[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





  LOCKING YOUR CYBER FRONT DOOR--THE CHALLENGES FACING HOME USERS AND 
                            SMALL BUSINESSES

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 16, 2004

                               __________

                           Serial No. 108-234

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
96-994                      WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, 
CANDICE S. MILLER, Michigan              Maryland
TIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of 
MICHAEL R. TURNER, Ohio                  Columbia
JOHN R. CARTER, Texas                JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee          BETTY McCOLLUM, Minnesota
PATRICK J. TIBERI, Ohio                          ------
KATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont 
                                         (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania             ------ ------
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                  Dan Daly, Professional Staff Member
                         Juliana French, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
Hearing held on June 16, 2004
Statement of:
    Yoran, Amit, Director, National Cyber Security Division, 
      Department of Homeland Security; J. Howard Beales III, 
      Director, Bureau of Consumer Protection, Federal Trade 
      Commission; Cheryl A. Mills, Associate Administrator, 
      Entrepreneurial Development, Small Business Administration; 
      and Ed Roback, Chief, Computer Security Division, National 
      Institute of Standards and Technology, Department of 
      Commerce
Letters, statements, etc., submitted for the record by:
    Beales, J. Howard, III, Director, Bureau of Consumer 
      Protection, Federal Trade Commission, prepared statement of
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of
    Dailey, Thomas M., chair and president, U.S. Internet Service 
      Provider Association, general counsel, Verizon Online, 
      prepared statement of
    Frischmann, Don, senior vice president, communications and 
      brand management, Symantec Corp., prepared statement of
    Kurtz, Paul, executive director, Cyber Security Industry 
      Alliance, prepared statement of
    Mills, Cheryl A., Associate Administrator, Entrepreneurial 
      Development, Small Business Administration, prepared 
      statement of
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of
    Reitinger, Philip, senior security strategist, Microsoft 
      Corp., prepared statement of
    Roback, Ed, Chief, Computer Security Division, National 
      Institute of Standards and Technology, Department of 
      Commerce, prepared statement of
    Tevanian, Avadis, Apple Computer, Inc., prepared statement of
    Yoran, Amit, Director, National Cyber Security Division, 
      Department of Homeland Security, prepared statement of

