b"<html>\n<title> - LOCKING YOUR CYBER FRONT DOOR--THE CHALLENGES FACING HOME USERS AND SMALL BUSINESSES</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n  LOCKING YOUR CYBER FRONT DOOR--THE CHALLENGES FACING HOME USERS AND \n                            SMALL BUSINESSES\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION\n                POLICY, INTERGOVERNMENTAL RELATIONS AND\n                               THE CENSUS\n\n                                 of the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             JUNE 16, 2004\n\n                               __________\n\n                           Serial No. 108-234\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n                                 ______\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n96-994                      WASHINGTON : 2004\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. 
Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nDAN BURTON, Indiana                  HENRY A. WAXMAN, California\nCHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nMARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nDOUG OSE, California                 DENNIS J. KUCINICH, Ohio\nRON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois\nJO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts\nTODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri\nCHRIS CANNON, Utah                   DIANE E. WATSON, California\nADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland\nJOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California\nNATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, \nCANDICE S. MILLER, Michigan              Maryland\nTIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of \nMICHAEL R. TURNER, Ohio                  Columbia\nJOHN R. CARTER, Texas                JIM COOPER, Tennessee\nMARSHA BLACKBURN, Tennessee          BETTY McCOLLUM, Minnesota\nPATRICK J. 
TIBERI, Ohio                          ------\nKATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont \n                                         (Independent)\n\n                    Melissa Wojciak, Staff Director\n       David Marin, Deputy Staff Director/Communications Director\n                      Rob Borden, Parliamentarian\n                       Teresa Austin, Chief Clerk\n          Phil Barnett, Minority Chief of Staff/Chief Counsel\n\n   Subcommittee on Technology, Information Policy, Intergovernmental \n                        Relations and the Census\n\n                   ADAM H. PUTNAM, Florida, Chairman\nCANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri\nDOUG OSE, California                 STEPHEN F. LYNCH, Massachusetts\nTIM MURPHY, Pennsylvania             ------ ------\nMICHAEL R. TURNER, Ohio\n\n                               Ex Officio\n\nTOM DAVIS, Virginia                  HENRY A. WAXMAN, California\n                        Bob Dix, Staff Director\n                  Dan Daly, Professional Staff Member\n                         Juliana French, Clerk\n           David McMillen, Minority Professional Staff Member\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on June 16, 2004....................................     1\nStatement of:\n    Yoran, Amit, Director, National Cyber Security Division, \n      Department of Homeland Security; J. Howard Beales III, \n      Director, Bureau of Consumer Protection, Federal Trade \n      Commission; Cheryl A. Mills, Associate Administrator, \n      Entrepreneurial Development, Small Business Administration; \n      and Ed Roback, Chief, Computer Security Division, National \n      Institute of Standards and Technology, Department of \n      Commerce...................................................    
12\nLetters, statements, etc., submitted for the record by:\n    Beales, J. Howard, III, Director, Bureau of Consumer \n      Protection, Federal Trade Commission, prepared statement of    23\n    Clay, Hon. Wm. Lacy, a Representative in Congress from the \n      State of Missouri, prepared statement of...................    10\n    Dailey, Thomas M., chair and president, U.S. Internet Service \n      Provider Association, general counsel, Verizon Online, \n      prepared statement of......................................    80\n    Frischmann, Don, senior vice president, communications and \n      brand management, Symantec Corp., prepared statement of....    73\n    Kurtz, Paul, executive director, Cyber Security Industry \n      Alliance, prepared statement of............................   126\n    Mills, Cheryl A., Associate Administrator, Entrepreneurial \n      Development, Small Business Administration, prepared \n      statement of...............................................    44\n    Putnam, Hon. Adam H., a Representative in Congress from the \n      State of Florida, prepared statement of....................     5\n    Reitinger, Philip, senior security strategist, Microsoft \n      Corp., prepared statement of...............................    63\n    Roback, Ed, Chief, Computer Security Division, National \n      Institute of Standards and Technology, Department of \n      Commerce, prepared statement of............................    49\n    Tevanian, Avadis, Apple Computer, Inc., prepared statement of    68\n    Yoran, Amit, Director, National Cyber Security Division, \n      Department of Homeland Security, prepared statement of.....    
15\n\n \n  LOCKING YOUR CYBER FRONT DOOR--THE CHALLENGES FACING HOME USERS AND \n                            SMALL BUSINESSES\n\n                              ----------                              \n\n\n                        WEDNESDAY, JUNE 16, 2004\n\n                  House of Representatives,\n   Subcommittee on Technology, Information Policy, \n        Intergovernmental Relations and the Census,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 2:30 p.m., in \nroom 2154, Rayburn House Office Building, Hon. Adam Putnam \n(chairman of the subcommittee) presiding.\n    Present: Representatives Putnam, Clay and Murphy.\n    Staff present: Bob Dix, staff director; John Hambel, senior \ncounsel; Dan Daly, professional staff member and deputy \ncounsel; Juliana French, clerk; Felipe Colon, fellow; Colin \nSamples and Katlyn Jahrling, interns; David McMillen, Mark \nStephenson, and Adam Bordes, minority professional staff \nmembers; and Cecelia Morton, minority office manager.\n    Mr. Putnam. A quorum being present, this hearing on the \nSubcommittee on Technology, Information Policy, \nIntergovernmental Relations and the Census will come to order. \nI want to welcome everyone here today to this hearing entitled, \n``Locking your Cyber Front Door--The Challenges Facing Home \nUsers and Small Businesses.''\n    We will immediately go into my opening statement and the \nwitnesses' opening statements as quickly as possible. We are \nexpecting a series of five votes which will pretty well \nmutilate the bulk of the afternoon. We are going to move as \nexpeditiously as possible.\n    In the past few years, the growth in access and use of the \nInternet, the increase in ``always on'' high-speed connections, \nand the rapid development and deployment of new computing \ndevices has resulted in an expanding global computing network. 
