and what not.
Mr. Putnam. If it is an impossible task, what do we do?
Mr. Maiffret. To take it back a level, to say it is an
impossible task and at the same time say you are never going to
have 100 percent security in an application, that it is an
impossible task to identify all known vulnerabilities in
applications, so I think we need to look at security in
different ways. It is not about finding every single
vulnerability that you can but about having outer safeguards
around the actual components that you are trying to protect.
A real world example that is great is if you take the DISA
and NSA guidelines and the STIG documents, there is plenty of
configuration information in there that had computers actually
been set up to comply with all those configurations options,
there are numerous worms that actually wouldn't have been able
to infect or do anything to those computers even if they
weren't patched. A lot of times there are things like that you
can do that more broadly protect systems. There are also other
efforts you can do which actually Microsoft is one of the
leaders in one of the common types of vulnerabilities, buffer
overflows and Microsoft is working with a lot of the processor
community to more generically be able to protect from those
kinds of attacks knowing that you are not going to be able to
discover all of them within the code.
Mr. Putnam. Mr. Solomon.
Mr. Solomon. On that subject, the offshore concerns were
raised with us because it is easy and cheap and maybe my
colleagues on this panel have processes in place, a lot of
companies don't and the process is very simple for people to
call up and get something done very quick and very cheaply and
there are no controls on what is coming back in. It is simply
saying we don't know what we don't know today. As you said, how
many vulnerabilities would be in how many lines of code. I was
at a recent conference with the Department of Defense and they
estimate by the year 2010 for every 7-10 lines of code, there
would be one new vulnerability. Try to find it. Once again, we
have to take a proactive approach to this instead of
reactionary. We have to develop a baseline, we are developing
STIGs and the right performance but what we are doing today in
the manual process is broken because we can't keep up with the
speed of the vulnerabilities unless we have a process for
fixing it. Fixing everything as we talked about earlier,
patching is not enough. Doing it consistently in a repeatable
process, it becomes a core process of our information
infrastructure.
Mr. Putnam. Mr. Rosenthal, it is costing your industry $1
billion a year. What are your thoughts?
Mr. Rosenthal. I would agree with the panelists with
respect to how code is written, how code is developed. I think
there is a notion of a higher duty of care, not just in the
software development process but in how the software is
actually deployed and used in the environment. So the same
software can be deployed in my home office, on my home
computer. The implications of vulnerability being exploited
there has very little impact on the Nation's infrastructure.
That same software product deployed in a critical
infrastructure like a financial services firm, an exploitation
of a vulnerability can be extremely damaging to the financial
services firm as well as the critical infrastructure of the
Nation.
I would tell you that I think in general the IT industry
needs to understand exactly what their products are being used
for, whether they be operating systems or accounting systems.
They are not just products that get deployed in an environment
identically. Changes are made, the way they are configured is
different. In fact, the way they are managed in some cases is
different. I think the industry should really spend more time
understanding exactly the usefulness of these software and
technology products, especially in critical infrastructure
industries.
Mr. Putnam. How well do you think the process is today, how
effectively is the private sector working with DHS to release
information about vulnerabilities, to share that with the
people who need to understand it before the exploits are
developed? Mr. Culp and then Ms. Beinhorn.
Mr. Culp. We are actively sharing information through a
number of different venues. The key point to understanding
where we are coming from with respect to information sharing
after the bulletin is out is that we recognize that although it
may be bad publicity for Microsoft for a lot of people to know
about a vulnerability they need to patch, that vulnerability
isn't going to go away until people know about it and know what
they need to do. So we have a very active interest in making
sure that as many people know about our mistakes and what to do
to correct them as possible.
I will give you one example of what we have been doing.
Virtually every Microsoft employee carries around a stack of
these cards that on the one hand has a placard exhorting people
to sign up for the free security updates that we send by email
every time we release a security bulletin. We have several
million subscribers to this free service and we send out every
security bulletin that we release to that mailing list.
We are also working very closely with the CERTs, in
particular U.S. CERT. We have a very close and productive
relationship with DHS and believe they are vital in helping to
get out the word to the U.S. computer user base but we also
need to get information out to users and the rest of the world.
So we actively work with CERTs in a number of different
countries. As we did in the case of the Sasser worm, we contact
the CERTs when the bulletin is released, we ask for their help
in getting out the information to users and then when we find
an attack in progress, we revisit and give them more
information so everybody can stay informed.
Mr. Putnam. So you are generally satisfied with the process
as it stands today?