 
  LOCKING YOUR CYBER FRONT DOOR--THE CHALLENGES FACING HOME USERS AND 
                            SMALL BUSINESSES

                              ----------                              


                        WEDNESDAY, JUNE 16, 2004

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:30 p.m., in 
room 2154, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam, Clay and Murphy.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Dan Daly, professional staff member and deputy 
counsel; Juliana French, clerk; Felipe Colon, fellow; Colin 
Samples and Katlyn Jahrling, interns; David McMillen, Mark 
Stephenson, and Adam Bordes, minority professional staff 
members; and Cecelia Morton, minority office manager.
    Mr. Putnam. A quorum being present, this hearing on the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order. 
I want to welcome everyone here today to this hearing entitled, 
``Locking your Cyber Front Door--The Challenges Facing Home 
Users and Small Businesses.''
    We will immediately go into my opening statement and the 
witnesses' opening statements as quickly as possible. We are 
expecting a series of five votes which will pretty well 
mutilate the bulk of the afternoon. We are going to move as 
expeditiously as possible.
    In the past few years, the growth in access and use of the 
Internet, the increase in ``always on'' high-speed connections, 
and the rapid development and deployment of new computing 
devices has resulted in an expanding global computing network. 
Although these advances have improved the quality of life, this 
network is susceptible to viruses and worms that can circle the 
world in a matter of minutes.
    The potential for more sophisticated and malicious cyber 
attacks is growing at an alarming rate. While businesses, 
educational institutions and home users enjoy the benefits of 
using the Internet, they are not always adequately informed 
about the potential dangers of computer systems left vulnerable 
and unprotected.
    This hearing is a continuation of a series of oversight 
hearings that the subcommittee has conducted during the 108th 
Congress on the issue of cyber security. On April 21st, the 
subcommittee held a hearing specifically on educational 
awareness for all cyber citizens. Most recently, on June 2nd, 
the subcommittee conducted an oversight hearing on cyber 
security and vulnerability management issues facing large 
enterprises. The purpose of this hearing is to focus attention 
on the challenges facing home users and small businesses.
    Today we will examine the difficulties these users confront 
in protecting their computers; the actions taken by the Federal 
Government to create partnerships that will assist home users 
and small businesses and their efforts; the role of software 
and hardware manufacturers in responding to the expectations 
and demands of the user community to provide the market place 
with higher quality and more secure products; the role of 
Internet service providers in helping to educate and protect 
their subscribers; and the tools and strategies available to 
home users and small businesses to lessen their exposure.
    Home users and small businesses are in a uniquely 
vulnerable position because their computers often face the same 
worms, viruses, and automated attacks that business and 
Government computers face. Yet, these users may not have the 
same level of resources available to mitigate those risks.
    Accordingly, it is critically important that all 
stakeholders examine tools and strategies to comprehensively 
address this challenge. Right now, home and small business 
users face a number of types of risks. Viruses and worms can 
disable home user systems. Home users may also be tricked into 
downloading spyware. These programs can be harmless, yet 
extremely annoying, such as delivering a continuous stream of 
pop-up ads, or they may be malicious, extracting information 
such as passwords and personal information for criminal 
purposes. Home users also face the threat of fraud and identity 
theft, including a newer approach known as ``phishing.''
    Small businesses face these same threats as well, but their 
challenges are compounded by the fact that they may have a 
network of machines to manage, as well as the challenge of 
employees using laptops and remote access. Of even greater 
concern, small businesses face the threat of disgruntled 
insiders who were once trusted users.
    Finally, small businesses may also have private information 
from their customers and data bases that are connected to the 
Internet. Cyber criminals who gain access to this information 
may attempt to extort money out of small businesses to keep the 
breach quiet. The loss of reputation from such an incident 
could be devastating to a small business.
    There are existing and emerging protections against these 
threats. Home users and small businesses can arm themselves 
with virus-protection software to help stop any potential 
impacted viruses and worms. The use of firewalls can help 
prevent some forms of spyware and attempts at unauthorized 
access to a user's machine. Automated patches are also a step 
in the right direction to help users stay up-to-date with 
protections against the most recently published 
vulnerabilities.
    However, employment of these well-known protections is 
still inconsistent. Awareness of the available protections 
needs to be elevated so that basic computer security hygiene 
becomes a common practice among all users. Increasing cyber 
security awareness will help users to protect themselves, but 
user awareness is only part of the problem. Many of the 
security problems that users face are rooted in products that 
were designed to deliver functionality, often without adequate 
regard to security.
    We can no longer simply blame the users for their failure 
to mitigate vulnerabilities. The users are not responsible for 
the flaws and defects in the products that are the source of 
the vulnerabilities. We will continue to examine the progress 
being achieved by manufacturers of hardware and software 
products in responding to the consumer and public demand for 
higher quality and more secure products in the market place. I 
am encouraged by what I see as signs that the manufacturers 
have taken this demand very seriously and are working 
diligently to remedy it.
    Vendors are starting to release products that are secure by 
default, by enabling secure technical control settings, and by 
requiring affirmative action of the user to enable features 
that would make the product less secure. Software and hardware 
vendors are making more significant commitments to their 
quality assurance programs in an effort to identify bugs prior 
to the deployment of new systems. Collaboration among vendors 
to offer a bundled suite of security products to users, along 
with a more concerted effort to configure systems in a more 
secure manner out-of-the-box will produce a more secure 
computing environment.
    In addition to the efforts of the vendors to improve 
security of their products, the Federal Government needs to 
help improve the security of computer products and services 
through R&D. Inadequate tools exist in the market place today 
to conduct effective code evaluation in advance of deployment 
to identify flaws, defects, and the potential of a malicious 
code willfully inserted in a software product.
    By collaborating with partners in the world of academia and 
the private sector, the Federal Government should be working to 
support the development of such tools and other quality 
assurance tools that can make a meaningful difference in 
improving the quality and security of new IT products. The 
Federal Government has an important role in targeting research 
and development efforts to address these critical issues.
    As a Member of Congress, a home computer user, and a 
champion of small business, this problem hits close to home. I 
intend to continue my efforts to improve cyber security in 
every sector of our Nation. In furtherance of this effort, we 
have convened a group of 25 leaders from business 
organizations, as well as representatives from academic and 
institutional communities, to form the Corporate Information 
Security Working Group. The intent was to produce a set of 
recommendations that could form the basis of an action plan for 
improving cyber security for businesses and enterprises of all 
sizes and sectors.
    The group divided into subgroups, one of which was 
Awareness, Education, and Training Subgroup. This subgroup's 
mission was to identify, partner with, and build on the good 
work of organizations that have or are developing campaigns 
that raise awareness on the importance of cyber security. The 
Awareness, Education, and Training Subgroup reported 
recommendations for three categories of users--small 
businesses, large enterprises, and home users.
    For small businesses, the group suggested creating and 
distributing a small business guidebook for cyber security that 
explains cyber security risks in terms that are readily 
understood and that motivates small business owners to take 
action.
    For home users, the group suggested targeted efforts aimed 
at the mass market that would help to educate these users. The 
group is seeking to build upon existing relationships and to 
forge new partnerships between organizations, corporations, and 
Government.
    I will continue my support for these initiatives and intend 
to reconvene the Corporate Information Security Working Group 
at the end of this month to further develop a number of the 
recommendations that were produced in phase I. We have also 
taken an important step in furtherance of a recommendation from 
that working group.
    Yesterday, along with Chairman Tom Davis, I introduced H.R. 
4570 to amend the 1996 Clinger-Cohen Act to place a greater 
emphasis on computer security within the Federal Government. 
The bill brings Clinger-Cohen in line with the realities of 
today's information technology world by requiring agencies to 
specifically consider security when conducting systems planning 
and acquisition. We are confident that once it is signed into 
law, it will help to strengthen the Federal Government's 
overall efforts to improve the information security profile of 
its systems.
    In closing, I want to make clear that securing the Nation's 
cyber space is an urgent challenge and we all have a role to 
play. The threat is real. The vulnerabilities are extensive. 
The time for action is now. Unfortunately, there are no simple 
solutions. We will continue to examine the role that Congress 
and the Federal Government can and should play in being a 
partner-in-progress, in elevating the attention to this matter 
for all stakeholders. Education and awareness is a key element 
to advise all users about the tools and strategies to reduce 
the risks associated with a very real cyber threat.
    I look forward to all the testimony from today's witnesses. 
Today's hearing can be viewed live via Webcast. At this time I 
would be happy to recognize the ranking member.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    Mr. Clay. Thank you, Mr. Chairman.
    Let me thank the chairman for holding today's hearing on 
cyber security and the challenges facing America's small 
businesses and home user communities. I thank the witnesses 
before us today and hope their insights on methods for computer 
security will be both technologically realistic and practical 
for our target audiences.
    Mr. Chairman, I will stop there since we do have a vote 
going. I would like to just make an abbreviated statement in 
reference to my entire opening statement. In the interest of 
time, I would ask that the remainder be submitted for the 
record.
    Mr. Putnam. Without objection, so ordered.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    Mr. Putnam. The committee will stand in recess.
    [Recess.]
    Mr. Putnam. The committee will come to order.
    Let us move directly into testimony for panel I. Before we 
do so, let us administer the oath. If all of our witnesses, and 
anyone traveling with you to assist you in answering our 
questions, would please rise and raise your right hands.
    [Witnesses sworn.]
    Mr. Putnam. As a note for the record, all the witnesses 
responded in the affirmative.
    Our first witness is Amit Yoran. Mr. Yoran is the Director 
of the National Cyber Security Division of the Department of 
Homeland Security. Before joining the Department, he served as 
the vice president of Worldwide Managed Security Services at 
Symantec Corp. Prior to that, he founded Riptech, an 
information security company.
    Welcome to the subcommittee. You are recognized for 5 
minutes.