\nAlthough these advances have improved the quality of life, this \nnetwork is susceptible to viruses and worms that can circle the \nworld in a matter of minutes.\n    The potential for more sophisticated and malicious cyber \nattacks is growing at an alarming rate. While businesses, \neducational institutions and home users enjoy the benefits of \nusing the Internet, they are not always adequately informed \nabout the potential dangers of computer systems left vulnerable \nand unprotected.\n    This hearing is a continuation of a series of oversight \nhearings that the subcommittee has conducted during the 108th \nCongress on the issue of cyber security. On April 21st, the \nsubcommittee held a hearing specifically on educational \nawareness for all cyber citizens. Most recently, on June 2nd, \nthe subcommittee conducted an oversight hearing on cyber \nsecurity and vulnerability management issues facing large \nenterprises. The purpose of this hearing is to focus attention \non the challenges facing home users and small businesses.\n    Today we will examine the difficulties these users confront \nin protecting their computers; the actions taken by the Federal \nGovernment to create partnerships that will assist home users \nand small businesses and their efforts; the role of software \nand hardware manufacturers in responding to the expectations \nand demands of the user community to provide the market place \nwith higher quality and more secure products; the role of \nInternet service providers in helping to educate and protect \ntheir subscribers; and the tools and strategies available to \nhome users and small businesses to lessen their exposure.\n    Home users and small businesses are in a uniquely \nvulnerable position because their computers often face the same \nworms, viruses, and automated attacks that business and \nGovernment computers face. 
Yet, these users may not have the \nsame level of resources available to mitigate those risks.\n    Accordingly, it is critically important that all \nstakeholders examine tools and strategies to comprehensively \naddress this challenge. Right now, home and small business \nusers face a number of types of risks. Viruses and worms can \ndisable home user systems. Home users may also be tricked into \ndownloading spyware. These programs can be harmless, yet \nextremely annoying, such as delivering a continuous stream of \npop-up ads, or they may be malicious, extracting information \nsuch as passwords and personal information for criminal \npurposes. Home users also face the threat of fraud and identity \ntheft, including a newer approach known as ``phishing.''\n    Small businesses face these same threats as well, but their \nchallenges are compounded by the fact that they may have a \nnetwork of machines to manage, as well as the challenge of \nemployees using laptops and remote access. Of even greater \nconcern, small businesses face the threat of disgruntled \ninsiders who were once trusted users.\n    Finally, small businesses may also have private information \nfrom their customers and data bases that are connected to the \nInternet. Cyber criminals who gain access to this information \nmay attempt to extort money out of small businesses to keep the \nbreach quiet. The loss of reputation from such an incident \ncould be devastating to a small business.\n    There are existing and emerging protections against these \nthreats. Home users and small businesses can arm themselves \nwith virus-protection software to help stop any potential \nimpacted viruses and worms. The use of firewalls can help \nprevent some forms of spyware and attempts at unauthorized \naccess to a user's machine. 
Automated patches are also a step \nin the right direction to help users stay up-to-date with \nprotections against the most recently published \nvulnerabilities.\n    However, employment of these well-known protections is \nstill inconsistent. Awareness of the available protections \nneeds to be elevated so that basic computer security hygiene \nbecomes a common practice among all users. Increasing cyber \nsecurity awareness will help users to protect themselves, but \nuser awareness is only part of the problem. Many of the \nsecurity problems that users face are rooted in products that \nwere designed to deliver functionality, often without adequate \nregard to security.\n    We can no longer simply blame the users for their failure \nto mitigate vulnerabilities. The users are not responsible for \nthe flaws and defects in the products that are the source of \nthe vulnerabilities. We will continue to examine the progress \nbeing achieved by manufacturers of hardware and software \nproducts in responding to the consumer and public demand for \nhigher quality and more secure products in the market place. I \nam encouraged by what I see as signs that the manufacturers \nhave taken this demand very seriously and are working \ndiligently to remedy it.\n    Vendors are starting to release products that are secure by \ndefault, by enabling secure technical control settings, and by \nrequiring affirmative action of the user to enable features \nthat would make the product less secure. Software and hardware \nvendors are making more significant commitments to their \nquality assurance programs in an effort to identify bugs prior \nto the deployment of new systems. 
Collaboration among vendors \nto offer a bundled suite of security products to users, along \nwith a more concerted effort to configure systems in a more \nsecure manner out-of-the-box will produce a more secure \ncomputing environment.\n    In addition to the efforts of the vendors to improve \nsecurity of their products, the Federal Government needs to \nhelp improve the security of computer products and services \nthrough R&D. Inadequate tools exist in the market place today \nto conduct effective code evaluation in advance of deployment \nto identify flaws, defects, and the potential of a malicious \ncode willfully inserted in a software product.\n    By collaborating with partners in the world of academia and \nthe private sector, the Federal Government should be working to \nsupport the development of such tools and other quality \nassurance tools that can make a meaningful difference in \nimproving the quality and security of new IT products. The \nFederal Government has an important role in targeting research \nand development efforts to address these critical issues.\n    As a Member of Congress, a home computer user, and a \nchampion of small business, this problem hits close to home. I \nintend to continue my efforts to improve cyber security in \nevery sector of our Nation. In furtherance of this effort, we \nhave convened a group of 25 leaders from business \norganizations, as well as representatives from academic and \ninstitutional communities, to form the Corporate Information \nSecurity Working Group. The intent was to produce a set of \nrecommendations that could form the basis of an action plan for \nimproving cyber security for businesses and enterprises of all \nsizes and sectors.\n    The group divided into subgroups, one of which was the \nAwareness, Education, and Training Subgroup. 