Mr. Culp. I am never satisfied with the process as it
stands, it can always be made much better. I would like to have
to do a lot fewer of these alerts. I think that would be the
best improvement we could make, to have to send out things a
little less often through this channel but we do have by far
the most robust communication system of anybody in the industry
when it comes to reporting on security vulnerabilities.
Mr. Putnam. You paid a reward for someone to turn in the
person who released the Sasser worm, correct?
Mr. Culp. We do have a virus rewards program. I believe the
reward is paid out upon arrest and conviction. In the case of
the Sasser worm, that is still being handled by law
enforcement, so the program is there but the question of the
Sasser worm hasn't come to finale.
Mr. Putnam. Is there an estimate on the damage that the
Sasser worm caused?
Mr. Culp. I don't think I have seen an estimate yet and
they usually vary widely depending on source.
Mr. Putnam. Does anyone on the panel know? Anyone have any
idea? What about the charges that were leveled against the
individual? What is the potential penalty for releasing the
worm?
Mr. Culp. I don't know. That is a matter for German law.
The individual who was arrested is in Germany and I am afraid I
am just not an expert in German law.
Mr. Putnam. Let me ask it a different way. Do you think the
penalties for releasing these worms and viruses in the United
States are adequate considering the damage that has been done
and is capable of being done to the economy?
Mr. Culp. In general, I think I would like to see stronger
enforcement and stiffer penalties. These worms are causing
significant economic damage. They are requiring customers to
spend serious resources to protect their enterprises and the
punishment should be commensurate with the level of damage.
Mr. Putnam. Mr. Rosenthal, your thoughts on that same
question?
Mr. Rosenthal. I don't know the exact penalties but I would
tell you that they are not strong enough. A physical robbery of
a bank, a holdup, we are limited by the amount of cash we allow
tellers to have and many of those people walk rather quickly.
Hackers have the ability of not just taking down a financial
institution but they could knock out critical financial
networks that impact our economy. So if you could tell me what
the penalty was, I would tell you it needs to be doubled.
Mr. Putnam. Mr. Maiffret, your company has researched and
found a number of vulnerabilities, often being the first one.
What tools are at your disposal or at anyone's disposal to
analyze code and therefore discover these vulnerabilities?
Mr. Maiffret. Really a lot of it comes down to the team of
people we have been able to build. Obviously in-house we don't
have source code to any of the software that we find
vulnerabilities in so we actually look at the compiled code
itself and are able to analyze it that way to find
vulnerabilities. For the most part, a lot of times it is not
necessarily tools that we use but just people sitting down, we
have basic tools to look at a program but for the most part it
is somebody actually going through how a program works and
figuring out how to make it do things it shouldn't.
Mr. Putnam. Mr. Solomon, do you want to comment on that?
Mr. Solomon. Actually the discovery process internally will
actually work with the CERT or scanning partners as well as the
development team. A key side to that is identifying
vulnerabilities in the wild as well before there are known
exploits. As they are identified, we look to write the
remediation fixes for them. So we have a team of engineers that
actually write the remediation process so they can build a
library. Today we have over 16,000 actions for cross multiple
platforms for remediation so they get tested before they get
applied. It is a team of engineers working with proprietary
tools.
Mr. Putnam. Ms. Beinhorn, this spring a researcher
discovered a new way to exploit a vulnerability in the
transmission control protocol that would potentially have
allowed substantial disruption of Internet traffic. It has
serious effects on routers. What steps did your firm take when
you found out about the vulnerability?
Ms. Beinhorn. That particular problem within TCP has been
known for a while and companies like Juniper Networks and Cisco
Systems worked along with a number of forums and the Government
to resolve those issues. Yes, they were potentially very
frightening but the actual truth of it is that when you
architect something like TCP and it was done so many years ago,
that as time evolves and systems and software evolve, different
things will come up in code.
I think the resolution to this particular issue is well in
hand and probably any more detail on this topic we should
contribute something outside of this forum.
Mr. Putnam. We talked about this in the first panel. The
Government spends $60 billion a year annually in investment for
IT goods and services. What can the Government do to leverage
that buying power to get more security baked in?
Ms. Beinhorn. It is Juniper's opinion and strong conviction
that the Government and the public and private sectors need to
work more closely. I think there are lots of very legitimate
and productive forums out there but with respect to the spend,
which is if you distill it down for equipment, it comes in on
the order of about $10-$12 billion but the development of
silicon and the direction the Government wants to take need to
collide and that is not something that is done overnight. It is
a process that has to take into consideration a lot of
preventive measures with respect to both hardware and software.