  STATEMENTS OF AMIT YORAN, DIRECTOR, NATIONAL CYBER SECURITY 
  DIVISION, DEPARTMENT OF HOMELAND SECURITY; J. HOWARD BEALES 
  III, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE 
     COMMISSION; CHERYL A. MILLS, ASSOCIATE ADMINISTRATOR, 
ENTREPRENEURIAL DEVELOPMENT, SMALL BUSINESS ADMINISTRATION; AND 
    ED ROBACK, CHIEF, COMPUTER SECURITY DIVISION, NATIONAL 
 INSTITUTE OF STANDARDS AND TECHNOLOGY, DEPARTMENT OF COMMERCE

    Mr. Yoran. Good afternoon, Chairman Putnam and 
distinguished members of the subcommittee. I am pleased to have 
an opportunity to appear before the committee to discuss cyber 
security challenges facing home users and small businesses. 
Small businesses do not have the same security resources as 
large companies, and as a result, their systems are often more 
vulnerable. Many home users are not aware of cyber security 
threats, or how to protect themselves.
    The Department of Homeland Security's U.S. CERT has 
established a series of programs focused on home users and 
small businesses to target their specific needs. These programs 
leverage several mechanisms to enhance our communication to the 
public. December's National Cyber Security Summit established 
an Awareness and Outreach Task Force to provide recommendations 
for increasing awareness among home users and small businesses.
    In March, the Task Force submitted its recommendations to 
the National Cyber Security Partnership. We have implemented a 
number of recommendations, as I will describe this afternoon, 
and are considering others as part of our overall awareness 
efforts. Many of these recommendations and efforts are 
consistent with the recommendations of your CISWG.
    DHS is a sponsor of the National Cyber Security Alliance 
and Staysafe Online, a public/private organization created 
precisely to educate home users and small businesses on cyber 
security best practices. Other NCSA sponsors include the 
Federal Trade Committee, AT&T, America On-Line, Computer 
Associates, ITAA, Network Associates, Symantec, and recently 
the Cyber Security Industry Alliance.
    The Department of Homeland Security has provided matching 
funds to expand NCSA's outreach campaign. DHS' U.S. CERT 
launched the National Cyber Alert System in January of this 
year. The National Cyber Alert System is an important mechanism 
for delivering targeted, timely, and actionable information to 
help Americans protect their systems.
    We have already issued several alerts and a periodic series 
of best practices and how-to guides. These tips help educate 
home users and small businesses on security practices and 
increase awareness. Some topics have included: Understanding 
Firewalls, Good Security Habits, Choosing and Protecting 
Passwords, and Why Cyber Security is a Problem.
    I am pleased to announce that DHS' U.S. CERT and the Multi-
State Information Sharing and Analysis Center [MSISAC], are 
developing a series of national Webcasts to examine critical 
and timely cyber security issues. The first Webcast planned for 
this series will take place next Tuesday, June 22nd.
    These Webcasts will be archived and put on the U.S. 
CERT.gov Web site and available for public viewing. This 
national Webcast initiative is a collaborative effort between 
Government and private sector to help strengthen our Nation's 
cyber readiness and resilience. Webcasts will feature a variety 
of cyber security topics of interest to Government agencies, 
enterprises, and small businesses. Future sessions will focus 
on home users. These Webcasts are a strategic awareness tool to 
help home users and small businesses improve their cyber 
security posture and practices.
    In addition, DHS' U.S. CERT supports the Internet Security 
Alliance's Common Sense Guide to Cyber Security for Small 
Businesses. This guide was produced as a result of focus 
groups, in coordination with the U.S. Chamber of Commerce, the 
National Association of Manufacturers, and the National 
Federation of Independent Businesses, and the Electronic 
Industry Alliance. NCSA is posting this guide on the U.S. 
CERT.gov Web site and requests that it also be placed on other 
appropriate homeland security and Government Web sites.
    DHS and the Department of Justice's Bureau of Justice 
Statistics are producing a study on the effects of cyber crime 
in the United States, including those crimes affecting home 
users and small businesses. The goal of this survey is to 
provide comprehensive and statistically relevant information on 
the subject of cyber crime in the United States. This 
information can be used in a number of ways, including 
strategic information, technology, security planning, and 
resource allocation. It can help better prepare small 
businesses to address their cyber security challenge.
    While we are optimistic that many of these efforts will 
help home users and small businesses increase their awareness 
and better protect themselves, we also believe that effective 
cyber security is a difficult challenge for these groups. The 
Department of Homeland Security is working with leading 
Internet service providers and technology providers in the 
private sector to make cyber security simpler to achieve for 
all.
    Thank you for the opportunity to testify before you today. 
I would be pleased to answer any questions you may have. I 
would ask that my testimony be included in its entirety.
    Mr. Putnam. Without objection, so ordered.
    [The prepared statement of Mr. Yoran follows:]