This subgroup's \nmission was to identify, partner with, and build on the good \nwork of organizations that have or are developing campaigns \nthat raise awareness on the importance of cyber security. The \nAwareness, Education, and Training Subgroup reported \nrecommendations for three categories of users--small \nbusinesses, large enterprises, and home users.\n    For small businesses, the group suggested creating and \ndistributing a small business guidebook for cyber security that \nexplains cyber security risks in terms that are readily \nunderstood and that motivates small business owners to take \naction.\n    For home users, the group suggested targeted efforts aimed \nat the mass market that would help to educate these users. The \ngroup is seeking to build upon existing relationships and to \nforge new partnerships between organizations, corporations, and \nGovernment.\n    I will continue my support for these initiatives and intend \nto reconvene the Corporate Information Security Working Group \nat the end of this month to further develop a number of the \nrecommendations that were produced in phase I. We have also \ntaken an important step in furtherance of a recommendation from \nthat working group.\n    Yesterday, along with Chairman Tom Davis, I introduced H.R. \n4570 to amend the 1996 Clinger-Cohen Act to place a greater \nemphasis on computer security within the Federal Government. \nThe bill brings Clinger-Cohen in line with the realities of \ntoday's information technology world by requiring agencies to \nspecifically consider security when conducting systems planning \nand acquisition. We are confident that once it is signed into \nlaw, it will help to strengthen the Federal Government's \noverall efforts to improve the information security profile of \nits systems.\n    In closing, I want to make clear that securing the Nation's \ncyber space is an urgent challenge and we all have a role to \nplay. The threat is real. 
The vulnerabilities are extensive. \nThe time for action is now. Unfortunately, there are no simple \nsolutions. We will continue to examine the role that Congress \nand the Federal Government can and should play in being a \npartner-in-progress, in elevating the attention to this matter \nfor all stakeholders. Education and awareness is a key element \nto advise all users about the tools and strategies to reduce \nthe risks associated with a very real cyber threat.\n    I look forward to all the testimony from today's witnesses. \nToday's hearing can be viewed live via Webcast. At this time I \nwould be happy to recognize the ranking member.\n    [The prepared statement of Hon. Adam H. Putnam follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6994.001\n    \n    [GRAPHIC] [TIFF OMITTED] T6994.002\n    \n    [GRAPHIC] [TIFF OMITTED] T6994.003\n    \n    [GRAPHIC] [TIFF OMITTED] T6994.004\n    \n    Mr. Clay. Thank you, Mr. Chairman.\n    Let me thank the chairman for holding today's hearing on \ncyber security and the challenges facing America's small \nbusinesses and home user communities. I thank the witnesses \nbefore us today and hope their insights on methods for computer \nsecurity will be both technologically realistic and practical \nfor our target audiences.\n    Mr. Chairman, I will stop there since we do have a vote \ngoing. I would like to just make an abbreviated statement in \nreference to my entire opening statement. In the interest of \ntime, I would ask that the remainder be submitted for the \nrecord.\n    Mr. Putnam. Without objection, so ordered.\n    [The prepared statement of Hon. Wm. Lacy Clay follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6994.005\n    \n    [GRAPHIC] [TIFF OMITTED] T6994.006\n    \n    Mr. Putnam. The committee will stand in recess.\n    [Recess.]\n    Mr. Putnam. The committee will come to order.\n    Let us move directly into testimony for panel I. Before we \ndo so, let us administer the oath. 
If all of our witnesses, and \nanyone traveling with you to assist you in answering our \nquestions, would please rise and raise your right hands.\n    [Witnesses sworn.]\n    Mr. Putnam. As a note for the record, all the witnesses \nresponded in the affirmative.\n    Our first witness is Amit Yoran. Mr. Yoran is the Director \nof the National Cyber Security Division of the Department of \nHomeland Security. Before joining the Department, he served as \nthe vice president of Worldwide Managed Security Services at \nSymantec Corp. Prior to that, he founded Riptech, an \ninformation security company.\n    Welcome to the subcommittee. You are recognized for 5 \nminutes.\n\n  STATEMENTS OF AMIT YORAN, DIRECTOR, NATIONAL CYBER SECURITY \n  DIVISION, DEPARTMENT OF HOMELAND SECURITY; J. HOWARD BEALES \n  III, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE \n     COMMISSION; CHERYL A. MILLS, ASSOCIATE ADMINISTRATOR, \nENTREPRENEURIAL DEVELOPMENT, SMALL BUSINESS ADMINISTRATION; AND \n    ED ROBACK, CHIEF, COMPUTER SECURITY DIVISION, NATIONAL \n INSTITUTE OF STANDARDS AND TECHNOLOGY, DEPARTMENT OF COMMERCE\n\n    Mr. Yoran. Good afternoon, Chairman Putnam and \ndistinguished members of the subcommittee. I am pleased to have \nan opportunity to appear before the committee to discuss cyber \nsecurity challenges facing home users and small businesses. \nSmall businesses do not have the same security resources as \nlarge companies, and as a result, their systems are often more \nvulnerable. Many home users are not aware of cyber security \nthreats, or how to protect themselves.\n    The Department of Homeland Security's U.S. CERT has \nestablished a series of programs focused on home users and \nsmall businesses to target their specific needs. These programs \nleverage several mechanisms to enhance our communication to the \npublic. 
December's National Cyber Security Summit established \nan Awareness and Outreach Task Force to provide recommendations \nfor increasing awareness among home users and small businesses.\n    In March, the Task Force submitted its recommendations to \nthe National Cyber Security Partnership. We have implemented a \nnumber of recommendations, as I will describe this afternoon, \nand are considering others as part of our overall awareness \nefforts. Many of these recommendations and efforts are \nconsistent with the recommendations of your CISWG.\n    DHS is a sponsor of the National Cyber Security Alliance \nand Staysafe Online, a public/private organization created \nprecisely to educate home users and small businesses on cyber \nsecurity best practices. Other NCSA sponsors include the \nFederal Trade Committee, AT&T, America On-Line, Computer \nAssociates, ITAA, Network Associates, Symantec, and recently \nthe Cyber Security Industry Alliance.\n    The Department of Homeland Security has provided matching \nfunds to expand NCSA's outreach campaign. DHS' U.S. CERT \nlaunched the National Cyber Alert System in January of this \nyear. The National Cyber Alert System is an important mechanism \nfor delivering targeted, timely, and actionable information to \nhelp Americans protect their systems.\n    We have already issued several alerts and a periodic series \nof best practices and how-to guides. These tips help educate \nhome users and small businesses on security practices and \nincrease awareness. Some topics have included: Understanding \nFirewalls, Good Security Habits, Choosing and Protecting \nPasswords, and Why Cyber Security is a Problem.\n    I am pleased to announce that DHS' U.S. CERT and the Multi-\nState Information Sharing and Analysis Center [MSISAC], are \ndeveloping a series of national Webcasts to examine critical \nand timely cyber security issues. 