We would like to see a more formal and closely knit
relationship. The President's management agenda does call for
participation by private and public entities but we work with
DISA, NSA and a number of agencies. It would be better if maybe
DHS was the focal point or central point for the consolidation
of the go forward requirements and they were brought formally
to industry for discussion and evolutionary development.
Mr. Putnam. Why DHS?
Ms. Beinhorn. It is a suggestion, Mr. Chairman. It seems to
be the agency with, as you said, the most amount of money, so
it would be logical to perhaps place the responsibility there.
Mr. Putnam. Mr. Culp or Ms. Beinhorn, times have changed,
priorities have changed, security is a greater factor in
development today than it used to be, tens of millions of
computers around the world. As our security gets better with
new versions of operating systems, we still will have millions
of home users and small businesses and libraries and schools
and everybody else that is a bit behind the curve on updating
their equipment connected to the same network. As everyone
agrees your security is only as good as your weakest link. How
do we deal with that component of user groups even as the
quality grows, the security improves, but you still have a lot
of people out there using the old stuff. What do we do about
that?
Mr. Culp. That is absolutely true and that is one of the
biggest hurdles. We know the software we are producing today is
much more capable, much more secure. It is built for the
current threat and environment. We do, as you mentioned, have a
very large legacy base and there are some limits to what we can
do but with that said, let me give you a couple examples of
what we are doing.
One thing we can do is upgrade the practices of the
operators of that software. As often as not, the security of a
network is dependent more on the management practices and the
way it is deployed and configured than it is on the technology.
So we worked very closely with some of our partners in the
industry to develop deployment guides and configuration guides
that will let people using the older software continue to do so
effectively and securely.
We are also in some cases back porting some of the
technologies I described in my written and oral testimony to
previous platforms. A really good example of that is the auto
update mechanism that was originally released in Windows XP and
lets you automatically get patches directly from Microsoft.
After we released it for Windows XP, we back ported it to
Windows 2000, so the Windows 2000 users could have the benefit
of that same technology. We do that whenever we can. So as much
as we can, we push that better technology back to the existing
legacy base and provide them with better practices to secure
what they have and we try to ease the migration into the newer
platforms.
Mr. Putnam. Ms. Beinhorn, do you want to comment on that?
Ms. Beinhorn. Actually not. I think that is less germane
for Juniper than it is for Microsoft.
Mr. Putnam. Anyone else wish to comment on that? Mr.
Solomon?
Mr. Solomon. Back to the older programs, a lot of it comes
back to the operating system itself and configuring and setting
up the system. While we can update the patches and everything
else, a great example is one organization that had about 1,500
devices, did an assessment and realized they had 256,000
vulnerabilities on one network. They determined 56,000 were
critical, this is a Government agency. Out of the 56,000, maybe
20 percent was related to patches and the rest were back doors,
configurations, unsecure accounts, where anybody could get in
and exploit that system. So it comes back to doing a total
system management. It is a combination of working together. As
I said earlier, a patch is not enough, you really have to focus
on a complete vulnerability life cycle and close all these
vulnerabilities going forward.
Mr. Putnam. Talk to me a bit, particularly Mr. Maiffret and
Mr. Solomon, about wireless, the way everybody is going, PDAs,
the home PCs that are used for remote access and laptops that
are brought on-site, you have public and private networks,
these unsecured systems obviously can be corrupted and then
reintroduced into the system. How do we deal with that
challenge which is only growing?
Mr. Solomon. It is growing more and more as we get better
in cleaning up our networks, then we have to worry about
someone plugging back in and contaminating after a weekend.
There is technology out there today that will actually
quarantine a box and won't allow communication to the network
before you remediate the box. So it is an automated approach,
something we developed, the technology that now allows you
before the communication back to the network, the box will be
remediated. Today people are going to the hotel and plugging in
or they come back after the weekend and utilize the device.
Further, wireless devices are going to be a big concern
moving forward, a simple printer on your network is a
vulnerable box. I can actually export your printer faster than
I can your desktop. We have to be more secure not just looking
at our PC and servers, we have to look at more devices going
forward from our printers, our copiers to wireless. That is
where exploits will be controlling the future. People will be
looking for the weakest link and those would be the weakest
links within the community. Today you have to be able to
remediate and have a total remediation process for people that
have disconnected and quarantine those boxes before you allow
them back on the network and make sure they are secure and
remediated.
Mr. Putnam. Mr. Maiffret.