    Mr. Putnam. Thank you very much. I appreciate your adhering 
to our 5-minute rule so that we can get as much done as 
possible this afternoon.
    Our next witness is J. Howard Beales. Mr. Beales is the 
Director of Federal Trade Commission's Bureau of Consumer 
Protection. He was appointed in June 2001. He has experience in 
both academia and Government. His major areas of expertise and 
interest include law and economics, the economic and legal 
aspects of marketing and advertising, and other aspects of 
Government regulation of the economy.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Mr. Beales. Thank you, Mr. Chairman. I appreciate the 
opportunity to appear before you today to discuss the 
challenges that consumers and businesses face in protecting 
their computer systems and the information contained in them, 
as well as the FTC's role in promoting a culture of security.
    Today, maintaining the security of our computer-driven 
information systems is essential to every aspect of our lives. 
Our interconnected information systems provide enormous 
benefits to consumers, businesses, and Government alike. But 
serious vulnerabilities threaten the security of the 
information they contain, as well as the continued viability of 
the systems themselves. Every day security breaches cause real 
and tangible harms to businesses and other institutions, as 
well as to consumers.
    The FTC has sought to address concerns about the security 
of our computer systems through a combined approach that 
stresses education, law enforcement actions, and international 
cooperation.
    Regarding education, one of our most successful strategies 
is to hold public workshops designed to educate the agency and 
the public about issues related to information security. One 
such workshop held in two sessions during May and June of last 
year, specifically explored the issues before the committee 
today.
    Workshop participants identified a range of challenges 
facing consumers, industry, and policymakers. For example, many 
consumers do not buy the privacy tools now on the market 
because they are often available only as expensive hard-to-use 
system add-ons. Consumers also use these tools improperly. For 
example, failing to configure their firewalls appropriately, 
using easily guessed passwords, or using anti-virus software 
and operating systems without properly updating them.
    Moreover, many consumers are largely unaware of the 
consequences of poorly protected systems and personal 
information. Panelists also urged technology vendors to make 
security support and updates easier and more automatic for 
consumers. Many panelists agreed that privacy-enhancing 
technologies, in order to be most effective, should be more 
tightly integrated or baked into systems so that even novice 
users can easily enjoy their protections.
    To help businesses better develop ways to protect their 
systems, panelists urged the adoption of a comprehensive risk-
management strategy that incorporates four critical elements--
people, policy, process, and technology. Companies must train 
their people about the threats to the information systems and 
the steps they should take to address them. Companies must also 
develop and communicate policies regarding the appropriate use 
of information and computer systems, and put in place processes 
to ensure that policies are implemented. Finally, they must 
deploy technology effectively and securely.
    One valuable tool to help consumers understand the 
importance of information security, and to use privacy tools 
more effectively are educational campaigns similar to the 
campaigns launched to increase seatbelt use or discourage 
smoking. Such campaigns can take awhile to produce changes in 
consumer behavior, but they can help consumers play a more 
effective role in protecting themselves and society as a whole.
    The FTC has, for several years, engaged in a broad outreach 
campaign to educate businesses and consumers about information 
security and the precautions they can take to protect or 
minimize risks to personal information. These efforts have 
included creation of an information security mascot, Dewey the 
E-Turtle, who hosts a portion of the FTC Web site devoted to 
educating businesses and consumers about security.
    We published Business Guidance regarding common 
vulnerabilities in computer systems and responding to 
information compromises. Commissioners and the staff have made 
speeches. We have worked with the Department of Homeland 
Security and such organizations as the National Cyber Security 
Partnership. We have reached out to the international 
community.
    Even if consumers do everything right, however, their 
personal information may still be vulnerable if the businesses 
who obtain that information fail to protect it. Therefore, the 
Commission has also pursued law-enforcement actions in 
appropriate cases. In four separate settlements with companies 
that collected sensitive information from consumers, we have 
alleged that the companies violated the FTC Act by making 
promises that they would take appropriate steps to protect 
sensitive information obtained from consumers. In fact, we 
found their security measures to be inadequate and their 
claims, therefore, deceptive.
    The Commission also has responsibility for enforcing its 
Gramm-Leach-Bliley Safeguards Rule which requires financial 
institutions to protect customer information. In brief, the 
rule requires them to develop a written information security 
plan that includes certain elements basic to security. These 
include identifying and assessing the risks in each relevant 
area of the company's operation, and designing and implementing 
appropriate safeguards for controlling these risks. Companies 
must also regularly monitor and test their programs and 
evaluate and adjust the program in light of relevant 
circumstances.
    In addition to our domestic efforts, the Commission has 
taken an active international role in seeking to establish a 
culture of security. We have worked on cyber security 
initiatives with OECD, as well as other international 
organizations.
    Security presents challenges for everyone in our global 
information-based economy, but particularly for consumers and 
small businesses. We are committed to continuing our work 
promoting security awareness and sound information practices 
through education, enforcement, and cooperation.
    Thank you for the opportunity. I look forward to questions. 
I would ask that my testimony be included in its entirety.
    Mr. Putnam. Without objection, so ordered.
    [The prepared statement of Mr. Beales follows:]