The first Webcast planned for \nthis series will take place next Tuesday, June 22nd.\n    These Webcasts will be archived and put on the U.S. \nCERT.gov Web site and available for public viewing. This \nnational Webcast initiative is a collaborative effort between \nGovernment and private sector to help strengthen our Nation's \ncyber readiness and resilience. Webcasts will feature a variety \nof cyber security topics of interest to Government agencies, \nenterprises, and small businesses. Future sessions will focus \non home users. These Webcasts are a strategic awareness tool to \nhelp home users and small businesses improve their cyber \nsecurity posture and practices.\n    In addition, DHS' U.S. CERT supports the Internet Security \nAlliance's Common Sense Guide to Cyber Security for Small \nBusinesses. This guide was produced as a result of focus \ngroups, in coordination with the U.S. Chamber of Commerce, the \nNational Association of Manufacturers, the National \nFederation of Independent Businesses, and the Electronic \nIndustry Alliance. NCSA is posting this guide on the U.S. \nCERT.gov Web site and requests that it also be placed on other \nappropriate homeland security and Government Web sites.\n    DHS and the Department of Justice's Bureau of Justice \nStatistics are producing a study on the effects of cyber crime \nin the United States, including those crimes affecting home \nusers and small businesses. The goal of this survey is to \nprovide comprehensive and statistically relevant information on \nthe subject of cyber crime in the United States. This \ninformation can be used in a number of ways, including \nstrategic information, technology, security planning, and \nresource allocation. 
It can help better prepare small \nbusinesses to address their cyber security challenge.\n    While we are optimistic that many of these efforts will \nhelp home users and small businesses increase their awareness \nand better protect themselves, we also believe that effective \ncyber security is a difficult challenge for these groups. The \nDepartment of Homeland Security is working with leading \nInternet service providers and technology providers in the \nprivate sector to make cyber security simpler to achieve for \nall.\n    Thank you for the opportunity to testify before you today. \nI would be pleased to answer any questions you may have. I \nwould ask that my testimony be included in its entirety.\n    Mr. Putnam. Without objection, so ordered.\n    [The prepared statement of Mr. Yoran follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6994.007\n    \n    [GRAPHIC] [TIFF OMITTED] T6994.008\n    \n    [GRAPHIC] [TIFF OMITTED] T6994.009\n    \n    [GRAPHIC] [TIFF OMITTED] T6994.010\n    \n    [GRAPHIC] [TIFF OMITTED] T6994.011\n    \n    Mr. Putnam. Thank you very much. I appreciate your adhering \nto our 5-minute rule so that we can get as much done as \npossible this afternoon.\n    Our next witness is J. Howard Beales. Mr. Beales is the \nDirector of Federal Trade Commission's Bureau of Consumer \nProtection. He was appointed in June 2001. He has experience in \nboth academia and Government. His major areas of expertise and \ninterest include law and economics, the economic and legal \naspects of marketing and advertising, and other aspects of \nGovernment regulation of the economy.\n    Welcome to the subcommittee. You are recognized for 5 \nminutes.\n    Mr. Beales. Thank you, Mr. Chairman. 
I appreciate the \nopportunity to appear before you today to discuss the \nchallenges that consumers and businesses face in protecting \ntheir computer systems and the information contained in them, \nas well as the FTC's role in promoting a culture of security.\n    Today, maintaining the security of our computer-driven \ninformation systems is essential to every aspect of our lives. \nOur interconnected information systems provide enormous \nbenefits to consumers, businesses, and Government alike. But \nserious vulnerabilities threaten the security of the \ninformation they contain, as well as the continued viability of \nthe systems themselves. Every day security breaches cause real \nand tangible harms to businesses and other institutions, as \nwell as to consumers.\n    The FTC has sought to address concerns about the security \nof our computer systems through a combined approach that \nstresses education, law enforcement actions, and international \ncooperation.\n    Regarding education, one of our most successful strategies \nis to hold public workshops designed to educate the agency and \nthe public about issues related to information security. One \nsuch workshop held in two sessions during May and June of last \nyear, specifically explored the issues before the committee \ntoday.\n    Workshop participants identified a range of challenges \nfacing consumers, industry, and policymakers. For example, many \nconsumers do not buy the privacy tools now on the market \nbecause they are often available only as expensive hard-to-use \nsystem add-ons. Consumers also use these tools improperly. For \nexample, failing to configure their firewalls appropriately, \nusing easily guessed passwords, or using anti-virus software \nand operating systems without properly updating them.\n    Moreover, many consumers are largely unaware of the \nconsequences of poorly protected systems and personal \ninformation. 
Panelists also urged technology vendors to make \nsecurity support and updates easier and more automatic for \nconsumers. Many panelists agreed that privacy-enhancing \ntechnologies, in order to be most effective, should be more \ntightly integrated or baked into systems so that even novice \nusers can easily enjoy their protections.\n    To help businesses better develop ways to protect their \nsystems, panelists urged the adoption of a comprehensive risk-\nmanagement strategy that incorporates four critical elements--\npeople, policy, process, and technology. Companies must train \ntheir people about the threats to the information systems and \nthe steps they should take to address them. Companies must also \ndevelop and communicate policies regarding the appropriate use \nof information and computer systems, and put in place processes \nto ensure that policies are implemented. Finally, they must \ndeploy technology effectively and securely.\n    One valuable tool to help consumers understand the \nimportance of information security, and to use privacy tools \nmore effectively, is educational campaigns similar to the \ncampaigns launched to increase seatbelt use or discourage \nsmoking. Such campaigns can take a while to produce changes in \nconsumer behavior, but they can help consumers play a more \neffective role in protecting themselves and society as a whole.\n    The FTC has, for several years, engaged in a broad outreach \ncampaign to educate businesses and consumers about information \nsecurity and the precautions they can take to protect or \nminimize risks to personal information. These efforts have \nincluded creation of an information security mascot, Dewey the \nE-Turtle, who hosts a portion of the FTC Web site devoted to \neducating businesses and consumers about security.\n    We published Business Guidance regarding common \nvulnerabilities in computer systems and responding to \ninformation compromises. 