Mr. Maiffret. I would concur that there are many solutions
being developed to help with the problem of rogue machines and
remote users and things of that nature. As far as wireless
goes, it is still pretty challenging because there are so many
different types of wireless. There are not necessarily a lot of
standards. There is everything from wireless that is used for
home use and small offices to some of the more high end
wireless systems to now things like cell phones running more
popular operating systems which is going to create a whole new
avenue of attack but for the most part on the wireless front,
there are still so many going in so many different directions
that it is hard to have standardized security on how the thing
should work.
Mr. Putnam. Any other comments on the trend toward wireless
and reconnecting to the network? We will begin with Ms.
Beinhorn as we wrap up this hearing and give you the
opportunity to make any comments you wish you had been asked
about or any thoughts or observations from this hearing. We
will go down the line and begin with you.
Ms. Beinhorn. Thank you. We are obviously very pleased to
be a part of this today and we look forward to contributing in
the future. We completely support your agenda for the
involvement of industry and specifically the C level
involvement because the buck stops there, so it should also
start there and the commitment should start there.
I just want to reinforce that. I think our participation in
this and other forums will be helpful to the community.
Thank you.
Mr. Putnam. Thank you.
Mr. Culp.
Mr. Culp. I would echo what Ms. Beinhorn said. I think we
are seeing positive results from the public/private
partnerships and I think we are seeing the market causing many
of the needed improvements. Customers are wielding their buying
power as we speak, security is not just very high on their
list, it is at the very top of their list. Microsoft and the
rest of our colleagues in the industry know we have to supply
that and provide it and it is that market pressure that is
behind many of the improvements and innovations that I and the
other folks on the panel have described today.
Mr. Putnam. Mr. Rosenthal.
Mr. Rosenthal. I would thank you again for your leadership
in bringing these issues to the forefront today. Beyond the six
recommendations that I mentioned before as well as in my
written statement, I would ask the committee and you to closely
look at the impact that software products and other technology
products have on critical infrastructure sectors of our Nation.
Thank you.
Mr. Putnam. Thank you.
Mr. Maiffret.
Mr. Maiffret. I think there definitely needs to be a lot of
thought and research put more on the side of why we are
failing. It is amazing to me if we are spending especially in
the Government, $80 million a year on technology and whatever
the percentage is there on security, I think there definitely
needs to be a lot of analysis done. Any time we do have a
failure, what went wrong, was there not a budget, was there not
enough personnel, was there the right personnel and the right
tools in place but there wasn't a good process to actually
track what was going on and things weren't followed through to
completion, basically more specifics on why the failures are
actually happening if we are spending that much.
Mr. Putnam. Mr. Solomon.
Mr. Solomon. I want to thank you for inviting me today and
once again commend the committee on what they are doing.
Last year I met with Mark Forman when he was head of OMB
and he told me last year the Government spent approximately
$1.5 billion in some form of vulnerability management with
their IT budget and the agencies still got the majority of
``F'' at that time. Looking at what the spend is in a cycle
that is getting vicious, it is going to be more expensive and
you can't keep up with it. As the hackers are moving faster, we
seem to be moving slower sometimes because the reaction and our
time and the process from manual to automation I think has to
move a lot faster with understanding from legislation what they
need to do.
Common criteria we thought was a very key point and it is
important to have comment period and as an industry, I think it
is very important for us all to go through it but the key is
agencies don't follow it sometimes. You can go through the
standards but why go through the standards and all of a sudden
purchase another technology that once again potentially is not
going through the certification the industry should be going
through.
Third and most important, the definition, we heard a lot
about patch management. I think the definition from
vulnerability management to patch management is getting lost.
The interpretation is it is vulnerability management, patching
is a subset of what you need to do as part of vulnerability
management. I see from the GAO report committees talking about
configuration management but a true vulnerability management
cycle includes configuration and patch management as a subset
of what you need to do to ensure your networks.
Thank you.
Mr. Putnam. Thank you all. I want to thank both of our
panels of witnesses for your participation today. The knowledge
and experience and observations that were shared were
outstanding.
I want to thank Mr. Clay for his continued leadership and
participation in these issues.
As I stated earlier, security is a process, not a
destination. Hackers, cyber criminals, disgruntled insiders,
corporate spies and enemy states are not going away and no
hardware or software will ever be totally secure. As such, the
Federal Government and the private sector must be diligent in
implementing proven risk management strategies to prevent,
detect and respond to information security breaches.
In the event there may be additional questions or
statements for the record that we did not have time for today,
the record will remain open for 2 weeks for submitted questions
and answers.
Again, thank you for your support and your leadership. With
that, the subcommittee stands adjourned.
[Whereupon, at 4:22 p.m., the subcommittee was adjourned,
to reconvene at the call of the Chair.]