    Mr. Putnam. Thank you very much.
    Our next witness is Cheryl Mills. Ms. Mills is the 
Associate Administrator, Entrepreneurial Development for the 
U.S. Small Business Administration. She manages SBA's Technical 
Assistance Programs, providing information, training, and 
business counseling for 1.4 million small business owners 
nationwide. Her office provides this service through a variety 
of business-development networks across the Nation.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Ms. Mills. Thank you very much, Mr. Chairman. Chairman 
Putnam and members of the subcommittee, I appreciate the 
opportunity to testify before you today about an issue that is 
of utmost importance in today's business world--securing our 
Nation's vast information technology network.
    There are 25 million small businesses in America, but 
today's small businesses are nothing like the Mom-and-Pop 
entrepreneurs of 50 years ago, whose market place was often 
limited to their local community. In 2004, America's small 
businesses are national and global enterprises who ship their 
products across the country and around the globe. The main 
reason for this change to the small business landscape is 
computer technology. Today's entrepreneurs use computers and 
the Internet to market their products, purchase supplies and 
equipment, and correspond quickly with customers.
    While the SBA is most often associated with our successful 
loan program, we are also very proud of the valuable technical 
assistance that we provide to America's entrepreneurs. As ADA 
for entrepreneurial development, I am responsible for seeing 
that program.
    The SBA provides technical assistance through our core 
infrastructure of small business developmental centers, women's 
business centers, SCORE counselors, and our district offices. 
The resources are spread throughout the country in over 1,200 
locations. In 2003, these resource partners provided technical 
assistance to over 2 million small businesses.
    Through this infrastructure, the SBA has worked to address 
the challenges of IT security. One way we see of doing this is 
obviously by partnering with other Federal agencies, as well as 
the private sector to educate small businesses about the 
benefits and the risks associated with today's technology-based 
business world.
    In 2002, SBA teamed up with the Hartford to distribute over 
25,000 copies of a guidebook entitled, ``Managing Your Risk: 
The Smart Approach to Protecting Your Business.'' It provided 
management guidance on a variety of topics including computers 
and E-Commerce risks.
    Throughout 2003, SBA and the Hartford conducted 10 risk-
management seminars for 500 small business entrepreneurs and 
published an audio tape and CD ROM on IT security. In addition, 
the SBA is working in collaboration with the FBI and NIST on a 
series of regional meetings on IT security for small 
businesses. These meetings have provided small business with an 
overview of information on security threats, vulnerabilities, 
and corresponding protective tools and techniques. Through this 
partnership, we have reached over 800 small businesses just in 
11 seminars.
    Like the cosponsorship agreement with the Hartford, SBA is 
currently considering collaboration with the U.S. Chamber of 
Commerce to publish a guide to cyber security. The SBA and the 
Chamber will work together to ensure this publication will be 
distributed to as many small businesses as possible.
    Also, through our Small Business Training Network [SBTN], 
at www.sba.gov/training we provide on-line training and have 
provided that already to nearly 650,000 entrepreneurs in 2003. 
We offer a variety of E-Commerce counseling courses. One of the 
most popular is entitled, Information Security Basics. That was 
developed in collaboration with the George Washington 
University. This multi-part course is designed to help a small 
business to understand the importance of implementing a sound 
information security plan.
    SCORE also provides counseling on a range of E-Commerce 
topics from How to Combat Computer Viruses to Understanding 
Customer Privacy Issues. Earlier this year, the Association of 
Small Business Developmental Centers partnered with Microsoft 
to develop and introduce the E-Security Guide for Small 
Business. I have provided the subcommittee with a copy of this 
guide which is also available on-line. SBDC can utilize the E-
Security Guide's information when working now with a small 
business client.
    Mr. Chairman, I want to assure you that this administration 
remains committed to providing our Nation's small businesses 
with the tools they need to survive in today's global market 
place. I look forward to listening to the other panelists, and 
also working with the subcommittee to continue serving the IT 
security needs of the small business community.
    Thank you. I would be happy to answer any questions. I 
would ask that my testimony be included in its entirety.
    Mr. Putnam. Without objection, so ordered.
    [The prepared statement of Ms. Mills follows:]