Commissioners and the staff have made \nspeeches. We have worked with the Department of Homeland \nSecurity and such organizations as the National Cyber Security \nPartnership. We have reached out to the international \ncommunity.\n    Even if consumers do everything right, however, their \npersonal information may still be vulnerable if the businesses \nwho obtain that information fail to protect it. Therefore, the \nCommission has also pursued law-enforcement actions in \nappropriate cases. In four separate settlements with companies \nthat collected sensitive information from consumers, we have \nalleged that the companies violated the FTC Act by making \npromises that they would take appropriate steps to protect \nsensitive information obtained from consumers. In fact, we \nfound their security measures to be inadequate and their \nclaims, therefore, deceptive.\n    The Commission also has responsibility for enforcing its \nGramm-Leach-Bliley Safeguards Rule, which requires financial \ninstitutions to protect customer information. In brief, the \nrule requires them to develop a written information security \nplan that includes certain elements basic to security. These \ninclude identifying and assessing the risks in each relevant \narea of the company's operation, and designing and implementing \nappropriate safeguards for controlling these risks. Companies \nmust also regularly monitor and test their programs and \nevaluate and adjust the program in light of relevant \ncircumstances.\n    In addition to our domestic efforts, the Commission has \ntaken an active international role in seeking to establish a \nculture of security. We have worked on cyber security \ninitiatives with OECD, as well as other international \norganizations.\n    Security presents challenges for everyone in our global \ninformation-based economy, but particularly for consumers and \nsmall businesses. 
We are committed to continuing our work \npromoting security awareness and sound information practices \nthrough education, \nenforcement, and cooperation.\n    Thank you for the opportunity. I look forward to questions. \nI would ask that my testimony be included in its entirety.\n    Mr. Putnam. Without objection, so ordered.\n    [The prepared statement of Mr. Beales follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6994.012 through T6994.030\n    \n    Mr. Putnam. Thank you very much.\n    Our next witness is Cheryl Mills. Ms. Mills is the \nAssociate Administrator, Entrepreneurial Development for the \nU.S. Small Business Administration. She manages SBA's Technical \nAssistance Programs, providing information, training, and \nbusiness counseling for 1.4 million small business owners \nnationwide. Her office provides this service through a variety \nof business-development networks across the Nation.\n    Welcome to the subcommittee. You are recognized for 5 \nminutes.\n    Ms. Mills. Thank you very much, Mr. Chairman. 
Chairman \nPutnam and members of the subcommittee, I appreciate the \nopportunity to testify before you today about an issue that is \nof utmost importance in today's business world--securing our \nNation's vast information technology network.\n    There are 25 million small businesses in America, but \ntoday's small businesses are nothing like the Mom-and-Pop \nentrepreneurs of 50 years ago, whose market place was often \nlimited to their local community. In 2004, America's small \nbusinesses are national and global enterprises who ship their \nproducts across the country and around the globe. The main \nreason for this change to the small business landscape is \ncomputer technology. Today's entrepreneurs use computers and \nthe Internet to market their products, purchase supplies and \nequipment, and correspond quickly with customers.\n    While the SBA is most often associated with our successful \nloan program, we are also very proud of the valuable technical \nassistance that we provide to America's entrepreneurs. As ADA \nfor entrepreneurial development, I am responsible for seeing \nthat program.\n    The SBA provides technical assistance through our core \ninfrastructure of small business developmental centers, women's \nbusiness centers, SCORE counselors, and our district offices. \nThe resources are spread throughout the country in over 1,200 \nlocations. In 2003, these resource partners provided technical \nassistance to over 2 million small businesses.\n    Through this infrastructure, the SBA has worked to address \nthe challenges of IT security. 
One way we see of doing this is \nobviously by partnering with other Federal agencies, as well as \nthe private sector to educate small businesses about the \nbenefits and the risks associated with today's technology-based \nbusiness world.\n    In 2002, SBA teamed up with the Hartford to distribute over \n25,000 copies of a guidebook entitled, ``Managing Your Risk: \nThe Smart Approach to Protecting Your Business.'' It provided \nmanagement guidance on a variety of topics including computers \nand E-Commerce risks.\n    Throughout 2003, SBA and the Hartford conducted 10 risk-\nmanagement seminars for 500 small business entrepreneurs and \npublished an audio tape and CD ROM on IT security. In addition, \nthe SBA is working in collaboration with the FBI and NIST on a \nseries of regional meetings on IT securities for small \nbusinesses. These meetings have provided small business with an \noverview of information on security threats, vulnerabilities, \nand corresponding protective tools and techniques. Through this \npartnership, we have reached over 800 small businesses just in \n11 seminars.\n    Like the cosponsorship agreement with the Hartford, SBA is \ncurrently considering collaboration with the U.S. Chamber of \nCommerce to publish a guide to cyber security. The SBA and the \nChamber will work together to ensure this publication will be \ndistributed to as many small businesses as possible.\n    Also, through our Small Business Training Network [SBTN], \nat www.sba.gov/training we provide on-line training and have \nprovided that already to nearly 650,000 entrepreneurs in 2003. \nWe offer a variety of E-Commerce counseling courses. One of the \nmost popular is entitled, Information Security Basics. That was \ndeveloped in collaboration with the George Washington \nUniversity. 
This multi-part course is designed to help a small \nbusiness to understand the importance of implementing a sound \ninformation security plan.\n    SCORE also provides counseling on a range of E-Commerce \ntopics from How to Combat Computer Viruses to Understanding \nCustomer Privacy Issues. Earlier this year, the Association of \nSmall Business Developmental Centers partnered with Microsoft \nto develop and introduce the E-Security Guide for Small \nBusiness. I have provided the subcommittee with a copy of this \nguide which is also available on-line. SBDC can utilize the E-\nSecurity Guide's information when working now with a small \nbusiness client.\n    Mr. Chairman, I want to assure you that this administration \nremains committed to providing our Nation's small businesses \nwith the tools they need to survive in today's global market \nplace. I look forward to listening to the other panelists, and \nalso working with the subcommittee to continue serving the IT \nsecurity needs of the small business community.\n    Thank you. I would be happy to answer any questions. I \nwould ask that my testimony be included in its entirety.\n    Mr. Putnam. Without objection, so ordered.\n    [The prepared statement of Ms. Mills follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6994.031 through T6994.033\n    \n    Mr. Putnam. Thank you very much.\n    Our final witness on this panel is Mr. Ed Roback. Mr. \nRoback serves as Chief of the Computer Security Division at the \nNational Institute of Standards and Technology, supporting \nthe agency's responsibilities to protect sensitive Federal \ninformation and promote security in commercial information \ntechnology products. 
The Computer Security Division's efforts \ninclude work in the area of security standards, testing E-\nAuthentication, studying security issues with emerging \ntechnologies, and developing security guidelines for Federal \nagencies.\n    Welcome to the subcommittee. You are recognized for 5 \nminutes.\n    Mr. Roback. Thank you very much, Chairman Putnam and \nmembers of the subcommittee for this opportunity to testify \ntoday on the perspectives of the National Institute of \nStandards and Technology regarding the challenges facing home \nusers and small businesses in better securing their systems and \ninformation.\n    Our broad work in the area of information security, \ngenerally speaking, is applicable to a wide variety of users, \nincluding small businesses as well as the larger agencies of \nthe Federal Government. In particular, home users and small \nbusinesses face an enormous challenge in protecting their \ncomputers. Their systems are operated in environments where \nthere is not normally full knowledge or understanding of \npotential risks or technology capabilities. The risks to our \nsmall systems are, in fact, so complex and pervasive, we cannot \nexpect these small businesses to become experts in this area. \nYet, they want to take advantage of new technologies along with \nall the risks that presents.\n    So today what I would like to do is to tell you a little \nbit about some work NIST has done in this area. As my colleague \nmentioned, NIST has formed a partnership with SBA and the \nFederal Bureau of Investigation's InfraGard Program to sponsor \nworkshops and on-line support for small businesses. We have \nbuilt a Small Business Resource Center on our Web site where we \ndistribute training materials to be used by small businesses \nand in-house security sessions.\n    We have also provided briefings to organizations at various \nevents engaged with small businesses across the country. 
NIST's \nmanufacturing extension partnership also has developed a tool \ncalled E-Scan Security Assessment tool that provides the \ncapability for small businesses to assess their security \nposture and recommends some security corrective measures.\n    In addition to these specific efforts, we believe that home \nusers and small businesses can benefit broadly from the range \nof initiatives that are underway at NIST in the area of \nsecurity guidelines, security research, security testing, and \nso forth. After all, we are all using the same commercial \nproducts.\n    I will not go into the details. That is all summarized in \nmy written statement, but some of the guidelines such as \nwireless teleworking and other kinds of guidelines also \nobviously can apply to home users and small businesses.\n    I would like to highlight one piece of work in particular \nand that is our work with vendors to develop a Web-based \nrepository on security check lists. As you know, many \ncommercial products are delivered with security features turned \noff. The question for users is: Well, what should I turn on in \nthe area of security for my particular environment? We are in \nthe process of developing IT security product checklists that \nprovide settings and options to minimize the security risks \nassociated with each computer hardware or software system \nwidely used in the Federal Government which, of course, \ntranslates into nearly every commercial product.\n    In summary, Mr. Chairman, the challenges facing home users \nand small businesses are greater than they have ever been, but \nthey are also very similar to those challenges facing Federal \nagencies and other users. We are all using the same products. \nWe are all connected to the same networks.\n    If they are to maximize capabilities and efficiencies \noffered by these technologies while minimizing risks to their \nsystem, more must be done. Training efforts must be increased. 
\nMore must be done in the area of secure configuration. More \nmust be done in the area of product benchmarking, scanning \ntools, outreach, and indeed research so that we can improve the \nsituation and simplify the current unfortunate complexity that \nexists in trying to secure these systems. We are at a situation \nright now where it is simply too much to expect small \nbusinesses to understand all the risks in order to be able to \naddress their security needs.\n    Thank you, Mr. Chairman, for the opportunity to present our \nviews regarding the security challenges facing home users. I \nwould be pleased to take any questions you may have. I would \nask that my testimony be included in its entirety.\n    Mr. Putnam. Without objection, so ordered.\n    [The prepared statement of Mr. Roback follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T6994.034 through T6994.042\n    \n    Mr. Putnam. Thank you very much.\n    I want to thank all of our witnesses. I again apologize for \nthe extended delay due to votes. I want to thank the gentleman \nfrom Pennsylvania for joining us, our distinguished member of \nthe subcommittee. I will allow him to go first if he would \nprefer.\n    Mr. Murphy. Thank you, Mr. Chairman. I appreciate that. I \nwant to thank the committee, too. I know that this may not seem \nthat exciting an issue to the general public but anybody who \nowns a computer in their home and anybody who has a business \nhas more than once pounded that computer, saying ``What is \nwrong with this thing?'' We know that there could be some \nthings to be taken care of. 