    Mr. Putnam. Thank you very much.
    Our final witness on this panel is Mr. Ed Roback. Mr. 
Roback serves as Chief of the Computer Security Division at the 
National Institute of Standards and Technology, and supporting 
the agency's responsibilities to protect sensitive Federal 
information and promote security in commercial information 
technology products. The Computer Security Division's efforts 
include work in the area of security standards, testing E-
Authentication, studying security issues with emerging 
technologies, and developing security guidelines for Federal 
agencies.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Mr. Roback. Thank you very much, Chairman Putnam and 
members of the subcommittee for this opportunity to testify 
today on the perspectives of the National Institute of 
Standards and Technology regarding the challenges facing home 
users and small businesses in better securing their systems and 
information.
    Our broad work in the area of information security, 
generally speaking, is applicable to a wide variety of users, 
including small businesses as well as the larger agencies of 
the Federal Government. In particular, home users and small 
businesses face an enormous challenge in protecting their 
computers. Their systems are operated in environments where 
there is not normally full knowledge or understanding of 
potential risks or technology capabilities. The risks to our 
small systems are, in fact, so complex and pervasive, we cannot 
expect these small businesses to become experts in this area. 
Yet, they want to take advantage of new technologies along with 
all the risks that presents.
    So today what I would like to do is to tell you a little 
bit about some work NIST has done in this area. As my colleague 
mentioned, NIST has formed a partnership with SBA and the 
Federal Bureau of Investigation's InfraGard Program to sponsor 
workshops and on-line support for small businesses. We have 
built a Small Business Resource Center on our Web site where we 
distribute training materials to be used by small businesses 
and in-house security sessions.
    We have also provided briefings to organizations at various 
events engaged with small businesses across the country. NIST's 
manufacturing extension partnership also has developed a tool 
called E-Scan Security Assessment tool that provides the 
capability for small businesses to assess their security 
posture and recommends some security corrective measures.
    In addition to these specific efforts, we believe that home 
users and small businesses can benefit broadly from the range 
of initiatives that are underway at NIST in the area of 
security guidelines, security research, security testing, and 
so forth. After all, we are all using the same commercial 
products.
    I will not go into the details. That is all summarized in 
my written statement, but some of the guidelines such as 
wireless teleworking and other kinds of guidelines also 
obviously can apply to home users and small businesses.
    I would like to highlight one piece of work in particular 
and that is our work with vendors to develop a Web-based 
repository on security check lists. As you know, many 
commercial products are delivered with security features turned 
off. The question for users is: Well, what should I turn on in 
the area of security for my particular environment? We are in 
the process of developing IT security product checklists that 
provide settings and options to minimize the security risks 
associated with each computer hardware or software system 
widely used in the Federal Government which, of course, 
translates into nearly every commercial product.
    In summary, Mr. Chairman, the challenges facing home users 
and small businesses is greater than it has ever been, but it 
is also very similar to those challenges facing Federal 
agencies and other users. We are all using the same products. 
We are all connected to the same networks.
    If they are to maximize capabilities and efficiencies 
offered by these technologies while minimizing risks to their 
system, more must be done. Training efforts must be increased. 
More must be done in the area of secure configuration. More 
must be done in the area of product benchmarking, scanning 
tools, outreach, and indeed research so that we can improve the 
situation and simplify the current unfortunate complexity that 
exists in trying to secure these systems. We are at a situation 
right now where it is simply too much to expect small 
businesses to understand all the risks in order to be able to 
address their security needs.
    Thank you, Mr. Chairman, for the opportunity to present our 
views regarding the security challenges facing home users. I 
would be pleased to take any questions you may have. I would 
ask that my testimony be included in its entirety.
    Mr. Putnam. Without objection, so ordered.
    [The prepared statement of Mr. Roback follows:]