So your testimony is extremely \nimportant for business and for the home user.\n    I would like to ask about the role and response of the \nprivate sector here, including hardware and software vendors, \nPC makers, ISPs, etc., in contributing to improving the security \nprofile of home users and small businesses. I think of it \nparticularly here because, like anybody else, sometimes I will \nturn on my computer. Another family member may have been using \nit, or I will open up what I thought was an e-mail from a \nfriend which may have something else attached to it.\n    I oftentimes feel, like many other home users, ``Why do I \nhave to be the one always to pay the money here to prevent what \nthe system is allowing through?'' The software can add up over \ntime, all the editions and updates. What can the private sector \ndo to help everybody who is a small business person or just a \nhome user of computers? I will take an answer from anybody \nhere.\n    Mr. Beales. Well, I think one thing that the private sector \ncan do--and I think we are seeing this increasingly--is to \nbuild in some of the basic security features so that they are \nthere for users who need them. When you get a broadband or \n``always on'' connection of some sort, it comes with the basic \nsecurity precautions installed that ought to accompany that \nkind of application. I think we are seeing more and more of \nthat. It would be good to see more. But I think that is a very \nuseful role for the private sector to play.\n    Mr. Murphy. Does anyone else have any comments? Mr. Roback?\n    Mr. Roback. I think we also have to look at the power of \nthe market place in terms of distinguishing the benefits folks \ncan get from security and the ability and the willingness for \npeople to pay for it. Right now people, of course, want \nsecurity, but they are not necessarily willing to pay more per \nmonth for a service that provides a higher level of security. \nSo we need to work.\n    Mr. Murphy. 
I guess this relates also to small businesses \nand commerce. But there is a symbiotic relationship between, \nfor example, people who want to be able to monitor what you are \ngoing to in terms of Web sites so they can target e-mail to you \nor spam, or pop-ups. I understand that everybody would like to \nbe able to trace things. But it crosses over into privacy \nissues, too, and opens up where people are downloading things \nor are constantly spying on your computer, too.\n    But whose responsibility does this become? This goes to the \nnext question: What is the most appropriate role for Congress \nhere in dealing with this? Do we just assume that it is up to \nevery computer owner to take care of their own problems? Or \nshould we be outlining some things on our level to say that \nthere has to be certain rules to be followed nationwide?\n    Mr. Roback.\n    Mr. Roback. Well, from my perspective, the challenge is, of \ncourse, that the network is worldwide. So, it does not stop at \nthe borders of this country. You are connecting all the time to \nWeb sites around the world. Whatever rules we might put in \nplace geographically here may well be completely ignored \noverseas. So there needs to be a really global understanding of \nwhat the role should be, on which I do not think you are ever \ngoing to attain perfection. I think you are then bound to have \nreliance on user responsibility that they have to do some due \ndiligence to protect their assets.\n    Mr. Murphy. Mr. Beales.\n    Mr. Beales. 
Congressman Murphy, I think some of what we see \nout there--and it is clearly a role for us and at this point I \ndo not know that it is a role for the Congress--but there are \nlaw enforcement problems in the way some bad software ends up \non consumers' systems.\n    If there is deception in tricking people into downloading \nstuff that they do not know that they are getting, or if \nsoftware takes over a person's computer and resets settings and \nthen cannot be set back, and consumers do not know that they \nare getting into that kind of a mess when they download it, \nthose things probably do violate our statute as unfair or \ndeceptive practices. We are actively looking for cases against \nthat kind of conduct.\n    Mr. Murphy. I hope so. I think it is important for \nconsumers to be able to join together and have those kinds of \nprotections. I think it does get to be harmful. Certainly a \nsmall business costs a massive amount of money when all the \ncomputers slow down.\n    I see my time is almost up. Hopefully I will have some time \nfor questions later.\n    Mr. Chairman, I yield back.\n    Mr. Putnam. Thank you very much, Mr. Murphy.\n    What would all of you describe as the single greatest cyber \nthreat facing home users and small businesses today? We will \nbegin with Mr. Yoran.\n    Mr. Yoran. The largest threat to home users and small \nbusinesses is the sheer complexity of effectively protecting \none's computer systems, a small business, or a home user. \nSecurity is far too complex. I think some of the efforts which \nwe have talked about here in terms of outreach and in terms of \nawareness, educating the consumer markets, and educating the \nsmall business markets, will help drive the market to producing \nhigher quality products.\n    Much of the efforts underway are geared specifically to \nmaking cyber security an easier issue for the home users to \ndeal with. 
Those efforts fall into a number of different \ncategories, including delivering computer and computer systems \nand configurations which are better secured than they had been \nhistorically. They include the software vendors, delivering \nsoftware which is capable of patching itself without a \ntremendous amount of intervention from the home user, and \ninvestment in the private sector to producing higher quality \ncode within the security community of making their products \neasier to use to cover some of the flaws and vulnerabilities \nwhich are discovered in the products which are less security \naware.\n    And ultimately, it is in the service providers delivering \nInternet connectivity in a fashion that is more secure out-of-\nthe-box that defends against ``phishing'' scams, that defends \nagainst viruses and other network-based attacks. It is really a \ncomplex issue. When you look at action on the part of Congress \nor other folks to provide regulation for the software industry \nto encourage or force higher-quality code or practices. I think \nwe need to very carefully evaluate the effectiveness of that \napproach versus the effectiveness of investment into the \nresearch and development of tools which will empower them, or \nenable them, to produce higher quality code.\n    I know, in fact, of no cases where software vendors or \nsoftware developers are interested in producing code with flaws \nin it. So the more research we can conduct, the better the \nquality of the tools to foster higher quality software, the \nbetter off we are and the more likely that those tools will \nresult in meaningful progress in the private sector.\n    Mr. Putnam. Mr. Beales.\n    Mr. Beales. I think the biggest problem is the lack of \nattention on the part of both businesses and the home users--\nattention to the fact that there is a problem and attention to \nthe fact that the nature of the problem is continuously \nchanging. 
The threats that we face evolve because the tactics \nof those who would do bad are evolving in response to the last \nset of changes.\n    I think even when people try to take steps, too often they \nsay, ``I put in place this piece of software. I am done. I do \nnot need to worry about security anymore.'' That is not true. \nPeople need to pay attention to new threats as they emerge, and \nparticularly companies need to pay attention to new threats as \nthey emerge, and try to address those over time.\n    Mr. Putnam. Ms. Mills.\n    Ms. Mills. Thank you, Mr. Chairman. This goes to \nCongressman Murphy's question as well. No. 1, I think the very \nkey is to raise the visibility. Second, it is the education and \nthe impact on how to protect one's self. I know recently I, \nmyself, was receiving undeliverable e-mail messages on my home \ncomputer from people I never sent a message to. I took it into \na service tech. I thought I had a virus. He said, ``No, your e-\nmail address was grabbed somewhere in cyber space and they are \nnow sending messages to various individuals using your address.''\n    So, I think the consumer, the small business, is definitely \nnot aware of the capabilities that are out there right now in \nthis whole world of viruses. I think raising that visibility, \nengaging the private sector to help in the education, just as \nmy Association of Small Business Developmental Centers did with \nMicrosoft. I think that is the No. 1 step we need to take.\n    Mr. Putnam. Mr. Roback.\n    Mr. Roback. In addition to all the insightful comments by \nmy colleagues, I guess I would point out this. The current \nsituation to me seems untenable of the degree of exploitation \nof known vulnerabilities we have now with commercial products. \nOne of the Web-based resources we have at our site at NIST has \nover 6,600 vulnerabilities in commercial products. 
Of course, \nwith these vulnerabilities come kiddy scripts and other things \nthat exploit them and can be used to attack systems.\n    So we are chasing our own tail in terms of trying to stay \nup-to-date, in terms of installing patches and also trying to \nstay knowledgeable and taking advantage of what security \nfeatures are in commercial products, in terms of having to turn \non the right level of security, but not too much so you do not \nbreak everything.\n    What are some of the solutions? Well, I usually talk in \nterms of four steps of solutions. The first is the need for \nbetter specifications. I am not talking Government-mandated \nstandards here, necessarily, but better commercial industry \nconsensus-based sets of specifications, and better testing to \nknow that those specifications are correctly implemented by \nproducts, that is: Are they implementing and using sound \nsecurity technologies and techniques?\n    Third, is taking advantage of those techniques that are \nappropriate for your environments, so turning on and turning \noff the right security settings. Fourth, is trying to ensure \nthrough these scanning tools and so forth that those settings \nare maintained and not inadvertently or maliciously turned off.\n    It probably will not surprise you, since I come from a \nresearch institution, that all of these areas need research so \nthat we can improve the ways to do that.\n    Mr. Putnam. Mr. Yoran, from a national security standpoint, \nhow does the computer security of home users and small \nbusinesses impact the overall security profile of the Nation's \ninformation network?\n    Mr. Yoran. Chairman Putnam, in a number of recent incidents \nand events, we have seen cases where large numbers of home \ncomputers always-on, high bandwidth systems, have been used to \nattack components of the Nation's, and really the world's, \ncyber infrastructure. 
In many cases those efforts have been \nthwarted and in some cases they have been effective.\n    To the extent that home systems are on-line, are always on \nand are connected through high-speed access points, they can \nserve in the role of zombie or participate in large Botnet \nactivities and really make the incident response process a lot \nmore complex and increase the likelihood that our Nation's \ncyber infrastructure or that other critical infrastructures may \nbe adversely impacted in the near future.\n    Mr. Putnam. How have the partnerships and the initiatives \nthat your Department has taken benefited home users and small \nbusinesses?\n    Mr. Yoran. Well, sir, they have benefited home users and \nsmall businesses in a number of ways. The efforts of the cyber \nalert system to help increase awareness of cyber events and \nhelp to increase the actionable items which home users and \nsmall businesses can take to protect their own computers has \nbeen well received. We have had over a quarter of a million \nsubscribers to that cyber alert system in just the few months \nthat it has been made available to the public.\n    But all of these efforts again are tactile and operational \nin nature and need to be pursued in conjunction with \ndevelopment programs for the technology industry and for the \ncyber security industry, to help assure that the next \ngeneration of products are more resilient and more immune to \nthese types of attacks.\n    Mr. Putnam. As you know, yesterday an attack caused \nfailures at Akamai; are you aware of that, the world's biggest \nhost. They handle 15 percent of the net's traffic. What was \nyour office's role and response to that attack?\n    Mr. Yoran. Chairman Putnam, in many instances the \nDepartment of Homeland Security and the U.S. 
CERT play a lead \nrole in helping organizations respond to cyber incidents and \nvery importantly, help coordinate those organizations in their \ninteraction with other private sector entities and with public \nsupport mechanisms, such as law enforcement and other Federal \nresources which may be brought to bear during the time of a \ncrisis.\n    In instances like the attacks which we saw yesterday, the \nlead role, if you will, was played by the private sector in \nprotecting their systems and developing and enhancing their \nprotective measures to bring their systems back on line. The \nrole of the U.S. CERT and the Department of Homeland Security \nin that particular case was more focused around understanding \nevents as they were unfolding, and helping to share, as \nappropriate, information with other private sector and public \nsector entities to determine what effect those events may have \non other critical infrastructures.\n    Mr. Putnam. This appears to have been a denial of service \nattack. Are we seeing an increase in those types of attacks?\n    Mr. Yoran. Sir, we are seeing a number of denial----\n    Mr. Putnam. We will take a recess due to the power failure.\n    [Recess.]\n    Mr. Putnam. The subcommittee will adjourn due to power \nfailure.\n    [Whereupon, at 4:26 p.m., the subcommittee was adjourned, \nto reconvene at the call of the Chair.]\n    [The prepared statements of Philip Reitinger, Avadis \nTevanian, Don Frischmann, Thomas M. 
Dailey, and Paul Kurtz, \nsubmitted for the record but not presented due to the power \noutage, follow:]\n\n[GRAPHIC] [TIFF OMITTED] T6994.043 through T6994.113\n\n                                 <all>\n</pre></body></html>\n"