    Mr. Putnam. Thank you very much.
    I want to thank all of our witnesses. I again apologize for 
the extended delay due to votes. I want to thank the gentleman 
from Pennsylvania for joining us, our distinguished member of 
the subcommittee. I will allow him to go first if he would 
prefer.
    Mr. Murphy. Thank you, Mr. Chairman. I appreciate that. I 
want to thank the committee, too. I know that this may not seem 
that exciting an issue to the general public but anybody who 
owns a computer in their home and anybody who has a business 
has more than once pounded that computer, saying ``What is 
wrong with this thing?'' We know that there could be some 
things to be taken care of. So your testimony is extremely 
important for business and for the home user.
    I would like to ask about the role and response of the 
private sector here, including hardware and software vendors, 
PC makers, ISPs, etc., in contributing to the improved security 
profile of home users and small businesses. I think of it 
particularly here because, like anybody else, sometimes I will 
turn on my computer. Another family member may have been using 
it, or I will open up what I thought was an e-mail from a 
friend which may have something else attached to it.
    I often times feel, like many other home users, ``Why do I 
have to be the one always to pay the money here to prevent what 
the system is allowing through?'' The software can add up over 
time, all the editions and updates. What can the private sector 
do to help everybody who is a small business person or just a 
home user of computers? I will take an answer from anybody 
here.
    Mr. Beales. Well, I think one thing that the private sector 
can do--and I think we are seeing this increasingly--is to 
build in some of the basic security features so that they are 
there for users who need them. When you get a broadband or 
``always on'' connection of some sort, it comes with the basic 
security precautions installed that ought to accompany that 
kind of application. I think we are seeing more and more of 
that. It would be good to see more. But I think that is a very 
useful role for the private sector to play.
    Mr. Murphy. Does anyone else have any comments? Mr. Roback?
    Mr. Roback. I think we also have to look at the power of 
the market place in terms of distinguishing the benefits folks 
can get from security and the ability and the willingness for 
people to pay for it. Right now people, of course, want 
security, but they are not necessarily willing to pay more per 
month for a service that provides a higher level of security. 
So we need to work.
    Mr. Murphy. I guess this relates also to small businesses 
and commerce. But there is a symbiotic relationship between, 
for example, people who want to be able to monitor what you are 
going to in terms of Web sites so they can target e-mail to you 
or spam, or pop-ups. I understand that everybody would like to 
be able to trace things. But it crosses over into privacy 
issues, too, and opens up where people are downloading things 
or are constantly spying on your computer, too.
    But whose responsibility does this become? This goes to the 
next question: What is the most appropriate role for Congress 
here in dealing with this? Do we just assume that it is up to 
every computer owner to take care of their own problems? Or 
should we be outlining some things on our level to say that 
there has to be certain rules to be followed nationwide?
    Mr. Roback.
    Mr. Roback. Well, from my perspective, the challenge is, of 
course, that the network is worldwide. So, it does not stop at 
the borders of this country. You are connecting all the time to 
Web sites around the world. Whatever rules we might put in 
place geographically here may well be completely ignored 
overseas. So there needs to be a really global understanding of 
what the role should be, on which I do not think you are ever 
going to attain perfection. I think you are then bound to have 
reliance on user responsibility that they have to do some due 
diligence to protect their assets.
    Mr. Murphy. Mr. Beales.
    Mr. Beales. Congressman Murphy, I think some of what we see 
out there--and it is clearly a role for us and at this point I 
do not know that it is a role for the Congress--but there are 
law enforcement problems in the way some bad software ends up 
on consumers' systems.
    If there is deception in tricking people into downloading 
stuff that they do not know that they are getting, or if 
software takes over a person's computer and resets settings and 
then cannot be set back, and consumers do not know that they 
are getting into that kind of a mess when they download it, 
those things probably do violate our statute as unfair or 
deceptive practices. We are actively looking for cases against 
that kind of conduct.
    Mr. Murphy. I hope so. I think it is important for 
consumers to be able to join together and have those kinds of 
protections. I think it does get to be harmful. Certainly a 
small business costs a massive amount of money when all the 
computers slow down.
    I see my time is almost up. Hopefully I will have some time 
for questions later.
    Mr. Chairman, I yield back.
    Mr. Putnam. Thank you very much, Mr. Murphy.
    What would all of you describe as the single greatest cyber 
threat facing home users and small businesses today? We will 
begin with Mr. Yoran.
    Mr. Yoran. The largest threat to home users and small 
businesses is the sheer complexity of effectively protecting 
one's computer systems, a small business, or a home user. 
Security is far too complex. I think some of the efforts which 
we have talked about here in terms of outreach and in terms of 
awareness, educating the consumer markets, and educating the 
small business markets, will help drive the market to producing 
higher quality products.
    Much of the efforts underway are geared specifically to 
making cyber security an easier issue for the home users to 
deal with. Those efforts fall into a number of different 
categories, including delivering computer and computer systems 
and configurations which are better secured than they had been 
historically. They include the software vendors, delivering 
software which is capable of patching itself without a 
tremendous amount of intervention from the home user, and 
investment in the private sector to producing higher quality 
code within the security community of making their products 
easier to use to cover some of the flaws and vulnerabilities 
which are discovered in the products which are less security 
aware.
    And ultimately, it is in the service providers delivering 
Internet connectivity in a fashion that is more secure out-of-
the-box that defends against ``phishing'' scams, that defends 
against viruses and other network-based attacks. It is really a 
complex issue. When you look at action on the part of Congress 
or other folks to provide regulation for the software industry 
to encourage or force higher-quality code or practices, I think 
we need to very carefully evaluate the effectiveness of that 
approach versus the effectiveness of investment into the 
research and development of tools which will empower them, or 
enable them, to produce higher quality code.
    I know, in fact, of no cases where software vendors or 
software developers are interested in producing code with flaws 
in it. So the more research we can conduct, the better the 
quality of the tools to foster higher quality software, the 
better off we are and the more likely that those tools will 
result in meaningful progress in the private sector.
    Mr. Putnam. Mr. Beales.
    Mr. Beales. I think the biggest problem is the lack of 
attention on the part of both businesses and the home users--
attention to the fact that there is a problem and attention to 
the fact that the nature of the problem is continuously 
changing. The threats that we face evolve because the tactics 
of those who would do bad are evolving in response to the last 
set of changes.
    I think even when people try to take steps, too often they 
say, ``I put in place this piece of software. I am done. I do 
not need to worry about security anymore.'' That is not true. 
People need to pay attention to new threats as they emerge, and 
particularly companies need to pay attention to new threats as 
they emerge, and try to address those over time.
    Mr. Putnam. Ms. Mills.
    Ms. Mills. Thank you, Mr. Chairman. This goes to 
Congressman Murphy's question as well. No. 1, I think the very 
key is to raise the visibility. Second, it is the education and 
the impact on how to protect one's self. I know recently I, 
myself, was receiving undeliverable e-mail messages on my home 
computer from people I never sent a message to. I took it into 
a service tech. I thought I had a virus. He said, ``No, your e-
mail address was grabbed somewhere in cyber space and they are 
now sending messages to various individuals using your address.''
    So, I think the consumer, the small business, is definitely 
not aware of the capabilities that are out there right now in 
this whole world of viruses. I think raising that visibility, 
engaging the private sector to help in the education, just as 
my Association of Small Business Developmental Centers did with 
Microsoft. I think that is the No. 1 step we need to take.
    Mr. Putnam. Mr. Roback.
    Mr. Roback. In addition to all the insightful comments by 
my colleagues, I guess I would point out this. The current 
situation to me seems untenable of the degree of exploitation 
of known vulnerabilities we have now with commercial products. 
One of the Web-based resources we have at our site at NIST has 
over 6,600 vulnerabilities in commercial products. Of course, 
with these vulnerabilities come kiddy scripts and other things 
that exploit them and can be used to attack systems.
    So we are chasing our own tail in terms of trying to stay 
up-to-date, in terms of installing patches and also trying to 
stay knowledgeable and taking advantage of what security 
features are in commercial products, in terms of having to turn 
on the right level of security, but not too much so you do not 
break everything.
    What are some of the solutions? Well, I usually talk in 
terms of four steps of solutions. The first is the need for 
better specifications. I am not talking Government-mandated 
standards here, necessarily, but better commercial industry 
consensus-based sets of specifications, and better testing to 
know that those specifications are correctly implemented by 
products, that is: Are they implementing and using sound 
security technologies and techniques?
    Third, is taking advantage of those techniques that are 
appropriate for your environments, so turning on and turning 
off the right security settings. Fourth, is trying to ensure 
through these scanning tools and so forth that those settings 
are maintained and not inadvertently or maliciously turned off.
    It probably will not surprise you, since I come from a 
research institution, that all of these areas need research so 
that we can improve the ways to do that.
    Mr. Putnam. Mr. Yoran, from a national security standpoint, 
how does the computer security of home users and small 
businesses impact the overall security profile of the Nation's 
information network?
    Mr. Yoran. Chairman Putnam, in a number of recent incidents 
and events, we have seen cases where large numbers of home 
computers always-on, high bandwidth systems, have been used to 
attack components of the Nation's, and really the world's, 
cyber infrastructure. In many cases those efforts have been 
thwarted and in some cases they have been effective.
    To the extent that home systems are on-line, are always on 
and are connected through high-speed access points, they can 
serve in the role of zombie or participate in large Botnet 
activities and really make the incident response process a lot 
more complex and increase the likelihood that our Nation's 
cyber infrastructure or that other critical infrastructures may 
be adversely impacted in the near future.
    Mr. Putnam. How have the partnerships and the initiatives 
that your Department has taken benefited home users and small 
businesses?
    Mr. Yoran. Well, sir, they have benefited home users and 
small businesses in a number of ways. The efforts of the cyber 
alert system to help increase awareness of cyber events and 
help to increase the actionable items which home users and 
small businesses can take to protect their own computers has 
been well received. We have had over a quarter of a million 
subscribers to that cyber alert system in just the few months 
that it has been made available to the public.
    But all of these efforts again are tactical and operational 
in nature and need to be pursued in conjunction with 
development programs for the technology industry and for the 
cyber security industry, to help assure that the next 
generation of products are more resilient and more immune to 
these types of attacks.
    Mr. Putnam. As you know, yesterday an attack caused 
failures at Akamai; are you aware of that, the world's biggest 
host. They handle 15 percent of the net's traffic. What was 
your office's role and response to that attack?
    Mr. Yoran. Chairman Putnam, in many instances the 
Department of Homeland Security and the U.S. CERT play a lead 
role in helping organizations respond to cyber incidents and 
very importantly, help coordinate those organizations in their 
interaction with other private sector entities and with public 
support mechanisms, such as law enforcement and other Federal 
resources which may be brought to bear during the time of a 
crisis.
    In instances like the attacks which we saw yesterday, the 
lead role, if you will, was played by the private sector in 
protecting their systems and developing and enhancing their 
protective measures to bring their systems back on line. The 
role of the U.S. CERT and the Department of Homeland Security 
in that particular case was more focused around understanding 
events as they were unfolding, and helping to share, as 
appropriate, information with other private sector and public 
sector entities to determine what effect those events may have 
on other critical infrastructures.
    Mr. Putnam. This appears to have been a denial of service 
attack. Are we seeing an increase in those types of attacks?
    Mr. Yoran. Sir, we are seeing a number of denial----
    Mr. Putnam. We will take a recess due to the power failure.
    [Recess.]
    Mr. Putnam. The subcommittee will adjourn due to power 
failure.
    [Whereupon, at 4:26 p.m., the subcommittee was adjourned, 
to reconvene at the call of the Chair.]
    [The prepared statements of Philip Reitinger, Avadis 
Tevanian, Don Frischmann, Thomas M. Dailey, and Paul Kurtz, 
submitted for the record but not presented due to the power 
outage, follow:]

                                 
